pC_l4674.md

Parser Content

{
Name = l-4674
  Vendor = Microsoft
  Product = Windows
  Lms = Direct
  DataType = "windows-privileged-access"
  TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSZ"
  Conditions = [ """An operation was attempted on a privileged object.""", """<EventID>4674</EventID>""" ]
  Fields = [
    """({event_name}An operation was attempted on a privileged object)""",
    """<TimeCreated SystemTime(\\)?='({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d.\d{0,100}Z+)'/>""",
    """<Keywords>({outcome}[^<]{1,2000}?)</Keywords>""",
    """<Computer>({host}({dest_host}[\w\-]{1,2000})[\w.\-]{0,2000})</Computer>""",
    """({event_code}4674)""",
    """Process Name:\s{0,100}[\\rnt]{0,100}(?:( |[\\rnt]{1,100})|({process}({directory}(?:[^"]{1,2000}?)?[\\\/])?({process_name}[^\\\/"]{1,2000}?)))[\\rnt\s]{0,200}Requested""",
    """Account Name:\s{0,100}[\\trn]{0,100}(?:-|({user}[^:<]{1,2000}?))[\\rnt\s]{0,200}Account Domain:""",
    """Account Domain:\s{0,100}[\\trn]{0,100}({domain}[^:]{1,2000}?)[\\rnt\s]{0,200}Logon ID:""",
    """Logon ID:\s{0,100}[\\rnt]{0,100}({logon_id}[^:]{1,2000}?)[\\rnt\s]{0,200}Object:""",
    """Object Server:\s{0,100}[\\rnt]{0,100}({object_server}[^:]{1,2000}?)[\\rnt\s]{0,200}Object Type:""",
    """Object Type:\s{0,100}[\\rnt]{0,100}(?:-|({object_type}[^:]{1,2000}?))[\\rnt\s]{0,200}Object Name:""",
    """Object Name:\s{0,100}[\\rnt]{0,100}(?:|-|({object}[^<>]{1,2000}?))[\\rnt\s]{0,200}Object Handle""",
    """Desired Access:\s{0,100}[\\rnt]{0,100}({accesses}[^:]{1,2000}?)[\\rnt\s]{0,2000}Privileges:""",
    """Privileges:\s{0,100}[\\rnt]{0,100}({privileges}[^:<>"=]{1,2000}?)(\s{0,100}<|\s{0,100}($|")|\s{0,100}\w{1,2000}=)"""
  ]
  DupFields = [ "directory->process_directory" ]


}