pC_raw462410.md
June 14, 2023
Parser Content
{
# Parser definition for Windows Security event 4624 (successful account logon)
# delivered as a raw, comma-delimited "Key:Value" line.
# NOTE(review): the "-10" suffix in the name suggests this parser targets
# logon type 10 (RemoteInteractive), but the LogonType pattern in Fields
# accepts any 1-10 digit value — confirm whether a type-10 restriction was intended.
Name = raw-4624-10
Vendor = Microsoft
Product = Windows
Lms = Direct
DataType = "windows-4624"
# Time format applied to the {time} capture below. The regex captures an offset
# written with a colon ([+-]\d\d:\d\d); whether the trailing Z token accepts the
# colon form depends on the date-parsing library in use — verify with a sample event.
TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSZ"
# Literal substrings a raw line is checked for before this parser is applied
# (presumably all four must be present — confirm against the parser engine's semantics).
Conditions = ["""4624""", """LogonType:""","""TargetUserName:""","""Logon"""]
# Extraction patterns; each ({name}...) group populates the named field.
# - {time}/{host}: ISO-8601 timestamp followed by the reporting host; a second
#   pattern recovers {host} from an "Audit <host> Logon" header instead.
# - {event_code}: fixed literal 4624.
# - {logon_type}: digits after "LogonType:" (not restricted to a single type).
# - {user}, {domain}, {logon_id}, {user_sid}: the Target* fields of the logon.
# - {auth_process}, {auth_package}, {key_length}: logon process / package details.
# - {src_host_windows}, {caller_user}: a bare "-" is treated as absent (no capture).
# - {subject_sid}: SID of the account that requested the logon.
# - {process}: full ProcessName, further split into {process_directory} (up to the
#   last slash or backslash) and {process_name}; "-" yields no capture.
# - {src_ip}: character class covers both dotted IPv4 and hex/colon IPv6 forms.
# - {src_port}: digits after "IpPort:".
# Most value captures are [^,]{1,2000}, i.e. bounded and stopped by the next comma;
# a value containing a comma would be truncated at that comma.
Fields = [
"""({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\.\d\d\d[+-]\d\d:\d\d)\s({host}[\w\-.]{1,2000})"""
"""Audit\s{1,100}({host}[\w\-.]{1,2000})\s{1,100}Logon""",
"""({event_code}4624)""",
"""LogonType:({logon_type}\d{1,10})""",
"""TargetUserName:({user}[^,]{1,2000})""",
"""TargetDomainName:({domain}[^,]{1,2000})""",
"""TargetLogonId:({logon_id}[^,]{1,2000})""",
"""TargetUserSid:({user_sid}[^,]{1,2000})""",
"""LogonProcessName:({auth_process}[^,]{1,2000})""",
"""AuthenticationPackageName:({auth_package}[^,]{1,2000})""",
"""WorkstationName:(-|({src_host_windows}[^,]{1,2000}))""",
"""SubjectUserSid:({subject_sid}[^,]{1,100})""",
"""SubjectUserName:(-|({caller_user}[^,]{1,2000}))""",
"""KeyLength:(({key_length}[^,]{1,100}))""",
"""\sProcessName:(?:-|({process}({process_directory}[^,]{0,2000}?[\\\/]{1,2000})?({process_name}[^,\\\/]{1,2000}))),"""
"""IpAddress:({src_ip}[A-Fa-f\d:.]{1,2000})""",
"""IpPort:({src_port}\d{1,100})"""
]
# Field aliasing; presumably populates "directory" from "process_directory" —
# confirm the arrow direction against the parser engine's documentation.
DupFields = ["directory->process_directory"]
}