pC_raw46248.md
June 14, 2023 ยท View on GitHub
Parser Content
{
Name = raw-4624-8
Vendor = Microsoft
Product = Windows
Lms = Direct
DataType = "windows-4624"
TimeFormat = "MM/dd/yyyy HH:mm:ss a"
Conditions = ["An account was successfully logged on", "Account Name", "Computer"]
Fields = [
"""({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{1,3}Z)""",
"""ComputerHOST644=({host}[^\s]{1,2000})\s\w+=""",
"""({time}\d\d\/\d\d\/\d\d\d\d \d\d:\d\d:\d\d (?i:am|pm)?)""",
"""({event_name}An account was successfully logged on)""",
"""Computer_name:({host}[^\s]{1,2000})""",
"""ComputerName =({host}({dest_host}[\w\-\.]{1,2000}))([^\s]{0,2000}\s|;)""",
"""({event_code}4624)""",
"""Logon Type(:|=)\s{0,100}({logon_type}[\d]{1,2000})""",
"""New Logon[^\}]{0,2000}?Account Name(:|=)\s{0,100}(-|SYSTEM|({user}[^\s]{1,2000}?))[\s;]{0,2000}Account Domain(:|=)""",
"""New Logon[^\}]{0,2000}?Account Domain(:|=)\s{0,100}(-|({domain}[^\s]{1,2000}?))[\s;]{0,2000}Logon ID(:|=)""",
"""Process Name(:|=)\s{0,100}(?:-|({process}({directory}[^\}]{0,2000}?)(\\+({process_name}[^\\]{1,2000}?))?))\s{1,100}Network Information:""",
"""Workstation Name(:|=)\s{0,100}(-|[A-Fa-f:\d.]{1,2000}|({src_host_windows}[^\s;]{1,2000}))[\s;]{0,2000}Source Network Address(:|=)""",
"""Source Network Address(:|=)\s{0,100}(?:-|({src_ip}(\d{1,3}\.){3}\d{1,3}|([A-Fa-f\d]{1,2000}:[A-Fa-f\d:]{1,2000})))[\s;]{0,2000}Source Port(:|=)""",
"""Logon Process(:|=)\s{0,100}({auth_process}[^\s;]{1,2000})[\s;]{0,2000}Authentication Package(:|=)\s{0,100}({auth_package}[^\s;]{1,2000})""",
"""Logon ID(:|=)\s{0,100}({logon_id}[^\s;]{1,2000})[\s;]{0,2000}(Linked Logon|Logon GUID)""",
"""New Logon(:|=)[\s;]{0,2000}Security ID(:|=)\s{0,100}(NT AUTHORITY\\+SYSTEM|({user_sid}[^;:=]{1,2000}?))(\s{1,100}|;)Account Name(:|=)"""
"""Key Length(:|=)\s{0,100}({key_length}\d{1,100})"""
"""Subject(:|=)[\s;]{0,2000}Security ID(:|=)\s{0,100}({subject_sid}[^;:=]{1,2000}?)(\s{1,100}|;)Account Name(:|=)"""
]
DupFields = ["directory->process_directory"]
}