pC_raw46621.md
June 14, 2023 · View on GitHub
Parser Content
# Exabeam parser definition for Windows Security event 4662
# ("An operation was performed on an object"), read directly from the
# Windows log without a log-management wrapper (Lms = Direct).
# Each entry in Fields is a regex; a named group written as ({name}...)
# becomes an event field. Quantifiers are bounded ({1,2000}, {0,100})
# rather than open-ended (+, *) throughout, which caps backtracking on
# oversized or hostile input — keep that convention when editing.
{
Name = raw-4662-1
Vendor = Microsoft
Product = Windows
Lms = Direct
DataType = "object-access"
# Only one TimeFormat is declared, yet several {time} patterns below
# capture other layouts (US 12-hour, "Mon dd HH:mm:ss yyyy", ISO-8601).
# NOTE(review): whether those alternates parse against this single
# format depends on the parser engine — confirm before relying on them.
TimeFormat = "yyyy-MM-dd HH:mm:ss"
# Both substrings must be present for this parser to be selected. "4662"
# on its own is a weak discriminator (it could be part of an unrelated
# number); the event text is what actually anchors the selection.
Conditions = ["""An operation was performed on an object""", "4662"]
Fields = [
# Exabeam-injected headers: receive time and reporting host.
"""exabeam_time=({time}\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)""",
# An optional "<anything>@" prefix before the host name is skipped.
"""exabeam_host=([^=]{1,2000}?@\s{0,100})?({host}[\w.-]{1,2000})""",
# Constant fields; both values are fixed by the Conditions above.
"""({event_name}An operation was performed on an object)""",
"""({event_code}4662)""",
# Alternate timestamp layouts.
"""({time}\d\d/\d\d/\d\d\d\d \d\d:\d\d:\d\d (AM|PM|am|pm))""",
"""({time}\w+ \d\d \d\d:\d\d:\d\d \d\d\d\d)\s{1,100}""",
# XML form. Only millisecond precision is captured; the remaining
# fractional digits are consumed by \d{1,100}, so at least four
# fractional digits are required for a match — a timestamp with exactly
# three would not match this pattern.
"""<TimeCreated SystemTime='({time}\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d\d\d)\d{1,100}Z'/>""",
# Host from a text header of the form
# "<hh:mm:ss> <host> Microsoft-Windows-Security-Auditing".
"""\d\d:\d\d:\d\d\s{1,100}({host}[^\s]{1,2000})\s{1,100}Microsoft-Windows-Security-Auditing""",
# Host from "Computer=", "ComputerName:" or a <Computer> XML element.
"""Computer(Name)?\s{0,100}\\*"?(=|:|>)\s{0,100}"{0,20}({host}[\w\.-]{1,2000})(\s|,|"|</Computer>|$)""",
# Host from a "<host> MSWinEventLog" prefix.
"""({host}[^\s=]{1,2000})\sMSWinEventLog""",
# Subject block. The empty alternative in "(|...)" lets a blank value
# match without failing the pattern; the named group then simply does
# not participate, so the field is unset rather than empty.
"""Security ID:\s{0,100}(|({user_sid}[^:]{1,2000}?))\s{0,100}Account Name:""",
# An account name containing internal whitespace is stored as
# user_fullname; any other name is stored as user.
"""Account Name:\s{0,100}(({user_fullname}[^:]{1,2000}?\s[^\s]{1,2000}?)|({user}[^\:]{1,2000}?))\s{0,100}Account Domain:""",
"""Account Domain:\s{0,100}(|({domain}[^:]{1,2000}?))\s{0,100}Logon ID:""",
# Object block. NOTE(review): the "Object Server" value is stored under
# object_class, a name that does not describe that content — confirm
# that downstream rules expect it there before renaming.
"""Object Server:\s{0,100}(|({object_class}[^:]{1,2000}?))\s{0,100}Object Type:""",
"""Object Type:\s{0,100}(|({object_type}[^:]{1,2000}?))\s{0,100}Object Name:""",
"""Object Name:\s{0,100}(|({object}[^:]{1,2000}?))\s{0,100}Handle ID:""",
"""Logon ID:\s{0,100}({logon_id}[^\s]{1,2000})\s""",
# "Operation Type" is mapped to activity.
"""Operation Type:\s{0,100}({activity}[^:]{1,2000}?)\s{1,100}Accesses:""",
# Properties: a literal "-" (no properties) is matched but not captured.
# For directory-service 4662 events this field is what separates a
# routine access from a sensitive one (the specific rights/GUIDs
# touched), so detection content is likely to key on it — keep the
# capture intact.
"""Properties:\s{0,100}(-|({properties}[^:]{1,2000}?))\s{0,100}Additional Information:""",
# Captured up to </Message>, a following "User:" token, a double quote,
# or end of input. ".+?" does not cross a newline unless the engine runs
# in DOTALL mode, so a multi-line value would be truncated at its first
# line — confirm which mode applies. A value containing a double quote
# is also truncated at that quote.
"""Additional Information:\s{0,100}({attribute}.+?)\s{0,100}(<\/Message>|\s{1,100}User:|"|$)"""
# NOTE(review): no comma between the entry above and the one below.
# HOCON accepts a newline as an array separator, so this parses, but
# every other entry uses a comma — add one for consistency.
# Access mask as reported by Windows (hex string).
"""Access Mask:\s{0,100}({access_mask}[^\s]{1,2000})"""
]
}