pC_raw46623.md
Parser Content
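{
Name = raw-4662-3
Vendor = Microsoft
Product = Windows
Lms = Direct
DataType = "object-access"
TimeFormat = "epoch"
Conditions = [ """CEF:0|""", """|Microsoft-Windows-Security-Auditing:4662|""", """An operation was performed on an object""" ]
Fields = [
"""exabeam_host=([^=]{1,2000}?@\s{0,100})?({host}[\w.-]{1,2000})""",
"""({event_name}An operation was performed on an object)""",
"""({event_code}4662)""",
"""\srt=({time}\d{1,100})""",
"""ahost=({host}[^\s]{1,2000})""",
"""\sdhost=({dest_host}[^\s]{1,2000})""",
"""\sdntdom=(-|({domain}[^\s]{1,2000}))""",
"""duser=(-|({user}[^\s]{1,2000}))""",
"""\sduid=({logon_id}[^\s]{1,2000})""",
"""agt=({src_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""",
# Octet separators are escaped (\.) so src_ip only captures dotted-quad values, matching the agt= pattern above;
# an unescaped "." would let any character between octets through and populate src_ip with non-IP text.
"""originalAgentAddress=({src_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""",
"""amac=({src_mac}[^\s]{1,2000})""",
"""originalAgentMacAddress=({src_mac}[^\s]{1,2000})""",
"""cs5=({object_type}[^=]{1,2000})\s\w+=""",
"""fname=({object}[^\s]{1,2000})""",
"""ad\.Object:Object_,?Server=({object_class}[^=]{1,2000}?)\s{0,100}([^=\s]{1,2000}=|$)""",
"""ad\.Operation:Operation_,?Type=({activity}[^=]{1,2000}?)\s{0,100}([^=\s]{1,2000}=|$)""",
]
}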