pC_raw46721.md

Parser Content

{
Name = raw-4672-1
    Vendor = Microsoft
    Product = Windows
    Lms = Direct
    DataType = "windows-privileged-access"
    TimeFormat = "yyyy-MM-dd'T'HH:mm:ss"
    Conditions = ["Special privileges assigned to new logon", "Privileges", "computer_name"]
    Fields = [
      """({event_name}Special privileges assigned to new logon)""",
      """\scategoryOutcome=(|/({outcome}.+?))(\s{1,100}\w+=|\s{0,100}$)""",
      """"(?:winlog\.)?computer_name\\*":\\*"({host}[^\\"]{1,2000})""",
      """@timestamp":"({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d)""",
      """Type\s{0,100}=\s{0,100}"({outcome}[^";]{1,2000})"""",
      """Keywords=({outcome}.+?);?\s{0,100}(\w+=)""",
      """<Computer>({host}[^<]{1,2000})</Computer>""",
      """Computer(\w+)?["\s]{0,2000}(:|=)\s{0,100}"?({host}[^\s";]{1,2000})""",
      """({event_code}4672)""",
      """Account Name(:|=)\s{0,100}(-|SYSTEM|({user}[^\s]{1,2000}?))[\s;]{0,2000}Account Domain(:|=)""",
      """Account Domain(:|=)\s{0,100}(-|({domain}[^\s]{1,2000}?))[\s;]{0,2000}Logon ID(:|=)""",
      """\s{0,100}Logon ID(:|=)\s{0,100}({logon_id}.+?)[\s;]{0,2000}Privileges(:|=)\s{0,100}({privileges}.+?)(<|\s{0,100}User:|\s{1,100}\d{1,100}|,|\s{0,100}"|;|\s{0,100}$)"""
    ]
    DupFields = ["host->dest_host"]
  

}