pC_raw46743.md

Parser Content

{
Name = raw-4674-3
    Vendor = Microsoft
    Product = Windows
    Lms = Direct
    DataType = "windows-privileged-access"
    TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSZ"
    Conditions = ["An operation was attempted on a privileged object", "Computer"]
    Fields = [
      """({event_name}An operation was attempted on a privileged object)""",
      """TimeGenerated=({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d.\d\d\dZ)""", 
      """Type\s{0,100}=\s{0,100}"({outcome}[^";]{1,2000})"""",
      """Computer(\w+)?["\s]{0,2000}(:|=)\s{0,100}"?({host}[^"\s;]{1,2000})""",
      """({event_code}4674)""",
      """"Account":"((NT AUTHORITY|({domain}[^\\\s"]{1,2000}))\\+)?(LOCAL SERVICE|({user}[^\\\s"]{1,2000}))\s{0,100}"""",
      """"TargetAccount":"(({target_domain}[^\\\s"]{1,2000})\\+)?({target_user}[^\\\s"]{1,2000})""",
      """"SubjectUserSid":"({user_sid}[^\s"]{1,2000})""",
      """"SubjectLogonId":"({logon_id}[^\s"]{1,2000})""",
      """"ObjectServer":"(-|({object_server}[^\s"]{1,2000}))""",
      """"ObjectName":"(-|({object}[^\s"]{1,2000}))""",
      """"ObjectType":"(-|({object_type}[^\s"]{1,2000}))""",
      """"ProcessName":"(?: |({process}({directory}(?:[^";]{1,2000})?[\\\/])?({process_name}[^\\\/";]{1,2000}?)))\s{0,100}"""",
    ]
    DupFields = ["host->dest_host","directory->process_directory"]
  

}