pC_raw46745.md

June 14, 2023

Parser Content

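# Parser definition for Windows Security event 4674 ("An operation was
# attempted on a privileged object").  Each entry in Fields is a regex whose
# ({name}...) group is emitted as the named output field.  Every repetition
# is bounded ({0,100}, {1,2000}) rather than open-ended, so an attacker who
# controls part of the Message body (e.g. an object name) cannot push the
# regex engine into unbounded backtracking.
{
Name = raw-4674-5
    Vendor = Microsoft
    Product = Windows
    Lms = Direct
    DataType = "windows-privileged-access"
    # The time regex below captures an explicit am/pm designator, so the hour
    # field must be the 12-hour "hh" (01-12).  The previous "HH" (00-23)
    # contradicts the "a" marker; in Java-style date patterns (which is what
    # these field letters look like -- confirm against the parser runtime) the
    # 24-hour field wins and every PM event is stamped 12 hours early, which
    # silently corrupts timeline correlation for this privilege-use audit event.
    TimeFormat = "MM/dd/yyyy hh:mm:ss a"
    # All of these literals must appear in the raw event for this parser to
    # be selected.
    Conditions = ["""EventCode=4674""", """Message=An operation was attempted on a privileged object""", """Logon ID:""", """Object Name:""", """Computer"""]
    Fields = [ 
      """({event_name}An operation was attempted on a privileged object)""",
      # Date is MM/dd/yyyy, time is two-digit hh:mm:ss followed by am/pm;
      # must stay in step with TimeFormat above.
      """\s({time}(\d{2}\/){2}\d{4}\s(\d{2}:){2}\d{2}\s(am|AM|pm|PM))\s""", 
      """Keywords=Audit\s({outcome}\w{1,2000})\s""",
      # Accepts "Computer:", "ComputerName=" and quoted variants; host is the
      # first run of non-quote, non-space, non-';' characters.
      """Computer(\w+)?["\s]{0,2000}(:|=)\s{0,100}"?({host}[^"\s;]{1,2000})""",
      """({event_code}4674)""",
      # LOCAL SERVICE / NT AUTHORITY are matched but deliberately not
      # captured, so user/domain stay unset for that built-in account.
      """Account Name:\s{0,100}(LOCAL SERVICE|({user}[^:"]{1,2000}?))\s{1,100}Account Domain:\s{0,100}(NT AUTHORITY|({domain}[^":]{1,2000}?))\s""",
      # Optional DOMAIN\user prefix; backslashes are consumed, not captured.
      """"TargetAccount":"(({target_domain}[^\\\s"]{1,2000})\\+)?({target_user}[^\\\s"]{1,2000})""",
      """"SubjectUserSid":"({user_sid}[^\s"]{1,2000})""",
      """Logon ID:\s{0,100}({logon_id}[^\s"]{1,2000})""",
      # A literal "-" placeholder leaves the corresponding field unset.
      """Object Server:\s{0,100}(-|({object_server}[^:"]{1,2000}?))\s""",
      """Object Name:\s{0,100}(-|({object_name}[^:"]{1,2000}?))\s""",
      """Object Type:\s{0,100}(-|({object_type}[^:"]{1,2000}?))\s""",
      # process = full path; directory = everything up to the last separator;
      # process_name = final component (must contain a '.' extension).
      """Process Name:\s{0,100}(?: |({process}({directory}(?:[^";]{1,2000})?[\\\/])?({process_name}[^\\\/"\.]{1,2000}\.\w+?)))"{0,20}\s{1,100}""",
      """Desired Access:\s{0,100}({accesses}[^:]{1,2000}?)\s{0,100}(?:\s\w+:|$|")""",
      """Privileges:\s{0,100}({privileges}[^:"]{1,2000}?)\s{0,100}("|\w+:|$)"""
    ]
    # Field copies: host -> dest_host, directory -> process_directory.
    DupFields = ["host->dest_host","directory->process_directory"]


}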