pC_raw47431.md
Parser Content
{
# Exabeam parser for Windows Security event 4743 ("A computer account was deleted").
Name = raw-4743-1
Vendor = Microsoft
Product = Windows
Lms = Direct
DataType = "account-deleted"
# Layout of the {time} capture in Fields below: month name, day, HH:mm:ss, year.
TimeFormat = "MMM dd HH:mm:ss yyyy"
# Literal markers that identify an event-4743 record from Windows security auditing.
Conditions = [ """A computer account was deleted""", """4743""", """(EventID 4743)""", """Microsoft Windows security auditing""" ]
Fields = [
# Every quantifier is bounded ({1,100}, {1,2000}) rather than unbounded (+, *),
# presumably to cap backtracking on oversized or malformed events — TODO confirm.
"""({event_name}A computer account was deleted)""",
# host from the "exabeam_host=" prefix; an optional "<something>@" part before it is skipped, not captured.
"""exabeam_host=([^=]{1,2000}?@\s{0,100})?({host}[\w.-]{1,2000})""",
# Syslog-style timestamp (see TimeFormat) followed by a numeric event code.
# NOTE(review): no comma after this element — valid only if the loader accepts a newline as an array separator (HOCON does); confirm.
# NOTE(review): event_code is also assigned by the next, fixed pattern; confirm which assignment takes precedence.
"""({time}\w+\s{1,100}\d{1,100}\s{1,100}\d{1,100}:\d{1,100}:\d{1,100}\s{1,100}\d{1,100})\s{1,100}({event_code}\d{1,100})"""
# event_code pinned to 4743 for this parser.
"""({event_code}4743)""",
# Token between the ":mm:ss" tail of the timestamp and "MSWinEventLog": a dotted quad
# becomes dest_ip, anything else becomes host. \d{1,3} does not restrict octets to 0-255,
# so a malformed quad such as 999.1.1.1 would still be accepted as dest_ip.
""":\d{1,100}:\d{1,100}\s{1,100}(({dest_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})|({host}[\w\-.]{1,2000}))\s{1,100}MSWinEventLog""",
# First "Security ID:" block (presumably the acting subject — verify against a sample event):
# user_sid is captured unless the SID is the well-known NT AUTHORITY\SYSTEM or LOCAL SERVICE;
# then user, domain and logon_id. The (?=\w) lookaheads require each value to start with a word character.
"""Security ID:\s{1,100}(NT AUTHORITY\\(SYSTEM|LOCAL SERVICE)|({user_sid}[^:]{1,2000}?))\s{1,100}Account Name:\s{1,100}(?=\w)({user}[^:]{1,2000}?)\s{1,100}Account Domain:\s{1,100}(?=\w)({domain}[^:]{1,2000}?)\s{1,100}Logon ID:\s{1,100}({logon_id}[^\s]{1,2000})\s{1,100}""",
# "Target Computer:" block: target_user_sid and target_user; the target's "Account Domain" value is captured as object_dn.
"""Target Computer:\s{1,100}Security ID:\s{1,100}(NT AUTHORITY\\(SYSTEM|LOCAL SERVICE)|({target_user_sid}[^:]{1,2000}?))\s{1,100}Account Name:\s{1,100}(?=\w)({target_user}[^:]{1,2000}?)\s{1,100}Account Domain:\s{1,100}(?=\w)({object_dn}[^:]{1,2000}?)\s{1,100}Additional Information:"""
]
# Copies: host -> dest_host; target_user -> object and account_name.
DupFields = [ "host-> dest_host", "target_user -> object", "target_user->account_name"]
}