pC_raw47432.md

Parser Content

{
Name = raw-4743-2
  Vendor = Microsoft
  Product = Windows
  Lms = Direct
  DataType = "account-deleted"
  TimeFormat = "MM/dd/yyyy HH:mm:ss a"
  Conditions = [ """EventCode=4743""", """Message=A computer account was deleted.""", """SourceName =Microsoft Windows security auditing""", """Target Computer:""", """TaskCategory=Computer Account Management""" ]
  Fields = [
    """({time}\d\d\/\d\d\/\d\d\d\d\s\d\d:\d\d:\d\d\s(AM|PM))""",
    """EventCode=({event_code}\d{1,100})""",
    """ComputerName =({host}[^\s]{1,2000})""",
    """Keywords=({outcome}[^=]{1,2000}?)\s{1,100}\w+=""",
    """Message=({event_name}[^:]{1,2000}?)\s{1,100}\w+:""",
    """Subject:\s{1,100}Security ID:\s{1,100}({user_sid}[^:]{1,2000}?)\s{1,100}Account Name:""",
    """Subject:.+?Account Name:\s{1,100}({user}[^:]{1,2000}?)\s{1,100}Account Domain:""",
    """Subject:.+?Account Domain:\s{1,100}({domain}[^:]{1,2000}?)\s{1,100}Logon ID:""",
    """Subject:.+?Logon ID:\s{1,100}({logon_id}[^\s]{1,2000})""",
    """Target Computer:\s{1,100}Security ID:\s{1,100}({target_user_sid}[^:]{1,2000}?)\s{1,100}Account Name:""",
    """Target Computer:.+?Account Name:\s{1,100}({target_user}[^:]{1,2000}?)\s{1,100}Account Domain:""",
    """Target Computer:.+?Account Domain:\s{1,100}({target_domain}[^:]{1,2000}?)\s{1,100}Additional Information:""",
    """Privileges:\s{1,100}(-|({privileges}[^$]{1,2000}))\s{0,100}$"""
  ]
  DupFields = [ "host->dest_host","target_user->account_name" ]


}