pC_raw47761.md

Parser Content

{
Name = raw-4776-1
    Vendor = Microsoft
    Product = Windows
    Lms = Direct
    DataType = "windows-4776"
    TimeFormat = "MMM dd HH:mm:ss yyyy"
    Conditions = ["attempted to validate the credentials for an account", "Authentication Package", "dhn"]
    Fields = [
      """({event_name}The (computer|domain controller) attempted to validate the credentials for an account)""",
      """({time}\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)""",
      """({time}(?i)(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) \d{1,2} \d{1,2}:\d{1,2}:\d{1,2} 20\d{2})""",
      """(?i)(((audit|success|failure)( |_)(success|audit|failure))|information)\s{0,100}(\s|\t|,|#\d{1,100}|<[^>]{1,2000}>)\s{0,100}(?!(?:[A-Fa-f:\d.]{1,2000}))[^\t,#<\s.]{1,2000}\.({domain}[^\s.",]{1,2000})""",
      """(?!(?:[A-Fa-f:\d.]{1,2000}))[^\s\/.]{1,2000}\.({domain}[^\s\/.]{1,2000})[^\s\/]{0,2000}\/Microsoft-Windows-Security-Auditing \(4776\)""",
      """"dhn":"({host}[^-"]{1,2000})""",
      """"dhn":"(?!(?:[A-Fa-f:\d.]{1,2000}))[^".]{1,2000}\.({domain}[^-".]{1,2000})[^"-]{0,2000}""",
      """<Computer>(?!(?:[A-Fa-f:\d.]{1,2000}))[^<.]{1,2000}\.({domain}[^.<]{1,2000})[^<]{0,2000}</Computer>""",
      """Computer(Name)?\s{0,100}(:|=)\s{0,100}"?(?!(?:[A-Fa-f:\d.]{1,2000}))[^\s."]{1,2000}\.({domain}[^\s".]{1,2000})[^\s"]{0,2000}("|\s)""",
      """({event_code}4776)""",
      """The ({login_type}computer|domain)(\s\w+)? attempted to validate the credentials""",
      """Logon (?:a|A)ccount(:|=)\s{0,100}(({user_email}[^@\s]{1,2000}?@[^\s]{1,2000}?\.[^\s]{1,2000}?)|(({user}[^@\s,;=]{1,2000}?)(?:@({domain}[^\s.;,@=]{1,2000}).*?)?))[\s;]{0,2000}Source Workstation(:|=)([\s\\]{1,2000}|(\s{0,100}\\*((({dest_ip}[A-Fa-f:\d.]{1,2000}?)(:({dest_port}\d{1,100}))?)|({dest_host}.+?))[\s;]{0,2000}))Error Code(:|=)""",
      """Error Code(:|=)\s{0,100}({result_code}[\w\-]{1,2000})""",
      """Computer_name\s{0,100}:\s{0,100}({dest_host}({host}[^"\s]{1,2000}))""",
      """Source Workstation(:|=)([\s\\]{1,2000}|(\s{0,100}\\*((({src_ip}[A-Fa-f:\d.]{1,2000}?)(:({src_port}\d{1,100}))?)|({src_host}.+?))[\s;]{0,2000}))Error Code(:|=)""",
    ]
  

}