pC_rawprocesscreated1.md
June 14, 2023
Parser Content
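{
  # Exabeam parser for Windows Security event 4688 ("A new process has been created").
  Name = raw-process-created-1
  Vendor = Microsoft
  Product = Windows
  Lms = Direct
  DataType = "windows-process-created"
  # NOTE(review): several {time} captures below (ISO-8601, "MM/dd/yyyy hh:mm:ss AM/PM", "...Z")
  # do not match this format string; confirm the platform falls back to auto-detection for them.
  TimeFormat = "MMM dd HH:mm:ss yyyy"
  # Substrings that select this parser for a raw event.
  Conditions = ["""A new process has been created""", """Account Name:""" ]
  # Each entry is a regex; {name} marks the capture bound to that output field.
  Fields = [
    # Timestamp and originating host, across the wrapper formats seen in the feed.
    """exabeam_time=({time}\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)""",
    """exabeam_host=([^=]{1,2000}?@\s{0,100})?({host}[\w.-]{1,2000})""",
    """Audit (Success|Failure),({host}[\w\-.]{1,1000}),Process Creation""",
    """hostname=({host}({dest_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})|({dest_host}[\w.\-]{1,2000})),\s{0,100}\w+=""",
    """ip=\[({dest_ip}[a-fA-F0-9.:]{1,2000})""",
    """"timestamp":"({time}[^"]{1,2000})""",
    """"host":"(::ffff:)?({host}({dest_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})|({dest_host}[\w.\-]{1,2000}))""",
    """HOSTNAME:\s{0,100}\\?"{1,100}\(({host}({dest_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})|({dest_host}[\w.\-]{1,2000}))""",
    """({event_name}A new process has been created)""",
    """({time}\d\d\/\d\d\/\d\d\d\d\s{1,100}\d\d:\d\d:\d\d\s{1,100}(?i)(AM|PM))""",
    """\w+\s{1,100}({time}\w+\s{1,100}\d{1,100}\s{1,100}\d{1,100}:\d{1,100}:\d{1,100}\s{1,100}\d{1,100})\s""",
    """timestamp":"({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\.\d\d\dZ)""",
    """({event_code}4688)""",
    """ComputerName =({host}({dest_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})|({dest_host}[\w.\-]{1,2000}))\s""",
    """(Success Audit|information)\s{1,100}({host}({dest_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})|({dest_host}[^\s]{1,2000}))""",
    # 4688 message body. The literal "\n" alternations tolerate events whose newlines arrive escaped.
    """Process Name:\s{0,100}({process}({directory}(?:[^";]{1,2000})?[\\\/])?({process_name}[^\\\/";]{1,2000}?\.\w+))(\\n){0,20}[\s;]{0,2000}Token Elevation Type:""",
    # "-" and SYSTEM are consumed but not bound to {user}, so SYSTEM-run processes carry no user value.
    """Account Name:\s{0,100}(-|SYSTEM|({user}[^\s]{1,2000}?))(\\n){0,20}[\s;]{0,2000}Account Domain:""",
    """Account Domain:\s{0,100}(-|({domain}[^\s]{1,2000}?))(\\n){0,20}[\s;]{0,2000}Logon ID:""",
    """Logon ID:\s{0,100}({logon_id}[^\s;]{1,2000}?)[\\n\s]{0,20}(Target|Process)""",
    """New Process ID:\s{0,100}({process_guid}[^\s;]{1,2000}?)(\\n){0,20}(\s|;)""",
    """Creator Process ID:\s{0,100}({parent_process_guid}[^\s;]{1,2000}?)(\\n){0,20}\\?(\s|;|")""",
    """Creator Process Name:\s{0,100}({parent_process}((?:[^";]{1,2000})?[\\\/])?({parent_process_name}[^\\\/";]{1,2000}?))[\s;]{0,2000}Process Command Line:""",
    """Process Command Line:\s{1,100}"?(\s{0,100}|({command_line}.+?))"?(\\n){0,20}\s{0,100}Token Elevation Type indicates""",
    # Service installation via "sc create": binds service_name and the binPath= executable.
    """Process Command Line:\s{0,100}"{0,20}(|-|(sc|((?:[^"]{1,2000})?[\\\/])?sc.exe)\s{0,100}(?:\\*[\w.\-]{1,2000})?\s{0,100}create\s{0,100}({service_name}.+?))\s{1,100}binPath= \s{0,100}(|-|({process}({directory}(?:[^"]{1,2000})?[\\\/])?({process_name}[^\\\/\s]{1,2000})))"{0,20}\s{0,100}Token Elevation Type""",
    """binPath=\s{0,100}({service_command_line}(?:\"(.+)\")|(?:(\S+)))\s{0,100}""",
    # Argument extraction from the command line: .sct/.hta/.xml/.csproj files and "/u <file>" targets.
    # Each file type has an unquoted and a quoted variant; the quoted variants are kept identical in shape.
    """Command\s{0,100}Line(:|=).*\s{1,100}({parameter_sct}\S+\.sct)""",
    """Command\s{0,100}Line(:|=).*\s{1,100}"({parameter_sct}.+\.sct)"""",
    """Command\s{0,100}Line(:|=).*\s{1,100}({parameter_hta}\S+\.hta)""",
    """Command\s{0,100}Line(:|=).*\s{1,100}"({parameter_hta}.+\.hta)"""",
    """Command\s{0,100}Line(:|=).*\s{1,100}({parameter_xml}\S+\.xml)""",
    """Command\s{0,100}Line(:|=).*\s{1,100}"({parameter_xml}.+\.xml)"""",
    """Command\s{0,100}Line(:|=).*\s{1,100}({parameter_csproj}\S+\.csproj)""",
    """Command\s{0,100}Line(:|=).*\s{1,100}"({parameter_csproj}.+\.csproj)"""",
    """Command\s{0,100}Line(:|=).+?\/u\s{0,100}["\s]({parameter_exe}.+?\.exe)""",
    """Command\s{0,100}Line(:|=).+?\/u\s{0,100}["\s]({parameter_dll}.+?\.dll)"""
  ]
  # Field copies: process_guid -> pid, directory -> process_directory, process -> path.
  DupFields = [ "process_guid->pid","directory->process_directory","process->path" ]
}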