pC_s47402.md

Parser Content

{
Name = s-4740-2
  Vendor = Microsoft
  Product = Windows
  Lms = Direct
  DataType = "windows-account-lockout"
  TimeFormat = "yyyy-MM-dd HH:mm:ss"
  Conditions = ["""Account That Was Locked Out""", """ ComputerName =""", """Account Name =""", """ EventID=4740 """]
  Fields = [
    """({event_name}Account That Was Locked Out)""",
    """({event_code}4740)""",
    """\sComputerName =({host}[^\s]{1,2000})""",
    """Locked Out:Security ID=({user_sid}[^\s]{1,2000})""",
    """\sDetectTime=({time}\d\d\d\d-\d{1,100}-\d{1,100} \d{1,100}:\d{1,100}:\d{1,100})\s""",
    """\sUser=(null|({user}[^\s]{1,2000}))""",
    """\sEventType=({outcome}[^\s]{1,2000})""",
    """Caller Computer Name =({src_host}[^\s]{1,2000})""",
    """Account Name =({user}[^\s]{1,2000})""",
    """Account Domain=({domain}[^\s]{1,2000})""",
    """Logon ID=({logon_id}[^\s"]{1,2000})""",
    """Security ID=({sid}[^\s]{1,2000})""",
  ]
  DupFields=[ "host->dest_host", "domain->caller_domain" ]


}