pC_s4801.md

Parser Content

{
Name = s-4801
  Vendor = Microsoft
  Product = Windows
  Lms = Splunk
  DataType = "windows-4801"
  TimeFormat = "MM/dd/yyyy HH:mm:ss a"
  Conditions = [ """EventCode=4801""", """The workstation was unlocked.""" ]
  Fields = [
    """({event_name}The workstation was unlocked)""",
    """({time}\d\d\/\d\d\/\d\d\d\d \d\d:\d\d:\d\d (am|AM|pm|PM))\s{1,100}LogName =""",
    """({event_code}4801)""",
    """ComputerName =({host}[^\s]{1,2000})""",
    """Account Name:\s{0,100}({user}[^:]{1,2000})\s{1,100}Account Domain:""",
    """Account Domain:\s{0,100}({domain}[^:]{1,2000})\s{1,100}Logon ID:""",
    """Logon ID:\s{0,100}({logon_id}[^\s]{1,2000})\s{1,100}Session""",
  ]
  DupFields = [ "host->dest_host" ]


}