pC_s680.md

Parser Content

{
Name = s-680
  Vendor = Microsoft
  Product = Windows
  Lms = Splunk
  DataType = "windows-680"
  TimeFormat = "MM/dd/yyyy hh:mm:ss a"
  Conditions = [ "EventCode=680" ]
  Fields = [ """exabeam_raw=({time}\d{1,100}/\d{1,100}/\d{1,100} \d{1,100}:\d{1,100}:\d{1,100} (am|AM|pm|PM))""",
    """({event_name}Logon attempt)""",
             """EventCode=({event_code}\w+)""",
             """Logon account:\s{1,100}({user}[^@]{1,2000}?)(?:@({domain}[^\s.]{1,2000})[^\s]{0,2000})?\s{1,100}Source Workstation:\s{1,100}({dest_host}[^\s]{1,2000})""",
             """Error Code:\s{1,100}({result_code}[\w\-]{1,2000})""",
             """Sid=({user_sid}[^\s]{1,2000})\s{1,100}SidType""",
             """ComputerName =[^.\s]{1,2000}(\.({domain}[^.\s]{1,2000}))?"""
  ]


}