pC_windowsxmlpowershellprocesscreated2.md
June 14, 2023 · View on GitHub
Parser Content
{
# Parser definition for Windows PowerShell EventID 4103 delivered as rendered XML.
# Identity and catalog keys for this parser.
Name = windows-xml-powershell-process-created-2
Vendor = Microsoft
Product = Windows
Lms = Direct
# NOTE(review): EventID 4103 is PowerShell module logging (one event per executed
# command/pipeline), not a process-creation event. Confirm that downstream consumers
# of "process-created" expect that volume and semantics before using these events
# for process counts or process-based detections.
DataType = "process-created"
IsHVF = true
# Format applied to the {time} capture below. It carries no zone designator, so the
# parsed value has no offset attached; SystemTime in Windows event XML is normally
# UTC with a trailing 'Z' that the regex does not capture — verify the engine treats
# the result as UTC, otherwise timelines shift by the collector's local offset.
TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSS"
# All four substrings must be present for this parser to claim an event.
Conditions = [ """Microsoft-Windows-PowerShell""", """Context:""", """<Provider Name =""", """<EventID>4103<""" ]
Fields = [
# Event timestamp; exactly three fractional digits are kept, anything after them is dropped.
"""<TimeCreated SystemTime='({time}\d{1,100}\-\d{1,100}\-\d{1,100}T\d{1,100}:\d{1,100}:\d{1,100}\.\d{3})""",
# Literal event code.
"""({event_code}4103)""",
# Logging host from the System block.
"""<Computer>({host}[^<>]{1,2000})</Computer>""",
# Process ID of the PowerShell host that emitted the event.
"""<Execution ProcessID='({pid}\d{1,100})""",
# Security identifier of the account the event was logged under.
"""<Security UserID='({user_sid}[\w\-]{1,2000})'/>""",
# The Context patterns below each skip up to 2000 non-'@' characters after "Context"
# before looking for their key/value pair.
# User: an optional DOMAIN\ or DOMAIN/ prefix lands in {domain}; a bare "SYSTEM" is
# consumed by the first alternative and deliberately not stored in {user}.
"""Context[^@]{1,2000}?User\s{0,100}=\s{0,100}(({domain}[^=]{1,2000}?)[\\\/]{1,2000})?(SYSTEM|({user}[^=\/\\]{1,2000}?))\s{0,100}Connected User =""",
# Host Application: the two patterns below both populate {command_line}; the second
# additionally splits the leading path into {directory} and {process_name}.
# NOTE(review): both captures stop at the first "Engine Version =" that follows the
# value. Host Application text is attacker-influenced, so a command line that itself
# contains that string would truncate {command_line}; detections keyed on exact
# command_line values should expect this.
"""Context[^@]{1,2000}?Host Application\s{0,100}=\s{0,100}({command_line}.+?)\s{0,100}Engine Version =""",
# NOTE(review): {directory} excludes whitespace, so a host path containing spaces
# (e.g. under "Program Files") will not split into directory/process_name as intended
# and {process_name} will hold only the first whitespace-delimited token — confirm
# against real inputs.
"""Context[^@]{1,2000}?Host Application\s{0,100}=\s{0,100}({command_line}(({directory}[^\;=\s]{1,2000})[\\\/]{1,2000})?({process_name}[^\s]{1,2000})[^\n]{1,2000}?)\s{1,100}Engine Version =""",
# Command Type / Command Name may be empty; the leading empty alternative allows that.
"""Context[^@]{1,2000}?Command Type\s{0,100}=\s{0,100}(|({command_type}[^=]{1,2000}?))\s{0,100}Script Name =""",
"""Context[^@]{1,2000}?Command Name\s{0,100}=\s{0,100}(|({command_name}[^=]{1,2000}?))\s{0,100}Command Type =""",
# Script Name must begin with a non-whitespace character and is read up to "Command Path =".
"""Context[^@]{1,2000}?Script Name\s{0,100}=\s{1,100}({script_name}\S[^=]{1,2000}?)\s{1,100}Command Path =""",
# PowerShell engine version string.
"""Engine Version\s{0,10}=\s{0,10}({engine_version}[^\s]{1,2000})\s{0,100}""",
]
# Copies of parsed fields under their canonical names.
DupFields = [ "host->dest_host", "directory->process_directory" ]
}