pC_xml46241.md


Parser Content

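{
  # Parser definition in the HOCON-style syntax used for Exabeam parser content
  # (`#` begins a full-line comment). It extracts fields from Windows Security
  # event 4624 ("An account was successfully logged on") in its XML form, as
  # forwarded by Splunk (see Lms / DataType).
  Name = xml-4624-1
  Vendor = Microsoft
  Product = Windows
  Lms = Splunk
  DataType = "windows-4624"
  # Layout of the value captured into {time} below (millisecond precision).
  TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSS"
  # Literal substrings the raw event must contain for this parser to apply
  # (presumably all of them -- confirm against the parser engine's rules).
  # Because WorkstationName is a condition, 4624 events lacking that data
  # element will not be handled by this parser.
  # `\=` is a literal backslash followed by `=`: the raw text evidently arrives
  # with attribute `=` escaped and values single-quoted (looks like Splunk-side
  # quoting -- TODO confirm on a sample event).
  Conditions = [ """<EventID>4624<""", """An account was successfully logged on""", """<Data Name\=""", """WorkstationName""" ]
  # Field regexes. `({name}...)` is a named capture that becomes the event field.
  # `\\=` in a regex matches the same literal `\=` the Conditions look for.
  # Bounded quantifiers ({1,2000}, {0,100}) instead of unbounded `+`/`*` keep
  # matching from running away on oversized or malformed events.
  Fields = [
    """<TimeCreated SystemTime\\='({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{3})""",
    """<Computer>({host}[^<>]{1,2000})</Computer>""",
    """<Provider Name\\='({provider_name}[^'"]{1,2000})""",
    """<EventID[^<]{0,2000}?>({event_code}\d{1,100})""",
    """({event_name}An account was successfully logged on)""",
    # Subject* elements: a bare `-` placeholder is consumed by the first
    # alternative, so the field is simply left unset rather than set to "-".
    # (Subject vs Target semantics: see Microsoft's 4624 field reference.)
    """<Data Name\\='SubjectUserSid'>(-|({user_sid}.+?))<""",
    """<Data Name\\='SubjectUserName'>(-|({user}.+?))<""",
    """<Data Name\\='SubjectDomainName'>(-|({domain}.+?))<""",
    """<Data Name\\='SubjectLogonId'>(-|({logon_id}.+?))<""",
    # target_user is deliberately not set when the value is SYSTEM.
    """<Data Name\\='TargetUserName'>(SYSTEM|({target_user}[^<]{1,2000}))<""",
    """<Data Name\\='TargetDomainName'>({target_domain}[^<]{1,2000})<""",
    # Numeric logon type (interactive, network, remote, ...) -- the usual pivot
    # for logon-based detections; meanings per Microsoft's LogonType table.
    """<Data Name\\='LogonType'>({logon_type}\d{1,100})<""",
    """<Data Name\\='TargetUserSid'>({target_user_sid}[^<]{1,2000})<""",
    """<Data Name\\='TargetLogonId'>({target_logon_id}[^<]{1,2000})<""",
    # Full path goes to {process}; {process_directory} (optional, ending in
    # `\` or `/`) and {process_name} are nested captures of the same text.
    """<Data Name\\='ProcessName'>(-|({process}({process_directory}[^<>]{0,2000}?[\\\/]{1,2000})?({process_name}[^<>\\\/]{1,2000})))<""",
    # NOTE(review): {pid} is assigned by two patterns -- the ProcessId data
    # element and the Execution ProcessID attribute. Which value wins when both
    # match depends on the parser engine; verify, since they need not refer to
    # the same process.
    """<Data Name\\='ProcessId'>({pid}[^<]{1,2000}?)\s{0,100}<""",
    """<Execution ProcessID\\='({pid}[^'"]{1,2000})""",
    # Only IPv4/IPv6-looking characters are accepted; `-` yields no src_ip.
    """<Data Name\\='IpAddress'[^<>]{0,2000}?>(-|({src_ip}[A-Fa-f:\d.]{1,2000}))""",
    """<Data Name\\='LogonProcessName'>({auth_process}[^\s<]{1,2000})""",
    """<Data Name\\='AuthenticationPackageName'>({auth_package}[^<]{1,2000})<""",
    # A WorkstationName that looks like an IP address, or `-`, is consumed
    # without setting src_host; only name-like values are captured.
    """<Data Name\\='WorkstationName'>([A-Fa-f:\d.]{1,2000}|-|({src_host}[^<]{1,2000}))<""",
    # Trailing comma added for consistency with the other elements (HOCON
    # accepts a newline as separator, so the original was not invalid).
    """<Keywords>({outcome}.+?)</Keywords>""",
    # Variants that accept either a single- or double-quoted Name attribute.
    """<Data Name\\=('|")WorkstationName('|")>([A-Fa-f:\d.]{1,2000}|-|({src_host_windows}[^<]{1,2000}))</Data>""",
    """<Data Name\\=('|")SubjectUserSid('|")>({subject_sid}[^<]{1,2000})</Data>""",
    """<Data Name\\=('|")KeyLength('|")>({key_length}[^<]{1,2000})</Data>"""
  ]
  # Presumably copies host into dest_host (per the `->` notation) -- confirm.
  DupFields = ["host->dest_host"]
}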