pC_xml46251.md

Parser Content

{
Name = xml-4625-1
    Vendor = Microsoft
    Product = Windows
    Lms = Direct
    DataType = "windows-failed-logon"
    TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSSSSSSSZ"
    Conditions = ["<EventID>4625</EventID>", "An account failed to log on", "Failure Reason", "Computer"]
    Fields = [
      """({event_name}An account failed to log on)""",
      """TimeCreated SystemTime='({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d.\d\d\d\d\d\d\d\d\dZ)'""",
      """Computer>({host}[^<]{1,2000})<\/Computer""",
      """({event_code}4625)""",
      """Subject(:|=).+?Account Name(:|=)\s{0,100}(-|({caller_user}[^\s@]{1,2000}?))[\s;]{0,2000}Account Domain(:|=)""",
      """Logon Type(:|=)\s{0,100}({logon_type}[\d]{1,2000})\s{1,100}Account\s""",
      """Account For[\s;]{0,2000}Which Logon Failed(:|=)[\s;]{0,2000}Security ID(:|=)\s{0,100}(?:\/?NULL SID|({user_sid}.+?))[\s;]{0,2000}Account Name""",
      """Logon Failed(:|=).+?Account Name(:|=)\s{0,100}({user}[^\s@]{1,2000}?)[\s;]{0,2000}Account Domain(:|=)""",
      """Logon Failed(:|=).+?Account Name(:|=)\s{0,100}({user_email}[^\s@;]{1,2000}?@[^\s@;]{1,2000}?)[\s;]{0,2000}Account Domain(:|=)""",
      """Logon Failed(:|=).+?Account Domain(?::|=)\s{0,100}(|-|({domain}[^\s]{1,2000}?))[\s;]{0,2000}Failure Information""",
      """Sub Status(:|=)\s{0,100}({result_code}.+?)[\s;]{0,2000}Process Information(:|=)""",
      """Workstation Name(:|=)\s{0,100}(-|({src_host_windows}[^\s;]{1,2000}))[\s;]{0,2000}Source Network Address(:|=)""",
      """Source Network Address(:|=)\s{0,100}(-|({src_ip}[^\s;]{1,2000}))[\s;]{0,2000}Source Port(:|=)""",
      """Logon Process(:|=)\s{0,100}({auth_process}[^\s;]{1,2000})[\s;]{0,2000}Authentication Package(:|=)""",
      """Authentication Package(:|=)\s{0,100}({auth_package}.+?)[\s;]{0,2000}Transited Services(:|=)""",
    ]
    DupFields = ["host->dest_host"]
  

}