pC_xml4776.md
November 7, 2023 · View on GitHub
Parser Content
{
Name = xml-4776
Vendor = Microsoft
Product = Windows
Lms = ElasticSearch
DataType = "windows-4776"
TimeFormat = "yyyy-MM-dd'T'HH:mm:ss"
Conditions = ["""<EventID>4776</EventID>""", """'Status'>"""]
Fields = [
"""SystemTime(\\)?=\'({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d)""",
"""({event_name}The (computer|domain controller) attempted to validate the credentials for an account)""",
"""<Data Name(\\)?='Workstation'>(\\+)?(({src_ip}(((\d{1,3}\.){1,3}\d{1,3})|([A-Fa-f0-9]{0,2000}:[A-Fa-f0-9:.]{1,2000})))|(?:(?!NULL)(Unknown|(?i)(workstation)|({src_host}[^\s.]{1,2000}))(\.[^\s]{1,2000})?))</Data>""",
"""<Computer>({host}[^<]{1,2000})</Computer>""",
"""The ({login_type}computer|domain)(\s\w+)? attempted to validate the credentials""",
"""<EventID>({event_code}\d{1,100})</EventID>""",
"""<Computer>(?!(?:[A-Fa-f:\d.]{1,2000}))[^<.]{1,2000}(\.({domain}[^<]{1,2000})[^<]{0,2000})?</Computer>""",
"""<Data Name(\\)?='TargetUserName'>(({user_email}[^@<]{1,2000}@[^\.<]{1,2000}\.[^<]{1,2000})|(({domain}[^<\\]{1,2000})\\{1,20})?(null|({user}[^<;]{1,2000}))|({=user}[^@<;]{1,2000}?)(?:@({=domain}[^<.]{1,2000})[^<]{0,2000})?)</Data>""",
"""<Data Name(\\)?='Status'>({result_code}[^<]{1,2000})</Data>""",
"""<Keywords><Keyword>({outcome}[^<]{1,2000})<""",
"""(?i)Workstation:\s{0,100}((?i)(workstation)|({src_host}[^"\s]{1,2000}))"""
]
DupFields = ["host->dest_host"]
}