pC_microsoftevsecurityjsonuserenablesuccess47221.md
December 5, 2023 · View on GitHub
Parser Content
{
# Parser definition for JSON-formatted Windows Security Auditing event 4722
# ("A user account was enabled"), as selected by the Conditions below.
Name = microsoft-evsecurity-json-user-enable-success-4722-1
# Literal substrings that identify the event: the event id, the provider name
# and the message text.
# presumably every entry must be present in the raw log for this parser to be chosen; confirm against the parser engine
Conditions = [
""""event_id":4722"""
"""Microsoft-Windows-Security-Auditing"""
"""A user account was enabled"""
]
ParserVersion = "v1.0.0"
# NOTE(review): the next line appears truncated on this page. It reads like the
# tail of a "Fields = ${...json-windows-events-1.Fields}[" template reference that
# appends the patterns below to an inherited field list; restore it from the
# upstream file before using this definition.
json-windows-events-1.Fields}[
# NOTE(review): this pattern captures the literal text "A user account was disabled"
# into event_name, but the Conditions above select events containing
# "A user account was enabled" (4722; "disabled" is the message text of 4725).
# As written the pattern would not match a log line that satisfies the
# Conditions, so event_name would not be set by this parser. Detections or
# searches keyed on event_name for account re-enablement would then miss these
# events. The literal most likely should read "A user account was enabled"; confirm.
"""({event_name}A user account was disabled)""",
# Reads the "hostname" JSON value. The first alternative (dotted-quad shape) has
# no named capture, so dest_host is only populated by the second alternative.
# NOTE(review): the dots between the \d{1,3} groups are unescaped and therefore
# match any character, so a hostname beginning with digit groups separated by
# arbitrary single characters can be consumed by the first alternative and
# leave dest_host empty. Escaping them as \. would restrict that branch to IPv4
# literals.
""""hostname"+:"+(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}|({dest_host}[^"]+))""",
# NOTE(review): no closing "]" for the field list is visible before the final
# brace; presumably lost in extraction along with the start of the Fields line.
}