###### Add Host value for Standard Windows Performance Counter Information ######
[source::(Perfmon|WMI:Perfmon)...]
FIELDALIAS-Host_for_windows_perfmon = host as Host

[source::...Perfmon...]
EVAL-componentId = "Perfmon-" . object . "-" . counter
EVAL-componentInstance = instance
EVAL-componentValue = Value
LOOKUP-exc_host = hostInformation host OUTPUT ms_exchange_host

[source::...(service|process)...]
LOOKUP-exc_host = hostInformation host OUTPUT ms_exchange_host

[WinHostMon]
EVAL-componentId = "WinHostMon-" . Name
EVAL-componentInstance = Path
EVAL-componentValue = if((isnull(State) AND Type == "Process") OR (State == "Running" AND Type == "Service"), 1, 0)

[MSExchange:2007:Topology]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
EXTRACT-mv=ProductVersion="(?<MajorVersion>\d+\.\d+)

[MSExchange:2010:Topology]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
EXTRACT-mv=ProductVersion="(?<MajorVersion>\d+\.\d+)

[MSExchange:2013:Topology]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
EXTRACT-mv=ProductVersion="(?<MajorVersion>\d+\.\d+)

[MSExchange:2007:Mailbox-Usage]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
FIELDALIAS-Username = User as Username

[MSExchange:2010:Mailbox-Usage]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
FIELDALIAS-Username = User as Username

[MSExchange:2013:Mailbox-Usage]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
FIELDALIAS-Username = User as Username

[MSExchange:2007:Database-Stats]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false

[MSExchange:2010:Database-Stats]
TIME_FORMAT=%Y-%m-%dT%H:%M:%S%:z
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD = 26
NO_BINARY_CHECK = true
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false

[MSExchange:2013:Database-Stats]
TIME_FORMAT=%Y-%m-%dT%H:%M:%S%:z
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD = 26
NO_BINARY_CHECK = true
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false

[MSExchange:Reputation]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false

[source::XmlWinEventLog:Application]
FIELDALIAS-Status_as_Error_Code = Status AS Error_Code
EVAL-Error_Code = if(isnull(Error_Code), "-", Error_Code)
# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status

FIELDALIAS-dest_for_xmlwineventlog_application = Computer AS dest

###### All Windows Event Log ######

###### Windows Application Event Log ######

## All Windows Application

[source::WinEventLog:Application]
EVAL-dest = coalesce('ComputerName','Computer')

## Below Extractions are for XmlWinEventLog:Application and have been kept for backward compatibility
FIELDALIAS-Status_as_Error_Code = Status AS Error_Code
EVAL-Error_Code = if(isnull(Error_Code), "-", Error_Code)
# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status



##Below fields extractions have been moved from  [source::*:Security] and [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...]

[WMI:WinEventLog:Application]
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
FIELDALIAS-category_for_windows = TaskCategory as category
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity
LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
FIELDALIAS-id_for_windows = RecordNumber AS id
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows


## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject

## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)

FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id

FIELDALIAS-dest_for_wmi = ComputerName AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid


###### Backward Compatibility ######

## Perfmon Disk Space
# "Perfmon:FreeDiskSpace" sourcetype is created from perfmon.conf.

[MSExchange:2007:MessageTracking]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
REPORT-fields = msexchange2007msgtrack-fields,msgtrack-extract-psender,msgtrack-psender,msgtrack-sender,msgtrack-recipients,msgtrack-recipient
TRANSFORMS-comments = ignore_comments
FIELDALIAS-server_hostname_as_dest = server_hostname AS dest
FIELDALIAS-host_as_dvc = host AS dvc
EVAL-src = coalesce(original_client_ip,cs_ip)
EVAL-product = "Exchange"
EVAL-vendor = "Microsoft"
LOOKUP-event_id_to_action = event_id_to_action_lookup event_id OUTPUT action
FIELDALIAS-user = sender_username AS user
FIELDALIAS-orig_dest = ss_ip AS orig_dest
FIELDALIAS-dest_ip = ss_ip AS dest_ip
FIELDALIAS-return_addr = return_path AS return_addr
FIELDALIAS-size = message_size AS size
FIELDALIAS-subject = message_subject AS subject
EVAL-orig_src = coalesce(original_client_ip,cs_ip)
EVAL-protocol = "SMTP"
EVAL-vendor_product = "Microsoft Exchange"
EVAL-sender = coalesce(PurportedSender,sender)
EVAL-src_user = coalesce(PurportedSender,sender)
EVAL-sender_username = coalesce(psender_username,sender_username)
EVAL-sender_domain = coalesce(psender_domain,sender_domain)

[MSExchange:2010:MessageTracking]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
REPORT-fields = msexchange2010msgtrack-fields,msgtrack-extract-psender,msgtrack-psender,msgtrack-sender,msgtrack-recipients,msgtrack-recipient
TRANSFORMS-comments = ignore_comments
FIELDALIAS-server_hostname_as_dest = server_hostname AS dest
FIELDALIAS-host_as_dvc = host AS dvc
EVAL-src = coalesce(original_client_ip,cs_ip)
EVAL-product = "Exchange"
EVAL-vendor = "Microsoft"
LOOKUP-event_id_to_action = event_id_to_action_lookup event_id OUTPUT action
FIELDALIAS-user = sender_username AS user
FIELDALIAS-orig_dest = ss_ip AS orig_dest
FIELDALIAS-dest_ip = ss_ip AS dest_ip
FIELDALIAS-return_addr = return_path AS return_addr
FIELDALIAS-size = message_size AS size
FIELDALIAS-subject = message_subject AS subject
EVAL-orig_src = coalesce(original_client_ip,cs_ip)
EVAL-protocol = "SMTP"
EVAL-vendor_product = "Microsoft Exchange"
EVAL-sender = coalesce(PurportedSender,sender)
EVAL-src_user = coalesce(PurportedSender,sender)
EVAL-sender_username = coalesce(psender_username,sender_username)
EVAL-sender_domain = coalesce(psender_domain,sender_domain)

[MSExchange:2013:MessageTracking]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
REPORT-fields = msexchange2013msgtrack-fields,msgtrack-extract-psender,msgtrack-psender,msgtrack-sender,msgtrack-recipients,msgtrack-recipient
TRANSFORMS-comments = ignore_comments
FIELDALIAS-server_hostname_as_dest = server_hostname AS dest
FIELDALIAS-host_as_dvc = host AS dvc
EVAL-src = coalesce(original_client_ip,cs_ip)
EVAL-product = "Exchange"
EVAL-vendor = "Microsoft"
LOOKUP-event_id_to_action = event_id_to_action_lookup event_id OUTPUT action
FIELDALIAS-user = sender_username AS user
FIELDALIAS-orig_dest = ss_ip AS orig_dest
FIELDALIAS-dest_ip = ss_ip AS dest_ip
FIELDALIAS-return_addr = return_path AS return_addr
FIELDALIAS-size = message_size AS size
FIELDALIAS-subject = message_subject AS subject
EVAL-orig_src = coalesce(original_client_ip,cs_ip)
EVAL-protocol = "SMTP"
EVAL-vendor_product = "Microsoft Exchange"
EVAL-sender = coalesce(PurportedSender,sender)
EVAL-src_user = coalesce(PurportedSender,sender)
EVAL-sender_username = coalesce(psender_username,sender_username)
EVAL-sender_domain = coalesce(psender_domain,sender_domain)

[MSWindows:2003:IIS]
TZ = GMT
REPORT-fields = mswin_2003_iis_fields, extract_webapp, extract_client
TRANSFORMS-comments = ignore_comments
FIELDALIAS-ipaddress = c_ip as IPAddress
FIELDALIAS-cs_user_agent = cs_User_Agent as cs_user_agent

[MSWindows:2008R2:IIS]
TZ = GMT
REPORT-fields = mswin_2008r2_iis_fields, extract_webapp, extract_client
TRANSFORMS-comments = ignore_comments
FIELDALIAS-ipaddress = c_ip as IPAddress
FIELDALIAS-cs_user_agent = cs_User_Agent as cs_user_agent

[MSWindows:2012:IIS]
TZ = GMT
REPORT-fields = mswin_2012_iis_fields, extract_webapp, extract_client
TRANSFORMS-comments = ignore_comments
FIELDALIAS-ipaddress = c_ip as IPAddress
FIELDALIAS-cs_user_agent = cs_User_Agent as cs_user_agent
FIELDALIAS-cs_referer = cs_Referer as cs_referer

[MSWindows:2013EWS:IIS]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
REPORT-fields = mswindows2013ews_fields
FIELDALIAS-csusername_usersubject = user_subject AS cs_username
FIELDALIAS-rawclient_csuseragent = cs_user_agent AS raw_client
EVAL-cs_uri_stem = "/EWS/"
TRANSFORMS-comments = ignore_comments
TRANSFORMS-header = ignore_header
EVAL-RpcC = if(ServiceTaskMetadata_RpcCount>0,ServiceTaskMetadata_RpcCount,0)

[MSWindows:2010EWS:IIS]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
REPORT-fields = mswindows2010ews_fields
FIELDALIAS-csusername_usersubject = user_subject AS cs_username
FIELDALIAS-rawclient_csuseragent = cs_user_agent AS raw_client
EVAL-cs_uri_stem = "/EWS/"
TRANSFORMS-comments = ignore_comments
TRANSFORMS-header = ignore_header
EVAL-RpcC = if(ServiceTaskMetadata_RpcCount>0,ServiceTaskMetadata_RpcCount,0)

[MSExchange:2010:DistributionLists]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false

[MSExchange:2013:DistributionLists]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false

[MSExchange:2010:AdminAudit]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
REPORT-fields = AdminAudit_ExtractParam,AdminAudit_ExtractError

[MSExchange:2013:AdminAudit]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
REPORT-fields = AdminAudit_ExtractParam,AdminAudit_ExtractError

[MSExchange:2013:MailboxAudit]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false

[source::WinEventLog:Exchange Auditing]
REPORT-fields = exch_audit_user_extraction
FIELDALIAS-ipaddress = Address as IPAddress

[source::WinEventLog:Security]
EXTRACT-4625-fields = (?ms)EventCode=4625.*?Message=.*?\n.*?Subject\s*:.*?Account Name:\s*(?<dst_user>.*?)\n.*?Account Domain:\s*(?<dst_nt_domain>.*?)\n.*?Logon ID:\s*(?<session_id>.*?)\n.*?\nLogon Type:.*?\n.*?Account For Which Logon Failed.*?\n.*?Security ID:(?<user_sid>.*?)\n.*?Account Name:(?<user>.*?)\n.*?Account Domain:(?<src_nt_domain>.*?)\n
EXTRACT-4624-srcip = (?ms)EventCode=4624\n.*?Source Network Address:\s+?(?<src_ip>[^\n]+)
EXTRACT-4624-user = (?ms)New Logon:\n*?.*?Security ID:\s*?(?<dest_nt_domain>[^\\]+)\\(?<src_host>.*?)\n.*?Account Name:(?<user>.*?)\s*\n.*?Account Domain:\s+(?<dst_nt_domain>[^\n]+).*?Logon ID:\s+(?<session_id>[^\n]+)
EXTRACT-group_changes = (?ms)EventCode=(4727|4730|4731|4734|4735|4737|4744|4745|4748|4749|4750|4753|4754|4755|4758|4759|4760|4763|4764).*Message=A (?<MSADGroupClass>.*)\-(?<MSADGroupClassID>(enabled|disabled))\s(?<MSADGroupType>.*)\sgroup\swas\s(?<msad_action>[^\.]+).*Subject:.*Security ID:\s*(?<src_nt_domain>.*)\\(?<src_user>.*)\s*\n.*Account Name:.*Group:.*Security ID:\s*(?<member_id>.*)\s*\n.*Group Name:.*Group Domain:(?<dest_nt_domain>[^(\r|\n)]+).*Attributes:
EXTRACT-group_change_4764 = (?ms)EventCode=(4764)(\n|\r).*Message\=A group’s type was (?<msad_action>[^\.]+)
EXTRACT-groupmembership_changes = (?ms)EventCode=(4728|4729|4732|4733|4746|4747|4751|4752|4756|4757|4761|4762).*Message=A member was (?<msad_action>.*) (to|from) a (?<MSADGroupClass>.*)\-(?<MSADGroupClassID>(enabled|disabled)) (?<MSADGroupType>.*) group.*Subject:.*Security ID:\s*(?<src_nt_domain>.*)\\(?<src_user>.*)\n.*Account Name:.*Account Domain:.*Member:.*Security ID:\s*.*\\(?<member>.*)\n.*Account Name:.*Group:.*
EXTRACT-dest_nt_domain_for_4756 = (?msi)EventCode=4756.*(?:Account Domain.*Account Domain|Account Domain(?!(Account Domain)))\:\s+(?<dest_nt_domain>[a-zA-Z0-9._[\S\-\S]+)$
EXTRACT-group_changes_event_4756 = (?ms)EventCode\=4756\s*\n.*Member\:.*CN\=(?<member_id>[^\,]+),CN.*Group\:.*Account\sName\:\s+(?<user_group>[^(\n|\r|\s)]+).*Account\sDomain\:\s+(?<member_nt_domain>[^(\n|\r|\s)]+).*
EXTRACT-group_change_groupname = (?ms)EventCode=(4756)(\n|\r).*Group:(\n|\r).*Security ID:(?<Group_Domain>.*)\\(?<Group_Name>[^(\n|\r)]+)(\r|\n).*Account Name:
EXTRACT-4662-fields = (?ms)EventCode=4662\s*\n.*Message=.*?\n.*?Subject\s*:.*?Account Name:\s*(?<src_user>.*?)\s*\n.*?Account Domain:\s*(?<src_nt_domain>.*?)\s*\n.*?Logon ID:\s*(?<session_id>.*?)\s*\n
EXTRACT-ObjectNameGuid = (?ms)EventCode=4662\s*\n.*Message=.*?Object\s*:.*?Object\sName:\s*(CN=|%)*{*(?<Object_Name_Guid>[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})}*.*
LOOKUP-msadgroupclass = GroupType MSADGroupClassID OUTPUTNEW MSADGroupClass
EXTRACT-gpo_changes = (?ms)Object Type\:\s+groupPolicyContainer(\n|\r).*Object\sName\:\s+CN(=|=\")(?<Object_Name_Guid>\{.*\})
EXTRACT-msad_changes_oldevents = (?ms)EventCode=(624|628)(\n|\r).*Message\=(?<MSADChanges>[^\:]+)
EXTRACT-msad_action_oldevents = (?ms)EventCode=(624|628|642)(\n|\r).*Message\=User\sAccount\s(?<msad_action>[^\:]+)
EXTRACT-unlocked_accounts = (?msi)Message\=A\suser\saccount\swas\s(?<msad_action>[^\.]+)\.(\s+|\n+|\r+).*Subject\:(\s+|\n+|\r+).*Account\sName\:\s+(?<src_user>[^(\s+|\n+|\r+)]+)(\s+|\n+|\r+).*Logon\sID\:\s+(?<session_id>[^(\s+|\n+|\r+)]+)(\s+|\n+|\r+).*Target\sAccount\:(\s+|\n+|\r+).*?Account Name\:\s+(?<user>[^(\s+|\n+|\r+)]+)
EXTRACT-locked_accounts = (?msi)Message\=A\suser\saccount\swas\s(?<msad_action>[^(\.|\s)]+)(\.|\s+|\n+|\r+).*Subject\:(\s+|\n+|\r+).*Account\sName\:\s+(?<src_user>[^(\s+|\n+|\r+)]+)(\s+|\n+|\r+).*Logon\sID\:\s+(?<session_id>[^(\s+|\n+|\r+)]+)(\s+|\n+|\r+).*(Account\sThat\sWas\sLocked\sOut|Target\sAccount)\:(\s+|\n+|\r+).*?Account Name\:\s+(?<user>[^(\s+|\n+|\r+)]+) 
EXTRACT-group_changes_srcuser = (?ms)Account Name\:\s+(?<src_user>[^(\n|\r|\s)]+)(\r|\n|\s).*Account\sDomain\:\s+(?<src_nt_domain>[^(\n|\r|\s)]+)(\r|\n|\s).*Logon\sID\:\s+(?<session_id>[^(\n|\r|\s)]+)(\r|\n|\s).*Group\:
EXTRACT-PSN=Process Name:.*Microsoft\.Exchange\.(?<ProtocolServiceName>[^\.]+)\.exe


[source::*:System]
REPORT-bestmatch_for_windows_system = ComputerName_as_dest,ComputerName_as_src
REPORT-package_for_windows_system_update = package_title_for_windows_system_update,package_for_windowsupdatelog
LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status
REPORT-user_for_windows_system = user_for_windows_system_ias

EVAL-vendor = "Microsoft"
EVAL-product = "Windows"

[WindowsUpdateLog]
FIELDALIAS-dest_for_windowsupdatelog = host as dest
REPORT-0package_message_for_windowsupdatelog = package_message_for_windowsupdatelog
REPORT-1package_title_for_windowsupdatelog = package_title_for_windowsupdatelog,package_title_for_windowsupdatelog_restartrequired,package_title_for_windowsupdatelog_package_message
REPORT-package_for_windowsupdatelog = package_for_windowsupdatelog
REPORT-pid-tid-component_for_windowsupdatelog = pid-tid-component_for_windowsupdatelog
LOOKUP-status_for_windowsupdatelog = windows_update_status_lookup vendor_status OUTPUTNEW status