## windows system sub-sourcetyping
[source::WinEventLog:System]
TRANSFORMS-force_source_system_ias_for_wineventlog = force_source_system_ias_for_wineventlog

###### All Windows Event Log ######

## Apply the following properties to all Windows events
[source::(WinEventLog|XmlWinEventLog|WMI:WinEventLog)...]
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString
FIELDALIAS-dvc_for_windows = host as dvc_nt_host,host as dvc
FIELDALIAS-event_id_for_windows = RecordNumber as event_id
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows

## Attempt to map EventCodes that have sub statii ( i.e. EventCode=4625 + SubStatus=0xC0000064 = "User name does not exist" )
LOOKUP-signature_for_windows = windows_signature_lookup2 signature_id,Sub_Status OUTPUTNEW signature,signature as name

## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature as name

FIELDALIAS-signature_id_for_windows = EventCode as signature_id
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID as user_group_id

###### Add Windows Event Code Description Lookup Using LogName, EventCode ######
LOOKUP-EventCodeDescription_for_windows = windows_event_descriptions LogName,EventCode OUTPUTNEW EventCodeDescription

###### Add an Alias for TaskCategory and CategoryString from the Windows Events ##### 
#FIELDALIAS-CategoryString_for_windows = CategoryString as TaskCategory

###### Add Host value for Standard Windows Performance Counter Information ######
[source::(Perfmon|WMI:Perfmon)...]
FIELDALIAS-Host_for_windows_perfmon = host as Host

###### Windows Application Event Log ######
[source::WinEventLog:Application]
FIELDALIAS-dest_for_wineventlog_application = ComputerName as dest
FIELDALIAS-msgid = Message_ID AS message_id

###### Windows System Event Log ######

## All Windows System
[source::*:System]
REPORT-bestmatch_for_windows_system = ComputerName_as_dest,ComputerName_as_src
REPORT-package_for_windows_system_update = package_title_for_windows_system_update,package_for_windowsupdatelog
LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status
REPORT-user_for_windows_system = user_for_windows_system_ias

EVAL-vendor = "Microsoft"
EVAL-product = "Windows"

## IAS (Currently WinEventLog Support Only)
[source::WinEventLog:System:IAS]
REPORT-0auto_kv_for_windows_system_ias = auto_kv_for_windows_system_ias

EVAL-app = "ias"

###### WindowsUpdateLog ######
[source::*WindowsUpdateLog]
sourcetype = WindowsUpdateLog

[source::*WindowsUpdate.Log]
sourcetype = WindowsUpdateLog

[WindowsUpdateLog]
FIELDALIAS-dest_for_windowsupdatelog = host as dest
REPORT-0package_message_for_windowsupdatelog = package_message_for_windowsupdatelog
REPORT-1package_title_for_windowsupdatelog = package_title_for_windowsupdatelog,package_title_for_windowsupdatelog_restartrequired,package_title_for_windowsupdatelog_package_message
REPORT-package_for_windowsupdatelog = package_for_windowsupdatelog
REPORT-pid-tid-component_for_windowsupdatelog = pid-tid-component_for_windowsupdatelog
LOOKUP-status_for_windowsupdatelog = windows_update_status_lookup vendor_status OUTPUTNEW status

###### WindowsFirewallLog ######
[Windows_FW]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
REPORT-Windows_FW = Transform_Windows_FW

[source::Splunk_Data_Collect]
EXTRACT-remote_data_host = host\=\"(?<host>[^\"]+)

[source::WinEventLog:Security]
EXTRACT-4625-fields = (?ms)EventCode=4625.*?Message=.*?\n.*?Subject\s*:.*?Account Name:\s*(?<dst_user>.*?)\n.*?Account Domain:\s*(?<dst_nt_domain>.*?)\n.*?Logon ID:\s*(?<session_id>.*?)\n.*?\nLogon Type:.*?\n.*?Account For Which Logon Failed.*?\n.*?Security ID:(?<user_sid>.*?)\n.*?Account Name:(?<user>.*?)\n.*?Account Domain:(?<src_nt_domain>.*?)\n
EXTRACT-4624-srcip = (?ms)EventCode=4624\n.*?Source Network Address:\s+?(?<src_ip>[^\n]+)
EXTRACT-4624-user = (?ms)New Logon:\n*?.*?Security ID:\s*?(?<dest_nt_domain>[^\\]+)\\(?<src_host>.*?)\n.*?Account Name:(?<user>.*?)\s*\n.*?Account Domain:\s+(?<dst_nt_domain>[^\n]+).*?Logon ID:\s+(?<session_id>[^\n]+)
EXTRACT-group_changes = (?ms)EventCode=(4727|4730|4731|4734|4735|4737|4744|4745|4748|4749|4750|4753|4754|4755|4758|4759|4760|4763|4764).*Message=A (?<MSADGroupClass>.*)\-(?<MSADGroupClassID>(enabled|disabled))\s(?<MSADGroupType>.*)\sgroup\swas\s(?<msad_action>[^\.]+).*Subject:.*Security ID:\s*(?<src_nt_domain>.*)\\(?<src_user>.*)\s*\n.*Account Name:.*Group:.*Security ID:\s*(?<member_id>.*)\s*\n.*Group Name:.*Group Domain:(?<dest_nt_domain>[^(\r|\n)]+).*Attributes:
EXTRACT-group_change_4764 = (?ms)EventCode=(4764)(\n|\r).*Message\=A group’s type was (?<msad_action>[^\.]+)
EXTRACT-groupmembership_changes = (?ms)EventCode=(4728|4729|4732|4733|4746|4747|4751|4752|4756|4757|4761|4762).*Message=A member was (?<msad_action>.*) (to|from) a (?<MSADGroupClass>.*)\-(?<MSADGroupClassID>(enabled|disabled)) (?<MSADGroupType>.*) group.*Subject:.*Security ID:\s*(?<src_nt_domain>.*)\\(?<src_user>.*)\n.*Account Name:.*Account Domain:.*Member:.*Security ID:\s*.*\\(?<member>.*)\n.*Account Name:.*Group:.*
EXTRACT-dest_nt_domain_for_4756 = (?msi)EventCode=4756.*(?:Account Domain.*Account Domain|Account Domain(?!(Account Domain)))\:\s+(?<dest_nt_domain>[a-zA-Z0-9._[\S\-\S]+)$
EXTRACT-group_changes_event_4756 = (?ms)EventCode\=4756\s*\n.*Member\:.*CN\=(?<member_id>[^\,]+),CN.*Group\:.*Account\sName\:\s+(?<user_group>[^(\n|\r|\s)]+).*Account\sDomain\:\s+(?<member_nt_domain>[^(\n|\r|\s)]+).*
EXTRACT-group_change_groupname = (?ms)EventCode=(4756)(\n|\r).*Group:(\n|\r).*Security ID:(?<Group_Domain>.*)\\(?<Group_Name>[^(\n|\r)]+)(\r|\n).*Account Name:
EXTRACT-4662-fields = (?ms)EventCode=4662\s*\n.*Message=.*?\n.*?Subject\s*:.*?Account Name:\s*(?<src_user>.*?)\s*\n.*?Account Domain:\s*(?<src_nt_domain>.*?)\s*\n.*?Logon ID:\s*(?<session_id>.*?)\s*\n
EXTRACT-ObjectNameGuid = (?ms)EventCode=4662\s*\n.*Message=.*?Object\s*:.*?Object\sName:\s*(CN=|%)*{*(?<Object_Name_Guid>[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})}*.*
LOOKUP-msadgroupclass = GroupType MSADGroupClassID OUTPUTNEW MSADGroupClass
EXTRACT-gpo_changes = (?ms)Object Type\:\s+groupPolicyContainer(\n|\r).*Object\sName\:\s+CN(=|=\")(?<Object_Name_Guid>\{.*\})
EXTRACT-msad_changes_oldevents = (?ms)EventCode=(624|628)(\n|\r).*Message\=(?<MSADChanges>[^\:]+)
EXTRACT-msad_action_oldevents = (?ms)EventCode=(624|628|642)(\n|\r).*Message\=User\sAccount\s(?<msad_action>[^\:]+)
EXTRACT-unlocked_accounts = (?msi)Message\=A\suser\saccount\swas\s(?<msad_action>[^\.]+)\.(\s+|\n+|\r+).*Subject\:(\s+|\n+|\r+).*Account\sName\:\s+(?<src_user>[^(\s+|\n+|\r+)]+)(\s+|\n+|\r+).*Logon\sID\:\s+(?<session_id>[^(\s+|\n+|\r+)]+)(\s+|\n+|\r+).*Target\sAccount\:(\s+|\n+|\r+).*?Account Name\:\s+(?<user>[^(\s+|\n+|\r+)]+)
EXTRACT-locked_accounts = (?msi)Message\=A\suser\saccount\swas\s(?<msad_action>[^(\.|\s)]+)(\.|\s+|\n+|\r+).*Subject\:(\s+|\n+|\r+).*Account\sName\:\s+(?<src_user>[^(\s+|\n+|\r+)]+)(\s+|\n+|\r+).*Logon\sID\:\s+(?<session_id>[^(\s+|\n+|\r+)]+)(\s+|\n+|\r+).*(Account\sThat\sWas\sLocked\sOut|Target\sAccount)\:(\s+|\n+|\r+).*?Account Name\:\s+(?<user>[^(\s+|\n+|\r+)]+) 
EXTRACT-group_changes_srcuser = (?ms)Account Name\:\s+(?<src_user>[^\n\r\s]+)[\r\n\s].*Account\sDomain\:\s+(?<src_nt_domain>[^\n\r\s]+)[\r\n\s].*Logon\sID\:\s+(?<session_id>[^\n\r\s]+)(\r|\n|\s).*Group\:
EXTRACT-PSN=Process Name:.*Microsoft\.Exchange\.(?<ProtocolServiceName>[^\.]+)\.exe