#################################################################
#### MS Windows AD Objects App - Field Extractions ####
#################################################################
# Splunk props.conf for Windows / Active Directory object-change auditing:
# search-time field extractions (EXTRACT-*), calculated fields (EVAL-*), one
# transforms.conf reference (REPORT-*) and one index-time rewrite (SEDCMD-*),
# grouped by source. EVAL-* settings are applied after extraction and may
# redefine a field of the same name; many below normalise an extracted field
# in place (lower-case it and strip backslashes).
#
# NOTE(review): this copy looks garbled by an HTML-style extraction that dropped
# everything between '<' and '>': every named capture group now reads "(?...)"
# instead of "(?<field>...)" (e.g. "(?[^\.]+)"), and the XmlWinEventLog stanza
# has lost its "<Data Name='...'>" anchors, leaving fragments such as
# "(?:\)(?[^\<]+)". As written these regexes do not compile, and the field each
# one was meant to populate cannot be recovered from this page; restore the
# names and XML anchors from the original app package before deploying.
#
# NOTE(review): character classes written as [^(\r|\n)] or [^\r|\n] also exclude
# the literal characters '(', '|' and ')' (inside [...] they are not grouping or
# alternation), so names and DNs containing them are cut short; [^\r\n] is the
# form that only stops at a line end. Likewise [\S\-\S] is just \S, and the '['
# inside [a-zA-Z0-9._[...] is a literal. This pattern recurs throughout the file.

# Windows Installer (MsiInstaller) events from the Application log. The 1033 /
# 11707 in the setting names are the MSI event IDs whose message text is
# matched; "Produ(c|k)t" accepts the German as well as the English message.
# Product fields stop at the first '.' or '-' (and, see the note above, '(' or '|').
[source::WinEventLog:Application]
EXTRACT-winevent_1033_install_msg = (?msi)(?:Message\=)(?Windows\sInstaller[^\.]+)\.\s+Product\sName\:
EXTRACT-winevent_11707_install_msg = (?msi)(?:Message\=)Produ(c|k)t.*\-\-\s+(?[^\.]+)\.
EXTRACT-winevent_all_product_name = (?msi)(?:(Product|Produkt)(\:|\sName\:))(?[^(\.|\-)]+)
EXTRACT-winevent_install_msg_flow = (?msi)(?:Message\=)(?(Beginning|Ending)\s+a\s+Windows\s+Installer\s+transaction)\:\s+(?.+)(\s|\n|\r)Client
EXTRACT-winevent_product_language = (?msi)(?:Product\sLanguage\:)(?[^(\.|\-)]+)
EXTRACT-winevent_product_manufacturer = (?msi)(?:Product\sManufacturer\:)(?[^(\.|\-)]+)
EXTRACT-winevent_product_version = (?msi)(?:Product\sVersion\:)(?[^(\.|\-)]+)

# Classic (non-XML) Security log events: subject and target accounts, group
# membership changes and Directory Service Changes fields.
[source::WinEventLog:Security]
# Subject "Account Name" (the principal that performed the action). The negative
# lookahead skips "-", computer accounts (\S+\$) and the well-known service
# principals; those are captured by ms_ad_obj_sys_user / ms_ad_obj_comp_obj_sam
# instead, so a search keyed on src_user alone will not see actions taken by
# SYSTEM, ANONYMOUS LOGON or a machine account -- use src_user_type (its EVAL
# below) to tell the three apart.
EXTRACT-ms_ad_obj_src_user = (?msi)(?:Account\s+Name\:)(?!\s+(\-|\S+\$\r\n|NOT_TRANSLATED|SYSTEM|NoGuestsAllowed|ANONYMOUS\sLOGON|ANONYMOUS|NT\sAUTHORITY|DWM\-([0-9]+)|LOCAL\sSERVICE|NETWORK\sSERVICE|\r\n))\s+(?[^(\r|\n)]+)
# Target account: the second "Account Name:" (or "Logon Account:") in the event,
# with the same exclusions as src_user.
EXTRACT-ms_ad_obj_user_obj = (?msi)(?:Account\s+Name\:.*?(Account\s+Name\:)|(?:(Logon\s+Account|Account\s+Name)\:))(?!\s+(\-|\S+\$|NOT_TRANSLATED|SYSTEM|NoGuestsAllowed|ANONYMOUS\sLOGON|ANONYMOUS|NT\sAUTHORITY|DWM\-([0-9]+)|LOCAL\sSERVICE|NETWORK\sSERVICE|\r\n))\s+(?[^(\r|\n)]+)
# The well-known principals excluded above. "NT AUTHORITY" is spelled with a
# literal space here but "NT\sAUTHORITY" in the other lists.
EXTRACT-ms_ad_obj_sys_user = (?msi)(?:Account\s+Name\:.*?(Account\s+Name\:)|(?:Account\s+Name\:))\s+(?(NOT_TRANSLATED|SYSTEM|NoGuestsAllowed|ANONYMOUS\sLOGON|ANONYMOUS|NT AUTHORITY|DWM\-([0-9]+)|LOCAL\sSERVICE|NETWORK\sSERVICE)+)
# Computer account (sAMAccountName ending in '$').
EXTRACT-ms_ad_obj_comp_obj_sam = (?msi)(?:Account\s+Name\:.*(?:Account\s+Name\:)|(?:Account\s+Name\:))\s+(?[a-zA-Z0-9._[\S\-\S]+\$)([\r\n]+)
# Group-membership events: the "Member:" block, as DOMAIN\name or SID.
EXTRACT-ms_ad_obj_member_Account_Name_secid = (?msi)(?:Member\:)(.*?(Account\sName\:|Security ID:)(\s+(?[^\x5C{1}]+)\x5C{1}|\s+)(?[\S\-\S][^(\r|\n)]+)(\r|\n))
EXTRACT-ms_ad_obj_member_obj_dn = (?msi)(?:Member\:).*?(Account\s+Name\:\s+(?CN\=[^(\r|\n)]+))
# NOTE(review): this value does not parse on its own -- after "CN=(?.+?)" it
# continues with the tail of a "Security ID:" style capture identical to the
# member_Account_Name_secid setting above. It looks like a neighbouring setting
# was fused into this one (plausibly a "(?<!" lookbehind whose '<' was paired
# with a later '>' by the same stripping that removed the group names). Verify
# against the original source; one extraction is probably missing here.
EXTRACT-ms_ad_obj_member_obj_cn_val = (?msi)(?:LDAP Display Name\:\s+member)(.*?Value\:)\s+CN=(?.+?)(?[^\x5C{1}]+)\x5C{1}|\s+)(?[\S\-\S][^(\r|\n)]+)(\r|\n))
EXTRACT-ms_ad_obj_group_nm_domain = (?msi)Group\:(\s|\r|\n)(.*?Group\sName\:\s+(?[\S\-\S][^(\r|\n)]+)(\r|\n))(.*?Group\sDomain\:\s+(?[\S\-\S][^(\r|\n)]+)(\r|\n))
EXTRACT-ms_ad_obj_group_name_secid = (?msi)(?:New\sGroup\:|Group\:)(\s|\r|\n)(.*?Security ID:(\s+(?[^\x5C{1}]+)\x5C{1}|\s+)(?[\S\-\S][^(\r|\n)]+)(\r|\n))
EXTRACT-ms_ad_obj_src_nt_domain_Account_Domain = (?msi)(?:Account\s+Domain\:(?!\s+(\r|\n))\s+(?[a-zA-Z0-9._[\S\-\S][^\r|\n]+))
# Captured up to LF only; on CRLF-delimited events the trailing CR is presumably
# kept in the value (the other extractions stop at \r as well) -- TODO confirm.
EXTRACT-ms_ad_obj_src_ip_Source_Network_Address = (?msi)Source Network Address:\s+?(?[^\n]+)
EXTRACT-ms_ad_obj_dest_nt_domain_Account_Domain = (?msi)(Account\s+Domain\:.*?(Account\s+Domain\:)|Account\s+Domain\:)(?!\s+(\r|\n))\s+(?[a-zA-Z0-9._[\S\-\S][^\r|\n]+)
EXTRACT-ms_ad_obj_dest_nt_domain_Group_Domain = (?msi)(Group\s+Domain\:.*?(Group\s+Domain\:)|Group\s+Domain\:)(?!\s+(\r|\n))\s+(?[a-zA-Z0-9._[\S\-\S][^\r|\n]+)
# Object GUID with or without the surrounding braces.
EXTRACT-ms_ad_obj_objectGUID_GUID = (?msi)(?:([\r\n\s]+)GUID\:\s+(\{|))(?[^\}\r\n]+)
EXTRACT-ms_ad_obj_session_id = (?msi)(Logon\s+ID\:.*?(Logon\s+ID\:)|Logon\s+ID\:)(?!\s+(\r|\n))\s+(?[a-zA-Z0-9._[\S\-\S][^\r|\n]+)
#Replaced by Below - 4.1.1 - EXTRACT-ms_ad_obj_object_type_group = (?msi)(?:Object Type\:\s+(?group)(\s+|\n|\r).*?(Object\sName|DN)\:\s+(?[^(\r|\n)]+))
#Replaced by Below - 4.1.1 - EXTRACT-ms_ad_obj_object_type_user = (?msi)(?:Object Type\:\s+(?user)(\s+|\n|\r).*?(Object\sName|DN)\:\s+(?[^(\r|\n)]+))
#Replaced by Below - 4.1.1 - EXTRACT-ms_ad_obj_object_type_ou = (?msi)(?:Object Type\:\s+(?organizationalUnit)(\s+|\n|\r).*?(Object\sName|DN)\:\s+(?[^(\r|\n)]+))
#Replaced by Below - 4.1.1 - EXTRACT-ms_ad_obj_object_type_gpo = (?msi)(?:Object Type\:\s+(?groupPolicyContainer)(\s+|\n|\r).*?(Object\sName|DN)\:\s+(?[^(\r|\n)]+))
#Replaced by Below - 4.1.1 - EXTRACT-ms_ad_obj_object_type_computer = (?msi)(?:Object Type\:\s+(?computer)(\s+|\n|\r).*?(Object\sName|DN)\:\s+(?[^(\r|\n)]+))
# Object moves (Old DN / New DN) and the plain DN.
# NOTE(review): the setting names and the "Old DN:" / "New DN:" literals appear
# swapped (object_new_dn matches "Old DN:", object_old_dn matches "New DN:").
# Which field (Old_DN or New_DN) each one fills was decided by the capture-group
# name that is missing from this copy -- verify before relying on the move logic
# in EVAL-MSADChangedAttributes / EVAL-user_obj_lkp.
EXTRACT-ms_ad_obj_object_new_dn = (?msi)(?:([\r\n\s]+)Old DN\:\s+)(?[^\r\n]+)
EXTRACT-ms_ad_obj_object_old_dn = (?msi)(?:([\r\n\s]+)New DN\:\s+)(?[^\r\n]+)
EXTRACT-ms_ad_obj_object_dn = (?msi)(?:([\r\n\s]+)DN\:\s+)(?[^\r\n]+)
#Replaced by Below - 4.1.1 - EXTRACT-ms_ad_obj_type_class = (?msi)(?:Object(\sType\:|\:))(\s+|\n|\r)(?:.*Class\:)\s+(?[^(\r|\n)]+)
# Object class, restricted to the classes the app models.
EXTRACT-ms_ad_obj_type_class = (?msi)(?:Class\:(\s+|))(?(computer|groupPolicyContainer|group|container|organizationalUnit|user)\b)
#Replaced by Below - 4.1.1 - EXTRACT-ms_ad_obj_type_only = (?msi)(?:Object Type\:(?!\s+(\r|\n))\s+(?[^(\r|\n)]+))
# Object type for file / removable-storage auditing events.
EXTRACT-ms_ad_obj_type_file = (?msi)(?:(\:\s+|\=)(Detailed\s|))(?(Removable Storage|File)\b)(\sSystem|\sShare|([\r\n]+))
# above - 4.1.1 - Possible Other File rex (?msi)(?:(|Subcategory\:\s+|TaskCategory\=|Object\sType\:\s+)(Detailed\s|)(?File)) OR (?msi)(\:\s+|\=|Detailed\s))(?File\b)
EXTRACT-ms_ad_obj_type_taskcat = (?msi)(?:TaskCategory\=)(\s|)(Security|)(?[^\s]+)(\sAccount\s|\s)Management
# Action verbs parsed from the English "Message=" sentence of account / group
# management events. Note the curly apostrophe (U+2019) in the two patterns below;
# events rendered with a plain "'" will not match them.
EXTRACT-ms_ad_obj_type_grp_chg = (?msi)(?:Message=A\s)(?[^(\’|\s]+)(\’s\s+|\s+)(account|type)\swas\s(?[^\.]+)\.
EXTRACT-ms_ad_obj_winevt_chg_2 = (?msi)(?:Message=A)\s+(non\-member|member)\s+was\s+(?\S+)\s+(to|from)\s+a\s+(?(basic|LDAP))\s(?(\S+|\S+\s\S+))\s+(?group)
EXTRACT-ms_ad_obj_other_groups = (?msi)(?:Message=(An|A))\s+(?(basic|LDAP))\s(?[^\s]+)\s+(?group)\swas\s(?[^\.]+)\.
EXTRACT-ms_ad_obj_type_member = (?msi)(?:Message=A)\s+member\s+was\s+(?\S+)\s+(to|from)\s+a\s+(?\S+)\-(?(enabled|disabled))\s(?(\S+|\S+\s\S+))\s+(?[^\.]+)\.
EXTRACT-ms_ad_obj_type_group = (?msi)(?:Message=A)\s+(?\S+)\-(?(enabled|disabled))\s(?(\S+|\S+\s\S+))\s(?group)\swas\s(?[^\.]+)\.
EXTRACT-ms_ad_obj_user_grp_en = (?msi)(?:Message=(An|A))\s+(?[^\']+)\'s\s(?[^\s]+)\s+group\smembership\swas\s(?[^\.]+)\.
EXTRACT-ms_ad_obj_name_chg = (?msi)(?:Message=The)\sname\sof\san\saccount\swas\s(?[^\:]+)\:
EXTRACT-ms_ad_obj_winevt_chg_6 = (?msi)(?:Message=Per)\s(?[^\s]+)\sAudit\sPolicy\swas\s(?[^\.]+)\.
EXTRACT-ms_ad_obj_winevt_chg_7 = (?msi)(?:Message=An)\sattempt\swas\smade\sto\s(?[^\s]+)\san\saccount\'s\spassword
EXTRACT-ms_ad_obj_winevt_chg_8 = (?msi)(?:Message=An)\sattempt\swas\smade\sto\sset\sthe\sDirectory\sServices\sRestore\sMode\s(?[^(\’|\s]+)(\’s\s+|\s+)password
EXTRACT-ms_ad_obj_winevt_chg_9 = (?msi)(?:Message=)(?[^\:]+)\:\sSID\sHistory\swas\s(?[^\s]+)\sto\san\s(?[^\.]+)\.
EXTRACT-ms_ad_obj_winevt_chg_10 = (?msi)(?:Message=)(?[^\:]+)\:\sAn\sattempt\sto\s(?[^\s]+)\sSID\sHistory\sto\san\s(?[^\s]+)
# NOTE(review): the final class is "[^s]+" (no backslash), so the capture stops
# at the first letter 's' rather than at whitespace; "[^\s]+" looks intended.
EXTRACT-ms_ad_obj_winevt_chg_11 = (?msi)(?:Message=The)\sACL\swas\s(?[^\s]+)\son\saccounts\swhich\sare\smembers\sof\sadministrators\s(?[^s]+)
# Directory Service Changes: the object DN, keyed by the "Class:" that follows it.
EXTRACT-ms_ad_obj_dir_svcs_changes_msad_action = (?msi)Message\=A\sdirectory\sservice\s(?object)\swas\s(?[^\.]+)
EXTRACT-ms_ad_obj_dir_svcs_user_obj_dn = (?msi)(?:Object\:)(.*?DN\:\s+)(?[^\r|\n]+)(.*?Class\:\s+user)
EXTRACT-ms_ad_obj_dir_svcs_comp_obj_dn = (?msi)(?:Object\:)(.*?DN\:\s+)(?[^\r|\n]+)(.*?Class\:\s+computer)
EXTRACT-ms_ad_obj_dir_svcs_group_obj_dn = (?msi)(?:Object\:)(.*?DN\:\s+)(?[^\r|\n]+)(.*?Class\:\s+group)(\r|\n)
EXTRACT-ms_ad_obj_dir_svcs_gpo_obj_dn = (?msi)(?:Object\:)(.*?DN\:\s+)(?[^\r|\n]+)(.*?Class\:\s+groupPolicyContainer)(\r|\n)
EXTRACT-ms_ad_obj_dir_svcs_ou_obj_dn = (?msi)(?:Object\:)(.*?DN\:\s+)(?[^\r|\n]+)(.*?Class\:\s+organizationalUnit)
#Replaced by Below - 4.1.1 - EXTRACT-ms_ad_obj_dir_svcs_changes_object_guid = (?msi)(Object Type\:|Object\:)(\s+|\n|\r).*(Object\sName|DN)\:\s+CN(=\"|=\{)(?[^(\"|\})]+)
# GUID-named objects (CN="{...}" / CN={...}), e.g. group policy containers.
EXTRACT-ms_ad_obj_dir_svcs_changes_object_guid = (?msi)(?:(\:\s)+CN\=(\"|\{))(?[^\"\}]+)
EXTRACT-ms_ad_obj_dir_svcs_mb_user_obj_dn = (?msi)(?:LDAP Display Name\:\s+member)(.*?Value\:)\s+(?CN[^(\r|\n)]+)
#Replaced by Below - 4.1.1 - EXTRACT-ms_ad_obj_cd_dir_svc_action = (?msi)Operation:(\s|\r|\n).*(?:Type:)\s+(?[^(\r|\n)]+)
EXTRACT-ms_ad_obj_cd_dir_svc_action = (?msi)(?:([\r\n]+)Operation:([\s\r\n]+)Type:\s+)(?[^(\r|\n)]+)
# Transforms.conf stanza (not on this page) that extracts the changed attributes.
REPORT-ms_ad_obj_cs_changed_attributes = ms_ad_obj_cs_changed_attributes_values
# Calculated fields. Most of these strip every backslash ("\x5C{1}") from DN-like
# values and lower-case them so they can be joined against lookups.
# user_obj_email: prefer an extracted e-mail, else a user value that looks like a
# UPN ('@' within the first 65 chars), else User_Principal_Name.
EVAL-user_obj_email = if(isnull(user_obj_email),if(match(user,"(?=.{1,64}@\S)"),lower(user),if(isnull(User_Principal_Name),NULL,lower(User_Principal_Name))),lower(user_obj_email))
EVAL-user_type = if(isnull(user_obj),NULL,"user")
# Classifies the acting principal: user > system (well-known principal) > computer.
EVAL-src_user_type = if(isnull(src_user),if(isnull(sys_user),if(isnull(comp_obj_sam),NULL,"computer"),"system"),"user")
# "ldapDisplayName|value" pairs, one per object class.
EVAL-group_obj_ldap_v = if(Class=="group",LDAP_Display_Name."|".Value,NULL)
EVAL-user_obj_ldap_v = if(Class=="user",LDAP_Display_Name."|".Value,NULL)
EVAL-gpo_obj_ldap_v = if(Class=="groupPolicyContainer",LDAP_Display_Name."|".Value,NULL)
EVAL-ou_obj_ldap_v = if(Class=="organizationalUnit",LDAP_Display_Name."|".Value,NULL)
EVAL-comp_obj_ldap_v = if(Class=="computer",LDAP_Display_Name."|".Value,NULL)
# Object moves are summarised into MSADChangedAttributes ("####" is the separator
# the app's views split on -- presumably; confirm against the dashboards).
EVAL-MSADChangedAttributes = if(isnotnull(Old_DN),"Object Moved - ########From DN: ".replace(Old_DN,"\x5C{1}","")."########To DN: ".replace(New_DN,"\x5C{1}",""),MSADChangedAttributes)
EVAL-Old_DN = lower(replace(Old_DN,"\x5C{1}",""))
EVAL-New_DN = lower(replace(New_DN,"\x5C{1}",""))
EVAL-DN = lower(replace(DN,"\x5C{1}",""))
EVAL-group_dn = if(lower(ObjectClass)="group",lower(replace(ObjectDN,"\x5C{1}","")),lower(replace(group_dn,"\x5C{1}","")))
# Lookup key for user objects: every DN the object has had (current, old, new),
# falling back to the account name, then to the acting user.
EVAL-user_obj_lkp = if(lower(Class)="user" OR lower(obj_type)="user",if(isnull(DN) AND isnull(Old_DN),lower(user_obj),mvdedup(mvappend(lower(replace(DN,"\x5C{1}","")),lower(replace(New_DN,"\x5C{1}","")),lower(replace(Old_DN,"\x5C{1}",""))))),if(isnull(user_obj),lower(src_user),lower(user_obj)))
EVAL-user_obj_dn = lower(replace(user_obj_dn,"\x5C{1}",""))
EVAL-contact_obj_dn = if((lower(Class)="contact" OR lower(obj_type)="contact") AND (isnotnull(DN) OR isnotnull(New_DN) OR isnotnull(Old_DN)),mvdedup(mvappend(lower(replace(DN,"\x5C{1}","")),lower(replace(New_DN,"\x5C{1}","")),lower(replace(Old_DN,"\x5C{1}","")))),NULL)
EVAL-user_group = lower(replace(user_group,"\x5C{1}",""))
EVAL-Group_Name = lower(replace(Group_Name,"\x5C{1}",""))
EVAL-group_obj_dn = lower(replace(group_obj_dn,"\x5C{1}",""))
EVAL-group_obj_id = lower(replace(group_obj_id,"\x5C{1}",""))
# Lookup key for groups, first non-null of: user_group, Group_Name, group_obj_dn,
# group_obj_id, group_dn.
EVAL-group_obj_lkp = if(isnull(user_group),if(isnull(Group_Name),if(isnull(group_obj_dn),if(isnull(group_obj_id),if(isnull(group_dn),NULL,lower(replace(group_dn,"\x5C{1}",""))),lower(replace(group_obj_id,"\x5C{1}",""))),lower(replace(group_obj_dn,"\x5C{1}",""))),lower(replace(Group_Name,"\x5C{1}",""))),lower(replace(user_group,"\x5C{1}","")))
EVAL-comp_obj_dn = lower(replace(comp_obj_dn,"\x5C{1}",""))
EVAL-comp_obj_sam = if(isnull(comp_obj_sam),lower(replace(comp_obj_dn,"\x5C{1}","")),comp_obj_sam)
EVAL-ou_obj_dn = lower(replace(ou_obj_dn,"\x5C{1}",""))
EVAL-gpo_obj_dn = lower(replace(gpo_obj_dn,"\x5C{1}",""))
# NOTE(review): match() takes (subject, regex) -- every other call in this file
# uses that order -- but here the literal "\x5C{1}" is the subject and cn is the
# regex, so the test asks whether the string "\" matches the pattern cn. A cn that
# contains a backslash therefore falls through unchanged; match(cn,"\x5C{1}")
# looks intended. The same form appears in the XmlWinEventLog and WMI stanzas.
EVAL-cn = if(isnull(cn),name,if(match("\x5C{1}",cn),replace(cn,"\x5C{1}",""),cn))
EVAL-distinguishedName = lower(replace(distinguishedName,"\x5C{1}",""))
EVAL-member_obj_dn = lower(replace(member_obj_dn,"\x5C{1}",""))
EVAL-member_obj_sam = if(isnull(member_obj_sam),if(isnull(member_obj_secid),lower(replace(member_obj_dn,"\x5C{1}","")),lower(member_obj_secid)),lower(replace(member_obj_sam,"\x5C{1}","")))
EVAL-member_obj_cn = lower(replace(member_obj_cn,"\x5C{1}",""))
# member_obj_id: prefer the CN when the SAM value is missing or is itself a DN.
EVAL-member_obj_id = case(isnull(member_obj_sam) AND isnotnull(member_obj_cn),lower(replace(member_obj_cn,"\x5C{1}","")),match(member_obj_sam,"(?i)^CN\="),lower(replace(member_obj_cn,"\x5C{1}","")),isnotnull(member_obj_sam) AND NOT match(member_obj_sam,"(?i)^CN\="),lower(replace(member_obj_sam,"\x5C{1}","")),isnull(member_obj_sam) AND isnull(member_obj_cn),lower(replace(member_obj_dn,"\x5C{1}","")))
EVAL-member_obj_lkp = mvdedup(mvappend(lower(replace(member_obj_cn,"\x5C{1}","")),lower(replace(member_obj_dn,"\x5C{1}","")),lower(replace(member_obj_id,"\x5C{1}","")),lower(member_obj_sam)))
#Replaced by Below - 4.1.1 - EVAL-obj_type = if(obj_type="Group Policy","groupPolicyContainer",if(obj_type="User" OR obj_type="administrator" OR obj_type="account","user",if(obj_type="Organisational Unit" OR obj_type="OU" OR obj_type="Container","organizationalUnit",if(obj_type="Group" OR obj_type="groups","group",if(obj_type="Computer","computer",if(obj_type="object",Class,obj_type))))))
# Normalises the free-text object type to one of: user, grouppolicycontainer,
# organizationalunit, group, or the LDAP Class for "object". NOTE(review): the
# replaced version above also accepted "Organisational Unit" (British spelling);
# the case() below does not, so such a value would fall through as-is if any
# source still emits it -- TODO confirm.
EVAL-obj_type = case((lower(obj_type)="user" OR lower(obj_type)="administrator" OR lower(obj_type)="account"),"user",(lower(obj_type)="grouppolicycontainer" OR lower(obj_type)="group policy"),"grouppolicycontainer",(lower(obj_type)="ou" OR lower(obj_type)="organizational unit" OR lower(obj_type)="organizationalunit" OR lower(obj_type)="container"),"organizationalunit",(lower(obj_type)="groups" OR lower(obj_type)="group"),"group",lower(obj_type)="object",lower(Class),isnotnull(obj_type),lower(obj_type))
# Collapses change/changed/set/reset into "modified" and add into "added".
EVAL-msad_action = if(msad_action="change" OR msad_action="changed" OR msad_action="set" OR msad_action="reset","modified",if(msad_action="add","added",msad_action))
EVAL-user = if(isnull(user_obj_dn),if(isnull(user_obj),lower(user),lower(user_obj)),lower(replace(user_obj_dn,"\x5C{1}","")))

# XML-rendered Security log events. Fields are pulled from <Data Name='...'>
# elements; most of those anchors are missing from this copy (see the note at the
# top), so the fragments below cannot be read for which element they target.
[source::XmlWinEventLog:Security]
EXTRACT-ms_ad_obj_xml_eventcode = (?msi)(?:EventID.*?\>(?[^\<]+))\<
EXTRACT-ms_ad_obj_xml_obj_type = (?msi)(?:\'ObjectClass\'\>(?[^\<]+))\<
EXTRACT-ms_ad_obj_xml_file = (?msi)(?:\>(Detailed\s|))(?(Removable Storage|File)\b)(\sSystem|\sShare|([\<]+))
# Subject / target user with the same well-known-principal exclusions as the
# classic stanza; the excluded principals go to xml_sys_user / xml_comp_obj_sam.
EXTRACT-ms_ad_obj_dir_src_user_nm = (?msi)(?:SubjectUserName\'\>(?!(\-|\S+\$\<|NOT_TRANSLATED|SYSTEM|NoGuestsAllowed|ANONYMOUS\sLOGON|ANONYMOUS|NT\sAUTHORITY|DWM\-([0-9]+)|LOCAL\sSERVICE|NETWORK\sSERVICE|\<))(?[^\<]+))
EXTRACT-ms_ad_obj_xml_src_domain = (?msi)(?:SubjectDomainName\'\>(?!\-)(?[^\<]+))
EXTRACT-ms_ad_obj_xml_user_nm = (?msi)(?:\)(?!(\-|\S+\$\<|NOT_TRANSLATED|SYSTEM|NoGuestsAllowed|ANONYMOUS\sLOGON|ANONYMOUS|NT\sAUTHORITY|DWM\-([0-9]+)|LOCAL\sSERVICE|NETWORK\sSERVICE|\<))(?[^\<]+)
EXTRACT-ms_ad_obj_xml_user_sid_nm = (?msi)(?:\\<\/Data\>\)(?[^\<]+)\<\/Data\>\(\S+\x5C{1}|)(?!(\-|\S+\$\<|NOT_TRANSLATED|SYSTEM|NoGuestsAllowed|ANONYMOUS\sLOGON|ANONYMOUS|NT\sAUTHORITY|DWM\-([0-9]+)|LOCAL\sSERVICE|NETWORK\sSERVICE|\<))(?[^\<]+)\<
EXTRACT-ms_ad_obj_xml_sys_user = (?msi)(?:\)(?!(\-|\S+\$\<|\<))(?(NOT_TRANSLATED|SYSTEM|NoGuestsAllowed|ANONYMOUS\sLOGON|ANONYMOUS|NT\sAUTHORITY|DWM\-([0-9]+)|LOCAL\sSERVICE|NETWORK\sSERVICE))"
EXTRACT-ms_ad_obj_xml_comp_obj_sam = (?msi)(?:\)(?[a-zA-Z0-9._[\S\-\S]+\$)"
EXTRACT-ms_ad_obj_xml_comp_nm = (?msi)(?:\'\>(?!\-)(?[^\<]+))
EXTRACT-ms_ad_obj_xml_dest_domain = (?msi)(?:TargetDomainName\'\>(?!\-)(?[^\<]+))
EXTRACT-ms_ad_obj_xml_dest_domain_ds = (?msi)(?:DSName\'\>(?!\-)(?[^\.]+)\..*\<)
# Per-class GUID and DN, keyed by the ObjectClass element that follows them.
EXTRACT-ms_ad_obj_xml_user_obj_guid = (?msi)(?:(ObjectGUID)\'\>\{(?[^\}]+))\}.*?\'ObjectClass\'\>user\<
EXTRACT-ms_ad_obj_xml_user_obj_dn = (?msi)(?:(ObjectDN|NewObjectDN)\'\>(?[^\<]+))\<.*?\'ObjectClass\'\>user\<
EXTRACT-ms_ad_obj_xml_comp_obj_guid = (?msi)(?:(ObjectGUID)\'\>\{(?[^\}]+))\}.*?\'ObjectClass\'\>computer\<
EXTRACT-ms_ad_obj_xml_comp_obj_dn = (?msi)(?:(ObjectDN|NewObjectDN)\'\>(?[^\<]+))\<.*?\'ObjectClass\'\>computer\<
EXTRACT-ms_ad_obj_xml_group_obj_guid = (?msi)(?:(ObjectGUID)\'\>\{(?[^\}]+))\}.*?\'ObjectClass\'\>group\<
EXTRACT-ms_ad_obj_xml_group_obj_dn = (?msi)(?:(ObjectDN|NewObjectDN)\'\>(?[^\<]+))\<.*?\'ObjectClass\'\>group\<
# Group "member" attribute changes: the member DN from the AttributeValue element.
EXTRACT-ms_ad_obj_xml_member_obj_dn = (?msi)(?:\'ObjectClass\'\>group\<\/Data\>\member\<).*(?:\'AttributeValue\'\>)(?[^\<]+)
EXTRACT-ms_ad_obj_xml_member_obj_dn_a = (?msi)(?:\)(?CN\=[^\<]+)
EXTRACT-ms_ad_obj_xml_member_obj_cn = (?msi)(?:\)CN\=(?[^\,]+)\,(CN|DN|DC|OU)
#EXTRACT-ms_ad_obj_xml_member_obj_lkp = (?msi)(?:\)(?[^\<]+)
EXTRACT-ms_ad_obj_xml_member_obj_dsam = (?msi)(?:\)(?\S+)\x5C{1}(?[^\<]+)
EXTRACT-ms_ad_obj_xml_member_obj_sec_id = (?msi)\(?[^\<]+)
EXTRACT-ms_ad_obj_xml_ou_obj_guid = (?msi)(?:(ObjectGUID)\'\>\{(?[^\}]+))\}.*?\'ObjectClass\'\>organizationalUnit\<
EXTRACT-ms_ad_obj_xml_ou_obj_dn = (?msi)(?:(ObjectDN|NewObjectDN)\'\>(?[^\<]+))\<.*?\'ObjectClass\'\>organizationalUnit\<
# GUID of the GPO referenced by a changed gPLink attribute.
EXTRACT-ms_ad_obj_xml_chg_gp_guid = (?msi)(?:AttributeLDAPDisplayName\'\>gPLink).*?cn\=\{(?[^\}]+)
EXTRACT-ms_ad_obj_xml_gpo_obj_guid = (?msi)(?:(ObjectGUID)\'\>\{(?[^\}]+))\}.*?\'ObjectClass\'\>groupPolicyContainer\<
EXTRACT-ms_ad_obj_xml_gpo_obj_cn = (?msi)(?:(ObjectDN)\'\>CN\=\{(?[^\}]+))\}.*?\'ObjectClass\'\>groupPolicyContainer\<
EXTRACT-ms_ad_obj_xml_sourcename = (?msi)\[^\']+)
EXTRACT-ms_ad_obj_xml_logname_from_channel = (?msi)(?:\)(?[^\<]+)
# Windows Installer events (MsiInstaller EventID 1022 / 1033-1036 / 1040 / 1042),
# one positional <Data> element per product field. NOTE(review): these sit under
# the Security-channel stanza; if the XML Application log is onboarded they
# presumably need their own [source::XmlWinEventLog:Application] stanza -- confirm.
EXTRACT-ms_ad_obj_xml_install_product = (?msi)(?:\>(1033|1042|1040)\<\/EventID\>).*(?:\)\(|(?[^\<]+))\<\/Data\>\(|(?[^\<]+))\<\/Data\>\(|(?[^\<]+))\<\/Data\>\(|(?[^\<]+))\<\/Data\>\(|(?[^\<]+))\<\/Data\>\
EXTRACT-ms_ad_obj_xml_product_name = (?msi)(?:(\|Product|Produkt)(\:|\sName\:))(?[^(\<|\.|\-)]+)
EXTRACT-ms_ad_obj_xml_1022_product_info = (?msi)(?:\>(1022)\<\/EventID\>).*(?:\\)(|(?[^\<]+))\<\/Data\>\(|(?[^\<]+))\<\/Data\>
EXTRACT-ms_ad_obj_xml_1035_6_product_info = (?msi)(?:\>(1034|1035)\<\/EventID\>).*(?:\\)(|(?[^\<]+))\<\/Data\>\(|(?[^\<]+))\<\/Data\>\(|(?[^\<]+))\<\/Data\>\(|(?[^\<]+))\<\/Data\>\(|(?[^\<]+))
#EXTRACT-ms_ad_obj_xml_1005_6_product_name = (?msi)(?:EventCode\=(1005|1006)).*(?:Message\=)(?[^\s\-]+)\s\-(?[^$]+)
EXTRACT-ms_ad_obj_xml_1036_product_info = (?msi)(?:\>1036\<\/EventID\>).*(?:\\)(|(?[^\<]+))\<\/Data\>\(|(?[^\<]+))\<\/Data\>\(|(?[^\<]+))\<\/Data\>\(|(?[^\<]+))\<\/Data\>\(|(?[^\<]+))\<\/Data\>\(|(?[^\<]+))
EXTRACT-ms_ad_obj_xml_nApps = (?msi)(?:\)(?[^\<]+)
# Generic Directory Service Changes elements.
EXTRACT-ms_ad_obj_xml_ldap_n = (?msi)(?:(AttributeLDAPDisplayName)\'\>)(?[^\<]+)
EXTRACT-ms_ad_obj_xml_dn = (?msi)(?:(ObjectDN)\'\>)(?[^\<]+)
EXTRACT-ms_ad_obj_xml_old_dn = (?msi)(?:(OldObjectDN)\'\>)(?[^\<]+)
EXTRACT-ms_ad_obj_xml_new_dn = (?msi)(?:(NewObjectDN)\'\>)(?[^\<]+)
EXTRACT-ms_ad_obj_xml_corr_id = (?msi)(?:(OpCorrelationID)\'\>)(?[^\<]+)
EXTRACT-ms_ad_obj_xml_n_guid = (?msi)(?:(ObjectDN)\'\>).*(?:CN\=\{)(?[^\}]+)
EXTRACT-ms_ad_obj_xml_guid = (?msi)(?:(ObjectGUID)\'\>)(?[^\<]+)
#EXTRACT-ms_ad_obj_xml_ena_user = (?msi)(?:\4722).*(?:\'Target(?(User))Name\'\>(?!\S+\$\<))
#LOOKUP-ms_ad_obj_changes_std = AD_Audit_Change_EventCodes_Std EventCode AS EventCode OUTPUTNEW change_action AS msad_action change_category AS change_category obj_type signature AS change_signature
#LOOKUP-ms_ad_obj_changes_adv = AD_Audit_Change_EventCodes_Adv EventCode AS EventCode obj_type AS ObjectClass OUTPUTNEW change_action AS msad_action,obj_type,signature AS change_signature,change_category AS change_category
EVAL-user_type = if(isnull(user_obj),NULL,"user")
# NOTE(review): unlike the classic stanza this never yields "system" or
# "computer", although xml_sys_user / xml_comp_obj_sam extract those principals
# here too -- confirm whether that is intended.
EVAL-src_user_type = if(isnull(src_user),NULL,"user")
EVAL-user_obj_email = if(isnull(user_obj_email),if(match(user,"(?=.{1,64}@\S)"),lower(user),if(isnull(User_Principal_Name),NULL,lower(User_Principal_Name))),lower(user_obj_email))
# %%14674 / %%14675 are the OperationType resource-string IDs in a Directory
# Service Changes (5136) event: value added / value deleted.
EVAL-dir_svcs_action = if(OperationType="%%14674","Value Added",if(OperationType="%%14675","Value Deleted","Unknown"))
# Keeps only the part after the last '|' (the "ldapDisplayName|value" form).
EVAL-member_obj_class = replace(member_obj_class,"^.*\|","")
EVAL-group_obj_ldap_v = if(ObjectClass=="group",LDAP_Display_Name."|".Value,NULL)
EVAL-user_obj_ldap_v = if(ObjectClass=="user",LDAP_Display_Name."|".Value,NULL)
EVAL-gpo_obj_ldap_v = if(ObjectClass=="groupPolicyContainer",LDAP_Display_Name."|".Value,NULL)
EVAL-ou_obj_ldap_v = if(ObjectClass=="organizationalUnit",LDAP_Display_Name."|".Value,NULL)
EVAL-comp_obj_ldap_v = if(ObjectClass=="computer",LDAP_Display_Name."|".Value,NULL)
EVAL-Old_DN = lower(replace(Old_DN,"\x5C{1}",""))
EVAL-New_DN = lower(replace(New_DN,"\x5C{1}",""))
EVAL-DN = lower(replace(DN,"\x5C{1}",""))
EVAL-user_obj_dn = lower(replace(user_obj_dn,"\x5C{1}",""))
EVAL-user_obj_lkp = if(lower(obj_type)="user" OR lower(ObjectClass)=="user",if(isnull(DN) AND isnull(Old_DN),lower(user_obj),mvdedup(mvappend(lower(replace(DN,"\x5C{1}","")),lower(replace(New_DN,"\x5C{1}","")),lower(replace(Old_DN,"\x5C{1}",""))))),if(isnull(user_obj),lower(src_user),lower(user_obj)))
EVAL-group_dn = if(ObjectClass="group",lower(replace(ObjectDN,"\x5C{1}","")),lower(replace(group_dn,"\x5C{1}","")))
EVAL-user_group = lower(replace(user_group,"\x5C{1}",""))
EVAL-Group_Name = lower(replace(Group_Name,"\x5C{1}",""))
EVAL-group_obj_dn = lower(replace(group_obj_dn,"\x5C{1}",""))
EVAL-group_obj_id = lower(replace(group_obj_id,"\x5C{1}",""))
EVAL-group_obj_lkp = if(isnull(user_group),if(isnull(Group_Name),if(isnull(group_obj_dn),if(isnull(group_obj_id),if(isnull(group_dn),NULL,lower(replace(group_dn,"\x5C{1}",""))),lower(replace(group_obj_id,"\x5C{1}",""))),lower(replace(group_obj_dn,"\x5C{1}",""))),lower(replace(Group_Name,"\x5C{1}",""))),lower(replace(user_group,"\x5C{1}","")))
EVAL-comp_obj_dn = lower(replace(comp_obj_dn,"\x5C{1}",""))
EVAL-comp_obj_sam = if(isnull(comp_obj_sam),lower(replace(comp_obj_dn,"\x5C{1}","")),comp_obj_sam)
EVAL-ou_obj_dn = lower(replace(ou_obj_dn,"\x5C{1}",""))
# NOTE(review): match() arguments look reversed here as well (see the classic
# Security stanza); match(cn,"\x5C{1}") looks intended.
EVAL-cn = if(isnull(cn),name,if(match("\x5C{1}",cn),replace(cn,"\x5C{1}",""),cn))
EVAL-distinguishedName = lower(replace(distinguishedName,"\x5C{1}",""))
EVAL-member_obj_dn = lower(replace(member_obj_dn,"\x5C{1}",""))
EVAL-member_obj_sam = if(isnull(member_obj_sam),if(isnull(member_obj_secid),lower(replace(member_obj_dn,"\x5C{1}","")),lower(member_obj_secid)),lower(replace(member_obj_sam,"\x5C{1}","")))
EVAL-member_obj_cn = lower(replace(member_obj_cn,"\x5C{1}",""))
#EVAL-member_obj_id = if(isnull(member_obj_lkp),if(isnull(member_obj_dn),if(isnull(member_obj_cn),if(isnull(member_obj_secid),if(isnull(member_obj_sam),NULL,lower(member_obj_sam)),lower(replace(member_obj_id,"\S+\x5C{1}",""))),lower(replace(member_obj_cn,"\x5C{1}",""))),lower(replace(member_obj_dn,"\x5C{1}",""))),lower(member_obj_lkp))
# NOTE(review): member_obj_id is referenced below, but the only EVAL defining it
# in this stanza is the commented-out one above; unless an extraction supplies
# it, that term is null (mvappend tolerates that, so the key still forms).
EVAL-member_obj_lkp = mvdedup(mvappend(lower(replace(member_obj_cn,"\x5C{1}","")),lower(replace(member_obj_dn,"\x5C{1}","")),lower(replace(member_obj_id,"\x5C{1}","")),lower(member_obj_sam)))
EVAL-obj_type = case((lower(obj_type)="user" OR lower(obj_type)="administrator" OR lower(obj_type)="account"),"user",(lower(obj_type)="grouppolicycontainer" OR lower(obj_type)="group policy"),"grouppolicycontainer",(lower(obj_type)="ou" OR lower(obj_type)="organizational unit" OR lower(obj_type)="organizationalunit" OR lower(obj_type)="container"),"organizationalunit",(lower(obj_type)="groups" OR lower(obj_type)="group"),"group",lower(obj_type)="object",lower(ObjectClass),isnotnull(obj_type),lower(obj_type))
# As in the classic stanza, plus EventID 4722 ("a user account was enabled")
# mapped to "enabled" when no other action was parsed.
EVAL-msad_action = if(msad_action="change" OR msad_action="changed" OR msad_action="set" OR msad_action="reset","modified",if(msad_action="add","added",if(EventID="4722","enabled",msad_action)))
EVAL-user = if(isnull(user_obj_dn),if(isnull(user_obj),lower(user),lower(user_obj)),lower(replace(user_obj_dn,"\x5C{1}","")))

# Security events collected over WMI. Calculated fields only; the underlying
# fields are assumed to come from the input itself. Note that, unlike the classic
# stanza, MSADChangedAttributes here uses Old_DN / New_DN without stripping
# backslashes, and the member_obj_* EVALs mostly lower-case without stripping.
[source::WMI:WinEventLog:Security]
# Classifies the target: system > user > computer > user (by DN).
EVAL-user_type = if(isnull(sys_user),if(isnull(user),if(isnull(comp_obj_sam),if(isnull(user_obj_dn),NULL,"user"),"computer"),"user"),"system")
EVAL-src_user_type = if(isnull(src_user),if(isnull(sys_user),if(isnull(comp_obj_sam),NULL,"computer"),"system"),"user")
EVAL-user_obj_email = if(isnull(user_obj_email),if(match(user,"(?=.{1,64}@\S)"),user,if(isnull(User_Principal_Name),NULL,User_Principal_Name)),user_obj_email)
EVAL-group_obj_ldap_v = if(Class=="group",LDAP_Display_Name."|".Value,NULL)
EVAL-user_obj_ldap_v = if(Class=="user",LDAP_Display_Name."|".Value,NULL)
EVAL-gpo_obj_ldap_v = if(Class=="groupPolicyContainer",LDAP_Display_Name."|".Value,NULL)
EVAL-ou_obj_ldap_v = if(Class=="organizationalUnit",LDAP_Display_Name."|".Value,NULL)
EVAL-comp_obj_ldap_v = if(Class=="computer",LDAP_Display_Name."|".Value,NULL)
EVAL-MSADChangedAttributes = if(isnotnull(Old_DN),"Object Moved - ########From DN: ".Old_DN."########To DN: ".New_DN,MSADChangedAttributes)
EVAL-Old_DN = lower(replace(Old_DN,"\x5C{1}",""))
EVAL-New_DN = lower(replace(New_DN,"\x5C{1}",""))
EVAL-DN = lower(replace(DN,"\x5C{1}",""))
# NOTE(review): match() arguments look reversed here as well (see the classic
# Security stanza); match(lower(cn),"\x5C{1}") looks intended.
EVAL-cn = if(isnull(cn),lower(name),if(match("\x5C{1}",lower(cn)),lower(replace(cn,"\x5C{1}","")),lower(cn)))
EVAL-distinguishedName = lower(replace(distinguishedName,"\x5C{1}",""))
EVAL-user_obj_dn = lower(replace(user_obj_dn,"\x5C{1}",""))
EVAL-member_obj_sam = if(isnull(member_obj_sam),if(isnull(member_obj_secid),lower(member_obj_dn),lower(member_obj_secid)),lower(member_obj_sam))
EVAL-member_obj_cn = lower(replace(member_obj_cn,"\x5C{1}",""))
EVAL-obj_type = lower(obj_type)
EVAL-msad_action = if(msad_action="change" OR msad_action="changed" OR msad_action="set" OR msad_action="reset","modified",if(msad_action="add","added",msad_action))
EVAL-member_obj_id = case(isnull(member_obj_sam) AND isnotnull(member_obj_cn),lower(member_obj_cn),match(member_obj_sam,"(?i)^CN\="),lower(member_obj_cn),isnotnull(member_obj_sam) AND NOT match(member_obj_sam,"(?i)^CN\="),lower(member_obj_sam),isnull(member_obj_sam) AND isnull(member_obj_cn),lower(member_obj_dn))
EVAL-user = lower(user)
EVAL-src_user = lower(src_user)
#LOOKUP-ms_ad_obj_changes = AD_Audit_Change_EventCodes EventCode AS EventCode obj_type AS obj_type OUTPUTNEW change_action AS change_action change_category AS change_category signature AS change_signature

# Active Directory monitoring (admon) events.
[ActiveDirectory]
# Index-time rewrite: turns the LDAP escape "\," into a plain "," in the raw
# event so later splits on ',' work. SEDCMD changes the event before it is
# stored and cannot be undone; the indexed DN no longer matches what the DC
# returned byte-for-byte, which matters if these events are kept as evidence.
# (The search-time EVALs above strip every backslash, not just the one before a
# comma.)
SEDCMD-dn_backslash = s/\x5C{1}\,/,/g
# Domain suffix from the dcName hostname, and the DC= part of the objectCategory
# DN (under Configuration / Deleted Objects); dc_val falls back to dc_suffix.
EXTRACT-ms_ad_obj_admon_dc_suffix = (?msi)(?:dcName\=(LDAP\:\/\/|)[a-zA-Z0-9_\-]+)\.(?[^(\r|\n|\/)]+)
EXTRACT-ms_ad_obj_admon_dc_val = (?msi)(?:objectCategory\=.*)(?:\,CN\=(Configuration|Deleted\sObjects)\,DC\=)(?[^(\r|\n|\|)]+)
EVAL-dc_val = if(isnull(dc_val),dc_suffix,replace(dc_val,"(\,DC\=)","."))