# Copyright 2004-2013 Tenable Network Security
# This library may only be used with the LCE server and may not
# be used with other products or open source projects
#
# NAME:
# Windows Security Event log parser
#
# DESCRIPTION:
# This library is used to process logs from Windows systems. Windows
# XP or W2K servers can be configured with an LCE Client for Windows
# or can forward their events via NetBIOS to another Windows server
# which runs the LCE Client. In both cases, the Windows LCE
# Client will attempt a reverse NetBIOS or DNS lookup of
# the hostname to convert it to an IP address for the LCE server.
#
# LAST UPDATE: $Date$


#############################################
# LOGIN USERS (attempts/failures,successes) #
#############################################
# Per MS KBA 140714
# Interactive logon 	Event ID 528 Type 2 
# Network logon		Event ID 528 Type 3 
# Net Use connection 	Event ID 528 Type 3 
# Unlock	 	Event ID 528 Type 7 
# Remote logon		Event ID 528 Type 10 
# Cached logon		Event ID 528 Type 11 
# Interactive logoff 	Event ID 538 Type 2 
# Network logoff	Event ID 538 Type 3 
# Net use disconnection Event ID 538 Type 3 
# Autodisconnect 	Event ID 538 Type 3 
# moved ids 3213 3215 3259 3270 4273 3284 3325 to os win audit prm

# For a better description of event ids please refer to the link below
# http://www.microsoft.com/technet/support/ee/ee_advanced.aspx

# Event ID 680
# 0x0 Success
# 0xC0000064 user name does not exist
# 0xC000006A user name is correct but the password is wrong
# 0xC0000234 user is currently locked out
# 0xC0000072 account is currently disabled
# 0xC000006F user tried to logon outside his day of week or time of day restrictions
# 0xC0000070 workstation restriction
# 0xC0000193 account expiration
# 0xC0000071 expired password
# 0xC0000224 user is required to change password at next logon
# 0xC0000225 evidently a bug in Windows and not a risk
 
id=3200
name=This Windows security event log indicates that a successful Logon Attempt occurred.
# Event 680 / Success Audit in the older "Logon attempt by:" text layout. Lines that carry the
# newer "Account Name" field are excluded here (match=!Account Name) and handled by rule 3209.
# $1 = reporting host name, $2 = the "IP:" address in front of the message (presumably added by
# the LCE client, see the header), $3 = "Logon account:" value (ASCII only, at most 25 chars; a
# name starting outside that set presumably leaves the regex unmatched, so the rule is silent).
# NOTE(review): $2 is emitted as srcip here, while rules 3203 onwards emit the same capture as
# dstip; the reporting host is the one receiving the logon, so confirm which field downstream
# correlation expects before relying on srcip from this event.
match=ecu
match=ty
match=Security
match=Secur
match=!Account Name
match=tem
match=Lo
match=pt
match=,Success Audit,
match=,Security,680,Success Audit,
match=Logon attempt by:
match=Logon account:
match=ce
match=Source Workstation:
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Logon account:\s*([A-Za-z0-9$_.-]{1,25})
log=event:Windows-Logon sensor:$1 srcip:$2 user:$3 type:login event2:WindowsEvent-680

NEXT

id=3201
name=This Windows security event log indicates that login failure has occurred.
# Event 529 / Failure Audit for lines that do NOT contain the substring ADMINISTRATOR
# (match=!ADMINISTRATOR); rule 3202 takes the lines that do. The test is a case-sensitive
# substring over the whole line, so a mixed-case "Administrator" stays in this rule.
# $3 = "User Name:" value; a name whose first character is outside [A-Za-z0-9$_.-] presumably
# leaves the regex unmatched and the failure is not reported by this rule at all.
# NOTE(review): $3 is captured but never emitted, so 529 failures cannot be attributed to an
# account from this event; adding user:$3 to the log line (as rule 3200 does) would fix that.
# $2 is emitted as srcip, whereas most later rules emit the same capture as dstip.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,529,Failure Audit,
match=!ADMINISTRATOR
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* User Name:\s*([A-Za-z0-9$_.-]{1,25})
log=event:Windows-Logon_Failure type:login-failure sensor:$1 srcip:$2 event2:WindowsEvent-529

NEXT

id=3202
name=This Windows security event log indicates that an administrator login attempt failed. 
# Companion of 3201: the upper-case substring ADMINISTRATOR anywhere in the line (user, domain
# or workstation field alike) routes the failure here, and no user name is captured, so the
# emitted event carries only sensor and srcip. The two-letter match= fragments (AT, RA, IN, ...)
# appear to be engine pre-filter pieces of the same word and carry no meaning on their own.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=,Security,529,Failure Audit,
match=AT
match=RA
match=ADMINISTRATOR
match=IN
match=ST
match=ailure
match=TR
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Administrator_Logon_Failure type:login-failure sensor:$1 srcip:$2  event2:WindowsEvent-529


NEXT

id=3203
name=This Windows security event log indicates that a successful interactive logon occurred.
# Event 528 / Success Audit narrowed by the regex to "Logon Type: 2" (interactive, per the
# table at the top of this file). Type 3 is rule 3225; the type 7/10/11 values from that table
# match neither rule in this file as written. Lines containing the upper-case substring
# ADMINISTRATOR are excluded here and taken by rule 3204.
# $3 = "User Name:" value up to the following "Domain:" (lazy, at most 25 chars).
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,528,Success Audit,
match=!ADMINISTRATOR
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Domain:.*Logon Type:\s*2
log=event:Windows-Successful_Logon type:login sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-528


NEXT

id=3204
name=This Windows security event log indicates that successful interactive ADMINISTRATOR logon occurred.
# Note, example line fails to be matched for match=ADMINISTRATOR
# Same event and logon type as 3203 but only for lines containing ADMINISTRATOR. The logon-type
# test is written as "Logon Type:" followed by 1-7 non-digits and a 2, unlike the \s*2 form in
# 3203; the two forms presumably accept the same lines, but this is worth confirming with a
# real sample (see the note above).
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,528,Success Audit,
match=AT
match=RA
match=ADMINISTRATOR
match=IN
match=ST
match=TR
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Domain:.*Logon Type:[^0-9]{1,7}2
log=event:Windows-Successful_Administrator_Logon type:login sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-528

NEXT

id=3205
name=This Windows security event log indicates that a successful logoff occurred.
# Event 538 / Success Audit (logoff, any logon type per the header table). Only the reporting
# host and its IP are captured; the account logging off is not.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,538,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Successful_Logoff sensor:$1 type:logout dstip:$2 event2:WindowsEvent-538

NEXT

id=3206
name=This Windows security event log indicates that a pre-authentication login attempt failed.
# Event 675 / Failure Audit. match=!User Name skips the variant of the line that carries a
# "User Name:" field, so those lines need a rule of their own.
# $2 = reporting host IP (dstip), $3 = "Client Address:" (the requesting host, srcip).
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=!User Name
match=,Security,675,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Client Address:\s*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Pre-Authentication_Failed type:login-failure sensor:$1 dstip:$2 srcip:$3 event2:WindowsEvent-675

NEXT

id=3207
name=This Windows security event log indicates that special privileges have been assigned.
# Event 576 / Success Audit where the "User Name:" field is empty (the regex requires
# "User Name:" followed only by whitespace and then "Domain:"); lines that do carry a user name
# are handled by rule 3249, which emits them as a login.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,576,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s+Domain:
log=event:Windows-Special_Privileges_Assigned type:system sensor:$1 dstip:$2 event2:WindowsEvent-576

NEXT

id=3208
name=This Windows security event log indicates that a service ticket has been granted.
# Event 673 / Success Audit. $2 is the reporting host's IP and $3 the "Client Address:" field,
# the same captures as rules 3206, 3218, 3219 and 3220.
# NOTE(review): the log line maps them the other way round from those rules — here the
# reporting host becomes srcip and the client address becomes dstip. Unless that inversion is
# intended, "sensor:$1 dstip:$2 srcip:$3" would make 673 consistent with the other ticket rules.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,673,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Client Address:\s*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Service_Ticket_Granted type:system sensor:$1 srcip:$2 dstip:$3 event2:WindowsEvent-673

NEXT

id=3209
name=This Windows security event log indicates that an account was used for a login.
# Event 680 / Success Audit in the newer "Account Name:" text layout; rule 3200 covers the
# older "Logon account:" layout and explicitly excludes lines with an Account Name field.
# $3 = "Account Name:" value up to the following "Workstation:" (lazy, at most 25 chars).
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,680,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Account Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Workstation:
log=event:Windows-Account_Used_For_Login sensor:$1 dstip:$2 user:$3 type:login event2:WindowsEvent-680

NEXT

id=3210
name=This Windows security event log indicates that an authentication ticket has been granted.
# Event 672 / Success Audit. Unlike the other rules, the regex requires a comma directly after
# the IP address; $3 = "User Name:" value up to the word "Supplied".
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,672,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Supplied
log=event:Windows-Authentication_Ticket_Granted type:system sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-672

NEXT

id=3211
name=This Windows security event log indicates that a handle was closed.
# Event 562 / Success Audit. Only the reporting host and its IP are captured; no object or
# account details are carried into the emitted event.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,562,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Handle_Closed type:system sensor:$1 dstip:$2 event2:WindowsEvent-562

NEXT

id=3212
name=This Windows security event log indicates that a trusted logon process occurred.
# Event 515 / Success Audit. Emitted as type:login even though only sensor and IP are captured;
# consumers counting logins per account will not see a user field from this rule.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,515,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Trusted_Logon_Process type:login sensor:$1 dstip:$2  event2:WindowsEvent-515

NEXT

id=3214
name=This Windows security event log indicates that a privileged service  was called.
# Event 577 / Success Audit; sensor and IP only, the privilege and caller are not captured.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,577,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Privileged_Service_Called type:system sensor:$1 dstip:$2 event2:WindowsEvent-577

NEXT

id=3216
name=This Windows security event log indicates that the Kerberos policy has changed.
# Event 617 / Success Audit; sensor and IP only.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,617,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Kerberos_Policy_Changed type:system sensor:$1 dstip:$2 event2:WindowsEvent-617

NEXT

id=3217
name=This Windows security event log indicates that a security enabled global group member has changed.
# Event 633 / Success Audit. NOTE(review): rule 3245 also accepts 633 lines through its broader
# ",Security,63" prefix plus the "Security Enabled Global Group" text, so which of the two
# events a 633 line produces presumably depends on the engine's rule ordering — confirm.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,633,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Security_Enabled_Global_Group_Member type:system sensor:$1 dstip:$2 event2:WindowsEvent-633

NEXT

id=3218
name=This Windows security event log indicates that a ticket previously granted has been renewed.
# Event 674 / Success Audit. $2 = reporting host IP (dstip), $3 = "Client Address:" (srcip) —
# the same mapping as 3206, 3219 and 3220 (rule 3208 inverts it).
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,674,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Client Address:\s*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Ticket_Granted_Renewed type:system sensor:$1 dstip:$2 srcip:$3 event2:WindowsEvent-674


NEXT

id=3219
name=This Windows security event log indicates that an authentication ticket request has failed.
# Event 676 / Failure Audit, emitted as type:login-failure so it is counted with the 529/680
# failures; the requesting account is not captured, only the client address.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,676,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Client Address:\s*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Authentication_Ticket_Request_Failed type:login-failure sensor:$1 dstip:$2 srcip:$3 event2:WindowsEvent-676

NEXT

id=3220
name=This Windows security event log indicates that a service ticket request failed.
# Event 677 / Failure Audit; same captures and field mapping as 3219.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,677,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Client Address:\s*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Service_Ticket_Request_Failed type:login-failure sensor:$1 dstip:$2 srcip:$3 event2:WindowsEvent-677

NEXT

id=3222
name=This Windows security event log indicates that a logon failed. In Windows Server 2003, Microsoft eliminated event ID 681 and instead uses event ID 680 for both successful and failed authentication attempts.
# Event 681 / Failure Audit (pre-2003 hosts, per the description). Neither the account nor the
# error code is captured, so this is coarser than the 680 error-code rules 3274-3281.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,681,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Account_Logon_Failed type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-681

NEXT

id=3223
name=This Windows security event log indicates that a successful network logon has occurred.
# note - ID 3294 handles the case when there is a user name provided in a 540 event login
# Event 540 / Success Audit with a numeric "Source Network Address:" ($3, emitted as srcip).
# Lines whose source address is "-" are rule 3260, which captures the user name instead.
# The "User Name: " match= lines require that field to be present, but this regex does not
# capture it (see the 3294 note above).
match=ser
match=User Name: 
match=User
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,540,Success Audit,
match=Lo
match=Successful Network Logon:
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Source Network Address:\s*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Successful_Network_Login type:login sensor:$1 dstip:$2 srcip:$3 event2:WindowsEvent-540

NEXT

id=3224
name=This Windows security event log indicates that a password reset attempt has failed.
# NOTE(review): the description and the emitted event name say a password set/reset FAILED,
# but the rule only accepts ",Security,627,Success Audit," lines — a success audit. Either the
# name/event or the audit-type match is wrong; confirm against a real 627 line before using
# this event for failed-reset alerting.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,627,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-User_Password_Set_Failed type:system sensor:$1 dstip:$2 event2:WindowsEvent-627

NEXT

id=3225
name=This Windows security event log indicates that a successful network logon has occurred.
# Event 528 / Success Audit narrowed to "Logon Type: 3" (network, per the header table); the
# interactive type 2 is rule 3203. $3 = "User Name:" value up to "Domain".
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,528,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Domain.*Logon Type:\s+3
log=event:Windows-Successful_Network_Login type:login sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-528

NEXT

id=3226
name=This Windows security event log indicates that an IP address conflict exists.
# Matched on the literal "System Error" message text rather than a Security audit record.
# Nothing is captured, so the emitted event carries no sensor or IP fields.
match=IP
match=tem
match=ystem
match=indo
match=Windows
match=rr
match=ss
match=Windows - System Error : There is an IP address conflict with another system on the network
log=event:Windows-IP_Conflict type:error

NEXT

id=3227
name=This Windows security event log indicates that a time change has occurred.
# Event 520 / Success Audit; sensor and IP only.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,520,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Time_Change type:system sensor:$1 dstip:$2 event2:WindowsEvent-520

NEXT

id=3228
name=This Windows security event log indicates that a user account was deleted.
# Event 630 / Success Audit. Only sensor and IP are captured — neither the deleted account nor
# the caller — unlike 3229-3231 below, which capture a user name.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,630,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-User_Account_Deleted type:system sensor:$1 dstip:$2 event2:WindowsEvent-630

NEXT

id=3229
name=This Windows security event log indicates that a user account has changed.
# Event 642 / Success Audit. $3 is the "User Name:" value that sits directly before
# "Caller Domain:", so it is presumably the CALLER's name (the account making the change), not
# the changed account — confirm with a sample line before treating user: as the affected account.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,642,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Caller Domain:
log=event:Windows-User_Account_Changed type:system sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-642

NEXT

id=3230
name=This Windows security event log indicates that a user account has been created.
# Event 624 / Success Audit. Same capture position as 3229 (the name before "Caller Domain:"),
# so $3 is presumably the creator rather than the new account — confirm.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,624,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Caller Domain:
log=event:Windows-User_Account_Created type:system sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-624

NEXT

id=3231
name=This Windows security event log indicates that a user password has been set.
# Event 628 / Success Audit. Same capture position as 3229/3230, so $3 is presumably the
# caller who set the password, not the account whose password was set — confirm.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,628,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Caller Domain:
log=event:Windows-User_Password_Set type:system sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-628

################
# AUDIT ISSUES #
################

NEXT 

id=3232
name=This Windows security event log indicates that the audit policy has changed.
# Event 612 / Success Audit; sensor and IP only, the changed settings are not captured.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,612,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Audit_Policy_Changed type:system sensor:$1 dstip:$2 event2:WindowsEvent-612

NEXT

id=3233
name=This Windows security event log indicates that the Audit log was cleared.
# Event 517 / Success Audit (audit log cleared). Emitted as type:system with sensor and IP only;
# the account that cleared the log is not captured. The match= fragments here (Sec, Au) differ
# from the Secur/ss set used by the neighbouring rules — presumably a pre-filter detail only.
match=ecu
match=ty
match=Security
match=Sec
match=ce
match=Au
match=,Success Audit,
match=,Security,517,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Audit_Log_Cleared type:system sensor:$1 dstip:$2 event2:WindowsEvent-517

NEXT

id=3234
name=This Windows security event log indicates that a user account has been enabled.
# Event 626 / Success Audit; the enabled account is not captured (compare 3238 for 629).
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,626,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Account_Enabled type:system sensor:$1 dstip:$2 event2:WindowsEvent-626

NEXT

id=3236
name=This Windows security event log indicates that this account is disabled. 
# Event 531 / Failure Audit (logon attempt against a disabled account). $3 = "Source Network
# Address:" (srcip); note the regex requires exactly one space after the colon, where other
# rules use \s*.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,531,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Source Network Address: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Account_Currently_Disabled sensor:$1 srcip:$3 dstip:$2 type:login-failure event2:WindowsEvent-531

NEXT

id=3238
name=This Windows security event log indicates that this user account is disabled.
# Event 629 / Success Audit (an account was disabled by an operator). $3 = "Target Account
# Name:" with an optional "DOMAIN\" prefix stripped by the non-capturing group.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,629,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Target Account Name:\s+(?:\S+\\)?([a-zA-Z0-9._-]+)
log=event:Windows-User_Account_Disabled sensor:$1 dstip:$2 user:$3 type:system event2:WindowsEvent-629

NEXT

id=3239
name=This Windows security event log indicates that the user password has expired.
# Event 2242 / Failure Audit per the match= line. Emitted as type:system rather than
# login-failure, so it is not counted with the other failed-logon events.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,2242,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-User_Passwd_Expired sensor:$1 dstip:$2 type:system event2:WindowsEvent-2242

NEXT

id=3240
name=This Windows security event log indicates that  Windows account password expired.
# Event 535 / Failure Audit; srcip from "Source Network Address:". Emitted as type:system,
# unlike 3248 (532, expired account), which emits the comparable failure as login-failure.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,535,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Source Network Address: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Account_Passwd_Expired sensor:$1 dstip:$2 srcip:$3 type:system event2:WindowsEvent-535

NEXT

id=3241
name=This Windows security event log indicates that this account has expired.
# Event 1330 / Failure Audit, described as an expired ACCOUNT.
# NOTE(review): the emitted event name Windows-Account_Passwd_Expired is the one 3240 uses for an
# expired PASSWORD, while 3248 emits Windows-Account_Expired for 532. Consumers keying on the
# event name cannot tell 535 from 1330 without also reading event2; Windows-Account_Expired would
# match both the description and rule 3248.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,1330,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Account_Passwd_Expired sensor:$1 dstip:$2 type:system event2:WindowsEvent-1330

NEXT

id=3242
name=This Windows security event log indicates that a user was granted access.  
# Event 560 / Success Audit for lines that do NOT mention SeSecurityPrivilege; rule 3265 takes
# the ones that do, so the two partition all 560 lines. $3 = "Primary User Name:" value up to
# "Primary Domain:".
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,560,Success Audit,
match=!SeSecurityPrivilege
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Primary User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Primary Domain:
log=event:Windows-Successful_Access_Grant type:system sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-560

NEXT

id=3243
name=This Windows security event log indicates that the restore mode password for the domain has changed.
# Event 698 / Success Audit; sensor and IP only.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,698,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Directoryservice_Restore_Mode_Password_Changed sensor:$1 dstip:$2 type:system event2:WindowsEvent-698

NEXT

id=3244
name=This Windows security event log indicates that an account name was changed.
# Event 685 / Success Audit. NOTE(review): the event id is matched as the bare ",685" rather
# than the ",Security,685,Success Audit," form every other rule uses, and the regex does not
# check it either, so any Success Audit line containing ",685" in some other field passes.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,685
match=,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Account_Name_Changed sensor:$1 dstip:$2 type:system event2:WindowsEvent-685

NEXT

id=3245
name=This Windows security event log indicates that a windows security enabled global group was changed.
# Events 631-634 per the event2 tag (security-enabled global group changes). The id is only
# narrowed to the ",Security,63" prefix plus the group-type text; the regex does not pin the id
# range the way 3246 (63[5-9]) and 3247 (659|66[0-4]) do, and 633 lines are also claimed by 3217.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,63
match=lo
match=le
match=ed
match=,Security Enabled Global Group 
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Security_Enabled_Global_Group_Changes type:system sensor:$1 dstip:$2 event2:WindowsEvent-631_634

NEXT

id=3246
name=This Windows security event log indicates that a windows security enabled local group has changed
# Events 635-639 (security-enabled local group changes); the regex restricts the id to 63[5-9]
# before extracting sensor and IP.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,63
match=Lo
match=le
match=ed
match=,Security Enabled Local Group 
match=cal
regex=,Security,63[5-9],.*,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Security_Enabled_Local_Group_Changes type:system sensor:$1 dstip:$2 event2:WindowsEvent-635_639

NEXT

id=3247
name=This Windows security event log indicates that a Windows security enabled universal group has changed.
# Events 659-664 (security-enabled universal group changes). The id is capture group 1 here, so
# sensor and IP are $2/$3 rather than the $1/$2 used everywhere else in this file. The event2
# tag "659-660_664" also uses a different separator style from "631_634"/"635_639".
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,6
match=le
match=ed
match=,Security Enabled Universal Group
regex=Security,(659|66[0-4]),.*,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Security_Enabled_Universal_Group_Changes type:system sensor:$2 dstip:$3 event2:WindowsEvent-659-660_664

NEXT

id=3248
name=This Windows security event log indicates that a user account has expired.
# Event 532 / Failure Audit (expired account); srcip from "Source Network Address:" and
# emitted as login-failure (compare 3241, which covers 1330 under a different event name).
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,532,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Source Network Address: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Account_Expired sensor:$1 dstip:$2 srcip:$3 type:login-failure event2:WindowsEvent-532
 
NEXT

id=3249
name=This Windows security event log indicates that a Windows special privileged login has occurred.
# Event 576 / Success Audit with a non-empty "User Name:" ($3, up to "Domain:"); rule 3207
# handles the empty-name form. Emitted as type:login, so privileged logons appear in login
# counts for the user.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,576,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Domain:
log=event:Windows-Special_Privilege_New_Logon sensor:$1 type:login dstip:$2 user:$3 event2:WindowsEvent-576

NEXT

id=3250
name=This Windows security event log indicates that a Windows logon failure because of an invalid logon type has occurred.
# Event 534 / Failure Audit; sensor and IP only, the account and requested logon type are not
# captured.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,534,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Logon_Failure_Invalid_Logon_Type type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-534

NEXT

id=3251
name=This Windows security event log indicates that an attempt to install a Windows service has failed. 
# Event 601 (attempt to install a service).
# NOTE(review): the audit-type string required here is ",Security Audit,", which no other rule
# in this file uses — every other rule matches ",Success Audit," or ",Failure Audit,". If the
# log only ever emits those two strings this rule can never fire and service-install attempts
# are silently lost; confirm against a real 601 line. Rule 3252 has the same issue.
match=ecu
match=ty
match=Security
match=Secur
match=,Security Audit,
match=,Security,601,Security Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Service_Installation_Attempt sensor:$1 dstip:$2 type:error event2:WindowsEvent-601

NEXT

id=3252
name=This Windows security event log indicates that a logon failure occurred.
# Event 530 (logon outside permitted hours, per the emitted event name), with the same
# ",Security Audit," type string as 3251 — see the note there. The bare "Security,530" match=
# line is subsumed by the fuller match below it.
match=ecu
match=ty
match=Security
match=Secur
match=Security,530
match=,Security Audit,
match=,Security,530,Security Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Source Network Address: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Logon_Failure_Incorrect_Logon_Time sensor:$1 dstip:$2 srcip:$3 type:login-failure event2:WindowsEvent-530

NEXT

id=3253
name=This Windows security event log indicates that system access was granted.
# Event 621 / Success Audit; sensor and IP only.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,621,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-System_Access_Grant type:system sensor:$1 dstip:$2 event2:WindowsEvent-621

NEXT

id=3254
name=This Windows security event log indicates that domain security policy change has occurred.
# Event 643 / Success Audit; sensor and IP only.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,643,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Domain_Security_Policy_Change type:system sensor:$1 dstip:$2 event2:WindowsEvent-643

NEXT

id=3255
name=This Windows security event log indicates that a user account had a privilege change.
# Event 608 / Success Audit; the account and the right assigned are not captured. The event
# name keeps the spelling "Priviledge" because it is part of the emitted event that consumers
# may already filter on; correcting it is an interface change, not a cosmetic one.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,608,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Account_Priviledge_Change sensor:$1 type:system dstip:$2 event2:WindowsEvent-608

NEXT

id=3256
name=This Windows security event log indicates that a new process was created.
# Event 592 / Success Audit. Only sensor and IP are captured; no process details reach the
# emitted event. NOTE(review): the reporting host's IP is emitted as srcip here but as dstip in
# 3257 and most of this file — consumers keying on one field will see process start and exit
# on different sides.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,592,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-New_Process_Created sensor:$1 srcip:$2 type:process event2:WindowsEvent-592

NEXT

id=3257
name=This Windows security event log indicates that Windows process exited
# Event 593 / Success Audit. "match=!actual log" rejects any line containing that literal
# text; it looks like a leftover from test data rather than a field of the event — TODO confirm
# and drop it if so.
match=!actual log
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,593,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Process_Exited  sensor:$1 dstip:$2 type:process event2:WindowsEvent-593

NEXT

id=3258
name=This Windows security event log indicates that this Windows host has shutdown.
# Event 513 / Success Audit, emitted as type:restart; sensor and IP only.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,513,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Host_Shutdown sensor:$1 dstip:$2 type:restart event2:WindowsEvent-513

NEXT

id=3260
name=This Windows security event log indicates that a successful network logon has occurred.
# Event 540 / Success Audit where "Source Network Address:" is "-" (no address recorded);
# $3 = "User Name:" value up to "Domain:". Lines with a numeric source address are rule 3223,
# which captures the address but not the user.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=Success Audit,
match=,Security,540,Success Audit,
match=Lo
match=Successful Network Logon:
match=Source Network Address:
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*:\s+User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Domain:.*Source Network Address:\s*-
log=event:Windows-Successful_Network_Login sensor:$1 type:login dstip:$2 user:$3 event2:WindowsEvent-540

NEXT

id=3261
name=This Windows security event log indicates that a windows account has been locked out.
# Event 539 / Failure Audit. No account is captured; rule 3281 emits the same
# Windows-Account_Locked-style name for 680 failures with error 0xC0000234.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,539,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Account_Locked type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-539

NEXT

id=3262
name=This Windows security event log indicates that a Windows logon with credentials has occurred.
# Event 552 / Success Audit. $3 = the first "User Name:" value up to "Domain:", which is
# presumably the calling account rather than the credentials being used — confirm with a sample.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,552,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*:\s+User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Domain:
log=event:Windows-Logon_With_Credentials type:login sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-552

NEXT

id=3263
name=This Windows security event log indicates that a previous session has reconnected to this system.
# Event 682 / Success Audit. $3 = "Client Address:" (srcip), $2 = reporting host (dstip).
# The "Security," match= line carries a trailing comma unlike the other rules; harmless.
match=ecu
match=ty
match=Security,
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,682,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Client Address:\s+([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Session_Reconnected type:system sensor:$1 dstip:$2 srcip:$3 event2:WindowsEvent-682

NEXT

id=3264
name=This Windows security event log indicates that a process was assigned a primary token.
# Event 600 / Success Audit; sensor and IP only.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,600,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Process_Assigned_Primary_Token sensor:$1 type:system dstip:$2 event2:WindowsEvent-600

NEXT

id=3265
name=This Windows security event log indicates that a an object's privileges have changed.
# Event 560 / Success Audit lines that mention SeSecurityPrivilege (the complement of 3242,
# which describes the same event id as an access grant). Only sensor and IP are captured;
# despite the Privilege_Change name, no privilege or object detail reaches the emitted event.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,560,Success Audit,
match=le
match=SeSecurityPrivilege
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Privilege_Change type:system sensor:$1 dstip:$2 event2:WindowsEvent-560

NEXT

id=3266
name=This Windows security event log indicates that the directory replication agent is in operation.
# Events 836, 837 and 835 (rules 3266-3268) all emit the same
# Windows-Directory_Replication_Operation event; only the event2 tag tells them apart.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,836,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Directory_Replication_Operation type:system sensor:$1 dstip:$2 event2:WindowsEvent-836

NEXT

id=3267
name=This Windows security event log indicates that the directory replication agent is in operation.
# Event 837 / Success Audit; see 3266.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,837,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Directory_Replication_Operation type:system sensor:$1 dstip:$2 event2:WindowsEvent-837

NEXT

id=3268
name=This Windows security event log indicates that the directory replication agent is in operation.
# Event 835 / Success Audit; see 3266.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,835,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Directory_Replication_Operation type:system sensor:$1 dstip:$2 event2:WindowsEvent-835

NEXT

id=3269
name=This Windows security event log indicates that a user had an error during logon.
# Event 537 / Failure Audit, only when "Source Network Address:" is a real address ($3, srcip);
# the "-" form is excluded by match=! and no rule for it appears in this part of the file.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,537,Failure Audit,
match=!Source Network Address: -
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Source Network Address: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Logon-Error type:login-failure sensor:$1 dstip:$2 srcip:$3 event2:WindowsEvent-537

NEXT

id=3271
name=This Windows security event log indicates that the password policy checking API was called.
# Event 697 / Success Audit; sensor and IP only.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,697,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Password_Checking type:system sensor:$1 dstip:$2 event2:WindowsEvent-697

NEXT 

id=3272
name=This Windows security event log indicates that a new process has opened a network socket and is accepting traffic.
# Event 861 / Failure Audit. Emitted as type:system with sensor and IP only; the listening
# process and port are not captured, so the event cannot be used to spot a specific listener.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,861,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-New_Process_Accepting_Traffic type:system sensor:$1 dstip:$2 event2:WindowsEvent-861

NEXT 

id=3274
name=The Windows security event log indicates that a login failure has occurred as a result of a bad password.
# Event 680 / Failure Audit split by the NTSTATUS value after "Error Code:" (see the table at
# the top of this file); rules 3274-3281 each pin one code by plain substring match. This one
# is 0xC000006A = wrong password. None of these rules capture the account name, so a 680
# failure cannot be attributed to a user from the emitted event alone. No rule for 0xC0000224
# (must change password at next logon) appears in this part of the file.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=,Security,680,Failure Audit,
match=ailure
match=rr
match=Error Code:
match=0xC000006A
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Login_Failure_Bad_Password type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-680

NEXT 

id=3275
name=The Windows security event log indicates that a login failure has occurred as a result of a bad user account.
# Event 680 / Failure Audit with Error Code 0xC0000064 = user name does not exist (header table).
# Account name not captured; see 3274.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,680,Failure Audit,
match=rr
match=Error Code:
match=0xC0000064
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Login_Failure_Bad_Account type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-680

NEXT 

id=3276
name=The Windows security event log indicates that a login failure has occurred because the account was used during unauthorized hours.
# Event 680 / Failure Audit with Error Code 0xC000006F = logon outside the account's day/time
# restrictions (header table). Account name not captured; see 3274.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,680,Failure Audit,
match=rr
match=Error Code:
match=0xC000006F
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Login_Failure_Restriction type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-680

NEXT 

id=3277
name=The Windows security event log indicates that a login failure has occurred because the originating host is unauthorized to login to this server. 
# Event 680 / Failure Audit with Error Code 0xC0000070 = workstation restriction (header table).
# Neither the account nor the originating workstation is captured; see 3274.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,680,Failure Audit,
match=rr
match=Error Code:
match=0xC0000070
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Login_Failure_Illegal_Host type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-680

NEXT 

id=3278
name=The Windows security event log indicates that a login failure has occurred with an expired password. 
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,680,Failure Audit,
match=rr
match=Error Code:
match=0xC0000071
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Login_Failure_Expired_Password type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-680

NEXT 

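id=3279
name=The Windows security event log indicates that a login failure has occurred because the account is currently disabled.
# Event 680 Failure Audit with NTSTATUS 0xC0000072 = "account is currently disabled" (file header
# table). This rule previously emitted Windows-Login_Failure_Account_Locked, the same event name
# rule 3281 emits for 0xC0000234 (account locked out), so disabled-account and locked-out failures
# were indistinguishable downstream. Consumers keyed on the old event name for this code need
# updating. Rule 3289 reports the same condition for event 531.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,680,Failure Audit,
match=rr
match=Error Code:
match=0xC0000072
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Login_Failure_Account_Disabled type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-680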

NEXT 

id=3280
name=The Windows security event log indicates that a login failure has occurred to an account which has expired.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,680,Failure Audit,
match=rr
match=Error Code:
match=0xC0000193
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Login_Failure_Account_Expired type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-680

NEXT 

id=3281
name=The Windows security event log indicates that a login failure has occurred to an account which has been locked.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,680,Failure Audit,
match=rr
match=Error Code:
match=0xC0000234
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Login_Failure_Account_Locked type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-680

NEXT 

id=3282
name=The Windows security event log indicates that a login failure has occurred.
# Catch-all for event 680 failures whose error code has no dedicated rule. Each code handled by
# rules 3274-3281 is negated below so those events are not reported twice; codes listed in the
# header table but without a rule of their own (0xC0000224 "must change password at next logon",
# 0xC0000225) fall through to this generic event. When adding a new specific-code rule, add its
# code here as a match=! line as well.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,680,Failure Audit,
match=rr
match=Error Code:
match=!0xC000006A
match=!0xC0000064
match=!0xC000006F
match=!0xC0000070
match=!0xC0000071
match=!0xC0000072
match=!0xC0000234
match=!0xC0000193
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Login_Failure type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-680

NEXT 

id=3283
name=The Windows security event indicates that a user has logged out of their Windows session.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,551,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Logout type:logout sensor:$1 dstip:$2 event2:WindowsEvent-551

NEXT

id=3285
name=The Windows security event indicates a computer account has changed.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,646,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Computer_Account_Changed type:system sensor:$1 dstip:$2 event2:WindowsEvent-646

NEXT

id=3286
name=The Windows security event indicates that the Windows Firewall has changed.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,851,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Firewall_Application_Changed type:system sensor:$1 dstip:$2 event2:WindowsEvent-851

NEXT

id=3287
name=The Windows security event log indicates that the Windows Firewall could not be started.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,860,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Firewall_Application_Could_Not_Be_Started type:error sensor:$1 dstip:$2 event2:WindowsEvent-860

NEXT 

id=3288
name=This Windows security event log indicates that a new process has opened a network socket and is accepting traffic.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,861,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Application_Listening_For_Traffic type:system sensor:$1 dstip:$2 event2:WindowsEvent-861


NEXT

id=3289
name=This Windows security event log indicates a login failure because the account is currently disabled.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit
match=ailure
match=,Security,531,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Login_Failed_Account_Disabled type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-531

NEXT

id=3290
name=This Windows security event log indicates that a successful network login has occurred.
# Event 540 Success Audit for records that carry neither a "Source Address" nor a
# "Source Network Address:" label; no user name is extracted (rule 3294 handles the variant
# with user name and source address, 3340 the variant with a user name only).
# NOTE(review): a 540 record containing the literal "Source Network Address: -" is excluded
# here by the negated match and also fails 3294's IP regex; it is presumably left to 3340 -
# confirm against a sample event. The "match=Success Audit," line lacks the leading comma
# its siblings use; harmless as a substring test, but inconsistent.
match=!Source Address
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=Success Audit,
match=,Security,540,Success Audit,
match=!Source Network Address:
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Successful_Network_Login sensor:$1 type:login dstip:$2 event2:WindowsEvent-540

NEXT

id=3291
name=This Windows security event log indicates that a privileged service failed.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Security,577,Failure Audit
match=ailure
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Privileged_Service_Failed type:error sensor:$1 dstip:$2 event2:WindowsEvent-577

NEXT

id=3292
name=This Windows security event log indicates that IPSec services failed to get a complete list of network interfaces.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Security,615,Failure Audit
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-IPsec_Failed type:error sensor:$1 dstip:$2 event2:WindowsEvent-615

NEXT

id=3293
name=This Windows security event log indicates that a session disconnected from a workstation.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Security,683,Success Audit
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Client Address:\s*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Session_Disconnect type:system sensor:$1 dstip:$2 srcip:$3 event2:WindowsEvent-683

NEXT

id=3294
name=This Windows security event log indicates that a successful network logon has occurred.
# note - ID 3223 handles the case when there is no user name provided in a 540 event login
match=ser
match=User Name:
match=User
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,540,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*:\s+User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Domain:.*Source Network Address: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Successful_Network_Login type:login sensor:$1 dstip:$2 user:$3 srcip:$4 event2:WindowsEvent-540

NEXT

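id=3295
name=This Windows security event log indicates that a successful batch logon occurred. When Windows executes a batched task, the Scheduled Task service creates a logon session for the task to run as the user account specified when the task was created.
# Event 528 Success Audit with Logon Type 4 (batch). $3 is the account the task runs as.
# The user capture is anchored on the following "Domain:" label, as in the sibling 528 rules
# 3296-3299. The previous pattern "\s+.*Logon Type" let the non-greedy capture stop at the
# first whitespace, so an account name containing a space was truncated to its first word.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,528,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Domain:.*Logon Type:\s*4
log=event:Windows-Successful_Batch_Logon type:login sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-528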

NEXT

id=3296
name=This Windows security event log indicates that a successful service logon has occurred. Each service receives its own logon session when it first starts.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,528,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Domain:.*Logon Type:\s*5
log=event:Windows-Successful_Service_Logon type:login sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-528

NEXT

id=3297
name=This Windows security event log indicates that a user session was unlocked. This occurs when a screen saver or system has been unlocked after a previous login.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,528,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Domain:.*Logon Type:\s*7
log=event:Windows-Successful_Unlock type:login sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-528

NEXT

id=3298
name=This Windows security event log indicates that a remote interactive session has logged into the computer such as through Remote Desktop, Terminal Services or Remote Assistance.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,528,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Domain:.*Logon Type:\s*10
log=event:Windows-Successful_Remote_Session_Login type:login sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-528

NEXT

id=3299
name=This Windows security event log indicates that a remote user used their cached login to enter the domain. To facilitate mobile users, Windows systems cache a hash of the credentials from previous interactive login sessions. If no domain controller is available, a system may still enter the domain by using these stored hashes.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,528,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Domain:.*Logon Type:\s*11
log=event:Windows-Successful_Cached_Login type:login sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-528

NEXT

id=3320
name=This Windows security event log indicates an authentication package has been loaded.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,514,Success Audit,
match=,An authentication package has been loaded
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Authentication_Package_Loaded type:system sensor:$1 dstip:$2 event2:WindowsEvent-514
 
NEXT

id=3321
name=This Windows security event log indicates the user audit policy was refreshed.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,806,Success Audit,
match=,Per User Audit Policy was refreshed.
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-User_Audit_Policy_Refreshed type:system sensor:$1 dstip:$2 event2:WindowsEvent-806

NEXT

id=3322
name=This Windows security event log indicates a failed backup.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,596,Failure Audit,
match=,Backup of data protection master key.
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Failed_Audit_Of_Master_Key type:system sensor:$1 dstip:$2 event2:WindowsEvent-596

NEXT

#id=3324
#
# This ID is reserved for a user tracking login event.
# DO NOT USE IT OTHERWISE.
#
#NEXT

id=3326
name=This Windows security event log indicates that an authentication ticket was not granted.
# Event 672 Failure Audit: a Kerberos authentication ticket (TGT) request was refused. $3 is
# the requesting account; an optional "@REALM" suffix after the name is consumed by the
# non-capturing group so it does not end up in the user field.
# NOTE(review): this rule emits type:system, while the 675 pre-authentication failure
# (rule 3338) emits type:login-failure. A refused TGT request is an authentication failure
# too; consider aligning the type so these events reach the same login-failure reporting.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,672,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)(?:@\S+)?\s+Supp
log=event:Windows-Authentication_Ticket_Not_Granted type:system sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-672

NEXT

id=3327
name=This Windows security event log indicates that a successful RunAs command was invoked. This means that an authenticated user has launched another program with different credentials.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,528,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Domain:.*Logon Type:\s*9
log=event:Windows-Successful_RunAs_Command type:login sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-528


NEXT

id=3328
name=This Windows security event indicates that an account has been locked. 
# Event 644 Success Audit: an account was locked out. $3 is taken from the "User Name:" label
# that is followed, within 25 characters, by "Caller".
# NOTE(review): if the 644 record names the locked account under a different label and the
# only "User Name:" label present is part of "Caller User Name:", user:$3 will be the caller
# (the host or account that triggered the lockout) rather than the locked-out account -
# confirm against a sample 644 event before relying on this field for lockout reporting.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,644,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Caller
log=event:Windows-Account_Locked type:system sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-644

NEXT

id=3329
name=This Windows security event indicates a port was listed as an exception when the Windows Firewall started.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,850,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Port number: ([0-9]+)
log=event:Windows-Port_Exception type:system sensor:$1 dstip:$2 dstport:$3 event2:WindowsEvent-850

NEXT

id=3330
name=This Windows security event indicates a task has been created or modified.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,602,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Task_Created_Or_Modified type:system sensor:$1 dstip:$2 event2:WindowsEvent-602


NEXT

id=3331
name=This Windows security event log indicates that this user is not allowed to logon to this computer.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,533,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-User_Not_Allowed_Login sensor:$1 dstip:$2 type:login-failure event2:WindowsEvent-533

NEXT

id=3332
name=This Windows security event log indicates that the Netlogon component is not active.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,536,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Netlogon_Not_Active sensor:$1 dstip:$2 type:login-failure event2:WindowsEvent-536

NEXT

id=3333
name=This Windows security event log indicates that internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,516,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Audit_Failure sensor:$1 dstip:$2 type:error event2:WindowsEvent-516

NEXT

id=3334
name=This Windows security event log indicates that the system is unable to log events to the security log.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=Security,521
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Unable_To_Log_Events sensor:$1 dstip:$2 type:error event2:WindowsEvent-521

NEXT

id=3335
name=This Windows security event log indicates that a user's rights were removed.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,609,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-User_Account_Privilege_Removed sensor:$1 dstip:$2 type:system event2:WindowsEvent-609

NEXT

id=3336
name=This Windows security event log indicates that system security access was removed.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,622,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-System_Security_Access_Removed sensor:$1 dstip:$2 type:system event2:WindowsEvent-622

NEXT

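id=3337
name=This Windows security event log indicates that a service ticket request failed.
# Event 673 Failure Audit: a Kerberos service ticket (TGS) request was refused. $3 is the
# requesting account with any "@REALM" suffix dropped by the non-capturing group.
# Address orientation follows rule 3293: the "IP:" address attached by the LCE client is the
# host that logged the event (dstip) and the record's own "Client Address:" is the requester
# (srcip). Previously the two were swapped and the name described a granted ticket, which
# contradicted both the Failure Audit match and the emitted event name.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,673,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)(?:@\S+)?\s+User Domain.*Client Address:\s*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Service_Ticket_Request_Fail type:access-denied sensor:$1 dstip:$2 user:$3 srcip:$4 event2:WindowsEvent-673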

NEXT

id=3338
name=This Windows security event log indicates that a pre-authentication login attempt failed.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,675,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Pre-Authentication_Failed type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-675

NEXT

id=3339
name=This Windows security event log indicates that an access control list was set for members of the administrators group.
match=Security
match=Secur
match=in
match=User Name:
match=Logon
match=Lo
match=get
match=ar
match=Do
match=omain
match=User
match=ser
match=ce
match=le
match=ecu
match=ty
match=ss
match=Success Audit
match=,Success Audit,
match=,Security,684,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Caller Domain:
log=event:Windows-Admin_ACLs_Set type:system sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-684

NEXT

id=3340
name=This Windows security event log indicates that a successful network logon has occurred.
# note - ID 3223 handles the case when there is no user name provided in a 540 event login
# note - ID 3294 handles the case when there is a user name provided in a 540 event login
# note - ID 3340 handles the case when there is a user name provided, but no Source Network Address
# NOTE(review): unlike rule 3290 there is no "match=!Source Network Address:" line, so nothing
# in this rule restricts it to records without a source address as the note above states;
# whether it also fires on records rule 3294 already reports depends on how the engine orders
# and short-circuits rules - confirm.
# NOTE(review): the regex has no ":\s+" anchor in front of "User Name:" (compare 3294). With the
# greedy ".*" the match prefers the last "User Name:" label that is followed by "Caller Domain:",
# which may be the "Caller User Name:" field rather than the logged-on user; verify user:$3
# against a sample 540 record.
match=ser
match=User Name:
match=User
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,540,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Caller Domain:
log=event:Windows-Successful_Network_Login type:login sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-540

NEXT

id=3341
name=This Windows security event log indicates that a user password has been set, but an audit failure has occurred.
match=ecu
match=ty
match=Security
match=Secur
match=ss
match=,Failure Audit,
match=,Security,628,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Caller Domain:
log=event:Windows-User_Password_Set_Failed_Audit type:system sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-628

NEXT

id=3342
name=This Windows security event log indicates a user account was unlocked.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,671,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Caller Domain:
log=event:Windows-User_Account_Unlocked type:system sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-671

NEXT

id=3343
name=This Windows security event log indicates that a user had an error during logon.
# Event 537 Failure Audit whose text carries the literal "Source Network Address: -"; rule 3344
# takes the variant where the label is absent altogether. Both emit the same event without a
# source address.
# NOTE(review): a 537 record that carries a real source address satisfies neither rule (this
# literal does not match and 3344's negated match fails). Presumably handled elsewhere or
# dropped on purpose - confirm, since logon errors with a remote source are the interesting ones.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,537,Failure Audit,
match=Source Network Address: -
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Logon-Error type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-537

NEXT

id=3344
name=This Windows security event log indicates that a user had an error during logon.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,537,Failure Audit,
match=!Source Network Address:
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Logon-Error type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-537

NEXT

id=3345
name=This Windows security event log indicates mapping was attempted.
match=ecu
match=ty
match=Security
match=Secur
match=,Success Audit,
match=ss
match=,Security,678,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Mapping_Attempted type:system sensor:$1 dstip:$2 event2:WindowsEvent-678

NEXT

id=3346
name=This Windows security event log indicates that a previous session has reconnected to this system.
match=!Client Address
match=ecu
match=ty
match=Security,
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,682,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Session_Reconnected type:system sensor:$1 srcip:$2 event2:WindowsEvent-682

NEXT

id=3347
name=This Windows security event log indicates that a Global Group Member has been removed. Member may be a user, computer or another group.
# Event 656: member removed from a security-enabled global group.
# NOTE: the match lines only require "Audit" and ",Security,656," - there is no Success/Failure
# substring - so both Success Audit and Failure Audit records map to this single event; the
# same holds for 3348-23353 below. The reporting host's "IP:" address is emitted as srcip here,
# whereas the 528/680 rules above emit the same address as dstip; consumers correlating on
# address fields should be aware of the differing orientation.
match=ecu
match=ty
match=Security,
match=Secur
match=ce
match=Audit
match=,Security,656,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Global_Group_Member_Removed type:system sensor:$1 srcip:$2 event2:WindowsEvent-656

NEXT

id=3348
name=This Windows security event log indicates that a new computer account has been created.
match=ecu
match=ty
match=Security,
match=Secur
match=ce
match=Audit
match=,Security,645,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-New_Computer_Account_Created type:system sensor:$1 srcip:$2 event2:WindowsEvent-645

NEXT

id=3349
name=This Windows security event log indicates that a security enabled global group has changed.
match=ecu
match=ty
match=Security,
match=Secur
match=ce
match=Audit
match=,Security,641,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Global_Group_Changed type:system sensor:$1 srcip:$2 event2:WindowsEvent-641

NEXT

id=23350
name=This Windows security event log indicates that some trusted domain information has been modified.
# Event 620: trusted domain information modified (a domain-trust change is worth alerting on).
# Matches both Success and Failure audits, as there is no audit-result substring.
# NOTE(review): the id jumps from 3349 (previous rule) to 23350, and the following rules
# continue at 2335x - confirm this numbering is intentional and not a typo for 3350.
match=ecu
match=ty
match=Security,
match=Secur
match=ce
match=Audit
match=,Security,620,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Trusted_Domain_Information_Modified type:system sensor:$1 srcip:$2 event2:WindowsEvent-620

NEXT

id=23351
name=This Windows security event log indicates that a group type has changed.
match=ecu
match=ty
match=Security,
match=Secur
match=ce
match=Audit
match=,Security,668,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Group_Type_Changed type:system sensor:$1 srcip:$2 event2:WindowsEvent-668

NEXT

id=23352
name=This Windows security event log indicates that Windows has started.
match=ecu
match=ty
match=Security,
match=Secur
match=ce
match=Audit
match=,Security,512,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Started type:system sensor:$1 srcip:$2 event2:WindowsEvent-512

NEXT

id=23353
name=This Windows security event log indicates that a security enabled universal group was created.
match=ecu
match=ty
match=Security,
match=Secur
match=ce
match=Audit
match=,Security,658,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Universal_Group_Created type:system sensor:$1 srcip:$2 event2:WindowsEvent-658

NEXT

id=23354
name=This Windows security event log indicates that a login failure has occurred.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,529,Failure Audit,
match=!ADMINISTRATOR
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* User Name:\s+Domain
log=event:Windows-Logon_Failure type:login-failure sensor:$1 srcip:$2 event2:WindowsEvent-529