# Copyright 2004-2013 Tenable Network Security
# This library may only be used with the LCE server and may not
# be used with other products or open source projects
#
# NAME:
# Windows Security Event log parser
#
# DESCRIPTION:
# This library is used to process logs from Windows systems. Windows
# XP or W2K servers can be configured with a LCE Client for Windows
# or can forward their events via netbios to another Windows server
# which runs the LCE Client. In both cases, the Windows LCE
# Client will attempt to conduct a reverse netbios or DNS lookup of
# the hostname to convert it to an IP address for the LCE server.
#
# LAST UPDATE: $Date$
#
# RULE FORMAT (as used throughout this file):
#   id=     numeric rule id
#   name=   human-readable description of what the rule detects
#   match=  literal substring the raw log line must contain (the short
#           fragments such as "ecu"/"ty" look like cheap pre-filters);
#           a leading "!" (e.g. match=!ADMINISTRATOR next to rule 3202's
#           match=ADMINISTRATOR) appears to mean "must NOT contain" --
#           confirm against the LCE rule-engine documentation
#   regex=  regular expression applied to the line; its capture groups
#           are referenced as $1, $2, ... in log=
#   log=    normalized event emitted on a hit (event:, type:, sensor:,
#           srcip:/dstip:, user:, event2:)
#   NEXT    separates one rule from the following one
# Nearly every regex below starts with ",([a-zA-Z0-9._-]+),IP:(a.b.c.d)",
# so $1 is the reporting host name and $2 its address as written by the
# LCE Windows client; most rules emit $2 as dstip.
# NOTE(review): user-name captures use [A-Za-z0-9$_.-] (some rules also
# allow "!" and space) limited to 25 characters. An account name with
# other characters, or longer than 25 characters, does not match and the
# rule silently does not fire -- a coverage gap rather than an error.
# Verify against the naming conventions of the monitored domains.
#############################################
# LOGIN USERS (attempts/failures,successes) #
#############################################
# Per MS KBA 140714
# Interactive logon Event ID 528 Type 2
# Network logon Event ID 528 Type 3
# Net Use connection Event ID 528 Type 3
# Unlock Event ID 528 Type 7
# Remote logon Event ID 528 Type 10
# Cached logon Event ID 528 Type 11
# Interactive logoff Event ID 538 Type 2
# Network logoff Event ID 538 Type 3
# Net use disconnection Event ID 538 Type 3
# Autodisconnect Event ID 538 Type 3
# moved ids 3213 3215 3259 3270 4273 3284 3325 to os win audit prm
# For a better description of event ids please refer to the link below
# http://www.microsoft.com/technet/support/ee/ee_advanced.aspx
# Event ID 680
# 0x0 Success
# 0xC0000064 user name does not exist
# 0xC000006A user name is correct but the password is wrong
# 0xC0000234 user is currently locked out
# 0xC0000072 account is currently disabled
# 0xC000006F user tried to logon outside his day of week or time of day restrictions
# 0xC0000070 workstation restriction
# 0xC0000193 account expiration
# 0xC0000071 expired password
# 0xC0000224 user is required to change password at next logon
# 0xC0000225 evidently a bug in Windows and not a risk
# 3200: 680 Success Audit lines of the "Logon attempt by:" /
# "Logon account:" form; lines containing "Account Name" are skipped
# (match=!Account Name) and handled by rule 3209's "Account Name:" form.
# Emits Windows-Logon with the logon account as user.
id=3200
name=This Windows security event log indicates that a successful Logon Attempt occurred.
# NOTE(review): rules 3200 and 3201 emit the reporting host ($2) as
# srcip, whereas rules 3203 onward emit the same capture as dstip;
# presumably one of the two conventions is a mistake -- confirm and align
# so that source/destination searches behave the same across rules.
match=ecu
match=ty
match=Security
match=Secur
match=!Account Name
match=tem
match=Lo
match=pt
match=,Success Audit,
match=,Security,680,Success Audit,
match=Logon attempt by:
match=Logon account:
match=ce
match=Source Workstation:
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Logon account:\s*([A-Za-z0-9$_.-]{1,25})
log=event:Windows-Logon sensor:$1 srcip:$2 user:$3 type:login event2:WindowsEvent-680

NEXT
id=3201
name=This Windows security event log indicates that login failure has occurred.
# 3201: 529 Failure Audit for lines that do not contain ADMINISTRATOR
# (match=!ADMINISTRATOR); rule 3202 covers the ADMINISTRATOR case.
# NOTE(review): the regex captures the user name as $3 but log= does not
# emit it; adding "user:$3" would match rule 3200's output -- confirm the
# omission is not deliberate before changing it.
# NOTE(review): if match= is case-sensitive, "administrator" written in
# another case is not excluded here and is reported as a generic failure.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,529,Failure Audit,
match=!ADMINISTRATOR
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* User Name:\s*([A-Za-z0-9$_.-]{1,25})
log=event:Windows-Logon_Failure type:login-failure sensor:$1 srcip:$2 event2:WindowsEvent-529

NEXT
id=3202
name=This Windows security event log indicates that an administrator login attempt failed.
# 3202: 529 Failure Audit containing ADMINISTRATOR; no user capture.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=,Security,529,Failure Audit,
match=AT
match=RA
match=ADMINISTRATOR
match=IN
match=ST
match=ailure
match=TR
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Administrator_Logon_Failure type:login-failure sensor:$1 srcip:$2 event2:WindowsEvent-529

NEXT
id=3203
name=This Windows security event log indicates that a successful interactive logon occurred.
# 3203: 528 Success Audit with "Logon Type: 2" for lines not containing
# ADMINISTRATOR (rule 3204 covers ADMINISTRATOR; rule 3225 covers
# Logon Type 3). User name is the field before "Domain:".
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,528,Success Audit,
match=!ADMINISTRATOR
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Domain:.*Logon Type:\s*2
log=event:Windows-Successful_Logon type:login sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-528

NEXT
id=3204
name=This Windows security event log indicates that successful interactive ADMINISTRATOR logon occurred.
# Note, example line fails to be matched for match=ADMINISTRATOR
# 3204: 528 Success Audit containing ADMINISTRATOR with "Logon Type: 2";
# [^0-9]{1,7} tolerates up to seven non-digit characters before the "2",
# unlike rule 3203's \s*.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,528,Success Audit,
match=AT
match=RA
match=ADMINISTRATOR
match=IN
match=ST
match=TR
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Domain:.*Logon Type:[^0-9]{1,7}2
log=event:Windows-Successful_Administrator_Logon type:login sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-528

NEXT
id=3205
name=This Windows security event log indicates that a successful logoff occurred.
# 3205: 538 Success Audit; no user capture.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,538,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Successful_Logoff sensor:$1 type:logout dstip:$2 event2:WindowsEvent-538

NEXT
id=3206
name=This Windows security event log indicates that a pre-authentication login attempt failed.
# 3206: 675 Failure Audit on lines without a "User Name" field
# (match=!User Name); "Client Address" is emitted as srcip.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=!User Name
match=,Security,675,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Client Address:\s*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Pre-Authentication_Failed type:login-failure sensor:$1 dstip:$2 srcip:$3 event2:WindowsEvent-675

NEXT
id=3207
name=This Windows security event log indicates that special privileges have been assigned.
# 3207: 576 Success Audit whose "User Name:" field is empty (only
# whitespace before "Domain:"); rule 3249 handles 576 with a user name.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,576,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s+Domain:
log=event:Windows-Special_Privileges_Assigned type:system sensor:$1 dstip:$2 event2:WindowsEvent-576

NEXT
id=3208
name=This Windows security event log indicates that a service ticket has been granted.
# 3208: 673 Success Audit; "Client Address" captured as $3.
# NOTE(review): log= emits srcip:$2 dstip:$3, the reverse of every other
# "Client Address" rule in this file (3206, 3218, 3219, 3220, 3263), which
# emit dstip:$2 srcip:$3. This looks like a transposition -- confirm with a
# sample 673 line before correcting.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,673,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Client Address:\s*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Service_Ticket_Granted type:system sensor:$1 srcip:$2 dstip:$3 event2:WindowsEvent-673

NEXT
id=3209
name=This Windows security event log indicates that an account was used for a login.
# 3209: 680 Success Audit of the "Account Name:" / "Workstation:" form
# (rule 3200 handles the "Logon account:" form).
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,680,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Account Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Workstation:
log=event:Windows-Account_Used_For_Login sensor:$1 dstip:$2 user:$3 type:login event2:WindowsEvent-680

NEXT
id=3210
name=This Windows security event log indicates that an authentication ticket has been granted.
# 3210: 672 Success Audit; user name is the field before "Supplied".
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,672,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Supplied
log=event:Windows-Authentication_Ticket_Granted type:system sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-672

NEXT
id=3211
name=This Windows security event log indicates that a handle was closed.
# 3211: 562 Success Audit; no further fields captured.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,562,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Handle_Closed type:system sensor:$1 dstip:$2 event2:WindowsEvent-562

NEXT
id=3212
name=This Windows security event log indicates that a trusted logon process occurred.
# 3212: 515 Success Audit.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,515,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Trusted_Logon_Process type:login sensor:$1 dstip:$2 event2:WindowsEvent-515

NEXT
id=3214
name=This Windows security event log indicates that a privileged service was called.
# 3214: 577 Success Audit.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,577,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Privileged_Service_Called type:system sensor:$1 dstip:$2 event2:WindowsEvent-577

NEXT
id=3216
name=This Windows security event log indicates that the Kerberos policy has changed.
# 3216: 617 Success Audit.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,617,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Kerberos_Policy_Changed type:system sensor:$1 dstip:$2 event2:WindowsEvent-617

NEXT
id=3217
name=This Windows security event log indicates that a security enabled global group member has changed.
# 3217: 633 Success Audit.
# NOTE(review): rule 3245 also accepts ",Security,63" lines that mention
# "Security Enabled Global Group" (event2 631_634), so a 633 line can
# satisfy both rules; which one wins depends on rule-engine ordering.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,633,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Security_Enabled_Global_Group_Member type:system sensor:$1 dstip:$2 event2:WindowsEvent-633

NEXT
id=3218
name=This Windows security event log indicates that a ticket previously granted has been renewed.
# 3218: 674 Success Audit; "Client Address" emitted as srcip.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,674,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Client Address:\s*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Ticket_Granted_Renewed type:system sensor:$1 dstip:$2 srcip:$3 event2:WindowsEvent-674

NEXT
id=3219
name=This Windows security event log indicates that an authentication ticket request has failed.
# 3219: 676 Failure Audit; "Client Address" emitted as srcip.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,676,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Client Address:\s*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Authentication_Ticket_Request_Failed type:login-failure sensor:$1 dstip:$2 srcip:$3 event2:WindowsEvent-676

NEXT
id=3220
name=This Windows security event log indicates that a service ticket request failed.
# 3220: 677 Failure Audit; "Client Address" emitted as srcip.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,677,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Client Address:\s*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Service_Ticket_Request_Failed type:login-failure sensor:$1 dstip:$2 srcip:$3 event2:WindowsEvent-677

NEXT
id=3222
name=This Windows security event log indicates that a logon failed. In Windows Server 2003, Microsoft eliminated event ID 681 and instead uses event ID 680 for both successful and failed authentication attempts.
# 3222: 681 Failure Audit; no user or client-address capture (the 680
# failure forms are split by error code in rules 3274-3282).
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,681,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Account_Logon_Failed type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-681

NEXT
id=3223
name=This Windows security event log indicates that a successful network logon has occurred.
# note - ID 3294 handles the case when there is a user name provided in a 540 event login
# 3223: 540 Success Audit with a "User Name:" field and a numeric
# "Source Network Address" (emitted as srcip); the user name itself is not
# captured here -- see the note above on rule 3294, which is outside this
# part of the file. Rule 3260 covers 540 lines whose Source Network
# Address is "-".
match=ser
match=User Name:
match=User
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,540,Success Audit,
match=Lo
match=Successful Network Logon:
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Source Network Address:\s*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Successful_Network_Login type:login sensor:$1 dstip:$2 srcip:$3 event2:WindowsEvent-540

NEXT
id=3224
name=This Windows security event log indicates that a password reset attempt has failed.
# 3224: 627 Success Audit.
# NOTE(review): the rule filters on ",Success Audit," yet its name and the
# emitted event (Windows-User_Password_Set_Failed) describe a failure; one
# of the two is presumably wrong -- confirm against captured 627 lines.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,627,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-User_Password_Set_Failed type:system sensor:$1 dstip:$2 event2:WindowsEvent-627

NEXT
id=3225
name=This Windows security event log indicates that a successful network logon has occurred.
# 3225: 528 Success Audit with "Logon Type: 3"; \s+ requires at least one
# whitespace character before the "3", whereas rule 3203 accepts none
# (\s*) before its "2".
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,528,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Domain.*Logon Type:\s+3
log=event:Windows-Successful_Network_Login type:login sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-528

NEXT
id=3226
name=This Windows security event log indicates that an IP address conflict exists.
# 3226: matches the "Windows - System Error" conflict text rather than a
# Security audit line; there is no regex, so no sensor/ip fields are
# emitted.
match=IP
match=tem
match=ystem
match=indo
match=Windows
match=rr
match=ss
match=Windows - System Error : There is an IP address conflict with another system on the network
log=event:Windows-IP_Conflict type:error

NEXT
id=3227
name=This Windows security event log indicates that a time change has occurred.
# 3227: 520 Success Audit.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,520,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Time_Change type:system sensor:$1 dstip:$2 event2:WindowsEvent-520

NEXT
id=3228
name=This Windows security event log indicates that a user account was deleted.
# 3228: 630 Success Audit; the deleted account's name is not captured
# (compare rules 3229/3230, which take the field before "Caller Domain:").
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,630,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-User_Account_Deleted type:system sensor:$1 dstip:$2 event2:WindowsEvent-630

NEXT
id=3229
name=This Windows security event log indicates that a user account has changed.
# 3229: 642 Success Audit; user is the field before "Caller Domain:".
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,642,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Caller Domain:
log=event:Windows-User_Account_Changed type:system sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-642

NEXT
id=3230
name=This Windows security event log indicates that a user account has been created.
# 3230: 624 Success Audit; same capture layout as rule 3229.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,624,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Caller Domain:
log=event:Windows-User_Account_Created type:system sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-624

NEXT
id=3231
name=This Windows security event log indicates that a user password has been set.
# 3231: 628 Success Audit; same capture layout as rule 3229.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,628,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Caller Domain:
log=event:Windows-User_Password_Set type:system sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-628

################
# AUDIT ISSUES #
################

NEXT
id=3232
name=This Windows security event log indicates that the audit policy has changed.
# 3232: 612 Success Audit.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,612,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Audit_Policy_Changed type:system sensor:$1 dstip:$2 event2:WindowsEvent-612

NEXT
id=3233
name=This Windows security event log indicates that the Audit log was cleared.
# 3233: 517 Success Audit. Uses shorter "Sec"/"Au" pre-filters than the
# other rules; the ",Security,517,Success Audit," match is what pins the
# event.
match=ecu
match=ty
match=Security
match=Sec
match=ce
match=Au
match=,Success Audit,
match=,Security,517,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Audit_Log_Cleared type:system sensor:$1 dstip:$2 event2:WindowsEvent-517

NEXT
id=3234
name=This Windows security event log indicates that a user account has been enabled.
# 3234: 626 Success Audit.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,626,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Account_Enabled type:system sensor:$1 dstip:$2 event2:WindowsEvent-626

NEXT
id=3236
name=This Windows security event log indicates that this account is disabled.
# 3236: 531 Failure Audit with a numeric "Source Network Address",
# emitted as srcip. Rule 3289 matches 531 Failure Audit without that
# requirement and emits a different event name
# (Windows-Login_Failed_Account_Disabled).
# NOTE(review): a single line can satisfy both rules; confirm the intended
# precedence so one 531 line does not produce two differently named events.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,531,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Source Network Address: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Account_Currently_Disabled sensor:$1 srcip:$3 dstip:$2 type:login-failure event2:WindowsEvent-531

NEXT
id=3238
name=This Windows security event log indicates that this user account is disabled.
# 3238: 629 Success Audit; "Target Account Name" with an optional
# DOMAIN\ prefix dropped by the non-capturing (?:\S+\\)? group.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,629,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Target Account Name:\s+(?:\S+\\)?([a-zA-Z0-9._-]+)
log=event:Windows-User_Account_Disabled sensor:$1 dstip:$2 user:$3 type:system event2:WindowsEvent-629

NEXT
id=3239
name=This Windows security event log indicates that the user password has expired.
# 3239: 2242 Failure Audit.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,2242,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-User_Passwd_Expired sensor:$1 dstip:$2 type:system event2:WindowsEvent-2242

NEXT
id=3240
name=This Windows security event log indicates that Windows account password expired.
# 3240: 535 Failure Audit; "Source Network Address" emitted as srcip.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,535,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Source Network Address: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Account_Passwd_Expired sensor:$1 dstip:$2 srcip:$3 type:system event2:WindowsEvent-535

NEXT
id=3241
name=This Windows security event log indicates that this account has expired.
# 3241: 1330 Failure Audit.
# NOTE(review): the emitted event name Windows-Account_Passwd_Expired is
# the same as rule 3240's, although this rule's name says the account
# (not its password) expired -- compare rule 3248's Windows-Account_Expired.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,1330,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Account_Passwd_Expired sensor:$1 dstip:$2 type:system event2:WindowsEvent-1330

NEXT
id=3242
name=This Windows security event log indicates that a user was granted access.
# 3242: 560 Success Audit lines not mentioning SeSecurityPrivilege
# (match=!SeSecurityPrivilege; rule 3265 takes the SeSecurityPrivilege
# case); user from the field before "Primary Domain:".
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,560,Success Audit,
match=!SeSecurityPrivilege
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Primary User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Primary Domain:
log=event:Windows-Successful_Access_Grant type:system sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-560

NEXT
id=3243
name=This Windows security event log indicates that the restore mode password for the domain has changed.
# 3243: 698 Success Audit.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,698,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Directoryservice_Restore_Mode_Password_Changed sensor:$1 dstip:$2 type:system event2:WindowsEvent-698

NEXT
id=3244
name=This Windows security event log indicates that an account name was changed.
# 3244: 685 Success Audit; filtered on ",685" rather than the
# ",Security,685,Success Audit," form the other rules use, so ",685" can
# also match other comma-delimited fields of a Success Audit line.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,685
match=,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Account_Name_Changed sensor:$1 dstip:$2 type:system event2:WindowsEvent-685

NEXT
id=3245
name=This Windows security event log indicates that a windows security enabled global group was changed.
# 3245: Success Audit lines containing ",Security,63" and "Security
# Enabled Global Group"; event2 names the 631_634 range.
# NOTE(review): unlike rule 3246 (regex 63[5-9]) and rule 3247
# (659|66[0-4]), nothing here pins the id to 631-634, so any 63x line
# mentioning a Security Enabled Global Group qualifies (including 633,
# which rule 3217 also handles).
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,63
match=lo
match=le
match=ed
match=,Security Enabled Global Group
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Security_Enabled_Global_Group_Changes type:system sensor:$1 dstip:$2 event2:WindowsEvent-631_634

NEXT
id=3246
name=This Windows security event log indicates that a windows security enabled local group has changed
# 3246: Success Audit 635-639 mentioning "Security Enabled Local Group";
# the regex pins the id range.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,63
match=Lo
match=le
match=ed
match=,Security Enabled Local Group
match=cal
regex=,Security,63[5-9],.*,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Security_Enabled_Local_Group_Changes type:system sensor:$1 dstip:$2 event2:WindowsEvent-635_639

NEXT
id=3247
name=This Windows security event log indicates that a Windows security enabled universal group has changed.
# 3247: Success Audit 659-664 mentioning "Security Enabled Universal
# Group"; here $1 is the event id, so sensor/dstip use $2/$3.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,6
match=le
match=ed
match=,Security Enabled Universal Group
regex=Security,(659|66[0-4]),.*,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Security_Enabled_Universal_Group_Changes type:system sensor:$2 dstip:$3 event2:WindowsEvent-659-660_664

NEXT
id=3248
name=This Windows security event log indicates that a user account has expired.
# 3248: 532 Failure Audit; "Source Network Address" emitted as srcip.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,532,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Source Network Address: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Account_Expired sensor:$1 dstip:$2 srcip:$3 type:login-failure event2:WindowsEvent-532

NEXT
id=3249
name=This Windows security event log indicates that a Windows special privileged login has occurred.
# 3249: 576 Success Audit with a user name before "Domain:" (rule 3207
# covers the empty-user-name form).
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,576,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Domain:
log=event:Windows-Special_Privilege_New_Logon sensor:$1 type:login dstip:$2 user:$3 event2:WindowsEvent-576

NEXT
id=3250
name=This Windows security event log indicates that a Windows logon failure because of an invalid logon type has occurred.
# 3250: 534 Failure Audit.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,534,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Logon_Failure_Invalid_Logon_Type type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-534

NEXT
id=3251
name=This Windows security event log indicates that an attempt to install a Windows service has failed.
# 3251: 601 lines of type "Security Audit".
# NOTE(review): every other rule in this file filters on ",Success Audit,"
# or ",Failure Audit,"; ",Security Audit," appears only here and in rule
# 3252 and looks like a typo that would keep both rules from ever firing,
# i.e. a silent detection gap for 601 and 530. Confirm against captured
# lines before changing the match strings.
match=ecu
match=ty
match=Security
match=Secur
match=,Security Audit,
match=,Security,601,Security Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Service_Installation_Attempt sensor:$1 dstip:$2 type:error event2:WindowsEvent-601

NEXT
id=3252
name=This Windows security event log indicates that a logon failure occurred.
# 3252: 530 lines of type "Security Audit" (see the note on rule 3251);
# "Source Network Address" emitted as srcip.
match=ecu
match=ty
match=Security
match=Secur
match=Security,530
match=,Security Audit,
match=,Security,530,Security Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Source Network Address: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Logon_Failure_Incorrect_Logon_Time sensor:$1 dstip:$2 srcip:$3 type:login-failure event2:WindowsEvent-530

NEXT
id=3253
name=This Windows security event log indicates that system access was granted.
# 3253: 621 Success Audit.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,621,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-System_Access_Grant type:system sensor:$1 dstip:$2 event2:WindowsEvent-621

NEXT
id=3254
name=This Windows security event log indicates that domain security policy change has occurred.
# 3254: 643 Success Audit.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,643,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Domain_Security_Policy_Change type:system sensor:$1 dstip:$2 event2:WindowsEvent-643

NEXT
id=3255
name=This Windows security event log indicates that a user account had a privilege change.
# 3255: 608 Success Audit.
# NOTE(review): the emitted event name spells "Priviledge"; it is left as
# is because downstream filters and reports may key on the exact string.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,608,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Account_Priviledge_Change sensor:$1 type:system dstip:$2 event2:WindowsEvent-608

NEXT
id=3256
name=This Windows security event log indicates that a new process was created.
# 3256: 592 Success Audit.
# NOTE(review): emits $2 as srcip, while the companion rule 3257 (593)
# emits the same capture as dstip -- confirm which is intended.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,592,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-New_Process_Created sensor:$1 srcip:$2 type:process event2:WindowsEvent-592

NEXT
id=3257
name=This Windows security event log indicates that Windows process exited
# 3257: 593 Success Audit; lines containing "actual log" are skipped
# (match=!actual log).
match=!actual log
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,593,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Process_Exited sensor:$1 dstip:$2 type:process event2:WindowsEvent-593

NEXT
id=3258
name=This Windows security event log indicates that this Windows host has shutdown.
# 3258: 513 Success Audit, reported as type:restart.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,513,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Host_Shutdown sensor:$1 dstip:$2 type:restart event2:WindowsEvent-513

NEXT
id=3260
name=This Windows security event log indicates that a successful network logon has occurred.
# 3260: 540 Success Audit whose "Source Network Address" is "-" (no
# address present); user captured from "User Name:". Rule 3223 covers
# the numeric-address form. Note "match=Success Audit," here lacks the
# leading comma the other rules use; harmless, but inconsistent.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=Success Audit,
match=,Security,540,Success Audit,
match=Lo
match=Successful Network Logon:
match=Source Network Address:
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*:\s+User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Domain:.*Source Network Address:\s*-
log=event:Windows-Successful_Network_Login sensor:$1 type:login dstip:$2 user:$3 event2:WindowsEvent-540

NEXT
id=3261
name=This Windows security event log indicates that a windows account has been locked out.
# 3261: 539 Failure Audit.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,539,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Account_Locked type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-539

NEXT
id=3262
name=This Windows security event log indicates that a Windows logon with credentials has occurred.
# 3262: 552 Success Audit; user captured from "User Name:".
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,552,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*:\s+User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Domain:
log=event:Windows-Logon_With_Credentials type:login sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-552

NEXT
id=3263
name=This Windows security event log indicates that a previous session has reconnected to this system.
# 3263: 682 Success Audit; "Client Address" emitted as srcip. Note the
# "match=Security," pre-filter carries a trailing comma, unlike the
# "match=Security" used elsewhere; harmless, but inconsistent.
match=ecu
match=ty
match=Security,
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,682,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Client Address:\s+([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Session_Reconnected type:system sensor:$1 dstip:$2 srcip:$3 event2:WindowsEvent-682

NEXT
id=3264
name=This Windows security event log indicates that a process was assigned a primary token.
# 3264: 600 Success Audit.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,600,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Process_Assigned_Primary_Token sensor:$1 type:system dstip:$2 event2:WindowsEvent-600

NEXT
id=3265
name=This Windows security event log indicates that a an object's privileges have changed.
# 3265: 560 Success Audit mentioning SeSecurityPrivilege (complement of
# rule 3242, which excludes it).
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,560,Success Audit,
match=le
match=SeSecurityPrivilege
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Privilege_Change type:system sensor:$1 dstip:$2 event2:WindowsEvent-560

NEXT
id=3266
name=This Windows security event log indicates that the directory replication agent is in operation.
# 3266: 836 Success Audit; rules 3266-3268 all emit
# Windows-Directory_Replication_Operation and differ only in event2.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,836,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Directory_Replication_Operation type:system sensor:$1 dstip:$2 event2:WindowsEvent-836

NEXT
id=3267
name=This Windows security event log indicates that the directory replication agent is in operation.
# 3267: 837 Success Audit (see rule 3266).
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,837,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Directory_Replication_Operation type:system sensor:$1 dstip:$2 event2:WindowsEvent-837

NEXT
id=3268
name=This Windows security event log indicates that the directory replication agent is in operation.
# 3268: 835 Success Audit (see rule 3266).
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,835,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Directory_Replication_Operation type:system sensor:$1 dstip:$2 event2:WindowsEvent-835

NEXT
id=3269
name=This Windows security event log indicates that a user had an error during logon.
# 3269: 537 Failure Audit with a numeric "Source Network Address"
# (lines with "Source Network Address: -" are skipped); emitted as srcip.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,537,Failure Audit,
match=!Source Network Address: -
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Source Network Address: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Logon-Error type:login-failure sensor:$1 dstip:$2 srcip:$3 event2:WindowsEvent-537

NEXT
id=3271
name=This Windows security event log indicates that the password policy checking API was called.
# 3271: 697 Success Audit.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,697,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Password_Checking type:system sensor:$1 dstip:$2 event2:WindowsEvent-697

NEXT
id=3272
name=This Windows security event log indicates that a new process has opened a network socket and is accepting traffic.
# 3272: 861 Failure Audit (rule 3288 is the Success Audit counterpart and
# emits a different event name).
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,861,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-New_Process_Accepting_Traffic type:system sensor:$1 dstip:$2 event2:WindowsEvent-861

NEXT
id=3274
name=The Windows security event log indicates that a login failure has occurred as a result of a bad password.
# 3274-3281: 680 Failure Audit split by the "Error Code:" value; the code
# meanings are listed in the file header. Rule 3282 is the catch-all for
# any code not handled here. None of these rules capture the account
# name, so the emitted event carries only the reporting host.
# 3274: error code 0xC000006A (password wrong).
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=,Security,680,Failure Audit,
match=ailure
match=rr
match=Error Code:
match=0xC000006A
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Login_Failure_Bad_Password type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-680

NEXT
id=3275
name=The Windows security event log indicates that a login failure has occurred as a result of a bad user account.
# 3275: error code 0xC0000064 (user name does not exist).
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,680,Failure Audit,
match=rr
match=Error Code:
match=0xC0000064
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Login_Failure_Bad_Account type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-680

NEXT
id=3276
name=The Windows security event log indicates that a login failure has occurred because the account was used during unauthorized hours.
# 3276: error code 0xC000006F (day-of-week / time-of-day restriction).
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,680,Failure Audit,
match=rr
match=Error Code:
match=0xC000006F
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Login_Failure_Restriction type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-680

NEXT
id=3277
name=The Windows security event log indicates that a login failure has occurred because the originating host is unauthorized to login to this server.
# 3277: error code 0xC0000070 (workstation restriction).
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,680,Failure Audit,
match=rr
match=Error Code:
match=0xC0000070
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Login_Failure_Illegal_Host type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-680

NEXT
id=3278
name=The Windows security event log indicates that a login failure has occurred with an expired password.
# 3278: error code 0xC0000071 (expired password).
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,680,Failure Audit,
match=rr
match=Error Code:
match=0xC0000071
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Login_Failure_Expired_Password type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-680

NEXT
id=3279
name=The Windows security event log indicates that a login failure has occurred to an account which has been locked by the system administrator.
# 3279: error code 0xC0000072.
# NOTE(review): the header table lists 0xC0000072 as "account is currently
# disabled", but this rule's name says "locked by the system administrator"
# and it emits Windows-Login_Failure_Account_Locked -- the same event rule
# 3281 emits for 0xC0000234 (locked out). Disabled and locked-out accounts
# are therefore indistinguishable downstream; confirm which is intended.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,680,Failure Audit,
match=rr
match=Error Code:
match=0xC0000072
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Login_Failure_Account_Locked type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-680

NEXT
id=3280
name=The Windows security event log indicates that a login failure has occurred to an account which has expired.
# 3280: error code 0xC0000193 (account expiration).
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,680,Failure Audit,
match=rr
match=Error Code:
match=0xC0000193
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Login_Failure_Account_Expired type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-680

NEXT
id=3281
name=The Windows security event log indicates that a login failure has occurred to an account which has been locked.
# Body of rule 3281 (id=/name= are on the previous source line): 680 Failure Audit with
# Error Code 0xC0000234 (user is currently locked out) -> login-failure.
# NOTE(review): rule 3279 emits this same event name for 0xC0000072 (disabled), so the two
# conditions are indistinguishable by event name.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,680,Failure Audit,
match=rr
match=Error Code:
match=0xC0000234
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Login_Failure_Account_Locked type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-680
NEXT

# Catch-all for 680 Failure Audit: every Error Code NOT claimed by 3274-3281 (negated match=!) lands
# here as a generic Windows-Login_Failure. Any new specific-code rule must also add its code to this
# exclusion list, otherwise the event fires twice.
id=3282
name=The Windows security event log indicates that a login failure has occurred.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,680,Failure Audit,
match=rr
match=Error Code:
match=!0xC000006A
match=!0xC0000064
match=!0xC000006F
match=!0xC0000070
match=!0xC0000071
match=!0xC0000072
match=!0xC0000234
match=!0xC0000193
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Login_Failure type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-680
NEXT

# 551 Success Audit: user-initiated logoff -> type:logout.
id=3283
name=The Windows security event indicates that a user has logged out of their Windows session.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,551,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Logout type:logout sensor:$1 dstip:$2 event2:WindowsEvent-551
NEXT

# 646 Success Audit: computer account changed -> type:system.
id=3285
name=The Windows security event indicates a computer account has changed.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,646,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Computer_Account_Changed type:system sensor:$1 dstip:$2 event2:WindowsEvent-646
NEXT

# 851 Success Audit: Windows Firewall application configuration changed; the match=/regex=/log=
# lines of this record continue on the next source line.
id=3286
name=The Windows security event indicates the windows firewall has changed.
# Body of rule 3286 (id=/name= are on the previous source line): 851 Success Audit ->
# Windows-Firewall_Application_Changed, type:system.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,851,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Firewall_Application_Changed type:system sensor:$1 dstip:$2 event2:WindowsEvent-851
NEXT

# 860 Success Audit: Windows Firewall application could not be started -> type:error
# (a host silently running without its firewall is worth alerting on, hence error rather than system).
id=3287
name=The Windows security indicates the windows firewall could not be started.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,860,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Firewall_Application_Could_Not_Be_Started type:error sensor:$1 dstip:$2 event2:WindowsEvent-860
NEXT

# 861 Success Audit: a process opened a listening socket -> Windows-Application_Listening_For_Traffic.
# The Failure Audit form of 861 is handled by the first record of this chunk.
id=3288
name=This Windows security event log indicates that a new process has opened a network socket and is accepting traffic.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,861,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Application_Listening_For_Traffic type:system sensor:$1 dstip:$2 event2:WindowsEvent-861
NEXT

# 531 Failure Audit: logon to a disabled account -> login-failure.
# Note the ",Failure Audit" prefilter here has no trailing comma, unlike the sibling rules.
id=3289
name=This Windows security event login failure, account is currently disabled.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit
match=ailure
match=,Security,531,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Login_Failed_Account_Disabled type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-531
NEXT

# 540 Success Audit, the variant with no source-address fields; the match=/regex=/log= lines of
# this record continue on the next source line.
id=3290
name=This Windows security event log indicates that a successful network login has occurred.
# Body of rule 3290 (id=/name= are on the previous source line): 540 Success Audit where neither
# "Source Address" nor "Source Network Address:" appears (negated match=!), so the login is recorded
# without a srcip. The 540 variants with a user name are rules 3294 and 3340.
match=!Source Address
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=Success Audit,
match=,Security,540,Success Audit,
match=!Source Network Address:
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Successful_Network_Login sensor:$1 type:login dstip:$2 event2:WindowsEvent-540
NEXT

# 577 Failure Audit: a privileged service call failed -> type:error.
id=3291
name=This Windows security event log indicates that a privileged service failed.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Security,577,Failure Audit
match=ailure
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Privileged_Service_Failed type:error sensor:$1 dstip:$2 event2:WindowsEvent-577
NEXT

# 615 Failure Audit: IPSec could not enumerate network interfaces -> type:error.
id=3292
name=This Windows security event log indicates that IPSec services failed to get a complete list of network interfaces.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Security,615,Failure Audit
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-IPsec_Failed type:error sensor:$1 dstip:$2 event2:WindowsEvent-615
NEXT

# 683 Success Audit: session disconnected. Third capture is the "Client Address" of the remote
# party, mapped to srcip:$3; the IP after the sensor name stays dstip:$2.
id=3293
name=This Windows security event log indicates that a session disconnected from a workstation.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Security,683,Success Audit
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Client Address:\s*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Session_Disconnect type:system sensor:$1 dstip:$2 srcip:$3 event2:WindowsEvent-683
NEXT

# 540 Success Audit with both a user name and a Source Network Address; the match=/regex=/log=
# lines of this record continue on the next source line.
id=3294
name=This Windows security event log indicates that a successful network logon has occurred.
# note - ID 3223 handles the case when there is no user name provided in a 540 event login
# Body of rule 3294 (id=/name= are on the previous source line): 540 Success Audit with a user
# name ($3, up to 25 chars, stopped by the following "Domain:") and a Source Network Address ($4 ->
# srcip). This is the fully attributed network-logon event; 3290 and 3340 cover the sparser shapes.
match=ser
match=User Name:
match=User
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,540,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*:\s+User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Domain:.*Source Network Address: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Successful_Network_Login type:login sensor:$1 dstip:$2 user:$3 srcip:$4 event2:WindowsEvent-540
NEXT

# 528 Success Audit with Logon Type 4 (batch / Scheduled Task) -> type:login.
# NOTE(review): the user capture here is followed by "\s+.*" instead of the "\s+Domain:" the other
# 528 rules use, so the lazy {1,25}? stops at the first whitespace and a user name containing a
# space is truncated; consider "\s+Domain:.*Logon Type:\s*4" for consistency with 3296-3299.
id=3295
name=This Windows security event log indicates that a successful batch logon occurred. When Windows executes a batched task, the Scheduled Task service creates a logon session for the task to run as the user account specified when the task was created.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,528,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+.*Logon Type:\s*4
log=event:Windows-Successful_Batch_Logon type:login sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-528
NEXT

# 528 Success Audit with Logon Type 5 (service start) -> type:login.
id=3296
name=This Windows security event log indicates that a successful service logon has occurred. Each service receives its own login session when they first start.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,528,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Domain:.*Logon Type:\s*5
log=event:Windows-Successful_Service_Logon type:login sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-528
NEXT

# 528 Success Audit with Logon Type 7 (workstation unlock); the match=/regex=/log= lines of this
# record continue on the next source line.
id=3297
name=This Windows security event log indicates that a user session was unlocked. This occurs when a screen saver or system has been unlocked after a previous login.
# Body of rule 3297 (id=/name= are on the previous source line): 528 Success Audit with
# Logon Type 7 (unlock) -> Windows-Successful_Unlock, type:login.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,528,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Domain:.*Logon Type:\s*7
log=event:Windows-Successful_Unlock type:login sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-528
NEXT

# 528 Success Audit with Logon Type 10 (remote interactive: RDP / Terminal Services / Remote
# Assistance) -> type:login. No srcip is captured here; the source of the remote session is not
# extracted from the 528 text.
id=3298
name=This Windows security event log indicates that a remote interactive session has logged into the computer such as through Remote Desktop, Terminal Services or Remote Assistance.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,528,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Domain:.*Logon Type:\s*10
log=event:Windows-Successful_Remote_Session_Login type:login sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-528
NEXT

# 528 Success Audit with Logon Type 11 (cached credentials, no domain controller reachable) ->
# type:login.
id=3299
name=This Windows security event log indicates that a remote user used their cache login to enter the domain. To facilitate mobile users, Windows systems will cache a hash of the credentials of previous interactive login sessions. If no domain controller is available, a system may still enter the domain by using these stored hashes.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,528,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Domain:.*Logon Type:\s*11
log=event:Windows-Successful_Cached_Login type:login sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-528
NEXT

# 514 Success Audit: authentication package loaded; the match=/regex=/log= lines of this record
# continue on the next source line.
id=3320
name=This Windows security event log indicates an authentication package has been loaded.
# Body of rule 3320 (id=/name= are on the previous source line): 514 Success Audit, anchored on the
# literal "An authentication package has been loaded" -> type:system. The set of packages the LSA
# loads should be stable on a managed host, so a new occurrence is worth reviewing.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,514,Success Audit,
match=,An authentication package has been loaded
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Authentication_Package_Loaded type:system sensor:$1 dstip:$2 event2:WindowsEvent-514
NEXT

# 806 Success Audit: per-user audit policy refreshed -> type:system.
id=3321
name=This Windows security event log indicates the user audit policy was refreshed.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,806,Success Audit,
match=,Per User Audit Policy was refreshed.
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-User_Audit_Policy_Refreshed type:system sensor:$1 dstip:$2 event2:WindowsEvent-806
NEXT

# 596 Failure Audit: backup of the data protection (DPAPI) master key failed -> type:system.
# The event name says "Failed_Audit_Of_Master_Key"; the name= text calls it a failed backup.
id=3322
name=This Windows security event log indicates a failed backup.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,596,Failure Audit,
match=,Backup of data protection master key.
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Failed_Audit_Of_Master_Key type:system sensor:$1 dstip:$2 event2:WindowsEvent-596
NEXT

#id=3324
#
# This ID is reserved for a user tracking login event.
# DO NOT USE IT OTHERWISE.
#
#NEXT

# 672 Failure Audit: Kerberos authentication ticket request not granted; user:$3 tolerates an
# "@REALM" suffix via the optional (?:@\S+)? group and stops at the following "Supp".
# NOTE(review): typed as system rather than login-failure, unlike the 680/529/531/533 failures;
# confirm that is intended, since a refused authentication ticket is the Kerberos form of a logon
# failure and would otherwise be missed by login-failure correlation.
id=3326
name=This Windows security event log indicates that an authentication ticket was not granted.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,672,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)(?:@\S+)?\s+Supp
log=event:Windows-Authentication_Ticket_Not_Granted type:system sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-672
NEXT

# 528 Success Audit with Logon Type 9 (RunAs with alternate credentials); the match=/regex=/log=
# lines of this record continue on the next source line.
id=3327
name=This Windows security event log indicates that a successful RunAs command was invoked. This means that an authenticated user has launched another program with different credentials.
# Body of rule 3327 (id=/name= are on the previous source line): 528 Success Audit with
# Logon Type 9 (RunAs) -> Windows-Successful_RunAs_Command, type:login.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,528,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Domain:.*Logon Type:\s*9
log=event:Windows-Successful_RunAs_Command type:login sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-528
NEXT

# 644 Success Audit: account locked out; user:$3 is the locked account (captured up to "Caller").
id=3328
name=This Windows security event indicates that an account has been locked.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,644,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Caller
log=event:Windows-Account_Locked type:system sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-644
NEXT

# 850 Success Audit: Windows Firewall port exception listed at startup; dstport:$3 comes from the
# "Port number:" field.
id=3329
name=This Windows security event indicates a port was listed as an exception when the Windows Firewall started.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,850,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Port number: ([0-9]+)
log=event:Windows-Port_Exception type:system sensor:$1 dstip:$2 dstport:$3 event2:WindowsEvent-850
NEXT

# 602 Success Audit: scheduled task created or modified -> type:system.
id=3330
name=This Windows security event indicates a task has been created or modified.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,602,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Task_Created_Or_Modified type:system sensor:$1 dstip:$2 event2:WindowsEvent-602
NEXT

# 533 Failure Audit: user not permitted to log on at this computer; the match=/regex=/log= lines of
# this record continue on the next source line.
id=3331
name=This Windows security event log indicates that this user is not allowed to logon to this computer.
# Body of rule 3331 (id=/name= are on the previous source line): 533 Failure Audit ->
# Windows-User_Not_Allowed_Login, type:login-failure.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,533,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-User_Not_Allowed_Login sensor:$1 dstip:$2 type:login-failure event2:WindowsEvent-533
NEXT

# 536 Failure Audit: Netlogon component not active -> type:login-failure.
# NOTE(review): "componet" in name= is a typo for "component"; left untouched because name= is
# rule data rather than a comment.
id=3332
name=This Windows security event log indicates that the Netlogon componet is not active.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,536,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Netlogon_Not_Active sensor:$1 dstip:$2 type:login-failure event2:WindowsEvent-536
NEXT

# 516 Success Audit: audit-message queue exhausted, some audits lost -> type:error. A gap in the
# audit trail is itself a finding, which is why a "Success Audit" record is typed as an error.
id=3333
name=This Windows security event log indicates that internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,516,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Audit_Failure sensor:$1 dstip:$2 type:error event2:WindowsEvent-516
NEXT

# 521: unable to write to the security log -> type:error.
# NOTE(review): the "match=Security,521" prefilter lacks the leading comma and ",Success Audit,"
# suffix the sibling rules use, so it anchors more loosely than they do; confirm this is deliberate.
id=3334
name=This Windows security event log indicates that it is unable to log events to the security log.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=Security,521
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Unable_To_Log_Events sensor:$1 dstip:$2 type:error event2:WindowsEvent-521
NEXT

# 609 Success Audit: a user right was removed -> type:system.
id=3335
name=This Windows security event log indicates that a users rights were removed.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,609,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-User_Account_Privilege_Removed sensor:$1 dstip:$2 type:system event2:WindowsEvent-609
NEXT

# 622 Success Audit: system security access removed; the match=/regex=/log= lines of this record
# continue on the next source line.
id=3336
name=This Windows security event log indicates that system security access was removed.
# Body of rule 3336 (id=/name= are on the previous source line): 622 Success Audit ->
# Windows-System_Security_Access_Removed, type:system.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,622,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-System_Security_Access_Removed sensor:$1 dstip:$2 type:system event2:WindowsEvent-622
NEXT

# 673 Failure Audit: Kerberos service ticket request failed -> type:access-denied; user:$3 tolerates
# an "@REALM" suffix.
# NOTE(review): two inconsistencies here. (1) name= says a service ticket "has been granted", but
# the rule keys on Failure Audit and emits ..._Request_Fail. (2) The capture mapping is the reverse
# of rule 3293: here the IP after the sensor is srcip:$2 and "Client Address" is dstip:$4, whereas
# 3293 maps the post-sensor IP to dstip and Client Address to srcip. The post-sensor IP is the
# same field in both rules, so one of the two mappings is backwards; confirm with sample events
# before relying on src/dst for these events in correlation.
id=3337
name=This Windows security event log indicates that a service ticket has been granted.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,673,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)(?:@\S+)?\s+User Domain.*Client Address:\s*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Service_Ticket_Request_Fail type:access-denied sensor:$1 srcip:$2 user:$3 dstip:$4 event2:WindowsEvent-673
NEXT

# 675 Failure Audit: Kerberos pre-authentication failed -> type:login-failure.
id=3338
name=This Windows security event log indicates that a pre-authentication login attempt failed.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,675,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Pre-Authentication_Failed type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-675
NEXT

# 684 Success Audit: ACL set on members of the administrators group; user:$3 (captured up to
# "Caller Domain:"). The long run of two- and three-letter prefilters (in, Lo, get, ar, Do, le, ...)
# presumably predates the ",Security,684,Success Audit," anchor and adds little selectivity --
# harmless as far as can be seen here, but a candidate for pruning.
id=3339
name=This Windows security event log indicates that an access control list was set for members of the administrators group.
match=Security
match=Secur
match=in
match=User Name:
match=Logon
match=Lo
match=get
match=ar
match=Do
match=omain
match=User
match=ser
match=ce
match=le
match=ecu
match=ty
match=ss
match=Success Audit
match=,Success Audit,
match=,Security,684,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Caller Domain:
log=event:Windows-Admin_ACLs_Set type:system sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-684
NEXT

# 540 Success Audit with a user name but no Source Network Address; the match=/regex=/log= lines of
# this record continue on the next source line.
id=3340
name=This Windows security event log indicates that a successful network logon has occurred.
# note - ID 3223 handles the case when there is no user name provided in a 540 event login
# note - ID 3294 handles the case when there is a user name provided in a 540 event login
# note - ID 3340 handles the case when there is a user name provided, but no Source Network Address
# Body of rule 3340 (id=/name= are on the previous source line): 540 Success Audit with user:$3
# but no srcip; emits the same Windows-Successful_Network_Login event as 3290 and 3294.
# NOTE(review): unlike 3290 this rule carries no "match=!Source Network Address:"; the distinction
# rests on the regex requiring "Caller Domain:" after the user name. Confirm that string really
# appears in the no-source-address form of 540, otherwise such events may be double-matched with
# 3294 or missed entirely.
match=ser
match=User Name:
match=User
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,540,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Caller Domain:
log=event:Windows-Successful_Network_Login type:login sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-540
NEXT

# 628 Failure Audit: user password set, but the operation audited as a failure -> type:system.
# NOTE(review): this is the only failure rule in the chunk whose prefilters use "ss" rather than
# "ail"/"ailure"; it matches only if the event text happens to contain "ss" (presumably via
# "password" -- confirm), which is fragile. "match=ail" would align it with the sibling rules.
id=3341
name=This Windows security event log indicates that a user password has been set, but an audit failure has occurred.
match=ecu
match=ty
match=Security
match=Secur
match=ss
match=,Failure Audit,
match=,Security,628,Failure Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Caller Domain:
log=event:Windows-User_Password_Set_Failed_Audit type:system sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-628
NEXT

# 671 Success Audit: user account unlocked; user:$3 -> type:system.
id=3342
name=This Windows security event log indicates a user account was unlocked.
match=ecu
match=ty
match=Security
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,671,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User Name:\s*([A-Za-z0-9$!_ .-]{1,25}?)\s+Caller Domain:
log=event:Windows-User_Account_Unlocked type:system sensor:$1 dstip:$2 user:$3 event2:WindowsEvent-671
NEXT

# 537 Failure Audit (logon error), the variant whose Source Network Address is the literal "-";
# the match=/regex=/log= lines of this record continue on the next source line.
id=3343
name=This Windows security event log indicates that a user had an error during logon.
# Body of rule 3343 (id=/name= are on the previous source line): 537 Failure Audit carrying the
# literal "Source Network Address: -" (no source recorded) -> Windows-Logon-Error, login-failure.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,537,Failure Audit,
match=Source Network Address: -
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Logon-Error type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-537
NEXT

# 537 Failure Audit with no "Source Network Address:" field at all; same event as 3343.
# NOTE(review): the event name uses a hyphen (Logon-Error) where every other event in this chunk
# uses underscores, and related conditions are spelled "Login_Failure" (3282) and "Logon_Failure"
# (23354). Three spellings for one concept make dashboards and correlation rules harder to write;
# renaming is a consumer-visible change, so it is flagged rather than applied here.
id=3344
name=This Windows security event log indicates that a user had an error during logon.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,537,Failure Audit,
match=!Source Network Address:
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Logon-Error type:login-failure sensor:$1 dstip:$2 event2:WindowsEvent-537
NEXT

# 678 Success Audit: account mapping attempted -> type:system.
id=3345
name=This Windows security event log indicates mapping was attempted.
match=ecu
match=ty
match=Security
match=Secur
match=,Success Audit,
match=ss
match=,Security,678,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Mapping_Attempted type:system sensor:$1 dstip:$2 event2:WindowsEvent-678
NEXT

# 682 Success Audit: a previous session reconnected, only when no "Client Address" is present.
# NOTE(review): from this rule through 23354 the IP that follows the sensor name is mapped to
# srcip:$2, while every earlier rule in this chunk except 3337 maps that same capture to dstip:$2.
# It is the same field in every rule, so one of the two conventions is wrong; confirm against the
# LCE client output before trusting srcip/dstip on these events (also applies to 3347-3349 and
# 23350-23354).
id=3346
name=This Windows security event log indicates that a previous session has reconnected to this system.
match=!Client Address
match=ecu
match=ty
match=Security,
match=Secur
match=ce
match=ss
match=,Success Audit,
match=,Security,682,Success Audit,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Session_Reconnected type:system sensor:$1 srcip:$2 event2:WindowsEvent-682
NEXT

# 656: member removed from a security-enabled global group -> type:system. The prefilter is just
# "Audit" with no Success/Failure qualifier, so (unlike the rules above) both outcomes match --
# confirm that is intended.
id=3347
name=This Windows security event log indicates that a Global Group Member has been removed. Member may be a user, computer or another group.
match=ecu
match=ty
match=Security,
match=Secur
match=ce
match=Audit
match=,Security,656,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Global_Group_Member_Removed type:system sensor:$1 srcip:$2 event2:WindowsEvent-656
NEXT

# 645: new computer account created; the match=/regex=/log= lines of this record continue on the
# next source line.
id=3348
name=This Windows security event log indicates that a new computer account has been created.
# Body of rule 3348 (id=/name= are on the previous source line): 645 (any audit outcome) ->
# Windows-New_Computer_Account_Created, type:system. As in the neighbouring rules the post-sensor
# IP is labelled srcip:$2 here, unlike the dstip:$2 used by most of the file.
match=ecu
match=ty
match=Security,
match=Secur
match=ce
match=Audit
match=,Security,645,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-New_Computer_Account_Created type:system sensor:$1 srcip:$2 event2:WindowsEvent-645
NEXT

# 641: security-enabled global group changed -> type:system.
id=3349
name=This Windows security event log indicates that a security enabled global group has changed.
match=ecu
match=ty
match=Security,
match=Secur
match=ce
match=Audit
match=,Security,641,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Global_Group_Changed type:system sensor:$1 srcip:$2 event2:WindowsEvent-641
NEXT

# 620: trusted domain information modified -> type:system. Rule ids jump from 3349 to 23350 here;
# presumably a separate id range was allocated for these later additions (no functional effect).
id=23350
name=This Windows security event log indicates that some trusted domain information has been modified.
match=ecu
match=ty
match=Security,
match=Secur
match=ce
match=Audit
match=,Security,620,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Trusted_Domain_Information_Modified type:system sensor:$1 srcip:$2 event2:WindowsEvent-620
NEXT

# 668: group type changed -> type:system.
id=23351
name=This Windows security event log indicates that a group type has changed.
match=ecu
match=ty
match=Security,
match=Secur
match=ce
match=Audit
match=,Security,668,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Group_Type_Changed type:system sensor:$1 srcip:$2 event2:WindowsEvent-668
NEXT

# 512: Windows started -> type:system (useful for spotting unexpected reboots of monitored hosts).
id=23352
name=This Windows security event log indicates that windows has started.
match=ecu
match=ty
match=Security,
match=Secur
match=ce
match=Audit
match=,Security,512,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Started type:system sensor:$1 srcip:$2 event2:WindowsEvent-512
NEXT

# 658: security-enabled universal group created; the match=/regex=/log= lines of this record
# continue on the next source line.
id=23353
name=This Windows security event log indicates that a security enabled universal group was created.
# Body of rule 23353 (id=/name= are on the previous source line): 658 (any audit outcome) ->
# Windows-Universal_Group_Created, type:system.
match=ecu
match=ty
match=Security,
match=Secur
match=ce
match=Audit
match=,Security,658,
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Windows-Universal_Group_Created type:system sensor:$1 srcip:$2 event2:WindowsEvent-658
NEXT

# 529 Failure Audit (logon failure) where the User Name field is empty -- the regex requires
# "User Name:" followed only by whitespace and then "Domain" -- and the event does not mention
# ADMINISTRATOR. Emits Windows-Logon_Failure (compare "Login_Failure" from 3282 and "Logon-Error"
# from 3343/3344). This is the last record visible in the chunk and has no NEXT terminator,
# presumably because it is the end of the file.
id=23354
name=This Windows security event log indicates that login failure has occurred.
match=ecu
match=ty
match=Security
match=Secur
match=ail
match=,Failure Audit,
match=ailure
match=,Security,529,Failure Audit,
match=!ADMINISTRATOR
regex=,([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* User Name:\s+Domain
log=event:Windows-Logon_Failure type:login-failure sensor:$1 srcip:$2 event2:WindowsEvent-529