windows-auth Configuration

« windows-auth »
v0.3 by crowdsecurity
Log parser

Parse windows authentication failure events (id 4625)

Installation

cscli parsers install crowdsecurity/windows-auth

Description

A parser for windows auth events read from the events log.

Only accepts events with from the Security channel with ID 4625.

YAML Configuration

1onsuccess: next_stage
2#debug: true
3filter: "evt.Parsed.Channel == 'Security' && evt.Parsed.EventID == '4625'"
4name: crowdsecurity/windows-auth
5description: "Parse windows authentication failure events (id 4625)"
6statics:
7    - meta: source_ip
8      expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='IpAddress']")
9    - meta: username
10      expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='TargetUserName']")
11    - meta: status
12      expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='Status']")
13    - meta: sub_status
14      expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='SubStatus']")
15    - meta: logon_type
16      expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='LogonType']")
17    - meta: log_type
18      value: windows_failed_auth

Hub configuration

« windows-auth »v0.3 by crowdsecurityLog parser

« windows-auth »
v0.3 by crowdsecurity
Log parser