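---
# Parser for lines delivered by the Windows Event Log acquisition
# (evt.Line.Module == 'wineventlog'). Each line carries the raw event XML
# in evt.Line.Raw; the statics below copy fields from its <System> block
# into parsed/meta fields for the next stage.
filter: "evt.Line.Module == 'wineventlog'"
onsuccess: next_stage
name: crowdsecurity/windows-eventlog
statics:
  # Origin of the line, kept as meta for later enrichment/alerting.
  - meta: datasource_path
    expression: evt.Line.Src
  - meta: datasource_type
    expression: evt.Line.Module
  # Event time comes from the event's own TimeCreated/@SystemTime, i.e. the
  # timestamp recorded in the log, not the time CrowdSec read the line.
  - target: evt.StrTime
    expression: XMLGetAttributeValue(evt.Line.Raw, "/Event/System[1]/TimeCreated", "SystemTime")
  # Log channel the event was written to.
  - parsed: Channel
    expression: XMLGetNodeValue(evt.Line.Raw, "/Event/System[1]/Channel")
  # Numeric event identifier.
  - parsed: EventID
    expression: XMLGetNodeValue(evt.Line.Raw, "/Event/System[1]/EventID")
  # Provider (source) name, read from the Name attribute of <Provider>.
  - parsed: Source
    expression: XMLGetAttributeValue(evt.Line.Raw, "/Event/System[1]/Provider", "Name")
  # Host that recorded the event.
  - parsed: Computer
    expression: XMLGetNodeValue(evt.Line.Raw, "/Event/System[1]/Computer")
  # SID from <Security UserID="...">. Not every event carries this
  # attribute; what XMLGetAttributeValue yields when it is missing is not
  # visible here (TODO confirm), so downstream parsers should not assume
  # UserSID is populated.
  - parsed: UserSID
    expression: XMLGetAttributeValue(evt.Line.Raw, "/Event/System[1]/Security", "UserID")
  # The `type` label set on the acquisition, exposed as program.
  - parsed: program
    expression: evt.Line.Labels.type
---
# Fallback for lines that did not come from the Event Log module: there is
# no event XML to walk, so the raw line is passed through as message and
# only the acquisition metadata is attached.
filter: "evt.Line.Module != 'wineventlog'"
onsuccess: next_stage
name: crowdsecurity/windows-non-eventlog
statics:
  - parsed: message
    expression: evt.Line.Raw
  - parsed: program
    expression: evt.Line.Labels.type
  - meta: datasource_path
    expression: evt.Line.Src
  - meta: datasource_type
    expression: evt.Line.Module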
37
38