Microsoft Windows

Use the JSA Custom Properties for Microsoft Windows Content Extension to expand JSA searches and reports by normalizing specific event data from a log source. You can also make important data more visible in rules, searches, and reports.

Note: This content extension does not install when the Parent Filename custom property is present from Cisco AMP V.1.0.0. Delete Parent Filename before you install this content extension.

JSA Custom Properties for Microsoft Windows Content Extension

JSA Custom Properties for Microsoft Windows Content Extension V1.0.5

The following table shows the custom event properties that are updated in JSA Custom Properties for Microsoft Windows Content Extension V1.0.5.

Table 1: Updated Custom Event Properties in JSA Custom Properties for Microsoft Windows Content Extension V1.0.5

GroupID
  Optimized: Yes; Capture Group: 1; Regex: Group ID[:\s\\=]*(\d+)

Parent Process Name
  Optimized: Yes; Capture Group: 1; Regex: Process Name.*\\(.*?)\s+Target Process
  Optimized: Yes; Capture Group: 1; Regex: Creator Process Name[:\s]+(?:.*\\)?(.*?)\s+Process Command Line

Parent Process Path
  Optimized: Yes; Capture Group: 1; Regex: Process Name[:\s\\=]+(.*?)\s+(?:Target Process|&&)
  Optimized: Yes; Capture Group: 1; Regex: Creator Process Name[:\s]+(.*?)\s+Process Command Line:


JSA Custom Properties for Microsoft Windows Content Extension V1.0.4

The following table shows the custom event properties that are new or updated in JSA Custom Properties for Microsoft Windows Content Extension V1.0.4.

Table 2: New or Updated Custom Event Properties in JSA Custom Properties for Microsoft Windows Content Extension V1.0.4

Access Mask
  Optimized: Yes; Capture Group: 1; Regex: Access Mask[:\s\\=]*\s+(0[^\s&]+)
  Note: The System.Information expression for this regex is disabled by default, as it can return many event matches and affect performance.

Accesses
  Optimized: Yes; Capture Group: 1; Regex: Accesses[:\s\\=]*(.*?)\s+(?:Access (?:Check Results|Mask|Reasons)|Properties|Privileges|&&|$)
  Optimized: Yes; Capture Group: 1; Regex: Operation Type[:\s\\=]*(.*?)(?:\s+Process Information|&&)
  Note: The System.Information expression for this regex is disabled by default, as it can return many event matches and affect performance.

Account Security ID
  Optimized: No; Capture Group: 1; Regex: User ID[:\s\\=]*(.*?)\s+(?:Service\s|&&)
  Optimized: No; Capture Group: 1; Regex: Subject:\s+?Security ID:\s+(.*?)\s+(?:Subject:|Account Name)
  Note: The Subject:\s+ ... regex is disabled by default, as it can return many event matches and affect performance.

Computer Name
  Optimized: No, No, No, No, No; Capture Group: 1, 1, 1, 1, 1
  Regex: Workstation Name[:\s\\=]+([^\s&]+)\s+Source
  Regex: Source Workstation[:\s\\=]+([^\s&]+)\s+Error
  Regex: Caller Computer Name[:\s\\=]+([^\s&]+)(?:\s\s|$)
  Regex: from the computer ([^\s]+)

Error Code
  Optimized: Yes; Capture Group: 1; Regex: Error Code[:\\\s=]*([^\s&]+)
  Optimized: Yes; Capture Group: 1; Regex: error status[:\\\s=]+([^\s&\.]+)
  Optimized: Yes; Capture Group: 1; Regex: Result Code[:\\\s=]*([^\s&]+)
  Optimized: Yes; Capture Group: 1; Regex: Error value[:\\\s=]+([^\s:&]+)
  Optimized: Yes; Capture Group: 1; Regex: Failure Code[:\\\s=]*([^\s&]+)
  Optimized: Yes; Capture Group: 1; Regex: Status[:\\\s=]*([^\s&]+)

EventID
  Optimized: Yes; Capture Group: 1; Regex: (?:EventID|EventIDCode|externalId)[:\s\\=]+(\d+)
  Optimized: Yes; Capture Group: 1; Regex: \d{1,2}\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+)
  Optimized: Yes; Capture Group: 1; Regex: LEEF:[0-9\.]+\|Microsoft\|Windows\|.+\|(\d+)\|

Extended Error Code
  Optimized: Yes; Capture Group: 1; Regex: Sub[\s,_]*Status[:\\\s=]+([^\s&]+)

Filename
  Optimized: Yes; Capture Group: 1; Regex: Object Type[:\s\\=]+File[\s\t]+Object Name[:\s\=]+.*?\\([^\\]*?)\s+(?:Handle ID|&&)
  Optimized: Yes; Capture Group: 1; Regex: Relative Target Name:\s.*\\(.*?)\s+Access Request Information:
  Optimized: Yes; Capture Group: 1; Regex: file:.*\\(.*?)\sowned\sby

File Directory
  Optimized: Yes; Capture Group: 1
  Regex: file:(.*?)\\[^\\]*?\s+owned\sby
  Regex: Relative Target Name:\s+(.*)\\.*?\s+Access Request Information:
  Regex: Object Type[:\s\\=]+File[\s\t]+Object Name[:\s\=]+(.*?)\\[^\\]*?\s+(?:Handle ID|&&)

File Extension
  Optimized: Yes; Capture Group: 1; Regex: Object Type[:\s\\=]+File[\s\t]+Object Name[:\s\=]+.*?\\.*?\.([^\\\.]*?)\s+(?:Handle ID|&&)
  Optimized: Yes; Capture Group: 1; Regex: Relative Target Name[:\s]*.*\\[^\.]*?\.(.*?)\s+Access Request Information:
  Optimized: Yes; Capture Group: 1; Regex: file:.*\\.*?\.(.*?)\sowned\sby

File Path
  Optimized: No; Capture Group: 1
  Regex: file:(.*?)\sowned\sby
  Regex: Object Type[:\s\\=]+File[\s\t]+Object Name[:\s\\=]+(.*?)\s+(?:Handle ID| &&)
  Regex: Relative Target Name:\s+(.*?)\s+Access Request Information:

Group Domain
  Optimized: No; Capture Group: 1; Regex: (?:Group Domain|Target Domain)[:=\s\\]+([^\s]+)
  Optimized: No; Capture Group: 1; Regex: Group[\s\:]+.*?Account Domain[\s\:\\=]+([^\s]+)
  Optimized: No; Capture Group: 1; Regex: (?:Group Domain|New Domain)[:=\s\\]+([^\s]+)

Group Name
  Optimized: Yes; Capture Group: 1; Regex: (?:Group Name|New Account Name)[:=\s\\]+(.*?)\s+(?:Group Domain|New Domain|Group:|&&)
  Optimized: Yes; Capture Group: 1; Regex: (?:Group Name|Target Account Name)[:=\s\\]+(.*?)\s+(?:Group Domain|Target Domain|Group:|&&)
  Optimized: Yes; Capture Group: 1; Regex: Group[\s\:]+.*?Account Name[\s\:\\=]+(.*?)\s+(?:Account Domain|&&)

Group Security ID
  Optimized: No; Capture Group: 1; Regex: Group[:\s]*Security ID[:=\s\\]+(.*?)\s+(?:Group Name|Group:|Account Name|&&)
  Optimized: No; Capture Group: 1; Regex: Group[:\s]*Security ID[:=\s\\]+(.*?)\s+(?:Group Name|Group:|&&)
  Optimized: No; Capture Group: 1; Regex: Target Account ID[:=\s\\]+(.*?)\s+(?:Caller User Name|&&)
  Optimized: No; Capture Group: 1; Regex: New Account ID[:\s\\=]+(.*?)(?:\s+Caller User Name|&&)

GroupID
  Optimized: No; Capture Group: 1; Regex: Group ID[:\s\\=]*(\d+)

Home Directory
  Optimized: No; Capture Group: 1; Regex: Home Directory[:\s]*(.*?)\s+Home Drive:

Initiator User Name
  Optimized: Yes; Capture Group: 1; Regex: Subject.*?Account Name[\:\\\=\s]+(.*?)\s+(?:Account Domain|&&)

Logon Type
  Optimized: Yes; Capture Group: 1; Regex: Logon Type[:\s\\=]+(\d+)

Message
  Optimized: No; Capture Group: 1; Regex: Message=(.+)

ObjectName
  Optimized: Yes; Capture Group: 1; Regex: Object Name[:\s\\=]+(.*?)\s+(?:Object Value Name|&&)
  Optimized: Yes; Capture Group: 1; Regex: Object Name[:\s\\=]+(.*?)\s+(?:Handle ID|&&)
  Note: The Success Audit event in the System.Information expression for this regex is disabled by default, as it can return many event matches and affect performance.

ObjectType
  Optimized: No; Capture Group: 1; Regex: Object Type[:\s\\=]*([^\s&]*)

Parent Process Name
  Optimized: No; Capture Group: 1; Regex: Process Name.*\\(.*?)\s+Target Process
  Optimized: No; Capture Group: 1; Regex: Creator Process Name[:\s]+(?:.*\\)?(.*?)\s+Process Command Line

Parent Process Path
  Optimized: No; Capture Group: 1; Regex: Process Name[:\s\\=]+(.*?)\s+(?:Target Process|&&)
  Optimized: No; Capture Group: 1; Regex: Creator Process Name[:\s]+(.*?)\s+Process Command Line:

Process CommandLine
  Optimized: Yes; Capture Group: 1; Regex: Process Command Line[:\s\\=]+(.*?)\s*(?:Token Elevation Type|\t|\s\s|&&)

Process Name
  Optimized: Yes; Capture Group: 1; Regex: Process Name[:\s\\=]+(?:.*\\)+(.*?)\s+(?:Network Information|\s|&&)
  Optimized: Yes; Capture Group: 1; Regex: New Process Name[:\s\\=]+.*?\\([^\\]*?)\s+(?:Token Elevation Type:|&&)
  Optimized: Yes; Capture Group: 1; Regex: Target Process Name.*\\(.*?)\s+(?:New Token Information|&&)
  Note: The System.Information expression for this regex is disabled by default, as it can return many event matches and affect performance.

Process Path
  Optimized: No, No, No; Capture Group: 1, 1, 1
  Regex: New Process Name[:\s\\=]*(.*?)\s+(?:Token Elevation Type:|&&)
  Regex: Caller Process Name[:\s\\=]+(.*?)\s+(?:Network Information|&&)

Record Number
  Optimized: No; Capture Group: 1; Regex: RecordNumber=(\d*)

Registry Key
  Optimized: Yes; Capture Group: 1; Regex: Object Name[:\s\\=]+\\REGISTRY\\USER\\.*?\\.*?(\\.*?)\s+(?:Object Value Name|&&)
  Optimized: Yes; Capture Group: 1; Regex: Object Type[:\s\\=]+Key.*?Object Name[:\s\\=]+\\REGISTRY\\USER\\.*?\\.*?(\\.*?)\s+(?:Handle ID|&&)
  Optimized: Yes; Capture Group: 1; Regex: Object Type[:\s\\=]+Key.*?Object Name[:\s\\=]+\\REGISTRY\\MACHINE(\\.*?)\s+(?:Handle ID|&&)
  Optimized: Yes; Capture Group: 1; Regex: Object Name[:\s\\=]+\\REGISTRY\\MACHINE(\\.*?)\s+(?:Object Value Name|&&)

Registry Value Data
  Optimized: Yes; Capture Group: 1; Regex: New Value[:\\=]\s+(.+)

Registry Value Name
  Optimized: Yes; Capture Group: 1; Regex: Object Value Name[:\s\\=]+(.*?)\s+(?:Handle ID|&&)

SAM Account Name
  Optimized: No; Capture Group: 1; Regex: S(?:AM|am) Account Name[:\s]*(.*?)\s+Display Name:

Scope
  Optimized: No; Capture Group: 1; Regex: Scope:\s(.*?)\s+(\d+|$)

Service Name
  Optimized: Yes; Capture Group: 1; Regex: Service Name[:\s\\=]*(.*?)\s+(?:Service ID:|&&)
  Optimized: Yes; Capture Group: 1; Regex: \\SYSTEM\\ControlSet\d*\\Services\\(.*?)\s+Object Value Name
  Optimized: Yes; Capture Group: 1; Regex: Service Name[\:\s\=\\]*(.*?)\s+(?:Service File Name:|&&)

Share Name
  Optimized: Yes; Capture Group: 1; Regex: Share Name[:\s].*?\\([^\\]*?)\s+Share Path:

Share Path
  Optimized: No; Capture Group: 1; Regex: Share Path[\:\s]*(.*)
  Optimized: No; Capture Group: 1; Regex: Share Path[\:\s]*(.*?)\s+Access Request Information:

Target Account Security ID
  Optimized: No; Capture Group: 1; Regex: New Logon.*?Security ID[:\s\\=]+(.*?)\s+(?:Account Name|&&)
  Optimized: No; Capture Group: 2; Regex: (Assigned\sTo|Removed\sFrom):\s+(.*?)\s+?(Assigned|Removed)\sBy:
  Optimized: No; Capture Group: 1; Regex: New Token Information[:\=\s\\]+Security ID[:\=\s\\]+(.*?)\s+(?:Account Name|&&|\s)
  Optimized: No; Capture Group: 1; Regex: Target Subject[:\s]*Security ID[:\s\\=]+(.*?)\s+(?:Account Name|&&)
  Optimized: No; Capture Group: 1; Regex: Member[\:\s]+(?:Security )?ID[\:\s\\=]+(.*?)\s+(?:(?:Target\s)?Account Name|&&)
  Optimized: No; Capture Group: 1; Regex: Target Account ID[:\s\\=]+(.*?)\s+(?:Caller Machine Name|&&)
  Optimized: No; Capture Group: 1; Regex: Target Account.*?ID[:\s\\=]+(.*?)\s+(?:Account Name|Account Domain|Caller User Name|&&)
  Optimized: No; Capture Group: 1; Regex: Target Account.*?ID[:\s\\=]+(.*?)\s+(?:Account Name|Caller User Name|&&)
  Optimized: No; Capture Group: 1; Regex: New Account.*?ID[:\s\\=]+(.*?)\s+(?:Account Name|Caller User Name|&&)
  Optimized: No; Capture Group: 1; Regex: Account That Was Locked Out[:\s]*Security ID[:\s\\=]+(.*?)\s+(?:Account Name|&&)
  Optimized: No; Capture Group: 1; Regex: Account For Which Logon Failed.*?Security ID[\:\\\=\s]+(.*?)\s+(?:Account Name|&&)

Target Computer Domain
  Optimized: No; Capture Group: 1; Regex: New Computer Account:.*Account Domain:\s(.*?)\s+Attributes:
  Optimized: No; Capture Group: 1; Regex: Computer Account That Was Changed:.*Account Domain:\s(.*?)\s+Changed Attributes:
  Optimized: No; Capture Group: 1; Regex: Target Computer:.*Account Domain:\s(.*?)\s+Additional Information:

Target Computer Name
  Optimized: No; Capture Group: 1; Regex: Target Computer:.*Account Name[:\s]*(.*?)\s+Account Domain:
  Optimized: No; Capture Group: 1; Regex: Computer Account That Was Changed:.*Account Name[:\s]*(.*?)\s+Account Domain:
  Optimized: No; Capture Group: 1; Regex: New Computer Account:.*Account Name[:\s]*(.*?)\s+Account Domain:

Target User Domain
  Optimized: No; Capture Group: 1; Regex: New Account.*?Account Domain[\:\\\=\s]+([^\s]+)
  Optimized: No; Capture Group: 1; Regex: Target Account.*?Domain[\:\\\=\s]+([^\s]+)
  Optimized: No; Capture Group: 1; Regex: Target Account.*?Account Domain[\:\\\=\s]+([^\s]+)
  Optimized: No; Capture Group: 1; Regex: New Domain[\:\\\=\s]+([^\s]+)
  Optimized: No; Capture Group: 1; Regex: Target.*?Domain[\:\\\=\s]+([^\s]+)
  Optimized: No; Capture Group: 1; Regex: Target.*?Domain[:\s\\=]+([^\s]+)
  Optimized: No; Capture Group: 1; Regex: Target Account ID[\:\\\=\s]+([^\s\\]+)(?:\\.*?)\s+Caller
  Optimized: No; Capture Group: 1; Regex: Target Domain[\:\\\=\s]+([^\s]+)
  Optimized: No; Capture Group: 1; Regex: Member[\:\s]+(?:Security )?ID[\:\s]+([^\s\\]*?)\\.*?\s+(?:Target\s)?Account Name
  Optimized: No; Capture Group: 1; Regex: New Logon:.*?Account Domain[\:\\\=\s]+([^\s]+)
  Optimized: No; Capture Group: 1; Regex: Account That Was Locked Out[\s\:]*Security ID[\:\\\=\s]+([^\s\\]+)(?:\\.*?)\s+Account Name
  Optimized: No; Capture Group: 1; Regex: Account For Which Logon Failed.*?Account Domain[\:\\\=\s]+([^\s]+)
  Optimized: No; Capture Group: 1; Regex: New Token Information:.*?Account Domain[\:\\\=\s]+([^\s]+)
  Optimized: No; Capture Group: 1; Regex: Target Subject.*?Account Domain[\:\\\=\s]+([^\s]+)
  Optimized: No; Capture Group: 1; Regex: dntdom=([^\s]+)

Target User Name
  Optimized: Yes; Capture Group: 1; Regex: Target Account.*?Name[\:\\\=\s]+(.*?)\s+(?:New Right:|Removed Right:|&&|\s)
  Optimized: Yes; Capture Group: 1; Regex: Member[\:\s]+(?:Security )?ID[\:\s]+(?:[^\s\\]*?)\\(.*?)\s+(?:Target\s)?Account Name
  Optimized: Yes; Capture Group: 1; Regex: Whose Credentials Were Used:.*?Name:[\:\\\=\s]+(.*?)\s+(?:Account Domain|Target Domain:|&&)
  Optimized: Yes; Capture Group: 1; Regex: Account That Was Locked Out.*?Account Name[\:\\\=\s]+(.*?)\s+(?:Additional Information|&&)
  Optimized: Yes; Capture Group: 1; Regex: Target Account Name[\:\\\=\s]+(.*?)\s+(?:Account Domain:|Target Domain:|&&)
  Optimized: Yes; Capture Group: 1; Regex: Target Account.*?Name[\:\\\=\s]+(.*?)\s+(?:Account Domain:|Target Domain:|&&)
  Optimized: Yes; Capture Group: 1; Regex: Account For Which Logon Failed.*?Account Name[\:\\\=\s]+(.*?)\s+(?:Account Domain|&&)
  Optimized: Yes; Capture Group: 1; Regex: Target Account.*?Account Name[\:\\\=\s]+(.*?)\s+(?:Account Domain|&&|\s)
  Optimized: Yes; Capture Group: 1; Regex: Target Account Name[\:\\\=\s]+(.*?)\s+(?:Target Account ID:|&&)
  Optimized: Yes; Capture Group: 1; Regex: duser=([^&]*?)\s+duid
  Optimized: Yes; Capture Group: 1; Regex: New Account Name[:\s]*(.*?)\s*(?:Additional Information:|&&)
  Optimized: Yes; Capture Group: 1; Regex: Target Subject.*?Account Name[\:\\\=\s]+(.*?)\s+(?:Account Domain|&&)
  Optimized: Yes; Capture Group: 1; Regex: New Account.*?Name[\:\\\=\s]+(.*?)\s+(?:Account Domain:|New Domain:|&&)
  Optimized: Yes; Capture Group: 1; Regex: New Token Information:.*?Account Name[\:\\\=\s]+(.*?)\s+(?:Account Domain:|&&)
  Optimized: Yes; Capture Group: 1; Regex: Target User Name[:\s\\=]*(.*?)\s*(?:Target Domain:|&&)
  Optimized: Yes; Capture Group: 1; Regex: New Logon.*?Name:[\:\\\=\s]+(.*?)\s+(?:Account Domain|Target Domain:|&&)

TaskName
  Optimized: No; Capture Group: 1; Regex: Task Name[\:\s\\=]*\\(.*?)\s+(?:Task Content:|&&)
  Optimized: No; Capture Group: 1; Regex: Task Name[\:\s\\=]*\\(.*?)\s+(?:Task New Content:|&&)

Ticket Encryption Type
  Optimized: Yes; Capture Group: 1; Regex: Ticket Encryption Type[\s:\\=]*(0[xX][0-9a-fA-F]+)

User Domain
  Optimized: No; Capture Group: 1; Regex: Account Information:.*?Account Domain[\:\\\=\s]+([^\s]+)
  Optimized: No; Capture Group: 1; Regex: Supplied Realm Name[:\s]+([^\s]+)
  Optimized: No; Capture Group: 1; Regex: Caller Domain:\s+([^\s]+)
  Optimized: No; Capture Group: 1; Regex: Subject.*?Domain[\:\\\=\s]{2,}([^\s]+)
  Optimized: No; Capture Group: 1; Regex: User domain:\s+([^\s]+)
  Optimized: No; Capture Group: 1; Regex: Primary Domain[:\s\\=]*([^\s]+)

User Principal Name
  Optimized: No; Capture Group: 1; Regex: User Principal Name[:\s]*(.*?)\s+Home Directory:

User Right
  Optimized: No; Capture Group: 1; Regex: User\sRight:\s+(.*?)\s+?(Assigned\sTo|Removed\sFrom):

User Workstations
  Optimized: No; Capture Group: 1; Regex: User Workstations[:\s]*(.*?)\s+Password Last Set:

The following custom event properties are removed from JSA Custom Properties for Microsoft Windows Content Extension V1.0.4. The removal will not affect your environment. You can review your property usage and update to the replacement property as needed.

Table 3: Replaced Custom Properties in V1.0.4

Removed custom property -> Replaced by

Account Locked Out Account Name -> Target User Name
Account Locked Out Security ID -> Target Account Security ID
Account Logon Failed Account Domain -> Target User Domain
Account Logon Failed Account Name -> Target User Name
Account Logon Failed Security ID -> Target Account Security ID
AccountDomain -> User Domain
AccountName -> Initiator User Name
Caller Computer Name -> Computer Name
Caller Domain -> User Domain
Caller Process Name -> Process Path
File -> Filename, File Extension
Member Account Name -> Target User Name
Member Security ID -> Target Account Security ID
New Account Domain -> Target User Domain
New Account Name -> Target User Name
New Account Security ID -> Target Account Security ID
New Logon Account Domain -> Target User Domain
New Logon Account Name -> Target User Name
New Logon Security ID -> Target Account Security ID
New Process Name -> Process Name
  The original property (New Process Name) returned the process path (directory and name together). The new property (Process Name) returns only the process name.
New Token Account Domain -> Target User Domain
New Token Account Name -> Target User Name
New Token Security ID -> Target Account Security ID
Primary Domain -> User Domain
Realm -> User Domain
Source Workstation -> Computer Name
Subject Account Domain -> User Domain
Subject Account Name -> Initiator User Name
Subject Security ID -> Account Security ID
Target Account Domain -> Target User Domain
Target Account Name -> Target User Name
Target Domain -> Target User Domain
Target Process Name -> Process Name
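The note on New Process Name versus Process Name is easiest to see by running the definitions. The Python below is an added example, not code from the content extension or from Juniper: it takes a handful of the V1.0.4/V1.0.5 regexes from the tables above together with their Capture Group values, applies them to two event strings constructed for this example (one modelled on a Windows 4688 process-creation event, one on the legacy user-right-assigned text; the SIDs, names and paths are made up), and also runs the retired V1.0.1 New Process Name definition so the path-versus-name difference is visible side by side. The Target Account Security ID entry shows why the Capture Group column matters: group 1 of that regex is the label, group 2 is the SID. These particular expressions run unchanged under Python's re module.

```python
import re

# Property definitions copied from the V1.0.4/V1.0.5 tables above:
# name -> (regex, capture group). Only the variants that apply to the two
# sample events are included.
PROPERTIES = {
    "Process Name": (
        r"New Process Name[:\s\\=]+.*?\\([^\\]*?)\s+(?:Token Elevation Type:|&&)", 1),
    "Process Path": (
        r"New Process Name[:\s\\=]*(.*?)\s+(?:Token Elevation Type:|&&)", 1),
    "Parent Process Name": (
        r"Creator Process Name[:\s]+(?:.*\\)?(.*?)\s+Process Command Line", 1),
    "Parent Process Path": (
        r"Creator Process Name[:\s]+(.*?)\s+Process Command Line:", 1),
    "Initiator User Name": (
        r"Subject.*?Account Name[\:\\\=\s]+(.*?)\s+(?:Account Domain|&&)", 1),
    "User Right": (
        r"User\sRight:\s+(.*?)\s+?(Assigned\sTo|Removed\sFrom):", 1),
    # Group 1 here is the label "Assigned To"/"Removed From", so the table
    # sets Capture Group to 2 for this definition.
    "Target Account Security ID": (
        r"(Assigned\sTo|Removed\sFrom):\s+(.*?)\s+?(Assigned|Removed)\sBy:", 2),
}

# The V1.0.1 New Process Name definition that V1.0.4 retired (capture group 2).
LEGACY_NEW_PROCESS_NAME = (
    r"\sNew\sProcess\sName:(\s?)(.*?)\s(\s|Token\sElevation\sType:)", 2)

# Constructed sample events (not real records). Fields are separated by two
# spaces, the way a multi-line Windows event reads once it is flattened.
EVENT_4688 = (
    "A new process has been created.  Subject:  Security ID: S-1-5-21-1111-2222-3333-1001  "
    "Account Name: alice  Account Domain: CORP  Logon ID: 0x3E7  "
    "Process Information:  New Process ID: 0x1a2c  "
    "New Process Name: C:\\Windows\\System32\\cmd.exe  Token Elevation Type: %%1938  "
    "Creator Process ID: 0x0d4  Creator Process Name: C:\\Windows\\explorer.exe  "
    "Process Command Line: cmd.exe /c whoami"
)
EVENT_USER_RIGHT = (
    "User Right Assigned:  User Right: SeDebugPrivilege  "
    "Assigned To: S-1-5-21-1111-2222-3333-1105  "
    "Assigned By:  User Name: admin  Domain: CORP  Logon ID: (0x0,0x3E7)"
)


def extract(event, regex, group):
    """Apply one custom-property regex and return its configured capture group."""
    m = re.search(regex, event)
    return m.group(group) if m else None


def extract_all(event):
    """Evaluate every property against one event; None means the regex did not match."""
    return {name: extract(event, rx, grp) for name, (rx, grp) in PROPERTIES.items()}


def process_name_old_vs_new(event):
    """Return (V1.0.1 New Process Name, V1.0.4 Process Name) for one event."""
    return (extract(event, *LEGACY_NEW_PROCESS_NAME),
            extract(event, *PROPERTIES["Process Name"]))


if __name__ == "__main__":
    for name, value in extract_all(EVENT_4688).items():
        print(f"{name:28} {value!r}")
    print(process_name_old_vs_new(EVENT_4688))
    print(extract_all(EVENT_USER_RIGHT)["Target Account Security ID"])
```

On the 4688 sample the legacy definition yields the full path and the V1.0.4 Process Name yields just cmd.exe, while Process Path keeps the full path as its replacement note says; the user-right sample matches only the two definitions written for that text, and everything else comes back as None, which is the behaviour to expect from an event whose regex has no matching text.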


JSA Custom Properties for Microsoft Windows Content Extension V1.0.1

The following table shows the custom event properties in JSA Custom Properties for Microsoft Windows Content Extension V1.0.1.

Table 4: Custom Event Properties in JSA Custom Properties for Microsoft Windows Content Extension V1.0.1

Accesses
  Optimized: Yes; Capture Group: 1; Regex: [\s\s|\t]Accesses:\s{0,2}(.*?)($|\s+(Access\s(Check\sResults|Mask|Reasons)|Privileges):)

Account Locked Out Account Name
  Optimized: No; Capture Group: 2; Regex: \s\sAccount\sThat\sWas\sLocked\sOut:\s\s+(.*?)\s\sAccount\sName:\s\s+(.*?)\s\s

Account Locked Out Security ID
  Optimized: No; Capture Group: 2; Regex: \s\sAccount\sThat\sWas\sLocked\sOut:(\s{2,3})Security\sID:\s\s(.*?)\s\s

Account Logon Failed Account Domain
  Optimized: No; Capture Group: 2; Regex: \s\sAccount\sFor\sWhich\sLogon\sFailed:\s\s(.*?)\s\sAccount\sDomain:\s\s(.*?)\s\s

Account Logon Failed Account Name
  Optimized: No; Capture Group: 2; Regex: \s\sAccount\sFor\sWhich\sLogon\sFailed:\s\s(.*?)\s\sAccount\sName:\s\s(.*?)\s\s

Account Logon Failed Security ID
  Optimized: No; Capture Group: 1; Regex: \s\sAccount\sFor\sWhich\sLogon\sFailed:\s\s\sSecurity\sID:\s\s(.*?)\s\s

Account Security ID
  Optimized: No; Capture Group: 2; Regex: \s\sAccount\sInformation:\s\s(Security|.+User)\sID:\s+(.*?)\s\s

AccountDomain
  Optimized: Yes; Capture Group: 3; Regex: \s\sAccount\sInformation:\s\s(.*?)\s\sAccount\sDomain:(\s{1,2})(.*?)\s\s

AccountID
  Optimized: Yes; Capture Group: 1; Regex: Deprecated

AccountName
  Optimized: Yes; Capture Group: 1; Regex: Deprecated
  Optimized: Yes; Capture Group: 1; Regex: Deprecated
  Optimized: Yes; Capture Group: 1; Regex: Deprecated

Assigning Process Image File Name
  Optimized: No; Capture Group: 2; Regex: \s\sAssigning\sProcess\sInformation:\s\s(.*?)\s\sImage\sFile\sName:\s(.*?)\s\s

Caller Computer Name
  Optimized: No; Capture Group: 1; Regex: \s\sCaller\sComputer\sName:\s(.*?)(\s$|\t)

Caller Domain
  Optimized: No; Capture Group: 2; Regex: \sCaller\sDomain:(\s?)(.*?)\s(\s|Caller\sLogon\sID:)

Caller Process Name
  Optimized: No; Capture Group: 1; Regex: \s\sCaller\sProcess\sName:\s(.*?)\s\s

Caller User Name
  Optimized: No; Capture Group: 3; Regex: \sCaller\sUser(\sN|n)ame:(\s?)(.*?)\s(\s|Caller\sDomain:)

ChangedAttributes
  Optimized: Yes; Capture Group: 1; Regex: Changed\sAttributes:\s+(.*)

Client Domain
  Optimized: No; Capture Group: 2; Regex: \s\sClient\sDomain:(\s{0,2})(.*?)\s\s

Client User Name
  Optimized: No; Capture Group: 2; Regex: \s\sClient\sUser\sName:(\s{0,2})(.*?)\s\s

Computer
  Optimized: No; Capture Group: 7; Regex: (\tComputer=|\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+)\t(.*?)\t(.*?)\t(.*?)\t(.*?)\t)(.*?)\t

Credentials Used Account Domain
  Optimized: No; Capture Group: 3; Regex: \s\sAccount\sWhose\sCredentials\sWere\sUsed:\s\s(.*?)\s\sAccount\sDomain:(\s{1,2})(.*?)\s\s

Credentials Used Account Name
  Optimized: No; Capture Group: 3; Regex: \s\sAccount\sWhose\sCredentials\sWere\sUsed:(\s{2,3})Account\sName:(\s{1,2})(.*?)\s\s

Domain
  Optimized: No; Capture Group: 4; Regex: (\s|Successful\sLogon:\s(.*?))\sDomain:(\s{1,2})(.*?)\s(\s|Logon\sID:)

Error Code
  Optimized: No; Capture Group: 8; Regex: (\s|[Mm]essage=)[Ee]rror(:|(\s([Cc]ode((\swas|\sreturned\s.+\sprocessor)?)(:?)|status:|value:|:)))\s?(.*?)([ .:,]|$)

Event ID Code
  Optimized: No; Capture Group: 1; Regex: \tEventIDCode=(.*?)\t

EventID
  Optimized: Yes; Capture Group: 1; Regex: \d{1,2}\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+)
  Optimized: Yes; Capture Group: 1; Regex: EventID=(\d+)
  Optimized: Yes; Capture Group: 1; Regex: LEEF:[0-9\.]+\|Microsoft\|Windows\|.+\|(\d+)\|

File
  Optimized: No; Capture Group: 3; Regex: (\s|,)\s[Ff]ile:(\s?)(.*?)(,\s|\sowned\sby)

Group Domain
  Optimized: No; Capture Group: 2; Regex: (\s|\t)Group\sDomain:\s*(.*?)(\s\s|\t)
  Optimized: No; Capture Group: 3; Regex: \s(Target|Group)\sDomain:(\s?)(.*?)\s(\s|Target\sAccount\sID:)

Group Name
  Optimized: No; Capture Group: 2; Regex: (\s|\t)Group\sName:\s*(.*?)(\t|\s(\s|Group\sDomain:))
  Optimized: No; Capture Group: 6; Regex: \s(Target\sAccount|Computer\sAccount\sThat\sWas\sChanged|Group)((:\s\s(.*?)\s\sAccount)?)\sName:(\s{0,2})(.*?)\s(\s|Target\sDomain|Group\sDomain:)

Group Security ID
  Optimized: No; Capture Group: 3; Regex: (\s|\t)Group:(\s+|\t)Security\sID:\s*(.*?)(\s\s|\t)
  Optimized: No; Capture Group: 3; Regex: \s((Target\sAccount|Computer\sAccount\sThat\sWas\sChanged|Group):\s{1,3}Security|Target\sAccount)\sID:\s{0,2}(.*?)\s(|\s|Caller\sUser\sName:)

GroupID
  Optimized: Yes; Capture Group: 1; Regex: Group ID: (\d+)

Home Directory
  Optimized: No; Capture Group: 2; Regex: \s\sHome\sDirectory:(\s{1,2})(.*?)\s\s

Logon Type
  Optimized: No; Capture Group: 1; Regex: \sLogon\sType:\s+(\d+)(\s|$)

Member Account Name
  Optimized: No; Capture Group: 5; Regex: (\s|\t)Member(:(\s+?|\t).*?(\s+?|\t)Account)?\sName:\s*(.*?)(\t|\s+?(Group|Member\sID):)

Member Security ID
  Optimized: No; Capture Group: 4; Regex: (\s|\t)Member(:(\s+?|\t)Security)?\sID:\s*(.*?)(\t|(\s+?(Target\s)?Account\sName:))

Message
  Optimized: No; Capture Group: 1; Regex: (\t[Mm]essage=|\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+)\t(.*?)\t(.*?)\t(.*?)\t(.*?)\t(.*?)\t(.*?)\t(\t?))(.+)

New Account Domain
  Optimized: No; Capture Group: 6; Regex: \s\sNew\sAccount((\sName)?):\s(.*?)\s\s(Account|New)\sDomain:(\s{1,2})(.*?)\s\s

New Account Name
  Optimized: No; Capture Group: 5; Regex: \s\sNew\sAccount((:\s\s(.*?)\s\sAccount)?)\sName:(\s{1,2})(.*?)\s\s

New Account Security ID
  Optimized: No; Capture Group: 2; Regex: \s\sNew\sAccount(:\s{2,3}Security)?\sID:\s{1,2}(.*?)\s\s

New Logon Account Domain
  Optimized: No; Capture Group: 3; Regex: \s\sNew\sLogon:\s\s(.*?)\s\sAccount\sDomain:(\s{1,2})(.*?)\s\s

New Logon Account Name
  Optimized: No; Capture Group: 3; Regex: \s\sNew\sLogon:\s\s(.*?)\s\sAccount\sName:(\s{1,2})(.*?)\s\s

New Logon Security ID
  Optimized: No; Capture Group: 3; Regex: \s\sNew\sLogon:(\s{2,3})Security\sID:(\s{1,2})(.*?)\s\s

New Process Image File Name
  Optimized: No; Capture Group: 3; Regex: \s\s(New\sProcess\sInformation|A\snew\sprocess\shas\sbeen\screated):\s\s(.*?)\s\sImage\sFile\sName:\s(.*?)\s\s

New Process Name
  Optimized: No; Capture Group: 2; Regex: \sNew\sProcess\sName:(\s?)(.*?)\s(\s|Token\sElevation\sType:)

New Token Account Domain
  Optimized: No; Capture Group: 2; Regex: \s\sNew\sToken\sInformation:\s\s(.*?)\s\sAccount\sDomain:\s\s(.*?)\s\s

New Token Account Name
  Optimized: No; Capture Group: 2; Regex: \s\sNew\sToken\sInformation:\s\s(.*?)\s\sAccount\sName:\s\s(.*?)\s\s

New Token Security ID
  Optimized: No; Capture Group: 1; Regex: \s\sNew\sToken\sInformation:\s\sSecurity\sID:\s\s(.*?)\s\s

ObjectName
  Optimized: Yes; Capture Group: 1; Regex: Deprecated
  Optimized: Yes; Capture Group: 1; Regex: Deprecated

ObjectType
  Optimized: Yes; Capture Group: 1; Regex: Object\sType:\s{0,2}(.*?)\s+(Object\sName|Process\sID|Source\sAddress):

Primary Domain
  Optimized: No; Capture Group: 2; Regex: \s\sPrimary\sDomain:(\s{0,2})(.*?)\s\s

Primary User Name
  Optimized: No; Capture Group: 2; Regex: \s\sPrimary\sUser\sName:(\s?)(.*?)\s\s

Process Name
  Optimized: No; Capture Group: 2; Regex: \s\sProcess\sName:\s(\s?)(.*?)(\s\s|$)

Realm
  Optimized: Yes; Capture Group: 1; Regex: Supplied Realm Name: (.*?)[ ]

Record Number
  Optimized: No; Capture Group: 1; Regex: \tRecordNumber=(.*?)\t

SAM Account Name
  Optimized: No; Capture Group: 2; Regex: \sS(AM|am)\sAccount\sName:\s?(.*?)\s(\s|SID\sHistory:)

Scope
  Optimized: Yes; Capture Group: 1; Regex: Scope:\s(.*?)\s+(\d+|$)

Secondary User Name
  Optimized: No; Capture Group: 1; Regex: \tSecondaryUserName=(.*?)\t

Service Name
  Optimized: No; Capture Group: 5; Regex: \s(\s|Service\sInformation:\s)(Service\sName|Server:\s\s(.*?)\s\sService):(\s{0,2})(.*?)\s(\s|Server:|Service\sFile\sName:)

Share Name
  Optimized: No; Capture Group: 2; Regex: \sShare\sName:(\s{0,2})(.*?)\s(\s|Share\sPath:)

Source Workstation
  Optimized: Yes; Capture Group: 6; Regex: (\sSource\sWorkstation|The\slogon\sto\saccount:\s(.*?)\sby:\s(.*?)\sfrom\sworkstation|(\s|Authentication\sPackage:\s(.*?))\sWorkstation\sName|Caller\sWorkstation):\s(.*?)\s(\s|Caller\sUser\sName:|Error\sCode:)

Subject Account Domain
  Optimized: No; Capture Group: 5; Regex: (\s\s|\t)Subject(\s?):\s(.*?)\sAccount\sDomain:(\s{0,2})(.*?)\s(\s|Logon\sID:)

Subject Account Name
  Optimized: No; Capture Group: 5; Regex: (\s\s|\t)Subject(\s?):\s(.*?)\sAccount\sName:(\s{0,2})(.*?)\s(\s|Account\sDomain:)

Subject Security ID
  Optimized: No; Capture Group: 5; Regex: (\s\s|\t)Subject(\s?):(\s{1,3})Security\sID:(\s{0,2})(.*?)\s(\s|Account\sName:)

Target Account Domain
  Optimized: No; Capture Group: 3; Regex: \s\s(Target\sAccount|Computer\sAccount\sThat\sWas\sChanged):\s\s(.*?)\s\sAccount\sDomain:\s{0,2}(.*?)(\s\s|\s$|\t)

Target Account Name
  Optimized: No; Capture Group: 6; Regex: \s(Target\sAccount|Computer\sAccount\sThat\sWas\sChanged)((:\s\s(.*?)\s\sAccount)?)\sName:(\s{0,2})(.*?)\s(\s|Target\sDomain:)

Target Account Security ID
  Optimized: No; Capture Group: 3; Regex: \s((Target\sAccount|Computer\sAccount\sThat\sWas\sChanged):\s{2,3}Security|Target\sAccount)\sID:\s{0,2}(.*?)\s(\s|Caller\sUser\sName:)
  Optimized: No; Capture Group: 2; Regex: (Assigned\sTo|Removed\sFrom):\s*(.*?)\s+?(Assigned|Removed)\sBy:

Target Domain
  Optimized: No; Capture Group: 2; Regex: \sTarget\sDomain:(\s?)(.*?)\s(\s|Target\sAccount\sID:)

Target Process Name
  Optimized: No; Capture Group: 1; Regex: \s\sTarget\sProcess\sName:\s(.*?)\s\s

Target User Name
  Optimized: No; Capture Group: 1; Regex: \s\sTarget\sUser\sName:\s(.*?)\s\s

User Account
  Optimized: No; Capture Group: 1; Regex: \sUser\saccount:\s(.*?)\sUser\sdomain:

User Domain
  Optimized: No; Capture Group: 2; Regex: \sUser\s[Dd]omain:(\s{1,2})(.*?)\s(\s|\w+:)

User Name
  Optimized: No; Capture Group: 3; Regex: (\s|:)\sUser\s[Nn]ame:(\s?)(.*?)\s(\s|\w+:)

User Principal Name
  Optimized: No; Capture Group: 1; Regex: \s\sUser\sPrincipal\sName:\s(.*?)\s\s

User Right
  Optimized: No; Capture Group: 1; Regex: User\sRight:\s*(.*?)\s+?(Assigned\sTo|Removed\sFrom|$):

User Workstations
  Optimized: No; Capture Group: 1; Regex: \s\sUser\sWorkstations:\s(.*?)\s\s


JSA Custom Properties for Microsoft Windows Content Extension V1.0.0

The following table shows the custom event properties in JSA Custom Properties for Microsoft Windows Content Extension V1.0.0.

Table 5: Custom Event Properties in JSA Custom Properties for Microsoft Windows Content Extension V1.0.0

Accesses
  Optimized: Yes; Capture Group: 1; Regex: [\s\s|\t]Accesses:\s{0,2}(.*?)($|\s+(Access\s(Check\sResults|Mask|Reasons)|Privileges):)

Account Locked Out Account Name
  Optimized: No; Capture Group: 2; Regex: \s\sAccount\sThat\sWas\sLocked\sOut:\s\s+(.*?)\s\sAccount\sName:\s\s+(.*?)\s\s

Account Locked Out Security ID
  Optimized: No; Capture Group: 2; Regex: \s\sAccount\sThat\sWas\sLocked\sOut:(\s{2,3})Security\sID:\s\s(.*?)\s\s

Account Logon Failed Account Domain
  Optimized: No; Capture Group: 2; Regex: \s\sAccount\sFor\sWhich\sLogon\sFailed:\s\s(.*?)\s\sAccount\sDomain:\s\s(.*?)\s\s

Account Logon Failed Account Name
  Optimized: No; Capture Group: 2; Regex: \s\sAccount\sFor\sWhich\sLogon\sFailed:\s\s(.*?)\s\sAccount\sName:\s\s(.*?)\s\s

Account Logon Failed Security ID
  Optimized: No; Capture Group: 1; Regex: \s\sAccount\sFor\sWhich\sLogon\sFailed:\s\s\sSecurity\sID:\s\s(.*?)\s\s

Account Security ID
  Optimized: No; Capture Group: 2; Regex: \s\sAccount\sInformation:\s\s(Security|.+User)\sID:\s+(.*?)\s\s

AccountDomain
  Optimized: Yes; Capture Group: 3; Regex: \s\sAccount\sInformation:\s\s(.*?)\s\sAccount\sDomain:(\s{1,2})(.*?)\s\s

AccountID
  Optimized: Yes; Capture Group: 1; Regex: Target Account ID: (.*?)

AccountName
  Optimized: Yes; Capture Group: 1; Regex: New Account Name: (.*?)
  Optimized: Yes; Capture Group: 1; Regex: Target Account Name: (.*?)
  Optimized: Yes; Capture Group: 1; Regex: Account Name:\s*(.+?)\s+(Additional Information|Account Domain|Service Information|SID History|Access Granted|Access Removed|Group|Display Name|Supplied Realm Name|Workstation|New Domain):

Assigning Process Image File Name
  Optimized: No; Capture Group: 2; Regex: \s\sAssigning\sProcess\sInformation:\s\s(.*?)\s\sImage\sFile\sName:\s(.*?)\s\s

Caller Computer Name
  Optimized: No; Capture Group: 1; Regex: \s\sCaller\sComputer\sName:\s(.*?)(\s$|\t)

Caller Domain
  Optimized: No; Capture Group: 2; Regex: \sCaller\sDomain:(\s?)(.*?)\s(\s|Caller\sLogon\sID:)

Caller Process Name
  Optimized: No; Capture Group: 1; Regex: \s\sCaller\sProcess\sName:\s(.*?)\s\s

Caller User Name
  Optimized: No; Capture Group: 3; Regex: \sCaller\sUser(\sN|n)ame:(\s?)(.*?)\s(\s|Caller\sDomain:)

ChangedAttributes
  Optimized: Yes; Capture Group: 1; Regex: Changed\sAttributes:\s+(.*)

Client Domain
  Optimized: No; Capture Group: 2; Regex: \s\sClient\sDomain:(\s{0,2})(.*?)\s\s

Client User Name
  Optimized: No; Capture Group: 2; Regex: \s\sClient\sUser\sName:(\s{0,2})(.*?)\s\s

Computer
  Optimized: No; Capture Group: 7; Regex: (\tComputer=|\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+)\t(.*?)\t(.*?)\t(.*?)\t(.*?)\t)(.*?)\t

Credentials Used Account Domain
  Optimized: No; Capture Group: 3; Regex: \s\sAccount\sWhose\sCredentials\sWere\sUsed:\s\s(.*?)\s\sAccount\sDomain:(\s{1,2})(.*?)\s\s

Credentials Used Account Name
  Optimized: No; Capture Group: 3; Regex: \s\sAccount\sWhose\sCredentials\sWere\sUsed:(\s{2,3})Account\sName:(\s{1,2})(.*?)\s\s

Domain
  Optimized: No; Capture Group: 4; Regex: (\s|Successful\sLogon:\s(.*?))\sDomain:(\s{1,2})(.*?)\s(\s|Logon\sID:)

Error Code
  Optimized: No; Capture Group: 8; Regex: (\s|[Mm]essage=)[Ee]rror(:|(\s([Cc]ode((\swas|\sreturned\s.+\sprocessor)?)(:?)|status:|value:|:)))\s?(.*?)([ .:,]|$)

Event ID Code
  Optimized: No; Capture Group: 1; Regex: \tEventIDCode=(.*?)\t

EventID
  Optimized: Yes; Capture Group: 1; Regex: \d{1,2}\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+)
  Optimized: Yes; Capture Group: 1; Regex: EventID=(\d+)
  Optimized: Yes; Capture Group: 1; Regex: LEEF:[0-9\.]+\|Microsoft\|Windows\|.+\|(\d+)\|

File
  Optimized: No; Capture Group: 3; Regex: (\s|,)\s[Ff]ile:(\s?)(.*?)(,\s|\sowned\sby)

Group Domain
  Optimized: No; Capture Group: 2; Regex: (\s|\t)Group\sDomain:\s*(.*?)(\s\s|\t)
  Optimized: No; Capture Group: 3; Regex: \s(Target|Group)\sDomain:(\s?)(.*?)\s(\s|Target\sAccount\sID:)

Group Name
  Optimized: No; Capture Group: 2; Regex: (\s|\t)Group\sName:\s*(.*?)(\t|\s(\s|Group\sDomain:))
  Optimized: No; Capture Group: 6; Regex: \s(Target\sAccount|Computer\sAccount\sThat\sWas\sChanged|Group)((:\s\s(.*?)\s\sAccount)?)\sName:(\s{0,2})(.*?)\s(\s|Target\sDomain|Group\sDomain:)

Group Security ID
  Optimized: No; Capture Group: 3; Regex: (\s|\t)Group:(\s+|\t)Security\sID:\s*(.*?)(\s\s|\t)
  Optimized: No; Capture Group: 3; Regex: \s((Target\sAccount|Computer\sAccount\sThat\sWas\sChanged|Group):\s{1,3}Security|Target\sAccount)\sID:\s{0,2}(.*?)\s(|\s|Caller\sUser\sName:)

GroupID
  Optimized: Yes; Capture Group: 1; Regex: Group ID: (\d+)

Home Directory
  Optimized: No; Capture Group: 2; Regex: \s\sHome\sDirectory:(\s{1,2})(.*?)\s\s

Logon Type
  Optimized: No; Capture Group: 1; Regex: \sLogon\sType:\s+(\d+)(\s|$)

Member Account Name
  Optimized: No; Capture Group: 5; Regex: (\s|\t)Member(:(\s+?|\t).*?(\s+?|\t)Account)?\sName:\s*(.*?)(\t|\s+?(Group|Member\sID):)

Member Security ID
  Optimized: No; Capture Group: 4; Regex: (\s|\t)Member(:(\s+?|\t)Security)?\sID:\s*(.*?)(\t|(\s+?(Target\s)?Account\sName:))

Message
  Optimized: No; Capture Group: 10; Regex: (\t[Mm]essage=|\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+)\t(.*?)\t(.*?)\t(.*?)\t(.*?)\t(.*?)\t(.*?)\t(\t?))(.+)

New Account Domain
  Optimized: No; Capture Group: 6; Regex: \s\sNew\sAccount((\sName)?):\s(.*?)\s\s(Account|New)\sDomain:(\s{1,2})(.*?)\s\s

New Account Name
  Optimized: No; Capture Group: 5; Regex: \s\sNew\sAccount((:\s\s(.*?)\s\sAccount)?)\sName:(\s{1,2})(.*?)\s\s

New Account Security ID
  Optimized: No; Capture Group: 2; Regex: \s\sNew\sAccount(:\s{2,3}Security)?\sID:\s{1,2}(.*?)\s\s

New Logon Account Domain
  Optimized: No; Capture Group: 3; Regex: \s\sNew\sLogon:\s\s(.*?)\s\sAccount\sDomain:(\s{1,2})(.*?)\s\s

New Logon Account Name
  Optimized: No; Capture Group: 3; Regex: \s\sNew\sLogon:\s\s(.*?)\s\sAccount\sName:(\s{1,2})(.*?)\s\s

New Logon Security ID
  Optimized: No; Capture Group: 3; Regex: \s\sNew\sLogon:(\s{2,3})Security\sID:(\s{1,2})(.*?)\s\s

New Process Image File Name
  Optimized: No; Capture Group: 3; Regex: \s\s(New\sProcess\sInformation|A\snew\sprocess\shas\sbeen\screated):\s\s(.*?)\s\sImage\sFile\sName:\s(.*?)\s\s

New Process Name
  Optimized: No; Capture Group: 2; Regex: \sNew\sProcess\sName:(\s?)(.*?)\s(\s|Token\sElevation\sType:)

New Token Account Domain
  Optimized: No; Capture Group: 2; Regex: \s\sNew\sToken\sInformation:\s\s(.*?)\s\sAccount\sDomain:\s\s(.*?)\s\s

New Token Account Name
  Optimized: No; Capture Group: 2; Regex: \s\sNew\sToken\sInformation:\s\s(.*?)\s\sAccount\sName:\s\s(.*?)\s\s

New Token Security ID
  Optimized: No; Capture Group: 1; Regex: \s\sNew\sToken\sInformation:\s\sSecurity\sID:\s\s(.*?)\s\s

ObjectName
  Optimized: Yes; Capture Group: 1; Regex: Object Name: (.*?)
  Optimized: Yes; Capture Group: 1; Regex: New Process Name: (.*?)

ObjectType
  Optimized: Yes; Capture Group: 1; Regex: Object\sType:\s{0,2}(.*?)\s+(Object\sName|Process\sID|Source\sAddress):

Primary Domain
  Optimized: No; Capture Group: 2; Regex: \s\sPrimary\sDomain:(\s{0,2})(.*?)\s\s

Primary User Name
  Optimized: No; Capture Group: 2; Regex: \s\sPrimary\sUser\sName:(\s?)(.*?)\s\s

Process Name
  Optimized: No; Capture Group: 2; Regex: \s\sProcess\sName:\s(\s?)(.*?)(\s\s|$)

Realm
  Optimized: Yes; Capture Group: 1; Regex: Supplied Realm Name: (.*?)[ ]

Record Number
  Optimized: No; Capture Group: 1; Regex: \tRecordNumber=(.*?)\t

SAM Account Name
  Optimized: No; Capture Group: 2; Regex: \sS(AM|am)\sAccount\sName:\s?(.*?)\s(\s|SID\sHistory:)

Scope
  Optimized: Yes; Capture Group: 1; Regex: Scope:\s(.*?)\s+(\d+|$)

Secondary User Name
  Optimized: No; Capture Group: 1; Regex: \tSecondaryUserName=(.*?)\t

Service Name
  Optimized: No; Capture Group: 5; Regex: \s(\s|Service\sInformation:\s)(Service\sName|Server:\s\s(.*?)\s\sService):(\s{0,2})(.*?)\s(\s|Server:|Service\sFile\sName:)

Share Name
  Optimized: No; Capture Group: 2; Regex: \sShare\sName:(\s{0,2})(.*?)\s(\s|Share\sPath:)

Source Workstation
  Optimized: Yes; Capture Group: 6; Regex: (\sSource\sWorkstation|The\slogon\sto\saccount:\s(.*?)\sby:\s(.*?)\sfrom\sworkstation|(\s|Authentication\sPackage:\s(.*?))\sWorkstation\sName|Caller\sWorkstation):\s(.*?)\s(\s|Caller\sUser\sName:|Error\sCode:)

Subject Account Domain
  Optimized: No; Capture Group: 5; Regex: (\s\s|\t)Subject(\s?):\s(.*?)\sAccount\sDomain:(\s{0,2})(.*?)\s(\s|Logon\sID:)

Subject Account Name
  Optimized: No; Capture Group: 5; Regex: (\s\s|\t)Subject(\s?):\s(.*?)\sAccount\sName:(\s{0,2})(.*?)\s(\s|Account\sDomain:)

Subject Security ID
  Optimized: No; Capture Group: 5; Regex: (\s\s|\t)Subject(\s?):(\s{1,3})Security\sID:(\s{0,2})(.*?)\s(\s|Account\sName:)

Target Account Domain
  Optimized: No; Capture Group: 3; Regex: \s\s(Target\sAccount|Computer\sAccount\sThat\sWas\sChanged):\s\s(.*?)\s\sAccount\sDomain:\s{0,2}(.*?)(\s\s|\s$|\t)

Target Account Name
  Optimized: No; Capture Group: 6; Regex: \s(Target\sAccount|Computer\sAccount\sThat\sWas\sChanged)((:\s\s(.*?)\s\sAccount)?)\sName:(\s{0,2})(.*?)\s(\s|Target\sDomain:)

Target Account Security ID
  Optimized: No; Capture Group: 3; Regex: \s((Target\sAccount|Computer\sAccount\sThat\sWas\sChanged):\s{2,3}Security|Target\sAccount)\sID:\s{0,2}(.*?)\s(\s|Caller\sUser\sName:)
  Optimized: No; Capture Group: 2; Regex: (Assigned\sTo|Removed\sFrom):\s*(.*?)\s+?(Assigned|Removed)\sBy:

Target Domain
  Optimized: No; Capture Group: 2; Regex: \sTarget\sDomain:(\s?)(.*?)\s(\s|Target\sAccount\sID:)

Target Process Name
  Optimized: No; Capture Group: 1; Regex: \s\sTarget\sProcess\sName:\s(.*?)\s\s

Target User Name
  Optimized: No; Capture Group: 1; Regex: \s\sTarget\sUser\sName:\s(.*?)\s\s

User Account
  Optimized: No; Capture Group: 1; Regex: \sUser\saccount:\s(.*?)\sUser\sdomain:

User Domain
  Optimized: No; Capture Group: 2; Regex: \sUser\s[Dd]omain:(\s{1,2})(.*?)\s(\s|\w+:)

User Name
  Optimized: No; Capture Group: 3; Regex: (\s|:)\sUser\s[Nn]ame:(\s?)(.*?)\s(\s|\w+:)

User Principal Name
  Optimized: No; Capture Group: 1; Regex: \s\sUser\sPrincipal\sName:\s(.*?)\s\s

User Right
  Optimized: No; Capture Group: 1; Regex: User\sRight:\s*(.*?)\s+?(Assigned\sTo|Removed\sFrom|$):

User Workstations
  Optimized: No; Capture Group: 1; Regex: \s\sUser\sWorkstations:\s(.*?)\s\s
