Microsoft Windows

Use the JSA Custom Properties for Microsoft Windows Content Extension to expand JSA searches and reports by normalizing specific event data from a log source. You can also make important data more visible in rules, searches, and reports.

Note

This content extension does not install when the Parent Filename custom property is present from Cisco AMP V.1.0.0. Delete Parent Filename before you install this content extension.

JSA Custom Properties for Microsoft Windows Content Extension

JSA Custom Properties for Microsoft Windows Content Extension V1.0.5
JSA Custom Properties for Microsoft Windows Content Extension V1.0.4
JSA Custom Properties for Microsoft Windows Content Extension V1.0.1
JSA Custom Properties for Microsoft Windows Content Extension V1.0.0

JSA Custom Properties for Microsoft Windows Content Extension V1.0.5

The following table shows the custom event properties that are updated in JSA Custom Properties for Microsoft Windows Content Extension V1.0.5.

Table 1: Updated Custom Event Properties in JSA Custom Properties for Microsoft Windows Content Extension V1.0.5

Name	Optimized	Capture Group	Regex
GroupID	Yes	1	Group ID[:\s\\=]*(\d+)
Parent Process Name	Yes Yes	1 1	Process Name.\\(.?)\s+Target Process Creator Process Name[:\s]+(?:.\\)?(.?)\s+Process Command Line
Parent Process Path	Yes Yes	1 1	Process Name[:\s\\=]+(.?)\s+(?:Target Process\|&&) Creator Process Name[:\s]+(.?)\s+Process Command Line:

Name

Optimized

Capture Group

Regex

GroupID

Yes

Group ID[:\s\\=]*(\d+)

Parent Process Name

Yes

Process Name.*\\(.*?)\s+Target Process

Creator Process Name[:\s]+(?:.*\\)?(.*?)\s+Process Command Line

Parent Process Path

Yes

Process Name[:\s\\=]+(.*?)\s+(?:Target Process|&&)

Creator Process Name[:\s]+(.*?)\s+Process Command Line:

(Back to top)Use the JSA Custom Properties for Microsoft Windows Content Extension to expand JSA searches and reports by normalizing specific event data from a log source. You can also make important data more visible in rules, searches, and reports.

JSA Custom Properties for Microsoft Windows Content Extension V1.0.4

The following table shows the custom event properties that are new or updated in JSA Custom Properties for Microsoft Windows Content Extension V1.0.4.

Table 2: New or Updated Custom Event Properties in JSA Custom Properties for Microsoft Windows Content Extension V1.0.4

Name	Optimized	Capture Group	Regex
Access Mask	Yes	1	Access Mask[:\s\\=]\s+(0[^\s&]+) Note:* The `System.Information` expression for this regex is disabled by default, as it can return many event matches and affect performance.
Accesses	Yes Yes	1 1	Accesses[:\s\\=](.?)\s+(?:Access (?:Check Results\|Mask\|Reasons)\|Properties\|Privileges\|&&\|$) Operation Type[:\s\\=](.?)(?:\s+Process Information\|&&) Note: The `System.Information` expression for this regex is disabled by default, as it can return many event matches and affect performance.
Account Security ID	No No	1 1	User ID[:\s\\=](.?)\s+(?:Service\s\|&&) Subject:\s+?Security ID:\s+(.?)\s+(?:Subject:\|Account Name) Note:* The `Subject:\s+ ...` regex is disabled by default, as it can return many event matches and affect performance.
Computer Name	No No No No No	1 1 1 1 1	Workstation Name[:\s\\=]+([^\s&]+)\s+Source Source Workstation[:\s\\=]+([^\s&]+)\s+Error Caller Computer Name[:\s\\=]+([^\s&]+)(?:\s\s\|$) from the computer ([^\s]+)
Error Code	Yes Yes Yes Yes Yes Yes	1 1 1 1 1 1	Error Code[:\\\s=]([^\s&]+) error status[:\\\s=]+([^\s&\.]+) Result Code[:\\\s=]([^\s&]+) Error value[:\\\s=]+([^\s:&]+) Failure Code[:\\\s=]([^\s&]+) Status[:\\\s=]([^\s&]+)
EventID	Yes Yes Yes	1 1 1	(?:EventID\|EventIDCode\|externalId)[:\s\\=]+(\d+) \d{1,2}\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+) LEEF:[0-9\.]+\\|Microsoft\\|Windows\\|.+\\|(\d+)\\|
Extended Error Code	Yes	1	Sub[\s,_]*Status[:\\\s=]+([^\s&]+)
Filename	Yes Yes Yes	1 1 1	Object Type[:\s\\=]+File[\s\t]+Object Name[:\s\=]+.?\\([^\\]?)\s+(?:Handle ID\|&&) Relative Target Name:\s.\\(.?)\s+Access Request Information: file:.\\(.?)\sowned\sby
File Directory	Yes	1	file:(.?)\\[^\\]?\s+owned\sby Relative Target Name:\s+(.)\\.?\s+Access Request Information: Object Type[:\s\\=]+File[\s\t]+Object Name[:\s\=]+(.?)\\[^\\]?\s+(?:Handle ID\|&&)
File Extension	Yes Yes Yes	1 1 1	Object Type[:\s\\=]+File[\s\t]+Object Name[:\s\=]+.?\\.?\.([^\\\.]?)\s+(?:Handle ID\|&&) Relative Target Name[:\s].\\[^\.]?\.(.?)\s+Access Request Information: file:.\\.?\.(.?)\sowned\sby
File Path	No	1	file:(.?)\sowned\sby Object Type[:\s\\=]+File[\s\t]+Object Name[:\s\\=]+(.?)\s+(?:Handle ID\| &&) Relative Target Name:\s+(.*?)\s+Access Request Information:
Group Domain	No No No	1 1 1	(?:Group Domain\|Target Domain)[:=\s\\]+([^\s]+) Group[\s\:]+.*?Account Domain[\s\:\\=]+([^\s]+) (?:Group Domain\|New Domain)[:=\s\\]+([^\s]+)
Group Name	Yes Yes Yes	1 1 1	(?:Group Name\|New Account Name)[:=\s\\]+(.?)\s+(?:Group Domain\|New Domain\|Group:\|&&) (?:Group Name\|Target Account Name)[:=\s\\]+(.?)\s+(?:Group Domain\|Target Domain\|Group:\|&&) Group[\s\:]+.?Account Name[\s\:\\=]+(.?)\s+(?:Account Domain\|&&)
Group Security ID	No No No No	1 1 1 1	Group[:\s]Security ID[:=\s\\]+(.?)\s+(?:Group Name\|Group:\|Account Name\|&&) Group[:\s]Security ID[:=\s\\]+(.?)\s+(?:Group Name\|Group:\|&&) Target Account ID[:=\s\\]+(.?)\s+(?:Caller User Name\|&&) New Account ID[:\s\\=]+(.?)(?:\s+Caller User Name\|&&)
GroupID	No	1	Group ID[:\s\\=]*(\d+)
Home Directory	No	1	Home Directory[:\s](.?)\s+Home Drive:
Initiator User Name	Yes	1	Subject.?Account Name[\:\\\=\s]+(.?)\s+(?:Account Domain\|&&)
Logon Type	Yes	1	Logon Type[:\s\\=]+(\d+)
Message	No	1	Message=(.+)
ObjectName	Yes Yes	1 1	Object Name[:\s\\=]+(.?)\s+(?:Object Value Name\|&&) Object Name[:\s\\=]+(.?)\s+(?:Handle ID\|&&) Note: The `Success Audit` event in the `System.Information` expression for this regex is disabled by default, as it can return many event matches and affect performance.
ObjectType	No	1	Object Type[:\s\\=]([^\s&])
Parent Process Name	No No	1 1	Process Name.\$.?)\s+Target Process Creator Process Name[:\s]+(?:.\$?(.?)\s+Process Command Line
Parent Process Path	No No	1 1	Process Name[:\s\\=]+(.?)\s+(?:Target Process\|&&) Creator Process Name[:\s]+(.?)\s+Process Command Line:
Process CommandLine	Yes	1	Process Command Line[:\s\\=]+(.?)\s(?:Token Elevation Type\|\t\|\s\s\|&&)
Process Name	Yes Yes Yes	1 1 1	Process Name[:\s\\=]+(?:.\\)+(.?)\s+(?:Network Information\|\s\|&&) New Process Name[:\s\\=]+.?\\([^\\]?)\s+(?:Token Elevation Type:\|&&) Target Process Name.\\(.?)\s+(?:New Token Information\|&&) Note: The `System.Information` expression for this regex is disabled by default, as it can return many event matches and affect performance.
Process Path	No No No	1 1 1	New Process Name[:\s\\=](.?)\s+(?:Token Elevation Type:\|&&) Caller Process Name[:\s\\=]+(.*?)\s+(?:Network Information\|&&)
Record Number	No	1	RecordNumber=(\d*)
Registry Key	Yes Yes Yes Yes	1 1 1 1	Object Name[:\s\\=]+\\REGISTRY\\USER\\.?\\.?(\\.?)\s+(?:Object Value Name\|&&) Object Type[:\s\\=]+Key.?Object Name[:\s\\=]+\\REGISTRY\\USER\\.?\\.?(\\.?)\s+(?:Handle ID\|&&) Object Type[:\s\\=]+Key.?Object Name[:\s\\=]+\\REGISTRY\\MACHINE(\\.?)\s+(?:Handle ID\|&&) Object Name[:\s\\=]+\\REGISTRY\\MACHINE(\\.?)\s+(?:Object Value Name\|&&)
Registry Value Data	Yes	1	New Value[:\\=]\s+(.+)
Registry Value Name	Yes	1	Object Value Name[:\s\\=]+(.*?)\s+(?:Handle ID\|&&)
SAM Account Name	No	1	S(?:AM\|am) Account Name[:\s](.?)\s+Display Name:
Scope	No	1	Scope:\s(.*?)\s+(\d+\|$)
Service Name	Yes Yes Yes	1 1 1	Service Name[:\s\\=](.?)\s+(?:Service ID:\|&&) \\SYSTEM\\ControlSet\d\\Services\\(.?)\s+Object Value Name Service Name[\:\s\=\\](.?)\s+(?:Service File Name:\|&&)
Share Name	Yes	1	Share Name[:\s].?\\([^\\]?)\s+Share Path:
Share Path	No No	1 1	Share Path[\:\s](.) Share Path[\:\s](.?)\s+Access Request Information:
Target Account Security ID	No No No No No No No No No No No	1 2 1 1 1 1 1 1 1 1 1	New Logon.?Security ID[:\s\\=]+(.?)\s+(?:Account Name\|&&) (Assigned\sTo\|Removed\sFrom):\s+(.?)\s+?(Assigned\|Removed)\sBy: New Token Information[:\=\s\\]+Security ID[:\=\s\\]+(.?)\s+(?:Account Name\|&&\|\s) Target Subject[:\s]Security ID[:\s\\=]+(.?)\s+(?:Account Name\|&&) Member[\:\s]+(?:Security )?ID[\:\s\\=]+(.?)\s+(?:(?:Target\s)?Account Name\|&&) Target Account ID[:\s\\=]+(.?)\s+(?:Caller Machine Name\|&&) Target Account.?ID[:\s\\=]+(.?)\s+(?:Account Name\|Account Domain\|Caller User Name\|&&) Target Account.?ID[:\s\\=]+(.?)\s+(?:Account Name\|Caller User Name\|&&) New Account.?ID[:\s\\=]+(.?)\s+(?:Account Name\|Caller User Name\|&&) Account That Was Locked Out[:\s]Security ID[:\s\\=]+(.?)\s+(?:Account Name\|&&) Account For Which Logon Failed.?Security ID[\:\\\=\s]+(.?)\s+(?:Account Name\|&&)
Target Computer Domain	No No No	1 1 1	New Computer Account:.Account Domain:\s(.?)\s+Attributes: Computer Account That Was Changed:.Account Domain:\s(.?)\s+Changed Attributes: Target Computer:.Account Domain:\s(.?)\s+Additional Information:
Target Computer Name	No No No	1 1 1	Target Computer:.Account Name[:\s](.?)\s+Account Domain: Computer Account That Was Changed:.Account Name[:\s](.?)\s+Account Domain: New Computer Account:.Account Name[:\s](.*?)\s+Account Domain:
Target User Domain	No No No No No No No No No No No No No No No	1 1 1 1 1 1 1 1 1 1 1 1 1 1 1	New Account.?Account Domain[\:\\\=\s]+([^\s]+) Target Account.?Domain[\:\\\=\s]+([^\s]+) Target Account.?Account Domain[\:\\\=\s]+([^\s]+) New Domain[\:\\\=\s]+([^\s]+) Target.?Domain[\:\\\=\s]+([^\s]+) Target.?Domain[:\s\\=]+([^\s]+) Target Account ID[\:\\\=\s]+([^\s\\]+)(?:\\.?)\s+Caller Target Domain[\:\\\=\s]+([^\s]+) Member[\:\s]+(?:Security )?ID[\:\s]+([^\s\\]?)\\.?\s+(?:Target\s)?Account Name New Logon:.?Account Domain[\:\\\=\s]+([^\s]+) Account That Was Locked Out[\s\:]Security ID[\:\\\=\s]+([^\s\\]+)(?:\\.?)\s+Account Name Account For Which Logon Failed.?Account Domain[\:\\\=\s]+([^\s]+) New Token Information:.?Account Domain[\:\\\=\s]+([^\s]+) Target Subject.?Account Domain[\:\\\=\s]+([^\s]+) dntdom=([^\s]+)
Target User Name	Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes	1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1	Target Account.?Name[\:\\\=\s]+(.?)\s+(?:New Right:\|Removed Right:\|&&\|\s) Member[\:\s]+(?:Security )?ID[\:\s]+(?:[^\s\\]?)\\(.?)\s+(?:Target\s)?Account Name Whose Credentials Were Used:.?Name:[\:\\\=\s]+(.?)\s+(?:Account Domain\|Target Domain:\|&&) Account That Was Locked Out.?Account Name[\:\\\=\s]+(.?)\s+(?:Additional Information\|&&) Target Account Name[\:\\\=\s]+(.?)\s+(?:Account Domain:\|Target Domain:\|&&) Target Account.?Name[\:\\\=\s]+(.?)\s+(?:Account Domain:\|Target Domain:\|&&) Account For Which Logon Failed.?Account Name[\:\\\=\s]+(.?)\s+(?:Account Domain\|&&) Target Account.?Account Name[\:\\\=\s]+(.?)\s+(?:Account Domain\|&&\|\s) Target Account Name[\:\\\=\s]+(.?)\s+(?:Target Account ID:\|&&) duser=([^&]?)\s+duid New Account Name[:\s](.?)\s(?:Additional Information:\|&&) Target Subject.?Account Name[\:\\\=\s]+(.?)\s+(?:Account Domain\|&&) New Account.?Name[\:\\\=\s]+(.?)\s+(?:Account Domain:\|New Domain:\|&&) New Token Information:.?Account Name[\:\\\=\s]+(.?)\s+(?:Account Domain:\|&&) Target User Name[:\s\\=](.?)\s(?:Target Domain:\|&&) New Logon.?Name:[\:\\\=\s]+(.*?)\s+(?:Account Domain\|Target Domain:\|&&)
TaskName	No No	1 1	Task Name[\:\s\\=]\\(.?)\s+(?:Task Content:\|&&) Task Name[\:\s\\=]\\(.?)\s+(?:Task New Content:\|&&)
Ticket Encryption Type	Yes	1	Ticket Encryption Type[\s:\\=]*(0[xX][0-9a-fA-F]+)
User Domain	No No No No No No	1 1 1 1 1 1	Account Information:.?Account Domain[\:\\\=\s]+([^\s]+) Supplied Realm Name[:\s]+([^\s]+) Caller Domain:\s+([^\s]+) Subject.?Domain[\:\\\=\s]{2,}([^\s]+) User domain:\s+([^\s]+) Primary Domain[:\s\\=]*([^\s]+)
User Principal Name	No	1	User Principal Name[:\s](.?)\s+Home Directory:
User Right	No	1	User\sRight:\s+(.*?)\s+?(Assigned\sTo\|Removed\sFrom):
User Workstations	No	1	User Workstations[:\s](.?)\s+Password Last Set:

The following custom event properties are removed from JSA Custom Properties for Microsoft Windows Content Extension V1.0.4. The removal will not affect your environment. You can review your property usage and update to the replacement property as needed.

Table 3: Replaced Custom Properties in V1.0.4

Removed custom property	Replaced by
Account Locked Out Account Name	Target User Name
Account Locked Out Security ID	Target Account Security ID
Account Logon Failed Account Domain	Target User Domain
Account Logon Failed Account Name	Target User Name
Account Logon Failed Security ID	Target Account Security ID
AccountDomain	User Domain
AccountName	Initiator User Name
Caller Computer Name	Computer Name
Caller Domain	User Domain
Caller Process Name	Process Path
File	Filename File Extension
Member Account Name	Target User Name
Member Security ID	Target Account Security ID
New Account Domain	Target User Domain
New Account Name	Target User Name
New Account Security ID	Target Account Security ID
New Logon Account Domain	Target User Domain
New Logon Account Name	Target User Name
New Logon Security ID	Target Account Security ID
New Process Name	Process Name The original property (New Process Name) returned the process path (directory and name together). The new property (Process Name) returns only the process name.
New Token Account Domain	Target User Domain
New Token Account Name	Target User Name
New Token Security ID	Target Account Security ID
Primary Domain	User Domain
Realm	User Domain
Source Workstation	Computer Name
Subject Account Domain	User Domain
Subject Account Name	Initiator User Name
Subject Security ID	Account Security ID
Target Account Domain	Target User Domain
Target Account Name	Target User Name
Target Domain	Target User Domain
Target Process Name	Process Name

JSA Custom Properties for Microsoft Windows Content Extension V1.0.1

The following table shows the custom event properties in JSA Custom Properties for Microsoft Windows Content Extension V1.0.1.

Table 4: Custom Event Properties in JSA Custom Properties for Microsoft Windows Content Extension V1.0.1

Name	Optimized	Capture Group	Regex
Accesses	Yes	1	[\s\s\|\t]Accesses:\s{0,2}(.*?)($\|\s+(Access\s(Check\sResults\|Mask\|Reasons)\|Privileges):)
Account Locked Out Account Name	No	2	\s\sAccount\sThat\sWas\sLocked\sOut:\s\s+(.?)\s\sAccount\sName:\s\s+(.?)\s\s
Account Locked Out Security ID	No	2	\s\sAccount\sThat\sWas\sLocked\sOut:(\s{2,3})Security\sID:\s\s(.*?)\s\s
Account Logon Failed Account Domain	No	2	\s\sAccount\sFor\sWhich\sLogon\sFailed:\s\s(.?)\s\sAccount\sDomain:\s\s(.?)\s\s
Account Logon Failed Account Name	No	2	\s\sAccount\sFor\sWhich\sLogon\sFailed:\s\s(.?)\s\sAccount\sName:\s\s(.?)\s\s
Account Logon Failed Security ID	No	1	\s\sAccount\sFor\sWhich\sLogon\sFailed:\s\s\sSecurity\sID:\s\s(.*?)\s\s
Account Security ID	No	2	\s\sAccount\sInformation:\s\s(Security\|.+User)\sID:\s+(.*?)\s\s
AccountDomain	Yes	3	\s\sAccount\sInformation:\s\s(.?)\s\sAccount\sDomain:(\s{1,2})(.?)\s\s
AccountID	Yes	1	Deprecated
AccountName	Yes Yes Yes	1 1 1	Deprecated Deprecated Deprecated
Assigning Process Image File Name	No	2	\s\sAssigning\sProcess\sInformation:\s\s(.?)\s\sImage\sFile\sName:\s(.?)\s\s
Caller Computer Name	No	1	\s\sCaller\sComputer\sName:\s(.*?)(\s$\|\t)
Caller Domain	No	2	\sCaller\sDomain:(\s?)(.*?)\s(\s\|Caller\sLogon\sID:)
Caller Process Name	No	1	\s\sCaller\sProcess\sName:\s(.*?)\s\s
Caller User Name	No	3	\sCaller\sUser(\sN\|n)ame:(\s?)(.*?)\s(\s\|Caller\sDomain:)
ChangedAttributes	Yes	1	Changed\sAttributes:\s+(.*)
Client Domain	No	2	\s\sClient\sDomain:(\s{0,2})(.*?)\s\s
Client User Name	No	2	\s\sClient\sUser\sName:(\s{0,2})(.*?)\s\s
Computer	No	7	(\tComputer=\|\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+)\t(.?)\t(.?)\t(.?)\t(.?)\t)(.*?)\t
Credentials Used Account Domain	No	3	\s\sAccount\sWhose\sCredentials\sWere\sUsed:\s\s(.?)\s\sAccount\sDomain:(\s{1,2})(.?)\s\s
Credentials Used Account Name	No	3	\s\sAccount\sWhose\sCredentials\sWere\sUsed:(\s{2,3})Account\sName:(\s{1,2})(.*?)\s\s
Domain	No	4	(\s\|Successful\sLogon:\s(.?))\sDomain:(\s{1,2})(.?)\s(\s\|Logon\sID:)
Error Code	No	8	(\s\|[Mm]essage=)[Ee]rror(:\|(\s([Cc]ode((\swas\|\sreturned\s.+\sprocessor)?)(:?)\|status:\|value:\|:)))\s?(.*?)([ .:,]\|$)
Event ID Code	No	1	\tEventIDCode=(.*?)\t
EventID	Yes Yes Yes	1 1 1	\d{1,2}\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+) EventID=(\d+) LEEF:[0-9\.]+\\|Microsoft\\|Windows\\|.+\\|(\d+)\\|
File	No	3	(\s\|,)\s[Ff]ile:(\s?)(.*?)(,\s\|\sowned\sby)
Group Domain	No No	2 3	(\s\|\t)Group\sDomain:\s(.?)(\s\s\|\t) \s(Target\|Group)\sDomain:(\s?)(.*?)\s(\s\|Target\sAccount\sID:)
Group Name	No No	2 6	(\s\|\t)Group\sName:\s(.?)(\t\|\s(\s\|Group\sDomain:)) \s(Target\sAccount\|Computer\sAccount\sThat\sWas\sChanged\|Group)((:\s\s(.?)\s\sAccount)?)\sName:(\s{0,2})(.?)\s(\s\|Target\sDomain\|Group\sDomain:)
Group Security ID	No No	3 3	(\s\|\t)Group:(\s+\|\t)Security\sID:\s(.?)(\s\s\|\t) \s((Target\sAccount\|Computer\sAccount\sThat\sWas\sChanged\|Group):\s{1,3}Security\|Target\sAccount)\sID:\s{0,2}(.*?)\s(\|\s\|Caller\sUser\sName:)
GroupID	Yes	1	Group ID: (\d+)
Home Directory	No	2	\s\sHome\sDirectory:(\s{1,2})(.*?)\s\s
Logon Type	No	1	\sLogon\sType:\s+(\d+)(\s\|$)
Member Account Name	No	5	(\s\|\t)Member(:(\s+?\|\t).?(\s+?\|\t)Account)?\sName:\s(.*?)(\t\|\s+?(Group\|Member\sID):)
Member Security ID	No	4	(\s\|\t)Member(:(\s+?\|\t)Security)?\sID:\s(.?)(\t\|(\s+?(Target\s)?Account\sName:))
Message	No	1	(\t[Mm]essage=\|\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+)\t(.?)\t(.?)\t(.?)\t(.?)\t(.?)\t(.?)\t(\t?))(.+)
New Account Domain	No	6	\s\sNew\sAccount((\sName)?):\s(.?)\s\s(Account\|New)\sDomain:(\s{1,2})(.?)\s\s
New Account Name	No	5	\s\sNew\sAccount((:\s\s(.?)\s\sAccount)?)\sName:(\s{1,2})(.?)\s\s
New Account Security ID	No	2	\s\sNew\sAccount(:\s{2,3}Security)?\sID:\s{1,2}(.*?)\s\s
New Logon Account Domain	No	3	\s\sNew\sLogon:\s\s(.?)\s\sAccount\sDomain:(\s{1,2})(.?)\s\s
New Logon Account Name	No	3	\s\sNew\sLogon:\s\s(.?)\s\sAccount\sName:(\s{1,2})(.?)\s\s
New Logon Security ID	No	3	\s\sNew\sLogon:(\s{2,3})Security\sID:(\s{1,2})(.*?)\s\s
New Process Image File Name	No	3	\s\s(New\sProcess\sInformation\|A\snew\sprocess\shas\sbeen\screated):\s\s(.?)\s\sImage\sFile\sName:\s(.?)\s\s
New Process Name	No	2	\sNew\sProcess\sName:(\s?)(.*?)\s(\s\|Token\sElevation\sType:)
New Token Account Domain	No	2	\s\sNew\sToken\sInformation:\s\s(.?)\s\sAccount\sDomain:\s\s(.?)\s\s
New Token Account Name	No	2	\s\sNew\sToken\sInformation:\s\s(.?)\s\sAccount\sName:\s\s(.?)\s\s
New Token Security ID	No	1	\s\sNew\sToken\sInformation:\s\sSecurity\sID:\s\s(.*?)\s\s
ObjectName	Yes Yes	1 1	Deprecated Deprecated
ObjectType	Yes	1	Object\sType:\s{0,2}(.*?)\s+(Object\sName\|Process\sID\|Source\sAddress):
Primary Domain	No	2	\s\sPrimary\sDomain:(\s{0,2})(.*?)\s\s
Primary User Name	No	2	\s\sPrimary\sUser\sName:(\s?)(.*?)\s\s
Process Name	No	2	\s\sProcess\sName:\s(\s?)(.*?)(\s\s\|$)
Realm	Yes	1	Supplied Realm Name: (.*?)[ ]
Record Number	No	1	\tRecordNumber=(.*?)\t
SAM Account Name	No	2	\sS(AM\|am)\sAccount\sName:\s?(.*?)\s(\s\|SID\sHistory:)
Scope	Yes	1	Scope:\s(.*?)\s+(\d+\|$)
Secondary User Name	No	1	\tSecondaryUserName=(.*?)\t
Service Name	No	5	\s(\s\|Service\sInformation:\s)(Service\sName\|Server:\s\s(.?)\s\sService):(\s{0,2})(.?)\s(\s\|Server:\|Service\sFile\sName:)
Share Name	No	2	\sShare\sName:(\s{0,2})(.*?)\s(\s\|Share\sPath:)
Source Workstation	Yes	6	(\sSource\sWorkstation\|The\slogon\sto\saccount:\s(.?)\sby:\s(.?)\sfrom\sworkstation\|(\s\|Authentication\sPackage:\s(.?))\sWorkstation\sName\|Caller\sWorkstation):\s(.?)\s(\s\|Caller\sUser\sName:\|Error\sCode:)
Subject Account Domain	No	5	(\s\s\|\t)Subject(\s?):\s(.?)\sAccount\sDomain:(\s{0,2})(.?)\s(\s\|Logon\sID:)
Subject Account Name	No	5	(\s\s\|\t)Subject(\s?):\s(.?)\sAccount\sName:(\s{0,2})(.?)\s(\s\|Account\sDomain:)
Subject Security ID	No	5	(\s\s\|\t)Subject(\s?):(\s{1,3})Security\sID:(\s{0,2})(.*?)\s(\s\|Account\sName:)
Target Account Domain	No	3	\s\s(Target\sAccount\|Computer\sAccount\sThat\sWas\sChanged):\s\s(.?)\s\sAccount\sDomain:\s{0,2}(.?)(\s\s\|\s$\|\t)
Target Account Name	No	6	\s(Target\sAccount\|Computer\sAccount\sThat\sWas\sChanged)((:\s\s(.?)\s\sAccount)?)\sName:(\s{0,2})(.?)\s(\s\|Target\sDomain:)
Target Account Security ID	No No	3 2	\s((Target\sAccount\|Computer\sAccount\sThat\sWas\sChanged):\s{2,3}Security\|Target\sAccount)\sID:\s{0,2}(.?)\s(\s\|Caller\sUser\sName:) (Assigned\sTo\|Removed\sFrom):\s(.*?)\s+?(Assigned\|Removed)\sBy:
Target Domain	No	2	\sTarget\sDomain:(\s?)(.*?)\s(\s\|Target\sAccount\sID:)
Target Process Name	No	1	\s\sTarget\sProcess\sName:\s(.*?)\s\s
Target User Name	No	1	\s\sTarget\sUser\sName:\s(.*?)\s\s
User Account	No	1	\sUser\saccount:\s(.*?)\sUser\sdomain:
User Domain	No	2	\sUser\s[Dd]omain:(\s{1,2})(.*?)\s(\s\|\w+:)
User Name	No	3	(\s\|:)\sUser\s[Nn]ame:(\s?)(.*?)\s(\s\|\w+:)
User Principal Name	No	1	\s\sUser\sPrincipal\sName:\s(.*?)\s\s
User Right	No	1	User\sRight:\s(.?)\s+?(Assigned\sTo\|Removed\sFrom\|$):
User Workstations	No	1	\s\sUser\sWorkstations:\s(.*?)\s\s

JSA Custom Properties for Microsoft Windows Content Extension V1.0.0

The following table shows the custom event properties in JSA Custom Properties for Microsoft Windows Content Extension V1.0.0.

Table 5: Custom Event Properties in JSA Custom Properties for Microsoft Windows Content Extension V1.0.0

Name	Optimized	Capture Group	Regex
Accesses	Yes	1	[\s\s\|\t]Accesses:\s{0,2}(.*?)($\|\s+(Access\s(Check\sResults\|Mask\|Reasons)\|Privileges):)
Account Locked Out Account Name	No	2	\s\sAccount\sThat\sWas\sLocked\sOut:\s\s+(.?)\s\sAccount\sName:\s\s+(.?)\s\s
Account Locked Out Security ID	No	2	\s\sAccount\sThat\sWas\sLocked\sOut:(\s{2,3})Security\sID:\s\s(.*?)\s\s
Account Logon Failed Account Domain	No	2	\s\sAccount\sFor\sWhich\sLogon\sFailed:\s\s(.?)\s\sAccount\sDomain:\s\s(.?)\s\s
Account Logon Failed Account Name	No	2	\s\sAccount\sFor\sWhich\sLogon\sFailed:\s\s(.?)\s\sAccount\sName:\s\s(.?)\s\s
Account Logon Failed Security ID	No	1	\s\sAccount\sFor\sWhich\sLogon\sFailed:\s\s\sSecurity\sID:\s\s(.*?)\s\s
Account Security ID	No	2	\s\sAccount\sInformation:\s\s(Security\|.+User)\sID:\s+(.*?)\s\s
AccountDomain	Yes	3	\s\sAccount\sInformation:\s\s(.?)\s\sAccount\sDomain:(\s{1,2})(.?)\s\s
AccountID	Yes	1	Target Account ID: (.*?)
AccountName	Yes Yes Yes	1 1 1	New Account Name: (.?) Target Account Name: (.?) Account Name:\s*(.+?)\s+(Additional Information\|Account Domain\|Service Information\|SID History\|Access Granted\|Access Removed\|Group\|Display Name\|Supplied Realm Name\|Workstation\|New Domain):
Assigning Process Image File Name	No	2	\s\sAssigning\sProcess\sInformation:\s\s(.?)\s\sImage\sFile\sName:\s(.?)\s\s
Caller Computer Name	No	1	\s\sCaller\sComputer\sName:\s(.*?)(\s$\|\t)
Caller Domain	No	2	\sCaller\sDomain:(\s?)(.*?)\s(\s\|Caller\sLogon\sID:)
Caller Process Name	No	1	\s\sCaller\sProcess\sName:\s(.*?)\s\s
Caller User Name	No	3	\sCaller\sUser(\sN\|n)ame:(\s?)(.*?)\s(\s\|Caller\sDomain:)
ChangedAttributes	Yes	1	Changed\sAttributes:\s+(.*)
Client Domain	No	2	\s\sClient\sDomain:(\s{0,2})(.*?)\s\s
Client User Name	No	2	\s\sClient\sUser\sName:(\s{0,2})(.*?)\s\s
Computer	No	7	(\tComputer=\|\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+)\t(.?)\t(.?)\t(.?)\t(.?)\t)(.*?)\t
Credentials Used Account Domain	No	3	\s\sAccount\sWhose\sCredentials\sWere\sUsed:\s\s(.?)\s\sAccount\sDomain:(\s{1,2})(.?)\s\s
Credentials Used Account Name	No	3	\s\sAccount\sWhose\sCredentials\sWere\sUsed:(\s{2,3})Account\sName:(\s{1,2})(.*?)\s\s
Domain	No	4	(\s\|Successful\sLogon:\s(.?))\sDomain:(\s{1,2})(.?)\s(\s\|Logon\sID:)
Error Code	No	8	(\s\|[Mm]essage=)[Ee]rror(:\|(\s([Cc]ode((\swas\|\sreturned\s.+\sprocessor)?)(:?)\|status:\|value:\|:)))\s?(.*?)([ .:,]\|$)
Event ID Code	No	1	\tEventIDCode=(.*?)\t
EventID	Yes Yes Yes	1 1 1	\d{1,2}\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+) EventID=(\d+) LEEF:[0-9\.]+\\|Microsoft\\|Windows\\|.+\\|(\d+)\\|
File	No	3	(\s\|,)\s[Ff]ile:(\s?)(.*?)(,\s\|\sowned\sby)
Group Domain	No No	2 3	(\s\|\t)Group\sDomain:\s(.?)(\s\s\|\t) \s(Target\|Group)\sDomain:(\s?)(.*?)\s(\s\|Target\sAccount\sID:)
Group Name	No No	2 6	(\s\|\t)Group\sName:\s(.?)(\t\|\s(\s\|Group\sDomain:)) \s(Target\sAccount\|Computer\sAccount\sThat\sWas\sChanged\|Group)((:\s\s(.?)\s\sAccount)?)\sName:(\s{0,2})(.?)\s(\s\|Target\sDomain\|Group\sDomain:)
Group Security ID	No No	3 3	(\s\|\t)Group:(\s+\|\t)Security\sID:\s(.?)(\s\s\|\t) \s((Target\sAccount\|Computer\sAccount\sThat\sWas\sChanged\|Group):\s{1,3}Security\|Target\sAccount)\sID:\s{0,2}(.*?)\s(\|\s\|Caller\sUser\sName:)
GroupID	Yes	1	Group ID: (\d+)
Home Directory	No	2	\s\sHome\sDirectory:(\s{1,2})(.*?)\s\s
Logon Type	No	1	\sLogon\sType:\s+(\d+)(\s\|$)
Member Account Name	No	5	(\s\|\t)Member(:(\s+?\|\t).?(\s+?\|\t)Account)?\sName:\s(.*?)(\t\|\s+?(Group\|Member\sID):)
Member Security ID	No	4	(\s\|\t)Member(:(\s+?\|\t)Security)?\sID:\s(.?)(\t\|(\s+?(Target\s)?Account\sName:))
Message	No	10	(\t[Mm]essage=\|\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+)\t(.?)\t(.?)\t(.?)\t(.?)\t(.?)\t(.?)\t(\t?))(.+)
New Account Domain	No	6	\s\sNew\sAccount((\sName)?):\s(.?)\s\s(Account\|New)\sDomain:(\s{1,2})(.?)\s\s
New Account Name	No	5	\s\sNew\sAccount((:\s\s(.?)\s\sAccount)?)\sName:(\s{1,2})(.?)\s\s
New Account Security ID	No	2	\s\sNew\sAccount(:\s{2,3}Security)?\sID:\s{1,2}(.*?)\s\s
New Logon Account Domain	No	3	\s\sNew\sLogon:\s\s(.?)\s\sAccount\sDomain:(\s{1,2})(.?)\s\s
New Logon Account Name	No	3	\s\sNew\sLogon:\s\s(.?)\s\sAccount\sName:(\s{1,2})(.?)\s\s
New Logon Security ID	No	3	\s\sNew\sLogon:(\s{2,3})Security\sID:(\s{1,2})(.*?)\s\s
New Process Image File Name	No	3	\s\s(New\sProcess\sInformation\|A\snew\sprocess\shas\sbeen\screated):\s\s(.?)\s\sImage\sFile\sName:\s(.?)\s\s
New Process Name	No	2	\sNew\sProcess\sName:(\s?)(.*?)\s(\s\|Token\sElevation\sType:)
New Token Account Domain	No	2	\s\sNew\sToken\sInformation:\s\s(.?)\s\sAccount\sDomain:\s\s(.?)\s\s
New Token Account Name	No	2	\s\sNew\sToken\sInformation:\s\s(.?)\s\sAccount\sName:\s\s(.?)\s\s
New Token Security ID	No	1	\s\sNew\sToken\sInformation:\s\sSecurity\sID:\s\s(.*?)\s\s
ObjectName	Yes Yes	1 1	Object Name: (.?) New Process Name: (.?)
ObjectType	Yes	1	Object\sType:\s{0,2}(.*?)\s+(Object\sName\|Process\sID\|Source\sAddress):
Primary Domain	No	2	\s\sPrimary\sDomain:(\s{0,2})(.*?)\s\s
Primary User Name	No	2	\s\sPrimary\sUser\sName:(\s?)(.*?)\s\s
Process Name	No	2	\s\sProcess\sName:\s(\s?)(.*?)(\s\s\|$)
Realm	Yes	1	Supplied Realm Name: (.*?)[ ]
Record Number	No	1	\tRecordNumber=(.*?)\t
SAM Account Name	No	2	\sS(AM\|am)\sAccount\sName:\s?(.*?)\s(\s\|SID\sHistory:)
Scope	Yes	1	Scope:\s(.*?)\s+(\d+\|$)
Secondary User Name	No	1	\tSecondaryUserName=(.*?)\t
Service Name	No	5	\s(\s\|Service\sInformation:\s)(Service\sName\|Server:\s\s(.?)\s\sService):(\s{0,2})(.?)\s(\s\|Server:\|Service\sFile\sName:)
Share Name	No	2	\sShare\sName:(\s{0,2})(.*?)\s(\s\|Share\sPath:)
Source Workstation	Yes	6	(\sSource\sWorkstation\|The\slogon\sto\saccount:\s(.?)\sby:\s(.?)\sfrom\sworkstation\|(\s\|Authentication\sPackage:\s(.?))\sWorkstation\sName\|Caller\sWorkstation):\s(.?)\s(\s\|Caller\sUser\sName:\|Error\sCode:)
Subject Account Domain	No	5	(\s\s\|\t)Subject(\s?):\s(.?)\sAccount\sDomain:(\s{0,2})(.?)\s(\s\|Logon\sID:)
Subject Account Name	No	5	(\s\s\|\t)Subject(\s?):\s(.?)\sAccount\sName:(\s{0,2})(.?)\s(\s\|Account\sDomain:)
Subject Security ID	No	5	(\s\s\|\t)Subject(\s?):(\s{1,3})Security\sID:(\s{0,2})(.*?)\s(\s\|Account\sName:)
Target Account Domain	No	3	\s\s(Target\sAccount\|Computer\sAccount\sThat\sWas\sChanged):\s\s(.?)\s\sAccount\sDomain:\s{0,2}(.?)(\s\s\|\s$\|\t)
Target Account Name	No	6	\s(Target\sAccount\|Computer\sAccount\sThat\sWas\sChanged)((:\s\s(.?)\s\sAccount)?)\sName:(\s{0,2})(.?)\s(\s\|Target\sDomain:)
Target Account Security ID	No No	3 2	\s((Target\sAccount\|Computer\sAccount\sThat\sWas\sChanged):\s{2,3}Security\|Target\sAccount)\sID:\s{0,2}(.?)\s(\s\|Caller\sUser\sName:) (Assigned\sTo\|Removed\sFrom):\s(.*?)\s+?(Assigned\|Removed)\sBy:
Target Domain	No	2	\sTarget\sDomain:(\s?)(.*?)\s(\s\|Target\sAccount\sID:)
Target Process Name	No	1	\s\sTarget\sProcess\sName:\s(.*?)\s\s
Target User Name	No	1	\s\sTarget\sUser\sName:\s(.*?)\s\s
User Account	No	1	\sUser\saccount:\s(.*?)\sUser\sdomain:
User Domain	No	2	\sUser\s[Dd]omain:(\s{1,2})(.*?)\s(\s\|\w+:)
User Name	No	3	(\s\|:)\sUser\s[Nn]ame:(\s?)(.*?)\s(\s\|\w+:)
User Principal Name	No	1	\s\sUser\sPrincipal\sName:\s(.*?)\s\s
User Right	No	1	User\sRight:\s(.?)\s+?(Assigned\sTo\|Removed\sFrom\|$):
User Workstations	No	1	\s\sUser\sWorkstations:\s(.*?)\s\s