Microsoft Windows
Use the IBM Security QRadar Custom Properties for Microsoft Windows Content Extension to expand QRadar searches and reports by normalizing specific event data from a log source. You can also make important data more visible in rules, searches, and reports.
For a list of the event IDs and names that the IBM Security QRadar Custom Properties for Microsoft Windows Content Extension is based on, see here.
IBM Security QRadar Custom Properties for Microsoft Windows Content Extension
- IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.7
- IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.6
- IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.5
- IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.4
- IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.3
- IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.2
- IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.1
- IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.0
- IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.8
- IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.7
- IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.6
- IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.5
- IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.4
- IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.3
- IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.2
- IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.1
- IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.0
- IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.5
- IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.4
- IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.1
- IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.0
IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.7
The following table shows the custom event properties that are new or updated in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.7.
Name | New or Updated | Capture Group | Regex | Description |
---|---|---|---|---|
Engine Version | New | 1 | .*\bEngineVersion=([\.0-9]*)\b.* | New custom event property. |
Host Version | New | 1 | .*\bHostVersion=([\.0-9]*)\b.* | New custom event property. |
SID History | New | 1 | .*\s+SID History:\s+(S-\S+)\b.* | New custom event property. |
Delegation | New | 1 | AllowedToDelegateTo:\s*(.*\S)\s+Old UAC Value: | New custom event property. |
LDAP Display Name | New | 1 | LDAP Display Name:\s*(.*\S)\s+Syntax \(OID\): | New custom event property. |
Object Class | New | 1 | Object.*Class:\s*(\S*) | New custom event property. |
Registry Key | Updated | 1 | TargetObject:\s+(.*?)\\[^\\]+(?:\s+[^:]+|$) | Updated regular expression. |
Registry Value Name | Updated | 1 | TargetObject:\s+.*?\\([^\\]+?)(?:\s+[^:]+|$) | Updated regular expression. |
Registry Value Data | Updated | 1 | Details:\s+(.*?)(?:\s+User:\s+|$ | Updated regular expression. |
Pipe Name | Updated | | | Changed category to any / any. Changed property name from PipeName to Pipe Name. |
Key Length | Updated | | | Changed type from alphanumeric to numeric. |
Event ID | Updated | | | Changed property name from EventID to Event ID. |
Object Type | Updated | | | Changed property name from ObjectType to Object Type. |
Group ID | Updated | | | Changed property name from GroupID to Group ID. |
Object Name | Updated | | | Changed property name from ObjectName to Object Name. |
Target Username | Updated | | | Changed property name from Target User Name to Target Username. |
Command | Updated | | | Changed property name from Process CommandLine to Command. |
Task Name | Updated | | | Changed property name from TaskName to Task Name. |
Share Path | Updated | | | Changed property name from SharePath to Share Path. |
Initiator Username | Updated | | | Changed property name from Initiator User Name to Initiator Username. |
Machine Identifier | Updated | | | Changed property name from Machine ID to Machine Identifier. Changed property name from Computer Name to Machine Identifier. Changed property name from User Workstations to Machine Identifier. |
Process ID | Updated | | | Changed property name from Process Id to Process ID. |
Process GUID | Updated | | | Changed property name from Process Guid to Process GUID. |
Parent Process GUID | Updated | | | Changed property name from Parent Process Guid to Parent Process GUID. |
URL Host | Updated | | | Changed property name from UrlHost to URL Host. |
Process Path | Updated | | | Changed property name from Image to Process Path. |
Start Address | Updated | | | Changed property name from StartAddress to Start Address. |
Destination Hostname | Updated | | | Changed property name from Destination Host Name to Destination Hostname. |
Service Filename | Updated | | | Changed property name from ServiceFileName to Service Filename. |
Parent Command | Updated | | | Changed property name from ParentCommandLine to Parent Command. |
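As an added illustration (not part of the IBM documentation), the Python script below applies six of the 1.2.7 expressions from the table above to constructed event payloads: a Sysmon event 13 registry write, a Security event 4738 account change, a Security event 5136 directory object change, and a 4720 account creation whose SID History field is the placeholder "-". The payloads, account names, SIDs and GUIDs are made up; the regexes are copied verbatim from the table.

```python
import re

# The six expressions below are copied verbatim from the 1.2.7 table on this
# page; each one places the extracted value in capture group 1. QRadar runs
# custom property regexes on a Java engine, but these patterns use only
# syntax that Python's re module interprets the same way.
PROPERTIES_1_2_7 = {
    "Registry Key": r"TargetObject:\s+(.*?)\\[^\\]+(?:\s+[^:]+|$)",
    "Registry Value Name": r"TargetObject:\s+.*?\\([^\\]+?)(?:\s+[^:]+|$)",
    "SID History": r".*\s+SID History:\s+(S-\S+)\b.*",
    "Delegation": r"AllowedToDelegateTo:\s*(.*\S)\s+Old UAC Value:",
    "Object Class": r"Object.*Class:\s*(\S*)",
    "LDAP Display Name": r"LDAP Display Name:\s*(.*\S)\s+Syntax \(OID\):",
}
CAPTURE_GROUP = 1  # the "Capture Group" column of the table


def extract(payload: str) -> dict:
    """Apply every 1.2.7 expression to one event payload.

    Returns {property name: value}; a property whose regex does not match
    maps to None, which is how an unset custom property behaves in QRadar
    searches and rules.
    """
    results = {}
    for name, pattern in PROPERTIES_1_2_7.items():
        match = re.search(pattern, payload)
        results[name] = match.group(CAPTURE_GROUP) if match else None
    return results


# Constructed sample payloads (not real log data). Field order follows what
# Sysmon and the Windows Security log emit; GUIDs, names and SIDs are placeholders.
SYSMON_EVENT_13 = (
    "Registry value set: RuleName: - EventType: SetValue "
    "UtcTime: 2024-03-01 10:15:00.000 "
    "ProcessGuid: {00000000-0000-0000-0000-000000000000} ProcessId: 4321 "
    "Image: C:\\Program Files\\Contoso\\agent.exe "
    "TargetObject: HKLM\\SOFTWARE\\Contoso\\Agent\\ServerUrl "
    "Details: https://agent.example.invalid/ "
    "User: CORP\\svc-agent"
)

SECURITY_EVENT_4738 = (
    "A user account was changed. Subject: Security ID: "
    "S-1-5-21-1111111111-2222222222-3333333333-500 Account Name: admin "
    "Account Domain: CORP Logon ID: 0x3E7 Target Account: Security ID: "
    "S-1-5-21-1111111111-2222222222-3333333333-1105 Account Name: alice "
    "Account Domain: CORP Changed Attributes: SAM Account Name: alice "
    "Display Name: Alice User Principal Name: alice@corp.example "
    "Home Directory: - Home Drive: - Script Path: - Profile Path: - "
    "User Workstations: - Password Last Set: - Account Expires: - "
    "Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x15 "
    "New UAC Value: 0x10 User Account Control: - User Parameters: - "
    "SID History: S-1-5-21-9999999999-8888888888-7777777777-1105 "
    "Logon Hours: - Additional Information: Privileges: -"
)

DIRECTORY_EVENT_5136 = (
    "A directory service object was modified. Subject: Security ID: "
    "S-1-5-21-1111111111-2222222222-3333333333-500 Account Name: admin "
    "Account Domain: CORP Logon ID: 0x3E7 Directory Service: Name: corp.example "
    "Type: Active Directory Domain Services "
    "Object: DN: CN=Finance,OU=Groups,DC=corp,DC=example "
    "GUID: {00000000-0000-0000-0000-000000000000} Class: group "
    "Attribute: LDAP Display Name: member Syntax (OID): 2.5.5.1 "
    "Value: CN=alice,OU=Users,DC=corp,DC=example "
    "Operation: Type: Value Added "
    "Correlation ID: {00000000-0000-0000-0000-000000000000} "
    "Application Correlation ID: -"
)

# Event 4720 reports "SID History: -" for a new account with no history. The
# regex insists on an "S-" prefix, so the property stays unset rather than
# storing the literal "-"; the Delegation regex, by contrast, keeps the "-".
SECURITY_EVENT_4720_NO_HISTORY = (
    "A user account was created. Target Account: Account Name: bob "
    "Account Domain: CORP Attributes: SAM Account Name: bob "
    "Display Name: Bob SID History: - Logon Hours: All"
)


if __name__ == "__main__":
    samples = [
        ("Sysmon event 13", SYSMON_EVENT_13),
        ("Security event 4738", SECURITY_EVENT_4738),
        ("Security event 5136", DIRECTORY_EVENT_5136),
        ("Security event 4720", SECURITY_EVENT_4720_NO_HISTORY),
    ]
    for label, payload in samples:
        print(label)
        for name, value in extract(payload).items():
            print(f"  {name}: {value if value is not None else '<unset>'}")
```

Note that Registry Key stops at the last backslash of TargetObject, so a value name that itself contains no backslash is the only case in which the key and value-name expressions split the path cleanly; a rule that compares Delegation against "-" must treat that literal as "no delegation", while SID History is simply absent in that case.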
IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.6
The Key Length custom property is new to IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.6. This custom property sets the default custom extraction of Key Length from DSM payload.
Name | Custom Property ID | Capture Group | Regex |
---|---|---|---|
Key Length | c732c6c4-3e1d-4116-88c5-b2df0782f711 | 1 | Subject.*?Domain[\:\\\=\s]+(.*?)\s+(?:Logon ID) |
IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.5
The following table shows the updated regex expressions in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.5.
Name | Regex Expression ID | Optimized | Capture Group | Regex |
---|---|---|---|---|
File | aec96349-bf39-40a6-b549-373a835f7fbd | Yes | 1 | file:.*?\.?[^\\.]+\.(?![0-9]{1,2}\.)([^\\]*?)\sowned\sby |
Image Loaded | 29f5ac46-341e-49b6-8fc3-513b0cc26c23 | Yes | 1 | ImageLoaded:\s+.[^.\s]+\.(?![0-9]{1,2}\.)([^\\]*?)\s+FileVersion |
Object Name | 27b28d8b-2876-4e1d-8126-4b643dfe6881 | Yes | 1 | Object Name:\s+.[^.\s]+\.(?![0-9]{1,2}\.)([^\\]*?)\s+Handle |
Object Name | 4a691bc1-d1a4-4356-8027-2fa93a55c0e5 | Yes | 1 | Object Name:\s+.[^.\s]+\.(?![0-9]{1,2}\.)([^\\]*?)\s+Handle |
Object Name | ac769579-8e07-4755-aab0-0bc6489c7325 | Yes | 1 | Object Name:\s+.[^.\s]+\.(?![0-9]{1,2}\.)([^\\]*?)\s+Handle |
Object Name | d9f7021c-7b5f-46ff-8bdf-c7d277052955 | Yes | 1 | Object Name:\s+.[^.\s]+\.(?![0-9]{1,2}\.)([^\\]*?)\s+Handle |
Object Name | db21bfe3-3ee3-49d2-9160-c28e204649a7 | Yes | 1 | Object Name:\s+.*?\.(?![0-9]{1,2}\.)([^\\]*?)\s+Handle |
Relative Target Name | 32ac2a10-1a1b-4f40-8296-9275ce9627e0 | Yes | 1 | Relative Target Name:\s+[^.\s]+\.(?!.*\.[0-9]{1,2}\.)([^\\]*?)\s+Access Request Information |
Relative Target Name | 793f755e-dc59-466c-bf41-67d9715b9be2 | Yes | 1 | Relative Target Name:\s+[^.\s]+\.(?!.*\.[0-9]{1,2}\.)([^\\]*?)\s+Access Request Information |
Target Filename | 028e41cb-74f7-41d3-b5bd-378c5a1fb01d | Yes | 1 | TargetFilename:\s+.[^.\s]+\.(?![0-9]{1,2}\.)([^\\]*?)\s+CreationUtcTime |
Target Filename | 9662fc2c-61e5-48cf-9d00-412d7534a0c8 | Yes | 1 | TargetFilename:\s+.[^.\s]+\.(?![0-9]{1,2}\.)([^\\]*?)\s+CreationUtcTime |
Target Filename | e4349d47-a2dd-46c7-a028-1f1457560a3b | Yes | 1 | TargetFilename:\s+.*?\.([^\\]*?)\s+Hashes |
IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.4
The following table shows the custom event properties that are new in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.4.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Consumer Destination | Yes | 1 | Destination:\s+"(.*?)"$ |
Relative Target Name | No | 1 | Relative Target Name[:\s\\=]*\s+([^&]*?)\s+Access |
The following table shows the custom event properties that have new expressions in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.4.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Process Name | Yes | 1 | SourceImage\:\s(?:.*\\)?([\w\.\-\d]+)\sTargetProcessG |
Process Path | Yes | 1 | SourceImage\:\s+(.*?)\s+TargetProcessGUID |
IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.3
The following table shows the custom event properties that are new in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.3.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Attribute New Value | No | 1 | Value: ([^\s]*?)(?:\s|$) |
Authentication Package | Yes | 1 | Authentication Package:\s+(.*?)\s+Transited |
Initiated | Yes | 1 | Initiated:\s+(.*?)\s+SourceIsIpv6 |
Logon Process | Yes | 1 | Logon Process:\s+(.*?)\s+Authentication |
Target Server Name | No | 1 | Target Server Name:\s(.*?)\sAdditional |
The following table shows the custom event properties that are updated in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.3.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
PipeName | Yes | 1 | PipeName\:\s(.*)\sImage |
IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.2
The Process CommandLine custom property received an update to remove a duplicate regex expression.
IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.1
The following table shows the custom event properties that have new expressions in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.1.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
User Domain | Yes | 1 | Subject.*?Domain[\:\\\=\s]+(.*?)\s+(?:Logon ID) |
IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.0
The following table shows the custom event properties that are new or updated in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.0.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
File Extension | Yes | 1 | ImageLoaded:\s+.*?\.?[^\\.]+\.(?![0-9]{1,2}\.)([^\\]*?)\s+FileVersion |
Filename | Yes | 1 | ImageLoaded:\s+.*?([^\\]*?)\s+FileVersion |
Integrity Level | Yes | 1 | IntegrityLevel:\s(\w+) |
ParentCommandLine | Yes | 1 | ParentCommandLine:\s(.*) |
Process Id | Yes | 1 | ProcessId:\s+(\d+) |
Process Name | Yes | 1 | |
Signed | Yes | 1 | Signed:\s(true|false) |
IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.8
The following table shows the custom event properties that are new in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.8.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Encoded Argument | Yes | 1 | |
IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.7
The following table shows the custom event properties that are new or updated in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.7.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Service Name | Yes | 1 | (?i)Service Name[\:\s\=\\]*(.*?)\s+(?:Service File Name:|&&) |
ServiceFileName | Yes | 1 | (?i)Service\sFile\sName\:\s*(.*)\sService\sType |
IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.6
The following table shows the custom event properties that are new or updated in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.6.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Process Name | Yes | 1 | |
Terminated Process Name | Yes | 1 | |
Target File Directory | No | 1 | cs-bytes[=\s\t](\d+) |
IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.5
The following table shows the custom event properties that are new or updated in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.5.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Destination Host Name | Yes | 1 | DestinationHostname:\s+(.+?)\s+ |
EventID | Yes | 1 | |
Filename | Yes | 1 | TargetFilename:\s?.*\\(.*?)\s+CreationUtcTime |
Process Guid | No | 1 | ProcessGuid: \{(.*?)\} |
Process Id | No | 1 | ProcessId:\s+(\d+) |
Process Name | Yes | 1 | |
Target File Directory | Yes | 1 | TargetFilename:\s+(.*?)\s+CreationUtcTime: |
IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.4
The following table shows the custom event properties that are new or updated in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.4.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
PipeName | Yes | 1 | PipeName\:\s\\(.*)\sImage |
IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.3
The following table shows the custom event properties that are new or updated in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.3.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
MD5 Hash | Yes | 1 | |
Process CommandLine | Yes | 1 | Process Command Line[:\s\\=]+(.*?)\s*(?:Token Elevation Type) |
Process Name | Yes | 1 | Process Name[:\s\\=]+(?:.*\\)?(.*?)\s+(?:Network Information|\s|&&) |
SHA1 Hash | Yes | 1 | SHA1=(\w+) |
IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.2
All file extension regex values were updated to account for hidden executable extensions and to exclude file version numbers.
The following table shows the custom event properties that are new or updated in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.2.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
File Directory | Yes | 1 | |
File Extension | Yes | 1 | |
Filename | Yes | 1 | TargetFilename:\s?.*\\(.*?)\s+Hashes |
IMP Hash | Yes | 1 | IMPHASH=(\S+) |
MD5 Hash | No | 1 | MD5=([^\,]+) |
ObjectType | Yes | 1 | Object Type[:\s\\=]*([^\s&]*) |
Process Name | Yes | 1 | |
SHA1 Hash | No | 1 | SHA1=(\w+) |
SHA256 Hash | Yes | 1 | SHA256=([^\,]+) |
Start Address | Yes | 1 | StartAddress:\s(.*?)\s |
IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.1
The following table shows the custom event properties that are new or updated in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.1.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Record Number | Yes | 1 | RecordNumber=(\d*) |
IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.0
The following table shows the custom event properties that are updated in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.0.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
File Directory | Yes | 1 | |
File Extension | Yes | 1 | |
Filename | Yes | 1 | |
Hostname | Yes | 1 | Host Name = ([^\s]+) |
Image | Yes | 1 | |
IMP Hash | Yes | 1 | |
Machine ID | Yes | 1 | Computer=([^\s]+) |
MD5 Hash | Yes | 1 | |
Message | Yes | 1 | subject(?:[^,]*?,){11}([^,]*?)\, |
Parent Process Guid | Yes | 1 | ParentProcessGuid: \{(.*?)\} |
Parent Process ID | Yes | 1 | ParentProcessId:\s+(\d+) |
Parent Process Name | Yes | 1 | ParentImage:\s?.*\\([^\s]+)\sParentCommandLine |
Parent Process Path | Yes | 1 | ParentImage:\s*(.+?)\s+ParentCommandLine: |
Process CommandLine | Yes | 1 | |
Process Id | Yes | 1 | ProcessId:\s+(\d+) |
Process Name | Yes | 1 | |
Process Path | Yes | 1 | |
Registry Key | Yes | 1 | TargetObject:\s+(.*)\\.*\s+Details: |
Registry Value Data | Yes | 1 | Details:\s+(.*) |
Rule Name | Yes | 1 | RuleName[:\s\\=]+([^\s&]+)\s+EventType |
SHA256 Hash | Yes | 1 | |
Target User Name | Yes | 1 | Account Name:\s+.*?Account Name:\s+([^\s]*) |
Token Elevation Type | Yes | 1 | Token Elevation Type: (%%\d{4}) |
UrlHost | Yes | 1 | |
IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.5
The following table shows the custom event properties that are updated in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.5.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
GroupID | Yes | 1 | Group ID[:\s\\=]*(\d+) |
Parent Process Name | Yes, Yes | 1, 1 | |
Parent Process Path | Yes, Yes | 1, 1 | |
IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.4
The following table shows the custom event properties that are new or updated in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.4.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Access Mask | Yes | 1 | Note: The System.Information expression for this regex is disabled by default, as it can return many event matches and affect performance. |
Accesses | Yes, Yes | 1, 1 | Note: The System.Information expression for this regex is disabled by default, as it can return many event matches and affect performance. |
Account Security ID | No, No | 1, 1 | Note: The Subject:\s+ ... regex is disabled by default, as it can return many event matches and affect performance. |
Computer Name | No, No, No, No, No | 1, 1, 1, 1, 1 | |
Error Code | Yes, Yes, Yes, Yes, Yes, Yes | 1, 1, 1, 1, 1, 1 | |
EventID | Yes, Yes, Yes | 1, 1, 1 | |
Extended Error Code | Yes | 1 | Sub[\s,_]*Status[:\\\s=]+([^\s&]+) |
Filename | Yes, Yes, Yes | 1, 1, 1 | |
File Directory | Yes | 1 | |
File Extension | Yes, Yes, Yes | 1, 1, 1 | |
File Path | No | 1 | |
Group Domain | No, No, No | 1, 1, 1 | |
Group Name | Yes, Yes, Yes | 1, 1, 1 | |
Group Security ID | No, No, No, No | 1, 1, 1, 1 | |
GroupID | No | 1 | Group ID[:\s\\=]*(\d+) |
Home Directory | No | 1 | Home Directory[:\s]*(.*?)\s+Home Drive: |
Initiator User Name | Yes | 1 | Subject.*?Account Name[\:\\\=\s]+(.*?)\s+(?:Account Domain|&&) |
Logon Type | Yes | 1 | Logon Type[:\s\\=]+(\d+) |
Message | No | 1 | Message=(.+) |
ObjectName | Yes, Yes | 1, 1 | Note: The Success Audit event in the System.Information expression for this regex is disabled by default, as it can return many event matches and affect performance. |
ObjectType | No | 1 | Object Type[:\s\\=]*([^\s&]*) |
Parent Process Name | No, No | 1, 1 | |
Parent Process Path | No, No | 1, 1 | |
Process CommandLine | Yes | 1 | Process Command Line[:\s\\=]+(.*?)\s*(?:Token Elevation Type|\t|\s\s|&&) |
Process Name | Yes, Yes, Yes | 1, 1, 1 | Note: The System.Information expression for this regex is disabled by default, as it can return many event matches and affect performance. |
Process Path | No, No, No | 1, 1, 1 | |
Record Number | No | 1 | RecordNumber=(\d*) |
Registry Key | Yes, Yes, Yes, Yes | 1, 1, 1, 1 | |
Registry Value Data | Yes | 1 | New Value[:\\=]\s+(.+) |
Registry Value Name | Yes | 1 | Object Value Name[:\s\\=]+(.*?)\s+(?:Handle ID|&&) |
SAM Account Name | No | 1 | S(?:AM|am) Account Name[:\s]*(.*?)\s+Display Name: |
Scope | No | 1 | Scope:\s(.*?)\s+(\d+|$) |
Service Name | Yes, Yes, Yes | 1, 1, 1 | |
Share Name | Yes | 1 | Share Name[:\s].*?\\([^\\]*?)\s+Share Path: |
Share Path | No, No | 1, 1 | |
Target Account Security ID | No, No, No, No, No, No, No, No, No, No, No | 1, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1 | |
Target Computer Domain | No, No, No | 1, 1, 1 | |
Target Computer Name | No, No, No | 1, 1, 1 | |
Target User Domain | No, No, No, No, No, No, No, No, No, No, No, No, No, No, No | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 | |
Target User Name | Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 | |
TaskName | No, No | 1, 1 | |
Ticket Encryption Type | Yes | 1 | Ticket Encryption Type[\s:\\=]*(0[xX][0-9a-fA-F]+) |
User Domain | No, No, No, No, No, No | 1, 1, 1, 1, 1, 1 | |
User Principal Name | No | 1 | User Principal Name[:\s]*(.*?)\s+Home Directory: |
User Right | No | 1 | User\sRight:\s+(.*?)\s+?(Assigned\sTo|Removed\sFrom): |
User Workstations | No | 1 | User Workstations[:\s]*(.*?)\s+Password Last Set: |
The following custom event properties are removed from IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.4. The removal will not affect your environment. You can review your property usage and update to the replacement property as needed.
Removed custom property | Replaced by |
---|---|
Account Locked Out Account Name | Target User Name |
Account Locked Out Security ID | Target Account Security ID |
Account Logon Failed Account Domain | Target User Domain |
Account Logon Failed Account Name | Target User Name |
Account Logon Failed Security ID | Target Account Security ID |
AccountDomain | User Domain |
AccountName | Initiator User Name |
Caller Computer Name | Computer Name |
Caller Domain | User Domain |
Caller Process Name | Process Path |
File | Filename, File Extension |
Member Account Name | Target User Name |
Member Security ID | Target Account Security ID |
New Account Domain | Target User Domain |
New Account Name | Target User Name |
New Account Security ID | Target Account Security ID |
New Logon Account Domain | Target User Domain |
New Logon Account Name | Target User Name |
New Logon Security ID | Target Account Security ID |
New Process Name | Process Name. The original property (New Process Name) returned the process path (directory and name together). The new property (Process Name) returns only the process name. |
New Token Account Domain | Target User Domain |
New Token Account Name | Target User Name |
New Token Security ID | Target Account Security ID |
Primary Domain | User Domain |
Realm | User Domain |
Source Workstation | Computer Name |
Subject Account Domain | User Domain |
Subject Account Name | Initiator User Name |
Subject Security ID | Account Security ID |
Target Account Domain | Target User Domain |
Target Account Name | Target User Name |
Target Domain | Target User Domain |
Target Process Name | Process Name |
IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.1
The following table shows the custom event properties in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.1.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Accesses | Yes | 1 | [\s\s|\t]Accesses:\s{0,2}(.*?)($|\s+(Access\s(Check\sResults|Mask|Reasons)|Privileges):) |
Account Locked Out Account Name | No | 2 | \s\sAccount\sThat\sWas\sLocked\sOut:\s\s+(.*?)\s\sAccount\sName:\s\s+(.*?)\s\s |
Account Locked Out Security ID | No | 2 | \s\sAccount\sThat\sWas\sLocked\sOut:(\s{2,3})Security\sID:\s\s(.*?)\s\s |
Account Logon Failed Account Domain | No | 2 | \s\sAccount\sFor\sWhich\sLogon\sFailed:\s\s(.*?)\s\sAccount\sDomain:\s\s(.*?)\s\s |
Account Logon Failed Account Name | No | 2 | \s\sAccount\sFor\sWhich\sLogon\sFailed:\s\s(.*?)\s\sAccount\sName:\s\s(.*?)\s\s |
Account Logon Failed Security ID | No | 1 | \s\sAccount\sFor\sWhich\sLogon\sFailed:\s\s\sSecurity\sID:\s\s(.*?)\s\s |
Account Security ID | No | 2 | \s\sAccount\sInformation:\s\s(Security|.+User)\sID:\s+(.*?)\s\s |
AccountDomain | Yes | 3 | \s\sAccount\sInformation:\s\s(.*?)\s\sAccount\sDomain:(\s{1,2})(.*?)\s\s |
AccountID | Yes | 1 | Deprecated |
AccountName | Yes, Yes, Yes | 1, 1, 1 | Deprecated, Deprecated, Deprecated |
Assigning Process Image File Name | No | 2 | \s\sAssigning\sProcess\sInformation:\s\s(.*?)\s\sImage\sFile\sName:\s(.*?)\s\s |
Caller Computer Name | No | 1 | \s\sCaller\sComputer\sName:\s(.*?)(\s$|\t) |
Caller Domain | No | 2 | \sCaller\sDomain:(\s?)(.*?)\s(\s|Caller\sLogon\sID:) |
Caller Process Name | No | 1 | \s\sCaller\sProcess\sName:\s(.*?)\s\s |
Caller User Name | No | 3 | \sCaller\sUser(\sN|n)ame:(\s?)(.*?)\s(\s|Caller\sDomain:) |
ChangedAttributes | Yes | 1 | Changed\sAttributes:\s+(.*) |
Client Domain | No | 2 | \s\sClient\sDomain:(\s{0,2})(.*?)\s\s |
Client User Name | No | 2 | \s\sClient\sUser\sName:(\s{0,2})(.*?)\s\s |
Computer | No | 7 | (\tComputer=|\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+)\t(.*?)\t(.*?)\t(.*?)\t(.*?)\t)(.*?)\t |
Credentials Used Account Domain | No | 3 | \s\sAccount\sWhose\sCredentials\sWere\sUsed:\s\s(.*?)\s\sAccount\sDomain:(\s{1,2})(.*?)\s\s |
Credentials Used Account Name | No | 3 | \s\sAccount\sWhose\sCredentials\sWere\sUsed:(\s{2,3})Account\sName:(\s{1,2})(.*?)\s\s |
Domain | No | 4 | (\s|Successful\sLogon:\s(.*?))\sDomain:(\s{1,2})(.*?)\s(\s|Logon\sID:) |
Error Code | No | 8 | (\s|[Mm]essage=)[Ee]rror(:|(\s([Cc]ode((\swas|\sreturned\s.+\sprocessor)?)(:?)|status:|value:|:)))\s?(.*?)([ .:,]|$) |
Event ID Code | No | 1 | \tEventIDCode=(.*?)\t |
EventID | Yes, Yes, Yes | 1, 1, 1 | |
File | No | 3 | (\s|,)\s[Ff]ile:(\s?)(.*?)(,\s|\sowned\sby) |
Group Domain | No, No | 2, 3 | |
Group Name | No, No | 2, 6 | |
Group Security ID | No, No | 3, 3 | |
GroupID | Yes | 1 | Group ID: (\d+) |
Home Directory | No | 2 | \s\sHome\sDirectory:(\s{1,2})(.*?)\s\s |
Logon Type | No | 1 | \sLogon\sType:\s+(\d+)(\s|$) |
Member Account Name | No | 5 | (\s|\t)Member(:(\s+?|\t).*?(\s+?|\t)Account)?\sName:\s*(.*?)(\t|\s+?(Group|Member\sID):) |
Member Security ID | No | 4 | (\s|\t)Member(:(\s+?|\t)Security)?\sID:\s*(.*?)(\t|(\s+?(Target\s)?Account\sName:)) |
Message | No | 1 | (\t[Mm]essage=|\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+)\t(.*?)\t(.*?)\t(.*?)\t(.*?)\t(.*?)\t(.*?)\t(\t?))(.+) |
New Account Domain | No | 6 | \s\sNew\sAccount((\sName)?):\s(.*?)\s\s(Account|New)\sDomain:(\s{1,2})(.*?)\s\s |
New Account Name | No | 5 | \s\sNew\sAccount((:\s\s(.*?)\s\sAccount)?)\sName:(\s{1,2})(.*?)\s\s |
New Account Security ID | No | 2 | \s\sNew\sAccount(:\s{2,3}Security)?\sID:\s{1,2}(.*?)\s\s |
New Logon Account Domain | No | 3 | \s\sNew\sLogon:\s\s(.*?)\s\sAccount\sDomain:(\s{1,2})(.*?)\s\s |
New Logon Account Name | No | 3 | \s\sNew\sLogon:\s\s(.*?)\s\sAccount\sName:(\s{1,2})(.*?)\s\s |
New Logon Security ID | No | 3 | \s\sNew\sLogon:(\s{2,3})Security\sID:(\s{1,2})(.*?)\s\s |
New Process Image File Name | No | 3 | \s\s(New\sProcess\sInformation|A\snew\sprocess\shas\sbeen\screated):\s\s(.*?)\s\sImage\sFile\sName:\s(.*?)\s\s |
New Process Name | No | 2 | \sNew\sProcess\sName:(\s?)(.*?)\s(\s|Token\sElevation\sType:) |
New Token Account Domain | No | 2 | \s\sNew\sToken\sInformation:\s\s(.*?)\s\sAccount\sDomain:\s\s(.*?)\s\s |
New Token Account Name | No | 2 | \s\sNew\sToken\sInformation:\s\s(.*?)\s\sAccount\sName:\s\s(.*?)\s\s |
New Token Security ID | No | 1 | \s\sNew\sToken\sInformation:\s\sSecurity\sID:\s\s(.*?)\s\s |
ObjectName | Yes, Yes | 1, 1 | Deprecated, Deprecated |
ObjectType | Yes | 1 | Object\sType:\s{0,2}(.*?)\s+(Object\sName|Process\sID|Source\sAddress): |
Primary Domain | No | 2 | \s\sPrimary\sDomain:(\s{0,2})(.*?)\s\s |
Primary User Name | No | 2 | \s\sPrimary\sUser\sName:(\s?)(.*?)\s\s |
Process Name | No | 2 | \s\sProcess\sName:\s(\s?)(.*?)(\s\s|$) |
Realm | Yes | 1 | Supplied Realm Name: (.*?)[ ] |
Record Number | No | 1 | \tRecordNumber=(.*?)\t |
SAM Account Name | No | 2 | \sS(AM|am)\sAccount\sName:\s?(.*?)\s(\s|SID\sHistory:) |
Scope | Yes | 1 | Scope:\s(.*?)\s+(\d+|$) |
Secondary User Name | No | 1 | \tSecondaryUserName=(.*?)\t |
Service Name | No | 5 | \s(\s|Service\sInformation:\s)(Service\sName|Server:\s\s(.*?)\s\sService):(\s{0,2})(.*?)\s(\s|Server:|Service\sFile\sName:) |
Share Name | No | 2 | \sShare\sName:(\s{0,2})(.*?)\s(\s|Share\sPath:) |
Source Workstation | Yes | 6 | (\sSource\sWorkstation|The\slogon\sto\saccount:\s(.*?)\sby:\s(.*?)\sfrom\sworkstation|(\s|Authentication\sPackage:\s(.*?))\sWorkstation\sName|Caller\sWorkstation):\s(.*?)\s(\s|Caller\sUser\sName:|Error\sCode:) |
Subject Account Domain | No | 5 | (\s\s|\t)Subject(\s?):\s(.*?)\sAccount\sDomain:(\s{0,2})(.*?)\s(\s|Logon\sID:) |
Subject Account Name | No | 5 | (\s\s|\t)Subject(\s?):\s(.*?)\sAccount\sName:(\s{0,2})(.*?)\s(\s|Account\sDomain:) |
Subject Security ID | No | 5 | (\s\s|\t)Subject(\s?):(\s{1,3})Security\sID:(\s{0,2})(.*?)\s(\s|Account\sName:) |
Target Account Domain | No | 3 | \s\s(Target\sAccount|Computer\sAccount\sThat\sWas\sChanged):\s\s(.*?)\s\sAccount\sDomain:\s{0,2}(.*?)(\s\s|\s$|\t) |
Target Account Name | No | 6 | \s(Target\sAccount|Computer\sAccount\sThat\sWas\sChanged)((:\s\s(.*?)\s\sAccount)?)\sName:(\s{0,2})(.*?)\s(\s|Target\sDomain:) |
Target Account Security ID | No, No | 3, 2 | |
Target Domain | No | 2 | \sTarget\sDomain:(\s?)(.*?)\s(\s|Target\sAccount\sID:) |
Target Process Name | No | 1 | \s\sTarget\sProcess\sName:\s(.*?)\s\s |
Target User Name | No | 1 | \s\sTarget\sUser\sName:\s(.*?)\s\s |
User Account | No | 1 | \sUser\saccount:\s(.*?)\sUser\sdomain: |
User Domain | No | 2 | \sUser\s[Dd]omain:(\s{1,2})(.*?)\s(\s|\w+:) |
User Name | No | 3 | (\s|:)\sUser\s[Nn]ame:(\s?)(.*?)\s(\s|\w+:) |
User Principal Name | No | 1 | \s\sUser\sPrincipal\sName:\s(.*?)\s\s |
User Right | No | 1 | User\sRight:\s*(.*?)\s+?(Assigned\sTo|Removed\sFrom|$): |
User Workstations | No | 1 | \s\sUser\sWorkstations:\s(.*?)\s\s |
IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.0
The following table shows the custom event properties in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.0.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Accesses | Yes | 1 | [\s\s|\t]Accesses:\s{0,2}(.*?)($|\s+(Access\s(Check\sResults|Mask|Reasons)|Privileges):) |
Account Locked Out Account Name | No | 2 | \s\sAccount\sThat\sWas\sLocked\sOut:\s\s+(.*?)\s\sAccount\sName:\s\s+(.*?)\s\s |
Account Locked Out Security ID | No | 2 | \s\sAccount\sThat\sWas\sLocked\sOut:(\s{2,3})Security\sID:\s\s(.*?)\s\s |
Account Logon Failed Account Domain | No | 2 | \s\sAccount\sFor\sWhich\sLogon\sFailed:\s\s(.*?)\s\sAccount\sDomain:\s\s(.*?)\s\s |
Account Logon Failed Account Name | No | 2 | \s\sAccount\sFor\sWhich\sLogon\sFailed:\s\s(.*?)\s\sAccount\sName:\s\s(.*?)\s\s |
Account Logon Failed Security ID | No | 1 | \s\sAccount\sFor\sWhich\sLogon\sFailed:\s\s\sSecurity\sID:\s\s(.*?)\s\s |
Account Security ID | No | 2 | \s\sAccount\sInformation:\s\s(Security|.+User)\sID:\s+(.*?)\s\s |
AccountDomain | Yes | 3 | \s\sAccount\sInformation:\s\s(.*?)\s\sAccount\sDomain:(\s{1,2})(.*?)\s\s |
AccountID | Yes | 1 | Target Account ID: (.*?) |
AccountName | Yes, Yes, Yes | 1, 1, 1 | |
Assigning Process Image File Name | No | 2 | \s\sAssigning\sProcess\sInformation:\s\s(.*?)\s\sImage\sFile\sName:\s(.*?)\s\s |
Caller Computer Name | No | 1 | \s\sCaller\sComputer\sName:\s(.*?)(\s$|\t) |
Caller Domain | No | 2 | \sCaller\sDomain:(\s?)(.*?)\s(\s|Caller\sLogon\sID:) |
Caller Process Name | No | 1 | \s\sCaller\sProcess\sName:\s(.*?)\s\s |
Caller User Name | No | 3 | \sCaller\sUser(\sN|n)ame:(\s?)(.*?)\s(\s|Caller\sDomain:) |
ChangedAttributes | Yes | 1 | Changed\sAttributes:\s+(.*) |
Client Domain | No | 2 | \s\sClient\sDomain:(\s{0,2})(.*?)\s\s |
Client User Name | No | 2 | \s\sClient\sUser\sName:(\s{0,2})(.*?)\s\s |
Computer | No | 7 | (\tComputer=|\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+)\t(.*?)\t(.*?)\t(.*?)\t(.*?)\t)(.*?)\t |
Credentials Used Account Domain | No | 3 | \s\sAccount\sWhose\sCredentials\sWere\sUsed:\s\s(.*?)\s\sAccount\sDomain:(\s{1,2})(.*?)\s\s |
Credentials Used Account Name | No | 3 | \s\sAccount\sWhose\sCredentials\sWere\sUsed:(\s{2,3})Account\sName:(\s{1,2})(.*?)\s\s |
Domain | No | 4 | (\s|Successful\sLogon:\s(.*?))\sDomain:(\s{1,2})(.*?)\s(\s|Logon\sID:) |
Error Code | No | 8 | (\s|[Mm]essage=)[Ee]rror(:|(\s([Cc]ode((\swas|\sreturned\s.+\sprocessor)?)(:?)|status:|value:|:)))\s?(.*?)([ .:,]|$) |
Event ID Code | No | 1 | \tEventIDCode=(.*?)\t |
EventID | Yes, Yes, Yes | 1, 1, 1 | |
File | No | 3 | (\s|,)\s[Ff]ile:(\s?)(.*?)(,\s|\sowned\sby) |
Group Domain | No, No | 2, 3 | |
Group Name | No, No | 2, 6 | |
Group Security ID | No, No | 3, 3 | |
GroupID | Yes | 1 | Group ID: (\d+) |
Home Directory | No | 2 | \s\sHome\sDirectory:(\s{1,2})(.*?)\s\s |
Logon Type | No | 1 | \sLogon\sType:\s+(\d+)(\s|$) |
Member Account Name | No | 5 | (\s|\t)Member(:(\s+?|\t).*?(\s+?|\t)Account)?\sName:\s*(.*?)(\t|\s+?(Group|Member\sID):) |
Member Security ID | No | 4 | (\s|\t)Member(:(\s+?|\t)Security)?\sID:\s*(.*?)(\t|(\s+?(Target\s)?Account\sName:)) |
Message | No | 10 | (\t[Mm]essage=|\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+)\t(.*?)\t(.*?)\t(.*?)\t(.*?)\t(.*?)\t(.*?)\t(\t?))(.+) |
New Account Domain | No | 6 | \s\sNew\sAccount((\sName)?):\s(.*?)\s\s(Account|New)\sDomain:(\s{1,2})(.*?)\s\s |
New Account Name | No | 5 | \s\sNew\sAccount((:\s\s(.*?)\s\sAccount)?)\sName:(\s{1,2})(.*?)\s\s |
New Account Security ID | No | 2 | \s\sNew\sAccount(:\s{2,3}Security)?\sID:\s{1,2}(.*?)\s\s |
New Logon Account Domain | No | 3 | \s\sNew\sLogon:\s\s(.*?)\s\sAccount\sDomain:(\s{1,2})(.*?)\s\s |
New Logon Account Name | No | 3 | \s\sNew\sLogon:\s\s(.*?)\s\sAccount\sName:(\s{1,2})(.*?)\s\s |
New Logon Security ID | No | 3 | \s\sNew\sLogon:(\s{2,3})Security\sID:(\s{1,2})(.*?)\s\s |
New Process Image File Name | No | 3 | \s\s(New\sProcess\sInformation|A\snew\sprocess\shas\sbeen\screated):\s\s(.*?)\s\sImage\sFile\sName:\s(.*?)\s\s |
New Process Name | No | 2 | \sNew\sProcess\sName:(\s?)(.*?)\s(\s|Token\sElevation\sType:) |
New Token Account Domain | No | 2 | \s\sNew\sToken\sInformation:\s\s(.*?)\s\sAccount\sDomain:\s\s(.*?)\s\s |
New Token Account Name | No | 2 | \s\sNew\sToken\sInformation:\s\s(.*?)\s\sAccount\sName:\s\s(.*?)\s\s |
New Token Security ID | No | 1 | \s\sNew\sToken\sInformation:\s\sSecurity\sID:\s\s(.*?)\s\s |
ObjectName | Yes, Yes | 1, 1 | |
ObjectType | Yes | 1 | Object\sType:\s{0,2}(.*?)\s+(Object\sName|Process\sID|Source\sAddress): |
Primary Domain | No | 2 | \s\sPrimary\sDomain:(\s{0,2})(.*?)\s\s |
Primary User Name | No | 2 | \s\sPrimary\sUser\sName:(\s?)(.*?)\s\s |
Process Name | No | 2 | \s\sProcess\sName:\s(\s?)(.*?)(\s\s|$) |
Realm | Yes | 1 | Supplied Realm Name: (.*?)[ ] |
Record Number | No | 1 | \tRecordNumber=(.*?)\t |
SAM Account Name | No | 2 | \sS(AM|am)\sAccount\sName:\s?(.*?)\s(\s|SID\sHistory:) |
Scope | Yes | 1 | Scope:\s(.*?)\s+(\d+|$) |
Secondary User Name | No | 1 | \tSecondaryUserName=(.*?)\t |
Service Name | No | 5 | \s(\s|Service\sInformation:\s)(Service\sName|Server:\s\s(.*?)\s\sService):(\s{0,2})(.*?)\s(\s|Server:|Service\sFile\sName:) |
Share Name | No | 2 | \sShare\sName:(\s{0,2})(.*?)\s(\s|Share\sPath:) |
Source Workstation | Yes | 6 | (\sSource\sWorkstation|The\slogon\sto\saccount:\s(.*?)\sby:\s(.*?)\sfrom\sworkstation|(\s|Authentication\sPackage:\s(.*?))\sWorkstation\sName|Caller\sWorkstation):\s(.*?)\s(\s|Caller\sUser\sName:|Error\sCode:) |
Subject Account Domain | No | 5 | (\s\s|\t)Subject(\s?):\s(.*?)\sAccount\sDomain:(\s{0,2})(.*?)\s(\s|Logon\sID:) |
Subject Account Name | No | 5 | (\s\s|\t)Subject(\s?):\s(.*?)\sAccount\sName:(\s{0,2})(.*?)\s(\s|Account\sDomain:) |
Subject Security ID | No | 5 | (\s\s|\t)Subject(\s?):(\s{1,3})Security\sID:(\s{0,2})(.*?)\s(\s|Account\sName:) |
Target Account Domain | No | 3 | \s\s(Target\sAccount|Computer\sAccount\sThat\sWas\sChanged):\s\s(.*?)\s\sAccount\sDomain:\s{0,2}(.*?)(\s\s|\s$|\t) |
Target Account Name | No | 6 | \s(Target\sAccount|Computer\sAccount\sThat\sWas\sChanged)((:\s\s(.*?)\s\sAccount)?)\sName:(\s{0,2})(.*?)\s(\s|Target\sDomain:) |
Target Account Security ID | No, No | 3, 2 | |
Target Domain | No | 2 | \sTarget\sDomain:(\s?)(.*?)\s(\s|Target\sAccount\sID:) |
Target Process Name | No | 1 | \s\sTarget\sProcess\sName:\s(.*?)\s\s |
Target User Name | No | 1 | \s\sTarget\sUser\sName:\s(.*?)\s\s |
User Account | No | 1 | \sUser\saccount:\s(.*?)\sUser\sdomain: |
User Domain | No | 2 | \sUser\s[Dd]omain:(\s{1,2})(.*?)\s(\s|\w+:) |
User Name | No | 3 | (\s|:)\sUser\s[Nn]ame:(\s?)(.*?)\s(\s|\w+:) |
User Principal Name | No | 1 | \s\sUser\sPrincipal\sName:\s(.*?)\s\s |
User Right | No | 1 | User\sRight:\s*(.*?)\s+?(Assigned\sTo|Removed\sFrom|$): |
User Workstations | No | 1 | \s\sUser\sWorkstations:\s(.*?)\s\s |
The following table lists the event IDs and event names on which the custom event properties in the IBM Security QRadar Custom Properties for Microsoft Windows Content Extension are based.
Event ID | Event Name |
---|---|
1 | Process Create |
2 | A process changed a file creation time |
3 | Network connection detected |
5 | Process terminated |
7 | Image loaded |
8 | Create RemoteThread |
10 | ProcessAccess |
11 | FileCreate |
13 | Registry Event (Value Set) |
15 | FileCreateStreamHash |
22 | DNS Query |
23 | File Delete |
513 | Success Audit: A user account was created |
537 | Logon failure - The Logon attempt failed for other reasons |
627 | Success Audit: Change Password Attempt Succeeded |
631 | Group Created |
632 | Global Group Member Added |
634 | Group Deleted |
636 | Local Group Member Added |
637 | Local Group Member Removed |
850 | Windows Firewall Configuration |
4103 | Module Logging Command Invocation |
4104 | Script Block Executed/Compiled |
4624 | Success Audit: An account was successfully logged on |
4625 | Failure Audit: An account failed to log on |
4648 | Success Audit: A logon was successful using explicit credentials |
4656 | Failure Audit: A handle to an object was requested |
4657 | Success Audit: A registry value was modified |
4662 | Success Audit: An operation was performed on an object |
4663 | Success Audit: An attempt was made to access an object |
4670 | Success Audit: Permissions on an object were changed |
4688 | Success Audit: A new process has been created |
4689 | Success Audit: A process has exited |
4696 | Success Audit: A primary token was assigned to process |
4698 | Success Audit: A scheduled task was created |
4702 | Success Audit: A scheduled task was updated |
4720 | Success Audit: A user account was created |
4723 | Success Audit: An attempt was made to change an account's password |
4725 | Success Audit: A user account was disabled |
4726 | A user account was deleted |
4727 | Success Audit: A security-enabled global group was created |
4728 | Success Audit: A member was added to a security-enabled global group |
4729 | Success Audit: A member was removed from a security-enabled global group |
4730 | Success Audit: A security-enabled global group was deleted |
4732 | Success Audit: A member was added to a security-enabled local group |
4733 | Success Audit: A member was removed from a security-enabled local group |
4735 | Success Audit: A security-enabled local group was changed |
4737 | Success Audit: A security-enabled global group was changed |
4738 | Success Audit: A user account was changed |
4740 | Success Audit: A user account was locked out |
4741 | Success Audit: A computer account was created |
4742 | Success Audit: A computer account was changed |
4743 | Success Audit: A computer account was deleted |
4754 | Success Audit: A security-enabled universal group was created |
4755 | Success Audit: A security-enabled universal group was changed |
4756 | Success Audit: A member was added to a security-enabled universal group |
4761 | Success Audit: A member was added to a security-disabled universal group |
4762 | Success Audit: A member was removed from a security-disabled universal group |
4767 | Success Audit: A user account was unlocked |
4768 | Success Audit: A Kerberos authentication ticket (TGT) was requested |
4769 | Failure Audit: A Kerberos service ticket was rejected |
5140 | A network share object was accessed |
5142 | Network Share Object Added |
5145 | Success Audit: Network Share Object Checked for Access |