#FULLNAME: NTsyslog
#VERSION: 1.0
#DESCRIPTION: This program formats all System, Security, and Application events into a single line and sends them to a syslog host. This ruleset aims at analyzing the logs returned by the ntsyslog application, which converts NT events to syslog.

#####
#
# Copyright (C) 2003 Vincent Glaume
# Currently supported by G Ramon Gomez <gene at gomezbrothers dot com>
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Windows Event ID 515 - A trusted logon process has registered
#CATEGORY:Authentication
#LOG:Jul 11 09:33:18 somehost.ragingwire.net smf-eng-srobins/smf-eng-srobins security[success] 515 NT AUTHORITY\SYSTEM  A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.     Logon Process Name:KSecDD
regex=security\[success\] 515 (.*)  A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.     Logon Process Name:([\w\\]+); \
 classification.text=Logon process started; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=515; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com183.html; \
 id=1400; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=$2 has registered as a trusted logon process; \
 source(0).process.name=$2; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 last

#DESCRIPTION:Windows Event ID 528 - Successful Logon
#CATEGORY:Authentication
#LOG:Jul 11 13:44:11 somehost.ragingwire.net smf-eng-srobins/smf-eng-srobins security[success] 528 SACRAMENTO\ggomez  Successful Logon:  User Name:ggomez  Domain:SACRAMENTO  Logon ID:(0x0,0x16AC1854)  Logon Type:7  Logon Process:User32    Authentication Package:Negotiate  Workstation Name:SMF-ENG-GGOMEZ  Logon GUID: {621924db-649e-3b17-b41a-215e55680eb3}
regex=security\[success\] 528 (.*) Successful Logon:  User Name:([\w ]+)  Domain:(.+)  Logon ID:\(.*\)  Logon Type:(\d+)  Logon Process:(\w+) .* Workstation Name:(\S+); \
 classification.text=Logon; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=528; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com189.html; \
 id=1401; \
 revision=3; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.description=$2 successfully logged on on $6 ($3 domain) via $5; \
 source(0).process.name=$5; \
 source(0).node.address(0).category=unknown; \
 source(0).node.address(0).address=$6; \
 source(0).node.name=$6; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 target(0).user.user_id(0).type=current-user; \
 target(0).user.user_id(0).name=$2; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Logon type; \
 additional_data(0).data=$4; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Authentication domain; \
 additional_data(1).data=$3; \
 last

#DESCRIPTION:Windows Event ID 538 - User Logoff
#CATEGORY:Authentication
#LOG:Jun 24 15:22:39 bigipnet security[success] 538 NT AUTHORITY\ANONYMOUS LOGON User Logoff: User Name:ANONYMOUS LOGON Domain:NT AUTHORITY Logon ID:(0x0,0x938205) Logon Type:3
regex=security\[success\] 538 .* User Logoff:\s+User Name:([\w ]+) Domain:([\w ]+) Logon ID:\S+ Logon Type:(\d+); \
 classification.text=Logoff; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=538; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com199.html; \
 id=1402; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.description=$1 logged off; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Logon type; \
 additional_data(0).data=$3; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Authentication domain; \
 additional_data(1).data=$2; \
 last

#DESCRIPTION:Windows Event ID 560 - Object Open (Currently broken on Windows 2003; verify against older Windows)
#CATEGORY:Authentication
#LOG:Jul 11 08:55:16 somehost.ragingwire.net smf-eng-srobins/smf-eng-srobins security[success] 560 NT AUTHORITY\SYSTEM  Object Open:  Object Server:Security Account Manager  Object Type:SAM_DOMAIN  Object Name:SMF-ENG-GGOMEZ  Handle ID:1290248  Operation ID:{0,378510053}  Process ID:944  Image File Name: C:\WINDOWS\system32\lsass.exe  Primary User Name:SMF-ENG-GGOMEZ$  Primary Domain:RES  Primary Logon ID:(0x0,0x3E7)  Client User Name:SMF-ENG-GGOMEZ$  Client Domain:RES  Client Logon ID:(0x0,0x3E7)  Accesses: %%1537 %%1538 %%1539 %%1540 %%5392 %%5393 %%5394 %%5395 %%5396 %%5398 %%5399 %%5400 %%5401 %%5402   Privileges:-  Restricted Sid Count: 0
regex=security\[success\] 560 (.*) Object Open:\s* Object Server:[\w\s]+ Object Type:[\w\_]+\s* Object Name:([\w-]+)\s* Handle ID:\d+\s* Operation ID:.*\s* Process ID:(\d+) [\S ]+ Primary User Name:(\S*)\s* Primary Domain:\S+\s* Primary Logon ID:\S*\s* Client User Name:(\S+)\s* Client Domain; \
 classification.text=Object opened; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=560; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com202.html; \
 id=1403; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=$3 opened an object $2; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 source(0).user.user_id(1).type=current-user; \
 source(0).user.user_id(1).name=$4; \
 source(0).user.user_id(2).type=current-user; \
 source(0).user.user_id(2).name=$5; \
 source(0).process.pid=$3; \
 last

#DESCRIPTION:Windows Event ID 562 - Object closed
#CATEGORY:Authentication
#LOG:Jul 11 08:55:16 somehost.ragingwire.net smf-eng-srobins/smf-eng-srobins security[success] 562 NT AUTHORITY\SYSTEM  Handle Closed:  Object Server:Security Account Manager  Handle ID:1093856  Process ID:944  Image File Name: C:\WINDOWS\system32\lsass.exe
regex=security\[success\] 562 (.*) Handle Closed:  Object Server:[\w\s]+  Handle ID:(\d+)  Process ID:(\d+)  Image File Name: (.+); \
 classification.text=Object closed; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=562; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com204.html; \
 id=1404; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Object Handle $2 closed; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 target(0).process.pid=$3; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Handle ID; \
 additional_data(0).data=$2; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Image; \
 additional_data(1).data=$4; \
 last

#DESCRIPTION:Windows Event ID 577 - Privileged Service Called
#CATEGORY:Authentication
#LOG:Jul 11 15:09:21 somehost.ragingwire.net smf-eng-srobins/smf-eng-srobins security[success] 577 NT AUTHORITY\SYSTEM  Privileged Service Called:  Server: NT Local Security Authority / Authentication Service  Service:LsaRegisterLogonProcess()  Primary User Name:SMF-ENG-GGOMEZ$  Primary Domain:RES  Primary Logon ID:(0x0,0x3E7)  Client User Name:SMF-ENG-GGOMEZ$  Client Domain:RES  Client Logon ID:(0x0,0x3E7)  Privileges:SeTcbPrivilege
regex= security\[success\] 577 (.*)  Privileged Service Called:  Server:.+  Service:(.*)  Primary User Name:(.+)  Primary Domain:.+  Primary Logon ID:\(.*\)  Client User Name:(.+)  Client Domain:.+  Client Logon ID:.+  Privileges:(.+); \
 classification.text=User privilege exercised; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=577; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com213.html; \
 id=1406; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Service $2 called with the following privileges: $5; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 source(0).user.user_id(1).type=current-user; \
 source(0).user.user_id(1).name=$3; \
 source(0).user.user_id(2).type=current-user; \
 source(0).user.user_id(2).name=$4; \
 target(0).node.address(0).category=unknown; \
 target(0).node.address(0).address=$2; \
 target(0).node.name=$2; \
 last

#DESCRIPTION:Windows Event ID 643 - Domain Policy Changed
#CATEGORY:Account Management
#LOG:Oct 31 18:02:39 192.168.1.100 security[success] 643 NT AUTHORITY\SYSTEM  Domain Policy Changed: Password Policy modified  Domain:ELMW2  Domain ID:ELMW2  Caller User Name:W2DC$  Caller Domain:ELMW2  Caller Logon ID:(0x0,0x3E7)  Privileges:-
regex= security\[success\] 643 (.*)  Domain Policy Changed: Password Policy  modified  Domain:(.+)  Domain ID: .+  Caller User Name:(.+); \
 classification.text=Password policy modified; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=643; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com263.html; \
 id=1407; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=User $3 modified the password policy for the $2 domain; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 source(0).user.user_id(1).type=current-user; \
 source(0).user.user_id(1).name=$3; \
 last

#DESCRIPTION:Windows Event ID 680 - Account Used for Logon
#CATEGORY:Authentication
#LOG:Oct 22 20:57:03 smf-syslog-02 smf-dc-01/smf-dc-01 security[success] Account Used for Logon by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Account Name:  DRankin  Workstation:   SMF-HLP-16
regex= security\[success\].*Account Used for Logon by: (.+)  Account Name: (.+)  Workstation: (.+); \
 classification.text=Login; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=680; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com304.html; \
 id=1408; \
 revision=3; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.description=Logon attempt on $3 using the $2 account; \
 source(0).node.address(0).category=unknown; \
 source(0).node.address(0).address=$3; \
 source(0).node.name=$3; \
 source(0).process.name=$1; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$2; \
 last

#DESCRIPTION:Windows Event ID 682 - Session reconnected to winstation
#CATEGORY:Authentication
#LOG:Oct 31 18:02:39 192.168.1.100 security[success] 682 NT AUTHORITY\SYSTEM  Session reconnected to winstation:  User Name:Jean Dupond  Domain:IBM17M  Logon ID:(0x0,0x1F5A9C)  Session Name:Console  Client Name:Unknown  Client Address:1.1.1.1
regex= security\[success\] 682 (.*)  Session reconnected to winstation:  User Name:([\w ]+)  Domain:.+  Logon ID:\(.+\)  Session Name:.+  Client Name:(.+)  Client Address:([\d\.]+); \
 classification.text=Remote control user reconnected; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=682; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com306.html; \
 id=1409; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Session reconnection from $5; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).node.address(1).category=unknown; \
 source(0).node.address(1).address=$3; \
 source(0).node.name=$3; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$2; \
 last

#DESCRIPTION:Windows Event ID 683 - Session disconnected from winstation
#CATEGORY:Authentication
#LOG:Oct 31 18:02:39 192.168.1.100 security[success] 683 NT AUTHORITY\SYSTEM  Session disconnected from winstation:  User Name:administrator  Domain:ELMW2  Logon ID:(0x0,0x5BAA5)  Session Name:Unknown  Client Name:CPQ  Client Address:10.42.42.90
regex= security\[success\] 683 (.*)  Session disconnected from winstation:  User Name:([\w ]+)  Domain:.+  Logon ID:\(.+\)  Session Name:.+  Client Name:(.+)  Client Address:([\d\.]+); \
 classification.text=Remote control user disconnected; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=683; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com307.html; \
 id=1410; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Session reconnection from $4; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).node.address(1).category=unknown; \
 source(0).node.address(1).address=$3; \
 source(0).node.name=$3; \
 source(0).user.user_id(0).type=target-user; \
 source(0).user.user_id(0).name=$1; \
 source(0).user.user_id(1).type=current-user; \
 source(0).user.user_id(1).name=$2; \
 last

#DESCRIPTION:Windows Event ID other - Security Success message
#CATEGORY:Generic
#regex= security\[success\] (\d+); \
# classification.text=Windows Event ID [$1]; \
# id=1411; \
# revision=1; \
# analyzer(0).name=NTsyslog; \
# analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
# analyzer(0).class=Service; \
# assessment.impact.severity=low; \
# assessment.impact.type=other; \
# assessment.impact.description=Security Success message with identifier #$1; \
# last

#DESCRIPTION:Windows Event ID other - Security Failure message
#CATEGORY:Generic
#regex= security\[failure\] (\d+); \
# classification.text=Windows Event ID [$1]; \
# id=1416; \
# revision=1; \
# analyzer(0).name=NTsyslog; \
# analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
# analyzer(0).class=Service; \
# assessment.impact.severity=medium; \
# assessment.impact.type=other; \
# assessment.impact.description=Security Failure message with identifier #$1; \
# last

#DESCRIPTION:Windows Event ID 529 or 534 - Logon Failure
#CATEGORY:Authentication
#LOG:Dec 10 00:23:37 webbrain.itg.sac.tfs security[failure] 529 NT AUTHORITY\SYSTEM  Logon Failure:  Reason:Unknown user name or bad password  User Name:administrator  Domain:ITG  Logon Type:2  Logon Process:Advapi    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Workstation Name:WEBBRAIN
regex=security\[failure\] (529|534) .+ Logon Failure:  Reason:(.+)  User Name:([\w ]+)  Domain:(.+)  Logon Type:(\d+)  Logon Process:(\w+)    Authentication Package:.+  Workstation Name:(.+); \
 classification.text=Login; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=$1; \
 id=1412; \
 revision=3; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.description=Logon as $3 failed: $2; \
 source(0).process.name=$6; \
 target(0).node.address(0).category=unknown; \
 target(0).node.address(0).address=$7; \
 target(0).node.name=$7; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$3; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Logon type; \
 additional_data(0).data=$5; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Authentication domain; \
 additional_data(1).data=$4; \
 last

#DESCRIPTION:Windows Event ID 578 - Privileged object operation
#CATEGORY:Authentication
#LOG:Dec  9 17:42:49 testdb.itg.sac.tfs security[failure] 578 ITG\mzirion  Privileged object operation:  Object Server:Security  Object Handle:4294967295  Process ID:3540  Primary User Name:TESTDB$  Primary Domain:ITG  Primary Logon ID:(0x0,0x3E7)  Client User Name:mzirion  Client Domain:ITG  Client Logon ID:(0x2,0x5E829351)  Privileges:SeIncreaseBasePriorityPrivilege
regex=security\[failure\] 578 .+ Privileged object operation:  Object Server:Security  Object Handle:\d+  Process ID:(\d+)  Primary User Name:(.+)  Primary Domain:(.+)  Primary Logon ID:\(.*\)  Client User Name:([\w ]+)  Client.+Privileges:(\S+); \
 classification.text=User privilege exercised; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=578; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com214.html; \
 id=1413; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=medium; \
 assessment.impact.type=user; \
 target(0).process.pid=$1; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$2; \
 source(0).user.user_id(1).type=current-user; \
 source(0).user.user_id(1).name=$4; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Authentication domain; \
 additional_data(0).data=$3; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Privileges; \
 additional_data(1).data=$5; \
 last

#DESCRIPTION:Windows Event ID 627 - Attemptation to change password
#CATEGORY:Account Management
#LOG:Dec  7 20:07:49 testdb.itg.sac.tfs security[failure] 627 NT AUTHORITY\SYSTEM  Change Password Attempt:  Target Account Name:TsInternetUser  Target Domain:TESTDB  Target Account ID: %{S-1-5-21-854245398-413027322-725345543-1000}  Caller User Name:TESTDB$  Caller Domain:ITG  Caller Logon ID:(0x0,0x3E7)  Privileges:-
regex= security\[failure\] 627 (.+)  Change Password Attempt:  Target Account Name:(.+)  Target Domain:(.+)  Target Account ID:.+  Caller User Name:(.+); \
 classification.text=Password change; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=627; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com247.html; \
 id=1414; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=medium; \
 assessment.impact.type=user; \
 assessment.impact.description=$4 attempted to change the password for $2 on the $3 domain; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 source(0).user.user_id(1).type=current-user; \
 source(0).user.user_id(1).name=$4; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$2; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Authentication domain; \
 additional_data(0).data=$3; \
 last

#DESCRIPTION:Windows Event ID 681 - Logon to account
#CATEGORY:Authentication
#LOG:Dec 10 08:20:07 mrfreeze.itg.sac.tfs security[failure] 681 NT AUTHORITY\SYSTEM  The logon to account: tfslegalask@itg.sac.tfs  by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  from workstation: MRFREEZE  failed. The error code was: 3221225572
regex=security\[failure\] 681 (.+)  The logon to account: (\S+)  by:.+  from workstation: (\w+); \
 classification.text=Login; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=681; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com326.html; \
 id=1415; \
 revision=3; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.description=Logon as $2 from $3 failed; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 source(0).node.address(0).category=unknown; \
 source(0).node.address(0).address=$3; \
 source(0).node.name=$3; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$2; \
 last