
A call for collaboration! Windows Security Logs Parsing

36Krazyfists
Helper

So, we need to start parsing Windows Security logs and, boy oh boy, are they all over the place...

Since Microsoft doesn't seem to stick with dedicated field names and log formats between the various event types, this is a daunting task...

This means that we will basically need to set up custom processors in our OpenPipeline pipeline for each event ID we are interested in parsing.

I just built one for 4740 (Account Lockout), and, before I start building pipelines for each ID we're interested in, I was hoping somebody has already done some of this work and would be willing to share!

To kickstart the party, I'll share my parser for 4740 events here:

parse content, """LD:winlog.message EOLWIN
EOLWIN?
'Subject:' EOLWIN
LD 'Security ID:' SPACE LD:winlog.subject.sid EOLWIN
LD 'Account Name:' SPACE LD:winlog.subject.account.name EOLWIN
LD 'Account Domain:' SPACE LD:winlog.subject.account.domain EOLWIN
LD 'Logon ID:' SPACE LD:winlog.subject.logon.id EOLWIN
EOLWIN?
'Account That Was Locked Out:' EOLWIN
LD 'Security ID:' SPACE LD:winlog.account.sid EOLWIN
LD 'Account Name:' SPACE LD:winlog.account.name EOLWIN
EOLWIN?
'Additional Information:' EOLWIN
LD 'Caller Computer Name:' SPACE LD:winlog.account.computer_name"""

Even if you just have one or two parsers for Windows Security events, please feel free to share!  Hopefully we can make a nice little "repository" of helpful Windows Security parsers here for people to use!

And please share classic parsers too!  They usually work perfectly with OpenPipeline or can be made to work with very little modification.

Thanks!
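An offline reference parser for the 4740 message layout that the DPL pattern in the post walks through, added here as an example; it is not part of the original post and not Dynatrace OpenPipeline code. It splits any Windows Security message of this shape (an unindented "Section:" line followed by indented "Key: Value" lines) into a dictionary, then maps the 4740 sections onto the same winlog.* field names the pattern assigns, so the result can be compared with what a pipeline run produces. The sample event and all of its values are constructed, the field mapping mirrors the pattern rather than any Microsoft schema, and the parser also handles the cases the pattern marks optional: blank lines between sections may be absent (the EOLWIN? steps) and the message may arrive with LF instead of CRLF.

```python
from __future__ import annotations

# Constructed sample of a 4740 (account lockout) message in the section /
# indented "Key:<tab>Value" layout the DPL pattern walks through.
# Every value below is made up for illustration.
SAMPLE_4740 = (
    "A user account was locked out.\r\n"
    "\r\n"
    "Subject:\r\n"
    "\tSecurity ID:\t\tS-1-5-18\r\n"
    "\tAccount Name:\t\tDC01$\r\n"
    "\tAccount Domain:\t\tEXAMPLE\r\n"
    "\tLogon ID:\t\t0x3E7\r\n"
    "\r\n"
    "Account That Was Locked Out:\r\n"
    "\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1105\r\n"
    "\tAccount Name:\t\tjdoe\r\n"
    "\r\n"
    "Additional Information:\r\n"
    "\tCaller Computer Name:\tWS-042\r\n"
)

# (section, key) pairs -> the field names the 4740 DPL pattern assigns.
FIELDS_4740 = {
    "winlog.subject.sid": ("Subject", "Security ID"),
    "winlog.subject.account.name": ("Subject", "Account Name"),
    "winlog.subject.account.domain": ("Subject", "Account Domain"),
    "winlog.subject.logon.id": ("Subject", "Logon ID"),
    "winlog.account.sid": ("Account That Was Locked Out", "Security ID"),
    "winlog.account.name": ("Account That Was Locked Out", "Account Name"),
    "winlog.account.computer_name": ("Additional Information", "Caller Computer Name"),
}


def parse_sections(message: str) -> tuple[str, dict[str, dict[str, str]]]:
    """Split a Windows Security event message into its first line plus
    {section: {key: value}}.  A section header is an unindented line ending
    in ':'; a field is an indented 'Key:<whitespace>Value' line beneath it.
    Accepts CRLF or LF and tolerates missing blank lines between sections
    (the EOLWIN? steps in the DPL pattern)."""
    lines = message.replace("\r\n", "\n").split("\n")
    headline = lines[0].strip()
    sections: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in lines[1:]:
        if not raw.strip():
            continue                      # blank separator, optional
        if raw[0] not in " \t" and raw.rstrip().endswith(":"):
            current = raw.strip()[:-1]    # new section header
            sections[current] = {}
            continue
        if current is None:
            continue                      # stray text before the first section
        key, sep, value = raw.strip().partition(":")
        if sep:                           # split on the first ':' only, so
            sections[current][key.strip()] = value.strip()  # values may contain ':'
    return headline, sections


def parse_4740(message: str) -> dict[str, str]:
    """Map a 4740 message onto the same field names the DPL pattern emits.
    Fields whose section or key is absent are simply left out."""
    headline, sections = parse_sections(message)
    fields = {"winlog.message": headline}
    for name, (section, key) in FIELDS_4740.items():
        value = sections.get(section, {}).get(key)
        if value is not None:
            fields[name] = value
    return fields


if __name__ == "__main__":
    for name, value in parse_4740(SAMPLE_4740).items():
        print(f"{name} = {value}")
```

Because parse_sections keys on the section and key text rather than on position, the same function can be reused for other event IDs by supplying a different mapping table; only the mapping needs to be written per ID, which is the per-event work the post describes.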
