Rules (XIF)
[MODEL: dataset = microsoft_windows_raw]
// supported channels/providers
filter channel in ("System", "Application","Directory Service") or provider_name in("Microsoft-Windows-PowerShell", "Microsoft-Windows-TaskScheduler", "Microsoft-Windows-Windows Firewall With Advanced Security", "Microsoft-Windows-Windows Defender","Microsoft-Windows-ActiveDirectory_DomainService") or provider_name contains "Microsoft-Windows-Security-"
| alter event_id_num = to_integer(event_id), // used for filtering by event id ranges
event_id_string = to_string(event_id),
task_str = to_string(task)
| alter // Extract fields
action = arrayindex(regextract(message, "Action:\s*(\S+)"), 0),
action_status = arrayindex(regextract(message, "Action Status:\s*(.+?)\s+(?:\w+\s+)?\w+:"), 0),
Command_Name = arrayindex(regextract(message, "Command Name = (.*?)\s{2, }"), 0),
Command_Path = arrayindex(regextract(message, "Command Path = (.*?)\s{2, }"), 0),
dc_name = event_data -> DCName,
detection_type = arrayindex(regextract(message, "Detection Type:\s*(.+?)\s+Detection"), 0), // microsoft defender
detection_source = arrayindex(regextract(message, "Detection Source:\s*(.+?)\s+User"), 0), // microsoft defender
defender_signature_version = arrayindex(regextract(message, "Signature Version:\s*(.+?)\s+Engine"), 0), // microsoft defender
defender_security_intelligence_version = coalesce(event_data -> ["Current security intelligence Version"], event_data -> ["AV security intelligence version"]), // microsoft defender
defender_engine_version = coalesce(event_data -> ["Current Engine Version"], arrayindex(regextract(message, "Engine Version:\s*([\d\.]+)\s"), 0), arrayindex(regextract(message, "Engine Version:\s*(.+?)$"), 0)), // microsoft defender
defender_security_intelligence_type = event_data -> ["Security intelligence Type"],
error_code = coalesce(event_data -> error, arrayindex(regextract(message,"Error Code:\s*\S+"), 0)),
error_message = coalesce(event_data -> ["Error Description"], event_data -> ErrorMessage, arrayindex(regextract(message, "Error Description:\s*([^\.]+\.)"), 0)),
failure_code = arrayindex(regextract(message, "Failure Code:\s*(\S+)"), 0),
event_data_param1 = event_data -> param1,
event_data_param2 = event_data -> param2,
event_attributes = event_data -> Attributes,
event_fwlink = event_data->["FWLink"],
execution_name = event_data -> ["Execution Name"],
SubjectKeyIdentifier = event_data -> SubjectKeyIdentifier,
event_name = arrayindex(regextract(message, "^([^:.(]+)"), 0),
TicketEncryptionType = to_string(event_data -> TicketEncryptionType),
IpPort = coalesce(event_data -> IpPort, event_data -> SourcePort),
IpAddress = coalesce(event_data -> IpAddress, event_data -> SourceAddress),
DestAddress = coalesce(event_data -> DestAddress, ""),
Ipv6Address = arrayindex(regextract(message, "Source\s+Network\s+Address:\s+((?:[a-fA-F0-9]{1,4}:){7}[a-fA-F0-9]{1,4}|(?:[a-fA-F0-9]{1,4}:){1,7}:|:(?::[a-fA-F0-9]{1,4}){1,7}|::)\s?"), 0),
LogLevel = lowercase(log_level),
logonType = event_data -> LogonType,
Failure_Reason = arrayindex(regextract(message,"Failure Reason:\s*(.*?)(?:\.|\s+\S+:|$)"),0),
message_action = arrayindex(regextract(message, "action \"([^\"]+)\""), 0),
message_instance = arrayindex(regextract(message, "instance \"([^\"]+)\""), 0),
message_processID = arrayindex(regextract(message, "process ID \"([^\"]+)\""), 0),
message_task = arrayindex(regextract(message , "task \"([^\"]+)\""), 0),
new_value = event_data -> ["New Value"],
old_value = event_data -> ["Old Value"],
file_path = coalesce(arrayindex(regextract(message , "Path:\s*([^\n]+)\n"), 0), arrayindex(regextract(message , "Path:\s*([^,]*?)(?:\s{2}|,|$)"), 0), event_data -> Path),
process_name_format = coalesce(event_data -> ProcessName, event_data -> ["Process Name"], arrayindex(regextract(message, "Process Name:\s*([^,]*?)(?:\s{2}|,)"), 0), arrayindex(regextract(message, "Process Name:\s*([^\n\r]+)"), 0)),
product_name = event_data -> ["Product Name"], // microsoft defender event ids 1000 - 1005
product_version = event_data -> ["Product Version"], // microsoft defender event ids 1000 - 1005
rule_name1 = arraystring(regextract(message, "Rule\s+Name\:\s+(.*)\b\s+Modifying\s*User:"), ""),
rule_name2 = arraystring(regextract(message, "Rule\s*Name\:\s+(.*[^\w\s])\s+Modifying\s*User"), ""),
scan_id = event_data -> ["Scan ID"], // windows defender event ids 1000 - 1005
scan_type = event_data -> ["Scan Type"], // windows defender event ids 1000 - 1005
scan_params = event_data -> ["Scan Parameters"], // windows defender event ids 1000 - 1005
scan_duration = multiply(add(add(multiply(to_integer(event_data -> ["Scan Time Hours"]), 3600), multiply(to_integer(event_data -> ["Scan Time Minutes"]), 60)), to_integer(event_data -> ["Scan Time Seconds"])), 1000), // windows defender event ids 1000 - 1005
severity = arrayindex(regextract(message, "Severity:\s*(\w+)"), 0),
Script_Name = arrayindex(regextract(arrayindex(regextract(message, "Script Name = (.*?)\s{2, }"), 0), "\\([^\\]+)$"), 0),
Script_Path = coalesce(event_data -> Path, arrayindex(regextract(message, "Script Name = (.*?)\s{2, }"), 0)),
target_username = event_data -> TargetUserName,
// source_threat_combined = concat("[", detection_source, "]", " ", threat_category),
target_user_sid = event_data -> TargetUserSid,
target_domain_name = event_data -> TargetDomainName,
threat_id = if(provider_name = "Microsoft-Windows-Windows Defender" and ((event_id_num >= 1006 and event_id_num <= 1012) or event_id_num = 1015 or (event_id_num >= 1116 and event_id_num <= 1119)), arrayindex(regextract(message, "ID:\s*(\w+)\s+\w+:"), 0)),
threat_category = if(provider_name = "Microsoft-Windows-Windows Defender" and ((event_id_num >= 1006 and event_id_num <= 1012) or event_id_num = 1015 or (event_id_num >= 1116 and event_id_num <= 1119)), arrayindex(regextract(message, "Category:\s*(.+?)\s+\w+:"), 0)),
threat_name = if(provider_name = "Microsoft-Windows-Windows Defender" and ((event_id_num >= 1006 and event_id_num <= 1012) or event_id_num = 1015 or (event_id_num >= 1116 and event_id_num <= 1119)), arrayindex(regextract(message, "Name:\s*(.+?)\s+ID:"), 0)),
user_domain = coalesce(user -> domain, event_data -> Domain, if(event_data -> SubjectDomainName in ("-", " - "), null, event_data -> SubjectDomainName), if(user_data -> SubjectDomainName in ("-", " - "), null, user_data -> SubjectDomainName)),
user_name = coalesce(user -> name, event_data -> User, event_data -> SubjectUserName, user_data -> SubjectUserName, arrayindex(regextract(message, "User:\s*(?:[^\\]+\\)*(\S+)"), 0), arrayindex(regextract(message, "User \"([^\"]+)\""), 0), if(channel="Application" and event_data -> param3 contains "*\\*", event_data -> param3),event_data -> ["Detection User"],event_data -> ["Requester"]),
user_sid = coalesce(event_data -> SID, event_data -> SubjectUserSid, user -> identifier, user -> SubjectUserSid, event_data -> UserSid, if(provider_name = "Microsoft-Windows-Windows Firewall With Advanced Security", arrayindex(regextract(message, "Modifying\s*User\:\s+(.*)\b\s+Modifying\s+Application:"), 0))),
user_type = user -> type,
check_task_string = if(task_str ~= "\d+", null, task_str)
| alter // post-extraction processing & validations
check_rule_name1 = if(rule_name1 ~= "\S", rule_name1, null),
check_rule_name2 = if(rule_name2 ~= "\S", rule_name2, null),
check_Command_Path = if(Command_Path ~= "\S", Command_Path, null),
check_Command_Name = if(Command_Name ~= "\S", Command_Name, null),
check_Script_Name = if(Script_Name ~= "\S", Script_Name, null),
check_Script_Path = if(Script_Path ~= "\S", Script_Path, null),
check_message_task = if(message_task ~= "\S", message_task, null),
check_message_processID = if(message_processID ~= "\S", message_processID, null),
check_message_action = if(message_action ~= "\S", message_action, null),
check_fw_description = if(provider_name = "Microsoft-Windows-Windows Firewall With Advanced Security", arraystring(regextract(message, "^[^\.]+\."), ""), null),
check_fw_process_name = if(provider_name = "Microsoft-Windows-Windows Firewall With Advanced Security", arraystring(regextract(message, "Modifying\s*Application:\s+\S+\\([^\.]+\.exe)"), ""), null),
get_message_instance_exe_path = if(message_instance ~= "exe", message_instance, null),
get_message_instance_exe_process = if(message_instance ~= "exe", arrayindex(regextract(message_instance, "\\([a-zA-Z0-9]+\.exe)$"), 0), null)
| alter event_type = coalesce(event_action, to_string(task), check_message_task, event_name) // set event type
| alter // XDM mappings
xdm.alert.category = threat_category,
xdm.alert.description = coalesce(if(channel="System", error_code, check_fw_description != null, check_fw_description, error_message), if(event_id_string in ("4886", "4887", "4888","4897","4898"), object_create("FW_link", event_fwlink, "Disposition", event_data -> Disposition, "cdc", arrayindex(regextract(event_attributes, "cdc:([^\n]+)") ,0), "rmd", arrayindex(regextract(event_attributes, "rmd:([^\n]+)") ,0), "ccm", arrayindex(regextract(event_attributes, "ccm:([^\n]+)") ,0), "error_code", event_data -> Status, "sub_error_code", event_data -> SubStatus))),
xdm.alert.original_threat_name = threat_name,
xdm.alert.original_threat_id = threat_id,
xdm.alert.original_alert_id = activity_id,
xdm.alert.severity = severity,
xdm.event.description = coalesce(message, if(channel="System", event_data -> updateTitle), if(channel="Application", event_data -> param3)),
xdm.event.duration = to_integer(scan_duration),
xdm.event.id = event_id_string,
xdm.event.log_level = if(LogLevel="information", XDM_CONST.LOG_LEVEL_INFORMATIONAL, LogLevel="error", XDM_CONST.LOG_LEVEL_ERROR, LogLevel="warning", XDM_CONST.LOG_LEVEL_WARNING, LogLevel="critical", XDM_CONST.LOG_LEVEL_CRITICAL, to_string(coalesce(to_string(opcode), log_level))),
xdm.event.operation_sub_type = coalesce(check_message_action, detection_type, arrayindex(regextract(message, "(^.*?)\."), 0), if(channel="System", event_data_param2)),
xdm.event.original_event_type = event_type,
xdm.event.outcome_reason = coalesce(if(channel="Application" and check_task_string = "TM", event_data_param2), action_status, error_message, Failure_Reason),
xdm.event.outcome = if(event_result = "success", XDM_CONST.OUTCOME_SUCCESS, event_result="failure", XDM_CONST.OUTCOME_FAILED, coalesce(event_result, action, error_code, failure_code)),
xdm.event.type = channel,
xdm.event.tags = arraycreate(execution_name),
xdm.logon.type = if(logonType="2", XDM_CONST.LOGON_TYPE_INTERACTIVE, logonType="3", XDM_CONST.LOGON_TYPE_NETWORK, logonType="4", XDM_CONST.LOGON_TYPE_BATCH , logonType="5", XDM_CONST.LOGON_TYPE_SERVICE , logonType ="6", XDM_CONST.LOGON_TYPE_PROXY , logonType="7", XDM_CONST.LOGON_TYPE_NEW_CREDENTIALS , logonType="8", XDM_CONST.LOGON_TYPE_NETWORK_CLEARTEXT, logonType="9", XDM_CONST.LOGON_TYPE_NEW_CREDENTIALS , logonType="10", XDM_CONST.LOGON_TYPE_REMOTE_INTERACTIVE , logonType="11", XDM_CONST.LOGON_TYPE_CACHED_INTERACTIVE, logonType="12", XDM_CONST.LOGON_TYPE_CACHED_REMOTE_INTERACTIVE , logonType="13", XDM_CONST.LOGON_TYPE_CACHED_UNLOCK, logonType),
xdm.network.rule = coalesce(check_rule_name1, check_rule_name2, threat_id),
xdm.observer.action = action,
xdm.observer.type = provider_name,
xdm.observer.unique_identifier = provider_guid,
xdm.observer.version = product_version,
xdm.session_context_id = to_string(record_id),
xdm.source.agent.type = coalesce(defender_security_intelligence_type, detection_source),
xdm.source.agent.version = defender_engine_version,
xdm.source.agent.content_version = coalesce(defender_signature_version, defender_security_intelligence_version),
xdm.source.application.name = coalesce(if(channel="System", event_data_param1), arrayindex(regextract(message, "HostApplication=([\S]+)"), 0), product_name),
xdm.source.application.version = product_version,
xdm.target.user.ou = if(event_id_string in ("4728","4729"), arrayindex(regextract(message, "Member:\n*.*?\n*\s*Account\s+Name:\s*(.*)"), 0)),
xdm.source.host.fqdn = coalesce(event_data -> FQDN, event_data -> WorkstationName),
xdm.source.host.hostname = coalesce(host_name, computer_name, if(user_name contains "*$", user_name), if(channel="System", event_data -> HostName), if(channel="Application" and check_task_string = "Devices", event_data_param1)),
xdm.source.host.os = os_subtype,
xdm.source.host.os_family = XDM_CONST.OS_FAMILY_WINDOWS,
xdm.source.ipv4 = if(IpAddress ~= "(?:\d{1,3}\.){3}\d{1,3}", arrayindex(regextract(IpAddress, "((?:\d{1,3}\.){3}\d{1,3})"), 0)),
xdm.source.ipv6 = if(IpAddress ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", arrayindex(regextract(IpAddress, "((?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4})"), 0),if(Ipv6Address != null,Ipv6Address)),
xdm.source.port = if(IpPort~="\d+", to_integer(IpPort), null),
xdm.source.process.command_line = coalesce(if(check_Command_Name != null and check_Command_Name != "", check_Command_Name), process_cmd, event_data -> CommandLine),
xdm.source.process.executable.directory = arraystring(regextract(message, "Modifying\s*Application:\s+(\S+)"), ""),
xdm.source.process.executable.filename = if(check_Script_Name != null and check_Script_Name != "", check_Script_Name, null),
xdm.source.process.executable.md5 = process_md5,
xdm.source.process.executable.path = coalesce(get_message_instance_exe_path, process_name_format, if(channel="Application", event_data -> Module), if(check_Script_Path != null and check_Script_Path != "", check_Script_Path), if(check_Command_Path != null and check_Command_Path != "", check_Command_Path), process_path, file_path),
xdm.source.process.executable.sha256 = process_sha256,
xdm.source.process.name = coalesce(check_fw_process_name, get_message_instance_exe_process,event_data -> ParentProcessName ,arrayindex(regextract(process_name_format, "\\([^\\]+)$"), 0), if(channel="System", process_name_format), process_name),
xdm.source.process.pid = to_integer(coalesce(check_message_processID, to_string(process_pid), if(channel="System", event_data -> ProcessID))),
xdm.target.process.pid = to_integer(event_data -> NewProcessID),
xdm.source.process.thread_id = to_integer(process_thread_id),
xdm.source.user.domain = user_domain,
xdm.source.user.identifier = user_sid,
xdm.source.user.user_type = if(user_type contains "User", XDM_CONST.USER_TYPE_REGULAR, user_type contains "Service", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT , user_type contains "Computer", XDM_CONST.USER_TYPE_MACHINE_ACCOUNT , user_type),
xdm.source.user.username = user_name,
xdm.target.ipv4 = if(DestAddress ~= "(?:\d{1,3}\.){3}\d{1,3}", arrayindex(regextract(DestAddress, "((?:\d{1,3}\.){3}\d{1,3})"), 0)),
xdm.target.file.path = file_path,
xdm.target.port = coalesce(to_integer(event_data -> DestPort) ,to_integer(0)),
xdm.target.resource.id = coalesce(scan_id, SubjectKeyIdentifier),
xdm.target.resource.type = scan_type,
xdm.target.resource_before.value = old_value,
xdm.target.resource.value = coalesce(new_value, scan_params),
xdm.target.user.domain = coalesce(target_domain_name, if(channel="System", dc_name)),
xdm.target.user.groups = if(target_username not contains "*$" AND event_type = "Security Group Management", arraycreate(target_username)),
xdm.target.user.identifier = target_user_sid,
xdm.logon.package_name = event_data -> AuthenticationPackageName,
xdm.event.operation = if(event_id_num = 4624,"AUTH_LOGIN"),
xdm.logon.is_elevated = if(event_id_num = 4624, if(event_data -> ElevatedToken in ("%%1843", "No"), to_boolean("FALSE"), event_data -> ElevatedToken in ("%%1842","Yes"), to_boolean("TRUE"))),
xdm.logon.is_virtual_account = if(event_id_num = 4624, if(event_data -> VirtualAccount in ("%%1843", "No"), to_boolean("FALSE"), event_data -> VirtualAccount in ("%%1842","Yes"), to_boolean("TRUE"))),
xdm.auth.service = event_data -> LogonProcessName,
xdm.target.process.name = event_data -> NewProcessName,
xdm.logon.is_restricted_admin_mode = if(event_id_num = 4624, if(event_data -> RestrictedAdminMode in ("-", "No"), to_boolean("FALSE"), event_data -> RestrictedAdminMode = "Yes", to_boolean("TRUE"))),
xdm.auth.kerberos_tgt.encryption_type = if(event_id_string in ("4768", "4770"), if(TicketEncryptionType="0x01", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES_CBC_CRC, TicketEncryptionType="0x02", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES_CBC_MD4, TicketEncryptionType="0x03", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES_CBC_MD5, TicketEncryptionType="0x04", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES_CBC_RAW, TicketEncryptionType="0x05", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES3_CBC_MD5, TicketEncryptionType="0x06", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES3_CBC_RAW, TicketEncryptionType="0x07", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES3_CBC_SHA1, TicketEncryptionType="0x08", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES_HMAC_SHA1, TicketEncryptionType="0x09", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DSAWITHSHA1_CMSOID, TicketEncryptionType="0x0A", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_MD5WITHRSAENCRYPTION_CMSOID, TicketEncryptionType="0x0B", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_SHA1WITHRSAENCRYPTION_CMSOID, TicketEncryptionType="0x0C", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_RC2CBC_ENVOID, TicketEncryptionType="0x0D", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_RSAENCRYPTION_ENVOID, TicketEncryptionType="0x0E", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_RSAES_OAEP_ENV_OID, TicketEncryptionType="0x0F", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES_EDE3_CBC_ENV_OID, TicketEncryptionType="0x10", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES3_CBC_SHA1_KD, TicketEncryptionType="0x11", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_AES128_CTS_HMAC_SHA1_96, TicketEncryptionType="0x12", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_AES256_CTS_HMAC_SHA1_96, TicketEncryptionType="0x13", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_AES128_CTS_HMAC_SHA256_128, TicketEncryptionType="0x14", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_AES256_CTS_HMAC_SHA384_192, TicketEncryptionType="0x17", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_RC4_HMAC, TicketEncryptionType="0x18", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_RC4_HMAC_EXP, TicketEncryptionType="0x19", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_CAMELLIA128_CTS_CMAC, TicketEncryptionType="0x1A", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_CAMELLIA256_CTS_CMAC, TicketEncryptionType="0x41", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_SUBKEY_KEYMATERIAL, TicketEncryptionType)),
xdm.auth.kerberos_tgs.encryption_type = if(event_id_string in ("4769","4771", "4772"), if(TicketEncryptionType="0x01", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES_CBC_CRC, TicketEncryptionType="0x02", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES_CBC_MD4, TicketEncryptionType="0x03", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES_CBC_MD5, TicketEncryptionType="0x04", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES_CBC_RAW, TicketEncryptionType="0x05", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES3_CBC_MD5, TicketEncryptionType="0x06", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES3_CBC_RAW, TicketEncryptionType="0x07", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES3_CBC_SHA1, TicketEncryptionType="0x08", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES_HMAC_SHA1, TicketEncryptionType="0x09", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DSAWITHSHA1_CMSOID, TicketEncryptionType="0x0A", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_MD5WITHRSAENCRYPTION_CMSOID, TicketEncryptionType="0x0B", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_SHA1WITHRSAENCRYPTION_CMSOID, TicketEncryptionType="0x0C", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_RC2CBC_ENVOID, TicketEncryptionType="0x0D", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_RSAENCRYPTION_ENVOID, TicketEncryptionType="0x0E", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_RSAES_OAEP_ENV_OID, TicketEncryptionType="0x0F", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES_EDE3_CBC_ENV_OID, TicketEncryptionType="0x10", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES3_CBC_SHA1_KD, TicketEncryptionType="0x11", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_AES128_CTS_HMAC_SHA1_96, TicketEncryptionType="0x12", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_AES256_CTS_HMAC_SHA1_96, TicketEncryptionType="0x13", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_AES128_CTS_HMAC_SHA256_128, TicketEncryptionType="0x14", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_AES256_CTS_HMAC_SHA384_192, TicketEncryptionType="0x17", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_RC4_HMAC, TicketEncryptionType="0x18", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_RC4_HMAC_EXP, TicketEncryptionType="0x19", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_CAMELLIA128_CTS_CMAC, TicketEncryptionType="0x1A", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_CAMELLIA256_CTS_CMAC, TicketEncryptionType="0x41", XDM_CONST.KERBEROS_ENCRYPTION_TYPE_SUBKEY_KEYMATERIAL, TicketEncryptionType)),
xdm.auth.kerberos_tgt.error_code = if(event_id_string in ("4768", "4770"), if(failure_code="0x0", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_NONE, failure_code="0x1", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_NAME_EXP, failure_code="0x2", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_SERVICE_EXP, failure_code="0x3", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_BAD_PVNO, failure_code="0x4", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_C_OLD_MAST_KVNO, failure_code="0x5", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_S_OLD_MAST_KVNO, failure_code="0x6", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_C_PRINCIPAL_UNKNOWN, failure_code="0x7", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_S_PRINCIPAL_UNKNOWN, failure_code="0x8", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_PRINCIPAL_NOT_UNIQUE, failure_code="0x9", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_NULL_KEY, failure_code="0xA", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_CANNOT_POSTDATE, failure_code="0xB", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_NEVER_VALID, failure_code="0xC", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_POLICY, failure_code="0xD", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_BADOPTION, failure_code="0xE", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_ETYPE_NOSUPP, failure_code="0xF", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_SUMTYPE_NOSUPP, failure_code="0x10", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_PADATA_TYPE_NOSUPP, failure_code="0x11", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_TRTYPE_NOSUPP, failure_code="0x12", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_CLIENT_REVOKED, failure_code="0x13", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_SERVICE_REVOKED, failure_code="0x14", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_TGT_REVOKED, failure_code="0x15", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_CLIENT_NOTYET, failure_code="0x16", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_SERVICE_NOTYET, failure_code="0x17", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_KEY_EXPIRED, failure_code="0x18", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_PREAUTH_FAILED, failure_code="0x19", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_PREAUTH_REQUIRED, failure_code="0x1A", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_SERVER_NOMATCH, failure_code="0x1B", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_MUST_USE_USER2USER, failure_code="0x1C", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_PATH_NOT_ACCEPTED, failure_code="0x1D", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_SVC_UNAVAILABLE, failure_code="0x1F", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_BAD_INTEGRITY, failure_code="0x20", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_TKT_EXPIRED, failure_code="0x21", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_TKT_NYV, failure_code="0x22", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_REPEAT, failure_code="0x23", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_NOT_US, failure_code="0x24", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_BADMATCH, failure_code="0x25", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_SKEW, failure_code="0x26", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_BADADDR, failure_code="0x27", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_BADVERSION, failure_code="0x28", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_MSG_TYPE, failure_code="0x29", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_MODIFIED, failure_code="0x2A", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_BADORDER, failure_code="0x2C", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_BADKEYVER, failure_code="0x2D", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_NOKEY, failure_code="0x2E", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_MUT_FAIL, failure_code="0x2F", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_BADDIRECTION, failure_code="0x30", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_METHOD, failure_code="0x31", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_BADSEQ, failure_code="0x32", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_INAPP_CKSUM, failure_code="0x33", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_PATH_NOT_ACCEPTED, failure_code="0x34", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_RESPONSE_TOO_BIG, failure_code="0x3C", XDM_CONST.KERBEROS_ERROR_CODE_ERR_GENERIC, failure_code="0x3D", XDM_CONST.KERBEROS_ERROR_CODE_ERR_FIELD_TOOLONG, failure_code="0x3E", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC__CLIENT_NOT_TRUSTED, failure_code="0x3F", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC__KDC_NOT_TRUSTED, failure_code="0x40", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC__INVALID_SIG, failure_code="0x41", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_KEY_TOO_WEAK, failure_code="0x42", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_CERTIFICATE_MISMATCH, failure_code="0x43", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_NO_TGT, failure_code="0x44", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_WRONG_REALM, failure_code="0x45", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_USER_TO_USER_REQUIRED, failure_code="0x46", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_CANT_VERIFY_CERTIFICATE, failure_code="0x47", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_INVALID_CERTIFICATE, failure_code="0x48", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_REVOKED_CERTIFICATE, failure_code="0x49", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_REVOCATION_STATUS_UNKNOWN, failure_code="0x4A", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_REVOCATION_STATUS_UNAVAILABLE, failure_code="0x4B", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_CLIENT_NAME_MISMATCH, failure_code="0x4C", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_KDC_NAME_MISMATCH, to_string(failure_code))),
xdm.auth.kerberos_tgs.error_code = if(event_id_string in ("4769", "4771", "4772"), if(failure_code="0x0", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_NONE, failure_code="0x1", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_NAME_EXP, failure_code="0x2", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_SERVICE_EXP, failure_code="0x3", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_BAD_PVNO, failure_code="0x4", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_C_OLD_MAST_KVNO, failure_code="0x5", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_S_OLD_MAST_KVNO, failure_code="0x6", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_C_PRINCIPAL_UNKNOWN, failure_code="0x7", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_S_PRINCIPAL_UNKNOWN, failure_code="0x8", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_PRINCIPAL_NOT_UNIQUE, failure_code="0x9", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_NULL_KEY, failure_code="0xA", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_CANNOT_POSTDATE, failure_code="0xB", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_NEVER_VALID, failure_code="0xC", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_POLICY, failure_code="0xD", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_BADOPTION, failure_code="0xE", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_ETYPE_NOSUPP, failure_code="0xF", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_SUMTYPE_NOSUPP, failure_code="0x10", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_PADATA_TYPE_NOSUPP, failure_code="0x11", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_TRTYPE_NOSUPP, failure_code="0x12", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_CLIENT_REVOKED, failure_code="0x13", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_SERVICE_REVOKED, failure_code="0x14", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_TGT_REVOKED, failure_code="0x15", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_CLIENT_NOTYET, failure_code="0x16", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_SERVICE_NOTYET, failure_code="0x17", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_KEY_EXPIRED, failure_code="0x18", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_PREAUTH_FAILED, failure_code="0x19", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_PREAUTH_REQUIRED, failure_code="0x1A", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_SERVER_NOMATCH, failure_code="0x1B", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_MUST_USE_USER2USER, failure_code="0x1C", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_PATH_NOT_ACCEPTED, failure_code="0x1D", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_SVC_UNAVAILABLE, failure_code="0x1F", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_BAD_INTEGRITY, failure_code="0x20", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_TKT_EXPIRED, failure_code="0x21", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_TKT_NYV, failure_code="0x22", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_REPEAT, failure_code="0x23", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_NOT_US, failure_code="0x24", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_BADMATCH, failure_code="0x25", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_SKEW, failure_code="0x26", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_BADADDR, failure_code="0x27", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_BADVERSION, failure_code="0x28", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_MSG_TYPE, failure_code="0x29", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_MODIFIED, failure_code="0x2A", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_BADORDER, failure_code="0x2C", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_BADKEYVER, failure_code="0x2D", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_NOKEY, failure_code="0x2E", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_MUT_FAIL, failure_code="0x2F", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_BADDIRECTION, failure_code="0x30", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_METHOD, failure_code="0x31", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_BADSEQ, failure_code="0x32", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_INAPP_CKSUM, failure_code="0x33", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_PATH_NOT_ACCEPTED, failure_code="0x34", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_RESPONSE_TOO_BIG, failure_code="0x3C", XDM_CONST.KERBEROS_ERROR_CODE_ERR_GENERIC, failure_code="0x3D", XDM_CONST.KERBEROS_ERROR_CODE_ERR_FIELD_TOOLONG, failure_code="0x3E", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC__CLIENT_NOT_TRUSTED, failure_code="0x3F", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC__KDC_NOT_TRUSTED, failure_code="0x40", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC__INVALID_SIG, failure_code="0x41", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_KEY_TOO_WEAK, failure_code="0x42", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_CERTIFICATE_MISMATCH, failure_code="0x43", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_NO_TGT, failure_code="0x44", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_WRONG_REALM, failure_code="0x45", XDM_CONST.KERBEROS_ERROR_CODE_ERR_AP_USER_TO_USER_REQUIRED, failure_code="0x46", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_CANT_VERIFY_CERTIFICATE, failure_code="0x47", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_INVALID_CERTIFICATE, failure_code="0x48", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_REVOKED_CERTIFICATE, failure_code="0x49", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_REVOCATION_STATUS_UNKNOWN, failure_code="0x4A", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_REVOCATION_STATUS_UNAVAILABLE, failure_code="0x4B", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_CLIENT_NAME_MISMATCH, failure_code="0x4C", XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_KDC_NAME_MISMATCH, to_string(failure_code))),
xdm.target.user.username = coalesce(if(target_username not contains "*$" AND event_type != "Security Group Management", target_username), if(event_id_string in ("4886", "4887", "4888","4897","4898"), event_data -> Subject));