├── default
    ├── pipelines
    │   ├── Yasmin
    │   │   └── conf.yml
    │   ├── WinHostMon
    │   │   └── conf.yml
    │   ├── WinNetMon
    │   │   └── conf.yml
    │   ├── WinRegistry
    │   │   └── conf.yml
    │   ├── WindowsXMLEvents
    │   │   └── conf.yml
    │   ├── WinDNS
    │   │   └── conf.yml
    │   ├── Perfmon
    │   │   └── conf.yml
    │   ├── route.yml
    │   ├── WindowsClassicXMLEvents
    │   │   └── conf.yml
    │   ├── NX_Log
    │   │   └── conf.yml
    │   └── WindowsClassicEvents
    │   │   └── conf.yml
    ├── samples.yml
    └── pack.yml
├── package.json
├── samples
    ├── ie80CU.json
    ├── VCHrav.json
    ├── Jtmfrq.json
    ├── 2FiJff.json
    ├── XNPzEl.json
    ├── UChiMU.json
    ├── 5rMBYv.json
    └── g9Eeo4.json
├── data
    └── samples
    │   ├── ie80CU.json
    │   ├── VCHrav.json
    │   ├── Jtmfrq.json
    │   ├── 2FiJff.json
    │   ├── XNPzEl.json
    │   ├── UChiMU.json
    │   └── 5rMBYv.json
├── .github
    └── workflows
    │   └── release.yml
├── README.md
└── LICENSE


/default/pipelines/Yasmin/conf.yml:
--------------------------------------------------------------------------------
1 | output: default
2 | groups: {}
3 | asyncFuncTimeout: 1000
4 | functions: []
5 | 


--------------------------------------------------------------------------------
/default/pipelines/WinHostMon/conf.yml:
--------------------------------------------------------------------------------
1 | output: default
2 | groups: {}
3 | asyncFuncTimeout: 1000
4 | functions: []
5 | 


--------------------------------------------------------------------------------
/default/pipelines/WinNetMon/conf.yml:
--------------------------------------------------------------------------------
1 | output: default
2 | groups: {}
3 | asyncFuncTimeout: 1000
4 | functions: []
5 | 


--------------------------------------------------------------------------------
/default/pipelines/WinRegistry/conf.yml:
--------------------------------------------------------------------------------
1 | output: default
2 | groups: {}
3 | asyncFuncTimeout: 1000
4 | functions: []
5 | 


--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
1 | {"name":"cribl-windows-events","version":"1.0.3","author":"David Maislin - Cribl","description":"Streamlining Windows Events - Support for XML.Classic and NXLog event formats","displayName":"Microsoft Windows Events","tags":{}}


--------------------------------------------------------------------------------
/samples/ie80CU.json:
--------------------------------------------------------------------------------
1 | [{"_raw":"1/10/2022 2:02:15 PM 0CA4 PACKET  000000BACC9F20F0 UDP Rcv 10.18.243.201   9161   Q [0001   D   NOERROR] A      (11)abcnetapp01(4)corp(5)acme1(3)com(0)","_time":1641844935,"cribl_breaker":"Break on newlines"},{"_raw":"1/10/2022 2:02:18 PM 0CA4 PACKET  000000BACC408120 UDP Rcv 10.18.243.201   db7e   Q [0001   D   NOERROR] TXT    (17)_nfsv4idmapdomain(5)acme1(3)com(0)","_time":1641844938,"cribl_breaker":"Break on newlines"},{"_raw":"1/10/2022 3:03:10 PM 1028 PACKET  00000154CDF89CC0 UDP Rcv 10.10.85.50     29b8   Q [0001   D   NOERROR] SRV    (5)_ldap(4)_tcp(8)acmehost(6)_sites(11)ABC-DE-FG01(3)abc(4)acme(3)abc(0)","_time":1641848590,"cribl_breaker":"Break on newlines"},{"_raw":"1/10/2022 3:03:10 PM 1368 PACKET  00000154CE6CE180 UDP Rcv 10.132.24.47    358e   Q [0001   D   NOERROR] AAAA   (1)0(13)north-acme123(4)pool(3)abc(3)com(0)","_time":1641848590,"cribl_breaker":"Break on newlines"},{"_raw":"1/10/2022 3:03:10 PM 1368 PACKET  00000154CCFB44A0 UDP Rcv 10.132.24.47    5774   Q [0001   D   NOERROR] A      (1)0(13)north-acme123(4)pool(3)abc(3)com(0)","_time":1641848590,"cribl_breaker":"Break on newlines"}]


--------------------------------------------------------------------------------
/data/samples/ie80CU.json:
--------------------------------------------------------------------------------
1 | [{"_raw":"1/10/2022 2:02:15 PM 0CA4 PACKET  000000BACC9F20F0 UDP Rcv 10.18.243.201   9161   Q [0001   D   NOERROR] A      (11)abcnetapp01(4)corp(5)acme1(3)com(0)","_time":1641844935,"cribl_breaker":"Break on newlines"},{"_raw":"1/10/2022 2:02:18 PM 0CA4 PACKET  000000BACC408120 UDP Rcv 10.18.243.201   db7e   Q [0001   D   NOERROR] TXT    (17)_nfsv4idmapdomain(5)acme1(3)com(0)","_time":1641844938,"cribl_breaker":"Break on newlines"},{"_raw":"1/10/2022 3:03:10 PM 1028 PACKET  00000154CDF89CC0 UDP Rcv 10.10.85.50     29b8   Q [0001   D   NOERROR] SRV    (5)_ldap(4)_tcp(8)acmehost(6)_sites(11)ABC-DE-FG01(3)abc(4)acme(3)abc(0)","_time":1641848590,"cribl_breaker":"Break on newlines"},{"_raw":"1/10/2022 3:03:10 PM 1368 PACKET  00000154CE6CE180 UDP Rcv 10.132.24.47    358e   Q [0001   D   NOERROR] AAAA   (1)0(13)north-acme123(4)pool(3)abc(3)com(0)","_time":1641848590,"cribl_breaker":"Break on newlines"},{"_raw":"1/10/2022 3:03:10 PM 1368 PACKET  00000154CCFB44A0 UDP Rcv 10.132.24.47    5774   Q [0001   D   NOERROR] A      (1)0(13)north-acme123(4)pool(3)abc(3)com(0)","_time":1641848590,"cribl_breaker":"Break on newlines"}]


--------------------------------------------------------------------------------
/default/pipelines/WindowsXMLEvents/conf.yml:
--------------------------------------------------------------------------------
 1 | output: default
 2 | groups: {}
 3 | asyncFuncTimeout: 1000
 4 | functions:
 5 |   - id: comment
 6 |     filter: "true"
 7 |     disabled: null
 8 |     conf:
 9 |       comment: >-
10 |         Description:  This pipeline reduce XML events using the parseWinEvent
11 |         custom LogStream function
12 | 
13 |         Author:       David Maislin - david@cribl.io
14 | 
15 |         Date:         2021-05-14
16 | 
17 |         Note:         Come find me on Slack - https://cribl.io/community - cribl-community.slack.com
18 |   - id: comment
19 |     filter: "true"
20 |     disabled: null
21 |     conf:
22 |       comment: Please enable Descriptions - (Select top left three bars)
23 |   - id: comment
24 |     filter: "true"
25 |     disabled: null
26 |     conf:
27 |       comment: The XML Processing group turns the _raw XML event into JSON
28 |   - id: eval
29 |     filter: "true"
30 |     disabled: false
31 |     conf:
32 |       add:
33 |         - name: _raw
34 |           value: C.Text.parseWinEvent(_raw,['0x0','-'])
35 |     description: Parse XML to a JSON _raw string Put any values like ['0x0','-'] in the
36 |       brackets to remove fields with those values.
37 | 


--------------------------------------------------------------------------------
/default/samples.yml:
--------------------------------------------------------------------------------
 1 | 2FiJff:
 2 |   sampleName: 5-Windows_XML_Events
 3 |   created: 1620943415156
 4 |   size: 6682
 5 |   numEvents: 5
 6 |   modified: 1620948213159
 7 | UChiMU:
 8 |   sampleName: 5-Windows_Classic_XML_Message_Events
 9 |   created: 1620943431798
10 |   size: 12078
11 |   numEvents: 5
12 |   modified: 1620948652434
13 | XNPzEl:
14 |   sampleName: 5-Windows_Classic_Events
15 |   created: 1620943469167
16 |   size: 10690
17 |   numEvents: 5
18 |   modified: 1620948288457
19 | 5rMBYv:
20 |   sampleName: 50-WinNetMon.log
21 |   created: 1621425760688
22 |   size: 23208
23 |   numEvents: 50
24 |   modified: 1621425760691.15
25 | g9Eeo4:
26 |   sampleName: 50-WinHostMon.log
27 |   created: 1621427205345
28 |   size: 31253
29 |   numEvents: 50
30 |   modified: 1621427205343.5725
31 | VCHrav:
32 |   sampleName: 10-WinRegistry.log
33 |   created: 1621427853584
34 |   size: 4862
35 |   numEvents: 10
36 |   modified: 1621427853582.2275
37 | ie80CU:
38 |   sampleName: 5-Windows_DNS
39 |   created: 1643221438920
40 |   size: 1131
41 |   numEvents: 5
42 |   modified: 1643221438918.203
43 | Jtmfrq:
44 |   sampleName: 5-NXLog.json
45 |   created: 1646665007243
46 |   size: 6376
47 |   numEvents: 5
48 | dw9xld:
49 |   sampleName: 487-PerfmonMk.json
50 |   created: 1646680489688
51 |   size: 2096109
52 |   numEvents: 487
53 |   modified: 1646680489694.2256
54 | 


--------------------------------------------------------------------------------
/default/pipelines/WinDNS/conf.yml:
--------------------------------------------------------------------------------
 1 | output: default
 2 | groups: {}
 3 | asyncFuncTimeout: 1000
 4 | functions:
 5 |   - id: mask
 6 |     filter: "true"
 7 |     disabled: null
 8 |     conf:
 9 |       rules:
10 |         - matchRegex: /\(\d+\)(.+)\(\d+\)/
11 |           replaceExpr: g1.replace(/\(\d+\)/g, '.')
12 |       fields:
13 |         - _raw
14 |   - id: regex_extract
15 |     filter: "true"
16 |     disabled: false
17 |     conf:
18 |       source: _raw
19 |       iterations: 100
20 |       overwrite: false
21 |       regex: /(?<Date>\d+(?:\/\d+){2})\s(?<Time>\d+(?:\:\d+){2}\s\w+)\s(?<ThreadId>\w+)\s+(?<Context>\w+)\s+(?<InternalPacketIdentifier>[A-F0-9a-f]+)\s+(?<Protocol>\w+)\s+(?<SendReceiveIndicator>\w+)\s(?<RemoteIP>[0-9.:]+)\s+(?<Xid>[0-9A-Fa-f]+)\s(?<QueryType>\s|R)\s(?<Opcode>[A-Za-z]|\?)\s\[(?<Flags>[A-F0-9]+)\s+(?<Flags_Char>[ATDR])\s+(?<ResponseCode>[^\]]+)\]\s+(?<QuestionType>\w+)\s+(?<QuestionName>.*)/gm
22 |   - id: eval
23 |     filter: "true"
24 |     disabled: false
25 |     conf:
26 |       add:
27 |         - name: QueryType
28 |           value: "QueryType != '' ? 'Q' : QueryType"
29 |   - id: suppress
30 |     filter: "true"
31 |     disabled: false
32 |     conf:
33 |       allow: 1
34 |       suppressPeriodSec: 30
35 |       dropEventsMode: true
36 |       maxCacheSize: 50000
37 |       cacheIdleTimeoutPeriods: 2
38 |       numEventsIdleTimeoutTrigger: 10000
39 |       keyExpr: "`${QuestionName} ${RemoteIP} ${QuestionType}`"
40 | 


--------------------------------------------------------------------------------
/.github/workflows/release.yml:
--------------------------------------------------------------------------------
 1 | name: Build Release
 2 | on:
 3 |   push:
 4 |     tags:
 5 |       - 'v?[0-9]+.[0-9]+.[0-9]+'
 6 |       - 'v?[0-9]+.[0-9]+.[0-9]+-[RT]C[0-9]+'
 7 | 
 8 | jobs:
 9 |   release:
10 |     runs-on: ubuntu-latest
11 |     steps:
12 |       - name: Checkout
13 |         uses: actions/checkout@v2
14 | 
15 |       - name: Get GitHub slug info
16 |         uses: rlespinasse/github-slug-action@3.5.1
17 | 
18 |       - name: Pack it up!
19 |         run: tar --exclude-vcs --exclude='./.github' -czf /tmp/${{ github.event.repository.name }}-${{ env.GITHUB_SHA_SHORT }}-${{ env.GITHUB_REF_SLUG_CS }}.crbl .
20 | 
21 |       - name: Release
22 |         if: ${{ success() }}
23 |         id: release
24 |         uses: softprops/action-gh-release@5e3f23f92c903aac25270f66388fdcb366c5b549
25 |         with:
26 |           prerelease: ${{ contains(github.ref, 'RC') || contains(github.ref, 'TC') }}
27 |           files: /tmp/${{ github.event.repository.name }}-${{ env.GITHUB_SHA_SHORT }}-${{ env.GITHUB_REF_SLUG_CS }}.crbl
28 |         env:
29 |           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
30 | 
31 |       - name: Get release info
32 |         if: ${{ success() }}
33 |         id: release_info
34 |         uses: cardinalby/git-get-release-action@1.1.1
35 |         with:
36 |           releaseId: "${{ steps.release.outputs.id }}"
37 |         env:
38 |           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
39 | 
40 |       - name: Extract timestamp
41 |         if: ${{ success() }}
42 |         run: |
43 |           echo "TIMESTAMP=$(date +%s -d "${{ steps.release_info.outputs.published_at }}")" >> $GITHUB_ENV
44 | 
45 |       - name: Slack notification (production releases only)
46 |         if: ${{ success() && steps.release_info.outputs.prerelease == 'false' }}
47 |         id: slack
48 |         uses: wearerequired/slack-messaging-action@v1
49 |         with:
50 |           bot_token: ${{ secrets.SLACK_BOT_TOKEN }}
51 |           channel_id: ${{ secrets.SLACK_CHANNEL_ID }}
52 |           payload: >-
53 |             {
54 |               "attachments": [
55 |                 {
56 |                   "fallback": "${{ github.event.repository.name }} has been updated.",
57 |                   "color": "#00cccc",
58 |                   "pretext": "A new release for ${{ github.event.repository.name }} was published on Github!",
59 |                   "title": "${{ github.event.repository.name }} - ${{ steps.release_info.outputs.tag_name }}",
60 |                   "title_link": "${{ steps.release_info.outputs.html_url }}",
61 |                   "text": ${{ toJSON(steps.release_info.outputs.body) }},
62 |                   "footer": "PackBot",
63 |                   "footer_icon": "https://cribl.io/favicon.ico",
64 |                   "ts": ${{ env.TIMESTAMP }}
65 |                 }
66 |               ]
67 |             }
68 | 


--------------------------------------------------------------------------------
/default/pipelines/Perfmon/conf.yml:
--------------------------------------------------------------------------------
  1 | output: default
  2 | groups:
  3 |   kPcIuv:
  4 |     name: Reduction Examples
  5 |     index: 4
  6 |     disabled: true
  7 | asyncFuncTimeout: 1000
  8 | functions:
  9 |   - id: regex_extract
 10 |     filter: "true"
 11 |     disabled: null
 12 |     conf:
 13 |       source: _raw
 14 |       iterations: 100
 15 |       overwrite: false
 16 |       regexList: []
 17 |       regex: /^(?<_KEY_0>\w+)=(?<_VALUE_0>.+)/gm
 18 |   - id: mask
 19 |     filter: "true"
 20 |     disabled: false
 21 |     conf:
 22 |       rules:
 23 |         - matchRegex: /(^(?:.+\n){4})/
 24 |           replaceExpr: "''"
 25 |       fields:
 26 |         - _raw
 27 |   - id: event_breaker
 28 |     filter: "true"
 29 |     disabled: false
 30 |     conf:
 31 |       existingOrNew: new
 32 |       shouldMarkCriblBreaker: true
 33 |       ruleType: header
 34 |       maxEventBytes: 51200
 35 |       timestampAnchorRegex: /^/
 36 |       timestamp:
 37 |         type: auto
 38 |         length: 150
 39 |       timestampTimezone: local
 40 |       timestampEarliest: -420weeks
 41 |       timestampLatest: +1week
 42 |       delimiterRegex: /\t/
 43 |       fieldsLineRegex: /(.+)/
 44 |       headerLineRegex: /instance/
 45 |       nullFieldVal: "-"
 46 |       cleanFields: true
 47 |       eventBreakerRegex: /[\n\r]+(?!\s)/
 48 |       existingRule: ""
 49 |   - id: numerify
 50 |     filter: "true"
 51 |     disabled: false
 52 |     conf:
 53 |       format: none
 54 |       ignoreFields: []
 55 |       filterExpr: ""
 56 |       digits: 0
 57 |   - id: drop
 58 |     filter: Page_Writes_sec==0
 59 |     disabled: true
 60 |     conf: {}
 61 |     groupId: kPcIuv
 62 |     description: Drop via Filter
 63 |   - id: suppress
 64 |     filter: "true"
 65 |     disabled: true
 66 |     conf:
 67 |       allow: 1
 68 |       suppressPeriodSec: 120
 69 |       dropEventsMode: true
 70 |       maxCacheSize: 50000
 71 |       cacheIdleTimeoutPeriods: 2
 72 |       numEventsIdleTimeoutTrigger: 10000
 73 |       keyExpr: "`${host}:${instance}`"
 74 |     groupId: kPcIuv
 75 |     description: Time based suppression
 76 |   - id: sampling
 77 |     filter: "true"
 78 |     disabled: true
 79 |     conf:
 80 |       rules:
 81 |         - filter: IO_Data_Operations_sec==0
 82 |           rate: 250
 83 |         - filter: Interrupts_sec==0
 84 |           rate: 250
 85 |     groupId: kPcIuv
 86 |     description: Event sampling
 87 |   - id: aggregation
 88 |     filter: "true"
 89 |     disabled: true
 90 |     conf:
 91 |       passthrough: false
 92 |       preserveGroupBys: true
 93 |       sufficientStatsOnly: false
 94 |       metricsMode: true
 95 |       timeWindow: 120s
 96 |       aggregations:
 97 |         - max(Handle_Count).as(Max_Handle_Count)
 98 |         - avg(Interrupts_sec).as(Avg_Interrupts_sec)
 99 |       cumulative: false
100 |       flushOnInputClose: true
101 |       groupbys:
102 |         - host
103 |         - instance
104 |       add:
105 |         - name: index
106 |           value: "'My_New_Perfmon_Metrics_Index'"
107 |     description: Passthru - Metrics at the end
108 |     groupId: kPcIuv
109 | 


--------------------------------------------------------------------------------
/default/pack.yml:
--------------------------------------------------------------------------------
1 | logo: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAFkAAAAyCAYAAAA3OHc2AAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAAhGVYSWZNTQAqAAAACAAFARIAAwAAAAEAAQAAARoABQAAAAEAAABKARsABQAAAAEAAABSASgAAwAAAAEAAgAAh2kABAAAAAEAAABaAAAAAAAAAEgAAAABAAAASAAAAAEAA6ABAAMAAAABAAEAAKACAAQAAAABAAAAWaADAAQAAAABAAAAMgAAAABAnoG8AAAACXBIWXMAAAsTAAALEwEAmpwYAAACamlUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iWE1QIENvcmUgNi4wLjAiPgogICA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPgogICAgICA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIgogICAgICAgICAgICB4bWxuczp0aWZmPSJodHRwOi8vbnMuYWRvYmUuY29tL3RpZmYvMS4wLyIKICAgICAgICAgICAgeG1sbnM6ZXhpZj0iaHR0cDovL25zLmFkb2JlLmNvbS9leGlmLzEuMC8iPgogICAgICAgICA8dGlmZjpPcmllbnRhdGlvbj4xPC90aWZmOk9yaWVudGF0aW9uPgogICAgICAgICA8dGlmZjpSZXNvbHV0aW9uVW5pdD4yPC90aWZmOlJlc29sdXRpb25Vbml0PgogICAgICAgICA8ZXhpZjpQaXhlbFlEaW1lbnNpb24+MTA4MDwvZXhpZjpQaXhlbFlEaW1lbnNpb24+CiAgICAgICAgIDxleGlmOlBpeGVsWERpbWVuc2lvbj4xOTIwPC9leGlmOlBpeGVsWERpbWVuc2lvbj4KICAgICAgICAgPGV4aWY6Q29sb3JTcGFjZT4xPC9leGlmOkNvbG9yU3BhY2U+CiAgICAgIDwvcmRmOkRlc2NyaXB0aW9uPgogICA8L3JkZjpSREY+CjwveDp4bXBtZXRhPgpivtlTAAAF70lEQVR4Ae1bW4scRRT+qnvu27jG6CYh6yIEQUyCBsQgrOCLREVERRFBX8Q3/TU++OIP0BfRxQfxBiIseAMf1H0Q9cmYTVbXKDOZnZ7uLr9T07XZbDqzM53qRqEO213ddfnOqa9P1SzndANeKmdAudKgtQ6VUmm/338MWr+BMPxLI2gAmSMVAaBTwmUIVAClQuI6xEaWpDq9VUG9FkXRp3Y+LownCc7EPrClhSi6ezwcoqlckSA2ZtANmttsIUljpFlKosm7ZlOu2RpgZyRt0mev2O5SikizNg9PIWpHoJPcbhp2UfO7myhckmzMCFIyQNHrn43w5gsNffxRYLzDmn2zNb1nOZGOZgfq/OeIX3kL6onn8clP7+LtzddxpPkwEn1z2E3Vweb4I7y68n7yyIlz7RTxeBar5unjnOQsjbmuSeloJ8R7V0L1+BpwRSrmMWtPX3G5Ho8Pebw4MDjDZICv4m2c0WvYYfvNQHc4+Fu6xcupIAHckMrCyfBCcU6y1aJD7pkn6dGLp6E6F2l6SVU6AdpLwKkfgJAYpCJUTSzzUUbhKbSyrXx/tppnLzWxW8ER3Bl+T0zZ4ylk2bWUnPkMZsiGKI5Hr8P4Ei/EQYyzzDDYduEYwQkXDJa5liruzyN2SfUACS5C6XLYmkihjjCiCrmuSszSrgrc404Y8CTX4AmeZE9yDQzUoMJ7sie5BgZqUOE92ZNcAwM1qPCe7EmugYEaVHhP9iTXwEANKrwn/+9JNoEtG92y5Tyzmj7mauRser9ijXaMLYt7uaitLtQpse8WTQx4CtoMdfKYO5wocU0GNYMmsyMcnueSmIeDRH8DKgjArIlRNKFcgp7TxFIqGJoBUxk7iSQfNHIa6vS26kjWzO8xjIyYpxGJUhIBLiHCSrAF/MGSSVSRjNgD1o/1FmKmnxQkBTW/CLQisGBJjLoqqYDkiV9oJqr1XTS+dw+D7n9zNtz+ZVbziDiXPKz2LVArX0IzM6KI0WAW4yjbInUcbXrixK/nAZa+4snMjKglHAv+pDdX9/PknuSW7BH0trOrGH98nnNxtAyZIdHMVMfDAVZXnsKDy5cIPSf2xHWvPux8ONP/aMuWRGmFE/vNjaOTe5Jzwwaqi2HYo7+4EeGnQzfucVl3uW1EWUJPdIMuPp3mOb480+fG6BzFOclDZn4XmJJb/znD098AZ3l9mSu+7GKUnXKRg79mxvud+zM8+0AP6a9raP/2EnTrDL1ymz3Koktu+jBU/B3iEx9Q0ZNMHJo3Gv7bJFvrEnG9VOFHstTfnwE+yAH3LesFgyWJ0wm6Mi+jkJ/sF5L8j1VZrlT8vZAnKXt/ReLck62dgRDJtbdCJ7vAy7KK+EIAf5iADR4GUxTIjyj/ECyToE3eCzqfgH040qdI8oc0aRID+R5LcIzjSXTp1VCk6Nq6snO/FqXgzsyHJ3llhC/Fmd3T1BX0vVGV0CBjDsmJh7wdYEQuTJ3868btQgvjeaPtM+k55Szo9F59KO8z88ApmMVNYp2XihnwJFdMsMB7kj3JNTBQgwrvyZ7kGhioQYX3ZE9yDQzUoMJ7sie5BgZqUOE92ZNcAwM1qPCeXAPJlUXhrO02tmVLWz9LacfcONJrW2w5C6rtY9Ftaevdl5WRLIFEiW92edzGo6wiiSf3BIzHbkpPLkwdP/DTh3kt6HOQZboKAOPJihhG5L4aKTv3A60xWQwytCEslXG0PRq2ZVMjTiI4woV82yfZlnRjLm454nqR9JWxb3/65vquZWuckxyGksfR6DQwviOCXu0CQ3pOWT+R+HyXJK8ToNfkSSrku77OUWavH+L9kHMvjW48WakviNlNSHODh/HzsoQWjXNOciuUV4UUzp3udX+/T77mz9WK6fa6yJK9dQV9Dbck20CcfA649xle54BSWGqsDntvcff2sXW7pUYj001ZMKrRdv5OgEuS7bQu9PsDfqOrLwdB/gbU7mTKXwhHMdeIWdkSBjcJP6uyPK4BFHYzpn3VaJEPk98oG3EAniP5onoG/gXss6TatVF26AAAAABJRU5ErkJggg==
2 | 


--------------------------------------------------------------------------------
/default/pipelines/route.yml:
--------------------------------------------------------------------------------
  1 | id: default
  2 | groups: {}
  3 | routes:
  4 |   - id: EowzcS
  5 |     name: Windows_XML_Events
  6 |     final: true
  7 |     disabled: false
  8 |     pipeline: WindowsXMLEvents
  9 |     description: Process Windows XML Events
 10 |     clones: []
 11 |     enableOutputExpression: false
 12 |     outputExpression: null
 13 |     filter: /^<Event xmlns=/.test(_raw)
 14 |     output: default
 15 |   - id: QLzBMK
 16 |     name: Windows_Classic_Events
 17 |     final: true
 18 |     disabled: false
 19 |     pipeline: WindowsClassicEvents
 20 |     description: ""
 21 |     clones: []
 22 |     enableOutputExpression: false
 23 |     outputExpression: null
 24 |     filter: /^\d+\/\d+\/\d+\s\d+:\d+:\d+\s\w+[\r\n]+LogName=(?:Security|Application|System)/.test(_raw)
 25 |     output: default
 26 |   - id: ILTBBd
 27 |     name: Windows_Classic_Events_Embedded_XML
 28 |     final: true
 29 |     disabled: false
 30 |     pipeline: WindowsClassicXMLEvents
 31 |     description: Windows Classic Events with Embedded XML in the Message
 32 |     clones: []
 33 |     enableOutputExpression: false
 34 |     outputExpression: null
 35 |     filter: /XML:/.test(_raw)
 36 |     output: default
 37 |   - id: kydWmM
 38 |     name: Windows_Powershell_Events
 39 |     final: true
 40 |     disabled: false
 41 |     pipeline: WindowsClassicEvents
 42 |     description: ""
 43 |     clones: []
 44 |     enableOutputExpression: false
 45 |     outputExpression: null
 46 |     filter: /^\d+\/\d+\/\d+\s\d+:\d+:\d+\s\w+[\r\n]+LogName=Microsoft-Windows-PowerShell/.test(_raw)
 47 |     output: default
 48 |   - id: g2B9K0
 49 |     name: WinRegistry
 50 |     final: true
 51 |     disabled: false
 52 |     pipeline: WindowsClassicEvents
 53 |     description: ""
 54 |     clones: []
 55 |     enableOutputExpression: false
 56 |     outputExpression: null
 57 |     filter: /^.+[\n\r]+event_status/.test(_raw)
 58 |     output: default
 59 |   - id: pRE5ms
 60 |     name: WinNetMon
 61 |     final: true
 62 |     disabled: false
 63 |     pipeline: WindowsClassicEvents
 64 |     description: ""
 65 |     clones: []
 66 |     enableOutputExpression: false
 67 |     outputExpression: null
 68 |     filter: /^AddressFamily=/.test(_raw)
 69 |     output: default
 70 |   - id: CdkAjp
 71 |     name: WinHostMon
 72 |     final: true
 73 |     disabled: false
 74 |     pipeline: WindowsClassicEvents
 75 |     description: ""
 76 |     clones: []
 77 |     enableOutputExpression: false
 78 |     outputExpression: null
 79 |     filter: /^Type=/.test(_raw)
 80 |     output: default
 81 |   - id: XLAPBy
 82 |     name: Windows_DNS
 83 |     final: true
 84 |     disabled: false
 85 |     pipeline: WinDNS
 86 |     description: ""
 87 |     clones: []
 88 |     enableOutputExpression: false
 89 |     outputExpression: null
 90 |     filter: /^\d+\/\d+\/\d+\s\d+:\d+:\d+\s\w+.+?(?:UDP|TCP)/.test(_raw)
 91 |     output: default
 92 |   - id: Cgl8gW
 93 |     name: NXLog
 94 |     final: true
 95 |     disabled: false
 96 |     pipeline: NX_Log
 97 |     description: ""
 98 |     clones: []
 99 |     enableOutputExpression: false
100 |     outputExpression: null
101 |     filter: /^\<\d+\>\w+\s\d+\s\d+:\d+:\d+/.test(_raw)
102 |     output: default
103 |   - id: ZSttHj
104 |     name: Perfmon
105 |     final: true
106 |     disabled: false
107 |     pipeline: Perfmon
108 |     description: ""
109 |     clones: []
110 |     enableOutputExpression: false
111 |     outputExpression: null
112 |     filter: /collection=/.test(_raw)
113 |     output: default
114 |   - id: default
115 |     name: default
116 |     final: true
117 |     disabled: false
118 |     pipeline: main
119 |     description: ""
120 |     clones: []
121 |     enableOutputExpression: false
122 |     outputExpression: null
123 |     filter: "true"
124 |     output: default
125 | comments: []
126 | 


--------------------------------------------------------------------------------
/default/pipelines/WindowsClassicXMLEvents/conf.yml:
--------------------------------------------------------------------------------
  1 | output: default
  2 | groups:
  3 |   EmwFXi:
  4 |     name: Embedded XML
  5 |     description: Classic Windows Events with Embedded XML
  6 |     index: 2
  7 | asyncFuncTimeout: 1000
  8 | functions:
  9 |   - id: comment
 10 |     filter: "true"
 11 |     disabled: null
 12 |     conf:
 13 |       comment: >-
 14 |         Description:  This pipeline converts Windows Classic with embedded XML
 15 |         in the Message to JSON
 16 | 
 17 |         Author:       David Maislin - david@cribl.io
 18 | 
 19 |         Date:         2022-01-09
 20 | 
 21 |         Note:         Come find me on Slack - https://cribl.io/community - cribl-community.slack.com
 22 |   - id: comment
 23 |     filter: "true"
 24 |     disabled: null
 25 |     conf:
 26 |       comment: Please enable Descriptions - (Select top left three bars)
 27 |   - id: mask
 28 |     filter: "true"
 29 |     disabled: false
 30 |     conf:
 31 |       rules:
 32 |         - matchRegex: /^/
 33 |           replaceExpr: "'Timestamp='"
 34 |       fields:
 35 |         - _raw
 36 |     description: Make timestamp align with the keys and values
 37 |     groupId: EmwFXi
 38 |   - id: mask
 39 |     filter: "true"
 40 |     disabled: false
 41 |     conf:
 42 |       rules:
 43 |         - matchRegex: /\r/gm
 44 |           replaceExpr: "'\\n'"
 45 |         - matchRegex: /\n+/gm
 46 |           replaceExpr: "'\\n'"
 47 |       fields:
 48 |         - _raw
 49 |     description: Remove all of the redundant carriage returns (\r) and new line feeds (\n)
 50 |       and replace with only a single new line feed
 51 |     groupId: EmwFXi
 52 |   - id: regex_extract
 53 |     filter: "true"
 54 |     disabled: false
 55 |     conf:
 56 |       source: _raw
 57 |       iterations: 100
 58 |       overwrite: true
 59 |       regex: /(?<_raw>[\S\s]+)Additional Data(?<XML>[\S\s]+)/gm
 60 |       regexList: []
 61 |     description: Pull XML into __xml internal field
 62 |     groupId: EmwFXi
 63 |   - id: mask
 64 |     filter: XML
 65 |     disabled: false
 66 |     conf:
 67 |       rules:
 68 |         - matchRegex: /\s\n/gm
 69 |           replaceExpr: "'\\n'"
 70 |       fields:
 71 |         - _raw
 72 |     groupId: EmwFXi
 73 |     description: Remove trailing spaces
 74 |   - id: regex_extract
 75 |     filter: XML
 76 |     disabled: false
 77 |     conf:
 78 |       source: _raw
 79 |       iterations: 100
 80 |       overwrite: false
 81 |       regex: /(?<_KEY_0>[^=]+=)(?<_VALUE_0>[^\n]+)\n/gm
 82 |     description: Extract remaining Key=Value pairs from _raw
 83 |     groupId: EmwFXi
 84 |   - id: eval
 85 |     filter: XML
 86 |     disabled: false
 87 |     conf:
 88 |       add:
 89 |         - value: C.Text.parseWinEvent(XML)
 90 |           name: XML
 91 |     description: Parse XML fields and transform it into JSON
 92 |     groupId: EmwFXi
 93 |   - id: mask
 94 |     filter: XML
 95 |     disabled: false
 96 |     conf:
 97 |       rules:
 98 |         - matchRegex: /\s\n/gm
 99 |           replaceExpr: "'\\n'"
100 |         - matchRegex: /:\s/gm
101 |           replaceExpr: "':'"
102 |       fields:
103 |         - _raw
104 |     description: 'Fix any spaces before delimiters like \s: such as "Subject  :" or at the
105 |       end of fields'
106 |     groupId: EmwFXi
107 |   - id: mask
108 |     filter: XML
109 |     disabled: false
110 |     conf:
111 |       rules:
112 |         - replaceExpr: "`${g1.replace(/\\s/gm,'')}=`"
113 |           matchRegex: /^([A-Za-z0-9 ].+?)(:)/gm
114 |       fields:
115 |         - _raw
116 |     description: 'Remove spaces in Keys such as "Activity ID" and set : to ='
117 |     groupId: EmwFXi
118 |   - id: serde
119 |     filter: XML
120 |     disabled: false
121 |     conf:
122 |       mode: extract
123 |       type: json
124 |       srcField: XML
125 |       remove: []
126 |     description: Extract XML field to top level fields
127 |     groupId: EmwFXi
128 |   - id: serialize
129 |     filter: XML
130 |     disabled: false
131 |     conf:
132 |       type: json
133 |       dstField: _raw
134 |       fields:
135 |         - "!_*"
136 |         - "!cribl_*"
137 |         - "!XML*"
138 |         - "*"
139 |     description: Serialize all the needed fields to _raw
140 |     groupId: EmwFXi
141 |   - id: eval
142 |     filter: XML
143 |     disabled: false
144 |     conf:
145 |       keep:
146 |         - _*
147 |         - cribl_*
148 |       remove:
149 |         - "*"
150 |       add:
151 |         - name: _raw
152 |           value: JSON.parse(_raw)
153 |     description: Convert _raw JSON String to Object Literal
154 |     groupId: EmwFXi
155 | 


--------------------------------------------------------------------------------
/samples/VCHrav.json:
--------------------------------------------------------------------------------
1 | [{"_raw":"05/18/2021 08:00:00.000\nevent_status=\"(0)The operation completed successfully.\"\npid=2604\nprocess_image=\"c:\\Windows\\ADWS\\Microsoft.ActiveDirectory.WebServices.exe\"\nregistry_type=\"CreateKey\"\nkey_path=\"HKLM\\system\\controlset001\\services\\tcpip\\parameters\"\ndata_type=\"REG_NONE\"\ndata=\"\"","_time":1621342800,"source":"WinRegistry","host":"host.acme.com","sourcetype":"WinRegistry","cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00.000\nevent_status=\"(0)The operation completed successfully.\"\npid=2604\nprocess_image=\"c:\\Windows\\ADWS\\Microsoft.ActiveDirectory.WebServices.exe\"\nregistry_type=\"CreateKey\"\nkey_path=\"HKLM\\system\\controlset001\\services\\tcpip\\parameters\"\ndata_type=\"REG_NONE\"\ndata=\"\"","_time":1621342800,"source":"WinRegistry","host":"host.acme.com","sourcetype":"WinRegistry","cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00.000\nevent_status=\"(0)The operation completed successfully.\"\npid=740\nprocess_image=\"c:\\Windows\\System32\\lsass.exe\"\nregistry_type=\"CreateKey\"\nkey_path=\"HKLM\\system\\controlset001\\services\\tcpip\\parameters\"\ndata_type=\"REG_NONE\"\ndata=\"\"","_time":1621342800,"source":"WinRegistry","host":"host.acme.com","sourcetype":"WinRegistry","cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00.000\nevent_status=\"(0)The operation completed successfully.\"\npid=2652\nprocess_image=\"c:\\Windows\\System32\\dfsrs.exe\"\nregistry_type=\"CreateKey\"\nkey_path=\"HKLM\\system\\controlset001\\services\\dfsr\\parameters\\replication groups\\1cceb9e6-5e07-49a9-b88e-b1a65844ce6c\"\ndata_type=\"REG_NONE\"\ndata=\"\"","_time":1621342800,"source":"WinRegistry","host":"host.acme.com","sourcetype":"WinRegistry","cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00.000\nevent_status=\"(0)The operation completed successfully.\"\npid=2652\nprocess_image=\"c:\\Windows\\System32\\dfsrs.exe\"\nregistry_type=\"SetValue\"\nkey_path=\"HKLM\\system\\controlset001\\services\\dfsr\\parameters\\replication groups\\1cceb9e6-5e07-49a9-b88e-b1a65844ce6c\\replica set configuration file\"\ndata_type=\"REG_EXPAND_SZ\"\ndata=\"\\\\?\\C:\\System Volume Information\\DFSR\\Config\\Replica_1CCEB9E6-5E07-49A9-B88E-B1A65844CE6C.XML\"","_time":1621342800,"source":"WinRegistry","host":"host.acme.com","sourcetype":"WinRegistry","cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00.000\nevent_status=\"(0)The operation completed successfully.\"\npid=2652\nprocess_image=\"c:\\Windows\\System32\\dfsrs.exe\"\nregistry_type=\"SetValue\"\nkey_path=\"HKLM\\system\\controlset001\\services\\dfsr\\parameters\\replication groups\\1cceb9e6-5e07-49a9-b88e-b1a65844ce6c\\config source\"\ndata_type=\"REG_DWORD\"\ndata=\"0x00000001(1)\"","_time":1621342800,"source":"WinRegistry","host":"host.acme.com","sourcetype":"WinRegistry","cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00.000\nevent_status=\"(0)The operation completed successfully.\"\npid=2652\nprocess_image=\"c:\\Windows\\System32\\dfsrs.exe\"\nregistry_type=\"CreateKey\"\nkey_path=\"HKLM\\system\\controlset001\\services\\dfsr\\access checks\\replication groups\\1cceb9e6-5e07-49a9-b88e-b1a65844ce6c\"\ndata_type=\"REG_NONE\"\ndata=\"\"","_time":1621342800,"source":"WinRegistry","host":"host.acme.com","sourcetype":"WinRegistry","cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00.000\nevent_status=\"(0)The operation completed successfully.\"\npid=2652\nprocess_image=\"c:\\Windows\\System32\\dfsrs.exe\"\nregistry_type=\"CreateKey\"\nkey_path=\"HKLM\\system\\controlset001\\services\\dfsr\\parameters\\volumes\\7eebd808-0000-0000-0000-100000000000\"\ndata_type=\"REG_NONE\"\ndata=\"\"","_time":1621342800,"source":"WinRegistry","host":"host.acme.com","sourcetype":"WinRegistry","cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00.000\nevent_status=\"(0)The operation completed successfully.\"\npid=2652\nprocess_image=\"c:\\Windows\\System32\\dfsrs.exe\"\nregistry_type=\"SetValue\"\nkey_path=\"HKLM\\system\\controlset001\\services\\dfsr\\parameters\\volumes\\7eebd808-0000-0000-0000-100000000000\\volume configuration file\"\ndata_type=\"REG_EXPAND_SZ\"\ndata=\"\\\\.\\C:\\System Volume Information\\DFSR\\Config\\Volume_7EEBD808-0000-0000-0000-100000000000.XML\"","_time":1621342800,"source":"WinRegistry","host":"host.acme.com","sourcetype":"WinRegistry","cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00.000\nevent_status=\"(0)The operation completed successfully.\"\npid=740\nprocess_image=\"c:\\Windows\\System32\\lsass.exe\"\nregistry_type=\"CreateKey\"\nkey_path=\"HKLM\\system\\controlset001\\services\\tcpip\\parameters\"\ndata_type=\"REG_NONE\"\ndata=\"\"","_time":1621342800,"source":"WinRegistry","host":"host.acme.com","sourcetype":"WinRegistry","cribl_breaker":"Break on newlines"}]


--------------------------------------------------------------------------------
/data/samples/VCHrav.json:
--------------------------------------------------------------------------------
1 | [{"_raw":"05/18/2021 08:00:00.000\nevent_status=\"(0)The operation completed successfully.\"\npid=2604\nprocess_image=\"c:\\Windows\\ADWS\\Microsoft.ActiveDirectory.WebServices.exe\"\nregistry_type=\"CreateKey\"\nkey_path=\"HKLM\\system\\controlset001\\services\\tcpip\\parameters\"\ndata_type=\"REG_NONE\"\ndata=\"\"","_time":1621342800,"source":"WinRegistry","host":"host.acme.com","sourcetype":"WinRegistry","cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00.000\nevent_status=\"(0)The operation completed successfully.\"\npid=2604\nprocess_image=\"c:\\Windows\\ADWS\\Microsoft.ActiveDirectory.WebServices.exe\"\nregistry_type=\"CreateKey\"\nkey_path=\"HKLM\\system\\controlset001\\services\\tcpip\\parameters\"\ndata_type=\"REG_NONE\"\ndata=\"\"","_time":1621342800,"source":"WinRegistry","host":"host.acme.com","sourcetype":"WinRegistry","cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00.000\nevent_status=\"(0)The operation completed successfully.\"\npid=740\nprocess_image=\"c:\\Windows\\System32\\lsass.exe\"\nregistry_type=\"CreateKey\"\nkey_path=\"HKLM\\system\\controlset001\\services\\tcpip\\parameters\"\ndata_type=\"REG_NONE\"\ndata=\"\"","_time":1621342800,"source":"WinRegistry","host":"host.acme.com","sourcetype":"WinRegistry","cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00.000\nevent_status=\"(0)The operation completed successfully.\"\npid=2652\nprocess_image=\"c:\\Windows\\System32\\dfsrs.exe\"\nregistry_type=\"CreateKey\"\nkey_path=\"HKLM\\system\\controlset001\\services\\dfsr\\parameters\\replication groups\\1cceb9e6-5e07-49a9-b88e-b1a65844ce6c\"\ndata_type=\"REG_NONE\"\ndata=\"\"","_time":1621342800,"source":"WinRegistry","host":"host.acme.com","sourcetype":"WinRegistry","cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00.000\nevent_status=\"(0)The operation completed successfully.\"\npid=2652\nprocess_image=\"c:\\Windows\\System32\\dfsrs.exe\"\nregistry_type=\"SetValue\"\nkey_path=\"HKLM\\system\\controlset001\\services\\dfsr\\parameters\\replication groups\\1cceb9e6-5e07-49a9-b88e-b1a65844ce6c\\replica set configuration file\"\ndata_type=\"REG_EXPAND_SZ\"\ndata=\"\\\\?\\C:\\System Volume Information\\DFSR\\Config\\Replica_1CCEB9E6-5E07-49A9-B88E-B1A65844CE6C.XML\"","_time":1621342800,"source":"WinRegistry","host":"host.acme.com","sourcetype":"WinRegistry","cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00.000\nevent_status=\"(0)The operation completed successfully.\"\npid=2652\nprocess_image=\"c:\\Windows\\System32\\dfsrs.exe\"\nregistry_type=\"SetValue\"\nkey_path=\"HKLM\\system\\controlset001\\services\\dfsr\\parameters\\replication groups\\1cceb9e6-5e07-49a9-b88e-b1a65844ce6c\\config source\"\ndata_type=\"REG_DWORD\"\ndata=\"0x00000001(1)\"","_time":1621342800,"source":"WinRegistry","host":"host.acme.com","sourcetype":"WinRegistry","cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00.000\nevent_status=\"(0)The operation completed successfully.\"\npid=2652\nprocess_image=\"c:\\Windows\\System32\\dfsrs.exe\"\nregistry_type=\"CreateKey\"\nkey_path=\"HKLM\\system\\controlset001\\services\\dfsr\\access checks\\replication groups\\1cceb9e6-5e07-49a9-b88e-b1a65844ce6c\"\ndata_type=\"REG_NONE\"\ndata=\"\"","_time":1621342800,"source":"WinRegistry","host":"host.acme.com","sourcetype":"WinRegistry","cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00.000\nevent_status=\"(0)The operation completed successfully.\"\npid=2652\nprocess_image=\"c:\\Windows\\System32\\dfsrs.exe\"\nregistry_type=\"CreateKey\"\nkey_path=\"HKLM\\system\\controlset001\\services\\dfsr\\parameters\\volumes\\7eebd808-0000-0000-0000-100000000000\"\ndata_type=\"REG_NONE\"\ndata=\"\"","_time":1621342800,"source":"WinRegistry","host":"host.acme.com","sourcetype":"WinRegistry","cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00.000\nevent_status=\"(0)The operation completed successfully.\"\npid=2652\nprocess_image=\"c:\\Windows\\System32\\dfsrs.exe\"\nregistry_type=\"SetValue\"\nkey_path=\"HKLM\\system\\controlset001\\services\\dfsr\\parameters\\volumes\\7eebd808-0000-0000-0000-100000000000\\volume configuration file\"\ndata_type=\"REG_EXPAND_SZ\"\ndata=\"\\\\.\\C:\\System Volume Information\\DFSR\\Config\\Volume_7EEBD808-0000-0000-0000-100000000000.XML\"","_time":1621342800,"source":"WinRegistry","host":"host.acme.com","sourcetype":"WinRegistry","cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00.000\nevent_status=\"(0)The operation completed successfully.\"\npid=740\nprocess_image=\"c:\\Windows\\System32\\lsass.exe\"\nregistry_type=\"CreateKey\"\nkey_path=\"HKLM\\system\\controlset001\\services\\tcpip\\parameters\"\ndata_type=\"REG_NONE\"\ndata=\"\"","_time":1621342800,"source":"WinRegistry","host":"host.acme.com","sourcetype":"WinRegistry","cribl_breaker":"Break on newlines"}]


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Windows Pack
  2 | ----
  3 | Deprecated release.  Please seek out other releases:
  4 | https://github.com/criblpacks/cribl-splunk-forwarder-windows-classic-events-to-json
  5 | https://github.com/criblpacks/cribl-splunk-forwarder-windows-xml-events-to-json
  6 | 
  7 | 
  8 | This pack is targeted for collections of Window events in the Classic or newer XML format. For events in the Classic format, sometimes the Message field contains XML.  These Message fields are also taken into consideration.  The `WindowsClassicEvents` and `WindowsXMLEvents` pipelines inside the pack gives you the ability to shape events into JSON or Key=Value format and dramatically reduce event sizes.
  9 | 
 10 | # Important Information
 11 | ---
 12 | ```
 13 | This pack may be incompatible with some Splunk dashboards that depend on specific field extractions.
 14 | The Windows-TA will also not work with this pack as all events are in a clean universal format.
 15 | 
 16 | Please review various Splunk add-ons and configuration files such as props.conf or transforms.conf and make adjustments as necessary.
 17 | The final output is JSON, but you can use Serialize to change to other formats if necessary.
 18 | JSON or KV formats can be auto-extracted in Splunk
 19 | 
 20 | In Splunk:
 21 | Step 1: Disable the Windows-TA
 22 | Step 2: If events are transformed to JSON set kv_mode=json
 23 | Step 3: Evaluate the fields and dashboards and see if you need to make alias in Splunk or add a Rename function in LogStream.
 24 | ```
 25 | 
 26 | # What to Expect
 27 | ---
 28 | * Classic Event Reduction:  Expect up to 70% reduction in the event size.
 29 | * XML Event Reduction:  Expect a range from 25%-50% reduction in the event size.
 30 | 
 31 | ## Requirements
 32 | ---
 33 | Before you begin, ensure that you have met the following requirements:
 34 | 
 35 | 1. Create a Route with with a filter for your Windows events
 36 | 2. Select the `Windows` pack as the pipeline.
 37 | 
 38 | ## Installation
 39 | ---
 40 | Download the most recent .crbl file in the repo [`releases page`](https://github.com/criblpacks/cribl-windows-events/releases)
 41 | 
 42 | ## Release Notes
 43 | ---
 44 | ### NO MORE RELEASES
 45 | - Deprecated release.  Please seek out other releases here and in our official [Cribl Packs Dispensary](https://packs.cribl.io)
 46 | 
 47 | * [`CLASSIC`](https://github.com/criblpacks/cribl-splunk-forwarder-windows-classic-events-to-json)
 48 | 
 49 | * [`XML`](https://github.com/criblpacks/cribl-splunk-forwarder-windows-xml-events-to-json)
 50 | 
 51 | ### Version 1.0.3 - 2022-04-01
 52 | - Changed Classic Pipeline to work on _raw due to Mask performance issues on __internal fields.
 53 | 
 54 | ### Version 1.0.2 - 2022-03-21
 55 | - Minor cleanup
 56 | 
 57 | ### Version 1.0.0 - 2022-03-09
 58 | - Added support for Windows events from NXLog
 59 | - Added support for Windows Perfmon
 60 | 
 61 | ### Version 0.9.3 - 2022-02-07
 62 | - Improved XML pipeline to keep full nesting of JSON
 63 | - Added support for other nested data in the Message
 64 | 
 65 | ### Version 0.9.2 - 2022-01-31
 66 | - Added support for when there are entire code blocks {} or scripts in the Message like event code 4104
 67 | - Added support for nuances in event code 1644
 68 | 
 69 | ### Version 0.9.1 - 2022-01-27
 70 | - Added Classic with Embedded XML Message Route and Pipeline
 71 | 
 72 | ### Version 0.9.0 - 2022-01-26
 73 | - Complete rewrite of Windows Classic Event Processing pipeline
 74 | - Added support for WinEvent, WinHost, Active Directory as they all work with Classic or XML events
 75 | - Added Route and pipeline for Windows DNS events
 76 | 
 77 | ### Version 0.5.5 - 2021-08-19
 78 | - Added Field Filter Expression to Classic Pipeline final Parser to optionally remove values of '-'
 79 | - Updated Eval to keep cribl_breaker from drop all fields
 80 | - Updated sample data
 81 | 
 82 | ### Version 0.5.4 - 2021-08-13
 83 | - Added support for new Display name of Pack
 84 | - Added support for PowerShell events
 85 | - Fixed Regex to ensure it gets the last Key=Value that doesn't contain a return
 86 | 
 87 | ### Version 0.5.3 - 2021-07-19
 88 | - Removed unnecessary Parser function at the end of the WindowsXML pipeline as this step contradicts the Eval functions above
 89 | 
 90 | ### Version 0.5.2 - 2021-07-16
 91 | - Updated the README with additional release notes
 92 | 
 93 | ### Version 0.5.1 - 2021-07-13
 94 | - Updated README with information for installing the pack
 95 | - Added actions for publishing .crbl from repo when new release is cut
 96 | 
 97 | ### Version 0.5.0 - 2021-07-10
 98 | Initial release! Windows events are big and ugly and LogStream Packs are beautiful!
 99 | 
100 | Support for: WindowsXMLEvents and WindowsClassicEvents
101 | 
102 | 
103 | ## Contributing to the Pack
104 | ---
105 | Discuss this pack on our Community Slack channel [#packs](https://cribl-community.slack.com/archives/C021UP7ETM3).
106 | 
107 | ## Contact
108 | ---
109 | The author of this pack is David Maislin and can be contacted at <david@cribl.io>.
110 | 
111 | ## License
112 | ---
113 | This Pack uses the following license: [`Apache 2.0`](https://github.com/criblio/appscope/blob/master/LICENSE).
114 | 


--------------------------------------------------------------------------------
/samples/Jtmfrq.json:
--------------------------------------------------------------------------------
1 | [{"_raw":"<14>Jan 28 13:33:30 myhost.acme.com MSWinEventLog\t1\tSecurity\t1377326\tFri Jan 28 13:33:30 2022\t4634\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tmyhost.acme.com\tLogoff\t\tAn account was logged off.    Subject:   Security ID:  S-1-5-21-55707212-1548826408-2619092472-50115   Account Name:  jsmith   Account Domain:  acme.com   Logon ID:  0x1d9d0bf98    Logon Type:   2    This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\t952188769","_time":1643398410,"cribl_breaker":"Break on newlines"},{"_raw":"<14>Jan 28 13:33:30 myhost.acme.com MSWinEventLog\t1\tSecurity\t510951\tFri Jan 28 13:33:30 2022\t4674\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tmyhost.acme.com\tSensitive Privilege Use\t\tAn operation was attempted on a privileged object.    Subject:   Security ID:  S-1-5-21-55707212-1548826408-2619092472-97425   Account Name:  jsmith   Account Domain:  acme.com   Logon ID:  0xb15a4    Object:   Object Server: Security   Object Type: -   Object Name: -   Object Handle: 0x8350    Process Information:   Process ID: 0x3ff0   Process Name: D:\\xxxxx\\xxxxx\\file.exe    Requested Operation:   Desired Access: 1048577   Privileges:  SeBackupPrivilege\t1036644788","_time":1643398410,"cribl_breaker":"Break on newlines"},{"_raw":"<14>Jan 28 13:33:30 myhost.acme.com MSWinEventLog\t1\tSecurity\t374182\tFri Jan 28 13:33:30 2022\t4624\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tmyhost.acme.com\tLogon\t\tAn account was successfully logged on.    Subject:   Security ID:  S-1-0-0   Account Name:  -   Account Domain:  -   Logon ID:  0x0    Logon Type:   3    Impersonation Level:  Impersonation    New Logon:   Security ID:  S-1-5-21-828144833-3262232118-2855860117-77205   Account Name:  jsmith   Account Domain:  acme.com   Logon ID:  0x3AEFC979   Logon GUID:  {A633D583-2957-9FFD-13B5-954D79156382}    Process Information:   Process ID:  0x0   Process Name:  -    Network Information:   Workstation Name: -   Source Network Address: -   Source Port:  -    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.    The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.    The impersonation level field indicates the extent to which a process in the logon session can impersonate.    The authentication information fields provide detailed information about this specific logon request.   - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.   - Transited services indicate which intermediate services have participated in this logon request.   - Package name indicates which sub-protocol was used among the NTLM protocols.   - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\t788385306","_time":1643398410,"cribl_breaker":"Break on newlines"},{"_raw":"<14>Jan 28 12:33:30 myhost.acme.com MSWinEventLog\t1\tSecurity\t513611\tFri Jan 28 12:33:30 2022\t4688\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tmyhost.acme.com\tProcess Creation\t\tA new process has been created.    Creator Subject:   Security ID:  S-1-5-21-478741036-1442749419-1446792091-219251   Account Name:  jsmith   Account Domain:  acme.com   Logon ID:  0x34BAC    Target Subject:   Security ID:  S-1-0-0   Account Name:  -   Account Domain:  -   Logon ID:  0x0    Process Information:   New Process ID:  0x233c   New Process Name: C:\\Windows\\System32\\file.exe   Token Elevation Type: %%1936   Mandatory Label:  S-1-16-12288   Creator Process ID: 0x25f8   Creator Process Name: C:\\Windows\\System32\\cmd.exe   Process Command Line: \\??\\C:\\Windows\\system32\\file.exe 0xffffffff -ForceV1    Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.    Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.    Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.    Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.\t460046410","_time":1643394810,"cribl_breaker":"Break on newlines"},{"_raw":"<14>Jan 28 13:33:30 myhost.acme.com MSWinEventLog\t1\tSecurity\t2186686\tFri Jan 28 13:33:30 2022\t4672\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tmyhost.acme.com\tSpecial Logon\t\tSpecial privileges assigned to new logon.    Subject:   Security ID:  S-1-5-18   Account Name:  jsmith$   Account Domain:  CLOUD   Logon ID:  0x25628E94C    Privileges:  SeSecurityPrivilege     SeBackupPrivilege     SeRestorePrivilege     SeTakeOwnershipPrivilege     SeDebugPrivilege     SeSystemEnvironmentPrivilege     SeImpersonatePrivilege     SeTcbPrivilege     SeLoadDriverPrivilege\t198601217","_time":1643398410,"cribl_breaker":"Break on newlines"}]


--------------------------------------------------------------------------------
/data/samples/Jtmfrq.json:
--------------------------------------------------------------------------------
1 | [{"_raw":"<14>Jan 28 13:33:30 myhost.acme.com MSWinEventLog\t1\tSecurity\t1377326\tFri Jan 28 13:33:30 2022\t4634\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tmyhost.acme.com\tLogoff\t\tAn account was logged off.    Subject:   Security ID:  S-1-5-21-55707212-1548826408-2619092472-50115   Account Name:  jsmith   Account Domain:  acme.com   Logon ID:  0x1d9d0bf98    Logon Type:   2    This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\t952188769","_time":1643398410,"cribl_breaker":"Break on newlines"},{"_raw":"<14>Jan 28 13:33:30 myhost.acme.com MSWinEventLog\t1\tSecurity\t510951\tFri Jan 28 13:33:30 2022\t4674\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tmyhost.acme.com\tSensitive Privilege Use\t\tAn operation was attempted on a privileged object.    Subject:   Security ID:  S-1-5-21-55707212-1548826408-2619092472-97425   Account Name:  jsmith   Account Domain:  acme.com   Logon ID:  0xb15a4    Object:   Object Server: Security   Object Type: -   Object Name: -   Object Handle: 0x8350    Process Information:   Process ID: 0x3ff0   Process Name: D:\\xxxxx\\xxxxx\\file.exe    Requested Operation:   Desired Access: 1048577   Privileges:  SeBackupPrivilege\t1036644788","_time":1643398410,"cribl_breaker":"Break on newlines"},{"_raw":"<14>Jan 28 13:33:30 myhost.acme.com MSWinEventLog\t1\tSecurity\t374182\tFri Jan 28 13:33:30 2022\t4624\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tmyhost.acme.com\tLogon\t\tAn account was successfully logged on.    Subject:   Security ID:  S-1-0-0   Account Name:  -   Account Domain:  -   Logon ID:  0x0    Logon Type:   3    Impersonation Level:  Impersonation    New Logon:   Security ID:  S-1-5-21-828144833-3262232118-2855860117-77205   Account Name:  jsmith   Account Domain:  acme.com   Logon ID:  0x3AEFC979   Logon GUID:  {A633D583-2957-9FFD-13B5-954D79156382}    Process Information:   Process ID:  0x0   Process Name:  -    Network Information:   Workstation Name: -   Source Network Address: -   Source Port:  -    Detailed Authentication Information:   Logon Process:  Kerberos   Authentication Package: Kerberos   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is created. It is generated on the computer that was accessed.    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.    The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.    The impersonation level field indicates the extent to which a process in the logon session can impersonate.    The authentication information fields provide detailed information about this specific logon request.   - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.   - Transited services indicate which intermediate services have participated in this logon request.   - Package name indicates which sub-protocol was used among the NTLM protocols.   - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\t788385306","_time":1643398410,"cribl_breaker":"Break on newlines"},{"_raw":"<14>Jan 28 12:33:30 myhost.acme.com MSWinEventLog\t1\tSecurity\t513611\tFri Jan 28 12:33:30 2022\t4688\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tmyhost.acme.com\tProcess Creation\t\tA new process has been created.    Creator Subject:   Security ID:  S-1-5-21-478741036-1442749419-1446792091-219251   Account Name:  jsmith   Account Domain:  acme.com   Logon ID:  0x34BAC    Target Subject:   Security ID:  S-1-0-0   Account Name:  -   Account Domain:  -   Logon ID:  0x0    Process Information:   New Process ID:  0x233c   New Process Name: C:\\Windows\\System32\\file.exe   Token Elevation Type: %%1936   Mandatory Label:  S-1-16-12288   Creator Process ID: 0x25f8   Creator Process Name: C:\\Windows\\System32\\cmd.exe   Process Command Line: \\??\\C:\\Windows\\system32\\file.exe 0xffffffff -ForceV1    Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.    Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.    Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.    Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.\t460046410","_time":1643394810,"cribl_breaker":"Break on newlines"},{"_raw":"<14>Jan 28 13:33:30 myhost.acme.com MSWinEventLog\t1\tSecurity\t2186686\tFri Jan 28 13:33:30 2022\t4672\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tmyhost.acme.com\tSpecial Logon\t\tSpecial privileges assigned to new logon.    Subject:   Security ID:  S-1-5-18   Account Name:  jsmith$   Account Domain:  CLOUD   Logon ID:  0x25628E94C    Privileges:  SeSecurityPrivilege     SeBackupPrivilege     SeRestorePrivilege     SeTakeOwnershipPrivilege     SeDebugPrivilege     SeSystemEnvironmentPrivilege     SeImpersonatePrivilege     SeTcbPrivilege     SeLoadDriverPrivilege\t198601217","_time":1643398410,"cribl_breaker":"Break on newlines"}]


--------------------------------------------------------------------------------
/samples/2FiJff.json:
--------------------------------------------------------------------------------
1 | [{"_raw":"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-9876-A1B2-3E3B0328C30D}'/><EventID>4625</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime='2020-05-18T08:00:00.000000000Z'/><EventRecordID>1598720</EventRecordID><Correlation/><Execution ProcessID='740' ThreadID='948'/><Channel>Security</Channel><Computer>host.acme.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-0-0</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>ADMINISTRATOR</Data><Data Name='TargetDomainName'></Data><Data Name='Status'>0xc000006d</Data><Data Name='FailureReason'>%%2313</Data><Data Name='SubStatus'>0xc000006a</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>-</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>127.0.0.1</Data><Data Name='IpPort'>0</Data></EventData></Event>","_time":1621342800,"cribl_breaker":"Break on newlines"},{"_raw":"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-9876-A1B2-3E3B0328C30D}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2020-05-18T08:00:00.000000000Z'/><EventRecordID>1598721</EventRecordID><Correlation/><Execution ProcessID='740' ThreadID='2508'/><Channel>Security</Channel><Computer>host.acme.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>EC2AMAZ-CPMK6J5$</Data><Data Name='SubjectDomainName'>ACME</Data><Data Name='SubjectLogonId'>0xa58ba5</Data><Data Name='PrivilegeList'>SeSecurityPrivilege\n            SeBackupPrivilege\n            SeRestorePrivilege\n            SeTakeOwnershipPrivilege\n            SeDebugPrivilege\n            SeSystemEnvironmentPrivilege\n            SeLoadDriverPrivilege\n            SeImpersonatePrivilege\n            SeDelegateSessionUserImpersonatePrivilege\n            SeEnableDelegationPrivilege</Data></EventData></Event>","_time":1621342800,"cribl_breaker":"Break on newlines"},{"_raw":"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-9876-A1B2-3E3B0328C30D}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2020-05-18T08:00:00.000000000Z'/><EventRecordID>1598722</EventRecordID><Correlation/><Execution ProcessID='740' ThreadID='2508'/><Channel>Security</Channel><Computer>host.acme.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-0-0</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>JSMITH</Data><Data Name='TargetDomainName'>ACME.POC</Data><Data Name='TargetLogonId'>0xa58ba5</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>Kerberos</Data><Data Name='AuthenticationPackageName'>Kerberos</Data><Data Name='WorkstationName'>-</Data><Data Name='LogonGuid'>{A9F7AB8C-F5DA-B736-AF84-F1A02DFA3FA4}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>::1</Data><Data Name='IpPort'>51932</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>","_time":1621342800,"cribl_breaker":"Break on newlines"},{"_raw":"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-9876-A1B2-3E3B0328C30D}'/><EventID>4634</EventID><Version>0</Version><Level>0</Level><Task>12545</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2020-05-18T08:00:00.000000000Z'/><EventRecordID>1598723</EventRecordID><Correlation/><Execution ProcessID='740' ThreadID='780'/><Channel>Security</Channel><Computer>host.acme.com</Computer><Security/></System><EventData><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>JSMITH</Data><Data Name='TargetDomainName'>ACME</Data><Data Name='TargetLogonId'>0xa58ba5</Data><Data Name='LogonType'>3</Data></EventData></Event>","_time":1621342800,"cribl_breaker":"Break on newlines"},{"_raw":"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-9876-A1B2-3E3B0328C30D}'/><EventID>4625</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime='2020-05-18T08:00:00.000000000Z'/><EventRecordID>1598724</EventRecordID><Correlation/><Execution ProcessID='740' ThreadID='948'/><Channel>Security</Channel><Computer>host.acme.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-0-0</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>SCAN</Data><Data Name='TargetDomainName'></Data><Data Name='Status'>0xc000006d</Data><Data Name='FailureReason'>%%2313</Data><Data Name='SubStatus'>0xc0000064</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>-</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>127.0.0.1</Data><Data Name='IpPort'>0</Data></EventData></Event>","_time":1621342800,"cribl_breaker":"Break on newlines"}]


--------------------------------------------------------------------------------
/data/samples/2FiJff.json:
--------------------------------------------------------------------------------
1 | [{"_raw":"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-9876-A1B2-3E3B0328C30D}'/><EventID>4625</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime='2020-05-18T08:00:00.000000000Z'/><EventRecordID>1598720</EventRecordID><Correlation/><Execution ProcessID='740' ThreadID='948'/><Channel>Security</Channel><Computer>host.acme.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-0-0</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>ADMINISTRATOR</Data><Data Name='TargetDomainName'></Data><Data Name='Status'>0xc000006d</Data><Data Name='FailureReason'>%%2313</Data><Data Name='SubStatus'>0xc000006a</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>-</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>127.0.0.1</Data><Data Name='IpPort'>0</Data></EventData></Event>","_time":1621342800,"cribl_breaker":"Break on newlines"},{"_raw":"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-9876-A1B2-3E3B0328C30D}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2020-05-18T08:00:00.000000000Z'/><EventRecordID>1598721</EventRecordID><Correlation/><Execution ProcessID='740' ThreadID='2508'/><Channel>Security</Channel><Computer>host.acme.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>EC2AMAZ-CPMK6J5$</Data><Data Name='SubjectDomainName'>ACME</Data><Data Name='SubjectLogonId'>0xa58ba5</Data><Data Name='PrivilegeList'>SeSecurityPrivilege\n            SeBackupPrivilege\n            SeRestorePrivilege\n            SeTakeOwnershipPrivilege\n            SeDebugPrivilege\n            SeSystemEnvironmentPrivilege\n            SeLoadDriverPrivilege\n            SeImpersonatePrivilege\n            SeDelegateSessionUserImpersonatePrivilege\n            SeEnableDelegationPrivilege</Data></EventData></Event>","_time":1621342800,"cribl_breaker":"Break on newlines"},{"_raw":"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-9876-A1B2-3E3B0328C30D}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2020-05-18T08:00:00.000000000Z'/><EventRecordID>1598722</EventRecordID><Correlation/><Execution ProcessID='740' ThreadID='2508'/><Channel>Security</Channel><Computer>host.acme.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-0-0</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>JSMITH</Data><Data Name='TargetDomainName'>ACME.POC</Data><Data Name='TargetLogonId'>0xa58ba5</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>Kerberos</Data><Data Name='AuthenticationPackageName'>Kerberos</Data><Data Name='WorkstationName'>-</Data><Data Name='LogonGuid'>{A9F7AB8C-F5DA-B736-AF84-F1A02DFA3FA4}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>::1</Data><Data Name='IpPort'>51932</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>","_time":1621342800,"cribl_breaker":"Break on newlines"},{"_raw":"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-9876-A1B2-3E3B0328C30D}'/><EventID>4634</EventID><Version>0</Version><Level>0</Level><Task>12545</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2020-05-18T08:00:00.000000000Z'/><EventRecordID>1598723</EventRecordID><Correlation/><Execution ProcessID='740' ThreadID='780'/><Channel>Security</Channel><Computer>host.acme.com</Computer><Security/></System><EventData><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>JSMITH</Data><Data Name='TargetDomainName'>ACME</Data><Data Name='TargetLogonId'>0xa58ba5</Data><Data Name='LogonType'>3</Data></EventData></Event>","_time":1621342800,"cribl_breaker":"Break on newlines"},{"_raw":"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-9876-A1B2-3E3B0328C30D}'/><EventID>4625</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime='2020-05-18T08:00:00.000000000Z'/><EventRecordID>1598724</EventRecordID><Correlation/><Execution ProcessID='740' ThreadID='948'/><Channel>Security</Channel><Computer>host.acme.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-0-0</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>SCAN</Data><Data Name='TargetDomainName'></Data><Data Name='Status'>0xc000006d</Data><Data Name='FailureReason'>%%2313</Data><Data Name='SubStatus'>0xc0000064</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>-</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>127.0.0.1</Data><Data Name='IpPort'>0</Data></EventData></Event>","_time":1621342800,"cribl_breaker":"Break on newlines"}]


--------------------------------------------------------------------------------
/default/pipelines/NX_Log/conf.yml:
--------------------------------------------------------------------------------
  1 | output: default
  2 | groups: {}
  3 | asyncFuncTimeout: 1000
  4 | functions:
  5 |   - id: comment
  6 |     filter: "true"
  7 |     disabled: null
  8 |     conf:
  9 |       comment: NX_Log
 10 |   - id: auto_timestamp
 11 |     filter: "true"
 12 |     disabled: null
 13 |     conf:
 14 |       srcField: _raw
 15 |       dstField: _time
 16 |       defaultTimezone: local
 17 |       timeExpression: time.getTime() / 1000
 18 |       offset: 0
 19 |       maxLen: 150
 20 |       defaultTime: now
 21 |       latestDateAllowed: +1week
 22 |       earliestDateAllowed: -420weeks
 23 |       timestamps:
 24 |         - regex: /^(?:\S+\s){8}((?:\S+\s){4}\d+)/
 25 |           strptime: "%a %b %d %H:%M:%S %Y"
 26 |   - id: regex_extract
 27 |     filter: "true"
 28 |     disabled: false
 29 |     conf:
 30 |       source: _raw
 31 |       iterations: 100
 32 |       overwrite: false
 33 |       regex: /^.+?MSWinEventLog\t(?<criticality>[^\t]+)\t(?<LogName>[^\t]+)\t(?<RecordNumber>[^\t]+)\t(?<end_time>[^\t]+)\t(?<EventCode>[^\t]+)\t(?<SourceName>[^\t]+)\t(?<User>[^\t]+)\t(?<SidType>[^\t]+)\t(?<Type>[^\t]+)\t(?<ComputerName>[^\t]+)\t(?<CategoryString>[^\t]+)\t(?<DataString>[^\t]*)\t(?<Message>.+)\t/gm
 34 |     description: Initial Field Extraction
 35 |   - id: mask
 36 |     filter: "true"
 37 |     disabled: false
 38 |     conf:
 39 |       rules:
 40 |         - matchRegex: /\s{3,4}/gm
 41 |           replaceExpr: "`\\n`"
 42 |       fields:
 43 |         - Message
 44 |     description: Replace 3 or 4 spaces with new line feed
 45 |   - id: mask
 46 |     filter: "true"
 47 |     disabled: false
 48 |     conf:
 49 |       rules:
 50 |         - matchRegex: /([ A-Za-z()]+):/gm
 51 |           replaceExpr: "`${g1.replace(/ /gm,'_')}:`"
 52 |       fields:
 53 |         - Message
 54 |     description: "Replace all spaces in keys and after colon :"
 55 |   - id: mask
 56 |     filter: "true"
 57 |     disabled: false
 58 |     conf:
 59 |       rules:
 60 |         - matchRegex: /\n\s/gm
 61 |           replaceExpr: "','"
 62 |       fields:
 63 |         - Message
 64 |     description: Bring values up and comma delimit them.
 65 |   - id: mask
 66 |     filter: "true"
 67 |     disabled: false
 68 |     conf:
 69 |       rules:
 70 |         - matchRegex: /:\n(?!.+:[^A-Za-z])/gm
 71 |           replaceExpr: "':  '"
 72 |       fields:
 73 |         - Message
 74 |     description: Find values on their own line and bring them up
 75 |   - id: eval
 76 |     filter: "true"
 77 |     disabled: false
 78 |     conf:
 79 |       add:
 80 |         - value: Message.match(/^(?!.+:)(?<MessageText>.+)/gm).join('\n')
 81 |           name: MessageText
 82 |     description: Place Message Text into a field called MessageText
 83 |   - id: mask
 84 |     filter: "true"
 85 |     disabled: false
 86 |     conf:
 87 |       rules:
 88 |         - matchRegex: /^(?!.+:)(?<MessageText>.+)/gm
 89 |           replaceExpr: "''"
 90 |         - matchRegex: /^\n/gm
 91 |           replaceExpr: "''"
 92 |       fields:
 93 |         - Message
 94 |     description: Remove extra text from Message
 95 |   - id: mask
 96 |     filter: "true"
 97 |     disabled: false
 98 |     conf:
 99 |       rules:
100 |         - matchRegex: "/: +/g"
101 |           replaceExpr: "':'"
102 |       fields:
103 |         - Message
104 |     description: Remove spaces after colons
105 |   - id: mask
106 |     filter: "true"
107 |     disabled: false
108 |     conf:
109 |       rules:
110 |         - matchRegex: /\\/gm
111 |           replaceExpr: "'\\\\\\\\'"
112 |       fields:
113 |         - Message
114 |     description: Escape required characters that the JSON format requires.
115 |   - id: mask
116 |     filter: "true"
117 |     disabled: false
118 |     conf:
119 |       rules:
120 |         - matchRegex: /:(.+)/gm
121 |           replaceExpr: '`:"${g1}",`'
122 |         - matchRegex: /^(.+?):/gm
123 |           replaceExpr: '`"${g1}":`'
124 |       fields:
125 |         - Message
126 |     description: Quote JSON
127 |   - id: mask
128 |     filter: "true"
129 |     disabled: false
130 |     conf:
131 |       rules:
132 |         - matchRegex: /:$/gm
133 |           replaceExpr: "':{'"
134 |       fields:
135 |         - Message
136 |     description: "Add { after : for child objects. Will add extra at top."
137 |   - id: mask
138 |     filter: "true"
139 |     disabled: false
140 |     conf:
141 |       rules:
142 |         - matchRegex: /("\w+":{)/gm
143 |           replaceExpr: "`}\\n${g1}`"
144 |       fields:
145 |         - Message
146 |     description: Add closing } for child objects (will miss bottom)
147 |   - id: mask
148 |     filter: "true"
149 |     disabled: false
150 |     conf:
151 |       rules:
152 |         - matchRegex: /$/
153 |           replaceExpr: "'\\n}'"
154 |       fields:
155 |         - Message
156 |     description: Insert closing bracket at end
157 |   - id: mask
158 |     filter: "true"
159 |     disabled: false
160 |     conf:
161 |       rules:
162 |         - matchRegex: /^\n/gm
163 |           replaceExpr: "''"
164 |       fields:
165 |         - Message
166 |     description: Remove blank lines again?
167 |   - id: mask
168 |     filter: "true"
169 |     disabled: false
170 |     conf:
171 |       rules:
172 |         - matchRegex: /,\n}/gm
173 |           replaceExpr: "'\\n},'"
174 |       fields:
175 |         - Message
176 |     description: Remove extra comma from child objects
177 |   - id: mask
178 |     filter: "true"
179 |     disabled: false
180 |     conf:
181 |       rules:
182 |         - matchRegex: /}\n/
183 |           replaceExpr: "'{\\n'"
184 |       fields:
185 |         - Message
186 |     description: Remove deliberate top }\n and make opening JSON {
187 |   - id: mask
188 |     filter: "true"
189 |     disabled: null
190 |     conf:
191 |       rules:
192 |         - matchRegex: /,$/
193 |           replaceExpr: "''"
194 |       fields:
195 |         - Message
196 |     description: Remove last , at end
197 |   - id: mask
198 |     filter: "true"
199 |     disabled: false
200 |     conf:
201 |       rules:
202 |         - matchRegex: /$/
203 |           replaceExpr: "'\\n}'"
204 |       fields:
205 |         - Message
206 |     description: Add } to end
207 |   - id: eval
208 |     filter: JSON.parse(Message)
209 |     disabled: null
210 |     conf:
211 |       add:
212 |         - name: Message
213 |           value: JSON.parse(Message)
214 |     description: Parse Message into a JSON object
215 |   - id: serialize
216 |     filter: "true"
217 |     disabled: false
218 |     conf:
219 |       type: json
220 |       dstField: _raw
221 |       fields:
222 |         - "!_*"
223 |         - "!cribl_breaker"
224 |         - "!MessageText"
225 |         - "!index"
226 |         - "!source"
227 |         - "!sourcetype"
228 |         - "!host"
229 |         - "*"
230 |       cleanFields: false
231 |     description: Serialize required fields to _raw
232 |   - id: eval
233 |     filter: "true"
234 |     disabled: false
235 |     conf:
236 |       keep:
237 |         - _*
238 |         - cribl_breaker
239 |         - index
240 |         - host
241 |         - source
242 |         - sourcetype
243 |         - MessageText
244 |       remove:
245 |         - "*"
246 |       add:
247 |         - name: _raw
248 |           value: JSON.parse(_raw)
249 |     description: Parse _raw into a JSON object
250 |   - id: eval
251 |     filter: "true"
252 |     disabled: false
253 |     conf:
254 |       remove:
255 |         - MessageText
256 |     description: Enable to remove the MessageText field to reduce the event size
257 | 


--------------------------------------------------------------------------------
/samples/XNPzEl.json:
--------------------------------------------------------------------------------
1 | [{"_raw":"05/18/2021 08:00:00 AM\r\nLogName=Security\r\nSourceName=Microsoft Windows security auditing.\r\nEventCode=4688\r\nEventType=0\r\nType=Information\r\nComputerName=host.acme.com\r\nTaskCategory=Process Creation\r\nOpCode=Info\r\nRecordNumber=7901151\r\nKeywords=Audit Success\r\nMessage=A new process has been created.\r\r\n\r\r\nCreator Subject:\r\r\n\tSecurity ID:\t\tS-1-5-18\r\r\n\tAccount Name:\t\tHOST$\r\r\n\tAccount Domain:\t\tacme\r\r\n\tLogon ID:\t\t0x3E7\r\r\n\r\r\nTarget Subject:\r\r\n\tSecurity ID:\t\tS-1-0-0\r\r\n\tAccount Name:\t\t-\r\r\n\tAccount Domain:\t\t-\r\r\n\tLogon ID:\t\t0x0\r\r\n\r\r\nProcess Information:\r\r\n\tNew Process ID:\t\t0x124c\r\r\n\tNew Process Name:\tC:\\Windows\\SysWOW64\\xcopy.exe\r\r\n\tToken Elevation Type:\t%%1936\r\r\n\tMandatory Label:\t\tS-1-16-16384\r\r\n\tCreator Process ID:\t0x1844\r\r\n\tCreator Process Name:\tC:\\Windows\\SysWOW64\\cmd.exe\r\r\n\tProcess Command Line:\txcopy  /y patch-lists ..\\..\\Patch\\\r\r\n\r\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\r\n\r\r\nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\r\n\r\r\nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\r\n\r\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.","_time":1621342800,"cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00 AM\r\nLogName=Security\r\nSourceName=Microsoft Windows security auditing.\r\nEventCode=4688\r\nEventType=0\r\nType=Information\r\nComputerName=host.acme.com\r\nTaskCategory=Process Creation\r\nOpCode=Info\r\nRecordNumber=57285993\r\nKeywords=Audit Success\r\nMessage=A new process has been created.\r\r\n\r\r\nCreator Subject:\r\r\n\tSecurity ID:\t\tS-1-5-18\r\r\n\tAccount Name:\t\tHOST$\r\r\n\tAccount Domain:\t\tacme\r\r\n\tLogon ID:\t\t0x3E7\r\r\n\r\r\nTarget Subject:\r\r\n\tSecurity ID:\t\tS-1-0-0\r\r\n\tAccount Name:\t\t-\r\r\n\tAccount Domain:\t\t-\r\r\n\tLogon ID:\t\t0x0\r\r\n\r\r\nProcess Information:\r\r\n\tNew Process ID:\t\t0x1294\r\r\n\tNew Process Name:\tC:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe\r\r\n\tToken Elevation Type:\tTokenElevationTypeDefault (1)\r\r\n\tCreator Process ID:\t0xaec\r\r\n\tProcess Command Line:\t\"C:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe\" -a\r\r\n\r\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\r\n\r\r\nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\r\n\r\r\nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\r\n\r\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.","_time":1621342800,"cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00 AM\r\nLogName=Security\r\nSourceName=Microsoft Windows security auditing.\r\nEventCode=4688\r\nEventType=0\r\nType=Information\r\nComputerName=host.acme.com\r\nTaskCategory=Process Creation\r\nOpCode=Info\r\nRecordNumber=198227973\r\nKeywords=Audit Success\r\nMessage=A new process has been created.\r\r\n\r\r\nCreator Subject:\r\r\n\tSecurity ID:\t\tS-1-5-18\r\r\n\tAccount Name:\t\tHOST$\r\r\n\tAccount Domain:\t\tacme\r\r\n\tLogon ID:\t\t0x3E7\r\r\n\r\r\nTarget Subject:\r\r\n\tSecurity ID:\t\tS-1-0-0\r\r\n\tAccount Name:\t\t-\r\r\n\tAccount Domain:\t\t-\r\r\n\tLogon ID:\t\t0x0\r\r\n\r\r\nProcess Information:\r\r\n\tNew Process ID:\t\t0x534\r\r\n\tNew Process Name:\tC:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe\r\r\n\tToken Elevation Type:\tTokenElevationTypeDefault (1)\r\r\n\tCreator Process ID:\t0x20a8\r\r\n\tProcess Command Line:\t\"C:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe\" -a\r\r\n\r\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\r\n\r\r\nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\r\n\r\r\nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\r\n\r\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.","_time":1621342800,"cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00 AM\r\nLogName=Security\r\nSourceName=Microsoft Windows security auditing.\r\nEventCode=4688\r\nEventType=0\r\nType=Information\r\nComputerName=host.acme.com\r\nTaskCategory=Process Creation\r\nOpCode=Info\r\nRecordNumber=33837186\r\nKeywords=Audit Success\r\nMessage=A new process has been created.\r\r\n\r\r\nCreator Subject:\r\r\n\tSecurity ID:\t\tS-1-5-18\r\r\n\tAccount Name:\t\tHOST$\r\r\n\tAccount Domain:\t\tacme\r\r\n\tLogon ID:\t\t0x3E7\r\r\n\r\r\nTarget Subject:\r\r\n\tSecurity ID:\t\tS-1-0-0\r\r\n\tAccount Name:\t\t-\r\r\n\tAccount Domain:\t\t-\r\r\n\tLogon ID:\t\t0x0\r\r\n\r\r\nProcess Information:\r\r\n\tNew Process ID:\t\t0x1dc\r\r\n\tNew Process Name:\tC:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe\r\r\n\tToken Elevation Type:\tTokenElevationTypeDefault (1)\r\r\n\tCreator Process ID:\t0x12f4\r\r\n\tProcess Command Line:\t\"C:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe\" -a\r\r\n\r\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\r\n\r\r\nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\r\n\r\r\nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\r\n\r\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.","_time":1621342800,"cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00 AM\r\nLogName=Security\r\nSourceName=Microsoft Windows security auditing.\r\nEventCode=4688\r\nEventType=0\r\nType=Information\r\nComputerName=host.acme.com\r\nTaskCategory=Process Creation\r\nOpCode=Info\r\nRecordNumber=33837187\r\nKeywords=Audit Success\r\nMessage=A new process has been created.\r\r\n\r\r\nCreator Subject:\r\r\n\tSecurity ID:\t\tS-1-5-18\r\r\n\tAccount Name:\t\tHOST$\r\r\n\tAccount Domain:\t\tacme\r\r\n\tLogon ID:\t\t0x3E7\r\r\n\r\r\nTarget Subject:\r\r\n\tSecurity ID:\t\tS-1-0-0\r\r\n\tAccount Name:\t\t-\r\r\n\tAccount Domain:\t\t-\r\r\n\tLogon ID:\t\t0x0\r\r\n\r\r\nProcess Information:\r\r\n\tNew Process ID:\t\t0x110\r\r\n\tNew Process Name:\tC:\\Windows\\System32\\cmd.exe\r\r\n\tToken Elevation Type:\tTokenElevationTypeDefault (1)\r\r\n\tCreator Process ID:\t0xc4c\r\r\n\tProcess Command Line:\tC:\\WINDOWS\\system32\\cmd.exe /c \"C:\\Program Files (x86)\\MicroStrategy\\Services Registration\\bin\\check-mobile.bat\"\r\r\n\r\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\r\n\r\r\nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\r\n\r\r\nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\r\n\r\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.","_time":1621342800,"cribl_breaker":"Break on newlines"}]
2 | 


--------------------------------------------------------------------------------
/data/samples/XNPzEl.json:
--------------------------------------------------------------------------------
1 | [{"_raw":"05/18/2021 08:00:00 AM\r\nLogName=Security\r\nSourceName=Microsoft Windows security auditing.\r\nEventCode=4688\r\nEventType=0\r\nType=Information\r\nComputerName=host.acme.com\r\nTaskCategory=Process Creation\r\nOpCode=Info\r\nRecordNumber=7901151\r\nKeywords=Audit Success\r\nMessage=A new process has been created.\r\r\n\r\r\nCreator Subject:\r\r\n\tSecurity ID:\t\tS-1-5-18\r\r\n\tAccount Name:\t\tHOST$\r\r\n\tAccount Domain:\t\tacme\r\r\n\tLogon ID:\t\t0x3E7\r\r\n\r\r\nTarget Subject:\r\r\n\tSecurity ID:\t\tS-1-0-0\r\r\n\tAccount Name:\t\t-\r\r\n\tAccount Domain:\t\t-\r\r\n\tLogon ID:\t\t0x0\r\r\n\r\r\nProcess Information:\r\r\n\tNew Process ID:\t\t0x124c\r\r\n\tNew Process Name:\tC:\\Windows\\SysWOW64\\xcopy.exe\r\r\n\tToken Elevation Type:\t%%1936\r\r\n\tMandatory Label:\t\tS-1-16-16384\r\r\n\tCreator Process ID:\t0x1844\r\r\n\tCreator Process Name:\tC:\\Windows\\SysWOW64\\cmd.exe\r\r\n\tProcess Command Line:\txcopy  /y patch-lists ..\\..\\Patch\\\r\r\n\r\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\r\n\r\r\nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\r\n\r\r\nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\r\n\r\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.","_time":1621342800,"cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00 AM\r\nLogName=Security\r\nSourceName=Microsoft Windows security auditing.\r\nEventCode=4688\r\nEventType=0\r\nType=Information\r\nComputerName=host.acme.com\r\nTaskCategory=Process Creation\r\nOpCode=Info\r\nRecordNumber=57285993\r\nKeywords=Audit Success\r\nMessage=A new process has been created.\r\r\n\r\r\nCreator Subject:\r\r\n\tSecurity ID:\t\tS-1-5-18\r\r\n\tAccount Name:\t\tHOST$\r\r\n\tAccount Domain:\t\tacme\r\r\n\tLogon ID:\t\t0x3E7\r\r\n\r\r\nTarget Subject:\r\r\n\tSecurity ID:\t\tS-1-0-0\r\r\n\tAccount Name:\t\t-\r\r\n\tAccount Domain:\t\t-\r\r\n\tLogon ID:\t\t0x0\r\r\n\r\r\nProcess Information:\r\r\n\tNew Process ID:\t\t0x1294\r\r\n\tNew Process Name:\tC:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe\r\r\n\tToken Elevation Type:\tTokenElevationTypeDefault (1)\r\r\n\tCreator Process ID:\t0xaec\r\r\n\tProcess Command Line:\t\"C:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe\" -a\r\r\n\r\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\r\n\r\r\nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\r\n\r\r\nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\r\n\r\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.","_time":1621342800,"cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00 AM\r\nLogName=Security\r\nSourceName=Microsoft Windows security auditing.\r\nEventCode=4688\r\nEventType=0\r\nType=Information\r\nComputerName=host.acme.com\r\nTaskCategory=Process Creation\r\nOpCode=Info\r\nRecordNumber=198227973\r\nKeywords=Audit Success\r\nMessage=A new process has been created.\r\r\n\r\r\nCreator Subject:\r\r\n\tSecurity ID:\t\tS-1-5-18\r\r\n\tAccount Name:\t\tHOST$\r\r\n\tAccount Domain:\t\tacme\r\r\n\tLogon ID:\t\t0x3E7\r\r\n\r\r\nTarget Subject:\r\r\n\tSecurity ID:\t\tS-1-0-0\r\r\n\tAccount Name:\t\t-\r\r\n\tAccount Domain:\t\t-\r\r\n\tLogon ID:\t\t0x0\r\r\n\r\r\nProcess Information:\r\r\n\tNew Process ID:\t\t0x534\r\r\n\tNew Process Name:\tC:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe\r\r\n\tToken Elevation Type:\tTokenElevationTypeDefault (1)\r\r\n\tCreator Process ID:\t0x20a8\r\r\n\tProcess Command Line:\t\"C:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe\" -a\r\r\n\r\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\r\n\r\r\nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\r\n\r\r\nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\r\n\r\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.","_time":1621342800,"cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00 AM\r\nLogName=Security\r\nSourceName=Microsoft Windows security auditing.\r\nEventCode=4688\r\nEventType=0\r\nType=Information\r\nComputerName=host.acme.com\r\nTaskCategory=Process Creation\r\nOpCode=Info\r\nRecordNumber=33837186\r\nKeywords=Audit Success\r\nMessage=A new process has been created.\r\r\n\r\r\nCreator Subject:\r\r\n\tSecurity ID:\t\tS-1-5-18\r\r\n\tAccount Name:\t\tHOST$\r\r\n\tAccount Domain:\t\tacme\r\r\n\tLogon ID:\t\t0x3E7\r\r\n\r\r\nTarget Subject:\r\r\n\tSecurity ID:\t\tS-1-0-0\r\r\n\tAccount Name:\t\t-\r\r\n\tAccount Domain:\t\t-\r\r\n\tLogon ID:\t\t0x0\r\r\n\r\r\nProcess Information:\r\r\n\tNew Process ID:\t\t0x1dc\r\r\n\tNew Process Name:\tC:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe\r\r\n\tToken Elevation Type:\tTokenElevationTypeDefault (1)\r\r\n\tCreator Process ID:\t0x12f4\r\r\n\tProcess Command Line:\t\"C:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe\" -a\r\r\n\r\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\r\n\r\r\nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\r\n\r\r\nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\r\n\r\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.","_time":1621342800,"cribl_breaker":"Break on newlines"},{"_raw":"05/18/2021 08:00:00 AM\r\nLogName=Security\r\nSourceName=Microsoft Windows security auditing.\r\nEventCode=4688\r\nEventType=0\r\nType=Information\r\nComputerName=host.acme.com\r\nTaskCategory=Process Creation\r\nOpCode=Info\r\nRecordNumber=33837187\r\nKeywords=Audit Success\r\nMessage=A new process has been created.\r\r\n\r\r\nCreator Subject:\r\r\n\tSecurity ID:\t\tS-1-5-18\r\r\n\tAccount Name:\t\tHOST$\r\r\n\tAccount Domain:\t\tacme\r\r\n\tLogon ID:\t\t0x3E7\r\r\n\r\r\nTarget Subject:\r\r\n\tSecurity ID:\t\tS-1-0-0\r\r\n\tAccount Name:\t\t-\r\r\n\tAccount Domain:\t\t-\r\r\n\tLogon ID:\t\t0x0\r\r\n\r\r\nProcess Information:\r\r\n\tNew Process ID:\t\t0x110\r\r\n\tNew Process Name:\tC:\\Windows\\System32\\cmd.exe\r\r\n\tToken Elevation Type:\tTokenElevationTypeDefault (1)\r\r\n\tCreator Process ID:\t0xc4c\r\r\n\tProcess Command Line:\tC:\\WINDOWS\\system32\\cmd.exe /c \"C:\\Program Files (x86)\\MicroStrategy\\Services Registration\\bin\\check-mobile.bat\"\r\r\n\r\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\r\n\r\r\nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\r\n\r\r\nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\r\n\r\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.","_time":1621342800,"cribl_breaker":"Break on newlines"}]
2 | 


--------------------------------------------------------------------------------
/samples/UChiMU.json:
--------------------------------------------------------------------------------
1 | [{"_raw":"03/18/2021 08:00:00 AM\nLogName=Security\nSourceName=AD FS Auditing\nEventCode=1200\nEventType=0\nType=Information\nComputerName=host.acme.com\nUser=NOT_TRANSLATED\nSid=S-1-5-21-3621038248-1234567890-1962556353-6139\nSidType=0\nTaskCategory=3\nOpCode=Info\nRecordNumber=2405099840\nKeywords=Audit Success, Classic\nMessage=The Federation Service issued a valid token. See XML for details. \r\n\r\nActivity ID: 3ef8dbcb-566c-424e-9251-6ccf2dfc325e \r\n\r\nAdditional Data \r\nXML: <?xml version=\"1.0\" encoding=\"utf-16\"?>\r\n<AuditBase xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"AppTokenAudit\">\r\n  <AuditType>AppToken</AuditType>\r\n  <AuditResult>Success</AuditResult>\r\n  <FailureType>None</FailureType>\r\n  <ErrorCode>N/A</ErrorCode>\r\n  <ContextComponents>\r\n    <Component xsi:type=\"ResourceAuditComponent\">\r\n      <RelyingParty>https://host.acme.com/XRMServices/2011/Organization.svc</RelyingParty>\r\n      <ClaimsProvider>AD AUTHORITY</ClaimsProvider>\r\n      <UserId>N/A</UserId>\r\n    </Component>\r\n    <Component xsi:type=\"AuthNAuditComponent\">\r\n      <PrimaryAuth>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</PrimaryAuth>\r\n      <DeviceAuth>false</DeviceAuth>\r\n      <DeviceId>N/A</DeviceId>\r\n      <MfaPerformed>false</MfaPerformed>\r\n      <MfaMethod>N/A</MfaMethod>\r\n      <TokenBindingProvidedId>false</TokenBindingProvidedId>\r\n      <TokenBindingReferredId>false</TokenBindingReferredId>\r\n      <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>\r\n    </Component>\r\n    <Component xsi:type=\"ProtocolAuditComponent\">\r\n      <OAuthClientId>N/A</OAuthClientId>\r\n      <OAuthGrant>N/A</OAuthGrant>\r\n    </Component>\r\n    <Component xsi:type=\"RequestAuditComponent\">\r\n      <Server>http://login.acme.com/adfs/services/trust</Server>\r\n      <AuthProtocol>N/A</AuthProtocol>\r\n      <NetworkLocation>Intranet</NetworkLocation>\r\n      <IpAddress>127.0.0.1</IpAddress>\r\n      <ForwardedIpAddress />\r\n      <ProxyIpAddress>N/A</ProxyIpAddress>\r\n      <NetworkIpAddress>N/A</NetworkIpAddress>\r\n      <ProxyServer>N/A</ProxyServer>\r\n      <UserAgentString>N/A</UserAgentString>\r\n      <Endpoint>/adfs/services/trust/13/usernamemixed</Endpoint>\r\n    </Component>\r\n  </ContextComponents>\r\n</AuditBase>","_time":1616072400,"cribl_breaker":"Break on newlines"},{"_raw":"03/18/2021 08:00:00 AM\nLogName=Security\nSourceName=AD FS Auditing\nEventCode=1202\nEventType=0\nType=Information\nComputerName=host.acme.com\nUser=NOT_TRANSLATED\nSid=S-1-5-21-3621038248-1234567890-1962556353-6139\nSidType=0\nTaskCategory=3\nOpCode=Info\nRecordNumber=2405099831\nKeywords=Audit Success, Classic\nMessage=The Federation Service validated a new credential. See XML for details. \r\n\r\nActivity ID: 00000000-0000-0000-0000-000000000000 \r\n\r\nAdditional Data \r\nXML: <?xml version=\"1.0\" encoding=\"utf-16\"?>\r\n<AuditBase xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"FreshCredentialAudit\">\r\n  <AuditType>FreshCredentials</AuditType>\r\n  <AuditResult>Success</AuditResult>\r\n  <FailureType>None</FailureType>\r\n  <ErrorCode>N/A</ErrorCode>\r\n  <ContextComponents>\r\n    <Component xsi:type=\"ResourceAuditComponent\">\r\n      <RelyingParty>N/A</RelyingParty>\r\n      <ClaimsProvider>AD AUTHORITY</ClaimsProvider>\r\n      <UserId>ACM\\devapi</UserId>\r\n    </Component>\r\n    <Component xsi:type=\"AuthNAuditComponent\">\r\n      <PrimaryAuth>N/A</PrimaryAuth>\r\n      <DeviceAuth>false</DeviceAuth>\r\n      <DeviceId>N/A</DeviceId>\r\n      <MfaPerformed>false</MfaPerformed>\r\n      <MfaMethod>N/A</MfaMethod>\r\n      <TokenBindingProvidedId>false</TokenBindingProvidedId>\r\n      <TokenBindingReferredId>false</TokenBindingReferredId>\r\n      <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>\r\n    </Component>\r\n    <Component xsi:type=\"ProtocolAuditComponent\">\r\n      <OAuthClientId>N/A</OAuthClientId>\r\n      <OAuthGrant>N/A</OAuthGrant>\r\n    </Component>\r\n    <Component xsi:type=\"RequestAuditComponent\">\r\n      <Server>http://login.acme.com/adfs/services/trust</Server>\r\n      <AuthProtocol>N/A</AuthProtocol>\r\n      <NetworkLocation>Intranet</NetworkLocation>\r\n      <IpAddress>127.0.0.1</IpAddress>\r\n      <ForwardedIpAddress />\r\n      <ProxyIpAddress>N/A</ProxyIpAddress>\r\n      <NetworkIpAddress>N/A</NetworkIpAddress>\r\n      <ProxyServer>N/A</ProxyServer>\r\n      <UserAgentString>N/A</UserAgentString>\r\n      <Endpoint>N/A</Endpoint>\r\n    </Component>\r\n  </ContextComponents>\r\n</AuditBase>","_time":1616072400,"cribl_breaker":"Break on newlines"},{"_raw":"03/18/2021 08:00:00 AM\nLogName=Security\nSourceName=AD FS Auditing\nEventCode=1200\nEventType=0\nType=Information\nComputerName=host.acme.com\nUser=NOT_TRANSLATED\nSid=S-1-5-21-3621038248-1234567890-1962556353-6139\nSidType=0\nTaskCategory=3\nOpCode=Info\nRecordNumber=4602244478\nKeywords=Audit Success, Classic\nMessage=The Federation Service issued a valid token. See XML for details. \r\n\r\nActivity ID: 22658e56-5789-4f1e-8e1c-ecd411a85388 \r\n\r\nAdditional Data \r\nXML: <?xml version=\"1.0\" encoding=\"utf-16\"?>\r\n<AuditBase xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"AppTokenAudit\">\r\n  <AuditType>AppToken</AuditType>\r\n  <AuditResult>Success</AuditResult>\r\n  <FailureType>None</FailureType>\r\n  <ErrorCode>N/A</ErrorCode>\r\n  <ContextComponents>\r\n    <Component xsi:type=\"ResourceAuditComponent\">\r\n      <RelyingParty>https://margaritaville.acme.com/XRMServices/2011/Organization.svc</RelyingParty>\r\n      <ClaimsProvider>AD AUTHORITY</ClaimsProvider>\r\n      <UserId>N/A</UserId>\r\n    </Component>\r\n    <Component xsi:type=\"AuthNAuditComponent\">\r\n      <PrimaryAuth>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</PrimaryAuth>\r\n      <DeviceAuth>false</DeviceAuth>\r\n      <DeviceId>N/A</DeviceId>\r\n      <MfaPerformed>false</MfaPerformed>\r\n      <MfaMethod>N/A</MfaMethod>\r\n      <TokenBindingProvidedId>false</TokenBindingProvidedId>\r\n      <TokenBindingReferredId>false</TokenBindingReferredId>\r\n      <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>\r\n    </Component>\r\n    <Component xsi:type=\"ProtocolAuditComponent\">\r\n      <OAuthClientId>N/A</OAuthClientId>\r\n      <OAuthGrant>N/A</OAuthGrant>\r\n    </Component>\r\n    <Component xsi:type=\"RequestAuditComponent\">\r\n      <Server>http://login.acme.com/adfs/services/trust</Server>\r\n      <AuthProtocol>N/A</AuthProtocol>\r\n      <NetworkLocation>Intranet</NetworkLocation>\r\n      <IpAddress>127.0.0.1</IpAddress>\r\n      <ForwardedIpAddress />\r\n      <ProxyIpAddress>N/A</ProxyIpAddress>\r\n      <NetworkIpAddress>N/A</NetworkIpAddress>\r\n      <ProxyServer>N/A</ProxyServer>\r\n      <UserAgentString>N/A</UserAgentString>\r\n      <Endpoint>/adfs/services/trust/13/usernamemixed</Endpoint>\r\n    </Component>\r\n  </ContextComponents>\r\n</AuditBase>","_time":1616072400,"cribl_breaker":"Break on newlines"},{"_raw":"03/18/2021 08:00:00 AM\nLogName=Security\nSourceName=AD FS Auditing\nEventCode=1202\nEventType=0\nType=Information\nComputerName=host.acme.com\nUser=NOT_TRANSLATED\nSid=S-1-5-21-3621038248-1234567890-1962556353-6139\nSidType=0\nTaskCategory=3\nOpCode=Info\nRecordNumber=4602244469\nKeywords=Audit Success, Classic\nMessage=The Federation Service validated a new credential. See XML for details. \r\n\r\nActivity ID: 00000000-0000-0000-0000-000000000000 \r\n\r\nAdditional Data \r\nXML: <?xml version=\"1.0\" encoding=\"utf-16\"?>\r\n<AuditBase xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"FreshCredentialAudit\">\r\n  <AuditType>FreshCredentials</AuditType>\r\n  <AuditResult>Success</AuditResult>\r\n  <FailureType>None</FailureType>\r\n  <ErrorCode>N/A</ErrorCode>\r\n  <ContextComponents>\r\n    <Component xsi:type=\"ResourceAuditComponent\">\r\n      <RelyingParty>N/A</RelyingParty>\r\n      <ClaimsProvider>AD AUTHORITY</ClaimsProvider>\r\n      <UserId>ACM\\admin_Margaritaville</UserId>\r\n    </Component>\r\n    <Component xsi:type=\"AuthNAuditComponent\">\r\n      <PrimaryAuth>N/A</PrimaryAuth>\r\n      <DeviceAuth>false</DeviceAuth>\r\n      <DeviceId>N/A</DeviceId>\r\n      <MfaPerformed>false</MfaPerformed>\r\n      <MfaMethod>N/A</MfaMethod>\r\n      <TokenBindingProvidedId>false</TokenBindingProvidedId>\r\n      <TokenBindingReferredId>false</TokenBindingReferredId>\r\n      <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>\r\n    </Component>\r\n    <Component xsi:type=\"ProtocolAuditComponent\">\r\n      <OAuthClientId>N/A</OAuthClientId>\r\n      <OAuthGrant>N/A</OAuthGrant>\r\n    </Component>\r\n    <Component xsi:type=\"RequestAuditComponent\">\r\n      <Server>http://login.acme.com/adfs/services/trust</Server>\r\n      <AuthProtocol>N/A</AuthProtocol>\r\n      <NetworkLocation>Intranet</NetworkLocation>\r\n      <IpAddress>127.0.0.1</IpAddress>\r\n      <ForwardedIpAddress />\r\n      <ProxyIpAddress>N/A</ProxyIpAddress>\r\n      <NetworkIpAddress>N/A</NetworkIpAddress>\r\n      <ProxyServer>N/A</ProxyServer>\r\n      <UserAgentString>N/A</UserAgentString>\r\n      <Endpoint>N/A</Endpoint>\r\n    </Component>\r\n  </ContextComponents>\r\n</AuditBase>","_time":1616072400,"cribl_breaker":"Break on newlines"},{"_raw":"03/18/2021 08:00:00 AM\nLogName=Security\nSourceName=AD FS Auditing\nEventCode=1200\nEventType=0\nType=Information\nComputerName=host.acme.com\nUser=NOT_TRANSLATED\nSid=S-1-5-21-3621038248-1234567890-1962556353-6139\nSidType=0\nTaskCategory=3\nOpCode=Info\nRecordNumber=4602244463\nKeywords=Audit Success, Classic\nMessage=The Federation Service issued a valid token. See XML for details. \r\n\r\nActivity ID: b76b8db7-9b6a-415d-9824-61e435eeb720 \r\n\r\nAdditional Data \r\nXML: <?xml version=\"1.0\" encoding=\"utf-16\"?>\r\n<AuditBase xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"AppTokenAudit\">\r\n  <AuditType>AppToken</AuditType>\r\n  <AuditResult>Success</AuditResult>\r\n  <FailureType>None</FailureType>\r\n  <ErrorCode>N/A</ErrorCode>\r\n  <ContextComponents>\r\n    <Component xsi:type=\"ResourceAuditComponent\">\r\n      <RelyingParty>https://ACM2016test.acme.com/XRMServices/2011/Organization.svc</RelyingParty>\r\n      <ClaimsProvider>AD AUTHORITY</ClaimsProvider>\r\n      <UserId>N/A</UserId>\r\n    </Component>\r\n    <Component xsi:type=\"AuthNAuditComponent\">\r\n      <PrimaryAuth>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</PrimaryAuth>\r\n      <DeviceAuth>false</DeviceAuth>\r\n      <DeviceId>N/A</DeviceId>\r\n      <MfaPerformed>false</MfaPerformed>\r\n      <MfaMethod>N/A</MfaMethod>\r\n      <TokenBindingProvidedId>false</TokenBindingProvidedId>\r\n      <TokenBindingReferredId>false</TokenBindingReferredId>\r\n      <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>\r\n    </Component>\r\n    <Component xsi:type=\"ProtocolAuditComponent\">\r\n      <OAuthClientId>N/A</OAuthClientId>\r\n      <OAuthGrant>N/A</OAuthGrant>\r\n    </Component>\r\n    <Component xsi:type=\"RequestAuditComponent\">\r\n      <Server>http://login.acme.com/adfs/services/trust</Server>\r\n      <AuthProtocol>N/A</AuthProtocol>\r\n      <NetworkLocation>Intranet</NetworkLocation>\r\n      <IpAddress>127.0.0.1</IpAddress>\r\n      <ForwardedIpAddress />\r\n      <ProxyIpAddress>N/A</ProxyIpAddress>\r\n      <NetworkIpAddress>N/A</NetworkIpAddress>\r\n      <ProxyServer>N/A</ProxyServer>\r\n      <UserAgentString>N/A</UserAgentString>\r\n      <Endpoint>/adfs/services/trust/13/usernamemixed</Endpoint>\r\n    </Component>\r\n  </ContextComponents>\r\n</AuditBase>","_time":1616072400,"cribl_breaker":"Break on newlines"}]


--------------------------------------------------------------------------------
/data/samples/UChiMU.json:
--------------------------------------------------------------------------------
1 | [{"_raw":"03/18/2021 08:00:00 AM\nLogName=Security\nSourceName=AD FS Auditing\nEventCode=1200\nEventType=0\nType=Information\nComputerName=host.acme.com\nUser=NOT_TRANSLATED\nSid=S-1-5-21-3621038248-1234567890-1962556353-6139\nSidType=0\nTaskCategory=3\nOpCode=Info\nRecordNumber=2405099840\nKeywords=Audit Success, Classic\nMessage=The Federation Service issued a valid token. See XML for details. \r\n\r\nActivity ID: 3ef8dbcb-566c-424e-9251-6ccf2dfc325e \r\n\r\nAdditional Data \r\nXML: <?xml version=\"1.0\" encoding=\"utf-16\"?>\r\n<AuditBase xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"AppTokenAudit\">\r\n  <AuditType>AppToken</AuditType>\r\n  <AuditResult>Success</AuditResult>\r\n  <FailureType>None</FailureType>\r\n  <ErrorCode>N/A</ErrorCode>\r\n  <ContextComponents>\r\n    <Component xsi:type=\"ResourceAuditComponent\">\r\n      <RelyingParty>https://host.acme.com/XRMServices/2011/Organization.svc</RelyingParty>\r\n      <ClaimsProvider>AD AUTHORITY</ClaimsProvider>\r\n      <UserId>N/A</UserId>\r\n    </Component>\r\n    <Component xsi:type=\"AuthNAuditComponent\">\r\n      <PrimaryAuth>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</PrimaryAuth>\r\n      <DeviceAuth>false</DeviceAuth>\r\n      <DeviceId>N/A</DeviceId>\r\n      <MfaPerformed>false</MfaPerformed>\r\n      <MfaMethod>N/A</MfaMethod>\r\n      <TokenBindingProvidedId>false</TokenBindingProvidedId>\r\n      <TokenBindingReferredId>false</TokenBindingReferredId>\r\n      <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>\r\n    </Component>\r\n    <Component xsi:type=\"ProtocolAuditComponent\">\r\n      <OAuthClientId>N/A</OAuthClientId>\r\n      <OAuthGrant>N/A</OAuthGrant>\r\n    </Component>\r\n    <Component xsi:type=\"RequestAuditComponent\">\r\n      <Server>http://login.acme.com/adfs/services/trust</Server>\r\n      <AuthProtocol>N/A</AuthProtocol>\r\n      <NetworkLocation>Intranet</NetworkLocation>\r\n      <IpAddress>127.0.0.1</IpAddress>\r\n      <ForwardedIpAddress />\r\n      <ProxyIpAddress>N/A</ProxyIpAddress>\r\n      <NetworkIpAddress>N/A</NetworkIpAddress>\r\n      <ProxyServer>N/A</ProxyServer>\r\n      <UserAgentString>N/A</UserAgentString>\r\n      <Endpoint>/adfs/services/trust/13/usernamemixed</Endpoint>\r\n    </Component>\r\n  </ContextComponents>\r\n</AuditBase>","_time":1616072400,"cribl_breaker":"Break on newlines"},{"_raw":"03/18/2021 08:00:00 AM\nLogName=Security\nSourceName=AD FS Auditing\nEventCode=1202\nEventType=0\nType=Information\nComputerName=host.acme.com\nUser=NOT_TRANSLATED\nSid=S-1-5-21-3621038248-1234567890-1962556353-6139\nSidType=0\nTaskCategory=3\nOpCode=Info\nRecordNumber=2405099831\nKeywords=Audit Success, Classic\nMessage=The Federation Service validated a new credential. See XML for details. \r\n\r\nActivity ID: 00000000-0000-0000-0000-000000000000 \r\n\r\nAdditional Data \r\nXML: <?xml version=\"1.0\" encoding=\"utf-16\"?>\r\n<AuditBase xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"FreshCredentialAudit\">\r\n  <AuditType>FreshCredentials</AuditType>\r\n  <AuditResult>Success</AuditResult>\r\n  <FailureType>None</FailureType>\r\n  <ErrorCode>N/A</ErrorCode>\r\n  <ContextComponents>\r\n    <Component xsi:type=\"ResourceAuditComponent\">\r\n      <RelyingParty>N/A</RelyingParty>\r\n      <ClaimsProvider>AD AUTHORITY</ClaimsProvider>\r\n      <UserId>ACM\\devapi</UserId>\r\n    </Component>\r\n    <Component xsi:type=\"AuthNAuditComponent\">\r\n      <PrimaryAuth>N/A</PrimaryAuth>\r\n      <DeviceAuth>false</DeviceAuth>\r\n      <DeviceId>N/A</DeviceId>\r\n      <MfaPerformed>false</MfaPerformed>\r\n      <MfaMethod>N/A</MfaMethod>\r\n      <TokenBindingProvidedId>false</TokenBindingProvidedId>\r\n      <TokenBindingReferredId>false</TokenBindingReferredId>\r\n      <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>\r\n    </Component>\r\n    <Component xsi:type=\"ProtocolAuditComponent\">\r\n      <OAuthClientId>N/A</OAuthClientId>\r\n      <OAuthGrant>N/A</OAuthGrant>\r\n    </Component>\r\n    <Component xsi:type=\"RequestAuditComponent\">\r\n      <Server>http://login.acme.com/adfs/services/trust</Server>\r\n      <AuthProtocol>N/A</AuthProtocol>\r\n      <NetworkLocation>Intranet</NetworkLocation>\r\n      <IpAddress>127.0.0.1</IpAddress>\r\n      <ForwardedIpAddress />\r\n      <ProxyIpAddress>N/A</ProxyIpAddress>\r\n      <NetworkIpAddress>N/A</NetworkIpAddress>\r\n      <ProxyServer>N/A</ProxyServer>\r\n      <UserAgentString>N/A</UserAgentString>\r\n      <Endpoint>N/A</Endpoint>\r\n    </Component>\r\n  </ContextComponents>\r\n</AuditBase>","_time":1616072400,"cribl_breaker":"Break on newlines"},{"_raw":"03/18/2021 08:00:00 AM\nLogName=Security\nSourceName=AD FS Auditing\nEventCode=1200\nEventType=0\nType=Information\nComputerName=host.acme.com\nUser=NOT_TRANSLATED\nSid=S-1-5-21-3621038248-1234567890-1962556353-6139\nSidType=0\nTaskCategory=3\nOpCode=Info\nRecordNumber=4602244478\nKeywords=Audit Success, Classic\nMessage=The Federation Service issued a valid token. See XML for details. \r\n\r\nActivity ID: 22658e56-5789-4f1e-8e1c-ecd411a85388 \r\n\r\nAdditional Data \r\nXML: <?xml version=\"1.0\" encoding=\"utf-16\"?>\r\n<AuditBase xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"AppTokenAudit\">\r\n  <AuditType>AppToken</AuditType>\r\n  <AuditResult>Success</AuditResult>\r\n  <FailureType>None</FailureType>\r\n  <ErrorCode>N/A</ErrorCode>\r\n  <ContextComponents>\r\n    <Component xsi:type=\"ResourceAuditComponent\">\r\n      <RelyingParty>https://margaritaville.acme.com/XRMServices/2011/Organization.svc</RelyingParty>\r\n      <ClaimsProvider>AD AUTHORITY</ClaimsProvider>\r\n      <UserId>N/A</UserId>\r\n    </Component>\r\n    <Component xsi:type=\"AuthNAuditComponent\">\r\n      <PrimaryAuth>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</PrimaryAuth>\r\n      <DeviceAuth>false</DeviceAuth>\r\n      <DeviceId>N/A</DeviceId>\r\n      <MfaPerformed>false</MfaPerformed>\r\n      <MfaMethod>N/A</MfaMethod>\r\n      <TokenBindingProvidedId>false</TokenBindingProvidedId>\r\n      <TokenBindingReferredId>false</TokenBindingReferredId>\r\n      <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>\r\n    </Component>\r\n    <Component xsi:type=\"ProtocolAuditComponent\">\r\n      <OAuthClientId>N/A</OAuthClientId>\r\n      <OAuthGrant>N/A</OAuthGrant>\r\n    </Component>\r\n    <Component xsi:type=\"RequestAuditComponent\">\r\n      <Server>http://login.acme.com/adfs/services/trust</Server>\r\n      <AuthProtocol>N/A</AuthProtocol>\r\n      <NetworkLocation>Intranet</NetworkLocation>\r\n      <IpAddress>127.0.0.1</IpAddress>\r\n      <ForwardedIpAddress />\r\n      <ProxyIpAddress>N/A</ProxyIpAddress>\r\n      <NetworkIpAddress>N/A</NetworkIpAddress>\r\n      <ProxyServer>N/A</ProxyServer>\r\n      <UserAgentString>N/A</UserAgentString>\r\n      <Endpoint>/adfs/services/trust/13/usernamemixed</Endpoint>\r\n    </Component>\r\n  </ContextComponents>\r\n</AuditBase>","_time":1616072400,"cribl_breaker":"Break on newlines"},{"_raw":"03/18/2021 08:00:00 AM\nLogName=Security\nSourceName=AD FS Auditing\nEventCode=1202\nEventType=0\nType=Information\nComputerName=host.acme.com\nUser=NOT_TRANSLATED\nSid=S-1-5-21-3621038248-1234567890-1962556353-6139\nSidType=0\nTaskCategory=3\nOpCode=Info\nRecordNumber=4602244469\nKeywords=Audit Success, Classic\nMessage=The Federation Service validated a new credential. See XML for details. \r\n\r\nActivity ID: 00000000-0000-0000-0000-000000000000 \r\n\r\nAdditional Data \r\nXML: <?xml version=\"1.0\" encoding=\"utf-16\"?>\r\n<AuditBase xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"FreshCredentialAudit\">\r\n  <AuditType>FreshCredentials</AuditType>\r\n  <AuditResult>Success</AuditResult>\r\n  <FailureType>None</FailureType>\r\n  <ErrorCode>N/A</ErrorCode>\r\n  <ContextComponents>\r\n    <Component xsi:type=\"ResourceAuditComponent\">\r\n      <RelyingParty>N/A</RelyingParty>\r\n      <ClaimsProvider>AD AUTHORITY</ClaimsProvider>\r\n      <UserId>ACM\\admin_Margaritaville</UserId>\r\n    </Component>\r\n    <Component xsi:type=\"AuthNAuditComponent\">\r\n      <PrimaryAuth>N/A</PrimaryAuth>\r\n      <DeviceAuth>false</DeviceAuth>\r\n      <DeviceId>N/A</DeviceId>\r\n      <MfaPerformed>false</MfaPerformed>\r\n      <MfaMethod>N/A</MfaMethod>\r\n      <TokenBindingProvidedId>false</TokenBindingProvidedId>\r\n      <TokenBindingReferredId>false</TokenBindingReferredId>\r\n      <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>\r\n    </Component>\r\n    <Component xsi:type=\"ProtocolAuditComponent\">\r\n      <OAuthClientId>N/A</OAuthClientId>\r\n      <OAuthGrant>N/A</OAuthGrant>\r\n    </Component>\r\n    <Component xsi:type=\"RequestAuditComponent\">\r\n      <Server>http://login.acme.com/adfs/services/trust</Server>\r\n      <AuthProtocol>N/A</AuthProtocol>\r\n      <NetworkLocation>Intranet</NetworkLocation>\r\n      <IpAddress>127.0.0.1</IpAddress>\r\n      <ForwardedIpAddress />\r\n      <ProxyIpAddress>N/A</ProxyIpAddress>\r\n      <NetworkIpAddress>N/A</NetworkIpAddress>\r\n      <ProxyServer>N/A</ProxyServer>\r\n      <UserAgentString>N/A</UserAgentString>\r\n      <Endpoint>N/A</Endpoint>\r\n    </Component>\r\n  </ContextComponents>\r\n</AuditBase>","_time":1616072400,"cribl_breaker":"Break on newlines"},{"_raw":"03/18/2021 08:00:00 AM\nLogName=Security\nSourceName=AD FS Auditing\nEventCode=1200\nEventType=0\nType=Information\nComputerName=host.acme.com\nUser=NOT_TRANSLATED\nSid=S-1-5-21-3621038248-1234567890-1962556353-6139\nSidType=0\nTaskCategory=3\nOpCode=Info\nRecordNumber=4602244463\nKeywords=Audit Success, Classic\nMessage=The Federation Service issued a valid token. See XML for details. \r\n\r\nActivity ID: b76b8db7-9b6a-415d-9824-61e435eeb720 \r\n\r\nAdditional Data \r\nXML: <?xml version=\"1.0\" encoding=\"utf-16\"?>\r\n<AuditBase xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"AppTokenAudit\">\r\n  <AuditType>AppToken</AuditType>\r\n  <AuditResult>Success</AuditResult>\r\n  <FailureType>None</FailureType>\r\n  <ErrorCode>N/A</ErrorCode>\r\n  <ContextComponents>\r\n    <Component xsi:type=\"ResourceAuditComponent\">\r\n      <RelyingParty>https://ACM2016test.acme.com/XRMServices/2011/Organization.svc</RelyingParty>\r\n      <ClaimsProvider>AD AUTHORITY</ClaimsProvider>\r\n      <UserId>N/A</UserId>\r\n    </Component>\r\n    <Component xsi:type=\"AuthNAuditComponent\">\r\n      <PrimaryAuth>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</PrimaryAuth>\r\n      <DeviceAuth>false</DeviceAuth>\r\n      <DeviceId>N/A</DeviceId>\r\n      <MfaPerformed>false</MfaPerformed>\r\n      <MfaMethod>N/A</MfaMethod>\r\n      <TokenBindingProvidedId>false</TokenBindingProvidedId>\r\n      <TokenBindingReferredId>false</TokenBindingReferredId>\r\n      <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>\r\n    </Component>\r\n    <Component xsi:type=\"ProtocolAuditComponent\">\r\n      <OAuthClientId>N/A</OAuthClientId>\r\n      <OAuthGrant>N/A</OAuthGrant>\r\n    </Component>\r\n    <Component xsi:type=\"RequestAuditComponent\">\r\n      <Server>http://login.acme.com/adfs/services/trust</Server>\r\n      <AuthProtocol>N/A</AuthProtocol>\r\n      <NetworkLocation>Intranet</NetworkLocation>\r\n      <IpAddress>127.0.0.1</IpAddress>\r\n      <ForwardedIpAddress />\r\n      <ProxyIpAddress>N/A</ProxyIpAddress>\r\n      <NetworkIpAddress>N/A</NetworkIpAddress>\r\n      <ProxyServer>N/A</ProxyServer>\r\n      <UserAgentString>N/A</UserAgentString>\r\n      <Endpoint>/adfs/services/trust/13/usernamemixed</Endpoint>\r\n    </Component>\r\n  </ContextComponents>\r\n</AuditBase>","_time":1616072400,"cribl_breaker":"Break on newlines"}]


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "[]"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright 2021 Cribl, Inc
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 


--------------------------------------------------------------------------------
/samples/5rMBYv.json:
--------------------------------------------------------------------------------
1 | [{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=accept\nPacketTypeId=1\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=host.acme.com\nRemoteAddress=127.0.0.1\nRemotePort=53444\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"ec2amaz-cpmk6j5$\"\nUserSid=s-1-5-20\nUserId=0-3e4\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=40","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=accept\nPacketTypeId=1\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=host.acme.com\nRemoteAddress=127.0.0.1\nRemotePort=53444\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"ec2amaz-cpmk6j5$\"\nUserSid=s-1-5-20\nUserId=0-3e4\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=40","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=host.acme.com\nRemoteAddress=127.0.0.1\nRemotePort=53444\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=host.acme.com\nRemoteAddress=127.0.0.1\nRemotePort=53444\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=57696\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=20","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=57696\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=20","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=57696\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=57696\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=host.acme.com\nRemoteAddress=127.0.0.1\nRemotePort=53444\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=32","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=host.acme.com\nRemoteAddress=127.0.0.1\nRemotePort=53444\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=32","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=host.acme.com\nRemoteAddress=127.0.0.1\nRemotePort=53444\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=32","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=host.acme.com\nRemoteAddress=127.0.0.1\nRemotePort=53444\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=32","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=host.acme.com\nRemoteAddress=127.0.0.1\nRemotePort=53444\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=host.acme.com\nRemoteAddress=127.0.0.1\nRemotePort=53444\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=57696\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=20","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=57696\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=20","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=57696\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=57696\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=35810\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=35810\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=accept\nPacketTypeId=1\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=37676\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"ec2amaz-cpmk6j5$\"\nUserSid=s-1-5-20\nUserId=0-3e4\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=40","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=accept\nPacketTypeId=1\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=37676\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"ec2amaz-cpmk6j5$\"\nUserSid=s-1-5-20\nUserId=0-3e4\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=40","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=37676\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=37676\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=35810\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=32","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=35810\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=32","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=35810\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=35810\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=37676\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=32","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=37676\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=32","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=37676\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=32","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=37676\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=32","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=37676\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=37676\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=43140\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=43140\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=0127.0.0.1.res.spectrum.com\nRemoteAddress=127.0.0.1\nRemotePort=55073\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"}]


--------------------------------------------------------------------------------
/data/samples/5rMBYv.json:
--------------------------------------------------------------------------------
1 | [{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=accept\nPacketTypeId=1\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=host.acme.com\nRemoteAddress=127.0.0.1\nRemotePort=53444\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"ec2amaz-cpmk6j5$\"\nUserSid=s-1-5-20\nUserId=0-3e4\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=40","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=accept\nPacketTypeId=1\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=host.acme.com\nRemoteAddress=127.0.0.1\nRemotePort=53444\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"ec2amaz-cpmk6j5$\"\nUserSid=s-1-5-20\nUserId=0-3e4\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=40","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=host.acme.com\nRemoteAddress=127.0.0.1\nRemotePort=53444\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=host.acme.com\nRemoteAddress=127.0.0.1\nRemotePort=53444\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=57696\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=20","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=57696\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=20","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=57696\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=57696\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=host.acme.com\nRemoteAddress=127.0.0.1\nRemotePort=53444\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=32","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=host.acme.com\nRemoteAddress=127.0.0.1\nRemotePort=53444\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=32","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=host.acme.com\nRemoteAddress=127.0.0.1\nRemotePort=53444\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=32","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=host.acme.com\nRemoteAddress=127.0.0.1\nRemotePort=53444\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=32","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=host.acme.com\nRemoteAddress=127.0.0.1\nRemotePort=53444\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=host.acme.com\nRemoteAddress=127.0.0.1\nRemotePort=53444\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=57696\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=20","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=57696\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=20","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=57696\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=57696\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=35810\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=35810\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=accept\nPacketTypeId=1\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=37676\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"ec2amaz-cpmk6j5$\"\nUserSid=s-1-5-20\nUserId=0-3e4\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=40","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=accept\nPacketTypeId=1\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=37676\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"ec2amaz-cpmk6j5$\"\nUserSid=s-1-5-20\nUserId=0-3e4\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=40","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=37676\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=37676\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=35810\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=32","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=35810\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=32","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=35810\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=35810\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=37676\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=32","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=37676\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=32","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=37676\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=32","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=inbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=37676\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=20\nIPsecProtected=0\nTransportHeaderSizeBytes=32","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=37676\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=37676\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=43140\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=127.0.0.1\nRemoteAddress=127.0.0.1\nRemotePort=43140\nProcessName=\"unknown\"\nUserName=\"unknown\"\nUserSid=unknown\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"outbound","host":"host.acme.com","sourcetype":"WinNetMon:Outbound:All","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"AddressFamily=ipv4\nAddressFamilyId=2\nPacketType=transport\nPacketTypeId=2\nDirection=outbound\nProtocol=TCP\nProtocolId=6\nLocalAddress=127.0.0.1\nLocalPort=3389\nRemoteHostName=0127.0.0.1.res.spectrum.com\nRemoteAddress=127.0.0.1\nRemotePort=55073\nProcessName=\"c:\\windows\\system32\\svchost.exe\"\nUserName=\"nt authority\\network service\"\nUserSid=s-1-5-20\nUserId=0-0\nHeaderSizeBytes=0\nIPsecProtected=0\nTransportHeaderSizeBytes=0","_time":1621342800,"source":"inbound","host":"host.acme.com","sourcetype":"WinNetMon:Inbound:All","index":"default","cribl_breaker":"Break on newlines"}]


--------------------------------------------------------------------------------
/default/pipelines/WindowsClassicEvents/conf.yml:
--------------------------------------------------------------------------------
  1 | output: default
  2 | groups:
  3 |   74Mz02:
  4 |     name: Initial Event Cleanup
  5 |     index: 4
  6 |     description: Turn off every group/function and review each step to understand each step
  7 |       of the event processing.
  8 |     disabled: false
  9 |   KaPK3t:
 10 |     name: Shape Event into a JSON format.
 11 |     index: 5
 12 |     disabled: false
 13 |     description: Carefully review the events after the clean up phase and transform them
 14 |       into JSON
 15 |   MHboFX:
 16 |     name: FInal Cleanup
 17 |     index: 6
 18 |     disabled: false
 19 |     description: Transform JSON String to JSON Object so you can also get at fields within
 20 |       _raw.
 21 |   I4naCl:
 22 |     name: Drop, Suppress, Sample, Dynamic Sampling & Aggregations  - Off by Default
 23 |     description: Volume reduction examples - Off by Default - Toggle one function on at a
 24 |       time to see the results. Use Sample Data captures over a large time window
 25 |       to see dramatic reduction.
 26 |     disabled: true
 27 |     index: 8
 28 |   OW2pX5:
 29 |     name: Change to other formats - Off by Default
 30 |     description: These next two functions demonstrate how to Parse and Reserialize from one
 31 |       format such as JSON to another such as KEY = Value - Off by Default
 32 |     disabled: true
 33 |     index: 9
 34 | asyncFuncTimeout: 1000
 35 | functions:
 36 |   - id: comment
 37 |     filter: "true"
 38 |     disabled: null
 39 |     conf:
 40 |       comment: Please enable Descriptions - (Select top left three grey bars).  Please
 41 |         review the Pack Settings/README first.
 42 |   - id: comment
 43 |     filter: "true"
 44 |     disabled: null
 45 |     conf:
 46 |       comment: >-
 47 |         Description:  This pipeline converts Windows Classic events to JSON
 48 | 
 49 |         Author:       David Maislin - david@cribl.io
 50 | 
 51 |         Date:         2022-01-26
 52 | 
 53 |         Note:         Come find me on Slack - https://cribl.io/community - cribl-community.slack.com
 54 |   - id: comment
 55 |     filter: "true"
 56 |     disabled: null
 57 |     conf:
 58 |       comment: >-
 59 |         There are probably a million different formats and wonky things that
 60 |         happen with the older Windows Classic Event format.
 61 | 
 62 |         Thousands of Windows events from many customers were reviewed, each one very different from the other.  In the beginning I thought that there was a magical Rosetta stone that I could use with simple functions to convert to JSON, but I learned that there simply are no magic rules to follow. Disable all functions and step though each and every function, enabling them one at a time to ensure that your event is properly processed.
 63 | 
 64 | 
 65 |         I did attempt to convert using the code function but then realized that many would have difficulty tweaking the exceptions.
 66 | 
 67 |         My hope is that we can transform these steps into an out of the box default function in the future.
 68 |   - id: comment
 69 |     filter: "true"
 70 |     disabled: null
 71 |     conf:
 72 |       comment: |-
 73 |         1. Select the gear icon at the top right of Sample Data
 74 |         2. Select Show internal fields
 75 |         3. Select Render Whitespace
 76 |         4. Internal fields are not passed to the Destination.
 77 |   - id: mask
 78 |     filter: "true"
 79 |     disabled: false
 80 |     conf:
 81 |       rules:
 82 |         - matchRegex: /(Creating Scriptblock.+:)([\S\s]+)(\nScriptBlock ID+:.+)/gm
 83 |           replaceExpr: "`${g1}${g2.replace(/[\\s\\r\\n]+/gm,' ')}${g3}`"
 84 |         - matchRegex: /({)([\S\s]+)([}{])gg/gm
 85 |           replaceExpr: "`${g1}${g2.replace(/[\\s\\r\\n]+/gm,' ')}${g3}`"
 86 |       fields:
 87 |         - _raw
 88 |     groupId: 74Mz02
 89 |     description: Event 4104 - Edge Case to handle early curly braces
 90 |   - id: mask
 91 |     filter: "true"
 92 |     disabled: null
 93 |     conf:
 94 |       rules:
 95 |         - matchRegex: /(Message=)([\S\s]+)(^[\S\s]+)/gm
 96 |           replaceExpr: "`${g1}${g2.replace(/\\r/gm,'\\n')}${g3}`"
 97 |         - matchRegex: /\n\s+at\s/gm
 98 |           replaceExpr: "' at '"
 99 |       fields:
100 |         - _raw
101 |     groupId: 74Mz02
102 |     description: Event 1309 - Stack Trace
103 |   - id: mask
104 |     filter: "true"
105 |     disabled: false
106 |     conf:
107 |       rules:
108 |         - matchRegex: /^/
109 |           replaceExpr: "'Timestamp='"
110 |       fields:
111 |         - _raw
112 |     description: Add Timestamp key name to make it uniform like the rest of the event. The
113 |       Timestamp field is removed (optional) at the end of the pipeline since
114 |       _time is already extracted.
115 |     groupId: 74Mz02
116 |   - id: mask
117 |     filter: "true"
118 |     disabled: false
119 |     conf:
120 |       rules:
121 |         - matchRegex: /^( +)/gm
122 |           replaceExpr: "''"
123 |       fields:
124 |         - _raw
125 |     description: Remove any beginning spaces in the event.  Not all events have them, but
126 |       in the test samples I reviewed, I did notice exceptions.  Sometimes the
127 |       spaces re-appear.
128 |     groupId: 74Mz02
129 |   - id: mask
130 |     filter: "true"
131 |     disabled: false
132 |     conf:
133 |       rules:
134 |         - matchRegex: /$/
135 |           replaceExpr: "' \\r\\n'"
136 |       fields:
137 |         - _raw
138 |     description: Add a \s\r\n to the end of the event to make parsing easier, "Sometimes
139 |       Regex is hard..."
140 |     groupId: 74Mz02
141 |   - id: mask
142 |     filter: "true"
143 |     disabled: false
144 |     conf:
145 |       rules:
146 |         - matchRegex: /^Additional Data.*[\r\n]+/gm
147 |           replaceExpr: "''"
148 |       fields:
149 |         - _raw
150 |     groupId: 74Mz02
151 |     description: Remove Additional Data line since it doesn't add any value
152 |   - id: comment
153 |     filter: "true"
154 |     disabled: null
155 |     conf:
156 |       comment: >-
157 |         There are so many unique instances where the values of the key exist on
158 |         one or more lines.  This next function handles various edge cases.
159 | 
160 | 
161 |         Example 1 (␍ & ↵): Key (new line) Value
162 | 
163 |         c_ip:␍↵
164 | 
165 |         123.45.48.67:12345·␍↵
166 | 
167 |         node:␍↵
168 | 
169 |         dc=qa,dc=acme,dc=dev·␍↵
170 | 
171 | 
172 |         Example 2: Key (new lines where value looks like it contains a key with a colon)
173 | 
174 |         Error value:
175 | 
176 |         0000208D: NameErr: DSID-03100288, problem 2001 (NO_OBJECT), data 0, best match of:
177 |         	'CN=DEV-ACMEABCD01,CN=Servers,CN=ABCDEF01,CN=Sites,CN=Configuration,DC=acme,DC=com'
178 | 
179 |         Example 3: Key (new line, tab, value)
180 | 
181 | 
182 |         Example 4: Key (carriage returns, new lines followed by {) which can interfere with JSON structure
183 |     groupId: 74Mz02
184 |   - id: mask
185 |     filter: "true"
186 |     disabled: false
187 |     conf:
188 |       rules:
189 |         - matchRegex: /:\r\n(.+ ?)\r\n/gm
190 |           replaceExpr: "`:${g1}\\n`"
191 |         - matchRegex: /:\n\t/gm
192 |           replaceExpr: "':'"
193 |         - matchRegex: /:\r\n(.+)+[\r\n]/gm
194 |           replaceExpr: "`:${g1}\\n`"
195 |         - matchRegex: /:[\r\n]+{/gm
196 |           replaceExpr: "'{'"
197 |         - matchRegex: /\n"/gm
198 |           replaceExpr: "''"
199 |       fields:
200 |         - _raw
201 |     description: Edge Cases to collapse events to same line when key is on line 1 and value
202 |       is on line 2, etc. See Comment above
203 |     groupId: 74Mz02
204 |     final: false
205 |   - id: mask
206 |     filter: "true"
207 |     disabled: false
208 |     conf:
209 |       rules:
210 |         - matchRegex: /^(.+?:)(\n)^(.+)/gm
211 |           replaceExpr: "`${g1}${g3}`"
212 |       fields:
213 |         - _raw
214 |     groupId: 74Mz02
215 |     description: Event 1644 - Edge Case to collapse remaining events to same line when key
216 |       is on line 1 and value is on line 2, etc.
217 |     final: false
218 |   - id: mask
219 |     filter: "true"
220 |     disabled: false
221 |     conf:
222 |       rules:
223 |         - matchRegex: / +\r\n/gm
224 |           replaceExpr: "'\\r\\n'"
225 |         - matchRegex: / +\n/gm
226 |           replaceExpr: "'\\n'"
227 |         - matchRegex: / +\r/gm
228 |           replaceExpr: "'\\r'"
229 |       fields:
230 |         - _raw
231 |     description: Remove spaces at the end of each line.
232 |     groupId: 74Mz02
233 |   - id: mask
234 |     filter: "true"
235 |     disabled: false
236 |     conf:
237 |       rules:
238 |         - matchRegex: /\r+/gm
239 |           replaceExpr: "''"
240 |       fields:
241 |         - _raw
242 |     description: Remove Windows carriage returns characters displayed as␍which is the \r
243 |     groupId: 74Mz02
244 |   - id: mask
245 |     filter: "true"
246 |     disabled: false
247 |     conf:
248 |       rules:
249 |         - matchRegex: /^\n/gm
250 |           replaceExpr: "''"
251 |       fields:
252 |         - _raw
253 |     description: Remove empty lines.  Sometimes these come back as you process events,
254 |       merge event liens and I might repeat this when necessary.
255 |     groupId: 74Mz02
256 |   - id: mask
257 |     filter: "true"
258 |     disabled: false
259 |     conf:
260 |       rules:
261 |         - matchRegex: /  +/gm
262 |           replaceExpr: "' '"
263 |         - matchRegex: / :/gm
264 |           replaceExpr: "':'"
265 |         - matchRegex: "/: /gm"
266 |           replaceExpr: "':'"
267 |       fields:
268 |         - _raw
269 |     description: "Remove extra spaces and convert to single space and remove and spaces
270 |       before or after the keys : values since Windows event structure are so
271 |       unpredictable."
272 |     groupId: 74Mz02
273 |   - id: mask
274 |     filter: "true"
275 |     disabled: false
276 |     conf:
277 |       rules:
278 |         - matchRegex: /\\/gm
279 |           replaceExpr: "'\\\\\\\\'"
280 |         - matchRegex: /\"/gm
281 |           replaceExpr: "'\\\\\"'"
282 |         - matchRegex: /\n{/gm
283 |           replaceExpr: "' \\{'"
284 |         - matchRegex: /}\n/gm
285 |           replaceExpr: "'} '"
286 |       fields:
287 |         - _raw
288 |     description: Escape required characters that the JSON format requires.
289 |     groupId: 74Mz02
290 |   - id: mask
291 |     filter: "true"
292 |     disabled: false
293 |     conf:
294 |       rules:
295 |         - replaceExpr: "`\\t${g1.replace(/[\\s-]/gm,'_')}${g2}`"
296 |           matchRegex: /^\t((?:[\w()-]+ ?){1,4})(?=[:])([:])/gm
297 |         - matchRegex: /^((?:[\w()-]+ ?){1,4})(?=[:])([:])/gm
298 |           replaceExpr: "`${g1.replace(/[\\s-]/gm,'_')}${g2}`"
299 |       fields:
300 |         - _raw
301 |     description: Remove spaces in any Message Keys and replace with underscore
302 |     groupId: 74Mz02
303 |   - id: mask
304 |     filter: "true"
305 |     disabled: false
306 |     conf:
307 |       rules:
308 |         - matchRegex: "/^([A-Za-z_][^: =]+):(\\n.+)/gm"
309 |           replaceExpr: '`},\n"${g1}":{\n${g2}`'
310 |         - matchRegex: /^},\n/m
311 |           replaceExpr: "''"
312 |         - matchRegex: /(:{\n[\S\s]+)/
313 |           replaceExpr: "`${g1}}`"
314 |         - matchRegex: /{\n/
315 |           replaceExpr: "'{'"
316 |       fields:
317 |         - _raw
318 |     description: Add Quote and Bracket  to parent objects such as "Creator_Subject":{
319 |     groupId: KaPK3t
320 |   - id: mask
321 |     filter: "true"
322 |     disabled: false
323 |     conf:
324 |       rules:
325 |         - matchRegex: /^([^=]+)=(.*)/g
326 |           replaceExpr: '`"${g1}":"${g2}",`'
327 |         - matchRegex: /^\t+\n/gm
328 |           replaceExpr: "''"
329 |         - matchRegex: /:\t+/gm
330 |           replaceExpr: "':'"
331 |         - matchRegex: /^([^"}]\s+\w+[^:}{"]+)$/gm
332 |           replaceExpr: g1.split('\n')
333 |         - matchRegex: /\t/gm
334 |           replaceExpr: "''"
335 |       fields:
336 |         - _raw
337 |     description: Transform __raw into JSON, handling various event shapes and exceptions.
338 |     groupId: KaPK3t
339 |   - id: mask
340 |     filter: "true"
341 |     disabled: false
342 |     conf:
343 |       rules:
344 |         - matchRegex: /^(\w+)=(.+)/gm
345 |           replaceExpr: '`"${g1}":"${g2}",`'
346 |         - matchRegex: /^([\w()][\w()][\w()]+):(.*)/gm
347 |           replaceExpr: '`"${g1}":"${g2}",`'
348 |         - matchRegex: /,\n},/gm
349 |           replaceExpr: "'\\n},'"
350 |         - matchRegex: /,\n}/
351 |           replaceExpr: "'\\n}'"
352 |         - matchRegex: /^/
353 |           replaceExpr: "'{\\n'"
354 |         - matchRegex: /$/
355 |           replaceExpr: "'\\n}'"
356 |       fields:
357 |         - _raw
358 |     description: Transform __raw into JSON, handling various event shapes and exceptions.
359 |     groupId: KaPK3t
360 |   - id: mask
361 |     filter: "true"
362 |     disabled: false
363 |     conf:
364 |       rules:
365 |         - matchRegex: /^\n/gm
366 |           replaceExpr: "''"
367 |         - matchRegex: /^"(,)(\n)([^"}{].+)/gm
368 |           replaceExpr: '`${g1}${g3}"`'
369 |         - matchRegex: /^([^"{}][^=]+)=(.+)/gm
370 |           replaceExpr: '`"${g1}":"${g2}",`'
371 |       fields:
372 |         - _raw
373 |     description: Transform __raw into JSON, handling various event shapes and exceptions.
374 |     groupId: KaPK3t
375 |   - id: eval
376 |     filter: "true"
377 |     disabled: false
378 |     conf:
379 |       add:
380 |         - value: _raw.match(/^([^"}{].*)/gm).join('\n')
381 |           name: Message_Text
382 |     description: Extract freeform text from __raw to MessageText for safekeeping.
383 |     groupId: KaPK3t
384 |   - id: mask
385 |     filter: "true"
386 |     disabled: false
387 |     conf:
388 |       rules:
389 |         - matchRegex: /^([^"}{].*\n)/gm
390 |           replaceExpr: "''"
391 |         - matchRegex: /",\n}/
392 |           replaceExpr: "'\"\\n}'"
393 |         - matchRegex: /"\n"/
394 |           replaceExpr: "'\",\\n\"'"
395 |       fields:
396 |         - _raw
397 |     description: Remove freeform text from __raw because JSON requires a strict format.
398 |     groupId: KaPK3t
399 |   - id: serde
400 |     filter: "true"
401 |     disabled: false
402 |     conf:
403 |       mode: extract
404 |       type: json
405 |       srcField: _raw
406 |     description: Extract JSON to top level fields where you can manage fields quickly and
407 |       easily.
408 |     groupId: KaPK3t
409 |   - id: serialize
410 |     filter: "true"
411 |     disabled: false
412 |     conf:
413 |       type: json
414 |       dstField: _raw
415 |       fields:
416 |         - "!_*"
417 |         - "!cribl_*"
418 |         - "!index"
419 |         - "!source"
420 |         - "!sourcetype"
421 |         - "!host"
422 |         - "*"
423 |       cleanFields: false
424 |     description: Push all top level fields and Serialize into _raw, exclude default Splunk
425 |       fields first, and include the remaining fields.
426 |     groupId: MHboFX
427 |   - id: eval
428 |     filter: JSON.parse(_raw)
429 |     disabled: false
430 |     conf:
431 |       add:
432 |         - name: _raw
433 |           value: JSON.parse(_raw)
434 |     description: If a proper JSON String, turn into a JSON Object Literal which enables
435 |       easy manipulate of nested fields without the need for Regex
436 |     groupId: MHboFX
437 |   - id: eval
438 |     filter: "true"
439 |     disabled: false
440 |     conf:
441 |       remove:
442 |         - _raw.Timestamp
443 |         - _raw.Message_Text
444 |       keep: []
445 |     description: Feel free to adjust accordingly. You can double click and fields in _raw
446 |       to copy their key name and paste into the Remove Fields below.
447 |     groupId: MHboFX
448 |   - id: eval
449 |     filter: "true"
450 |     disabled: false
451 |     conf:
452 |       keep:
453 |         - cribl_*
454 |         - _raw*
455 |         - _time
456 |         - index
457 |         - host
458 |         - source
459 |         - sourcetype
460 |       remove:
461 |         - "*"
462 |     description: Keep Cribl fields and the default Splunk fields and remove all unnecessary
463 |       top level fields.  Feel free to adjust for extracted meta fields.
464 |     groupId: MHboFX
465 |   - id: comment
466 |     filter: "true"
467 |     disabled: null
468 |     conf:
469 |       comment: Learning Sections Below - Off by default
470 |   - id: comment
471 |     filter: "true"
472 |     disabled: true
473 |     conf:
474 |       comment: >-
475 |         The Drop Function uses a simple boolean (true/false) expression to drop
476 |         all events that match.
477 | 
478 |         If the Filter expression is matches and returns true, drop the event, otherwise do nothing. No state is tracked.
479 | 
480 |         In LogStream, an expression that returns undefined is the same as returning false.
481 | 
482 | 
483 |         References:
484 | 
485 |         https://docs.cribl.io/logstream/drop-function
486 |     groupId: I4naCl
487 |   - id: drop
488 |     filter: _raw.EventCode=='4776' && _raw.Message=='The computer attempted to
489 |       validate the credentials for an account.'
490 |     disabled: true
491 |     conf: {}
492 |     groupId: I4naCl
493 |   - id: comment
494 |     filter: "true"
495 |     disabled: true
496 |     conf:
497 |       comment: >-
498 |         The Suppress Function suppresses events over a time period, based on
499 |         evaluating a key expression.
500 | 
501 | 
502 |         References:
503 | 
504 |         https://docs.cribl.io/logstream/suppress-function
505 | 
506 |         https://docs.cribl.io/logstream/functions#shared-nothing
507 |     groupId: I4naCl
508 |   - id: suppress
509 |     filter: "true"
510 |     disabled: true
511 |     conf:
512 |       allow: 1
513 |       suppressPeriodSec: 30
514 |       dropEventsMode: true
515 |       maxCacheSize: 50000
516 |       cacheIdleTimeoutPeriods: 2
517 |       numEventsIdleTimeoutTrigger: 10000
518 |       keyExpr: "`${_raw.EventCode}:${_raw.Message}`"
519 |     groupId: I4naCl
520 |   - id: comment
521 |     filter: "true"
522 |     disabled: true
523 |     conf:
524 |       comment: >
525 |         The Sampling Function uses a Filter expression combined with Sampling
526 |         Rules to drop all but one out of the specified number of matching
527 |         events.
528 | 
529 |         You can define multiple Sampling Rules and use Filter expressions to determine the Sampling Rate.
530 | 
531 |         Each time an event goes through the Sampling function, an index-time sampled::<rate> field is added to it. You can use this field in your statistical functions, as necessary.
532 | 
533 | 
534 |         References:
535 | 
536 |         https://docs.cribl.io/logstream/sampling-function/
537 | 
538 |         https://docs.cribl.io/logstream/usecase-sampling/
539 | 
540 |         https://cribl.io/blog/sampling-for-added-visibility-and-efficiency/
541 |     groupId: I4naCl
542 |   - id: sampling
543 |     filter: "true"
544 |     disabled: true
545 |     conf:
546 |       rules:
547 |         - filter: _raw.EventCode=='4776' && _raw.Message=='The computer attempted to
548 |             validate the credentials for an account.'
549 |           rate: 5
550 |     groupId: I4naCl
551 |   - id: comment
552 |     filter: "true"
553 |     disabled: true
554 |     conf:
555 |       comment: >-
556 |         The Dynamic Sampling Function filters out events based on an expression,
557 |         a sample mode, and events' volume. Your sample mode’s configuration
558 |         determines what percentage of incoming events will be passed along to
559 |         the next step.
560 | 
561 | 
562 |         References:
563 | 
564 |         https://docs.cribl.io/logstream/dynamic-sampling-function
565 | 
566 |         https://cribl.io/blog/getting-smart-and-practical-with-dynamic-sampling
567 | 
568 |         https://docs.cribl.io/logstream/functions#shared-nothing
569 |     groupId: I4naCl
570 |   - id: dynamic_sampling
571 |     filter: "true"
572 |     disabled: true
573 |     conf:
574 |       mode: sqrt
575 |       keyExpr: "`${_raw.EventCode}:${_raw.Message}`"
576 |       samplePeriod: 30
577 |       minEvents: 30
578 |       maxSampleRate: 100
579 |     groupId: I4naCl
580 |   - id: comment
581 |     filter: "true"
582 |     disabled: true
583 |     conf:
584 |       comment: >-
585 |         The Aggregations Function performs aggregate statistics on event data.
586 | 
587 |         1. Select the gear icon at the top right of Sample Data
588 | 
589 |         2. Toggle (Show Dropped Events) to Off or ensure you scroll to the very bottom of the sample
590 | 
591 |         3. Select various Output Settings
592 | 
593 | 
594 |         References:
595 | 
596 |         https://docs.cribl.io/logstream/aggregations-function
597 | 
598 |         https://cribl.io/blog/engineering-deep-dive-streaming-aggregations-part-1-time-bucketing/
599 | 
600 |         https://cribl.io/blog/engineering-deep-dive-streaming-aggregations-part-2-memory-optimization
601 |     groupId: I4naCl
602 |   - id: aggregation
603 |     filter: "true"
604 |     disabled: true
605 |     conf:
606 |       passthrough: true
607 |       preserveGroupBys: true
608 |       sufficientStatsOnly: true
609 |       metricsMode: true
610 |       timeWindow: 60s
611 |       aggregations:
612 |         - count(_raw.EventCode).as(Count)
613 |         - dc(_raw.EventCode).as(DistinctCount)
614 |         - values(_raw.ComputerName).as(ValuesComputerNames)
615 |         - list(_raw.ComputerName).as(ListComputerNames)
616 |       cumulative: false
617 |       flushOnInputClose: true
618 |       groupbys:
619 |         - _raw.EventCode
620 |     groupId: I4naCl
621 |     description: For this example all OUTPUT SETTINGS are turned on.  Scroll to the bottom
622 |       of the Sample Data to view the results of the Aggregations
623 |   - id: comment
624 |     filter: "true"
625 |     disabled: true
626 |     conf:
627 |       comment: >
628 |         These next two functions demonstrate how to Parse and Reserialize from
629 |         one format such as JSON to another such as Key=Value Pairs
630 | 
631 | 
632 |         The JSON and Key=Value Pairs Types don't require you name every field.
633 | 
634 | 
635 |         Doc references:
636 | 
637 |         https://docs.cribl.io/logstream/introduction-reference#best-practices
638 | 
639 |         https://docs.cribl.io/logstream/serialize-function
640 | 
641 |         https://docs.cribl.io/logstream/parser-function
642 |     groupId: OW2pX5
643 |   - id: serde
644 |     filter: "true"
645 |     disabled: true
646 |     conf:
647 |       mode: extract
648 |       type: json
649 |       srcField: _raw
650 |     groupId: OW2pX5
651 |   - id: serialize
652 |     filter: "true"
653 |     disabled: true
654 |     conf:
655 |       type: kvp
656 |       fields:
657 |         - "!_*"
658 |         - "!cribl_*"
659 |         - "!index"
660 |         - "!source"
661 |         - "!sourcetype"
662 |         - "!host"
663 |         - "*"
664 |       dstField: _raw
665 |       cleanFields: false
666 |       delimChar: ","
667 |       quoteChar: '"'
668 |       escapeChar: \
669 |       nullValue: "-"
670 |     groupId: OW2pX5
671 |   - id: eval
672 |     filter: "true"
673 |     disabled: true
674 |     conf:
675 |       keep:
676 |         - _*
677 |         - cribl_*
678 |         - index
679 |         - source
680 |         - sourcetype
681 |         - host
682 |       remove:
683 |         - "*"
684 |     description: Keep Cribl fields and the default Splunk fields and remove all unnecessary
685 |       top level fields.  Feel free to adjust for extracted meta fields.
686 |     groupId: OW2pX5
687 |   - id: serde
688 |     filter: "true"
689 |     disabled: true
690 |     conf:
691 |       mode: extract
692 |       type: json
693 |       srcField: _raw
694 |   - id: drop
695 |     filter: "['4688','4689'].includes(_raw.EventCode)"
696 |     disabled: true
697 |     conf: {}
698 | 


--------------------------------------------------------------------------------
/samples/g9Eeo4.json:
--------------------------------------------------------------------------------
1 | [{"_raw":"Type=Disk\nName=\"C:\"\nDriveType=\"fixed\"\nTotalSpaceKB=83884028\nFreeSpaceKB=64632628\nFileSystem=\"NTFS\"","_time":1621342800,"source":"disk","host":"host.acme.com","sourcetype":"WinHostMon:Disk","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Computer\nName=\"host.acme.com\"\nDomain=\"cribl.poc\"\nManufacturer=\"Xen\"\nModel=\"HVM domU\"\nStatus=\"OK\"\nSystem Type=\"x64-based PC\"","_time":1621342800,"source":"computer","host":"host.acme.com","sourcetype":"WinHostMon:Computer","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Audio Endpoint\"\nDeviceID=\"SWD\\MMDEVAPI\\{3.0.0.00000002}.{6C26BA7D-F0B2-4225-B422-8168C5261E45}\"\nDeviceClass=\"AUDIOENDPOINT\"\nClassGuid=\"{c166523c-fe0c-4a94-a586-f1a80cfbbf3e}\"\nInfName=\"audioendpoint.inf\"\nManufacturer=\"Microsoft\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.0\"\nDriverDate=\"20160715000000\"\nDescription=\"Audio Endpoint\"\nHardWareID=\"MMDEVAPI\\AudioEndpoints\"\nCompatID=\"GenericAudioEndpoint\"\nDriverName=\nFriendlyName=\"Remote Audio\"","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Generic software device\"\nDeviceID=\"SWD\\SCDEVICEENUMBUS\\1\"\nDeviceClass=\"SOFTWAREDEVICE\"\nClassGuid=\nInfName=\"c_swdevice.inf\"\nManufacturer=\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.0\"\nDriverDate=\"20060621000000\"\nDescription=\"Generic software device\"\nHardWareID=\nCompatID=\nDriverName=\nFriendlyName=\"Microsoft Passport Container Enumeration Bus\"","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Generic software device\"\nDeviceID=\"SWD\\SCDEVICEENUMBUS\\0\"\nDeviceClass=\"SOFTWAREDEVICE\"\nClassGuid=\nInfName=\"c_swdevice.inf\"\nManufacturer=\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.0\"\nDriverDate=\"20060621000000\"\nDescription=\"Generic software device\"\nHardWareID=\nCompatID=\nDriverName=\nFriendlyName=\"Smart Card Device Enumeration Bus\"","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Local Print Queue\"\nDeviceID=\"SWD\\PRINTENUM\\{96D96094-317E-4961-9477-4F76E47AA93E}\"\nDeviceClass=\"PRINTQUEUE\"\nClassGuid=\"{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}\"\nInfName=\"printqueue.inf\"\nManufacturer=\"Microsoft\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.0\"\nDriverDate=\"20060621000000\"\nDescription=\"Local Print Queue\"\nHardWareID=\"PRINTENUM\\{084f01fa-e634-4d77-83ee-074817c03581}\"\nCompatID=\"GenPrintQueue\"\nDriverName=\nFriendlyName=\"Microsoft Print to PDF\"","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Local Print Queue\"\nDeviceID=\"SWD\\PRINTENUM\\{A24F8C55-8C7A-441A-8707-2F4493BEA0CF}\"\nDeviceClass=\"PRINTQUEUE\"\nClassGuid=\"{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}\"\nInfName=\"printqueue.inf\"\nManufacturer=\"Microsoft\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.0\"\nDriverDate=\"20060621000000\"\nDescription=\"Local Print Queue\"\nHardWareID=\"PRINTENUM\\{0f4130dd-19c7-7ab6-99a1-980f03b2ee4e}\"\nCompatID=\"GenPrintQueue\"\nDriverName=\nFriendlyName=\"Microsoft XPS Document Writer\"","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Local Print Queue\"\nDeviceID=\"SWD\\PRINTENUM\\PRINTQUEUES\"\nDeviceClass=\"PRINTQUEUE\"\nClassGuid=\"{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}\"\nInfName=\"printqueue.inf\"\nManufacturer=\"Microsoft\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.0\"\nDriverDate=\"20060621000000\"\nDescription=\"Local Print Queue\"\nHardWareID=\"PRINTENUM\\LocalPrintQueue\"\nCompatID=\"SWD\\GenericRaw\"\nDriverName=\nFriendlyName=\"Root Print Queue\"","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Microsoft Teredo Tunneling Adapter\"\nDeviceID=\"SWD\\IP_TUNNEL_VBUS\\TEREDO_TUNNEL_DEVICE\"\nDeviceClass=\"NET\"\nClassGuid=\"{4d36e972-e325-11ce-bfc1-08002be10318}\"\nInfName=\"nettun.inf\"\nManufacturer=\"Microsoft\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.0\"\nDriverDate=\"20060621000000\"\nDescription=\"Microsoft Teredo Tunneling Adapter\"\nHardWareID=\"*TEREDO\"\nCompatID=\"SWD\\GenericRaw\"\nDriverName=\nFriendlyName=\"Teredo Tunneling Pseudo-Interface\"","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Microsoft ISATAP Adapter\"\nDeviceID=\"SWD\\IP_TUNNEL_VBUS\\ISATAP_0\"\nDeviceClass=\"NET\"\nClassGuid=\"{4d36e972-e325-11ce-bfc1-08002be10318}\"\nInfName=\"nettun.inf\"\nManufacturer=\"Microsoft\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.0\"\nDriverDate=\"20060621000000\"\nDescription=\"Microsoft ISATAP Adapter\"\nHardWareID=\"*ISATAP\"\nCompatID=\"SWD\\GenericRaw\"\nDriverName=\nFriendlyName=\"Microsoft ISATAP Adapter\"","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Generic software device\"\nDeviceID=\"SWD\\IP_TUNNEL_VBUS\\IP_TUNNEL_DEVICE_ROOT\"\nDeviceClass=\"SOFTWAREDEVICE\"\nClassGuid=\"{62f9c741-b25a-46ce-b54c-9bccce08b6f2}\"\nInfName=\"c_swdevice.inf\"\nManufacturer=\"Microsoft\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.0\"\nDriverDate=\"20060621000000\"\nDescription=\"Generic software device\"\nHardWareID=\"(null)\"\nCompatID=\"SWD\\GenericRaw\"\nDriverName=\nFriendlyName=\"Microsoft IPv4 IPv6 Transition Adapter Bus\"","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Generic software device\"\nDeviceID=\"SWD\\MMDEVAPI\\MICROSOFTGSWAVETABLESYNTH\"\nDeviceClass=\"SOFTWAREDEVICE\"\nClassGuid=\nInfName=\"c_swdevice.inf\"\nManufacturer=\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.0\"\nDriverDate=\"20060621000000\"\nDescription=\"Generic software device\"\nHardWareID=\nCompatID=\nDriverName=\nFriendlyName=\"Microsoft GS Wavetable Synth\"","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Generic software device\"\nDeviceID=\"SWD\\RADIO\\{3DB5895D-CC28-44B3-AD3D-6F01A782B8D2}\"\nDeviceClass=\"SOFTWAREDEVICE\"\nClassGuid=\nInfName=\"c_swdevice.inf\"\nManufacturer=\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.0\"\nDriverDate=\"20060621000000\"\nDescription=\"Generic software device\"\nHardWareID=\nCompatID=\nDriverName=\nFriendlyName=\"Microsoft Radio Device Enumeration Bus\"","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Remote Desktop Device Redirector Bus\"\nDeviceID=\"ROOT\\RDPBUS\\0000\"\nDeviceClass=\"SYSTEM\"\nClassGuid=\"{4d36e97d-e325-11ce-bfc1-08002be10318}\"\nInfName=\"rdpbus.inf\"\nManufacturer=\"Microsoft\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.0\"\nDriverDate=\"20060621000000\"\nDescription=\"Remote Desktop Device Redirector Bus\"\nHardWareID=\"ROOT\\RDPBUS\"\nCompatID=\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"EC2 Windows Utility Device\"\nDeviceID=\"ROOT\\SYSTEM\\0001\"\nDeviceClass=\"SYSTEM\"\nClassGuid=\"{4d36e97d-e325-11ce-bfc1-08002be10318}\"\nInfName=\"oem12.inf\"\nManufacturer=\"Amazon Web Services, Inc.\"\nDriverProviderName=\"Amazon Web Services, Inc.\"\nDriverVersion=\"2.0.0.37\"\nDriverDate=\"20180824000000\"\nDescription=\"EC2 Windows Utility Device\"\nHardWareID=\"root\\ec2winutildriver\"\nCompatID=\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Plug and Play Software Device Enumerator\"\nDeviceID=\"ROOT\\SYSTEM\\0000\"\nDeviceClass=\"SYSTEM\"\nClassGuid=\"{4d36e97d-e325-11ce-bfc1-08002be10318}\"\nInfName=\"swenum.inf\"\nManufacturer=\"(Standard system devices)\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.0\"\nDriverDate=\"20160715000000\"\nDescription=\"Plug and Play Software Device Enumerator\"\nHardWareID=\"ROOT\\SWENUM\"\nCompatID=\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Microsoft System Management BIOS Driver\"\nDeviceID=\"ROOT\\MSSMBIOS\\0000\"\nDeviceClass=\"SYSTEM\"\nClassGuid=\"{4d36e97d-e325-11ce-bfc1-08002be10318}\"\nInfName=\"mssmbios.inf\"\nManufacturer=\"(Standard system devices)\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.0\"\nDriverDate=\"20060621000000\"\nDescription=\"Microsoft System Management BIOS Driver\"\nHardWareID=\"ROOT\\mssmbios\"\nCompatID=\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"NDIS Virtual Network Adapter Enumerator\"\nDeviceID=\"ROOT\\NDISVIRTUALBUS\\0000\"\nDeviceClass=\"SYSTEM\"\nClassGuid=\"{4d36e97d-e325-11ce-bfc1-08002be10318}\"\nInfName=\"ndisvirtualbus.inf\"\nManufacturer=\"Microsoft\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.0\"\nDriverDate=\"20060621000000\"\nDescription=\"NDIS Virtual Network Adapter Enumerator\"\nHardWareID=\"ROOT\\NdisVirtualBus\"\nCompatID=\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Microsoft Basic Render Driver\"\nDeviceID=\"ROOT\\BASICRENDER\\0000\"\nDeviceClass=\"SYSTEM\"\nClassGuid=\"{4d36e97d-e325-11ce-bfc1-08002be10318}\"\nInfName=\"basicrender.inf\"\nManufacturer=\"Microsoft\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.2155\"\nDriverDate=\"20060621000000\"\nDescription=\"Microsoft Basic Render Driver\"\nHardWareID=\"ROOT\\BasicRender\"\nCompatID=\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"ACPI Fixed Feature Button\"\nDeviceID=\"ACPI\\FIXEDBUTTON\\2&DABA3FF&1\"\nDeviceClass=\"SYSTEM\"\nClassGuid=\"{4d36e97d-e325-11ce-bfc1-08002be10318}\"\nInfName=\"machine.inf\"\nManufacturer=\"(Standard system devices)\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.2155\"\nDriverDate=\"20060621000000\"\nDescription=\"ACPI Fixed Feature Button\"\nHardWareID=\"ACPI\\FixedButton\"\nCompatID=\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Intel Processor\"\nDeviceID=\"ACPI\\GENUINEINTEL_-_INTEL64_FAMILY_6_MODEL_79_-_INTEL(R)_XEON(R)_CPU_E5-2686_V4_@_2.30GHZ\\_1\"\nDeviceClass=\"PROCESSOR\"\nClassGuid=\"{50127dc3-0f36-415e-a6cc-4cb3be910b65}\"\nInfName=\"cpu.inf\"\nManufacturer=\"Intel\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.2969\"\nDriverDate=\"20090421000000\"\nDescription=\"Intel Processor\"\nHardWareID=\"ACPI\\GenuineIntel_-_Intel64_Family_6_Model_79\"\nCompatID=\"ACPI\\Processor\"\nDriverName=\nFriendlyName=\"Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz\"","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Intel Processor\"\nDeviceID=\"ACPI\\GENUINEINTEL_-_INTEL64_FAMILY_6_MODEL_79_-_INTEL(R)_XEON(R)_CPU_E5-2686_V4_@_2.30GHZ\\_0\"\nDeviceClass=\"PROCESSOR\"\nClassGuid=\"{50127dc3-0f36-415e-a6cc-4cb3be910b65}\"\nInfName=\"cpu.inf\"\nManufacturer=\"Intel\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.2969\"\nDriverDate=\"20090421000000\"\nDescription=\"Intel Processor\"\nHardWareID=\"ACPI\\GenuineIntel_-_Intel64_Family_6_Model_79\"\nCompatID=\"ACPI\\Processor\"\nDriverName=\nFriendlyName=\"Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz\"","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"High precision event timer\"\nDeviceID=\"ACPI\\PNP0103\\0\"\nDeviceClass=\"SYSTEM\"\nClassGuid=\"{4d36e97d-e325-11ce-bfc1-08002be10318}\"\nInfName=\"machine.inf\"\nManufacturer=\"(Standard system devices)\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.2155\"\nDriverDate=\"20060621000000\"\nDescription=\"High precision event timer\"\nHardWareID=\"ACPI\\VEN_PNP&DEV_0103\"\nCompatID=\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"AWS Interface\"\nDeviceID=\"XENBUS\\VEN_XS0001&DEV_IFACE&REV_00000003\\_\"\nDeviceClass=\"SYSTEM\"\nClassGuid=\"{4d36e97d-e325-11ce-bfc1-08002be10318}\"\nInfName=\"oem11.inf\"\nManufacturer=\"Amazon Inc.\"\nDriverProviderName=\"Amazon Inc.\"\nDriverVersion=\"8.2.7.5\"\nDriverDate=\"20191216000000\"\nDescription=\"AWS Interface\"\nHardWareID=\"XENBUS\\VEN_XS0001&DEV_IFACE&REV_00000003\"\nCompatID=\"XENBUS\\VEN_XS0001&DEV_IFACE&REV_00000003\"\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"AWS PV Network Device\"\nDeviceID=\"XENVIF\\VEN_XS0001&DEV_NET&REV_0000000B\\0\"\nDeviceClass=\"NET\"\nClassGuid=\"{4d36e972-e325-11ce-bfc1-08002be10318}\"\nInfName=\"oem84.inf\"\nManufacturer=\"Amazon Inc.\"\nDriverProviderName=\"Amazon Inc.\"\nDriverVersion=\"8.2.5.32\"\nDriverDate=\"20181119000000\"\nDescription=\"AWS PV Network Device\"\nHardWareID=\"XENVIF\\VEN_XS0001&DEV_NET&REV_0000000B\"\nCompatID=\"XENVIF\\VEN_XS0001&DEV_NET&REV_0000000B\"\nDriverName=\nFriendlyName=\"AWS PV Network Device #0\"","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"AWS PV Network Class\"\nDeviceID=\"XENBUS\\VEN_XS0001&DEV_VIF&REV_00000003\\_\"\nDeviceClass=\"SYSTEM\"\nClassGuid=\"{4d36e97d-e325-11ce-bfc1-08002be10318}\"\nInfName=\"oem4.inf\"\nManufacturer=\"Amazon Inc.\"\nDriverProviderName=\"Amazon Inc.\"\nDriverVersion=\"8.2.9.8\"\nDriverDate=\"20200708000000\"\nDescription=\"AWS PV Network Class\"\nHardWareID=\"XENBUS\\VEN_XS0001&DEV_VIF&REV_00000003\"\nCompatID=\"XENBUS\\VEN_XS0001&DEV_VIF&REV_00000003\"\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Disk drive\"\nDeviceID=\"SCSI\\DISK&VEN_AWS&PROD_PVDISK\\000000\"\nDeviceClass=\"DISKDRIVE\"\nClassGuid=\"{4d36e967-e325-11ce-bfc1-08002be10318}\"\nInfName=\"disk.inf\"\nManufacturer=\"(Standard disk drives)\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.1613\"\nDriverDate=\"20060621000000\"\nDescription=\"Disk drive\"\nHardWareID=\"SCSI\\DiskAWS_____PVDISK__________2.0_\"\nCompatID=\"SCSI\\Disk\"\nDriverName=\nFriendlyName=\"AWS PVDISK SCSI Disk Device\"","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"AWS PV Storage Host Adapter\"\nDeviceID=\"XENBUS\\VEN_XS0001&DEV_VBD&REV_00000001\\_\"\nDeviceClass=\"SCSIADAPTER\"\nClassGuid=\"{4d36e97b-e325-11ce-bfc1-08002be10318}\"\nInfName=\"oem7.inf\"\nManufacturer=\"Amazon Inc.\"\nDriverProviderName=\"Amazon Inc.\"\nDriverVersion=\"8.3.2.2\"\nDriverDate=\"20191213000000\"\nDescription=\"AWS PV Storage Host Adapter\"\nHardWareID=\"XENBUS\\VEN_XS0001&DEV_VBD&REV_00000003\"\nCompatID=\"XENBUS\\VEN_XS0001&DEV_VBD&REV_00000003\"\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"AWS PV Bus\"\nDeviceID=\"PCI\\VEN_5853&DEV_0001&SUBSYS_00015853&REV_01\\3&267A616A&2&18\"\nDeviceClass=\"SYSTEM\"\nClassGuid=\"{4d36e97d-e325-11ce-bfc1-08002be10318}\"\nInfName=\"oem22.inf\"\nManufacturer=\"Amazon Inc.\"\nDriverProviderName=\nDriverVersion=\"8.2.8.4\"\nDriverDate=\"20200708000000\"\nDescription=\nHardWareID=\"PCI\\VEN_5853&DEV_0001&SUBSYS_00015853&REV_01\"\nCompatID=\"PCI\\VEN_5853&DEV_0001&REV_01\"\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Generic Non-PnP Monitor\"\nDeviceID=\"DISPLAY\\DEFAULT_MONITOR\\4&69F2B1A&0&UID0\"\nDeviceClass=\"MONITOR\"\nClassGuid=\"{4d36e96e-e325-11ce-bfc1-08002be10318}\"\nInfName=\"monitor.inf\"\nManufacturer=\"(Standard monitor types)\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.0\"\nDriverDate=\"20060621000000\"\nDescription=\"Generic Non-PnP Monitor\"\nHardWareID=\"MONITOR\\Default_Monitor\"\nCompatID=\"*PNP09FF\"\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Microsoft Basic Display Adapter\"\nDeviceID=\"PCI\\VEN_1013&DEV_00B8&SUBSYS_00015853&REV_00\\3&267A616A&2&10\"\nDeviceClass=\"DISPLAY\"\nClassGuid=\"{4d36e968-e325-11ce-bfc1-08002be10318}\"\nInfName=\"display.inf\"\nManufacturer=\"(Standard display types)\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.0\"\nDriverDate=\"20060621000000\"\nDescription=\"Microsoft Basic Display Adapter\"\nHardWareID=\"PCI\\VEN_1013&DEV_00B8&SUBSYS_00015853&REV_00\"\nCompatID=\"PCI\\VEN_1013&DEV_00B8&REV_00\"\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"IDE Channel\"\nDeviceID=\"PCIIDE\\IDECHANNEL\\4&2685F4CF&0&1\"\nDeviceClass=\"HDC\"\nClassGuid=\"{4d36e96a-e325-11ce-bfc1-08002be10318}\"\nInfName=\"mshdc.inf\"\nManufacturer=\"(Standard IDE ATA/ATAPI controllers)\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.2273\"\nDriverDate=\"20060621000000\"\nDescription=\"IDE Channel\"\nHardWareID=\"Intel-PIIX3\"\nCompatID=\"*PNP0600\"\nDriverName=\nFriendlyName=\"ATA Channel 1\"","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"IDE Channel\"\nDeviceID=\"PCIIDE\\IDECHANNEL\\4&2685F4CF&0&0\"\nDeviceClass=\"HDC\"\nClassGuid=\"{4d36e96a-e325-11ce-bfc1-08002be10318}\"\nInfName=\"mshdc.inf\"\nManufacturer=\"(Standard IDE ATA/ATAPI controllers)\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.2273\"\nDriverDate=\"20060621000000\"\nDescription=\"IDE Channel\"\nHardWareID=\"Intel-PIIX3\"\nCompatID=\"*PNP0600\"\nDriverName=\nFriendlyName=\"ATA Channel 0\"","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Intel(R) 82371SB PCI Bus Master IDE Controller\"\nDeviceID=\"PCI\\VEN_8086&DEV_7010&SUBSYS_00015853&REV_00\\3&267A616A&2&09\"\nDeviceClass=\"HDC\"\nClassGuid=\"{4d36e96a-e325-11ce-bfc1-08002be10318}\"\nInfName=\"mshdc.inf\"\nManufacturer=\"Intel\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.2273\"\nDriverDate=\"20060621000000\"\nDescription=\"Intel(R) 82371SB PCI Bus Master IDE Controller\"\nHardWareID=\"PCI\\VEN_8086&DEV_7010&SUBSYS_00015853&REV_00\"\nCompatID=\"PCI\\VEN_8086&DEV_7010&REV_00\"\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Communications Port\"\nDeviceID=\"ACPI\\PNP0501\\1\"\nDeviceClass=\"PORTS\"\nClassGuid=\"{4d36e978-e325-11ce-bfc1-08002be10318}\"\nInfName=\"msports.inf\"\nManufacturer=\"(Standard port types)\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.0\"\nDriverDate=\"20060621000000\"\nDescription=\"Communications Port\"\nHardWareID=\"ACPI\\VEN_PNP&DEV_0501\"\nCompatID=\nDriverName=\nFriendlyName=\"Communications Port (COM1)\"","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Standard floppy disk controller\"\nDeviceID=\"ACPI\\PNP0700\\4&DBC3B45&0\"\nDeviceClass=\"FDC\"\nClassGuid=\"{4d36e969-e325-11ce-bfc1-08002be10318}\"\nInfName=\"fdc.inf\"\nManufacturer=\"(Standard floppy disk controllers)\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.0\"\nDriverDate=\"20060621000000\"\nDescription=\"Standard floppy disk controller\"\nHardWareID=\"ACPI\\VEN_PNP&DEV_0700\"\nCompatID=\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Standard PS/2 Keyboard\"\nDeviceID=\"ACPI\\PNP0303\\4&DBC3B45&0\"\nDeviceClass=\"KEYBOARD\"\nClassGuid=\"{4d36e96b-e325-11ce-bfc1-08002be10318}\"\nInfName=\"keyboard.inf\"\nManufacturer=\"(Standard keyboards)\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.206\"\nDriverDate=\"20060621000000\"\nDescription=\"Standard PS/2 Keyboard\"\nHardWareID=\"ACPI\\VEN_PNP&DEV_0303\"\nCompatID=\"*PNP030B\"\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"PS/2 Compatible Mouse\"\nDeviceID=\"ACPI\\PNP0F13\\4&DBC3B45&0\"\nDeviceClass=\"MOUSE\"\nClassGuid=\"{4d36e96f-e325-11ce-bfc1-08002be10318}\"\nInfName=\"msmouse.inf\"\nManufacturer=\"Microsoft\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.0\"\nDriverDate=\"20060621000000\"\nDescription=\"PS/2 Compatible Mouse\"\nHardWareID=\"ACPI\\VEN_PNP&DEV_0F13\"\nCompatID=\"*PNP0F13\"\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"System speaker\"\nDeviceID=\"ACPI\\PNP0800\\4&DBC3B45&0\"\nDeviceClass=\"SYSTEM\"\nClassGuid=\"{4d36e97d-e325-11ce-bfc1-08002be10318}\"\nInfName=\"machine.inf\"\nManufacturer=\"(Standard system devices)\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.2155\"\nDriverDate=\"20060621000000\"\nDescription=\"System speaker\"\nHardWareID=\"ACPI\\VEN_PNP&DEV_0800\"\nCompatID=\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"System CMOS/real time clock\"\nDeviceID=\"ACPI\\PNP0B00\\4&DBC3B45&0\"\nDeviceClass=\"SYSTEM\"\nClassGuid=\"{4d36e97d-e325-11ce-bfc1-08002be10318}\"\nInfName=\"machine.inf\"\nManufacturer=\"(Standard system devices)\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.2155\"\nDriverDate=\"20060621000000\"\nDescription=\"System CMOS/real time clock\"\nHardWareID=\"ACPI\\VEN_PNP&DEV_0B00\"\nCompatID=\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"System timer\"\nDeviceID=\"ACPI\\PNP0100\\4&DBC3B45&0\"\nDeviceClass=\"SYSTEM\"\nClassGuid=\"{4d36e97d-e325-11ce-bfc1-08002be10318}\"\nInfName=\"machine.inf\"\nManufacturer=\"(Standard system devices)\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.2155\"\nDriverDate=\"20060621000000\"\nDescription=\"System timer\"\nHardWareID=\"ACPI\\VEN_PNP&DEV_0100\"\nCompatID=\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Direct memory access controller\"\nDeviceID=\"ACPI\\PNP0200\\4&DBC3B45&0\"\nDeviceClass=\"SYSTEM\"\nClassGuid=\"{4d36e97d-e325-11ce-bfc1-08002be10318}\"\nInfName=\"machine.inf\"\nManufacturer=\"(Standard system devices)\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.2155\"\nDriverDate=\"20060621000000\"\nDescription=\"Direct memory access controller\"\nHardWareID=\"ACPI\\VEN_PNP&DEV_0200\"\nCompatID=\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Programmable interrupt controller\"\nDeviceID=\"ACPI\\PNP0000\\4&DBC3B45&0\"\nDeviceClass=\"SYSTEM\"\nClassGuid=\"{4d36e97d-e325-11ce-bfc1-08002be10318}\"\nInfName=\"machine.inf\"\nManufacturer=\"(Standard system devices)\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.2155\"\nDriverDate=\"20060621000000\"\nDescription=\"Programmable interrupt controller\"\nHardWareID=\"ACPI\\VEN_PNP&DEV_0000\"\nCompatID=\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Motherboard resources\"\nDeviceID=\"ACPI\\PNP0C02\\1\"\nDeviceClass=\"SYSTEM\"\nClassGuid=\"{4d36e97d-e325-11ce-bfc1-08002be10318}\"\nInfName=\"machine.inf\"\nManufacturer=\"(Standard system devices)\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.2155\"\nDriverDate=\"20060621000000\"\nDescription=\"Motherboard resources\"\nHardWareID=\"ACPI\\VEN_PNP&DEV_0C02\"\nCompatID=\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"PCI to ISA Bridge\"\nDeviceID=\"PCI\\VEN_8086&DEV_7000&SUBSYS_11001AF4&REV_00\\3&267A616A&2&08\"\nDeviceClass=\"SYSTEM\"\nClassGuid=\"{4d36e97d-e325-11ce-bfc1-08002be10318}\"\nInfName=\"machine.inf\"\nManufacturer=\"Intel\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.2155\"\nDriverDate=\"20060621000000\"\nDescription=\"PCI to ISA Bridge\"\nHardWareID=\"PCI\\VEN_8086&DEV_7000&SUBSYS_11001AF4&REV_00\"\nCompatID=\"PCI\\VEN_8086&DEV_7000&REV_00\"\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"CPU to PCI Bridge\"\nDeviceID=\"PCI\\VEN_8086&DEV_1237&SUBSYS_11001AF4&REV_02\\3&267A616A&2&00\"\nDeviceClass=\"SYSTEM\"\nClassGuid=\"{4d36e97d-e325-11ce-bfc1-08002be10318}\"\nInfName=\"machine.inf\"\nManufacturer=\"Intel\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.2155\"\nDriverDate=\"20060621000000\"\nDescription=\"CPU to PCI Bridge\"\nHardWareID=\"PCI\\VEN_8086&DEV_1237&SUBSYS_11001AF4&REV_02\"\nCompatID=\"PCI\\VEN_8086&DEV_1237&REV_02\"\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"PCI Bus\"\nDeviceID=\"ACPI\\PNP0A03\\0\"\nDeviceClass=\"SYSTEM\"\nClassGuid=\"{4d36e97d-e325-11ce-bfc1-08002be10318}\"\nInfName=\"pci.inf\"\nManufacturer=\"(Standard system devices)\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.2938\"\nDriverDate=\"20060621000000\"\nDescription=\"PCI Bus\"\nHardWareID=\"ACPI\\VEN_PNP&DEV_0A03\"\nCompatID=\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Motherboard resources\"\nDeviceID=\"ACPI\\PNP0C02\\2&DABA3FF&1\"\nDeviceClass=\"SYSTEM\"\nClassGuid=\"{4d36e97d-e325-11ce-bfc1-08002be10318}\"\nInfName=\"machine.inf\"\nManufacturer=\"(Standard system devices)\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.2155\"\nDriverDate=\"20060621000000\"\nDescription=\"Motherboard resources\"\nHardWareID=\"ACPI\\VEN_PNP&DEV_0C02\"\nCompatID=\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"Microsoft ACPI-Compliant System\"\nDeviceID=\"ACPI_HAL\\PNP0C08\\0\"\nDeviceClass=\"SYSTEM\"\nClassGuid=\"{4d36e97d-e325-11ce-bfc1-08002be10318}\"\nInfName=\"acpi.inf\"\nManufacturer=\"Microsoft\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.2339\"\nDriverDate=\"20060621000000\"\nDescription=\"Microsoft ACPI-Compliant System\"\nHardWareID=\"ACPI_HAL\\PNP0C08\"\nCompatID=\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"},{"_raw":"Type=Driver\nDeviceName=\"ACPI x64-based PC\"\nDeviceID=\"ROOT\\ACPI_HAL\\0000\"\nDeviceClass=\"COMPUTER\"\nClassGuid=\"{4d36e966-e325-11ce-bfc1-08002be10318}\"\nInfName=\"hal.inf\"\nManufacturer=\"(Standard computers)\"\nDriverProviderName=\"Microsoft\"\nDriverVersion=\"10.0.14393.0\"\nDriverDate=\"20060621000000\"\nDescription=\"ACPI x64-based PC\"\nHardWareID=\"acpiapic\"\nCompatID=\"DETECTEDInternal\\ACPI_HAL\"\nDriverName=\nFriendlyName=","_time":1621342800,"source":"driver","host":"host.acme.com","sourcetype":"WinHostMon:Driver","index":"default","cribl_breaker":"Break on newlines"}]


--------------------------------------------------------------------------------