plugins/parsers/enrich-username-win.yaml

# parsers/s02-enrich:
name: custom/rdp-forbidden-usernames
description: "Detect RDP login attempts with forbidden usernames"
filter: "evt.Meta.event_id in ['4625']"
grok:
  pattern: "Account Name:\\s+(?P<username>\\S+)"
  apply_on: message
statics:
  - meta: username
    expression: evt.Parsed.username
Create enrich-username-win.yaml 2025-03-04 21:12:02 +00:00			`# parsers/s02-enrich:`
			`name: custom/rdp-forbidden-usernames`
			`description: "Detect RDP login attempts with forbidden usernames"`
			`filter: "evt.Meta.event_id in ['4625']"`
			`grok:`
			`pattern: "Account Name:\\s+(?P<username>\\S+)"`
			`apply_on: message`
			`statics:`
			`- meta: username`
			`expression: evt.Parsed.username`