From afa5dbd14105c2d9d10dac2b0c5ea33878967cdf Mon Sep 17 00:00:00 2001
From: ghostersk <68815071+ghostersk@users.noreply.github.com>
Date: Tue, 4 Mar 2025 21:12:02 +0000
Subject: [PATCH] Create enrich-username-win.yaml

---
 plugins/parsers/enrich-username-win.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 plugins/parsers/enrich-username-win.yaml

diff --git a/plugins/parsers/enrich-username-win.yaml b/plugins/parsers/enrich-username-win.yaml
new file mode 100644
index 0000000..03daa10
--- /dev/null
+++ b/plugins/parsers/enrich-username-win.yaml
@@ -0,0 +1,10 @@
+# parsers/s02-enrich:
+name: custom/rdp-forbidden-usernames
+description: "Detect RDP login attempts with forbidden usernames"
+filter: "evt.Meta.event_id in ['4625']"
+grok:
+ pattern: "Account Name:\\s+(?P\\S+)"
+ apply_on: message
+statics:
+ - meta: username
+ expression: evt.Parsed.username
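Review bot: The grok `pattern` line matches the first `Account Name:` in the 4625 message, which in the standard event layout belongs to the Subject section (frequently `-` or the host's machine account) rather than to the account for which the logon failed, so `evt.Parsed.username` and the `username` meta would carry the wrong principal. Anchoring on the second occurrence avoids that, e.g. `pattern: "Account For Which Logon Failed:\\s+Security ID:\\s+\\S+\\s+Account Name:\\s+(?P<username>\\S+)"`; note that as rendered here the group reads `(?P\\S+)` with no bracketed name after `?P`, which the Go regexp engine rejects, so unless the name `username` was merely lost in extraction it must be added for the static to resolve. The `filter` line also admits every 4625 regardless of logon type while `name` and `description` promise RDP-specific detection; either narrow the match (RDP logons typically report `Logon Type: 10`) or reword the description so operators do not assume the narrower scope. The captured name is text copied from an event the remote party controls, so downstream scenarios and notifications should treat the `username` meta as untrusted input, for instance with a comment above `statics:` such as `# username is copied verbatim from the event message; treat as untrusted downstream`.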