{
  // Windows Security Event XML parser — OCSF v1.3.0
  // Field captures use a negated character class ("[^<]*") that stops at the
  // next XML tag, so a capture can never run past its closing </Data>.  The
  // class also accepts an EMPTY value: a present-but-blank <Data> element still
  // matches, so consumers must tolerate "" for every captured field.
  // The surrounding ".*" segments are plain greedy wildcards; whether "." spans
  // newlines depends on the host parser's regex engine/flags —
  // NOTE(review): confirm against multi-line (pretty-printed) event XML.
  attributes: {
    // Defaults — presumably applied to every event and overridden by the
    // per-format "attributes" blocks below; verify the parser's merge order.
    // Formats that set no status_id/severity_id (4720, 4732, 1102, 4624 for
    // severity) would then inherit the values here.
    "metadata.version":             "1.3.0",
    "metadata.product.vendor_name": "Microsoft",
    "metadata.product.name":        "Windows Security",
    "metadata.log_provider":        "winlogbeat",
    "Category":               "host",
    "dataSource.vendor":      "Microsoft",
    "dataSource.name":        "Windows Security",
    "dataSource.category":    "endpoint",
    "category_uid":           3,
    "category_name":          "IAM",
    "class_uid":              3002,
    "class_name":             "Authentication",
    "activity_id":            1,
    "type_uid":               300201,
    "status_id":              1,
    "severity_id":            1
  },

  // Named sub-patterns referenced from format strings as $field=pattern$.
  // Only untilLT is referenced by the formats below; untilGT, word and rest
  // are currently unused.
  patterns: {
    // Anything until next "<" — stops at the next XML tag; also matches empty
    untilLT: "[^<]*",
    // Anything until next ">"
    untilGT: "[^>]*",
    word: "\\S+",
    rest: ".*"
  },

  // Each format keys on a distinct literal <EventID>NNNN</EventID>, so the
  // entries cannot overlap and their order does not change results.
  // halt: true presumably stops evaluation at the first matching format.
  // NOTE(review): the literal only matches the bare <EventID>NNNN</EventID>
  // form; an EventID element carrying attributes (e.g. Qualifiers) would not
  // match — confirm against sample events from this log source.
  formats: [
    // 4625 = Failed logon → Detection Finding (HIGH)
    // Captures TargetUserName (the account that failed to log on) and IpAddress.
    // Windows commonly writes "-" or a loopback address for IpAddress on
    // local/non-network logons, so $src_ip is not guaranteed to be a routable
    // remote address — filter on it downstream rather than assuming a source host.
    // The caller-side account (SubjectUserName) and the failure reason
    // (Status/SubStatus) present in the event are not captured here.
    {
      id: "win_4625",
      attributes: {
        class_uid: 2004, class_name: "Detection Finding",
        category_uid: 2, category_name: "Findings",
        type_uid: 200401,
        finding_title: "Windows Logon Failure (4625)",
        severity_id: 4, severity: "High",
        disposition_id: 2, disposition: "Blocked",
        status_id: 2, status: "Failure"
      },
      format: ".*<EventID>4625</EventID>.*<Data Name=\"TargetUserName\">$user_name=untilLT$</Data>.*<Data Name=\"IpAddress\">$src_ip=untilLT$</Data>.*",
      halt: true
    },

    // 4720 = User account created → Detection Finding (HIGH)
    // $new_user is the account that was created; the creating account
    // (SubjectUserName in the same event) is not captured — TODO consider
    // adding it so the finding names the actor as well as the target.
    {
      id: "win_4720",
      attributes: {
        class_uid: 2004, class_name: "Detection Finding",
        category_uid: 2, category_name: "Findings",
        type_uid: 200401,
        finding_title: "Windows New User Account Created (4720)",
        severity_id: 4, severity: "High"
      },
      format: ".*<EventID>4720</EventID>.*<Data Name=\"TargetUserName\">$new_user=untilLT$</Data>.*",
      halt: true
    },

    // 4732 = User added to security group → Detection Finding (CRITICAL)
    // 4732 is raised for a member added to ANY security-enabled local group,
    // and the pattern does not constrain $group_name, so the "Privileged
    // Group" title and Critical severity apply to every local group change;
    // downstream should compare $group_name against an allow-list of
    // sensitive groups before treating it as critical.  MemberName is
    // typically a SID rather than a display name — presumably resolved later.
    {
      id: "win_4732",
      attributes: {
        class_uid: 2004, class_name: "Detection Finding",
        category_uid: 2, category_name: "Findings",
        type_uid: 200401,
        finding_title: "Windows User Added to Privileged Group (4732)",
        severity_id: 5, severity: "Critical"
      },
      format: ".*<EventID>4732</EventID>.*<Data Name=\"MemberName\">$member=untilLT$</Data>.*<Data Name=\"TargetUserName\">$group_name=untilLT$</Data>.*",
      halt: true
    },

    // 1102 = Audit log cleared (anti-forensics) → Detection Finding (CRITICAL)
    // No fields are captured; the account that cleared the log (carried in the
    // event's UserData rather than an EventData <Data> element) is not
    // extracted — TODO consider capturing it for attribution.
    {
      id: "win_1102",
      attributes: {
        class_uid: 2004, class_name: "Detection Finding",
        category_uid: 2, category_name: "Findings",
        type_uid: 200401,
        finding_title: "Windows Audit Log Cleared (1102)",
        severity_id: 5, severity: "Critical"
      },
      format: ".*<EventID>1102</EventID>.*",
      halt: true
    },

    // 4624 = Successful logon (informational)
    // Matches every successful logon, including machine (NAME$) and service
    // accounts, so this is high-volume; LogonType is not captured, and the
    // same "-"/loopback caveat as 4625 applies to $src_ip.  No severity is set
    // here, so it presumably inherits the top-level default.
    {
      id: "win_4624",
      attributes: {
        class_uid: 3002, class_name: "Authentication",
        activity_id: 1, type_uid: 300201,
        status_id: 1, status: "Success"
      },
      format: ".*<EventID>4624</EventID>.*<Data Name=\"TargetUserName\">$user_name=untilLT$</Data>.*<Data Name=\"IpAddress\">$src_ip=untilLT$</Data>.*",
      halt: true
    }
  ]
}
