Feature/bits openvpn

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/formula.xp

@@ -0,0 +1,40 @@
+EVENTLOG = 'EventID="3"'
+!COND = $Channel=="Microsoft-Windows-Bits-Client/Operational" and $Provider["Name"]=="Microsoft-Windows-Bits-Client"
+
+action = "create"
+object = "task" 
+status = "success"
+
+object.name = $Data["jobTitle"] # Job name
+
+object.account.fullname = $Data["jobOwner"]
+object.account.name = csv(object.account.fullname, "\\", "")[1]
+object.account.domain = csv(object.account.fullname, "\\", "")[0]
+
+object.process.fullpath = $Data["processPath"]
+$process_name = csv(object.process.fullpath, "\\", "")
+object.process.name = $process_name[length($process_name) - 1] 
+object.process.id = $Data["processId"]
+
+object.id = $Data["jobId"]
+
+time = $TimeCreated["SystemTime"]
+
+msgid = $EventID
+
+$first_dot = find_substr($Computer, '.')
+if $first_dot != null then
+    event_src.fqdn = lower($Computer)
+    event_src.hostname = lower(substr($Computer, 0, $first_dot))
+else
+    event_src.hostname = lower($Computer)
+endif
+
+event_src.vendor = "microsoft"
+event_src.title = "windows"
+event_src.subsys = $Channel
+event_src.category = "Operating system"
+event_src.id = $Provider["Name"]
+
+
+id = "PT_Microsoft_Windows_eventlog_3_Bits_created_job"

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/i18n/i18n_en.yaml

@@ -0,0 +1,4 @@
+Description: 'A bitsadmin task has been created. Can be used to start a process'
+EventDescriptions:
+    - LocalizationId: '3_Bits_created_job_1'
+      EventDescription: 'On the {event_src.host} host, the user {object.account.fullname} creates a bitsadmin task - {object.name}'

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/i18n/i18n_ru.yaml

@@ -0,0 +1,4 @@
+Description: 'Создана задача bitsadmin. Может использоваться для запуска процесса'
+EventDescriptions:
+    - LocalizationId: '3_Bits_created_job_1'
+      EventDescription: 'На хосте {event_src.host} пользователем {object.account.fullname} cоздана задача bitsadmin - {object.name}'

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/metainfo.yaml

@@ -0,0 +1,7 @@
+EventDescriptions:
+    - Criteria: id = "PT_Microsoft_Windows_eventlog_3_Bits_created_job"
+      LocalizationId: 3_Bits_created_job_1
+ObjectId: SEC-NF-553054921
+ExpertContext:
+    Created: 08.07.2024
+    Updated: 09.07.2024

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/tests/norm_1.js

@@ -0,0 +1,22 @@
+{
+    "action": "create",
+    "event_src.category": "Operating system",
+    "event_src.hostname": "msedgewin10",
+    "event_src.id": "Microsoft-Windows-Bits-Client",
+    "event_src.subsys": "Microsoft-Windows-Bits-Client/Operational",
+    "event_src.title": "windows",
+    "event_src.vendor": "microsoft",
+    "id": "PT_Microsoft_Windows_eventlog_3_Bits_created_job",
+    "msgid": "3",
+    "object": "task",
+    "object.account.domain": "MSEDGEWIN10",
+    "object.account.fullname": "MSEDGEWIN10\\IEUser",
+    "object.account.name": "IEUser",
+    "object.id": "78E48D71-6706-4BEF-BE13-DD6596AECB77",
+    "object.name": "C:\\Users\\IEUser\\AppData\\Local\\Temp\\{F1502BD5-ADFF-4123-9C07-0E4B02FCB037}-89.0.4389.82_87.0.4280.66_chrome_updater.exe",
+    "object.process.fullpath": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
+    "object.process.id": "2136",
+    "object.process.name": "GoogleUpdate.exe",
+    "status": "success",
+    "time": "2021-03-15T19:01:32.644Z"
+}

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/tests/norm_2.js

@@ -0,0 +1 @@
+{}

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/tests/raw_1.txt

@@ -0,0 +1 @@
+{"Event":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event","System":{"Provider":{"Name":"Microsoft-Windows-Bits-Client","Guid":"EF1CC15B-46C1-414E-BB95-E76B077BD51E"},"EventID":"3","Version":"2","Level":"4","Task":"0","Opcode":"0","Keywords":"0x4000000000000000","TimeCreated":{"SystemTime":"2021-03-15T19:01:32.644326Z"},"EventRecordID":"9407","Correlation":null,"Execution":{"ProcessID":"8100","ThreadID":"1356"},"Channel":"Microsoft-Windows-Bits-Client/Operational","Computer":"MSEDGEWIN10","Security":{"UserID":"S-1-5-18"}},"EventData":{"Data":[{"Name":"jobTitle","text":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\{F1502BD5-ADFF-4123-9C07-0E4B02FCB037}-89.0.4389.82_87.0.4280.66_chrome_updater.exe"},{"Name":"jobId","text":"78E48D71-6706-4BEF-BE13-DD6596AECB77"},{"Name":"jobOwner","text":"MSEDGEWIN10\\IEUser"},{"Name":"processPath","text":"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe"},{"Name":"processId","text":"2136"}]}}}

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/tests/raw_2.txt

@@ -0,0 +1 @@
+{"Event":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event","System":{"Provider":{"Name":"Microsoft-Windows-Bits-Client","Guid":"EF1CC15B-46C1-414E-BB95-E76B077BD51E"},"EventID":"3","Version":"2","Level":"4","Task":"0","Opcode":"0","Keywords":"0x4000000000000000","TimeCreated":{"SystemTime":"2021-03-15T19:01:32.644326Z"},"EventRecordID":"9407","Correlation":null,"Execution":{"ProcessID":"8100","ThreadID":"1356"},"Channel":"Microsoft-Windows-Bits-Client/Operational","Computer":"MSEDGEWIN10","Security":{"UserID":"S-1-5-18"}},"EventData":{"Data":[{"Name":"jobTitle","text":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\{F1502BD5-ADFF-4123-9C07-0E4B02FCB037}-89.0.4389.82_87.0.4280.66_chrome_updater.exe"},{"Name":"jobId","text":"78E48D71-6706-4BEF-BE13-DD6596AECB77"},{"Name":"jobOwner","text":"MSEDGEWIN10\\IEUser"},{"Name":"processId","text":"2136"}]}}}

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/4_Bits_finished_job/formula.xp

@@ -0,0 +1,36 @@
+EVENTLOG = 'EventID="4"'
+!COND = $Channel=="Microsoft-Windows-Bits-Client/Operational" and $Provider["Name"]=="Microsoft-Windows-Bits-Client"
+
+action = "stop"
+object = "task" 
+status = "success"
+
+object.name = $Data["jobTitle"] # Job name
+
+object.account.fullname = $Data["User"]
+object.account.name = csv(object.account.fullname, "\\", "")[1]
+object.account.domain = csv(object.account.fullname, "\\", "")[0]
+object.id = $Data["jobId"]
+
+count.bytes = $Data["bytesTransferred"]
+
+time = $TimeCreated["SystemTime"]
+
+msgid = $EventID
+
+$first_dot = find_substr($Computer, '.')
+if $first_dot != null then
+    event_src.fqdn = lower($Computer)
+    event_src.hostname = lower(substr($Computer, 0, $first_dot))
+else
+    event_src.hostname = lower($Computer)
+endif
+
+event_src.vendor = "microsoft"
+event_src.title = "windows"
+event_src.subsys = $Channel
+event_src.category = "Operating system"
+event_src.id = $Provider["Name"]
+
+
+id = "PT_Microsoft_Windows_eventlog_4_Bits_finished_job"

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/4_Bits_finished_job/i18n/i18n_en.yaml

@@ -0,0 +1,4 @@
+Description: 'The bitsadmin task has been completed'
+EventDescriptions:
+    - LocalizationId: '4_Bits_finished_job_1'
+      EventDescription: 'The bitsadmin task is executed on the {event_src.host} host - {object.name} created by the user {object.account.fullname}'

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/4_Bits_finished_job/i18n/i18n_ru.yaml

@@ -0,0 +1,4 @@
+Description: 'Выполнена задача bitsadmin'
+EventDescriptions:
+    - LocalizationId: '4_Bits_finished_job_1'
+      EventDescription: 'На хосте {event_src.host} выполнена задача bitsadmin - {object.name}, созданная пользователем {object.account.fullname}'

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/4_Bits_finished_job/metainfo.yaml

@@ -0,0 +1,7 @@
+EventDescriptions:
+    - Criteria: id = "PT_Microsoft_Windows_eventlog_4_Bits_finished_job"
+      LocalizationId: 4_Bits_finished_job_1
+ObjectId: SEC-NF-679402722
+ExpertContext:
+    Created: 09.07.2024
+    Updated: 09.07.2024

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/4_Bits_finished_job/tests/norm_1.js

@@ -0,0 +1,20 @@
+{
+    "action": "stop",
+    "count.bytes": 1304160,
+    "event_src.category": "Operating system",
+    "event_src.hostname": "msedgewin10",
+    "event_src.id": "Microsoft-Windows-Bits-Client",
+    "event_src.subsys": "Microsoft-Windows-Bits-Client/Operational",
+    "event_src.title": "windows",
+    "event_src.vendor": "microsoft",
+    "id": "PT_Microsoft_Windows_eventlog_4_Bits_finished_job",
+    "msgid": "4",
+    "object": "task",
+    "object.account.domain": "MSEDGEWIN10",
+    "object.account.fullname": "MSEDGEWIN10\\IEUser",
+    "object.account.name": "IEUser",
+    "object.id": "3774C88F-94AD-4FC0-A559-EA76B5D829D6",
+    "object.name": "C:\\Users\\IEUser\\AppData\\Local\\Temp\\{259DDBBE-DDD3-4590-8A2C-60211631093C}-GoogleUpdateSetup.exe",
+    "status": "success",
+    "time": "2021-03-15T18:55:51.612Z"
+}

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/4_Bits_finished_job/tests/raw_1.txt

@@ -0,0 +1 @@
+{"Event":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event","System":{"Provider":{"Name":"Microsoft-Windows-Bits-Client","Guid":"EF1CC15B-46C1-414E-BB95-E76B077BD51E"},"EventID":"4","Version":"1","Level":"4","Task":"0","Opcode":"0","Keywords":"0x4000000000000000","TimeCreated":{"SystemTime":"2021-03-15T18:55:51.612966Z"},"EventRecordID":"9406","Correlation":null,"Execution":{"ProcessID":"8100","ThreadID":"8184"},"Channel":"Microsoft-Windows-Bits-Client/Operational","Computer":"MSEDGEWIN10","Security":{"UserID":"S-1-5-18"}},"EventData":{"Data":[{"Name":"User","text":"MSEDGEWIN10\\IEUser"},{"Name":"jobTitle","text":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\{259DDBBE-DDD3-4590-8A2C-60211631093C}-GoogleUpdateSetup.exe"},{"Name":"jobId","text":"3774C88F-94AD-4FC0-A559-EA76B5D829D6"},{"Name":"jobOwner","text":"MSEDGEWIN10\\IEUser"},{"Name":"fileCount","text":"1"},{"Name":"bytesTransferred","text":"1304160"},{"Name":"bytesTransferredFromPeer","text":"0"}]}}}

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/59_Bits_started_job/formula.xp

@@ -0,0 +1,36 @@
+EVENTLOG = 'EventID="59"'
+!COND = $Channel=="Microsoft-Windows-Bits-Client/Operational" and $Provider["Name"]=="Microsoft-Windows-Bits-Client"
+
+action = "start"
+object = "task" 
+status = "success"
+
+object.name = $Data["name"] # Job name
+object.path = $Data["url"]
+object.value = $Data["fileLength"]
+object.id = $Data["Id"]
+
+$domain = csv(object.path, "/", "")[2]
+dst.fqdn = lower($domain)
+
+time = $TimeCreated["SystemTime"]
+
+msgid = $EventID
+
+$first_dot = find_substr($Computer, '.')
+if $first_dot != null then
+    event_src.fqdn = lower($Computer)
+    event_src.hostname = lower(substr($Computer, 0, $first_dot))
+else
+    event_src.hostname = lower($Computer)
+endif
+
+event_src.vendor = "microsoft"
+event_src.title = "windows"
+event_src.subsys = $Channel
+event_src.category = "Operating system"
+event_src.id = $Provider["Name"]
+
+
+id = "PT_Microsoft_Windows_eventlog_59_Bits_started_job"
+

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/59_Bits_started_job/i18n/i18n_en.yaml

@@ -0,0 +1,4 @@
+Description: 'The bitsadmin task has started'
+EventDescriptions:
+    - LocalizationId: '59_Bits_started_job_1'
+      EventDescription: 'The bitsadmin task has started on the {event_src.host} host - {object.name}'

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/59_Bits_started_job/i18n/i18n_ru.yaml

@@ -0,0 +1,4 @@
+Description: 'Начато выполнение задачи bitsadmin'
+EventDescriptions:
+    - LocalizationId: '59_Bits_started_job_1'
+      EventDescription: 'На хосте {event_src.host} началось выполнение задачи bitsadmin - {object.name}'

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/59_Bits_started_job/metainfo.yaml

@@ -0,0 +1,7 @@
+EventDescriptions:
+    - Criteria: id = "PT_Microsoft_Windows_eventlog_59_Bits_started_job"
+      LocalizationId: 59_Bits_started_job_1
+ObjectId: SEC-NF-201142207
+ExpertContext:
+    Created: 09.07.2024
+    Updated: 09.07.2024

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/59_Bits_started_job/tests/norm_1.js

@@ -0,0 +1,19 @@
+{
+    "action": "start",
+    "dst.fqdn": "r5---sn-5hnedn7l.gvt1.com",
+    "event_src.category": "Operating system",
+    "event_src.hostname": "msedgewin10",
+    "event_src.id": "Microsoft-Windows-Bits-Client",
+    "event_src.subsys": "Microsoft-Windows-Bits-Client/Operational",
+    "event_src.title": "windows",
+    "event_src.vendor": "microsoft",
+    "id": "PT_Microsoft_Windows_eventlog_59_Bits_started_job",
+    "msgid": "59",
+    "object": "task",
+    "object.id": "3774C88F-94AD-4FC0-A559-EA76B5D829D6",
+    "object.name": "C:\\Users\\IEUser\\AppData\\Local\\Temp\\{259DDBBE-DDD3-4590-8A2C-60211631093C}-GoogleUpdateSetup.exe",
+    "object.path": "http://r5---sn-5hnedn7l.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=213.127.64.248&mm=28&mn=sn-5hnedn7l&ms=nvh&mt=1615834104&mv=m&mvi=5&pl=17&shardbypass=yes",
+    "object.value": "1304160",
+    "status": "success",
+    "time": "2021-03-15T18:55:38.049Z"
+}

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/59_Bits_started_job/tests/raw_1.txt

@@ -0,0 +1 @@
+{"Event":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event","System":{"Provider":{"Name":"Microsoft-Windows-Bits-Client","Guid":"EF1CC15B-46C1-414E-BB95-E76B077BD51E"},"EventID":"59","Version":"1","Level":"4","Task":"0","Opcode":"1","Keywords":"0x4000000000000000","TimeCreated":{"SystemTime":"2021-03-15T18:55:38.049422Z"},"EventRecordID":"9404","Correlation":{"ActivityID":"6125DC77-C387-4662-BB2F-F3816D1B4629"},"Execution":{"ProcessID":"8100","ThreadID":"4424"},"Channel":"Microsoft-Windows-Bits-Client/Operational","Computer":"MSEDGEWIN10","Security":{"UserID":"S-1-5-18"}},"EventData":{"Data":[{"Name":"transferId","text":"6125DC77-C387-4662-BB2F-F3816D1B4629"},{"Name":"name","text":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\{259DDBBE-DDD3-4590-8A2C-60211631093C}-GoogleUpdateSetup.exe"},{"Name":"Id","text":"3774C88F-94AD-4FC0-A559-EA76B5D829D6"},{"Name":"url","text":"http://r5---sn-5hnedn7l.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=213.127.64.248&mm=28&mn=sn-5hnedn7l&ms=nvh&mt=1615834104&mv=m&mvi=5&pl=17&shardbypass=yes"},{"Name":"peer"},{"Name":"fileTime","text":"2021-01-22T06:31:14.000000Z"},{"Name":"fileLength","text":"1304160"},{"Name":"bytesTotal","text":"1304160"},{"Name":"bytesTransferred","text":"0"},{"Name":"bytesTransferredFromPeer","text":"0"}]}}}

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/5_Bits_cancel_job/formula.xp

@@ -0,0 +1,35 @@
+EVENTLOG = 'EventID="5"'
+!COND = $Channel=="Microsoft-Windows-Bits-Client/Operational" and $Provider["Name"]=="Microsoft-Windows-Bits-Client"
+
+action = "start"
+object = "task" 
+status = "failure"
+
+object.name = $Data["jobTitle"] # Job name
+
+object.account.fullname = $Data["User"]
+object.account.name = csv(object.account.fullname, "\\", "")[1]
+object.account.domain = csv(object.account.fullname, "\\", "")[0]
+object.id = $Data["jobId"]
+
+time = $TimeCreated["SystemTime"]
+
+msgid = $EventID
+
+$first_dot = find_substr($Computer, '.')
+if $first_dot != null then
+    event_src.fqdn = lower($Computer)
+    event_src.hostname = lower(substr($Computer, 0, $first_dot))
+else
+    event_src.hostname = lower($Computer)
+endif
+
+event_src.vendor = "microsoft"
+event_src.title = "windows"
+event_src.subsys = $Channel
+event_src.category = "Operating system"
+event_src.id = $Provider["Name"]
+
+
+id = "PT_Microsoft_Windows_eventlog_5_Bits_cancel_job"
+

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/5_Bits_cancel_job/i18n/i18n_en.yaml

@@ -0,0 +1,4 @@
+Description: 'The bitsadmin task has been canceled'
+EventDescriptions:
+    - LocalizationId: '5_Bits_cancel_job_1'
+      EventDescription: 'The bitsadmin task has been canceled on the {event_src.host} host - {object.name } created by the user {object.account.fullname}'

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/5_Bits_cancel_job/i18n/i18n_ru.yaml

@@ -0,0 +1,4 @@
+Description: 'Отменена задача bitsadmin'
+EventDescriptions:
+    - LocalizationId: '5_Bits_cancel_job_1'
+      EventDescription: 'На хосте {event_src.host} отменена задача bitsadmin - {object.name}, созданная пользователем {object.account.fullname}'

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/5_Bits_cancel_job/metainfo.yaml

@@ -0,0 +1,7 @@
+EventDescriptions:
+    - Criteria: id = "PT_Microsoft_Windows_eventlog_5_Bits_cancel_job"
+      LocalizationId: 5_Bits_cancel_job_1
+ObjectId: SEC-NF-157405267
+ExpertContext:
+    Created: 09.07.2024
+    Updated: 09.07.2024

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/5_Bits_cancel_job/tests/norm_1.js

@@ -0,0 +1,19 @@
+{
+    "action": "start",
+    "event_src.category": "Operating system",
+    "event_src.hostname": "msedgewin10",
+    "event_src.id": "Microsoft-Windows-Bits-Client",
+    "event_src.subsys": "Microsoft-Windows-Bits-Client/Operational",
+    "event_src.title": "windows",
+    "event_src.vendor": "microsoft",
+    "id": "PT_Microsoft_Windows_eventlog_5_Bits_cancel_job",
+    "msgid": "5",
+    "object": "task",
+    "object.account.domain": "MSEDGEWIN10",
+    "object.account.fullname": "MSEDGEWIN10\\IEUser",
+    "object.account.name": "IEUser",
+    "object.id": "D0CE1896-2836-4D3C-BF5C-C429B006A7C5",
+    "object.name": "6bfd95a1.png",
+    "status": "failure",
+    "time": "2021-03-15T18:50:22.964Z"
+}

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/5_Bits_cancel_job/tests/raw_1.txt

@@ -0,0 +1 @@
+{"Event":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event","System":{"Provider":{"Name":"Microsoft-Windows-Bits-Client","Guid":"EF1CC15B-46C1-414E-BB95-E76B077BD51E"},"EventID":"5","Version":"0","Level":"4","Task":"0","Opcode":"0","Keywords":"0x4000000000000000","TimeCreated":{"SystemTime":"2021-03-15T18:50:22.964064Z"},"EventRecordID":"9376","Correlation":null,"Execution":{"ProcessID":"8100","ThreadID":"1936"},"Channel":"Microsoft-Windows-Bits-Client/Operational","Computer":"MSEDGEWIN10","Security":{"UserID":"S-1-5-21-3461203602-4096304019-2269080069-1000"}},"EventData":{"Data":[{"Name":"User","text":"MSEDGEWIN10\\IEUser"},{"Name":"jobTitle","text":"6bfd95a1.png"},{"Name":"jobId","text":"D0CE1896-2836-4D3C-BF5C-C429B006A7C5"},{"Name":"jobOwner","text":"MSEDGEWIN10\\IEUser"},{"Name":"fileCount","text":"1"}]}}}

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/60_Bits_stop_job/formula.xp

@@ -0,0 +1,37 @@
+EVENTLOG = 'EventID="60"'
+!COND = $Channel=="Microsoft-Windows-Bits-Client/Operational" and $Provider["Name"]=="Microsoft-Windows-Bits-Client"
+
+action = "stop"
+object = "task" 
+status = "success"
+
+object.name = $Data["name"] # Job name
+object.path = $Data["url"]
+object.value = $Data["fileLength"]
+object.id = $Data["Id"]
+
+$domain = csv(object.path, "/", "")[2]
+dst.fqdn = lower($domain)
+
+count.bytes_in = $Data["bytesTransferred"]
+
+time = $TimeCreated["SystemTime"]
+
+msgid = $EventID
+
+$first_dot = find_substr($Computer, '.')
+if $first_dot != null then
+    event_src.fqdn = lower($Computer)
+    event_src.hostname = lower(substr($Computer, 0, $first_dot))
+else
+    event_src.hostname = lower($Computer)
+endif
+
+event_src.vendor = "microsoft"
+event_src.title = "windows"
+event_src.subsys = $Channel
+event_src.category = "Operating system"
+event_src.id = $Provider["Name"]
+
+
+id = "PT_Microsoft_Windows_eventlog_60_Bits_stop_job"

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/60_Bits_stop_job/i18n/i18n_en.yaml

@@ -0,0 +1,4 @@
+Description: 'bitsadmin task has been stopped'
+EventDescriptions:
+    - LocalizationId: '60_Bits_stop_job_1'
+      EventDescription: 'The bitsadmin task has been stopped on the {event_src.host} host - {object.name}'

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/60_Bits_stop_job/i18n/i18n_ru.yaml

@@ -0,0 +1,4 @@
+Description: 'остановлено выполнение задачи bitsadmin'
+EventDescriptions:
+    - LocalizationId: '60_Bits_stop_job_1'
+      EventDescription: 'На хосте {event_src.host} остановлено выполнение задачи bitsadmin - {object.name}'

packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/60_Bits_stop_job/metainfo.yaml

@@ -0,0 +1,7 @@
+EventDescriptions:
+    - Criteria: id = "PT_Microsoft_Windows_eventlog_60_Bits_stop_job"
+      LocalizationId: 60_Bits_stop_job_1
+ObjectId: SEC-NF-936295479
+ExpertContext:
+    Created: 09.07.2024
+    Updated: 09.07.2024