diff --git a/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md b/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md index 2bcab24b75..e480276b68 100644 --- a/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md +++ b/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md @@ -29,6 +29,33 @@ In details, the following table denotes the type of events produced by this inte Find below few samples of events and how they are normalized by Sekoia.io. +=== "test_aaatm.json" + + ```json + + { + "message": "09/29/2023:07:40:56 GMT ADC-WEB1 0-PPE-1 : default AAATM Message 1111111111 0 : \"AAA JSON-PARSE: ns_aaa_json_parser_StartElementHandler: NAME_VAL state, multi valued attribute start 'ConnectionId' seen\"", + "event": { + "kind": "event", + "category": [ + "network" + ], + "type": [ + "connection" + ], + "code": "Message", + "dataset": "audit_aaatm", + "reason": "\"AAA JSON-PARSE: ns_aaa_json_parser_StartElementHandler: NAME_VAL state, multi valued attribute start 'ConnectionId' seen\"" + }, + "observer": { + "name": "ADC-WEB1" + }, + "@timestamp": "2023-09-29T07:40:56Z" + } + + ``` + + === "test_blocked_event.json" ```json @@ -322,7 +349,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "connection" ], "code": "TRAP_SENT", - "dataset": "audit_snmp" + "dataset": "audit_snmp", + "reason": "appfwPolicyHit (appfwLogMsg = \"\"CEF:0|Citrix|NetScaler|NS13.1|APPFW|APPFW_POLI...\"\", nsPartitionName = default)\"" }, "@timestamp": "2023-07-04T09:03:41Z", "observer": { @@ -398,6 +426,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "Message", "dataset": "audit_sslvpn" }, + "observer": { + "name": "ADC-VPN" + }, "@timestamp": "2023-07-04T09:03:46Z", "citrix": { "adc": { 
diff --git a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md index 557e2f608f..0ea5fcef56 100644 --- a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md +++ b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md 
@@ -41,30 +41,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2011-01-07 14:09:58\",\"Hostname\":\"HOSTFOO\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":6416,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":1,\"Task\":13316,\"OpcodeValue\":0,\"RecordNumber\":16859866,\"ProcessID\":4,\"ThreadID\":6432,\"Channel\":\"Security\",\"Message\":\"A new external device was recognized by the system.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tHOSTFOO$\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0x3E7\\r\\n\\r\\nDevice ID:\\tSCSI\\\\Disk&Ven_VMware&Prod_Virtual_disk\\\\5&e55476b&0&000100\\r\\n\\r\\nDevice Name:\\tVMware Virtual disk SCSI Disk Device\\r\\n\\r\\nClass ID:\\t\\t{4d36e967-e325-11ce-bfc1-08002be10318}\\r\\n\\r\\nClass Name:\\tDiskDrive\\r\\n\\r\\nVendor IDs:\\t\\r\\n\\t\\tSCSI\\\\DiskVMware__Virtual_disk____2.0_\\r\\n\\t\\tSCSI\\\\DiskVMware__Virtual_disk____\\r\\n\\t\\tSCSI\\\\DiskVMware__\\r\\n\\t\\tSCSI\\\\VMware__Virtual_disk____2\\r\\n\\t\\tVMware__Virtual_disk____2\\r\\n\\t\\tGenDisk\\r\\n\\t\\t\\r\\n\\t\\t\\r\\n\\r\\nCompatible IDs:\\t\\r\\n\\t\\tSCSI\\\\Disk\\r\\n\\t\\tSCSI\\\\RAW\\r\\n\\t\\t\\r\\n\\t\\t\\r\\n\\r\\nLocation Information:\\t\\r\\n\\t\\tBus Number 0, Target Id 1, LUN 0\\r\\n\\t\\t\",\"Category\":\"Plug and Play Events\",\"Opcode\":\"Info\",\"SubjectUserSid\":\"S-1-5-18\",\"SubjectUserName\":\"HOSTFOO$\",\"SubjectDomainName\":\"KEY\",\"SubjectLogonId\":\"0x3e7\",\"DeviceId\":\"SCSI\\\\Disk&Ven_VMware&Prod_Virtual_disk\\\\5&e55476b&0&000100\",\"DeviceDescription\":\"VMware Virtual disk SCSI Disk 
Device\",\"ClassId\":\"{4d36e967-e325-11ce-bfc1-08002be10318}\",\"ClassName\":\"DiskDrive\",\"VendorIds\":\"\\r\\n\\t\\tSCSI\\\\DiskVMware__Virtual_disk____2.0_\\r\\n\\t\\tSCSI\\\\DiskVMware__Virtual_disk____\\r\\n\\t\\tSCSI\\\\DiskVMware__\\r\\n\\t\\tSCSI\\\\VMware__Virtual_disk____2\\r\\n\\t\\tVMware__Virtual_disk____2\\r\\n\\t\\tGenDisk\\r\\n\\t\\t\\r\\n\\t\\t\",\"CompatibleIds\":\"\\r\\n\\t\\tSCSI\\\\Disk\\r\\n\\t\\tSCSI\\\\RAW\\r\\n\\t\\t\\r\\n\\t\\t\",\"LocationInformation\":\"\\r\\n\\t\\tBus Number 0, Target Id 1, LUN 0\\r\\n\\t\\t\",\"EventReceivedTime\":\"2011-01-07 14:09:59\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "6416", - "message": "A new external device was recognized by the system.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tHOSTFOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nDevice ID:\tSCSI\\Disk&Ven_VMware&Prod_Virtual_disk\\5&e55476b&0&000100\r\n\r\nDevice Name:\tVMware Virtual disk SCSI Disk Device\r\n\r\nClass ID:\t\t{4d36e967-e325-11ce-bfc1-08002be10318}\r\n\r\nClass Name:\tDiskDrive\r\n\r\nVendor IDs:\t\r\n\t\tSCSI\\DiskVMware__Virtual_disk____2.0_\r\n\t\tSCSI\\DiskVMware__Virtual_disk____\r\n\t\tSCSI\\DiskVMware__\r\n\t\tSCSI\\VMware__Virtual_disk____2\r\n\t\tVMware__Virtual_disk____2\r\n\t\tGenDisk\r\n\t\t\r\n\t\t\r\n\r\nCompatible IDs:\t\r\n\t\tSCSI\\Disk\r\n\t\tSCSI\\RAW\r\n\t\t\r\n\t\t\r\n\r\nLocation Information:\t\r\n\t\tBus Number 0, Target Id 1, LUN 0\r\n\t\t", - "provider": "Microsoft-Windows-Security-Auditing" + "provider": "Microsoft-Windows-Security-Auditing", + "message": "A new external device was recognized by the system.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tHOSTFOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nDevice ID:\tSCSI\\Disk&Ven_VMware&Prod_Virtual_disk\\5&e55476b&0&000100\r\n\r\nDevice Name:\tVMware Virtual disk SCSI Disk Device\r\n\r\nClass 
ID:\t\t{4d36e967-e325-11ce-bfc1-08002be10318}\r\n\r\nClass Name:\tDiskDrive\r\n\r\nVendor IDs:\t\r\n\t\tSCSI\\DiskVMware__Virtual_disk____2.0_\r\n\t\tSCSI\\DiskVMware__Virtual_disk____\r\n\t\tSCSI\\DiskVMware__\r\n\t\tSCSI\\VMware__Virtual_disk____2\r\n\t\tVMware__Virtual_disk____2\r\n\t\tGenDisk\r\n\t\t\r\n\t\t\r\n\r\nCompatible IDs:\t\r\n\t\tSCSI\\Disk\r\n\t\tSCSI\\RAW\r\n\t\t\r\n\t\t\r\n\r\nLocation Information:\t\r\n\t\tBus Number 0, Target Id 1, LUN 0\r\n\t\t" }, "action": { "record_id": 16859866, "type": "Security", "id": 6416, - "properties": [ - { - "ClassName": "DiskDrive", - "DeviceDescription": "VMware Virtual disk SCSI Disk Device", - "EventType": "AUDIT_SUCCESS", - "OpcodeValue": 0, - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "Severity": "INFO", - "SubjectDomainName": "KEY", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "HOSTFOO$", - "SubjectUserSid": "S-1-5-18", - "Task": 13316, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" - } - ], + "properties": { + "ClassName": "DiskDrive", + "DeviceDescription": "VMware Virtual disk SCSI Disk Device", + "EventType": "AUDIT_SUCCESS", + "OpcodeValue": 0, + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Severity": "INFO", + "SubjectDomainName": "KEY", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "HOSTFOO$", + "SubjectUserSid": "S-1-5-18", + "Task": 13316, + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9214364837600034816" + }, "name": "A new external device was recognized by the system.", "outcome": "success" }, @@ -119,10 +117,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "type": [ "start" - ] + ], + "action": "authentication_network" }, "sekoiaio": { + "client": { + "os": { + "type": "windows" + }, + "name": "vm-foo", + "user": { + "name": "VM-FOO$", + "id": "S-1-5-18" + } + }, "server": { + "name": "vm-foo", "os": { "type": "windows" } 
@@ -131,22 +141,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": { "type": "Security", "id": 4625, - "properties": [ - { - "IpAddress": "-", - "IpPort": "-", - "LogonProcessName": "Schannel", - "LogonType": "3", - "ProcessName": "c:\\windows\\system32\\lsass.exe", - "Severity": "Info", - "SubjectDomainName": "CORPDOMAIN", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "VM-FOO$", - "SubjectUserSid": "S-1-5-18", - "TargetUserSid": "S-1-0-0", - "SourceName": "Microsoft-Windows-Security-Auditing" - } - ], + "properties": { + "IpAddress": "-", + "IpPort": "-", + "LogonProcessName": "Schannel", + "LogonType": "3", + "ProcessName": "c:\\windows\\system32\\lsass.exe", + "Severity": "Info", + "SubjectDomainName": "CORPDOMAIN", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VM-FOO$", + "SubjectUserSid": "S-1-5-18", + "TargetUserSid": "S-1-0-0", + "SourceName": "Microsoft-Windows-Security-Auditing" + }, "name": "An account failed to log on", "outcome": "failure" }, @@ -172,7 +180,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "executable": "c:\\windows\\system32\\lsass.exe", - "name": "lsass.exe", + "name": "Schannel", "working_directory": "c:\\windows\\system32\\" }, "related": { 
@@ -196,26 +204,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2011-01-29 10:10:59\",\"Hostname\":\"HOSTFOO\",\"Keywords\":-9218868437227405312,\"EventType\":\"AUDIT_FAILURE\",\"SeverityValue\":4,\"Severity\":\"ERROR\",\"EventID\":4825,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":12551,\"OpcodeValue\":0,\"RecordNumber\":5298486139,\"ProcessID\":1400,\"ThreadID\":1996,\"Channel\":\"Security\",\"Message\":\"A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.\\r\\n\\r\\nSubject:\\r\\n\\tUser Name:\\tUSERFOO\\r\\n\\tDomain:\\t\\tKEY\\r\\n\\tLogon ID:\\t0x67D43768\\r\\n\\r\\nAdditional Information:\\r\\n\\tClient Address:\\t1.1.1.1\\r\\n\\r\\n\\r\\nThis event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\",\"Category\":\"Other Logon/Logoff Events\",\"Opcode\":\"Info\",\"AccountName\":\"USERFOO\",\"AccountDomain\":\"KEY\",\"LogonID\":\"0x67d43768\",\"ClientAddress\":\"1.1.1.1\",\"EventReceivedTime\":\"2011-01-29 10:11:00\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4825", - "message": "A user was denied the access to Remote Desktop. 
By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.\r\n\r\nSubject:\r\n\tUser Name:\tUSERFOO\r\n\tDomain:\t\tKEY\r\n\tLogon ID:\t0x67D43768\r\n\r\nAdditional Information:\r\n\tClient Address:\t1.1.1.1\r\n\r\n\r\nThis event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.", - "provider": "Microsoft-Windows-Security-Auditing" + "provider": "Microsoft-Windows-Security-Auditing", + "message": "A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.\r\n\r\nSubject:\r\n\tUser Name:\tUSERFOO\r\n\tDomain:\t\tKEY\r\n\tLogon ID:\t0x67D43768\r\n\r\nAdditional Information:\r\n\tClient Address:\t1.1.1.1\r\n\r\n\r\nThis event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop." }, "action": { "record_id": 5298486139, "type": "Security", "id": 4825, - "properties": [ - { - "AccountName": "USERFOO", - "ClientAddress": "1.1.1.1", - "EventType": "AUDIT_FAILURE", - "OpcodeValue": 0, - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "Severity": "ERROR", - "Task": 12551, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9218868437227405312" - } - ], + "properties": { + "AccountName": "USERFOO", + "ClientAddress": "1.1.1.1", + "EventType": "AUDIT_FAILURE", + "OpcodeValue": 0, + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Severity": "ERROR", + "Task": 12551, + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9218868437227405312" + }, "name": "A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group", "outcome": "failure" }, 
@@ -263,29 +269,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2023-08-23 11:20:47\",\"Hostname\":\"VWSERV.CORP.LOCAL\",\"Keywords\":4611686018427912192,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":514,\"SourceName\":\"Microsoft-Windows-DNSServer\",\"ProviderGuid\":\"{EB79061A-A566-4698-9119-3ED2807060E7}\",\"Version\":0,\"Task\":5,\"OpcodeValue\":0,\"RecordNumber\":1285844,\"ProcessID\":2580,\"ThreadID\":3344,\"Channel\":\"Microsoft-Windows-DNSServer/Audit\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"The zone mail.corp.net was updated. The MasterServers setting has been set to 1.1.1.1,2.2.2.2. [virtualization instance: .].\",\"Category\":\"ZONE_OP\",\"Opcode\":\"Info\",\"Zone\":\"mail.corp.net\",\"PropertyKey\":\"MasterServers\",\"NewValue\":\"1.1.1.1,2.2.2.2\",\"VirtualizationID\":\".\",\"EventReceivedTime\":\"2023-08-23 11:20:48\",\"SourceModuleName\":\"evtx_other\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "514", - "message": "The zone mail.corp.net was updated. The MasterServers setting has been set to 1.1.1.1,2.2.2.2. [virtualization instance: .].", - "provider": "Microsoft-Windows-DNSServer" + "provider": "Microsoft-Windows-DNSServer", + "message": "The zone mail.corp.net was updated. The MasterServers setting has been set to 1.1.1.1,2.2.2.2. [virtualization instance: .]." 
}, "action": { "record_id": 1285844, "type": "Microsoft-Windows-DNSServer/Audit", "id": 514, - "properties": [ - { - "AccountName": "SYSTEM", - "AccountType": "User", - "Domain": "NT AUTHORITY", - "EventType": "INFO", - "NewValue": "1.1.1.1,2.2.2.2", - "OpcodeValue": 0, - "ProviderGuid": "{EB79061A-A566-4698-9119-3ED2807060E7}", - "Severity": "INFO", - "Task": 5, - "Zone": "mail.corp.net", - "SourceName": "Microsoft-Windows-DNSServer", - "Keywords": "4611686018427912192" - } - ] + "properties": { + "AccountName": "SYSTEM", + "AccountType": "User", + "Domain": "NT AUTHORITY", + "EventType": "INFO", + "NewValue": "1.1.1.1,2.2.2.2", + "OpcodeValue": 0, + "ProviderGuid": "{EB79061A-A566-4698-9119-3ED2807060E7}", + "Severity": "INFO", + "Task": 5, + "Zone": "mail.corp.net", + "SourceName": "Microsoft-Windows-DNSServer", + "Keywords": "4611686018427912192" + } }, "log": { "hostname": "VWSERV.CORP.LOCAL", @@ -338,20 +342,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "record_id": 764816422, "type": "Microsoft-Windows-FailoverClustering/DiagnosticVerbose", "id": 5408, - "properties": [ - { - "AccountName": "SYSTEM", - "AccountType": "User", - "Domain": "NT AUTHORITY", - "EventType": "VERBOSE", - "OpcodeValue": 0, - "ProviderGuid": "{BAF908EA-3421-4CA9-9B84-6689B8C6F85F}", - "Severity": "DEBUG", - "Task": 0, - "SourceName": "Microsoft-Windows-FailoverClustering", - "Keywords": "1152921504606846976" - } - ] + "properties": { + "AccountName": "SYSTEM", + "AccountType": "User", + "Domain": "NT AUTHORITY", + "EventType": "VERBOSE", + "OpcodeValue": 0, + "ProviderGuid": "{BAF908EA-3421-4CA9-9B84-6689B8C6F85F}", + "Severity": "DEBUG", + "Task": 0, + "SourceName": "Microsoft-Windows-FailoverClustering", + "Keywords": "1152921504606846976" + } }, "log": { "hostname": "foo.net", 
@@ -398,22 +400,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2011-10-05 23:50:40\",\"Hostname\":\"HOSTFOO\",\"Keywords\":36028797018963968,\"EventType\":\"ERROR\",\"SeverityValue\":4,\"Severity\":\"ERROR\",\"EventID\":56,\"SourceName\":\"TermDD\",\"Task\":0,\"RecordNumber\":930150,\"ProcessID\":0,\"ThreadID\":0,\"Channel\":\"System\",\"Message\":\"The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: 1.1.1.1.\",\"EventReceivedTime\":\"2011-10-18 09:34:39\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "56", - "message": "The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: 1.1.1.1.", - "provider": "TermDD" + "provider": "TermDD", + "message": "The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: 1.1.1.1." }, "action": { "record_id": 930150, "type": "System", "id": 56, - "properties": [ - { - "EventType": "ERROR", - "Severity": "ERROR", - "Task": 0, - "SourceName": "TermDD", - "Keywords": "36028797018963968" - } - ] + "properties": { + "EventType": "ERROR", + "Severity": "ERROR", + "Task": 0, + "SourceName": "TermDD", + "Keywords": "36028797018963968" + } }, "log": { "hostname": "HOSTFOO", 
@@ -459,9 +459,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2023-08-22 14:58:41\",\"Hostname\":\"hostfoo\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":1,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":5,\"Task\":1,\"OpcodeValue\":0,\"RecordNumber\":4244505,\"ProcessID\":2932,\"ThreadID\":3956,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Process Create:\\\\r\\\\nRuleName: -\\\\r\\\\nUtcTime: 2023-08-22 12:58:41.279\\\\r\\\\nProcessGuid: {478F86EF-B101-64E4-F904-00000000E900}\\\\r\\\\nProcessId: 5524\\\\r\\\\nImage: C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\\r\\\\nFileVersion: 10.0.14409.1005 (rs1_srvoob.161208-1155)\\\\r\\\\nDescription: Windows PowerShell\\\\r\\\\nProduct: Microsoft\u00ae Windows\u00ae Operating System\\\\r\\\\nCompany: Microsoft Corporation\\\\r\\\\nOriginalFileName: PowerShell.EXE\\\\r\\\\nCommandLine: powershell.exe -file C:/Dir/Scripts/Nagios/Get-LocalAdmGroupMembership/Get-LocalAdmGroupMembership.ps1\\\\r\\\\nCurrentDirectory: C:\\\\\\\\Program Files\\\\\\\\NSClient++\\\\\\\\\\\\r\\\\nUser: NT AUTHORITY\\\\\\\\SYSTEM\\\\r\\\\nLogonGuid: {478F86EF-58DE-64E4-E703-000000000000}\\\\r\\\\nLogonId: 0x3E7\\\\r\\\\nTerminalSessionId: 0\\\\r\\\\nIntegrityLevel: System\\\\r\\\\nHashes: SHA1=E5B0A0F4A59D6D5377332EECE20F8F3DF5CEBE4E,MD5=B3AD5364CF04B6AB05616DD483AAF618,SHA256=7375ADEDB82FD62CEFC6B6FD20A704A164E056022F3B8C2E1B94F3A9B8361478\\\\r\\\\nParentProcessGuid: {478F86EF-58E2-64E4-2600-00000000E900}\\\\r\\\\nParentProcessId: 1776\\\\r\\\\nParentImage: C:\\\\\\\\Program Files\\\\\\\\NSClient++\\\\\\\\nscp.exe\\\\r\\\\nParentCommandLine: \\\"C:\\\\\\\\Program 
Files\\\\\\\\NSClient++\\\\\\\\nscp.exe\\\" service --run --name nscp\\\\r\\\\nParentUser: NT AUTHORITY\\\\\\\\SYSTEM\",\"Category\":\"Process Create (rule: ProcessCreate)\",\"Opcode\":\"Info\",\"RuleName\":\"-\",\"UtcTime\":\"2023-08-22 12:58:41.279\",\"ProcessGuid\":\"{478F86EF-B101-64E4-F904-00000000E900}\",\"Image\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\",\"FileVersion\":\"10.0.14409.1005 (rs1_srvoob.161208-1155)\",\"Description\":\"Windows PowerShell\",\"Product\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"Company\":\"Microsoft Corporation\",\"OriginalFileName\":\"PowerShell.EXE\",\"CommandLine\":\"powershell.exe -file C:/Dir/Scripts/Nagios/Get-LocalAdmGroupMembership/Get-LocalAdmGroupMembership.ps1\",\"CurrentDirectory\":\"C:\\\\\\\\Program Files\\\\\\\\NSClient++\\\\\\\\\",\"User\":\"NT AUTHORITY\\\\\\\\SYSTEM\",\"LogonGuid\":\"{478F86EF-58DE-64E4-E703-000000000000}\",\"LogonId\":\"0x3e7\",\"TerminalSessionId\":\"0\",\"IntegrityLevel\":\"System\",\"Hashes\":\"SHA1=E5B0A0F4A59D6D5377332EECE20F8F3DF5CEBE4E,MD5=B3AD5364CF04B6AB05616DD483AAF618,SHA256=7375ADEDB82FD62CEFC6B6FD20A704A164E056022F3B8C2E1B94F3A9B8361478\",\"ParentProcessGuid\":\"{478F86EF-58E2-64E4-2600-00000000E900}\",\"ParentProcessId\":\"1776\",\"ParentImage\":\"C:\\\\\\\\Program Files\\\\\\\\NSClient++\\\\\\\\nscp.exe\",\"ParentCommandLine\":\"\\\"C:\\\\\\\\Program Files\\\\\\\\NSClient++\\\\\\\\nscp.exe\\\" service --run --name nscp\",\"ParentUser\":\"NT AUTHORITY\\\\\\\\SYSTEM\",\"EventReceivedTime\":\"2023-08-22 14:58:42\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "1", - "message": "Process Create:\\r\\nRuleName: -\\r\\nUtcTime: 2023-08-22 12:58:41.279\\r\\nProcessGuid: {478F86EF-B101-64E4-F904-00000000E900}\\r\\nProcessId: 5524\\r\\nImage: C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\r\\nFileVersion: 10.0.14409.1005 
(rs1_srvoob.161208-1155)\\r\\nDescription: Windows PowerShell\\r\\nProduct: Microsoft\u00ae Windows\u00ae Operating System\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: PowerShell.EXE\\r\\nCommandLine: powershell.exe -file C:/Dir/Scripts/Nagios/Get-LocalAdmGroupMembership/Get-LocalAdmGroupMembership.ps1\\r\\nCurrentDirectory: C:\\\\Program Files\\\\NSClient++\\\\\\r\\nUser: NT AUTHORITY\\\\SYSTEM\\r\\nLogonGuid: {478F86EF-58DE-64E4-E703-000000000000}\\r\\nLogonId: 0x3E7\\r\\nTerminalSessionId: 0\\r\\nIntegrityLevel: System\\r\\nHashes: SHA1=E5B0A0F4A59D6D5377332EECE20F8F3DF5CEBE4E,MD5=B3AD5364CF04B6AB05616DD483AAF618,SHA256=7375ADEDB82FD62CEFC6B6FD20A704A164E056022F3B8C2E1B94F3A9B8361478\\r\\nParentProcessGuid: {478F86EF-58E2-64E4-2600-00000000E900}\\r\\nParentProcessId: 1776\\r\\nParentImage: C:\\\\Program Files\\\\NSClient++\\\\nscp.exe\\r\\nParentCommandLine: \"C:\\\\Program Files\\\\NSClient++\\\\nscp.exe\" service --run --name nscp\\r\\nParentUser: NT AUTHORITY\\\\SYSTEM", "provider": "Microsoft-Windows-Sysmon", - "reason": "Windows PowerShell" + "reason": "Windows PowerShell", + "message": "Process Create:\\r\\nRuleName: -\\r\\nUtcTime: 2023-08-22 12:58:41.279\\r\\nProcessGuid: {478F86EF-B101-64E4-F904-00000000E900}\\r\\nProcessId: 5524\\r\\nImage: C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\r\\nFileVersion: 10.0.14409.1005 (rs1_srvoob.161208-1155)\\r\\nDescription: Windows PowerShell\\r\\nProduct: Microsoft\u00ae Windows\u00ae Operating System\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: PowerShell.EXE\\r\\nCommandLine: powershell.exe -file C:/Dir/Scripts/Nagios/Get-LocalAdmGroupMembership/Get-LocalAdmGroupMembership.ps1\\r\\nCurrentDirectory: C:\\\\Program Files\\\\NSClient++\\\\\\r\\nUser: NT AUTHORITY\\\\SYSTEM\\r\\nLogonGuid: {478F86EF-58DE-64E4-E703-000000000000}\\r\\nLogonId: 0x3E7\\r\\nTerminalSessionId: 0\\r\\nIntegrityLevel: System\\r\\nHashes: 
SHA1=E5B0A0F4A59D6D5377332EECE20F8F3DF5CEBE4E,MD5=B3AD5364CF04B6AB05616DD483AAF618,SHA256=7375ADEDB82FD62CEFC6B6FD20A704A164E056022F3B8C2E1B94F3A9B8361478\\r\\nParentProcessGuid: {478F86EF-58E2-64E4-2600-00000000E900}\\r\\nParentProcessId: 1776\\r\\nParentImage: C:\\\\Program Files\\\\NSClient++\\\\nscp.exe\\r\\nParentCommandLine: \"C:\\\\Program Files\\\\NSClient++\\\\nscp.exe\" service --run --name nscp\\r\\nParentUser: NT AUTHORITY\\\\SYSTEM" }, "@timestamp": "2023-08-22T12:58:41.279000Z", "process": { @@ -491,23 +491,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "record_id": 4244505, "type": "Microsoft-Windows-Sysmon/Operational", "id": 1, - "properties": [ - { - "Image": "c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe", - "AccountName": "SYSTEM", - "AccountType": "User", - "Domain": "NT AUTHORITY", - "EventType": "INFO", - "OpcodeValue": 0, - "ProcessGuid": "{478F86EF-B101-64E4-F904-00000000E900}", - "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", - "Severity": "INFO", - "Task": 1, - "User": "NT AUTHORITY\\\\SYSTEM", - "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" - } - ], + "properties": { + "Image": "c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe", + "AccountName": "SYSTEM", + "AccountType": "User", + "Domain": "NT AUTHORITY", + "EventType": "INFO", + "OpcodeValue": 0, + "ProcessGuid": "{478F86EF-B101-64E4-F904-00000000E900}", + "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "Severity": "INFO", + "Task": 1, + "User": "NT AUTHORITY\\\\SYSTEM", + "SourceName": "Microsoft-Windows-Sysmon", + "Keywords": "-9223372036854775808" + }, "name": "Process creation" }, "log": { 
@@ -553,26 +551,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2012-09-13 16:15:44\",\"Hostname\":\"\",\"Keywords\":-9182839640208441000,\"EventType\":\"AUDIT_FAILURE\",\"SeverityValue\":4,\"Severity\":\"ERROR\",\"EventID\":1201,\"SourceName\":\"AD FS Auditing\",\"Task\":3,\"RecordNumber\":1012533579,\"ProcessID\":0,\"ThreadID\":0,\"Channel\":\"Security\",\"Domain\":\"KEY\",\"AccountName\":\"\",\"UserID\":\"S-1-5-21-0000000000-0000000000-0000000000-000000\",\"AccountType\":\"User\",\"Message\":\"The Federation Service failed to issue a valid token. See XML for failure details. \\r\\n\\r\\nActivity ID: bc38fffc-f8ab-42f2-b5e3-69fabf2e20e6 \\r\\n\\r\\nAdditional Data \\r\\nXML: \\r\\n\\r\\n AppToken\\r\\n Failure\\r\\n GenericError\\r\\n N/A\\r\\n \\r\\n \\r\\n http://auth.example.org/adfs/services/trust\\r\\n N/A\\r\\n firstname.lastname@example.org\\r\\n \\r\\n \\r\\n N/A\\r\\n false\\r\\n N/A\\r\\n false\\r\\n N/A\\r\\n false\\r\\n false\\r\\n NotSet\\r\\n \\r\\n \\r\\n N/A\\r\\n N/A\\r\\n \\r\\n \\r\\n http://auth.example.org/adfs/services/trust\\r\\n WSFederation\\r\\n Extranet\\r\\n 1.1.1.1,1.1.1.1,1.1.1.1\\r\\n 1.1.1.1,1.1.1.1,1.1.1.1\\r\\n N/A\\r\\n N/A\\r\\n proxy-server\\r\\n Mozilla/5.0 (Linux; Android 11; SM-A217F Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.85 Mobile Safari/537.36\\r\\n /adfs/ls/\\r\\n \\r\\n \\r\\n\",\"Opcode\":\"Info\",\"EventReceivedTime\":\"2012-09-13 16:15:45\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "1201", - "message": "The Federation Service failed to issue a valid token. See XML for failure details. 
\r\n\r\nActivity ID: bc38fffc-f8ab-42f2-b5e3-69fabf2e20e6 \r\n\r\nAdditional Data \r\nXML: \r\n\r\n AppToken\r\n Failure\r\n GenericError\r\n N/A\r\n \r\n \r\n http://auth.example.org/adfs/services/trust\r\n N/A\r\n firstname.lastname@example.org\r\n \r\n \r\n N/A\r\n false\r\n N/A\r\n false\r\n N/A\r\n false\r\n false\r\n NotSet\r\n \r\n \r\n N/A\r\n N/A\r\n \r\n \r\n http://auth.example.org/adfs/services/trust\r\n WSFederation\r\n Extranet\r\n 1.1.1.1,1.1.1.1,1.1.1.1\r\n 1.1.1.1,1.1.1.1,1.1.1.1\r\n N/A\r\n N/A\r\n proxy-server\r\n Mozilla/5.0 (Linux; Android 11; SM-A217F Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.85 Mobile Safari/537.36\r\n /adfs/ls/\r\n \r\n \r\n", - "provider": "AD FS Auditing" + "provider": "AD FS Auditing", + "message": "The Federation Service failed to issue a valid token. See XML for failure details. \r\n\r\nActivity ID: bc38fffc-f8ab-42f2-b5e3-69fabf2e20e6 \r\n\r\nAdditional Data \r\nXML: \r\n\r\n AppToken\r\n Failure\r\n GenericError\r\n N/A\r\n \r\n \r\n http://auth.example.org/adfs/services/trust\r\n N/A\r\n firstname.lastname@example.org\r\n \r\n \r\n N/A\r\n false\r\n N/A\r\n false\r\n N/A\r\n false\r\n false\r\n NotSet\r\n \r\n \r\n N/A\r\n N/A\r\n \r\n \r\n http://auth.example.org/adfs/services/trust\r\n WSFederation\r\n Extranet\r\n 1.1.1.1,1.1.1.1,1.1.1.1\r\n 1.1.1.1,1.1.1.1,1.1.1.1\r\n N/A\r\n N/A\r\n proxy-server\r\n Mozilla/5.0 (Linux; Android 11; SM-A217F Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.85 Mobile Safari/537.36\r\n /adfs/ls/\r\n \r\n \r\n" }, "action": { "record_id": 1012533579, "type": "Security", "id": 1201, - "properties": [ - { - "AccountName": "", - "AccountType": "User", - "Domain": "KEY", - "EventType": "AUDIT_FAILURE", - "Severity": "ERROR", - "Task": 3, - "SourceName": "AD FS Auditing", - "Keywords": "-9182839640208441000", - "ProxyServer": "proxy-server" - } - ], + "properties": { + "AccountName": "", + 
"AccountType": "User", + "Domain": "KEY", + "EventType": "AUDIT_FAILURE", + "Severity": "ERROR", + "Task": 3, + "SourceName": "AD FS Auditing", + "Keywords": "-9182839640208441000", + "ProxyServer": "proxy-server" + }, "outcome": "failure" }, "log": { 
@@ -640,26 +636,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2012-09-20 15:54:13\",\"Hostname\":\"\",\"Keywords\":-9182839640208441000,\"EventType\":\"AUDIT_FAILURE\",\"SeverityValue\":4,\"Severity\":\"ERROR\",\"EventID\":1203,\"SourceName\":\"AD FS Auditing\",\"Task\":3,\"RecordNumber\":959944122,\"ProcessID\":0,\"ThreadID\":0,\"Channel\":\"Security\",\"Domain\":\"KEY\",\"AccountName\":\"\",\"UserID\":\"S-1-5-21-0000000000-0000000000-0000000000-000000\",\"AccountType\":\"User\",\"Message\":\"The Federation Service failed to validate a new credential. See XML for failure details. \\r\\n\\r\\nActivity ID: d404fc6c-c19c-40d7-a4fb-e8ebeb1bfc56 \\r\\n\\r\\nAdditional Data \\r\\nXML: \\r\\n\\r\\n FreshCredentials\\r\\n Failure\\r\\n CredentialValidationError\\r\\n N/A\\r\\n \\r\\n \\r\\n http://auth.example.org/adfs/services/trust\\r\\n N/A\\r\\n username@example.org\\r\\n \\r\\n \\r\\n N/A\\r\\n false\\r\\n N/A\\r\\n false\\r\\n N/A\\r\\n false\\r\\n false\\r\\n NotSet\\r\\n \\r\\n \\r\\n N/A\\r\\n N/A\\r\\n \\r\\n \\r\\n http://auth.example.org/adfs/services/trust\\r\\n WSFederation\\r\\n Intranet\\r\\n 1.1.1.1\\r\\n \\r\\n N/A\\r\\n N/A\\r\\n N/A\\r\\n Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19044\\r\\n /adfs/ls/\\r\\n \\r\\n \\r\\n\",\"Opcode\":\"Info\",\"EventReceivedTime\":\"2012-09-20 15:54:15\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "1203", - "message": "The Federation Service failed to validate a new credential. See XML for failure details. 
\r\n\r\nActivity ID: d404fc6c-c19c-40d7-a4fb-e8ebeb1bfc56 \r\n\r\nAdditional Data \r\nXML: \r\n\r\n FreshCredentials\r\n Failure\r\n CredentialValidationError\r\n N/A\r\n \r\n \r\n http://auth.example.org/adfs/services/trust\r\n N/A\r\n username@example.org\r\n \r\n \r\n N/A\r\n false\r\n N/A\r\n false\r\n N/A\r\n false\r\n false\r\n NotSet\r\n \r\n \r\n N/A\r\n N/A\r\n \r\n \r\n http://auth.example.org/adfs/services/trust\r\n WSFederation\r\n Intranet\r\n 1.1.1.1\r\n \r\n N/A\r\n N/A\r\n N/A\r\n Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19044\r\n /adfs/ls/\r\n \r\n \r\n", - "provider": "AD FS Auditing" + "provider": "AD FS Auditing", + "message": "The Federation Service failed to validate a new credential. See XML for failure details. \r\n\r\nActivity ID: d404fc6c-c19c-40d7-a4fb-e8ebeb1bfc56 \r\n\r\nAdditional Data \r\nXML: \r\n\r\n FreshCredentials\r\n Failure\r\n CredentialValidationError\r\n N/A\r\n \r\n \r\n http://auth.example.org/adfs/services/trust\r\n N/A\r\n username@example.org\r\n \r\n \r\n N/A\r\n false\r\n N/A\r\n false\r\n N/A\r\n false\r\n false\r\n NotSet\r\n \r\n \r\n N/A\r\n N/A\r\n \r\n \r\n http://auth.example.org/adfs/services/trust\r\n WSFederation\r\n Intranet\r\n 1.1.1.1\r\n \r\n N/A\r\n N/A\r\n N/A\r\n Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19044\r\n /adfs/ls/\r\n \r\n \r\n" }, "action": { "record_id": 959944122, "type": "Security", "id": 1203, - "properties": [ - { - "AccountName": "", - "AccountType": "User", - "Domain": "KEY", - "EventType": "AUDIT_FAILURE", - "Severity": "ERROR", - "Task": 3, - "SourceName": "AD FS Auditing", - "Keywords": "-9182839640208441000", - "ProxyServer": "N/A" - } - ], + "properties": { + "AccountName": "", + "AccountType": "User", + "Domain": "KEY", + "EventType": "AUDIT_FAILURE", + "Severity": "ERROR", + "Task": 3, + 
"SourceName": "AD FS Auditing", + "Keywords": "-9182839640208441000", + "ProxyServer": "N/A" + }, "outcome": "failure" }, "log": { 
@@ -727,8 +721,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": " {\"EventTime\":\"2011-03-02 01:40:47\",\"Hostname\":\"PCFOO.corp.net\",\"Keywords\":4611686018427387904,\"EventType\":\"WARNING\",\"SeverityValue\":3,\"Severity\":\"WARNING\",\"EventID\":61,\"SourceName\":\"Microsoft-Windows-Bits-Client\",\"ProviderGuid\":\"{EF1CC15B-46C1-414E-BB95-E76B077BD51E}\",\"Version\":1,\"Task\":0,\"OpcodeValue\":2,\"RecordNumber\":18732,\"ActivityID\":\"{5B327F5A-B797-4B7E-AB05-11A0E98A15AF}\",\"ProcessID\":5796,\"ThreadID\":12472,\"Channel\":\"Microsoft-Windows-Bits-Client/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"BITS a arr\u00c3\u00aat\u00c3\u00a9 la t\u00c3\u00a2che de transfert Font Download qui est associ\u00c3\u00a9e \u00c3 l\u00e2\u20ac\u2122URL https://fs.microsoft.com/fs/windows/config.json. Le code d\u00e2\u20ac\u2122\u00c3\u00a9tat est 0x80072EE2.\",\"Opcode\":\"Arr\u00c3\u00aater\",\"transferId\":\"{5b327f5a-b797-4b7e-ab05-11a0e98a15af}\",\"name\":\"Font Download\",\"Id\":\"{895bd5ca-3d9e-4ea9-8965-8cbb9e2961dc}\",\"url\":\"https://fs.microsoft.com/fs/windows/config.json\",\"hr\":\"2147954402\",\"fileTime\":\"1601-01-01T00:00:00.0000000Z\",\"fileLength\":\"18446744073709551615\",\"bytesTotal\":\"18446744073709551615\",\"bytesTransferred\":\"0\",\"peerProtocolFlags\":\"0\",\"bytesTransferredFromPeer\":\"0\",\"AdditionalInfoHr\":\"0\",\"PeerContextInfo\":\"0\",\"bandwidthLimit\":\"18446744073709551615\",\"ignoreBandwidthLimitsOnLan\":\"false\",\"EventReceivedTime\":\"2011-03-02 01:40:48\",\"SourceModuleName\":\"evtx_win\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "61", - "message": "BITS a arr\u00c3\u00aat\u00c3\u00a9 la t\u00c3\u00a2che de transfert Font Download qui est associ\u00c3\u00a9e \u00c3 l\u00e2\u20ac\u2122URL https://fs.microsoft.com/fs/windows/config.json. 
Le code d\u00e2\u20ac\u2122\u00c3\u00a9tat est 0x80072EE2.", - "provider": "Microsoft-Windows-Bits-Client" + "provider": "Microsoft-Windows-Bits-Client", + "message": "BITS a arr\u00c3\u00aat\u00c3\u00a9 la t\u00c3\u00a2che de transfert Font Download qui est associ\u00c3\u00a9e \u00c3 l\u00e2\u20ac\u2122URL https://fs.microsoft.com/fs/windows/config.json. Le code d\u00e2\u20ac\u2122\u00c3\u00a9tat est 0x80072EE2." }, "file": { "name": "font download", @@ -738,23 +732,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "record_id": 18732, "type": "Microsoft-Windows-Bits-Client/Operational", "id": 61, - "properties": [ - { - "AccountName": "Syst\u00e8me", - "AccountType": "User", - "Domain": "AUTORITE NT", - "EventType": "WARNING", - "Id": "{895bd5ca-3d9e-4ea9-8965-8cbb9e2961dc}", - "OpcodeValue": 2, - "ProviderGuid": "{EF1CC15B-46C1-414E-BB95-E76B077BD51E}", - "Severity": "WARNING", - "Task": 0, - "bytesTransferred": "0", - "SourceName": "Microsoft-Windows-Bits-Client", - "Keywords": "4611686018427387904", - "BytesTotal": "-1" - } - ] + "properties": { + "AccountName": "Syst\u00e8me", + "AccountType": "User", + "Domain": "AUTORITE NT", + "EventType": "WARNING", + "Id": "{895bd5ca-3d9e-4ea9-8965-8cbb9e2961dc}", + "OpcodeValue": 2, + "ProviderGuid": "{EF1CC15B-46C1-414E-BB95-E76B077BD51E}", + "Severity": "WARNING", + "Task": 0, + "bytesTransferred": "0", + "SourceName": "Microsoft-Windows-Bits-Client", + "Keywords": "4611686018427387904", + "BytesTotal": "-1" + } }, "log": { "hostname": "PCFOO.corp.net", 
@@ -824,23 +816,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "record_id": 199, "type": "Microsoft-Windows-Bits-Client/Operational", "id": 16403, - "properties": [ - { - "AccountName": "userXYZ", - "AccountType": "User", - "Domain": "DESKTOP-FOOBARZ", - "EventType": "INFO", - "LocalName": "C:\\Users\\userXYZ\\Downloads\\sharpbits.zip", - "OpcodeValue": 0, - "ProviderGuid": "{EF1CC15B-46C1-414E-BB95-E76B077BD51E}", - "Severity": "INFO", - "Task": 0, - "User": "DESKTOP-FOOBARZ\\userXYZ", - "jobTitle": "sharpbitsTest.zip", - "SourceName": "Microsoft-Windows-Bits-Client", - "Keywords": "4611686018427387904" - } - ] + "properties": { + "AccountName": "userXYZ", + "AccountType": "User", + "Domain": "DESKTOP-FOOBARZ", + "EventType": "INFO", + "LocalName": "C:\\Users\\userXYZ\\Downloads\\sharpbits.zip", + "OpcodeValue": 0, + "ProviderGuid": "{EF1CC15B-46C1-414E-BB95-E76B077BD51E}", + "Severity": "INFO", + "Task": 0, + "User": "DESKTOP-FOOBARZ\\userXYZ", + "jobTitle": "sharpbitsTest.zip", + "SourceName": "Microsoft-Windows-Bits-Client", + "Keywords": "4611686018427387904" + } }, "file": { "owner": "DESKTOP-FOOBARZ\\userXYZ", 
@@ -910,8 +900,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-12-29 17:08:50\",\"Hostname\":\"DESKTOP-FOOBAR\",\"Keywords\":4611686018427387904,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":60,\"SourceName\":\"Microsoft-Windows-Bits-Client\",\"ProviderGuid\":\"{EF1CC15B-46C1-414E-BB95-E76B077BD51E}\",\"Version\":1,\"Task\":0,\"OpcodeValue\":2,\"RecordNumber\":206,\"ActivityID\":\"{510DF63E-554F-4823-8F87-A23BDEDE0898}\",\"ProcessID\":7908,\"ThreadID\":2432,\"Channel\":\"Microsoft-Windows-Bits-Client/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"BITS stopped transferring the sharpbitsTestX.zip transfer job that is associated with the https://codeplexarchive.blob.core.windows.net/archive/projects/sharpbits/sharpbits.zip URL. The status code is 0x0.\",\"Opcode\":\"Stop\",\"transferId\":\"{510df63e-554f-4823-8f87-a23bdede0898}\",\"name\":\"sharpbitsTestX.zip\",\"Id\":\"{c10c39b1-5f4e-47bc-a848-dc7505233471}\",\"url\":\"https://codeplexarchive.blob.core.windows.net/archive/projects/sharpbits/sharpbits.zip\",\"hr\":\"0\",\"fileTime\":\"2018-02-05T22:41:26.0000000Z\",\"fileLength\":\"524444\",\"bytesTotal\":\"524444\",\"bytesTransferred\":\"524444\",\"peerProtocolFlags\":\"0\",\"bytesTransferredFromPeer\":\"0\",\"AdditionalInfoHr\":\"0\",\"PeerContextInfo\":\"0\",\"bandwidthLimit\":\"18446744073709551615\",\"ignoreBandwidthLimitsOnLan\":\"false\",\"EventReceivedTime\":\"2010-12-29 17:08:51\",\"SourceModuleName\":\"eventlog6\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "60", - "message": "BITS stopped transferring the sharpbitsTestX.zip transfer job that is associated with the https://codeplexarchive.blob.core.windows.net/archive/projects/sharpbits/sharpbits.zip URL. 
The status code is 0x0.", - "provider": "Microsoft-Windows-Bits-Client" + "provider": "Microsoft-Windows-Bits-Client", + "message": "BITS stopped transferring the sharpbitsTestX.zip transfer job that is associated with the https://codeplexarchive.blob.core.windows.net/archive/projects/sharpbits/sharpbits.zip URL. The status code is 0x0." }, "file": { "name": "sharpbitstestx.zip", @@ -922,23 +912,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "record_id": 206, "type": "Microsoft-Windows-Bits-Client/Operational", "id": 60, - "properties": [ - { - "AccountName": "SYSTEM", - "AccountType": "User", - "Domain": "NT AUTHORITY", - "EventType": "INFO", - "Id": "{c10c39b1-5f4e-47bc-a848-dc7505233471}", - "OpcodeValue": 2, - "ProviderGuid": "{EF1CC15B-46C1-414E-BB95-E76B077BD51E}", - "Severity": "INFO", - "Task": 0, - "bytesTransferred": "524444", - "SourceName": "Microsoft-Windows-Bits-Client", - "Keywords": "4611686018427387904", - "BytesTotal": "524444" - } - ], + "properties": { + "AccountName": "SYSTEM", + "AccountType": "User", + "Domain": "NT AUTHORITY", + "EventType": "INFO", + "Id": "{c10c39b1-5f4e-47bc-a848-dc7505233471}", + "OpcodeValue": 2, + "ProviderGuid": "{EF1CC15B-46C1-414E-BB95-E76B077BD51E}", + "Severity": "INFO", + "Task": 0, + "bytesTransferred": "524444", + "SourceName": "Microsoft-Windows-Bits-Client", + "Keywords": "4611686018427387904", + "BytesTotal": "524444" + }, "name": "BITS has stopped transferring the BITS Transfer job" }, "log": { 
@@ -1003,33 +991,31 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-11-05 15:26:31\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"WARNING\",\"SeverityValue\":3,\"Severity\":\"WARNING\",\"EventID\":1116,\"SourceName\":\"Microsoft-Windows-Windows Defender\",\"ProviderGuid\":\"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":424,\"ProcessID\":2484,\"ThreadID\":9244,\"Channel\":\"Microsoft-Windows-Windows Defender/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Antivirus Windows Defender a d\u00c3\u00a9tect\u00c3\u00a9 un logiciel malveillant ou potentiellement ind\u00c3\u00a9sirable.\\r\\n Pour plus d\u00e2\u20ac\u2122informations, reportez-vous aux \u00c3\u00a9l\u00c3\u00a9ments suivants :\\r\\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win64/Mikatz!dha&threatid=2147705511&enterprise=0\\r\\n \\tNom : HackTool:Win64/Mikatz!dha\\r\\n \\tID : 2147705511\\r\\n \\tGravit\u00c3\u00a9 : \u00c3\u2030lev\u00c3\u00a9e\\r\\n \\tCat\u00c3\u00a9gorie : Outil\\r\\n \\tChemin : file:_C:\\\\Users\\\\r1\\\\Downloads\\\\tmp2\\\\tmp2\\\\Win32\\\\mimidrv.sys\\r\\n \\tOrigine de la d\u00c3\u00a9tection : Ordinateur local\\r\\n \\tType de d\u00c3\u00a9tection : Concret\\r\\n \\tSource de d\u00c3\u00a9tection : Protection en temps r\u00c3\u00a9el\\r\\n \\tUtilisateur : DESKTOP-FOOBARZ\\\\r1\\r\\n \\tNom du processus : C:\\\\Windows\\\\explorer.exe\\r\\n \\tVersion de la veille de s\u00c3\u00a9curit\u00c3\u00a9 : AV: 1.325.803.0, AS: 1.325.803.0, NIS: 1.325.803.0\\r\\n \\tVersion du moteur : AM: 1.1.17500.4, NIS: 1.1.17500.4\",\"Opcode\":\"Informations\",\"Product Name\":\"%%827\",\"Product Version\":\"4.18.2009.7\",\"Detection ID\":\"{3A24708D-3147-43F8-B63D-60CAD6A64298}\",\"Detection Time\":\"2010-11-05T14:26:30.985Z\",\"Threat 
ID\":\"2147705511\",\"Threat Name\":\"HackTool:Win64/Mikatz!dha\",\"Severity ID\":\"4\",\"Severity Name\":\"\u00c3\u2030lev\u00c3\u00a9e\",\"Category ID\":\"34\",\"Category Name\":\"Outil\",\"FWLink\":\"https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win64/Mikatz!dha&threatid=2147705511&enterprise=0\",\"Status Code\":\"1\",\"State\":\"1\",\"Source ID\":\"3\",\"Source Name\":\"%%818\",\"Process Name\":\"C:\\\\Windows\\\\explorer.exe\",\"Detection User\":\"DESKTOP-FOOBARZ\\\\r1\",\"Path\":\"file:_C:\\\\Users\\\\r1\\\\Downloads\\\\tmp2\\\\tmp2\\\\Win32\\\\mimidrv.sys\",\"Origin ID\":\"1\",\"Origin Name\":\"%%845\",\"Execution ID\":\"1\",\"Execution Name\":\"%%813\",\"Type ID\":\"0\",\"Type Name\":\"%%822\",\"Pre Execution Status\":\"0\",\"Action ID\":\"9\",\"Action Name\":\"%%887\",\"Error Code\":\"0x00000000\",\"Error Description\":\"L\u00e2\u20ac\u2122op\u00c3\u00a9ration a r\u00c3\u00a9ussi. \",\"Post Clean Status\":\"0\",\"Additional Actions ID\":\"0\",\"Additional Actions String\":\"No additional actions required\",\"Security intelligence Version\":\"AV: 1.325.803.0, AS: 1.325.803.0, NIS: 1.325.803.0\",\"Engine Version\":\"AM: 1.1.17500.4, NIS: 1.1.17500.4\",\"EventReceivedTime\":\"2010-11-05 15:26:39\",\"SourceModuleName\":\"eventlog2\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "1116", - "message": "Antivirus Windows Defender a d\u00c3\u00a9tect\u00c3\u00a9 un logiciel malveillant ou potentiellement ind\u00c3\u00a9sirable.\r\n Pour plus d\u00e2\u20ac\u2122informations, reportez-vous aux \u00c3\u00a9l\u00c3\u00a9ments suivants :\r\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win64/Mikatz!dha&threatid=2147705511&enterprise=0\r\n \tNom : HackTool:Win64/Mikatz!dha\r\n \tID : 2147705511\r\n \tGravit\u00c3\u00a9 : \u00c3\u2030lev\u00c3\u00a9e\r\n \tCat\u00c3\u00a9gorie : Outil\r\n \tChemin : file:_C:\\Users\\r1\\Downloads\\tmp2\\tmp2\\Win32\\mimidrv.sys\r\n \tOrigine de la d\u00c3\u00a9tection : Ordinateur local\r\n 
\tType de d\u00c3\u00a9tection : Concret\r\n \tSource de d\u00c3\u00a9tection : Protection en temps r\u00c3\u00a9el\r\n \tUtilisateur : DESKTOP-FOOBARZ\\r1\r\n \tNom du processus : C:\\Windows\\explorer.exe\r\n \tVersion de la veille de s\u00c3\u00a9curit\u00c3\u00a9 : AV: 1.325.803.0, AS: 1.325.803.0, NIS: 1.325.803.0\r\n \tVersion du moteur : AM: 1.1.17500.4, NIS: 1.1.17500.4", - "provider": "Microsoft-Windows-Windows Defender" + "provider": "Microsoft-Windows-Windows Defender", + "message": "Antivirus Windows Defender a d\u00c3\u00a9tect\u00c3\u00a9 un logiciel malveillant ou potentiellement ind\u00c3\u00a9sirable.\r\n Pour plus d\u00e2\u20ac\u2122informations, reportez-vous aux \u00c3\u00a9l\u00c3\u00a9ments suivants :\r\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win64/Mikatz!dha&threatid=2147705511&enterprise=0\r\n \tNom : HackTool:Win64/Mikatz!dha\r\n \tID : 2147705511\r\n \tGravit\u00c3\u00a9 : \u00c3\u2030lev\u00c3\u00a9e\r\n \tCat\u00c3\u00a9gorie : Outil\r\n \tChemin : file:_C:\\Users\\r1\\Downloads\\tmp2\\tmp2\\Win32\\mimidrv.sys\r\n \tOrigine de la d\u00c3\u00a9tection : Ordinateur local\r\n \tType de d\u00c3\u00a9tection : Concret\r\n \tSource de d\u00c3\u00a9tection : Protection en temps r\u00c3\u00a9el\r\n \tUtilisateur : DESKTOP-FOOBARZ\\r1\r\n \tNom du processus : C:\\Windows\\explorer.exe\r\n \tVersion de la veille de s\u00c3\u00a9curit\u00c3\u00a9 : AV: 1.325.803.0, AS: 1.325.803.0, NIS: 1.325.803.0\r\n \tVersion du moteur : AM: 1.1.17500.4, NIS: 1.1.17500.4" }, "action": { "record_id": 424, "type": "Microsoft-Windows-Windows Defender/Operational", "id": 1116, - "properties": [ - { - "AccountName": "Syst\u00e8me", - "AccountType": "User", - "DetectionUser": "DESKTOP-FOOBARZ\\r1", - "Domain": "AUTORITE NT", - "ErrorCode": "0x00000000", - "EventType": "WARNING", - "Execution Name": "%%813", - "OpcodeValue": 0, - "Path": "file:_c:\\users\\r1\\downloads\\tmp2\\tmp2\\win32\\mimidrv.sys", - "ProcessName": "c:\\windows\\explorer.exe", 
- "ProviderGuid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}", - "Severity": "WARNING", - "Task": 0, - "ThreatName": "HackTool:Win64/Mikatz!dha", - "SourceName": "Microsoft-Windows-Windows Defender", - "Keywords": "-9223372036854775808" - } - ], + "properties": { + "AccountName": "Syst\u00e8me", + "AccountType": "User", + "DetectionUser": "DESKTOP-FOOBARZ\\r1", + "Domain": "AUTORITE NT", + "ErrorCode": "0x00000000", + "EventType": "WARNING", + "Execution Name": "%%813", + "OpcodeValue": 0, + "Path": "file:_c:\\users\\r1\\downloads\\tmp2\\tmp2\\win32\\mimidrv.sys", + "ProcessName": "c:\\windows\\explorer.exe", + "ProviderGuid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}", + "Severity": "WARNING", + "Task": 0, + "ThreatName": "HackTool:Win64/Mikatz!dha", + "SourceName": "Microsoft-Windows-Windows Defender", + "Keywords": "-9223372036854775808" + }, "name": "The antimalware platform detected malware or other potentially unwanted software." }, "log": { 
@@ -1077,31 +1063,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2012-12-22 20:25:26\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":1151,\"SourceName\":\"Microsoft-Windows-Windows Defender\",\"ProviderGuid\":\"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":215,\"ProcessID\":5472,\"ThreadID\":5596,\"Channel\":\"Microsoft-Windows-Windows Defender/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Rapport d'int\u00e9grit\u00e9 du client Endpoint Protection (heure UTC)\u00a0: \\r\\n \\tVersion de plateforme\u00a0: 4.18.2011.6\\r\\n \\tVersion de moteur\u00a0: 1.1.19900.2\\r\\n \\tVersion du moteur du syst\u00e8me d\u2019inspection du r\u00e9seau en temps r\u00e9el\u00a0: 1.1.19900.2\\r\\n \\tVersion de la veille de s\u00e9curit\u00e9 Antivirus\u00a0: 1.381.814.0\\r\\n \\tVersion de la la veille de s\u00e9curit\u00e9 du logiciel anti-espion\u00a0: 1.381.814.0\\r\\n \\tVersion de la veille de s\u00e9curit\u00e9 du syst\u00e8me d\u2019inspection du r\u00e9seau en temps r\u00e9el\u00a0: 1.381.814.0\\r\\n \\t\u00c9tat RTP\u00a0: Activ\u00e9\\r\\n \\t\u00c9tat OA\u00a0: Activ\u00e9\\r\\n \\t\u00c9tat OAV\u00a0: Activ\u00e9\\r\\n \\t\u00c9tat BM\u00a0: Activ\u00e9\\r\\n \\t\u00c2ge de la veille de s\u00e9curit\u00e9 de l'antivirus\u00a0: 1\\r\\n \\t\u00c2ge de la veille de s\u00e9curit\u00e9 du logiciel anti-espion\u00a0: 1\\r\\n \\t\u00c2ge de la derni\u00e8re analyse rapide\u00a0: 1\\r\\n \\t\u00c2ge de la derni\u00e8re analyse compl\u00e8te\u00a0: 4294967295\\r\\n \\tHeure de cr\u00e9ation de la veille de s\u00e9curit\u00e9 de l'antivirus\u00a0: 21/12/2012 01:50:25\\r\\n \\tHeure de cr\u00e9ation de la veille de s\u00e9curit\u00e9 du logiciel anti-espion\u00a0: 21/12/2012 
01:50:26\\r\\n \\tHeure de d\u00e9but la derni\u00e8re analyse rapide\u00a0: 21/12/2012 10:30:01\\r\\n \\tHeure de fin de la derni\u00e8re analyse rapide\u00a0: 21/12/2012 10:40:38\\r\\n \\tSource de la derni\u00e8re analyse rapide\u00a0: 2\\r\\n \\tHeure de d\u00e9but de la derni\u00e8re analyse compl\u00e8te\u00a0: 01/01/1601 00:00:00\\r\\n \\tHeure de fin de la derni\u00e8re analyse compl\u00e8te\u00a0: 01/01/1601 00:00:00\\r\\n \\tSource de la derni\u00e8re analyse compl\u00e8te\u00a0: 0\\r\\n \\tStatut du produit\u00a0: 0x00080000\\r\\n\",\"Opcode\":\"Informations\",\"Product Name\":\"Antivirus Microsoft Defender\",\"Platform version\":\"4.18.2011.6\",\"Engine version\":\"1.1.19900.2\",\"NRI engine version\":\"1.1.19900.2\",\"AV security intelligence version\":\"1.381.814.0\",\"AS security intelligence version\":\"1.381.814.0\",\"NRI security intelligence version\":\"1.381.814.0\",\"RTP state\":\"Activ\u00e9\",\"OA state\":\"Activ\u00e9\",\"IOAV state\":\"Activ\u00e9\",\"BM state\":\"Activ\u00e9\",\"Last AV security intelligence age\":\"1\",\"Last AS security intelligence age\":\"1\",\"Last quick scan age\":\"1\",\"Last full scan age\":\"4294967295\",\"AV security intelligence creation time\":\"21/12/2012 01:50:25\",\"AS security intelligence creation time\":\"21/12/2012 01:50:26\",\"Last quick scan start time\":\"21/12/2012 10:30:01\",\"Last quick scan end time\":\"21/12/2012 10:40:38\",\"Last quick scan source\":\"2\",\"Last full scan start time\":\"01/01/1601 00:00:00\",\"Last full scan end time\":\"01/01/1601 00:00:00\",\"Last full scan source\":\"0\",\"Product status\":\"0x00080000\",\"EventReceivedTime\":\"2012-12-22 20:25:28\",\"SourceModuleName\":\"evtx_win\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "1151", - "message": "Rapport d'int\u00e9grit\u00e9 du client Endpoint Protection (heure UTC)\u00a0: \r\n \tVersion de plateforme\u00a0: 4.18.2011.6\r\n \tVersion de moteur\u00a0: 1.1.19900.2\r\n \tVersion du moteur du syst\u00e8me 
d\u2019inspection du r\u00e9seau en temps r\u00e9el\u00a0: 1.1.19900.2\r\n \tVersion de la veille de s\u00e9curit\u00e9 Antivirus\u00a0: 1.381.814.0\r\n \tVersion de la la veille de s\u00e9curit\u00e9 du logiciel anti-espion\u00a0: 1.381.814.0\r\n \tVersion de la veille de s\u00e9curit\u00e9 du syst\u00e8me d\u2019inspection du r\u00e9seau en temps r\u00e9el\u00a0: 1.381.814.0\r\n \t\u00c9tat RTP\u00a0: Activ\u00e9\r\n \t\u00c9tat OA\u00a0: Activ\u00e9\r\n \t\u00c9tat OAV\u00a0: Activ\u00e9\r\n \t\u00c9tat BM\u00a0: Activ\u00e9\r\n \t\u00c2ge de la veille de s\u00e9curit\u00e9 de l'antivirus\u00a0: 1\r\n \t\u00c2ge de la veille de s\u00e9curit\u00e9 du logiciel anti-espion\u00a0: 1\r\n \t\u00c2ge de la derni\u00e8re analyse rapide\u00a0: 1\r\n \t\u00c2ge de la derni\u00e8re analyse compl\u00e8te\u00a0: 4294967295\r\n \tHeure de cr\u00e9ation de la veille de s\u00e9curit\u00e9 de l'antivirus\u00a0: 21/12/2012 01:50:25\r\n \tHeure de cr\u00e9ation de la veille de s\u00e9curit\u00e9 du logiciel anti-espion\u00a0: 21/12/2012 01:50:26\r\n \tHeure de d\u00e9but la derni\u00e8re analyse rapide\u00a0: 21/12/2012 10:30:01\r\n \tHeure de fin de la derni\u00e8re analyse rapide\u00a0: 21/12/2012 10:40:38\r\n \tSource de la derni\u00e8re analyse rapide\u00a0: 2\r\n \tHeure de d\u00e9but de la derni\u00e8re analyse compl\u00e8te\u00a0: 01/01/1601 00:00:00\r\n \tHeure de fin de la derni\u00e8re analyse compl\u00e8te\u00a0: 01/01/1601 00:00:00\r\n \tSource de la derni\u00e8re analyse compl\u00e8te\u00a0: 0\r\n \tStatut du produit\u00a0: 0x00080000\r\n", - "provider": "Microsoft-Windows-Windows Defender" + "provider": "Microsoft-Windows-Windows Defender", + "message": "Rapport d'int\u00e9grit\u00e9 du client Endpoint Protection (heure UTC)\u00a0: \r\n \tVersion de plateforme\u00a0: 4.18.2011.6\r\n \tVersion de moteur\u00a0: 1.1.19900.2\r\n \tVersion du moteur du syst\u00e8me d\u2019inspection du r\u00e9seau en temps r\u00e9el\u00a0: 1.1.19900.2\r\n \tVersion de la veille de 
s\u00e9curit\u00e9 Antivirus\u00a0: 1.381.814.0\r\n \tVersion de la la veille de s\u00e9curit\u00e9 du logiciel anti-espion\u00a0: 1.381.814.0\r\n \tVersion de la veille de s\u00e9curit\u00e9 du syst\u00e8me d\u2019inspection du r\u00e9seau en temps r\u00e9el\u00a0: 1.381.814.0\r\n \t\u00c9tat RTP\u00a0: Activ\u00e9\r\n \t\u00c9tat OA\u00a0: Activ\u00e9\r\n \t\u00c9tat OAV\u00a0: Activ\u00e9\r\n \t\u00c9tat BM\u00a0: Activ\u00e9\r\n \t\u00c2ge de la veille de s\u00e9curit\u00e9 de l'antivirus\u00a0: 1\r\n \t\u00c2ge de la veille de s\u00e9curit\u00e9 du logiciel anti-espion\u00a0: 1\r\n \t\u00c2ge de la derni\u00e8re analyse rapide\u00a0: 1\r\n \t\u00c2ge de la derni\u00e8re analyse compl\u00e8te\u00a0: 4294967295\r\n \tHeure de cr\u00e9ation de la veille de s\u00e9curit\u00e9 de l'antivirus\u00a0: 21/12/2012 01:50:25\r\n \tHeure de cr\u00e9ation de la veille de s\u00e9curit\u00e9 du logiciel anti-espion\u00a0: 21/12/2012 01:50:26\r\n \tHeure de d\u00e9but la derni\u00e8re analyse rapide\u00a0: 21/12/2012 10:30:01\r\n \tHeure de fin de la derni\u00e8re analyse rapide\u00a0: 21/12/2012 10:40:38\r\n \tSource de la derni\u00e8re analyse rapide\u00a0: 2\r\n \tHeure de d\u00e9but de la derni\u00e8re analyse compl\u00e8te\u00a0: 01/01/1601 00:00:00\r\n \tHeure de fin de la derni\u00e8re analyse compl\u00e8te\u00a0: 01/01/1601 00:00:00\r\n \tSource de la derni\u00e8re analyse compl\u00e8te\u00a0: 0\r\n \tStatut du produit\u00a0: 0x00080000\r\n" }, "action": { "record_id": 215, "type": "Microsoft-Windows-Windows Defender/Operational", "id": 1151, - "properties": [ - { - "AccountName": "Syst\u00e8me", - "AccountType": "User", - "Domain": "AUTORITE NT", - "EventType": "INFO", - "LastASSecurityIntelligenceAge": "1", - "LastAVSecurityIntelligenceAge": "1", - "LastFullScanAge": "4294967295", - "LastQuickScanAge": "1", - "OpcodeValue": 0, - "ProviderGuid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}", - "Severity": "INFO", - "Task": 0, - "SourceName": "Microsoft-Windows-Windows 
Defender", - "Keywords": "-9223372036854775808" - } - ] + "properties": { + "AccountName": "Syst\u00e8me", + "AccountType": "User", + "Domain": "AUTORITE NT", + "EventType": "INFO", + "LastASSecurityIntelligenceAge": "1", + "LastAVSecurityIntelligenceAge": "1", + "LastFullScanAge": "4294967295", + "LastQuickScanAge": "1", + "OpcodeValue": 0, + "ProviderGuid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}", + "Severity": "INFO", + "Task": 0, + "SourceName": "Microsoft-Windows-Windows Defender", + "Keywords": "-9223372036854775808" + } }, "log": { "hostname": "DESKTOP-FOOBARZ", 
@@ -1148,28 +1132,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2011-09-13 09:20:39\",\"Hostname\":\"lb-foobar\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":5007,\"SourceName\":\"Microsoft-Windows-Windows Defender\",\"ProviderGuid\":\"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":1166,\"ProcessID\":3532,\"ThreadID\":5956,\"Channel\":\"Microsoft-Windows-Windows Defender/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.\\r\\n \\tOld value: HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Processes\\\\powershell.exe = 0x0\\r\\n \\tNew value: \",\"Opcode\":\"Info\",\"Product Name\":\"Microsoft Defender Antivirus\",\"Product Version\":\"4.18.2108.7\",\"Old Value\":\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Processes\\\\powershell.exe = 0x0\",\"EventReceivedTime\":\"2011-09-13 09:20:41\",\"SourceModuleName\":\"eventlog6\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "5007", - "message": "Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.\r\n \tOld value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\powershell.exe = 0x0\r\n \tNew value: ", - "provider": "Microsoft-Windows-Windows Defender" + "provider": "Microsoft-Windows-Windows Defender", + "message": "Microsoft Defender Antivirus Configuration has changed. 
If this is an unexpected event you should review the settings as this may be the result of malware.\r\n \tOld value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\powershell.exe = 0x0\r\n \tNew value: " }, "action": { "record_id": 1166, "type": "Microsoft-Windows-Windows Defender/Operational", "id": 5007, - "properties": [ - { - "AccountName": "SYSTEM", - "AccountType": "User", - "Domain": "NT AUTHORITY", - "EventType": "INFO", - "Old Value": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\powershell.exe = 0x0", - "OpcodeValue": 0, - "ProviderGuid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}", - "Severity": "INFO", - "Task": 0, - "SourceName": "Microsoft-Windows-Windows Defender", - "Keywords": "-9223372036854775808" - } - ] + "properties": { + "AccountName": "SYSTEM", + "AccountType": "User", + "Domain": "NT AUTHORITY", + "EventType": "INFO", + "Old Value": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\powershell.exe = 0x0", + "OpcodeValue": 0, + "ProviderGuid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}", + "Severity": "INFO", + "Task": 0, + "SourceName": "Microsoft-Windows-Windows Defender", + "Keywords": "-9223372036854775808" + } }, "log": { "hostname": "lb-foobar", 
@@ -1216,31 +1198,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2011-06-02 15:04:18\",\"Hostname\":\"PCFOO.corp.net\",\"Keywords\":0,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4103,\"SourceName\":\"Microsoft-Windows-PowerShell\",\"ProviderGuid\":\"{A0C1853B-5C40-4B15-8766-3CF1C58F985A}\",\"Version\":1,\"Task\":106,\"OpcodeValue\":20,\"RecordNumber\":712900,\"ActivityID\":\"{260C9E3C-4B0F-0002-DC86-2D260F4BD701}\",\"ProcessID\":22244,\"ThreadID\":16456,\"Channel\":\"Microsoft-Windows-PowerShell/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"CommandInvocation (Select-Object) : \u00ab Select-Object \u00bb\\r\\nLiaison de param\u00e8tre (Select-Object) : nom = \u00ab First \u00bb ; valeur = \u00ab 1 \u00bb\\r\\nLiaison de param\u00e8tre (Select-Object) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab __AllParameterSets \u00bb\\r\\n\\r\\n\\r\\nContexte :\\r\\n Gravit\u00e9 = Informational\\r\\n Nom d\u2019h\u00f4te = ConsoleHost\\r\\n Version de l\u2019h\u00f4te = 5.1.19041.906\\r\\n ID d\u2019h\u00f4te = d480b34d-9bc5-4b03-bef2-0c4642484e60\\r\\n Application h\u00f4te = C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe get-process | select processname\\r\\n Version du moteur = 5.1.19041.906\\r\\n ID d\u2019instance d\u2019ex\u00e9cution = de38a11e-707d-4cc0-a009-a4af63866bf6\\r\\n ID de pipeline = 1\\r\\n Nom de commande = Select-Object\\r\\n Type de commande = Cmdlet\\r\\n Nom du script = \\r\\n Chemin de la commande = \\r\\n Num\u00e9ro de s\u00e9quence = 138\\r\\n Utilisateur = FOOBAR\\\\Syst\u00e8me\\r\\n Utilisateur connect\u00e9 = \\r\\n ID d\u2019interpr\u00e9teur de commandes = Microsoft.PowerShell\\r\\n\\r\\n\\r\\nDonn\u00e9es utilisateur :\\r\\n\\r\\n\",\"Category\":\"Ex\u00e9cution du pipeline\",\"Opcode\":\"\u00c0 utiliser lorsque l'op\u00e9ration 
ex\u00e9cute uniquement une m\u00e9thode\",\"ContextInfo\":\" Gravit\u00e9 = Informational\\r\\n Nom d\u2019h\u00f4te = ConsoleHost\\r\\n Version de l\u2019h\u00f4te = 5.1.19041.906\\r\\n ID d\u2019h\u00f4te = d480b34d-9bc5-4b03-bef2-0c4642484e60\\r\\n Application h\u00f4te = C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe get-process | select processname\\r\\n Version du moteur = 5.1.19041.906\\r\\n ID d\u2019instance d\u2019ex\u00e9cution = de38a11e-707d-4cc0-a009-a4af63866bf6\\r\\n ID de pipeline = 1\\r\\n Nom de commande = Select-Object\\r\\n Type de commande = Cmdlet\\r\\n Nom du script = \\r\\n Chemin de la commande = \\r\\n Num\u00e9ro de s\u00e9quence\u00a0= 138\\r\\n Utilisateur = FOOBAR\\\\Syst\u00e8me\\r\\n Utilisateur connect\u00e9 = \\r\\n ID d\u2019interpr\u00e9teur de commandes = Microsoft.PowerShell\\r\\n\",\"Payload\":\"CommandInvocation (Select-Object) : \u00ab Select-Object \u00bb\\r\\nLiaison de param\u00e8tre (Select-Object) : nom = \u00ab First \u00bb ; valeur = \u00ab 1 \u00bb\\r\\nLiaison de param\u00e8tre (Select-Object) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab __AllParameterSets \u00bb\\r\\n\",\"EventReceivedTime\":\"2011-06-02 15:04:18\",\"SourceModuleName\":\"evtx_win\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4103", - "message": "CommandInvocation (Select-Object) : \u00ab Select-Object \u00bb\r\nLiaison de param\u00e8tre (Select-Object) : nom = \u00ab First \u00bb ; valeur = \u00ab 1 \u00bb\r\nLiaison de param\u00e8tre (Select-Object) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab __AllParameterSets \u00bb\r\n\r\n\r\nContexte :\r\n Gravit\u00e9 = Informational\r\n Nom d\u2019h\u00f4te = ConsoleHost\r\n Version de l\u2019h\u00f4te = 5.1.19041.906\r\n ID d\u2019h\u00f4te = d480b34d-9bc5-4b03-bef2-0c4642484e60\r\n Application h\u00f4te = C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe get-process | select processname\r\n Version du moteur = 5.1.19041.906\r\n ID 
d\u2019instance d\u2019ex\u00e9cution = de38a11e-707d-4cc0-a009-a4af63866bf6\r\n ID de pipeline = 1\r\n Nom de commande = Select-Object\r\n Type de commande = Cmdlet\r\n Nom du script = \r\n Chemin de la commande = \r\n Num\u00e9ro de s\u00e9quence = 138\r\n Utilisateur = FOOBAR\\Syst\u00e8me\r\n Utilisateur connect\u00e9 = \r\n ID d\u2019interpr\u00e9teur de commandes = Microsoft.PowerShell\r\n\r\n\r\nDonn\u00e9es utilisateur :\r\n\r\n", - "provider": "Microsoft-Windows-PowerShell" + "provider": "Microsoft-Windows-PowerShell", + "message": "CommandInvocation (Select-Object) : \u00ab Select-Object \u00bb\r\nLiaison de param\u00e8tre (Select-Object) : nom = \u00ab First \u00bb ; valeur = \u00ab 1 \u00bb\r\nLiaison de param\u00e8tre (Select-Object) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab __AllParameterSets \u00bb\r\n\r\n\r\nContexte :\r\n Gravit\u00e9 = Informational\r\n Nom d\u2019h\u00f4te = ConsoleHost\r\n Version de l\u2019h\u00f4te = 5.1.19041.906\r\n ID d\u2019h\u00f4te = d480b34d-9bc5-4b03-bef2-0c4642484e60\r\n Application h\u00f4te = C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe get-process | select processname\r\n Version du moteur = 5.1.19041.906\r\n ID d\u2019instance d\u2019ex\u00e9cution = de38a11e-707d-4cc0-a009-a4af63866bf6\r\n ID de pipeline = 1\r\n Nom de commande = Select-Object\r\n Type de commande = Cmdlet\r\n Nom du script = \r\n Chemin de la commande = \r\n Num\u00e9ro de s\u00e9quence = 138\r\n Utilisateur = FOOBAR\\Syst\u00e8me\r\n Utilisateur connect\u00e9 = \r\n ID d\u2019interpr\u00e9teur de commandes = Microsoft.PowerShell\r\n\r\n\r\nDonn\u00e9es utilisateur :\r\n\r\n" }, "action": { "record_id": 712900, "type": "Microsoft-Windows-PowerShell/Operational", "id": 4103, - "properties": [ - { - "AccountName": "Syst\u00e8me", - "AccountType": "User", - "ContextInfo": " Gravit\u00e9 = Informational\r\n Nom d\u2019h\u00f4te = ConsoleHost\r\n Version de l\u2019h\u00f4te = 5.1.19041.906\r\n ID d\u2019h\u00f4te = 
d480b34d-9bc5-4b03-bef2-0c4642484e60\r\n Application h\u00f4te = C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe get-process | select processname\r\n Version du moteur = 5.1.19041.906\r\n ID d\u2019instance d\u2019ex\u00e9cution = de38a11e-707d-4cc0-a009-a4af63866bf6\r\n ID de pipeline = 1\r\n Nom de commande = Select-Object\r\n Type de commande = Cmdlet\r\n Nom du script = \r\n Chemin de la commande = \r\n Num\u00e9ro de s\u00e9quence = 138\r\n Utilisateur = FOOBAR\\Syst\u00e8me\r\n Utilisateur connect\u00e9 = \r\n ID d\u2019interpr\u00e9teur de commandes = Microsoft.PowerShell\r\n", - "Domain": "AUTORITE NT", - "EventType": "INFO", - "OpcodeValue": 20, - "Payload": "CommandInvocation (Select-Object) : \u00ab Select-Object \u00bb\r\nLiaison de param\u00e8tre (Select-Object) : nom = \u00ab First \u00bb ; valeur = \u00ab 1 \u00bb\r\nLiaison de param\u00e8tre (Select-Object) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab __AllParameterSets \u00bb\r\n", - "ProviderGuid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}", - "Severity": "INFO", - "Task": 106, - "SourceName": "Microsoft-Windows-PowerShell", - "Keywords": "0", - "HostApplication": "C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe get-process | select processname", - "HostName": "ConsoleHost" - } - ] + "properties": { + "AccountName": "Syst\u00e8me", + "AccountType": "User", + "ContextInfo": " Gravit\u00e9 = Informational\r\n Nom d\u2019h\u00f4te = ConsoleHost\r\n Version de l\u2019h\u00f4te = 5.1.19041.906\r\n ID d\u2019h\u00f4te = d480b34d-9bc5-4b03-bef2-0c4642484e60\r\n Application h\u00f4te = C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe get-process | select processname\r\n Version du moteur = 5.1.19041.906\r\n ID d\u2019instance d\u2019ex\u00e9cution = de38a11e-707d-4cc0-a009-a4af63866bf6\r\n ID de pipeline = 1\r\n Nom de commande = Select-Object\r\n Type de commande = Cmdlet\r\n Nom du script = \r\n Chemin de la commande = \r\n Num\u00e9ro de s\u00e9quence = 
138\r\n Utilisateur = FOOBAR\\Syst\u00e8me\r\n Utilisateur connect\u00e9 = \r\n ID d\u2019interpr\u00e9teur de commandes = Microsoft.PowerShell\r\n", + "Domain": "AUTORITE NT", + "EventType": "INFO", + "OpcodeValue": 20, + "Payload": "CommandInvocation (Select-Object) : \u00ab Select-Object \u00bb\r\nLiaison de param\u00e8tre (Select-Object) : nom = \u00ab First \u00bb ; valeur = \u00ab 1 \u00bb\r\nLiaison de param\u00e8tre (Select-Object) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab __AllParameterSets \u00bb\r\n", + "ProviderGuid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}", + "Severity": "INFO", + "Task": 106, + "SourceName": "Microsoft-Windows-PowerShell", + "Keywords": "0", + "HostApplication": "C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe get-process | select processname", + "HostName": "ConsoleHost" + } }, "log": { "hostname": "PCFOO.corp.net", 
@@ -1288,29 +1268,27 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"EventTime\": \"2022-03-21 09:17:49\", \"Hostname\": \"dcclient-vm\", \"Keywords\": -9223372036854775808, \"EventType\": \"INFO\", \"SeverityValue\": 2, \"Severity\": \"INFO\", \"EventID\": 5007, \"SourceName\": \"Microsoft-Windows-Windows Defender\", \"ProviderGuid\": \"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}\", \"Version\": 0, \"Task\": 0, \"OpcodeValue\": 0, \"RecordNumber\": 4178, \"ProcessID\": 3292, \"ThreadID\": 5848, \"Channel\": \"Microsoft-Windows-Windows Defender/Operational\", \"Domain\": \"NT AUTHORITY\", \"AccountName\": \"SYSTEM\", \"UserID\": \"S-1-5-18\", \"AccountType\": \"User\", \"Message\": \"Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.\\r\\n \\tOld value: HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection = 0x5\\r\\n \\tNew value: HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection = 0x4\", \"Opcode\": \"Info\", \"Product Name\": \"Microsoft Defender Antivirus\", \"Product Version\": \"4.18.2202.4\", \"Old Value\": \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection = 0x5\", \"New Value\": \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection = 0x4\", \"EventReceivedTime\": \"2022-03-18 14:42:03\", \"SourceModuleName\": \"eventlog6\", \"SourceModuleType\": \"im_msvistalog\"}",
 "event": {
 "code": "5007",
- "message": "Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.\r\n \tOld value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection = 0x5\r\n \tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection = 0x4",
- "provider": "Microsoft-Windows-Windows Defender"
+ "provider": "Microsoft-Windows-Windows Defender",
+ "message": "Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.\r\n \tOld value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection = 0x5\r\n \tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection = 0x4"
 },
 "action": {
 "record_id": 4178,
 "type": "Microsoft-Windows-Windows Defender/Operational",
 "id": 5007,
- "properties": [
- {
- "AccountName": "SYSTEM",
- "AccountType": "User",
- "Domain": "NT AUTHORITY",
- "EventType": "INFO",
- "New Value": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection = 0x4",
- "Old Value": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection = 0x5",
- "OpcodeValue": 0,
- "ProviderGuid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
- "Severity": "INFO",
- "Task": 0,
- "SourceName": "Microsoft-Windows-Windows Defender",
- "Keywords": "-9223372036854775808"
- }
- ]
+ "properties": {
+ "AccountName": "SYSTEM",
+ "AccountType": "User",
+ "Domain": "NT AUTHORITY",
+ "EventType": "INFO",
+ "New Value": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection = 0x4",
+ "Old Value": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection = 0x5",
+ "OpcodeValue": 0,
+ "ProviderGuid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
+ "Severity": "INFO",
+ "Task": 0,
+ "SourceName": "Microsoft-Windows-Windows Defender",
+ "Keywords": "-9223372036854775808"
+ }
 },
 "log": {
 "hostname": "dcclient-vm",
@@ -1357,35 +1335,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-05-22 15:37:23\",\"Hostname\":\"FOOBAZ11\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4768,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":14339,\"OpcodeValue\":0,\"RecordNumber\":26287385371,\"ProcessID\":1796,\"ThreadID\":17268,\"Channel\":\"Security\",\"Message\":\"A Kerberos authentication ticket (TGT) was requested.\\r\\n\\r\\nAccount Information:\\r\\n\\tAccount Name:\\t\\tFOO$\\r\\n\\tSupplied Realm Name:\\tKEY.HOSTFOO.INT\\r\\n\\tUser ID:\\t\\t\\tS-1-5-21-1574594750-1263408776-2012955550-83436\\r\\n\\r\\nService Information:\\r\\n\\tService Name:\\t\\tkrbtgt\\r\\n\\tService ID:\\t\\tS-1-5-21-1574594750-1263408776-2012955550-502\\r\\n\\r\\nNetwork Information:\\r\\n\\tClient Address:\\t\\t::ffff:1.1.1.1\\r\\n\\tClient Port:\\t\\t65016\\r\\n\\r\\nAdditional Information:\\r\\n\\tTicket Options:\\t\\t0x40810010\\r\\n\\tResult Code:\\t\\t0x0\\r\\n\\tTicket Encryption Type:\\t0x12\\r\\n\\tPre-Authentication Type:\\t2\\r\\n\\r\\nCertificate Information:\\r\\n\\tCertificate Issuer Name:\\t\\t\\r\\n\\tCertificate Serial Number:\\t\\r\\n\\tCertificate Thumbprint:\\t\\t\\r\\n\\r\\nCertificate information is only provided if a certificate was used for pre-authentication.\\r\\n\\r\\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.\",\"Category\":\"Kerberos Authentication 
Service\",\"Opcode\":\"Info\",\"TargetUserName\":\"FOO$\",\"TargetDomainName\":\"KEY.HOSTFOO.INT\",\"TargetSid\":\"S-1-5-21-1574594750-1263408776-2012955550-83436\",\"ServiceName\":\"krbtgt\",\"ServiceSid\":\"S-1-5-21-1574594750-1263408776-2012955550-502\",\"TicketOptions\":\"0x40810010\",\"Status\":\"0x0\",\"TicketEncryptionType\":\"0x12\",\"PreAuthType\":\"2\",\"IpAddress\":\"::ffff:1.1.1.1\",\"IpPort\":\"65016\",\"EventReceivedTime\":\"2010-05-22 15:37:24\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4768", - "message": "A Kerberos authentication ticket (TGT) was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tFOO$\r\n\tSupplied Realm Name:\tKEY.HOSTFOO.INT\r\n\tUser ID:\t\t\tS-1-5-21-1574594750-1263408776-2012955550-83436\r\n\r\nService Information:\r\n\tService Name:\t\tkrbtgt\r\n\tService ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-502\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::ffff:1.1.1.1\r\n\tClient Port:\t\t65016\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810010\r\n\tResult Code:\t\t0x0\r\n\tTicket Encryption Type:\t0x12\r\n\tPre-Authentication Type:\t2\r\n\r\nCertificate Information:\r\n\tCertificate Issuer Name:\t\t\r\n\tCertificate Serial Number:\t\r\n\tCertificate Thumbprint:\t\t\r\n\r\nCertificate information is only provided if a certificate was used for pre-authentication.\r\n\r\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.", - "provider": "Microsoft-Windows-Security-Auditing" + "provider": "Microsoft-Windows-Security-Auditing", + "message": "A Kerberos authentication ticket (TGT) was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tFOO$\r\n\tSupplied Realm Name:\tKEY.HOSTFOO.INT\r\n\tUser ID:\t\t\tS-1-5-21-1574594750-1263408776-2012955550-83436\r\n\r\nService Information:\r\n\tService Name:\t\tkrbtgt\r\n\tService ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-502\r\n\r\nNetwork 
Information:\r\n\tClient Address:\t\t::ffff:1.1.1.1\r\n\tClient Port:\t\t65016\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810010\r\n\tResult Code:\t\t0x0\r\n\tTicket Encryption Type:\t0x12\r\n\tPre-Authentication Type:\t2\r\n\r\nCertificate Information:\r\n\tCertificate Issuer Name:\t\t\r\n\tCertificate Serial Number:\t\r\n\tCertificate Thumbprint:\t\t\r\n\r\nCertificate information is only provided if a certificate was used for pre-authentication.\r\n\r\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120." }, "action": { "record_id": 26287385371, "type": "Security", "id": 4768, - "properties": [ - { - "EventType": "AUDIT_SUCCESS", - "IpAddress": "::ffff:1.1.1.1", - "IpPort": "65016", - "OpcodeValue": 0, - "PreAuthType": "2", - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "ServiceName": "krbtgt", - "ServiceSid": "S-1-5-21-1574594750-1263408776-2012955550-502", - "Severity": "INFO", - "Status": "0x0", - "TargetDomainName": "KEY.HOSTFOO.INT", - "TargetSid": "S-1-5-21-1574594750-1263408776-2012955550-83436", - "TargetUserName": "FOO$", - "Task": 14339, - "TicketEncryptionType": "0x12", - "TicketOptions": "0x40810010", - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" - } - ], + "properties": { + "EventType": "AUDIT_SUCCESS", + "IpAddress": "::ffff:1.1.1.1", + "IpPort": "65016", + "OpcodeValue": 0, + "PreAuthType": "2", + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "ServiceName": "krbtgt", + "ServiceSid": "S-1-5-21-1574594750-1263408776-2012955550-502", + "Severity": "INFO", + "Status": "0x0", + "TargetDomainName": "KEY.HOSTFOO.INT", + "TargetSid": "S-1-5-21-1574594750-1263408776-2012955550-83436", + "TargetUserName": "FOO$", + "Task": 14339, + "TicketEncryptionType": "0x12", + "TicketOptions": "0x40810010", + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9214364837600034816" + }, "name": "A Kerberos 
authentication ticket (TGT) was requested", "outcome": "success" }, 
@@ -1439,28 +1415,26 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"EventTime\":\"2019-05-16 11:55:18\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223354444668731392,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":8001,\"SourceName\":\"Microsoft-Windows-Store\",\"ProviderGuid\":\"{9C2A37F3-E5FD-5CAE-BCD1-43DAFEEE1FF0}\",\"Version\":0,\"Task\":8001,\"OpcodeValue\":14,\"RecordNumber\":4644,\"ProcessID\":2368,\"ThreadID\":836,\"Channel\":\"Microsoft-Windows-Store/Operational\",\"Domain\":\"DESKTOP-FOOBARZ\",\"AccountName\":\"UserFoo\",\"UserID\":\"S-1-5-21-1695726573-3959282566-3642579326-1001\",\"AccountType\":\"User\",\"Message\":\"Skipping license manager: PFN Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\\r\\nFunction: InvokeLicenseManagerRequired\\r\\nSource: enduser\\\\winstore\\\\licensemanager\\\\apisethost\\\\activationapis.cpp (205)\",\"Category\":\"LM\",\"Opcode\":\"Info\",\"Function\":\"InvokeLicenseManagerRequired\",\"Source\":\"enduser\\\\winstore\\\\licensemanager\\\\apisethost\\\\activationapis.cpp\",\"Line Number\":\"205\",\"EventReceivedTime\":\"2019-05-16 11:55:20\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}",
 "event": {
 "code": "8001",
- "message": "Skipping license manager: PFN Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\r\nFunction: InvokeLicenseManagerRequired\r\nSource: enduser\\winstore\\licensemanager\\apisethost\\activationapis.cpp (205)",
- "provider": "Microsoft-Windows-Store"
+ "provider": "Microsoft-Windows-Store",
+ "message": "Skipping license manager: PFN Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\r\nFunction: InvokeLicenseManagerRequired\r\nSource: enduser\\winstore\\licensemanager\\apisethost\\activationapis.cpp (205)"
 },
 "action": {
 "record_id": 4644,
 "type": "Microsoft-Windows-Store/Operational",
 "id": 8001,
- "properties": [
- {
- "AccountName": "UserFoo",
- "AccountType": "User",
- "Domain": "DESKTOP-FOOBARZ",
- "EventType": "INFO",
- "OpcodeValue": 14,
- "ProviderGuid": "{9C2A37F3-E5FD-5CAE-BCD1-43DAFEEE1FF0}",
- "Severity": "INFO",
- "Source": "enduser\\winstore\\licensemanager\\apisethost\\activationapis.cpp",
- "Task": 8001,
- "SourceName": "Microsoft-Windows-Store",
- "Keywords": "-9223354444668731392"
- }
- ]
+ "properties": {
+ "AccountName": "UserFoo",
+ "AccountType": "User",
+ "Domain": "DESKTOP-FOOBARZ",
+ "EventType": "INFO",
+ "OpcodeValue": 14,
+ "ProviderGuid": "{9C2A37F3-E5FD-5CAE-BCD1-43DAFEEE1FF0}",
+ "Severity": "INFO",
+ "Source": "enduser\\winstore\\licensemanager\\apisethost\\activationapis.cpp",
+ "Task": 8001,
+ "SourceName": "Microsoft-Windows-Store",
+ "Keywords": "-9223354444668731392"
+ }
 },
 "log": {
 "hostname": "DESKTOP-FOOBARZ",
@@ -1507,28 +1481,26 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"EventTime\":\"2019-12-16 15:24:15\",\"Hostname\":\"HOSTBAZ-001.ad.HOSTFOO.com\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4634,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":12545,\"OpcodeValue\":0,\"RecordNumber\":47121546,\"ProcessID\":560,\"ThreadID\":2172,\"Channel\":\"Security\",\"Message\":\"An account was logged off.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1519513455-2607746426-4144247390-71234\\r\\n\\tAccount Name:\\t\\tUSERFOO\\r\\n\\tAccount Domain:\\t\\tAD\\r\\n\\tLogon ID:\\t\\t0x3912391A\\r\\n\\r\\nLogon Type:\\t\\t\\t3\\r\\n\\r\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\",\"Category\":\"Logoff\",\"Opcode\":\"Info\",\"TargetUserSid\":\"S-1-5-21-1519513455-2607746426-4144247390-71234\",\"TargetUserName\":\"USERFOO\",\"TargetDomainName\":\"AD\",\"TargetLogonId\":\"0x3912391a\",\"LogonType\":\"3\",\"EventReceivedTime\":\"2019-12-16 15:24:17\",\"SourceModuleName\":\"eventlog3\",\"SourceModuleType\":\"im_msvistalog\"}",
 "event": {
 "code": "4634",
- "message": "An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1519513455-2607746426-4144247390-71234\r\n\tAccount Name:\t\tUSERFOO\r\n\tAccount Domain:\t\tAD\r\n\tLogon ID:\t\t0x3912391A\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
- "provider": "Microsoft-Windows-Security-Auditing"
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "message": "An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1519513455-2607746426-4144247390-71234\r\n\tAccount Name:\t\tUSERFOO\r\n\tAccount Domain:\t\tAD\r\n\tLogon ID:\t\t0x3912391A\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
 },
 "action": {
 "record_id": 47121546,
 "type": "Security",
 "id": 4634,
- "properties": [
- {
- "EventType": "AUDIT_SUCCESS",
- "LogonType": "3",
- "OpcodeValue": 0,
- "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
- "Severity": "INFO",
- "TargetDomainName": "AD",
- "TargetUserName": "USERFOO",
- "TargetUserSid": "S-1-5-21-1519513455-2607746426-4144247390-71234",
- "Task": 12545,
- "SourceName": "Microsoft-Windows-Security-Auditing",
- "Keywords": "-9214364837600034816"
- }
- ],
+ "properties": {
+ "EventType": "AUDIT_SUCCESS",
+ "LogonType": "3",
+ "OpcodeValue": 0,
+ "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "Severity": "INFO",
+ "TargetDomainName": "AD",
+ "TargetUserName": "USERFOO",
+ "TargetUserSid": "S-1-5-21-1519513455-2607746426-4144247390-71234",
+ "Task": 12545,
+ "SourceName": "Microsoft-Windows-Security-Auditing",
+ "Keywords": "-9214364837600034816"
+ },
 "name": "An account was logged off",
 "outcome": "success"
 },
@@ -1576,17 +1548,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-06-18 15:28:23\",\"Hostname\":\"V-FOO\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4624,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":1,\"Task\":12544,\"OpcodeValue\":0,\"RecordNumber\":10457874880,\"ProcessID\":744,\"ThreadID\":2352,\"Channel\":\"Security\",\"Message\":\"An account was successfully logged on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Type:\\t\\t\\t3\\r\\n\\r\\nImpersonation Level:\\t\\tImpersonation\\r\\n\\r\\nNew Logon:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1574594750-1263408776-2012955550-69701\\r\\n\\tAccount Name:\\t\\tSVC_DD_SP-SEARCH\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0xFBEE0744\\r\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t\\t0x0\\r\\n\\tProcess Name:\\t\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\tV-FOO\\r\\n\\tSource Network Address:\\t-\\r\\n\\tSource Port:\\t\\t-\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tNtLmSsp \\r\\n\\tAuthentication Package:\\tNTLM\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\tNTLM V2\\r\\n\\tKey Length:\\t\\t128\\r\\n\\r\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\r\\n\\r\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\r\\n\\r\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\",\"Category\":\"Logon\",\"Opcode\":\"Info\",\"SubjectUserSid\":\"S-1-0-0\",\"SubjectUserName\":\"-\",\"SubjectDomainName\":\"-\",\"SubjectLogonId\":\"0x0\",\"TargetUserSid\":\"S-1-5-21-1574594750-1263408776-2012955550-69701\",\"TargetUserName\":\"SVC_DD_SP-SEARCH\",\"TargetDomainName\":\"KEY\",\"TargetLogonId\":\"0xfbee0744\",\"LogonType\":\"3\",\"LogonProcessName\":\"NtLmSsp \",\"AuthenticationPackageName\":\"NTLM\",\"WorkstationName\":\"V-FOO\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"TransmittedServices\":\"-\",\"LmPackageName\":\"NTLM V2\",\"KeyLength\":\"128\",\"ProcessName\":\"-\",\"IpAddress\":\"-\",\"IpPort\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"EventReceivedTime\":\"2010-06-18 15:28:24\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4624", - "message": "An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon 
ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nImpersonation Level:\t\tImpersonation\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-69701\r\n\tAccount Name:\t\tSVC_DD_SP-SEARCH\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0xFBEE0744\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x0\r\n\tProcess Name:\t\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tV-FOO\r\n\tSource Network Address:\t-\r\n\tSource Port:\t\t-\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\tNTLM V2\r\n\tKey Length:\t\t128\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "provider": "Microsoft-Windows-Security-Auditing", + "message": "An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nImpersonation Level:\t\tImpersonation\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-69701\r\n\tAccount Name:\t\tSVC_DD_SP-SEARCH\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0xFBEE0744\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x0\r\n\tProcess Name:\t\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tV-FOO\r\n\tSource Network Address:\t-\r\n\tSource Port:\t\t-\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\tNTLM V2\r\n\tKey Length:\t\t128\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. 
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "category": [ "authentication" ], "type": [ "start" - ] + ], + "action": "authentication_network" }, "sekoiaio": { + "client": { + "os": { + "type": "windows" + }, + "name": "V-FOO", + "user": { + "id": "S-1-0-0" + } + }, "server": { + "name": "V-FOO", "os": { "type": "windows" } 
@@ -1596,32 +1579,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. "record_id": 10457874880, "type": "Security", "id": 4624, - "properties": [ - { - "AuthenticationPackageName": "NTLM", - "EventType": "AUDIT_SUCCESS", - "IpAddress": "-", - "IpPort": "-", - "KeyLength": "128", - "LogonProcessName": "NtLmSsp ", - "LogonType": "3", - "OpcodeValue": 0, - "ProcessName": "-", - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "Severity": "INFO", - "SubjectDomainName": "-", - "SubjectLogonId": "0x0", - "SubjectUserName": "-", - "SubjectUserSid": "S-1-0-0", - "TargetDomainName": "KEY", - "TargetUserName": "SVC_DD_SP-SEARCH", - "TargetUserSid": "S-1-5-21-1574594750-1263408776-2012955550-69701", - "Task": 12544, - "WorkstationName": "V-FOO", - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" - } - ], + "properties": { + "AuthenticationPackageName": "NTLM", + "EventType": "AUDIT_SUCCESS", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "128", + "LogonProcessName": "NtLmSsp ", + "LogonType": "3", + "OpcodeValue": 0, + "ProcessName": "-", + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Severity": "INFO", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", + "SubjectUserSid": "S-1-0-0", + "TargetDomainName": "KEY", + "TargetUserName": "SVC_DD_SP-SEARCH", + "TargetUserSid": "S-1-5-21-1574594750-1263408776-2012955550-69701", + "Task": 12544, + "WorkstationName": "V-FOO", + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9214364837600034816" + }, "name": "An account was successfully logged on", "outcome": "success" }, @@ -1642,7 +1623,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": 2352 }, "pid": 744, - "id": 744 + "id": 744, + "name": "NtLmSsp " }, "user": { "id": "S-1-0-0", 
@@ -1675,17 +1657,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2011-04-12 17:42:04\",\"Hostname\":\"PCFOO.corp.net\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4624,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":2,\"Task\":12544,\"OpcodeValue\":0,\"RecordNumber\":504041,\"ActivityID\":\"{593B242C-183A-44F2-8977-2A836ABEC213}\",\"ProcessID\":996,\"ThreadID\":1920,\"Channel\":\"Security\",\"Message\":\"L'ouverture de session d'un compte s'est correctement d\u00e9roul\u00e9e.\\r\\n\\r\\nObjet :\\r\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-5-18\\r\\n\\tNom du compte :\\t\\tPCFOO$\\r\\n\\tDomaine du compte :\\t\\tFOOBAR\\r\\n\\tID d'ouverture de session :\\t\\t0x3E7\\r\\n\\r\\nInformations d'ouverture de session :\\r\\n\\tType d'ouverture de session :\\t\\t9\\r\\n\\tMode administrateur restreint :\\t-\\r\\n\\tCompte virtuel :\\t\\tNon\\r\\n\\tJeton \u00e9lev\u00e9 :\\t\\tOui\\r\\n\\r\\nNiveau d'emprunt d'identit\u00e9 :\\t\\tEmprunt d\u2019identit\u00e9\\r\\n\\r\\nNouvelle ouverture de session :\\r\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-5-18\\r\\n\\tNom du compte :\\t\\tSyst\u00e8me\\r\\n\\tDomaine du compte :\\t\\tAUTORITE NT\\r\\n\\tID d'ouverture de session :\\t\\t0x7E767BC\\r\\n\\tID d'ouverture de session li\u00e9e :\\t\\t0x0\\r\\n\\tNom du compte r\u00e9seau :\\tsvc_admin_sccm\\r\\n\\tDomaine du compte r\u00e9seau :\\tFOOBAR\\r\\n\\tGUID d'ouverture de session :\\t\\t{00000000-0000-0000-0000-000000000000}\\r\\n\\r\\nInformations sur le processus :\\r\\n\\tID du processus :\\t\\t0x2780\\r\\n\\tNom du processus :\\t\\tC:\\\\Windows\\\\CCM\\\\CcmExec.exe\\r\\n\\r\\nInformations sur le r\u00e9seau :\\r\\n\\tNom de la station de travail :\\t-\\r\\n\\tAdresse du r\u00e9seau source :\\t-\\r\\n\\tPort source :\\t\\t-\\r\\n\\r\\nInformations 
d\u00e9taill\u00e9es sur l'authentification :\\r\\n\\tProcessus d'ouverture de session :\\t\\tAdvapi \\r\\n\\tPackage d'authentification :\\tNegotiate\\r\\n\\tServices en transit :\\t-\\r\\n\\tNom du package (NTLM uniquement) :\\t-\\r\\n\\tLongueur de la cl\u00e9 :\\t\\t0\\r\\n\\r\\nCet \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 lors de la cr\u00e9ation d'une ouverture de session. Il est g\u00e9n\u00e9r\u00e9 sur l'ordinateur sur lequel l'ouverture de session a \u00e9t\u00e9 effectu\u00e9e.\\r\\n\\r\\nLe champ Objet indique le compte sur le syst\u00e8me local qui a demand\u00e9 l'ouverture de session. Il s'agit le plus souvent d'un service, comme le service Serveur, ou un processus local tel que Winlogon.exe ou Services.exe.\\r\\n\\r\\nLe champ Type d'ouverture de session indique le type d'ouverture de session qui s'est produit. Les types les plus courants sont 2 (interactif) et 3 (r\u00e9seau).\\r\\n\\r\\nLe champ Nouvelle ouverture de session indique le compte pour lequel la nouvelle ouverture de session a \u00e9t\u00e9 cr\u00e9\u00e9e, par exemple, le compte qui s'est connect\u00e9.\\r\\n\\r\\nLes champs relatifs au r\u00e9seau indiquent la provenance d'une demande d'ouverture de session \u00e0 distance. 
Le nom de la station de travail n'\u00e9tant pas toujours disponible, peut \u00eatre laiss\u00e9 vide dans certains cas.\\r\\n\\r\\nLe champ du niveau d'emprunt d'identit\u00e9 indique la port\u00e9e de l'emprunt d'identit\u00e9 que peut prendre un processus dans la session d'ouverture de session.\\r\\n\\r\\nLes champs relatifs aux informations d'authentification fournissent des d\u00e9tails sur cette demande d'ouverture de session sp\u00e9cifique.\\r\\n\\t- Le GUID d'ouverture de session est un identificateur unique pouvant servir \u00e0 associer cet \u00e9v\u00e9nement \u00e0 un \u00e9v\u00e9nement KDC .\\r\\n\\t- Les services en transit indiquent les services interm\u00e9diaires qui ont particip\u00e9 \u00e0 cette demande d'ouverture de session.\\r\\n\\t- Nom du package indique quel est le sous-protocole qui a \u00e9t\u00e9 utilis\u00e9 parmi les protocoles NTLM.\\r\\n\\t- La longueur de la cl\u00e9 indique la longueur de la cl\u00e9 de session g\u00e9n\u00e9r\u00e9e. Elle a la valeur 0 si aucune cl\u00e9 de session n'a \u00e9t\u00e9 demand\u00e9e.\",\"Category\":\"Logon\",\"Opcode\":\"Informations\",\"SubjectUserSid\":\"S-1-5-18\",\"SubjectUserName\":\"PCFOO$\",\"SubjectDomainName\":\"FOOBAR\",\"SubjectLogonId\":\"0x3e7\",\"TargetUserSid\":\"S-1-5-18\",\"TargetUserName\":\"Syst\u00e8me\",\"TargetDomainName\":\"AUTORITE NT\",\"TargetLogonId\":\"0x7e767bc\",\"LogonType\":\"9\",\"LogonProcessName\":\"Advapi 
\",\"AuthenticationPackageName\":\"Negotiate\",\"WorkstationName\":\"-\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"TransmittedServices\":\"-\",\"LmPackageName\":\"-\",\"KeyLength\":\"0\",\"ProcessName\":\"C:\\\\Windows\\\\CCM\\\\CcmExec.exe\",\"IpAddress\":\"-\",\"IpPort\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"RestrictedAdminMode\":\"-\",\"TargetOutboundUserName\":\"svc_admin_sccm\",\"TargetOutboundDomainName\":\"FOOBAR\",\"VirtualAccount\":\"%%1843\",\"TargetLinkedLogonId\":\"0x0\",\"ElevatedToken\":\"%%1842\",\"EventReceivedTime\":\"2011-04-12 17:42:06\",\"SourceModuleName\":\"evtx_win\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4624", - "message": "L'ouverture de session d'un compte s'est correctement d\u00e9roul\u00e9e.\r\n\r\nObjet :\r\n\tID de s\u00e9curit\u00e9 :\t\tS-1-5-18\r\n\tNom du compte :\t\tPCFOO$\r\n\tDomaine du compte :\t\tFOOBAR\r\n\tID d'ouverture de session :\t\t0x3E7\r\n\r\nInformations d'ouverture de session :\r\n\tType d'ouverture de session :\t\t9\r\n\tMode administrateur restreint :\t-\r\n\tCompte virtuel :\t\tNon\r\n\tJeton \u00e9lev\u00e9 :\t\tOui\r\n\r\nNiveau d'emprunt d'identit\u00e9 :\t\tEmprunt d\u2019identit\u00e9\r\n\r\nNouvelle ouverture de session :\r\n\tID de s\u00e9curit\u00e9 :\t\tS-1-5-18\r\n\tNom du compte :\t\tSyst\u00e8me\r\n\tDomaine du compte :\t\tAUTORITE NT\r\n\tID d'ouverture de session :\t\t0x7E767BC\r\n\tID d'ouverture de session li\u00e9e :\t\t0x0\r\n\tNom du compte r\u00e9seau :\tsvc_admin_sccm\r\n\tDomaine du compte r\u00e9seau :\tFOOBAR\r\n\tGUID d'ouverture de session :\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nInformations sur le processus :\r\n\tID du processus :\t\t0x2780\r\n\tNom du processus :\t\tC:\\Windows\\CCM\\CcmExec.exe\r\n\r\nInformations sur le r\u00e9seau :\r\n\tNom de la station de travail :\t-\r\n\tAdresse du r\u00e9seau source :\t-\r\n\tPort source :\t\t-\r\n\r\nInformations d\u00e9taill\u00e9es sur l'authentification :\r\n\tProcessus d'ouverture 
de session :\t\tAdvapi \r\n\tPackage d'authentification :\tNegotiate\r\n\tServices en transit :\t-\r\n\tNom du package (NTLM uniquement) :\t-\r\n\tLongueur de la cl\u00e9 :\t\t0\r\n\r\nCet \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 lors de la cr\u00e9ation d'une ouverture de session. Il est g\u00e9n\u00e9r\u00e9 sur l'ordinateur sur lequel l'ouverture de session a \u00e9t\u00e9 effectu\u00e9e.\r\n\r\nLe champ Objet indique le compte sur le syst\u00e8me local qui a demand\u00e9 l'ouverture de session. Il s'agit le plus souvent d'un service, comme le service Serveur, ou un processus local tel que Winlogon.exe ou Services.exe.\r\n\r\nLe champ Type d'ouverture de session indique le type d'ouverture de session qui s'est produit. Les types les plus courants sont 2 (interactif) et 3 (r\u00e9seau).\r\n\r\nLe champ Nouvelle ouverture de session indique le compte pour lequel la nouvelle ouverture de session a \u00e9t\u00e9 cr\u00e9\u00e9e, par exemple, le compte qui s'est connect\u00e9.\r\n\r\nLes champs relatifs au r\u00e9seau indiquent la provenance d'une demande d'ouverture de session \u00e0 distance. 
Le nom de la station de travail n'\u00e9tant pas toujours disponible, peut \u00eatre laiss\u00e9 vide dans certains cas.\r\n\r\nLe champ du niveau d'emprunt d'identit\u00e9 indique la port\u00e9e de l'emprunt d'identit\u00e9 que peut prendre un processus dans la session d'ouverture de session.\r\n\r\nLes champs relatifs aux informations d'authentification fournissent des d\u00e9tails sur cette demande d'ouverture de session sp\u00e9cifique.\r\n\t- Le GUID d'ouverture de session est un identificateur unique pouvant servir \u00e0 associer cet \u00e9v\u00e9nement \u00e0 un \u00e9v\u00e9nement KDC .\r\n\t- Les services en transit indiquent les services interm\u00e9diaires qui ont particip\u00e9 \u00e0 cette demande d'ouverture de session.\r\n\t- Nom du package indique quel est le sous-protocole qui a \u00e9t\u00e9 utilis\u00e9 parmi les protocoles NTLM.\r\n\t- La longueur de la cl\u00e9 indique la longueur de la cl\u00e9 de session g\u00e9n\u00e9r\u00e9e. Elle a la valeur 0 si aucune cl\u00e9 de session n'a \u00e9t\u00e9 demand\u00e9e.", "provider": "Microsoft-Windows-Security-Auditing", + "message": "L'ouverture de session d'un compte s'est correctement d\u00e9roul\u00e9e.\r\n\r\nObjet :\r\n\tID de s\u00e9curit\u00e9 :\t\tS-1-5-18\r\n\tNom du compte :\t\tPCFOO$\r\n\tDomaine du compte :\t\tFOOBAR\r\n\tID d'ouverture de session :\t\t0x3E7\r\n\r\nInformations d'ouverture de session :\r\n\tType d'ouverture de session :\t\t9\r\n\tMode administrateur restreint :\t-\r\n\tCompte virtuel :\t\tNon\r\n\tJeton \u00e9lev\u00e9 :\t\tOui\r\n\r\nNiveau d'emprunt d'identit\u00e9 :\t\tEmprunt d\u2019identit\u00e9\r\n\r\nNouvelle ouverture de session :\r\n\tID de s\u00e9curit\u00e9 :\t\tS-1-5-18\r\n\tNom du compte :\t\tSyst\u00e8me\r\n\tDomaine du compte :\t\tAUTORITE NT\r\n\tID d'ouverture de session :\t\t0x7E767BC\r\n\tID d'ouverture de session li\u00e9e :\t\t0x0\r\n\tNom du compte r\u00e9seau :\tsvc_admin_sccm\r\n\tDomaine du compte r\u00e9seau :\tFOOBAR\r\n\tGUID d'ouverture de 
session :\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nInformations sur le processus :\r\n\tID du processus :\t\t0x2780\r\n\tNom du processus :\t\tC:\\Windows\\CCM\\CcmExec.exe\r\n\r\nInformations sur le r\u00e9seau :\r\n\tNom de la station de travail :\t-\r\n\tAdresse du r\u00e9seau source :\t-\r\n\tPort source :\t\t-\r\n\r\nInformations d\u00e9taill\u00e9es sur l'authentification :\r\n\tProcessus d'ouverture de session :\t\tAdvapi \r\n\tPackage d'authentification :\tNegotiate\r\n\tServices en transit :\t-\r\n\tNom du package (NTLM uniquement) :\t-\r\n\tLongueur de la cl\u00e9 :\t\t0\r\n\r\nCet \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 lors de la cr\u00e9ation d'une ouverture de session. Il est g\u00e9n\u00e9r\u00e9 sur l'ordinateur sur lequel l'ouverture de session a \u00e9t\u00e9 effectu\u00e9e.\r\n\r\nLe champ Objet indique le compte sur le syst\u00e8me local qui a demand\u00e9 l'ouverture de session. Il s'agit le plus souvent d'un service, comme le service Serveur, ou un processus local tel que Winlogon.exe ou Services.exe.\r\n\r\nLe champ Type d'ouverture de session indique le type d'ouverture de session qui s'est produit. Les types les plus courants sont 2 (interactif) et 3 (r\u00e9seau).\r\n\r\nLe champ Nouvelle ouverture de session indique le compte pour lequel la nouvelle ouverture de session a \u00e9t\u00e9 cr\u00e9\u00e9e, par exemple, le compte qui s'est connect\u00e9.\r\n\r\nLes champs relatifs au r\u00e9seau indiquent la provenance d'une demande d'ouverture de session \u00e0 distance. 
Le nom de la station de travail n'\u00e9tant pas toujours disponible, peut \u00eatre laiss\u00e9 vide dans certains cas.\r\n\r\nLe champ du niveau d'emprunt d'identit\u00e9 indique la port\u00e9e de l'emprunt d'identit\u00e9 que peut prendre un processus dans la session d'ouverture de session.\r\n\r\nLes champs relatifs aux informations d'authentification fournissent des d\u00e9tails sur cette demande d'ouverture de session sp\u00e9cifique.\r\n\t- Le GUID d'ouverture de session est un identificateur unique pouvant servir \u00e0 associer cet \u00e9v\u00e9nement \u00e0 un \u00e9v\u00e9nement KDC .\r\n\t- Les services en transit indiquent les services interm\u00e9diaires qui ont particip\u00e9 \u00e0 cette demande d'ouverture de session.\r\n\t- Nom du package indique quel est le sous-protocole qui a \u00e9t\u00e9 utilis\u00e9 parmi les protocoles NTLM.\r\n\t- La longueur de la cl\u00e9 indique la longueur de la cl\u00e9 de session g\u00e9n\u00e9r\u00e9e. Elle a la valeur 0 si aucune cl\u00e9 de session n'a \u00e9t\u00e9 demand\u00e9e.", "category": [ "authentication" ], "type": [ "start" - ] + ], + "action": "authentication_alternative_credentials" }, "sekoiaio": { + "client": { + "os": { + "type": "windows" + }, + "name": "PCFOO.corp.net", + "user": { + "name": "PCFOO$", + "id": "S-1-5-18" + } + }, "server": { + "name": "PCFOO.corp.net", "os": { "type": "windows" } 
@@ -1695,34 +1689,32 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "record_id": 504041,
 "type": "Security",
 "id": 4624,
- "properties": [
- {
- "AuthenticationPackageName": "Negotiate",
- "EventType": "AUDIT_SUCCESS",
- "IpAddress": "-",
- "IpPort": "-",
- "KeyLength": "0",
- "LogonProcessName": "Advapi ",
- "LogonType": "9",
- "OpcodeValue": 0,
- "ProcessName": "c:\\windows\\ccm\\ccmexec.exe",
- "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
- "Severity": "INFO",
- "SubjectDomainName": "FOOBAR",
- "SubjectLogonId": "0x3e7",
- "SubjectUserName": "PCFOO$",
- "SubjectUserSid": "S-1-5-18",
- "TargetDomainName": "AUTORITE NT",
- "TargetOutboundDomainName": "FOOBAR",
- "TargetOutboundUserName": "svc_admin_sccm",
- "TargetUserName": "Syst\u00e8me",
- "TargetUserSid": "S-1-5-18",
- "Task": 12544,
- "WorkstationName": "-",
- "SourceName": "Microsoft-Windows-Security-Auditing",
- "Keywords": "-9214364837600034816"
- }
- ],
+ "properties": {
+ "AuthenticationPackageName": "Negotiate",
+ "EventType": "AUDIT_SUCCESS",
+ "IpAddress": "-",
+ "IpPort": "-",
+ "KeyLength": "0",
+ "LogonProcessName": "Advapi ",
+ "LogonType": "9",
+ "OpcodeValue": 0,
+ "ProcessName": "c:\\windows\\ccm\\ccmexec.exe",
+ "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "Severity": "INFO",
+ "SubjectDomainName": "FOOBAR",
+ "SubjectLogonId": "0x3e7",
+ "SubjectUserName": "PCFOO$",
+ "SubjectUserSid": "S-1-5-18",
+ "TargetDomainName": "AUTORITE NT",
+ "TargetOutboundDomainName": "FOOBAR",
+ "TargetOutboundUserName": "svc_admin_sccm",
+ "TargetUserName": "Syst\u00e8me",
+ "TargetUserSid": "S-1-5-18",
+ "Task": 12544,
+ "WorkstationName": "-",
+ "SourceName": "Microsoft-Windows-Security-Auditing",
+ "Keywords": "-9214364837600034816"
+ },
 "name": "An account was successfully logged on",
 "outcome": "success"
 },
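Review bot: `action.properties` changes shape here from a one-element array to a plain object, which breaks any detection rule, correlation or dashboard that reads `action.properties[0].LogonType` or iterates the list; the same reshaping is made in the 4634, 5145, Sysmon event 3, 4688, 6000 and 4662 samples further down the page. The object form is the better model (one record, one object, no parallel nesting), but since this file is generated from the parser's output the underlying parser change is a schema change and should be named as such in the integration changelog or in the sample description, with the old path migrated in the same release. Note in passing that the samples keep `Keywords` as a decimal string (`"-9214364837600034816"`) while `Task` and `OpcodeValue` stay numeric; that is the right choice for a value outside the 2^53 safe-integer range and deserves a one-line mention in the field table so nobody "fixes" it back to a number.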
@@ -1745,7 +1737,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "executable": "c:\\windows\\ccm\\ccmexec.exe",
 "pid": 996,
 "id": 996,
- "name": "ccmexec.exe",
+ "name": "Advapi ",
 "working_directory": "c:\\windows\\ccm\\"
 },
 "user": {
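Review bot: `process.name` now becomes `"Advapi "` while `process.executable` on the line above is still `c:\windows\ccm\ccmexec.exe`, so the two fields no longer describe the same process. The new value, trailing space included, is exactly the `LogonProcessName` property of this 4624 sample, so the parser appears to have mapped the Windows logon-process name into ECS `process.name`; that field is expected to carry the image basename, and any rule or pivot keyed on `process.name` for logon events will now match `Advapi ` instead of the image. I would keep the previous derivation, `"name": "ccmexec.exe"` (basename of `process.executable`), and leave the logon-process name where it already lives in `action.properties.LogonProcessName`, trimming the trailing whitespace if it is surfaced anywhere as a first-class field. The enclosing `process` object starts before this hunk.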
@@ -1779,29 +1771,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2019-12-16 15:24:15\",\"Hostname\":\"HOSTBAZ-001.ad.HOSTFOO.com\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4634,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":12545,\"OpcodeValue\":0,\"RecordNumber\":47121546,\"ProcessID\":560,\"ThreadID\":2172,\"Channel\":\"Security\",\"Message\":\"An account was logged off.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1519513455-2607746426-4144247390-71234\\r\\n\\tAccount Name:\\t\\tUSERFOO\\r\\n\\tAccount Domain:\\t\\tAD\\r\\n\\tLogon ID:\\t\\t0x3912391A\\r\\n\\r\\nLogon Type:\\t\\t\\t3\\r\\n\\r\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\",\"Category\":\"Logoff\",\"Opcode\":\"Info\",\"TargetUserSid\":\"S-1-5-21-1519513455-2607746426-4144247390-71234\",\"TargetUserName\":\"USERFOO\",\"ComputerName\":\"FoobarComputer\",\"TargetDomainName\":\"AD\",\"TargetLogonId\":\"0x3912391a\",\"LogonType\":\"3\",\"EventReceivedTime\":\"2019-12-16 15:24:17\",\"SourceModuleName\":\"eventlog3\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4634", - "message": "An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1519513455-2607746426-4144247390-71234\r\n\tAccount Name:\t\tUSERFOO\r\n\tAccount Domain:\t\tAD\r\n\tLogon ID:\t\t0x3912391A\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer.", - "provider": "Microsoft-Windows-Security-Auditing" + "provider": "Microsoft-Windows-Security-Auditing", + "message": "An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1519513455-2607746426-4144247390-71234\r\n\tAccount Name:\t\tUSERFOO\r\n\tAccount Domain:\t\tAD\r\n\tLogon ID:\t\t0x3912391A\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer." }, "action": { "record_id": 47121546, "type": "Security", "id": 4634, - "properties": [ - { - "ComputerName": "FoobarComputer", - "EventType": "AUDIT_SUCCESS", - "LogonType": "3", - "OpcodeValue": 0, - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "Severity": "INFO", - "TargetDomainName": "AD", - "TargetUserName": "USERFOO", - "TargetUserSid": "S-1-5-21-1519513455-2607746426-4144247390-71234", - "Task": 12545, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" - } - ], + "properties": { + "ComputerName": "FoobarComputer", + "EventType": "AUDIT_SUCCESS", + "LogonType": "3", + "OpcodeValue": 0, + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Severity": "INFO", + "TargetDomainName": "AD", + "TargetUserName": "USERFOO", + "TargetUserSid": "S-1-5-21-1519513455-2607746426-4144247390-71234", + "Task": 12545, + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9214364837600034816" + }, "name": "An account was logged off", "outcome": "success" }, 
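Review bot: The only change to the `event` object in this hunk is that `message` now prints after `provider` with an identical value, and the same reordering is repeated in the 5145, Sysmon event 3, 4688, 6000 and 4662 samples below; it accounts for most of the diff noise on this page and hides the one substantive change, the `properties` reshaping. Key order carries no meaning in JSON, so if the sample generator serialized keys in a fixed order (for a Python generator, `json.dumps(sample, indent=2, sort_keys=True)`; hedged, since the generator is not visible here) these generated files would only change when normalization actually changes. That is a fix in the generator, not in this file.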
@@ -1849,38 +1839,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-04-24 00:06:15\",\"Hostname\":\"V-FOO\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":5145,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":12811,\"OpcodeValue\":0,\"RecordNumber\":23997037887,\"ProcessID\":776,\"ThreadID\":784,\"Channel\":\"Security\",\"Message\":\"A network share object was checked to see whether client can be granted desired access.\\r\\n\\t\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1574594750-1263408776-2012955550-123016\\r\\n\\tAccount Name:\\t\\tBAZ256$\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0xA62B3A8AE\\r\\n\\r\\nNetwork Information:\\t\\r\\n\\tObject Type:\\t\\tFile\\r\\n\\tSource Address:\\t\\t1.1.1.1\\r\\n\\tSource Port:\\t\\t51042\\r\\n\\t\\r\\nShare Information:\\r\\n\\tShare Name:\\t\\t\\\\\\\\*\\\\SYSVOL\\r\\n\\tShare Path:\\t\\t\\\\??\\\\D:\\\\ActiveDirectory\\\\SYSVOL\\\\sysvol\\r\\n\\tRelative Target Name:\\tKEY.ACME.COM\\\\POLICIES\\\\{C69D840B-35D8-4172-97E2-E54446703FF2}\\\\MACHINE\\r\\n\\r\\nAccess Request Information:\\r\\n\\tAccess Mask:\\t\\t0x100081\\r\\n\\tAccesses:\\t\\tSYNCHRONIZE\\r\\n\\t\\t\\t\\tReadData (or ListDirectory)\\r\\n\\t\\t\\t\\tReadAttributes\\r\\n\\t\\t\\t\\t\\r\\nAccess Check Results:\\r\\n\\tSYNCHRONIZE:\\tGranted by\\tD:(A;;0x1200a9;;;WD)\\r\\n\\t\\t\\t\\tReadData (or ListDirectory):\\tGranted by\\tD:(A;;0x1200a9;;;WD)\\r\\n\\t\\t\\t\\tReadAttributes:\\tGranted by\\tD:(A;;0x1200a9;;;WD)\\r\\n\\t\\t\\t\\t\\r\\n\",\"Category\":\"Detailed File 
Share\",\"Opcode\":\"Info\",\"SubjectUserSid\":\"S-1-5-21-1574594750-1263408776-2012955550-123016\",\"SubjectUserName\":\"BAZ256$\",\"SubjectDomainName\":\"KEY\",\"SubjectLogonId\":\"0xa62b3a8ae\",\"ObjectType\":\"File\",\"IpAddress\":\"1.1.1.1\",\"IpPort\":\"51042\",\"ShareName\":\"\\\\\\\\*\\\\SYSVOL\",\"ShareLocalPath\":\"\\\\??\\\\D:\\\\ActiveDirectory\\\\SYSVOL\\\\sysvol\",\"RelativeTargetName\":\"KEY.ACME.COM\\\\POLICIES\\\\{C69D840B-35D8-4172-97E2-E54446703FF2}\\\\MACHINE\",\"AccessMask\":\"0x100081\",\"AccessList\":\"%%1541\\r\\n\\t\\t\\t\\t%%4416\\r\\n\\t\\t\\t\\t%%4423\\r\\n\\t\\t\\t\\t\",\"AccessReason\":\"%%1541:\\t%%1801\\tD:(A;;0x1200a9;;;WD)\\r\\n\\t\\t\\t\\t%%4416:\\t%%1801\\tD:(A;;0x1200a9;;;WD)\\r\\n\\t\\t\\t\\t%%4423:\\t%%1801\\tD:(A;;0x1200a9;;;WD)\\r\\n\\t\\t\\t\\t\",\"EventReceivedTime\":\"2010-04-24 00:06:17\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "5145", - "message": "A network share object was checked to see whether client can be granted desired access.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-123016\r\n\tAccount Name:\t\tBAZ256$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0xA62B3A8AE\r\n\r\nNetwork Information:\t\r\n\tObject Type:\t\tFile\r\n\tSource Address:\t\t1.1.1.1\r\n\tSource Port:\t\t51042\r\n\t\r\nShare Information:\r\n\tShare Name:\t\t\\\\*\\SYSVOL\r\n\tShare Path:\t\t\\??\\D:\\ActiveDirectory\\SYSVOL\\sysvol\r\n\tRelative Target Name:\tKEY.ACME.COM\\POLICIES\\{C69D840B-35D8-4172-97E2-E54446703FF2}\\MACHINE\r\n\r\nAccess Request Information:\r\n\tAccess Mask:\t\t0x100081\r\n\tAccesses:\t\tSYNCHRONIZE\r\n\t\t\t\tReadData (or ListDirectory)\r\n\t\t\t\tReadAttributes\r\n\t\t\t\t\r\nAccess Check Results:\r\n\tSYNCHRONIZE:\tGranted by\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\tReadData (or ListDirectory):\tGranted by\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\tReadAttributes:\tGranted by\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\t\r\n", - "provider": 
"Microsoft-Windows-Security-Auditing" + "provider": "Microsoft-Windows-Security-Auditing", + "message": "A network share object was checked to see whether client can be granted desired access.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-123016\r\n\tAccount Name:\t\tBAZ256$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0xA62B3A8AE\r\n\r\nNetwork Information:\t\r\n\tObject Type:\t\tFile\r\n\tSource Address:\t\t1.1.1.1\r\n\tSource Port:\t\t51042\r\n\t\r\nShare Information:\r\n\tShare Name:\t\t\\\\*\\SYSVOL\r\n\tShare Path:\t\t\\??\\D:\\ActiveDirectory\\SYSVOL\\sysvol\r\n\tRelative Target Name:\tKEY.ACME.COM\\POLICIES\\{C69D840B-35D8-4172-97E2-E54446703FF2}\\MACHINE\r\n\r\nAccess Request Information:\r\n\tAccess Mask:\t\t0x100081\r\n\tAccesses:\t\tSYNCHRONIZE\r\n\t\t\t\tReadData (or ListDirectory)\r\n\t\t\t\tReadAttributes\r\n\t\t\t\t\r\nAccess Check Results:\r\n\tSYNCHRONIZE:\tGranted by\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\tReadData (or ListDirectory):\tGranted by\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\tReadAttributes:\tGranted by\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\t\r\n" }, "action": { "record_id": 23997037887, "type": "Security", "id": 5145, - "properties": [ - { - "Accesses": "\t\tSYNCHRONIZE\r\n\t\t\t\tReadData (or ListDirectory)\r\n\t\t\t\tReadAttributes", - "AccessList": "%%1541\r\n\t\t\t\t%%4416\r\n\t\t\t\t%%4423\r\n\t\t\t\t", - "AccessMask": "0x100081", - "AccessReason": "%%1541:\t%%1801\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\t%%4416:\t%%1801\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\t%%4423:\t%%1801\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\t", - "EventType": "AUDIT_SUCCESS", - "IpAddress": "1.1.1.1", - "IpPort": "51042", - "ObjectType": "File", - "OpcodeValue": 0, - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "RelativeTargetName": "KEY.ACME.COM\\POLICIES\\{C69D840B-35D8-4172-97E2-E54446703FF2}\\MACHINE", - "Severity": "INFO", - "ShareLocalPath": "\\??\\D:\\ActiveDirectory\\SYSVOL\\sysvol", - "ShareName": "\\\\*\\SYSVOL", - "SubjectDomainName": 
"KEY", - "SubjectLogonId": "0xa62b3a8ae", - "SubjectUserName": "BAZ256$", - "SubjectUserSid": "S-1-5-21-1574594750-1263408776-2012955550-123016", - "Task": 12811, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" - } - ], + "properties": { + "Accesses": "\t\tSYNCHRONIZE\r\n\t\t\t\tReadData (or ListDirectory)\r\n\t\t\t\tReadAttributes", + "AccessList": "%%1541\r\n\t\t\t\t%%4416\r\n\t\t\t\t%%4423\r\n\t\t\t\t", + "AccessMask": "0x100081", + "AccessReason": "%%1541:\t%%1801\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\t%%4416:\t%%1801\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\t%%4423:\t%%1801\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\t", + "EventType": "AUDIT_SUCCESS", + "IpAddress": "1.1.1.1", + "IpPort": "51042", + "ObjectType": "File", + "OpcodeValue": 0, + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "RelativeTargetName": "KEY.ACME.COM\\POLICIES\\{C69D840B-35D8-4172-97E2-E54446703FF2}\\MACHINE", + "Severity": "INFO", + "ShareLocalPath": "\\??\\D:\\ActiveDirectory\\SYSVOL\\sysvol", + "ShareName": "\\\\*\\SYSVOL", + "SubjectDomainName": "KEY", + "SubjectLogonId": "0xa62b3a8ae", + "SubjectUserName": "BAZ256$", + "SubjectUserSid": "S-1-5-21-1574594750-1263408776-2012955550-123016", + "Task": 12811, + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9214364837600034816" + }, "name": "A network share object was checked to see whether client can be granted desired access", "outcome": "success" }, 
@@ -1936,32 +1924,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2019-05-17 11:52:46\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":3,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":5,\"Task\":3,\"OpcodeValue\":0,\"RecordNumber\":51,\"ProcessID\":3912,\"ThreadID\":532,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Network connection detected:\\r\\nRuleName: \\r\\nUtcTime: 2019-05-17 09:52:38.882\\r\\nProcessGuid: {0BA009B0-846C-5CDE-0000-0010821E0D00}\\r\\nProcessId: 4200\\r\\nImage: C:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\\\MicrosoftEdgeCP.exe\\r\\nUser: DESKTOP-FOOBARZ\\\\UserFoo\\r\\nProtocol: tcp\\r\\nInitiated: true\\r\\nSourceIsIpv6: false\\r\\nSourceIp: 1.1.1.1\\r\\nSourceHostname: DESKTOP-FOOBARZ.entreprise.sekoia\\r\\nSourcePort: 49718\\r\\nSourcePortName: \\r\\nDestinationIsIpv6: false\\r\\nDestinationIp: 1.1.1.1\\r\\nDestinationHostname: \\r\\nDestinationPort: 443\\r\\nDestinationPortName: https\",\"Category\":\"Network connection detected (rule: NetworkConnect)\",\"Opcode\":\"Informations\",\"UtcTime\":\"2019-05-17 09:52:38.882\",\"ProcessGuid\":\"{0BA009B0-846C-5CDE-0000-0010821E0D00}\",\"Image\":\"C:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\\\MicrosoftEdgeCP.exe\",\"User\":\"DESKTOP-FOOBARZ\\\\UserFoo\",\"Protocol\":\"tcp\",\"Initiated\":\"true\",\"SourceIsIpv6\":\"false\",\"SourceIp\":\"1.1.1.1\",\"SourceHostname\":\"DESKTOP-FOOBARZ.entreprise.sekoia\",\"SourcePort\":\"49718\",\"DestinationIsIpv6\":\"false\",\"DestinationIp\":\"1.1.1.1\",\"DestinationPort\":\"443\",\"DestinationPortName\":\"https\",\"EventReceivedTime\":\"2019-05-17 
11:52:46\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "3", - "message": "Network connection detected:\r\nRuleName: \r\nUtcTime: 2019-05-17 09:52:38.882\r\nProcessGuid: {0BA009B0-846C-5CDE-0000-0010821E0D00}\r\nProcessId: 4200\r\nImage: C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdgeCP.exe\r\nUser: DESKTOP-FOOBARZ\\UserFoo\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 1.1.1.1\r\nSourceHostname: DESKTOP-FOOBARZ.entreprise.sekoia\r\nSourcePort: 49718\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 1.1.1.1\r\nDestinationHostname: \r\nDestinationPort: 443\r\nDestinationPortName: https", - "provider": "Microsoft-Windows-Sysmon" + "provider": "Microsoft-Windows-Sysmon", + "message": "Network connection detected:\r\nRuleName: \r\nUtcTime: 2019-05-17 09:52:38.882\r\nProcessGuid: {0BA009B0-846C-5CDE-0000-0010821E0D00}\r\nProcessId: 4200\r\nImage: C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdgeCP.exe\r\nUser: DESKTOP-FOOBARZ\\UserFoo\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 1.1.1.1\r\nSourceHostname: DESKTOP-FOOBARZ.entreprise.sekoia\r\nSourcePort: 49718\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 1.1.1.1\r\nDestinationHostname: \r\nDestinationPort: 443\r\nDestinationPortName: https" }, "@timestamp": "2019-05-17T09:52:38.882000Z", "action": { "record_id": 51, "type": "Microsoft-Windows-Sysmon/Operational", "id": 3, - "properties": [ - { - "Image": "c:\\windows\\systemapps\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoftedgecp.exe", - "AccountName": "Syst\u00e8me", - "AccountType": "User", - "Domain": "AUTORITE NT", - "EventType": "INFO", - "OpcodeValue": 0, - "ProcessGuid": "{0BA009B0-846C-5CDE-0000-0010821E0D00}", - "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", - "Severity": "INFO", - "Task": 3, - "User": "DESKTOP-FOOBARZ\\UserFoo", - "SourceName": 
"Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808", - "DestinationPort": "443" - } - ], + "properties": { + "Image": "c:\\windows\\systemapps\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoftedgecp.exe", + "AccountName": "Syst\u00e8me", + "AccountType": "User", + "Domain": "AUTORITE NT", + "EventType": "INFO", + "OpcodeValue": 0, + "ProcessGuid": "{0BA009B0-846C-5CDE-0000-0010821E0D00}", + "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "Severity": "INFO", + "Task": 3, + "User": "DESKTOP-FOOBARZ\\UserFoo", + "SourceName": "Microsoft-Windows-Sysmon", + "Keywords": "-9223372036854775808", + "DestinationPort": "443" + }, "name": "Network connection", "target": "network-traffic" }, 
@@ -2033,31 +2019,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-04-28 08:22:44\",\"Hostname\":\"CAYENNE\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4688,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":2,\"Task\":13312,\"OpcodeValue\":0,\"RecordNumber\":1551703898,\"ProcessID\":4,\"ThreadID\":13732,\"Channel\":\"Security\",\"Message\":\"A new process has been created.\\r\\n\\r\\nCreator Subject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1574594750-1263408776-2012955550-122301\\r\\n\\tAccount Name:\\t\\tadm_FOOBAZ\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0xF22F28C6\\r\\n\\r\\nTarget Subject:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nProcess Information:\\r\\n\\tNew Process ID:\\t\\t0x2bfc\\r\\n\\tNew Process Name:\\tC:\\\\Windows\\\\System32\\\\wbem\\\\WMIC.exe\\r\\n\\tToken Elevation Type:\\tTokenElevationTypeFull (2)\\r\\n\\tCreator Process ID:\\t0x2a28\\r\\n\\tProcess Command Line:\\t\\r\\n\\r\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\\r\\n\\r\\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\r\\n\\r\\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\r\\n\\r\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.\",\"Category\":\"Process Creation\",\"Opcode\":\"Info\",\"SubjectUserSid\":\"S-1-5-21-1574594750-1263408776-2012955550-122301\",\"SubjectUserName\":\"adm_FOOBAZ\",\"SubjectDomainName\":\"KEY\",\"SubjectLogonId\":\"0xf22f28c6\",\"NewProcessId\":\"0x2bfc\",\"NewProcessName\":\"C:\\\\Windows\\\\System32\\\\wbem\\\\WMIC.exe\",\"TokenElevationType\":\"%%1937\",\"TargetUserSid\":\"S-1-0-0\",\"TargetUserName\":\"-\",\"TargetDomainName\":\"-\",\"TargetLogonId\":\"0x0\",\"EventReceivedTime\":\"2010-04-28 08:22:45\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4688", - "message": "A new process has been created.\r\n\r\nCreator Subject:\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-122301\r\n\tAccount Name:\t\tadm_FOOBAZ\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0xF22F28C6\r\n\r\nTarget Subject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x2bfc\r\n\tNew Process Name:\tC:\\Windows\\System32\\wbem\\WMIC.exe\r\n\tToken Elevation Type:\tTokenElevationTypeFull (2)\r\n\tCreator Process ID:\t0x2a28\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.", - "provider": "Microsoft-Windows-Security-Auditing" + "provider": "Microsoft-Windows-Security-Auditing", + "message": "A new process has been created.\r\n\r\nCreator Subject:\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-122301\r\n\tAccount Name:\t\tadm_FOOBAZ\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0xF22F28C6\r\n\r\nTarget Subject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x2bfc\r\n\tNew Process Name:\tC:\\Windows\\System32\\wbem\\WMIC.exe\r\n\tToken Elevation Type:\tTokenElevationTypeFull (2)\r\n\tCreator Process ID:\t0x2a28\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled. 
An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator." }, "action": { "record_id": 1551703898, "type": "Security", "id": 4688, - "properties": [ - { - "EventType": "AUDIT_SUCCESS", - "OpcodeValue": 0, - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "Severity": "INFO", - "SubjectDomainName": "KEY", - "SubjectLogonId": "0xf22f28c6", - "SubjectUserName": "adm_FOOBAZ", - "SubjectUserSid": "S-1-5-21-1574594750-1263408776-2012955550-122301", - "TargetDomainName": "-", - "TargetUserName": "-", - "TargetUserSid": "S-1-0-0", - "Task": 13312, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" - } - ], + "properties": { + "EventType": "AUDIT_SUCCESS", + "OpcodeValue": 0, + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Severity": "INFO", + "SubjectDomainName": "KEY", + "SubjectLogonId": "0xf22f28c6", + "SubjectUserName": "adm_FOOBAZ", + "SubjectUserSid": "S-1-5-21-1574594750-1263408776-2012955550-122301", + "TargetDomainName": "-", + "TargetUserName": "-", + "TargetUserSid": "S-1-0-0", + "Task": 13312, + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9214364837600034816" + }, "name": "A new process has been created", "outcome": "success" }, 
@@ -2114,24 +2098,22 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"EventTime\":\"2019-05-16 18:07:37\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":36028797018963968,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":6000,\"SourceName\":\"Microsoft-Windows-Winlogon\",\"ProviderGuid\":\"{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":628,\"ProcessID\":0,\"ThreadID\":0,\"Channel\":\"Application\",\"Message\":\"L\u00e2\u0080\u0099abonn\u00c3\u00a9 aux notifications Winlogon n\u00e2\u0080\u0099\u00c3\u00a9tait pas disponible pour traiter un \u00c3\u00a9v\u00c3\u00a9nement de notification.\",\"EventReceivedTime\":\"2019-05-17 09:56:11\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}",
 "event": {
 "code": "6000",
- "message": "L\u00e2\u0080\u0099abonn\u00c3\u00a9 aux notifications Winlogon n\u00e2\u0080\u0099\u00c3\u00a9tait pas disponible pour traiter un \u00c3\u00a9v\u00c3\u00a9nement de notification.",
- "provider": "Microsoft-Windows-Winlogon"
+ "provider": "Microsoft-Windows-Winlogon",
+ "message": "L\u00e2\u0080\u0099abonn\u00c3\u00a9 aux notifications Winlogon n\u00e2\u0080\u0099\u00c3\u00a9tait pas disponible pour traiter un \u00c3\u00a9v\u00c3\u00a9nement de notification."
 },
 "action": {
 "record_id": 628,
 "type": "Application",
 "id": 6000,
- "properties": [
- {
- "EventType": "INFO",
- "OpcodeValue": 0,
- "ProviderGuid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
- "Severity": "INFO",
- "Task": 0,
- "SourceName": "Microsoft-Windows-Winlogon",
- "Keywords": "36028797018963968"
- }
- ]
+ "properties": {
+ "EventType": "INFO",
+ "OpcodeValue": 0,
+ "ProviderGuid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
+ "Severity": "INFO",
+ "Task": 0,
+ "SourceName": "Microsoft-Windows-Winlogon",
+ "Keywords": "36028797018963968"
+ }
 },
 "log": {
 "hostname": "DESKTOP-FOOBARZ",
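Review bot: The new-side `event.message` still carries double-encoded text, `L\u00e2\u0080\u0099abonn\u00c3\u00a9` (the UTF-8 byte sequences for `’` and `é` read back as Latin-1), so the normalized message is mojibake and any string match on the decoded form (`abonné`, `n’était`) will never fire. The raw `message` holds the same bytes, so the corruption appears to happen upstream of the parser, presumably on the collecting agent (`SourceModuleType` is `im_msvistalog`); if the parser is not going to repair it, the sample description should state that `event.message` is passed through as received so rules are not written against the readable form. This is independent of the `properties` reshaping in this hunk.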
@@ -2170,37 +2152,35 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-04-23 13:28:14\",\"Hostname\":\"FOOBAZ11\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4662,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":14080,\"OpcodeValue\":0,\"RecordNumber\":25279566314,\"ProcessID\":1816,\"ThreadID\":15456,\"Channel\":\"Security\",\"Message\":\"An operation was performed on an object.\\r\\n\\r\\nSubject :\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1574594750-1263408776-2012955550-98189\\r\\n\\tAccount Name:\\t\\tV-FOO$\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0x8C042A219\\r\\n\\r\\nObject:\\r\\n\\tObject Server:\\t\\tDS\\r\\n\\tObject Type:\\t\\t%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\\r\\n\\tObject Name:\\t\\t%{e013e2c9-bd38-4fe7-9afc-c50c377cb028}\\r\\n\\tHandle ID:\\t\\t0x0\\r\\n\\r\\nOperation:\\r\\n\\tOperation Type:\\t\\tObject Access\\r\\n\\tAccesses:\\t\\tControl Access\\r\\n\\t\\t\\t\\t\\r\\n\\tAccess Mask:\\t\\t0x100\\r\\n\\tProperties:\\t\\tControl Access\\r\\n\\t\\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\\r\\n\\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\\r\\n\\r\\n\\r\\nAdditional Information:\\r\\n\\tParameter 1:\\t\\t-\\r\\n\\tParameter 2:\\t\\t\",\"Category\":\"Directory Service Access\",\"Opcode\":\"Info\",\"SubjectUserSid\":\"S-1-5-21-1574594750-1263408776-2012955550-98189\",\"SubjectUserName\":\"V-FOO$\",\"SubjectDomainName\":\"KEY\",\"SubjectLogonId\":\"0x8c042a219\",\"ObjectServer\":\"DS\",\"ObjectType\":\"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\",\"ObjectName\":\"%{e013e2c9-bd38-4fe7-9afc-c50c377cb028}\",\"OperationType\":\"Object 
Access\",\"HandleId\":\"0x0\",\"AccessList\":\"%%7688\\r\\n\\t\\t\\t\\t\",\"AccessMask\":\"0x100\",\"Properties\":\"%%7688\\r\\n\\t\\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\\r\\n\\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\\r\\n\",\"AdditionalInfo\":\"-\",\"EventReceivedTime\":\"2010-04-23 13:28:14\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4662", - "message": "An operation was performed on an object.\r\n\r\nSubject :\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-98189\r\n\tAccount Name:\t\tV-FOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x8C042A219\r\n\r\nObject:\r\n\tObject Server:\t\tDS\r\n\tObject Type:\t\t%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n\tObject Name:\t\t%{e013e2c9-bd38-4fe7-9afc-c50c377cb028}\r\n\tHandle ID:\t\t0x0\r\n\r\nOperation:\r\n\tOperation Type:\t\tObject Access\r\n\tAccesses:\t\tControl Access\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x100\r\n\tProperties:\t\tControl Access\r\n\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n\r\n\r\nAdditional Information:\r\n\tParameter 1:\t\t-\r\n\tParameter 2:\t\t", - "provider": "Microsoft-Windows-Security-Auditing" + "provider": "Microsoft-Windows-Security-Auditing", + "message": "An operation was performed on an object.\r\n\r\nSubject :\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-98189\r\n\tAccount Name:\t\tV-FOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x8C042A219\r\n\r\nObject:\r\n\tObject Server:\t\tDS\r\n\tObject Type:\t\t%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n\tObject Name:\t\t%{e013e2c9-bd38-4fe7-9afc-c50c377cb028}\r\n\tHandle ID:\t\t0x0\r\n\r\nOperation:\r\n\tOperation Type:\t\tObject Access\r\n\tAccesses:\t\tControl Access\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x100\r\n\tProperties:\t\tControl Access\r\n\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n\r\n\r\nAdditional Information:\r\n\tParameter 1:\t\t-\r\n\tParameter 2:\t\t" 
}, "action": { "record_id": 25279566314, "type": "Security", "id": 4662, - "properties": [ - { - "Accesses": "\t\tControl Access", - "AccessList": "%%7688\r\n\t\t\t\t", - "AccessMask": "0x100", - "EventType": "AUDIT_SUCCESS", - "HandleId": "0x0", - "ObjectName": "%{e013e2c9-bd38-4fe7-9afc-c50c377cb028}", - "ObjectServer": "DS", - "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", - "OpcodeValue": 0, - "OperationType": "Object Access", - "Properties": "%%7688\r\n\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n", - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "Severity": "INFO", - "SubjectDomainName": "KEY", - "SubjectLogonId": "0x8c042a219", - "SubjectUserName": "V-FOO$", - "SubjectUserSid": "S-1-5-21-1574594750-1263408776-2012955550-98189", - "Task": 14080, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" - } - ], + "properties": { + "Accesses": "\t\tControl Access", + "AccessList": "%%7688\r\n\t\t\t\t", + "AccessMask": "0x100", + "EventType": "AUDIT_SUCCESS", + "HandleId": "0x0", + "ObjectName": "%{e013e2c9-bd38-4fe7-9afc-c50c377cb028}", + "ObjectServer": "DS", + "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", + "OpcodeValue": 0, + "OperationType": "Object Access", + "Properties": "%%7688\r\n\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n", + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Severity": "INFO", + "SubjectDomainName": "KEY", + "SubjectLogonId": "0x8c042a219", + "SubjectUserName": "V-FOO$", + "SubjectUserSid": "S-1-5-21-1574594750-1263408776-2012955550-98189", + "Task": 14080, + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9214364837600034816" + }, "name": "An operation was performed on an object", "outcome": "success" }, 
@@ -2249,29 +2229,27 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"EventTime\":\"2010-05-19 12:11:47\",\"Hostname\":\"V-FOO\",\"Keywords\":0,\"EventType\":\"VERBOSE\",\"SeverityValue\":1,\"Severity\":\"DEBUG\",\"EventID\":4104,\"SourceName\":\"Microsoft-Windows-PowerShell\",\"ProviderGuid\":\"{A0C1853B-5C40-4B15-8766-3CF1C58F985A}\",\"Version\":1,\"Task\":2,\"OpcodeValue\":15,\"RecordNumber\":272330460,\"ActivityID\":\"{5D86B418-29E5-0000-F508-CD69E529D601}\",\"ProcessID\":968,\"ThreadID\":5568,\"Channel\":\"Microsoft-Windows-PowerShell/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Creating Scriptblock text (1 of 1):\\r\\n{ @('Object') -contains $_ }\\r\\n\\r\\nScriptBlock ID: 592078b2-e981-40be-a166-10896495067b\\r\\nPath: \",\"Category\":\"Execute a Remote Command\",\"Opcode\":\"On create calls\",\"MessageNumber\":\"1\",\"MessageTotal\":\"1\",\"ScriptBlockText\":\"{ @('Object') -contains $_ }\",\"ScriptBlockId\":\"592078b2-e981-40be-a166-10896495067b\",\"EventReceivedTime\":\"2010-05-19 12:11:48\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}",
 "event": {
 "code": "4104",
- "message": "Creating Scriptblock text (1 of 1):\r\n{ @('Object') -contains $_ }\r\n\r\nScriptBlock ID: 592078b2-e981-40be-a166-10896495067b\r\nPath: ",
- "provider": "Microsoft-Windows-PowerShell"
+ "provider": "Microsoft-Windows-PowerShell",
+ "message": "Creating Scriptblock text (1 of 1):\r\n{ @('Object') -contains $_ }\r\n\r\nScriptBlock ID: 592078b2-e981-40be-a166-10896495067b\r\nPath: "
 },
 "action": {
 "record_id": 272330460,
 "type": "Microsoft-Windows-PowerShell/Operational",
 "id": 4104,
- "properties": [
- {
- "AccountName": "SYSTEM",
- "AccountType": "User",
- "Domain": "NT AUTHORITY",
- "EventType": "VERBOSE",
- "OpcodeValue": 15,
- "ProviderGuid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
- "ScriptBlockId": "592078b2-e981-40be-a166-10896495067b",
- "ScriptBlockText": "{ @('Object') -contains $_ }",
- "Severity": "DEBUG",
- "Task": 2,
- "SourceName": "Microsoft-Windows-PowerShell",
- "Keywords": "0"
- }
- ],
+ "properties": {
+ "AccountName": "SYSTEM",
+ "AccountType": "User",
+ "Domain": "NT AUTHORITY",
+ "EventType": "VERBOSE",
+ "OpcodeValue": 15,
+ "ProviderGuid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
+ "ScriptBlockId": "592078b2-e981-40be-a166-10896495067b",
+ "ScriptBlockText": "{ @('Object') -contains $_ }",
+ "Severity": "DEBUG",
+ "Task": 2,
+ "SourceName": "Microsoft-Windows-PowerShell",
+ "Keywords": "0"
+ },
 "name": "Creating Scriptblock text"
 },
 "log": {
@@ -2320,31 +2298,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-10-02 17:20:14\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":0,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4103,\"SourceName\":\"Microsoft-Windows-PowerShell\",\"ProviderGuid\":\"{A0C1853B-5C40-4B15-8766-3CF1C58F985A}\",\"Version\":1,\"Task\":106,\"OpcodeValue\":20,\"RecordNumber\":249099289,\"ActivityID\":\"{264E110A-980D-0002-50EB-4F260D98D601}\",\"ProcessID\":2816,\"ThreadID\":3184,\"Channel\":\"Microsoft-Windows-PowerShell/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"CommandInvocation(Write-Verbose): \\\"Write-Verbose\\\"\\r\\nParameterBinding(Write-Verbose): name=\\\"Message\\\"; value=\\\"ParentDisplayName\\\"\\r\\n\\r\\n\\r\\nContext:\\r\\n Severity = Informational\\r\\n Host Name = ConsoleHost\\r\\n Host Version = 5.1.14409.1018\\r\\n Host ID = 6d715a18-8dd8-44ce-889d-67bbbd36962b\\r\\n Host Application = C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NoProfile -NonInteractive -NoLogo -ExecutionPolicy Bypass -File C:\\\\ProgramData\\\\PuppetLabs\\\\facter\\\\facts.d\\\\InstalledSoftware.ps1\\r\\n Engine Version = 5.1.14409.1018\\r\\n Runspace ID = 28ef971b-d5e6-46a0-a1eb-275b26023d17\\r\\n Pipeline ID = 1\\r\\n Command Name = Write-Verbose\\r\\n Command Type = Cmdlet\\r\\n Script Name = C:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\PSSoftware\\\\1.0.29\\\\PSSoftware.psm1\\r\\n Command Path = \\r\\n Sequence Number = 3930\\r\\n User = WORKGROUP\\\\SYSTEM\\r\\n Connected User = \\r\\n Shell ID = Microsoft.PowerShell\\r\\n\\r\\n\\r\\nUser Data:\\r\\n\\r\\n\",\"Category\":\"Executing Pipeline\",\"Opcode\":\"To be used when operation is just executing a method\",\"ContextInfo\":\" Severity = Informational\\r\\n Host Name = ConsoleHost\\r\\n Host Version = 5.1.14409.1018\\r\\n 
Host ID = 6d715a18-8dd8-44ce-889d-67bbbd36962b\\r\\n Host Application = C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NoProfile -NonInteractive -NoLogo -ExecutionPolicy Bypass -File C:\\\\ProgramData\\\\PuppetLabs\\\\facter\\\\facts.d\\\\InstalledSoftware.ps1\\r\\n Engine Version = 5.1.14409.1018\\r\\n Runspace ID = 28ef971b-d5e6-46a0-a1eb-275b26023d17\\r\\n Pipeline ID = 1\\r\\n Command Name = Write-Verbose\\r\\n Command Type = Cmdlet\\r\\n Script Name = C:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\PSSoftware\\\\1.0.29\\\\PSSoftware.psm1\\r\\n Command Path = \\r\\n Sequence Number = 3930\\r\\n User = WORKGROUP\\\\SYSTEM\\r\\n Connected User = \\r\\n Shell ID = Microsoft.PowerShell\\r\\n\",\"Payload\":\"CommandInvocation(Write-Verbose): \\\"Write-Verbose\\\"\\r\\nParameterBinding(Write-Verbose): name=\\\"Message\\\"; value=\\\"ParentDisplayName\\\"\\r\\n\",\"EventReceivedTime\":\"2010-10-02 17:20:19\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4103", - "message": "CommandInvocation(Write-Verbose): \"Write-Verbose\"\r\nParameterBinding(Write-Verbose): name=\"Message\"; value=\"ParentDisplayName\"\r\n\r\n\r\nContext:\r\n Severity = Informational\r\n Host Name = ConsoleHost\r\n Host Version = 5.1.14409.1018\r\n Host ID = 6d715a18-8dd8-44ce-889d-67bbbd36962b\r\n Host Application = C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -NonInteractive -NoLogo -ExecutionPolicy Bypass -File C:\\ProgramData\\PuppetLabs\\facter\\facts.d\\InstalledSoftware.ps1\r\n Engine Version = 5.1.14409.1018\r\n Runspace ID = 28ef971b-d5e6-46a0-a1eb-275b26023d17\r\n Pipeline ID = 1\r\n Command Name = Write-Verbose\r\n Command Type = Cmdlet\r\n Script Name = C:\\Program Files\\WindowsPowerShell\\Modules\\PSSoftware\\1.0.29\\PSSoftware.psm1\r\n Command Path = \r\n Sequence Number = 3930\r\n User = WORKGROUP\\SYSTEM\r\n Connected User = \r\n Shell ID = Microsoft.PowerShell\r\n\r\n\r\nUser 
Data:\r\n\r\n", - "provider": "Microsoft-Windows-PowerShell" + "provider": "Microsoft-Windows-PowerShell", + "message": "CommandInvocation(Write-Verbose): \"Write-Verbose\"\r\nParameterBinding(Write-Verbose): name=\"Message\"; value=\"ParentDisplayName\"\r\n\r\n\r\nContext:\r\n Severity = Informational\r\n Host Name = ConsoleHost\r\n Host Version = 5.1.14409.1018\r\n Host ID = 6d715a18-8dd8-44ce-889d-67bbbd36962b\r\n Host Application = C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -NonInteractive -NoLogo -ExecutionPolicy Bypass -File C:\\ProgramData\\PuppetLabs\\facter\\facts.d\\InstalledSoftware.ps1\r\n Engine Version = 5.1.14409.1018\r\n Runspace ID = 28ef971b-d5e6-46a0-a1eb-275b26023d17\r\n Pipeline ID = 1\r\n Command Name = Write-Verbose\r\n Command Type = Cmdlet\r\n Script Name = C:\\Program Files\\WindowsPowerShell\\Modules\\PSSoftware\\1.0.29\\PSSoftware.psm1\r\n Command Path = \r\n Sequence Number = 3930\r\n User = WORKGROUP\\SYSTEM\r\n Connected User = \r\n Shell ID = Microsoft.PowerShell\r\n\r\n\r\nUser Data:\r\n\r\n" }, "action": { "record_id": 249099289, "type": "Microsoft-Windows-PowerShell/Operational", "id": 4103, - "properties": [ - { - "AccountName": "SYSTEM", - "AccountType": "User", - "ContextInfo": " Severity = Informational\r\n Host Name = ConsoleHost\r\n Host Version = 5.1.14409.1018\r\n Host ID = 6d715a18-8dd8-44ce-889d-67bbbd36962b\r\n Host Application = C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -NonInteractive -NoLogo -ExecutionPolicy Bypass -File C:\\ProgramData\\PuppetLabs\\facter\\facts.d\\InstalledSoftware.ps1\r\n Engine Version = 5.1.14409.1018\r\n Runspace ID = 28ef971b-d5e6-46a0-a1eb-275b26023d17\r\n Pipeline ID = 1\r\n Command Name = Write-Verbose\r\n Command Type = Cmdlet\r\n Script Name = C:\\Program Files\\WindowsPowerShell\\Modules\\PSSoftware\\1.0.29\\PSSoftware.psm1\r\n Command Path = \r\n Sequence Number = 3930\r\n User = WORKGROUP\\SYSTEM\r\n Connected User = \r\n 
Shell ID = Microsoft.PowerShell\r\n", - "Domain": "NT AUTHORITY", - "EventType": "INFO", - "OpcodeValue": 20, - "Payload": "CommandInvocation(Write-Verbose): \"Write-Verbose\"\r\nParameterBinding(Write-Verbose): name=\"Message\"; value=\"ParentDisplayName\"\r\n", - "ProviderGuid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}", - "Severity": "INFO", - "Task": 106, - "SourceName": "Microsoft-Windows-PowerShell", - "Keywords": "0", - "HostApplication": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -NonInteractive -NoLogo -ExecutionPolicy Bypass -File C:\\ProgramData\\PuppetLabs\\facter\\facts.d\\InstalledSoftware.ps1", - "HostName": "ConsoleHost" - } - ] + "properties": { + "AccountName": "SYSTEM", + "AccountType": "User", + "ContextInfo": " Severity = Informational\r\n Host Name = ConsoleHost\r\n Host Version = 5.1.14409.1018\r\n Host ID = 6d715a18-8dd8-44ce-889d-67bbbd36962b\r\n Host Application = C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -NonInteractive -NoLogo -ExecutionPolicy Bypass -File C:\\ProgramData\\PuppetLabs\\facter\\facts.d\\InstalledSoftware.ps1\r\n Engine Version = 5.1.14409.1018\r\n Runspace ID = 28ef971b-d5e6-46a0-a1eb-275b26023d17\r\n Pipeline ID = 1\r\n Command Name = Write-Verbose\r\n Command Type = Cmdlet\r\n Script Name = C:\\Program Files\\WindowsPowerShell\\Modules\\PSSoftware\\1.0.29\\PSSoftware.psm1\r\n Command Path = \r\n Sequence Number = 3930\r\n User = WORKGROUP\\SYSTEM\r\n Connected User = \r\n Shell ID = Microsoft.PowerShell\r\n", + "Domain": "NT AUTHORITY", + "EventType": "INFO", + "OpcodeValue": 20, + "Payload": "CommandInvocation(Write-Verbose): \"Write-Verbose\"\r\nParameterBinding(Write-Verbose): name=\"Message\"; value=\"ParentDisplayName\"\r\n", + "ProviderGuid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}", + "Severity": "INFO", + "Task": 106, + "SourceName": "Microsoft-Windows-PowerShell", + "Keywords": "0", + "HostApplication": 
"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -NonInteractive -NoLogo -ExecutionPolicy Bypass -File C:\\ProgramData\\PuppetLabs\\facter\\facts.d\\InstalledSoftware.ps1", + "HostName": "ConsoleHost" + } }, "log": { "hostname": "DESKTOP-FOOBARZ", 
@@ -2392,31 +2368,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2023-08-22 20:12:26\",\"Hostname\":\"DC2.corp.net\",\"Keywords\":0,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4103,\"SourceName\":\"Microsoft-Windows-PowerShell\",\"ProviderGuid\":\"{A0C1853B-5C40-4B15-8766-3CF1C58F985A}\",\"Version\":1,\"Task\":106,\"OpcodeValue\":20,\"RecordNumber\":32670,\"ActivityID\":\"{AA56825F-C7FE-0000-D33D-F2AAFEC7D901}\",\"ProcessID\":5676,\"ThreadID\":3020,\"Channel\":\"Microsoft-Windows-PowerShell/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"CommandInvocation(Add-Type): \\\"Add-Type\\\"\\r\\nParameterBinding(Add-Type): name=\\\"AssemblyName\\\"; value=\\\"System.Core\\\"\\r\\n\\r\\n\\r\\nContext:\\r\\n Severity = Informational\\r\\n Host Name = ConsoleHost\\r\\n Host Version = 5.1.14393.5582\\r\\n Host ID = 26838e02-12cb-467c-a81a-bb1479f74427\\r\\n Host Application = C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NonInteractive -NoProfile -Command & {Add-Type -AssemblyName System.Core\\nfunction Run-Server() { param([string]$h); $b = New-Object byte[] 8; $p = New-Object System.IO.Pipes.AnonymousPipeClientStream -ArgumentList @([System.IO.Pipes.PipeDirection]::In, $h); if ($p) { $l = $p.Read($b, 0, 8); while ($l -gt 7) { $c = [System.BitConverter]::ToInt32($b, 0); $l = [System.BitConverter]::ToInt32($b, 4); $t = $null; if ($l -gt 0) { $t1 = New-Object byte[] $l; $l = $p.Read($t1, 0, $t1.Length); $t = [System.Text.Encoding]::UTF8.GetString($t1, 0, $l) } if ($c -eq 1) { Invoke-Expression $t } elseif ($c -eq 9) { break } $l = $p.Read($b, 0, 8) } $p.Dispose() } } Run-Server -h 1412}\\r\\n Engine Version = 5.1.14393.5582\\r\\n Runspace ID = 4185b66b-3f0e-486d-a15e-3d2bc90f39a7\\r\\n Pipeline ID = 1\\r\\n Command Name = Add-Type\\r\\n Command Type = Cmdlet\\r\\n Script 
Name = \\r\\n Command Path = \\r\\n Sequence Number = 18\\r\\n User = INTRANET\\\\SYSTEM\\r\\n Connected User = \\r\\n Shell ID = Microsoft.PowerShell\\r\\n\\r\\n\\r\\nUser Data:\\r\\n\\r\\n\",\"Category\":\"Executing Pipeline\",\"Opcode\":\"To be used when operation is just executing a method\",\"ContextInfo\":\" Severity = Informational\\r\\n Host Name = ConsoleHost\\r\\n Host Version = 5.1.14393.5582\\r\\n Host ID = 26838e02-12cb-467c-a81a-bb1479f74427\\r\\n Host Application = C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NonInteractive -NoProfile -Command & {Add-Type -AssemblyName System.Core\\nfunction Run-Server() { param([string]$h); $b = New-Object byte[] 8; $p = New-Object System.IO.Pipes.AnonymousPipeClientStream -ArgumentList @([System.IO.Pipes.PipeDirection]::In, $h); if ($p) { $l = $p.Read($b, 0, 8); while ($l -gt 7) { $c = [System.BitConverter]::ToInt32($b, 0); $l = [System.BitConverter]::ToInt32($b, 4); $t = $null; if ($l -gt 0) { $t1 = New-Object byte[] $l; $l = $p.Read($t1, 0, $t1.Length); $t = [System.Text.Encoding]::UTF8.GetString($t1, 0, $l) } if ($c -eq 1) { Invoke-Expression $t } elseif ($c -eq 9) { break } $l = $p.Read($b, 0, 8) } $p.Dispose() } } Run-Server -h 1412}\\r\\n Engine Version = 5.1.14393.5582\\r\\n Runspace ID = 4185b66b-3f0e-486d-a15e-3d2bc90f39a7\\r\\n Pipeline ID = 1\\r\\n Command Name = Add-Type\\r\\n Command Type = Cmdlet\\r\\n Script Name = \\r\\n Command Path = \\r\\n Sequence Number = 18\\r\\n User = INTRANET\\\\SYSTEM\\r\\n Connected User = \\r\\n Shell ID = Microsoft.PowerShell\\r\\n\",\"Payload\":\"CommandInvocation(Add-Type): \\\"Add-Type\\\"\\r\\nParameterBinding(Add-Type): name=\\\"AssemblyName\\\"; value=\\\"System.Core\\\"\\r\\n\",\"EventReceivedTime\":\"2023-08-22 20:12:27\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4103", - "message": "CommandInvocation(Add-Type): \"Add-Type\"\r\nParameterBinding(Add-Type): name=\"AssemblyName\"; 
value=\"System.Core\"\r\n\r\n\r\nContext:\r\n Severity = Informational\r\n Host Name = ConsoleHost\r\n Host Version = 5.1.14393.5582\r\n Host ID = 26838e02-12cb-467c-a81a-bb1479f74427\r\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NonInteractive -NoProfile -Command & {Add-Type -AssemblyName System.Core\nfunction Run-Server() { param([string]$h); $b = New-Object byte[] 8; $p = New-Object System.IO.Pipes.AnonymousPipeClientStream -ArgumentList @([System.IO.Pipes.PipeDirection]::In, $h); if ($p) { $l = $p.Read($b, 0, 8); while ($l -gt 7) { $c = [System.BitConverter]::ToInt32($b, 0); $l = [System.BitConverter]::ToInt32($b, 4); $t = $null; if ($l -gt 0) { $t1 = New-Object byte[] $l; $l = $p.Read($t1, 0, $t1.Length); $t = [System.Text.Encoding]::UTF8.GetString($t1, 0, $l) } if ($c -eq 1) { Invoke-Expression $t } elseif ($c -eq 9) { break } $l = $p.Read($b, 0, 8) } $p.Dispose() } } Run-Server -h 1412}\r\n Engine Version = 5.1.14393.5582\r\n Runspace ID = 4185b66b-3f0e-486d-a15e-3d2bc90f39a7\r\n Pipeline ID = 1\r\n Command Name = Add-Type\r\n Command Type = Cmdlet\r\n Script Name = \r\n Command Path = \r\n Sequence Number = 18\r\n User = INTRANET\\SYSTEM\r\n Connected User = \r\n Shell ID = Microsoft.PowerShell\r\n\r\n\r\nUser Data:\r\n\r\n", - "provider": "Microsoft-Windows-PowerShell" + "provider": "Microsoft-Windows-PowerShell", + "message": "CommandInvocation(Add-Type): \"Add-Type\"\r\nParameterBinding(Add-Type): name=\"AssemblyName\"; value=\"System.Core\"\r\n\r\n\r\nContext:\r\n Severity = Informational\r\n Host Name = ConsoleHost\r\n Host Version = 5.1.14393.5582\r\n Host ID = 26838e02-12cb-467c-a81a-bb1479f74427\r\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NonInteractive -NoProfile -Command & {Add-Type -AssemblyName System.Core\nfunction Run-Server() { param([string]$h); $b = New-Object byte[] 8; $p = New-Object System.IO.Pipes.AnonymousPipeClientStream -ArgumentList 
@([System.IO.Pipes.PipeDirection]::In, $h); if ($p) { $l = $p.Read($b, 0, 8); while ($l -gt 7) { $c = [System.BitConverter]::ToInt32($b, 0); $l = [System.BitConverter]::ToInt32($b, 4); $t = $null; if ($l -gt 0) { $t1 = New-Object byte[] $l; $l = $p.Read($t1, 0, $t1.Length); $t = [System.Text.Encoding]::UTF8.GetString($t1, 0, $l) } if ($c -eq 1) { Invoke-Expression $t } elseif ($c -eq 9) { break } $l = $p.Read($b, 0, 8) } $p.Dispose() } } Run-Server -h 1412}\r\n Engine Version = 5.1.14393.5582\r\n Runspace ID = 4185b66b-3f0e-486d-a15e-3d2bc90f39a7\r\n Pipeline ID = 1\r\n Command Name = Add-Type\r\n Command Type = Cmdlet\r\n Script Name = \r\n Command Path = \r\n Sequence Number = 18\r\n User = INTRANET\\SYSTEM\r\n Connected User = \r\n Shell ID = Microsoft.PowerShell\r\n\r\n\r\nUser Data:\r\n\r\n" }, "action": { "record_id": 32670, "type": "Microsoft-Windows-PowerShell/Operational", "id": 4103, - "properties": [ - { - "AccountName": "SYSTEM", - "AccountType": "User", - "ContextInfo": " Severity = Informational\r\n Host Name = ConsoleHost\r\n Host Version = 5.1.14393.5582\r\n Host ID = 26838e02-12cb-467c-a81a-bb1479f74427\r\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NonInteractive -NoProfile -Command & {Add-Type -AssemblyName System.Core\nfunction Run-Server() { param([string]$h); $b = New-Object byte[] 8; $p = New-Object System.IO.Pipes.AnonymousPipeClientStream -ArgumentList @([System.IO.Pipes.PipeDirection]::In, $h); if ($p) { $l = $p.Read($b, 0, 8); while ($l -gt 7) { $c = [System.BitConverter]::ToInt32($b, 0); $l = [System.BitConverter]::ToInt32($b, 4); $t = $null; if ($l -gt 0) { $t1 = New-Object byte[] $l; $l = $p.Read($t1, 0, $t1.Length); $t = [System.Text.Encoding]::UTF8.GetString($t1, 0, $l) } if ($c -eq 1) { Invoke-Expression $t } elseif ($c -eq 9) { break } $l = $p.Read($b, 0, 8) } $p.Dispose() } } Run-Server -h 1412}\r\n Engine Version = 5.1.14393.5582\r\n Runspace ID = 4185b66b-3f0e-486d-a15e-3d2bc90f39a7\r\n 
Pipeline ID = 1\r\n Command Name = Add-Type\r\n Command Type = Cmdlet\r\n Script Name = \r\n Command Path = \r\n Sequence Number = 18\r\n User = INTRANET\\SYSTEM\r\n Connected User = \r\n Shell ID = Microsoft.PowerShell\r\n", - "Domain": "NT AUTHORITY", - "EventType": "INFO", - "OpcodeValue": 20, - "Payload": "CommandInvocation(Add-Type): \"Add-Type\"\r\nParameterBinding(Add-Type): name=\"AssemblyName\"; value=\"System.Core\"\r\n", - "ProviderGuid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}", - "Severity": "INFO", - "Task": 106, - "SourceName": "Microsoft-Windows-PowerShell", - "Keywords": "0", - "HostApplication": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NonInteractive -NoProfile -Command & {Add-Type -AssemblyName System.Core\nfunction Run-Server() { param([string]$h); $b = New-Object byte[] 8; $p = New-Object System.IO.Pipes.AnonymousPipeClientStream -ArgumentList @([System.IO.Pipes.PipeDirection]::In, $h); if ($p) { $l = $p.Read($b, 0, 8); while ($l -gt 7) { $c = [System.BitConverter]::ToInt32($b, 0); $l = [System.BitConverter]::ToInt32($b, 4); $t = $null; if ($l -gt 0) { $t1 = New-Object byte[] $l; $l = $p.Read($t1, 0, $t1.Length); $t = [System.Text.Encoding]::UTF8.GetString($t1, 0, $l) } if ($c -eq 1) { Invoke-Expression $t } elseif ($c -eq 9) { break } $l = $p.Read($b, 0, 8) } $p.Dispose() } } Run-Server -h 1412}", - "HostName": "ConsoleHost" - } - ] + "properties": { + "AccountName": "SYSTEM", + "AccountType": "User", + "ContextInfo": " Severity = Informational\r\n Host Name = ConsoleHost\r\n Host Version = 5.1.14393.5582\r\n Host ID = 26838e02-12cb-467c-a81a-bb1479f74427\r\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NonInteractive -NoProfile -Command & {Add-Type -AssemblyName System.Core\nfunction Run-Server() { param([string]$h); $b = New-Object byte[] 8; $p = New-Object System.IO.Pipes.AnonymousPipeClientStream -ArgumentList @([System.IO.Pipes.PipeDirection]::In, $h); if ($p) { $l = 
$p.Read($b, 0, 8); while ($l -gt 7) { $c = [System.BitConverter]::ToInt32($b, 0); $l = [System.BitConverter]::ToInt32($b, 4); $t = $null; if ($l -gt 0) { $t1 = New-Object byte[] $l; $l = $p.Read($t1, 0, $t1.Length); $t = [System.Text.Encoding]::UTF8.GetString($t1, 0, $l) } if ($c -eq 1) { Invoke-Expression $t } elseif ($c -eq 9) { break } $l = $p.Read($b, 0, 8) } $p.Dispose() } } Run-Server -h 1412}\r\n Engine Version = 5.1.14393.5582\r\n Runspace ID = 4185b66b-3f0e-486d-a15e-3d2bc90f39a7\r\n Pipeline ID = 1\r\n Command Name = Add-Type\r\n Command Type = Cmdlet\r\n Script Name = \r\n Command Path = \r\n Sequence Number = 18\r\n User = INTRANET\\SYSTEM\r\n Connected User = \r\n Shell ID = Microsoft.PowerShell\r\n", + "Domain": "NT AUTHORITY", + "EventType": "INFO", + "OpcodeValue": 20, + "Payload": "CommandInvocation(Add-Type): \"Add-Type\"\r\nParameterBinding(Add-Type): name=\"AssemblyName\"; value=\"System.Core\"\r\n", + "ProviderGuid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}", + "Severity": "INFO", + "Task": 106, + "SourceName": "Microsoft-Windows-PowerShell", + "Keywords": "0", + "HostApplication": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NonInteractive -NoProfile -Command & {Add-Type -AssemblyName System.Core\nfunction Run-Server() { param([string]$h); $b = New-Object byte[] 8; $p = New-Object System.IO.Pipes.AnonymousPipeClientStream -ArgumentList @([System.IO.Pipes.PipeDirection]::In, $h); if ($p) { $l = $p.Read($b, 0, 8); while ($l -gt 7) { $c = [System.BitConverter]::ToInt32($b, 0); $l = [System.BitConverter]::ToInt32($b, 4); $t = $null; if ($l -gt 0) { $t1 = New-Object byte[] $l; $l = $p.Read($t1, 0, $t1.Length); $t = [System.Text.Encoding]::UTF8.GetString($t1, 0, $l) } if ($c -eq 1) { Invoke-Expression $t } elseif ($c -eq 9) { break } $l = $p.Read($b, 0, 8) } $p.Dispose() } } Run-Server -h 1412}", + "HostName": "ConsoleHost" + } }, "log": { "hostname": "DC2.corp.net", 
@@ -2464,31 +2438,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2011-04-18 14:51:32\",\"Hostname\":\"PCFOO4147.corp.net\",\"Keywords\":0,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4103,\"SourceName\":\"Microsoft-Windows-PowerShell\",\"ProviderGuid\":\"{A0C1853B-5C40-4B15-8766-3CF1C58F985A}\",\"Version\":1,\"Task\":106,\"OpcodeValue\":20,\"RecordNumber\":1079309,\"ActivityID\":\"{83B38D2A-3444-0004-D607-B4834434D701}\",\"ProcessID\":5532,\"ThreadID\":7212,\"Channel\":\"Microsoft-Windows-PowerShell/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"CommandInvocation (Out-Default) : \u00ab Out-Default \u00bb\\r\\nLiaison de param\u00e8tre (Out-Default) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab @{ProcessName=ApplicationFrameHost} \u00bb\\r\\nLiaison de param\u00e8tre (Out-Default) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab @{ProcessName=armsvc} \u00bb\\r\\n\\r\\n\\r\\n\\r\\nContexte :\\r\\n Gravit\u00e9 = Informational\\r\\n Nom d\u2019h\u00f4te = ConsoleHost\\r\\n Version de l\u2019h\u00f4te = 5.1.18362.1171\\r\\n ID d\u2019h\u00f4te = b9b8ea4b-cd03-4f71-86f7-2fd8e89b52a4\\r\\n Application h\u00f4te = C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe get-process | select processname\\r\\n Version du moteur = 5.1.18362.1171\\r\\n ID d\u2019instance d\u2019ex\u00e9cution = bad57214-6381-4f0a-a2ea-ad1575bdb55d\\r\\n ID de pipeline = 1\\r\\n Nom de commande = \\r\\n Type de commande = Script\\r\\n Nom du script = \\r\\n Chemin de la commande = \\r\\n Num\u00e9ro de s\u00e9quence = 18\\r\\n Utilisateur = FOOBAR\\\\Syst\u00e8me\\r\\n Utilisateur connect\u00e9 = \\r\\n ID d\u2019interpr\u00e9teur de commandes = Microsoft.PowerShell\\r\\n\\r\\n\\r\\nDonn\u00e9es utilisateur :\\r\\n\\r\\n\",\"Category\":\"Ex\u00e9cution du pipeline\",\"Opcode\":\"\u00c0 
utiliser lorsque l'op\u00e9ration ex\u00e9cute uniquement une m\u00e9thode\",\"ContextInfo\":\" Gravit\u00e9 = Informational\\r\\n Nom d\u2019h\u00f4te = ConsoleHost\\r\\n Version de l\u2019h\u00f4te = 5.1.18362.1171\\r\\n ID d\u2019h\u00f4te = b9b8ea4b-cd03-4f71-86f7-2fd8e89b52a4\\r\\n Application h\u00f4te = C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe get-process | select processname\\r\\n Version du moteur = 5.1.18362.1171\\r\\n ID d\u2019instance d\u2019ex\u00e9cution = bad57214-6381-4f0a-a2ea-ad1575bdb55d\\r\\n ID de pipeline = 1\\r\\n Nom de commande = \\r\\n Type de commande = Script\\r\\n Nom du script = \\r\\n Chemin de la commande = \\r\\n Num\u00e9ro de s\u00e9quence = 18\\r\\n Utilisateur = FOOBAR\\\\Syst\u00e8me\\r\\n Utilisateur connect\u00e9 = \\r\\n ID d\u2019interpr\u00e9teur de commandes = Microsoft.PowerShell\\r\\n\",\"Payload\":\"CommandInvocation (Out-Default) : \u00ab Out-Default \u00bb\\r\\nLiaison de param\u00e8tre (Out-Default) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab @{ProcessName=ApplicationFrameHost} \u00bb\\r\\n\",\"EventReceivedTime\":\"2011-04-18 14:51:33\",\"SourceModuleName\":\"evtx_win\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4103", - "message": "CommandInvocation (Out-Default) : \u00ab Out-Default \u00bb\r\nLiaison de param\u00e8tre (Out-Default) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab @{ProcessName=ApplicationFrameHost} \u00bb\r\nLiaison de param\u00e8tre (Out-Default) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab @{ProcessName=armsvc} \u00bb\r\n\r\n\r\n\r\nContexte :\r\n Gravit\u00e9 = Informational\r\n Nom d\u2019h\u00f4te = ConsoleHost\r\n Version de l\u2019h\u00f4te = 5.1.18362.1171\r\n ID d\u2019h\u00f4te = b9b8ea4b-cd03-4f71-86f7-2fd8e89b52a4\r\n Application h\u00f4te = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe get-process | select processname\r\n Version du moteur = 5.1.18362.1171\r\n ID d\u2019instance 
d\u2019ex\u00e9cution = bad57214-6381-4f0a-a2ea-ad1575bdb55d\r\n ID de pipeline = 1\r\n Nom de commande = \r\n Type de commande = Script\r\n Nom du script = \r\n Chemin de la commande = \r\n Num\u00e9ro de s\u00e9quence = 18\r\n Utilisateur = FOOBAR\\Syst\u00e8me\r\n Utilisateur connect\u00e9 = \r\n ID d\u2019interpr\u00e9teur de commandes = Microsoft.PowerShell\r\n\r\n\r\nDonn\u00e9es utilisateur :\r\n\r\n", - "provider": "Microsoft-Windows-PowerShell" + "provider": "Microsoft-Windows-PowerShell", + "message": "CommandInvocation (Out-Default) : \u00ab Out-Default \u00bb\r\nLiaison de param\u00e8tre (Out-Default) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab @{ProcessName=ApplicationFrameHost} \u00bb\r\nLiaison de param\u00e8tre (Out-Default) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab @{ProcessName=armsvc} \u00bb\r\n\r\n\r\n\r\nContexte :\r\n Gravit\u00e9 = Informational\r\n Nom d\u2019h\u00f4te = ConsoleHost\r\n Version de l\u2019h\u00f4te = 5.1.18362.1171\r\n ID d\u2019h\u00f4te = b9b8ea4b-cd03-4f71-86f7-2fd8e89b52a4\r\n Application h\u00f4te = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe get-process | select processname\r\n Version du moteur = 5.1.18362.1171\r\n ID d\u2019instance d\u2019ex\u00e9cution = bad57214-6381-4f0a-a2ea-ad1575bdb55d\r\n ID de pipeline = 1\r\n Nom de commande = \r\n Type de commande = Script\r\n Nom du script = \r\n Chemin de la commande = \r\n Num\u00e9ro de s\u00e9quence = 18\r\n Utilisateur = FOOBAR\\Syst\u00e8me\r\n Utilisateur connect\u00e9 = \r\n ID d\u2019interpr\u00e9teur de commandes = Microsoft.PowerShell\r\n\r\n\r\nDonn\u00e9es utilisateur :\r\n\r\n" }, "action": { "record_id": 1079309, "type": "Microsoft-Windows-PowerShell/Operational", "id": 4103, - "properties": [ - { - "AccountName": "Syst\u00e8me", - "AccountType": "User", - "ContextInfo": " Gravit\u00e9 = Informational\r\n Nom d\u2019h\u00f4te = ConsoleHost\r\n Version de l\u2019h\u00f4te = 5.1.18362.1171\r\n ID d\u2019h\u00f4te = 
b9b8ea4b-cd03-4f71-86f7-2fd8e89b52a4\r\n Application h\u00f4te = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe get-process | select processname\r\n Version du moteur = 5.1.18362.1171\r\n ID d\u2019instance d\u2019ex\u00e9cution = bad57214-6381-4f0a-a2ea-ad1575bdb55d\r\n ID de pipeline = 1\r\n Nom de commande = \r\n Type de commande = Script\r\n Nom du script = \r\n Chemin de la commande = \r\n Num\u00e9ro de s\u00e9quence = 18\r\n Utilisateur = FOOBAR\\Syst\u00e8me\r\n Utilisateur connect\u00e9 = \r\n ID d\u2019interpr\u00e9teur de commandes = Microsoft.PowerShell\r\n", - "Domain": "AUTORITE NT", - "EventType": "INFO", - "OpcodeValue": 20, - "Payload": "CommandInvocation (Out-Default) : \u00ab Out-Default \u00bb\r\nLiaison de param\u00e8tre (Out-Default) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab @{ProcessName=ApplicationFrameHost} \u00bb\r\n", - "ProviderGuid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}", - "Severity": "INFO", - "Task": 106, - "SourceName": "Microsoft-Windows-PowerShell", - "Keywords": "0", - "HostApplication": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe get-process | select processname", - "HostName": "ConsoleHost" - } - ] + "properties": { + "AccountName": "Syst\u00e8me", + "AccountType": "User", + "ContextInfo": " Gravit\u00e9 = Informational\r\n Nom d\u2019h\u00f4te = ConsoleHost\r\n Version de l\u2019h\u00f4te = 5.1.18362.1171\r\n ID d\u2019h\u00f4te = b9b8ea4b-cd03-4f71-86f7-2fd8e89b52a4\r\n Application h\u00f4te = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe get-process | select processname\r\n Version du moteur = 5.1.18362.1171\r\n ID d\u2019instance d\u2019ex\u00e9cution = bad57214-6381-4f0a-a2ea-ad1575bdb55d\r\n ID de pipeline = 1\r\n Nom de commande = \r\n Type de commande = Script\r\n Nom du script = \r\n Chemin de la commande = \r\n Num\u00e9ro de s\u00e9quence = 18\r\n Utilisateur = FOOBAR\\Syst\u00e8me\r\n Utilisateur connect\u00e9 = \r\n ID d\u2019interpr\u00e9teur de 
commandes = Microsoft.PowerShell\r\n", + "Domain": "AUTORITE NT", + "EventType": "INFO", + "OpcodeValue": 20, + "Payload": "CommandInvocation (Out-Default) : \u00ab Out-Default \u00bb\r\nLiaison de param\u00e8tre (Out-Default) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab @{ProcessName=ApplicationFrameHost} \u00bb\r\n", + "ProviderGuid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}", + "Severity": "INFO", + "Task": 106, + "SourceName": "Microsoft-Windows-PowerShell", + "Keywords": "0", + "HostApplication": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe get-process | select processname", + "HostName": "ConsoleHost" + } }, "log": { "hostname": "PCFOO4147.corp.net", 
@@ -2536,38 +2508,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-09-28 18:30:29\",\"Hostname\":\"V-FOO\",\"Keywords\":-9218868437227405312,\"EventType\":\"AUDIT_FAILURE\",\"SeverityValue\":4,\"Severity\":\"ERROR\",\"EventID\":4656,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":1,\"Task\":12804,\"OpcodeValue\":0,\"RecordNumber\":9931381860,\"ProcessID\":728,\"ThreadID\":736,\"Channel\":\"Security\",\"Message\":\"A handle to an object was requested.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1574594750-1263408776-2012955550-73322\\r\\n\\tAccount Name:\\t\\tV-FOO$\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0xA4FA5F41\\r\\n\\r\\nObject:\\r\\n\\tObject Server:\\t\\tWS-Management Listener\\r\\n\\tObject Type:\\t\\tUnknown\\r\\n\\tObject Name:\\t\\tUnknown\\r\\n\\tHandle ID:\\t\\t0x0\\r\\n\\tResource Attributes:\\t-\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t\\t0x3d4\\r\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\svchost.exe\\r\\n\\r\\nAccess Request Information:\\r\\n\\tTransaction ID:\\t\\t{00000000-0000-0000-0000-000000000000}\\r\\n\\tAccesses:\\t\\tMAX_ALLOWED\\r\\n\\t\\t\\t\\t\\r\\n\\tAccess Reasons:\\t\\t-\\r\\n\\tAccess Mask:\\t\\t0x2000000\\r\\n\\tPrivileges Used for Access Check:\\t-\\r\\n\\tRestricted SID Count:\\t0\",\"Category\":\"Other Object Access Events\",\"Opcode\":\"Info\",\"SubjectUserSid\":\"S-1-5-21-1574594750-1263408776-2012955550-73322\",\"SubjectUserName\":\"V-FOO$\",\"SubjectDomainName\":\"KEY\",\"SubjectLogonId\":\"0xa4fa5f41\",\"ObjectServer\":\"WS-Management 
Listener\",\"ObjectType\":\"Unknown\",\"ObjectName\":\"Unknown\",\"HandleId\":\"0x0\",\"TransactionId\":\"{00000000-0000-0000-0000-000000000000}\",\"AccessList\":\"%%1543\\r\\n\\t\\t\\t\\t\",\"AccessReason\":\"-\",\"AccessMask\":\"0x2000000\",\"PrivilegeList\":\"-\",\"RestrictedSidCount\":\"0\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"ResourceAttributes\":\"-\",\"EventReceivedTime\":\"2010-09-28 18:30:30\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4656", - "message": "A handle to an object was requested.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-73322\r\n\tAccount Name:\t\tV-FOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0xA4FA5F41\r\n\r\nObject:\r\n\tObject Server:\t\tWS-Management Listener\r\n\tObject Type:\t\tUnknown\r\n\tObject Name:\t\tUnknown\r\n\tHandle ID:\t\t0x0\r\n\tResource Attributes:\t-\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x3d4\r\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\r\n\r\nAccess Request Information:\r\n\tTransaction ID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\tAccesses:\t\tMAX_ALLOWED\r\n\t\t\t\t\r\n\tAccess Reasons:\t\t-\r\n\tAccess Mask:\t\t0x2000000\r\n\tPrivileges Used for Access Check:\t-\r\n\tRestricted SID Count:\t0", - "provider": "Microsoft-Windows-Security-Auditing" + "provider": "Microsoft-Windows-Security-Auditing", + "message": "A handle to an object was requested.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-73322\r\n\tAccount Name:\t\tV-FOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0xA4FA5F41\r\n\r\nObject:\r\n\tObject Server:\t\tWS-Management Listener\r\n\tObject Type:\t\tUnknown\r\n\tObject Name:\t\tUnknown\r\n\tHandle ID:\t\t0x0\r\n\tResource Attributes:\t-\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x3d4\r\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\r\n\r\nAccess Request Information:\r\n\tTransaction 
ID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\tAccesses:\t\tMAX_ALLOWED\r\n\t\t\t\t\r\n\tAccess Reasons:\t\t-\r\n\tAccess Mask:\t\t0x2000000\r\n\tPrivileges Used for Access Check:\t-\r\n\tRestricted SID Count:\t0" }, "action": { "record_id": 9931381860, "type": "Security", "id": 4656, - "properties": [ - { - "Accesses": "\t\tMAX_ALLOWED", - "AccessList": "%%1543\r\n\t\t\t\t", - "AccessMask": "0x2000000", - "AccessReason": "-", - "EventType": "AUDIT_FAILURE", - "HandleId": "0x0", - "ObjectName": "Unknown", - "ObjectServer": "WS-Management Listener", - "ObjectType": "Unknown", - "OpcodeValue": 0, - "PrivilegeList": "-", - "ProcessName": "c:\\windows\\system32\\svchost.exe", - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "Severity": "ERROR", - "SubjectDomainName": "KEY", - "SubjectLogonId": "0xa4fa5f41", - "SubjectUserName": "V-FOO$", - "SubjectUserSid": "S-1-5-21-1574594750-1263408776-2012955550-73322", - "Task": 12804, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9218868437227405312" - } - ], + "properties": { + "Accesses": "\t\tMAX_ALLOWED", + "AccessList": "%%1543\r\n\t\t\t\t", + "AccessMask": "0x2000000", + "AccessReason": "-", + "EventType": "AUDIT_FAILURE", + "HandleId": "0x0", + "ObjectName": "Unknown", + "ObjectServer": "WS-Management Listener", + "ObjectType": "Unknown", + "OpcodeValue": 0, + "PrivilegeList": "-", + "ProcessName": "c:\\windows\\system32\\svchost.exe", + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Severity": "ERROR", + "SubjectDomainName": "KEY", + "SubjectLogonId": "0xa4fa5f41", + "SubjectUserName": "V-FOO$", + "SubjectUserSid": "S-1-5-21-1574594750-1263408776-2012955550-73322", + "Task": 12804, + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9218868437227405312" + }, "name": "A handle to an object was requested", "outcome": "failure" }, 
@@ -2619,34 +2589,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-09-30 12:01:24\",\"Hostname\":\"FOOBAZ02\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4657,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":12801,\"OpcodeValue\":0,\"RecordNumber\":27949645047,\"ProcessID\":4,\"ThreadID\":14940,\"Channel\":\"Security\",\"Message\":\"A registry value was modified.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tFOOBAZ02$\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0x3E7\\r\\n\\r\\nObject:\\r\\n\\tObject Name:\\t\\t\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WindowsUpdate\\\\Auto Update\\r\\n\\tObject Value Name:\\tFirmwareUpdatesNotInstalled\\r\\n\\tHandle ID:\\t\\t0x22cc\\r\\n\\tOperation Type:\\t\\tNew registry value created\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t\\t0xac0\\r\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\svchost.exe\\r\\n\\r\\nChange Information:\\r\\n\\tOld Value Type:\\t\\t-\\r\\n\\tOld Value:\\t\\t-\\r\\n\\tNew Value Type:\\t\\tREG_DWORD\\r\\n\\tNew Value:\\t\\t0\",\"Category\":\"Registry\",\"Opcode\":\"Info\",\"SubjectUserSid\":\"S-1-5-18\",\"SubjectUserName\":\"FOOBAZ02$\",\"SubjectDomainName\":\"KEY\",\"SubjectLogonId\":\"0x3e7\",\"ObjectName\":\"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WindowsUpdate\\\\Auto Update\",\"ObjectValueName\":\"FirmwareUpdatesNotInstalled\",\"HandleId\":\"0x22cc\",\"OperationType\":\"%%1904\",\"OldValueType\":\"-\",\"OldValue\":\"-\",\"NewValueType\":\"%%1876\",\"NewValue\":\"0\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"EventReceivedTime\":\"2010-09-30 
12:01:25\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4657", - "message": "A registry value was modified.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tFOOBAZ02$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Name:\t\t\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update\r\n\tObject Value Name:\tFirmwareUpdatesNotInstalled\r\n\tHandle ID:\t\t0x22cc\r\n\tOperation Type:\t\tNew registry value created\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0xac0\r\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\r\n\r\nChange Information:\r\n\tOld Value Type:\t\t-\r\n\tOld Value:\t\t-\r\n\tNew Value Type:\t\tREG_DWORD\r\n\tNew Value:\t\t0", - "provider": "Microsoft-Windows-Security-Auditing" + "provider": "Microsoft-Windows-Security-Auditing", + "message": "A registry value was modified.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tFOOBAZ02$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Name:\t\t\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update\r\n\tObject Value Name:\tFirmwareUpdatesNotInstalled\r\n\tHandle ID:\t\t0x22cc\r\n\tOperation Type:\t\tNew registry value created\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0xac0\r\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\r\n\r\nChange Information:\r\n\tOld Value Type:\t\t-\r\n\tOld Value:\t\t-\r\n\tNew Value Type:\t\tREG_DWORD\r\n\tNew Value:\t\t0" }, "action": { "record_id": 27949645047, "type": "Security", "id": 4657, - "properties": [ - { - "EventType": "AUDIT_SUCCESS", - "HandleId": "0x22cc", - "NewValue": "0", - "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update", - "ObjectValueName": "FirmwareUpdatesNotInstalled", - "OpcodeValue": 0, - "OperationType": "%%1904", - "ProcessName": 
"c:\\windows\\system32\\svchost.exe", - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "Severity": "INFO", - "SubjectDomainName": "KEY", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "FOOBAZ02$", - "SubjectUserSid": "S-1-5-18", - "Task": 12801, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" - } - ], + "properties": { + "EventType": "AUDIT_SUCCESS", + "HandleId": "0x22cc", + "NewValue": "0", + "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update", + "ObjectValueName": "FirmwareUpdatesNotInstalled", + "OpcodeValue": 0, + "OperationType": "%%1904", + "ProcessName": "c:\\windows\\system32\\svchost.exe", + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Severity": "INFO", + "SubjectDomainName": "KEY", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "FOOBAZ02$", + "SubjectUserSid": "S-1-5-18", + "Task": 12801, + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9214364837600034816" + }, "name": "A registry value was modified", "outcome": "success" }, 
@@ -2698,31 +2666,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-09-30 12:32:03\",\"Hostname\":\"V-FOO\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4658,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":12801,\"OpcodeValue\":0,\"RecordNumber\":11254204732,\"ProcessID\":4,\"ThreadID\":6740,\"Channel\":\"Security\",\"Message\":\"The handle to an object was closed.\\r\\n\\r\\nSubject :\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tV-FOO$\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0x3E7\\r\\n\\r\\nObject:\\r\\n\\tObject Server:\\t\\tSecurity\\r\\n\\tHandle ID:\\t\\t0x5c44\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t\\t0x4e58\\r\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"Category\":\"Registry\",\"Opcode\":\"Info\",\"SubjectUserSid\":\"S-1-5-18\",\"SubjectUserName\":\"V-FOO$\",\"SubjectDomainName\":\"KEY\",\"SubjectLogonId\":\"0x3e7\",\"ObjectServer\":\"Security\",\"HandleId\":\"0x5c44\",\"ProcessName\":\"C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"EventReceivedTime\":\"2010-09-30 12:32:03\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4658", - "message": "The handle to an object was closed.\r\n\r\nSubject :\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tV-FOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tHandle ID:\t\t0x5c44\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x4e58\r\n\tProcess Name:\t\tC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", - "provider": "Microsoft-Windows-Security-Auditing" + "provider": "Microsoft-Windows-Security-Auditing", + "message": "The handle to an object 
was closed.\r\n\r\nSubject :\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tV-FOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tHandle ID:\t\t0x5c44\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x4e58\r\n\tProcess Name:\t\tC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" }, "action": { "record_id": 11254204732, "type": "Security", "id": 4658, - "properties": [ - { - "EventType": "AUDIT_SUCCESS", - "HandleId": "0x5c44", - "ObjectServer": "Security", - "OpcodeValue": 0, - "ProcessName": "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe", - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "Severity": "INFO", - "SubjectDomainName": "KEY", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "V-FOO$", - "SubjectUserSid": "S-1-5-18", - "Task": 12801, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" - } - ], + "properties": { + "EventType": "AUDIT_SUCCESS", + "HandleId": "0x5c44", + "ObjectServer": "Security", + "OpcodeValue": 0, + "ProcessName": "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe", + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Severity": "INFO", + "SubjectDomainName": "KEY", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "V-FOO$", + "SubjectUserSid": "S-1-5-18", + "Task": 12801, + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9214364837600034816" + }, "name": "The handle to an object was closed", "outcome": "success" }, 
@@ -2774,36 +2740,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-09-30 14:43:13\",\"Hostname\":\"V-FOO\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4663,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":1,\"Task\":12802,\"OpcodeValue\":0,\"RecordNumber\":1507550680,\"ProcessID\":4,\"ThreadID\":10820,\"Channel\":\"Security\",\"Message\":\"An attempt was made to access an object.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tV-FOO$\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0x3E7\\r\\n\\r\\nObject:\\r\\n\\tObject Server:\\t\\tSecurity\\r\\n\\tObject Type:\\t\\tProcess\\r\\n\\tObject Name:\\t\\t\\\\Device\\\\HarddiskVolume2\\\\Windows\\\\System32\\\\lsass.exe\\r\\n\\tHandle ID:\\t\\t0x5d4\\r\\n\\tResource Attributes:\\t-\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t\\t0xcc8\\r\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\\r\\n\\r\\nAccess Request Information:\\r\\n\\tAccesses:\\t\\tRead from process memory\\r\\n\\t\\t\\t\\t\\r\\n\\tAccess Mask:\\t\\t0x10\",\"Category\":\"Kernel Object\",\"Opcode\":\"Info\",\"SubjectUserSid\":\"S-1-5-18\",\"SubjectUserName\":\"V-FOO$\",\"SubjectDomainName\":\"KEY\",\"SubjectLogonId\":\"0x3e7\",\"ObjectServer\":\"Security\",\"ObjectType\":\"Process\",\"ObjectName\":\"\\\\Device\\\\HarddiskVolume2\\\\Windows\\\\System32\\\\lsass.exe\",\"HandleId\":\"0x5d4\",\"AccessList\":\"%%4484\\r\\n\\t\\t\\t\\t\",\"AccessMask\":\"0x10\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\"ResourceAttributes\":\"-\",\"EventReceivedTime\":\"2010-09-30 14:43:15\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4663", - "message": "An attempt was made to access an 
object.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tV-FOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tObject Type:\t\tProcess\r\n\tObject Name:\t\t\\Device\\HarddiskVolume2\\Windows\\System32\\lsass.exe\r\n\tHandle ID:\t\t0x5d4\r\n\tResource Attributes:\t-\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0xcc8\r\n\tProcess Name:\t\tC:\\Windows\\System32\\wbem\\WmiPrvSE.exe\r\n\r\nAccess Request Information:\r\n\tAccesses:\t\tRead from process memory\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x10", - "provider": "Microsoft-Windows-Security-Auditing" + "provider": "Microsoft-Windows-Security-Auditing", + "message": "An attempt was made to access an object.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tV-FOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tObject Type:\t\tProcess\r\n\tObject Name:\t\t\\Device\\HarddiskVolume2\\Windows\\System32\\lsass.exe\r\n\tHandle ID:\t\t0x5d4\r\n\tResource Attributes:\t-\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0xcc8\r\n\tProcess Name:\t\tC:\\Windows\\System32\\wbem\\WmiPrvSE.exe\r\n\r\nAccess Request Information:\r\n\tAccesses:\t\tRead from process memory\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x10" }, "action": { "record_id": 1507550680, "type": "Security", "id": 4663, - "properties": [ - { - "Accesses": "\t\tRead from process memory", - "AccessList": "%%4484\r\n\t\t\t\t", - "AccessMask": "0x10", - "EventType": "AUDIT_SUCCESS", - "HandleId": "0x5d4", - "ObjectName": "\\Device\\HarddiskVolume2\\Windows\\System32\\lsass.exe", - "ObjectServer": "Security", - "ObjectType": "Process", - "OpcodeValue": 0, - "ProcessName": "c:\\windows\\system32\\wbem\\wmiprvse.exe", - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "Severity": "INFO", - "SubjectDomainName": "KEY", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "V-FOO$", - "SubjectUserSid": "S-1-5-18", - "Task": 12802, 
- "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" - } - ], + "properties": { + "Accesses": "\t\tRead from process memory", + "AccessList": "%%4484\r\n\t\t\t\t", + "AccessMask": "0x10", + "EventType": "AUDIT_SUCCESS", + "HandleId": "0x5d4", + "ObjectName": "\\Device\\HarddiskVolume2\\Windows\\System32\\lsass.exe", + "ObjectServer": "Security", + "ObjectType": "Process", + "OpcodeValue": 0, + "ProcessName": "c:\\windows\\system32\\wbem\\wmiprvse.exe", + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Severity": "INFO", + "SubjectDomainName": "KEY", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "V-FOO$", + "SubjectUserSid": "S-1-5-18", + "Task": 12802, + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9214364837600034816" + }, "name": "An attempt was made to access an object", "outcome": "success" }, 
@@ -2865,26 +2829,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "record_id": 878009, "type": "Security", "id": 4670, - "properties": [ - { - "EventType": "AUDIT_SUCCESS", - "HandleId": "0x444", - "ObjectName": "-", - "ObjectServer": "Security", - "ObjectType": "Token", - "OpcodeValue": 0, - "ProcessName": "c:\\windows\\system32\\searchindexer.exe", - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "Severity": "INFO", - "SubjectDomainName": "KEY", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "FOOBAZ$", - "SubjectUserSid": "S-1-5-18", - "Task": 13570, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" - } - ], + "properties": { + "EventType": "AUDIT_SUCCESS", + "HandleId": "0x444", + "ObjectName": "-", + "ObjectServer": "Security", + "ObjectType": "Token", + "OpcodeValue": 0, + "ProcessName": "c:\\windows\\system32\\searchindexer.exe", + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Severity": "INFO", + "SubjectDomainName": "KEY", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "FOOBAZ$", + "SubjectUserSid": "S-1-5-18", + "Task": 13570, + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9214364837600034816" + }, "name": "Permissions on an object were changed", "outcome": "success" }, 
@@ -2959,24 +2921,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "record_id": 968049, "type": "Security", "id": 4688, - "properties": [ - { - "EventType": "AUDIT_SUCCESS", - "OpcodeValue": 0, - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "Severity": "INFO", - "SubjectDomainName": "REDACTED", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "REDACTED", - "SubjectUserSid": "S-1-5-18", - "TargetDomainName": "-", - "TargetUserName": "-", - "TargetUserSid": "S-1-0-0", - "Task": 13312, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600035000" - } - ], + "properties": { + "EventType": "AUDIT_SUCCESS", + "OpcodeValue": 0, + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Severity": "INFO", + "SubjectDomainName": "REDACTED", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "REDACTED", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "-", + "TargetUserName": "-", + "TargetUserSid": "S-1-0-0", + "Task": 13312, + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9214364837600035000" + }, "name": "A new process has been created", "outcome": "success" }, 
@@ -3029,23 +2989,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "record_id": 1840478, "type": "Security", "id": 4689, - "properties": [ - { - "EventType": "AUDIT_SUCCESS", - "OpcodeValue": 0, - "ProcessName": "c:\\windows\\system32\\svchost.exe", - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "Severity": "INFO", - "Status": "0x0", - "SubjectDomainName": "REDACTED", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "REDACTED", - "SubjectUserSid": "S-1-5-18", - "Task": 13313, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" - } - ], + "properties": { + "EventType": "AUDIT_SUCCESS", + "OpcodeValue": 0, + "ProcessName": "c:\\windows\\system32\\svchost.exe", + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Severity": "INFO", + "Status": "0x0", + "SubjectDomainName": "REDACTED", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "REDACTED", + "SubjectUserSid": "S-1-5-18", + "Task": 13313, + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9214364837600034816" + }, "name": "A process has exited", "outcome": "success" }, 
@@ -3097,31 +3055,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\": \"2023-08-25 12:13:33\", \"Hostname\": \"srv-foo\", \"Keywords\": -9214364837600034816, \"EventType\": \"AUDIT_SUCCESS\", \"SeverityValue\": 2, \"Severity\": \"INFO\", \"EventID\": 4698, \"SourceName\": \"Microsoft-Windows-Security-Auditing\", \"ProviderGuid\": \"{54849625-5478-4994-A5BA-3E3B0328C30D}\", \"Version\": 1, \"Task\": 12804, \"OpcodeValue\": 0, \"RecordNumber\": 4302958134, \"ActivityID\": \"{25C1B30D-1E8B-4A26-9E80-ED3A242DB52E}\", \"ProcessID\": 912, \"ThreadID\": 5584, \"Channel\": \"Security\", \"Message\": \"A scheduled task was created.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tsrv-foo$\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0x3E7\\r\\n\\r\\nTask Information:\\r\\n\\tTask Name: \\t\\t\\\\CORP-Dump_Installed_Updates\\r\\n\\tTask Content: \\t\\t\\r\\n\\r\\n \\r\\n KEY\\\\adm_foo\\r\\n \\\\CORP-Dump_Installed_Updates\\r\\n \\r\\n \\r\\n \\r\\n \\r\\n PT1H\\r\\n P1D\\r\\n true\\r\\n \\r\\n 2016-05-02T04:45:00\\r\\n PT30M\\r\\n true\\r\\n \\r\\n 1\\r\\n \\r\\n \\r\\n \\r\\n \\r\\n \\r\\n HighestAvailable\\r\\n NT AUTHORITY\\\\System\\r\\n S4U\\r\\n \\r\\n \\r\\n \\r\\n StopExisting\\r\\n false\\r\\n false\\r\\n true\\r\\n true\\r\\n false\\r\\n \\r\\n PT5M\\r\\n PT1H\\r\\n false\\r\\n false\\r\\n \\r\\n true\\r\\n true\\r\\n false\\r\\n false\\r\\n false\\r\\n PT1H\\r\\n 7\\r\\n \\r\\n PT15M\\r\\n 3\\r\\n \\r\\n \\r\\n \\r\\n \\r\\n C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\r\\n -NonInteractive -NoProfile -Command \\\"Import-Module -Name 'PSWindowsUpdate'; Get-WUHistory -MaxDate (Get-Date).AddMonths(-3) | Export-Clixml -Path 'C:\\\\Exploitation\\\\Scripts\\\\Nagios\\\\LastInstalledUpdates.xml'\\\"\\r\\n \\r\\n \\r\\n\\r\\n\\r\\nOther Information:\\r\\n\\tProcessCreationTime: \\t\\t28428972647776291\\r\\n\\tClientProcessId: 
\\t\\t\\t1700\\r\\n\\tParentProcessId: \\t\\t\\t892\\r\\n\\tFQDN: \\t\\t0\\r\\n\\t\", \"Category\": \"Other Object Access Events\", \"Opcode\": \"Info\", \"SubjectUserSid\": \"S-1-5-18\", \"SubjectUserName\": \"srv-foo$\", \"SubjectDomainName\": \"KEY\", \"SubjectLogonId\": \"0x3e7\", \"TaskName\": \"\\\\CORP-Dump_Installed_Updates\", \"TaskContent\": \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-16\\\"?>\\r\\n<Task version=\\\"1.2\\\" xmlns=\\\"http://schemas.microsoft.com/windows/2004/02/mit/task\\\">\\r\\n <RegistrationInfo>\\r\\n <Author>KEY\\\\adm_foo</Author>\\r\\n <URI>\\\\CORP-Dump_Installed_Updates</URI>\\r\\n </RegistrationInfo>\\r\\n <Triggers>\\r\\n <CalendarTrigger>\\r\\n <Repetition>\\r\\n <Interval>PT1H</Interval>\\r\\n <Duration>P1D</Duration>\\r\\n <StopAtDurationEnd>true</StopAtDurationEnd>\\r\\n </Repetition>\\r\\n <StartBoundary>2016-05-02T04:45:00</StartBoundary>\\r\\n <ExecutionTimeLimit>PT30M</ExecutionTimeLimit>\\r\\n <Enabled>true</Enabled>\\r\\n <ScheduleByDay>\\r\\n <DaysInterval>1</DaysInterval>\\r\\n </ScheduleByDay>\\r\\n </CalendarTrigger>\\r\\n </Triggers>\\r\\n <Principals>\\r\\n <Principal id=\\\"Author\\\">\\r\\n <RunLevel>HighestAvailable</RunLevel>\\r\\n <UserId>NT AUTHORITY\\\\System</UserId>\\r\\n <LogonType>S4U</LogonType>\\r\\n </Principal>\\r\\n </Principals>\\r\\n <Settings>\\r\\n <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>\\r\\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\\r\\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\\r\\n <AllowHardTerminate>true</AllowHardTerminate>\\r\\n <StartWhenAvailable>true</StartWhenAvailable>\\r\\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\\r\\n <IdleSettings>\\r\\n <Duration>PT5M</Duration>\\r\\n <WaitTimeout>PT1H</WaitTimeout>\\r\\n <StopOnIdleEnd>false</StopOnIdleEnd>\\r\\n <RestartOnIdle>false</RestartOnIdle>\\r\\n </IdleSettings>\\r\\n <AllowStartOnDemand>true</AllowStartOnDemand>\\r\\n <Enabled>true</Enabled>\\r\\n 
<Hidden>false</Hidden>\\r\\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\\r\\n <WakeToRun>false</WakeToRun>\\r\\n <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>\\r\\n <Priority>7</Priority>\\r\\n <RestartOnFailure>\\r\\n <Interval>PT15M</Interval>\\r\\n <Count>3</Count>\\r\\n </RestartOnFailure>\\r\\n </Settings>\\r\\n <Actions Context=\\\"Author\\\">\\r\\n <Exec>\\r\\n <Command>C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe</Command>\\r\\n <Arguments>-NonInteractive -NoProfile -Command \\\"Import-Module -Name 'PSWindowsUpdate'; Get-WUHistory -MaxDate (Get-Date).AddMonths(-3) | Export-Clixml -Path 'C:\\\\Exploitation\\\\Scripts\\\\Nagios\\\\LastInstalledUpdates.xml'\\\"</Arguments>\\r\\n </Exec>\\r\\n </Actions>\\r\\n</Task>\", \"ClientProcessStartKey\": \"28428972647776291\", \"ClientProcessId\": \"1700\", \"ParentProcessId\": \"892\", \"RpcCallClientLocality\": \"0\", \"FQDN\": \"srv-foo.key.corp.net\", \"EventReceivedTime\": \"2023-08-25 12:13:34\", \"SourceModuleName\": \"in\", \"SourceModuleType\": \"im_msvistalog\"}", "event": { "code": "4698", - "message": "A scheduled task was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tsrv-foo$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTask Information:\r\n\tTask Name: \t\t\\CORP-Dump_Installed_Updates\r\n\tTask Content: \t\t\r\n\r\n \r\n KEY\\adm_foo\r\n \\CORP-Dump_Installed_Updates\r\n \r\n \r\n \r\n \r\n PT1H\r\n P1D\r\n true\r\n \r\n 2016-05-02T04:45:00\r\n PT30M\r\n true\r\n \r\n 1\r\n \r\n \r\n \r\n \r\n \r\n HighestAvailable\r\n NT AUTHORITY\\System\r\n S4U\r\n \r\n \r\n \r\n StopExisting\r\n false\r\n false\r\n true\r\n true\r\n false\r\n \r\n PT5M\r\n PT1H\r\n false\r\n false\r\n \r\n true\r\n true\r\n false\r\n false\r\n false\r\n PT1H\r\n 7\r\n \r\n PT15M\r\n 3\r\n \r\n \r\n \r\n \r\n C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\r\n -NonInteractive -NoProfile -Command \"Import-Module -Name 'PSWindowsUpdate'; Get-WUHistory 
-MaxDate (Get-Date).AddMonths(-3) | Export-Clixml -Path 'C:\\Exploitation\\Scripts\\Nagios\\LastInstalledUpdates.xml'\"\r\n \r\n \r\n\r\n\r\nOther Information:\r\n\tProcessCreationTime: \t\t28428972647776291\r\n\tClientProcessId: \t\t\t1700\r\n\tParentProcessId: \t\t\t892\r\n\tFQDN: \t\t0\r\n\t", - "provider": "Microsoft-Windows-Security-Auditing" + "provider": "Microsoft-Windows-Security-Auditing", + "message": "A scheduled task was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tsrv-foo$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTask Information:\r\n\tTask Name: \t\t\\CORP-Dump_Installed_Updates\r\n\tTask Content: \t\t\r\n\r\n \r\n KEY\\adm_foo\r\n \\CORP-Dump_Installed_Updates\r\n \r\n \r\n \r\n \r\n PT1H\r\n P1D\r\n true\r\n \r\n 2016-05-02T04:45:00\r\n PT30M\r\n true\r\n \r\n 1\r\n \r\n \r\n \r\n \r\n \r\n HighestAvailable\r\n NT AUTHORITY\\System\r\n S4U\r\n \r\n \r\n \r\n StopExisting\r\n false\r\n false\r\n true\r\n true\r\n false\r\n \r\n PT5M\r\n PT1H\r\n false\r\n false\r\n \r\n true\r\n true\r\n false\r\n false\r\n false\r\n PT1H\r\n 7\r\n \r\n PT15M\r\n 3\r\n \r\n \r\n \r\n \r\n C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\r\n -NonInteractive -NoProfile -Command \"Import-Module -Name 'PSWindowsUpdate'; Get-WUHistory -MaxDate (Get-Date).AddMonths(-3) | Export-Clixml -Path 'C:\\Exploitation\\Scripts\\Nagios\\LastInstalledUpdates.xml'\"\r\n \r\n \r\n\r\n\r\nOther Information:\r\n\tProcessCreationTime: \t\t28428972647776291\r\n\tClientProcessId: \t\t\t1700\r\n\tParentProcessId: \t\t\t892\r\n\tFQDN: \t\t0\r\n\t" }, "action": { "record_id": 4302958134, "type": "Security", "id": 4698, - "properties": [ - { - "EventType": "AUDIT_SUCCESS", - "OpcodeValue": 0, - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "Severity": "INFO", - "SubjectDomainName": "KEY", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "srv-foo$", - "SubjectUserSid": "S-1-5-18", - "Task": 12804, - "TaskName": 
"\\CORP-Dump_Installed_Updates", - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816", - "TaskContentNew_Args": "-NonInteractive -NoProfile -Command \"Import-Module -Name 'PSWindowsUpdate'; Get-WUHistory -MaxDate (Get-Date).AddMonths(-3) | Export-Clixml -Path 'C:\\Exploitation\\Scripts\\Nagios\\LastInstalledUpdates.xml'\"", - "TaskContentNew_Command": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe" - } - ], + "properties": { + "EventType": "AUDIT_SUCCESS", + "OpcodeValue": 0, + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Severity": "INFO", + "SubjectDomainName": "KEY", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "srv-foo$", + "SubjectUserSid": "S-1-5-18", + "Task": 12804, + "TaskName": "\\CORP-Dump_Installed_Updates", + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9214364837600034816", + "TaskContentNew_Args": "-NonInteractive -NoProfile -Command \"Import-Module -Name 'PSWindowsUpdate'; Get-WUHistory -MaxDate (Get-Date).AddMonths(-3) | Export-Clixml -Path 'C:\\Exploitation\\Scripts\\Nagios\\LastInstalledUpdates.xml'\"", + "TaskContentNew_Command": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe" + }, "name": "A scheduled task was created", "outcome": "success" }, 
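Review bot: On the new side the 4698 `action.properties` object carries `TaskContentNew_Command` and `TaskContentNew_Args` but none of the process fields the raw record offers: `ClientProcessId: 1700`, `ParentProcessId: 892` and `ClientProcessStartKey` are all present in the `message` string at the top of the hunk and absent from the object below it. For a scheduled-task-creation audit the registering process is the natural pivot to the 4688 event that started it, so if the parser drops these on purpose the page should say so, and otherwise surfacing them next to `TaskName` would make the sample match what an analyst looks for first. Since the file is generated, the fix belongs in the parser or its template, not in this markdown. The enclosing sample object starts and ends outside the hunk.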
@@ -3177,22 +3133,20 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "record_id": 3128,
 "type": "Security",
 "id": 4719,
- "properties": [
- {
- "AuditPolicyChanges": "%%8449, %%8451",
- "EventType": "AUDIT_SUCCESS",
- "OpcodeValue": 0,
- "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
- "Severity": "INFO",
- "SubjectDomainName": "KEY",
- "SubjectLogonId": "0x3e7",
- "SubjectUserName": "FOOBAR$",
- "SubjectUserSid": "S-1-5-18",
- "Task": 13568,
- "SourceName": "Microsoft-Windows-Security-Auditing",
- "Keywords": "-9214364837600034816"
- }
- ],
+ "properties": {
+ "AuditPolicyChanges": "%%8449, %%8451",
+ "EventType": "AUDIT_SUCCESS",
+ "OpcodeValue": 0,
+ "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "Severity": "INFO",
+ "SubjectDomainName": "KEY",
+ "SubjectLogonId": "0x3e7",
+ "SubjectUserName": "FOOBAR$",
+ "SubjectUserSid": "S-1-5-18",
+ "Task": 13568,
+ "SourceName": "Microsoft-Windows-Security-Auditing",
+ "Keywords": "-9214364837600034816"
+ },
 "name": "System audit policy was changed",
 "outcome": "success"
 },
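Review bot: `"AuditPolicyChanges": "%%8449, %%8451"` on the new side is left as raw Windows message-table placeholders, and the same happens with `"OperationType": "%%14674"` in the 5136 hunk further down, whereas the textual `message` of each sample shows the resolved wording the event log renders. A rule keyed on these fields has to know the `%%` numbering, which this page does not document; either resolve the tokens in the parser (for 5136 the resolved string is right there in the raw `Message`, as `Value Added`) or add a sentence next to the samples stating that `%%NNNN` tokens are passed through unresolved. The audit subcategory that was changed is not in the object either, so if the raw record carries a subcategory identifier as Windows normally does, the sample cannot tell a reader which policy moved. The raw `message` of this 4719 sample is outside the hunk.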
@@ -3241,39 +3195,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2020-11-27 17:05:18\",\"Hostname\":\"SERVERFOO\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4720,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":13824,\"OpcodeValue\":0,\"RecordNumber\":2077430259,\"ProcessID\":1808,\"ThreadID\":9204,\"Channel\":\"Security\",\"Message\":\"A user account was created.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1595408694-1749029380-1551332766-2746\\r\\n\\tAccount Name:\\t\\tSVC_sitemanager\\r\\n\\tAccount Domain:\\t\\tEXTRAWEB\\r\\n\\tLogon ID:\\t\\t0x8A2F8844\\r\\n\\r\\nNew Account:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1595408694-1749029380-1551332766-47859\\r\\n\\tAccount Name:\\t\\tUSERFOO\\r\\n\\tAccount Domain:\\t\\tEXTRAWEB\\r\\n\\r\\nAttributes:\\r\\n\\tSAM Account Name:\\tUSERFOO\\r\\n\\tDisplay Name:\\t\\tUSERFOO USERLASTNAME\\r\\n\\tUser Principal Name:\\\\tuserfoo@mycorp.nett\\r\\n\\tHome Directory:\\t\\t-\\r\\n\\tHome Drive:\\t\\t-\\r\\n\\tScript Path:\\t\\t-\\r\\n\\tProfile Path:\\t\\t-\\r\\n\\tUser Workstations:\\t-\\r\\n\\tPassword Last Set:\\t\\r\\n\\tAccount Expires:\\t\\t28/11/2021 00:00:00\\r\\n\\tPrimary Group ID:\\t513\\r\\n\\tAllowed To Delegate To:\\t-\\r\\n\\tOld UAC Value:\\t\\t0x0\\r\\n\\tNew UAC Value:\\t\\t0x15\\r\\n\\tUser Account Control:\\t\\r\\n\\t\\tAccount Disabled\\r\\n\\t\\t'Password Not Required' - Enabled\\r\\n\\t\\t'Normal Account' - Enabled\\r\\n\\tUser Parameters:\\t-\\r\\n\\tSID History:\\t\\t-\\r\\n\\tLogon Hours:\\t\\t\\r\\n\\r\\nAdditional Information:\\r\\n\\tPrivileges\\t\\t-\",\"Category\":\"User Account 
Management\",\"Opcode\":\"Info\",\"TargetUserName\":\"USERFOO\",\"TargetDomainName\":\"EXTRAWEB\",\"TargetSid\":\"S-1-5-21-1595408694-1749029380-1551332766-47859\",\"SubjectUserSid\":\"S-1-5-21-1595408694-1749029380-1551332766-2746\",\"SubjectUserName\":\"SVC_sitemanager\",\"SubjectDomainName\":\"EXTRAWEB\",\"SubjectLogonId\":\"0x8a2f8844\",\"PrivilegeList\":\"-\",\"SamAccountName\":\"USERFOO\",\"DisplayName\":\"USERFOO USERLASTNAME\",\"UserPrincipalName\":\"userfoo@mycorp.nett\",\"HomeDirectory\":\"-\",\"HomePath\":\"-\",\"ScriptPath\":\"-\",\"ProfilePath\":\"-\",\"UserWorkstations\":\"-\",\"PasswordLastSet\":\"%%1794\",\"AccountExpires\":\"28/11/2021 00:00:00\",\"PrimaryGroupId\":\"513\",\"AllowedToDelegateTo\":\"-\",\"OldUacValue\":\"0x0\",\"NewUacValue\":\"0x15\",\"UserAccountControl\":\"\\r\\n\\t\\t%%2080\\r\\n\\t\\t%%2082\\r\\n\\t\\t%%2084\",\"UserParameters\":\"-\",\"SidHistory\":\"-\",\"LogonHours\":\"%%1793\",\"EventReceivedTime\":\"2020-11-27 17:05:19\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4720", - "message": "A user account was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1595408694-1749029380-1551332766-2746\r\n\tAccount Name:\t\tSVC_sitemanager\r\n\tAccount Domain:\t\tEXTRAWEB\r\n\tLogon ID:\t\t0x8A2F8844\r\n\r\nNew Account:\r\n\tSecurity ID:\t\tS-1-5-21-1595408694-1749029380-1551332766-47859\r\n\tAccount Name:\t\tUSERFOO\r\n\tAccount Domain:\t\tEXTRAWEB\r\n\r\nAttributes:\r\n\tSAM Account Name:\tUSERFOO\r\n\tDisplay Name:\t\tUSERFOO USERLASTNAME\r\n\tUser Principal Name:\\tuserfoo@mycorp.nett\r\n\tHome Directory:\t\t-\r\n\tHome Drive:\t\t-\r\n\tScript Path:\t\t-\r\n\tProfile Path:\t\t-\r\n\tUser Workstations:\t-\r\n\tPassword Last Set:\t\r\n\tAccount Expires:\t\t28/11/2021 00:00:00\r\n\tPrimary Group ID:\t513\r\n\tAllowed To Delegate To:\t-\r\n\tOld UAC Value:\t\t0x0\r\n\tNew UAC Value:\t\t0x15\r\n\tUser Account Control:\t\r\n\t\tAccount Disabled\r\n\t\t'Password Not Required' - 
Enabled\r\n\t\t'Normal Account' - Enabled\r\n\tUser Parameters:\t-\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\t\r\n\r\nAdditional Information:\r\n\tPrivileges\t\t-", - "provider": "Microsoft-Windows-Security-Auditing" + "provider": "Microsoft-Windows-Security-Auditing", + "message": "A user account was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1595408694-1749029380-1551332766-2746\r\n\tAccount Name:\t\tSVC_sitemanager\r\n\tAccount Domain:\t\tEXTRAWEB\r\n\tLogon ID:\t\t0x8A2F8844\r\n\r\nNew Account:\r\n\tSecurity ID:\t\tS-1-5-21-1595408694-1749029380-1551332766-47859\r\n\tAccount Name:\t\tUSERFOO\r\n\tAccount Domain:\t\tEXTRAWEB\r\n\r\nAttributes:\r\n\tSAM Account Name:\tUSERFOO\r\n\tDisplay Name:\t\tUSERFOO USERLASTNAME\r\n\tUser Principal Name:\\tuserfoo@mycorp.nett\r\n\tHome Directory:\t\t-\r\n\tHome Drive:\t\t-\r\n\tScript Path:\t\t-\r\n\tProfile Path:\t\t-\r\n\tUser Workstations:\t-\r\n\tPassword Last Set:\t\r\n\tAccount Expires:\t\t28/11/2021 00:00:00\r\n\tPrimary Group ID:\t513\r\n\tAllowed To Delegate To:\t-\r\n\tOld UAC Value:\t\t0x0\r\n\tNew UAC Value:\t\t0x15\r\n\tUser Account Control:\t\r\n\t\tAccount Disabled\r\n\t\t'Password Not Required' - Enabled\r\n\t\t'Normal Account' - Enabled\r\n\tUser Parameters:\t-\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\t\r\n\r\nAdditional Information:\r\n\tPrivileges\t\t-" }, "action": { "record_id": 2077430259, "type": "Security", "id": 4720, - "properties": [ - { - "AllowedToDelegateTo": "-", - "DisplayName": "USERFOO USERLASTNAME", - "EventType": "AUDIT_SUCCESS", - "HomeDirectory": "-", - "OpcodeValue": 0, - "PrivilegeList": "-", - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "SamAccountName": "USERFOO", - "ScriptPath": "-", - "Severity": "INFO", - "SidHistory": "-", - "SubjectDomainName": "EXTRAWEB", - "SubjectLogonId": "0x8a2f8844", - "SubjectUserName": "SVC_sitemanager", - "SubjectUserSid": "S-1-5-21-1595408694-1749029380-1551332766-2746", - "TargetDomainName": "EXTRAWEB", - "TargetSid": 
"S-1-5-21-1595408694-1749029380-1551332766-47859", - "TargetUserName": "USERFOO", - "Task": 13824, - "UserPrincipalName": "userfoo@mycorp.nett", - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" - } - ], + "properties": { + "AllowedToDelegateTo": "-", + "DisplayName": "USERFOO USERLASTNAME", + "EventType": "AUDIT_SUCCESS", + "HomeDirectory": "-", + "OpcodeValue": 0, + "PrivilegeList": "-", + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "SamAccountName": "USERFOO", + "ScriptPath": "-", + "Severity": "INFO", + "SidHistory": "-", + "SubjectDomainName": "EXTRAWEB", + "SubjectLogonId": "0x8a2f8844", + "SubjectUserName": "SVC_sitemanager", + "SubjectUserSid": "S-1-5-21-1595408694-1749029380-1551332766-2746", + "TargetDomainName": "EXTRAWEB", + "TargetSid": "S-1-5-21-1595408694-1749029380-1551332766-47859", + "TargetUserName": "USERFOO", + "Task": 13824, + "UserPrincipalName": "userfoo@mycorp.nett", + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9214364837600034816" + }, "name": "A user account was created", "outcome": "success" }, 
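Review bot: The 4720 `action.properties` object on the new side keeps descriptive attributes (`DisplayName`, `HomeDirectory`, `ScriptPath`) but not `OldUacValue`/`NewUacValue`, `PasswordLastSet` or `AccountExpires`, although the raw `message` at the top of the hunk has `NewUacValue: 0x15` and its rendered text spells out `'Password Not Required' - Enabled` for the new account. The UAC flags of a freshly created account are the part of this event that matters for spotting weak or pre-disabled accounts, so if the omission is deliberate it should be stated on the page, and otherwise the parser should carry them. `AccountExpires` is a locale-formatted date (`28/11/2021 00:00:00`) in the raw record, so if it is ever mapped it should be normalized to an RFC 3339 string rather than copied. The enclosing sample object starts and ends outside the hunk.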
@@ -3326,34 +3278,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-12-11 16:17:08\",\"Hostname\":\"FOOBAZ11\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4769,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":14337,\"OpcodeValue\":0,\"RecordNumber\":30707351571,\"ProcessID\":1812,\"ThreadID\":4500,\"Channel\":\"Security\",\"Message\":\"A Kerberos service ticket was requested.\\r\\n\\r\\nAccount Information:\\r\\n\\tAccount Name:\\t\\tHOSTFOO\\r\\n\\tAccount Domain:\\t\\tKEY.HOSTFOO\\r\\n\\tLogon GUID:\\t\\t{25EC3BE0-427C-8A48-FD6F-0EF462F18BEB}\\r\\n\\r\\nService Information:\\r\\n\\tService Name:\\t\\tV-FOO$\\r\\n\\tService ID:\\t\\tS-1-5-21-1574594750-1263408776-2012955550-74694\\r\\n\\r\\nNetwork Information:\\r\\n\\tClient Address:\\t\\t::ffff:1.1.1.1\\r\\n\\tClient Port:\\t\\t54021\\r\\n\\r\\nAdditional Information:\\r\\n\\tTicket Options:\\t\\t0x40810000\\r\\n\\tTicket Encryption Type:\\t0x12\\r\\n\\tFailure Code:\\t\\t0x0\\r\\n\\tTransited Services:\\t-\\r\\n\\r\\nThis event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.\\r\\n\\r\\nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. 
The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.\\r\\n\\r\\nTicket options, encryption types, and failure codes are defined in RFC 4120.\",\"Category\":\"Kerberos Service Ticket Operations\",\"Opcode\":\"Info\",\"TargetUserName\":\"HOSTFOO@KEY.HOSTFOO\",\"TargetDomainName\":\"KEY.HOSTFOO\",\"ServiceName\":\"V-FOO$\",\"ServiceSid\":\"S-1-5-21-1574594750-1263408776-2012955550-74694\",\"TicketOptions\":\"0x40810000\",\"TicketEncryptionType\":\"0x12\",\"IpAddress\":\"::ffff:1.1.1.1\",\"IpPort\":\"54021\",\"Status\":\"0x0\",\"LogonGuid\":\"{25EC3BE0-427C-8A48-FD6F-0EF462F18BEB}\",\"TransmittedServices\":\"-\",\"EventReceivedTime\":\"2010-12-11 16:17:09\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4769", - "message": "A Kerberos service ticket was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tHOSTFOO\r\n\tAccount Domain:\t\tKEY.HOSTFOO\r\n\tLogon GUID:\t\t{25EC3BE0-427C-8A48-FD6F-0EF462F18BEB}\r\n\r\nService Information:\r\n\tService Name:\t\tV-FOO$\r\n\tService ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-74694\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::ffff:1.1.1.1\r\n\tClient Port:\t\t54021\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810000\r\n\tTicket Encryption Type:\t0x12\r\n\tFailure Code:\t\t0x0\r\n\tTransited Services:\t-\r\n\r\nThis event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.\r\n\r\nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. 
The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.\r\n\r\nTicket options, encryption types, and failure codes are defined in RFC 4120.", - "provider": "Microsoft-Windows-Security-Auditing" + "provider": "Microsoft-Windows-Security-Auditing", + "message": "A Kerberos service ticket was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tHOSTFOO\r\n\tAccount Domain:\t\tKEY.HOSTFOO\r\n\tLogon GUID:\t\t{25EC3BE0-427C-8A48-FD6F-0EF462F18BEB}\r\n\r\nService Information:\r\n\tService Name:\t\tV-FOO$\r\n\tService ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-74694\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::ffff:1.1.1.1\r\n\tClient Port:\t\t54021\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810000\r\n\tTicket Encryption Type:\t0x12\r\n\tFailure Code:\t\t0x0\r\n\tTransited Services:\t-\r\n\r\nThis event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.\r\n\r\nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.\r\n\r\nTicket options, encryption types, and failure codes are defined in RFC 4120." 
}, "action": { "record_id": 30707351571, "type": "Security", "id": 4769, - "properties": [ - { - "EventType": "AUDIT_SUCCESS", - "IpAddress": "::ffff:1.1.1.1", - "IpPort": "54021", - "OpcodeValue": 0, - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "ServiceName": "V-FOO$", - "ServiceSid": "S-1-5-21-1574594750-1263408776-2012955550-74694", - "Severity": "INFO", - "Status": "0x0", - "TargetDomainName": "KEY.HOSTFOO", - "TargetUserName": "HOSTFOO@KEY.HOSTFOO", - "Task": 14337, - "TicketEncryptionType": "0x12", - "TicketOptions": "0x40810000", - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816", - "FailureCode": "0x0" - } - ], + "properties": { + "EventType": "AUDIT_SUCCESS", + "IpAddress": "::ffff:1.1.1.1", + "IpPort": "54021", + "OpcodeValue": 0, + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "ServiceName": "V-FOO$", + "ServiceSid": "S-1-5-21-1574594750-1263408776-2012955550-74694", + "Severity": "INFO", + "Status": "0x0", + "TargetDomainName": "KEY.HOSTFOO", + "TargetUserName": "HOSTFOO@KEY.HOSTFOO", + "Task": 14337, + "TicketEncryptionType": "0x12", + "TicketOptions": "0x40810000", + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9214364837600034816", + "FailureCode": "0x0" + }, "name": "A Kerberos service ticket was requested", "outcome": "success" }, 
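Review bot: `"IpAddress": "::ffff:1.1.1.1"` on the new side of the 4769 `action.properties` object is the IPv4-mapped IPv6 form the Security log writes; whether the parser also derives `source.ip` from it is outside this hunk, but if it does, the `::ffff:` prefix should be stripped so the address compares equal to `1.1.1.1` arriving from any other source. `TicketEncryptionType: "0x12"` and `TicketOptions: "0x40810000"` are kept as hex strings, which is fine for fidelity, but a sentence near the samples saying these are passed through unresolved (0x12 being the AES-256 etype) would save rule authors a lookup when hunting for weaker ticket types. The enclosing sample object starts and ends outside the hunk.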
@@ -3407,32 +3357,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-11-13 17:25:22\",\"Hostname\":\"FOOBAZ11\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":5136,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":14081,\"OpcodeValue\":0,\"RecordNumber\":30373281570,\"ProcessID\":1928,\"ThreadID\":12604,\"Channel\":\"Security\",\"Message\":\"A directory service object was modified.\\r\\n\\t\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1574594750-1263408776-2012955550-123990\\r\\n\\tAccount Name:\\t\\tHOSTNAMEBAZ\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0x2245EEC18\\r\\n\\r\\nDirectory Service:\\r\\n\\tName:\\tkey.mycorp.int\\r\\n\\tType:\\tActive Directory Domain Services\\r\\n\\t\\r\\nObject:\\r\\n\\tDN:\\tCN=MYUSER,OU=Ten,OU=MYCORP Computers,OU=MYCORP Data,DC=key,DC=mycorp,DC=int\\r\\n\\tGUID:\\t{5E818E06-674B-4D67-8D7C-FD08473C7FD4}\\r\\n\\tClass:\\tcomputer\\r\\n\\t\\r\\nAttribute:\\r\\n\\tLDAP Display Name:\\tservicePrincipalName\\r\\n\\tSyntax (OID):\\t1.1.1.1\\r\\n\\tValue:\\tCmRcService/MYUSER\\r\\n\\t\\r\\nOperation:\\r\\n\\tType:\\tValue Added\\r\\n\\tCorrelation ID:\\t{862BB478-DF85-4696-B45A-8C27F04C9377}\\r\\n\\tApplication Correlation ID:\\t-\",\"Category\":\"Directory Service Changes\",\"Opcode\":\"Info\",\"OpCorrelationID\":\"{862BB478-DF85-4696-B45A-8C27F04C9377}\",\"AppCorrelationID\":\"-\",\"SubjectUserSid\":\"S-1-5-21-1574594750-1263408776-2012955550-123990\",\"SubjectUserName\":\"HOSTNAMEBAZ\",\"SubjectDomainName\":\"KEY\",\"SubjectLogonId\":\"0x2245eec18\",\"DSName\":\"key.mycorp.int\",\"DSType\":\"%%14676\",\"ObjectDN\":\"CN=MYUSER,OU=Ten,OU=MYCORP Computers,OU=MYCORP 
Data,DC=key,DC=mycorp,DC=int\",\"ObjectGUID\":\"{5E818E06-674B-4D67-8D7C-FD08473C7FD4}\",\"ObjectClass\":\"computer\",\"AttributeLDAPDisplayName\":\"servicePrincipalName\",\"AttributeSyntaxOID\":\"1.1.1.1\",\"AttributeValue\":\"CmRcService/MYUSER\",\"OperationType\":\"%%14674\",\"EventReceivedTime\":\"2010-11-13 17:25:22\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "5136", - "message": "A directory service object was modified.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-123990\r\n\tAccount Name:\t\tHOSTNAMEBAZ\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x2245EEC18\r\n\r\nDirectory Service:\r\n\tName:\tkey.mycorp.int\r\n\tType:\tActive Directory Domain Services\r\n\t\r\nObject:\r\n\tDN:\tCN=MYUSER,OU=Ten,OU=MYCORP Computers,OU=MYCORP Data,DC=key,DC=mycorp,DC=int\r\n\tGUID:\t{5E818E06-674B-4D67-8D7C-FD08473C7FD4}\r\n\tClass:\tcomputer\r\n\t\r\nAttribute:\r\n\tLDAP Display Name:\tservicePrincipalName\r\n\tSyntax (OID):\t1.1.1.1\r\n\tValue:\tCmRcService/MYUSER\r\n\t\r\nOperation:\r\n\tType:\tValue Added\r\n\tCorrelation ID:\t{862BB478-DF85-4696-B45A-8C27F04C9377}\r\n\tApplication Correlation ID:\t-", - "provider": "Microsoft-Windows-Security-Auditing" + "provider": "Microsoft-Windows-Security-Auditing", + "message": "A directory service object was modified.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-123990\r\n\tAccount Name:\t\tHOSTNAMEBAZ\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x2245EEC18\r\n\r\nDirectory Service:\r\n\tName:\tkey.mycorp.int\r\n\tType:\tActive Directory Domain Services\r\n\t\r\nObject:\r\n\tDN:\tCN=MYUSER,OU=Ten,OU=MYCORP Computers,OU=MYCORP Data,DC=key,DC=mycorp,DC=int\r\n\tGUID:\t{5E818E06-674B-4D67-8D7C-FD08473C7FD4}\r\n\tClass:\tcomputer\r\n\t\r\nAttribute:\r\n\tLDAP Display Name:\tservicePrincipalName\r\n\tSyntax (OID):\t1.1.1.1\r\n\tValue:\tCmRcService/MYUSER\r\n\t\r\nOperation:\r\n\tType:\tValue 
Added\r\n\tCorrelation ID:\t{862BB478-DF85-4696-B45A-8C27F04C9377}\r\n\tApplication Correlation ID:\t-" }, "action": { "record_id": 30373281570, "type": "Security", "id": 5136, - "properties": [ - { - "AttributeLDAPDisplayName": "servicePrincipalName", - "AttributeValue": "CmRcService/MYUSER", - "EventType": "AUDIT_SUCCESS", - "ObjectClass": "computer", - "OpcodeValue": 0, - "OperationType": "%%14674", - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "Severity": "INFO", - "SubjectDomainName": "KEY", - "SubjectLogonId": "0x2245eec18", - "SubjectUserName": "HOSTNAMEBAZ", - "SubjectUserSid": "S-1-5-21-1574594750-1263408776-2012955550-123990", - "Task": 14081, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" - } - ], + "properties": { + "AttributeLDAPDisplayName": "servicePrincipalName", + "AttributeValue": "CmRcService/MYUSER", + "EventType": "AUDIT_SUCCESS", + "ObjectClass": "computer", + "OpcodeValue": 0, + "OperationType": "%%14674", + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Severity": "INFO", + "SubjectDomainName": "KEY", + "SubjectLogonId": "0x2245eec18", + "SubjectUserName": "HOSTNAMEBAZ", + "SubjectUserSid": "S-1-5-21-1574594750-1263408776-2012955550-123990", + "Task": 14081, + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9214364837600034816" + }, "name": "A directory service object was modified", "outcome": "success" }, 
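Review bot: The 5136 `action.properties` object on the new side records the attribute that changed (`AttributeLDAPDisplayName: servicePrincipalName`, `AttributeValue: CmRcService/MYUSER`) but not which object it changed on: `ObjectDN`, `ObjectGUID`, `DSName` and `OpCorrelationID` are all in the raw `message` at the top of the hunk and missing below. For a `servicePrincipalName` change the target DN is what a rule needs to decide whether the modification is expected, and the correlation ID is what ties the attribute-level events of one LDAP operation together. If the parser drops them deliberately the page should say so; otherwise surfacing `ObjectDN` and `OpCorrelationID` would be the fix, in the parser rather than in this generated file. The enclosing sample object starts and ends outside the hunk.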
@@ -3481,21 +3429,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"@timestamp\": \"2010-10-29T12:16:10.651Z\", \"TimeCreated\": \"2010-10-29T12:16:10.651Z\", \"ProviderGuid\": \"{54849625-5478-4994-a5ba-3e3b0328c30d}\", \"SourcePort\": \"8000\", \"LayerName\": \"%%14609\", \"SourceAddress\": \"::\", \"Level\": \"0\", \"Channel\": \"Security\", \"Task\": \"12810\", \"Protocol\": \"6\", \"SourceName\": \"Microsoft-Windows-Security-Auditing\", \"Hostname\": \"WORKSTATION5\", \"ProcessId\": \"10220\", \"LayerRTID\": \"42\", \"FilterRTID\": \"81935\", \"EventID\": 5154, \"Keywords\": \"0x8020000000000000\", \"Application\": \"\\\\device\\\\harddiskvolume2\\\\users\\\\wardog\\\\appdata\\\\local\\\\programs\\\\python\\\\python39\\\\python.exe\", \"Message\": \"The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.\\r\\n\\r\\nApplication Information:\\r\\n\\tProcess ID:\\t\\t10220\\r\\n\\tApplication Name:\\t\\\\device\\\\harddiskvolume2\\\\users\\\\wardog\\\\appdata\\\\local\\\\programs\\\\python\\\\python39\\\\python.exe\\r\\n\\r\\nNetwork Information:\\r\\n\\tSource Address:\\t\\t::\\r\\n\\tSource Port:\\t\\t8000\\r\\n\\tProtocol:\\t\\t6\\r\\n\\r\\nFilter Information:\\r\\n\\tFilter Run-Time ID:\\t81935\\r\\n\\tLayer Name:\\t\\tListen\\r\\n\\tLayer Run-Time ID:\\t42\", \"EventTime\": \"2011-06-10 08:53:53\"}", "event": { "code": "5154", - "message": "The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.\r\n\r\nApplication Information:\r\n\tProcess ID:\t\t10220\r\n\tApplication Name:\t\\device\\harddiskvolume2\\users\\wardog\\appdata\\local\\programs\\python\\python39\\python.exe\r\n\r\nNetwork Information:\r\n\tSource Address:\t\t::\r\n\tSource Port:\t\t8000\r\n\tProtocol:\t\t6\r\n\r\nFilter Information:\r\n\tFilter Run-Time ID:\t81935\r\n\tLayer Name:\t\tListen\r\n\tLayer Run-Time ID:\t42", - 
"provider": "Microsoft-Windows-Security-Auditing" + "provider": "Microsoft-Windows-Security-Auditing", + "message": "The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.\r\n\r\nApplication Information:\r\n\tProcess ID:\t\t10220\r\n\tApplication Name:\t\\device\\harddiskvolume2\\users\\wardog\\appdata\\local\\programs\\python\\python39\\python.exe\r\n\r\nNetwork Information:\r\n\tSource Address:\t\t::\r\n\tSource Port:\t\t8000\r\n\tProtocol:\t\t6\r\n\r\nFilter Information:\r\n\tFilter Run-Time ID:\t81935\r\n\tLayer Name:\t\tListen\r\n\tLayer Run-Time ID:\t42" }, "action": { "type": "Security", "id": 5154, - "properties": [ - { - "Application": "\\device\\harddiskvolume2\\users\\wardog\\appdata\\local\\programs\\python\\python39\\python.exe", - "ProviderGuid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "Task": 12810, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "0x8020000000000000" - } - ], + "properties": { + "Application": "\\device\\harddiskvolume2\\users\\wardog\\appdata\\local\\programs\\python\\python39\\python.exe", + "ProviderGuid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "Task": 12810, + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "0x8020000000000000" + }, "name": "The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections" }, "log": { 
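Review bot: `"Keywords": "0x8020000000000000"` on the new side of the 5154 object is the same audit-success bitmask that every other sample on this page stores as `"-9214364837600034816"`, so consumers now face the one keyword in two encodings depending on which collector produced the record (this sample's raw `message` quotes it as a hex string, the NXLog ones emit a signed integer). Normalizing `Keywords` to a single representation in the parser, or at least stating on the page that it is passed through as received, would keep rules from having to match both forms. Separately, the object keeps `Application` but not `SourceAddress`, `SourcePort` or `Protocol`, which the raw record supplies (`::`, `8000`, `6`) and which are the whole point of a listen-permitted event; if that is intended it should be documented. The enclosing sample object starts and ends outside the hunk.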
@@ -3538,26 +3484,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-10-21 14:10:49\",\"Hostname\":\"host.foo.local\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":5156,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":1,\"Task\":12810,\"OpcodeValue\":0,\"RecordNumber\":10943,\"ProcessID\":4,\"ThreadID\":148,\"Channel\":\"Security\",\"Message\":\"La plateforme WPF (Windows Filtering Platform) a autoris\u00e9 une connexion.\\r\\n\\r\\nInformations sur l\u2019application :\\r\\n\\tID du processus :\\t\\t1452\\r\\n\\tNom de l\u2019application :\\t\\\\device\\\\harddiskvolume2\\\\program files (x86)\\\\nxlog\\\\nxlog.exe\\r\\n\\r\\nInformations sur le r\u00e9seau :\\r\\n\\tDirection :\\t\\tEntrant\\r\\n\\tAdresse source :\\t\\t1.1.1.1\\r\\n\\tPort source :\\t\\t51845\\r\\n\\tAdresse de destination :\\t1.1.1.1\\r\\n\\tPort de destination :\\t\\t51846\\r\\n\\tProtocole :\\t\\t6\\r\\n\\r\\nInformations sur le filtre :\\r\\n\\tID d\u2019ex\u00e9cution du filtre :\\t9\\r\\n\\tNom de la couche :\\t\\tR\u00e9ception/Acceptation\\r\\n\\tID d\u2019ex\u00e9cution de la couche :\\t44\",\"Category\":\"Connexion de la plateforme de filtrage\",\"Opcode\":\"Informations\",\"Application\":\"\\\\device\\\\harddiskvolume2\\\\program files (x86)\\\\nxlog\\\\nxlog.exe\",\"Direction\":\"%%14592\",\"SourceAddress\":\"1.1.1.1\",\"SourcePort\":\"51845\",\"DestAddress\":\"1.1.1.1\",\"DestPort\":\"51846\",\"Protocol\":\"6\",\"FilterRTID\":\"9\",\"LayerName\":\"%%14610\",\"LayerRTID\":\"44\",\"RemoteUserID\":\"S-1-0-0\",\"RemoteMachineID\":\"S-1-0-0\",\"EventReceivedTime\":\"2010-10-21 14:10:50\",\"SourceModuleName\":\"security\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "5156", - "message": "La plateforme WPF (Windows Filtering Platform) a autoris\u00e9 une 
connexion.\r\n\r\nInformations sur l\u2019application :\r\n\tID du processus :\t\t1452\r\n\tNom de l\u2019application :\t\\device\\harddiskvolume2\\program files (x86)\\nxlog\\nxlog.exe\r\n\r\nInformations sur le r\u00e9seau :\r\n\tDirection :\t\tEntrant\r\n\tAdresse source :\t\t1.1.1.1\r\n\tPort source :\t\t51845\r\n\tAdresse de destination :\t1.1.1.1\r\n\tPort de destination :\t\t51846\r\n\tProtocole :\t\t6\r\n\r\nInformations sur le filtre :\r\n\tID d\u2019ex\u00e9cution du filtre :\t9\r\n\tNom de la couche :\t\tR\u00e9ception/Acceptation\r\n\tID d\u2019ex\u00e9cution de la couche :\t44", - "provider": "Microsoft-Windows-Security-Auditing" + "provider": "Microsoft-Windows-Security-Auditing", + "message": "La plateforme WPF (Windows Filtering Platform) a autoris\u00e9 une connexion.\r\n\r\nInformations sur l\u2019application :\r\n\tID du processus :\t\t1452\r\n\tNom de l\u2019application :\t\\device\\harddiskvolume2\\program files (x86)\\nxlog\\nxlog.exe\r\n\r\nInformations sur le r\u00e9seau :\r\n\tDirection :\t\tEntrant\r\n\tAdresse source :\t\t1.1.1.1\r\n\tPort source :\t\t51845\r\n\tAdresse de destination :\t1.1.1.1\r\n\tPort de destination :\t\t51846\r\n\tProtocole :\t\t6\r\n\r\nInformations sur le filtre :\r\n\tID d\u2019ex\u00e9cution du filtre :\t9\r\n\tNom de la couche :\t\tR\u00e9ception/Acceptation\r\n\tID d\u2019ex\u00e9cution de la couche :\t44" }, "action": { "record_id": 10943, "type": "Security", "id": 5156, - "properties": [ - { - "Application": "\\device\\harddiskvolume2\\program files (x86)\\nxlog\\nxlog.exe", - "EventType": "AUDIT_SUCCESS", - "OpcodeValue": 0, - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "Severity": "INFO", - "Task": 12810, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816", - "DestinationPort": "51846" - } - ], + "properties": { + "Application": "\\device\\harddiskvolume2\\program files (x86)\\nxlog\\nxlog.exe", + "EventType": "AUDIT_SUCCESS", + "OpcodeValue": 0, + 
"ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Severity": "INFO", + "Task": 12810, + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9214364837600034816", + "DestinationPort": "51846" + }, "name": "The Windows Filtering Platform has allowed a connection", "outcome": "success", "target": "network-traffic" 
@@ -3615,31 +3559,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-10-26 16:58:35\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9187343239835811840,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":7045,\"SourceName\":\"Service Control Manager\",\"ProviderGuid\":\"{555908D1-A6D7-4695-8E1E-26931D2012F4}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":749,\"ProcessID\":528,\"ThreadID\":636,\"Channel\":\"System\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"A service was installed in the system.\\r\\n\\r\\nService Name: MpKslDrv\\r\\nService File Name: C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{5A27824B-0561-40A5-BA9A-9B3E8B24D58D}\\\\MpKslDrv.sys\\r\\nService Type: kernel mode driver\\r\\nService Start Type: system start\\r\\nService Account: \",\"ServiceName\":\"MpKslDrv\",\"ImagePath\":\"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{5A27824B-0561-40A5-BA9A-9B3E8B24D58D}\\\\MpKslDrv.sys\",\"ServiceType\":\"kernel mode driver\",\"StartType\":\"system start\",\"EventReceivedTime\":\"2010-10-26 16:58:36\",\"SourceModuleName\":\"eventlog2\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "7045", - "message": "A service was installed in the system.\r\n\r\nService Name: MpKslDrv\r\nService File Name: C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{5A27824B-0561-40A5-BA9A-9B3E8B24D58D}\\MpKslDrv.sys\r\nService Type: kernel mode driver\r\nService Start Type: system start\r\nService Account: ", - "provider": "Service Control Manager" + "provider": "Service Control Manager", + "message": "A service was installed in the system.\r\n\r\nService Name: MpKslDrv\r\nService File Name: C:\\ProgramData\\Microsoft\\Windows Defender\\Definition 
Updates\\{5A27824B-0561-40A5-BA9A-9B3E8B24D58D}\\MpKslDrv.sys\r\nService Type: kernel mode driver\r\nService Start Type: system start\r\nService Account: " }, "action": { "record_id": 749, "type": "System", "id": 7045, - "properties": [ - { - "AccountName": "SYSTEM", - "AccountType": "User", - "Domain": "NT AUTHORITY", - "EventType": "INFO", - "ImagePath": "C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{5A27824B-0561-40A5-BA9A-9B3E8B24D58D}\\MpKslDrv.sys", - "OpcodeValue": 0, - "ProviderGuid": "{555908D1-A6D7-4695-8E1E-26931D2012F4}", - "ServiceName": "MpKslDrv", - "ServiceType": "kernel mode driver", - "Severity": "INFO", - "StartType": "system start", - "Task": 0, - "SourceName": "Service Control Manager", - "Keywords": "-9187343239835811840" - } - ], + "properties": { + "AccountName": "SYSTEM", + "AccountType": "User", + "Domain": "NT AUTHORITY", + "EventType": "INFO", + "ImagePath": "C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{5A27824B-0561-40A5-BA9A-9B3E8B24D58D}\\MpKslDrv.sys", + "OpcodeValue": 0, + "ProviderGuid": "{555908D1-A6D7-4695-8E1E-26931D2012F4}", + "ServiceName": "MpKslDrv", + "ServiceType": "kernel mode driver", + "Severity": "INFO", + "StartType": "system start", + "Task": 0, + "SourceName": "Service Control Manager", + "Keywords": "-9187343239835811840" + }, "name": "A new service was installed in the system" }, "log": { 
@@ -3687,9 +3629,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": " {\"EventTime\":\"2019-05-17 11:52:59\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":1,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":5,\"Task\":1,\"OpcodeValue\":0,\"RecordNumber\":66,\"ProcessID\":3912,\"ThreadID\":2152,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-05-17 09:52:59.277\\r\\nProcessGuid: {0BA009B0-847B-5CDE-0000-001038720D00}\\r\\nProcessId: 4540\\r\\nImage: C:\\\\Windows\\\\System32\\\\LogonUI.exe\\r\\nFileVersion: 10.0.10586.0 (th2_release.151029-1700)\\r\\nDescription: Windows Logon User Interface Host\\r\\nProduct: Microsoft\u00c2\u00ae Windows\u00c2\u00ae Operating System\\r\\nCompany: Microsoft Corporation\\r\\nCommandLine: \\\"C:\\\\Windows\\\\System32\\\\LogonUI.exe\\\" /flags:0x0 /state0:0xa39dd855 /state1:0x41c64e6d\\r\\nCurrentDirectory: C:\\\\Windows\\\\system32\\\\\\r\\nUser: AUTORITE NT\\\\Syst\u00c3\u00a8me\\r\\nLogonGuid: {0BA009B0-82CF-5CDE-0000-0020E7030000}\\r\\nLogonId: 0x3E7\\r\\nTerminalSessionId: 1\\r\\nIntegrityLevel: System\\r\\nHashes: MD5=D40C84E829922B70D511BB2CC6268D49,SHA256=9A54EE3D6D16D0FE3458B1AE1212F546F94B9E28E5A845D311A04191C724D652\\r\\nParentProcessGuid: {0BA009B0-82CF-5CDE-0000-0010883A0000}\\r\\nParentProcessId: 476\\r\\nParentImage: C:\\\\Windows\\\\System32\\\\winlogon.exe\\r\\nParentCommandLine: winlogon.exe\",\"Category\":\"Process Create (rule: ProcessCreate)\",\"Opcode\":\"Informations\",\"UtcTime\":\"2019-05-17 
09:52:59.277\",\"ProcessGuid\":\"{0BA009B0-847B-5CDE-0000-001038720D00}\",\"Image\":\"C:\\\\Windows\\\\System32\\\\LogonUI.exe\",\"FileVersion\":\"10.0.10586.0 (th2_release.151029-1700)\",\"Description\":\"Windows Logon User Interface Host\",\"Product\":\"Microsoft\u00c2\u00ae Windows\u00c2\u00ae Operating System\",\"Company\":\"Microsoft Corporation\",\"CommandLine\":\"\\\"C:\\\\Windows\\\\System32\\\\LogonUI.exe\\\" /flags:0x0 /state0:0xa39dd855 /state1:0x41c64e6d\",\"CurrentDirectory\":\"C:\\\\Windows\\\\system32\\\\\",\"User\":\"AUTORITE NT\\\\Syst\u00c3\u00a8me\",\"LogonGuid\":\"{0BA009B0-82CF-5CDE-0000-0020E7030000}\",\"LogonId\":\"0x3e7\",\"TerminalSessionId\":\"1\",\"IntegrityLevel\":\"System\",\"Hashes\":\"MD5=D40C84E829922B70D511BB2CC6268D49,SHA256=9A54EE3D6D16D0FE3458B1AE1212F546F94B9E28E5A845D311A04191C724D652\",\"ParentProcessGuid\":\"{0BA009B0-82CF-5CDE-0000-0010883A0000}\",\"ParentProcessId\":\"476\",\"ParentImage\":\"C:\\\\Windows\\\\System32\\\\winlogon.exe\",\"ParentCommandLine\":\"winlogon.exe\",\"EventReceivedTime\":\"2019-05-17 11:53:00\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "1", - "message": "Process Create:\r\nRuleName: \r\nUtcTime: 2019-05-17 09:52:59.277\r\nProcessGuid: {0BA009B0-847B-5CDE-0000-001038720D00}\r\nProcessId: 4540\r\nImage: C:\\Windows\\System32\\LogonUI.exe\r\nFileVersion: 10.0.10586.0 (th2_release.151029-1700)\r\nDescription: Windows Logon User Interface Host\r\nProduct: Microsoft\u00c2\u00ae Windows\u00c2\u00ae Operating System\r\nCompany: Microsoft Corporation\r\nCommandLine: \"C:\\Windows\\System32\\LogonUI.exe\" /flags:0x0 /state0:0xa39dd855 /state1:0x41c64e6d\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: AUTORITE NT\\Syst\u00c3\u00a8me\r\nLogonGuid: {0BA009B0-82CF-5CDE-0000-0020E7030000}\r\nLogonId: 0x3E7\r\nTerminalSessionId: 1\r\nIntegrityLevel: System\r\nHashes: 
MD5=D40C84E829922B70D511BB2CC6268D49,SHA256=9A54EE3D6D16D0FE3458B1AE1212F546F94B9E28E5A845D311A04191C724D652\r\nParentProcessGuid: {0BA009B0-82CF-5CDE-0000-0010883A0000}\r\nParentProcessId: 476\r\nParentImage: C:\\Windows\\System32\\winlogon.exe\r\nParentCommandLine: winlogon.exe", "provider": "Microsoft-Windows-Sysmon", - "reason": "Windows Logon User Interface Host" + "reason": "Windows Logon User Interface Host", + "message": "Process Create:\r\nRuleName: \r\nUtcTime: 2019-05-17 09:52:59.277\r\nProcessGuid: {0BA009B0-847B-5CDE-0000-001038720D00}\r\nProcessId: 4540\r\nImage: C:\\Windows\\System32\\LogonUI.exe\r\nFileVersion: 10.0.10586.0 (th2_release.151029-1700)\r\nDescription: Windows Logon User Interface Host\r\nProduct: Microsoft\u00c2\u00ae Windows\u00c2\u00ae Operating System\r\nCompany: Microsoft Corporation\r\nCommandLine: \"C:\\Windows\\System32\\LogonUI.exe\" /flags:0x0 /state0:0xa39dd855 /state1:0x41c64e6d\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: AUTORITE NT\\Syst\u00c3\u00a8me\r\nLogonGuid: {0BA009B0-82CF-5CDE-0000-0020E7030000}\r\nLogonId: 0x3E7\r\nTerminalSessionId: 1\r\nIntegrityLevel: System\r\nHashes: MD5=D40C84E829922B70D511BB2CC6268D49,SHA256=9A54EE3D6D16D0FE3458B1AE1212F546F94B9E28E5A845D311A04191C724D652\r\nParentProcessGuid: {0BA009B0-82CF-5CDE-0000-0010883A0000}\r\nParentProcessId: 476\r\nParentImage: C:\\Windows\\System32\\winlogon.exe\r\nParentCommandLine: winlogon.exe" }, "@timestamp": "2019-05-17T09:52:59.277000Z", "process": { 
@@ -3718,24 +3660,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "record_id": 66, "type": "Microsoft-Windows-Sysmon/Operational", "id": 1, - "properties": [ - { - "Image": "c:\\windows\\system32\\logonui.exe", - "ParentImage": "c:\\windows\\system32\\winlogon.exe", - "AccountName": "Syst\u00e8me", - "AccountType": "User", - "Domain": "AUTORITE NT", - "EventType": "INFO", - "OpcodeValue": 0, - "ProcessGuid": "{0BA009B0-847B-5CDE-0000-001038720D00}", - "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", - "Severity": "INFO", - "Task": 1, - "User": "AUTORITE NT\\Syst\u00c3\u00a8me", - "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" - } - ], + "properties": { + "Image": "c:\\windows\\system32\\logonui.exe", + "ParentImage": "c:\\windows\\system32\\winlogon.exe", + "AccountName": "Syst\u00e8me", + "AccountType": "User", + "Domain": "AUTORITE NT", + "EventType": "INFO", + "OpcodeValue": 0, + "ProcessGuid": "{0BA009B0-847B-5CDE-0000-001038720D00}", + "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "Severity": "INFO", + "Task": 1, + "User": "AUTORITE NT\\Syst\u00c3\u00a8me", + "SourceName": "Microsoft-Windows-Sysmon", + "Keywords": "-9223372036854775808" + }, "name": "Process creation" }, "log": { 
@@ -3803,24 +3743,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "record_id": 1639089, "type": "Security", "id": 4688, - "properties": [ - { - "EventType": "AUDIT_SUCCESS", - "OpcodeValue": 0, - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "Severity": "INFO", - "SubjectDomainName": "KEY", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "HOSTFOOBAR", - "SubjectUserSid": "S-1-5-18", - "TargetDomainName": "-", - "TargetUserName": "-", - "TargetUserSid": "S-1-0-0", - "Task": 13312, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" - } - ], + "properties": { + "EventType": "AUDIT_SUCCESS", + "OpcodeValue": 0, + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Severity": "INFO", + "SubjectDomainName": "KEY", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "HOSTFOOBAR", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "-", + "TargetUserName": "-", + "TargetUserSid": "S-1-0-0", + "Task": 13312, + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9214364837600034816" + }, "name": "A new process has been created", "outcome": "success" }, 
@@ -3890,24 +3828,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "record_id": 1454160, "type": "Security", "id": 4688, - "properties": [ - { - "EventType": "AUDIT_SUCCESS", - "OpcodeValue": 0, - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "Severity": "INFO", - "SubjectDomainName": "KEY", - "SubjectLogonId": "0xc2801", - "SubjectUserName": "USERFOO", - "SubjectUserSid": "S-1-5-21-1574594750-1263408776-2012955550-78445", - "TargetDomainName": "-", - "TargetUserName": "-", - "TargetUserSid": "S-1-0-0", - "Task": 13312, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" - } - ], + "properties": { + "EventType": "AUDIT_SUCCESS", + "OpcodeValue": 0, + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Severity": "INFO", + "SubjectDomainName": "KEY", + "SubjectLogonId": "0xc2801", + "SubjectUserName": "USERFOO", + "SubjectUserSid": "S-1-5-21-1574594750-1263408776-2012955550-78445", + "TargetDomainName": "-", + "TargetUserName": "-", + "TargetUserSid": "S-1-0-0", + "Task": 13312, + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9214364837600034816" + }, "name": "A new process has been created", "outcome": "success" }, 
@@ -3954,32 +3890,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-10-28 12:23:17\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":13,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":2,\"Task\":13,\"OpcodeValue\":0,\"RecordNumber\":34819,\"ProcessID\":1436,\"ThreadID\":2860,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Registry value set:\\\\r\\\\nRuleName: InvDB\\\\r\\\\nEventType: SetValue\\\\r\\\\nUtcTime: 2010-10-28 11:23:17.379\\\\r\\\\nProcessGuid: {34EA5B98-48E6-5F99-1600-000000000E00}\\\\r\\\\nProcessId: 1012\\\\r\\\\nImage: C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\\r\\\\nTargetObject: HKU\\\\\\\\S-1-5-21-375581984-207109644-1491462053-1001\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Compatibility Assistant\\\\\\\\Store\\\\\\\\C:\\\\\\\\Program Files\\\\\\\\WindowsApps\\\\\\\\Microsoft.MicrosoftOfficeHub_18.2008.12711.0_x64__8wekyb3d8bbwe\\\\\\\\LocalBridge.exe\\\\r\\\\nDetails: Binary Data\",\"Category\":\"Registry value set (rule: RegistryEvent)\",\"Opcode\":\"Info\",\"RuleName\":\"InvDB\",\"UtcTime\":\"2010-10-28 11:23:17.379\",\"ProcessGuid\":\"{34EA5B98-48E6-5F99-1600-000000000E00}\",\"Image\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\",\"TargetObject\":\"HKU\\\\\\\\S-1-5-21-375581984-207109644-1491462053-1001\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Compatibility Assistant\\\\\\\\Store\\\\\\\\C:\\\\\\\\Program Files\\\\\\\\WindowsApps\\\\\\\\Microsoft.MicrosoftOfficeHub_18.2008.12711.0_x64__8wekyb3d8bbwe\\\\\\\\LocalBridge.exe\",\"Details\":\"Binary 
Data\",\"EventReceivedTime\":\"2010-10-28 12:23:19\",\"SourceModuleName\":\"eventlog4\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "13", - "message": "Registry value set:\\r\\nRuleName: InvDB\\r\\nEventType: SetValue\\r\\nUtcTime: 2010-10-28 11:23:17.379\\r\\nProcessGuid: {34EA5B98-48E6-5F99-1600-000000000E00}\\r\\nProcessId: 1012\\r\\nImage: C:\\\\Windows\\\\System32\\\\svchost.exe\\r\\nTargetObject: HKU\\\\S-1-5-21-375581984-207109644-1491462053-1001\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.MicrosoftOfficeHub_18.2008.12711.0_x64__8wekyb3d8bbwe\\\\LocalBridge.exe\\r\\nDetails: Binary Data", - "provider": "Microsoft-Windows-Sysmon" + "provider": "Microsoft-Windows-Sysmon", + "message": "Registry value set:\\r\\nRuleName: InvDB\\r\\nEventType: SetValue\\r\\nUtcTime: 2010-10-28 11:23:17.379\\r\\nProcessGuid: {34EA5B98-48E6-5F99-1600-000000000E00}\\r\\nProcessId: 1012\\r\\nImage: C:\\\\Windows\\\\System32\\\\svchost.exe\\r\\nTargetObject: HKU\\\\S-1-5-21-375581984-207109644-1491462053-1001\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.MicrosoftOfficeHub_18.2008.12711.0_x64__8wekyb3d8bbwe\\\\LocalBridge.exe\\r\\nDetails: Binary Data" }, "@timestamp": "2010-10-28T11:23:17.379000Z", "action": { "record_id": 34819, "type": "Microsoft-Windows-Sysmon/Operational", "id": 13, - "properties": [ - { - "Image": "c:\\\\windows\\\\system32\\\\svchost.exe", - "Details": "Binary Data", - "AccountName": "SYSTEM", - "AccountType": "User", - "Domain": "NT AUTHORITY", - "EventType": "INFO", - "OpcodeValue": 0, - "ProcessGuid": "{34EA5B98-48E6-5F99-1600-000000000E00}", - "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", - "Severity": "INFO", - "TargetObject": 
"HKU\\\\S-1-5-21-375581984-207109644-1491462053-1001\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.MicrosoftOfficeHub_18.2008.12711.0_x64__8wekyb3d8bbwe\\\\LocalBridge.exe", - "Task": 13, - "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" - } - ], + "properties": { + "Image": "c:\\\\windows\\\\system32\\\\svchost.exe", + "Details": "Binary Data", + "AccountName": "SYSTEM", + "AccountType": "User", + "Domain": "NT AUTHORITY", + "EventType": "INFO", + "OpcodeValue": 0, + "ProcessGuid": "{34EA5B98-48E6-5F99-1600-000000000E00}", + "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "Severity": "INFO", + "TargetObject": "HKU\\\\S-1-5-21-375581984-207109644-1491462053-1001\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.MicrosoftOfficeHub_18.2008.12711.0_x64__8wekyb3d8bbwe\\\\LocalBridge.exe", + "Task": 13, + "SourceName": "Microsoft-Windows-Sysmon", + "Keywords": "-9223372036854775808" + }, "name": "RegistryEvent (Value Set)", "target": "registry" }, 
@@ -4036,8 +3970,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": " {\"EventTime\":\"2011-03-02 01:40:47\",\"Hostname\":\"PCFOO.corp.net\",\"Keywords\":4611686018427387904,\"EventType\":\"WARNING\",\"SeverityValue\":3,\"Severity\":\"WARNING\",\"EventID\":61,\"SourceName\":\"Microsoft-Windows-Bits-Client\",\"ProviderGuid\":\"{EF1CC15B-46C1-414E-BB95-E76B077BD51E}\",\"Version\":1,\"Task\":0,\"OpcodeValue\":2,\"RecordNumber\":18732,\"ActivityID\":\"{5B327F5A-B797-4B7E-AB05-11A0E98A15AF}\",\"ProcessID\":5796,\"ThreadID\":12472,\"Channel\":\"Microsoft-Windows-Bits-Client/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"BITS a arr\u00c3\u00aat\u00c3\u00a9 la t\u00c3\u00a2che de transfert Font Download qui est associ\u00c3\u00a9e \u00c3 l\u00e2\u20ac\u2122URL https://fs.microsoft.com/fs/windows/config.json. Le code d\u00e2\u20ac\u2122\u00c3\u00a9tat est 0x80072EE2.\",\"Opcode\":\"Arr\u00c3\u00aater\",\"transferId\":\"{5b327f5a-b797-4b7e-ab05-11a0e98a15af}\",\"name\":\"Font Download\",\"Id\":\"{895bd5ca-3d9e-4ea9-8965-8cbb9e2961dc}\",\"url\":\"https://fs.microsoft.com/fs/windows/config.json\",\"hr\":\"2147954402\",\"fileTime\":\"1601-01-01T00:00:00.0000000Z\",\"fileLength\":\"18446744073709551615\",\"bytesTotal\":\"18446744073709551615\",\"bytesTransferred\":\"0\",\"peerProtocolFlags\":\"0\",\"bytesTransferredFromPeer\":\"0\",\"AdditionalInfoHr\":\"0\",\"PeerContextInfo\":\"0\",\"bandwidthLimit\":\"18446744073709551615\",\"ignoreBandwidthLimitsOnLan\":\"false\",\"EventReceivedTime\":\"2011-03-02 01:40:48\",\"SourceModuleName\":\"evtx_win\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "61", - "message": "BITS a arr\u00c3\u00aat\u00c3\u00a9 la t\u00c3\u00a2che de transfert Font Download qui est associ\u00c3\u00a9e \u00c3 l\u00e2\u20ac\u2122URL https://fs.microsoft.com/fs/windows/config.json. 
Le code d\u00e2\u20ac\u2122\u00c3\u00a9tat est 0x80072EE2.", - "provider": "Microsoft-Windows-Bits-Client" + "provider": "Microsoft-Windows-Bits-Client", + "message": "BITS a arr\u00c3\u00aat\u00c3\u00a9 la t\u00c3\u00a2che de transfert Font Download qui est associ\u00c3\u00a9e \u00c3 l\u00e2\u20ac\u2122URL https://fs.microsoft.com/fs/windows/config.json. Le code d\u00e2\u20ac\u2122\u00c3\u00a9tat est 0x80072EE2." }, "file": { "name": "font download", @@ -4047,23 +3981,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "record_id": 18732, "type": "Microsoft-Windows-Bits-Client/Operational", "id": 61, - "properties": [ - { - "AccountName": "Syst\u00e8me", - "AccountType": "User", - "Domain": "AUTORITE NT", - "EventType": "WARNING", - "Id": "{895bd5ca-3d9e-4ea9-8965-8cbb9e2961dc}", - "OpcodeValue": 2, - "ProviderGuid": "{EF1CC15B-46C1-414E-BB95-E76B077BD51E}", - "Severity": "WARNING", - "Task": 0, - "bytesTransferred": "0", - "SourceName": "Microsoft-Windows-Bits-Client", - "Keywords": "4611686018427387904", - "BytesTotal": "-1" - } - ] + "properties": { + "AccountName": "Syst\u00e8me", + "AccountType": "User", + "Domain": "AUTORITE NT", + "EventType": "WARNING", + "Id": "{895bd5ca-3d9e-4ea9-8965-8cbb9e2961dc}", + "OpcodeValue": 2, + "ProviderGuid": "{EF1CC15B-46C1-414E-BB95-E76B077BD51E}", + "Severity": "WARNING", + "Task": 0, + "bytesTransferred": "0", + "SourceName": "Microsoft-Windows-Bits-Client", + "Keywords": "4611686018427387904", + "BytesTotal": "-1" + } }, "log": { "hostname": "PCFOO.corp.net", 
@@ -4127,32 +4059,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2011-04-01 16:37:06\",\"Hostname\":\"host.foo.local\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4702,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":12804,\"OpcodeValue\":0,\"RecordNumber\":393771,\"ActivityID\":\"{13AB68AE-1C3D-0000-296A-AB133D1CD701}\",\"ProcessID\":608,\"ThreadID\":244,\"Channel\":\"Security\",\"Message\":\"Une t\u00e2che planifi\u00e9e a \u00e9t\u00e9 mise \u00e0 jour.\\r\\n\\r\\nObjet :\\r\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-5-18\\r\\n\\tNom de compte :\\t\\tSEKADWV01$\\r\\n\\tDomaine du compte :\\t\\tSEKOPOC\\r\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\r\\n\\r\\nInformations sur la t\u00e2che :\\r\\n\\tNom de la t\u00e2che : \\t\\t\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\Backup Scan\\r\\n\\tNouveau contenu de la t\u00e2che : \\t\\t\\r\\n\\r\\n \\r\\n \\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\Backup Scan\\r\\n \\r\\n \\r\\n \\r\\n 2011-04-15T14:37:06.282Z\\r\\n true\\r\\n \\r\\n \\r\\n \\r\\n IgnoreNew\\r\\n false\\r\\n false\\r\\n true\\r\\n true\\r\\n false\\r\\n \\r\\n PT10M\\r\\n PT1H\\r\\n true\\r\\n false\\r\\n \\r\\n true\\r\\n true\\r\\n false\\r\\n false\\r\\n true\\r\\n PT72H\\r\\n 7\\r\\n \\r\\n \\r\\n \\r\\n %systemroot%\\\\system32\\\\usoclient.exe\\r\\n StartScan\\r\\n \\r\\n \\r\\n \\r\\n \\r\\n S-1-5-18\\r\\n LeastPrivilege\\r\\n \\r\\n \\r\\n\\r\\n\\t\",\"Category\":\"Other Object Access Events\",\"Opcode\":\"Informations\",\"SubjectUserSid\":\"S-1-5-18\",\"SubjectUserName\":\"SEKADWV01$\",\"SubjectDomainName\":\"SEKOPOC\",\"SubjectLogonId\":\"0x3e7\",\"TaskName\":\"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\Backup Scan\",\"TaskContentNew\":\"<?xml version=\\\"1.0\\\" 
encoding=\\\"UTF-16\\\"?>\\r\\n<Task version=\\\"1.2\\\" xmlns=\\\"http://schemas.microsoft.com/windows/2004/02/mit/task\\\">\\r\\n <RegistrationInfo>\\r\\n <URI>\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\Backup Scan</URI>\\r\\n </RegistrationInfo>\\r\\n <Triggers>\\r\\n <TimeTrigger>\\r\\n <StartBoundary>2011-04-15T14:37:06.282Z</StartBoundary>\\r\\n <Enabled>true</Enabled>\\r\\n </TimeTrigger>\\r\\n </Triggers>\\r\\n <Settings>\\r\\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\\r\\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\\r\\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\\r\\n <AllowHardTerminate>true</AllowHardTerminate>\\r\\n <StartWhenAvailable>true</StartWhenAvailable>\\r\\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\\r\\n <IdleSettings>\\r\\n <Duration>PT10M</Duration>\\r\\n <WaitTimeout>PT1H</WaitTimeout>\\r\\n <StopOnIdleEnd>true</StopOnIdleEnd>\\r\\n <RestartOnIdle>false</RestartOnIdle>\\r\\n </IdleSettings>\\r\\n <AllowStartOnDemand>true</AllowStartOnDemand>\\r\\n <Enabled>true</Enabled>\\r\\n <Hidden>false</Hidden>\\r\\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\\r\\n <WakeToRun>true</WakeToRun>\\r\\n <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>\\r\\n <Priority>7</Priority>\\r\\n </Settings>\\r\\n <Actions Context=\\\"Author\\\">\\r\\n <Exec>\\r\\n <Command>%systemroot%\\\\system32\\\\usoclient.exe</Command>\\r\\n <Arguments>StartScan</Arguments>\\r\\n </Exec>\\r\\n </Actions>\\r\\n <Principals>\\r\\n <Principal id=\\\"Author\\\">\\r\\n <UserId>S-1-5-18</UserId>\\r\\n <RunLevel>LeastPrivilege</RunLevel>\\r\\n </Principal>\\r\\n </Principals>\\r\\n</Task>\",\"EventReceivedTime\":\"2011-04-01 16:37:08\",\"SourceModuleName\":\"eventlog3\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4702", - "message": "Une t\u00e2che planifi\u00e9e a \u00e9t\u00e9 mise \u00e0 jour.\r\n\r\nObjet :\r\n\tID de s\u00e9curit\u00e9 :\t\tS-1-5-18\r\n\tNom de compte 
:\t\tSEKADWV01$\r\n\tDomaine du compte :\t\tSEKOPOC\r\n\tID d\u2019ouverture de session :\t\t0x3E7\r\n\r\nInformations sur la t\u00e2che :\r\n\tNom de la t\u00e2che : \t\t\\Microsoft\\Windows\\UpdateOrchestrator\\Backup Scan\r\n\tNouveau contenu de la t\u00e2che : \t\t\r\n\r\n \r\n \\Microsoft\\Windows\\UpdateOrchestrator\\Backup Scan\r\n \r\n \r\n \r\n 2011-04-15T14:37:06.282Z\r\n true\r\n \r\n \r\n \r\n IgnoreNew\r\n false\r\n false\r\n true\r\n true\r\n false\r\n \r\n PT10M\r\n PT1H\r\n true\r\n false\r\n \r\n true\r\n true\r\n false\r\n false\r\n true\r\n PT72H\r\n 7\r\n \r\n \r\n \r\n %systemroot%\\system32\\usoclient.exe\r\n StartScan\r\n \r\n \r\n \r\n \r\n S-1-5-18\r\n LeastPrivilege\r\n \r\n \r\n\r\n\t", - "provider": "Microsoft-Windows-Security-Auditing" + "provider": "Microsoft-Windows-Security-Auditing", + "message": "Une t\u00e2che planifi\u00e9e a \u00e9t\u00e9 mise \u00e0 jour.\r\n\r\nObjet :\r\n\tID de s\u00e9curit\u00e9 :\t\tS-1-5-18\r\n\tNom de compte :\t\tSEKADWV01$\r\n\tDomaine du compte :\t\tSEKOPOC\r\n\tID d\u2019ouverture de session :\t\t0x3E7\r\n\r\nInformations sur la t\u00e2che :\r\n\tNom de la t\u00e2che : \t\t\\Microsoft\\Windows\\UpdateOrchestrator\\Backup Scan\r\n\tNouveau contenu de la t\u00e2che : \t\t\r\n\r\n \r\n \\Microsoft\\Windows\\UpdateOrchestrator\\Backup Scan\r\n \r\n \r\n \r\n 2011-04-15T14:37:06.282Z\r\n true\r\n \r\n \r\n \r\n IgnoreNew\r\n false\r\n false\r\n true\r\n true\r\n false\r\n \r\n PT10M\r\n PT1H\r\n true\r\n false\r\n \r\n true\r\n true\r\n false\r\n false\r\n true\r\n PT72H\r\n 7\r\n \r\n \r\n \r\n %systemroot%\\system32\\usoclient.exe\r\n StartScan\r\n \r\n \r\n \r\n \r\n S-1-5-18\r\n LeastPrivilege\r\n \r\n \r\n\r\n\t" }, "action": { "record_id": 393771, "type": "Security", "id": 4702, - "properties": [ - { - "EventType": "AUDIT_SUCCESS", - "OpcodeValue": 0, - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "Severity": "INFO", - "SubjectDomainName": "SEKOPOC", - "SubjectLogonId": "0x3e7", - 
"SubjectUserName": "SEKADWV01$", - "SubjectUserSid": "S-1-5-18", - "Task": 12804, - "TaskContentNew": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo>\r\n <URI>\\Microsoft\\Windows\\UpdateOrchestrator\\Backup Scan</URI>\r\n </RegistrationInfo>\r\n <Triggers>\r\n <TimeTrigger>\r\n <StartBoundary>2011-04-15T14:37:06.282Z</StartBoundary>\r\n <Enabled>true</Enabled>\r\n </TimeTrigger>\r\n </Triggers>\r\n <Settings>\r\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>true</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <Duration>PT10M</Duration>\r\n <WaitTimeout>PT1H</WaitTimeout>\r\n <StopOnIdleEnd>true</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>true</WakeToRun>\r\n <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>\r\n <Priority>7</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>%systemroot%\\system32\\usoclient.exe</Command>\r\n <Arguments>StartScan</Arguments>\r\n </Exec>\r\n </Actions>\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <UserId>S-1-5-18</UserId>\r\n <RunLevel>LeastPrivilege</RunLevel>\r\n </Principal>\r\n </Principals>\r\n</Task>", - "TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\Backup Scan", - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816", - "TaskContentNew_Args": "StartScan", - "TaskContentNew_Command": "%systemroot%\\system32\\usoclient.exe" - } - ], + "properties": { + "EventType": 
"AUDIT_SUCCESS", + "OpcodeValue": 0, + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Severity": "INFO", + "SubjectDomainName": "SEKOPOC", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "SEKADWV01$", + "SubjectUserSid": "S-1-5-18", + "Task": 12804, + "TaskContentNew": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo>\r\n <URI>\\Microsoft\\Windows\\UpdateOrchestrator\\Backup Scan</URI>\r\n </RegistrationInfo>\r\n <Triggers>\r\n <TimeTrigger>\r\n <StartBoundary>2011-04-15T14:37:06.282Z</StartBoundary>\r\n <Enabled>true</Enabled>\r\n </TimeTrigger>\r\n </Triggers>\r\n <Settings>\r\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>true</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <Duration>PT10M</Duration>\r\n <WaitTimeout>PT1H</WaitTimeout>\r\n <StopOnIdleEnd>true</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>true</WakeToRun>\r\n <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>\r\n <Priority>7</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>%systemroot%\\system32\\usoclient.exe</Command>\r\n <Arguments>StartScan</Arguments>\r\n </Exec>\r\n </Actions>\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <UserId>S-1-5-18</UserId>\r\n <RunLevel>LeastPrivilege</RunLevel>\r\n </Principal>\r\n </Principals>\r\n</Task>", + "TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\Backup Scan", + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": 
"-9214364837600034816", + "TaskContentNew_Args": "StartScan", + "TaskContentNew_Command": "%systemroot%\\system32\\usoclient.exe" + }, "name": "A scheduled task was updated", "outcome": "success" }, 
@@ -4201,32 +4131,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-11-16 14:49:29\",\"Hostname\":\"pps-val-app\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4673,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":13056,\"OpcodeValue\":0,\"RecordNumber\":10604999,\"ProcessID\":4,\"ThreadID\":19016,\"Channel\":\"Security\",\"Message\":\"A privileged service was called.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tPPS-VAL-APP$\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0x3E7\\r\\n\\r\\nService:\\r\\n\\tServer:\\tNT Local Security Authority / Authentication Service\\r\\n\\tService Name:\\tLsaRegisterLogonProcess()\\r\\n\\r\\nProcess:\\r\\n\\tProcess ID:\\t0x7e0\\r\\n\\tProcess Name:\\tC:\\\\Windows\\\\System32\\\\lsass.exe\\r\\n\\r\\nService Request Information:\\r\\n\\tPrivileges:\\t\\tSeTcbPrivilege\",\"Category\":\"Sensitive Privilege Use\",\"Opcode\":\"Info\",\"SubjectUserSid\":\"S-1-5-18\",\"SubjectUserName\":\"PPS-VAL-APP$\",\"SubjectDomainName\":\"KEY\",\"SubjectLogonId\":\"0x3e7\",\"ObjectServer\":\"NT Local Security Authority / Authentication Service\",\"Service\":\"LsaRegisterLogonProcess()\",\"PrivilegeList\":\"SeTcbPrivilege\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\",\"EventReceivedTime\":\"2010-11-16 14:49:31\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4673", - "message": "A privileged service was called.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tPPS-VAL-APP$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nService:\r\n\tServer:\tNT Local Security Authority / Authentication Service\r\n\tService Name:\tLsaRegisterLogonProcess()\r\n\r\nProcess:\r\n\tProcess ID:\t0x7e0\r\n\tProcess 
Name:\tC:\\Windows\\System32\\lsass.exe\r\n\r\nService Request Information:\r\n\tPrivileges:\t\tSeTcbPrivilege", - "provider": "Microsoft-Windows-Security-Auditing" + "provider": "Microsoft-Windows-Security-Auditing", + "message": "A privileged service was called.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tPPS-VAL-APP$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nService:\r\n\tServer:\tNT Local Security Authority / Authentication Service\r\n\tService Name:\tLsaRegisterLogonProcess()\r\n\r\nProcess:\r\n\tProcess ID:\t0x7e0\r\n\tProcess Name:\tC:\\Windows\\System32\\lsass.exe\r\n\r\nService Request Information:\r\n\tPrivileges:\t\tSeTcbPrivilege" }, "action": { "record_id": 10604999, "type": "Security", "id": 4673, - "properties": [ - { - "EventType": "AUDIT_SUCCESS", - "ObjectServer": "NT Local Security Authority / Authentication Service", - "OpcodeValue": 0, - "PrivilegeList": "SeTcbPrivilege", - "ProcessName": "c:\\windows\\system32\\lsass.exe", - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "Service": "LsaRegisterLogonProcess()", - "Severity": "INFO", - "SubjectDomainName": "KEY", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "PPS-VAL-APP$", - "SubjectUserSid": "S-1-5-18", - "Task": 13056, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" - } - ], + "properties": { + "EventType": "AUDIT_SUCCESS", + "ObjectServer": "NT Local Security Authority / Authentication Service", + "OpcodeValue": 0, + "PrivilegeList": "SeTcbPrivilege", + "ProcessName": "c:\\windows\\system32\\lsass.exe", + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Service": "LsaRegisterLogonProcess()", + "Severity": "INFO", + "SubjectDomainName": "KEY", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "PPS-VAL-APP$", + "SubjectUserSid": "S-1-5-18", + "Task": 13056, + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9214364837600034816" + }, "name": "A privileged service 
was called", "outcome": "success" }, @@ -4284,26 +4212,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "record_id": 1704922, "type": "Security", "id": 4697, - "properties": [ - { - "EventType": "AUDIT_SUCCESS", - "OpcodeValue": 0, - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "ServiceAccount": "LocalSystem", - "ServiceFileName": "C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup", - "ServiceName": "WpnUserService_14bec52", - "ServiceStartType": "2", - "ServiceType": "0xe0", - "Severity": "INFO", - "SubjectDomainName": "KEY", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "V-FOO$", - "SubjectUserSid": "S-1-5-18", - "Task": 12289, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" - } - ], + "properties": { + "EventType": "AUDIT_SUCCESS", + "OpcodeValue": 0, + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "ServiceAccount": "LocalSystem", + "ServiceFileName": "C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup", + "ServiceName": "WpnUserService_14bec52", + "ServiceStartType": "2", + "ServiceType": "0xe0", + "Severity": "INFO", + "SubjectDomainName": "KEY", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "V-FOO$", + "SubjectUserSid": "S-1-5-18", + "Task": 12289, + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9214364837600034816" + }, "name": "A service was installed in the system", "outcome": "success" }, 
@@ -4352,34 +4278,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-10-15 16:52:28\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":10,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":3,\"Task\":10,\"OpcodeValue\":0,\"RecordNumber\":1481365,\"ProcessID\":9628,\"ThreadID\":10352,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Process accessed:\\r\\nRuleName: \\r\\nUtcTime: 2010-10-15 14:52:28.536\\r\\nSourceProcessGUID: {c8188de9-3743-5f84-0000-00100ef00000}\\r\\nSourceProcessId: 920\\r\\nSourceThreadId: 1052\\r\\nSourceImage: C:\\\\Windows\\\\System32\\\\VBoxService.exe\\r\\nTargetProcessGUID: {c8188de9-3771-5f84-0000-0010443b0900}\\r\\nTargetProcessId: 4324\\r\\nTargetImage: C:\\\\WINDOWS\\\\system32\\\\ctfmon.exe\\r\\nGrantedAccess: 0x1400\\r\\nCallTrace: C:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll+9c534|C:\\\\WINDOWS\\\\System32\\\\KERNELBASE.dll+305fe|C:\\\\Windows\\\\System32\\\\VBoxService.exe+12d8d|C:\\\\Windows\\\\System32\\\\VBoxService.exe+140cf|C:\\\\Windows\\\\System32\\\\VBoxService.exe+1435d|C:\\\\Windows\\\\System32\\\\VBoxService.exe+fc2b|C:\\\\Windows\\\\System32\\\\VBoxService.exe+1071a|C:\\\\Windows\\\\System32\\\\VBoxService.exe+17fe|C:\\\\Windows\\\\System32\\\\VBoxService.exe+31c1f|C:\\\\Windows\\\\System32\\\\VBoxService.exe+35682|C:\\\\Windows\\\\System32\\\\VBoxService.exe+fbbeb|C:\\\\Windows\\\\System32\\\\VBoxService.exe+fbc7f|C:\\\\WINDOWS\\\\System32\\\\KERNEL32.DLL+17bd4|C:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll+6ce51\",\"Category\":\"Process accessed (rule: ProcessAccess)\",\"Opcode\":\"Informations\",\"UtcTime\":\"2010-10-15 
14:52:28.536\",\"SourceProcessGUID\":\"{c8188de9-3743-5f84-0000-00100ef00000}\",\"SourceProcessId\":\"920\",\"SourceThreadId\":\"1052\",\"SourceImage\":\"C:\\\\Windows\\\\System32\\\\VBoxService.exe\",\"TargetProcessGUID\":\"{c8188de9-3771-5f84-0000-0010443b0900}\",\"TargetProcessId\":\"4324\",\"TargetImage\":\"C:\\\\WINDOWS\\\\system32\\\\ctfmon.exe\",\"GrantedAccess\":\"0x1400\",\"CallTrace\":\"C:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll+9c534|C:\\\\WINDOWS\\\\System32\\\\KERNELBASE.dll+305fe|C:\\\\Windows\\\\System32\\\\VBoxService.exe+12d8d|C:\\\\Windows\\\\System32\\\\VBoxService.exe+140cf|C:\\\\Windows\\\\System32\\\\VBoxService.exe+1435d|C:\\\\Windows\\\\System32\\\\VBoxService.exe+fc2b|C:\\\\Windows\\\\System32\\\\VBoxService.exe+1071a|C:\\\\Windows\\\\System32\\\\VBoxService.exe+17fe|C:\\\\Windows\\\\System32\\\\VBoxService.exe+31c1f|C:\\\\Windows\\\\System32\\\\VBoxService.exe+35682|C:\\\\Windows\\\\System32\\\\VBoxService.exe+fbbeb|C:\\\\Windows\\\\System32\\\\VBoxService.exe+fbc7f|C:\\\\WINDOWS\\\\System32\\\\KERNEL32.DLL+17bd4|C:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll+6ce51\",\"EventReceivedTime\":\"2010-10-15 16:56:02\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "10", - "message": "Process accessed:\r\nRuleName: \r\nUtcTime: 2010-10-15 14:52:28.536\r\nSourceProcessGUID: {c8188de9-3743-5f84-0000-00100ef00000}\r\nSourceProcessId: 920\r\nSourceThreadId: 1052\r\nSourceImage: C:\\Windows\\System32\\VBoxService.exe\r\nTargetProcessGUID: {c8188de9-3771-5f84-0000-0010443b0900}\r\nTargetProcessId: 4324\r\nTargetImage: C:\\WINDOWS\\system32\\ctfmon.exe\r\nGrantedAccess: 0x1400\r\nCallTrace: 
C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534|C:\\WINDOWS\\System32\\KERNELBASE.dll+305fe|C:\\Windows\\System32\\VBoxService.exe+12d8d|C:\\Windows\\System32\\VBoxService.exe+140cf|C:\\Windows\\System32\\VBoxService.exe+1435d|C:\\Windows\\System32\\VBoxService.exe+fc2b|C:\\Windows\\System32\\VBoxService.exe+1071a|C:\\Windows\\System32\\VBoxService.exe+17fe|C:\\Windows\\System32\\VBoxService.exe+31c1f|C:\\Windows\\System32\\VBoxService.exe+35682|C:\\Windows\\System32\\VBoxService.exe+fbbeb|C:\\Windows\\System32\\VBoxService.exe+fbc7f|C:\\WINDOWS\\System32\\KERNEL32.DLL+17bd4|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+6ce51", - "provider": "Microsoft-Windows-Sysmon" + "provider": "Microsoft-Windows-Sysmon", + "message": "Process accessed:\r\nRuleName: \r\nUtcTime: 2010-10-15 14:52:28.536\r\nSourceProcessGUID: {c8188de9-3743-5f84-0000-00100ef00000}\r\nSourceProcessId: 920\r\nSourceThreadId: 1052\r\nSourceImage: C:\\Windows\\System32\\VBoxService.exe\r\nTargetProcessGUID: {c8188de9-3771-5f84-0000-0010443b0900}\r\nTargetProcessId: 4324\r\nTargetImage: C:\\WINDOWS\\system32\\ctfmon.exe\r\nGrantedAccess: 0x1400\r\nCallTrace: C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534|C:\\WINDOWS\\System32\\KERNELBASE.dll+305fe|C:\\Windows\\System32\\VBoxService.exe+12d8d|C:\\Windows\\System32\\VBoxService.exe+140cf|C:\\Windows\\System32\\VBoxService.exe+1435d|C:\\Windows\\System32\\VBoxService.exe+fc2b|C:\\Windows\\System32\\VBoxService.exe+1071a|C:\\Windows\\System32\\VBoxService.exe+17fe|C:\\Windows\\System32\\VBoxService.exe+31c1f|C:\\Windows\\System32\\VBoxService.exe+35682|C:\\Windows\\System32\\VBoxService.exe+fbbeb|C:\\Windows\\System32\\VBoxService.exe+fbc7f|C:\\WINDOWS\\System32\\KERNEL32.DLL+17bd4|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+6ce51" }, "@timestamp": "2010-10-15T14:52:28.536000Z", "action": { "record_id": 1481365, "type": "Microsoft-Windows-Sysmon/Operational", "id": 10, - "properties": [ - { - "AccountName": "Syst\u00e8me", - "AccountType": "User", - "CallTrace": 
"c:\\windows\\system32\\ntdll.dll+9c534|c:\\windows\\system32\\kernelbase.dll+305fe|c:\\windows\\system32\\vboxservice.exe+12d8d|c:\\windows\\system32\\vboxservice.exe+140cf|c:\\windows\\system32\\vboxservice.exe+1435d|c:\\windows\\system32\\vboxservice.exe+fc2b|c:\\windows\\system32\\vboxservice.exe+1071a|c:\\windows\\system32\\vboxservice.exe+17fe|c:\\windows\\system32\\vboxservice.exe+31c1f|c:\\windows\\system32\\vboxservice.exe+35682|c:\\windows\\system32\\vboxservice.exe+fbbeb|c:\\windows\\system32\\vboxservice.exe+fbc7f|c:\\windows\\system32\\kernel32.dll+17bd4|c:\\windows\\system32\\ntdll.dll+6ce51", - "Domain": "AUTORITE NT", - "EventType": "INFO", - "GrantedAccess": "0x1400", - "OpcodeValue": 0, - "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", - "Severity": "INFO", - "SourceImage": "c:\\windows\\system32\\vboxservice.exe", - "SourceProcessId": "920", - "TargetImage": "c:\\windows\\system32\\ctfmon.exe", - "TargetProcessId": "4324", - "Task": 10, - "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" - } - ], + "properties": { + "AccountName": "Syst\u00e8me", + "AccountType": "User", + "CallTrace": "c:\\windows\\system32\\ntdll.dll+9c534|c:\\windows\\system32\\kernelbase.dll+305fe|c:\\windows\\system32\\vboxservice.exe+12d8d|c:\\windows\\system32\\vboxservice.exe+140cf|c:\\windows\\system32\\vboxservice.exe+1435d|c:\\windows\\system32\\vboxservice.exe+fc2b|c:\\windows\\system32\\vboxservice.exe+1071a|c:\\windows\\system32\\vboxservice.exe+17fe|c:\\windows\\system32\\vboxservice.exe+31c1f|c:\\windows\\system32\\vboxservice.exe+35682|c:\\windows\\system32\\vboxservice.exe+fbbeb|c:\\windows\\system32\\vboxservice.exe+fbc7f|c:\\windows\\system32\\kernel32.dll+17bd4|c:\\windows\\system32\\ntdll.dll+6ce51", + "Domain": "AUTORITE NT", + "EventType": "INFO", + "GrantedAccess": "0x1400", + "OpcodeValue": 0, + "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "Severity": "INFO", + "SourceImage": 
"c:\\windows\\system32\\vboxservice.exe", + "SourceProcessId": "920", + "TargetImage": "c:\\windows\\system32\\ctfmon.exe", + "TargetProcessId": "4324", + "Task": 10, + "SourceName": "Microsoft-Windows-Sysmon", + "Keywords": "-9223372036854775808" + }, "name": "ProcessAccess" }, "log": { 
@@ -4430,31 +4354,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2019-12-16 16:10:53\",\"Hostname\":\"USERNAME01.ACT.CORP.local\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":11,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":2,\"Task\":11,\"OpcodeValue\":0,\"RecordNumber\":3561,\"ProcessID\":4492,\"ThreadID\":9332,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\ufffdme\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"File created:\\r\\nRuleName: \\r\\nUtcTime: 2019-12-16 15:10:53.715\\r\\nProcessGuid: {23AD1E42-B4F1-5C41-0000-001028060400}\\r\\nProcessId: 2060\\r\\nImage: C:\\\\Program Files (x86)\\\\Symantec\\\\Symantec Endpoint Protection\\\\12.1.5337.5000.105\\\\Bin\\\\ccSvcHst.exe\\r\\nTargetFilename: C:\\\\Windows\\\\Temp\\\\SymDelta_2060\\\\content.zip.tmp\\\\cur.scr\\r\\nCreationUtcTime: 2019-12-16 15:10:53.715\",\"Category\":\"File created (rule: FileCreate)\",\"Opcode\":\"Informations\",\"UtcTime\":\"2019-12-16 15:10:53.715\",\"ProcessGuid\":\"{23AD1E42-B4F1-5C41-0000-001028060400}\",\"Image\":\"C:\\\\Program Files (x86)\\\\Symantec\\\\Symantec Endpoint Protection\\\\12.1.5337.5000.105\\\\Bin\\\\ccSvcHst.exe\",\"TargetFilename\":\"C:\\\\Windows\\\\Temp\\\\SymDelta_2060\\\\content.zip.tmp\\\\cur.scr\",\"CreationUtcTime\":\"2019-12-16 15:10:53.715\",\"EventReceivedTime\":\"2019-12-16 16:10:54\",\"SourceModuleName\":\"eventlog4\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "11", - "message": "File created:\r\nRuleName: \r\nUtcTime: 2019-12-16 15:10:53.715\r\nProcessGuid: {23AD1E42-B4F1-5C41-0000-001028060400}\r\nProcessId: 2060\r\nImage: C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Bin\\ccSvcHst.exe\r\nTargetFilename: 
C:\\Windows\\Temp\\SymDelta_2060\\content.zip.tmp\\cur.scr\r\nCreationUtcTime: 2019-12-16 15:10:53.715", - "provider": "Microsoft-Windows-Sysmon" + "provider": "Microsoft-Windows-Sysmon", + "message": "File created:\r\nRuleName: \r\nUtcTime: 2019-12-16 15:10:53.715\r\nProcessGuid: {23AD1E42-B4F1-5C41-0000-001028060400}\r\nProcessId: 2060\r\nImage: C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Bin\\ccSvcHst.exe\r\nTargetFilename: C:\\Windows\\Temp\\SymDelta_2060\\content.zip.tmp\\cur.scr\r\nCreationUtcTime: 2019-12-16 15:10:53.715" }, "@timestamp": "2019-12-16T15:10:53.715000Z", "action": { "record_id": 3561, "type": "Microsoft-Windows-Sysmon/Operational", "id": 11, - "properties": [ - { - "Image": "c:\\program files (x86)\\symantec\\symantec endpoint protection\\12.1.5337.5000.105\\bin\\ccsvchst.exe", - "AccountName": "Syst\ufffdme", - "AccountType": "User", - "Domain": "AUTORITE NT", - "EventType": "INFO", - "OpcodeValue": 0, - "ProcessGuid": "{23AD1E42-B4F1-5C41-0000-001028060400}", - "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", - "Severity": "INFO", - "Task": 11, - "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808", - "TargetFilename": "C:\\Windows\\Temp\\SymDelta_2060\\content.zip.tmp\\cur.scr" - } - ], + "properties": { + "Image": "c:\\program files (x86)\\symantec\\symantec endpoint protection\\12.1.5337.5000.105\\bin\\ccsvchst.exe", + "AccountName": "Syst\ufffdme", + "AccountType": "User", + "Domain": "AUTORITE NT", + "EventType": "INFO", + "OpcodeValue": 0, + "ProcessGuid": "{23AD1E42-B4F1-5C41-0000-001028060400}", + "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "Severity": "INFO", + "Task": 11, + "SourceName": "Microsoft-Windows-Sysmon", + "Keywords": "-9223372036854775808", + "TargetFilename": "C:\\Windows\\Temp\\SymDelta_2060\\content.zip.tmp\\cur.scr" + }, "name": "FileCreate" }, "file": { 
@@ -4510,33 +4432,31 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2019-12-16 08:10:31\",\"Hostname\":\"HOSTNAMEFOO.ACT.CORP.local\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":13,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":2,\"Task\":13,\"OpcodeValue\":0,\"RecordNumber\":3456,\"ProcessID\":44420,\"ThreadID\":27948,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\ufffdme\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Registry value set:\\r\\nRuleName: \\r\\nEventType: SetValue\\r\\nUtcTime: 2019-12-16 07:10:31.795\\r\\nProcessGuid: {D19882A0-7814-5B1E-0000-001015400100}\\r\\nProcessId: 572\\r\\nImage: C:\\\\Windows\\\\system32\\\\services.exe\\r\\nTargetObject: HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\nolmhash\\r\\nDetails: DWORD (0x00000001)\",\"Category\":\"Registry value set (rule: RegistryEvent)\",\"Opcode\":\"Informations\",\"UtcTime\":\"2019-12-16 07:10:31.795\",\"ProcessGuid\":\"{D19882A0-7814-5B1E-0000-001015400100}\",\"Image\":\"C:\\\\Windows\\\\system32\\\\services.exe\",\"TargetObject\":\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\nolmhash\",\"Details\":\"DWORD (0x00000001)\",\"EventReceivedTime\":\"2019-12-16 08:10:32\",\"SourceModuleName\":\"eventlog4\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "13", - "message": "Registry value set:\r\nRuleName: \r\nEventType: SetValue\r\nUtcTime: 2019-12-16 07:10:31.795\r\nProcessGuid: {D19882A0-7814-5B1E-0000-001015400100}\r\nProcessId: 572\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Control\\Lsa\\nolmhash\r\nDetails: DWORD (0x00000001)", - "provider": "Microsoft-Windows-Sysmon" + "provider": "Microsoft-Windows-Sysmon", + "message": "Registry value 
set:\r\nRuleName: \r\nEventType: SetValue\r\nUtcTime: 2019-12-16 07:10:31.795\r\nProcessGuid: {D19882A0-7814-5B1E-0000-001015400100}\r\nProcessId: 572\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Control\\Lsa\\nolmhash\r\nDetails: DWORD (0x00000001)" }, "@timestamp": "2019-12-16T07:10:31.795000Z", "action": { "record_id": 3456, "type": "Microsoft-Windows-Sysmon/Operational", "id": 13, - "properties": [ - { - "MessEventType": "SetValue", - "Image": "c:\\windows\\system32\\services.exe", - "Details": "DWORD (0x00000001)", - "AccountName": "Syst\ufffdme", - "AccountType": "User", - "Domain": "AUTORITE NT", - "EventType": "INFO", - "OpcodeValue": 0, - "ProcessGuid": "{D19882A0-7814-5B1E-0000-001015400100}", - "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", - "Severity": "INFO", - "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\nolmhash", - "Task": 13, - "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" - } - ], + "properties": { + "MessEventType": "SetValue", + "Image": "c:\\windows\\system32\\services.exe", + "Details": "DWORD (0x00000001)", + "AccountName": "Syst\ufffdme", + "AccountType": "User", + "Domain": "AUTORITE NT", + "EventType": "INFO", + "OpcodeValue": 0, + "ProcessGuid": "{D19882A0-7814-5B1E-0000-001015400100}", + "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "Severity": "INFO", + "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\nolmhash", + "Task": 13, + "SourceName": "Microsoft-Windows-Sysmon", + "Keywords": "-9223372036854775808" + }, "name": "RegistryEvent (Value Set)", "target": "registry" }, 
@@ -4599,33 +4519,31 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-03-31 15:02:03\",\"Hostname\":\"HOSTNAMEFOO.ACT.CORP.local\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":13,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":2,\"Task\":13,\"OpcodeValue\":0,\"RecordNumber\":49665,\"ProcessID\":16532,\"ThreadID\":35536,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Registry value set:\\r\\nRuleName: T1031,T1050\\r\\nEventType: SetValue\\r\\nUtcTime: 2010-03-31 13:02:03.124\\r\\nProcessGuid: {D19882A0-7814-5B1E-0000-001015400100}\\r\\nProcessId: 572\\r\\nImage: C:\\\\Windows\\\\system32\\\\services.exe\\r\\nTargetObject: HKLM\\\\System\\\\CurrentControlSet\\\\services\\\\NAVENG\\\\ImagePath\\r\\nDetails: \\\\??\\\\C:\\\\ProgramData\\\\Symantec\\\\Symantec Endpoint Protection\\\\12.1.5337.5000.105\\\\Data\\\\Definitions\\\\VirusDefs\\\\20100330.020\\\\ENG64.SYS\",\"Category\":\"Registry value set (rule: RegistryEvent)\",\"Opcode\":\"Informations\",\"RuleName\":\"T1031,T1050\",\"UtcTime\":\"2010-03-31 13:02:03.124\",\"ProcessGuid\":\"{D19882A0-7814-5B1E-0000-001015400100}\",\"Image\":\"C:\\\\Windows\\\\system32\\\\services.exe\",\"TargetObject\":\"HKLM\\\\System\\\\CurrentControlSet\\\\services\\\\NAVENG\\\\ImagePath\",\"Details\":\"\\\\??\\\\C:\\\\ProgramData\\\\Symantec\\\\Symantec Endpoint Protection\\\\12.1.5337.5000.105\\\\Data\\\\Definitions\\\\VirusDefs\\\\20100330.020\\\\ENG64.SYS\",\"EventReceivedTime\":\"2010-03-31 15:02:05\",\"SourceModuleName\":\"eventlog4\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "13", - "message": "Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2010-03-31 
13:02:03.124\r\nProcessGuid: {D19882A0-7814-5B1E-0000-001015400100}\r\nProcessId: 572\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\services\\NAVENG\\ImagePath\r\nDetails: \\??\\C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Data\\Definitions\\VirusDefs\\20100330.020\\ENG64.SYS", - "provider": "Microsoft-Windows-Sysmon" + "provider": "Microsoft-Windows-Sysmon", + "message": "Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2010-03-31 13:02:03.124\r\nProcessGuid: {D19882A0-7814-5B1E-0000-001015400100}\r\nProcessId: 572\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\services\\NAVENG\\ImagePath\r\nDetails: \\??\\C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Data\\Definitions\\VirusDefs\\20100330.020\\ENG64.SYS" }, "@timestamp": "2010-03-31T13:02:03.124000Z", "action": { "record_id": 49665, "type": "Microsoft-Windows-Sysmon/Operational", "id": 13, - "properties": [ - { - "MessEventType": "SetValue", - "Image": "c:\\windows\\system32\\services.exe", - "Details": "\\??\\C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Data\\Definitions\\VirusDefs\\20100330.020\\ENG64.SYS", - "AccountName": "Syst\u00e8me", - "AccountType": "User", - "Domain": "AUTORITE NT", - "EventType": "INFO", - "OpcodeValue": 0, - "ProcessGuid": "{D19882A0-7814-5B1E-0000-001015400100}", - "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", - "Severity": "INFO", - "TargetObject": "HKLM\\System\\CurrentControlSet\\services\\NAVENG\\ImagePath", - "Task": 13, - "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" - } - ], + "properties": { + "MessEventType": "SetValue", + "Image": "c:\\windows\\system32\\services.exe", + "Details": "\\??\\C:\\ProgramData\\Symantec\\Symantec Endpoint 
Protection\\12.1.5337.5000.105\\Data\\Definitions\\VirusDefs\\20100330.020\\ENG64.SYS", + "AccountName": "Syst\u00e8me", + "AccountType": "User", + "Domain": "AUTORITE NT", + "EventType": "INFO", + "OpcodeValue": 0, + "ProcessGuid": "{D19882A0-7814-5B1E-0000-001015400100}", + "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "Severity": "INFO", + "TargetObject": "HKLM\\System\\CurrentControlSet\\services\\NAVENG\\ImagePath", + "Task": 13, + "SourceName": "Microsoft-Windows-Sysmon", + "Keywords": "-9223372036854775808" + }, "name": "RegistryEvent (Value Set)", "target": "registry" }, 
@@ -4688,35 +4606,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2011-05-11 17:36:44\",\"Hostname\":\"PCFOO4019.Comte.local\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":15,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":2,\"Task\":15,\"OpcodeValue\":0,\"RecordNumber\":111672,\"ProcessID\":5288,\"ThreadID\":6860,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"File stream created:\\r\\nRuleName: -\\r\\nUtcTime: 2011-05-11 15:36:44.305\\r\\nProcessGuid: {3cb7cf38-a48b-609a-490c-000000002a00}\\r\\nProcessId: 3768\\r\\nImage: C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\r\\nTargetFilename: C:\\\\Users\\\\Pipin_Touque\\\\Downloads\\\\HOSTFOO avril 2011_Plan d \u00e9pargne entreprise_1400085 (4).zip:Zone.Identifier\\r\\nCreationUtcTime: 2011-05-11 15:36:43.452\\r\\nHash: MD5=C570199C8261A913BBAA5C7D5020498B,SHA256=0454B363C7F09FF5AB778F07DF4F5FA123CC73E950283234717C50066CB62EA7,IMPHASH=00000000000000000000000000000000\\r\\nContents: [ZoneTransfer] ZoneId=3 HostUrl=https://entreprises.interepargne.natixis.com/ \",\"Category\":\"File stream created (rule: FileCreateStreamHash)\",\"Opcode\":\"Informations\",\"RuleName\":\"-\",\"UtcTime\":\"2011-05-11 15:36:44.305\",\"ProcessGuid\":\"{3cb7cf38-a48b-609a-490c-000000002a00}\",\"Image\":\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\"TargetFilename\":\"C:\\\\Users\\\\Pipin_Touque\\\\Downloads\\\\HOSTFOO avril 2011_Plan d \u00e9pargne entreprise_1400085 (4).zip:Zone.Identifier\",\"CreationUtcTime\":\"2011-05-11 
15:36:43.452\",\"Hash\":\"MD5=C570199C8261A913BBAA5C7D5020498B,SHA256=0454B363C7F09FF5AB778F07DF4F5FA123CC73E950283234717C50066CB62EA7,IMPHASH=00000000000000000000000000000000\",\"Contents\":\"[ZoneTransfer] ZoneId=3 HostUrl=https://entreprises.interepargne.natixis.com/ \",\"EventReceivedTime\":\"2011-05-11 17:36:44\",\"SourceModuleName\":\"evtx_win\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "15", - "message": "File stream created:\r\nRuleName: -\r\nUtcTime: 2011-05-11 15:36:44.305\r\nProcessGuid: {3cb7cf38-a48b-609a-490c-000000002a00}\r\nProcessId: 3768\r\nImage: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\r\nTargetFilename: C:\\Users\\Pipin_Touque\\Downloads\\HOSTFOO avril 2011_Plan d \u00e9pargne entreprise_1400085 (4).zip:Zone.Identifier\r\nCreationUtcTime: 2011-05-11 15:36:43.452\r\nHash: MD5=C570199C8261A913BBAA5C7D5020498B,SHA256=0454B363C7F09FF5AB778F07DF4F5FA123CC73E950283234717C50066CB62EA7,IMPHASH=00000000000000000000000000000000\r\nContents: [ZoneTransfer] ZoneId=3 HostUrl=https://entreprises.interepargne.natixis.com/ ", - "provider": "Microsoft-Windows-Sysmon" + "provider": "Microsoft-Windows-Sysmon", + "message": "File stream created:\r\nRuleName: -\r\nUtcTime: 2011-05-11 15:36:44.305\r\nProcessGuid: {3cb7cf38-a48b-609a-490c-000000002a00}\r\nProcessId: 3768\r\nImage: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\r\nTargetFilename: C:\\Users\\Pipin_Touque\\Downloads\\HOSTFOO avril 2011_Plan d \u00e9pargne entreprise_1400085 (4).zip:Zone.Identifier\r\nCreationUtcTime: 2011-05-11 15:36:43.452\r\nHash: MD5=C570199C8261A913BBAA5C7D5020498B,SHA256=0454B363C7F09FF5AB778F07DF4F5FA123CC73E950283234717C50066CB62EA7,IMPHASH=00000000000000000000000000000000\r\nContents: [ZoneTransfer] ZoneId=3 HostUrl=https://entreprises.interepargne.natixis.com/ " }, "@timestamp": "2011-05-11T15:36:44.305000Z", "action": { "record_id": 111672, "type": "Microsoft-Windows-Sysmon/Operational", "id": 15, - "properties": [ - { - 
"Image": "c:\\program files\\google\\chrome\\application\\chrome.exe", - "AccountName": "Syst\u00e8me", - "AccountType": "User", - "Domain": "AUTORITE NT", - "EventType": "INFO", - "Hash": "MD5=C570199C8261A913BBAA5C7D5020498B,SHA256=0454B363C7F09FF5AB778F07DF4F5FA123CC73E950283234717C50066CB62EA7,IMPHASH=00000000000000000000000000000000", - "OpcodeValue": 0, - "ProcessGuid": "{3cb7cf38-a48b-609a-490c-000000002a00}", - "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", - "Severity": "INFO", - "Task": 15, - "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808", - "TargetFilename": "C:\\Users\\Pipin_Touque\\Downloads\\HOSTFOO avril 2011_Plan d \u00e9pargne entreprise_1400085 (4).zip:Zone.Identifier", - "Content": "ZoneTransfer", - "HostUrl": "https://entreprises.interepargne.natixis.com/", - "ZoneId": "3" - } - ], + "properties": { + "Image": "c:\\program files\\google\\chrome\\application\\chrome.exe", + "AccountName": "Syst\u00e8me", + "AccountType": "User", + "Domain": "AUTORITE NT", + "EventType": "INFO", + "Hash": "MD5=C570199C8261A913BBAA5C7D5020498B,SHA256=0454B363C7F09FF5AB778F07DF4F5FA123CC73E950283234717C50066CB62EA7,IMPHASH=00000000000000000000000000000000", + "OpcodeValue": 0, + "ProcessGuid": "{3cb7cf38-a48b-609a-490c-000000002a00}", + "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "Severity": "INFO", + "Task": 15, + "SourceName": "Microsoft-Windows-Sysmon", + "Keywords": "-9223372036854775808", + "TargetFilename": "C:\\Users\\Pipin_Touque\\Downloads\\HOSTFOO avril 2011_Plan d \u00e9pargne entreprise_1400085 (4).zip:Zone.Identifier", + "Content": "ZoneTransfer", + "HostUrl": "https://entreprises.interepargne.natixis.com/", + "ZoneId": "3" + }, "name": "FileCreateStreamHash" }, "file": { 
@@ -4788,22 +4704,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "record_id": 6045, "type": "Microsoft-Windows-Sysmon/Operational", "id": 16, - "properties": [ - { - "AccountName": "Syst\u00e8me", - "AccountType": "User", - "ConfigurationFile": "C:\\Windows\\ccmcache\\1r\\config.xml", - "ConfigurationFileHash": "SHA256=F89C54AE9EEB2BF3810DC3F1B974A4AC56FF013D0A67BBFBB33D217530279740", - "Domain": "AUTORITE NT", - "EventType": "INFO", - "OpcodeValue": 0, - "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", - "Severity": "INFO", - "Task": 16, - "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" - } - ], + "properties": { + "AccountName": "Syst\u00e8me", + "AccountType": "User", + "ConfigurationFile": "C:\\Windows\\ccmcache\\1r\\config.xml", + "ConfigurationFileHash": "SHA256=F89C54AE9EEB2BF3810DC3F1B974A4AC56FF013D0A67BBFBB33D217530279740", + "Domain": "AUTORITE NT", + "EventType": "INFO", + "OpcodeValue": 0, + "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "Severity": "INFO", + "Task": 16, + "SourceName": "Microsoft-Windows-Sysmon", + "Keywords": "-9223372036854775808" + }, "name": "Sysmon config state changed" }, "log": { 
@@ -4851,32 +4765,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-12-16 12:36:40\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":17,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":1,\"Task\":17,\"OpcodeValue\":0,\"RecordNumber\":1148,\"ProcessID\":8764,\"ThreadID\":2780,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Pipe Created:\\r\\nRuleName: -\\r\\nEventType: CreatePipe\\r\\nUtcTime: 2010-12-16 11:36:40.267\\r\\nProcessGuid: {FC729081-EDD6-5FD9-3D00-000000000500}\\r\\nProcessId: 2584\\r\\nPipeName: \\\\wkssvc\\r\\nImage: c:\\\\windows\\\\system32\\\\svchost.exe\",\"Category\":\"Pipe Created (rule: PipeEvent)\",\"Opcode\":\"Info\",\"RuleName\":\"-\",\"UtcTime\":\"2010-12-16 11:36:40.267\",\"ProcessGuid\":\"{FC729081-EDD6-5FD9-3D00-000000000500}\",\"PipeName\":\"\\\\wkssvc\",\"Image\":\"c:\\\\windows\\\\system32\\\\svchost.exe\",\"EventReceivedTime\":\"2010-12-16 12:36:42\",\"SourceModuleName\":\"eventlog4\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "17", - "message": "Pipe Created:\r\nRuleName: -\r\nEventType: CreatePipe\r\nUtcTime: 2010-12-16 11:36:40.267\r\nProcessGuid: {FC729081-EDD6-5FD9-3D00-000000000500}\r\nProcessId: 2584\r\nPipeName: \\wkssvc\r\nImage: c:\\windows\\system32\\svchost.exe", - "provider": "Microsoft-Windows-Sysmon" + "provider": "Microsoft-Windows-Sysmon", + "message": "Pipe Created:\r\nRuleName: -\r\nEventType: CreatePipe\r\nUtcTime: 2010-12-16 11:36:40.267\r\nProcessGuid: {FC729081-EDD6-5FD9-3D00-000000000500}\r\nProcessId: 2584\r\nPipeName: \\wkssvc\r\nImage: c:\\windows\\system32\\svchost.exe" }, "@timestamp": "2010-12-16T11:36:40.267000Z", "action": { "record_id": 
1148, "type": "Microsoft-Windows-Sysmon/Operational", "id": 17, - "properties": [ - { - "MessEventType": "CreatePipe", - "Image": "c:\\windows\\system32\\svchost.exe", - "AccountName": "SYSTEM", - "AccountType": "User", - "Domain": "NT AUTHORITY", - "EventType": "INFO", - "OpcodeValue": 0, - "PipeName": "\\wkssvc", - "ProcessGuid": "{FC729081-EDD6-5FD9-3D00-000000000500}", - "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", - "Severity": "INFO", - "Task": 17, - "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" - } - ], + "properties": { + "MessEventType": "CreatePipe", + "Image": "c:\\windows\\system32\\svchost.exe", + "AccountName": "SYSTEM", + "AccountType": "User", + "Domain": "NT AUTHORITY", + "EventType": "INFO", + "OpcodeValue": 0, + "PipeName": "\\wkssvc", + "ProcessGuid": "{FC729081-EDD6-5FD9-3D00-000000000500}", + "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "Severity": "INFO", + "Task": 17, + "SourceName": "Microsoft-Windows-Sysmon", + "Keywords": "-9223372036854775808" + }, "name": "Pipe created" }, "log": { 
@@ -4927,32 +4839,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-12-16 12:37:00\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":18,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":1,\"Task\":18,\"OpcodeValue\":0,\"RecordNumber\":1151,\"ProcessID\":8764,\"ThreadID\":2780,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Pipe Connected:\\r\\nRuleName: -\\r\\nEventType: ConnectPipe\\r\\nUtcTime: 2010-12-16 11:37:00.267\\r\\nProcessGuid: {FC729081-EDDC-5FD9-5800-000000000500}\\r\\nProcessId: 4032\\r\\nPipeName: \\\\wkssvc\\r\\nImage: C:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe\",\"Category\":\"Pipe Connected (rule: PipeEvent)\",\"Opcode\":\"Info\",\"RuleName\":\"-\",\"UtcTime\":\"2010-12-16 11:37:00.267\",\"ProcessGuid\":\"{FC729081-EDDC-5FD9-5800-000000000500}\",\"PipeName\":\"\\\\wkssvc\",\"Image\":\"C:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe\",\"EventReceivedTime\":\"2010-12-16 12:37:02\",\"SourceModuleName\":\"eventlog4\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "18", - "message": "Pipe Connected:\r\nRuleName: -\r\nEventType: ConnectPipe\r\nUtcTime: 2010-12-16 11:37:00.267\r\nProcessGuid: {FC729081-EDDC-5FD9-5800-000000000500}\r\nProcessId: 4032\r\nPipeName: \\wkssvc\r\nImage: C:\\Windows\\system32\\wbem\\wmiprvse.exe", - "provider": "Microsoft-Windows-Sysmon" + "provider": "Microsoft-Windows-Sysmon", + "message": "Pipe Connected:\r\nRuleName: -\r\nEventType: ConnectPipe\r\nUtcTime: 2010-12-16 11:37:00.267\r\nProcessGuid: {FC729081-EDDC-5FD9-5800-000000000500}\r\nProcessId: 4032\r\nPipeName: \\wkssvc\r\nImage: C:\\Windows\\system32\\wbem\\wmiprvse.exe" }, "@timestamp": 
"2010-12-16T11:37:00.267000Z", "action": { "record_id": 1151, "type": "Microsoft-Windows-Sysmon/Operational", "id": 18, - "properties": [ - { - "MessEventType": "ConnectPipe", - "Image": "c:\\windows\\system32\\wbem\\wmiprvse.exe", - "AccountName": "SYSTEM", - "AccountType": "User", - "Domain": "NT AUTHORITY", - "EventType": "INFO", - "OpcodeValue": 0, - "PipeName": "\\wkssvc", - "ProcessGuid": "{FC729081-EDDC-5FD9-5800-000000000500}", - "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", - "Severity": "INFO", - "Task": 18, - "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" - } - ], + "properties": { + "MessEventType": "ConnectPipe", + "Image": "c:\\windows\\system32\\wbem\\wmiprvse.exe", + "AccountName": "SYSTEM", + "AccountType": "User", + "Domain": "NT AUTHORITY", + "EventType": "INFO", + "OpcodeValue": 0, + "PipeName": "\\wkssvc", + "ProcessGuid": "{FC729081-EDDC-5FD9-5800-000000000500}", + "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "Severity": "INFO", + "Task": 18, + "SourceName": "Microsoft-Windows-Sysmon", + "Keywords": "-9223372036854775808" + }, "name": "Pipe connected" }, "log": { 
@@ -5003,9 +4913,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2011-03-20 11:19:20\",\"Hostname\":\"PCFOO.corp.net\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":1,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":5,\"Task\":1,\"OpcodeValue\":0,\"RecordNumber\":129451,\"ProcessID\":5044,\"ThreadID\":7472,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Process Create:\\r\\nRuleName: -\\r\\nUtcTime: 2011-03-20 10:19:20.872\\r\\nProcessGuid: {9beb284d-cc28-6055-3602-000000004900}\\r\\nProcessId: 2016\\r\\nImage: C:\\\\Program Files (x86)\\\\Interact\\\\Bin\\\\IAComClient.exe\\r\\nFileVersion: 1.1.1.1\\r\\nDescription: Application IAComClient\\r\\nProduct: Interact\\r\\nCompany: Interact Software\\r\\nOriginalFileName: IAComClient\\r\\nCommandLine: \\\"C:\\\\Program Files (x86)\\\\Interact\\\\Bin\\\\IAComClient.exe\\\"\\r\\nCurrentDirectory: C:\\\\WINDOWS\\\\system32\\\\\\r\\nUser: AUTORITE NT\\\\Syst\u00c3\u00a8me\\r\\nLogonGuid: {9beb284d-c684-6055-e703-000000000000}\\r\\nLogonId: 0x3E7\\r\\nTerminalSessionId: 0\\r\\nIntegrityLevel: System\\r\\nHashes: MD5=6E2ED6BD7A43497C351551D04AEB6444,SHA256=E721BD7242E4571CDBC7729F54118ABAA806FA309059F21F09829B5275C1A751,IMPHASH=5EB894B14A9A429F917FA1E528B4E86B\\r\\nParentProcessGuid: {9beb284d-c689-6055-6900-000000004900}\\r\\nParentProcessId: 4756\\r\\nParentImage: C:\\\\Program Files (x86)\\\\Interact\\\\Bin\\\\IAManager.exe\\r\\nParentCommandLine: \\\"C:\\\\Program Files (x86)\\\\Interact\\\\Bin\\\\IAManager.exe\\\"\",\"Category\":\"Process Create (rule: ProcessCreate)\",\"Opcode\":\"Informations\",\"RuleName\":\"-\",\"UtcTime\":\"2011-03-20 
10:19:20.872\",\"ProcessGuid\":\"{9beb284d-cc28-6055-3602-000000004900}\",\"Image\":\"C:\\\\Program Files (x86)\\\\Interact\\\\Bin\\\\IAComClient.exe\",\"FileVersion\":\"1.1.1.1\",\"Description\":\"Application IAComClient\",\"Product\":\"Interact\",\"Company\":\"Interact Software\",\"OriginalFileName\":\"IAComClient\",\"CommandLine\":\"\\\"C:\\\\Program Files (x86)\\\\Interact\\\\Bin\\\\IAComClient.exe\\\"\",\"CurrentDirectory\":\"C:\\\\WINDOWS\\\\system32\\\\\",\"User\":\"AUTORITE NT\\\\Syst\u00c3\u00a8me\",\"LogonGuid\":\"{9beb284d-c684-6055-e703-000000000000}\",\"LogonId\":\"0x3e7\",\"TerminalSessionId\":\"0\",\"IntegrityLevel\":\"System\",\"Hashes\":\"MD5=6E2ED6BD7A43497C351551D04AEB6444,SHA256=E721BD7242E4571CDBC7729F54118ABAA806FA309059F21F09829B5275C1A751,IMPHASH=5EB894B14A9A429F917FA1E528B4E86B\",\"ParentProcessGuid\":\"{9beb284d-c689-6055-6900-000000004900}\",\"ParentProcessId\":\"4756\",\"ParentImage\":\"C:\\\\Program Files (x86)\\\\Interact\\\\Bin\\\\IAManager.exe\",\"ParentCommandLine\":\"\\\"C:\\\\Program Files (x86)\\\\Interact\\\\Bin\\\\IAManager.exe\\\"\",\"EventReceivedTime\":\"2011-03-20 11:19:22\",\"SourceModuleName\":\"evtx_win\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "1", - "message": "Process Create:\r\nRuleName: -\r\nUtcTime: 2011-03-20 10:19:20.872\r\nProcessGuid: {9beb284d-cc28-6055-3602-000000004900}\r\nProcessId: 2016\r\nImage: C:\\Program Files (x86)\\Interact\\Bin\\IAComClient.exe\r\nFileVersion: 1.1.1.1\r\nDescription: Application IAComClient\r\nProduct: Interact\r\nCompany: Interact Software\r\nOriginalFileName: IAComClient\r\nCommandLine: \"C:\\Program Files (x86)\\Interact\\Bin\\IAComClient.exe\"\r\nCurrentDirectory: C:\\WINDOWS\\system32\\\r\nUser: AUTORITE NT\\Syst\u00c3\u00a8me\r\nLogonGuid: {9beb284d-c684-6055-e703-000000000000}\r\nLogonId: 0x3E7\r\nTerminalSessionId: 0\r\nIntegrityLevel: System\r\nHashes: 
MD5=6E2ED6BD7A43497C351551D04AEB6444,SHA256=E721BD7242E4571CDBC7729F54118ABAA806FA309059F21F09829B5275C1A751,IMPHASH=5EB894B14A9A429F917FA1E528B4E86B\r\nParentProcessGuid: {9beb284d-c689-6055-6900-000000004900}\r\nParentProcessId: 4756\r\nParentImage: C:\\Program Files (x86)\\Interact\\Bin\\IAManager.exe\r\nParentCommandLine: \"C:\\Program Files (x86)\\Interact\\Bin\\IAManager.exe\"", "provider": "Microsoft-Windows-Sysmon", - "reason": "Application IAComClient" + "reason": "Application IAComClient", + "message": "Process Create:\r\nRuleName: -\r\nUtcTime: 2011-03-20 10:19:20.872\r\nProcessGuid: {9beb284d-cc28-6055-3602-000000004900}\r\nProcessId: 2016\r\nImage: C:\\Program Files (x86)\\Interact\\Bin\\IAComClient.exe\r\nFileVersion: 1.1.1.1\r\nDescription: Application IAComClient\r\nProduct: Interact\r\nCompany: Interact Software\r\nOriginalFileName: IAComClient\r\nCommandLine: \"C:\\Program Files (x86)\\Interact\\Bin\\IAComClient.exe\"\r\nCurrentDirectory: C:\\WINDOWS\\system32\\\r\nUser: AUTORITE NT\\Syst\u00c3\u00a8me\r\nLogonGuid: {9beb284d-c684-6055-e703-000000000000}\r\nLogonId: 0x3E7\r\nTerminalSessionId: 0\r\nIntegrityLevel: System\r\nHashes: MD5=6E2ED6BD7A43497C351551D04AEB6444,SHA256=E721BD7242E4571CDBC7729F54118ABAA806FA309059F21F09829B5275C1A751,IMPHASH=5EB894B14A9A429F917FA1E528B4E86B\r\nParentProcessGuid: {9beb284d-c689-6055-6900-000000004900}\r\nParentProcessId: 4756\r\nParentImage: C:\\Program Files (x86)\\Interact\\Bin\\IAManager.exe\r\nParentCommandLine: \"C:\\Program Files (x86)\\Interact\\Bin\\IAManager.exe\"" }, "@timestamp": "2011-03-20T10:19:20.872000Z", "process": { 
@@ -5035,24 +4945,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "record_id": 129451, "type": "Microsoft-Windows-Sysmon/Operational", "id": 1, - "properties": [ - { - "Image": "c:\\program files (x86)\\interact\\bin\\iacomclient.exe", - "ParentImage": "c:\\program files (x86)\\interact\\bin\\iamanager.exe", - "AccountName": "Syst\u00e8me", - "AccountType": "User", - "Domain": "AUTORITE NT", - "EventType": "INFO", - "OpcodeValue": 0, - "ProcessGuid": "{9beb284d-cc28-6055-3602-000000004900}", - "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", - "Severity": "INFO", - "Task": 1, - "User": "AUTORITE NT\\Syst\u00c3\u00a8me", - "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" - } - ], + "properties": { + "Image": "c:\\program files (x86)\\interact\\bin\\iacomclient.exe", + "ParentImage": "c:\\program files (x86)\\interact\\bin\\iamanager.exe", + "AccountName": "Syst\u00e8me", + "AccountType": "User", + "Domain": "AUTORITE NT", + "EventType": "INFO", + "OpcodeValue": 0, + "ProcessGuid": "{9beb284d-cc28-6055-3602-000000004900}", + "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "Severity": "INFO", + "Task": 1, + "User": "AUTORITE NT\\Syst\u00c3\u00a8me", + "SourceName": "Microsoft-Windows-Sysmon", + "Keywords": "-9223372036854775808" + }, "name": "Process creation" }, "log": { 
@@ -5097,9 +5005,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2023-09-05 12:28:34\",\"Hostname\":\"foo-vm\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":1,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":5,\"Task\":1,\"OpcodeValue\":0,\"RecordNumber\":13871322,\"ProcessID\":2992,\"ThreadID\":748,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Process Create:\\r\\nRuleName: -\\r\\nUtcTime: 2023-09-05 12:28:34.887\\r\\nProcessGuid: {178446c4-1ef2-64f7-fa8d-010000001100}\\r\\nProcessId: 18144\\r\\nImage: C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\SDXHelper.exe\\r\\nFileVersion: 16.0.16626.20170\\r\\nDescription: Microsoft Office SDX Helper\\r\\nProduct: Microsoft Office\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: SDXHELPER.EXE\\r\\nCommandLine: \\\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\sdxhelper.exe\\\" /onlogon\\r\\nCurrentDirectory: C:\\\\Windows\\\\system32\\\\\\r\\nUser: foo-vm\\\\adminuser\\r\\nLogonGuid: {178446c4-8d94-6495-fdfa-190200000000}\\r\\nLogonId: 0x219FAFD\\r\\nTerminalSessionId: 2\\r\\nIntegrityLevel: High\\r\\nHashes: MD5=F924BBC6FBF646FA0478AEBE5D37504C,SHA256=4494AA7BF1058262F3D2F412B681AF2AF42E34490144FBFD0DB579D966B8FBB6,IMPHASH=0AE5922AFCEF4767754A10F016CD4B30\\r\\nParentProcessGuid: {178446c4-7a9f-6491-2800-000000001100}\\r\\nParentProcessId: 1772\\r\\nParentImage: C:\\\\Windows\\\\System32\\\\svchost.exe\\r\\nParentCommandLine: C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvfoo -p -s Schedule\\r\\nParentUser: NT AUTHORITY\\\\SYSTEM\",\"Category\":\"Process Create (rule: ProcessCreate)\",\"Opcode\":\"Info\",\"RuleName\":\"-\",\"UtcTime\":\"2023-09-05 
12:28:34.887\",\"ProcessGuid\":\"{178446c4-1ef2-64f7-fa8d-010000001100}\",\"Image\":\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\SDXHelper.exe\",\"FileVersion\":\"16.0.16626.20170\",\"Description\":\"Microsoft Office SDX Helper\",\"Product\":\"Microsoft Office\",\"Company\":\"Microsoft Corporation\",\"OriginalFileName\":\"SDXHELPER.EXE\",\"CommandLine\":\"\\\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\sdxhelper.exe\\\" /onlogon\",\"CurrentDirectory\":\"C:\\\\Windows\\\\system32\\\\\",\"User\":\"foo-vm\\\\adminuser\",\"LogonGuid\":\"{178446c4-8d94-6495-fdfa-190200000000}\",\"LogonId\":\"0x219fafd\",\"TerminalSessionId\":\"2\",\"IntegrityLevel\":\"High\",\"Hashes\":\"MD5=F924BBC6FBF646FA0478AEBE5D37504C,SHA256=4494AA7BF1058262F3D2F412B681AF2AF42E34490144FBFD0DB579D966B8FBB6,IMPHASH=0AE5922AFCEF4767754A10F016CD4B30\",\"ParentProcessGuid\":\"{178446c4-7a9f-6491-2800-000000001100}\",\"ParentProcessId\":\"1772\",\"ParentImage\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"ParentCommandLine\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvfoo -p -s Schedule\",\"ParentUser\":\"NT AUTHORITY\\\\SYSTEM\",\"EventReceivedTime\":\"2023-09-05 12:28:35\",\"SourceModuleName\":\"eventlog4\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "1", - "message": "Process Create:\r\nRuleName: -\r\nUtcTime: 2023-09-05 12:28:34.887\r\nProcessGuid: {178446c4-1ef2-64f7-fa8d-010000001100}\r\nProcessId: 18144\r\nImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\SDXHelper.exe\r\nFileVersion: 16.0.16626.20170\r\nDescription: Microsoft Office SDX Helper\r\nProduct: Microsoft Office\r\nCompany: Microsoft Corporation\r\nOriginalFileName: SDXHELPER.EXE\r\nCommandLine: \"C:\\Program Files\\Microsoft Office\\root\\Office16\\sdxhelper.exe\" /onlogon\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: foo-vm\\adminuser\r\nLogonGuid: {178446c4-8d94-6495-fdfa-190200000000}\r\nLogonId: 0x219FAFD\r\nTerminalSessionId: 2\r\nIntegrityLevel: 
High\r\nHashes: MD5=F924BBC6FBF646FA0478AEBE5D37504C,SHA256=4494AA7BF1058262F3D2F412B681AF2AF42E34490144FBFD0DB579D966B8FBB6,IMPHASH=0AE5922AFCEF4767754A10F016CD4B30\r\nParentProcessGuid: {178446c4-7a9f-6491-2800-000000001100}\r\nParentProcessId: 1772\r\nParentImage: C:\\Windows\\System32\\svchost.exe\r\nParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvfoo -p -s Schedule\r\nParentUser: NT AUTHORITY\\SYSTEM", "provider": "Microsoft-Windows-Sysmon", - "reason": "Microsoft Office SDX Helper" + "reason": "Microsoft Office SDX Helper", + "message": "Process Create:\r\nRuleName: -\r\nUtcTime: 2023-09-05 12:28:34.887\r\nProcessGuid: {178446c4-1ef2-64f7-fa8d-010000001100}\r\nProcessId: 18144\r\nImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\SDXHelper.exe\r\nFileVersion: 16.0.16626.20170\r\nDescription: Microsoft Office SDX Helper\r\nProduct: Microsoft Office\r\nCompany: Microsoft Corporation\r\nOriginalFileName: SDXHELPER.EXE\r\nCommandLine: \"C:\\Program Files\\Microsoft Office\\root\\Office16\\sdxhelper.exe\" /onlogon\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: foo-vm\\adminuser\r\nLogonGuid: {178446c4-8d94-6495-fdfa-190200000000}\r\nLogonId: 0x219FAFD\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashes: MD5=F924BBC6FBF646FA0478AEBE5D37504C,SHA256=4494AA7BF1058262F3D2F412B681AF2AF42E34490144FBFD0DB579D966B8FBB6,IMPHASH=0AE5922AFCEF4767754A10F016CD4B30\r\nParentProcessGuid: {178446c4-7a9f-6491-2800-000000001100}\r\nParentProcessId: 1772\r\nParentImage: C:\\Windows\\System32\\svchost.exe\r\nParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvfoo -p -s Schedule\r\nParentUser: NT AUTHORITY\\SYSTEM" }, "@timestamp": "2023-09-05T12:28:34.887000Z", "process": { 
@@ -5129,24 +5037,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "record_id": 13871322, "type": "Microsoft-Windows-Sysmon/Operational", "id": 1, - "properties": [ - { - "Image": "c:\\program files\\microsoft office\\root\\office16\\sdxhelper.exe", - "ParentImage": "c:\\windows\\system32\\svchost.exe", - "AccountName": "SYSTEM", - "AccountType": "User", - "Domain": "NT AUTHORITY", - "EventType": "INFO", - "OpcodeValue": 0, - "ProcessGuid": "{178446c4-1ef2-64f7-fa8d-010000001100}", - "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", - "Severity": "INFO", - "Task": 1, - "User": "foo-vm\\adminuser", - "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" - } - ], + "properties": { + "Image": "c:\\program files\\microsoft office\\root\\office16\\sdxhelper.exe", + "ParentImage": "c:\\windows\\system32\\svchost.exe", + "AccountName": "SYSTEM", + "AccountType": "User", + "Domain": "NT AUTHORITY", + "EventType": "INFO", + "OpcodeValue": 0, + "ProcessGuid": "{178446c4-1ef2-64f7-fa8d-010000001100}", + "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "Severity": "INFO", + "Task": 1, + "User": "foo-vm\\adminuser", + "SourceName": "Microsoft-Windows-Sysmon", + "Keywords": "-9223372036854775808" + }, "name": "Process creation" }, "log": { 
@@ -5191,33 +5097,31 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-12-18 15:57:58\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":20,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":3,\"Task\":20,\"OpcodeValue\":0,\"RecordNumber\":17336,\"ProcessID\":3140,\"ThreadID\":4420,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"WmiEventConsumer activity detected:\\r\\nRuleName: -\\r\\nEventType: WmiConsumerEvent\\r\\nUtcTime: 2010-12-18 14:57:58.828\\r\\nOperation: Created\\r\\nUser: DESKTOP-FOOBARZ\\\\userXYZ\\r\\nName: \\\"ServiceConsumer\\\"\\r\\nType: Log File\\r\\nDestination: \\\"C:\\\\\\\\Log.log\\\"\",\"Category\":\"WmiEventConsumer activity detected (rule: WmiEvent)\",\"Opcode\":\"Info\",\"RuleName\":\"-\",\"UtcTime\":\"2010-12-18 14:57:58.828\",\"Operation\":\"Created\",\"User\":\"DESKTOP-FOOBARZ\\\\userXYZ\",\"Name\":\" \\\"ServiceConsumer\\\"\",\"Type\":\"Log File\",\"Destination\":\" \\\"C:\\\\\\\\Log.log\\\"\",\"EventReceivedTime\":\"2010-12-18 15:58:00\",\"SourceModuleName\":\"eventlog4\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "20", - "message": "WmiEventConsumer activity detected:\r\nRuleName: -\r\nEventType: WmiConsumerEvent\r\nUtcTime: 2010-12-18 14:57:58.828\r\nOperation: Created\r\nUser: DESKTOP-FOOBARZ\\userXYZ\r\nName: \"ServiceConsumer\"\r\nType: Log File\r\nDestination: \"C:\\\\Log.log\"", - "provider": "Microsoft-Windows-Sysmon" + "provider": "Microsoft-Windows-Sysmon", + "message": "WmiEventConsumer activity detected:\r\nRuleName: -\r\nEventType: WmiConsumerEvent\r\nUtcTime: 2010-12-18 14:57:58.828\r\nOperation: Created\r\nUser: DESKTOP-FOOBARZ\\userXYZ\r\nName: 
\"ServiceConsumer\"\r\nType: Log File\r\nDestination: \"C:\\\\Log.log\"" }, "@timestamp": "2010-12-18T14:57:58.828000Z", "action": { "record_id": 17336, "type": "Microsoft-Windows-Sysmon/Operational", "id": 20, - "properties": [ - { - "MessEventType": "WmiConsumerEvent", - "AccountName": "SYSTEM", - "AccountType": "User", - "Destination": " \"C:\\\\Log.log\"", - "Domain": "NT AUTHORITY", - "EventType": "INFO", - "OpcodeValue": 0, - "Operation": "Created", - "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", - "Severity": "INFO", - "Task": 20, - "Type": "Log File", - "User": "DESKTOP-FOOBARZ\\userXYZ", - "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" - } - ], + "properties": { + "MessEventType": "WmiConsumerEvent", + "AccountName": "SYSTEM", + "AccountType": "User", + "Destination": " \"C:\\\\Log.log\"", + "Domain": "NT AUTHORITY", + "EventType": "INFO", + "OpcodeValue": 0, + "Operation": "Created", + "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "Severity": "INFO", + "Task": 20, + "Type": "Log File", + "User": "DESKTOP-FOOBARZ\\userXYZ", + "SourceName": "Microsoft-Windows-Sysmon", + "Keywords": "-9223372036854775808" + }, "name": "WmiEventConsumer activity detected" }, "log": { 
@@ -5265,30 +5169,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-02-14 14:50:28\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":22,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":5,\"Task\":22,\"OpcodeValue\":0,\"RecordNumber\":23609,\"ProcessID\":2556,\"ThreadID\":3448,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\ufffdme\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Dns query:\\r\\nRuleName: \\r\\nUtcTime: 2010-02-10 12:10:41.909\\r\\nProcessGuid: {c8188de9-a5a2-5e46-0000-00104fae7900}\\r\\nProcessId: 5228\\r\\nQueryName: login.live.com\\r\\nQueryStatus: 0\\r\\nQueryResults: type: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:1.1.1.1;::ffff:1.1.1.1;::ffff:1.1.1.1;1.1.1.1;1.1.1.1;\\r\\nImage: C:\\\\WINDOWS\\\\system32\\\\svchost.exe\",\"Category\":\"Dns query (rule: DnsQuery)\",\"Opcode\":\"Informations\",\"UtcTime\":\"2010-02-10 12:10:41.909\",\"ProcessGuid\":\"{c8188de9-a5a2-5e46-0000-00104fae7900}\",\"QueryName\":\"login.live.com\",\"QueryStatus\":\"0\",\"QueryResults\":\"type: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:1.1.1.1;::ffff:1.1.1.1;::ffff:1.1.1.1;1.1.1.1;1.1.1.1;\",\"Image\":\"C:\\\\WINDOWS\\\\system32\\\\svchost.exe\",\"EventReceivedTime\":\"2010-02-14 14:50:29\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "22", - "message": "Dns query:\r\nRuleName: \r\nUtcTime: 2010-02-10 12:10:41.909\r\nProcessGuid: {c8188de9-a5a2-5e46-0000-00104fae7900}\r\nProcessId: 5228\r\nQueryName: login.live.com\r\nQueryStatus: 0\r\nQueryResults: type: 5 login.msa.msidentity.com;type: 5 
lgin.msa.trafficmanager.net;::ffff:1.1.1.1;::ffff:1.1.1.1;::ffff:1.1.1.1;1.1.1.1;1.1.1.1;\r\nImage: C:\\WINDOWS\\system32\\svchost.exe", - "provider": "Microsoft-Windows-Sysmon" + "provider": "Microsoft-Windows-Sysmon", + "message": "Dns query:\r\nRuleName: \r\nUtcTime: 2010-02-10 12:10:41.909\r\nProcessGuid: {c8188de9-a5a2-5e46-0000-00104fae7900}\r\nProcessId: 5228\r\nQueryName: login.live.com\r\nQueryStatus: 0\r\nQueryResults: type: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:1.1.1.1;::ffff:1.1.1.1;::ffff:1.1.1.1;1.1.1.1;1.1.1.1;\r\nImage: C:\\WINDOWS\\system32\\svchost.exe" }, "@timestamp": "2010-02-10T12:10:41.909000Z", "action": { "record_id": 23609, "type": "Microsoft-Windows-Sysmon/Operational", "id": 22, - "properties": [ - { - "Image": "c:\\windows\\system32\\svchost.exe", - "AccountName": "Syst\ufffdme", - "AccountType": "User", - "Domain": "AUTORITE NT", - "EventType": "INFO", - "OpcodeValue": 0, - "ProcessGuid": "{c8188de9-a5a2-5e46-0000-00104fae7900}", - "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", - "Severity": "INFO", - "Task": 22, - "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" - } - ], + "properties": { + "Image": "c:\\windows\\system32\\svchost.exe", + "AccountName": "Syst\ufffdme", + "AccountType": "User", + "Domain": "AUTORITE NT", + "EventType": "INFO", + "OpcodeValue": 0, + "ProcessGuid": "{c8188de9-a5a2-5e46-0000-00104fae7900}", + "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "Severity": "INFO", + "Task": 22, + "SourceName": "Microsoft-Windows-Sysmon", + "Keywords": "-9223372036854775808" + }, "name": "DNS query" }, "log": { 
@@ -5388,23 +5290,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "record_id": 514759, "type": "Microsoft-Windows-Sysmon/Operational", "id": 25, - "properties": [ - { - "Image": "c:\\windows\\syswow64\\svchost.exe", - "AccountName": "SYSTEM", - "AccountType": "User", - "Domain": "NT AUTHORITY", - "EventType": "INFO", - "OpcodeValue": 0, - "ProcessGuid": "{ab376ee3-7152-60a2-6808-000000001000}", - "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", - "Severity": "INFO", - "Task": 25, - "Type": "Image is replaced", - "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" - } - ], + "properties": { + "Image": "c:\\windows\\syswow64\\svchost.exe", + "AccountName": "SYSTEM", + "AccountType": "User", + "Domain": "NT AUTHORITY", + "EventType": "INFO", + "OpcodeValue": 0, + "ProcessGuid": "{ab376ee3-7152-60a2-6808-000000001000}", + "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "Severity": "INFO", + "Task": 25, + "Type": "Image is replaced", + "SourceName": "Microsoft-Windows-Sysmon", + "Keywords": "-9223372036854775808" + }, "name": "Process Tampering" }, "log": { 
@@ -5455,29 +5355,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2012-09-08 13:12:51\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854776000,\"EventType\":\"ERROR\",\"SeverityValue\":4,\"Severity\":\"ERROR\",\"EventID\":255,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":3,\"Task\":255,\"OpcodeValue\":0,\"RecordNumber\":320976,\"ProcessID\":2788,\"ThreadID\":4008,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Error report:\\r\\nUtcTime: 2012-09-08 11:12:51.685\\r\\nID: DriverCommunication\\r\\nDescription: Failed to retrieve events - Last error: L'op\u00e9ration d'entr\u00e9e/sortie a \u00e9t\u00e9 abandonn\u00e9e en raison de l'arr\u00eat d'un thread ou \u00e0 la demande d'une application.\\r\\n\",\"Opcode\":\"Informations\",\"UtcTime\":\"2012-09-08 11:12:51.685\",\"ID\":\"DriverCommunication\",\"Description\":\"Failed to retrieve events - Last error: L'op\u00e9ration d'entr\u00e9e/sortie a \u00e9t\u00e9 abandonn\u00e9e en raison de l'arr\u00eat d'un thread ou \u00e0 la demande d'une application.\\r\\n\",\"EventReceivedTime\":\"2012-09-08 13:12:53\",\"SourceModuleName\":\"evtx_win\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "255", - "message": "Error report:\r\nUtcTime: 2012-09-08 11:12:51.685\r\nID: DriverCommunication\r\nDescription: Failed to retrieve events - Last error: L'op\u00e9ration d'entr\u00e9e/sortie a \u00e9t\u00e9 abandonn\u00e9e en raison de l'arr\u00eat d'un thread ou \u00e0 la demande d'une application.\r\n", "provider": "Microsoft-Windows-Sysmon", - "reason": "Failed to retrieve events - Last error: L'op\u00e9ration d'entr\u00e9e/sortie a \u00e9t\u00e9 abandonn\u00e9e en raison de l'arr\u00eat d'un thread ou \u00e0 la demande d'une application.\r\n" + 
"reason": "Failed to retrieve events - Last error: L'op\u00e9ration d'entr\u00e9e/sortie a \u00e9t\u00e9 abandonn\u00e9e en raison de l'arr\u00eat d'un thread ou \u00e0 la demande d'une application.\r\n", + "message": "Error report:\r\nUtcTime: 2012-09-08 11:12:51.685\r\nID: DriverCommunication\r\nDescription: Failed to retrieve events - Last error: L'op\u00e9ration d'entr\u00e9e/sortie a \u00e9t\u00e9 abandonn\u00e9e en raison de l'arr\u00eat d'un thread ou \u00e0 la demande d'une application.\r\n" }, "@timestamp": "2012-09-08T11:12:51.685000Z", "action": { "record_id": 320976, "type": "Microsoft-Windows-Sysmon/Operational", "id": 255, - "properties": [ - { - "AccountName": "Syst\u00e8me", - "AccountType": "User", - "Domain": "AUTORITE NT", - "EventType": "ERROR", - "OpcodeValue": 0, - "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", - "Severity": "ERROR", - "Task": 255, - "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" - } - ] + "properties": { + "AccountName": "Syst\u00e8me", + "AccountType": "User", + "Domain": "AUTORITE NT", + "EventType": "ERROR", + "OpcodeValue": 0, + "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "Severity": "ERROR", + "Task": 255, + "SourceName": "Microsoft-Windows-Sysmon", + "Keywords": "-9223372036854775808" + } }, "log": { "hostname": "DESKTOP-FOOBARZ", 
@@ -5524,32 +5422,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2019-12-16 08:46:46\",\"Hostname\":\"USERNAME01.ACT.CORP.local\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":3,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":5,\"Task\":3,\"OpcodeValue\":0,\"RecordNumber\":3463,\"ProcessID\":4492,\"ThreadID\":8112,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\ufffdme\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Network connection detected:\\r\\nRuleName: \\r\\nUtcTime: 2019-12-16 07:46:27.307\\r\\nProcessGuid: {23AD1E42-B4C1-5C41-0000-0010B4020100}\\r\\nProcessId: 564\\r\\nImage: C:\\\\Windows\\\\System32\\\\lsass.exe\\r\\nUser: AUTORITE NT\\\\Syst\u00e8me\\r\\nProtocol: udp\\r\\nInitiated: true\\r\\nSourceIsIpv6: false\\r\\nSourceIp: 1.1.1.1\\r\\nSourceHostname: USERNAME01.ACT.CORP.local\\r\\nSourcePort: 389\\r\\nSourcePortName: \\r\\nDestinationIsIpv6: false\\r\\nDestinationIp: 1.1.1.1\\r\\nDestinationHostname: \\r\\nDestinationPort: 1723\\r\\nDestinationPortName: \",\"Category\":\"Network connection detected (rule: NetworkConnect)\",\"Opcode\":\"Informations\",\"UtcTime\":\"2019-12-16 07:46:27.307\",\"ProcessGuid\":\"{23AD1E42-B4C1-5C41-0000-0010B4020100}\",\"Image\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\",\"User\":\"AUTORITE NT\\\\Syst\u00e8me\",\"Protocol\":\"udp\",\"Initiated\":\"true\",\"SourceIsIpv6\":\"false\",\"SourceIp\":\"1.1.1.1\",\"SourceHostname\":\"USERNAME01.ACT.CORP.local\",\"SourcePort\":\"389\",\"DestinationIsIpv6\":\"false\",\"DestinationIp\":\"1.1.1.1\",\"DestinationPort\":\"1723\",\"EventReceivedTime\":\"2019-12-16 08:46:47\",\"SourceModuleName\":\"eventlog4\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "3", - "message": "Network connection 
detected:\r\nRuleName: \r\nUtcTime: 2019-12-16 07:46:27.307\r\nProcessGuid: {23AD1E42-B4C1-5C41-0000-0010B4020100}\r\nProcessId: 564\r\nImage: C:\\Windows\\System32\\lsass.exe\r\nUser: AUTORITE NT\\Syst\u00e8me\r\nProtocol: udp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 1.1.1.1\r\nSourceHostname: USERNAME01.ACT.CORP.local\r\nSourcePort: 389\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 1.1.1.1\r\nDestinationHostname: \r\nDestinationPort: 1723\r\nDestinationPortName: ", - "provider": "Microsoft-Windows-Sysmon" + "provider": "Microsoft-Windows-Sysmon", + "message": "Network connection detected:\r\nRuleName: \r\nUtcTime: 2019-12-16 07:46:27.307\r\nProcessGuid: {23AD1E42-B4C1-5C41-0000-0010B4020100}\r\nProcessId: 564\r\nImage: C:\\Windows\\System32\\lsass.exe\r\nUser: AUTORITE NT\\Syst\u00e8me\r\nProtocol: udp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 1.1.1.1\r\nSourceHostname: USERNAME01.ACT.CORP.local\r\nSourcePort: 389\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 1.1.1.1\r\nDestinationHostname: \r\nDestinationPort: 1723\r\nDestinationPortName: " }, "@timestamp": "2019-12-16T07:46:27.307000Z", "action": { "record_id": 3463, "type": "Microsoft-Windows-Sysmon/Operational", "id": 3, - "properties": [ - { - "Image": "c:\\windows\\system32\\lsass.exe", - "AccountName": "Syst\ufffdme", - "AccountType": "User", - "Domain": "AUTORITE NT", - "EventType": "INFO", - "OpcodeValue": 0, - "ProcessGuid": "{23AD1E42-B4C1-5C41-0000-0010B4020100}", - "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", - "Severity": "INFO", - "Task": 3, - "User": "AUTORITE NT\\Syst\u00e8me", - "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808", - "DestinationPort": "1723" - } - ], + "properties": { + "Image": "c:\\windows\\system32\\lsass.exe", + "AccountName": "Syst\ufffdme", + "AccountType": "User", + "Domain": "AUTORITE NT", + "EventType": "INFO", + "OpcodeValue": 0, + "ProcessGuid": 
"{23AD1E42-B4C1-5C41-0000-0010B4020100}", + "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "Severity": "INFO", + "Task": 3, + "User": "AUTORITE NT\\Syst\u00e8me", + "SourceName": "Microsoft-Windows-Sysmon", + "Keywords": "-9223372036854775808", + "DestinationPort": "1723" + }, "name": "Network connection", "target": "network-traffic" }, 
@@ -5620,32 +5516,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-10-09 03:03:03\",\"Hostname\":\"HOSTNAMEFOO.ACT.CORP.local\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":6,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":3,\"Task\":6,\"OpcodeValue\":0,\"RecordNumber\":82505,\"ProcessID\":2456,\"ThreadID\":3548,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Driver loaded:\\r\\nRuleName: \\r\\nUtcTime: 2010-10-09 01:03:03.880\\r\\nImageLoaded: C:\\\\ProgramData\\\\Symantec\\\\Symantec Endpoint Protection\\\\12.1.5337.5000.105\\\\Data\\\\Definitions\\\\VirusDefs\\\\20101008.007\\\\eng64.sys\\r\\nHashes: MD5=BE2D7ADB437EB7C9607D60F481729C1F,SHA256=873E305A5BBCC47D0729B4E015F8C06BFF8E381F4A115B0CC8A9961A236B18B2,IMPHASH=48152BC64CB1EA5E4592C852D8BAC3FD\\r\\nSigned: true\\r\\nSignature: Symantec Corporation\\r\\nSignatureStatus: Valid\",\"Category\":\"Driver loaded (rule: DriverLoad)\",\"Opcode\":\"Informations\",\"UtcTime\":\"2010-10-09 01:03:03.880\",\"ImageLoaded\":\"C:\\\\ProgramData\\\\Symantec\\\\Symantec Endpoint Protection\\\\12.1.5337.5000.105\\\\Data\\\\Definitions\\\\VirusDefs\\\\20101008.007\\\\eng64.sys\",\"Hashes\":\"MD5=BE2D7ADB437EB7C9607D60F481729C1F,SHA256=873E305A5BBCC47D0729B4E015F8C06BFF8E381F4A115B0CC8A9961A236B18B2,IMPHASH=48152BC64CB1EA5E4592C852D8BAC3FD\",\"Signed\":\"true\",\"Signature\":\"Symantec Corporation\",\"SignatureStatus\":\"Valid\",\"EventReceivedTime\":\"2010-10-09 03:03:05\",\"SourceModuleName\":\"eventlog4\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "6", - "message": "Driver loaded:\r\nRuleName: \r\nUtcTime: 2010-10-09 01:03:03.880\r\nImageLoaded: C:\\ProgramData\\Symantec\\Symantec 
Endpoint Protection\\12.1.5337.5000.105\\Data\\Definitions\\VirusDefs\\20101008.007\\eng64.sys\r\nHashes: MD5=BE2D7ADB437EB7C9607D60F481729C1F,SHA256=873E305A5BBCC47D0729B4E015F8C06BFF8E381F4A115B0CC8A9961A236B18B2,IMPHASH=48152BC64CB1EA5E4592C852D8BAC3FD\r\nSigned: true\r\nSignature: Symantec Corporation\r\nSignatureStatus: Valid", - "provider": "Microsoft-Windows-Sysmon" + "provider": "Microsoft-Windows-Sysmon", + "message": "Driver loaded:\r\nRuleName: \r\nUtcTime: 2010-10-09 01:03:03.880\r\nImageLoaded: C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Data\\Definitions\\VirusDefs\\20101008.007\\eng64.sys\r\nHashes: MD5=BE2D7ADB437EB7C9607D60F481729C1F,SHA256=873E305A5BBCC47D0729B4E015F8C06BFF8E381F4A115B0CC8A9961A236B18B2,IMPHASH=48152BC64CB1EA5E4592C852D8BAC3FD\r\nSigned: true\r\nSignature: Symantec Corporation\r\nSignatureStatus: Valid" }, "@timestamp": "2010-10-09T01:03:03.880000Z", "action": { "record_id": 82505, "type": "Microsoft-Windows-Sysmon/Operational", "id": 6, - "properties": [ - { - "AccountName": "Syst\u00e8me", - "AccountType": "User", - "Domain": "AUTORITE NT", - "EventType": "INFO", - "ImageLoaded": "c:\\programdata\\symantec\\symantec endpoint protection\\12.1.5337.5000.105\\data\\definitions\\virusdefs\\20101008.007\\eng64.sys", - "OpcodeValue": 0, - "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", - "Severity": "INFO", - "Signature": "Symantec Corporation", - "SignatureStatus": "Valid", - "Signed": "true", - "Task": 6, - "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" - } - ], + "properties": { + "AccountName": "Syst\u00e8me", + "AccountType": "User", + "Domain": "AUTORITE NT", + "EventType": "INFO", + "ImageLoaded": "c:\\programdata\\symantec\\symantec endpoint protection\\12.1.5337.5000.105\\data\\definitions\\virusdefs\\20101008.007\\eng64.sys", + "OpcodeValue": 0, + "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "Severity": "INFO", + "Signature": "Symantec 
Corporation", + "SignatureStatus": "Valid", + "Signed": "true", + "Task": 6, + "SourceName": "Microsoft-Windows-Sysmon", + "Keywords": "-9223372036854775808" + }, "name": "Driver loaded" }, "log": { 
@@ -5705,35 +5599,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-12-08 14:12:27\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":7,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":3,\"Task\":7,\"OpcodeValue\":0,\"RecordNumber\":3035010,\"ProcessID\":10164,\"ThreadID\":5408,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Image loaded:\\r\\nRuleName: \\r\\nUtcTime: 2010-12-08 13:12:27.356\\r\\nProcessGuid: {c8188de9-7bbb-5fcf-0000-0010f7277203}\\r\\nProcessId: 10540\\r\\nImage: C:\\\\Program Files\\\\WindowsApps\\\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\\\HxTsr.exe\\r\\nImageLoaded: C:\\\\Windows\\\\System32\\\\bcryptprimitives.dll\\r\\nFileVersion: 10.0.18362.836 (WinBuild.160101.0800)\\r\\nDescription: Windows Cryptographic Primitives Library\\r\\nProduct: Microsoft\u00c2\u00ae Windows\u00c2\u00ae Operating System\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: bcryptprimitives.dll\\r\\nHashes: MD5=EF2BBEAFF07D32A2EC77FB4602FA9664,SHA256=6B47F3E88CDEDF8F31F91940E38A4544818C79D153323262F9F46B21F41D262C\\r\\nSigned: true\\r\\nSignature: Microsoft Windows\\r\\nSignatureStatus: Valid\",\"Category\":\"Image loaded (rule: ImageLoad)\",\"Opcode\":\"Informations\",\"UtcTime\":\"2010-12-08 13:12:27.356\",\"ProcessGuid\":\"{c8188de9-7bbb-5fcf-0000-0010f7277203}\",\"Image\":\"C:\\\\Program Files\\\\WindowsApps\\\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\\\HxTsr.exe\",\"ImageLoaded\":\"C:\\\\Windows\\\\System32\\\\bcryptprimitives.dll\",\"FileVersion\":\"10.0.18362.836 (WinBuild.160101.0800)\",\"Description\":\"Windows Cryptographic 
Primitives Library\",\"Product\":\"Microsoft\u00c2\u00ae Windows\u00c2\u00ae Operating System\",\"Company\":\"Microsoft Corporation\",\"OriginalFileName\":\"bcryptprimitives.dll\",\"Hashes\":\"MD5=EF2BBEAFF07D32A2EC77FB4602FA9664,SHA256=6B47F3E88CDEDF8F31F91940E38A4544818C79D153323262F9F46B21F41D262C\",\"Signed\":\"true\",\"Signature\":\"Microsoft Windows\",\"SignatureStatus\":\"Valid\",\"EventReceivedTime\":\"2010-12-08 14:20:43\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "7", - "message": "Image loaded:\r\nRuleName: \r\nUtcTime: 2010-12-08 13:12:27.356\r\nProcessGuid: {c8188de9-7bbb-5fcf-0000-0010f7277203}\r\nProcessId: 10540\r\nImage: C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\HxTsr.exe\r\nImageLoaded: C:\\Windows\\System32\\bcryptprimitives.dll\r\nFileVersion: 10.0.18362.836 (WinBuild.160101.0800)\r\nDescription: Windows Cryptographic Primitives Library\r\nProduct: Microsoft\u00c2\u00ae Windows\u00c2\u00ae Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: bcryptprimitives.dll\r\nHashes: MD5=EF2BBEAFF07D32A2EC77FB4602FA9664,SHA256=6B47F3E88CDEDF8F31F91940E38A4544818C79D153323262F9F46B21F41D262C\r\nSigned: true\r\nSignature: Microsoft Windows\r\nSignatureStatus: Valid", "provider": "Microsoft-Windows-Sysmon", - "reason": "Windows Cryptographic Primitives Library" + "reason": "Windows Cryptographic Primitives Library", + "message": "Image loaded:\r\nRuleName: \r\nUtcTime: 2010-12-08 13:12:27.356\r\nProcessGuid: {c8188de9-7bbb-5fcf-0000-0010f7277203}\r\nProcessId: 10540\r\nImage: C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\HxTsr.exe\r\nImageLoaded: C:\\Windows\\System32\\bcryptprimitives.dll\r\nFileVersion: 10.0.18362.836 (WinBuild.160101.0800)\r\nDescription: Windows Cryptographic Primitives Library\r\nProduct: Microsoft\u00c2\u00ae Windows\u00c2\u00ae Operating 
System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: bcryptprimitives.dll\r\nHashes: MD5=EF2BBEAFF07D32A2EC77FB4602FA9664,SHA256=6B47F3E88CDEDF8F31F91940E38A4544818C79D153323262F9F46B21F41D262C\r\nSigned: true\r\nSignature: Microsoft Windows\r\nSignatureStatus: Valid" }, "@timestamp": "2010-12-08T13:12:27.356000Z", "action": { "record_id": 3035010, "type": "Microsoft-Windows-Sysmon/Operational", "id": 7, - "properties": [ - { - "Image": "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\hxtsr.exe", - "AccountName": "Syst\u00e8me", - "AccountType": "User", - "Domain": "AUTORITE NT", - "EventType": "INFO", - "ImageLoaded": "c:\\windows\\system32\\bcryptprimitives.dll", - "OpcodeValue": 0, - "ProcessGuid": "{c8188de9-7bbb-5fcf-0000-0010f7277203}", - "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", - "Severity": "INFO", - "Signature": "Microsoft Windows", - "SignatureStatus": "Valid", - "Signed": "true", - "Task": 7, - "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" - } - ], + "properties": { + "Image": "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\hxtsr.exe", + "AccountName": "Syst\u00e8me", + "AccountType": "User", + "Domain": "AUTORITE NT", + "EventType": "INFO", + "ImageLoaded": "c:\\windows\\system32\\bcryptprimitives.dll", + "OpcodeValue": 0, + "ProcessGuid": "{c8188de9-7bbb-5fcf-0000-0010f7277203}", + "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "Severity": "INFO", + "Signature": "Microsoft Windows", + "SignatureStatus": "Valid", + "Signed": "true", + "Task": 7, + "SourceName": "Microsoft-Windows-Sysmon", + "Keywords": "-9223372036854775808" + }, "name": "Image loaded" }, "log": { 
@@ -5796,35 +5688,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-12-11 16:45:08\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":8,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":2,\"Task\":8,\"OpcodeValue\":0,\"RecordNumber\":3697557,\"ProcessID\":9520,\"ThreadID\":10704,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"CreateRemoteThread detected:\\r\\nRuleName: \\r\\nUtcTime: 2010-12-11 15:45:08.062\\r\\nSourceProcessGuid: {c8188de9-704e-5fcf-0000-001073ed4903}\\r\\nSourceProcessId: 9808\\r\\nSourceImage: C:\\\\Windows\\\\System32\\\\VBoxTray.exe\\r\\nTargetProcessGuid: {c8188de9-702f-5fcf-0000-00101b084403}\\r\\nTargetProcessId: 10576\\r\\nTargetImage: C:\\\\Windows\\\\System32\\\\csrss.exe\\r\\nNewThreadId: 9368\\r\\nStartAddress: 0xFFFFCFBA48C52460\\r\\nStartModule: C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll\\r\\nStartFunction: LoadLibraryA\",\"Category\":\"CreateRemoteThread detected (rule: CreateRemoteThread)\",\"Opcode\":\"Informations\",\"UtcTime\":\"2010-12-11 15:45:08.062\",\"SourceProcessGuid\":\"{c8188de9-704e-5fcf-0000-001073ed4903}\",\"SourceProcessId\":\"9808\",\"SourceImage\":\"C:\\\\Windows\\\\System32\\\\VBoxTray.exe\",\"TargetProcessGuid\":\"{c8188de9-702f-5fcf-0000-00101b084403}\",\"TargetProcessId\":\"10576\",\"TargetImage\":\"C:\\\\Windows\\\\System32\\\\csrss.exe\",\"NewThreadId\":\"9368\",\"StartAddress\":\"0xFFFFCFBA48C52460\",\"EventReceivedTime\":\"2010-12-11 16:52:15\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "8", - "message": "CreateRemoteThread detected:\r\nRuleName: \r\nUtcTime: 2010-12-11 15:45:08.062\r\nSourceProcessGuid: 
{c8188de9-704e-5fcf-0000-001073ed4903}\r\nSourceProcessId: 9808\r\nSourceImage: C:\\Windows\\System32\\VBoxTray.exe\r\nTargetProcessGuid: {c8188de9-702f-5fcf-0000-00101b084403}\r\nTargetProcessId: 10576\r\nTargetImage: C:\\Windows\\System32\\csrss.exe\r\nNewThreadId: 9368\r\nStartAddress: 0xFFFFCFBA48C52460\r\nStartModule: C:\\Windows\\SYSTEM32\\ntdll.dll\r\nStartFunction: LoadLibraryA", - "provider": "Microsoft-Windows-Sysmon" + "provider": "Microsoft-Windows-Sysmon", + "message": "CreateRemoteThread detected:\r\nRuleName: \r\nUtcTime: 2010-12-11 15:45:08.062\r\nSourceProcessGuid: {c8188de9-704e-5fcf-0000-001073ed4903}\r\nSourceProcessId: 9808\r\nSourceImage: C:\\Windows\\System32\\VBoxTray.exe\r\nTargetProcessGuid: {c8188de9-702f-5fcf-0000-00101b084403}\r\nTargetProcessId: 10576\r\nTargetImage: C:\\Windows\\System32\\csrss.exe\r\nNewThreadId: 9368\r\nStartAddress: 0xFFFFCFBA48C52460\r\nStartModule: C:\\Windows\\SYSTEM32\\ntdll.dll\r\nStartFunction: LoadLibraryA" }, "@timestamp": "2010-12-11T15:45:08.062000Z", "action": { "record_id": 3697557, "type": "Microsoft-Windows-Sysmon/Operational", "id": 8, - "properties": [ - { - "AccountName": "Syst\u00e8me", - "AccountType": "User", - "Domain": "AUTORITE NT", - "EventType": "INFO", - "OpcodeValue": 0, - "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", - "Severity": "INFO", - "SourceImage": "c:\\windows\\system32\\vboxtray.exe", - "SourceProcessId": "9808", - "StartAddress": "0xFFFFCFBA48C52460", - "StartFunction": "LoadLibraryA", - "StartModule": "c:\\windows\\system32\\ntdll.dll", - "TargetImage": "c:\\windows\\system32\\csrss.exe", - "TargetProcessId": "10576", - "Task": 8, - "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" - } - ], + "properties": { + "AccountName": "Syst\u00e8me", + "AccountType": "User", + "Domain": "AUTORITE NT", + "EventType": "INFO", + "OpcodeValue": 0, + "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "Severity": "INFO", + "SourceImage": 
"c:\\windows\\system32\\vboxtray.exe", + "SourceProcessId": "9808", + "StartAddress": "0xFFFFCFBA48C52460", + "StartFunction": "LoadLibraryA", + "StartModule": "c:\\windows\\system32\\ntdll.dll", + "TargetImage": "c:\\windows\\system32\\csrss.exe", + "TargetProcessId": "10576", + "Task": 8, + "SourceName": "Microsoft-Windows-Sysmon", + "Keywords": "-9223372036854775808" + }, "name": "CreateRemoteThread" }, "log": { 
@@ -5875,31 +5765,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-12-17 15:52:55\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":9,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":2,\"Task\":9,\"OpcodeValue\":0,\"RecordNumber\":4797,\"ProcessID\":2704,\"ThreadID\":3916,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"RawAccessRead detected:\\r\\nRuleName: -\\r\\nUtcTime: 2010-12-17 14:52:55.449\\r\\nProcessGuid: {FC729081-70A2-5FDB-6701-000000000600}\\r\\nProcessId: 6428\\r\\nImage: C:\\\\Windows\\\\System32\\\\LogonUI.exe\\r\\nDevice: \\\\Device\\\\HarddiskVolume1\",\"Category\":\"RawAccessRead detected (rule: RawAccessRead)\",\"Opcode\":\"Info\",\"RuleName\":\"-\",\"UtcTime\":\"2010-12-17 14:52:55.449\",\"ProcessGuid\":\"{FC729081-70A2-5FDB-6701-000000000600}\",\"Image\":\"C:\\\\Windows\\\\System32\\\\LogonUI.exe\",\"Device\":\"\\\\Device\\\\HarddiskVolume1\",\"EventReceivedTime\":\"2010-12-17 15:52:56\",\"SourceModuleName\":\"eventlog4\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "9", - "message": "RawAccessRead detected:\r\nRuleName: -\r\nUtcTime: 2010-12-17 14:52:55.449\r\nProcessGuid: {FC729081-70A2-5FDB-6701-000000000600}\r\nProcessId: 6428\r\nImage: C:\\Windows\\System32\\LogonUI.exe\r\nDevice: \\Device\\HarddiskVolume1", - "provider": "Microsoft-Windows-Sysmon" + "provider": "Microsoft-Windows-Sysmon", + "message": "RawAccessRead detected:\r\nRuleName: -\r\nUtcTime: 2010-12-17 14:52:55.449\r\nProcessGuid: {FC729081-70A2-5FDB-6701-000000000600}\r\nProcessId: 6428\r\nImage: C:\\Windows\\System32\\LogonUI.exe\r\nDevice: \\Device\\HarddiskVolume1" }, "@timestamp": "2010-12-17T14:52:55.449000Z", 
"action": { "record_id": 4797, "type": "Microsoft-Windows-Sysmon/Operational", "id": 9, - "properties": [ - { - "Image": "c:\\windows\\system32\\logonui.exe", - "AccountName": "SYSTEM", - "AccountType": "User", - "Device": "\\Device\\HarddiskVolume1", - "Domain": "NT AUTHORITY", - "EventType": "INFO", - "OpcodeValue": 0, - "ProcessGuid": "{FC729081-70A2-5FDB-6701-000000000600}", - "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", - "Severity": "INFO", - "Task": 9, - "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" - } - ], + "properties": { + "Image": "c:\\windows\\system32\\logonui.exe", + "AccountName": "SYSTEM", + "AccountType": "User", + "Device": "\\Device\\HarddiskVolume1", + "Domain": "NT AUTHORITY", + "EventType": "INFO", + "OpcodeValue": 0, + "ProcessGuid": "{FC729081-70A2-5FDB-6701-000000000600}", + "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "Severity": "INFO", + "Task": 9, + "SourceName": "Microsoft-Windows-Sysmon", + "Keywords": "-9223372036854775808" + }, "name": "RawAccessRead" }, "log": { 
@@ -5950,28 +5838,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-07-29 15:24:16\",\"HOSTNAME\":\"USERNAME01.ACT.CORP.local\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4688,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":1,\"Task\":13312,\"OpcodeValue\":0,\"RecordNumber\":1284656143,\"ProcessID\":4,\"ThreadID\":92,\"Channel\":\"Security\",\"Message\":\"Un nouveau processus a \u00e9t\u00e9 cr\u00e9\u00e9.\\r\\n\\r\\nSujet :\\r\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-5-18\\r\\n\\tNom du compte :\\t\\tUSERNAME01$\\r\\n\\tDomaine du compte :\\t\\tACT\\r\\n\\tID d\u2019ouverture de session :\\t\\t0x3e7\\r\\n\\r\\nInformations sur le processus :\\r\\n\\tID du nouveau processus :\\t\\t0x32b4\\r\\n\\tNom du nouveau processus :\\tC:\\\\Windows\\\\System32\\\\qwinsta.exe\\r\\n\\tType d\u2019\u00e9l\u00e9vation du jeton :\\tType d\u2019\u00e9l\u00e9vation de jeton par d\u00e9faut (1)\\r\\n\\tID du processus cr\u00e9ateur :\\t0x2748\\r\\n\\tLigne de commande de processus :\\t\\r\\n\\r\\nLe type d\u2019\u00e9l\u00e9vation du jeton indique le type de jeton qui a \u00e9t\u00e9 attribu\u00e9 au nouveau processus conform\u00e9ment \u00e0 la strat\u00e9gie de contr\u00f4le du compte d\u2019utilisateur.\\r\\n\\r\\nLe type 1 est un jeton complet sans aucun privil\u00e8ge supprim\u00e9 ni aucun groupe d\u00e9sactiv\u00e9. Un jeton complet est uniquement utilis\u00e9 si le contr\u00f4le du compte d\u2019utilisateur est d\u00e9sactiv\u00e9, ou si l\u2019utilisateur est le compte d\u2019administrateur int\u00e9gr\u00e9 ou un compte de service.\\r\\n\\r\\nLe type 2 est un jeton aux droits \u00e9lev\u00e9s sans aucun privil\u00e8ge supprim\u00e9 ni aucun groupe d\u00e9sactiv\u00e9. 
Un jeton aux droits \u00e9lev\u00e9s est utilis\u00e9 lorsque le contr\u00f4le de compte d\u2019utilisateur est activ\u00e9 et que l\u2019utilisateur choisit de d\u00e9marrer le programme en tant qu\u2019administrateur. Un jeton aux droits \u00e9lev\u00e9s est \u00e9galement utilis\u00e9 lorsqu\u2019une application est configur\u00e9e pour toujours exiger un privil\u00e8ge administratif ou pour toujours exiger les privil\u00e8ges maximum, et que l\u2019utilisateur est membre du groupe Administrateurs.\\r\\n\\r\\nLe type 3 est un jeton limit\u00e9 dont les privil\u00e8ges administratifs sont supprim\u00e9s et les groupes administratifs d\u00e9sactiv\u00e9s. Le jeton limit\u00e9 est utilis\u00e9 lorsque le contr\u00f4le de compte d\u2019 utilisateur est activ\u00e9, que l\u2019application n\u2019exige pas le privil\u00e8ge administratif et que l\u2019utilisateur ne choisit pas de d\u00e9marrer le programme en tant qu\u2019administrateur.\",\"Category\":\"Cr\u00e9ation du processus\",\"Opcode\":\"Informations\",\"SubjectUserSid\":\"S-1-5-18\",\"SubjectUserName\":\"USERNAME01$\",\"SubjectDomainName\":\"ACT\",\"SubjectLogonId\":\"0x3e7\",\"NewProcessId\":\"0x32b4\",\"NewProcessName\":\"C:\\\\Windows\\\\System32\\\\qwinsta.exe\",\"TokenElevationType\":\"%%1936\",\"EventReceivedTime\":\"2010-07-29 15:24:18\",\"SourceModuleName\":\"eventlog3\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4688", - "message": "Un nouveau processus a \u00e9t\u00e9 cr\u00e9\u00e9.\r\n\r\nSujet :\r\n\tID de s\u00e9curit\u00e9 :\t\tS-1-5-18\r\n\tNom du compte :\t\tUSERNAME01$\r\n\tDomaine du compte :\t\tACT\r\n\tID d\u2019ouverture de session :\t\t0x3e7\r\n\r\nInformations sur le processus :\r\n\tID du nouveau processus :\t\t0x32b4\r\n\tNom du nouveau processus :\tC:\\Windows\\System32\\qwinsta.exe\r\n\tType d\u2019\u00e9l\u00e9vation du jeton :\tType d\u2019\u00e9l\u00e9vation de jeton par d\u00e9faut (1)\r\n\tID du processus cr\u00e9ateur :\t0x2748\r\n\tLigne de commande de 
processus :\t\r\n\r\nLe type d\u2019\u00e9l\u00e9vation du jeton indique le type de jeton qui a \u00e9t\u00e9 attribu\u00e9 au nouveau processus conform\u00e9ment \u00e0 la strat\u00e9gie de contr\u00f4le du compte d\u2019utilisateur.\r\n\r\nLe type 1 est un jeton complet sans aucun privil\u00e8ge supprim\u00e9 ni aucun groupe d\u00e9sactiv\u00e9. Un jeton complet est uniquement utilis\u00e9 si le contr\u00f4le du compte d\u2019utilisateur est d\u00e9sactiv\u00e9, ou si l\u2019utilisateur est le compte d\u2019administrateur int\u00e9gr\u00e9 ou un compte de service.\r\n\r\nLe type 2 est un jeton aux droits \u00e9lev\u00e9s sans aucun privil\u00e8ge supprim\u00e9 ni aucun groupe d\u00e9sactiv\u00e9. Un jeton aux droits \u00e9lev\u00e9s est utilis\u00e9 lorsque le contr\u00f4le de compte d\u2019utilisateur est activ\u00e9 et que l\u2019utilisateur choisit de d\u00e9marrer le programme en tant qu\u2019administrateur. Un jeton aux droits \u00e9lev\u00e9s est \u00e9galement utilis\u00e9 lorsqu\u2019une application est configur\u00e9e pour toujours exiger un privil\u00e8ge administratif ou pour toujours exiger les privil\u00e8ges maximum, et que l\u2019utilisateur est membre du groupe Administrateurs.\r\n\r\nLe type 3 est un jeton limit\u00e9 dont les privil\u00e8ges administratifs sont supprim\u00e9s et les groupes administratifs d\u00e9sactiv\u00e9s. 
Le jeton limit\u00e9 est utilis\u00e9 lorsque le contr\u00f4le de compte d\u2019 utilisateur est activ\u00e9, que l\u2019application n\u2019exige pas le privil\u00e8ge administratif et que l\u2019utilisateur ne choisit pas de d\u00e9marrer le programme en tant qu\u2019administrateur.", - "provider": "Microsoft-Windows-Security-Auditing" + "provider": "Microsoft-Windows-Security-Auditing", + "message": "Un nouveau processus a \u00e9t\u00e9 cr\u00e9\u00e9.\r\n\r\nSujet :\r\n\tID de s\u00e9curit\u00e9 :\t\tS-1-5-18\r\n\tNom du compte :\t\tUSERNAME01$\r\n\tDomaine du compte :\t\tACT\r\n\tID d\u2019ouverture de session :\t\t0x3e7\r\n\r\nInformations sur le processus :\r\n\tID du nouveau processus :\t\t0x32b4\r\n\tNom du nouveau processus :\tC:\\Windows\\System32\\qwinsta.exe\r\n\tType d\u2019\u00e9l\u00e9vation du jeton :\tType d\u2019\u00e9l\u00e9vation de jeton par d\u00e9faut (1)\r\n\tID du processus cr\u00e9ateur :\t0x2748\r\n\tLigne de commande de processus :\t\r\n\r\nLe type d\u2019\u00e9l\u00e9vation du jeton indique le type de jeton qui a \u00e9t\u00e9 attribu\u00e9 au nouveau processus conform\u00e9ment \u00e0 la strat\u00e9gie de contr\u00f4le du compte d\u2019utilisateur.\r\n\r\nLe type 1 est un jeton complet sans aucun privil\u00e8ge supprim\u00e9 ni aucun groupe d\u00e9sactiv\u00e9. Un jeton complet est uniquement utilis\u00e9 si le contr\u00f4le du compte d\u2019utilisateur est d\u00e9sactiv\u00e9, ou si l\u2019utilisateur est le compte d\u2019administrateur int\u00e9gr\u00e9 ou un compte de service.\r\n\r\nLe type 2 est un jeton aux droits \u00e9lev\u00e9s sans aucun privil\u00e8ge supprim\u00e9 ni aucun groupe d\u00e9sactiv\u00e9. Un jeton aux droits \u00e9lev\u00e9s est utilis\u00e9 lorsque le contr\u00f4le de compte d\u2019utilisateur est activ\u00e9 et que l\u2019utilisateur choisit de d\u00e9marrer le programme en tant qu\u2019administrateur. 
Un jeton aux droits \u00e9lev\u00e9s est \u00e9galement utilis\u00e9 lorsqu\u2019une application est configur\u00e9e pour toujours exiger un privil\u00e8ge administratif ou pour toujours exiger les privil\u00e8ges maximum, et que l\u2019utilisateur est membre du groupe Administrateurs.\r\n\r\nLe type 3 est un jeton limit\u00e9 dont les privil\u00e8ges administratifs sont supprim\u00e9s et les groupes administratifs d\u00e9sactiv\u00e9s. Le jeton limit\u00e9 est utilis\u00e9 lorsque le contr\u00f4le de compte d\u2019 utilisateur est activ\u00e9, que l\u2019application n\u2019exige pas le privil\u00e8ge administratif et que l\u2019utilisateur ne choisit pas de d\u00e9marrer le programme en tant qu\u2019administrateur." }, "action": { "record_id": 1284656143, "type": "Security", "id": 4688, - "properties": [ - { - "EventType": "AUDIT_SUCCESS", - "OpcodeValue": 0, - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "Severity": "INFO", - "SubjectDomainName": "ACT", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "USERNAME01$", - "SubjectUserSid": "S-1-5-18", - "Task": 13312, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" - } - ], + "properties": { + "EventType": "AUDIT_SUCCESS", + "OpcodeValue": 0, + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Severity": "INFO", + "SubjectDomainName": "ACT", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "USERNAME01$", + "SubjectUserSid": "S-1-5-18", + "Task": 13312, + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9214364837600034816" + }, "name": "A new process has been created", "outcome": "success" }, 
@@ -6015,28 +5901,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-08-05 16:21:20\",\"Hostname\":\"V-FOO\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4688,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":1,\"Task\":13312,\"OpcodeValue\":0,\"RecordNumber\":1132084818,\"ProcessID\":4,\"ThreadID\":88,\"Channel\":\"Security\",\"Message\":\"A new process has been created.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tV-FOO$\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0x3e7\\r\\n\\r\\nProcess Information:\\r\\n\\tNew Process ID:\\t\\t0x111c\\r\\n\\tNew Process Name:\\tC:\\\\Windows\\\\System32\\\\conhost.exe\\r\\n\\tToken Elevation Type:\\tTokenElevationTypeDefault (1)\\r\\n\\tCreator Process ID:\\t0x204\\r\\n\\tProcess Command Line:\\t\\r\\n\\r\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\\r\\n\\r\\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\r\\n\\r\\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\r\\n\\r\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.\",\"Category\":\"Process Creation\",\"Opcode\":\"Info\",\"SubjectUserSid\":\"S-1-5-18\",\"SubjectUserName\":\"V-FOO$\",\"SubjectDomainName\":\"KEY\",\"SubjectLogonId\":\"0x3e7\",\"NewProcessId\":\"0x111c\",\"NewProcessName\":\"C:\\\\Windows\\\\System32\\\\conhost.exe\",\"TokenElevationType\":\"%%1936\",\"EventReceivedTime\":\"2010-08-05 16:21:21\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4688", - "message": "A new process has been created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tV-FOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3e7\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x111c\r\n\tNew Process Name:\tC:\\Windows\\System32\\conhost.exe\r\n\tToken Elevation Type:\tTokenElevationTypeDefault (1)\r\n\tCreator Process ID:\t0x204\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.", - "provider": "Microsoft-Windows-Security-Auditing" + "provider": "Microsoft-Windows-Security-Auditing", + "message": "A new process has been created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tV-FOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3e7\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x111c\r\n\tNew Process Name:\tC:\\Windows\\System32\\conhost.exe\r\n\tToken Elevation Type:\tTokenElevationTypeDefault (1)\r\n\tCreator Process ID:\t0x204\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator." 
}, "action": { "record_id": 1132084818, "type": "Security", "id": 4688, - "properties": [ - { - "EventType": "AUDIT_SUCCESS", - "OpcodeValue": 0, - "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "Severity": "INFO", - "SubjectDomainName": "KEY", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "V-FOO$", - "SubjectUserSid": "S-1-5-18", - "Task": 13312, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" - } - ], + "properties": { + "EventType": "AUDIT_SUCCESS", + "OpcodeValue": 0, + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Severity": "INFO", + "SubjectDomainName": "KEY", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "V-FOO$", + "SubjectUserSid": "S-1-5-18", + "Task": 13312, + "SourceName": "Microsoft-Windows-Security-Auditing", + "Keywords": "-9214364837600034816" + }, "name": "A new process has been created", "outcome": "success" }, @@ -6097,11 +5981,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "family": "windows", "platform": "windows" }, - "action": { - "properties": [ - null - ] - }, "related": { "hosts": [ "mycorp.net" @@ -6123,7 +6002,6 @@ The following table lists the fields that are extracted, normalized under the EC | ---- | ---- | ---------------------------| |`@timestamp` | `date` | Date/time when the event originated. | |`action.id` | `number` | | -|`action.properties` | `array` | action.properties | |`action.properties.AccessList` | `keyword` | | |`action.properties.AccessMask` | `keyword` | | |`action.properties.AccessReason` | `keyword` | | diff --git a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md index 5e89fe0b45..f9a94f04ab 100644 --- a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md 
+++ b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md @@ -17,9 +17,9 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | -| Category | `file`, `iam`, `network` | -| Type | `change`, `info` | +| Kind | `alert`, `event` | +| Category | `authentication`, `email`, `file`, `iam`, `intrusion_detection`, `network` | +| Type | `access`, `change`, `info`, `start` | @@ -368,7 +368,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "user": { "name": "email@example.org", - "id": "10033FFF80D15ECF", + "id": "S-1-5-21-3620271904-3241272990-2175486473-1085344", "email": "email@example.org" }, "organization": { @@ -391,6 +391,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": 0, "name": "Regular" }, + "exchange": { + "mailbox_guid": "24683bc8-fab1-48b3-b834-cb11b95bb911" + }, "context": { "aad_session_id": "8ad3822b-1cfd-40e7-aeaa-6d0708691ad8" } @@ -467,7 +470,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "HardDelete", "kind": "event", - "code": "3" + "code": "3", + "category": [ + "email" + ], + "type": [ + "info" + ] }, "@timestamp": "2023-09-15T18:11:42Z", "service": { @@ -498,6 +507,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": 0, "name": "Regular" }, + "exchange": { + "email": { + "subjects": [ + "" + ], + "paths": [ + "\\Recoverable Items\\Deletions" + ] + } + }, "context": { "aad_session_id": "dcdad6b2-f279-48c6-9ed8-3df0ffde4ece" } 
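Review bot: `user.id` for Exchange records is now sourced inconsistently: this hunk (`@@ -368`) replaces the opaque key with the `LogonUserSid` value and `exchange_item_update.json` in hunk `@@ -515` does the same, but `exchange_item_group_2.json` in that hunk keeps `UserKey` (`"11111111111111"`) although its raw message also carries a `LogonUserSid`. A field that is sometimes a SID and sometimes a vendor key cannot be pivoted on reliably, and the selection rule is not visible in the diff. Pick one source field for `user.id` across the Exchange workload and state the rule in the parser, e.g. `# user.id: <source field> for Exchange records (see exchange_item_group_2 / exchange_item_update samples)`.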
@@ -515,6 +534,253 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "exchange_item_group_2.json" + + ```json + + { + "message": "{\"CreationTime\": \"2023-08-22T13:51:02\", \"Id\": \"5f24aa82-f874-44d1-b6df-857cd9e1decf\", \"Operation\": \"SoftDelete\", \"OrganizationId\": \"e1a908bd-8353-44e1-b957-5b8f1d90bde1\", \"RecordType\": 3, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"11111111111111\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"Exchange\", \"ClientIP\": \"1.2.3.4\", \"UserId\": \"john.doe@example.org\", \"ClientIPAddress\": \"1.2.3.4\", \"ClientInfoString\": \"Client=MSExchangeRPC\", \"ClientProcessName\": \"OUTLOOK.EXE\", \"ClientRequestId\": \"{037FD006-A72B-49AE-4BB0-08DBA30C8729}\", \"ClientVersion\": \"16.0.15601.20364\", \"ExternalAccess\": false, \"InternalLogonType\": 0, \"LogonType\": 0, \"LogonUserSid\": \"S-1-5-21-1111111111-2222222222-3333333333-4444444\", \"MailboxGuid\": \"8208550a-4001-439d-a9f6-e95d76767507\", \"MailboxOwnerSid\": \"S-1-5-21-1111111111-2222222222-3333333333-4444444\", \"MailboxOwnerUPN\": \"john.doe@example.org\", \"OrganizationName\": \"example.onmicrosoft.com\", \"OriginatingServer\": \"MYSERVER (15.20.4200.000)\\r\\n\", \"SessionId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"AffectedItems\": [{\"Attachments\": \"image006.png (6438b); image007.png (449b); image008.png (448b); image009.png (449b); image010.jpg (2443b); image011.png (6444b); image012.png (447b); image013.png (448b)\", \"Id\": \"333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333\", \"InternetMessageId\": \"<44444444444444444444444444444444444444@MYSERVER.USA2345.PROD.OUTLOOK.COM>\", \"ParentFolder\": {\"Id\": \"1111111111111111111111111111111111111111111111111111111111111111\", \"Path\": \"\\\\Draft\"}, \"Subject\": \"Re: HI\"}], \"CrossMailboxOperation\": false, \"Folder\": {\"Id\": \"2222222222222222222222222222222222222222222222222222222222222222\", \"Path\": 
\"\\\\Draft\"}}", + "event": { + "action": "SoftDelete", + "kind": "event", + "code": "3", + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "@timestamp": "2023-08-22T13:51:02Z", + "service": { + "name": "Exchange" + }, + "user": { + "name": "john.doe@example.org", + "id": "11111111111111", + "email": "john.doe@example.org" + }, + "organization": { + "id": "e1a908bd-8353-44e1-b957-5b8f1d90bde1" + }, + "action": { + "id": 3, + "name": "SoftDelete", + "target": "user", + "outcome": "success" + }, + "source": { + "ip": "1.2.3.4", + "address": "1.2.3.4" + }, + "office365": { + "record_type": 3, + "result_status": "Succeeded", + "user_type": { + "code": 0, + "name": "Regular" + }, + "exchange": { + "client_version": "16.0.15601.20364", + "email": { + "subjects": [ + "Re: HI" + ], + "paths": [ + "\\Draft" + ] + } + }, + "context": { + "aad_session_id": "77f6d9ce-da8f-46bf-a651-4bec3c189770" + } + }, + "process": { + "name": "OUTLOOK.EXE" + }, + "email": { + "attachments": [ + { + "file": { + "name": "image006.png", + "size": "6438" + } + }, + { + "file": { + "name": "image007.png", + "size": "449" + } + }, + { + "file": { + "name": "image008.png", + "size": "448" + } + }, + { + "file": { + "name": "image009.png", + "size": "449" + } + }, + { + "file": { + "name": "image010.jpg", + "size": "2443" + } + }, + { + "file": { + "name": "image011.png", + "size": "6444" + } + }, + { + "file": { + "name": "image012.png", + "size": "447" + } + }, + { + "file": { + "name": "image013.png", + "size": "448" + } + } + ] + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@example.org" + ] + } + } + + ``` + + +=== "exchange_item_update.json" + + ```json + + { + "message": "{\"CreationTime\": \"2023-08-22T13:49:36\", \"Id\": \"5f24aa82-f874-44d1-b6df-857cd9e1decf\", \"Operation\": \"Update\", \"OrganizationId\": \"e1a908bd-8353-44e1-b957-5b8f1d90bde1\", \"RecordType\": 2, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"1111111111111111\", \"UserType\": 0, 
\"Version\": 1, \"Workload\": \"Exchange\", \"ClientIP\": \"3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6\", \"UserId\": \"john.doe@example.org\", \"AppId\": \"037fd006-a72b-49ae-4bb0-08dba30c8729\", \"ClientAppId\": \"037fd006-a72b-49ae-4bb0-08dba30c8729\", \"ClientIPAddress\": \"2603:1026:c09:834::5\", \"ClientInfoString\": \"Client=REST;Client=RESTSystem;;\", \"ClientRequestId\": \"037fd006-a72b-49ae-4bb0-08dba30c8729\", \"ExternalAccess\": false, \"InternalLogonType\": 0, \"LogonType\": 0, \"LogonUserSid\": \"S-1-5-21-1111111111-2222222222-3333333333-4444444\", \"MailboxGuid\": \"8208550a-4001-439d-a9f6-e95d76767507\", \"MailboxOwnerSid\": \"S-1-5-21-1111111111-2222222222-3333333333-4444444\", \"MailboxOwnerUPN\": \"john.doe@example.org\", \"OrganizationName\": \"example.onmicrosoft.com\", \"OriginatingServer\": \"MYSERVER (15.20.4200.000)\\r\\n\", \"Item\": {\"Id\": \"333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333\", \"InternetMessageId\": \"<44444444444444444444444444444444444444@MYSERVER.USA2345.PROD.OUTLOOK.COM>\", \"ParentFolder\": {\"Id\": \"1111111111111111111111111111111111111111111111111111111111111111\", \"Path\": \"\\\\Draft\"}, \"SizeInBytes\": 70806, \"Subject\": \"HI\"}, \"ModifiedProperties\": [\"MapiEndTime\", \"MapiPREndDate\", \"TimeZone\", \"TimeZoneBlob\", \"TimeZoneDefinitionStart\", \"TimeZoneDefinitionEnd\", \"MapiStartTime\", \"MapiPRStartDate\", \"MapiIsAllDayEvent\", \"TimeZoneDefinitionRecurring\", \"AppointmentRecurring\", \"AttendeeCriticalChangeTime\", \"Location\", \"SendRichInfo\", \"PartnerNetworkUserId\", \"PartnerNetworkId\", \"SentRepresentingDisplayName\", \"SentRepresentingEmailAddress\", \"SentRepresentingType\", \"SentRepresentingEntryId\", \"SentRepresentingSmtpAddress\", \"SipUri\", \"SentRepresentingSID\", \"When\", \"BirthdayContactAttributionDisplayName\", \"BirthdayLocal\", \"ReceivedByName\", \"ReceivedByEmailAddress\", \"ReceivedByAddrType\", \"ReceivedByEntryId\", 
\"ReceivedBySmtpAddress\", \"AllAttachmentsHidden\", \"SenderDisplayName\", \"SenderEmailAddress\", \"SenderAddressType\", \"SenderEntryId\", \"SenderSmtpAddress\", \"SenderSID\", \"SentTime\", \"HtmlBody\", \"RtfBody\", \"TextBody\", \"DisplayName\", \"CreationTime\", \"MapiSubject\", \"NormalizedSubjectInternal\", \"SubjectPrefixInternal\", \"ItemClass\", \"ReplyForwardStatus\", \"ReceivedTime\", \"RecipientCollection\"]}", + "event": { + "action": "Update", + "kind": "event", + "code": "2", + "category": [ + "email", + "file" + ], + "type": [ + "info", + "change" + ] + }, + "@timestamp": "2023-08-22T13:49:36Z", + "service": { + "name": "Exchange" + }, + "user": { + "name": "john.doe@example.org", + "id": "S-1-5-21-1111111111-2222222222-3333333333-4444444", + "email": "john.doe@example.org" + }, + "organization": { + "id": "e1a908bd-8353-44e1-b957-5b8f1d90bde1" + }, + "action": { + "id": 2, + "name": "Update", + "target": "user", + "outcome": "success" + }, + "source": { + "ip": "3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6", + "address": "3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6" + }, + "office365": { + "record_type": 2, + "result_status": "Succeeded", + "user_type": { + "code": 0, + "name": "Regular" + }, + "exchange": { + "mailbox_guid": "8208550a-4001-439d-a9f6-e95d76767507", + "modified_properties": [ + "MapiEndTime", + "MapiPREndDate", + "TimeZone", + "TimeZoneBlob", + "TimeZoneDefinitionStart", + "TimeZoneDefinitionEnd", + "MapiStartTime", + "MapiPRStartDate", + "MapiIsAllDayEvent", + "TimeZoneDefinitionRecurring", + "AppointmentRecurring", + "AttendeeCriticalChangeTime", + "Location", + "SendRichInfo", + "PartnerNetworkUserId", + "PartnerNetworkId", + "SentRepresentingDisplayName", + "SentRepresentingEmailAddress", + "SentRepresentingType", + "SentRepresentingEntryId", + "SentRepresentingSmtpAddress", + "SipUri", + "SentRepresentingSID", + "When", + "BirthdayContactAttributionDisplayName", + "BirthdayLocal", + "ReceivedByName", + "ReceivedByEmailAddress", + 
"ReceivedByAddrType", + "ReceivedByEntryId", + "ReceivedBySmtpAddress", + "AllAttachmentsHidden", + "SenderDisplayName", + "SenderEmailAddress", + "SenderAddressType", + "SenderEntryId", + "SenderSmtpAddress", + "SenderSID", + "SentTime", + "HtmlBody", + "RtfBody", + "TextBody", + "DisplayName", + "CreationTime", + "MapiSubject", + "NormalizedSubjectInternal", + "SubjectPrefixInternal", + "ItemClass", + "ReplyForwardStatus", + "ReceivedTime", + "RecipientCollection" + ] + } + }, + "related": { + "ip": [ + "3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6" + ], + "user": [ + "john.doe@example.org" + ] + } + } + + ``` + + === "file_previewed.json" ```json @@ -574,7 +840,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "file": { "name": "MyDocument.docx", - "directory": "Documents" + "directory": "Documents", + "extension": "xlsx" }, "user_agent": { "original": "OneDriveMpc-Transform_Thumbnail/1.0", @@ -675,7 +942,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "file": { "name": "logo.png", - "directory": "public/assets/website" + "directory": "public/assets/website", + "extension": "png" }, "user_agent": { "original": "Microsoft SkyDriveSync 22.099.0508.0001 ship; Windows NT 10.0 (19043)", 
@@ -853,6 +1121,155 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "managed_sync.json" + + ```json + + { + "message": "{\"AppAccessContext\": {\"AADSessionId\": \"fbe7d318-3d7f-4645-9e03-caa46e2a8f01\", \"CorrelationId\": \"5f24aa82-f874-44d1-b6df-857cd9e1decf\", \"UniqueTokenId\": \"2222222222222222222222\"}, \"CreationTime\": \"2023-08-22T12:37:20\", \"Id\": \"037fd006-a72b-49ae-4bb0-08dba30c8729\", \"Operation\": \"ManagedSyncClientAllowed\", \"OrganizationId\": \"e1a908bd-8353-44e1-b957-5b8f1d90bde1\", \"RecordType\": 4, \"UserKey\": \"i:0h.f|membership|1111111111111111@live.com\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"SharePoint\", \"ClientIP\": \"1.2.3.4\", \"UserId\": \"john.doe@example.org\", \"AuthenticationType\": \"FormsCookieAuth\", \"BrowserName\": \"Edge\", \"BrowserVersion\": \"114.0.1823.79\", \"CorrelationId\": \"ec84154f-db9d-47cd-b1be-56d75cb8840e\", \"EventSource\": \"SharePoint\", \"IsManagedDevice\": false, \"ItemType\": \"DocumentLibrary\", \"Platform\": \"WinDesktop\", \"Site\": \"1435321e-2bbb-417d-b21c-533e3ec15f5f\", \"UserAgent\": \"Microsoft SkyDriveSync 23.101.0514.0004 ship; Windows NT 10.0 (19045)\", \"WebId\": \"50ad5578-0fa1-4285-9cde-1e4f067fb892\", \"DeviceDisplayName\": \"3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6\", \"MachineDomainInfo\": \"8208550a-4001-439d-a9f6-e95d76767507\", \"MachineId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\"}", + "event": { + "action": "ManagedSyncClientAllowed", + "kind": "event", + "code": "4", + "category": [ + "file" + ], + "type": [ + "access" + ] + }, + "@timestamp": "2023-08-22T12:37:20Z", + "service": { + "name": "SharePoint" + }, + "user": { + "name": "john.doe@example.org", + "id": "i:0h.f|membership|1111111111111111@live.com", + "email": "john.doe@example.org" + }, + "organization": { + "id": "e1a908bd-8353-44e1-b957-5b8f1d90bde1" + }, + "action": { + "id": 4, + "name": "ManagedSyncClientAllowed", + "target": "user", + "outcome": "success" + 
}, + "source": { + "ip": "1.2.3.4", + "address": "1.2.3.4" + }, + "office365": { + "record_type": 4, + "user_type": { + "code": 0, + "name": "Regular" + }, + "context": { + "aad_session_id": "fbe7d318-3d7f-4645-9e03-caa46e2a8f01", + "correlation": { + "id": "5f24aa82-f874-44d1-b6df-857cd9e1decf" + } + }, + "audit": { + "site": "1435321e-2bbb-417d-b21c-533e3ec15f5f", + "event_source": "SharePoint", + "item_type": "DocumentLibrary", + "platform": "WinDesktop" + } + }, + "user_agent": { + "original": "Microsoft SkyDriveSync 23.101.0514.0004 ship; Windows NT 10.0 (19045)", + "device": { + "name": "Other" + }, + "name": "Microsoft SkyDriveSync", + "version": "23.101.0514", + "os": { + "name": "Windows", + "version": "10" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@example.org" + ] + } + } + + ``` + + +=== "mcas_alert.json" + + ```json + + { + "message": "{\"Applications\": [{\"Name\": \"Microsoft SharePoint Online\"}], \"AlertCategory\": \"ANOMALY_DETECTION\", \"AlertDisplayName\": \"Impossible travel activity\", \"AlertDescription\": \"The user JOHN DOE (john.doe@example.org) was involved in an impossible travel\\n incident. The user connected from two countries within 10 minutes, from these IP addresses: Belgium\\n (3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6) and France (1.2.3.4). 
If any of these IP addresses are used by the\\n organization for VPN connections and do not necessarily represent a physical location, we recommend categorizing them as\\n VPN in the IP Address range page in Microsoft Defender for Cloud Apps portal to avoid false alerts.\", \"AlertSeverity\": \"Medium\", \"AssignedTo\": null, \"LastUpdatedTime\": \"2023-04-19T12:24:16\", \"ActivityStartTime\": \"2023-04-19T12:07:08\", \"ItemCount\": 0, \"AlertUri\": \"https://example.portal.cloudappsecurity.com/#/alerts/111111111111111111111111\", \"ClientIPs\": [\"3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6\", \"1.2.3.4\"], \"ObjectId\": \"643fdd70e8ff3e15bba6dfd8\", \"UserId\": \"john.doe@example.org\", \"Id\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"RecordType\": 98, \"CreationTime\": \"2023-04-19T12:24:16\", \"Operation\": \"MCAS_ALERT_ANUBIS_DETECTION_VELOCITY\", \"OrganizationId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"UserType\": 0, \"UserKey\": \"john.doe@example.org\", \"Workload\": \"MCAS\", \"ResultStatus\": \"New\", \"Version\": 1}", + "event": { + "action": "MCAS_ALERT_ANUBIS_DETECTION_VELOCITY", + "kind": "alert", + "code": "98", + "category": [ + "intrusion_detection" + ], + "type": [ + "info" + ] + }, + "@timestamp": "2023-04-19T12:24:16Z", + "service": { + "name": "MCAS" + }, + "user": { + "name": "john.doe@example.org", + "id": "john.doe@example.org", + "email": "john.doe@example.org" + }, + "organization": { + "id": "77f6d9ce-da8f-46bf-a651-4bec3c189770" + }, + "action": { + "id": 98, + "name": "MCAS_ALERT_ANUBIS_DETECTION_VELOCITY", + "target": "user", + "outcome": "success" + }, + "office365": { + "record_type": 98, + "result_status": "New", + "user_type": { + "code": 0, + "name": "Regular" + }, + "audit": { + "object_id": "643fdd70e8ff3e15bba6dfd8" + }, + "alert": { + "category": "ANOMALY_DETECTION", + "display_name": "Impossible travel activity", + "description": "The user JOHN DOE (john.doe@example.org) was involved in an impossible travel\n incident. 
The user connected from two countries within 10 minutes, from these IP addresses: Belgium\n (3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6) and France (1.2.3.4). If any of these IP addresses are used by the\n organization for VPN connections and do not necessarily represent a physical location, we recommend categorizing them as\n VPN in the IP Address range page in Microsoft Defender for Cloud Apps portal to avoid false alerts.", + "severity": "Medium", + "client_ips": [ + "3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6", + "1.2.3.4" + ] + } + }, + "related": { + "user": [ + "john.doe@example.org" + ] + } + } + + ``` + + === "microsoft_defender_threatintelligence_atp.json" ```json @@ -892,10 +1309,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. "defender": { "detection": { "method": "AntiMalware" - } + }, + "malware_family": "iPhoneOS/Vortex.C" + } + }, + "file": { + "name": "malware", + "hash": { + "sha256": "SnltYq0lbVwFlAIf+lQugPXaMcDNV9t9pN/Zkhx7hQ8=" } }, + "url": { + "original": "https://example.sharepoint.com/personal/people_example_org/Documents/malware", + "domain": "example.sharepoint.com", + "top_level_domain": "com", + "subdomain": "example", + "registered_domain": "sharepoint.com", + "path": "/personal/people_example_org/Documents/malware", + "scheme": "https", + "port": 443 + }, "related": { + "hash": [ + "SnltYq0lbVwFlAIf+lQugPXaMcDNV9t9pN/Zkhx7hQ8=" + ], "user": [ "people@example.org" ] 
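Review bot: In `mcas_alert.json` the two client IPs from `ClientIPs` end up only under `office365.alert.client_ips`; `related.ip` is absent, while every other sample in this change that carries an IP populates it (`managed_sync.json` in the same hunk, `exchange_item_group_2.json`). Pivots and detection rules keyed on `related.ip` therefore miss impossible-travel alerts, which are precisely the events one wants to correlate by address. Copy the `ClientIPs` values into `related.ip`, e.g. `"related": {"ip": ["3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6", "1.2.3.4"], "user": ["john.doe@example.org"]}`. Separately, `action.outcome` is `"success"` although the raw `ResultStatus` is `"New"`, which reads as an alert workflow state rather than an outcome; if that is a parser default for alert records it deserves a comment.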
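Review bot: `file.hash.sha256` and `related.hash` in hunk `@@ -892` are filled with the base64 form of the digest (`SnltYq0lbVwFlAIf+lQugPXaMcDNV9t9pN/Zkhx7hQ8=`, 44 characters with `=` padding), whereas ECS hash fields and hash-based indicator matching conventionally use lowercase hex. A hex IoC list will never match this value, so the `related.hash` enrichment is silently ineffective. The same applies to `threat_intel.json` in hunk `@@ -1181`. If the source only provides base64, decode and hex-encode at parse time (a decoded length of 32 bytes confirms SHA-256) and keep the original string under a vendor-specific `office365.*` field if it is still needed for portal lookups.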
@@ -1098,6 +1535,71 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "security_compliance_alert.json" + + ```json + + { + "message": "{\"CreationTime\": \"2023-08-31T07:24:24\", \"Id\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"Operation\": \"AlertTriggered\", \"OrganizationId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"RecordType\": 40, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"SecurityComplianceAlerts\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"SecurityComplianceCenter\", \"ObjectId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"UserId\": \"SecurityComplianceAlerts\", \"AlertId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"AlertLinks\": [{\"AlertLinkHref\": \"\"}], \"AlertType\": \"System\", \"Category\": \"ThreatManagement\", \"Comments\": \"New alert\", \"Data\": \"{\\\"ts\\\":\\\"2023-08-31T07:23:13.0000000Z\\\",\\\"te\\\":\\\"2023-08-31T07:23:13.0000000Z\\\",\\\"tid\\\":\\\"77f6d9ce-da8f-46bf-a651-4bec3c189770\\\",\\\"tdc\\\":\\\"1\\\",\\\"af\\\":\\\"0\\\",\\\"tht\\\":\\\"Phish,\\n\\nMalicious\\\",\\\"als\\\":\\\"Protection\\\",\\\"op\\\":\\\"Protection\\\",\\\"wsrt\\\":\\\"0001-01-01T00:00:00\\\",\\\"mdt\\\":\\\"u\\\",\\\"rid\\\":\\\"77f6d9ce-da8f-46bf-a651-4bec3c189770\\\",\\\"cid\\\":\\\"77f6d9ce-da8f-46bf-a651-4bec3c189770\\\",\\\"ad\\\":\\\"This\\nalert fires when message containing phish was delivered due to an ETR override. 
\\n-V1.0.0.5\\\",\\\"lon\\\":\\\"Protection\\\",\\\"an\\\":\\\"Phish delivered due to an ETR override\\\",\\\"sev\\\":\\\"Informational\\\"}\", \"Name\": \"Phish delivered due to an ETR override\", \"PolicyId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"Severity\": \"Informational\", \"Source\": \"Office 365 Security & Compliance\", \"Status\": \"Active\"}", + "event": { + "action": "AlertTriggered", + "kind": "alert", + "code": "40", + "category": [ + "intrusion_detection" + ], + "type": [ + "info" + ] + }, + "@timestamp": "2023-08-31T07:24:24Z", + "service": { + "name": "SecurityComplianceCenter" + }, + "user": { + "name": "SecurityComplianceAlerts", + "id": "SecurityComplianceAlerts" + }, + "organization": { + "id": "77f6d9ce-da8f-46bf-a651-4bec3c189770" + }, + "action": { + "id": 40, + "name": "AlertTriggered", + "target": "user", + "outcome": "success" + }, + "office365": { + "record_type": 40, + "result_status": "Succeeded", + "user_type": { + "code": 4, + "name": "System" + }, + "audit": { + "object_id": "77f6d9ce-da8f-46bf-a651-4bec3c189770" + }, + "alert": { + "category": "ThreatManagement", + "display_name": "Phish delivered due to an ETR override", + "severity": "Informational", + "source": "Office 365 Security & Compliance", + "status": "Active" + } + }, + "rule": { + "id": "77f6d9ce-da8f-46bf-a651-4bec3c189770" + }, + "related": { + "user": [ + "SecurityComplianceAlerts" + ] + } + } + + ``` + + === "teams_message_has_link.json" ```json 
@@ -1181,6 +1683,78 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "threat_intel.json" + + ```json + + { + "message": "{\"CreationTime\": \"2023-08-30T20:49:04\", \"Id\": \"f872f447-2417-492a-d462-08dba99a7777\", \"Operation\": \"AtpDetection\", \"OrganizationId\": \"4720ed5e-c545-46eb-99a5-958dd3337777\", \"RecordType\": 47, \"UserKey\": \"ThreatIntel\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"ThreatIntelligence\", \"UserId\": \"user@user.com\", \"DetectionDate\": \"2023-08-30T20:48:08\", \"DetectionMethod\": \"AntiMalware\", \"EventDeepLink\": \"https://security.mamamia.com/threatexplorer?dltarget=Explorer&dlstorage=Url&viewid=MalwareContent&starttime=2023-07-30T23:59:59.002Z&endtime=2023-09-01T23:59:59.002Z&query-Id=f872f447-2417-492a-d462-08dba99a7777\", \"FileData\": {\"DocumentId\": \"f773238b-ef02-41f4-94db-bbd7d5167777\", \"FileName\": \"file.exe\", \"FilePath\": \"https://user-my.sharepoint.com/personal/user_user_com/Documents/blabla .exe\", \"FileSize\": \"9670017\", \"FileVerdict\": 1, \"MalwareFamily\": \"Malicious Payload\", \"SHA256\": \"G2RPEZx++scsgqDs6wo6GyZpJuWbzRj0iPDSaGE7777=\"}}", + "event": { + "action": "AtpDetection", + "kind": "event", + "code": "47", + "url": "https://security.mamamia.com/threatexplorer?dltarget=Explorer&dlstorage=Url&viewid=MalwareContent&starttime=2023-07-30T23:59:59.002Z&endtime=2023-09-01T23:59:59.002Z&query-Id=f872f447-2417-492a-d462-08dba99a7777" + }, + "@timestamp": "2023-08-30T20:49:04Z", + "service": { + "name": "ThreatIntelligence" + }, + "user": { + "name": "user@user.com", + "id": "ThreatIntel", + "email": "user@user.com" + }, + "organization": { + "id": "4720ed5e-c545-46eb-99a5-958dd3337777" + }, + "action": { + "id": 47, + "name": "AtpDetection", + "target": "user", + "outcome": "success" + }, + "office365": { + "record_type": 47, + "user_type": { + "code": 4, + "name": "System" + }, + "defender": { + "detection": { + "method": "AntiMalware" + }, + 
"malware_family": "Malicious Payload" + } + }, + "file": { + "name": "file.exe", + "hash": { + "sha256": "G2RPEZx++scsgqDs6wo6GyZpJuWbzRj0iPDSaGE7777=" + } + }, + "url": { + "original": "https://user-my.sharepoint.com/personal/user_user_com/Documents/blabla .exe", + "domain": "user-my.sharepoint.com", + "top_level_domain": "com", + "subdomain": "user-my", + "registered_domain": "sharepoint.com", + "path": "/personal/user_user_com/Documents/blabla .exe", + "scheme": "https", + "port": 443 + }, + "related": { + "hash": [ + "G2RPEZx++scsgqDs6wo6GyZpJuWbzRj0iPDSaGE7777=" + ], + "user": [ + "user@user.com" + ] + } + } + + ``` + + === "update_group.json" ```json 
@@ -1441,6 +2015,104 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "user_logged_in_2.json" + + ```json + + { + "message": "{\"CreationTime\": \"2023-05-02T18:02:13\", \"Id\": \"5f24aa82-f874-44d1-b6df-857cd9e1decf\", \"Operation\": \"UserLoggedIn\", \"OrganizationId\": \"e1a908bd-8353-44e1-b957-5b8f1d90bde1\", \"RecordType\": 15, \"ResultStatus\": \"Success\", \"UserKey\": \"1111111111111111\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"AzureActiveDirectory\", \"ClientIP\": \"1.2.3.4\", \"ObjectId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"UserId\": \"john.doe@example.org\", \"AzureActiveDirectoryEventType\": 1, \"ExtendedProperties\": [{\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}], \"ModifiedProperties\": [], \"Actor\": [{\"ID\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"Type\": 0}, {\"ID\": \"john.doe@example.org\", \"Type\": 5}], \"ActorContextId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"ActorIpAddress\": \"1.2.3.4\", \"InterSystemsId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"IntraSystemId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"SupportTicketId\": \"\", \"Target\": [{\"ID\": \"00000003-0000-0ff1-ce00-000000000000\", \"Type\": 0}], \"TargetContextId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"ApplicationId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"DeviceProperties\": [{\"Name\": \"Id\", \"Value\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\"}, {\"Name\": \"DisplayName\", \"Value\": \"displayname\"}, {\"Name\": \"OS\", \"Value\": \"Windows 10\"}, {\"Name\": \"BrowserType\", \"Value\": \"Firefox\"}, {\"Name\": \"IsCompliant\", \"Value\": \"True\"}, {\"Name\": \"IsCompliantAndManaged\", \"Value\": \"True\"}, {\"Name\": \"TrustType\", \"Value\": \"2\"}, {\"Name\": \"SessionId\", \"Value\": 
\"77f6d9ce-da8f-46bf-a651-4bec3c189770\"}], \"ErrorNumber\": \"0\"}", + "event": { + "action": "UserLoggedIn", + "kind": "event", + "code": "15", + "category": [ + "authentication" + ], + "type": [ + "start" + ] + }, + "@timestamp": "2023-05-02T18:02:13Z", + "service": { + "name": "AzureActiveDirectory" + }, + "user": { + "name": "john.doe@example.org", + "id": "1111111111111111", + "email": "john.doe@example.org" + }, + "organization": { + "id": "e1a908bd-8353-44e1-b957-5b8f1d90bde1" + }, + "action": { + "id": 15, + "name": "UserLoggedIn", + "target": "network-traffic", + "outcome": "success" + }, + "source": { + "ip": "1.2.3.4", + "address": "1.2.3.4" + }, + "office365": { + "record_type": 15, + "result_status": "Success", + "user_type": { + "code": 0, + "name": "Regular" + }, + "audit": { + "object_id": "77f6d9ce-da8f-46bf-a651-4bec3c189770" + }, + "error_number": 0, + "device": { + "id": "77f6d9ce-da8f-46bf-a651-4bec3c189770", + "is_compliant": true, + "is_compliant_and_managed": true, + "trust_type": 2 + }, + "auth": { + "request_type": "OAuth2:Authorize", + "result_status_detail": "Redirect" + }, + "context": { + "correlation": { + "id": "77f6d9ce-da8f-46bf-a651-4bec3c189770" + }, + "aad_session_id": "77f6d9ce-da8f-46bf-a651-4bec3c189770" + } + }, + "host": { + "os": { + "full": "Windows 10" + }, + "name": "displayname" + }, + "user_agent": { + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0", + "device": { + "name": "Other" + }, + "name": "Firefox", + "version": "102.0", + "os": { + "name": "Windows", + "version": "10" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@example.org" + ] + } + } + + ``` + + === "user_login_failed.json" ```json 
@@ -1492,16 +2164,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "logon_error": "AuthenticationFailedSasError", "error_number": 500121, + "device": { + "is_compliant_and_managed": false + }, "auth": { "user_authentication_method": 1, "request_type": "SAS:EndAuth", "result_status_detail": "Success" }, "context": { - "aad_session_id": "b3a9b2b4-57c9-406b-9a2d-106b7f612248", "correlation": { "id": "d48e6ea0-40c1-5000-5eba-0ee33d13b1ca" - } + }, + "aad_session_id": "b3a9b2b4-57c9-406b-9a2d-106b7f612248" + } + }, + "host": { + "os": { + "full": "Windows 10" } }, "user_agent": { 
@@ -1559,12 +2239,26 @@ The following table lists the fields that are extracted, normalized under the EC |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`event.url` | `keyword` | Event investigation URL | |`file.directory` | `keyword` | Directory where the file is located. | +|`file.extension` | `keyword` | File extension, excluding the leading dot. | +|`file.hash.sha256` | `keyword` | SHA256 hash. | |`file.name` | `keyword` | Name of the file including the extension, without the directory. | |`host.name` | `keyword` | Name of the host. | +|`host.os.full` | `keyword` | Operating system name, including the version or code name. | |`log.level` | `keyword` | Log level of the log event. | +|`office365.alert.category` | `keyword` | | +|`office365.alert.client_ips` | `array` | | +|`office365.alert.description` | `keyword` | | +|`office365.alert.display_name` | `keyword` | | +|`office365.alert.severity` | `keyword` | | +|`office365.alert.source` | `keyword` | | +|`office365.alert.status` | `keyword` | | +|`office365.audit.event_source` | `keyword` | | +|`office365.audit.item_type` | `keyword` | | |`office365.audit.object_id` | `keyword` | For Exchange admin audit logging, the name of the object that was modified by the cmdlet. For SharePoint activity, the full URL path name of the file or folder accessed by a user. For Azure AD activity, the name of the user account that was modified. 
| +|`office365.audit.platform` | `keyword` | | +|`office365.audit.site` | `keyword` | | |`office365.auth.keep_me_signed_in` | `boolean` | User KeepMeSignedIn choice | -|`office365.auth.request_type` | `keyword` | Authentifcation type | +|`office365.auth.request_type` | `keyword` | Authentication type | |`office365.auth.result_status_detail` | `keyword` | Authentication result detail | |`office365.auth.user_authentication_method` | `long` | User authentication method | |`office365.context.aad_session_id` | `keyword` | The identifier of an Azure Active Directory session | @@ -1584,8 +2278,18 @@ The following table lists the fields that are extracted, normalized under the EC |`office365.defender.email.delivery.original_location` | `keyword` | The original location delivery of the email | |`office365.defender.email.verdict.confidence` | `keyword` | The confidence in the verdict | |`office365.defender.email.verdict.reason` | `keyword` | The verdict about the messahe | +|`office365.defender.malware_family` | `keyword` | | |`office365.defender.system_overrides` | `array` | Overrides that are applicable to the email | +|`office365.device.id` | `keyword` | | +|`office365.device.is_compliant` | `boolean` | | +|`office365.device.is_compliant_and_managed` | `boolean` | | +|`office365.device.trust_type` | `long` | | |`office365.error_number` | `long` | Error number | +|`office365.exchange.client_version` | `keyword` | | +|`office365.exchange.email.paths` | `array` | | +|`office365.exchange.email.subjects` | `array` | A list of email subjects | +|`office365.exchange.mailbox_guid` | `keyword` | | +|`office365.exchange.modified_properties` | `array` | | |`office365.exchange_admin.parameters` | `array` | The parameters that were used with the cmdlet that is identified in the event.action field | |`office365.investigation.alert.category` | `keyword` | Investigation alert category | |`office365.investigation.alert.correlation_key` | `keyword` | Investigation alert correlation key | 
@@ -1625,7 +2329,9 @@ The following table lists the fields that are extracted, normalized under the EC |`office365.virus_info` | `keyword` | VirusInfo | |`office365.virus_vendor` | `keyword` | VirusVendor | |`organization.id` | `keyword` | Unique identifier for the organization. | +|`process.name` | `keyword` | Process name. | |`rule.category` | `keyword` | Rule category | +|`rule.id` | `keyword` | Rule ID | |`rule.name` | `keyword` | Rule name | |`service.name` | `keyword` | Name of the service. | |`source.ip` | `ip` | IP address of the source. |