diff --git a/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md b/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md index 6877ad4158..019901077f 100644 --- a/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md +++ b/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md 
@@ -15,7 +15,232 @@ The following table lists the data source offered by this integration. +In details, the following table denotes the type of events produced by this integration. +| Name | Values | +| ---- | ------ | +| Kind | `event` | +| Category | `network` | +| Type | `` | + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "test_begin.json" + + ```json + + { + "message": "{\"flow_state\": \"begin\",\"resourceId\":\"/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG\",\"macAddress\":\"DB831EFEC376\",\"flow.0\":\"1493763938,1.2.3.4,5.6.7.8,35370,23,T,I,A,B,,,,\",\"rule\":\"DefaultRule_AllowVnetOutBound\",\"operationName\":\"NetworkSecurityGroupFlowEvents\",\"time\":\"2020-12-14T22:16:46.3528160Z\",\"version\":\"2\"}", + "event": { + "kind": "event", + "category": [ + "network" + ], + "code": "NetworkSecurityGroupFlowEvents", + "action": "accept", + "type": [ + "allowed" + ] + }, + "rule": { + "name": "DefaultRule_AllowVnetOutBound" + }, + "action": { + "type": "DefaultRule_AllowVnetOutBound", + "target": "network-traffic", + "properties": [ + { + "OperationName": "NetworkSecurityGroupFlowEvents", + "FlowState": "begin", + "Version": "2" + } + ], + "name": "accept" + }, + "host": { + "name": "/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG" + }, + "network": { + "transport": "tcp", + "direction": "inbound" + }, + "source": { + "ip": "1.2.3.4", + "port": 35370, + "mac": "DB831EFEC376", + "address": "1.2.3.4" + }, + "destination": { + "ip": "5.6.7.8", + "port": 23, + "address": "5.6.7.8" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + } + } + + ``` + + +=== "test_end.json" + + ```json + + { + "message": "{\"flow_state\": \"end\", 
\"resourceId\":\"/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG\",\"macAddress\":\"DB831EFEC376\",\"flow.0\":\"1607984156,1.2.3.4,5.6.7.8,36422,8086,T,O,A,E,1,74,1,74\",\"rule\":\"DefaultRule_AllowVnetOutBound\",\"operationName\":\"NetworkSecurityGroupFlowEvents\",\"time\":\"2020-12-14T22:16:46.3528160Z\",\"version\":\"2\"}", + "event": { + "kind": "event", + "category": [ + "network" + ], + "code": "NetworkSecurityGroupFlowEvents", + "action": "accept", + "type": [ + "allowed" + ] + }, + "rule": { + "name": "DefaultRule_AllowVnetOutBound" + }, + "action": { + "type": "DefaultRule_AllowVnetOutBound", + "target": "network-traffic", + "properties": [ + { + "OperationName": "NetworkSecurityGroupFlowEvents", + "FlowState": "end", + "Version": "2" + } + ], + "name": "accept" + }, + "host": { + "name": "/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG" + }, + "network": { + "transport": "tcp", + "direction": "outbound" + }, + "source": { + "ip": "1.2.3.4", + "port": 36422, + "packets": 1, + "bytes": 74, + "mac": "DB831EFEC376", + "address": "1.2.3.4" + }, + "destination": { + "ip": "5.6.7.8", + "port": 8086, + "packets": 1, + "bytes": 74, + "address": "5.6.7.8" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + } + } + + ``` + + +=== "test_short.json" + + ```json + + { + "message": "{\"flow_state\": \"begin\", \"source_addr\": \"1.3.4.2\", \"macAddress\": \"DB831EFEC376\", \"operationName\": \"NetworkSecurityGroupFlowEvents\", \"resourceId\": \"/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG\", \"time\": \"2021-03-24T10:55:03.0680749Z\", \"rule\": \"DefaultRule_AllowInternetOutBound\", \"flow.0\": \"1616583277,1.2.3.4,5.6.7.8,55486,443,T,O,A\"}", + "event": { + "kind": "event", + "category": [ + 
"network" + ], + "code": "NetworkSecurityGroupFlowEvents", + "action": "accept", + "type": [ + "allowed" + ] + }, + "rule": { + "name": "DefaultRule_AllowInternetOutBound" + }, + "action": { + "type": "DefaultRule_AllowInternetOutBound", + "target": "network-traffic", + "properties": [ + { + "OperationName": "NetworkSecurityGroupFlowEvents", + "FlowState": "begin" + } + ], + "name": "accept" + }, + "host": { + "name": "/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG" + }, + "network": { + "transport": "tcp", + "direction": "inbound" + }, + "source": { + "ip": "1.3.4.2", + "port": 55486, + "mac": "DB831EFEC376", + "address": "1.3.4.2" + }, + "destination": { + "ip": "5.6.7.8", + "port": 443, + "address": "5.6.7.8" + }, + "related": { + "ip": [ + "1.3.4.2", + "5.6.7.8" + ] + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`action.properties` | `array` | action.properties | +|`action.target` | `keyword` | The target of the action | +|`destination.bytes` | `long` | Bytes sent from the destination to the source. | +|`destination.ip` | `ip` | IP address of the destination. | +|`destination.packets` | `long` | Packets sent from the destination to the source. | +|`destination.port` | `long` | Port of the destination. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.code` | `keyword` | Identification code for this event. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`host.name` | `keyword` | Name of the host. 
| +|`rule.name` | `keyword` | Rule name | +|`source.bytes` | `long` | Bytes sent from the source to the destination. | +|`source.ip` | `ip` | IP address of the source. | +|`source.mac` | `keyword` | MAC address of the source. | +|`source.packets` | `long` | Packets sent from the source to the destination. | +|`source.port` | `long` | Port of the source. | + diff --git a/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md b/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md index 8fa1fc824a..ca8427be9b 100644 --- a/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md +++ b/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md 
@@ -672,6 +672,69 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "json_post.json" + + ```json + + { + "message": "8.8.8.8 - - [15/Nov/2023:12:49:15 +0100] \"POST /path/to/url HTTP/1.1\" 200 6390 \"https://example.of.address/12345\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/1.0.0.0 Safari/537.36 Edg/1.0.0.0\" 0.239 0.223 .", + "event": { + "category": [ + "web" + ], + "dataset": "access", + "kind": "event", + "type": [ + "access" + ] + }, + "@timestamp": "2023-11-15T11:49:15Z", + "http": { + "request": { + "method": "POST", + "referrer": "https://example.of.address/12345" + }, + "response": { + "bytes": 6390, + "status_code": 200 + }, + "version": "1.1" + }, + "observer": { + "product": "nginx", + "type": "WEB server", + "vendor": "F5" + }, + "related": { + "ip": [ + "8.8.8.8" + ] + }, + "source": { + "address": "8.8.8.8", + "ip": "8.8.8.8" + }, + "url": { + "original": "/path/to/url", + "path": "/path/to/url" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Edge", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/1.0.0.0 Safari/537.36 Edg/1.0.0.0", + "os": { + "name": "Windows", + "version": "10" + }, + "version": "1.0.0" + } + } + + ``` + + diff --git a/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md b/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md index e2d06fa7a5..6cd5759ee4 100644 --- a/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md +++ b/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md 
@@ -43,6 +43,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "5156", "hash": "0ea8852922910c8bceeaff4bd0d18c79c045b2d5", "kind": "event", + "module": "security", "original": "The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t1.1.1.1\n\tSource Port:\t\t58499\n\tDestination Address:\t192.168.240.196\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\tInterface Index:\t\t9\n\nFilter Information:\n\tFilter Origin:\t\tUnknown\n\tFilter Run-Time ID:\t71694\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44\n\tRemote User ID:\t\tS-1-0-0\n\tRemote Machine ID:\tS-1-0-0" }, "@timestamp": "2023-01-31T18:02:52.597000Z", 
@@ -137,6 +138,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "4624", "hash": "009b8a99fa360981d2f0407a8513d7742fc6a311", "kind": "event", + "module": "security", "original": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-776561741-920026266-725345543-12737\n\tAccount Name:\t\tFOO-FARM-ADMIN\n\tAccount Domain:\t\tFOOBAR.NET\n\tLogon ID:\t\t0x2374A6A43\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{FBEAEF6D-F1DA-F8AD-A2B2-A3A9AAC706AD}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "type": [ "start" @@ -241,6 +243,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "keywords": [ "Audit Success" ], + "logon": { + "id": "0x0", + "type": "Network" + }, "opcode": "Info", "process": { "pid": 756, 
@@ -760,51 +766,1442 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": { "id": 13, "properties": { - "Details": "Binary Data", - "EventType": "SetValue", - "TargetObject": "target\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-2-3-4-012345678-123456789-876543210-12345\\\\Device\\HarddiskVolume3\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", - "User": "COMPANY\\asmithee" + "Details": "Binary Data", + "EventType": "SetValue", + "TargetObject": "target\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-2-3-4-012345678-123456789-876543210-12345\\\\Device\\HarddiskVolume3\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", + "User": "COMPANY\\asmithee" + } + }, + "agent": { + "ephemeral_id": "a0b1c2d3-0123-4567-abcd-e4f5a6b7c8d9", + "id": "001234567-abcd-ef01-2345-6789abcdef01", + "name": "WB-DK-PC01234567", + "type": "winlogbeat", + "version": "7.17.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "PC01234567", + "id": "a0b1c2d3-0123-abcd-0a1b-abcd0123ef45", + "ip": [ + "0.0.0.0", + "1.2.3.4", + "10.20.30.40", + "1122::3344:5566:7788:9900", + "11::2233:4455:6677:8899", + "40.30.20.10", + "5.6.7.8", + "8.8.8.8", + "a0b1::c2d3:e4f5:123:abcd", + "a123::b234:c345:d456:e567", + "aabb::ccdd:eeff:11:2233", + "abcd::ef01:2345:6789:abcd" + ], + "mac": [ + "00:11:22:33:44:55", + "01:23:45:67:89:ab", + "66:77:88:99:00:11", + "a0:b1:c2:d3:e4:f5", + "aa:bb:cc:dd:ee:ff", + "ab:cd:ef:01:23:45" + ], + "name": "PC01234567.company.com", + "os": { + "build": "19044.3570", + "family": "windows", + "kernel": "10.0.19041.3570 (WinBuild.160101.0800)", + "name": "Windows 10 Enterprise", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{abcdef01-2345-6789-abcd-000000000000}", + "executable": 
"C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", + "name": "Teams.exe", + "pid": 17772 + }, + "registry": { + "data": { + "strings": "Binary Data" + }, + "hive": "target", + "key": "target\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-2-3-4-012345678-123456789-876543210-12345\\\\Device\\HarddiskVolume3\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current", + "path": "target\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-2-3-4-012345678-123456789-876543210-12345\\\\Device\\HarddiskVolume3\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", + "value": "Teams.exe" + }, + "related": { + "hash": [ + "dbfbea81bd233292dc651cb11a98ffab227443e4" + ], + "hosts": [ + "PC01234567" + ], + "ip": [ + "0.0.0.0", + "1.2.3.4", + "10.20.30.40", + "1122::3344:5566:7788:9900", + "11::2233:4455:6677:8899", + "40.30.20.10", + "5.6.7.8", + "8.8.8.8", + "a0b1::c2d3:e4f5:123:abcd", + "a123::b234:c345:d456:e567", + "aabb::ccdd:eeff:11:2233", + "abcd::ef01:2345:6789:abcd" + ], + "user": [ + "asmithee" + ] + }, + "user": { + "domain": "COMPANY", + "id": "S-1-2-3", + "name": "asmithee" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "PC01234567.company.com", + "event_id": "13", + "opcode": "Informations", + "process": { + "pid": 5624, + "thread": { + "id": 7248 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "67193809", + "task": "Registry value set (rule: RegistryEvent)", + "user": { + "domain": "DOMAIN", + "identifier": "S-1-2-3", + "name": "Syst\u00e8me", + "type": "User" + }, + "version": 2 + } + } + + ``` + + +=== "event_registry_2.json" + + ```json + + { + "message": "{\n \"winlog\": {\n \"event_data\": {\n \"Details\": \"WORD (0x00000000-0x12345678)\",\n \"TargetObject\": \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Advanced Threat 
Protection\\\\TelLib\\\\LastSuccessfulUploadTime\",\n \"User\": \"DOMAIN\\\\Syst\u00e8me\",\n \"EventType\": \"SetValue\"\n },\n \"task\": \"Registry value set (rule: RegistryEvent)\",\n \"channel\": \"Microsoft-Windows-Sysmon/Operational\",\n \"api\": \"wineventlog\",\n \"user\": {\n \"name\": \"Syst\u00e8me\",\n \"identifier\": \"S-1-2-3\",\n \"type\": \"User\",\n \"domain\": \"DOMAIN\"\n },\n \"provider_guid\": \"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\n \"process\": {\n \"thread\": {\n \"id\": 7248\n },\n \"pid\": 5624\n },\n \"event_id\": \"13\",\n \"version\": 2,\n \"computer_name\": \"PC01234567.company.com\",\n \"record_id\": 67193778,\n \"opcode\": \"Informations\",\n \"provider_name\": \"Microsoft-Windows-Sysmon\"\n },\n \"message\": \"Registry value set:\\nRuleName: technique_id=T1089,technique_name=Disabling Security Tools\\nEventType: SetValue\\nUtcTime: 2023-10-17 14:00:56.524\\nProcessGuid: {abcdef01-2345-6789-abcd-000000000000}\\nProcessId: 5500\\nImage: C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\MsSense.exe\\nTargetObject: HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Advanced Threat Protection\\\\TelLib\\\\LastSuccessfulUploadTime\\nDetails: WORD (0x00000000-0x12345678)\\nUser: DOMAIN\\\\Syst\u00e8me\",\n \"event_ingest_logstash\": \"2023-10-17T14:00:59.207219Z\",\n \"fields.gdp-logstash\": \"6\",\n \"event\": {\n \"provider\": \"Microsoft-Windows-Sysmon\",\n \"created\": \"2023-10-17T14:00:58.520Z\",\n \"category\": [\n \"configuration\",\n \"registry\"\n ],\n \"kind\": \"event\",\n \"action\": \"Registry value set (rule: RegistryEvent)\",\n \"module\": \"sysmon\",\n \"code\": \"13\",\n \"type\": [\n \"change\"\n ]\n },\n \"process\": {\n \"name\": \"MsSense.exe\",\n \"pid\": 5500,\n \"entity_id\": \"{abcdef01-2345-6789-abcd-000000000000}\",\n \"executable\": \"C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\MsSense.exe\"\n },\n \"@version\": \"1\",\n \"log\": {\n \"level\": \"information\"\n },\n 
\"rule\": {\n \"name\": \"technique_id=T1089,technique_name=Disabling Security Tools\"\n },\n \"ecs\": {\n \"version\": \"1.12.0\"\n },\n \"@timestamp\": \"2023-10-17T14:00:56.524Z\",\n \"fields\": {\n \"gdp-parc\": \"defaut\",\n \"gdp-version-winlogbeat\": 2.8,\n \"gdp-indice\": \"l-desk\",\n \"gdp-sousparc\": \"prod\",\n \"gdp-config\": \"desktop\",\n \"gdp-version\": \"1.16\",\n \"gdp-version-sysmon\": 13.33\n },\n \"host\": {\n \"os\": {\n \"platform\": \"windows\",\n \"name\": \"Windows 10 Enterprise\",\n \"version\": \"10.0\",\n \"kernel\": \"10.0.19041.3570 (WinBuild.160101.0800)\",\n \"build\": \"19044.3570\",\n \"type\": \"windows\",\n \"family\": \"windows\"\n },\n \"name\": \"PC01234567.company.com\",\n \"id\": \"a0b1c2d3-0123-abcd-0a1b-abcd0123ef45\",\n \"mac\": [\n \"00:11:22:33:44:55\",\n \"aa:bb:cc:dd:ee:ff\",\n \"a0:b1:c2:d3:e4:f5\",\n \"66:77:88:99:00:11\",\n \"01:23:45:67:89:ab\",\n \"ab:cd:ef:01:23:45\"\n ],\n \"hostname\": \"PC01234567\",\n \"architecture\": \"x86_64\",\n \"ip\": [\n \"a123::b234:c345:d456:e567\",\n \"8.8.8.8\",\n \"abcd::ef01:2345:6789:abcd\",\n \"1.2.3.4\",\n \"a0b1::c2d3:e4f5:0123:abcd\",\n \"10.20.30.40\",\n \"aabb::ccdd:eeff:0011:2233\",\n \"0.0.0.0\",\n \"1122::3344:5566:7788:9900\",\n \"5.6.7.8\",\n \"0011::2233:4455:6677:8899\",\n \"40.30.20.10\"\n ]\n },\n \"registry\": {\n \"key\": \"SOFTWARE\\\\Microsoft\\\\Windows Advanced Threat Protection\\\\TelLib\\\\LastSuccessfulUploadTime\",\n \"path\": \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Advanced Threat Protection\\\\TelLib\\\\LastSuccessfulUploadTime\",\n \"hive\": \"HKLM\",\n \"value\": \"LastSuccessfulUploadTime\"\n },\n \"tags\": [\n \"beats_input_codec_plain_applied\"\n ],\n \"agent\": {\n \"id\": \"001234567-abcd-ef01-2345-6789abcdef01\",\n \"name\": \"WB-DK-PC01234567\",\n \"version\": \"7.17.1\",\n \"ephemeral_id\": \"a0b1c2d3-0123-4567-abcd-e4f5a6b7c8d9\",\n \"hostname\": \"PC01234567\",\n \"type\": \"winlogbeat\"\n }\n}", + "event": { + "action": "Registry 
value set (rule: RegistryEvent)", + "category": [ + "configuration", + "registry" + ], + "code": "13", + "hash": "25c902e0f7f27e2a1a6d74c675b97c7fde0a4dda", + "kind": "event", + "module": "sysmon", + "original": "Registry value set:\nRuleName: technique_id=T1089,technique_name=Disabling Security Tools\nEventType: SetValue\nUtcTime: 2023-10-17 14:00:56.524\nProcessGuid: {abcdef01-2345-6789-abcd-000000000000}\nProcessId: 5500\nImage: C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\nTargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection\\TelLib\\LastSuccessfulUploadTime\nDetails: WORD (0x00000000-0x12345678)\nUser: DOMAIN\\Syst\u00e8me", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "@timestamp": "2023-10-17T14:00:56.524000Z", + "action": { + "id": 13, + "properties": { + "Details": "WORD (0x00000000-0x12345678)", + "EventType": "SetValue", + "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection\\TelLib\\LastSuccessfulUploadTime", + "User": "DOMAIN\\Syst\u00e8me" + } + }, + "agent": { + "ephemeral_id": "a0b1c2d3-0123-4567-abcd-e4f5a6b7c8d9", + "id": "001234567-abcd-ef01-2345-6789abcdef01", + "name": "WB-DK-PC01234567", + "type": "winlogbeat", + "version": "7.17.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "PC01234567", + "id": "a0b1c2d3-0123-abcd-0a1b-abcd0123ef45", + "ip": [ + "0.0.0.0", + "1.2.3.4", + "10.20.30.40", + "1122::3344:5566:7788:9900", + "11::2233:4455:6677:8899", + "40.30.20.10", + "5.6.7.8", + "8.8.8.8", + "a0b1::c2d3:e4f5:123:abcd", + "a123::b234:c345:d456:e567", + "aabb::ccdd:eeff:11:2233", + "abcd::ef01:2345:6789:abcd" + ], + "mac": [ + "00:11:22:33:44:55", + "01:23:45:67:89:ab", + "66:77:88:99:00:11", + "a0:b1:c2:d3:e4:f5", + "aa:bb:cc:dd:ee:ff", + "ab:cd:ef:01:23:45" + ], + "name": "PC01234567.company.com", + "os": { + "build": "19044.3570", + "family": "windows", + "kernel": "10.0.19041.3570 (WinBuild.160101.0800)", + "name": 
"Windows 10 Enterprise", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{abcdef01-2345-6789-abcd-000000000000}", + "executable": "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe", + "name": "MsSense.exe", + "pid": 5500 + }, + "registry": { + "data": { + "strings": "WORD (0x00000000-0x12345678)" + }, + "hive": "HKLM", + "key": "HKLM\\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection\\TelLib", + "path": "HKLM\\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection\\TelLib\\LastSuccessfulUploadTime", + "value": "LastSuccessfulUploadTime" + }, + "related": { + "hash": [ + "25c902e0f7f27e2a1a6d74c675b97c7fde0a4dda" + ], + "hosts": [ + "PC01234567" + ], + "ip": [ + "0.0.0.0", + "1.2.3.4", + "10.20.30.40", + "1122::3344:5566:7788:9900", + "11::2233:4455:6677:8899", + "40.30.20.10", + "5.6.7.8", + "8.8.8.8", + "a0b1::c2d3:e4f5:123:abcd", + "a123::b234:c345:d456:e567", + "aabb::ccdd:eeff:11:2233", + "abcd::ef01:2345:6789:abcd" + ], + "user": [ + "Syst\u00e8me" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "Syst\u00e8me" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "PC01234567.company.com", + "event_id": "13", + "opcode": "Informations", + "process": { + "pid": 5624, + "thread": { + "id": 7248 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "67193778", + "task": "Registry value set (rule: RegistryEvent)", + "user": { + "domain": "DOMAIN", + "identifier": "S-1-2-3", + "name": "Syst\u00e8me", + "type": "User" + }, + "version": 2 + } + } + + ``` + + +=== "security_event_1100.json" + + ```json + + { + "message": "{\"@timestamp\": \"2019-11-07T10:37:04.2260925Z\", \"ecs\": {\"version\": \"1.12.0\"}, \"event\": {\"action\": \"logging-service-shutdown\", \"category\": 
[\"process\"], \"code\": \"1100\", \"kind\": \"event\", \"module\": \"security\", \"outcome\": \"success\", \"provider\": \"Microsoft-Windows-Eventlog\", \"type\": [\"end\"]}, \"host\": {\"name\": \"WIN-41OB2LO92CR.wlbeat.local\"}, \"log\": {\"level\": \"information\"}, \"message\": \"The event logging service has shut down.\", \"winlog\": {\"api\": \"wineventlog\", \"channel\": \"Security\", \"computer_name\": \"WIN-41OB2LO92CR.wlbeat.local\", \"event_id\": \"1100\", \"keywords\": [\"Audit Success\"], \"opcode\": \"Info\", \"process\": {\"pid\": 1144, \"thread\": {\"id\": 4532}}, \"provider_guid\": \"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}\", \"provider_name\": \"Microsoft-Windows-Eventlog\", \"record_id\": \"14257\", \"task\": \"Service shutdown\"}}", + "event": { + "action": "logging-service-shutdown", + "category": [ + "process" + ], + "code": "1100", + "hash": "361bb11c0451eb45e271a976994b57b186f933be", + "kind": "event", + "module": "security", + "original": "The event logging service has shut down.", + "provider": "Microsoft-Windows-Eventlog", + "type": [ + "end" + ] + }, + "@timestamp": "2019-11-07T10:37:04.226092Z", + "action": { + "id": 1100, + "outcome": "success" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "related": { + "hash": [ + "361bb11c0451eb45e271a976994b57b186f933be" + ] + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_id": "1100", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 1144, + "thread": { + "id": 4532 + } + }, + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_name": "Microsoft-Windows-Eventlog", + "record_id": "14257", + "task": "Service shutdown" + } + } + + ``` + + +=== "security_event_1102.json" + + ```json + + { + "message": "{\"@timestamp\": \"2019-11-07T10:34:29.0559196Z\", \"ecs\": {\"version\": \"1.12.0\"}, \"event\": {\"action\": 
\"audit-log-cleared\", \"category\": [\"iam\"], \"code\": \"1102\", \"kind\": \"event\", \"module\": \"security\", \"outcome\": \"success\", \"provider\": \"Microsoft-Windows-Eventlog\", \"type\": [\"admin\", \"change\"]}, \"host\": {\"name\": \"WIN-41OB2LO92CR.wlbeat.local\"}, \"log\": {\"level\": \"information\"}, \"message\": \"The audit log was cleared.\\nSubject:\\n\\tSecurity ID:\\tS-1-5-21-101361758-2486510592-3018839910-500\\n\\tAccount Name:\\tAdministrator\\n\\tDomain Name:\\tWLBEAT\\n\\tLogon ID:\\t0x50E87\", \"related\": {\"user\": [\"Administrator\"]}, \"user\": {\"domain\": \"WLBEAT\", \"id\": \"S-1-5-21-101361758-2486510592-3018839910-500\", \"name\": \"Administrator\"}, \"winlog\": {\"api\": \"wineventlog\", \"channel\": \"Security\", \"computer_name\": \"WIN-41OB2LO92CR.wlbeat.local\", \"event_id\": \"1102\", \"keywords\": [\"Audit Success\"], \"logon\": {\"id\": \"0x50e87\"}, \"opcode\": \"Info\", \"process\": {\"pid\": 1144, \"thread\": {\"id\": 1824}}, \"provider_guid\": \"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}\", \"provider_name\": \"Microsoft-Windows-Eventlog\", \"record_id\": \"14224\", \"task\": \"Log clear\", \"user_data\": {\"SubjectDomainName\": \"WLBEAT\", \"SubjectLogonId\": \"0x50e87\", \"SubjectUserName\": \"Administrator\", \"SubjectUserSid\": \"S-1-5-21-101361758-2486510592-3018839910-500\", \"xml_name\": \"LogFileCleared\"}}}", + "event": { + "action": "audit-log-cleared", + "category": [ + "iam" + ], + "code": "1102", + "hash": "f390960100640278bc84f4de043b325ee561b750", + "kind": "event", + "module": "security", + "original": "The audit log was cleared.\nSubject:\n\tSecurity ID:\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\tAdministrator\n\tDomain Name:\tWLBEAT\n\tLogon ID:\t0x50E87", + "provider": "Microsoft-Windows-Eventlog", + "type": [ + "admin", + "change" + ] + }, + "@timestamp": "2019-11-07T10:34:29.055919Z", + "action": { + "id": 1102, + "outcome": "success" + }, + "host": { + "name": 
"WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "related": { + "hash": [ + "f390960100640278bc84f4de043b325ee561b750" + ], + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_id": "1102", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x50e87" + }, + "opcode": "Info", + "process": { + "pid": 1144, + "thread": { + "id": 1824 + } + }, + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_name": "Microsoft-Windows-Eventlog", + "record_id": "14224", + "task": "Log clear", + "user_data": { + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x50e87", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "xml_name": "LogFileCleared" + } + } + } + + ``` + + +=== "security_event_4648.json" + + ```json + + { + "message": "{\"log\": {\"level\": \"information\"}, \"message\": \"A logon was attempted using explicit credentials.\\\\n\\\\nSubject:\\\\n\\\\tSecurity ID:\\\\t\\\\tS-1-2-3\\\\n\\\\tAccount Name:\\\\t\\\\tSYSTEM\\\\n\\\\tAccount Domain:\\\\t\\\\tDOMAIN\\\\n\\\\tLogon ID:\\\\t\\\\t0x41C1B034B\\\\n\\\\tLogon GUID:\\\\t\\\\t{00000000-0000-0000-0000-000000000000}\\\\n\\\\nAccount Whose Credentials Were Used:\\\\n\\\\tAccount Name:\\\\t\\\\taccount\\\\n\\\\tAccount Domain:\\\\t\\\\tcompany\\\\n\\\\tLogon GUID:\\\\t\\\\t{00000000-0000-0000-0000-000000000000}\\\\n\\\\nTarget Server:\\\\n\\\\tTarget Server Name:\\\\tTARGET.company.com\\\\n\\\\tAdditional Information:\\\\tTARGET.company.com\\\\n\\\\nProcess Information:\\\\n\\\\tProcess ID:\\\\t\\\\t0x8314\\\\n\\\\tProcess Name:\\\\t\\\\tD:\\\\\\\\Program Files (x86)\\\\\\\\Process\\\\\\\\Test\\\\\\\\processname.exe\\\\n\\\\nNetwork Information:\\\\n\\\\tNetwork 
Address:\\\\t8.8.8.8\\\\n\\\\tPort:\\\\t\\\\t\\\\t12345\\\\n\\\\nThis event is generated when a process attempts to log on an account by explicitly specifying that account\\\\u2019s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.\", \"type\": \"R2\", \"fields\": {\"gdp-indice\": \"l-serve\", \"gdp-parc\": \"defaut\", \"gdp-config\": \"server\", \"gdp-version-sysmon\": 15, \"gdp-sousparc\": \"prod\", \"gdp-version\": \"2.8\", \"gdp-version-winlogbeat\": 3.4}, \"ecs\": {\"version\": \"8.0.0\"}, \"agent\": {\"name\": \"WB-SRV-HOST01\", \"type\": \"winlogbeat\", \"version\": \"8.8.2\", \"ephemeral_id\": \"06ad3222-a4be-4b59-9958-5f9a657ea9f1\", \"id\": \"2c0cd63b-3836-4620-9eb8-13202bd370a3\"}, \"fields.gdp-redis\": \"2\", \"event\": {\"provider\": \"Microsoft-Windows-Security-Auditing\", \"kind\": \"event\", \"code\": \"4648\", \"action\": \"Logon\", \"created\": \"2023-11-09T09:05:15.197Z\", \"outcome\": \"success\"}, \"winlog\": {\"event_id\": \"4648\", \"keywords\": [\"Audit Success\"], \"provider_guid\": \"{54849625-5478-4994-A5BA-3E3B0328C30D}\", \"event_data\": {\"SubjectUserName\": \"SYSTEM\", \"IpPort\": \"12345\", \"TargetInfo\": \"TARGET.company.com\", \"TargetLogonGuid\": \"{00000000-0000-0000-0000-000000000000}\", \"TargetUserName\": \"account\", \"TargetServerName\": \"TARGET.company.com\", \"ProcessName\": \"D:\\\\\\\\Program Files (x86)\\\\\\\\Process\\\\\\\\Test\\\\\\\\processname.exe\", \"SubjectUserSid\": \"S-1-2-3\", \"IpAddress\": \"8.8.8.8\", \"TargetDomainName\": \"company\", \"SubjectDomainName\": \"DOMAIN\", \"ProcessId\": \"0x8314\", \"LogonGuid\": \"{00000000-0000-0000-0000-000000000000}\", \"SubjectLogonId\": \"0x41c1b034b\"}, \"process\": {\"pid\": 848, \"thread\": {\"id\": 22916}}, \"provider_name\": \"Microsoft-Windows-Security-Auditing\", \"computer_name\": \"HOST01.company.com\", \"opcode\": \"Info\", \"task\": \"Logon\", \"channel\": \"Security\", \"api\": 
\"wineventlog\", \"record_id\": 8500947825, \"activity_id\": \"{7E156DC4-0D77-0008-C56D-157E770DDA01}\"}, \"@timestamp\": \"2023-11-09T09:05:14.415Z\", \"host\": {\"name\": \"HOST01\", \"id\": \"abcdefgh-1234-5678-abcd-efgh12345678\", \"mac\": [\"00-00-00-00-00-00-00-E0\", \"00-11-22-33-44-55\"], \"architecture\": \"x86_64\", \"os\": {\"platform\": \"windows\", \"version\": \"10.0\", \"name\": \"Windows Server 2016 Standard\", \"build\": \"14393.6351\", \"kernel\": \"10.0.14393.6343 (rs1_release.230913-1727)\", \"type\": \"windows\", \"family\": \"windows\"}, \"hostname\": \"HOST01\", \"ip\": [\"1.2.3.4\", \"fe80::abcd:123:456\"]}, \"event_ingest_logstash\": \"2023-11-09T09:05:14.912238Z\", \"fields.gdp-logstash\": \"5\", \"@version\": \"1\"}", + "event": { + "action": "Logon", + "code": "4648", + "hash": "c20fb2f9eef469e4c56d0d5ad755884dd2cd9ce1", + "kind": "event", + "module": "security", + "original": "A logon was attempted using explicit credentials.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tSYSTEM\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x41C1B034B\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nAccount Whose Credentials Were Used:\\n\\tAccount Name:\\t\\taccount\\n\\tAccount Domain:\\t\\tcompany\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nTarget Server:\\n\\tTarget Server Name:\\tTARGET.company.com\\n\\tAdditional Information:\\tTARGET.company.com\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x8314\\n\\tProcess Name:\\t\\tD:\\\\Program Files (x86)\\\\Process\\\\Test\\\\processname.exe\\n\\nNetwork Information:\\n\\tNetwork Address:\\t8.8.8.8\\n\\tPort:\\t\\t\\t12345\\n\\nThis event is generated when a process attempts to log on an account by explicitly specifying that account\\u2019s credentials. 
This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2023-11-09T09:05:14.415000Z", + "action": { + "id": 4648, + "outcome": "success", + "properties": { + "IpAddress": "8.8.8.8", + "IpPort": "12345", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "ProcessId": "0x8314", + "ProcessName": "D:\\\\Program Files (x86)\\\\Process\\\\Test\\\\processname.exe", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x41c1b034b", + "SubjectUserName": "SYSTEM", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "company", + "TargetInfo": "TARGET.company.com", + "TargetLogonGuid": "{00000000-0000-0000-0000-000000000000}", + "TargetServerName": "TARGET.company.com", + "TargetUserName": "account" + } + }, + "agent": { + "ephemeral_id": "06ad3222-a4be-4b59-9958-5f9a657ea9f1", + "id": "2c0cd63b-3836-4620-9eb8-13202bd370a3", + "name": "WB-SRV-HOST01", + "type": "winlogbeat", + "version": "8.8.2" + }, + "host": { + "architecture": "x86_64", + "hostname": "HOST01", + "id": "abcdefgh-1234-5678-abcd-efgh12345678", + "ip": [ + "1.2.3.4", + "fe80::abcd:123:456" + ], + "mac": [ + "00-00-00-00-00-00-00-E0", + "00-11-22-33-44-55" + ], + "name": "HOST01", + "os": { + "build": "14393.6351", + "family": "windows", + "kernel": "10.0.14393.6343 (rs1_release.230913-1727)", + "name": "Windows Server 2016 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "process": { + "executable": "D:\\\\Program Files (x86)\\\\Process\\\\Test\\\\processname.exe", + "name": "processname.exe", + "pid": 33556 + }, + "related": { + "hash": [ + "c20fb2f9eef469e4c56d0d5ad755884dd2cd9ce1" + ], + "hosts": [ + "HOST01" + ], + "ip": [ + "1.2.3.4", + "8.8.8.8", + "fe80::abcd:123:456" + ], + "user": [ + "account" + ] + }, + "source": { + "address": "8.8.8.8", + "ip": "8.8.8.8", + "port": 12345 + }, + 
"user": { + "domain": "company", + "effective": { + "domain": "company", + "name": "account" + }, + "id": "S-1-2-3", + "name": "account", + "target": { + "domain": "company", + "name": "account" + } + }, + "winlog": { + "activity_id": "{7e156dc4-0d77-0008-c56d-157e770dda01}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "HOST01.company.com", + "event_id": "4648", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x41c1b034b" + }, + "opcode": "Info", + "process": { + "pid": 848, + "thread": { + "id": 22916 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "8500947825", + "task": "Logon" + } + } + + ``` + + +=== "security_event_4688.json" + + ```json + + { + "message": "{\"tags\": [\"beats_input_codec_plain_applied\"], \"event\": {\"original\": \"A new process has been created.\\\\n\\\\nCreator Subject:\\\\n\\\\tSecurity ID:\\\\t\\\\tS-1-1-1\\\\n\\\\tAccount Name:\\\\t\\\\tHOST01$\\\\n\\\\tAccount Domain:\\\\t\\\\tCOMPANY\\\\n\\\\tLogon ID:\\\\t\\\\t0x3E7\\\\n\\\\nTarget Subject:\\\\n\\\\tSecurity ID:\\\\t\\\\tS-1-0-0\\\\n\\\\tAccount Name:\\\\t\\\\t-\\\\n\\\\tAccount Domain:\\\\t\\\\t-\\\\n\\\\tLogon ID:\\\\t\\\\t0x0\\\\n\\\\nProcess Information:\\\\n\\\\tNew Process ID:\\\\t\\\\t0x1d9c\\\\n\\\\tNew Process Name:\\\\tC:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\\\\n\\\\tToken Elevation Type:\\\\tTokenElevationTypeDefault (1)\\\\n\\\\tMandatory Label:\\\\t\\\\tS-1-2-3\\\\n\\\\tCreator Process ID:\\\\t0x2a0\\\\n\\\\tCreator Process Name:\\\\tC:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\\\\n\\\\tProcess Command Line:\\\\tC:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\\\\n\\\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\\\\n\\\\nType 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\\\n\\\\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\\\n\\\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.\", \"action\": \"Process Creation\", \"kind\": \"event\", \"outcome\": \"success\", \"created\": \"2023-11-09T08:43:52.407Z\", \"provider\": \"Microsoft-Windows-Security-Auditing\", \"code\": \"4688\"}, \"@version\": \"1\", \"@timestamp\": \"2023-11-09T08:43:51.462Z\", \"message\": \"A new process has been created.\\\\n\\\\nCreator Subject:\\\\n\\\\tSecurity ID:\\\\t\\\\tS-1-1-1\\\\n\\\\tAccount Name:\\\\t\\\\tHOST01$\\\\n\\\\tAccount Domain:\\\\t\\\\tCOMPANY\\\\n\\\\tLogon ID:\\\\t\\\\t0x3E7\\\\n\\\\nTarget Subject:\\\\n\\\\tSecurity ID:\\\\t\\\\tS-1-0-0\\\\n\\\\tAccount Name:\\\\t\\\\t-\\\\n\\\\tAccount Domain:\\\\t\\\\t-\\\\n\\\\tLogon ID:\\\\t\\\\t0x0\\\\n\\\\nProcess Information:\\\\n\\\\tNew Process ID:\\\\t\\\\t0x1d9c\\\\n\\\\tNew Process Name:\\\\tC:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\\\\n\\\\tToken Elevation Type:\\\\tTokenElevationTypeDefault (1)\\\\n\\\\tMandatory Label:\\\\t\\\\tS-1-2-3\\\\n\\\\tCreator Process ID:\\\\t0x2a0\\\\n\\\\tCreator Process Name:\\\\tC:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\\\\n\\\\tProcess Command 
Line:\\\\tC:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\\\\n\\\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\\\\n\\\\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\\\n\\\\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\\\n\\\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.\", \"winlog\": {\"computer_name\": \"HOST01.company.test\", \"provider_name\": \"Microsoft-Windows-Security-Auditing\", \"channel\": \"Security\", \"provider_guid\": \"{54849625-5478-4994-a5ba-3e3b0328c30d}\", \"keywords\": [\"Audit Success\"], \"version\": 2, \"event_id\": \"4688\", \"process\": {\"pid\": 4, \"thread\": {\"id\": 17028}}, \"task\": \"Process Creation\", \"event_data\": {\"ParentProcessName\": \"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\", \"TokenElevationType\": \"%%1936\", \"MandatoryLabel\": \"S-1-2-3\", \"TargetUserSid\": \"S-1-0-0\", \"SubjectUserSid\": \"S-1-1-1\", \"SubjectDomainName\": \"COMPANY\", \"SubjectLogonId\": \"0x3e7\", \"CommandLine\": \"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\", \"NewProcessId\": \"0x1d9c\", \"TargetDomainName\": \"-\", \"ProcessId\": 
\"0x2a0\", \"SubjectUserName\": \"HOST01$\", \"TargetUserName\": \"-\", \"NewProcessName\": \"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\", \"TargetLogonId\": \"0x0\"}, \"record_id\": 8884538, \"api\": \"wineventlog\", \"opcode\": \"Info\"}, \"host\": {\"hostname\": \"host01\", \"id\": \"abcdefgh-1234-5678-abcd-efgh12345678\", \"ip\": [\"8.8.8.8\"], \"name\": \"host01\", \"mac\": [\"00-11-22-33-44-55\"], \"architecture\": \"x86_64\", \"os\": {\"build\": \"20348.2031\", \"version\": \"10.0\", \"name\": \"Windows Server 2022 Standard\", \"family\": \"windows\", \"kernel\": \"10.0.20348.2031 (WinBuild.160101.0800)\", \"type\": \"windows\", \"platform\": \"windows\"}}, \"log\": {\"level\": \"information\"}, \"ecs\": {\"version\": \"8.0.0\"}, \"agent\": {\"type\": \"winlogbeat\", \"ephemeral_id\": \"7ecf606a-ee47-4796-a223-4e6bb827233d\", \"id\": \"65ede6f4-4783-4792-8dc0-8364bc33b7bd\", \"version\": \"8.10.4\", \"name\": \"HOST01\"}}", + "event": { + "action": "Process Creation", + "code": "4688", + "hash": "d5bc16d9a722f6e28d702823c9db8bf7502984f6", + "kind": "event", + "module": "security", + "original": "A new process has been created.\\n\\nCreator Subject:\\n\\tSecurity ID:\\t\\tS-1-1-1\\n\\tAccount Name:\\t\\tHOST01$\\n\\tAccount Domain:\\t\\tCOMPANY\\n\\tLogon ID:\\t\\t0x3E7\\n\\nTarget Subject:\\n\\tSecurity ID:\\t\\tS-1-0-0\\n\\tAccount Name:\\t\\t-\\n\\tAccount Domain:\\t\\t-\\n\\tLogon ID:\\t\\t0x0\\n\\nProcess Information:\\n\\tNew Process ID:\\t\\t0x1d9c\\n\\tNew Process Name:\\tC:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\\n\\tToken Elevation Type:\\tTokenElevationTypeDefault (1)\\n\\tMandatory Label:\\t\\tS-1-2-3\\n\\tCreator Process ID:\\t0x2a0\\n\\tCreator Process Name:\\tC:\\\\Windows\\\\System32\\\\services.exe\\n\\tProcess Command Line:\\tC:\\\\Windows\\\\system32\\\\wbem\\\\WmiApSrv.exe\\n\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control 
policy.\\n\\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\n\\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\n\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2023-11-09T08:43:51.462000Z", + "action": { + "id": 4688, + "outcome": "success", + "properties": { + "CommandLine": "C:\\\\Windows\\\\system32\\\\wbem\\\\WmiApSrv.exe", + "MandatoryLabel": "S-1-2-3", + "NewProcessId": "0x1d9c", + "NewProcessName": "C:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe", + "ParentProcessName": "C:\\\\Windows\\\\System32\\\\services.exe", + "ProcessId": "0x2a0", + "SubjectDomainName": "COMPANY", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "HOST01$", + "SubjectUserSid": "S-1-1-1", + "TargetDomainName": "-", + "TargetLogonId": "0x0", + "TargetUserName": "-", + "TargetUserSid": "S-1-0-0", + "TokenElevationType": "%%1936" + } + }, + "agent": { + "ephemeral_id": "7ecf606a-ee47-4796-a223-4e6bb827233d", + "id": "65ede6f4-4783-4792-8dc0-8364bc33b7bd", + "name": "HOST01", + "type": "winlogbeat", + "version": "8.10.4" + }, + "host": { + "architecture": "x86_64", + "hostname": "host01", + "id": "abcdefgh-1234-5678-abcd-efgh12345678", + "ip": [ 
+ "8.8.8.8" + ], + "mac": [ + "00-11-22-33-44-55" + ], + "name": "host01", + "os": { + "build": "20348.2031", + "family": "windows", + "kernel": "10.0.20348.2031 (WinBuild.160101.0800)", + "name": "Windows Server 2022 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "process": { + "command_line": "C:\\\\Windows\\\\system32\\\\wbem\\\\WmiApSrv.exe", + "executable": "C:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe", + "name": "WmiApSrv.exe", + "parent": { + "executable": "C:\\\\Windows\\\\System32\\\\services.exe", + "name": "services.exe", + "pid": 672 + }, + "pid": 7580 + }, + "related": { + "hash": [ + "d5bc16d9a722f6e28d702823c9db8bf7502984f6" + ], + "hosts": [ + "host01" + ], + "ip": [ + "8.8.8.8" + ], + "user": [ + "HOST01" + ] + }, + "user": { + "domain": "COMPANY", + "effective": { + "domain": "-", + "id": "S-1-0-0", + "name": "-" + }, + "id": "S-1-1-1", + "name": "HOST01", + "target": { + "domain": "-", + "name": "-" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "HOST01.company.test", + "event_id": "4688", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 4, + "thread": { + "id": 17028 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "8884538", + "task": "Process Creation", + "version": 2 + } + } + + ``` + + +=== "security_event_4742.json" + + ```json + + { + "message": "{\"@timestamp\": \"2019-12-18T16:22:12.3425087Z\", \"ecs\": {\"version\": \"1.12.0\"}, \"event\": {\"action\": \"changed-computer-account\", \"category\": [\"iam\"], \"code\": \"4742\", \"kind\": \"event\", \"module\": \"security\", \"outcome\": \"success\", \"provider\": \"Microsoft-Windows-Security-Auditing\", \"type\": [\"change\", \"admin\"]}, \"host\": {\"name\": \"DC_TEST2k12.TEST.SAAS\"}, \"log\": 
{\"level\": \"information\"}, \"message\": \"A computer account was changed.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-5-21-1717121054-434620538-60925301-2794\\n\\tAccount Name:\\t\\tat_adm\\n\\tAccount Domain:\\t\\tTEST\\n\\tLogon ID:\\t\\t0x2E67800\\n\\nComputer Account That Was Changed:\\n\\tSecurity ID:\\t\\tS-1-5-21-1717121054-434620538-60925301-2902\\n\\tAccount Name:\\t\\tTESTCOMPUTEROBJ$\\n\\tAccount Domain:\\t\\tTEST\\n\\nChanged Attributes:\\n\\tSAM Account Name:\\t-\\n\\tDisplay Name:\\t\\t-\\n\\tUser Principal Name:\\t-\\n\\tHome Directory:\\t\\t-\\n\\tHome Drive:\\t\\t-\\n\\tScript Path:\\t\\t-\\n\\tProfile Path:\\t\\t-\\n\\tUser Workstations:\\t-\\n\\tPassword Last Set:\\t-\\n\\tAccount Expires:\\t\\t-\\n\\tPrimary Group ID:\\t-\\n\\tAllowedToDelegateTo:\\t-\\n\\tOld UAC Value:\\t\\t0x85\\n\\tNew UAC Value:\\t\\t0x84\\n\\tUser Account Control:\\t\\n\\t\\tAccount Enabled\\n\\tUser Parameters:\\t-\\n\\tSID History:\\t\\t-\\n\\tLogon Hours:\\t\\t-\\n\\tDNS Host Name:\\t\\t-\\n\\tService Principal Names:\\t-\\n\\nAdditional Information:\\n\\tPrivileges:\\t\\t-\", \"related\": {\"user\": [\"at_adm\"]}, \"user\": {\"domain\": \"TEST\", \"id\": \"S-1-5-21-1717121054-434620538-60925301-2794\", \"name\": \"at_adm\"}, \"winlog\": {\"api\": \"wineventlog\", \"channel\": \"Security\", \"computerObject\": {\"domain\": \"TEST\", \"id\": \"S-1-5-21-1717121054-434620538-60925301-2902\", \"name\": \"TESTCOMPUTEROBJ$\"}, \"computer_name\": \"DC_TEST2k12.TEST.SAAS\", \"event_data\": {\"AccountExpires\": \"-\", \"AllowedToDelegateTo\": \"-\", \"ComputerAccountChange\": \"-\", \"DisplayName\": \"-\", \"DnsHostName\": \"-\", \"HomeDirectory\": \"-\", \"HomePath\": \"-\", \"LogonHours\": \"-\", \"NewUACList\": [\"USER_PASSWORD_NOT_REQUIRED\", \"USER_WORKSTATION_TRUST_ACCOUNT\"], \"NewUacValue\": \"0x84\", \"OldUacValue\": \"0x85\", \"PasswordLastSet\": \"-\", \"PrimaryGroupId\": \"-\", \"PrivilegeList\": [\"-\"], \"ProfilePath\": \"-\", \"SamAccountName\": \"-\", 
\"ScriptPath\": \"-\", \"ServicePrincipalNames\": \"-\", \"SidHistory\": \"-\", \"SubjectDomainName\": \"TEST\", \"SubjectLogonId\": \"0x2e67800\", \"SubjectUserName\": \"at_adm\", \"SubjectUserSid\": \"S-1-5-21-1717121054-434620538-60925301-2794\", \"TargetDomainName\": \"TEST\", \"TargetSid\": \"S-1-5-21-1717121054-434620538-60925301-2902\", \"TargetUserName\": \"TESTCOMPUTEROBJ$\", \"UserAccountControl\": [\"2048\"], \"UserParameters\": \"-\", \"UserPrincipalName\": \"-\", \"UserWorkstations\": \"-\"}, \"event_id\": \"4742\", \"keywords\": [\"Audit Success\"], \"logon\": {\"id\": \"0x2e67800\"}, \"opcode\": \"Info\", \"process\": {\"pid\": 492, \"thread\": {\"id\": 664}}, \"provider_guid\": \"{54849625-5478-4994-a5ba-3e3b0328c30d}\", \"provider_name\": \"Microsoft-Windows-Security-Auditing\", \"record_id\": \"3699934\", \"task\": \"Computer Account Management\"}}", + "event": { + "action": "changed-computer-account", + "category": [ + "iam" + ], + "code": "4742", + "hash": "b71143c79488f994a7193abd6ac7d3fddccd864a", + "kind": "event", + "module": "security", + "original": "A computer account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nComputer Account That Was Changed:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2902\n\tAccount Name:\t\tTESTCOMPUTEROBJ$\n\tAccount Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tDisplay Name:\t\t-\n\tUser Principal Name:\t-\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t-\n\tAccount Expires:\t\t-\n\tPrimary Group ID:\t-\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x85\n\tNew UAC Value:\t\t0x84\n\tUser Account Control:\t\n\t\tAccount Enabled\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t-\n\tDNS Host Name:\t\t-\n\tService Principal Names:\t-\n\nAdditional 
Information:\n\tPrivileges:\t\t-", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "@timestamp": "2019-12-18T16:22:12.342508Z", + "action": { + "id": 4742, + "outcome": "success", + "properties": { + "AccountExpires": "-", + "AllowedToDelegateTo": "-", + "ComputerAccountChange": "-", + "DisplayName": "-", + "DnsHostName": "-", + "HomeDirectory": "-", + "HomePath": "-", + "LogonHours": "-", + "NewUACList": [ + "USER_PASSWORD_NOT_REQUIRED", + "USER_WORKSTATION_TRUST_ACCOUNT" + ], + "NewUacValue": "0x84", + "OldUacValue": "0x85", + "PasswordLastSet": "-", + "PrimaryGroupId": "-", + "PrivilegeList": [ + "-" + ], + "ProfilePath": "-", + "SamAccountName": "-", + "ScriptPath": "-", + "ServicePrincipalNames": "-", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2902", + "TargetUserName": "TESTCOMPUTEROBJ$", + "UserAccountControl": [ + "2048" + ], + "UserParameters": "-", + "UserPrincipalName": "-", + "UserWorkstations": "-" + } + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "hash": [ + "b71143c79488f994a7193abd6ac7d3fddccd864a" + ], + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computerObject": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2902", + "name": "TESTCOMPUTEROBJ$" + }, + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "NewUACList": [ + "USER_PASSWORD_NOT_REQUIRED", + "USER_WORKSTATION_TRUST_ACCOUNT" + ], + "UserAccountControl": [ + "2048" + ] + }, + "event_id": "4742", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": 
"0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3699934", + "task": "Computer Account Management" + } + } + + ``` + + +=== "security_event_4744.json" + + ```json + + { + "message": "{\"@timestamp\": \"2019-12-18T16:26:46.8744233Z\", \"ecs\": {\"version\": \"1.12.0\"}, \"event\": {\"action\": \"added-distribution-group-account\", \"category\": [\"iam\"], \"code\": \"4744\", \"kind\": \"event\", \"module\": \"security\", \"outcome\": \"success\", \"provider\": \"Microsoft-Windows-Security-Auditing\", \"type\": [\"group\", \"creation\"]}, \"group\": {\"domain\": \"TEST\", \"id\": \"S-1-5-21-1717121054-434620538-60925301-2903\", \"name\": \"testdistlocal\"}, \"host\": {\"name\": \"DC_TEST2k12.TEST.SAAS\"}, \"log\": {\"level\": \"information\"}, \"message\": \"A security-disabled local group was created.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-5-21-1717121054-434620538-60925301-2794\\n\\tAccount Name:\\t\\tat_adm\\n\\tAccount Domain:\\t\\tTEST\\n\\tLogon ID:\\t\\t0x2E67800\\n\\nNew Group:\\n\\tSecurity ID:\\t\\tS-1-5-21-1717121054-434620538-60925301-2903\\n\\tGroup Name:\\t\\ttestdistlocal\\n\\tGroup Domain:\\t\\tTEST\\n\\nAttributes:\\n\\tSAM Account Name:\\ttestdistlocal\\n\\tSID History:\\t\\t-\\n\\nAdditional Information:\\n\\tPrivileges:\\t\\t-\", \"related\": {\"user\": [\"at_adm\"]}, \"user\": {\"domain\": \"TEST\", \"id\": \"S-1-5-21-1717121054-434620538-60925301-2794\", \"name\": \"at_adm\"}, \"winlog\": {\"api\": \"wineventlog\", \"channel\": \"Security\", \"computer_name\": \"DC_TEST2k12.TEST.SAAS\", \"event_data\": {\"PrivilegeList\": \"-\", \"SamAccountName\": \"testdistlocal\", \"SidHistory\": \"-\", \"SubjectDomainName\": \"TEST\", \"SubjectLogonId\": \"0x2e67800\", \"SubjectUserName\": \"at_adm\", \"SubjectUserSid\": \"S-1-5-21-1717121054-434620538-60925301-2794\", 
\"TargetDomainName\": \"TEST\", \"TargetSid\": \"S-1-5-21-1717121054-434620538-60925301-2903\", \"TargetUserName\": \"testdistlocal\"}, \"event_id\": \"4744\", \"keywords\": [\"Audit Success\"], \"logon\": {\"id\": \"0x2e67800\"}, \"opcode\": \"Info\", \"process\": {\"pid\": 492, \"thread\": {\"id\": 664}}, \"provider_guid\": \"{54849625-5478-4994-a5ba-3e3b0328c30d}\", \"provider_name\": \"Microsoft-Windows-Security-Auditing\", \"record_id\": \"3699973\", \"task\": \"Distribution Group Management\"}}", + "event": { + "action": "added-distribution-group-account", + "category": [ + "iam" + ], + "code": "4744", + "hash": "1650805cac5e1ac39d47012e649c3a4c66e319e9", + "kind": "event", + "module": "security", + "original": "A security-disabled local group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nNew Group:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal\n\tGroup Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\ttestdistlocal\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "creation", + "group" + ] + }, + "@timestamp": "2019-12-18T16:26:46.874423Z", + "action": { + "id": 4744, + "outcome": "success", + "properties": { + "PrivilegeList": "-", + "SamAccountName": "testdistlocal", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal" + } + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + 
"related": { + "hash": [ + "1650805cac5e1ac39d47012e649c3a4c66e319e9" + ], + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_id": "4744", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3699973", + "task": "Distribution Group Management" + } + } + + ``` + + +=== "security_event_4750.json" + + ```json + + { + "message": "{\"@timestamp\": \"2019-12-19T08:10:57.4737631Z\", \"ecs\": {\"version\": \"1.12.0\"}, \"event\": {\"action\": \"changed-distribution-group-account\", \"category\": [\"iam\"], \"code\": \"4750\", \"kind\": \"event\", \"module\": \"security\", \"outcome\": \"success\", \"provider\": \"Microsoft-Windows-Security-Auditing\", \"type\": [\"group\", \"change\"]}, \"group\": {\"domain\": \"TEST\", \"id\": \"S-1-5-21-1717121054-434620538-60925301-2904\", \"name\": \"testglobal1\"}, \"host\": {\"name\": \"DC_TEST2k12.TEST.SAAS\"}, \"log\": {\"level\": \"information\"}, \"message\": \"A security-disabled global group was changed.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-5-21-1717121054-434620538-60925301-2794\\n\\tAccount Name:\\t\\tat_adm\\n\\tAccount Domain:\\t\\tTEST\\n\\tLogon ID:\\t\\t0x2E67800\\n\\nGroup:\\n\\tSecurity ID:\\t\\tS-1-5-21-1717121054-434620538-60925301-2904\\n\\tGroup Name:\\t\\ttestglobal1\\n\\tGroup Domain:\\t\\tTEST\\n\\nChanged Attributes:\\n\\tSAM Account Name:\\ttestglobal1\\n\\tSID History:\\t\\t-\\n\\nAdditional Information:\\n\\tPrivileges:\\t\\t-\", \"related\": {\"user\": [\"at_adm\"]}, \"user\": {\"domain\": \"TEST\", \"id\": \"S-1-5-21-1717121054-434620538-60925301-2794\", 
\"name\": \"at_adm\"}, \"winlog\": {\"api\": \"wineventlog\", \"channel\": \"Security\", \"computer_name\": \"DC_TEST2k12.TEST.SAAS\", \"event_data\": {\"PrivilegeList\": \"-\", \"SamAccountName\": \"testglobal1\", \"SidHistory\": \"-\", \"SubjectDomainName\": \"TEST\", \"SubjectLogonId\": \"0x2e67800\", \"SubjectUserName\": \"at_adm\", \"SubjectUserSid\": \"S-1-5-21-1717121054-434620538-60925301-2794\", \"TargetDomainName\": \"TEST\", \"TargetSid\": \"S-1-5-21-1717121054-434620538-60925301-2904\", \"TargetUserName\": \"testglobal1\"}, \"event_id\": \"4750\", \"keywords\": [\"Audit Success\"], \"logon\": {\"id\": \"0x2e67800\"}, \"opcode\": \"Info\", \"process\": {\"pid\": 492, \"thread\": {\"id\": 664}}, \"provider_guid\": \"{54849625-5478-4994-a5ba-3e3b0328c30d}\", \"provider_name\": \"Microsoft-Windows-Security-Auditing\", \"record_id\": \"3707550\", \"task\": \"Distribution Group Management\"}}", + "event": { + "action": "changed-distribution-group-account", + "category": [ + "iam" + ], + "code": "4750", + "hash": "27b3b0e6203fddd6cf77db746f3a063bf6037d73", + "kind": "event", + "module": "security", + "original": "A security-disabled global group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\ttestglobal1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "group" + ] + }, + "@timestamp": "2019-12-19T08:10:57.473763Z", + "action": { + "id": 4750, + "outcome": "success", + "properties": { + "PrivilegeList": "-", + "SamAccountName": "testglobal1", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": 
"S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal1" + } + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "hash": [ + "27b3b0e6203fddd6cf77db746f3a063bf6037d73" + ], + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_id": "4750", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707550", + "task": "Distribution Group Management" + } + } + + ``` + + +=== "security_event_4771.json" + + ```json + + { + "message": "{\"@timestamp\": \"2020-03-31T07:50:27.1681182Z\", \"ecs\": {\"version\": \"1.12.0\"}, \"event\": {\"action\": \"kerberos-preauth-failed\", \"category\": [\"authentication\"], \"code\": \"4771\", \"kind\": \"event\", \"module\": \"security\", \"outcome\": \"failure\", \"provider\": \"Microsoft-Windows-Security-Auditing\", \"type\": [\"start\"]}, \"host\": {\"name\": \"DC_TEST2k12.TEST.SAAS\"}, \"log\": {\"level\": \"information\"}, \"message\": \"Kerberos pre-authentication failed.\\n\\nAccount Information:\\n\\tSecurity ID:\\t\\tS-1-5-21-1717121054-434620538-60925301-3057\\n\\tAccount Name:\\t\\tMPUIG\\n\\nService Information:\\n\\tService Name:\\t\\tkrbtgt/test.saas\\n\\nNetwork Information:\\n\\tClient Address:\\t\\t::ffff:192.168.5.44\\n\\tClient Port:\\t\\t53366\\n\\nAdditional Information:\\n\\tTicket 
Options:\\t\\t0x40810010\\n\\tFailure Code:\\t\\t0x12\\n\\tPre-Authentication Type:\\t0\\n\\nCertificate Information:\\n\\tCertificate Issuer Name:\\t\\t\\n\\tCertificate Serial Number: \\t\\n\\tCertificate Thumbprint:\\t\\t\\n\\nCertificate information is only provided if a certificate was used for pre-authentication.\\n\\nPre-authentication types, ticket options and failure codes are defined in RFC 4120.\\n\\nIf the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.\", \"related\": {\"ip\": [\"192.168.5.44\"], \"user\": [\"MPUIG\"]}, \"service\": {\"name\": \"krbtgt/test.saas\"}, \"source\": {\"ip\": \"192.168.5.44\", \"port\": 53366}, \"user\": {\"id\": \"S-1-5-21-1717121054-434620538-60925301-3057\", \"name\": \"MPUIG\"}, \"winlog\": {\"api\": \"wineventlog\", \"channel\": \"Security\", \"computer_name\": \"DC_TEST2k12.TEST.SAAS\", \"event_data\": {\"PreAuthType\": \"0\", \"ServiceName\": \"krbtgt/test.saas\", \"Status\": \"0x12\", \"StatusDescription\": \"KDC_ERR_CLIENT_REVOKED\", \"TargetSid\": \"S-1-5-21-1717121054-434620538-60925301-3057\", \"TargetUserName\": \"MPUIG\", \"TicketOptions\": \"0x40810010\", \"TicketOptionsDescription\": [\"Renewable-ok\", \"Name-canonicalize\", \"Renewable\", \"Forwardable\"]}, \"event_id\": \"4771\", \"keywords\": [\"Audit Failure\"], \"opcode\": \"Info\", \"process\": {\"pid\": 496, \"thread\": {\"id\": 4552}}, \"provider_guid\": \"{54849625-5478-4994-a5ba-3e3b0328c30d}\", \"provider_name\": \"Microsoft-Windows-Security-Auditing\", \"record_id\": \"5027836\", \"task\": \"Kerberos Authentication Service\"}}", + "event": { + "action": "kerberos-preauth-failed", + "category": [ + "authentication" + ], + "code": "4771", + "hash": "c7477a160ca084b3ed4fec641de9cf9377df16a5", + "kind": "event", + "module": "security", + "original": "Kerberos pre-authentication failed.\n\nAccount Information:\n\tSecurity 
ID:\t\tS-1-5-21-1717121054-434620538-60925301-3057\n\tAccount Name:\t\tMPUIG\n\nService Information:\n\tService Name:\t\tkrbtgt/test.saas\n\nNetwork Information:\n\tClient Address:\t\t::ffff:192.168.5.44\n\tClient Port:\t\t53366\n\nAdditional Information:\n\tTicket Options:\t\t0x40810010\n\tFailure Code:\t\t0x12\n\tPre-Authentication Type:\t0\n\nCertificate Information:\n\tCertificate Issuer Name:\t\t\n\tCertificate Serial Number: \t\n\tCertificate Thumbprint:\t\t\n\nCertificate information is only provided if a certificate was used for pre-authentication.\n\nPre-authentication types, ticket options and failure codes are defined in RFC 4120.\n\nIf the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "@timestamp": "2020-03-31T07:50:27.168118Z", + "action": { + "id": 4771, + "outcome": "failure", + "properties": { + "PreAuthType": "0", + "ServiceName": "krbtgt/test.saas", + "Status": "0x12", + "StatusDescription": "KDC_ERR_CLIENT_REVOKED", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-3057", + "TargetUserName": "MPUIG", + "TicketOptions": "0x40810010", + "TicketOptionsDescription": [ + "Forwardable", + "Name-canonicalize", + "Renewable", + "Renewable-ok" + ] + } + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "hash": [ + "c7477a160ca084b3ed4fec641de9cf9377df16a5" + ], + "ip": [ + "192.168.5.44" + ], + "user": [ + "MPUIG" + ] + }, + "service": { + "name": "krbtgt/test.saas" + }, + "source": { + "address": "192.168.5.44", + "ip": "192.168.5.44", + "port": 53366 + }, + "user": { + "id": "S-1-5-21-1717121054-434620538-60925301-3057", + "name": "MPUIG", + "target": { + "id": "S-1-5-21-1717121054-434620538-60925301-3057", + "name": "MPUIG" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": 
"DC_TEST2k12.TEST.SAAS", + "event_data": { + "StatusDescription": "KDC_ERR_CLIENT_REVOKED", + "TicketOptionsDescription": [ + "Forwardable", + "Name-canonicalize", + "Renewable", + "Renewable-ok" + ] + }, + "event_id": "4771", + "keywords": [ + "Audit Failure" + ], + "opcode": "Info", + "process": { + "pid": 496, + "thread": { + "id": 4552 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5027836", + "task": "Kerberos Authentication Service" + } + } + + ``` + + +=== "security_event_4776.json" + + ```json + + { + "message": "{\"@timestamp\": \"2020-04-01T08:45:42.1873153Z\", \"ecs\": {\"version\": \"1.12.0\"}, \"event\": {\"action\": \"credential-validated\", \"category\": [\"authentication\"], \"code\": \"4776\", \"kind\": \"event\", \"module\": \"security\", \"outcome\": \"success\", \"provider\": \"Microsoft-Windows-Security-Auditing\", \"type\": [\"start\"]}, \"host\": {\"name\": \"DC_TEST2k12.TEST.SAAS\"}, \"log\": {\"level\": \"information\"}, \"message\": \"The computer attempted to validate the credentials for an account.\\n\\nAuthentication Package:\\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\\nLogon Account:\\tat_adm\\nSource Workstation:\\tEQP01777\\nError Code:\\t0x0\", \"related\": {\"user\": [\"at_adm\"]}, \"user\": {\"name\": \"at_adm\"}, \"winlog\": {\"api\": \"wineventlog\", \"channel\": \"Security\", \"computer_name\": \"DC_TEST2k12.TEST.SAAS\", \"event_data\": {\"PackageName\": \"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\", \"Status\": \"0x0\", \"TargetUserName\": \"at_adm\", \"Workstation\": \"EQP01777\"}, \"event_id\": \"4776\", \"keywords\": [\"Audit Success\"], \"logon\": {\"failure\": {\"status\": \"Status OK.\"}}, \"opcode\": \"Info\", \"process\": {\"pid\": 496, \"thread\": {\"id\": 1864}}, \"provider_guid\": \"{54849625-5478-4994-a5ba-3e3b0328c30d}\", \"provider_name\": \"Microsoft-Windows-Security-Auditing\", \"record_id\": \"5040222\", \"task\": 
\"Credential Validation\"}}", + "event": { + "action": "credential-validated", + "category": [ + "authentication" + ], + "code": "4776", + "hash": "ed0b384fbbecf3f7b17b0bf8a99c8125062c3cb2", + "kind": "event", + "module": "security", + "original": "The computer attempted to validate the credentials for an account.\n\nAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\nLogon Account:\tat_adm\nSource Workstation:\tEQP01777\nError Code:\t0x0", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "@timestamp": "2020-04-01T08:45:42.187315Z", + "action": { + "id": 4776, + "outcome": "success", + "properties": { + "PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", + "Status": "0x0", + "TargetUserName": "at_adm", + "Workstation": "EQP01777" + } + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "hash": [ + "ed0b384fbbecf3f7b17b0bf8a99c8125062c3cb2" + ], + "user": [ + "at_adm" + ] + }, + "user": { + "name": "at_adm", + "target": { + "name": "at_adm" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_id": "4776", + "keywords": [ + "Audit Success" + ], + "logon": { + "failure": { + "status": "Status OK." 
+ } + }, + "opcode": "Info", + "process": { + "pid": 496, + "thread": { + "id": 1864 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5040222", + "task": "Credential Validation" + } + } + + ``` + + +=== "security_event_4778.json" + + ```json + + { + "message": "{\"@timestamp\": \"2023-01-17T21:35:22.347Z\", \"ecs\": {\"version\": \"1.12.0\"}, \"event\": {\"action\": \"session-reconnected\", \"category\": [\"authentication\", \"session\"], \"code\": \"4778\", \"kind\": \"event\", \"module\": \"security\", \"outcome\": \"success\", \"provider\": \"Microsoft-Windows-Security-Auditing\", \"type\": [\"start\"]}, \"host\": {\"name\": \"COMPUTER1.contoso.com\"}, \"log\": {\"level\": \"information\"}, \"related\": {\"ip\": [\"127.0.0.1\"], \"user\": [\"user1\"]}, \"source\": {\"domain\": \"Unknown\", \"ip\": \"127.0.0.1\"}, \"user\": {\"domain\": \"CONTOSO\", \"name\": \"user1\"}, \"winlog\": {\"activity_id\": \"{7261ec5d-29d2-0001-bdec-6172d229d901}\", \"channel\": \"Security\", \"computer_name\": \"COMPUTER1.contoso.com\", \"event_data\": {\"AccountDomain\": \"CONTOSO\", \"AccountName\": \"user1\", \"ClientAddress\": \"127.0.0.1\", \"ClientName\": \"Unknown\", \"LogonID\": \"0x5c7c095\", \"SessionName\": \"Console\"}, \"event_id\": \"4778\", \"keywords\": [\"Audit Success\"], \"logon\": {\"id\": \"0x5c7c095\"}, \"opcode\": \"Info\", \"process\": {\"pid\": 320, \"thread\": {\"id\": 4484}}, \"provider_guid\": \"{54849625-5478-4994-a5ba-3e3b0328c30d}\", \"provider_name\": \"Microsoft-Windows-Security-Auditing\", \"record_id\": \"6540868\", \"time_created\": \"2023-01-17T21:35:22.347697Z\"}}", + "event": { + "action": "session-reconnected", + "category": [ + "authentication", + "session" + ], + "code": "4778", + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "@timestamp": "2023-01-17T21:35:22.347000Z", 
+ "action": { + "id": 4778, + "outcome": "success", + "properties": { + "AccountDomain": "CONTOSO", + "AccountName": "user1", + "ClientAddress": "127.0.0.1", + "ClientName": "Unknown", + "LogonID": "0x5c7c095", + "SessionName": "Console" + } + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "Unknown" + ], + "ip": [ + "127.0.0.1" + ], + "user": [ + "user1" + ] + }, + "source": { + "address": "Unknown", + "domain": "Unknown", + "ip": "127.0.0.1" + }, + "user": { + "domain": "CONTOSO", + "name": "user1" + }, + "winlog": { + "activity_id": "{7261ec5d-29d2-0001-bdec-6172d229d901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_id": "4778", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x5c7c095" + }, + "opcode": "Info", + "process": { + "pid": 320, + "thread": { + "id": 4484 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "6540868", + "time_created": "2023-01-17T21:35:22.347697Z" + } + } + + ``` + + +=== "security_event_4964.json" + + ```json + + { + "message": "{\"@timestamp\": \"2020-03-21T23:50:34.347458Z\", \"ecs\": {\"version\": \"1.12.0\"}, \"event\": {\"action\": \"logged-in-special\", \"category\": [\"iam\"], \"code\": \"4964\", \"kind\": \"event\", \"module\": \"security\", \"outcome\": \"success\", \"provider\": \"Microsoft-Windows-Security-Auditing\", \"type\": [\"admin\", \"group\"]}, \"host\": {\"name\": \"WIN-41OB2LO92CR.wlbeat.local\"}, \"log\": {\"level\": \"information\"}, \"message\": \"Special groups have been assigned to a new logon.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-5-18\\n\\tAccount Name:\\t\\tWIN-41OB2LO92CR$\\n\\tAccount Domain:\\t\\tWLBEAT\\n\\tLogon ID:\\t\\t0x3E7\\n\\tLogon GUID:\\t{00000000-0000-0000-0000-000000000000}\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-1-5-21-101361758-2486510592-3018839910-500\\n\\tAccount 
Name:\\t\\tAdministrator\\n\\tAccount Domain:\\t\\tWLBEAT\\n\\tLogon ID:\\t\\t0x1D22ED\\n\\tLogon GUID:\\t{c25cdf73-2322-651f-f4fb-db862c0e03a8}\\n\\tSpecial Groups Assigned:\\t\\n\\t\\t%{S-1-5-21-101361758-2486510592-3018839910-519}\", \"related\": {\"user\": [\"Administrator\"]}, \"user\": {\"domain\": \"WLBEAT\", \"id\": \"S-1-5-21-101361758-2486510592-3018839910-500\", \"name\": \"Administrator\"}, \"winlog\": {\"activity_id\": \"{af6b9825-ffd8-0000-2f9a-6bafd8ffd501}\", \"api\": \"wineventlog\", \"channel\": \"Security\", \"computer_name\": \"WIN-41OB2LO92CR.wlbeat.local\", \"event_data\": {\"LogonGuid\": \"{00000000-0000-0000-0000-000000000000}\", \"SidList\": \"\\n\\t\\t%{S-1-5-21-101361758-2486510592-3018839910-519}\", \"SubjectDomainName\": \"WLBEAT\", \"SubjectLogonId\": \"0x3e7\", \"SubjectUserName\": \"WIN-41OB2LO92CR$\", \"SubjectUserSid\": \"S-1-5-18\", \"TargetDomainName\": \"WLBEAT\", \"TargetLogonGuid\": \"{c25cdf73-2322-651f-f4fb-db862c0e03a8}\", \"TargetLogonId\": \"0x1d22ed\", \"TargetUserName\": \"Administrator\", \"TargetUserSid\": \"S-1-5-21-101361758-2486510592-3018839910-500\"}, \"event_id\": \"4964\", \"keywords\": [\"Audit Success\"], \"logon\": {\"id\": \"0x3e7\"}, \"opcode\": \"Info\", \"process\": {\"pid\": 788, \"thread\": {\"id\": 828}}, \"provider_guid\": \"{54849625-5478-4994-a5ba-3e3b0328c30d}\", \"provider_name\": \"Microsoft-Windows-Security-Auditing\", \"record_id\": \"68259\", \"task\": \"Special Logon\"}}", + "event": { + "action": "logged-in-special", + "category": [ + "iam" + ], + "code": "4964", + "hash": "7935608b407aae6b894df48799057eaa2440b415", + "kind": "event", + "module": "security", + "original": "Special groups have been assigned to a new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t{00000000-0000-0000-0000-000000000000}\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount 
Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x1D22ED\n\tLogon GUID:\t{c25cdf73-2322-651f-f4fb-db862c0e03a8}\n\tSpecial Groups Assigned:\t\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-519}", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "group" + ] + }, + "@timestamp": "2020-03-21T23:50:34.347458Z", + "action": { + "id": 4964, + "outcome": "success", + "properties": { + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "SidList": "\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-519}", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-41OB2LO92CR$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "WLBEAT", + "TargetLogonGuid": "{c25cdf73-2322-651f-f4fb-db862c0e03a8}", + "TargetLogonId": "0x1d22ed", + "TargetUserName": "Administrator", + "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" + } + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "related": { + "hash": [ + "7935608b407aae6b894df48799057eaa2440b415" + ], + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + } + }, + "winlog": { + "activity_id": "{af6b9825-ffd8-0000-2f9a-6bafd8ffd501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_id": "4964", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x1d22ed" + }, + "opcode": "Info", + "process": { + "pid": 788, + "thread": { + "id": 828 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "68259", + "task": "Special Logon" + } + } + + ``` + + +=== "security_event_5140.json" + + ```json + + { + "message": 
"{\"tags\": [\"beats_input_codec_plain_applied\"], \"event\": {\"original\": \"A network share object was accessed.\\\\n\\\\t\\\\nSubject:\\\\n\\\\tSecurity ID:\\\\t\\\\tS-1-2-3-4-5-6-7\\\\n\\\\tAccount Name:\\\\t\\\\tUSERNAME$\\\\n\\\\tAccount Domain:\\\\t\\\\tCOMPANY\\\\n\\\\tLogon ID:\\\\t\\\\t0x20D8D915\\\\n\\\\nNetwork Information:\\\\t\\\\n\\\\tObject Type:\\\\t\\\\tFile\\\\n\\\\tSource Address:\\\\t\\\\t172.27.221.26\\\\n\\\\tSource Port:\\\\t\\\\t12345\\\\n\\\\t\\\\nShare Information:\\\\n\\\\tShare Name:\\\\t\\\\t\\\\\\\\\\\\\\\\*\\\\\\\\IPC$\\\\n\\\\tShare Path:\\\\t\\\\t\\\\n\\\\nAccess Request Information:\\\\n\\\\tAccess Mask:\\\\t\\\\t0x1\\\\n\\\\tAccesses:\\\\t\\\\tReadData (or ListDirectory)\\\\n\\\\t\\\\t\\\\t\\\\t\", \"action\": \"File Share\", \"kind\": \"event\", \"outcome\": \"success\", \"created\": \"2023-11-09T09:07:04.744Z\", \"provider\": \"Microsoft-Windows-Security-Auditing\", \"code\": \"5140\"}, \"@version\": \"1\", \"@timestamp\": \"2023-11-09T09:07:03.406Z\", \"message\": \"A network share object was accessed.\\\\n\\\\t\\\\nSubject:\\\\n\\\\tSecurity ID:\\\\t\\\\tS-1-2-3-4-5-6-7\\\\n\\\\tAccount Name:\\\\t\\\\tUSERNAME$\\\\n\\\\tAccount Domain:\\\\t\\\\tCOMPANY\\\\n\\\\tLogon ID:\\\\t\\\\t0x20D8D915\\\\n\\\\nNetwork Information:\\\\t\\\\n\\\\tObject Type:\\\\t\\\\tFile\\\\n\\\\tSource Address:\\\\t\\\\t172.27.221.26\\\\n\\\\tSource Port:\\\\t\\\\t12345\\\\n\\\\t\\\\nShare Information:\\\\n\\\\tShare Name:\\\\t\\\\t\\\\\\\\\\\\\\\\*\\\\\\\\IPC$\\\\n\\\\tShare Path:\\\\t\\\\t\\\\n\\\\nAccess Request Information:\\\\n\\\\tAccess Mask:\\\\t\\\\t0x1\\\\n\\\\tAccesses:\\\\t\\\\tReadData (or ListDirectory)\\\\n\\\\t\\\\t\\\\t\\\\t\", \"winlog\": {\"computer_name\": \"HOST01.company.test\", \"provider_name\": \"Microsoft-Windows-Security-Auditing\", \"provider_guid\": \"{54849625-5478-4994-a5ba-3e3b0328c30d}\", \"channel\": \"Security\", \"keywords\": [\"Audit Success\"], \"process\": {\"pid\": 4, \"thread\": {\"id\": 12216}}, \"event_id\": 
\"5140\", \"version\": 1, \"task\": \"File Share\", \"event_data\": {\"ObjectType\": \"File\", \"ShareName\": \"\\\\\\\\\\\\\\\\*\\\\\\\\IPC$\", \"IpPort\": \"12345\", \"AccessList\": \"%%4416\\\\n\\\\t\\\\t\\\\t\\\\t\", \"SubjectUserName\": \"USERNAME$\", \"SubjectUserSid\": \"S-1-2-3-4-5-6-7\", \"SubjectDomainName\": \"COMPANY\", \"SubjectLogonId\": \"0x20d8d915\", \"IpAddress\": \"172.27.221.26\", \"AccessMask\": \"0x1\"}, \"record_id\": 21473595, \"opcode\": \"Info\", \"api\": \"wineventlog\"}, \"host\": {\"hostname\": \"host01\", \"id\": \"abcdefgh-1234-5678-abcd-efgh12345678\", \"ip\": [\"8.8.8.8\"], \"name\": \"host01\", \"mac\": [\"00-11-22-33-44-55\"], \"architecture\": \"x86_64\", \"os\": {\"build\": \"20348.1850\", \"version\": \"10.0\", \"name\": \"Windows Server 2022 Standard\", \"family\": \"windows\", \"kernel\": \"10.0.20348.1850 (WinBuild.160101.0800)\", \"type\": \"windows\", \"platform\": \"windows\"}}, \"log\": {\"level\": \"information\"}, \"ecs\": {\"version\": \"8.0.0\"}, \"agent\": {\"type\": \"winlogbeat\", \"ephemeral_id\": \"1c379f1e-1fd3-4333-80b0-bf3ac6ab4f69\", \"version\": \"8.10.4\", \"id\": \"222ff142-dbdf-42d8-a403-df533d45d5a8\", \"name\": \"HOST01\"}}", + "event": { + "action": "File Share", + "code": "5140", + "hash": "8340423cdea2e4f482842d90b178ad2d08bae54f", + "kind": "event", + "module": "security", + "original": "A network share object was accessed.\\n\\t\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5-6-7\\n\\tAccount Name:\\t\\tUSERNAME$\\n\\tAccount Domain:\\t\\tCOMPANY\\n\\tLogon ID:\\t\\t0x20D8D915\\n\\nNetwork Information:\\t\\n\\tObject Type:\\t\\tFile\\n\\tSource Address:\\t\\t172.27.221.26\\n\\tSource Port:\\t\\t12345\\n\\t\\nShare Information:\\n\\tShare Name:\\t\\t\\\\\\\\*\\\\IPC$\\n\\tShare Path:\\t\\t\\n\\nAccess Request Information:\\n\\tAccess Mask:\\t\\t0x1\\n\\tAccesses:\\t\\tReadData (or ListDirectory)\\n\\t\\t\\t\\t", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": 
"2023-11-09T09:07:03.406000Z", + "action": { + "id": 5140, + "outcome": "success", + "properties": { + "AccessList": "%%4416\\n\\t\\t\\t\\t", + "AccessMask": "0x1", + "IpAddress": "172.27.221.26", + "IpPort": "12345", + "ObjectType": "File", + "ShareName": "\\\\\\\\*\\\\IPC$", + "SubjectDomainName": "COMPANY", + "SubjectLogonId": "0x20d8d915", + "SubjectUserName": "USERNAME$", + "SubjectUserSid": "S-1-2-3-4-5-6-7" } }, "agent": { - "ephemeral_id": "a0b1c2d3-0123-4567-abcd-e4f5a6b7c8d9", - "id": "001234567-abcd-ef01-2345-6789abcdef01", - "name": "WB-DK-PC01234567", + "ephemeral_id": "1c379f1e-1fd3-4333-80b0-bf3ac6ab4f69", + "id": "222ff142-dbdf-42d8-a403-df533d45d5a8", + "name": "HOST01", "type": "winlogbeat", - "version": "7.17.1" + "version": "8.10.4" + }, + "file": { + "directory": "", + "name": "", + "path": "\\", + "target_path": "\\\\\\\\*\\\\IPC$\\" }, "host": { "architecture": "x86_64", - "hostname": "PC01234567", - "id": "a0b1c2d3-0123-abcd-0a1b-abcd0123ef45", + "hostname": "host01", + "id": "abcdefgh-1234-5678-abcd-efgh12345678", "ip": [ - "0.0.0.0", - "1.2.3.4", - "10.20.30.40", - "1122::3344:5566:7788:9900", - "11::2233:4455:6677:8899", - "40.30.20.10", - "5.6.7.8", - "8.8.8.8", - "a0b1::c2d3:e4f5:123:abcd", - "a123::b234:c345:d456:e567", - "aabb::ccdd:eeff:11:2233", - "abcd::ef01:2345:6789:abcd" + "8.8.8.8" ], "mac": [ - "00:11:22:33:44:55", - "01:23:45:67:89:ab", - "66:77:88:99:00:11", - "a0:b1:c2:d3:e4:f5", - "aa:bb:cc:dd:ee:ff", - "ab:cd:ef:01:23:45" + "00-11-22-33-44-55" ], - "name": "PC01234567.company.com", + "name": "host01", "os": { - "build": "19044.3570", + "build": "20348.1850", "family": "windows", - "kernel": "10.0.19041.3570 (WinBuild.160101.0800)", - "name": "Windows 10 Enterprise", + "kernel": "10.0.20348.1850 (WinBuild.160101.0800)", + "name": "Windows Server 2022 Standard", "platform": "windows", "type": "windows", "version": "10.0" 
@@ -813,151 +2210,129 @@ Find below few samples of events and how they are normalized by Sekoia.io. "log": { "level": "information" }, - "process": { - "entity_id": "{abcdef01-2345-6789-abcd-000000000000}", - "executable": "C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", - "name": "Teams.exe", - "pid": 17772 - }, - "registry": { - "data": { - "strings": "Binary Data" - }, - "hive": "target", - "key": "target\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-2-3-4-012345678-123456789-876543210-12345\\\\Device\\HarddiskVolume3\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current", - "path": "target\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-2-3-4-012345678-123456789-876543210-12345\\\\Device\\HarddiskVolume3\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", - "value": "Teams.exe" - }, "related": { "hash": [ - "dbfbea81bd233292dc651cb11a98ffab227443e4" + "8340423cdea2e4f482842d90b178ad2d08bae54f" ], "hosts": [ - "PC01234567" + "host01" ], "ip": [ - "0.0.0.0", - "1.2.3.4", - "10.20.30.40", - "1122::3344:5566:7788:9900", - "11::2233:4455:6677:8899", - "40.30.20.10", - "5.6.7.8", - "8.8.8.8", - "a0b1::c2d3:e4f5:123:abcd", - "a123::b234:c345:d456:e567", - "aabb::ccdd:eeff:11:2233", - "abcd::ef01:2345:6789:abcd" + "172.27.221.26", + "8.8.8.8" ], "user": [ - "asmithee" + "USERNAME" ] }, + "source": { + "address": "172.27.221.26", + "ip": "172.27.221.26", + "port": 12345 + }, "user": { "domain": "COMPANY", - "id": "S-1-2-3", - "name": "asmithee" + "id": "S-1-2-3-4-5-6-7", + "name": "USERNAME" }, "winlog": { "api": "wineventlog", - "channel": "Microsoft-Windows-Sysmon/Operational", - "computer_name": "PC01234567.company.com", - "event_id": "13", - "opcode": "Informations", + "channel": "Security", + "computer_name": "HOST01.company.test", + "event_data": { + "AccessMaskDescription": [ + "Create Child" + ] + }, + "event_id": "5140", + "keywords": [ + "Audit Success" + ], + 
"logon": { + "id": "0x20d8d915" + }, + "opcode": "Info", "process": { - "pid": 5624, + "pid": 4, "thread": { - "id": 7248 + "id": 12216 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "provider_name": "Microsoft-Windows-Sysmon", - "record_id": "67193809", - "task": "Registry value set (rule: RegistryEvent)", - "user": { - "domain": "DOMAIN", - "identifier": "S-1-2-3", - "name": "Syst\u00e8me", - "type": "User" - }, - "version": 2 + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "21473595", + "task": "File Share", + "version": 1 } } ``` -=== "event_registry_2.json" +=== "security_event_5145.json" ```json { - "message": "{\n \"winlog\": {\n \"event_data\": {\n \"Details\": \"WORD (0x00000000-0x12345678)\",\n \"TargetObject\": \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Advanced Threat Protection\\\\TelLib\\\\LastSuccessfulUploadTime\",\n \"User\": \"DOMAIN\\\\Syst\u00e8me\",\n \"EventType\": \"SetValue\"\n },\n \"task\": \"Registry value set (rule: RegistryEvent)\",\n \"channel\": \"Microsoft-Windows-Sysmon/Operational\",\n \"api\": \"wineventlog\",\n \"user\": {\n \"name\": \"Syst\u00e8me\",\n \"identifier\": \"S-1-2-3\",\n \"type\": \"User\",\n \"domain\": \"DOMAIN\"\n },\n \"provider_guid\": \"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\n \"process\": {\n \"thread\": {\n \"id\": 7248\n },\n \"pid\": 5624\n },\n \"event_id\": \"13\",\n \"version\": 2,\n \"computer_name\": \"PC01234567.company.com\",\n \"record_id\": 67193778,\n \"opcode\": \"Informations\",\n \"provider_name\": \"Microsoft-Windows-Sysmon\"\n },\n \"message\": \"Registry value set:\\nRuleName: technique_id=T1089,technique_name=Disabling Security Tools\\nEventType: SetValue\\nUtcTime: 2023-10-17 14:00:56.524\\nProcessGuid: {abcdef01-2345-6789-abcd-000000000000}\\nProcessId: 5500\\nImage: C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\MsSense.exe\\nTargetObject: 
HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Advanced Threat Protection\\\\TelLib\\\\LastSuccessfulUploadTime\\nDetails: WORD (0x00000000-0x12345678)\\nUser: DOMAIN\\\\Syst\u00e8me\",\n \"event_ingest_logstash\": \"2023-10-17T14:00:59.207219Z\",\n \"fields.gdp-logstash\": \"6\",\n \"event\": {\n \"provider\": \"Microsoft-Windows-Sysmon\",\n \"created\": \"2023-10-17T14:00:58.520Z\",\n \"category\": [\n \"configuration\",\n \"registry\"\n ],\n \"kind\": \"event\",\n \"action\": \"Registry value set (rule: RegistryEvent)\",\n \"module\": \"sysmon\",\n \"code\": \"13\",\n \"type\": [\n \"change\"\n ]\n },\n \"process\": {\n \"name\": \"MsSense.exe\",\n \"pid\": 5500,\n \"entity_id\": \"{abcdef01-2345-6789-abcd-000000000000}\",\n \"executable\": \"C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\MsSense.exe\"\n },\n \"@version\": \"1\",\n \"log\": {\n \"level\": \"information\"\n },\n \"rule\": {\n \"name\": \"technique_id=T1089,technique_name=Disabling Security Tools\"\n },\n \"ecs\": {\n \"version\": \"1.12.0\"\n },\n \"@timestamp\": \"2023-10-17T14:00:56.524Z\",\n \"fields\": {\n \"gdp-parc\": \"defaut\",\n \"gdp-version-winlogbeat\": 2.8,\n \"gdp-indice\": \"l-desk\",\n \"gdp-sousparc\": \"prod\",\n \"gdp-config\": \"desktop\",\n \"gdp-version\": \"1.16\",\n \"gdp-version-sysmon\": 13.33\n },\n \"host\": {\n \"os\": {\n \"platform\": \"windows\",\n \"name\": \"Windows 10 Enterprise\",\n \"version\": \"10.0\",\n \"kernel\": \"10.0.19041.3570 (WinBuild.160101.0800)\",\n \"build\": \"19044.3570\",\n \"type\": \"windows\",\n \"family\": \"windows\"\n },\n \"name\": \"PC01234567.company.com\",\n \"id\": \"a0b1c2d3-0123-abcd-0a1b-abcd0123ef45\",\n \"mac\": [\n \"00:11:22:33:44:55\",\n \"aa:bb:cc:dd:ee:ff\",\n \"a0:b1:c2:d3:e4:f5\",\n \"66:77:88:99:00:11\",\n \"01:23:45:67:89:ab\",\n \"ab:cd:ef:01:23:45\"\n ],\n \"hostname\": \"PC01234567\",\n \"architecture\": \"x86_64\",\n \"ip\": [\n \"a123::b234:c345:d456:e567\",\n \"8.8.8.8\",\n 
\"abcd::ef01:2345:6789:abcd\",\n \"1.2.3.4\",\n \"a0b1::c2d3:e4f5:0123:abcd\",\n \"10.20.30.40\",\n \"aabb::ccdd:eeff:0011:2233\",\n \"0.0.0.0\",\n \"1122::3344:5566:7788:9900\",\n \"5.6.7.8\",\n \"0011::2233:4455:6677:8899\",\n \"40.30.20.10\"\n ]\n },\n \"registry\": {\n \"key\": \"SOFTWARE\\\\Microsoft\\\\Windows Advanced Threat Protection\\\\TelLib\\\\LastSuccessfulUploadTime\",\n \"path\": \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Advanced Threat Protection\\\\TelLib\\\\LastSuccessfulUploadTime\",\n \"hive\": \"HKLM\",\n \"value\": \"LastSuccessfulUploadTime\"\n },\n \"tags\": [\n \"beats_input_codec_plain_applied\"\n ],\n \"agent\": {\n \"id\": \"001234567-abcd-ef01-2345-6789abcdef01\",\n \"name\": \"WB-DK-PC01234567\",\n \"version\": \"7.17.1\",\n \"ephemeral_id\": \"a0b1c2d3-0123-4567-abcd-e4f5a6b7c8d9\",\n \"hostname\": \"PC01234567\",\n \"type\": \"winlogbeat\"\n }\n}", + "message": "{\"tags\": [\"beats_input_codec_plain_applied\"], \"event\": {\"original\": \"A network share object was checked to see whether client can be granted desired access.\\\\n\\\\t\\\\nSubject:\\\\n\\\\tSecurity ID:\\\\t\\\\tS-1-5-18\\\\n\\\\tAccount Name:\\\\t\\\\thost01$\\\\n\\\\tAccount Domain:\\\\t\\\\tCOMPANY\\\\n\\\\tLogon ID:\\\\t\\\\t0x20D93996\\\\n\\\\nNetwork Information:\\\\t\\\\n\\\\tObject Type:\\\\t\\\\tFile\\\\n\\\\tSource Address:\\\\t\\\\t::1\\\\n\\\\tSource Port:\\\\t\\\\t12345\\\\n\\\\t\\\\nShare Information:\\\\n\\\\tShare Name:\\\\t\\\\t\\\\\\\\\\\\\\\\*\\\\\\\\SYSVOL\\\\n\\\\tShare Path:\\\\t\\\\t\\\\\\\\??\\\\\\\\C:\\\\\\\\Windows\\\\\\\\SYSVOL\\\\\\\\sysvol\\\\n\\\\tRelative Target Name:\\\\tcompany.test\\\\\\\\scripts\\\\\\\\TargetName.cmd\\\\n\\\\nAccess Request Information:\\\\n\\\\tAccess Mask:\\\\t\\\\t0x120089\\\\n\\\\tAccesses:\\\\t\\\\tREAD_CONTROL\\\\n\\\\t\\\\t\\\\t\\\\tSYNCHRONIZE\\\\n\\\\t\\\\t\\\\t\\\\tReadData (or ListDirectory)\\\\n\\\\t\\\\t\\\\t\\\\tReadEA\\\\n\\\\t\\\\t\\\\t\\\\tReadAttributes\\\\n\\\\t\\\\t\\\\t\\\\t\\\\nAccess Check 
Results:\\\\n\\\\tREAD_CONTROL:\\\\tGranted by Ownership\\\\n\\\\t\\\\t\\\\t\\\\tSYNCHRONIZE:\\\\tGranted by\\\\tD:(A;;0x1200a9;;;WD)\\\\n\\\\t\\\\t\\\\t\\\\tReadData (or ListDirectory):\\\\tGranted by\\\\tD:(A;;0x1200a9;;;WD)\\\\n\\\\t\\\\t\\\\t\\\\tReadEA:\\\\tGranted by\\\\tD:(A;;0x1200a9;;;WD)\\\\n\\\\t\\\\t\\\\t\\\\tReadAttributes:\\\\tGranted by\\\\tD:(A;;0x1200a9;;;WD)\\\\n\\\\t\\\\t\\\\t\\\\t\", \"outcome\": \"success\", \"action\": \"Detailed File Share\", \"kind\": \"event\", \"created\": \"2023-11-09T09:09:01.979Z\", \"provider\": \"Microsoft-Windows-Security-Auditing\", \"code\": \"5145\"}, \"@version\": \"1\", \"@timestamp\": \"2023-11-09T09:09:01.274Z\", \"message\": \"A network share object was checked to see whether client can be granted desired access.\\\\n\\\\t\\\\nSubject:\\\\n\\\\tSecurity ID:\\\\t\\\\tS-1-5-18\\\\n\\\\tAccount Name:\\\\t\\\\thost01$\\\\n\\\\tAccount Domain:\\\\t\\\\tCOMPANY\\\\n\\\\tLogon ID:\\\\t\\\\t0x20D93996\\\\n\\\\nNetwork Information:\\\\t\\\\n\\\\tObject Type:\\\\t\\\\tFile\\\\n\\\\tSource Address:\\\\t\\\\t::1\\\\n\\\\tSource Port:\\\\t\\\\t12345\\\\n\\\\t\\\\nShare Information:\\\\n\\\\tShare Name:\\\\t\\\\t\\\\\\\\\\\\\\\\*\\\\\\\\SYSVOL\\\\n\\\\tShare Path:\\\\t\\\\t\\\\\\\\??\\\\\\\\C:\\\\\\\\Windows\\\\\\\\SYSVOL\\\\\\\\sysvol\\\\n\\\\tRelative Target Name:\\\\tcompany.test\\\\\\\\scripts\\\\\\\\TargetName.cmd\\\\n\\\\nAccess Request Information:\\\\n\\\\tAccess Mask:\\\\t\\\\t0x120089\\\\n\\\\tAccesses:\\\\t\\\\tREAD_CONTROL\\\\n\\\\t\\\\t\\\\t\\\\tSYNCHRONIZE\\\\n\\\\t\\\\t\\\\t\\\\tReadData (or ListDirectory)\\\\n\\\\t\\\\t\\\\t\\\\tReadEA\\\\n\\\\t\\\\t\\\\t\\\\tReadAttributes\\\\n\\\\t\\\\t\\\\t\\\\t\\\\nAccess Check Results:\\\\n\\\\tREAD_CONTROL:\\\\tGranted by Ownership\\\\n\\\\t\\\\t\\\\t\\\\tSYNCHRONIZE:\\\\tGranted by\\\\tD:(A;;0x1200a9;;;WD)\\\\n\\\\t\\\\t\\\\t\\\\tReadData (or ListDirectory):\\\\tGranted by\\\\tD:(A;;0x1200a9;;;WD)\\\\n\\\\t\\\\t\\\\t\\\\tReadEA:\\\\tGranted 
by\\\\tD:(A;;0x1200a9;;;WD)\\\\n\\\\t\\\\t\\\\t\\\\tReadAttributes:\\\\tGranted by\\\\tD:(A;;0x1200a9;;;WD)\\\\n\\\\t\\\\t\\\\t\\\\t\", \"host\": {\"hostname\": \"host01\", \"id\": \"abcdefgh-1234-5678-abcd-efgh12345678\", \"ip\": [\"8.8.8.8\"], \"name\": \"host01\", \"mac\": [\"00-11-22-33-44-55\"], \"architecture\": \"x86_64\", \"os\": {\"build\": \"20348.1850\", \"version\": \"10.0\", \"name\": \"Windows Server 2022 Standard\", \"kernel\": \"10.0.20348.1850 (WinBuild.160101.0800)\", \"family\": \"windows\", \"type\": \"windows\", \"platform\": \"windows\"}}, \"agent\": {\"type\": \"winlogbeat\", \"id\": \"222ff142-dbdf-42d8-a403-df533d45d5a8\", \"version\": \"8.10.4\", \"ephemeral_id\": \"1c379f1e-1fd3-4333-80b0-bf3ac6ab4f69\", \"name\": \"HOST01\"}, \"ecs\": {\"version\": \"8.0.0\"}, \"winlog\": {\"computer_name\": \"host01.company.test\", \"provider_name\": \"Microsoft-Windows-Security-Auditing\", \"channel\": \"Security\", \"provider_guid\": \"{54849625-5478-4994-a5ba-3e3b0328c30d}\", \"keywords\": [\"Audit Success\"], \"process\": {\"pid\": 4, \"thread\": {\"id\": 6404}}, \"event_id\": \"5145\", \"task\": \"Detailed File Share\", \"event_data\": {\"ShareName\": \"\\\\\\\\\\\\\\\\*\\\\\\\\SYSVOL\", \"IpPort\": \"12345\", \"AccessList\": \"%%1538\\\\n\\\\t\\\\t\\\\t\\\\t%%1541\\\\n\\\\t\\\\t\\\\t\\\\t%%4416\\\\n\\\\t\\\\t\\\\t\\\\t%%4419\\\\n\\\\t\\\\t\\\\t\\\\t%%4423\\\\n\\\\t\\\\t\\\\t\\\\t\", \"SubjectUserSid\": \"S-1-5-18\", \"SubjectDomainName\": \"COMPANY\", \"RelativeTargetName\": \"company.test\\\\\\\\scripts\\\\\\\\TargetName.cmd\", \"SubjectLogonId\": \"0x20d93996\", \"AccessMask\": \"0x120089\", \"ObjectType\": \"File\", \"ShareLocalPath\": \"\\\\\\\\??\\\\\\\\C:\\\\\\\\Windows\\\\\\\\SYSVOL\\\\\\\\sysvol\", \"SubjectUserName\": \"host01$\", \"AccessReason\": 
\"%%1538:\\\\t%%1804\\\\n\\\\t\\\\t\\\\t\\\\t%%1541:\\\\t%%1801\\\\tD:(A;;0x1200a9;;;WD)\\\\n\\\\t\\\\t\\\\t\\\\t%%4416:\\\\t%%1801\\\\tD:(A;;0x1200a9;;;WD)\\\\n\\\\t\\\\t\\\\t\\\\t%%4419:\\\\t%%1801\\\\tD:(A;;0x1200a9;;;WD)\\\\n\\\\t\\\\t\\\\t\\\\t%%4423:\\\\t%%1801\\\\tD:(A;;0x1200a9;;;WD)\\\\n\\\\t\\\\t\\\\t\\\\t\", \"IpAddress\": \"::1\"}, \"record_id\": 21474307, \"opcode\": \"Info\", \"api\": \"wineventlog\"}, \"log\": {\"level\": \"information\"}}", "event": { - "action": "Registry value set (rule: RegistryEvent)", - "category": [ - "configuration", - "registry" - ], - "code": "13", - "hash": "25c902e0f7f27e2a1a6d74c675b97c7fde0a4dda", + "action": "Detailed File Share", + "code": "5145", + "hash": "4bbac6b00cfda04a0961a2d9307ec16deb05f06f", "kind": "event", - "module": "sysmon", - "original": "Registry value set:\nRuleName: technique_id=T1089,technique_name=Disabling Security Tools\nEventType: SetValue\nUtcTime: 2023-10-17 14:00:56.524\nProcessGuid: {abcdef01-2345-6789-abcd-000000000000}\nProcessId: 5500\nImage: C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\nTargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection\\TelLib\\LastSuccessfulUploadTime\nDetails: WORD (0x00000000-0x12345678)\nUser: DOMAIN\\Syst\u00e8me", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "change" - ] + "module": "security", + "original": "A network share object was checked to see whether client can be granted desired access.\\n\\t\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-5-18\\n\\tAccount Name:\\t\\thost01$\\n\\tAccount Domain:\\t\\tCOMPANY\\n\\tLogon ID:\\t\\t0x20D93996\\n\\nNetwork Information:\\t\\n\\tObject Type:\\t\\tFile\\n\\tSource Address:\\t\\t::1\\n\\tSource Port:\\t\\t12345\\n\\t\\nShare Information:\\n\\tShare Name:\\t\\t\\\\\\\\*\\\\SYSVOL\\n\\tShare Path:\\t\\t\\\\??\\\\C:\\\\Windows\\\\SYSVOL\\\\sysvol\\n\\tRelative Target Name:\\tcompany.test\\\\scripts\\\\TargetName.cmd\\n\\nAccess Request Information:\\n\\tAccess 
Mask:\\t\\t0x120089\\n\\tAccesses:\\t\\tREAD_CONTROL\\n\\t\\t\\t\\tSYNCHRONIZE\\n\\t\\t\\t\\tReadData (or ListDirectory)\\n\\t\\t\\t\\tReadEA\\n\\t\\t\\t\\tReadAttributes\\n\\t\\t\\t\\t\\nAccess Check Results:\\n\\tREAD_CONTROL:\\tGranted by Ownership\\n\\t\\t\\t\\tSYNCHRONIZE:\\tGranted by\\tD:(A;;0x1200a9;;;WD)\\n\\t\\t\\t\\tReadData (or ListDirectory):\\tGranted by\\tD:(A;;0x1200a9;;;WD)\\n\\t\\t\\t\\tReadEA:\\tGranted by\\tD:(A;;0x1200a9;;;WD)\\n\\t\\t\\t\\tReadAttributes:\\tGranted by\\tD:(A;;0x1200a9;;;WD)\\n\\t\\t\\t\\t", + "provider": "Microsoft-Windows-Security-Auditing" }, - "@timestamp": "2023-10-17T14:00:56.524000Z", + "@timestamp": "2023-11-09T09:09:01.274000Z", "action": { - "id": 13, + "id": 5145, + "outcome": "success", "properties": { - "Details": "WORD (0x00000000-0x12345678)", - "EventType": "SetValue", - "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection\\TelLib\\LastSuccessfulUploadTime", - "User": "DOMAIN\\Syst\u00e8me" + "AccessList": "%%1538\\n\\t\\t\\t\\t%%1541\\n\\t\\t\\t\\t%%4416\\n\\t\\t\\t\\t%%4419\\n\\t\\t\\t\\t%%4423\\n\\t\\t\\t\\t", + "AccessMask": "0x120089", + "AccessReason": "%%1538:\\t%%1804\\n\\t\\t\\t\\t%%1541:\\t%%1801\\tD:(A;;0x1200a9;;;WD)\\n\\t\\t\\t\\t%%4416:\\t%%1801\\tD:(A;;0x1200a9;;;WD)\\n\\t\\t\\t\\t%%4419:\\t%%1801\\tD:(A;;0x1200a9;;;WD)\\n\\t\\t\\t\\t%%4423:\\t%%1801\\tD:(A;;0x1200a9;;;WD)\\n\\t\\t\\t\\t", + "IpAddress": "::1", + "IpPort": "12345", + "ObjectType": "File", + "RelativeTargetName": "company.test\\\\scripts\\\\TargetName.cmd", + "ShareLocalPath": "\\\\??\\\\C:\\\\Windows\\\\SYSVOL\\\\sysvol", + "ShareName": "\\\\\\\\*\\\\SYSVOL", + "SubjectDomainName": "COMPANY", + "SubjectLogonId": "0x20d93996", + "SubjectUserName": "host01$", + "SubjectUserSid": "S-1-5-18" } }, "agent": { - "ephemeral_id": "a0b1c2d3-0123-4567-abcd-e4f5a6b7c8d9", - "id": "001234567-abcd-ef01-2345-6789abcdef01", - "name": "WB-DK-PC01234567", + "ephemeral_id": "1c379f1e-1fd3-4333-80b0-bf3ac6ab4f69", + "id": 
"222ff142-dbdf-42d8-a403-df533d45d5a8", + "name": "HOST01", "type": "winlogbeat", - "version": "7.17.1" + "version": "8.10.4" + }, + "file": { + "directory": "\\\\??\\\\C:\\\\Windows\\\\SYSVOL\\\\sysvol", + "name": "company.test\\\\scripts\\\\TargetName.cmd", + "path": "\\\\??\\\\C:\\\\Windows\\\\SYSVOL\\\\sysvol\\company.test\\\\scripts\\\\TargetName.cmd", + "target_path": "\\\\\\\\*\\\\SYSVOL\\company.test\\\\scripts\\\\TargetName.cmd" }, "host": { "architecture": "x86_64", - "hostname": "PC01234567", - "id": "a0b1c2d3-0123-abcd-0a1b-abcd0123ef45", + "hostname": "host01", + "id": "abcdefgh-1234-5678-abcd-efgh12345678", "ip": [ - "0.0.0.0", - "1.2.3.4", - "10.20.30.40", - "1122::3344:5566:7788:9900", - "11::2233:4455:6677:8899", - "40.30.20.10", - "5.6.7.8", - "8.8.8.8", - "a0b1::c2d3:e4f5:123:abcd", - "a123::b234:c345:d456:e567", - "aabb::ccdd:eeff:11:2233", - "abcd::ef01:2345:6789:abcd" + "8.8.8.8" ], "mac": [ - "00:11:22:33:44:55", - "01:23:45:67:89:ab", - "66:77:88:99:00:11", - "a0:b1:c2:d3:e4:f5", - "aa:bb:cc:dd:ee:ff", - "ab:cd:ef:01:23:45" + "00-11-22-33-44-55" ], - "name": "PC01234567.company.com", + "name": "host01", "os": { - "build": "19044.3570", + "build": "20348.1850", "family": "windows", - "kernel": "10.0.19041.3570 (WinBuild.160101.0800)", - "name": "Windows 10 Enterprise", + "kernel": "10.0.20348.1850 (WinBuild.160101.0800)", + "name": "Windows Server 2022 Standard", "platform": "windows", "type": "windows", "version": "10.0" 
@@ -966,74 +2341,138 @@ Find below few samples of events and how they are normalized by Sekoia.io. "log": { "level": "information" }, - "process": { - "entity_id": "{abcdef01-2345-6789-abcd-000000000000}", - "executable": "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe", - "name": "MsSense.exe", - "pid": 5500 - }, - "registry": { - "data": { - "strings": "WORD (0x00000000-0x12345678)" - }, - "hive": "HKLM", - "key": "HKLM\\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection\\TelLib", - "path": "HKLM\\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection\\TelLib\\LastSuccessfulUploadTime", - "value": "LastSuccessfulUploadTime" - }, "related": { "hash": [ - "25c902e0f7f27e2a1a6d74c675b97c7fde0a4dda" + "4bbac6b00cfda04a0961a2d9307ec16deb05f06f" ], "hosts": [ - "PC01234567" + "host01" ], "ip": [ - "0.0.0.0", - "1.2.3.4", - "10.20.30.40", - "1122::3344:5566:7788:9900", - "11::2233:4455:6677:8899", - "40.30.20.10", - "5.6.7.8", "8.8.8.8", - "a0b1::c2d3:e4f5:123:abcd", - "a123::b234:c345:d456:e567", - "aabb::ccdd:eeff:11:2233", - "abcd::ef01:2345:6789:abcd" + "::1" ], "user": [ - "Syst\u00e8me" + "host01" ] }, + "source": { + "address": "::1", + "ip": "::1", + "port": 12345 + }, "user": { - "domain": "DOMAIN", - "id": "S-1-2-3", - "name": "Syst\u00e8me" + "domain": "COMPANY", + "id": "S-1-5-18", + "name": "host01" }, "winlog": { "api": "wineventlog", - "channel": "Microsoft-Windows-Sysmon/Operational", - "computer_name": "PC01234567.company.com", - "event_id": "13", - "opcode": "Informations", + "channel": "Security", + "computer_name": "host01.company.test", + "event_data": { + "AccessMaskDescription": [ + "List Object", + "READ_CONTROL", + "SYNCHRONIZE" + ] + }, + "event_id": "5145", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x20d93996" + }, + "opcode": "Info", "process": { - "pid": 5624, + "pid": 4, "thread": { - "id": 7248 + "id": 6404 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - 
"provider_name": "Microsoft-Windows-Sysmon", - "record_id": "67193778", - "task": "Registry value set (rule: RegistryEvent)", - "user": { - "domain": "DOMAIN", - "identifier": "S-1-2-3", - "name": "Syst\u00e8me", - "type": "User" + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "21474307", + "task": "Detailed File Share" + } + } + + ``` + + +=== "security_event_5381.json" + + ```json + + { + "message": "{\"@timestamp\": \"2023-01-17T21:15:02.549Z\", \"ecs\": {\"version\": \"1.12.0\"}, \"event\": {\"action\": \"vault-credentials-were-read\", \"category\": [\"iam\"], \"code\": \"5381\", \"kind\": \"event\", \"module\": \"security\", \"outcome\": \"success\", \"provider\": \"Microsoft-Windows-Security-Auditing\", \"type\": [\"user\", \"info\"]}, \"host\": {\"name\": \"COMPUTER1.contoso.com\"}, \"log\": {\"level\": \"information\"}, \"related\": {\"user\": [\"COMPUTER1$\"]}, \"user\": {\"domain\": \"CONTOSO\", \"id\": \"S-1-5-18\", \"name\": \"COMPUTER1$\"}, \"winlog\": {\"channel\": \"Security\", \"computer_name\": \"COMPUTER1.contoso.com\", \"event_data\": {\"ClientProcessId\": \"5048\", \"CountOfCredentialsReturned\": \"0\", \"Flags\": \"0\", \"ProcessCreationTime\": \"2023-01-17T21:15:02.4069136Z\", \"SubjectDomainName\": \"CONTOSO\", \"SubjectLogonId\": \"0x3e7\", \"SubjectUserName\": \"COMPUTER1$\", \"SubjectUserSid\": \"S-1-5-18\"}, \"event_id\": \"5381\", \"keywords\": [\"Audit Success\"], \"logon\": {\"id\": \"0x3e7\"}, \"opcode\": \"Info\", \"process\": {\"pid\": 772, \"thread\": {\"id\": 820}}, \"provider_guid\": \"{54849625-5478-4994-a5ba-3e3b0328c30d}\", \"provider_name\": \"Microsoft-Windows-Security-Auditing\", \"record_id\": \"13342699\", \"time_created\": \"2023-01-17T21:15:02.5490822Z\"}}\n", + "event": { + "action": "vault-credentials-were-read", + "category": [ + "iam" + ], + "code": "5381", + "kind": "event", + "module": "security", + "provider": 
"Microsoft-Windows-Security-Auditing", + "type": [ + "info", + "user" + ] + }, + "@timestamp": "2023-01-17T21:15:02.549000Z", + "action": { + "id": 5381, + "outcome": "success", + "properties": { + "ClientProcessId": "5048", + "CountOfCredentialsReturned": "0", + "Flags": "0", + "ProcessCreationTime": "2023-01-17T21:15:02.4069136Z", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "COMPUTER1$", + "SubjectUserSid": "S-1-5-18" + } + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "COMPUTER1" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-18", + "name": "COMPUTER1" + }, + "winlog": { + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_id": "5381", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" }, - "version": 2 + "opcode": "Info", + "process": { + "pid": 772, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "13342699", + "time_created": "2023-01-17T21:15:02.5490822Z" } } @@ -2137,6 +3576,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "5156", "hash": "ab796c9b97ae44dbe45db2b945d2c773175b2e08", "kind": "event", + "module": "security", "original": "The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t192.168.83.100\n\tSource Port:\t\t58499\n\tDestination Address:\t192.168.240.196\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\tInterface Index:\t\t9\n\nFilter Information:\n\tFilter Origin:\t\tUnknown\n\tFilter Run-Time ID:\t71694\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44\n\tRemote User ID:\t\tS-1-0-0\n\tRemote Machine ID:\tS-1-0-0" }, "@timestamp": "2023-01-31T18:02:52.597000Z", 
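Review bot: The new 5145 and 5381 samples strip the trailing `$` from machine accounts: `SubjectUserName` is `host01$` / `COMPUTER1$` in the raw event, but the normalized `user.name` and `related.user` become `host01` / `COMPUTER1` (the embedded 5381 message still carries `related.user: ["COMPUTER1$"]`, so the `$` is lost by this parser). That suffix is the only name-level marker distinguishing a computer account from a human account with the same name, and the SID does not always disambiguate (the 5145 sample pairs `host01$` with `S-1-5-18`), so rules keyed on `user.name:*$` silently stop matching and a machine-account share access becomes indistinguishable from a user named host01. Either keep the raw value in `user.name`/`related.user` or add a sentence to this page documenting the normalization, e.g. `Machine account names are normalized without the trailing "$"; use user.id (SID) to tell computer accounts apart.`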
@@ -2228,6 +3668,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "4672", "hash": "b6bb91718122b7f68c88dccd13cbb6a0eec95599", "kind": "event", + "module": "security", "original": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-776561741-920026266-725345543-17198\n\tAccount Name:\t\tVM-EXC-MSG-4$\n\tAccount Domain:\t\tEXAMPLE\n\tLogon ID:\t\t0xC5D72273\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege" }, "@timestamp": "2023-01-31T18:02:50.013000Z", @@ -2281,6 +3722,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "keywords": [ "Audit Success" ], + "logon": { + "id": "0xc5d72273" + }, "opcode": "Info", "process": { "pid": 856, 
@@ -2346,10 +3790,15 @@ The following table lists the fields that are extracted, normalized under the EC |`file.pe.imphash` | `keyword` | A hash of the imports in a PE file. | |`file.pe.original_file_name` | `keyword` | Internal name of the file, provided at compile-time. | |`file.pe.product` | `keyword` | Internal product name of the file, provided at compile-time. | +|`file.target_path` | `keyword` | Target path for symlinks. | +|`group.domain` | `keyword` | Name of the directory the group is a member of. | +|`group.id` | `keyword` | Unique identifier for the group on the system/platform. | +|`group.name` | `keyword` | Name of the group. | |`network.direction` | `keyword` | Direction of the network traffic. | |`network.protocol` | `keyword` | Application protocol name. | |`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. | |`network.type` | `keyword` | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc | +|`process.args` | `keyword` | Array of process arguments. | |`process.command_line` | `wildcard` | Full command line that started the process. | |`process.entity_id` | `keyword` | Unique identifier for the process. | |`process.executable` | `keyword` | Absolute path to the process executable. | 
@@ -2381,17 +3830,32 @@ The following table lists the fields that are extracted, normalized under the EC |`registry.path` | `keyword` | Full path, including hive, key and value | |`registry.value` | `keyword` | Name of the value written. | |`rule.name` | `keyword` | Rule name | +|`service.name` | `keyword` | Name of the service. | |`source.domain` | `keyword` | The domain name of the source. | |`source.ip` | `ip` | IP address of the source. | |`source.port` | `long` | Port of the source. | |`sysmon.dns.status` | `keyword` | Windows status code returned for the DNS query | |`sysmon.file.archived` | `boolean` | Indicates if the deleted file was archived | |`sysmon.file.is_executable` | `boolean` | Indicates if the deleted file was an executable | +|`user.changes.name` | `keyword` | Short name or login of the user. | |`user.domain` | `keyword` | Name of the directory the user is a member of. | +|`user.effective.domain` | `keyword` | Name of the directory the user is a member of. | +|`user.effective.id` | `keyword` | Unique identifier of the user. | +|`user.effective.name` | `keyword` | Short name or login of the user. | |`user.id` | `keyword` | Unique identifier of the user. | |`user.name` | `keyword` | Short name or login of the user. | |`user.target.domain` | `keyword` | Name of the directory the user is a member of. | +|`user.target.id` | `keyword` | Unique identifier of the user. | |`user.target.name` | `keyword` | Short name or login of the user. | |`winlog.activity_id` | `keyword` | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | +|`winlog.computerObject.domain` | `keyword` | The domain of the account that was added, modified or deleted in the event. | +|`winlog.computerObject.id` | `keyword` | A globally unique identifier that identifies the target device. 
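Review bot: `file.target_path` is documented here with the ECS wording "Target path for symlinks", but the 5145 sample earlier in this diff fills it with the share-qualified name `\\*\SYSVOL\company.test\scripts\TargetName.cmd`, which is the requested share object, not a symlink target. A reader building detections for SYSVOL/NETLOGON script access will not find that value under a "symlink" field. Either describe what this integration actually stores, e.g. `| \`file.target_path\` | \`keyword\` | Share-qualified path of the accessed object (Share Name + Relative Target Name, event 5145). |`, or move the value to a field whose ECS meaning matches.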
| +|`winlog.computerObject.name` | `keyword` | The account name that was added, modified or deleted in the event. | +|`winlog.event_data.AccessMaskDescription` | `array` | Description of the access mask value | +|`winlog.event_data.Category` | `keyword` | Set Audit category | +|`winlog.event_data.NewUACList` | `array` | New UAC list associated to the event | +|`winlog.event_data.SubCategory` | `keyword` | SEt Audit sub-category | +|`winlog.event_data.TicketOptionsDescription` | `array` | Description of Kerberos ticket options | +|`winlog.logon.id` | `keyword` | Logon ID that can be used to associate this logon with other events related to the same logon session. | |`winlog.provider_guid` | `keyword` | A globally unique identifier that identifies the provider that logged the event. | diff --git a/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md b/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md new file mode 100644 index 0000000000..ebe9c7e89e --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md 
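Review bot: `SEt Audit sub-category` has a casing typo in the `winlog.event_data.SubCategory` row; it should read `| \`winlog.event_data.SubCategory\` | \`keyword\` | Set Audit sub-category |`. The three new rows typed `array` (`AccessMaskDescription`, `NewUACList`, `TicketOptionsDescription`) also use a type name that does not appear elsewhere in this table, where list-valued fields such as `event.category` and `host.ip` are typed by their element type (`keyword`, `ip`); presumably these should be `keyword` as well, so the type column stays usable for writing queries. The description of `winlog.computerObject.id` ("identifies the target device") could state which event data field it is taken from, since the sample for it is not shown in this diff.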
@@ -0,0 +1,1139 @@ + +## Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Host network interface` | every packets are logged and information on the outcome, the source/destination are extracted | +| `Web logs` | OpenVPN provide information about the connected client and the requested resource | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `event` | +| Category | `network` | +| Type | `info` | + + + + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "client_connection_0.json" + + ```json + + { + "message": "2023-10-31 15:09:55 client01,10.8.0.4,", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:09:55Z", + "client": { + "address": "client01", + "domain": "client01", + "nat": { + "ip": "10.8.0.4" + } + }, + "related": { + "hosts": [ + "client01" + ], + "ip": [ + "10.8.0.4" + ] + } + } + + ``` + + +=== "client_connection_1.json" + + ```json + + { + "message": "2023-10-31 15:09:59 client01/165.225.204.88:59321 MULTI: Learn: 10.8.0.6 -> client01/165.225.204.88:59321", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:09:59Z", + "client": { + "address": "client01", + "domain": "client01", + "ip": "165.225.204.88", + "nat": { + "ip": "10.8.0.6" + }, + "port": 59321 + }, + "related": { + "hosts": [ + "client01" + ], + "ip": [ + "10.8.0.6", + "165.225.204.88" + ] + } + } + + ``` + + +=== "client_connection_2.json" + + ```json + + { + "message": "2023-10-31 15:09:59 client01/165.225.204.88:59321 MULTI: primary virtual IP for client01/165.225.204.88:59321: 10.8.0.6", + "event": { + "category": [ + "network" + ], + "kind": "event", + 
"type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:09:59Z", + "client": { + "address": "client01", + "domain": "client01", + "ip": "165.225.204.88", + "nat": { + "ip": "10.8.0.6" + }, + "port": 59321 + }, + "related": { + "hosts": [ + "client01" + ], + "ip": [ + "10.8.0.6", + "165.225.204.88" + ] + } + } + + ``` + + +=== "client_connection_3.json" + + ```json + + { + "message": "2023-10-31 15:09:59 165.225.204.88:59321 [client01] Peer Connection Initiated with [AF_INET]165.225.204.88:59321", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:09:59Z", + "client": { + "address": "client01", + "domain": "client01", + "ip": "165.225.204.88", + "port": 59321 + }, + "related": { + "hosts": [ + "client01" + ], + "ip": [ + "165.225.204.88" + ] + } + } + + ``` + + +=== "client_information_0.json" + + ```json + + { + "message": "2023-10-31 15:11:18 165.225.204.88:62586 VERIFY OK: depth=1, CN=Easy-RSA CA", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "VERIFY OK: depth=1, CN=Easy-RSA CA", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:11:18Z", + "client": { + "address": "165.225.204.88", + "ip": "165.225.204.88", + "port": 62586 + }, + "related": { + "ip": [ + "165.225.204.88" + ] + } + } + + ``` + + +=== "client_information_1.json" + + ```json + + { + "message": "2023-10-31 15:11:18 165.225.204.88:62586 VERIFY OK: depth=0, CN=client01", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "VERIFY OK: depth=0, CN=client01", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:11:18Z", + "client": { + "address": "165.225.204.88", + "ip": "165.225.204.88", + "port": 62586 + }, + "related": { + "ip": [ + "165.225.204.88" + ] + } + } + + ``` + + +=== "client_information_10.json" + + ```json + + { + "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_COMP_STUB=1", + "event": { + "category": [ + "network" + ], 
+ "kind": "event", + "reason": "peer info: IV_COMP_STUB=1", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:11:18Z", + "client": { + "address": "165.225.204.88", + "ip": "165.225.204.88", + "port": 62586 + }, + "related": { + "ip": [ + "165.225.204.88" + ] + } + } + + ``` + + +=== "client_information_11.json" + + ```json + + { + "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_COMP_STUBv2=1", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "peer info: IV_COMP_STUBv2=1", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:11:18Z", + "client": { + "address": "165.225.204.88", + "ip": "165.225.204.88", + "port": 62586 + }, + "related": { + "ip": [ + "165.225.204.88" + ] + } + } + + ``` + + +=== "client_information_12.json" + + ```json + + { + "message": "2023-10-31 15:10:21 SENT CONTROL [client01]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-GCM' (status=1)", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "SENT CONTROL [client01]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-GCM' (status=1)", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:10:21Z" + } + + ``` + + +=== "client_information_13.json" + + ```json + + { + "message": "2023-10-31 15:09:55 Diffie-Hellman initialized with 2048 bit key", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "Diffie-Hellman initialized with 2048 bit key", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:09:55Z" + } + + ``` + + +=== "client_information_14.json" + + ```json + + { + "message": "2023-10-31 15:09:55 net_route_v4_best_gw query: dst 0.0.0.0", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "net_route_v4_best_gw query: dst 0.0.0.0", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:09:55Z" + 
} + + ``` + + +=== "client_information_15.json" + + ```json + + { + "message": "2023-10-31 15:09:55 Could not determine IPv4/IPv6 protocol. Using AF_INET", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "Could not determine IPv4/IPv6 protocol. Using AF_INET", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:09:55Z" + } + + ``` + + +=== "client_information_16.json" + + ```json + + { + "message": "2023-10-31 15:09:55 Socket Buffers: R=[212992->212992] S=[212992->212992]", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "Socket Buffers: R=[212992->212992] S=[212992->212992]", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:09:55Z" + } + + ``` + + +=== "client_information_17.json" + + ```json + + { + "message": "2023-10-31 15:09:55 UDPv4 link local (bound): [AF_INET][undef]:1194", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "UDPv4 link local (bound): [AF_INET][undef]:1194", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:09:55Z" + } + + ``` + + +=== "client_information_18.json" + + ```json + + { + "message": "2023-10-31 15:09:55 UDPv4 link remote: [AF_UNSPEC]", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "UDPv4 link remote: [AF_UNSPEC]", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:09:55Z" + } + + ``` + + +=== "client_information_19.json" + + ```json + + { + "message": "2023-10-31 15:09:55 MULTI: multi_init called, r=256 v=256", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "MULTI: multi_init called, r=256 v=256", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:09:55Z" + } + + ``` + + +=== "client_information_2.json" + + ```json + + { + "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_VER=2.6.6", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "peer info: IV_VER=2.6.6", + "type": [ + "info" + ] + }, + 
"@timestamp": "2023-10-31T15:11:18Z", + "client": { + "address": "165.225.204.88", + "ip": "165.225.204.88", + "port": 62586 + }, + "related": { + "ip": [ + "165.225.204.88" + ] + } + } + + ``` + + +=== "client_information_20.json" + + ```json + + { + "message": "2023-10-31 15:09:55 IFCONFIG POOL IPv4: base=10.8.0.4 size=62", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "IFCONFIG POOL IPv4", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:09:55Z", + "client": { + "address": "10.8.0.4", + "ip": "10.8.0.4" + }, + "related": { + "ip": [ + "10.8.0.4" + ] + } + } + + ``` + + +=== "client_information_21.json" + + ```json + + { + "message": "2023-10-31 15:09:55 ifconfig_pool_read(), in='client01,10.8.0.4,'", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "ifconfig_pool_read", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:09:55Z", + "client": { + "address": "client01", + "domain": "client01", + "ip": "10.8.0.4" + }, + "related": { + "hosts": [ + "client01" + ], + "ip": [ + "10.8.0.4" + ] + } + } + + ``` + + +=== "client_information_22.json" + + ```json + + { + "message": "2023-10-31 15:09:55 succeeded -> ifconfig_pool_set(hand=0)", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "succeeded -> ifconfig_pool_set(hand=0)", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:09:55Z" + } + + ``` + + +=== "client_information_23.json" + + ```json + + { + "message": "2023-10-31 15:09:55 IFCONFIG POOL LIST", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "IFCONFIG POOL LIST", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:09:55Z" + } + + ``` + + +=== "client_information_24.json" + + ```json + + { + "message": "2023-10-31 15:12:13 event_wait : Interrupted system call (code=4)", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "event_wait : Interrupted system call (code=4)", + "type": [ 
+ "info" + ] + }, + "@timestamp": "2023-10-31T15:12:13Z" + } + + ``` + + +=== "client_information_3.json" + + ```json + + { + "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_PLAT=linux", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "peer info: IV_PLAT=linux", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:11:18Z", + "client": { + "address": "165.225.204.88", + "ip": "165.225.204.88", + "port": 62586 + }, + "related": { + "ip": [ + "165.225.204.88" + ] + } + } + + ``` + + +=== "client_information_4.json" + + ```json + + { + "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_TCPNL=1", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "peer info: IV_TCPNL=1", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:11:18Z", + "client": { + "address": "165.225.204.88", + "ip": "165.225.204.88", + "port": 62586 + }, + "related": { + "ip": [ + "165.225.204.88" + ] + } + } + + ``` + + +=== "client_information_5.json" + + ```json + + { + "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_MTU=1600", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "peer info: IV_MTU=1600", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:11:18Z", + "client": { + "address": "165.225.204.88", + "ip": "165.225.204.88", + "port": 62586 + }, + "related": { + "ip": [ + "165.225.204.88" + ] + } + } + + ``` + + +=== "client_information_6.json" + + ```json + + { + "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_NCP=2", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "peer info: IV_NCP=2", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:11:18Z", + "client": { + "address": "165.225.204.88", + "ip": "165.225.204.88", + "port": 62586 + }, + "related": { + "ip": [ + "165.225.204.88" + ] + } + } + + ``` + + +=== "client_information_7.json" + + ```json + + { + "message": 
"2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:11:18Z", + "client": { + "address": "165.225.204.88", + "ip": "165.225.204.88", + "port": 62586 + }, + "related": { + "ip": [ + "165.225.204.88" + ] + } + } + + ``` + + +=== "client_information_8.json" + + ```json + + { + "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_PROTO=990", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "peer info: IV_PROTO=990", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:11:18Z", + "client": { + "address": "165.225.204.88", + "ip": "165.225.204.88", + "port": 62586 + }, + "related": { + "ip": [ + "165.225.204.88" + ] + } + } + + ``` + + +=== "client_information_9.json" + + ```json + + { + "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_LZO_STUB=1", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "peer info: IV_LZO_STUB=1", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:11:18Z", + "client": { + "address": "165.225.204.88", + "ip": "165.225.204.88", + "port": 62586 + }, + "related": { + "ip": [ + "165.225.204.88" + ] + } + } + + ``` + + +=== "gateway_0.json" + + ```json + + { + "message": "2023-10-31 15:09:55 ROUTE_GATEWAY 172.31.32.1/255.255.240.0 IFACE=eth0 HWADDR=0e:dd:8a:3b:b1:86", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:09:55Z", + "observer": { + "egress": { + "interface": { + "name": "eth0" + } + }, + "mac": "0e:dd:8a:3b:b1:86" + } + } + + ``` + + +=== "gateway_1.json" + + ```json + + { + "message": "2023-10-31 15:09:55 net_route_v4_best_gw result: via 172.31.32.1 dev eth0", + "event": { + "category": [ + "network" + 
], + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:09:55Z", + "observer": { + "egress": { + "interface": { + "name": "eth0" + } + } + } + } + + ``` + + +=== "tls_information_0.json" + + ```json + + { + "message": "2023-10-31 15:11:18 165.225.204.88:62586 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:11:18Z", + "client": { + "address": "165.225.204.88", + "ip": "165.225.204.88", + "port": 62586 + }, + "related": { + "ip": [ + "165.225.204.88" + ] + }, + "tls": { + "cipher": "TLS_AES_256_GCM_SHA384", + "version": "v1.3" + } + } + + ``` + + +=== "tunnel_0.json" + + ```json + + { + "message": "2023-10-31 15:09:55 TUN/TAP device tun0 opened", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:09:55Z", + "observer": { + "ingress": { + "interface": { + "name": "tun0" + } + } + } + } + + ``` + + +=== "tunnel_1.json" + + ```json + + { + "message": "2023-10-31 15:09:55 net_iface_mtu_set: mtu 1500 for tun0", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:09:55Z", + "observer": { + "ingress": { + "interface": { + "name": "tun0" + } + } + } + } + + ``` + + +=== "tunnel_2.json" + + ```json + + { + "message": "2023-10-31 15:09:55 net_iface_up: set tun0 up", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:09:55Z", + "observer": { + "ingress": { + "interface": { + "name": "tun0" + } + } + } + } + + ``` + + +=== "tunnel_3.json" + + ```json + + { + "message": "2023-10-31 15:09:55 net_addr_ptp_v4_add: 10.8.0.1 peer 10.8.0.2 dev tun0", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] + }, 
+ "@timestamp": "2023-10-31T15:09:55Z", + "observer": { + "ingress": { + "interface": { + "name": "tun0" + } + }, + "ip": "10.8.0.1" + }, + "openvpn": { + "peer": { + "ip": "10.8.0.2" + } + }, + "related": { + "ip": [ + "10.8.0.1" + ] + } + } + + ``` + + +=== "tunnel_4.json" + + ```json + + { + "message": "2023-10-31 15:09:55 net_route_v4_add: 10.8.0.0/24 via 10.8.0.2 dev [NULL] table 0 metric -1", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-31T15:09:55Z", + "openvpn": { + "peer": { + "ip": "10.8.0.2" + } + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`client.domain` | `keyword` | The domain name of the client. | +|`client.ip` | `ip` | IP address of the client. | +|`client.nat.ip` | `ip` | Client NAT ip address | +|`client.port` | `long` | Port of the client. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`observer.egress.interface.name` | `keyword` | Interface name | +|`observer.ingress.interface.name` | `keyword` | Interface name | +|`observer.ip` | `ip` | IP addresses of the observer. | +|`observer.mac` | `keyword` | MAC addresses of the observer. | +|`openvpn.peer.ip` | `keyword` | OpenVPN peer IP | +|`tls.cipher` | `keyword` | String indicating the cipher used during the current connection. 
| +|`tls.version` | `keyword` | Numeric part of the version parsed from the original string. | +
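Review bot: The same pool line `client01,10.8.0.4,` is normalized inconsistently: `client_connection_0.json` puts 10.8.0.4 in `client.nat.ip`, while `client_information_21.json` (`ifconfig_pool_read()`) puts it in `client.ip`, and `client_information_20.json` puts the pool base from `IFCONFIG POOL IPv4: base=10.8.0.4 size=62` into `client.ip` although no client is involved, so `client.ip` will mix VPN-internal pool addresses with real remote addresses such as 165.225.204.88. The OpenVPN common name `client01` (the certificate CN from `VERIFY OK: depth=0, CN=client01`) is stored in `client.domain` and `related.hosts`; it is a client identity rather than a DNS domain, and `user.name` or `client.user.name` would match how analysts pivot on VPN identities. `openvpn.peer.ip` is typed `keyword` while every other address field in the table is `ip`, which blocks CIDR queries on it. The Data Source descriptions ("every packets are logged", "OpenVPN provide information about the connected client and the requested resource") do not match the samples, which are OpenVPN server log lines with no per-packet or requested-resource data; something like `OpenVPN server log: client connections, certificate verification, TLS parameters and address-pool assignments` would describe what is actually parsed.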