@@ -83,6 +83,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
8383 "message": "{\"user\":{\"target\":{\"name\":\"
[email protected] \",\"domain\":\"EXAMPLE.LOCAL\"}},\"action\":{\"properties\":{\"EventType\":\"AUDIT_SUCCESS\",\"IpAddress\":\"::ffff:10.0.30.42\",\"IpPort\":\"57111\",\"Keywords\":\"0x8020000000000000\",\"LogonGuid\":\"{345a31bc-e0d8-4d9b-98e7-d7c27a2404f2}\",\"ProviderGuid\":\"{9341bdd5-a0aa-4978-8f7b-36d0c7f5de05}\",\"ServiceName\":\"eXampl-AZRWE-AA00$\",\"ServiceSid\":\"S-1-5-21-2222222-111111111-1197373316-51000\",\"Severity\":\"LOG_ALWAYS\",\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"Status\":\"0x0\",\"TargetDomainName\":\"EXAMPLE.LOCAL\",\"TargetUserName\":\"
[email protected] \",\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810000\",\"TransmittedServices\":\"-\"},\"id\":4769},\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":4769},\"agent\":{\"id\":\"d6285cf5d51861d13acbb34971e6b72e8e91fbcfcce44cfc5a9f1d45c8f0510c\",\"version\":\"v1.4.0+a903da97d806b129d8f0c5c7d1c4f71cb36849bd\"},\"host\":{\"os\":{\"type\":\"windows\"},\"hostname\":\"eXampl-AZRWE-AAAA\",\"ip\":[\"fe80::76e9:3115:c5b4:aaaa\",\"10.0.11.1\"]},\"source\":{\"address\":\"10.0.11.11\",\"ip\":\"10.0.11.12\"},\"@timestamp\":\"2024-01-19T13:18:38.703193Z\"}",
8484 "event": {
8585 "code": "4769",
86+ "outcome": "success",
8687 "provider": "Microsoft-Windows-Security-Auditing"
8788 },
8889 "@timestamp": "2024-01-19T13:18:38.703193Z",
@@ -158,6 +159,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
158159 "message": "{\n \"user\": {\n \"id\": \"S-1-5-18\",\n \"name\": \"EXPL111$\",\n \"domain\": \"EXAMPLE\"\n },\n \"action\": {\n \"properties\": {\n \"ClientProcessId\": \"10704\",\n \"ClientProcessStartKey\": \"14918173765668009\",\n \"EventType\": \"AUDIT_SUCCESS\",\n \"FQDN\": \"EXPL111.example.org\",\n \"Keywords\": \"0x8020000000000000\",\n \"ProviderGuid\": \"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\n \"RpcCallClientLocality\": \"0\",\n \"Severity\": \"LOG_ALWAYS\",\n \"SourceName\": \"Microsoft-Windows-Security-Auditing\",\n \"SubjectDomainName\": \"EXAMPLE\",\n \"SubjectLogonId\": \"0x3E7\",\n \"SubjectUserName\": \"EXPL111$\",\n \"SubjectUserSid\": \"S-1-5-18\",\n \"TaskContent\": \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-16\\\"?>\\r\\n<Task version=\\\"1.2\\\" xmlns=\\\"http://schemas.microsoft.com/windows/2004/02/mit/task\\\">\\r\\n <RegistrationInfo>\\r\\n <Author>EXAMPLE\\\\master</Author>\\r\\n <Description>d\u00e9ploiement de l'agent SYSMON sur les PC</Description>\\r\\n <URI>\\\\Agent Sysmon</URI>\\r\\n </RegistrationInfo>\\r\\n <Triggers>\\r\\n <TimeTrigger>\\r\\n <StartBoundary>2024-03-27T10:58:36</StartBoundary>\\r\\n <EndBoundary>2024-03-27T10:59:31</EndBoundary>\\r\\n <Enabled>true</Enabled>\\r\\n </TimeTrigger>\\r\\n </Triggers>\\r\\n <Principals>\\r\\n <Principal id=\\\"Author\\\">\\r\\n <RunLevel>HighestAvailable</RunLevel>\\r\\n <UserId>NT AUTHORITY\\\\System</UserId>\\r\\n <LogonType>S4U</LogonType>\\r\\n </Principal>\\r\\n </Principals>\\r\\n <Settings>\\r\\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\\r\\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\\r\\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\\r\\n <AllowHardTerminate>false</AllowHardTerminate>\\r\\n <StartWhenAvailable>true</StartWhenAvailable>\\r\\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\\r\\n <IdleSettings>\\r\\n <Duration>PT5M</Duration>\\r\\n <WaitTimeout>PT1H</WaitTimeout>\\r\\n <StopOnIdleEnd>false</StopOnIdleEnd>\\r\\n <RestartOnIdle>false</RestartOnIdle>\\r\\n </IdleSettings>\\r\\n <AllowStartOnDemand>true</AllowStartOnDemand>\\r\\n <Enabled>true</Enabled>\\r\\n <Hidden>false</Hidden>\\r\\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\\r\\n <WakeToRun>false</WakeToRun>\\r\\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\\r\\n <DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter>\\r\\n <Priority>7</Priority>\\r\\n </Settings>\\r\\n <Actions Context=\\\"Author\\\">\\r\\n <Exec>\\r\\n <Command>\\\\\\\\exm-atl-01\\\\netlogon\\\\agent-sysmon\\\\sysmon.exe</Command>\\r\\n <Arguments>-accepteula -i \\\\\\\\exm-atl-01\\\\netlogon\\\\agent-sysmon\\\\sysmonconfig-export.xml</Arguments>\\r\\n </Exec>\\r\\n </Actions>\\r\\n</Task>\",\n \"TaskName\": \"\\\\Agent Sysmon\"\n },\n \"id\": 4698\n },\n \"event\": {\n \"provider\": \"Microsoft-Windows-Security-Auditing\",\n \"code\": 4698\n },\n \"agent\": {\n \"id\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\n \"version\": \"v1.5.0+909fc425bc21557bcd09cdd599f43eaeab13b9db\"\n },\n \"host\": {\n \"os\": {\n \"type\": \"windows\"\n },\n \"hostname\": \"EXPL111\",\n \"ip\": [\n \"1.2.3.4\"\n ]\n },\n \"process\": {\n \"parent\": {\n \"pid\": 1188\n }\n },\n \"@timestamp\": \"2024-03-27T09:58:31.8443945Z\"\n}",
159160 "event": {
160161 "code": "4698",
162+ "outcome": "success",
161163 "provider": "Microsoft-Windows-Security-Auditing"
162164 },
163165 "@timestamp": "2024-03-27T09:58:31.844394Z",
@@ -1122,6 +1124,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
11221124 "message": "{\"action\":{\"properties\":{\"Application\":\"\\\\device\\\\harddisk\\\\windows\\\\system32\\\\test.exe\",\"Direction\":\"%%14593\",\"EventType\":\"AUDIT_SUCCESS\",\"FilterRTID\":\"72760\",\"Keywords\":\"0x8020000000000000\",\"LayerName\":\"%%14611\",\"LayerRTID\":\"48\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"RemoteMachineID\":\"S-1-0-0\",\"RemoteUserID\":\"S-1-0-0\",\"Severity\":\"LOG_ALWAYS\",\"SourceName\":\"Microsoft-Windows-Security-Auditing\"},\"id\":5156},\"destination\":{\"address\":\"1.2.3.4\",\"ip\":\"1.2.3.4\",\"port\":1},\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":5156},\"agent\":{\"id\":\"72d68eb9bacfe73d21ff765b4e81aaec6934169b947daae740666327bd5f5e8c\",\"version\":\"v1.5.0+909fc425bc21557bcd09cdd599f43eaeab13b9db\"},\"host\":{\"os\":{\"type\":\"windows\"},\"hostname\":\"hostname\",\"ip\":[\"5.6.7.8\"]},\"network\":{\"transport\":\"tcp\"},\"process\":{\"pid\":2184},\"source\":{\"address\":\"5.6.7.8\",\"ip\":\"5.6.7.8\",\"port\":2},\"@timestamp\":\"2024-07-19T14:10:28.962733Z\"}",
11231125 "event": {
11241126 "code": "5156",
1127+ "outcome": "success",
11251128 "provider": "Microsoft-Windows-Security-Auditing"
11261129 },
11271130 "@timestamp": "2024-07-19T14:10:28.962733Z",
@@ -1199,6 +1202,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
11991202 "authentication"
12001203 ],
12011204 "code": "4624",
1205+ "outcome": "success",
12021206 "provider": "Microsoft-Windows-Security-Auditing",
12031207 "type": [
12041208 "start"
@@ -1307,6 +1311,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
13071311 "authentication"
13081312 ],
13091313 "code": "4625",
1314+ "outcome": "failure",
13101315 "provider": "Microsoft-Windows-Security-Auditing",
13111316 "reason": "user_not_exist",
13121317 "type": [
@@ -1505,6 +1510,7 @@ The following table lists the fields that are extracted, normalized under the EC
15051510| ` event.code ` | ` keyword ` | Identification code for this event. |
15061511| ` event.end ` | ` date ` | event.end contains the date when the event ended or when the activity was last observed. |
15071512| ` event.kind ` | ` keyword ` | The kind of the event. The highest categorization field in the hierarchy. |
1513+ | ` event.outcome ` | ` keyword ` | The outcome of the event. The lowest level categorization field in the hierarchy. |
15081514| ` event.provider ` | ` keyword ` | Source of the event. |
15091515| ` event.reason ` | ` keyword ` | Reason why this event happened, according to the source |
15101516| ` event.start ` | ` date ` | event.start contains the date when the event started or when the activity was first observed. |
![sekoia-io-cross-repo-comm-app[bot]](https://avatars.githubusercontent.com/u/59438400?v=4&size=40){kind=avatar}
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?v=4&size=40){kind=avatar}
0 commit comments