Winlogbeat
Overview
Winlogbeat is an open-source log collector that ships Windows Event Logs as JSON events to a Logstash log concentrator, which then forwards them to Sekoia.io.
- Vendor: Elastic
- Supported environment: On Premise
- Detection based on: Telemetry
- Supported application or feature: System Monitoring and Security
High-Level Architecture Diagram
- Type of integration: Outbound (PUSH to Sekoia.io)
- Schema
Specification
Prerequisites
- Resource:
  - Self-managed Logstash server
- Network:
  - Outbound traffic allowed
- Permissions:
  - Administrator access to the Windows server
  - Root access to the Linux server running Logstash
Transport Protocol/Method
- Indirect HTTP
Logs details
- Supported functionalities: See section Overview
- Supported type(s) of structure: JSON
- Supported verbosity level: Informational
Note
Log levels are based on the taxonomy of RFC 5424. Adapt according to the terminology used by the vendor.
Step-by-Step Configuration Procedure
Instructions on the 3rd Party Solution
Install and Configure Winlogbeat
- Download the Winlogbeat zip from the Elastic.co download page
- Extract the archive into C:\Program Files\winlogbeat
- Open a PowerShell prompt as an Administrator and run the following commands to install the service
PS C:\Users\Administrator> cd 'C:\Program Files\winlogbeat'
PS C:\Program Files\winlogbeat> .\install-service-winlogbeat.ps1
- Replace the configuration file C:\Program Files\winlogbeat\winlogbeat.yml with the following content:
```yaml
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
  - name: Security
  - name: ForwardedEvents
    tags: [forwarded]
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

# ====================== Elasticsearch template settings =======================
setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false

# ================================== Outputs ===================================
# Configure what output to use when sending the data collected by the beat.

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  enabled: false

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["logstash_concentrator:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~

# ================================== Logging ===================================
logging.level: info
#logging.to_files: true
#logging.files:
#  path: C:\ProgramData\winlogbeat\Logs
#  name: winlogbeat
#  keepfiles: 7
#  permissions: 0640
```
Warning
Don't forget to replace the placeholder host in output.logstash.hosts with the address of your Logstash server. The SSL settings of the Logstash output are commented out, so events (including the Security channel) are sent in cleartext until you enable them.
- Save and validate the configuration with the command:
PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e
- Set up assets:
PS C:\Program Files\Winlogbeat> .\winlogbeat.exe setup -e
- Start the Winlogbeat service:
PS C:\Program Files\Winlogbeat> Start-Service winlogbeat
Note
If you encounter any issues during the configuration described in the section "Instructions on the 3rd Party Solution", please do not hesitate to contact the solution's vendor. We also welcome any suggestions for improving our documentation to better serve your needs.
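As an added example (not part of this page, nor of Winlogbeat itself), the Python below re-implements the `event_id` selector syntax used in `winlogbeat.event_logs`, so a selector can be checked against known event IDs before the service is started. The selector strings are copied from the configuration above; the range form (`4700-4800`) and the exclusion form (`-4735`) come from Winlogbeat's reference documentation rather than from this page, and the rule that an exclusion wins over an inclusion is an assumption of this code. The same check also makes one gap in the configuration visible: no Sysmon channel is collected, so the Sysmon samples later on this page require an extra `- name: Microsoft-Windows-Sysmon/Operational` entry.

```python
"""Evaluate Winlogbeat `event_id` selectors against event IDs.

Added example, not from the Sekoia.io page or the Winlogbeat project.
Selector grammar assumed: comma-separated tokens, each either a single ID
to include (4624), an inclusive range to include (4700-4800), or a single
ID to exclude (-4735). An empty selector keeps every event.
"""
from dataclasses import dataclass, field


@dataclass
class EventIdSelector:
    include: list = field(default_factory=list)   # list of (low, high) inclusive ranges
    exclude: set = field(default_factory=set)     # event IDs explicitly suppressed

    def matches(self, event_id: int) -> bool:
        # Assumption: exclusions take precedence over inclusions, and an
        # empty include list means "everything" (as when the line is omitted).
        if event_id in self.exclude:
            return False
        if not self.include:
            return True
        return any(low <= event_id <= high for low, high in self.include)


def parse_selector(text: str) -> EventIdSelector:
    """Parse a selector such as "4624, 4700-4800, -4735"."""
    selector = EventIdSelector()
    for raw in text.split(","):
        token = raw.strip()
        if not token:
            continue
        if token.startswith("-"):
            selector.exclude.add(int(token[1:]))
        elif "-" in token:
            low, high = (int(part) for part in token.split("-", 1))
            if low > high:
                raise ValueError(f"inverted range in selector: {token!r}")
            selector.include.append((low, high))
        else:
            value = int(token)
            selector.include.append((value, value))
    return selector


# Channels and selectors copied from the winlogbeat.yml above. Channels
# without an event_id line keep every event (empty selector).
CHANNEL_SELECTORS = {
    "Application": "",
    "System": "",
    "Security": "",
    "ForwardedEvents": "",
    "Windows PowerShell": "400, 403, 600, 800",
    "Microsoft-Windows-PowerShell/Operational": "4103, 4104, 4105, 4106",
}


def would_ship(channel: str, event_id: int) -> bool:
    """True when the configuration above would forward (channel, event_id).

    A channel absent from winlogbeat.event_logs is never read at all, which
    is why Sysmon events return False with this configuration.
    """
    selector_text = CHANNEL_SELECTORS.get(channel)
    if selector_text is None:
        return False
    return parse_selector(selector_text).matches(event_id)


if __name__ == "__main__":
    # Constructed checks: script block logging (4104) is shipped, 4100 is not,
    # and the Sysmon channel is silently missing from the configuration.
    for channel, event_id in [
        ("Microsoft-Windows-PowerShell/Operational", 4104),
        ("Microsoft-Windows-PowerShell/Operational", 4100),
        ("Security", 4624),
        ("Microsoft-Windows-Sysmon/Operational", 1),
    ]:
        print(f"{channel:45} {event_id:5} -> {would_ship(channel, event_id)}")
```

Run it once after editing winlogbeat.yml and again after adding a channel; a channel that prints False for every event ID is not being collected, which is usually the reason a parser sees no events on the Sekoia.io side.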
Instructions on Sekoia
Configure Your Intake
This section will guide you through creating the intake object in Sekoia, which provides a unique identifier called the "Intake key." The Intake key is essential for later configuration, as it references the Community, Entity, and Parser (Intake Format) used when receiving raw events on Sekoia.
- Go to the Sekoia Intake page.
- Click on the + New Intake button at the top right of the page.
- Search for your Intake by the product name in the search bar.
- Give it a Name and associate it with an Entity (and a Community if using multi-tenant mode).
- Click on Create.
- You will be redirected to the Intake listing page, where you will find a new line with the name you gave to the Intake.
Note
For more details on how to use the Intake page and to find the Intake key you just created, refer to this documentation.
Forward logs to Sekoia.io
Please consult our guide to configure logs forwarding from Logstash to Sekoia.io.
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. This is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
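As an added example that is not part of this page or of Winlogbeat, the Python below reads events shaped like the samples in this section and flattens them into the fields an integrator usually maps first. It handles two variations visible in the samples: `winlog.event_id` and `event.code` arrive as integers from Winlogbeat 7.x but as strings from 8.x, and `winlog.event_data` keeps unresolved `%%NNNN` resource identifiers where the `message` text already shows the resolved word (for instance `Direction: %%14592` beside "Direction: Inbound"). The embedded events are constructed, trimmed copies of the samples; the resolution table is read only from those samples' `message` fields and is an assumption beyond them.

```python
"""Normalize Winlogbeat JSON events of the shapes shown in this section.

Added example, not from the Sekoia.io page or from Winlogbeat/Logstash.
The events below are constructed, trimmed-down versions of the samples on
this page; field names follow the samples exactly.
"""
import json

# Constructed sample: Winlogbeat 7.x, Security channel, event 5156.
# event_id is an integer and event_data keeps "%%NNNNN" resource identifiers.
SAMPLE_5156 = json.dumps({
    "event": {"code": 5156, "action": "Filtering Platform Connection"},
    "winlog": {
        "channel": "Security", "event_id": 5156,
        "provider_name": "Microsoft-Windows-Security-Auditing",
        "computer_name": "vm204d.example.org",
        "event_data": {"Application": "System", "Direction": "%%14592",
                       "LayerName": "%%14610", "DestPort": "445",
                       "SourceAddress": "1.2.3.4"},
    },
})

# Constructed sample: Winlogbeat 7.x, Security channel, event 4624.
SAMPLE_4624 = json.dumps({
    "event": {"code": 4624, "action": "Logon"},
    "winlog": {
        "channel": "Security", "event_id": 4624,
        "provider_name": "Microsoft-Windows-Security-Auditing",
        "computer_name": "VM-FOO.FOOBAR.NET",
        "event_data": {"TargetUserName": "FOO-FARM-ADMIN", "LogonType": "3",
                       "ImpersonationLevel": "%%1833", "ElevatedToken": "%%1842",
                       "VirtualAccount": "%%1843"},
    },
})

# Constructed sample: Winlogbeat 8.x, Sysmon channel, event 1. Here event_id
# is a string and RuleName carries ATT&CK tags written by the Sysmon config.
SAMPLE_SYSMON_1 = json.dumps({
    "event": {"code": "1", "provider": "Microsoft-Windows-Sysmon"},
    "winlog": {
        "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": "1",
        "provider_name": "Microsoft-Windows-Sysmon",
        "computer_name": "PC01234567.company.com",
        "event_data": {"RuleName": "technique_id=T1036,technique_name=Masquerading",
                       "Image": "C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
                       "User": "COMPANY\\asmithee", "IntegrityLevel": "Low"},
    },
})

# Resource identifiers resolved by reading the `message` text of the samples
# in this section. Assumption: the table is only as complete as those samples.
RESOURCE_STRINGS = {
    "%%14592": "Inbound",
    "%%14610": "Receive/Accept",
    "%%1833": "Impersonation",
    "%%1842": "Yes",
    "%%1843": "No",
}


def parse_rule_name(rule_name: str) -> dict:
    """Split "technique_id=T1036,technique_name=Masquerading" into key/value pairs."""
    pairs = {}
    for item in rule_name.split(","):
        key, sep, value = item.partition("=")
        if sep:
            pairs[key.strip()] = value.strip()
    return pairs


def resolve_placeholders(event_data: dict) -> dict:
    """Replace known %%NNNN identifiers; unknown ones stay verbatim so the gap
    is visible in the output instead of being silently dropped."""
    return {key: RESOURCE_STRINGS.get(value, value) for key, value in event_data.items()}


def normalize(raw: str) -> dict:
    """Flatten one Winlogbeat JSON document, tolerating int/str event IDs."""
    doc = json.loads(raw)
    winlog = doc.get("winlog", {})
    event_data = resolve_placeholders(winlog.get("event_data", {}))
    event_id = winlog.get("event_id", doc.get("event", {}).get("code"))
    normalized = {
        "channel": winlog.get("channel"),
        "provider": winlog.get("provider_name"),
        "event_id": int(event_id) if event_id is not None else None,
        "host": winlog.get("computer_name"),
        # Security events name the account in TargetUserName, Sysmon in User.
        "user": event_data.get("User") or event_data.get("TargetUserName"),
        # Sysmon uses Image for the executable, event 5156 uses Application.
        "image": event_data.get("Image") or event_data.get("Application"),
        "technique_id": parse_rule_name(event_data.get("RuleName", "")).get("technique_id"),
        "event_data": event_data,
    }
    return normalized


if __name__ == "__main__":
    for sample in (SAMPLE_5156, SAMPLE_4624, SAMPLE_SYSMON_1):
        print(json.dumps(normalize(sample), indent=2))
```

The normalized `event_id` is always an integer, so a rule written as `event_id == 1` matches Sysmon process creation whether the event came from a 7.x or an 8.x agent; the `%%NNNN` lookup should be extended from the `message` text each time a new event ID is onboarded.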
{
"@timestamp": "2023-01-31T18:02:52.597Z",
"@version": "1",
"agent": {
"ephemeral_id": "379a53ae-f8df-4fb9-9968-382db61f6dda",
"hostname": "vm204d",
"id": "9ecce8bd-f6ab-41ac-9936-14f8c2c81242",
"type": "winlogbeat",
"version": "7.0.0"
},
"ecs": {
"version": "1.0.0"
},
"event": {
"action": "Filtering Platform Connection",
"code": 5156,
"created": "2023-01-31T18:02:53.233Z",
"kind": "event"
},
"host": {
"architecture": "x86_64",
"hostname": "vm204d",
"id": "68884df7-2cc9-4c09-a619-e1ccce85ac4e",
"name": "vm204d",
"os": {
"build": "20348.1487",
"family": "windows",
"kernel": "10.0.20348.1487 (WinBuild.160101.0800)",
"name": "Windows Server 2022 Datacenter",
"platform": "windows",
"version": "10.0"
}
},
"log": {
"level": "information"
},
"message": "The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t1.1.1.1\n\tSource Port:\t\t58499\n\tDestination Address:\t192.168.240.196\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\tInterface Index:\t\t9\n\nFilter Information:\n\tFilter Origin:\t\tUnknown\n\tFilter Run-Time ID:\t71694\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44\n\tRemote User ID:\t\tS-1-0-0\n\tRemote Machine ID:\tS-1-0-0",
"tags": [
"beats_input_codec_plain_applied"
],
"type": "winlogbeat",
"winlog": {
"api": "wineventlog",
"channel": "Security",
"computer_name": "vm204d.example.org",
"event_data": {
"Application": "System",
"DestAddress": "5.6.7.8",
"DestPort": "445",
"Direction": "%%14592",
"FilterOrigin": "Unknown",
"FilterRTID": "71694",
"InterfaceIndex": "9",
"LayerName": "%%14610",
"LayerRTID": "44",
"ProcessID": "4",
"Protocol": "6",
"RemoteMachineID": "S-1-0-0",
"RemoteUserID": "S-1-0-0",
"SourceAddress": "1.2.3.4",
"SourcePort": "58499"
},
"event_id": 5156,
"keywords": [
"Audit Success"
],
"opcode": "Info",
"process": {
"pid": 4,
"thread": {
"id": 1940
}
},
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 614833249,
"task": "Filtering Platform Connection",
"version": 1
}
}
{
"@timestamp": "2023-06-23T08:15:46.358Z",
"ecs": {
"version": "1.0.0"
},
"type": "winlogbeat",
"tags": [
"beats_input_codec_plain_applied"
],
"agent": {
"id": "c1e16f64-cfc4-4141-bdc0-71f2a0e45791",
"ephemeral_id": "21a6bd0d-afb5-4e55-827e-5329797579a4",
"hostname": "VM-FOO",
"version": "7.0.0",
"type": "winlogbeat"
},
"host": {
"os": {
"build": "14393.5921",
"kernel": "10.0.14393.5921 (rs1_release.230504-1649)",
"version": "10.0",
"name": "Windows Server 2016 Datacenter",
"family": "windows",
"platform": "windows"
},
"id": "8ea16272-0ba2-4838-b321-1646a493a128",
"hostname": "VM-FOO",
"architecture": "x86_64",
"name": "VM-FOO"
},
"winlog": {
"process": {
"pid": 756,
"thread": {
"id": 13000
}
},
"event_data": {
"TargetLogonId": "0x2374a6a43",
"SubjectLogonId": "0x0",
"TargetUserName": "FOO-FARM-ADMIN",
"TargetUserSid": "S-1-5-21-776561741-920026266-725345543-12737",
"TargetLinkedLogonId": "0x0",
"ProcessId": "0x0",
"AuthenticationPackageName": "Kerberos",
"ImpersonationLevel": "%%1833",
"LogonGuid": "{FBEAEF6D-F1DA-F8AD-A2B2-A3A9AAC706AD}",
"LmPackageName": "-",
"RestrictedAdminMode": "-",
"VirtualAccount": "%%1843",
"TransmittedServices": "-",
"WorkstationName": "-",
"TargetOutboundDomainName": "-",
"IpAddress": "-",
"ProcessName": "-",
"TargetDomainName": "FOOBAR.NET",
"KeyLength": "0",
"ElevatedToken": "%%1842",
"SubjectUserSid": "S-1-0-0",
"TargetOutboundUserName": "-",
"LogonType": "3",
"SubjectUserName": "-",
"LogonProcessName": "Kerberos",
"SubjectDomainName": "-",
"IpPort": "-"
},
"activity_id": "{DBC05D38-994B-0003-395D-C0DB4B99D901}",
"record_id": 131091844,
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"opcode": "Info",
"keywords": [
"Audit Success"
],
"provider_name": "Microsoft-Windows-Security-Auditing",
"task": "Logon",
"channel": "Security",
"computer_name": "VM-FOO.FOOBAR.NET",
"version": 2,
"event_id": 4624,
"api": "wineventlog"
},
"log": {
"level": "information"
},
"event": {
"code": 4624,
"kind": "event",
"action": "Logon",
"created": "2023-06-23T08:15:47.185Z"
},
"@version": "1",
"message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-776561741-920026266-725345543-12737\n\tAccount Name:\t\tFOO-FARM-ADMIN\n\tAccount Domain:\t\tFOOBAR.NET\n\tLogon ID:\t\t0x2374A6A43\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{FBEAEF6D-F1DA-F8AD-A2B2-A3A9AAC706AD}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
}
{
"fields.gdp-redis": "3",
"message": "File created:\nRuleName: technique_id=T1047,technique_name=File System Permissions Weakness\nUtcTime: 2023-10-19 11:22:01.885\nProcessGuid: {abcdef01-2345-6789-abcd-000000000000}\nProcessId: 4504\nImage: C:\\WINDOWS\\system32\\svchost.exe\nTargetFilename: C:\\Windows\\System32\\WinBioDatabase\\ABCD1234-E5F6-1234-ABCD-0123456789EF.ABC~DE123abcde.TMP\nCreationUtcTime: 2023-10-19 11:22:01.885\nUser: USER\\Syst\u00e8me",
"fields": {
"gdp-version-winlogbeat": 3.4,
"gdp-sousparc": "prod",
"gdp-version": "2.8",
"gdp-parc": "defaut",
"gdp-config": "desktop",
"gdp-version-sysmon": 15,
"gdp-indice": [
"l-desk",
"l-desk"
]
},
"@version": "1",
"log": {
"level": "information"
},
"type": "R3",
"agent": {
"id": "001234567-abcd-ef01-2345-6789abcdef01",
"ephemeral_id": "a0b1c2d3-0123-4567-abcd-e4f5a6b7c8d9",
"name": "WB-DK-PC01234567",
"type": "winlogbeat",
"version": "8.8.2"
},
"event": {
"provider": "Microsoft-Windows-Sysmon",
"action": "File created (rule: FileCreate)",
"created": "2023-10-19T11:22:03.054Z",
"kind": "event",
"code": "11"
},
"event_ingest_logstash": "2023-10-19T11:22:03.810843Z",
"fields.gdp-logstash": "6",
"winlog": {
"process": {
"thread": {
"id": 7408
},
"pid": 4524
},
"user": {
"name": "Syst\u00e8me",
"type": "Well Known Group",
"identifier": "S-1-2-3",
"domain": "USER"
},
"event_id": "11",
"api": "wineventlog",
"record_id": 5103594,
"provider_name": "Microsoft-Windows-Sysmon",
"version": 2,
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"task": "File created (rule: FileCreate)",
"channel": "Microsoft-Windows-Sysmon/Operational",
"event_data": {
"TargetFilename": "C:\\Windows\\System32\\WinBioDatabase\\ABCD1234-E5F6-1234-ABCD-0123456789EF.ABC~DE123abcde.TMP",
"UtcTime": "2023-10-19 11:22:01.885",
"User": "USER\\Syst\u00e8me",
"ProcessId": "4504",
"ProcessGuid": "{abcdef01-2345-6789-abcd-000000000000}",
"Image": "C:\\WINDOWS\\system32\\svchost.exe",
"CreationUtcTime": "2023-10-19 11:22:01.885",
"RuleName": "technique_id=T1047,technique_name=File System Permissions Weakness"
},
"computer_name": "PC01234567.company.com",
"opcode": "Informations"
},
"ecs": {
"version": "8.0.0"
},
"host": {
"id": "a0b1c2d3-0123-abcd-0a1b-abcd0123ef45",
"name": "PC01234567",
"mac": [
"00:11:22:33:44:55",
"AA:BB:CC:DD:EE:FF",
"A0:B1:C2:D3:E4:F5",
"66:77:88:99:00:11",
"01:23:45:67:89:AB",
"AB:CD:EF:01:23:45"
],
"hostname": "PC01234567",
"os": {
"name": "Windows 10 Enterprise",
"platform": "windows",
"version": "10.0",
"kernel": "10.0.19041.3448 (WinBuild.160101.0800)",
"build": "19045.3448",
"type": "windows",
"family": "windows"
},
"ip": [
"a123::b234:c345:d456:e567",
"8.8.8.8",
"abcd::ef01:2345:6789:abcd",
"1.2.3.4",
"a0b1::c2d3:e4f5:0123:abcd",
"10.20.30.40",
"aabb::ccdd:eeff:0011:2233",
"0.0.0.0",
"1122::3344:5566:7788:9900",
"5.6.7.8",
"0011::2233:4455:6677:8899",
"40.30.20.10"
],
"architecture": "x86_64"
},
"@timestamp": "2023-10-19T11:22:01.893Z"
}
{
"winlog": {
"event_data": {
"Product": "Microsoft Teams",
"RuleName": "technique_id=T1036,technique_name=Masquerading",
"CommandLine": "\"C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\" --type=renderer --enable-wer --user-data-dir=\"C:\\Users\\asmithee\\AppData\\Roaming\\Microsoft\\Teams\" --ms-teams-less-cors=522133263 --app-user-model-id=com.squirrel.Teams.Teams --app-path=\"C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\resources\\app.test\" --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --lang=fr --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=89 --launch-time-ticks=212569133487 --mojo-platform-channel-handle=6672 --field-trial-handle=1780,i,5843992499021049077,4525004813667802135,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1",
"FileVersion": "1.6.00.27573",
"ParentCommandLine": "\"C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\" ",
"LogonGuid": "{abcdef01-b1c2-d3c4-1234-123400000000}",
"ParentProcessGuid": "{10fecdba-1234-abcd-0a1b-000000000000}",
"Hashes": "SHA1=68D25B5F5A57CF5DC0D63644338C04EA906D472B,MD5=89B717809A5A49D19E7E06746982BF0B,SHA256=2024533463DF3C945A74C774858285915FFB4E083031B51B8135BBBF5E8FC5EE,IMPHASH=00590C8FDC1F372F8DB1D3F49D342D34",
"User": "COMPANY\\asmithee",
"ProcessId": "4980",
"LogonId": "0x1234abc",
"ProcessGuid": "{10fecdba-1234-abcd-0a1b-000000000000}",
"Description": "Microsoft Teams",
"OriginalFileName": "Teams.exe",
"Image": "C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
"CurrentDirectory": "C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\",
"ParentImage": "C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
"IntegrityLevel": "Low",
"ParentProcessId": "1124",
"Company": "Microsoft Corporation",
"TerminalSessionId": "1",
"UtcTime": "2023-10-17 12:03:14.183",
"ParentUser": "COMPANY\\asmithee"
},
"task": "Process Create (rule: ProcessCreate)",
"channel": "Microsoft-Windows-Sysmon/Operational",
"user": {
"name": "Syst\u00e8me",
"identifier": "S-1-2-3",
"type": "Well Known Group",
"domain": "Domain"
},
"event_id": "1",
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"process": {
"thread": {
"id": 5760
},
"pid": 3852
},
"api": "wineventlog",
"version": 5,
"computer_name": "PC01234567.company.com",
"record_id": 9359683,
"provider_name": "Microsoft-Windows-Sysmon",
"opcode": "Informations"
},
"message": "Process Create:\nRuleName: technique_id=T1036,technique_name=Masquerading\nUtcTime: 2023-10-17 12:03:14.183\nProcessGuid: {10fecdba-1234-abcd-0a1b-000000000000}\nProcessId: 4980\nImage: C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\nFileVersion: 1.6.00.27573\nDescription: Microsoft Teams\nProduct: Microsoft Teams\nCompany: Microsoft Corporation\nOriginalFileName: Teams.exe\nCommandLine: \"C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\" --type=renderer --enable-wer --user-data-dir=\"C:\\Users\\asmithee\\AppData\\Roaming\\Microsoft\\Teams\" --ms-teams-less-cors=522133263 --app-user-model-id=com.squirrel.Teams.Teams --app-path=\"C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\resources\\app.test\" --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --lang=fr --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=89 --launch-time-ticks=212569133487 --mojo-platform-channel-handle=6672 --field-trial-handle=1780,i,5843992499021049077,4525004813667802135,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1\nCurrentDirectory: C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\\nUser: COMPANY\\asmithee\nLogonGuid: {abcdef01-b1c2-d3c4-1234-123400000000}\nLogonId: 0x1234abc\nTerminalSessionId: 1\nIntegrityLevel: Low\nHashes: SHA1=68D25B5F5A57CF5DC0D63644338C04EA906D472B,MD5=89B717809A5A49D19E7E06746982BF0B,SHA256=2024533463DF3C945A74C774858285915FFB4E083031B51B8135BBBF5E8FC5EE,IMPHASH=00590C8FDC1F372F8DB1D3F49D342D34\nParentProcessGuid: {10fecdba-1234-abcd-0a1b-000000000000}\nParentProcessId: 1124\nParentImage: 
C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\nParentCommandLine: \"C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\" \nParentUser: COMPANY\\asmithee",
"event_ingest_logstash": "2023-10-17T12:03:18.802068Z",
"fields.gdp-logstash": "6",
"event": {
"kind": "event",
"provider": "Microsoft-Windows-Sysmon",
"created": "2023-10-17T12:03:17.092Z",
"code": "1",
"action": "Process Create (rule: ProcessCreate)"
},
"@version": "1",
"log": {
"level": "information"
},
"ecs": {
"version": "8.0.0"
},
"@timestamp": "2023-10-17T12:03:15.436Z",
"fields.gdp-redis": "2",
"fields": {
"gdp-parc": "defaut",
"gdp-version-winlogbeat": 3.4,
"gdp-indice": [
"l-desk",
"l-desk"
],
"gdp-sousparc": "prod",
"gdp-version": "2.8",
"gdp-config": "desktop",
"gdp-version-sysmon": 15
},
"host": {
"os": {
"platform": "windows",
"name": "Windows 10 Enterprise",
"version": "10.0",
"kernel": "10.0.19041.3448 (WinBuild.160101.0800)",
"build": "19045.3448",
"family": "windows",
"type": "windows"
},
"mac": [
"A1-B2-C3-D4-E5-F6"
],
"name": "PC01234567",
"id": "a0b1c2d3-0123-abcd-0a1b-abcd0123ef45",
"hostname": "PC01234567",
"architecture": "x86_64",
"ip": [
"a123::b234:c345:d456:e567",
"8.8.8.8"
]
},
"type": "R2",
"agent": {
"id": "01234567-abcd-ef01-2345-6789abcdef01",
"name": "WB-DK-PC01234567",
"version": "8.8.2",
"ephemeral_id": "a0b1c2d3-0123-4567-abcd-e4f5a6b7c8d9",
"type": "winlogbeat"
}
}
{
"winlog": {
"event_data": {
"IntegrityLevel": "Low",
"Product": "Microsoft Teams",
"Description": "Microsoft Teams",
"LogonId": "0x1234abc",
"TerminalSessionId": "1",
"FileVersion": "1.6.00.27573",
"LogonGuid": "{abcdef01-b1c2-d3c4-1234-123400000000}",
"Company": "Microsoft Corporation",
"ParentUser": "COMPANY\\asmithee"
},
"task": "Process Create (rule: ProcessCreate)",
"channel": "Microsoft-Windows-Sysmon/Operational",
"user": {
"name": "Syst\u00e8me",
"identifier": "S-1-2-3",
"type": "User",
"domain": "DOMAIN"
},
"api": "wineventlog",
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"process": {
"thread": {
"id": 7248
},
"pid": 5624
},
"event_id": "1",
"version": 5,
"computer_name": "PC01234567.company.com",
"record_id": 67177799,
"opcode": "Informations",
"provider_name": "Microsoft-Windows-Sysmon"
},
"message": "Process Create:\nRuleName: technique_id=T1036,technique_name=Masquerading\nUtcTime: 2023-10-17 12:05:25.091\nProcessGuid: {1c03cf6e-7885-652e-190c-00000000fa00}\nProcessId: 27804\nImage: C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\nFileVersion: 1.6.00.27573\nDescription: Microsoft Teams\nProduct: Microsoft Teams\nCompany: Microsoft Corporation\nOriginalFileName: Teams.exe\nCommandLine: \"C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\" --type=renderer --enable-wer --user-data-dir=\"C:\\Users\\asmithee\\AppData\\Roaming\\Microsoft\\Teams\" --ms-teams-less-cors=522133263 --app-user-model-id=com.squirrel.Teams.Teams --app-path=\"C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\resources\\app.test\" --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --lang=fr --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=196 --launch-time-ticks=17880973283 --mojo-platform-channel-handle=2520 --field-trial-handle=1808,i,7578868639254466484,17758186584081941877,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1\nCurrentDirectory: C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\\nUser: COMPANY\\asmithee\nLogonGuid: {abcdef01-b1c2-d3c4-1234-123400000000}\nLogonId: 0x1234ABC\nTerminalSessionId: 1\nIntegrityLevel: Low\nHashes: SHA1=68D25B5F5A57CF5DC0D63644338C04EA906D472B,MD5=89B717809A5A49D19E7E06746982BF0B,SHA256=2024533463DF3C945A74C774858285915FFB4E083031B51B8135BBBF5E8FC5EE,IMPHASH=00590C8FDC1F372F8DB1D3F49D342D34\nParentProcessGuid: {1c03cf6e-331c-652e-b001-00000000fa00}\nParentProcessId: 17772\nParentImage: 
C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\nParentCommandLine: \"C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\" --system-initiated\nParentUser: COMPANY\\asmithee",
"hash": {
"sha256": "2024533463df3c945a74c774858285915ffb4e083031b51b8135bbbf5e8fc5ee",
"sha1": "68d25b5f5a57cf5dc0d63644338c04ea906d472b",
"md5": "89b717809a5a49d19e7e06746982bf0b",
"imphash": "00590c8fdc1f372f8db1d3f49d342d34"
},
"event_ingest_logstash": "2023-10-17T12:05:27.363678Z",
"fields.gdp-logstash": "6",
"user": {
"name": "asmithee",
"id": "S-1-2-3",
"domain": "COMPANY"
},
"event": {
"created": "2023-10-17T12:05:26.268Z",
"kind": "event",
"provider": "Microsoft-Windows-Sysmon",
"category": [
"process"
],
"code": "1",
"module": "sysmon",
"action": "Process Create (rule: ProcessCreate)",
"type": [
"start",
"process_start"
]
},
"process": {
"name": "Teams.exe",
"args": [
"C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
"--type=renderer",
"--enable-wer",
"--user-data-dir=C:\\Users\\asmithee\\AppData\\Roaming\\Microsoft\\Teams",
"--ms-teams-less-cors=522133263",
"--app-user-model-id=com.squirrel.Teams.Teams",
"--app-path=C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\resources\\app.test",
"--autoplay-policy=no-user-gesture-required",
"--disable-background-timer-throttling",
"--lang=fr",
"--device-scale-factor=1.25",
"--num-raster-threads=4",
"--enable-main-frame-before-activation",
"--renderer-client-id=196",
"--launch-time-ticks=17880973283",
"--mojo-platform-channel-handle=2520",
"--field-trial-handle=1808,i,7578868639254466484,17758186584081941877,131072",
"--enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker",
"--disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand",
"/prefetch:1"
],
"hash": {
"sha256": "2024533463df3c945a74c774858285915ffb4e083031b51b8135bbbf5e8fc5ee",
"sha1": "68d25b5f5a57cf5dc0d63644338c04ea906d472b",
"md5": "89b717809a5a49d19e7e06746982bf0b"
},
"entity_id": "{abcdef01-2345-6789-abcd-000000000000}",
"command_line": "\"C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\" --type=renderer --enable-wer --user-data-dir=\"C:\\Users\\asmithee\\AppData\\Roaming\\Microsoft\\Teams\" --ms-teams-less-cors=522133263 --app-user-model-id=com.squirrel.Teams.Teams --app-path=\"C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\resources\\app.test\" --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --lang=fr --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=196 --launch-time-ticks=17880973283 --mojo-platform-channel-handle=2520 --field-trial-handle=1808,i,7578868639254466484,17758186584081941877,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1",
"pe": {
"description": "Microsoft Teams",
"company": "Microsoft Corporation",
"file_version": "1.6.00.27573",
"imphash": "00590c8fdc1f372f8db1d3f49d342d34",
"original_file_name": "Teams.exe",
"product": "Microsoft Teams"
},
"parent": {
"name": "Teams.exe",
"args": [
"C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
"--system-initiated"
],
"entity_id": "{abcdef01-2345-6789-abcd-000000000000}",
"command_line": "\"C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\" --system-initiated",
"pid": 17772,
"executable": "C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe"
},
"pid": 27804,
"working_directory": "C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\",
"executable": "C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe"
},
"@version": "1",
"log": {
"level": "information"
},
"rule": {
"name": "technique_id=T1036,technique_name=Masquerading"
},
"related": {
"hash": [
"68d25b5f5a57cf5dc0d63644338c04ea906d472b",
"89b717809a5a49d19e7e06746982bf0b",
"2024533463df3c945a74c774858285915ffb4e083031b51b8135bbbf5e8fc5ee",
"00590c8fdc1f372f8db1d3f49d342d34"
],
"user": "asmithee"
},
"ecs": {
"version": "1.12.0"
},
"@timestamp": "2023-10-17T12:05:25.091Z",
"fields": {
"gdp-version-sysmon": 13.33,
"gdp-version-winlogbeat": 2.8,
"gdp-indice": "l-desk",
"gdp-sousparc": "prod",
"gdp-config": "desktop",
"gdp-version": "1.16",
"gdp-parc": "defaut"
},
"host": {
"id": "a0b1c2d3-0123-abcd-0a1b-abcd0123ef45",
"name": "PC01234567.company.com",
"mac": [
"00:11:22:33:44:55",
"aa:bb:cc:dd:ee:ff",
"a0:b1:c2:d3:e4:f5",
"66:77:88:99:00:11",
"01:23:45:67:89:ab",
"ab:cd:ef:01:23:45"
],
"os": {
"platform": "windows",
"name": "Windows 10 Enterprise",
"version": "10.0",
"kernel": "10.0.19041.3570 (WinBuild.160101.0800)",
"build": "19044.3570",
"type": "windows",
"family": "windows"
},
"hostname": "PC01234567",
"architecture": "x86_64",
"ip": [
"a123::b234:c345:d456:e567",
"8.8.8.8",
"abcd::ef01:2345:6789:abcd",
"1.2.3.4",
"a0b1::c2d3:e4f5:0123:abcd",
"10.20.30.40",
"aabb::ccdd:eeff:0011:2233",
"0.0.0.0",
"1122::3344:5566:7788:9900",
"5.6.7.8",
"0011::2233:4455:6677:8899",
"40.30.20.10"
]
},
"tags": [
"beats_input_codec_plain_applied"
],
"agent": {
"id": "001234567-abcd-ef01-2345-6789abcdef01",
"name": "WB-DK-PC01234567",
"version": "7.17.1",
"ephemeral_id": "a0b1c2d3-0123-4567-abcd-e4f5a6b7c8d9",
"hostname": "PC01234567",
"type": "winlogbeat"
}
}
{
"winlog": {
"event_data": {
"TargetObject": "target\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-2-3-4-012345678-123456789-876543210-12345\\\\Device\\HarddiskVolume3\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
"Details": "Binary Data",
"User": "COMPANY\\asmithee",
"EventType": "SetValue"
},
"task": "Registry value set (rule: RegistryEvent)",
"channel": "Microsoft-Windows-Sysmon/Operational",
"api": "wineventlog",
"user": {
"name": "Syst\u00e8me",
"identifier": "S-1-2-3",
"type": "User",
"domain": "DOMAIN"
},
"event_id": "13",
"process": {
"thread": {
"id": 7248
},
"pid": 5624
},
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"version": 2,
"computer_name": "PC01234567.company.com",
"record_id": 67193809,
"provider_name": "Microsoft-Windows-Sysmon",
"opcode": "Informations"
},
"message": "Registry value set:\nRuleName: technique_id=T1543,technique_name=Service Creation\nEventType: SetValue\nUtcTime: 2023-10-17 14:01:17.244\nProcessGuid: {abcdef01-2345-6789-abcd-000000000000}\nProcessId: 17772\nImage: C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\nTargetObject: target\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-2-3-4-012345678-123456789-876543210-12345\\\\Device\\HarddiskVolume3\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\nDetails: Binary Data\nUser: COMPANY\\asmithee",
"event_ingest_logstash": "2023-10-17T14:01:18.423152Z",
"fields.gdp-logstash": "6",
"event": {
"created": "2023-10-17T14:01:17.717Z",
"kind": "event",
"category": [
"configuration",
"registry"
],
"provider": "Microsoft-Windows-Sysmon",
"action": "Registry value set (rule: RegistryEvent)",
"module": "sysmon",
"code": "13",
"type": [
"change"
]
},
"process": {
"name": "Teams.exe",
"pid": 17772,
"entity_id": "{abcdef01-2345-6789-abcd-000000000000}",
"executable": "C:\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe"
},
"@version": "1",
"log": {
"level": "information"
},
"rule": {
"name": "technique_id=T1543,technique_name=Service Creation"
},
"ecs": {
"version": "1.12.0"
},
"@timestamp": "2023-10-17T14:01:17.244Z",
"fields": {
"gdp-version-sysmon": 13.33,
"gdp-version-winlogbeat": 2.8,
"gdp-indice": "l-desk",
"gdp-sousparc": "prod",
"gdp-version": "1.16",
"gdp-config": "desktop",
"gdp-parc": "defaut"
},
"host": {
"name": "PC01234567.company.com",
"mac": [
"00:11:22:33:44:55",
"aa:bb:cc:dd:ee:ff",
"a0:b1:c2:d3:e4:f5",
"66:77:88:99:00:11",
"01:23:45:67:89:ab",
"ab:cd:ef:01:23:45"
],
"os": {
"name": "Windows 10 Enterprise",
"platform": "windows",
"version": "10.0",
"kernel": "10.0.19041.3570 (WinBuild.160101.0800)",
"build": "19044.3570",
"type": "windows",
"family": "windows"
},
"id": "a0b1c2d3-0123-abcd-0a1b-abcd0123ef45",
"hostname": "PC01234567",
"architecture": "x86_64",
"ip": [
"a123::b234:c345:d456:e567",
"8.8.8.8",
"abcd::ef01:2345:6789:abcd",
"1.2.3.4",
"a0b1::c2d3:e4f5:0123:abcd",
"10.20.30.40",
"aabb::ccdd:eeff:0011:2233",
"0.0.0.0",
"1122::3344:5566:7788:9900",
"5.6.7.8",
"0011::2233:4455:6677:8899",
"40.30.20.10"
]
},
"registry": {
"key": "System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-2-3-4-012345678-123456789-876543210-12345\\\\Device\\HarddiskVolume3\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
"path": "target\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-2-3-4-012345678-123456789-876543210-12345\\\\Device\\HarddiskVolume3\\Users\\asmithee\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
"hive": "target",
"value": "Teams.exe"
},
"tags": [
"beats_input_codec_plain_applied"
],
"agent": {
"id": "001234567-abcd-ef01-2345-6789abcdef01",
"name": "WB-DK-PC01234567",
"version": "7.17.1",
"ephemeral_id": "a0b1c2d3-0123-4567-abcd-e4f5a6b7c8d9",
"hostname": "PC01234567",
"type": "winlogbeat"
}
}
{
"winlog": {
"event_data": {
"Details": "WORD (0x00000000-0x12345678)",
"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection\\TelLib\\LastSuccessfulUploadTime",
"User": "DOMAIN\\Syst\u00e8me",
"EventType": "SetValue"
},
"task": "Registry value set (rule: RegistryEvent)",
"channel": "Microsoft-Windows-Sysmon/Operational",
"api": "wineventlog",
"user": {
"name": "Syst\u00e8me",
"identifier": "S-1-2-3",
"type": "User",
"domain": "DOMAIN"
},
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"process": {
"thread": {
"id": 7248
},
"pid": 5624
},
"event_id": "13",
"version": 2,
"computer_name": "PC01234567.company.com",
"record_id": 67193778,
"opcode": "Informations",
"provider_name": "Microsoft-Windows-Sysmon"
},
"message": "Registry value set:\nRuleName: technique_id=T1089,technique_name=Disabling Security Tools\nEventType: SetValue\nUtcTime: 2023-10-17 14:00:56.524\nProcessGuid: {abcdef01-2345-6789-abcd-000000000000}\nProcessId: 5500\nImage: C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\nTargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection\\TelLib\\LastSuccessfulUploadTime\nDetails: WORD (0x00000000-0x12345678)\nUser: DOMAIN\\Syst\u00e8me",
"event_ingest_logstash": "2023-10-17T14:00:59.207219Z",
"fields.gdp-logstash": "6",
"event": {
"provider": "Microsoft-Windows-Sysmon",
"created": "2023-10-17T14:00:58.520Z",
"category": [
"configuration",
"registry"
],
"kind": "event",
"action": "Registry value set (rule: RegistryEvent)",
"module": "sysmon",
"code": "13",
"type": [
"change"
]
},
"process": {
"name": "MsSense.exe",
"pid": 5500,
"entity_id": "{abcdef01-2345-6789-abcd-000000000000}",
"executable": "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe"
},
"@version": "1",
"log": {
"level": "information"
},
"rule": {
"name": "technique_id=T1089,technique_name=Disabling Security Tools"
},
"ecs": {
"version": "1.12.0"
},
"@timestamp": "2023-10-17T14:00:56.524Z",
"fields": {
"gdp-parc": "defaut",
"gdp-version-winlogbeat": 2.8,
"gdp-indice": "l-desk",
"gdp-sousparc": "prod",
"gdp-config": "desktop",
"gdp-version": "1.16",
"gdp-version-sysmon": 13.33
},
"host": {
"os": {
"platform": "windows",
"name": "Windows 10 Enterprise",
"version": "10.0",
"kernel": "10.0.19041.3570 (WinBuild.160101.0800)",
"build": "19044.3570",
"type": "windows",
"family": "windows"
},
"name": "PC01234567.company.com",
"id": "a0b1c2d3-0123-abcd-0a1b-abcd0123ef45",
"mac": [
"00:11:22:33:44:55",
"aa:bb:cc:dd:ee:ff",
"a0:b1:c2:d3:e4:f5",
"66:77:88:99:00:11",
"01:23:45:67:89:ab",
"ab:cd:ef:01:23:45"
],
"hostname": "PC01234567",
"architecture": "x86_64",
"ip": [
"a123::b234:c345:d456:e567",
"8.8.8.8",
"abcd::ef01:2345:6789:abcd",
"1.2.3.4",
"a0b1::c2d3:e4f5:0123:abcd",
"10.20.30.40",
"aabb::ccdd:eeff:0011:2233",
"0.0.0.0",
"1122::3344:5566:7788:9900",
"5.6.7.8",
"0011::2233:4455:6677:8899",
"40.30.20.10"
]
},
"registry": {
"key": "SOFTWARE\\Microsoft\\Windows Advanced Threat Protection\\TelLib\\LastSuccessfulUploadTime",
"path": "HKLM\\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection\\TelLib\\LastSuccessfulUploadTime",
"hive": "HKLM",
"value": "LastSuccessfulUploadTime"
},
"tags": [
"beats_input_codec_plain_applied"
],
"agent": {
"id": "001234567-abcd-ef01-2345-6789abcdef01",
"name": "WB-DK-PC01234567",
"version": "7.17.1",
"ephemeral_id": "a0b1c2d3-0123-4567-abcd-e4f5a6b7c8d9",
"hostname": "PC01234567",
"type": "winlogbeat"
}
}
{
"@timestamp": "2020-05-14T07:00:30.8914235Z",
"ecs": {
"version": "1.12.0"
},
"event": {
"action": "Engine Lifecycle",
"category": "process",
"code": "400",
"ingested": "2022-06-08T06:07:25.791038Z",
"kind": "event",
"module": "powershell",
"provider": "PowerShell",
"sequence": 13,
"type": "start"
},
"host": {
"name": "vagrant"
},
"log": {
"level": "information"
},
"message": "Engine state is changed from None to Available. \\n\\nDetails: \\n\\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ServerRemoteHost\\n\\tHostVersion=1.0.0.0\\n\\tHostId=2458050c-5e21-47a6-bbdf-41ef2151b519\\n\\tHostApplication=C:\\\\Windows\\\\system32\\\\wsmprovhost.exe -Embedding\\n\\tEngineVersion=5.1.17763.1007\\n\\tRunspaceId=405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=",
"powershell": {
"engine": {
"new_state": "Available",
"previous_state": "None",
"version": "5.1.17763.1007"
},
"process": {
"executable_version": "1.0.0.0"
},
"runspace_id": "405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2"
},
"process": {
"args": [
"C:\\\\Windows\\\\system32\\\\wsmprovhost.exe",
"-Embedding"
],
"args_count": 2,
"command_line": "C:\\\\Windows\\\\system32\\\\wsmprovhost.exe -Embedding",
"entity_id": "2458050c-5e21-47a6-bbdf-41ef2151b519",
"title": "ServerRemoteHost"
},
"winlog": {
"api": "wineventlog",
"channel": "Windows PowerShell",
"computer_name": "vagrant",
"event_id": "400",
"keywords": [
"Classic"
],
"opcode": "Info",
"provider_name": "PowerShell",
"record_id": "1492",
"task": "Engine Lifecycle"
}
}
{
"@timestamp": "2020-06-04T07:20:28.6861939Z",
"ecs": {
"version": "1.12.0"
},
"event": {
"action": "Engine Lifecycle",
"category": "process",
"code": "403",
"ingested": "2022-06-08T06:07:25.874238900Z",
"kind": "event",
"module": "powershell",
"provider": "PowerShell",
"sequence": 10,
"type": "end"
},
"host": {
"name": "vagrant"
},
"log": {
"level": "information"
},
"message": "Engine state is changed from Available to Stopped. \\n\\nDetails: \\n\\tNewEngineState=Stopped\\n\\tPreviousEngineState=Available\\n\\n\\tSequenceNumber=10\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=2.0\\n\\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\\n\\tEngineVersion=2.0\\n\\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=",
"powershell": {
"engine": {
"new_state": "Stopped",
"previous_state": "Available",
"version": "2.0"
},
"process": {
"executable_version": "2.0"
},
"runspace_id": "6ebeca05-d618-4c66-a0d8-4269d800d099"
},
"process": {
"entity_id": "7018c049-c75b-4e02-9c0f-6761b97e1657",
"title": "ConsoleHost"
},
"winlog": {
"api": "wineventlog",
"channel": "Windows PowerShell",
"computer_name": "vagrant",
"event_id": "403",
"keywords": [
"Classic"
],
"opcode": "Info",
"provider_name": "PowerShell",
"record_id": "18592",
"task": "Engine Lifecycle"
}
}
{
"@timestamp": "2020-05-13T13:21:43.1831809Z",
"ecs": {
"version": "1.12.0"
},
"event": {
"action": "Provider Lifecycle",
"category": "process",
"code": "600",
"ingested": "2022-06-08T06:07:25.978294200Z",
"kind": "event",
"module": "powershell",
"provider": "PowerShell",
"sequence": 35,
"type": "info"
},
"host": {
"name": "vagrant"
},
"log": {
"level": "information"
},
"message": "Provider \"Certificate\" is Started. \\n\\nDetails: \\n\\tProviderName=Certificate\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=35\\n\\n\\tHostName=Windows PowerShell ISE Host\\n\\tHostVersion=5.1.17763.1007\\n\\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe C:\\\\Users\\\\vagrant\\\\Desktop\\\\lateral.ps1\\n\\tEngineVersion=5.1.17763.1007\\n\\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\\n\\tPipelineId=15\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=",
"powershell": {
"engine": {
"version": "5.1.17763.1007"
},
"pipeline_id": "15",
"process": {
"executable_version": "5.1.17763.1007"
},
"provider": {
"name": "Certificate",
"new_state": "Started"
},
"runspace_id": "9d21da0b-e402-40e1-92ff-98c5ab1137a9"
},
"process": {
"args": [
"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe",
"C:\\\\Users\\\\vagrant\\\\Desktop\\\\lateral.ps1"
],
"args_count": 2,
"command_line": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe C:\\\\Users\\\\vagrant\\\\Desktop\\\\lateral.ps1",
"entity_id": "86edc16f-6943-469e-8bd8-ef1857080206",
"title": "Windows PowerShell ISE Host"
},
"winlog": {
"api": "wineventlog",
"channel": "Windows PowerShell",
"computer_name": "vagrant",
"event_id": "600",
"keywords": [
"Classic"
],
"opcode": "Info",
"provider_name": "PowerShell",
"record_id": "1089",
"task": "Provider Lifecycle"
}
}
{
"@timestamp": "2020-05-15T08:33:26.393089Z",
"ecs": {
"version": "1.12.0"
},
"event": {
"action": "Pipeline Execution Details",
"category": "process",
"code": "800",
"ingested": "2022-06-08T06:07:25.991832300Z",
"kind": "event",
"module": "powershell",
"provider": "PowerShell",
"sequence": 141,
"type": "info"
},
"host": {
"name": "vagrant"
},
"log": {
"level": "information"
},
"message": "Pipeline execution details for command line: Import-LocalizedData LocalizedData -filename ArchiveResources\n. \n\nContext Information: \n\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=141\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=Import-LocalizedData LocalizedData -filename ArchiveResources\n \n\nDetails: \nCommandInvocation(Import-LocalizedData): \"Import-LocalizedData\"\nParameterBinding(Import-LocalizedData): name=\"FileName\"; value=\"ArchiveResources\"\nParameterBinding(Import-LocalizedData): name=\"BindingVariable\"; value=\"LocalizedData\"\nNonTerminatingError(Import-LocalizedData): \"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"",
"powershell": {
"command": {
"invocation_details": [
{
"related_command": "Import-LocalizedData",
"type": "CommandInvocation",
"value": "\"Import-LocalizedData\""
},
{
"name": "\"FileName\"",
"related_command": "Import-LocalizedData",
"type": "ParameterBinding",
"value": "\"ArchiveResources\""
},
{
"name": "\"BindingVariable\"",
"related_command": "Import-LocalizedData",
"type": "ParameterBinding",
"value": "\"LocalizedData\""
},
{
"related_command": "Import-LocalizedData",
"type": "NonTerminatingError",
"value": "\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\""
}
],
"value": "Import-LocalizedData LocalizedData -filename ArchiveResources"
},
"engine": {
"version": "5.1.17763.1007"
},
"pipeline_id": "71",
"process": {
"executable_version": "5.1.17763.1007"
},
"runspace_id": "a87e8389-57c7-4997-95ff-f82f644965bf",
"sequence": 1,
"total": 1
},
"process": {
"args": [
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"-noexit",
"-command",
"'C:\\Gopath\\src\\github.com\\elastic\\beats'"
],
"args_count": 4,
"command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'",
"entity_id": "aae5217d-054f-435f-9968-4b5bebf12116",
"title": "ConsoleHost"
},
"related": {
"user": [
"vagrant"
]
},
"user": {
"domain": "VAGRANT",
"name": "vagrant"
},
"winlog": {
"api": "wineventlog",
"channel": "Windows PowerShell",
"computer_name": "vagrant",
"event_id": "800",
"keywords": [
"Classic"
],
"opcode": "Info",
"provider_name": "PowerShell",
"record_id": "1846",
"task": "Pipeline Execution Details"
}
}
{
"@timestamp": "2020-05-15T08:11:47.8979495Z",
"destination": {
"user": {
"domain": "VAGRANT",
"name": "vagrant"
}
},
"ecs": {
"version": "1.12.0"
},
"event": {
"action": "Executing Pipeline",
"category": "process",
"code": "4103",
"ingested": "2022-06-08T06:07:25.896041700Z",
"kind": "event",
"module": "powershell",
"provider": "Microsoft-Windows-PowerShell",
"sequence": 34,
"type": "info"
},
"host": {
"name": "vagrant"
},
"log": {
"level": "information"
},
"message": "CommandInvocation(cmd.exe): \"cmd.exe\"\nCommandInvocation(Out-Null): \"Out-Null\"\nParameterBinding(Out-Null): name=\"InputObject\"; value=\"symbolic link created for C:\\vagrant <<===>> \\\\vboxsvr\\vagrant\"\n\n\nContext:\n Severity = Informational\n Host Name = ServerRemoteHost\n Host Version = 1.0.0.0\n Host ID = ed57761b-ba0f-4d11-87d9-fac33820d20e\n Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n Engine Version = 5.1.17763.1007\n Runspace ID = 0729459a-8646-4176-8b02-024421a9632e\n Pipeline ID = 1\n Command Name = cmd.exe\n Command Type = Application\n Script Name = \n Command Path = C:\\Windows\\system32\\cmd.exe\n Sequence Number = 34\n User = VAGRANT\\vagrant\n Connected User = VAGRANT\\vagrant\n Shell ID = Microsoft.PowerShell\n\n\nUser Data:",
"powershell": {
"command": {
"invocation_details": [
{
"related_command": "cmd.exe",
"type": "CommandInvocation",
"value": "\"cmd.exe\""
},
{
"related_command": "Out-Null",
"type": "CommandInvocation",
"value": "\"Out-Null\""
},
{
"name": "\"InputObject\"",
"related_command": "Out-Null",
"type": "ParameterBinding",
"value": "\"symbolic link created for C:\\vagrant <<===>> \\\\vboxsvr\\vagrant\""
}
],
"name": "cmd.exe",
"path": "C:\\Windows\\system32\\cmd.exe",
"type": "Application"
},
"engine": {
"version": "5.1.17763.1007"
},
"id": "Microsoft.PowerShell",
"pipeline_id": "1",
"process": {
"executable_version": "1.0.0.0"
},
"runspace_id": "0729459a-8646-4176-8b02-024421a9632e"
},
"process": {
"args": [
"C:\\Windows\\system32\\wsmprovhost.exe",
"-Embedding"
],
"args_count": 2,
"command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding",
"entity_id": "ed57761b-ba0f-4d11-87d9-fac33820d20e",
"title": "ServerRemoteHost"
},
"related": {
"user": [
"vagrant"
]
},
"source": {
"user": {
"domain": "VAGRANT",
"name": "vagrant"
}
},
"user": {
"domain": "VAGRANT",
"id": "S-1-5-21-1350058589-2282154016-2764056528-1000",
"name": "vagrant"
},
"winlog": {
"activity_id": "{1aca0717-2acb-0002-c208-ca1acb2ad601}",
"api": "wineventlog",
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer_name": "vagrant",
"event_id": "4103",
"opcode": "To be used when operation is just executing a method",
"process": {
"pid": 3984,
"thread": {
"id": 3616
}
},
"provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
"provider_name": "Microsoft-Windows-PowerShell",
"record_id": "3885",
"task": "Executing Pipeline",
"user": {
"identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000"
},
"version": 1
}
}
{
"@timestamp": "2020-05-14T11:33:51.3938848Z",
"ecs": {
"version": "1.12.0"
},
"event": {
"action": "Execute a Remote Command",
"category": "process",
"code": "4104",
"ingested": "2022-06-08T06:07:25.944391600Z",
"kind": "event",
"module": "powershell",
"provider": "Microsoft-Windows-PowerShell",
"type": "info"
},
"file": {
"directory": "C:\\\\Users\\\\vagrant\\\\Desktop",
"extension": "ps1",
"name": "patata.ps1",
"path": "C:\\\\Users\\\\vagrant\\\\Desktop\\\\patata.ps1"
},
"host": {
"name": "vagrant"
},
"log": {
"level": "verbose"
},
"message": "Creating Scriptblock text (1 of 1):\\n\\n\\nScriptBlock ID: f5521cbd-656e-4296-b74d-9ffb4eec23b0\\nPath: C:\\\\Users\\\\vagrant\\\\Desktop\\\\patata.ps1",
"powershell": {
"file": {
"script_block_id": "f5521cbd-656e-4296-b74d-9ffb4eec23b0"
},
"sequence": 1,
"total": 1
},
"user": {
"id": "S-1-5-21-1350058589-2282154016-2764056528-1000"
},
"winlog": {
"activity_id": "{fb13c9de-29f7-0000-79db-13fbf729d601}",
"api": "wineventlog",
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer_name": "vagrant",
"event_id": "4104",
"opcode": "On create calls",
"process": {
"pid": 4844,
"thread": {
"id": 4428
}
},
"provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
"provider_name": "Microsoft-Windows-PowerShell",
"record_id": "3582",
"task": "Execute a Remote Command",
"user": {
"identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000"
},
"version": 1
}
}
{
"@timestamp": "2020-05-13T09:04:04.7552325Z",
"ecs": {
"version": "1.12.0"
},
"event": {
"action": "Starting Command",
"category": "process",
"code": "4105",
"ingested": "2022-06-08T06:07:25.962029500Z",
"kind": "event",
"module": "powershell",
"provider": "Microsoft-Windows-PowerShell",
"type": "start"
},
"host": {
"name": "vagrant"
},
"log": {
"level": "verbose"
},
"message": "Started invocation of ScriptBlock ID: f4a378ab-b74f-41a7-a5ef-6dd55562fdb9\\nRunspace ID: 9c031e5c-8d5a-4b91-a12e-b3624970b623",
"powershell": {
"file": {
"script_block_id": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9"
},
"runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623"
},
"user": {
"id": "S-1-5-21-1350058589-2282154016-2764056528-1000"
},
"winlog": {
"activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}",
"api": "wineventlog",
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer_name": "vagrant",
"event_id": "4105",
"opcode": "On create calls",
"process": {
"pid": 4204,
"thread": {
"id": 1476
}
},
"provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
"provider_name": "Microsoft-Windows-PowerShell",
"record_id": "790",
"task": "Starting Command",
"user": {
"identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000"
},
"version": 1
}
}
{
"@timestamp": "2020-05-13T10:40:32.5957152Z",
"ecs": {
"version": "1.12.0"
},
"event": {
"action": "Stopping Command",
"category": "process",
"code": "4106",
"ingested": "2022-06-08T06:07:25.970830900Z",
"kind": "event",
"module": "powershell",
"provider": "Microsoft-Windows-PowerShell",
"type": "end"
},
"host": {
"name": "vagrant"
},
"log": {
"level": "verbose"
},
"message": "Completed invocation of ScriptBlock ID: 4c487c13-46f7-4485-925b-34855c7e873c\\nRunspace ID: 3f1a9181-0523-4645-a42c-2c1868c39332",
"powershell": {
"file": {
"script_block_id": "4c487c13-46f7-4485-925b-34855c7e873c"
},
"runspace_id": "3f1a9181-0523-4645-a42c-2c1868c39332"
},
"user": {
"id": "S-1-5-21-1350058589-2282154016-2764056528-1000"
},
"winlog": {
"activity_id": "{e3200b8a-290e-0002-332a-20e30e29d601}",
"api": "wineventlog",
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer_name": "vagrant",
"event_id": "4106",
"opcode": "On create calls",
"process": {
"pid": 4776,
"thread": {
"id": 5092
}
},
"provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
"provider_name": "Microsoft-Windows-PowerShell",
"record_id": "933",
"task": "Stopping Command",
"user": {
"identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000"
},
"version": 1
}
}
{
"@timestamp": "2019-11-07T10:37:04.2260925Z",
"ecs": {
"version": "1.12.0"
},
"event": {
"action": "logging-service-shutdown",
"category": [
"process"
],
"code": "1100",
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Eventlog",
"type": [
"end"
]
},
"host": {
"name": "WIN-41OB2LO92CR.wlbeat.local"
},
"log": {
"level": "information"
},
"message": "The event logging service has shut down.",
"winlog": {
"api": "wineventlog",
"channel": "Security",
"computer_name": "WIN-41OB2LO92CR.wlbeat.local",
"event_id": "1100",
"keywords": [
"Audit Success"
],
"opcode": "Info",
"process": {
"pid": 1144,
"thread": {
"id": 4532
}
},
"provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
"provider_name": "Microsoft-Windows-Eventlog",
"record_id": "14257",
"task": "Service shutdown"
}
}
{
"@timestamp": "2019-11-07T10:34:29.0559196Z",
"ecs": {
"version": "1.12.0"
},
"event": {
"action": "audit-log-cleared",
"category": [
"iam"
],
"code": "1102",
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Eventlog",
"type": [
"admin",
"change"
]
},
"host": {
"name": "WIN-41OB2LO92CR.wlbeat.local"
},
"log": {
"level": "information"
},
"message": "The audit log was cleared.\nSubject:\n\tSecurity ID:\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\tAdministrator\n\tDomain Name:\tWLBEAT\n\tLogon ID:\t0x50E87",
"related": {
"user": [
"Administrator"
]
},
"user": {
"domain": "WLBEAT",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
"name": "Administrator"
},
"winlog": {
"api": "wineventlog",
"channel": "Security",
"computer_name": "WIN-41OB2LO92CR.wlbeat.local",
"event_id": "1102",
"keywords": [
"Audit Success"
],
"logon": {
"id": "0x50e87"
},
"opcode": "Info",
"process": {
"pid": 1144,
"thread": {
"id": 1824
}
},
"provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
"provider_name": "Microsoft-Windows-Eventlog",
"record_id": "14224",
"task": "Log clear",
"user_data": {
"SubjectDomainName": "WLBEAT",
"SubjectLogonId": "0x50e87",
"SubjectUserName": "Administrator",
"SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
"xml_name": "LogFileCleared"
}
}
}
{
"agent": {
"version": "7.0.0",
"hostname": "hostname",
"id": "abcd1234-abcd-1234-ef56-abcdef123456",
"ephemeral_id": "12345678-1234-5678-9012-123456789012",
"type": "winlogbeat"
},
"host": {
"hostname": "hostname",
"os": {
"version": "10.0",
"build": "17763.6414",
"family": "windows",
"kernel": "10.0.17763.6414 (WinBuild.160101.0800)",
"platform": "windows",
"name": "Windows Server 2019 Datacenter"
},
"id": "abcdefab-1234-5678-9012-abcdefabcdef",
"name": "hostname",
"architecture": "x86_64"
},
"type": "winlogbeat",
"ecs": {
"version": "1.0.0"
},
"event": {
"created": "2024-11-12T08:41:07.164Z",
"action": "Logon",
"code": 4624,
"kind": "event"
},
"tags": [
"beats_input_codec_plain_applied"
],
"winlog": {
"keywords": [
"Audit Success"
],
"api": "wineventlog",
"version": 2,
"process": {
"pid": 752,
"thread": {
"id": 7960
}
},
"record_id": 1170100815,
"event_data": {
"TargetLinkedLogonId": "0x0",
"IpPort": "29051",
"TargetOutboundUserName": "-",
"ImpersonationLevel": "%%1833",
"TargetDomainName": "DOMAIN",
"TargetOutboundDomainName": "-",
"IpAddress": "1.2.3.4",
"LogonProcessName": "Process ",
"WorkstationName": "WS-USER-01",
"LmPackageName": "-",
"SubjectUserSid": "S-1-2-3",
"ProcessId": "0x2f0",
"VirtualAccount": "%%1843",
"SubjectLogonId": "0x3e7",
"KeyLength": "0",
"RestrictedAdminMode": "-",
"TargetUserSid": "S-4-5-6",
"ElevatedToken": "%%1843",
"SubjectUserName": "WS-USER-01$",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"TransmittedServices": "-",
"LogonType": "3",
"SubjectDomainName": "DOMAIN",
"TargetUserName": "target_user",
"ProcessName": "C:\\Windows\\System32\\executable.exe",
"TargetLogonId": "0xfcebb74a",
"AuthenticationPackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"
},
"event_id": 4624,
"computer_name": "hostname.company.com",
"channel": "Security",
"task": "Logon",
"provider_name": "Microsoft-Windows-Security-Auditing",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"opcode": "Info"
},
"log": {
"level": "information"
},
"message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tWS-USER-01$\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3E7\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tNo\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-4-5-6\n\tAccount Name:\t\ttarget_user\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0xFCEBB74A\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x2f0\n\tProcess Name:\t\tC:\\Windows\\System32\\executable.exe\n\nNetwork Information:\n\tWorkstation Name:\tWS-USER-01\n\tSource Network Address:\t1.2.3.4\n\tSource Port:\t\t29051\n\nDetailed Authentication Information:\n\tLogon Process:\t\tProcess \n\tAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
"@version": "1",
"@timestamp": "2024-11-12T08:41:05.803Z"
}
{
"@timestamp": "2024-11-12T08:40:34.260Z",
"event": {
"action": "Logon",
"outcome": "failure",
"provider": "Microsoft-Windows-Security-Auditing",
"code": "4625",
"created": "2024-11-12T08:40:35.900Z",
"kind": "event",
"dataset": "system.security"
},
"elastic_agent": {
"version": "8.14.1",
"id": "12345678-abcd-ef90-1234-abcdef123456",
"snapshot": false
},
"log": {
"level": "information"
},
"data_stream": {
"type": "logs",
"dataset": "system.security",
"namespace": "windows"
},
"ecs": {
"version": "8.0.0"
},
"winlog": {
"activity_id": "{12345678-ABCD-EFAB-CDEF-123456789012}",
"keywords": [
"Audit Failure"
],
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"channel": "Security",
"task": "Logon",
"process": {
"pid": 824,
"thread": {
"id": 28936
}
},
"event_data": {
"SubjectUserSid": "S-1-2-3",
"FailureReason": "%%2313",
"IpPort": "-",
"KeyLength": "0",
"Status": "0xc000006d",
"TargetUserSid": "S-1-0-0",
"TransmittedServices": "-",
"LogonType": "3",
"IpAddress": "-",
"LogonProcessName": "Channel",
"SubjectLogonId": "0x3e7",
"SubStatus": "0xc0000064",
"WorkstationName": "WORKSTATION",
"SubjectDomainName": "J_DOE",
"ProcessName": "C:\\Windows\\System32\\executable.exe",
"SubjectUserName": "WORKSTATION$",
"LmPackageName": "-",
"ProcessId": "0x338",
"AuthenticationPackageName": "Kerberos"
},
"provider_name": "Microsoft-Windows-Security-Auditing",
"api": "wineventlog",
"opcode": "Info",
"computer_name": "WORKSTATION.johndoe.com",
"record_id": 2552812283,
"event_id": "4625"
},
"input": {
"type": "winlog"
},
"@version": "1",
"agent": {
"version": "8.14.1",
"type": "filebeat",
"name": "WORKSTATION",
"id": "12345678-abcd-ef90-1234-abcdef123456",
"ephemeral_id": "11111111-2222-3333-4444-555555555555"
},
"host": {
"hostname": "hostname",
"architecture": "x86_64",
"id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
"name": "hostname",
"mac": [
"00-00-00-00-00-00-00-00",
"11-11-11-11-11-11",
"A0-B1-C2-D3-E4-F5",
"AA-BB-CC-DD-EE-FF"
],
"os": {
"kernel": "10.0.14393.7426 (rs1_release.240926-1524)",
"version": "10.0",
"type": "windows",
"name": "Windows Server 2016 Datacenter",
"build": "14393.7428",
"family": "windows",
"platform": "windows"
},
"ip": [
"fe80::1234:5678:90ab:cde",
"5.6.7.8",
"fe80::1111:2222:3333:4444",
"4.3.2.1",
"fe80::aaaa:bbbb:cccc:dddd",
"1.2.3.4",
"fe80::1234:abcd:ef",
"fe80::abcd:1234:567",
"fe80::a0b1:c2d:3e4"
]
},
"tags": [
"Windows",
"beats_input_raw_event"
]
}
{
"@timestamp": "2024-11-12T08:42:47.895Z",
"event": {
"action": "Logoff",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"code": "4634",
"created": "2024-11-12T08:42:48.190Z",
"kind": "event",
"dataset": "system.security",
"original": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tJ_DOE\n\tLogon ID:\t\t0x5ED35BB6\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
},
"message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tJ_DOE\n\tLogon ID:\t\t0x5ED35BB6\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
"elastic_agent": {
"version": "8.14.1",
"id": "12345678-abcd-ef90-1234-abcdef123456",
"snapshot": false
},
"log": {
"level": "information"
},
"data_stream": {
"type": "logs",
"dataset": "system.security",
"namespace": "windows"
},
"ecs": {
"version": "8.0.0"
},
"winlog": {
"keywords": [
"Audit Success"
],
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"task": "Logoff",
"channel": "Security",
"process": {
"pid": 704,
"thread": {
"id": 6336
}
},
"event_data": {
"TargetUserName": "ACCOUNT",
"TargetLogonId": "0x5ed35bb6",
"TargetUserSid": "S-1-2-3",
"LogonType": "3",
"TargetDomainName": "J_DOE"
},
"provider_name": "Microsoft-Windows-Security-Auditing",
"api": "wineventlog",
"opcode": "Info",
"computer_name": "PC01.jdoe.com",
"record_id": 15983780774,
"event_id": "4634"
},
"input": {
"type": "winlog"
},
"@version": "1",
"agent": {
"version": "8.14.1",
"type": "filebeat",
"name": "PC01",
"id": "12345678-abcd-ef90-1234-abcdef123456",
"ephemeral_id": "11111111-2222-3333-4444-555555555555"
},
"tags": [
"Windows",
"beats_input_codec_plain_applied"
],
"host": {
"hostname": "pc01",
"architecture": "x86_64",
"id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
"name": "pc01",
"mac": [
"00-11-22-33-44-55"
],
"os": {
"kernel": "10.0.17763.6414 (WinBuild.160101.0800)",
"version": "10.0",
"type": "windows",
"name": "Windows Server 2019 Standard",
"build": "17763.6414",
"family": "windows",
"platform": "windows"
},
"ip": [
"1.2.3.4",
"5.6.7.8"
]
}
}
{
"log": {
"level": "information"
},
"message": "A logon was attempted using explicit credentials.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tSYSTEM\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x41C1B034B\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nAccount Whose Credentials Were Used:\\n\\tAccount Name:\\t\\taccount\\n\\tAccount Domain:\\t\\tcompany\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nTarget Server:\\n\\tTarget Server Name:\\tTARGET.company.com\\n\\tAdditional Information:\\tTARGET.company.com\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x8314\\n\\tProcess Name:\\t\\tD:\\\\Program Files (x86)\\\\Process\\\\Test\\\\processname.exe\\n\\nNetwork Information:\\n\\tNetwork Address:\\t8.8.8.8\\n\\tPort:\\t\\t\\t12345\\n\\nThis event is generated when a process attempts to log on an account by explicitly specifying that account\\u2019s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.",
"type": "R2",
"fields": {
"gdp-indice": "l-serve",
"gdp-parc": "defaut",
"gdp-config": "server",
"gdp-version-sysmon": 15,
"gdp-sousparc": "prod",
"gdp-version": "2.8",
"gdp-version-winlogbeat": 3.4
},
"ecs": {
"version": "8.0.0"
},
"agent": {
"name": "WB-SRV-HOST01",
"type": "winlogbeat",
"version": "8.8.2",
"ephemeral_id": "06ad3222-a4be-4b59-9958-5f9a657ea9f1",
"id": "2c0cd63b-3836-4620-9eb8-13202bd370a3"
},
"fields.gdp-redis": "2",
"event": {
"provider": "Microsoft-Windows-Security-Auditing",
"kind": "event",
"code": "4648",
"action": "Logon",
"created": "2023-11-09T09:05:15.197Z",
"outcome": "success"
},
"winlog": {
"event_id": "4648",
"keywords": [
"Audit Success"
],
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_data": {
"SubjectUserName": "SYSTEM",
"IpPort": "12345",
"TargetInfo": "TARGET.company.com",
"TargetLogonGuid": "{00000000-0000-0000-0000-000000000000}",
"TargetUserName": "account",
"TargetServerName": "TARGET.company.com",
"ProcessName": "D:\\\\Program Files (x86)\\\\Process\\\\Test\\\\processname.exe",
"SubjectUserSid": "S-1-2-3",
"IpAddress": "8.8.8.8",
"TargetDomainName": "company",
"SubjectDomainName": "DOMAIN",
"ProcessId": "0x8314",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"SubjectLogonId": "0x41c1b034b"
},
"process": {
"pid": 848,
"thread": {
"id": 22916
}
},
"provider_name": "Microsoft-Windows-Security-Auditing",
"computer_name": "HOST01.company.com",
"opcode": "Info",
"task": "Logon",
"channel": "Security",
"api": "wineventlog",
"record_id": 8500947825,
"activity_id": "{7E156DC4-0D77-0008-C56D-157E770DDA01}"
},
"@timestamp": "2023-11-09T09:05:14.415Z",
"host": {
"name": "HOST01",
"id": "abcdefgh-1234-5678-abcd-efgh12345678",
"mac": [
"00-00-00-00-00-00-00-E0",
"00-11-22-33-44-55"
],
"architecture": "x86_64",
"os": {
"platform": "windows",
"version": "10.0",
"name": "Windows Server 2016 Standard",
"build": "14393.6351",
"kernel": "10.0.14393.6343 (rs1_release.230913-1727)",
"type": "windows",
"family": "windows"
},
"hostname": "HOST01",
"ip": [
"1.2.3.4",
"fe80::abcd:123:456"
]
},
"event_ingest_logstash": "2023-11-09T09:05:14.912238Z",
"fields.gdp-logstash": "5",
"@version": "1"
}
{
"log": {
"level": "information"
},
"@timestamp": "2024-11-12T09:07:11.844Z",
"message": "Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tACCOUNT01$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0xC2B9D138\n\nObjet :\n\tServeur de l\u2019objet :\t\tDS\n\tType d\u2019objet :\t\t%{11111111-aaaa-2222-bbbb-333333333333}\n\tNom de l\u2019objet :\t\t%{12345678-abcd-ef90-1234-abcdef123456}\n\tID du handle :\t\t0x0\n\nOp\u00e9ration :\n\tType d\u2019op\u00e9ration :\t\tObject Access\n\tAcc\u00e8s :\t\tContr\u00f4ler l\u2019acc\u00e8s\n\t\t\t\t\n\tMasque d\u2019acc\u00e8s :\t\t0x100\n\tPropri\u00e9t\u00e9s :\t\tContr\u00f4ler l\u2019acc\u00e8s\n\t\t{abcdefab-1234-cdef-5678-901234abcdef}\n\t{11111111-aaaa-2222-bbbb-333333333333}\n\n\nInformations suppl\u00e9mentaires :\n\tParam\u00e8tre 1:\t\t-\n\tParam\u00e8tre 2 :\t\t",
"tags": [
"beats_input_codec_plain_applied"
],
"event": {
"created": "2024-11-12T09:07:13.714Z",
"action": "Directory Service Access",
"provider": "Microsoft-Windows-Security-Auditing",
"outcome": "success",
"code": "4662",
"original": "Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tACCOUNT01$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0xC2B9D138\n\nObjet :\n\tServeur de l\u2019objet :\t\tDS\n\tType d\u2019objet :\t\t%{11111111-aaaa-2222-bbbb-333333333333}\n\tNom de l\u2019objet :\t\t%{12345678-abcd-ef90-1234-abcdef123456}\n\tID du handle :\t\t0x0\n\nOp\u00e9ration :\n\tType d\u2019op\u00e9ration :\t\tObject Access\n\tAcc\u00e8s :\t\tContr\u00f4ler l\u2019acc\u00e8s\n\t\t\t\t\n\tMasque d\u2019acc\u00e8s :\t\t0x100\n\tPropri\u00e9t\u00e9s :\t\tContr\u00f4ler l\u2019acc\u00e8s\n\t\t{abcdefab-1234-cdef-5678-901234abcdef}\n\t{11111111-aaaa-2222-bbbb-333333333333}\n\n\nInformations suppl\u00e9mentaires :\n\tParam\u00e8tre 1:\t\t-\n\tParam\u00e8tre 2 :\t\t",
"kind": "event"
},
"@version": "1",
"agent": {
"name": "ACCOUNT01",
"ephemeral_id": "12345678-1234-5678-9012-345678901234",
"type": "winlogbeat",
"version": "8.12.2",
"id": "abcdefab-cdef-abcd-efab-cdefabcdefab"
},
"host": {
"hostname": "account01",
"mac": [
"00-11-22-33-44-55"
],
"architecture": "x86_64",
"id": "11111111-2222-aaaa-bbbb-333333333333",
"name": "account01",
"ip": [
"1.2.3.4"
],
"os": {
"type": "windows",
"build": "17763.6414",
"name": "Windows Server 2019 Standard",
"kernel": "10.0.17763.6414 (WinBuild.160101.0800)",
"platform": "windows",
"version": "10.0",
"family": "windows"
}
},
"ecs": {
"version": "8.0.0"
},
"winlog": {
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"api": "wineventlog",
"channel": "Security",
"keywords": [
"Succ\u00e8s de l\u2019audit"
],
"task": "Directory Service Access",
"process": {
"pid": 744,
"thread": {
"id": 864
}
},
"record_id": 476080242,
"event_id": "4662",
"provider_name": "Microsoft-Windows-Security-Auditing",
"opcode": "Informations",
"computer_name": "ACCOUNT01.domain.local",
"event_data": {
"HandleId": "0x0",
"SubjectLogonId": "0xc2b9d138",
"ObjectType": "%{11111111-aaaa-2222-bbbb-333333333333}",
"ObjectServer": "DS",
"OperationType": "Object Access",
"SubjectUserSid": "S-1-2-3",
"AdditionalInfo": "-",
"AccessMask": "0x100",
"SubjectDomainName": "DOMAIN",
"ObjectName": "%{12345678-abcd-ef90-1234-abcdef123456}",
"SubjectUserName": "ACCOUNT01$",
"AccessList": "%%7688\n\t\t\t\t",
"Properties": "%%7688\n\t\t{abcdefab-1234-cdef-5678-901234abcdef}\n\t{11111111-aaaa-2222-bbbb-333333333333}"
}
}
}
{
"event": {
"provider": "Microsoft-Windows-Security-Auditing",
"original": "Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tUSER01-WIN$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0x40C158B6\n\nPrivil\u00e8ges :\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege",
"code": "4672",
"outcome": "success",
"created": "2024-11-12T09:08:54.122Z",
"action": "Special Logon",
"kind": "event"
},
"@timestamp": "2024-11-12T09:08:50.647Z",
"ecs": {
"version": "8.0.0"
},
"tags": [
"forwarded",
"beats_input_codec_plain_applied"
],
"log": {
"level": "information"
},
"message": "Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tUSER01-WIN$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0x40C158B6\n\nPrivil\u00e8ges :\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege",
"host": {
"name": "USER01-WIN.domain.priv"
},
"agent": {
"name": "AGENT",
"version": "8.11.1",
"type": "winlogbeat",
"ephemeral_id": "12345678-abcd-ef90-1234-abcdef123456",
"id": "11111111-aaaa-2222-bbbb-333333333333"
},
"winlog": {
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"channel": "Security",
"task": "Special Logon",
"computer_name": "USER01-WIN.domain.priv",
"keywords": [
"Succ\u00e8s de l\u2019audit"
],
"opcode": "Informations",
"activity_id": "{abcdefab-1234-cdef-5678-901234abcdef}",
"event_data": {
"SubjectLogonId": "0x40c158b6",
"PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege",
"SubjectDomainName": "DOMAIN",
"SubjectUserName": "USER01-WIN$",
"SubjectUserSid": "S-1-2-3"
},
"process": {
"thread": {
"id": 27812
},
"pid": 828
},
"event_id": "4672",
"api": "wineventlog",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 288206963
},
"@version": "1"
}
{
"tags": [
"beats_input_codec_plain_applied"
],
"event": {
"original": "A new process has been created.\\n\\nCreator Subject:\\n\\tSecurity ID:\\t\\tS-1-1-1\\n\\tAccount Name:\\t\\tHOST01$\\n\\tAccount Domain:\\t\\tCOMPANY\\n\\tLogon ID:\\t\\t0x3E7\\n\\nTarget Subject:\\n\\tSecurity ID:\\t\\tS-1-0-0\\n\\tAccount Name:\\t\\t-\\n\\tAccount Domain:\\t\\t-\\n\\tLogon ID:\\t\\t0x0\\n\\nProcess Information:\\n\\tNew Process ID:\\t\\t0x1d9c\\n\\tNew Process Name:\\tC:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\\n\\tToken Elevation Type:\\tTokenElevationTypeDefault (1)\\n\\tMandatory Label:\\t\\tS-1-2-3\\n\\tCreator Process ID:\\t0x2a0\\n\\tCreator Process Name:\\tC:\\\\Windows\\\\System32\\\\services.exe\\n\\tProcess Command Line:\\tC:\\\\Windows\\\\system32\\\\wbem\\\\WmiApSrv.exe\\n\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\\n\\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\n\\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\n\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.",
"action": "Process Creation",
"kind": "event",
"outcome": "success",
"created": "2023-11-09T08:43:52.407Z",
"provider": "Microsoft-Windows-Security-Auditing",
"code": "4688"
},
"@version": "1",
"@timestamp": "2023-11-09T08:43:51.462Z",
"message": "A new process has been created.\\n\\nCreator Subject:\\n\\tSecurity ID:\\t\\tS-1-1-1\\n\\tAccount Name:\\t\\tHOST01$\\n\\tAccount Domain:\\t\\tCOMPANY\\n\\tLogon ID:\\t\\t0x3E7\\n\\nTarget Subject:\\n\\tSecurity ID:\\t\\tS-1-0-0\\n\\tAccount Name:\\t\\t-\\n\\tAccount Domain:\\t\\t-\\n\\tLogon ID:\\t\\t0x0\\n\\nProcess Information:\\n\\tNew Process ID:\\t\\t0x1d9c\\n\\tNew Process Name:\\tC:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\\n\\tToken Elevation Type:\\tTokenElevationTypeDefault (1)\\n\\tMandatory Label:\\t\\tS-1-2-3\\n\\tCreator Process ID:\\t0x2a0\\n\\tCreator Process Name:\\tC:\\\\Windows\\\\System32\\\\services.exe\\n\\tProcess Command Line:\\tC:\\\\Windows\\\\system32\\\\wbem\\\\WmiApSrv.exe\\n\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\\n\\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\n\\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\n\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.",
"winlog": {
"computer_name": "HOST01.company.test",
"provider_name": "Microsoft-Windows-Security-Auditing",
"channel": "Security",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"keywords": [
"Audit Success"
],
"version": 2,
"event_id": "4688",
"process": {
"pid": 4,
"thread": {
"id": 17028
}
},
"task": "Process Creation",
"event_data": {
"ParentProcessName": "C:\\\\Windows\\\\System32\\\\services.exe",
"TokenElevationType": "%%1936",
"MandatoryLabel": "S-1-2-3",
"TargetUserSid": "S-1-0-0",
"SubjectUserSid": "S-1-1-1",
"SubjectDomainName": "COMPANY",
"SubjectLogonId": "0x3e7",
"CommandLine": "C:\\\\Windows\\\\system32\\\\wbem\\\\WmiApSrv.exe",
"NewProcessId": "0x1d9c",
"TargetDomainName": "-",
"ProcessId": "0x2a0",
"SubjectUserName": "HOST01$",
"TargetUserName": "-",
"NewProcessName": "C:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe",
"TargetLogonId": "0x0"
},
"record_id": 8884538,
"api": "wineventlog",
"opcode": "Info"
},
"host": {
"hostname": "host01",
"id": "abcdefgh-1234-5678-abcd-efgh12345678",
"ip": [
"8.8.8.8"
],
"name": "host01",
"mac": [
"00-11-22-33-44-55"
],
"architecture": "x86_64",
"os": {
"build": "20348.2031",
"version": "10.0",
"name": "Windows Server 2022 Standard",
"family": "windows",
"kernel": "10.0.20348.2031 (WinBuild.160101.0800)",
"type": "windows",
"platform": "windows"
}
},
"log": {
"level": "information"
},
"ecs": {
"version": "8.0.0"
},
"agent": {
"type": "winlogbeat",
"ephemeral_id": "7ecf606a-ee47-4796-a223-4e6bb827233d",
"id": "65ede6f4-4783-4792-8dc0-8364bc33b7bd",
"version": "8.10.4",
"name": "HOST01"
}
}
{
"event": {
"provider": "Microsoft-Windows-Security-Auditing",
"original": "Un processus est termin\u00e9.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tACCOUNT_01$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0x3E7\n\nInformations sur le processus :\n\tID du processus :\t0x1df8\n\tNom du processus :\tC:\\Windows\\System32\\process.exe\n\t\u00c9tat de fin :\t0x0",
"code": "4689",
"outcome": "success",
"created": "2024-11-12T09:10:18.932Z",
"action": "Process Termination",
"kind": "event"
},
"@timestamp": "2024-11-12T09:10:13.534Z",
"ecs": {
"version": "8.0.0"
},
"tags": [
"forwarded",
"beats_input_codec_plain_applied"
],
"log": {
"level": "information"
},
"message": "Un processus est termin\u00e9.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tACCOUNT_01$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0x3E7\n\nInformations sur le processus :\n\tID du processus :\t0x1df8\n\tNom du processus :\tC:\\Windows\\System32\\process.exe\n\t\u00c9tat de fin :\t0x0",
"host": {
"name": "ACCOUNT_01.domain.priv"
},
"agent": {
"name": "AGENT",
"version": "8.11.1",
"type": "winlogbeat",
"ephemeral_id": "11111111-2222-3333-4444-555555555555",
"id": "aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee"
},
"winlog": {
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"channel": "Security",
"task": "Process Termination",
"computer_name": "ACCOUNT_01.domain.priv",
"keywords": [
"Succ\u00e8s de l\u2019audit"
],
"opcode": "Informations",
"event_data": {
"SubjectLogonId": "0x3e7",
"Status": "0x0",
"ProcessId": "0x1df8",
"SubjectDomainName": "DOMAIN",
"SubjectUserName": "ACCOUNT_01$",
"SubjectUserSid": "S-1-2-3",
"ProcessName": "C:\\Windows\\System32\\process.exe"
},
"process": {
"thread": {
"id": 620
},
"pid": 4
},
"event_id": "4689",
"api": "wineventlog",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 1564712
},
"@version": "1"
}
{
"tags": [
"forwarded",
"beats_input_raw_event"
],
"@version": "1",
"host": {
"name": "HOST01.reseau.company"
},
"type": "winlogbeat",
"ecs": {
"version": "1.8.0"
},
"agent": {
"version": "7.12.1",
"name": "AGENT",
"hostname": "AGENT",
"ephemeral_id": "12345678-abcd-ef90-1234-abcdef123456",
"id": "aaaaaaaa-1111-bbbb-2222-cccccccccccc",
"type": "winlogbeat"
},
"@timestamp": "2024-11-12T04:47:02.389Z",
"user": {
"domain": "RESEAU-COMPANY",
"id": "S-1-2-3",
"name": "user-name"
},
"event": {
"outcome": "success",
"action": "added-user-account",
"category": [
"iam"
],
"module": "security",
"kind": "event",
"code": 4720,
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"user",
"creation"
],
"created": "2024-11-12T04:47:08.322Z"
},
"fields": {
"env_AD": "AD Company"
},
"log": {
"level": "information"
},
"related": {
"user": [
"user-name",
"USER"
]
},
"winlog": {
"event_data": {
"SubjectUserSid": "S-1-2-3",
"SubjectDomainName": "RESEAU-COMPANY",
"PrivilegeList": "-",
"UserWorkstations": "-",
"SubjectLogonId": "0x2a4b2040",
"SidHistory": "-",
"TargetUserName": "USER",
"TargetDomainName": "RESEAU-COMPANY",
"OldUacValue": "0x0",
"SubjectUserName": "user-name",
"UserPrincipalName": "USER@reseau.company",
"HomeDirectory": "-",
"AccountExpires": "%%1794",
"SamAccountName": "USER",
"ProfilePath": "-",
"HomePath": "-",
"DisplayName": "-",
"PasswordLastSet": "%%1794",
"AllowedToDelegateTo": "-",
"ScriptPath": "-",
"UserParameters": "-",
"NewUacValue": "0x214",
"LogonHours": "%%1793",
"UserAccountControl": [
"2082",
"2084",
"2089"
],
"NewUACList": [
"LOCKOUT",
"NORMAL_ACCOUNT"
],
"PrimaryGroupId": "513",
"TargetSid": "S-1-2-3-4-5-6-7"
},
"record_id": 479720536,
"process": {
"thread": {
"id": 1940
},
"pid": 612
},
"opcode": "Info",
"api": "wineventlog",
"event_id": 4720,
"logon": {
"id": "0x2a4b2040"
},
"provider_name": "Microsoft-Windows-Security-Auditing",
"keywords": [
"Audit Success"
],
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"task": "User Account Management",
"computer_name": "HOST01.reseau.company",
"channel": "Security"
}
}
{
"@timestamp": "2024-11-12T08:53:57.535Z",
"event": {
"action": "User Account Management",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"code": "4722",
"created": "2024-11-12T08:53:58.677Z",
"kind": "event",
"dataset": "system.security",
"original": "A user account was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\taccount-name\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x4A13C3FC\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tACC_NAME\n\tAccount Domain:\t\tDOMAIN"
},
"message": "A user account was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\taccount-name\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x4A13C3FC\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tACC_NAME\n\tAccount Domain:\t\tDOMAIN",
"elastic_agent": {
"version": "8.14.1",
"id": "12345678-abcd-90ef-1234-abcdef123456",
"snapshot": false
},
"log": {
"level": "information"
},
"data_stream": {
"type": "logs",
"dataset": "system.security",
"namespace": "windows"
},
"ecs": {
"version": "8.0.0"
},
"winlog": {
"keywords": [
"Audit Success"
],
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"task": "User Account Management",
"channel": "Security",
"process": {
"pid": 756,
"thread": {
"id": 11608
}
},
"event_data": {
"TargetUserName": "ACC_NAME",
"SubjectDomainName": "DOMAIN",
"SubjectUserName": "account-name",
"TargetDomainName": "DOMAIN",
"SubjectLogonId": "0x4a13c3fc",
"SubjectUserSid": "S-1-2-3",
"TargetSid": "S-1-2-3-4-5"
},
"provider_name": "Microsoft-Windows-Security-Auditing",
"api": "wineventlog",
"opcode": "Info",
"computer_name": "PC01.domain.com",
"record_id": 13042939152,
"event_id": "4722"
},
"input": {
"type": "winlog"
},
"@version": "1",
"agent": {
"version": "8.14.1",
"type": "filebeat",
"name": "PC01",
"id": "12345678-abcd-90ef-1234-abcdef123456",
"ephemeral_id": "11111111-aaaa-2222-bbbb-333333333333"
},
"tags": [
"Windows",
"beats_input_codec_plain_applied"
],
"host": {
"hostname": "pc01",
"architecture": "x86_64",
"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"name": "pc01",
"mac": [
"AA-BB-CC-DD-EE-FF"
],
"os": {
"kernel": "10.0.17763.6414 (WinBuild.160101.0800)",
"version": "10.0",
"type": "windows",
"name": "Windows Server 2019 Standard",
"build": "17763.6414",
"family": "windows",
"platform": "windows"
},
"ip": [
"1.2.3.4"
]
}
}
{
"@timestamp": "2024-11-12T08:59:04.757Z",
"event": {
"action": "User Account Management",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"code": "4723",
"created": "2024-11-12T08:59:05.295Z",
"kind": "event",
"dataset": "system.security",
"original": "An attempt was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x4A28EBBF\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN\n\nAdditional Information:\n\tPrivileges\t\t-"
},
"message": "An attempt was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x4A28EBBF\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN\n\nAdditional Information:\n\tPrivileges\t\t-",
"elastic_agent": {
"version": "8.14.1",
"id": "123456-abcd-ef90-1234-abcdef123456",
"snapshot": false
},
"log": {
"level": "information"
},
"data_stream": {
"type": "logs",
"dataset": "system.security",
"namespace": "windows"
},
"ecs": {
"version": "8.0.0"
},
"winlog": {
"keywords": [
"Audit Success"
],
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"task": "User Account Management",
"channel": "Security",
"process": {
"pid": 756,
"thread": {
"id": 11608
}
},
"event_data": {
"PrivilegeList": "-",
"TargetUserName": "ACCOUNT",
"SubjectDomainName": "DOMAIN",
"SubjectUserName": "ACCOUNT",
"TargetDomainName": "DOMAIN",
"SubjectLogonId": "0x4a28ebbf",
"SubjectUserSid": "S-1-2-3",
"TargetSid": "S-1-2-3"
},
"provider_name": "Microsoft-Windows-Security-Auditing",
"api": "wineventlog",
"opcode": "Info",
"computer_name": "PC01.domain.com",
"record_id": 13043050897,
"event_id": "4723"
},
"input": {
"type": "winlog"
},
"@version": "1",
"agent": {
"version": "8.14.1",
"type": "filebeat",
"name": "PC01",
"id": "123456-abcd-ef90-1234-abcdef123456",
"ephemeral_id": "11111111-aaaa-2222-bbbb-333333333333"
},
"tags": [
"Windows",
"beats_input_codec_plain_applied"
],
"host": {
"hostname": "pc01",
"architecture": "x86_64",
"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"name": "pc01",
"mac": [
"00-11-22-33-44-55"
],
"os": {
"kernel": "10.0.17763.6414 (WinBuild.160101.0800)",
"version": "10.0",
"type": "windows",
"name": "Windows Server 2019 Standard",
"build": "17763.6414",
"family": "windows",
"platform": "windows"
},
"ip": [
"1.2.3.4"
]
}
}
{
"@timestamp": "2024-11-12T08:41:11.055Z",
"event": {
"action": "User Account Management",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"code": "4725",
"created": "2024-11-12T08:41:11.637Z",
"kind": "event",
"dataset": "system.security",
"original": "A user account was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tjdoe\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x493FA12D\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN"
},
"message": "A user account was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tjdoe\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x493FA12D\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN",
"elastic_agent": {
"version": "8.14.1",
"id": "12345678-abcd-ef90-1234-abcdef123456",
"snapshot": false
},
"log": {
"level": "information"
},
"data_stream": {
"type": "logs",
"dataset": "system.security",
"namespace": "windows"
},
"ecs": {
"version": "8.0.0"
},
"winlog": {
"keywords": [
"Audit Success"
],
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"task": "User Account Management",
"channel": "Security",
"process": {
"pid": 756,
"thread": {
"id": 7304
}
},
"event_data": {
"TargetUserName": "ACCOUNT",
"SubjectDomainName": "DOMAIN",
"SubjectUserName": "jdoe",
"TargetDomainName": "DOMAIN",
"SubjectLogonId": "0x493fa12d",
"SubjectUserSid": "S-1-2-3",
"TargetSid": "S-4-5-6"
},
"provider_name": "Microsoft-Windows-Security-Auditing",
"api": "wineventlog",
"opcode": "Info",
"computer_name": "PC01.domain.com",
"record_id": 13042691344,
"event_id": "4725"
},
"input": {
"type": "winlog"
},
"@version": "1",
"agent": {
"version": "8.14.1",
"type": "filebeat",
"name": "PC01",
"id": "12345678-abcd-ef90-1234-abcdef123456",
"ephemeral_id": "11111111-2222-3333-4444-555555555555"
},
"tags": [
"Windows",
"beats_input_codec_plain_applied"
],
"host": {
"hostname": "pc01",
"architecture": "x86_64",
"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"name": "pc01",
"mac": [
"00-11-22-33-44-55"
],
"os": {
"kernel": "10.0.17763.6414 (WinBuild.160101.0800)",
"version": "10.0",
"type": "windows",
"name": "Windows Server 2019 Standard",
"build": "17763.6414",
"family": "windows",
"platform": "windows"
},
"ip": [
"1.2.3.4"
]
}
}
{
"@version": "1",
"log": {
"level": "information"
},
"@timestamp": "2024-11-12T07:58:13.288Z",
"message": "A user account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tdoe.j\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3005C1F76\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tsmithee.a\n\tAccount Domain:\t\tDOMAIN\n\nAdditional Information:\n\tPrivileges\t-",
"event": {
"action": "User Account Management",
"outcome": "success",
"code": "4726",
"provider": "Microsoft-Windows-Security-Auditing",
"kind": "event",
"created": "2024-11-12T07:58:14.553Z"
},
"agent": {
"hostname": "hostname",
"id": "12345678-ABCD-ef90-1234-abcdef123456",
"type": "winlogbeat",
"name": "hostname",
"ephemeral_id": "11111111-2222-3333-4444-555555555555",
"version": "7.17.1"
},
"zone": "int",
"site": "site",
"winlog": {
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"channel": "Security",
"process": {
"pid": 632,
"thread": {
"id": 2056
}
},
"event_data": {
"SubjectLogonId": "0x3005c1f76",
"PrivilegeList": "-",
"SubjectDomainName": "DOMAIN",
"SubjectUserName": "doe.j",
"SubjectUserSid": "S-1-2-3",
"TargetSid": "S-1-2-3-4-5",
"TargetUserName": "smithee.a",
"TargetDomainName": "DOMAIN"
},
"record_id": 25349190364,
"event_id": "4726",
"api": "wineventlog",
"provider_name": "Microsoft-Windows-Security-Auditing",
"task": "User Account Management",
"computer_name": "hostname.domain.net"
},
"ecs": {
"version": "1.12.0"
},
"host": {
"name": "hostname.domain.net"
},
"tags": [
"windows",
"domain-controller",
"beats_input_codec_plain_applied"
]
}
{
"@timestamp": "2019-12-18T16:22:12.3425087Z",
"ecs": {
"version": "1.12.0"
},
"event": {
"action": "changed-computer-account",
"category": [
"iam"
],
"code": "4742",
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"change",
"admin"
]
},
"host": {
"name": "DC_TEST2k12.TEST.SAAS"
},
"log": {
"level": "information"
},
"message": "A computer account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nComputer Account That Was Changed:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2902\n\tAccount Name:\t\tTESTCOMPUTEROBJ$\n\tAccount Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tDisplay Name:\t\t-\n\tUser Principal Name:\t-\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t-\n\tAccount Expires:\t\t-\n\tPrimary Group ID:\t-\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x85\n\tNew UAC Value:\t\t0x84\n\tUser Account Control:\t\n\t\tAccount Enabled\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t-\n\tDNS Host Name:\t\t-\n\tService Principal Names:\t-\n\nAdditional Information:\n\tPrivileges:\t\t-",
"related": {
"user": [
"at_adm"
]
},
"user": {
"domain": "TEST",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
"name": "at_adm"
},
"winlog": {
"api": "wineventlog",
"channel": "Security",
"computerObject": {
"domain": "TEST",
"id": "S-1-5-21-1717121054-434620538-60925301-2902",
"name": "TESTCOMPUTEROBJ$"
},
"computer_name": "DC_TEST2k12.TEST.SAAS",
"event_data": {
"AccountExpires": "-",
"AllowedToDelegateTo": "-",
"ComputerAccountChange": "-",
"DisplayName": "-",
"DnsHostName": "-",
"HomeDirectory": "-",
"HomePath": "-",
"LogonHours": "-",
"NewUACList": [
"USER_PASSWORD_NOT_REQUIRED",
"USER_WORKSTATION_TRUST_ACCOUNT"
],
"NewUacValue": "0x84",
"OldUacValue": "0x85",
"PasswordLastSet": "-",
"PrimaryGroupId": "-",
"PrivilegeList": [
"-"
],
"ProfilePath": "-",
"SamAccountName": "-",
"ScriptPath": "-",
"ServicePrincipalNames": "-",
"SidHistory": "-",
"SubjectDomainName": "TEST",
"SubjectLogonId": "0x2e67800",
"SubjectUserName": "at_adm",
"SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
"TargetDomainName": "TEST",
"TargetSid": "S-1-5-21-1717121054-434620538-60925301-2902",
"TargetUserName": "TESTCOMPUTEROBJ$",
"UserAccountControl": [
"2048"
],
"UserParameters": "-",
"UserPrincipalName": "-",
"UserWorkstations": "-"
},
"event_id": "4742",
"keywords": [
"Audit Success"
],
"logon": {
"id": "0x2e67800"
},
"opcode": "Info",
"process": {
"pid": 492,
"thread": {
"id": 664
}
},
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": "3699934",
"task": "Computer Account Management"
}
}
{
"@timestamp": "2019-12-18T16:26:46.8744233Z",
"ecs": {
"version": "1.12.0"
},
"event": {
"action": "added-distribution-group-account",
"category": [
"iam"
],
"code": "4744",
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"group",
"creation"
]
},
"group": {
"domain": "TEST",
"id": "S-1-5-21-1717121054-434620538-60925301-2903",
"name": "testdistlocal"
},
"host": {
"name": "DC_TEST2k12.TEST.SAAS"
},
"log": {
"level": "information"
},
"message": "A security-disabled local group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nNew Group:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal\n\tGroup Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\ttestdistlocal\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-",
"related": {
"user": [
"at_adm"
]
},
"user": {
"domain": "TEST",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
"name": "at_adm"
},
"winlog": {
"api": "wineventlog",
"channel": "Security",
"computer_name": "DC_TEST2k12.TEST.SAAS",
"event_data": {
"PrivilegeList": "-",
"SamAccountName": "testdistlocal",
"SidHistory": "-",
"SubjectDomainName": "TEST",
"SubjectLogonId": "0x2e67800",
"SubjectUserName": "at_adm",
"SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
"TargetDomainName": "TEST",
"TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903",
"TargetUserName": "testdistlocal"
},
"event_id": "4744",
"keywords": [
"Audit Success"
],
"logon": {
"id": "0x2e67800"
},
"opcode": "Info",
"process": {
"pid": 492,
"thread": {
"id": 664
}
},
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": "3699973",
"task": "Distribution Group Management"
}
}
{
"@timestamp": "2019-12-19T08:10:57.4737631Z",
"ecs": {
"version": "1.12.0"
},
"event": {
"action": "changed-distribution-group-account",
"category": [
"iam"
],
"code": "4750",
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"group",
"change"
]
},
"group": {
"domain": "TEST",
"id": "S-1-5-21-1717121054-434620538-60925301-2904",
"name": "testglobal1"
},
"host": {
"name": "DC_TEST2k12.TEST.SAAS"
},
"log": {
"level": "information"
},
"message": "A security-disabled global group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\ttestglobal1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-",
"related": {
"user": [
"at_adm"
]
},
"user": {
"domain": "TEST",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
"name": "at_adm"
},
"winlog": {
"api": "wineventlog",
"channel": "Security",
"computer_name": "DC_TEST2k12.TEST.SAAS",
"event_data": {
"PrivilegeList": "-",
"SamAccountName": "testglobal1",
"SidHistory": "-",
"SubjectDomainName": "TEST",
"SubjectLogonId": "0x2e67800",
"SubjectUserName": "at_adm",
"SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
"TargetDomainName": "TEST",
"TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904",
"TargetUserName": "testglobal1"
},
"event_id": "4750",
"keywords": [
"Audit Success"
],
"logon": {
"id": "0x2e67800"
},
"opcode": "Info",
"process": {
"pid": 492,
"thread": {
"id": 664
}
},
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": "3707550",
"task": "Distribution Group Management"
}
}
{
"event": {
"provider": "Microsoft-Windows-Security-Auditing",
"original": "Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\n\nInformations sur le compte :\n\tNom du compte :\t\taccount\n\tNom du domaine Kerberos fourni :\tDOMAIN\n\tID de l\u2019utilisateur :\t\t\tS-1-2-3\n\nInformations sur le service :\n\tNom du service :\t\tservice\n\tID du service :\t\tS-1-2-3-4-5\n\nInformations sur le r\u00e9seau :\n\tAdresse du client :\t\t::ffff:1.2.3.4\n\tPort client :\t\t51261\n\nInformations suppl\u00e9mentaires :\n\tOptions du ticket :\t\t0x40810010\n\tCode de r\u00e9sultat :\t\t0x0\n\tType de chiffrement du ticket :\t0x12\n\tType de pr\u00e9-authentification :\t2\n\nInformations sur le certificat :\n\tNom de l\u2019\u00e9metteur du certificat :\t\t\n\tNum\u00e9ro de s\u00e9rie du certificat :\t\n\t Empreinte num\u00e9rique du certificat :\t\t\n\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\n\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.",
"code": "4768",
"outcome": "success",
"created": "2024-11-12T09:17:12.392Z",
"action": "Service d\u2019authentification Kerberos",
"kind": "event"
},
"@timestamp": "2024-11-12T09:17:10.124Z",
"ecs": {
"version": "8.0.0"
},
"tags": [
"forwarded",
"beats_input_codec_plain_applied"
],
"log": {
"level": "information"
},
"message": "Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\n\nInformations sur le compte :\n\tNom du compte :\t\taccount\n\tNom du domaine Kerberos fourni :\tDOMAIN\n\tID de l\u2019utilisateur :\t\t\tS-1-2-3\n\nInformations sur le service :\n\tNom du service :\t\tservice\n\tID du service :\t\tS-1-2-3-4-5\n\nInformations sur le r\u00e9seau :\n\tAdresse du client :\t\t::ffff:1.2.3.4\n\tPort client :\t\t51261\n\nInformations suppl\u00e9mentaires :\n\tOptions du ticket :\t\t0x40810010\n\tCode de r\u00e9sultat :\t\t0x0\n\tType de chiffrement du ticket :\t0x12\n\tType de pr\u00e9-authentification :\t2\n\nInformations sur le certificat :\n\tNom de l\u2019\u00e9metteur du certificat :\t\t\n\tNum\u00e9ro de s\u00e9rie du certificat :\t\n\t Empreinte num\u00e9rique du certificat :\t\t\n\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\n\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.",
"host": {
"name": "HOSTNAME.domain.priv"
},
"agent": {
"name": "AGENT",
"version": "8.11.1",
"type": "winlogbeat",
"ephemeral_id": "11111111-2222-3333-4444-555555555555",
"id": "aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee"
},
"winlog": {
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"channel": "Security",
"task": "Service d\u2019authentification Kerberos",
"computer_name": "HOSTNAME.domain.priv",
"keywords": [
"Succ\u00e8s de l\u2019audit"
],
"opcode": "Informations",
"event_data": {
"TicketEncryptionType": "0x12",
"TicketOptions": "0x40810010",
"IpPort": "51261",
"TargetDomainName": "DOMAIN",
"TargetUserName": "account",
"TargetSid": "S-1-2-3",
"PreAuthType": "2",
"Status": "0x0",
"ServiceSid": "S-1-2-3-4-5",
"IpAddress": "::ffff:1.2.3.4",
"ServiceName": "service"
},
"process": {
"thread": {
"id": 3228
},
"pid": 560
},
"event_id": "4768",
"api": "wineventlog",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 2476587536
},
"@version": "1"
}
{
"event": {
"provider": "Microsoft-Windows-Security-Auditing",
"original": "Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\n\nInformations sur le compte :\n\tNom du compte :\t\taccount@DOMAIN.PRIV\n\tDomaine du compte :\t\tDOMAIN.PRIV\n\tGUID d\u2019ouverture de session :\t\t{12345678-ABCD-EF90-1234-123456ABCDEF}\n\nInformations sur le service :\n\tNom du service :\t\tSERVICE$\n\tID du service :\t\tS-1-2-3\n\nInformations sur le r\u00e9seau :\n\tAdresse du client :\t\t::ffff:1.2.3.4\n\tPort client :\t\t50754\n\nInformations suppl\u00e9mentaires :\n\tOptions du ticket :\t\t0x40810000\n\tType de chiffrement du ticket :\t0x12\n\tCode d\u2019\u00e9chec :\t\t0x0\n\tServices en transit :\t-\n\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\n\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\n\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.",
"code": "4769",
"outcome": "success",
"created": "2024-11-12T09:17:05.023Z",
"action": "Op\u00e9rations de ticket du service Kerberos",
"kind": "event"
},
"@timestamp": "2024-11-12T09:17:02.856Z",
"ecs": {
"version": "8.0.0"
},
"tags": [
"forwarded",
"beats_input_codec_plain_applied"
],
"log": {
"level": "information"
},
"message": "Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\n\nInformations sur le compte :\n\tNom du compte :\t\taccount@DOMAIN.PRIV\n\tDomaine du compte :\t\tDOMAIN.PRIV\n\tGUID d\u2019ouverture de session :\t\t{12345678-ABCD-EF90-1234-123456ABCDEF}\n\nInformations sur le service :\n\tNom du service :\t\tSERVICE$\n\tID du service :\t\tS-1-2-3\n\nInformations sur le r\u00e9seau :\n\tAdresse du client :\t\t::ffff:1.2.3.4\n\tPort client :\t\t50754\n\nInformations suppl\u00e9mentaires :\n\tOptions du ticket :\t\t0x40810000\n\tType de chiffrement du ticket :\t0x12\n\tCode d\u2019\u00e9chec :\t\t0x0\n\tServices en transit :\t-\n\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\n\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\n\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.",
"host": {
"name": "HOST01.domain.priv"
},
"agent": {
"name": "AGENT",
"version": "8.11.1",
"type": "winlogbeat",
"ephemeral_id": "11111111-2222-3333-4444-555555555555",
"id": "aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee"
},
"winlog": {
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"channel": "Security",
"task": "Op\u00e9rations de ticket du service Kerberos",
"computer_name": "HOST01.domain.priv",
"keywords": [
"Succ\u00e8s de l\u2019audit"
],
"opcode": "Informations",
"event_data": {
"TicketEncryptionType": "0x12",
"TicketOptions": "0x40810000",
"LogonGuid": "{12345678-ABCD-EF90-1234-123456ABCDEF}",
"IpPort": "50754",
"TargetDomainName": "DOMAIN.PRIV",
"TargetUserName": "account@DOMAIN.PRIV",
"ServiceSid": "S-1-2-3",
"Status": "0x0",
"TransmittedServices": "-",
"IpAddress": "::ffff:1.2.3.4",
"ServiceName": "SERVICE$"
},
"process": {
"thread": {
"id": 7992
},
"pid": 560
},
"event_id": "4769",
"api": "wineventlog",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 2476587153
},
"@version": "1"
}
{
"@timestamp": "2020-03-31T07:50:27.1681182Z",
"ecs": {
"version": "1.12.0"
},
"event": {
"action": "kerberos-preauth-failed",
"category": [
"authentication"
],
"code": "4771",
"kind": "event",
"module": "security",
"outcome": "failure",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"start"
]
},
"host": {
"name": "DC_TEST2k12.TEST.SAAS"
},
"log": {
"level": "information"
},
"message": "Kerberos pre-authentication failed.\n\nAccount Information:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-3057\n\tAccount Name:\t\tMPUIG\n\nService Information:\n\tService Name:\t\tkrbtgt/test.saas\n\nNetwork Information:\n\tClient Address:\t\t::ffff:192.168.5.44\n\tClient Port:\t\t53366\n\nAdditional Information:\n\tTicket Options:\t\t0x40810010\n\tFailure Code:\t\t0x12\n\tPre-Authentication Type:\t0\n\nCertificate Information:\n\tCertificate Issuer Name:\t\t\n\tCertificate Serial Number: \t\n\tCertificate Thumbprint:\t\t\n\nCertificate information is only provided if a certificate was used for pre-authentication.\n\nPre-authentication types, ticket options and failure codes are defined in RFC 4120.\n\nIf the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.",
"related": {
"ip": [
"192.168.5.44"
],
"user": [
"MPUIG"
]
},
"service": {
"name": "krbtgt/test.saas"
},
"source": {
"ip": "192.168.5.44",
"port": 53366
},
"user": {
"id": "S-1-5-21-1717121054-434620538-60925301-3057",
"name": "MPUIG"
},
"winlog": {
"api": "wineventlog",
"channel": "Security",
"computer_name": "DC_TEST2k12.TEST.SAAS",
"event_data": {
"PreAuthType": "0",
"ServiceName": "krbtgt/test.saas",
"Status": "0x12",
"StatusDescription": "KDC_ERR_CLIENT_REVOKED",
"TargetSid": "S-1-5-21-1717121054-434620538-60925301-3057",
"TargetUserName": "MPUIG",
"TicketOptions": "0x40810010",
"TicketOptionsDescription": [
"Renewable-ok",
"Name-canonicalize",
"Renewable",
"Forwardable"
]
},
"event_id": "4771",
"keywords": [
"Audit Failure"
],
"opcode": "Info",
"process": {
"pid": 496,
"thread": {
"id": 4552
}
},
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": "5027836",
"task": "Kerberos Authentication Service"
}
}
{
"@timestamp": "2020-04-01T08:45:42.1873153Z",
"ecs": {
"version": "1.12.0"
},
"event": {
"action": "credential-validated",
"category": [
"authentication"
],
"code": "4776",
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"start"
]
},
"host": {
"name": "DC_TEST2k12.TEST.SAAS"
},
"log": {
"level": "information"
},
"message": "The computer attempted to validate the credentials for an account.\n\nAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\nLogon Account:\tat_adm\nSource Workstation:\tEQP01777\nError Code:\t0x0",
"related": {
"user": [
"at_adm"
]
},
"user": {
"name": "at_adm"
},
"winlog": {
"api": "wineventlog",
"channel": "Security",
"computer_name": "DC_TEST2k12.TEST.SAAS",
"event_data": {
"PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
"Status": "0x0",
"TargetUserName": "at_adm",
"Workstation": "EQP01777"
},
"event_id": "4776",
"keywords": [
"Audit Success"
],
"logon": {
"failure": {
"status": "Status OK."
}
},
"opcode": "Info",
"process": {
"pid": 496,
"thread": {
"id": 1864
}
},
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": "5040222",
"task": "Credential Validation"
}
}
{
"@timestamp": "2023-01-17T21:35:22.347Z",
"ecs": {
"version": "1.12.0"
},
"event": {
"action": "session-reconnected",
"category": [
"authentication",
"session"
],
"code": "4778",
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"start"
]
},
"host": {
"name": "COMPUTER1.contoso.com"
},
"log": {
"level": "information"
},
"related": {
"ip": [
"127.0.0.1"
],
"user": [
"user1"
]
},
"source": {
"domain": "Unknown",
"ip": "127.0.0.1"
},
"user": {
"domain": "CONTOSO",
"name": "user1"
},
"winlog": {
"activity_id": "{7261ec5d-29d2-0001-bdec-6172d229d901}",
"channel": "Security",
"computer_name": "COMPUTER1.contoso.com",
"event_data": {
"AccountDomain": "CONTOSO",
"AccountName": "user1",
"ClientAddress": "127.0.0.1",
"ClientName": "Unknown",
"LogonID": "0x5c7c095",
"SessionName": "Console"
},
"event_id": "4778",
"keywords": [
"Audit Success"
],
"logon": {
"id": "0x5c7c095"
},
"opcode": "Info",
"process": {
"pid": 320,
"thread": {
"id": 4484
}
},
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": "6540868",
"time_created": "2023-01-17T21:35:22.347697Z"
}
}
{
"@timestamp": "2024-11-12T08:25:34.741Z",
"event": {
"action": "User Account Management",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"code": "4798",
"created": "2024-11-12T08:25:35.614Z",
"kind": "event",
"dataset": "system.security",
"original": "A user's local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACC0123$\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3E7\n\nUser:\n\tSecurity ID:\t\tS-3-4-5\n\tAccount Name:\t\tGuest\n\tAccount Domain:\t\tACC0123\n\nProcess Information:\n\tProcess ID:\t\t0x123\n\tProcess Name:\t\tC:\\Program Files\\program.exe"
},
"message": "A user's local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACC0123$\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3E7\n\nUser:\n\tSecurity ID:\t\tS-3-4-5\n\tAccount Name:\t\tGuest\n\tAccount Domain:\t\tACC0123\n\nProcess Information:\n\tProcess ID:\t\t0x123\n\tProcess Name:\t\tC:\\Program Files\\program.exe",
"elastic_agent": {
"version": "8.14.1",
"id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
"snapshot": false
},
"log": {
"level": "information"
},
"data_stream": {
"type": "logs",
"dataset": "system.security",
"namespace": "windows"
},
"ecs": {
"version": "8.0.0"
},
"winlog": {
"activity_id": "{11111111-2222-3333-4444-555555555555}",
"keywords": [
"Audit Success"
],
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"channel": "Security",
"task": "User Account Management",
"process": {
"pid": 668,
"thread": {
"id": 8860
}
},
"event_data": {
"TargetSid": "S-3-4-5",
"TargetUserName": "Guest",
"SubjectDomainName": "DOMAIN",
"CallerProcessName": "C:\\Program Files\\program.exe",
"SubjectUserName": "ACC0123$",
"TargetDomainName": "ACC0123",
"SubjectLogonId": "0x3e7",
"SubjectUserSid": "S-1-2-3",
"CallerProcessId": "0x123"
},
"provider_name": "Microsoft-Windows-Security-Auditing",
"api": "wineventlog",
"opcode": "Info",
"computer_name": "ACC0123.johndoe.com",
"record_id": 1524672,
"event_id": "4798"
},
"input": {
"type": "winlog"
},
"@version": "1",
"agent": {
"version": "8.14.1",
"type": "filebeat",
"name": "ACC0123",
"id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
"ephemeral_id": "12345678-90ab-cdef-1234-123456abcdef"
},
"tags": [
"Windows",
"beats_input_codec_plain_applied"
],
"host": {
"hostname": "hostname",
"architecture": "x86_64",
"id": "12345678-90ef-abcd-1234-abcdef123456",
"name": "hostname",
"mac": [
"00-11-22-33-44-55"
],
"os": {
"kernel": "10.0.20348.169 (WinBuild.160101.0800)",
"version": "10.0",
"type": "windows",
"name": "Windows Server 2022 Standard",
"build": "20348.169",
"family": "windows",
"platform": "windows"
},
"ip": [
"1.2.3.4"
]
}
}
{
"@timestamp": "2020-03-21T23:50:34.347458Z",
"ecs": {
"version": "1.12.0"
},
"event": {
"action": "logged-in-special",
"category": [
"iam"
],
"code": "4964",
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"admin",
"group"
]
},
"host": {
"name": "WIN-41OB2LO92CR.wlbeat.local"
},
"log": {
"level": "information"
},
"message": "Special groups have been assigned to a new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t{00000000-0000-0000-0000-000000000000}\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x1D22ED\n\tLogon GUID:\t{c25cdf73-2322-651f-f4fb-db862c0e03a8}\n\tSpecial Groups Assigned:\t\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-519}",
"related": {
"user": [
"Administrator"
]
},
"user": {
"domain": "WLBEAT",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
"name": "Administrator"
},
"winlog": {
"activity_id": "{af6b9825-ffd8-0000-2f9a-6bafd8ffd501}",
"api": "wineventlog",
"channel": "Security",
"computer_name": "WIN-41OB2LO92CR.wlbeat.local",
"event_data": {
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"SidList": "\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-519}",
"SubjectDomainName": "WLBEAT",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "WIN-41OB2LO92CR$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "WLBEAT",
"TargetLogonGuid": "{c25cdf73-2322-651f-f4fb-db862c0e03a8}",
"TargetLogonId": "0x1d22ed",
"TargetUserName": "Administrator",
"TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-500"
},
"event_id": "4964",
"keywords": [
"Audit Success"
],
"logon": {
"id": "0x3e7"
},
"opcode": "Info",
"process": {
"pid": 788,
"thread": {
"id": 828
}
},
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": "68259",
"task": "Special Logon"
}
}
{
"tags": [
"beats_input_codec_plain_applied"
],
"event": {
"original": "A network share object was accessed.\\n\\t\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5-6-7\\n\\tAccount Name:\\t\\tUSERNAME$\\n\\tAccount Domain:\\t\\tCOMPANY\\n\\tLogon ID:\\t\\t0x20D8D915\\n\\nNetwork Information:\\t\\n\\tObject Type:\\t\\tFile\\n\\tSource Address:\\t\\t172.27.221.26\\n\\tSource Port:\\t\\t12345\\n\\t\\nShare Information:\\n\\tShare Name:\\t\\t\\\\\\\\*\\\\IPC$\\n\\tShare Path:\\t\\t\\n\\nAccess Request Information:\\n\\tAccess Mask:\\t\\t0x1\\n\\tAccesses:\\t\\tReadData (or ListDirectory)\\n\\t\\t\\t\\t",
"action": "File Share",
"kind": "event",
"outcome": "success",
"created": "2023-11-09T09:07:04.744Z",
"provider": "Microsoft-Windows-Security-Auditing",
"code": "5140"
},
"@version": "1",
"@timestamp": "2023-11-09T09:07:03.406Z",
"message": "A network share object was accessed.\\n\\t\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5-6-7\\n\\tAccount Name:\\t\\tUSERNAME$\\n\\tAccount Domain:\\t\\tCOMPANY\\n\\tLogon ID:\\t\\t0x20D8D915\\n\\nNetwork Information:\\t\\n\\tObject Type:\\t\\tFile\\n\\tSource Address:\\t\\t172.27.221.26\\n\\tSource Port:\\t\\t12345\\n\\t\\nShare Information:\\n\\tShare Name:\\t\\t\\\\\\\\*\\\\IPC$\\n\\tShare Path:\\t\\t\\n\\nAccess Request Information:\\n\\tAccess Mask:\\t\\t0x1\\n\\tAccesses:\\t\\tReadData (or ListDirectory)\\n\\t\\t\\t\\t",
"winlog": {
"computer_name": "HOST01.company.test",
"provider_name": "Microsoft-Windows-Security-Auditing",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"channel": "Security",
"keywords": [
"Audit Success"
],
"process": {
"pid": 4,
"thread": {
"id": 12216
}
},
"event_id": "5140",
"version": 1,
"task": "File Share",
"event_data": {
"ObjectType": "File",
"ShareName": "\\\\\\\\*\\\\IPC$",
"IpPort": "12345",
"AccessList": "%%4416\\n\\t\\t\\t\\t",
"SubjectUserName": "USERNAME$",
"SubjectUserSid": "S-1-2-3-4-5-6-7",
"SubjectDomainName": "COMPANY",
"SubjectLogonId": "0x20d8d915",
"IpAddress": "172.27.221.26",
"AccessMask": "0x1"
},
"record_id": 21473595,
"opcode": "Info",
"api": "wineventlog"
},
"host": {
"hostname": "host01",
"id": "abcdefgh-1234-5678-abcd-efgh12345678",
"ip": [
"8.8.8.8"
],
"name": "host01",
"mac": [
"00-11-22-33-44-55"
],
"architecture": "x86_64",
"os": {
"build": "20348.1850",
"version": "10.0",
"name": "Windows Server 2022 Standard",
"family": "windows",
"kernel": "10.0.20348.1850 (WinBuild.160101.0800)",
"type": "windows",
"platform": "windows"
}
},
"log": {
"level": "information"
},
"ecs": {
"version": "8.0.0"
},
"agent": {
"type": "winlogbeat",
"ephemeral_id": "1c379f1e-1fd3-4333-80b0-bf3ac6ab4f69",
"version": "8.10.4",
"id": "222ff142-dbdf-42d8-a403-df533d45d5a8",
"name": "HOST01"
}
}
{
"tags": [
"beats_input_codec_plain_applied"
],
"event": {
"original": "A network share object was checked to see whether client can be granted desired access.\\n\\t\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-5-18\\n\\tAccount Name:\\t\\thost01$\\n\\tAccount Domain:\\t\\tCOMPANY\\n\\tLogon ID:\\t\\t0x20D93996\\n\\nNetwork Information:\\t\\n\\tObject Type:\\t\\tFile\\n\\tSource Address:\\t\\t::1\\n\\tSource Port:\\t\\t12345\\n\\t\\nShare Information:\\n\\tShare Name:\\t\\t\\\\\\\\*\\\\SYSVOL\\n\\tShare Path:\\t\\t\\\\??\\\\C:\\\\Windows\\\\SYSVOL\\\\sysvol\\n\\tRelative Target Name:\\tcompany.test\\\\scripts\\\\TargetName.cmd\\n\\nAccess Request Information:\\n\\tAccess Mask:\\t\\t0x120089\\n\\tAccesses:\\t\\tREAD_CONTROL\\n\\t\\t\\t\\tSYNCHRONIZE\\n\\t\\t\\t\\tReadData (or ListDirectory)\\n\\t\\t\\t\\tReadEA\\n\\t\\t\\t\\tReadAttributes\\n\\t\\t\\t\\t\\nAccess Check Results:\\n\\tREAD_CONTROL:\\tGranted by Ownership\\n\\t\\t\\t\\tSYNCHRONIZE:\\tGranted by\\tD:(A;;0x1200a9;;;WD)\\n\\t\\t\\t\\tReadData (or ListDirectory):\\tGranted by\\tD:(A;;0x1200a9;;;WD)\\n\\t\\t\\t\\tReadEA:\\tGranted by\\tD:(A;;0x1200a9;;;WD)\\n\\t\\t\\t\\tReadAttributes:\\tGranted by\\tD:(A;;0x1200a9;;;WD)\\n\\t\\t\\t\\t",
"outcome": "success",
"action": "Detailed File Share",
"kind": "event",
"created": "2023-11-09T09:09:01.979Z",
"provider": "Microsoft-Windows-Security-Auditing",
"code": "5145"
},
"@version": "1",
"@timestamp": "2023-11-09T09:09:01.274Z",
"message": "A network share object was checked to see whether client can be granted desired access.\\n\\t\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-5-18\\n\\tAccount Name:\\t\\thost01$\\n\\tAccount Domain:\\t\\tCOMPANY\\n\\tLogon ID:\\t\\t0x20D93996\\n\\nNetwork Information:\\t\\n\\tObject Type:\\t\\tFile\\n\\tSource Address:\\t\\t::1\\n\\tSource Port:\\t\\t12345\\n\\t\\nShare Information:\\n\\tShare Name:\\t\\t\\\\\\\\*\\\\SYSVOL\\n\\tShare Path:\\t\\t\\\\??\\\\C:\\\\Windows\\\\SYSVOL\\\\sysvol\\n\\tRelative Target Name:\\tcompany.test\\\\scripts\\\\TargetName.cmd\\n\\nAccess Request Information:\\n\\tAccess Mask:\\t\\t0x120089\\n\\tAccesses:\\t\\tREAD_CONTROL\\n\\t\\t\\t\\tSYNCHRONIZE\\n\\t\\t\\t\\tReadData (or ListDirectory)\\n\\t\\t\\t\\tReadEA\\n\\t\\t\\t\\tReadAttributes\\n\\t\\t\\t\\t\\nAccess Check Results:\\n\\tREAD_CONTROL:\\tGranted by Ownership\\n\\t\\t\\t\\tSYNCHRONIZE:\\tGranted by\\tD:(A;;0x1200a9;;;WD)\\n\\t\\t\\t\\tReadData (or ListDirectory):\\tGranted by\\tD:(A;;0x1200a9;;;WD)\\n\\t\\t\\t\\tReadEA:\\tGranted by\\tD:(A;;0x1200a9;;;WD)\\n\\t\\t\\t\\tReadAttributes:\\tGranted by\\tD:(A;;0x1200a9;;;WD)\\n\\t\\t\\t\\t",
"host": {
"hostname": "host01",
"id": "abcdefgh-1234-5678-abcd-efgh12345678",
"ip": [
"8.8.8.8"
],
"name": "host01",
"mac": [
"00-11-22-33-44-55"
],
"architecture": "x86_64",
"os": {
"build": "20348.1850",
"version": "10.0",
"name": "Windows Server 2022 Standard",
"kernel": "10.0.20348.1850 (WinBuild.160101.0800)",
"family": "windows",
"type": "windows",
"platform": "windows"
}
},
"agent": {
"type": "winlogbeat",
"id": "222ff142-dbdf-42d8-a403-df533d45d5a8",
"version": "8.10.4",
"ephemeral_id": "1c379f1e-1fd3-4333-80b0-bf3ac6ab4f69",
"name": "HOST01"
},
"ecs": {
"version": "8.0.0"
},
"winlog": {
"computer_name": "host01.company.test",
"provider_name": "Microsoft-Windows-Security-Auditing",
"channel": "Security",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"keywords": [
"Audit Success"
],
"process": {
"pid": 4,
"thread": {
"id": 6404
}
},
"event_id": "5145",
"task": "Detailed File Share",
"event_data": {
"ShareName": "\\\\\\\\*\\\\SYSVOL",
"IpPort": "12345",
"AccessList": "%%1538\\n\\t\\t\\t\\t%%1541\\n\\t\\t\\t\\t%%4416\\n\\t\\t\\t\\t%%4419\\n\\t\\t\\t\\t%%4423\\n\\t\\t\\t\\t",
"SubjectUserSid": "S-1-5-18",
"SubjectDomainName": "COMPANY",
"RelativeTargetName": "company.test\\\\scripts\\\\TargetName.cmd",
"SubjectLogonId": "0x20d93996",
"AccessMask": "0x120089",
"ObjectType": "File",
"ShareLocalPath": "\\\\??\\\\C:\\\\Windows\\\\SYSVOL\\\\sysvol",
"SubjectUserName": "host01$",
"AccessReason": "%%1538:\\t%%1804\\n\\t\\t\\t\\t%%1541:\\t%%1801\\tD:(A;;0x1200a9;;;WD)\\n\\t\\t\\t\\t%%4416:\\t%%1801\\tD:(A;;0x1200a9;;;WD)\\n\\t\\t\\t\\t%%4419:\\t%%1801\\tD:(A;;0x1200a9;;;WD)\\n\\t\\t\\t\\t%%4423:\\t%%1801\\tD:(A;;0x1200a9;;;WD)\\n\\t\\t\\t\\t",
"IpAddress": "::1"
},
"record_id": 21474307,
"opcode": "Info",
"api": "wineventlog"
},
"log": {
"level": "information"
}
}
{
"@timestamp": "2023-01-17T21:15:02.549Z",
"ecs": {
"version": "1.12.0"
},
"event": {
"action": "vault-credentials-were-read",
"category": [
"iam"
],
"code": "5381",
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"user",
"info"
]
},
"host": {
"name": "COMPUTER1.contoso.com"
},
"log": {
"level": "information"
},
"related": {
"user": [
"COMPUTER1$"
]
},
"user": {
"domain": "CONTOSO",
"id": "S-1-5-18",
"name": "COMPUTER1$"
},
"winlog": {
"channel": "Security",
"computer_name": "COMPUTER1.contoso.com",
"event_data": {
"ClientProcessId": "5048",
"CountOfCredentialsReturned": "0",
"Flags": "0",
"ProcessCreationTime": "2023-01-17T21:15:02.4069136Z",
"SubjectDomainName": "CONTOSO",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "COMPUTER1$",
"SubjectUserSid": "S-1-5-18"
},
"event_id": "5381",
"keywords": [
"Audit Success"
],
"logon": {
"id": "0x3e7"
},
"opcode": "Info",
"process": {
"pid": 772,
"thread": {
"id": 820
}
},
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": "13342699",
"time_created": "2023-01-17T21:15:02.5490822Z"
}
}
{
"@timestamp": "2019-03-18T16:57:37.933Z",
"ecs": {
"version": "1.12.0"
},
"event": {
"category": [
"configuration"
],
"code": "16",
"kind": "event",
"module": "sysmon",
"provider": "Microsoft-Windows-Sysmon",
"type": [
"change"
]
},
"host": {
"name": "vagrant-2012-r2"
},
"log": {
"level": "information"
},
"user": {
"id": "S-1-5-21-3541430928-2051711210-1391384369-1001"
},
"winlog": {
"api": "wineventlog",
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer_name": "vagrant-2012-r2",
"event_data": {
"Configuration": "C:\\Users\\vagrant\\Downloads\\\"C:\\Users\\vagrant\\Downloads\\Sysmon.exe\" -i -n"
},
"event_id": "16",
"opcode": "Info",
"process": {
"pid": 4616,
"thread": {
"id": 4724
}
},
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"provider_name": "Microsoft-Windows-Sysmon",
"record_id": "1",
"user": {
"identifier": "S-1-5-21-3541430928-2051711210-1391384369-1001"
},
"version": 3
}
}
{
"@timestamp": "2019-03-18T16:57:37.949Z",
"ecs": {
"version": "1.12.0"
},
"event": {
"category": [
"process"
],
"code": "1",
"kind": "event",
"module": "sysmon",
"provider": "Microsoft-Windows-Sysmon",
"type": [
"start"
]
},
"host": {
"name": "vagrant-2012-r2"
},
"log": {
"level": "information"
},
"process": {
"args": [
"C:\\Windows\\Sysmon.exe"
],
"args_count": 1,
"command_line": "C:\\Windows\\Sysmon.exe",
"entity_id": "{42f11c3b-ce01-5c8f-0000-0010c73e2a00}",
"executable": "C:\\Windows\\Sysmon.exe",
"hash": {
"sha1": "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e"
},
"name": "Sysmon.exe",
"parent": {
"args": [
"C:\\Windows\\system32\\services.exe"
],
"args_count": 1,
"command_line": "C:\\Windows\\system32\\services.exe",
"entity_id": "{42f11c3b-6e1a-5c8c-0000-0010f14d0000}",
"executable": "C:\\Windows\\System32\\services.exe",
"name": "services.exe",
"pid": 488
},
"pe": {
"company": "Sysinternals - www.sysinternals.com",
"description": "System activity monitor",
"file_version": "9.01",
"product": "Sysinternals Sysmon"
},
"pid": 4860,
"working_directory": "C:\\Windows\\system32\\"
},
"related": {
"hash": [
"ac93c3b38e57a2715572933dbcb2a1c2892dbc5e"
],
"user": [
"SYSTEM"
]
},
"user": {
"domain": "NT AUTHORITY",
"id": "S-1-5-18",
"name": "SYSTEM"
},
"winlog": {
"api": "wineventlog",
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer_name": "vagrant-2012-r2",
"event_data": {
"Company": "Sysinternals - www.sysinternals.com",
"Description": "System activity monitor",
"FileVersion": "9.01",
"IntegrityLevel": "System",
"LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}",
"LogonId": "0x3e7",
"Product": "Sysinternals Sysmon",
"TerminalSessionId": "0"