Azure Windows machines
Overview
The Azure Virtual Machines service is developed and managed by Microsoft Corp.
Event Categories
The following table lists the data sources offered by this integration.

Data Source | Description |
---|---|
Access tokens | Security identifiers are extracted from several events |
Authentication logs | Audit logon events are examined in detail |
File monitoring | Information about files is extracted from several events |
PowerShell logs | Windows PowerShell logs are analyzed, and need to be specifically set up |
Process command-line parameters | Windows Security Auditing logs provide information about process creation |
Process monitoring | Windows Security Auditing records information on running process activities |
Process use of network | Information on processes having network activities is collected |
Windows event logs | Events related to Windows Event Log shutdown or restart are analyzed |
Windows Registry | Registry auditing events are examined in detail |
Event Samples
Find below a few samples of events and how they are normalized by SEKOIA.IO.
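As an added example (not SEKOIA.IO's own parser), the Python below reads one raw `message` of the kind shown in the samples that follow, that is, the Azure Diagnostics WindowsEventLogsTable envelope whose `properties.RawXml` carries the Windows event XML, and produces the main normalized fields seen in the samples (event.code, host.hostname, action.record_id, azure_windows.event_data, user, source). The embedded sample message is constructed after the 4624 sample on this page; the function name `parse_windows_event_message` is an assumption of this example.

```python
"""Parse the Azure Diagnostics "WindowsEventLogsTable" envelope into a small
normalized record. Added example, not SEKOIA.IO's parser: the envelope layout
(properties.EventId/Channel/Pid/Tid/... plus properties.RawXml holding the
Windows event XML) is taken from the samples on this page."""
import json
import xml.etree.ElementTree as ET

# Namespace of the Windows event XML schema (present in every RawXml sample).
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_windows_event_message(message: str) -> dict:
    """Turn one raw `message` string into a normalized dict."""
    envelope = json.loads(message)
    props = envelope["properties"]
    root = ET.fromstring(props["RawXml"])
    system = root.find("e:System", EVT_NS)

    # <EventData><Data Name='X'>value</Data>...</EventData> -> {"X": value}
    event_data = {}
    for data in root.findall("e:EventData/e:Data", EVT_NS):
        name = data.get("Name")
        if name:
            event_data[name] = data.text or ""

    # The first line of the human-readable Description is the event name;
    # the normalized samples store it without its trailing period.
    description = props.get("Description", "")
    action_name = description.split("\r\n", 1)[0].rstrip(".")

    record = {
        "event": {
            "code": str(props["EventId"]),
            "created": system.find("e:TimeCreated", EVT_NS).get("SystemTime"),
            "provider": props["ProviderName"],
        },
        "host": {"hostname": system.findtext("e:Computer", namespaces=EVT_NS)},
        "process": {"pid": props["Pid"], "thread": {"id": props["Tid"]}},
        "action": {
            "id": props["EventId"],
            "name": action_name,
            "record_id": int(system.findtext("e:EventRecordID", namespaces=EVT_NS)),
            "type": props["Channel"],
        },
        "azure_windows": {
            "provider_guid": props["ProviderGuid"].strip("{}"),
            "provider_name": props["ProviderName"],
            "task": str(props["Task"]),
            "opcode": str(props["Opcode"]),
            "event_data": event_data,
        },
    }

    # Subject account (the caller), present on most Security-channel events.
    # Windows writes "-" for absent fields; those are dropped, as in the samples.
    subject_sid = event_data.get("SubjectUserSid")
    if subject_sid:
        user = {"id": subject_sid}
        for src, dst in (("SubjectUserName", "name"), ("SubjectDomainName", "domain")):
            if event_data.get(src, "-") != "-":
                user[dst] = event_data[src]
        record["user"] = user

    # Network logon details (4624): the remote source address and port.
    if event_data.get("IpAddress", "-") not in ("", "-"):
        record["source"] = {
            "ip": event_data["IpAddress"],
            "port": int(event_data["IpPort"]),
        }
    return record


# Constructed sample, modelled on the 4624 record shown on this page (not a
# real capture): a type 3 (network) logon for HOSTMON from 10.129.224.1.
_RAW_XML = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-Security-Auditing' "
    "Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4624</EventID>"
    "<Task>12544</Task><Opcode>0</Opcode>"
    "<TimeCreated SystemTime='2019-07-22T11:20:54.558577600Z'/>"
    "<EventRecordID>9999727</EventRecordID>"
    "<Execution ProcessID='632' ThreadID='904'/><Channel>Security</Channel>"
    "<Computer>AZNTPI-01.acme.local</Computer></System>"
    "<EventData><Data Name='SubjectUserSid'>S-1-0-0</Data>"
    "<Data Name='SubjectUserName'>-</Data>"
    "<Data Name='TargetUserSid'>S-1-5-21-1004336348-2052111302-725345543-33053</Data>"
    "<Data Name='TargetUserName'>HOSTMON</Data>"
    "<Data Name='TargetDomainName'>ACME.LOCAL</Data>"
    "<Data Name='LogonType'>3</Data>"
    "<Data Name='IpAddress'>10.129.224.1</Data><Data Name='IpPort'>55731</Data>"
    "</EventData></Event>"
)
SAMPLE_MESSAGE = json.dumps({
    "time": "2019-07-22T11:20:54.5585776Z",
    "category": "WindowsEventLogsTable",
    "level": "Informational",
    "properties": {
        "Channel": "Security",
        "Description": "An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0",
        "EventId": 4624, "Level": 0, "Opcode": 0, "Pid": 632, "Tid": 904, "Task": 12544,
        "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
        "ProviderName": "Microsoft-Windows-Security-Auditing",
        "RawXml": _RAW_XML,
        "Role": "IaaS", "RoleInstance": "_AZNTPI-01",
    },
})

if __name__ == "__main__":
    print(json.dumps(parse_windows_event_message(SAMPLE_MESSAGE), indent=2))
```

The RawXml is the authoritative part of the envelope: the Description text is localized and free-form, whereas `EventData/Data[@Name]` gives the same fields with stable names, which is why the event_data map (and everything derived from it, such as user and source) is built from the XML rather than by scraping the Description.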
{
"event": {
"code": "4719",
"created": "2021-01-11T10:48:46.476330800Z",
"provider": "Microsoft-Windows-Security-Auditing",
"id": "10f0afe9-98a1-4226-a6bd-8f70d461d430"
},
"message": "{\"time\":\"2021-01-11T10:48:46.4763308Z\",\"category\":\"WindowsEventLogsTable\",\"level\":\"Informational\",\"properties\":{\"DeploymentId\":\"e089eb44-8406-4be5-b134-3569ba534888\",\"Role\":\"IaaS\",\"RoleInstance\":\"_AZNTDC02\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"ProviderName\":\"Microsoft-Windows-Security-Auditing\",\"EventId\":4719,\"Level\":0,\"Pid\":592,\"Tid\":6452,\"Opcode\":0,\"Task\":13568,\"Channel\":\"Security\",\"Description\":\"System audit policy was changed.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tACMEAccountName$\\r\\n\\tAccount Domain:\\t\\tACME\\r\\n\\tLogon ID:\\t\\t0x3E7\\r\\n\\r\\nAudit Policy Change:\\r\\n\\tCategory:\\t\\tLogon/Logoff\\r\\n\\tSubcategory:\\t\\tLogon\\r\\n\\tSubcategory GUID:\\t{0CCE9215-69AE-11D9-BED3-505054503030}\\r\\n\\tChanges:\\t\\tFailure removed\",\"RawXml\":\"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4719</EventID><Version>0</Version><Level>0</Level><Task>13568</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-01-11T10:48:46.476330800Z'/><EventRecordID>56204662</EventRecordID><Correlation ActivityID='{C42E760F-E51E-4CE7-9AF9-0AA6DA068F9B}'/><Execution ProcessID='592' ThreadID='6452'/><Channel>Security</Channel><Computer>WinAzureTest</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>Acmesubject$</Data><Data Name='SubjectDomainName'>ACME</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='CategoryId'>%%8273</Data><Data Name='SubcategoryId'>%%12544</Data><Data Name='SubcategoryGuid'>{0CCE9215-69AE-11D9-BED3-505054503030}</Data><Data Name='AuditPolicyChanges'>%%8450</Data></EventData></Event>\"}}",
"process": {
"pid": 592,
"thread": {
"id": 6452
}
},
"action": {
"id": 4719,
"name": "System audit policy was changed",
"record_id": 56204662,
"type": "Security",
"outcome": "success",
"properties": [
{
"AuditPolicyChanges": "%%8450",
"opcode": 0
}
]
},
"os": {
"family": "windows",
"platform": "windows"
},
"host": {
"hostname": "WinAzureTest"
},
"log": {
"hostname": "WinAzureTest"
},
"azure_windows": {
"provider_guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"provider_name": "Microsoft-Windows-Security-Auditing",
"task": "13568",
"opcode": "0",
"event_data": {
"AuditPolicyChanges": "%%8450",
"CategoryId": "%%8273",
"SubcategoryGuid": "{0CCE9215-69AE-11D9-BED3-505054503030}",
"SubcategoryId": "%%12544",
"SubjectDomainName": "ACME",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "Acmesubject$",
"SubjectUserSid": "S-1-5-18"
}
},
"user": {
"domain": "ACME",
"id": "S-1-5-18",
"name": "Acmesubject$"
},
"related": {
"user": [
"Acmesubject$"
]
}
}
{
"message": "{\"time\":\"2022-03-25T09:08:59.2405321Z\",\"resourceId\":\"/subscriptions/6c5a0310-d590-4fb4-945a-bca5dc5e1417/resourceGroups/MyGroup/providers/Microsoft.Storage/storageAccounts/MyStorageAccount/blobServices/default\",\"category\":\"StorageRead\",\"operationName\":\"GetBlob\",\"schemaVersion\":\"1.0\",\"statusCode\":404,\"statusText\":\"BlobNotFound\",\"durationMs\":1,\"callerIpAddress\":\"1.2.3.4\",\"correlationId\":\"165e8a9d-e08f-43ca-b71b-c2738d24eb66\",\"identity\":{\"type\":\"SAS\",\"tokenHash\":\"system-1(D0B3B275891800D74D0362E6A5CEAEEDD93A110636EFF4CC84CFD05396904C1C),SasSignature(B35B17A0B56ABEDF5D04E11B2AE08EBEC2DEC076742040412D3C034880A3D745)\"},\"location\":\"MyLocation\",\"properties\":{\"accountName\":\"MyStorageAccount\",\"userAgentHeader\":\"AzSerialConsoleSvcPF\",\"serviceType\":\"blob\",\"objectKey\":\"/MyStorageAccount/bootdiagnostics-xxxxxx-84a8d62f-e62c-4001-9ce2-e6a3e25f4f88/XXXXXX.84a8d62f-e62c-4001-9ce2-e6a3e25f4f88.serialconsole-connectionmetadata\",\"lastModifiedTime\":\"1601/01/01 00:00:00.0000000\",\"metricResponseType\":\"ClientOtherError\",\"serverLatencyMs\":1,\"requestHeaderSize\":411,\"responseHeaderSize\":172,\"tlsVersion\":\"TLS 1.2\"},\"uri\":\"https://axenspiproddiag.blob.core.windows.net/bootdiagnostics-azntpi84a8d62f-e62c-4001-9ce2-e6a3e25f4f88/AZNTPI-04.84a8d62f-e62c-4001-9ce2-e6a3e25f4f88.serialconsole-connectionmetadata?sv=2018-03-28&sr=c&sk=system-1&sig=XXXXX&se=9999-01-01T00%3A00%3A00Z&sp=rwd\",\"protocol\":\"HTTPS\",\"resourceType\":\"Microsoft.Storage/storageAccounts/blobServices\"}",
"os": {
"family": "windows",
"platform": "windows"
}
}
{
"event": {
"code": "4624",
"created": "2019-07-22T11:20:54.558577600Z",
"provider": "Microsoft-Windows-Security-Auditing"
},
"message": "{\"category\":\"WindowsEventLogsTable\",\"level\":\"Informational\",\"properties\":{\"Channel\":\"Security\",\"DeploymentId\":\"cbfba34a-3d3d-4425-aefb-968ee470a8f4\",\"Description\":\"An account was successfully logged on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Information:\\r\\n\\tLogon Type:\\t\\t3\\r\\n\\tRestricted Admin Mode:\\t-\\r\\n\\tVirtual Account:\\t\\tNo\\r\\n\\tElevated Token:\\t\\tYes\\r\\n\\r\\nImpersonation Level:\\t\\tIdentification\\r\\n\\r\\nNew Logon:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1004336348-2052111302-725345543-33053\\r\\n\\tAccount Name:\\t\\tHOSTMON\\r\\n\\tAccount Domain:\\t\\tACME.LOCAL\\r\\n\\tLogon ID:\\t\\t0x6409B67A\\r\\n\\tLinked Logon ID:\\t\\t0x0\\r\\n\\tNetwork Account Name:\\t-\\r\\n\\tNetwork Account Domain:\\t-\\r\\n\\tLogon GUID:\\t\\t{FF0FDD6A-555D-EA36-45CB-9167DFB9C75D}\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t\\t0x0\\r\\n\\tProcess Name:\\t\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\t-\\r\\n\\tSource Network Address:\\t10.129.224.1\\r\\n\\tSource Port:\\t\\t55731\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tKerberos\\r\\n\\tAuthentication Package:\\tKerberos\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\r\\n\\r\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\r\\n\\r\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\",\"EventId\":4624,\"Level\":0,\"Opcode\":0,\"Pid\":632,\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"ProviderName\":\"Microsoft-Windows-Security-Auditing\",\"RawXml\":\"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2019-07-22T11:20:54.558577600Z'/><EventRecordID>9999727</EventRecordID><Correlation ActivityID='{32528DD5-0278-4450-AFD8-22FEBDA102F1}'/><Execution ProcessID='632' ThreadID='904'/><Channel>Security</Channel><Computer>AZNTPI-01.acme.local</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-0-0</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>S-1-5-21-1004336348-2052111302-725345543-33053</Data><Data Name='TargetUserName'>HOSTMON</Data><Data Name='TargetDomainName'>ACME.LOCAL</Data><Data Name='TargetLogonId'>0x6409b67a</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>Kerberos</Data><Data Name='AuthenticationPackageName'>Kerberos</Data><Data Name='WorkstationName'>-</Data><Data Name='LogonGuid'>{FF0FDD6A-555D-EA36-45CB-9167DFB9C75D}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>10.129.224.1</Data><Data Name='IpPort'>55731</Data><Data Name='ImpersonationLevel'>%%1832</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>\",\"Role\":\"IaaS\",\"RoleInstance\":\"_AZNTPI-01\",\"Task\":12544,\"Tid\":904},\"time\":\"2019-07-22T11:20:54.5585776Z\"}",
"source": {
"address": "10.129.224.1",
"ip": "10.129.224.1",
"port": 55731
},
"host": {
"hostname": "AZNTPI-01.acme.local"
},
"log": {
"hostname": "AZNTPI-01.acme.local"
},
"process": {
"pid": 632,
"thread": {
"id": 904
},
"parent": {
"pid": 0
}
},
"action": {
"id": 4624,
"name": "An account was successfully logged on",
"record_id": 9999727,
"type": "Security",
"outcome": "success",
"target": "user",
"properties": [
{
"id": "S-1-5-21-1004336348-2052111302-725345543-33053",
"name": "HOSTMON",
"domain": "ACME.LOCAL",
"opcode": 0,
"type": "targetedUser"
}
]
},
"os": {
"family": "windows",
"platform": "windows"
},
"user": {
"id": "S-1-0-0"
},
"azure_windows": {
"provider_guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"provider_name": "Microsoft-Windows-Security-Auditing",
"task": "12544",
"opcode": "0",
"event_data": {
"AuthenticationPackageName": "Kerberos",
"ElevatedToken": "%%1842",
"ImpersonationLevel": "%%1832",
"IpAddress": "10.129.224.1",
"IpPort": "55731",
"KeyLength": "0",
"LmPackageName": "-",
"LogonGuid": "{FF0FDD6A-555D-EA36-45CB-9167DFB9C75D}",
"LogonProcessName": "Kerberos",
"LogonType": "3",
"ProcessId": "0x0",
"ProcessName": "-",
"RestrictedAdminMode": "-",
"SubjectDomainName": "-",
"SubjectLogonId": "0x0",
"SubjectUserName": "-",
"SubjectUserSid": "S-1-0-0",
"TargetDomainName": "ACME.LOCAL",
"TargetLinkedLogonId": "0x0",
"TargetLogonId": "0x6409b67a",
"TargetOutboundDomainName": "-",
"TargetOutboundUserName": "-",
"TargetUserName": "HOSTMON",
"TargetUserSid": "S-1-5-21-1004336348-2052111302-725345543-33053",
"TransmittedServices": "-",
"VirtualAccount": "%%1843",
"WorkstationName": "-"
},
"user": {
"domain": {
"name": "ACME.LOCAL"
},
"identifier": "S-1-5-21-1004336348-2052111302-725345543-33053",
"name": "HOSTMON",
"type": "targetedUser"
}
},
"related": {
"ip": [
"10.129.224.1"
],
"user": "HOSTMON"
}
}
{
"event": {
"code": "5058",
"created": "2019-06-24T09:20:18.054208500Z",
"provider": "Microsoft-Windows-Security-Auditing"
},
"message": "{\"time\": \"2019-06-24T09:20:18.0542085Z\",\"category\": \"WindowsEventLogsTable\",\"level\": \"Informational\",\"properties\": {\"DeploymentId\": \"cdc4f011-0dd5-4969-95b1-8c7a914a82f6\",\"Role\": \"IaaS\",\"RoleInstance\": \"_WindowsDesktop\",\"ProviderGuid\": \"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"ProviderName\": \"Microsoft-Windows-Security-Auditing\",\"EventId\": 5058,\"Level\": 0,\"Pid\": 704,\"Tid\": 6864,\"Opcode\": 0,\"Task\": 12292,\"Channel\": \"Security\",\"Description\": \"Key file operation.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tWindowsDesktop$\\r\\n\\tAccount Domain:\\t\\tWORKGROUP\\r\\n\\tLogon ID:\\t\\t0x3E7\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t\\t5396\\r\\n\\tProcess Creation Time:\\t\u200e2019\u200e-\u200e06\u200e-\u200e24T09:18:43.902454200Z\\r\\n\\r\\nCryptographic Parameters:\\r\\n\\tProvider Name:\\tMicrosoft Software Key Storage Provider\\r\\n\\tAlgorithm Name:\\tUNKNOWN\\r\\n\\tKey Name:\\t{3F1E0FA6-ACA6-4152-803B-976EF5816428}\\r\\n\\tKey Type:\\tMachine key.\\r\\n\\r\\nKey File Operation Information:\\r\\n\\tFile Path:\\tC:\\\\ProgramData\\\\Microsoft\\\\Crypto\\\\RSA\\\\MachineKeys\\\\5dc8d7cc0741b353e4e980818c304a9b_f67648d5-9dc6-457b-b947-f44d21889d9b\\r\\n\\tOperation:\\tRead persisted key from file.\\r\\n\\tReturn Code:\\t0x0\",\"RawXml\": \"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>5058</EventID><Version>1</Version><Level>0</Level><Task>12292</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2019-06-24T09:20:18.054208500Z'/><EventRecordID>249096</EventRecordID><Correlation ActivityID='{4ef44f5e-5539-0000-271e-87006b2ad501}'/><Execution ProcessID='704' ThreadID='6864'/><Channel>Security</Channel><Computer>WindowsDesktop</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>WindowsDesktop$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='ClientProcessId'>5396</Data><Data Name='ClientCreationTime'>2019-06-24T09:18:43.902454200Z</Data><Data Name='ProviderName'>Microsoft Software Key Storage Provider</Data><Data Name='AlgorithmName'>UNKNOWN</Data><Data Name='KeyName'>{3F1E0FA6-ACA6-4152-803B-976EF5816428}</Data><Data Name='KeyType'>%%2499</Data><Data Name='KeyFilePath'>C:\\\\ProgramData\\\\Microsoft\\\\Crypto\\\\RSA\\\\MachineKeys\\\\5dc8d7cc0741b353e4e980818c304a9b_f67648d5-9dc6-457b-b947-f44d21889d9b</Data><Data Name='Operation'>%%2458</Data><Data Name='ReturnCode'>0x0</Data></EventData></Event>\"}}",
"process": {
"pid": 704,
"thread": {
"id": 6864
}
},
"host": {
"hostname": "WindowsDesktop"
},
"log": {
"hostname": "WindowsDesktop"
},
"action": {
"id": 5058,
"name": "Key file operation",
"record_id": 249096,
"type": "Security",
"outcome": "success",
"properties": [
{
"opcode": 0
}
]
},
"os": {
"family": "windows",
"platform": "windows"
},
"user": {
"name": "WindowsDesktop$",
"id": "S-1-5-18",
"domain": "WORKGROUP"
},
"azure_windows": {
"provider_guid": "54849625-5478-4994-a5ba-3e3b0328c30d",
"provider_name": "Microsoft-Windows-Security-Auditing",
"task": "12292",
"opcode": "0",
"event_data": {
"AlgorithmName": "UNKNOWN",
"ClientCreationTime": "2019-06-24T09:18:43.902454200Z",
"ClientProcessId": "5396",
"KeyFilePath": "C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\5dc8d7cc0741b353e4e980818c304a9b_f67648d5-9dc6-457b-b947-f44d21889d9b",
"KeyName": "{3F1E0FA6-ACA6-4152-803B-976EF5816428}",
"KeyType": "%%2499",
"Operation": "%%2458",
"ProviderName": "Microsoft Software Key Storage Provider",
"ReturnCode": "0x0",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "WindowsDesktop$",
"SubjectUserSid": "S-1-5-18"
}
},
"related": {
"user": [
"WindowsDesktop$"
]
}
}
{
"event": {
"code": "4634",
"created": "2019-07-23T15:33:09.199351700Z",
"provider": "Microsoft-Windows-Security-Auditing"
},
"message": "{\"category\":\"WindowsEventLogsTable\",\"level\":\"Informational\",\"properties\":{\"Channel\":\"Security\",\"DeploymentId\":\"cbfba34a-3d3d-4425-aefb-968ee470a8f4\",\"Description\":\"An account was logged off.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tAZNTPI-01$\\r\\n\\tAccount Domain:\\t\\tACME\\r\\n\\tLogon ID:\\t\\t0x686007F9\\r\\n\\r\\nLogon Type:\\t\\t\\t3\\r\\n\\r\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\",\"EventId\":4634,\"Level\":0,\"Opcode\":0,\"Pid\":632,\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"ProviderName\":\"Microsoft-Windows-Security-Auditing\",\"RawXml\":\"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4634</EventID><Version>0</Version><Level>0</Level><Task>12545</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2019-07-23T15:33:09.199351700Z'/><EventRecordID>10036511</EventRecordID><Correlation/><Execution ProcessID='632' ThreadID='3136'/><Channel>Security</Channel><Computer>AZNTPI-01.acme.local</Computer><Security/></System><EventData><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>AZNTPI-01$</Data><Data Name='TargetDomainName'>ACME</Data><Data Name='TargetLogonId'>0x686007f9</Data><Data Name='LogonType'>3</Data></EventData></Event>\",\"Role\":\"IaaS\",\"RoleInstance\":\"_AZNTPI-01\",\"Task\":12545,\"Tid\":3136},\"time\":\"2019-07-23T15:33:09.1993517Z\"}",
"process": {
"pid": 632,
"thread": {
"id": 3136
}
},
"action": {
"id": 4634,
"name": "An account was logged off",
"record_id": 10036511,
"type": "Security",
"outcome": "success",
"target": "user",
"properties": [
{
"name": "AZNTPI-01$",
"id": "S-1-5-18",
"domain": "ACME",
"type": "targetedUser",
"opcode": 0
}
]
},
"os": {
"family": "windows",
"platform": "windows"
},
"host": {
"hostname": "AZNTPI-01.acme.local"
},
"log": {
"hostname": "AZNTPI-01.acme.local"
},
"azure_windows": {
"provider_guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"provider_name": "Microsoft-Windows-Security-Auditing",
"task": "12545",
"opcode": "0",
"user": {
"domain": {
"name": "ACME"
},
"identifier": "S-1-5-18",
"name": "AZNTPI-01$",
"type": "targetedUser"
},
"event_data": {
"LogonType": "3",
"TargetDomainName": "ACME",
"TargetLogonId": "0x686007f9",
"TargetUserName": "AZNTPI-01$",
"TargetUserSid": "S-1-5-18"
}
}
}
{
"event": {
"code": "4688",
"created": "2019-07-16T14:16:10.209241300Z",
"provider": "Microsoft-Windows-Security-Auditing"
},
"message": "{\"category\":\"WindowsEventLogsTable\",\"level\":\"Informational\",\"properties\":{\"Channel\":\"Security\",\"DeploymentId\":\"0ea500b5-def1-4e62-9020-b5dad9577dad\",\"Description\":\"A new process has been created.\\r\\n\\r\\nCreator Subject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tAZNTPI-02$\\r\\n\\tAccount Domain:\\t\\tACME\\r\\n\\tLogon ID:\\t\\t0x3E7\\r\\n\\r\\nTarget Subject:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nProcess Information:\\r\\n\\tNew Process ID:\\t\\t0x50\\r\\n\\tNew Process Name:\\tC:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files 52\\\\696\\\\pmfexe.exe\\r\\n\\tToken Elevation Type:\\t%%1936\\r\\n\\tMandatory Label:\\t\\tS-1-16-16384\\r\\n\\tCreator Process ID:\\t0x1568\\r\\n\\tCreator Process Name:\\tC:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\\r\\n\\tProcess Command Line:\\t\\\"C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files 52\\\\696\\\\pmfexe.exe\\\" -PerfMode optimize -quickscan -event -json\\r\\n\\r\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\\r\\n\\r\\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\r\\n\\r\\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\r\\n\\r\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.\",\"EventId\":4688,\"Level\":0,\"Opcode\":0,\"Pid\":4,\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"ProviderName\":\"Microsoft-Windows-Security-Auditing\",\"RawXml\": \"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2019-07-16T14:16:10.209241300Z'/><EventRecordID>3892523</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='8060'/><Channel>Security</Channel><Computer>AZNTPI-02.acme.local</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>AZNTPI-02$</Data><Data Name='SubjectDomainName'>ACME</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x50</Data><Data Name='NewProcessName'>C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files 52\\\\696\\\\pmfexe.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x1568</Data><Data Name='CommandLine'>\\\"C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files 52\\\\696\\\\pmfexe.exe\\\" -PerfMode optimize -quickscan -event -json</Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe</Data><Data Name='MandatoryLabel'>S-1-16-16384</Data></EventData></Event>\",\"Role\":\"IaaS\",\"RoleInstance\":\"_AZNTPI-02\",\"Task\":13312,\"Tid\":8060},\"time\":\"2019-07-16T14:16:10.2092413Z\"}",
"process": {
"pid": 80,
"name": "pmfexe.exe",
"executable": "c:\\program files\\microsoft monitoring agent\\agent\\health service state\\monitoring host temporary files 52\\696\\pmfexe.exe",
"command_line": "c:\\program files\\microsoft monitoring agent\\agent\\health service state\\monitoring host temporary files 52\\696\\pmfexe.exe -perfmode optimize -quickscan -event -json",
"working_directory": "c:\\program files\\microsoft monitoring agent\\agent\\health service state\\monitoring host temporary files 52\\696",
"parent": {
"name": "monitoringhost.exe",
"executable": "c:\\program files\\microsoft monitoring agent\\agent\\monitoringhost.exe",
"working_directory": "c:\\program files\\microsoft monitoring agent\\agent",
"pid": 5480
},
"thread": {
"id": 8060
}
},
"os": {
"family": "windows",
"platform": "windows"
},
"user": {
"name": "AZNTPI-02$",
"id": "S-1-5-18",
"domain": "ACME"
},
"action": {
"id": 4688,
"name": "A new process has been created",
"record_id": 3892523,
"type": "Security",
"outcome": "success",
"properties": [
{
"ParentImage": "c:\\program files\\microsoft monitoring agent\\agent\\monitoringhost.exe",
"opcode": 0
}
]
},
"host": {
"hostname": "AZNTPI-02.acme.local"
},
"log": {
"hostname": "AZNTPI-02.acme.local"
},
"azure_windows": {
"provider_guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"provider_name": "Microsoft-Windows-Security-Auditing",
"task": "13312",
"opcode": "0",
"event_data": {
"CommandLine": "\"C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\Monitoring Host Temporary Files 52\\696\\pmfexe.exe\" -PerfMode optimize -quickscan -event -json",
"MandatoryLabel": "S-1-16-16384",
"NewProcessId": "0x50",
"NewProcessName": "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\Monitoring Host Temporary Files 52\\696\\pmfexe.exe",
"ParentProcessName": "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe",
"ProcessId": "0x1568",
"SubjectDomainName": "ACME",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "AZNTPI-02$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "-",
"TargetLogonId": "0x0",
"TargetUserName": "-",
"TargetUserSid": "S-1-0-0",
"TokenElevationType": "%%1936"
}
},
"related": {
"user": [
"AZNTPI-02$"
]
}
}
{
"event": {
"code": "4688",
"created": "2019-07-22T12:54:05.281641000Z",
"provider": "Microsoft-Windows-Security-Auditing"
},
"message": "{\"category\":\"WindowsEventLogsTable\",\"level\":\"Informational\",\"properties\":{\"Channel\":\"Security\",\"DeploymentId\":\"46c98274-e8d7-4247-a358-11a02975100a\",\"Description\":\"A new process has been created.\\r\\n\\r\\nCreator Subject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tAZSQL-02$\\r\\n\\tAccount Domain:\\t\\tACME\\r\\n\\tLogon ID:\\t\\t0x3E7\\r\\n\\r\\nTarget Subject:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nProcess Information:\\r\\n\\tNew Process ID:\\t\\t0x17b4\\r\\n\\tNew Process Name:\\tC:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\r\\n\\tToken Elevation Type:\\tTokenElevationTypeDefault (1)\\r\\n\\tCreator Process ID:\\t0x1788\\r\\n\\tProcess Command Line:\\t\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" \\\"-ExecutionPolicy\\\" \\\"Unrestricted\\\" \\\"-Noninteractive\\\" \\\"-NoProfile\\\" \\\"-NoLogo\\\" \\\"-File\\\" \\\"C:\\\\Program Files\\\\Microsoft Dependency Agent\\\\plugins\\\\AzureMetadata.ps1\\\"\\r\\n\\r\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\\r\\n\\r\\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\r\\n\\r\\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\r\\n\\r\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.\",\"EventId\":4688,\"Level\":0,\"Opcode\":0,\"Pid\":4,\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"ProviderName\":\"Microsoft-Windows-Security-Auditing\",\"RawXml\":\"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2019-07-22T12:54:05.281641000Z'/><EventRecordID>4948641</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='9396'/><Channel>Security</Channel><Computer>AZSQL-02.acme.local</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>AZSQL-02$</Data><Data Name='SubjectDomainName'>ACME</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x17b4</Data><Data Name='NewProcessName'>C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x1788</Data><Data Name='CommandLine'>\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" \\\"-ExecutionPolicy\\\" \\\"Unrestricted\\\" \\\"-Noninteractive\\\" \\\"-NoProfile\\\" \\\"-NoLogo\\\" \\\"-File\\\" \\\"C:\\\\Program Files\\\\Microsoft Dependency Agent\\\\plugins\\\\AzureMetadata.ps1\\\"</Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data></EventData></Event>\",\"Role\":\"IaaS\",\"RoleInstance\":\"_AZSQL-02\",\"Task\":13312,\"Tid\":9396},\"time\":\"2019-07-22T12:54:05.2816410Z\"}",
"process": {
"pid": 6068,
"name": "powershell.exe",
"executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"command_line": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -executionpolicy unrestricted -noninteractive -noprofile -nologo -file c:\\program files\\microsoft dependency agent\\plugins\\azuremetadata.ps1",
"working_directory": "c:\\windows\\system32\\windowspowershell\\v1.0",
"parent": {
"pid": 6024
},
"thread": {
"id": 9396
}
},
"host": {
"hostname": "AZSQL-02.acme.local"
},
"log": {
"hostname": "AZSQL-02.acme.local"
},
"os": {
"family": "windows",
"platform": "windows"
},
"action": {
"id": 4688,
"name": "A new process has been created",
"record_id": 4948641,
"type": "Security",
"outcome": "success",
"properties": [
{
"opcode": 0
}
]
},
"user": {
"name": "AZSQL-02$",
"id": "S-1-5-18",
"domain": "ACME"
},
"azure_windows": {
"provider_guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"provider_name": "Microsoft-Windows-Security-Auditing",
"event_data": {
"CommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"-ExecutionPolicy\" \"Unrestricted\" \"-Noninteractive\" \"-NoProfile\" \"-NoLogo\" \"-File\" \"C:\\Program Files\\Microsoft Dependency Agent\\plugins\\AzureMetadata.ps1\"",
"NewProcessId": "0x17b4",
"NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ProcessId": "0x1788",
"SubjectDomainName": "ACME",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "AZSQL-02$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "-",
"TargetLogonId": "0x0",
"TargetUserName": "-",
"TargetUserSid": "S-1-0-0",
"TokenElevationType": "%%1936"
},
"task": "13312",
"opcode": "0"
},
"related": {
"user": [
"AZSQL-02$"
]
}
}
{
"message": "{\"time\":\"2022-01-12T10:33:34.9717584Z\",\"category\":\"WindowsEventLogsTable\",\"level\":\"Informational\",\"properties\":{\"DeploymentId\":\"f329f776-83f1-4c79-95e5-6ad3f77f11e5\",\"Role\":\"IaaS\",\"RoleInstance\":\"_lab-vm\",\"ProviderGuid\":\"{0888e5ef-9b98-4695-979d-e92ce4247224}\",\"ProviderName\":\"Microsoft-Windows-RestartManager\",\"EventId\":10001,\"Level\":4,\"Pid\":3732,\"Tid\":2144,\"Opcode\":0,\"Task\":0,\"Channel\":\"Application\",\"Description\":\"Ending session 0 started \u200e2022\u200e-\u200e01\u200e-\u200e12T10:33:34.805069900Z.\",\"RawXml\":\"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-RestartManager' Guid='{0888e5ef-9b98-4695-979d-e92ce4247224}'/><EventID>10001</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2022-01-12T10:33:34.9717584Z'/><EventRecordID>9379</EventRecordID><Correlation/><Execution ProcessID='3732' ThreadID='2144'/><Channel>Application</Channel><Computer>lab-vm</Computer><Security UserID='S-1-5-18'/></System><UserData><RmSessionEvent xmlns='http://www.microsoft.com/2005/08/Windows/Reliability/RestartManager/'><RmSessionId>0</RmSessionId><UTCStartTime>2022-01-12T10:33:34.8050699Z</UTCStartTime></RmSessionEvent></UserData></Event>\"}}",
"action": {
"id": 10001,
"name": "no match",
"outcome": "success",
"record_id": 9379,
"type": "Application",
"properties": [
{
"opcode": 0
}
]
},
"azure_windows": {
"opcode": "0",
"task": "0",
"provider_guid": "0888e5ef-9b98-4695-979d-e92ce4247224",
"provider_name": "Microsoft-Windows-RestartManager"
},
"os": {
"family": "windows",
"platform": "windows"
},
"process": {
"pid": 3732,
"thread": {
"id": 2144
}
},
"host": {
"hostname": "lab-vm"
},
"log": {
"hostname": "lab-vm"
},
"event": {
"code": "10001",
"provider": "Microsoft-Windows-RestartManager"
}
}
{
"event": {
"code": "1",
"created": "2019-08-30T14:53:03.064863900Z",
"provider": "Microsoft-Windows-Sysmon"
},
"message": "{\"category\":\"WindowsEventLogsTable\",\"level\":\"Informational\",\"properties\":{\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"DeploymentId\":\"86d017b9-31b7-47d4-98e0-667a2ac68873\",\"Description\":\"Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-08-30 14:53:03.012\\r\\nProcessGuid: {f67648d5-384f-5d69-0000-00101bd8b501}\\r\\nProcessId: 6272\\r\\nImage: C:\\\\Windows\\\\System32\\\\cscript.exe\\r\\nFileVersion: 5.812.10240.16384\\r\\nDescription: Microsoft \\u00ae Console Based Script Host\\r\\nProduct: Microsoft \\u00ae Windows Script Host\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: cscript.exe\\r\\nCommandLine: \\\"C:\\\\windows\\\\system32\\\\cscript.exe\\\" /nologo \\\"MonitorKnowledgeDiscovery.vbs\\\"\\r\\nCurrentDirectory: C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files 3\\\\507\\\\\\r\\nUser: NT AUTHORITY\\\\SYSTEM\\r\\nLogonGuid: {f67648d5-e752-5d68-0000-0020e7030000}\\r\\nLogonId: 0x3E7\\r\\nTerminalSessionId: 0\\r\\nIntegrityLevel: System\\r\\nHashes: MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC\\r\\nParentProcessGuid: {f67648d5-e7c8-5d68-0000-00109ed81e00}\\r\\nParentProcessId: 10068\\r\\nParentImage: C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\\r\\nParentCommandLine: \\\"C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\\\" -Embedding\",\"EventId\":1,\"Level\":4,\"Opcode\":0,\"Pid\":3272,\"ProviderGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"ProviderName\":\"Microsoft-Windows-Sysmon\",\"RawXml\":\"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated 
SystemTime='2019-08-30T14:53:03.064863900Z'/><EventRecordID>120166</EventRecordID><Correlation/><Execution ProcessID='3272' ThreadID='5036'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>WindowsDesktop</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'></Data><Data Name='UtcTime'>2019-08-30 14:53:03.012</Data><Data Name='ProcessGuid'>{f67648d5-384f-5d69-0000-00101bd8b501}</Data><Data Name='ProcessId'>6272</Data><Data Name='Image'>C:\\\\Windows\\\\System32\\\\cscript.exe</Data><Data Name='FileVersion'>5.812.10240.16384</Data><Data Name='Description'>Microsoft \\u00ae Console Based Script Host</Data><Data Name='Product'>Microsoft \\u00ae Windows Script Host</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>cscript.exe</Data><Data Name='CommandLine'>\\\"C:\\\\windows\\\\system32\\\\cscript.exe\\\" /nologo \\\"MonitorKnowledgeDiscovery.vbs\\\"</Data><Data Name='CurrentDirectory'>C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files 3\\\\507\\\\</Data><Data Name='User'>NT AUTHORITY\\\\SYSTEM</Data><Data Name='LogonGuid'>{f67648d5-e752-5d68-0000-0020e7030000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC</Data><Data Name='ParentProcessGuid'>{f67648d5-e7c8-5d68-0000-00109ed81e00}</Data><Data Name='ParentProcessId'>10068</Data><Data Name='ParentImage'>C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe</Data><Data Name='ParentCommandLine'>\\\"C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\\\" -Embedding</Data></EventData></Event>\",\"Role\":\"IaaS\",\"RoleInstance\":\"_WindowsDesktop\",\"Task\":1,\"Tid\":5036},\"time\":\"2019-08-30T14:53:03.0648639Z\"}",
"host": {
"hostname": "WindowsDesktop"
},
"log": {
"hostname": "WindowsDesktop"
},
"process": {
"pid": 3272,
"name": "cscript.exe",
"hash": {
"md5": "a45586b3a5a291516cd10ef4fd3ee768",
"sha256": "59d3cdc7d51fa34c6b27b8b04ea17992955466eb25022b7bd64880ab35df0bbc"
},
"command_line": "c:\\windows\\system32\\cscript.exe /nologo monitorknowledgediscovery.vbs",
"working_directory": "c:\\windows\\system32",
"executable": "c:\\windows\\system32\\cscript.exe",
"parent": {
"name": "monitoringhost.exe",
"executable": "c:\\program files\\microsoft monitoring agent\\agent\\monitoringhost.exe",
"command_line": "c:\\program files\\microsoft monitoring agent\\agent\\monitoringhost.exe -embedding",
"working_directory": "c:\\program files\\microsoft monitoring agent\\agent",
"pid": 6272
},
"thread": {
"id": 5036
}
},
"os": {
"family": "windows",
"platform": "windows"
},
"user": {
"name": "SYSTEM",
"domain": "NT AUTHORITY"
},
"action": {
"id": 1,
"name": "Process creation",
"record_id": 120166,
"type": "Microsoft-Windows-Sysmon/Operational",
"outcome": "success",
"properties": [
{
"ParentImage": "c:\\program files\\microsoft monitoring agent\\agent\\monitoringhost.exe",
"opcode": 0
}
]
},
"azure_windows": {
"provider_guid": "5770385f-c22a-43e0-bf4c-06f5698ffbd9",
"provider_name": "Microsoft-Windows-Sysmon",
"task": "1",
"opcode": "0",
"event_data": {
"CommandLine": "\"C:\\windows\\system32\\cscript.exe\" /nologo \"MonitorKnowledgeDiscovery.vbs\"",
"Company": "Microsoft Corporation",
"CurrentDirectory": "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\Monitoring Host Temporary Files 3\\507\\",
"Description": "Microsoft \u00ae Console Based Script Host",
"FileVersion": "5.812.10240.16384",
"Hashes": "MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC",
"Image": "C:\\Windows\\System32\\cscript.exe",
"IntegrityLevel": "System",
"LogonGuid": "{f67648d5-e752-5d68-0000-0020e7030000}",
"LogonId": "0x3e7",
"OriginalFileName": "cscript.exe",
"ParentCommandLine": "\"C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe\" -Embedding",
"ParentImage": "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe",
"ParentProcessGuid": "{f67648d5-e7c8-5d68-0000-00109ed81e00}",
"ParentProcessId": "10068",
"ProcessGuid": "{f67648d5-384f-5d69-0000-00101bd8b501}",
"ProcessId": "6272",
"Product": "Microsoft \u00ae Windows Script Host",
"RuleName": null,
"TerminalSessionId": "0",
"User": "NT AUTHORITY\\SYSTEM",
"UtcTime": "2019-08-30 14:53:03.012"
}
},
"related": {
"user": [
"SYSTEM"
]
}
}
{
"event": {
"code": "11",
"created": "2019-11-27T15:25:45.123493500Z",
"provider": "Microsoft-Windows-Sysmon"
},
"message": "{\"category\":\"WindowsEventLogsTable\",\"level\":\"Informational\",\"properties\":{\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"DeploymentId\":\"cbfba34a-3d3d-4425-aefb-968ee470a8f4\",\"Description\":\"File created:\\r\\nRuleName: \\r\\nUtcTime: 2019-11-27 15:25:45.117\\r\\nProcessGuid: {4A43FA81-9578-5DDE-0000-0010490B8303}\\r\\nProcessId: 4000\\r\\nImage: C:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\r\\nTargetFilename: C:\\\\Windows\\\\Temp\\\\__PSScriptPolicyTest_tnklb3sm.oxn.ps1\\r\\nCreationUtcTime: 2019-11-27 15:25:45.117\",\"EventId\":11,\"Level\":4,\"Opcode\":0,\"Pid\":2232,\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"ProviderName\":\"Microsoft-Windows-Sysmon\",\"RawXml\":\"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>11</EventID><Version>2</Version><Level>4</Level><Task>11</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2019-11-27T15:25:45.123493500Z'/><EventRecordID>121811</EventRecordID><Correlation/><Execution ProcessID='2232' ThreadID='3592'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>AZNTPI-01.acme.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'></Data><Data Name='UtcTime'>2019-11-27 15:25:45.117</Data><Data Name='ProcessGuid'>{4A43FA81-9578-5DDE-0000-0010490B8303}</Data><Data Name='ProcessId'>4000</Data><Data Name='Image'>C:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe</Data><Data Name='TargetFilename'>C:\\\\Windows\\\\Temp\\\\__PSScriptPolicyTest_tnklb3sm.oxn.ps1</Data><Data Name='CreationUtcTime'>2019-11-27 15:25:45.117</Data></EventData></Event>\",\"Role\":\"IaaS\",\"RoleInstance\":\"_AZNTPI-01\",\"Task\":11,\"Tid\":3592},\"time\":\"2019-11-27T15:25:45.1234935Z\"}",
"process": {
"pid": 2232,
"name": "powershell.exe",
"working_directory": "c:\\windows\\system32\\windowspowershell\\v1.0",
"executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"thread": {
"id": 3592
},
"parent": {
"pid": 4000
}
},
"action": {
"id": 11,
"name": "FileCreate",
"record_id": 121811,
"type": "Microsoft-Windows-Sysmon/Operational",
"outcome": "success",
"properties": [
{
"opcode": 0
}
]
},
"file": {
"created": "2019-11-27 15:25:45.117",
"name": "__psscriptpolicytest_tnklb3sm.oxn.ps1",
"path": "c:\\windows\\temp"
},
"os": {
"family": "windows",
"platform": "windows"
},
"host": {
"hostname": "AZNTPI-01.acme.local"
},
"log": {
"hostname": "AZNTPI-01.acme.local"
},
"azure_windows": {
"provider_guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"provider_name": "Microsoft-Windows-Sysmon",
"task": "11",
"opcode": "0",
"event_data": {
"CreationUtcTime": "2019-11-27 15:25:45.117",
"Image": "C:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ProcessGuid": "{4A43FA81-9578-5DDE-0000-0010490B8303}",
"ProcessId": "4000",
"RuleName": null,
"TargetFilename": "C:\\Windows\\Temp\\__PSScriptPolicyTest_tnklb3sm.oxn.ps1",
"UtcTime": "2019-11-27 15:25:45.117"
}
}
}
{
"event": {
"code": "13",
"created": "2020-04-01T06:34:15.214225000Z",
"provider": "Microsoft-Windows-Sysmon"
},
"message": "{\"time\":\"2020-04-01T06:34:15.2142250Z\",\"category\":\"WindowsEventLogsTable\",\"level\":\"Informational\",\"properties\":{\"DeploymentId\":\"cbfba34a-3d3d-4425-aefb-968ee470a8f4\",\"Role\":\"IaaS\",\"RoleInstance\":\"_AZNTPI-01\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"ProviderName\":\"Microsoft-Windows-Sysmon\",\"EventId\":13,\"Level\":4,\"Pid\":2140,\"Tid\":3628,\"Opcode\":0,\"Task\":13,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Description\":\"Registry value set:\\r\\nRuleName: \\r\\nEventType: SetValue\\r\\nUtcTime: 2020-04-01 06:34:15.158\\r\\nProcessGuid: {4A43FA81-9258-5E74-0000-0010EB030000}\\r\\nProcessId: 4\\r\\nImage: System\\r\\nTargetObject: HKLM\\\\System\\\\CurrentControlSet\\\\Enum\\\\SWD\\\\PRINTENUM\\\\{8D2AEEAE-D27D-4E4D-8F57-A3DA76648B01}\\\\FriendlyName\\r\\nDetails: Microsoft Print to PDF (redirected 5)\",\"RawXml\":\"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>13</EventID><Version>2</Version><Level>4</Level><Task>13</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2020-04-01T06:34:15.214225000Z'/><EventRecordID>530135</EventRecordID><Correlation/><Execution ProcessID='2140' ThreadID='3628'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>AZNTPI-01.acme.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'></Data><Data Name='EventType'>SetValue</Data><Data Name='UtcTime'>2020-04-01 06:34:15.158</Data><Data Name='ProcessGuid'>{4A43FA81-9258-5E74-0000-0010EB030000}</Data><Data Name='ProcessId'>4</Data><Data Name='Image'>System</Data><Data Name='TargetObject'>HKLM\\\\System\\\\CurrentControlSet\\\\Enum\\\\SWD\\\\PRINTENUM\\\\{8D2AEEAE-D27D-4E4D-8F57-A3DA76648B01}\\\\FriendlyName</Data><Data Name='Details'>Microsoft Print to PDF (redirected 5)</Data></EventData></Event>\"}}",
"process": {
"pid": 2140,
"name": "system",
"executable": "system",
"thread": {
"id": 3628
},
"parent": {
"pid": 4
}
},
"host": {
"hostname": "AZNTPI-01.acme.local"
},
"log": {
"hostname": "AZNTPI-01.acme.local"
},
"registry": {
"data": {
"strings": [
"Microsoft Print to PDF (redirected 5)"
],
"type": "REG_SZ"
},
"hive": "HKLM",
"key": "System\\CurrentControlSet\\Enum\\SWD\\PRINTENUM\\{8D2AEEAE-D27D-4E4D-8F57-A3DA76648B01}",
"value": "FriendlyName",
"path": "HKLM\\System\\CurrentControlSet\\Enum\\SWD\\PRINTENUM\\{8D2AEEAE-D27D-4E4D-8F57-A3DA76648B01}\\FriendlyName"
},
"action": {
"id": 13,
"name": "RegistryEvent (Value Set)",
"record_id": 530135,
"type": "Microsoft-Windows-Sysmon/Operational",
"outcome": "success",
"properties": [
{
"opcode": 0
}
]
},
"os": {
"family": "windows",
"platform": "windows"
},
"azure_windows": {
"event_data": {
"Details": "Microsoft Print to PDF (redirected 5)",
"EventType": "SetValue",
"Image": "System",
"ProcessGuid": "{4A43FA81-9258-5E74-0000-0010EB030000}",
"ProcessId": "4",
"RuleName": null,
"TargetObject": "HKLM\\System\\CurrentControlSet\\Enum\\SWD\\PRINTENUM\\{8D2AEEAE-D27D-4E4D-8F57-A3DA76648B01}\\FriendlyName",
"UtcTime": "2020-04-01 06:34:15.158"
},
"provider_guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"provider_name": "Microsoft-Windows-Sysmon",
"task": "13",
"opcode": "0"
}
}
{
"event": {
"code": "22",
"created": "2020-02-26T11:08:11.071181600Z",
"provider": "Microsoft-Windows-Sysmon"
},
"message": "{\"category\":\"WindowsEventLogsTable\",\"level\":\"Informational\",\"properties\":{\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"DeploymentId\":\"23fa1f98-e483-4ae2-a043-88cb9c91c426\",\"Description\":\"Dns query:\\r\\nRuleName: \\r\\nUtcTime: 2020-02-26 11:08:09.059\\r\\nProcessGuid: {f67648d5-4d39-5e56-0000-0010ec220200}\\r\\nProcessId: 3676\\r\\nQueryName: v10.events.data.microsoft.com\\r\\nQueryStatus: 0\\r\\nQueryResults: type: 5 v10.events.data.microsoft.com.aria.akadns.net;type: 5 onecollector.cloudapp.aria.akadns.net;::ffff:52.114.132.20;\\r\\nImage: C:\\\\Windows\\\\System32\\\\svchost.exe\",\"EventId\":22,\"Level\":4,\"Opcode\":0,\"Pid\":3780,\"ProviderGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"ProviderName\":\"Microsoft-Windows-Sysmon\",\"RawXml\":\"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>22</EventID><Version>5</Version><Level>4</Level><Task>22</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2020-02-26T11:08:11.071181600Z'/><EventRecordID>136242</EventRecordID><Correlation/><Execution ProcessID='3780' ThreadID='9096'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>WinAzureTest</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'></Data><Data Name='UtcTime'>2020-02-26 11:08:09.059</Data><Data Name='ProcessGuid'>{f67648d5-4d39-5e56-0000-0010ec220200}</Data><Data Name='ProcessId'>3676</Data><Data Name='QueryName'>v10.events.data.microsoft.com</Data><Data Name='QueryStatus'>0</Data><Data Name='QueryResults'>type: 5 v10.events.data.microsoft.com.aria.akadns.net;type: 5 onecollector.cloudapp.aria.akadns.net;::ffff:52.114.132.20;</Data><Data 
Name='Image'>C:\\\\Windows\\\\System32\\\\svchost.exe</Data></EventData></Event>\",\"Role\":\"IaaS\",\"RoleInstance\":\"_WindowsDesktop\",\"Task\":22,\"Tid\":9096},\"time\":\"2020-02-26T11:08:11.0711816Z\"}",
"process": {
"pid": 3780,
"name": "svchost.exe",
"working_directory": "c:\\windows\\system32",
"executable": "c:\\windows\\system32\\svchost.exe",
"thread": {
"id": 9096
},
"parent": {
"pid": 3676
}
},
"action": {
"id": 22,
"name": "DNS query",
"record_id": 136242,
"type": "Microsoft-Windows-Sysmon/Operational",
"outcome": "success",
"properties": [
{
"opcode": 0
}
]
},
"dns": {
"answers": [
{
"name": "v10.events.data.microsoft.com.aria.akadns.net",
"type": "CNAME"
},
{
"name": "onecollector.cloudapp.aria.akadns.net",
"type": "CNAME"
},
{
"name": "::ffff:52.114.132.20",
"type": "AAAA"
}
],
"question": {
"name": "v10.events.data.microsoft.com"
},
"size_in_char": 29,
"response_code": "0",
"type": "answer"
},
"os": {
"family": "windows",
"platform": "windows"
},
"host": {
"hostname": "WinAzureTest"
},
"log": {
"hostname": "WinAzureTest"
},
"azure_windows": {
"provider_guid": "5770385f-c22a-43e0-bf4c-06f5698ffbd9",
"provider_name": "Microsoft-Windows-Sysmon",
"task": "22",
"opcode": "0",
"event_data": {
"Image": "C:\\Windows\\System32\\svchost.exe",
"ProcessGuid": "{f67648d5-4d39-5e56-0000-0010ec220200}",
"ProcessId": "3676",
"QueryName": "v10.events.data.microsoft.com",
"QueryResults": "type: 5 v10.events.data.microsoft.com.aria.akadns.net;type: 5 onecollector.cloudapp.aria.akadns.net;::ffff:52.114.132.20;",
"QueryStatus": "0",
"RuleName": null,
"UtcTime": "2020-02-26 11:08:09.059"
}
}
}
{
"event": {
"code": "3",
"created": "2019-12-18T16:57:17.936358800Z",
"provider": "Microsoft-Windows-Sysmon"
},
"message": "{\"category\":\"WindowsEventLogsTable\",\"level\":\"Informational\",\"properties\":{\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"DeploymentId\":\"cbfba34a-3d3d-4425-aefb-968ee470a8f4\",\"Description\":\"Network connection detected:\\r\\nRuleName: \\r\\nUtcTime: 2019-12-18 16:57:18.516\\r\\nProcessGuid: {4A43FA81-5A68-5DFA-0000-0010A992AC18}\\r\\nProcessId: 4364\\r\\nImage: C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\r\\nUser: NT AUTHORITY\\\\SYSTEM\\r\\nProtocol: tcp\\r\\nInitiated: true\\r\\nSourceIsIpv6: false\\r\\nSourceIp: 10.100.8.36\\r\\nSourceHostname: AZNTPI-01.acme.local\\r\\nSourcePort: 55664\\r\\nSourcePortName: \\r\\nDestinationIsIpv6: false\\r\\nDestinationIp: 169.254.169.254\\r\\nDestinationHostname: \\r\\nDestinationPort: 80\\r\\nDestinationPortName: http\",\"EventId\":3,\"Level\":4,\"Opcode\":0,\"Pid\":2116,\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"ProviderName\":\"Microsoft-Windows-Sysmon\",\"RawXml\":\"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>3</EventID><Version>5</Version><Level>4</Level><Task>3</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2019-12-18T16:57:17.936358800Z'/><EventRecordID>189923</EventRecordID><Correlation/><Execution ProcessID='2116' ThreadID='3760'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>AZNTPI-01.acme.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'></Data><Data Name='UtcTime'>2019-12-18 16:57:18.516</Data><Data Name='ProcessGuid'>{4A43FA81-5A68-5DFA-0000-0010A992AC18}</Data><Data Name='ProcessId'>4364</Data><Data Name='Image'>C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe</Data><Data Name='User'>NT AUTHORITY\\\\SYSTEM</Data><Data Name='Protocol'>tcp</Data><Data Name='Initiated'>true</Data><Data 
Name='SourceIsIpv6'>false</Data><Data Name='SourceIp'>10.100.8.36</Data><Data Name='SourceHostname'>AZNTPI-01.acme.local</Data><Data Name='SourcePort'>55664</Data><Data Name='SourcePortName'></Data><Data Name='DestinationIsIpv6'>false</Data><Data Name='DestinationIp'>169.254.169.254</Data><Data Name='DestinationHostname'></Data><Data Name='DestinationPort'>80</Data><Data Name='DestinationPortName'>http</Data></EventData></Event>\",\"Role\":\"IaaS\",\"RoleInstance\":\"_AZNTPI-01\",\"Task\":3,\"Tid\":3760},\"time\":\"2019-12-18T16:57:17.9363588Z\"}",
"process": {
"pid": 2116,
"name": "powershell.exe",
"working_directory": "c:\\windows\\system32\\windowspowershell\\v1.0",
"executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"thread": {
"id": 3760
},
"parent": {
"pid": 4364
}
},
"network": {
"transport": "tcp",
"type": "ipv4"
},
"source": {
"address": "AZNTPI-01.acme.local",
"ip": "10.100.8.36",
"port": 55664,
"domain": "AZNTPI-01.acme.local",
"subdomain": "AZNTPI-01.acme",
"size_in_char": 20
},
"destination": {
"address": "169.254.169.254",
"ip": "169.254.169.254",
"port": 80
},
"os": {
"family": "windows",
"platform": "windows"
},
"user": {
"name": "SYSTEM",
"domain": "NT AUTHORITY"
},
"action": {
"id": 3,
"name": "Network connection",
"record_id": 189923,
"type": "Microsoft-Windows-Sysmon/Operational",
"outcome": "success",
"target": "network-traffic",
"properties": [
{
"opcode": 0
}
]
},
"host": {
"hostname": "AZNTPI-01.acme.local"
},
"log": {
"hostname": "AZNTPI-01.acme.local"
},
"azure_windows": {
"provider_guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"provider_name": "Microsoft-Windows-Sysmon",
"task": "3",
"opcode": "0",
"event_data": {
"DestinationHostname": null,
"DestinationIp": "169.254.169.254",
"DestinationIsIpv6": "false",
"DestinationPort": "80",
"DestinationPortName": "http",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Initiated": "true",
"ProcessGuid": "{4A43FA81-5A68-5DFA-0000-0010A992AC18}",
"ProcessId": "4364",
"Protocol": "tcp",
"RuleName": null,
"SourceHostname": "AZNTPI-01.acme.local",
"SourceIp": "10.100.8.36",
"SourceIsIpv6": "false",
"SourcePort": "55664",
"SourcePortName": null,
"User": "NT AUTHORITY\\SYSTEM",
"UtcTime": "2019-12-18 16:57:18.516"
}
},
"related": {
"user": [
"SYSTEM"
],
"ip": [
"10.100.8.36"
]
}
}
{
"user": {
"id": "S-1-5-18",
"name": "AZSQL-02$",
"domain": "ACME"
},
"host": {
"hostname": "AZSQL-02.acme.local"
},
"log": {
"hostname": "AZSQL-02.acme.local"
},
"azure_windows": {
"provider_guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"provider_name": "Microsoft-Windows-Security-Auditing",
"task": "13312",
"opcode": "0",
"event_data": {
"CommandLine": "C:\\Windows\\system32\\svchost.exe -k wsappx",
"NewProcessId": "0x12f0",
"NewProcessName": "C:\\Windows\\System32\\svchost.exe",
"ProcessId": "0x25c",
"SubjectDomainName": "ACME",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "AZSQL-02$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "-",
"TargetLogonId": "0x0",
"TargetUserName": "-",
"TargetUserSid": "S-1-0-0",
"TokenElevationType": "%%1936"
}
},
"process": {
"pid": 4848,
"name": "svchost.exe",
"executable": "c:\\windows\\system32\\svchost.exe",
"working_directory": "c:\\windows\\system32",
"command_line": "c:\\windows\\system32\\svchost.exe -k wsappx",
"thread": {
"id": 8568
},
"parent": {
"pid": 604
}
},
"message": "{\"time\":\"2020-10-22T11:31:18.8344123Z\",\"category\":\"WindowsEventLogsTable\",\"level\":\"Informational\",\"properties\":{\"DeploymentId\":\"46c98274-e8d7-4247-a358-11a02975100a\",\"Role\":\"IaaS\",\"RoleInstance\":\"_AZSQL-02\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"ProviderName\":\"Microsoft-Windows-Security-Auditing\",\"EventId\":4688,\"Level\":0,\"Pid\":4,\"Tid\":8568,\"Opcode\":0,\"Task\":13312,\"Channel\":\"Security\",\"Description\":\"A new process has been created.\\r\\n\\r\\nCreator Subject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tAZSQL-02$\\r\\n\\tAccount Domain:\\t\\tACME\\r\\n\\tLogon ID:\\t\\t0x3E7\\r\\n\\r\\nTarget Subject:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nProcess Information:\\r\\n\\tNew Process ID:\\t\\t0x12f0\\r\\n\\tNew Process Name:\\tC:\\\\Windows\\\\System32\\\\svchost.exe\\r\\n\\tToken Elevation Type:\\tTokenElevationTypeDefault (1)\\r\\n\\tCreator Process ID:\\t0x25c\\r\\n\\tProcess Command Line:\\tC:\\\\Windows\\\\system32\\\\svchost.exe -k wsappx\\r\\n\\r\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\\r\\n\\r\\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\r\\n\\r\\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\r\\n\\r\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.\",\"RawXml\":\"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2020-10-22T11:31:18.834412300Z'/><EventRecordID>13259890</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='8568'/><Channel>Security</Channel><Computer>AZSQL-02.acme.local</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>AZSQL-02$</Data><Data Name='SubjectDomainName'>ACME</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x12f0</Data><Data Name='NewProcessName'>C:\\\\Windows\\\\System32\\\\svchost.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x25c</Data><Data Name='CommandLine'>C:\\\\Windows\\\\system32\\\\svchost.exe -k wsappx</Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data></EventData></Event>\"}}",
"os": {
"family": "windows",
"platform": "windows"
},
"action": {
"id": 4688,
"outcome": "success",
"name": "A new process has been created",
"type": "Security",
"record_id": 13259890,
"properties": [
{
"opcode": 0
}
]
},
"related": {
"user": [
"AZSQL-02$"
]
},
"event": {
"code": "4688",
"provider": "Microsoft-Windows-Security-Auditing"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that inferred fields are not listed.
Name | Type | Description |
---|---|---|
action.properties | object | None |
action.target | keyword | None |
azure_windows.event_data | object | None |
azure_windows.opcode | keyword | None |
azure_windows.provider_guid | keyword | None |
azure_windows.provider_name | keyword | None |
azure_windows.task | keyword | None |
azure_windows.user.domain.name | keyword | None |
azure_windows.user.identifier | keyword | None |
azure_windows.user.name | keyword | None |
azure_windows.user.type | keyword | None |
destination.domain | keyword | The domain name of the destination. |
destination.ip | ip | IP address of the destination. |
destination.port | long | Port of the destination. |
destination.size_in_char | number | None |
dns.answers | object | Array of DNS answers. |
dns.question.name | keyword | The name being queried. |
dns.response_code | keyword | The DNS response code. |
dns.size_in_char | number | None |
dns.type | keyword | The type of DNS event captured, query or answer. |
event.code | keyword | Identification code for this event. |
event.provider | keyword | Source of the event. |
file.created | date | File creation time. |
file.name | keyword | Name of the file including the extension, without the directory. |
file.path | keyword | Full path to the file, including the file name. |
host.hostname | keyword | Hostname of the host. |
network.transport | keyword | Protocol name corresponding to the field iana_number. |
network.type | keyword | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc. |
process.command_line | wildcard | Full command line that started the process. |
process.executable | keyword | Absolute path to the process executable. |
process.hash.md5 | keyword | MD5 hash. |
process.hash.sha1 | keyword | SHA1 hash. |
process.hash.sha256 | keyword | SHA256 hash. |
process.hash.sha384 | keyword | |
process.hash.sha512 | keyword | SHA512 hash. |
process.name | keyword | Process name. |
process.parent.command_line | wildcard | Full command line that started the process. |
process.parent.executable | keyword | Absolute path to the process executable. |
process.parent.name | keyword | Process name. |
process.parent.pid | long | Process id. |
process.parent.working_directory | keyword | The working directory of the process. |
process.pid | long | Process id. |
process.thread.id | long | Thread ID. |
process.working_directory | keyword | The working directory of the process. |
registry.data.strings | wildcard | List of strings representing what was written to the registry. |
registry.data.type | keyword | Standard registry type for encoding contents. |
registry.hive | keyword | Abbreviated name for the hive. |
registry.key | keyword | Hive-relative path of keys. |
registry.path | keyword | Full path, including hive, key and value. |
registry.value | keyword | Name of the value written. |
source.domain | keyword | The domain name of the source. |
source.ip | ip | IP address of the source. |
source.port | long | Port of the source. |
source.size_in_char | number | None |
user.domain | keyword | Name of the directory the user is a member of. |
user.id | keyword | Unique identifier of the user. |
user.name | keyword | Short name or login of the user. |
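To show how a raw record of this integration maps onto the fields above, here is an added Python example (it is not SEKOIA.IO's parser and the mapping mirrors the samples on this page rather than any published specification). It reads one WindowsEventLogsTable record, parses the RawXml, and fills event.*, host.*, process.*, action.*, azure_windows.event_data and, for a Sysmon event 22, the dns.* fields including the QueryResults split into dns.answers. The record it runs on is a constructed, trimmed copy of the Sysmon DNS sample above; DNS_TYPES, parse_raw_xml, parse_query_results and normalize are names chosen for this example.

```python
"""Normalize one Azure VM diagnostics WindowsEventLogsTable record into a subset
of the ECS-style fields listed above. Added example, not SEKOIA.IO's parser."""
import json
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# DNS record type numbers as written in Sysmon's "type: N name" entries.
DNS_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
             16: "TXT", 28: "AAAA", 33: "SRV"}

# Constructed record in the shape of the Sysmon event 22 sample above,
# trimmed to the parts this example uses.
SAMPLE_MESSAGE = json.dumps({
    "time": "2020-02-26T11:08:11.0711816Z",
    "category": "WindowsEventLogsTable",
    "level": "Informational",
    "properties": {
        "Channel": "Microsoft-Windows-Sysmon/Operational",
        "ProviderName": "Microsoft-Windows-Sysmon",
        "EventId": 22, "Pid": 3780, "Tid": 9096,
        "RawXml": (
            "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
            "<System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>22</EventID>"
            "<EventRecordID>136242</EventRecordID><Computer>WinAzureTest</Computer></System>"
            "<EventData><Data Name='RuleName'></Data>"
            "<Data Name='ProcessId'>3676</Data>"
            "<Data Name='QueryName'>v10.events.data.microsoft.com</Data>"
            "<Data Name='QueryStatus'>0</Data>"
            "<Data Name='QueryResults'>type: 5 v10.events.data.microsoft.com.aria.akadns.net;"
            "type: 5 onecollector.cloudapp.aria.akadns.net;::ffff:52.114.132.20;</Data>"
            "<Data Name='Image'>C:\\Windows\\System32\\svchost.exe</Data>"
            "</EventData></Event>"
        ),
    },
})


def parse_raw_xml(raw_xml):
    """Return (system, event_data): Computer/EventRecordID from the System block
    and the EventData <Data Name=...> entries. An empty element yields None,
    which is how RuleName shows up as null in the samples."""
    root = ET.fromstring(raw_xml)
    system = {
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "record_id": int(root.findtext("e:System/e:EventRecordID", namespaces=NS)),
    }
    event_data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return system, event_data


def parse_query_results(results):
    """Split Sysmon's QueryResults string into dns.answers entries. Entries are
    ';'-separated; non-address records are written 'type: N name', bare entries
    are addresses. IPv4-mapped IPv6 forms ('::ffff:1.2.3.4') are labelled AAAA
    to match the normalized sample above."""
    answers = []
    for entry in (results or "").split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if entry.startswith("type:"):
            parts = entry.split(" ", 2)  # ["type:", "N", "name"]
            code = int(parts[1])
            name = parts[2] if len(parts) > 2 else ""
            answers.append({"name": name, "type": DNS_TYPES.get(code, f"TYPE{code}")})
        else:
            answers.append({"name": entry, "type": "AAAA" if ":" in entry else "A"})
    return answers


def normalize(message):
    """Map the 'message' string of one record into ECS-style fields."""
    rec = json.loads(message)
    props = rec["properties"]
    system, event_data = parse_raw_xml(props["RawXml"])
    image = event_data.get("Image") or ""
    out = {
        "event": {"code": str(props["EventId"]), "created": rec["time"],
                  "provider": props["ProviderName"]},
        "host": {"hostname": system["computer"]},
        # As in the samples: Pid/Tid are the logging process (the Sysmon
        # service), and paths are lower-cased.
        "process": {"pid": props["Pid"], "thread": {"id": props["Tid"]},
                    "name": ntpath.basename(image).lower() or None,
                    "executable": image.lower() or None},
        "action": {"id": props["EventId"], "record_id": system["record_id"],
                   "type": props["Channel"]},
        "azure_windows": {"provider_name": props["ProviderName"],
                          "event_data": event_data},
    }
    if props["ProviderName"] == "Microsoft-Windows-Sysmon" and props["EventId"] == 22:
        qname = event_data.get("QueryName") or ""
        out["dns"] = {
            "question": {"name": qname},
            "size_in_char": len(qname),
            "response_code": event_data.get("QueryStatus"),
            "answers": parse_query_results(event_data.get("QueryResults")),
            "type": "answer",
        }
    return out


if __name__ == "__main__":
    print(json.dumps(normalize(SAMPLE_MESSAGE), indent=2))
```

Running the script prints the normalized document; the dns.answers list comes out with two CNAME entries and one AAAA entry and dns.size_in_char is 29, which is what the sample above shows for the same query.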
Configure
This setup guide shows you how to forward events produced by a Windows Virtual Machine hosted on the Azure platform to SEKOIA.IO.
These changes have to be made from the Azure Web Portal.
Azure Event Hubs
As a prerequisite, you need to choose an existing “resource group”, or create a new one (e.g. company-resource-group).
Retrieve your Subscription ID
You also need your “Subscription ID” if you don't have a default one. In the Azure Web Portal, navigate to: “Home”, “Cost Management + Billing”, “Subscriptions”. From there, copy the relevant “Subscription ID” that will be used in the command line (e.g. uuid).
Create the Event Hubs
Use Azure PowerShell (within the Cloud Shell interface, for example) to create a namespace (e.g. company-eventhub) and a specific Event Hub (e.g. windows-event) within your “resource group” (e.g. company-resource-group):
PS Azure:\> az eventhubs namespace create --name company-eventhub --resource-group company-resource-group --enable-kafka true --subscription uuid
PS Azure:\> az eventhubs eventhub create --resource-group company-resource-group --namespace-name company-eventhub --name windows-event --message-retention 3 --partition-count 4 --subscription uuid
Info
Please replace:
- company-resource-group with the name of your “resource group”.
- uuid with your subscription ID retrieved previously (see above).
Create “Shared Access Policies”
- Navigate to “Home”, “Event Hubs”, “company-eventhub - Shared access policies”. From there, you can create a policy (e.g. RootManageSharedAccessKey) with the claims Manage, Send and Listen, and note the Primary Key that will be used as the SharedAccessKey.
- Navigate to “Home”, “Event Hubs”, “company-eventhub”, “windows-event - Shared access policies”. From there, you can create a policy (e.g. sekoiaio) with the claim Listen. Once created, click on the policy and save the Connection string-primary key, to be sent to SEKOIA.IO.
- Navigate to “Home”, “Event Hubs”, “company-eventhub”, “windows-event - Consumer groups”. From there, you can create a consumer group (e.g. sekoiaio).
Create a Blob Storage for Checkpointing
In order to allow SEKOIA.IO to keep track of the consumed events, the next step consists in creating a dedicated Azure Blob Storage.
To proceed, you can use Azure PowerShell:
PS Azure:\> az storage account create --name "sekoiaiocheckpoint" --resource-group "company-resource-group"
PS Azure:\> az storage container create --name "windows-event" --account-name "sekoiaiocheckpoint"
Info
The container name (here windows-event) must be the same as the Event Hub’s name.
You also need to replace company-resource-group with the name of your “resource group”.
Finally, retrieve the connection string from the Azure Web Portal: go to “Storage Accounts”, then to the storage account you created (sekoiaiocheckpoint), and finally to the “Access Keys” section. After clicking on “Show keys”, copy the first of the two connection strings.
Windows Virtual Machine
You need to activate and configure the diagnostic extension Microsoft.Insights.VMDiagnosticsSettings.
Navigate to “Home”, “Virtual machines”, “virtual machine name” (e.g. company-windows), “Settings” and “Extensions”. Install it and note the name of the newly created StorageAccount (e.g. company-storage-account).
Navigate to “Home”, “Storage accounts”, “company-storage-account”, ”Access keys”. From there, note the key value, later used as the storageAccountKey.
You need to create two configuration files, public_settings.json and protected_settings.json.
Once again you need Azure PowerShell to do it, using your favorite text editor:
PS Azure:\> vim public_settings.json
Adapt the public settings configuration file with the values of these variables: Url, SharedAccessKeyName, StorageAccount.
{
  "WadCfg": {
    "DiagnosticMonitorConfiguration": {
      "overallQuotaInMB": 4096,
      "sinks": "applicationInsights.errors",
      "DiagnosticInfrastructureLogs": {
        "scheduledTransferLogLevelFilter": "Error"
      },
      "WindowsEventLog": {
        "scheduledTransferPeriod": "PT1M",
        "DataSource": [
          {
            "name": "Application!*"
          },
          {
            "name": "System!*"
          },
          {
            "name": "Security!*"
          }
        ],
        "sinks": "HotPath"
      },
      "Logs": {
        "scheduledTransferPeriod": "PT1M",
        "scheduledTransferLogLevelFilter": "Error",
        "sinks": "HotPath"
      }
    },
    "SinksConfig": {
      "Sink": [
        {
          "name": "HotPath",
          "type": "JsonBlob",
          "EventHub": {
            "Url": "https://company-eventhub.servicebus.windows.net/windows-event",
            "SharedAccessKeyName": "RootManageSharedAccessKey"
          }
        },
        {
          "name": "applicationInsights",
          "ApplicationInsights": "",
          "Channels": {
            "Channel": [
              {
                "logLevel": "Error",
                "name": "errors"
              }
            ]
          }
        }
      ]
    }
  },
  "StorageAccount": "company-storage-account"
}
A more specific Windows event log can be added by specifying the event log name (e.g. for Sysmon: "name": "Microsoft-Windows-Sysmon/Operational!*").
Then edit the protected settings configuration file:
PS Azure:\> vim protected_settings.json
Adapt the protected settings configuration file with the values of these variables: storageAccountName, storageAccountKey, Url, SharedAccessKeyName, SharedAccessKey:
{
  "storageAccountName": "company-storage-account",
  "storageAccountKey": "base64-string",
  "storageAccountEndPoint": "https://core.windows.net",
  "EventHub": {
    "Url": "https://company-eventhub.servicebus.windows.net/windows-event",
    "SharedAccessKeyName": "RootManageSharedAccessKey",
    "SharedAccessKey": "base64-string"
  }
}
Finally, push the new diagnostic extension configuration (adapt the parameters resource-group and vm-name):
PS Azure:\> az vm extension set --publisher Microsoft.Azure.Diagnostics --name IaaSDiagnostics --version 1.5 --resource-group company-resource-group --vm-name company-windows --protected-settings protected_settings.json --settings public_settings.json --subscription uuid
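As an added example (not SEKOIA.IO's or Microsoft's code), the following Python builds a minimal public settings document for a list of event log names (including the Sysmon log mentioned above) and cross-checks it against the protected settings before the az vm extension set call, since Url, SharedAccessKeyName and StorageAccount must agree between the two files. The builder keeps only the HotPath Event Hub sink from the page's sample (no applicationInsights sink), and the function names and key values are constructed for illustration.

```python
from typing import Dict, List

def build_public_settings(namespace: str, hub: str, policy: str,
                          storage: str, channels: List[str]) -> Dict:
    """Minimal public_settings.json: forward `channels` to one Event Hub sink.
    A channel is written as "<log name>!*" (every event of that log)."""
    return {
        "WadCfg": {
            "DiagnosticMonitorConfiguration": {
                "overallQuotaInMB": 4096,
                "WindowsEventLog": {
                    "scheduledTransferPeriod": "PT1M",
                    "DataSource": [{"name": f"{c}!*"} for c in channels],
                    "sinks": "HotPath",
                },
            },
            "SinksConfig": {"Sink": [{
                "name": "HotPath", "type": "JsonBlob",
                "EventHub": {
                    "Url": f"https://{namespace}.servicebus.windows.net/{hub}",
                    "SharedAccessKeyName": policy,
                },
            }]},
        },
        "StorageAccount": storage,
    }

def check_settings(public: Dict, protected: Dict) -> List[str]:
    """List the mismatches between public and protected settings that would
    make the extension fail to start or forward nothing. Empty list == OK."""
    problems = []
    cfg = public["WadCfg"]
    sinks = cfg["SinksConfig"]["Sink"]
    hub_sinks = [s for s in sinks if "EventHub" in s]
    if not hub_sinks:
        problems.append("no EventHub sink defined in public settings")
    for s in hub_sinks:  # Url and policy name must be identical in both files
        for key in ("Url", "SharedAccessKeyName"):
            if s["EventHub"].get(key) != protected["EventHub"].get(key):
                problems.append(f"EventHub.{key} differs between public and protected settings")
    if public.get("StorageAccount") != protected.get("storageAccountName"):
        problems.append("StorageAccount != storageAccountName")
    if not protected["EventHub"].get("SharedAccessKey"):
        problems.append("SharedAccessKey missing from protected settings")
    used = cfg["DiagnosticMonitorConfiguration"]["WindowsEventLog"]["sinks"]
    if used not in {s["name"] for s in sinks}:
        problems.append(f"WindowsEventLog sink '{used}' is not defined in SinksConfig")
    return problems
```

Run check_settings on the two JSON files (loaded with json.load) before pushing; an empty list means the files are consistent.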
Sysmon
The Sysmon tool from Microsoft can improve detection on Windows computers. You can download the tool from the Microsoft website. If you do not know how to use and configure it, please check the SwiftOnSecurity GitHub repository.
Forward the Connection Keys to SEKOIA.IO
Finally, please send the following information to SEKOIA.IO:
- Azure Event Hub’s “Connection string-primary key” (e.g. "Endpoint=sb://company-eventhub.servicebus.windows.net/;SharedAccessKeyName=sekoiaio;SharedAccessKey=XXXXXX;EntityPath=windows-event").
- Azure Event Hub’s consumer group name (e.g. sekoiaio).
- Azure Blob Storage’s connection string (e.g. "DefaultEndpointsProtocol=https;AccountName=sekoiaiocheckpoint;AccountKey=XXXXX").