Microsoft Windows Security Event Log sample event messages
Sample Microsoft Windows Security Event Log messages when you use WinCollect
The following sample has an event ID of 4624 that shows a successful logon for the user <account_name> from source IP address 10.0.0.1 to destination IP 10.0.0.2.
<13>May 08 10:45:44 microsoft.windows.test AgentDevice=WindowsLog<tab>AgentLogFile=Security<tab>PluginVersion=7.2.9.108<tab>Source=Microsoft-Windows-Security-Auditing<tab>Computer=microsoft.windows.test<tab>OriginatingComputer=10.0.0.2<tab>User=<tab>Domain=<tab>EventID=4624<tab>EventIDCode=4624<tab>EventType=8<tab>EventCategory=12544<tab>RecordNumber=649155826<tab>TimeGenerated=1588945541<tab>TimeWritten=1588945541<tab>Level=Log Always<tab>Keywords=Audit Success<tab>Task=SE_ADT_LOGON_LOGON<tab>Opcode=Info<tab>Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: account_name$ Account Domain: account_domain Logon ID: 0x3E7 Logon Information: Logon Type: 10 Restricted Admin Mode: No Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: account_domain\account_name Account Name: account_name Account Domain: domain_name Logon ID: 0x9A4D3C17 Linked Logon ID: 0x9A4D3CD6 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3e4 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: workstation_name Source Network Address: 10.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. 
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
The following sample has an event ID of 4624 that shows a successful logon for the user <target_user_name> from source IP address 10.0.0.1.
<13>May 08 14:54:03 microsoft.windows.test AgentDevice=NetApp\tAgentLogFile=Security\tPluginVersion=7.2.9.108\tSource=NetApp-Security-Auditing\tComputer=00000000-0000-000000005-000000000000/11111111-1111-1111-1111-111111111111\tOriginatingComputer=00000000-0000-0000-0000-000000000000/11111111-1111-1111-1111-111111111111\tUser=\tDomain=\tEventID=4624\tEventIDCode=4624\tEventType=8\tEventCategory=0\tRecordNumber=6706\tTimeGenerated=1588960308\tTimeWritten=1588960308\tLevel=LogAlways\tKeywords=AuditSuccess\tTask=None\tOpcode=Info\tMessage=IpAddress=10.0.0.1 IpPort=49155 TargetUserSID=S-0-0-00-00000000-0000000000-0000000000-0000 TargetUserName=target_user_name TargetUserIsLocal=false TargetDomainName=target_domain_name AuthenticationPackageName=NTLM_V2 LogonType=3 ObjectType=(null) HandleID=(null) ObjectName=(null) AccessList=(null) AccessMask=(null) DesiredAccess=(null) Attributes=(null)
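Both WinCollect samples above are a syslog header followed by tab-separated key=value fields, with the Windows event text flattened into the Message field. The following parser is an added example, not code from the page or from WinCollect: it splits the fields and pulls the logon type, the New Logon account, the source address and the authentication package out of a 4624 message in either of the two shapes shown (the native Security channel text and the NetApp-relayed key=value variant). SAMPLE_4624 is a constructed, abridged copy of the first sample.

```python
import re
from typing import Dict, Optional

# Syslog header as WinCollect emits it: <PRI>Mon DD HH:MM:SS host payload
HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
                       r"(?P<host>\S+) (?P<payload>.*)$", re.S)

def parse_wincollect(line: str) -> Dict[str, str]:
    """Split one WinCollect syslog line into its tab-separated key=value fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a WinCollect syslog line")
    payload = m.group("payload")
    # A live feed carries real tabs; the published samples print the separator as '<tab>'
    # or '\t', so those placeholders are expanded only when no real tab is present.
    if "\t" not in payload:
        payload = payload.replace("<tab>", "\t").replace("\\t", "\t")
    fields = {"pri": m.group("pri"), "timestamp": m.group("ts"), "host": m.group("host")}
    for part in payload.split("\t"):
        key, sep, value = part.partition("=")  # Message= keeps any later '=' in its value
        if sep:
            fields[key] = value
    return fields

def logon_summary(fields: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Pull the fields a 4624 triage needs (who, from where, how) out of the Message text."""
    msg = fields.get("Message", "")
    def grab(pattern: str, text: str) -> Optional[str]:
        hit = re.search(pattern, text)
        return hit.group(1) if hit else None
    if "LogonType=" in msg:  # NetApp-relayed 4624 (second sample): space-separated key=value
        kv = dict(p.split("=", 1) for p in msg.split() if "=" in p)
        return {"event_id": fields.get("EventID"), "logon_type": kv.get("LogonType"),
                "account": kv.get("TargetUserName"), "source_address": kv.get("IpAddress"),
                "auth_package": kv.get("AuthenticationPackageName")}
    # 'Account Name' occurs twice (Subject and New Logon); only the New Logon one is wanted.
    new_logon = re.search(r"New Logon:(.*?)Process Information:", msg, re.S)
    return {
        "event_id": fields.get("EventID"),
        "logon_type": grab(r"Logon Type:\s*(\d+)", msg),
        "account": grab(r"Account Name:\s*(\S+)", new_logon.group(1)) if new_logon else None,
        "source_address": grab(r"Source Network Address:\s*(\S+)", msg),
        "auth_package": grab(r"Authentication Package:\s*(\S+)", msg),
    }

# Constructed sample in the shape of the first WinCollect message above (Message abridged).
SAMPLE_4624 = "<13>May 08 10:45:44 microsoft.windows.test " + "<tab>".join([
    "AgentDevice=WindowsLog", "OriginatingComputer=10.0.0.2", "EventID=4624", "EventIDCode=4624",
    "Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\\SYSTEM "
    "Account Name: account_name$ Logon ID: 0x3E7 Logon Information: Logon Type: 10 "
    "New Logon: Security ID: account_domain\\account_name Account Name: account_name "
    "Account Domain: domain_name Process Information: Process ID: 0x3e4 Network Information: "
    "Source Network Address: 10.0.0.1 Source Port: 0 Detailed Authentication Information: "
    "Logon Process: User32 Authentication Package: Negotiate Key Length: 0",
])
```

A logon type of 10 with a non-local source address is the remote-interactive (RDP-style) case that most detection content keys on, which is why the summary keeps those two fields side by side.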
Sample Microsoft Windows Security Event Log message when you use Syslog to collect logs in Snare format
The following sample has an event ID of 4724 that shows an attempt was made to reset an account's password, and that the account name Administrator made the attempt.
<133>Aug 15 23:12:08 microsoft.windows.test MSWinEventLog<tab>1<tab>Security<tab>839<tab>Wed Aug 15 23:12:08 2012<tab>4724<tab>Microsoft-Windows-Security-Auditing<tab>user<tab>N/A<tab>Success Audit<tab>w2k8<tab>User Account Management<tab>An attempt was made to reset an account's password. Subject: Security ID: subject_security_id Account Name: Administrator Account Domain: DOMAIN Logon ID: 0x5cbdf Target Account: Security ID: target_security_id Account Name: target_account_name Account Domain: DOMAIN 355
Sample Microsoft Windows Security Event Log message when you use Syslog to collect logs in LEEF format
The following sample has an event ID of 8194 that shows the event generated a Volume Shadow Copy Service error that was initiated by the user <user_name>.
<131>Apr 04 10:03:18 microsoft.windows.test LEEF:1.0|Microsoft|Windows|2k8r2|8194|devTime=2019-04-04T10:03:18GMT+02:00<tab>devTimeFormat=yyyy-MM-dd'T'HH:mm:ssz<tab>cat=Error<tab>sev=2<tab>resource=microsoft.windows.test<tab>usrName=domain_name\user_name<tab>application=Group Policy Registry<tab>message=domain_name\user_name: Application Group Policy Registry: [Error] The client-side extension could not apply computer policy settings for '00 - C - Domain - Baseline (Enforced) {00000000-0000-0000-0000-000000000000}' because it failed with error code '0x80070002 The system cannot find the file specified.' See trace file for more details. (EventID 8194)
Sample Microsoft Windows Security Event Log message when you use Syslog to collect logs in CEF format
The following sample has an event ID of 7036 (Service stopped) that shows a service entered the stopped state.
CEF:0|Microsoft|Microsoft Windows||Service Control Manager:7036|Service entered the stopped state|Low| eventId=132 externalId=7036 categorySignificance=/Normal categoryBehavior=/Execute/Response categoryDeviceGroup=/Operating System catdt=Operating System categoryOutcome=/Success categoryObject=/Host/Application/Service art=1358378879917 cat=System deviceSeverity=Information act=stopped rt=1358379018000 destinationServiceName=Portable Device Enumerator Service cs2=0 cs3=Service Control Manager cs2Label=EventlogCategory cs3Label=EventSource cs4Label=Reason or Error Code ahost=192.168.0.31 agt=192.168.0.31 agentZoneURI=/All Zones/example System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 av=5.2.5.6395.0 atz=Country/City_Name aid=00000000000000000000000\\=\\= at=windowsfg dvchost=host.domain.test dtz=Country/City_Name _cefVer=0.1 ad.Key[0]=Portable Device Enumerator Service ad.Key[1]=stopped ad.User= ad.ComputerName=host.domain.test ad.DetectTime=2013-1-16 15:30:18 ad.EventS
Sample Microsoft Windows Security Event Log message when you use Syslog to collect logs by using Winlogbeats
The following sample has the event ID 'System' that shows NtpClient was unable to set a manual peer to use as a time source.
{"@timestamp":"2017-02-13T01:54:07.745Z","beat":{"hostname":"microsoft.windows.test","name":"microsoft.windows.test","version":"5.6.3"},"computer_name":"microsoft.windows.test","event_data":{"DomainPeer":"time.windows.test,0x9","ErrorMessage":"No such host is known. (0x80072AF9)","RetryMinutes":"15"},"event_id":134,"level":"Warning","log_name":"System","message":"NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.test,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)","opcode":"Info","process_id":996,"provider_guid":"{00000000-0000-0000-0000-000000000000}","record_number":"40292","source_name":"Microsoft-Windows-Time-Service","thread_id":3312,"type":"wineventlog","user":{"domain":"NT AUTHORITY","identifier":"user_identifier","name":"LOCAL SERVICE","type":"Well Known Group"}}
Sample Microsoft Windows Security Event Log message when you use Syslog to collect logs by using Azure Event Hubs
The following sample has an event ID of 5061 that shows a cryptographic operation was completed by the user <subject_user_name>.
{"time":"2019-05-07T17:53:30.0648172Z","category":"WindowsEventLogsTable","level":"Informational","properties":{"DeploymentId":"00000000-0000-0000-0000-000000000000","Role":"IaaS","RoleInstance":"_role_instance","ProviderGuid":"{00000000-0000-0000-0000-000000000000}","ProviderName":"Microsoft-Windows-Security-Auditing","EventId":5061,"Level":0,"Pid":700,"Tid":1176,"Opcode":0,"Task":12290,"Channel":"Security","Description":"Cryptographic operation.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tsecurity_id\r\n\tAccount Name:\t\taccount_name\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nCryptographic Parameters:\r\n\tProvider Name:\tMicrosoft Software Key Storage Provider\r\n\tAlgorithm Name:\tRSA\r\n\tKey Name:\t{11111111-1111-1111-1111-111111111111}\r\n\tKey Type:\tMachine key.\r\n\r\nCryptographic Operation:\r\n\tOperation:\tOpen Key.\r\n\tReturn Code:\t0x0","RawXml":"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{22222222-2222-2222-2222-222222222222}'/><EventID>5061</EventID><Version>0</Version><Level>0</Level><Task>12290</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2019-05-07T17:53:30.064817200Z'/><EventRecordID>291478</EventRecordID><Correlation ActivityID='{33333333-3333-3333-3333-333333333333}'/><Execution ProcessID='700' ThreadID='1176'/><Channel>Security</Channel><Computer>computer_name</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>subject_user_sid</Data><Data Name='SubjectUserName'>subject_user_name</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='ProviderName'>Microsoft Software Key Storage Provider</Data><Data Name='AlgorithmName'>RSA</Data><Data Name='KeyName'>{44444444-4444-4444-4444-444444444444}</Data><Data Name='KeyType'>%%2499</Data><Data Name='Operation'>%%2480</Data><Data Name='ReturnCode'>0x0</Data></EventData></Event>"}}
Azure Monitor Agent support for Microsoft Windows Security Event Logs from Sentinel
Azure Monitor Agent (AMA) supports Microsoft Windows event logs by using Microsoft Sentinel. Logs from AMA that arrive through Event Hub, including Application and System logs, are also supported.
- Windows Security Event Log (by using Sentinel from Event Hub)
{"TimeGenerated":"2025-02-12T11:13:35.1159672Z","SourceSystem":"OpsManager","Computer":"amawintestvm","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":13571,"Level":"0","EventLevelName":"LogAlways","EventData":"<EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><Data Name=\"RuleId\">CoreNet-IPHTTPS-In</Data><Data Name=\"RuleName\">Core Networking - IPHTTPS (TCP-In)</Data><Data Name=\"RuleAttr\">Local Port</Data></EventData>","EventID":4957,"Activity":"4957 - Windows Firewall did not apply the following rule:","SourceComputerId":"123123123-a979-4eb8-99cb-123123123","EventOriginId":"1111111-a979-4eb8-99cb-1111111","MG":"00000000-0000-0000-0000-000000000001","TimeCollected":"2025-02-12T11:14:07.1041483Z","ManagementGroupName":"AOI-1111111-3f02-4cea-962d-1111111","SystemUserId":"N/A","Version":0,"Opcode":"0","Keywords":"0x8010000000000000","Correlation":"{1111111-201D-4B85-9BD0-1111111}","SystemProcessId":632,"SystemThreadId":676,"EventRecordId":"26004","_ItemId":"1111111-e932-11ef-933c-1111111","_Internal_WorkspaceResourceId":"/subscriptions/1111111-1c76-41d7-8443-1111111/resourcegroups/amawintestrcgp/providers/microsoft.operationalinsights/workspaces/amawintestloganaws","Type":"SecurityEvent","TenantId":"1111111-3f02-4cea-962d-1111111","_ResourceId":"/subscriptions/1111111-1c76-41d7-8443-1111111/resourceGroups/AMAWINTESTRCGP/providers/Microsoft.Compute/virtualMachines/amawintestvm"}
- Sample Application log
{"Computer":"amawintestvm","EventCategory":0,"EventData":"<DataItem Type=\"System.XmlData\" time=\"2025-02-13T04:46:19.119850200Z\" sourceHealthServiceId=\"1111111-a979-4eb8-99cb-1111111\"><EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><Data /><Data>0</Data><Data>WindowsUpdateFailure3</Data><Data>Not available</Data><Data>0</Data><Data>123.123.123.123</Data><Data>80240032</Data><Data>00000000-0000-0000-0000-000000000000</Data><Data>Scan</Data><Data>0</Data><Data>0</Data><Data>0</Data><Data>&lt;&lt;PROCESS&gt;&gt;: powershell.exe</Data><Data>{00000000-0000-0000-0000-000000000000}</Data><Data>0</Data><Data /><Data /><Data /><Data>0</Data><Data>1111111-e9c5-11ef-a811-1111111</Data><Data>262144</Data><Data /></EventData></DataItem>","EventID":1001,"EventLevel":4,"EventLevelName":"Information","EventLog":"Application","MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-1111111-3f02-4cea-962d-1111111","ParameterXml":"<Param></Param><Param>0</Param><Param>WindowsUpdateFailure3</Param><Param>Not available</Param><Param>0</Param><Param>10.0.14393.1111111</Param><Param>80240032</Param><Param>00000000-0000-0000-0000-000000000000</Param><Param>Scan</Param><Param>0</Param><Param>0</Param><Param>0</Param><Param>&lt;&lt;PROCESS&gt;&gt;: powershell.exe</Param><Param>{00000000-0000-0000-0000-000000000000}</Param><Param>0</Param><Param></Param><Param></Param><Param></Param><Param>0</Param><Param>123123-e9c5-11ef-123-123</Param><Param>262144</Param><Param></Param>","RenderedDescription":"Fault bucket , type 0 Event Name: WindowsUpdateFailure3 Response: Not available Cab Id: 0 Problem signature: P1: 10.0.14393.7330 P2: 80240032 P3: 00000000-0000-0000-0000-000000000000 P4: Scan P5: 0 P6: 0 P7: 0 P8: <<PROCESS>>: powershell.exe P9: {00000000-0000-0000-0000-000000000000} P10: 0 Attached files: These files may be available here: Analysis symbol: Rechecking for solution: 0 Report Id: 752be549-e9c5-11ef-a811-7c1e52166a41 Report Status: 262144 
Hashed bucket: ","Source":"Windows Error Reporting","SourceSystem":"OpsManager","TenantId":"123123-3f02-4cea-962d-123123","TimeGenerated":"2025-02-13T04:46:19.1198502Z","Type":"Event","UserName":"N/A","_ItemId":"1111111-e9c5-11ef-933b-1111111","_Internal_WorkspaceResourceId":"/subscriptions/1111111-1c76-41d7-8443-1111111/resourcegroups/amawintestrcgp/providers/microsoft.operationalinsights/workspaces/amawintestloganaws","_ResourceId":"/subscriptions/1111111-1c76-41d7-8443-1111111/resourceGroups/AMAWINTESTRCGP/providers/Microsoft.Compute/virtualMachines/amawintestvm"}
- Sample System log
{"Computer":"amawintestvm","EventCategory":0,"EventData":"<DataItem Type=\"System.XmlData\" time=\"2025-02-13T04:23:12.558440300Z\" sourceHealthServiceId=\"1111111-a979-4eb8-99cb-1111111\"><EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><Data Name=\"param1\">Windows Defender Advanced Threat Protection Service</Data><Binary>530065006E00730065000000</Binary></EventData></DataItem>","EventID":7043,"EventLevel":2,"EventLevelName":"Error","EventLog":"System","MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-1111111-3f02-4cea-962d-1111111","ParameterXml":"<Param>Windows Defender Advanced Threat Protection Service</Param>","RenderedDescription":"The Windows Defender Advanced Threat Protection Service service did not shut down properly after receiving a preshutdown control.","Source":"Service Control Manager","SourceSystem":"OpsManager","TenantId":"1111111-3f02-4cea-962d-1111111","TimeGenerated":"2025-02-13T04:23:12.5584403Z","Type":"Event","UserName":"N/A","_ItemId":"1111111-e9c2-11ef-933c-1111111","_Internal_WorkspaceResourceId":"/subscriptions/1111111-1c76-41d7-8443-1111111/resourcegroups/amawintestrcgp/providers/microsoft.operationalinsights/workspaces/amawintestloganaws","_ResourceId":"/subscriptions/1111111-1c76-41d7-8443-1111111/resourceGroups/AMAWINTESTRCGP/providers/Microsoft.Compute/virtualMachines/amawintestvm"}
Sample Microsoft Windows Security Event Log messages when you use Graylog Server to collect syslog in CEF format
The following sample has an event ID of 4690 that shows an attempt was made to duplicate a handle to an object.
<14>CEF:0|Graylog|graylog-output-syslog:cefsender|2.3.1|log:1|111-1111-111-11-1111|3|Task=11111 Keywords=-9214364837600034816 Category=Handle Manipulation EventType=AUDIT_SUCCESS gl2_remote_ip=10.10.1.4 gl2_remote_port=49687 SourceProcessId=xxxx Opcode=Info source=SBE-1111 gl2_source_input=bbb1111111 SeverityValue=2 Version=0 SubjectDomainName=WORKGROUP gl2_source_node=111-1111-111-11-1111 ProcessID=4 SourceHandleId=xxxx timestamp=2024-12-06T13:12:35.000Z OpcodeValue=0 SourceModuleType=im_msvistalog level=6 Channel=Security gl2_message_id=111111 SourceName=Microsoft-Windows-Security-Auditing Severity=INFO SubjectLogonId=xxxx EventReceivedTime=2024-12-06 14:12:36 PlantID=1111 SourceModuleName=eventlog ProviderGuid={111-1111-111-11-1111} SubjectUserName=SBE-1111$ TargetProcessId=0x4 ThreadID=1111 TargetHandleId=0x1b58 EventID=4690 _id=111-1111-111-11-1111 RecordNumber=79577829 SubjectUserSid=S-1-5-18 start=1733490755000 msg=An attempt was made to duplicate a handle to an object. Requester: Security ID: S-1-5-18 Account Name: SBE-1111$ Account Domain: WORKGROUP Logon ID: xxxxx Source Handle Information: Source Handle ID: 0x1e4 Source Process ID: 0xeb0 New Handle Information: Target Handle ID: xxxxx Target Process ID: 0x4 externalId=111-1111-111-11-1111