Microsoft Windows Security Event Log sample messages when you use WinCollect
The following sample has an event ID of 4624 that shows a successful logon for the user <account_name> from source IP address 10.0.0.1 to destination IP address 10.0.0.2. In the Message, Logon Type 10 is a RemoteInteractive (Terminal Services or RDP) logon, and the account that was logged on is the one in the New Logon fields, not the Subject fields, which name the local account (here SYSTEM) that requested the logon.
<13>May 08 10:45:44 microsoft.windows.test AgentDevice=WindowsLog<tab>AgentLogFile=Security<tab>PluginVersion=7.2.9.108<tab>Source=Microsoft-Windows-Security-Auditing<tab>Computer=microsoft.windows.test<tab>OriginatingComputer=10.0.0.2<tab>User=<tab>Domain=<tab>EventID=4624<tab>EventIDCode=4624<tab>EventType=8<tab>EventCategory=12544<tab>RecordNumber=649155826<tab>TimeGenerated=1588945541<tab>TimeWritten=1588945541<tab>Level=Log Always<tab>Keywords=Audit Success<tab>Task=SE_ADT_LOGON_LOGON<tab>Opcode=Info<tab>Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: account_name$ Account Domain: account_domain Logon ID: 0x3E7 Logon Information: Logon Type: 10 Restricted Admin Mode: No Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: account_domain\account_name Account Name: account_name Account Domain: domain_name Logon ID: 0x9A4D3C17 Linked Logon ID: 0x9A4D3CD6 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3e4 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: workstation_name Source Network Address: 10.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. 
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
The following sample has an event ID of 4624 that shows a successful logon for the user <target_user_name> from source IP address 10.0.0.1. It is a NetApp audit event forwarded by WinCollect, so the Message is a flat list of key=value pairs rather than rendered Windows text.
<13>May 08 14:54:03 microsoft.windows.test AgentDevice=NetApp\tAgentLogFile=Security\tPluginVersion=7.2.9.108\tSource=NetApp-Security-Auditing\tComputer=00000000-0000-000000005-000000000000/11111111-1111-1111-1111-111111111111\tOriginatingComputer=00000000-0000-0000-0000-000000000000/11111111-1111-1111-1111-111111111111\tUser=\tDomain=\tEventID=4624\tEventIDCode=4624\tEventType=8\tEventCategory=0\tRecordNumber=6706\tTimeGenerated=1588960308\tTimeWritten=1588960308\tLevel=LogAlways\tKeywords=AuditSuccess\tTask=None\tOpcode=Info\tMessage=IpAddress=10.0.0.1 IpPort=49155 TargetUserSID=S-0-0-00-00000000-0000000000-0000000000-0000 TargetUserName=target_user_name TargetUserIsLocal=false TargetDomainName=target_domain_name AuthenticationPackageName=NTLM_V2 LogonType=3 ObjectType=(null) HandleID=(null) ObjectName=(null) AccessList=(null) AccessMask=(null) DesiredAccess=(null) Attributes=(null)
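As an added example (not QRadar, WinCollect or Microsoft code) of what a collector has to do with the two WinCollect samples above: split the tab-delimited key=value fields, then reduce both the rendered Security-Auditing Message and the NetApp key=value Message to one logon record. The trimmed sample strings, the handling of the "<tab>" and "\t" renderings of the separator, and the output key names are this example's own assumptions.

```python
"""Normalise the two WinCollect 4624 samples above into one record shape.

Added example for this page; not QRadar, WinCollect or Microsoft code.
Both inputs are trimmed copies of the page's own WinCollect samples (the
explanatory text at the end of the Windows Message is dropped), and the
keys of the returned dict are this example's own naming.
"""
import re

# WinCollect separates fields with a tab. The page renders it as "<tab>" in
# one sample and as a literal "\t" in the other, so accept both plus a real tab.
FIELD_SEP = re.compile(r"<tab>|\\t|\t")

# Well-known meanings of the 4624 "Logon Type" value.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

WINDOWS_SAMPLE = (  # constructed: trimmed from the page's first WinCollect sample
    "<13>May 08 10:45:44 microsoft.windows.test AgentDevice=WindowsLog<tab>"
    "AgentLogFile=Security<tab>Source=Microsoft-Windows-Security-Auditing<tab>"
    "Computer=microsoft.windows.test<tab>OriginatingComputer=10.0.0.2<tab>"
    "EventID=4624<tab>Keywords=Audit Success<tab>Message=An account was "
    "successfully logged on. Subject: Security ID: NT AUTHORITY\\SYSTEM "
    "Account Name: account_name$ Account Domain: account_domain Logon ID: 0x3E7 "
    "Logon Information: Logon Type: 10 Restricted Admin Mode: No Elevated "
    "Token: Yes New Logon: Security ID: account_domain\\account_name "
    "Account Name: account_name Account Domain: domain_name Logon ID: 0x9A4D3C17 "
    "Process Information: Process ID: 0x3e4 Process Name: "
    "C:\\Windows\\System32\\svchost.exe Network Information: Workstation Name: "
    "workstation_name Source Network Address: 10.0.0.1 Source Port: 0 "
    "Detailed Authentication Information: Logon Process: User32 "
    "Authentication Package: Negotiate"
)
NETAPP_SAMPLE = (  # constructed: trimmed from the page's NetApp-through-WinCollect sample
    "<13>May 08 14:54:03 microsoft.windows.test AgentDevice=NetApp\\t"
    "AgentLogFile=Security\\tSource=NetApp-Security-Auditing\\tEventID=4624\\t"
    "Keywords=AuditSuccess\\tMessage=IpAddress=10.0.0.1 IpPort=49155 "
    "TargetUserName=target_user_name TargetUserIsLocal=false "
    "TargetDomainName=target_domain_name AuthenticationPackageName=NTLM_V2 "
    "LogonType=3 ObjectType=(null)"
)


def parse_wincollect(line):
    """Split a WinCollect syslog line into its syslog prefix and a field dict."""
    start = line.index("AgentDevice=")
    fields = {}
    for chunk in FIELD_SEP.split(line[start:]):
        key, _, value = chunk.partition("=")  # the Message value may itself contain '='
        fields[key] = value
    return line[:start].rstrip(), fields


def _labelled(text, label):
    """First 'Label: value' token in a rendered Security-Auditing message."""
    match = re.search(re.escape(label) + r":\s+(\S+)", text)
    return match.group(1) if match else None


def normalise_4624(fields):
    """Return a flat logon record for event 4624, or None for any other event."""
    if fields.get("EventID") != "4624":
        return None
    msg = fields.get("Message", "")
    if fields.get("Source") == "Microsoft-Windows-Security-Auditing":
        # Rendered text: the account that logged on is under "New Logon:";
        # "Subject:" is the local account that requested the logon (usually
        # SYSTEM), so look only at the tail of the message for the target.
        new_logon = msg.split("New Logon:", 1)[-1]
        logon_type = int(_labelled(msg, "Logon Type") or 0)
        return {
            "event_id": 4624, "logon_type": logon_type,
            "logon_type_name": LOGON_TYPES.get(logon_type, "Unknown"),
            "target_user": _labelled(new_logon, "Account Name"),
            "target_domain": _labelled(new_logon, "Account Domain"),
            "source_ip": _labelled(msg, "Source Network Address"),
            "auth_package": _labelled(msg, "Authentication Package"),
            "accessed_host": fields.get("OriginatingComputer"),
        }
    # Structured key=value Message (the NetApp-Security-Auditing sample).
    kv = dict(re.findall(r"(\w+)=(\S+)", msg))
    logon_type = int(kv.get("LogonType") or 0)
    return {
        "event_id": 4624, "logon_type": logon_type,
        "logon_type_name": LOGON_TYPES.get(logon_type, "Unknown"),
        "target_user": kv.get("TargetUserName"),
        "target_domain": kv.get("TargetDomainName"),
        "source_ip": kv.get("IpAddress"),
        "auth_package": kv.get("AuthenticationPackageName"),
        "accessed_host": fields.get("OriginatingComputer"),
    }


def summarise(line):
    """Syslog line in, normalised 4624 record (or None) out."""
    _, fields = parse_wincollect(line)
    return normalise_4624(fields)


if __name__ == "__main__":
    for sample in (WINDOWS_SAMPLE, NETAPP_SAMPLE):
        print(summarise(sample))
```

The record deliberately keeps the logon type and the authentication package next to the source address: a type 10 logon with Negotiate from an unexpected subnet, or a type 3 logon with NTLM_V2 against a file server that should only see Kerberos, is the kind of combination a detection rule wants to see in one row.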
Microsoft Windows Security Event Log sample message when you use Syslog to collect logs in Snare format
The following sample has an event ID of 4724 that shows an attempt was made to reset an account's password, and that the attempt was made by the account named Administrator.
<133>Aug 15 23:12:08 microsoft.windows.test MSWinEventLog<tab>1<tab>Security<tab>839<tab>Wed Aug 15 23:12:08 2012<tab>4724<tab>Microsoft-Windows-Security-Auditing<tab>user<tab>N/A<tab>Success Audit<tab>w2k8<tab>User Account Management<tab>An attempt was made to reset an account's password. Subject: Security ID: subject_security_id Account Name: Administrator Account Domain: DOMAIN Logon ID: 0x5cbdf Target Account: Security ID: target_security_id Account Name: target_account_name Account Domain: DOMAIN 355
Microsoft Windows Security Event Log sample message when you use Syslog to collect logs in LEEF format
The following sample has an event ID of 8194 that shows an error raised by the Group Policy Registry client-side extension, which could not apply computer policy settings (error code 0x80070002); the event is attributed to the user <user_name> in the usrName field.
<131>Apr 04 10:03:18 microsoft.windows.test LEEF:1.0|Microsoft|Windows|2k8r2|8194|devTime=2019-04-04T10:03:18GMT+02:00<tab>devTimeFormat=yyyy-MM-dd'T'HH:mm:ssz<tab>cat=Error<tab>sev=2<tab>resource=microsoft.windows.test<tab>usrName=domain_name\user_name<tab>application=Group Policy Registry<tab>message=domain_name\user_name: Application Group Policy Registry: [Error] The client-side extension could not apply computer policy settings for '00 - C - Domain - Baseline (Enforced) {00000000-0000-0000-0000-000000000000}' because it failed with error code '0x80070002 The system cannot find the file specified.' See trace file for more details. (EventID 8194)
Microsoft Windows Security Event Log sample message when you use Syslog to collect logs in CEF format
The following sample has an event ID of 7036 (Service Stopped) that shows a service entered the stopped state.
CEF:0|Microsoft|Microsoft Windows||Service Control Manager:7036|Service entered the stopped state|Low| eventId=132 externalId=7036 categorySignificance=/Normal categoryBehavior=/Execute/Response categoryDeviceGroup=/Operating System catdt=Operating System categoryOutcome=/Success categoryObject=/Host/Application/Service art=1358378879917 cat=System deviceSeverity=Information act=stopped rt=1358379018000 destinationServiceName=Portable Device Enumerator Service cs2=0 cs3=Service Control Manager cs2Label=EventlogCategory cs3Label=EventSource cs4Label=Reason or Error Code ahost=192.168.0.31 agt=192.168.0.31 agentZoneURI=/All Zones/example System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 av=5.2.5.6395.0 atz=Country/City_Name aid=00000000000000000000000\\=\\= at=windowsfg dvchost=host.domain.test dtz=Country/City_Name _cefVer=0.1 ad.Key[0]=Portable Device Enumerator Service ad.Key[1]=stopped ad.User= ad.ComputerName=host.domain.test ad.DetectTime=2013-1-16 15:30:18 ad.EventS
Microsoft Windows Security Event Log sample message when you use Syslog to collect logs by using Winlogbeats
The following sample is a System log event (event ID 134) that shows NtpClient was unable to set a manual peer to use as a time source.
{"@timestamp":"2017-02-13T01:54:07.745Z","beat":{"hostname":"microsoft.windows.test","name":"microsoft.windows.test","version":"5.6.3"},"computer_name":"microsoft.windows.test","event_data":{"DomainPeer":"time.windows.test,0x9","ErrorMessage":"No such host is known. (0x80072AF9)","RetryMinutes":"15"},"event_id":134,"level":"Warning","log_name":"System","message":"NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.test,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)","opcode":"Info","process_id":996,"provider_guid":"{00000000-0000-0000-0000-000000000000}","record_number":"40292","source_name":"Microsoft-Windows-Time-Service","thread_id":3312,"type":"wineventlog","user":{"domain":"NT AUTHORITY","identifier":"user_identifier","name":"LOCAL SERVICE","type":"Well Known Group"}}
Microsoft Windows Security Event Log sample message when you use Syslog to collect logs by using Azure Event Hubs
The following sample has an event ID of 5061 that shows a cryptographic operation completed by the user <subject_user_name>.
{"time":"2019-05-07T17:53:30.0648172Z","category":"WindowsEventLogsTable","level":"Informational","properties":{"DeploymentId":"00000000-0000-0000-0000-000000000000","Role":"IaaS","RoleInstance":"_role_instance","ProviderGuid":"{00000000-0000-0000-0000-000000000000}","ProviderName":"Microsoft-Windows-Security-Auditing","EventId":5061,"Level":0,"Pid":700,"Tid":1176,"Opcode":0,"Task":12290,"Channel":"Security","Description":"Cryptographic operation.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tsecurity_id\r\n\tAccount Name:\t\taccount_name\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nCryptographic Parameters:\r\n\tProvider Name:\tMicrosoft Software Key Storage Provider\r\n\tAlgorithm Name:\tRSA\r\n\tKey Name:\t{11111111-1111-1111-1111-111111111111}\r\n\tKey Type:\tMachine key.\r\n\r\nCryptographic Operation:\r\n\tOperation:\tOpen Key.\r\n\tReturn Code:\t0x0","RawXml":"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{22222222-2222-2222-2222-222222222222}'/><EventID>5061</EventID><Version>0</Version><Level>0</Level><Task>12290</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2019-05-07T17:53:30.064817200Z'/><EventRecordID>291478</EventRecordID><Correlation ActivityID='{33333333-3333-3333-3333-333333333333}'/><Execution ProcessID='700' ThreadID='1176'/><Channel>Security</Channel><Computer>computer_name</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>subject_user_sid</Data><Data Name='SubjectUserName'>subject_user_name</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='ProviderName'>Microsoft Software Key Storage Provider</Data><Data Name='AlgorithmName'>RSA</Data><Data Name='KeyName'>{44444444-4444-4444-4444-444444444444}</Data><Data Name='KeyType'>%%2499</Data><Data Name='Operation'>%%2480</Data><Data Name='ReturnCode'>0x0</Data></EventData></Event>"}}
Azure Monitor Agent support for Microsoft Windows security events and logs from Sentinel
Azure Monitor Agent (AMA) supports Microsoft Windows event logs collected through Microsoft Sentinel. Logs that AMA forwards by way of Event Hub are also supported, including the Application and System logs.
- Windows Security Event log sample (using Sentinel from Event Hub)
{"TimeGenerated":"2025-02-12T11:13:35.1159672Z","SourceSystem":"OpsManager","Computer":"amawintestvm","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":13571,"Level":"0","EventLevelName":"LogAlways","EventData":"<EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><Data Name=\"RuleId\">CoreNet-IPHTTPS-In</Data><Data Name=\"RuleName\">Core Networking - IPHTTPS (TCP-In)</Data><Data Name=\"RuleAttr\">Local Port</Data></EventData>","EventID":4957,"Activity":"4957 - Windows Firewall did not apply the following rule:","SourceComputerId":"123123123-a979-4eb8-99cb-123123123","EventOriginId":"1111111-a979-4eb8-99cb-1111111","MG":"00000000-0000-0000-0000-000000000001","TimeCollected":"2025-02-12T11:14:07.1041483Z","ManagementGroupName":"AOI-1111111-3f02-4cea-962d-1111111","SystemUserId":"N/A","Version":0,"Opcode":"0","Keywords":"0x8010000000000000","Correlation":"{1111111-201D-4B85-9BD0-1111111}","SystemProcessId":632,"SystemThreadId":676,"EventRecordId":"26004","_ItemId":"1111111-e932-11ef-933c-1111111","_Internal_WorkspaceResourceId":"/subscriptions/1111111-1c76-41d7-8443-1111111/resourcegroups/amawintestrcgp/providers/microsoft.operationalinsights/workspaces/amawintestloganaws","Type":"SecurityEvent","TenantId":"1111111-3f02-4cea-962d-1111111","_ResourceId":"/subscriptions/1111111-1c76-41d7-8443-1111111/resourceGroups/AMAWINTESTRCGP/providers/Microsoft.Compute/virtualMachines/amawintestvm"}
- Application log sample
{"Computer":"amawintestvm","EventCategory":0,"EventData":"<DataItem Type=\"System.XmlData\" time=\"2025-02-13T04:46:19.119850200Z\" sourceHealthServiceId=\"1111111-a979-4eb8-99cb-1111111\"><EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><Data /><Data>0</Data><Data>WindowsUpdateFailure3</Data><Data>Not available</Data><Data>0</Data><Data>123.123.123.123</Data><Data>80240032</Data><Data>00000000-0000-0000-0000-000000000000</Data><Data>Scan</Data><Data>0</Data><Data>0</Data><Data>0</Data><Data>&lt;&lt;PROCESS&gt;&gt;: powershell.exe</Data><Data>{00000000-0000-0000-0000-000000000000}</Data><Data>0</Data><Data /><Data /><Data /><Data>0</Data><Data>1111111-e9c5-11ef-a811-1111111</Data><Data>262144</Data><Data /></EventData></DataItem>","EventID":1001,"EventLevel":4,"EventLevelName":"Information","EventLog":"Application","MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-1111111-3f02-4cea-962d-1111111","ParameterXml":"<Param></Param><Param>0</Param><Param>WindowsUpdateFailure3</Param><Param>Not available</Param><Param>0</Param><Param>10.0.14393.1111111</Param><Param>80240032</Param><Param>00000000-0000-0000-0000-000000000000</Param><Param>Scan</Param><Param>0</Param><Param>0</Param><Param>0</Param><Param>&lt;&lt;PROCESS&gt;&gt;: powershell.exe</Param><Param>{00000000-0000-0000-0000-000000000000}</Param><Param>0</Param><Param></Param><Param></Param><Param></Param><Param>0</Param><Param>123123-e9c5-11ef-123-123</Param><Param>262144</Param><Param></Param>","RenderedDescription":"Fault bucket , type 0 Event Name: WindowsUpdateFailure3 Response: Not available Cab Id: 0 Problem signature: P1: 10.0.14393.7330 P2: 80240032 P3: 00000000-0000-0000-0000-000000000000 P4: Scan P5: 0 P6: 0 P7: 0 P8: <<PROCESS>>: powershell.exe P9: {00000000-0000-0000-0000-000000000000} P10: 0 Attached files: These files may be available here: Analysis symbol: Rechecking for solution: 0 Report Id: 752be549-e9c5-11ef-a811-7c1e52166a41 Report Status: 262144 
Hashed bucket: ","Source":"Windows Error Reporting","SourceSystem":"OpsManager","TenantId":"123123-3f02-4cea-962d-123123","TimeGenerated":"2025-02-13T04:46:19.1198502Z","Type":"Event","UserName":"N/A","_ItemId":"1111111-e9c5-11ef-933b-1111111","_Internal_WorkspaceResourceId":"/subscriptions/1111111-1c76-41d7-8443-1111111/resourcegroups/amawintestrcgp/providers/microsoft.operationalinsights/workspaces/amawintestloganaws","_ResourceId":"/subscriptions/1111111-1c76-41d7-8443-1111111/resourceGroups/AMAWINTESTRCGP/providers/Microsoft.Compute/virtualMachines/amawintestvm"}
- System log sample
{"Computer":"amawintestvm","EventCategory":0,"EventData":"<DataItem Type=\"System.XmlData\" time=\"2025-02-13T04:23:12.558440300Z\" sourceHealthServiceId=\"1111111-a979-4eb8-99cb-1111111\"><EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><Data Name=\"param1\">Windows Defender Advanced Threat Protection Service</Data><Binary>530065006E00730065000000</Binary></EventData></DataItem>","EventID":7043,"EventLevel":2,"EventLevelName":"Error","EventLog":"System","MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-1111111-3f02-4cea-962d-1111111","ParameterXml":"<Param>Windows Defender Advanced Threat Protection Service</Param>","RenderedDescription":"The Windows Defender Advanced Threat Protection Service service did not shut down properly after receiving a preshutdown control.","Source":"Service Control Manager","SourceSystem":"OpsManager","TenantId":"1111111-3f02-4cea-962d-1111111","TimeGenerated":"2025-02-13T04:23:12.5584403Z","Type":"Event","UserName":"N/A","_ItemId":"1111111-e9c2-11ef-933c-1111111","_Internal_WorkspaceResourceId":"/subscriptions/1111111-1c76-41d7-8443-1111111/resourcegroups/amawintestrcgp/providers/microsoft.operationalinsights/workspaces/amawintestloganaws","_ResourceId":"/subscriptions/1111111-1c76-41d7-8443-1111111/resourceGroups/AMAWINTESTRCGP/providers/Microsoft.Compute/virtualMachines/amawintestvm"}
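Both Azure delivery paths above wrap the real Windows payload in a JSON record and carry the EventData as an XML string inside it: the Event Hubs record (event 5061) holds the whole <Event> in "RawXml", while the Sentinel SecurityEvent row (event 4957) holds only the <EventData> node, and the Application/System rows wrap it again in a <DataItem>. The following added example (not Microsoft, Sentinel or QRadar code) pulls the named <Data> fields out of either shape. The two trimmed records, the namespace prefix and the flattened output layout are this example's own assumptions.

```python
"""Extract EventData fields from Windows events delivered as JSON by Azure.

Added example for this page; not Microsoft, Sentinel or QRadar code. Both
records are trimmed from the page's own samples: an Event Hubs record
(event 5061) whose "RawXml" carries the whole <Event>, and a Sentinel
SecurityEvent row (event 4957) whose "EventData" carries only <EventData>.
The returned dict layout is this example's own choice.
"""
import json
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

EVENT_HUB_RECORD = (  # constructed: trimmed from the page's Event Hubs sample
    '{"time":"2019-05-07T17:53:30.0648172Z","category":"WindowsEventLogsTable",'
    '"properties":{"ProviderName":"Microsoft-Windows-Security-Auditing",'
    '"EventId":5061,"Channel":"Security","RawXml":"<Event xmlns=\'http://schemas.'
    'microsoft.com/win/2004/08/events/event\'><System><EventID>5061</EventID>'
    '<Channel>Security</Channel><Computer>computer_name</Computer></System>'
    '<EventData><Data Name=\'SubjectUserName\'>subject_user_name</Data>'
    '<Data Name=\'SubjectDomainName\'>WORKGROUP</Data>'
    '<Data Name=\'AlgorithmName\'>RSA</Data><Data Name=\'Operation\'>%%2480</Data>'
    '<Data Name=\'ReturnCode\'>0x0</Data></EventData></Event>"}}'
)
SENTINEL_RECORD = (  # constructed: trimmed from the page's Sentinel SecurityEvent sample
    '{"TimeGenerated":"2025-02-12T11:13:35.1159672Z","Computer":"amawintestvm",'
    '"EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security",'
    '"EventData":"<EventData xmlns=\\"http://schemas.microsoft.com/win/2004/08/events/event\\">'
    '<Data Name=\\"RuleId\\">CoreNet-IPHTTPS-In</Data>'
    '<Data Name=\\"RuleName\\">Core Networking - IPHTTPS (TCP-In)</Data>'
    '<Data Name=\\"RuleAttr\\">Local Port</Data></EventData>",'
    '"EventID":4957,"Type":"SecurityEvent"}'
)


def event_data(xml_text):
    """Map the <Data> children of <EventData> to a dict.

    Accepts a whole <Event>, a bare <EventData>, or the <DataItem> wrapper seen
    in the Application and System samples. <Data> elements without a Name
    attribute (the Windows Error Reporting sample) are keyed param0, param1, ...
    """
    root = ET.fromstring(xml_text)
    node = root if root.tag.endswith("}EventData") else root.find(".//e:EventData", NS)
    if node is None:
        return {}
    fields = {}
    for index, data in enumerate(node.findall("e:Data", NS)):
        fields[data.get("Name") or f"param{index}"] = data.text or ""
    return fields


def normalise(record_json):
    """Flatten either Azure record shape into {event_id, channel, computer, data}."""
    record = json.loads(record_json)
    if "properties" in record:  # Event Hubs (Azure diagnostics) shape
        props = record["properties"]
        computer = ET.fromstring(props["RawXml"]).findtext("e:System/e:Computer", namespaces=NS)
        return {"event_id": int(props["EventId"]), "channel": props["Channel"],
                "computer": computer, "data": event_data(props["RawXml"])}
    # Sentinel SecurityEvent / Event table row
    return {"event_id": int(record["EventID"]), "channel": record["Channel"],
            "computer": record["Computer"], "data": event_data(record["EventData"])}


if __name__ == "__main__":
    print(normalise(EVENT_HUB_RECORD))
    print(normalise(SENTINEL_RECORD))
```

The XML must be parsed with the Windows event namespace in the lookup; a plain `find("EventData")` returns nothing on these records because every element carries the `schemas.microsoft.com/win/2004/08/events/event` namespace.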
Microsoft Windows Security Event Log sample messages when you use a Graylog server to collect Syslog in CEF format
The following sample has an event ID of 4690 that shows an attempt was made to duplicate a handle to an object.
<14>CEF:0|Graylog|graylog-output-syslog:cefsender|2.3.1|log:1|111-1111-111-11-1111|3|Task=11111 Keywords=-9214364837600034816 Category=Handle Manipulation EventType=AUDIT_SUCCESS gl2_remote_ip=10.10.1.4 gl2_remote_port=49687 SourceProcessId=xxxx Opcode=Info source=SBE-1111 gl2_source_input=bbb1111111 SeverityValue=2 Version=0 SubjectDomainName=WORKGROUP gl2_source_node=111-1111-111-11-1111 ProcessID=4 SourceHandleId=xxxx timestamp=2024-12-06T13:12:35.000Z OpcodeValue=0 SourceModuleType=im_msvistalog level=6 Channel=Security gl2_message_id=111111 SourceName=Microsoft-Windows-Security-Auditing Severity=INFO SubjectLogonId=xxxx EventReceivedTime=2024-12-06 14:12:36 PlantID=1111 SourceModuleName=eventlog ProviderGuid={111-1111-111-11-1111} SubjectUserName=SBE-1111$ TargetProcessId=0x4 ThreadID=1111 TargetHandleId=0x1b58 EventID=4690 _id=111-1111-111-11-1111 RecordNumber=79577829 SubjectUserSid=S-1-5-18 start=1733490755000 msg=An attempt was made to duplicate a handle to an object. Requester: Security ID: S-1-5-18 Account Name: SBE-1111$ Account Domain: WORKGROUP Logon ID: xxxxx Source Handle Information: Source Handle ID: 0x1e4 Source Process ID: 0xeb0 New Handle Information: Target Handle ID: xxxxx Target Process ID: 0x4 externalId=111-1111-111-11-1111
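The LEEF sample (event 8194), the CEF Service Control Manager sample (event 7036) and the Graylog CEF sample above (event 4690) all use a pipe-delimited header followed by key=value data, but they differ in two ways a parser must handle: CEF extension values may contain spaces (msg=..., cs3=Service Control Manager), whereas LEEF 1.0 attributes are tab-delimited (rendered as "<tab>" on this page), and the Windows event ID is carried in different places (the LEEF header, the CEF externalId, or a Graylog EventID extension field). The following added example (not ArcSight, Graylog or QRadar code) parses all three; the trimmed sample strings, the header field names and the lookup order in windows_event_id are this example's own assumptions, and LEEF 2.0 custom delimiters are out of scope.

```python
"""Parse the CEF and LEEF envelopes used by the Windows samples on this page.

Added example; not ArcSight, Graylog or QRadar code. The three inputs are
trimmed from the page's own samples. Only LEEF 1.0 (tab-delimited attributes)
is handled; LEEF 2.0 may declare its own delimiter in the header.
"""
import re

# Header fields are '|'-delimited; a literal pipe in a header field is escaped
# as '\|', so split only on unescaped pipes.
HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# A CEF extension value runs until the next " key=" token, so values with
# spaces survive. Keys may be dotted or indexed (ad.Key[0]) in ArcSight output.
CEF_KV = re.compile(r"([A-Za-z0-9_.\[\]]+)=(.*?)(?=\s+[A-Za-z0-9_.\[\]]+=|$)", re.S)
CEF_HEADER = ("version", "vendor", "product", "device_version",
              "signature_id", "name", "severity")
LEEF_HEADER = ("version", "vendor", "product", "device_version", "event_id")

LEEF_SAMPLE = (  # constructed: trimmed from the page's LEEF 8194 sample
    "<131>Apr 04 10:03:18 microsoft.windows.test LEEF:1.0|Microsoft|Windows|2k8r2|8194|"
    "devTime=2019-04-04T10:03:18GMT+02:00<tab>devTimeFormat=yyyy-MM-dd'T'HH:mm:ssz<tab>"
    "cat=Error<tab>sev=2<tab>resource=microsoft.windows.test<tab>"
    "usrName=domain_name\\user_name<tab>application=Group Policy Registry<tab>"
    "message=domain_name\\user_name: Application Group Policy Registry: [Error] "
    "The client-side extension could not apply computer policy settings (EventID 8194)"
)
SCM_CEF_SAMPLE = (  # constructed: trimmed from the page's CEF 7036 sample
    "CEF:0|Microsoft|Microsoft Windows||Service Control Manager:7036|"
    "Service entered the stopped state|Low| eventId=132 externalId=7036 "
    "categoryOutcome=/Success cat=System deviceSeverity=Information act=stopped "
    "rt=1358379018000 destinationServiceName=Portable Device Enumerator Service "
    "cs2=0 cs3=Service Control Manager cs2Label=EventlogCategory cs3Label=EventSource "
    "ahost=192.168.0.31 dvchost=host.domain.test "
    "ad.Key[0]=Portable Device Enumerator Service ad.Key[1]=stopped"
)
GRAYLOG_CEF_SAMPLE = (  # constructed: trimmed from the page's Graylog 4690 sample
    "<14>CEF:0|Graylog|graylog-output-syslog:cefsender|2.3.1|log:1|"
    "111-1111-111-11-1111|3|Task=11111 Category=Handle Manipulation "
    "EventType=AUDIT_SUCCESS gl2_remote_ip=10.10.1.4 Channel=Security "
    "SourceName=Microsoft-Windows-Security-Auditing SubjectUserName=SBE-1111$ "
    "EventID=4690 SubjectUserSid=S-1-5-18 msg=An attempt was made to duplicate "
    "a handle to an object. Requester: Security ID: S-1-5-18 Account Name: "
    "SBE-1111$ Account Domain: WORKGROUP Source Handle ID: 0x1e4 "
    "Source Process ID: 0xeb0 Target Handle ID: 0x1b58 Target Process ID: 0x4 "
    "externalId=111-1111-111-11-1111"
)


def _unescape(value):
    # CEF: '\=', '\\' and '\|' stand for the literal character; '\n' and '\r' for newlines.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Return (header dict, extension dict); a syslog prefix before 'CEF:' is ignored."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header")
    parts = HEADER_SPLIT.split(line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(CEF_HEADER, parts[:7]))
    header["version"] = header["version"][len("CEF:"):]
    extension = {k: _unescape(v) for k, v in CEF_KV.findall(parts[7].strip())}
    return header, extension


def parse_leef(line):
    """Return (header dict, attribute dict) for LEEF 1.0; '<tab>' is accepted as a tab."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header")
    parts = HEADER_SPLIT.split(line[start:], maxsplit=5)
    if len(parts) != 6:
        raise ValueError("malformed LEEF header")
    header = dict(zip(LEEF_HEADER, parts[:5]))
    header["version"] = header["version"][len("LEEF:"):]
    attributes = {}
    for chunk in re.split(r"<tab>|\t", parts[5]):
        key, _, value = chunk.partition("=")  # the message value may contain '='
        if key:
            attributes[key] = value
    return header, attributes


def windows_event_id(header, fields):
    """Best-effort Windows event ID: forwarders disagree about where they put it."""
    candidates = (fields.get("EventID"), fields.get("externalId"), header.get("event_id"),
                  header.get("signature_id", "").rsplit(":", 1)[-1])
    for value in candidates:
        if value and value.isdigit():
            return int(value)
    return None
```

The lookup order in windows_event_id matters: the ArcSight-style sample carries its own internal `eventId=132` next to the Windows `externalId=7036`, and the Graylog sample reuses `externalId` for a message GUID, so neither field can be trusted on its own.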