On Mon, Feb 20, 2017 at 6:09 AM, InfoSec <gjahc...@compucenter.org> wrote:
> The event is from a Windows 10 system.
>
> I have turned on logall. I am having a hard time regenerating event ID 5140;
> however, I have spotted several other event types where the XML field labels
> are NOT logged by OSSEC.
>
> In addition, in the specific example below, the order of the last two fields
> is inverted.
>
> As presented by OSSEC, these event types (and several others) are just a
> sequence of field content *without* field names. Without viewing the
> original event in Windows Event Viewer, it is difficult to make head or tail
> of the content of such events.
>
> Event 4703 is filtered by the rules I have in place; below is a sanitized
> capture of one event from the archives log.
>
> Example event 4703 from archives log:
> 2017 Feb 20 10:19:04 (AgentName) 192.168.X.Y->WinEvtLog 2017 Feb 20 12:19:00
> WinEvtLog: Security: AUDIT_SUCCESS(4703):
> Microsoft-Windows-Security-Auditing: (no user): no domain: Hostname:
> S-1-5-18 HOSTNAME$ DOMAIN 0x3e7 S-1-5-18 HOSTNAME$ DOMAIN 0x3e7 C:\Program
> Files (x86)\OSSEC-Agent\ossec-agent.exe 0x6d0 SeSecurityPrivilege -
>

I don't understand. What information in the above log message are you
expecting to be extracted?

> Sanitized Text view in Event Viewer
>
> A user right was adjusted. <--- Not reported by Windows in XML
>
> Subject:
> Security ID: SYSTEM
> Account Name: HOSTNAME$
> Account Domain: DOMAIN
> Logon ID: 0x3E7
>
> Target Account:
> Security ID: SYSTEM
> Account Name: HOSTNAME$
> Account Domain: DOMAIN
> Logon ID: 0x3E7
>
> Process Information:
> Process ID: 0x6d0
> Process Name: C:\Program Files (x86)\OSSEC-Agent\ossec-agent.exe
>
> Enabled Privileges:
> -
>
> Disabled Privileges:
> SeSecurityPrivilege
>
> And the XML Event Data:
> <EventData>
>   <Data Name="SubjectUserSid">S-1-5-18</Data>
>   <Data Name="SubjectUserName">HOSTNAME$</Data>
>   <Data Name="SubjectDomainName">DOMAIN</Data>
>   <Data Name="SubjectLogonId">0x3e7</Data>
>   <Data Name="TargetUserSid">S-1-5-18</Data>
>   <Data Name="TargetUserName">HOSTNAME$</Data>
>   <Data Name="TargetDomainName">DOMAIN</Data>
>   <Data Name="TargetLogonId">0x3e7</Data>
>   <Data Name="ProcessName">C:\Program Files (x86)\OSSEC-Agent\ossec-agent.exe</Data>
>   <Data Name="ProcessId">0x6d0</Data>
>   <Data Name="EnabledPrivilegeList">-</Data>
>   <Data Name="DisabledPrivilegeList">SeSecurityPrivilege</Data>
> </EventData>
>
>
> The labels in Windows AppLocker events are missing, in addition to certain
> fields not being logged at all.
>
> Event in OSSEC:
> 2017 Feb 20 12:59:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL:
> INFORMATION(8002): Microsoft-Windows-AppLocker: Username: HOSTNAME:
> Hostname: %SYSTEM32%\NOTEPAD.EXE was allowed to run.
>
> Similar event in Event Viewer:
> Log Name: Microsoft-Windows-AppLocker/EXE and DLL
> Source: Microsoft-Windows-AppLocker
> Date: 2017-02-20 12:59:32
> Event ID: 8002
> Task Category: None
> Level: Information
> Keywords:
> User: HOSTNAME\Username
> Computer: Hostname
> Description: %SYSTEM32%\NOTEPAD.EXE was allowed to run.
>
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>   <System>
>     <Provider Name="Microsoft-Windows-AppLocker" Guid="{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}" />
>     <EventID>8002</EventID>
>     <Version>0</Version>
>     <Level>4</Level>
>     <Task>0</Task>
>     <Opcode>0</Opcode>
>     <Keywords>0x8000000000000000</Keywords>
>     <TimeCreated SystemTime="2017-02-20T10:59:32.601746800Z" />
>     <EventRecordID>628604</EventRecordID>
>     <Correlation />
>     <Execution ProcessID="12408" ThreadID="6736" />
>     <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
>     <Computer>Hostname</Computer>
>     <Security UserID="S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX" />
>   </System>
>   <UserData>
>     <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
>       <PolicyName>EXE</PolicyName>
>       <RuleId>{68A289F7-223A-46C9-A2B2-A7C6F18046DE}</RuleId>
>       <RuleName>Program Files (x86): MICROSOFT® WINDOWS® OPERATING SYSTEM signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</RuleName>
>       <RuleSddl>D:(XA;;FX;;;S-1-5-11;((Exists APPID://FQBN) &amp;&amp; ((APPID://FQBN) &gt;= ({"O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\*",2814749767106560}))))</RuleSddl>
>       <TargetUser>S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX</TargetUser>
>       <TargetProcessId>7820</TargetProcessId>
>       <FilePath>%SYSTEM32%\NOTEPAD.EXE</FilePath>
>       <FileHash>D7AE8D9D859B4F6DC703E2005CC10E836CCFFC38C4DB97C3C9DEF101D722E417</FileHash>
>       <Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\NOTEPAD.EXE\10.0.10240.16425</Fqbn>
>       <TargetLogonId>0x28f2bf</TargetLogonId>
>     </RuleAndFileData>
>   </UserData>
> </Event>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

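The 4703 archive line and its EventData XML quoted above, as an added example (not code from the thread or from OSSEC itself): a small Python parser that re-attaches the Data Name labels to OSSEC's positional output, treats everything between the eight leading identity fields and the three trailing fields as ProcessName (so a path with spaces survives the split), and reports where OSSEC's order differs from the Event Viewer XML order. The sample strings are constructed copies of the sanitized values posted, and the OSSEC field order it assumes is the one observed in that single event.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copies of the sanitized event 4703 views quoted in the thread.
OSSEC_LINE = ("2017 Feb 20 10:19:04 (AgentName) 192.168.X.Y->WinEvtLog 2017 Feb 20 12:19:00 "
              "WinEvtLog: Security: AUDIT_SUCCESS(4703): Microsoft-Windows-Security-Auditing: "
              "(no user): no domain: Hostname: S-1-5-18 HOSTNAME$ DOMAIN 0x3e7 S-1-5-18 "
              "HOSTNAME$ DOMAIN 0x3e7 C:\\Program Files (x86)\\OSSEC-Agent\\ossec-agent.exe "
              "0x6d0 SeSecurityPrivilege -")
EVENT_XML = r"""<EventData>
  <Data Name="SubjectUserSid">S-1-5-18</Data>
  <Data Name="SubjectUserName">HOSTNAME$</Data>
  <Data Name="SubjectDomainName">DOMAIN</Data>
  <Data Name="SubjectLogonId">0x3e7</Data>
  <Data Name="TargetUserSid">S-1-5-18</Data>
  <Data Name="TargetUserName">HOSTNAME$</Data>
  <Data Name="TargetDomainName">DOMAIN</Data>
  <Data Name="TargetLogonId">0x3e7</Data>
  <Data Name="ProcessName">C:\Program Files (x86)\OSSEC-Agent\ossec-agent.exe</Data>
  <Data Name="ProcessId">0x6d0</Data>
  <Data Name="EnabledPrivilegeList">-</Data>
  <Data Name="DisabledPrivilegeList">SeSecurityPrivilege</Data>
</EventData>"""
# OSSEC's observed order (assumed from this one event): XML order, privilege lists swapped.
HEAD = ["SubjectUserSid", "SubjectUserName", "SubjectDomainName", "SubjectLogonId",
        "TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId"]
TAIL = ["ProcessId", "DisabledPrivilegeList", "EnabledPrivilegeList"]
OSSEC_ORDER = HEAD + ["ProcessName"] + TAIL
# Matches "(<id>): <provider>: <user>: <domain>: <host>: <unlabelled values>".
REST_RE = re.compile(r"\((\d+)\): [^:]+: [^:]+: [^:]+: [^:]+: (.*)$")

def parse_4703(line):
    m = REST_RE.search(line)
    if not m or m.group(1) != "4703":
        return None
    tokens = m.group(2).split(" ")
    if len(tokens) < len(HEAD) + len(TAIL) + 1:
        return None
    fields = dict(zip(HEAD, tokens[:len(HEAD)]))
    # ProcessName may contain spaces, so it is everything between the fixed head and tail.
    fields["ProcessName"] = " ".join(tokens[len(HEAD):-len(TAIL)])
    fields.update(zip(TAIL, tokens[-len(TAIL):]))
    return fields

def xml_fields(xml_text):
    # Name -> value from the Event Viewer EventData block, in document order.
    return {d.get("Name"): d.text or "" for d in ET.fromstring(xml_text).iter("Data")}

def order_differences(xml_text):
    # Positions where OSSEC's field order disagrees with the Event Viewer XML order.
    pairs = zip(list(xml_fields(xml_text)), OSSEC_ORDER)
    return [(i, x, o) for i, (x, o) in enumerate(pairs) if x != o]
```

With the sample event, parse_4703 reproduces every value from the XML, and order_differences reports only positions 10 and 11, which is the privilege-list inversion described in the thread.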