The events are sanitized.
*XML in Windows Event Viewer*:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5140</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12808</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2017-02-15T07:43:12.062985000Z" />
    <EventRecordID>2076547748</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="13920" />
    <Channel>Security</Channel>
    <Computer>Desktop</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX</Data>
    <Data Name="SubjectUserName">UserName</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0xXXXXXX</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="IpAddress">::1</Data>
    <Data Name="IpPort">9723</Data>
    <Data Name="ShareName">\\*\IPC$</Data>
    <Data Name="ShareLocalPath" />
    <Data Name="AccessMask">0x1</Data>
    <Data Name="AccessList">%%4416</Data>
  </EventData>
</Event>
*Event in Text Format (from Windows Event Viewer)*:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2017-02-15 09:43:12
Event ID:      5140
Task Category: File Share
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      Desktop
Description:
A network share object was accessed.

Subject:
    Security ID:     DOMAIN\UserName
    Account Name:    UserName
    Account Domain:  DOMAIN
    Logon ID:        0xXXXXXX

Network Information:
    Object Type:     File
    Source Address:  ::1
    Source Port:     9723

Share Information:
    Share Name:      \\*\IPC$
    Share Path:

Access Request Information:
    Access Mask:     0x1
    Accesses:        ReadData (or ListDirectory)
*OSSEC Log Event (in json format)*:
{
  "rule": {
    "level": 1,
    "comment": "Windows - A network share object was accessed.",
    "sidid": 182047,
    "firedtimes": 3,
    "groups": ["win_audit"],
    "PCI_DSS": ["10.6.1"]
  },
  "dstuser": "(no user)",
  "full_log": "2017 Feb 15 09:43:12 WinEvtLog: Security: AUDIT_SUCCESS(5140): Microsoft-Windows-Security-Auditing: (no user): no domain: Desktop: A network share object was accessed. Subject: Security ID: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX Account Name: GJahchan Account Domain: DESKTOP Logon ID: 0xXXXXXX Network Information: Source Address: File Source Port: ::1 Share Name: 9723",
  "id": "5140",
  "status": "AUDIT_SUCCESS",
  "data": "Microsoft-Windows-Security-Auditing",
  "systemname": "Desktop",
  "decoder": {"name": "windows"},
  "hostname": "Win10EntDsktp",
  "agentip": "XXX.XXX.XX.X",
  "timestamp": "2017 Feb 15 07:43:12",
  "location": "WinEvtLog"
}
*OSSEC Log Event (in multi-line log format)*:
2017 Feb 15 09:43:12 WinEvtLog: Security: AUDIT_SUCCESS(5140):
Microsoft-Windows-Security-Auditing: (no user): no domain: Desktop: A
network share object was accessed. Subject: Security ID:
S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX Account Name: UserName
Account Domain: DOMAIN Logon ID: 0xXXXXXX Network Information:
Source Address: File Source Port: ::1 Share Name: 9723
*Corresponding Custom Rule*:
<rule id="182047" level="1">
  <if_sid>18104</if_sid>
  <id>^5140$</id>
  <description>Windows - A network share object was accessed.</description>
  <group>pci_dss_10.6.1,</group>
</rule>
*Issues*:
The Source Address field is skipped, the Source Port is filled with the
Source Address, and the Share Name is filled with the Source Port.
The Share Name, Access Mask and Accesses fields are missing.
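As an added check (not from the post and not OSSEC code), the script below compares the EventData values of the 5140 event with the "Label: value" pairs OSSEC emitted in full_log, and reports every field the decoder shifted or dropped. The label names are those of Event Viewer's text rendering shown above; the event XML and log line are constructed from the sanitized samples in the post.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample: the EventData of the sanitized 5140 event quoted in the post.
EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<EventData>
<Data Name="SubjectUserName">UserName</Data>
<Data Name="SubjectDomainName">DOMAIN</Data>
<Data Name="SubjectLogonId">0xXXXXXX</Data>
<Data Name="ObjectType">File</Data>
<Data Name="IpAddress">::1</Data>
<Data Name="IpPort">9723</Data>
<Data Name="ShareName">\\*\IPC$</Data>
<Data Name="AccessMask">0x1</Data>
<Data Name="AccessList">%%4416</Data>
</EventData></Event>"""
# Constructed sample: OSSEC's rendering of the same event (the post's full_log), on one line.
OSSEC_LOG = ("2017 Feb 15 09:43:12 WinEvtLog: Security: AUDIT_SUCCESS(5140): "
             "Microsoft-Windows-Security-Auditing: (no user): no domain: Desktop: "
             "A network share object was accessed. Subject: Account Name: UserName "
             "Account Domain: DOMAIN Logon ID: 0xXXXXXX Network Information: "
             "Source Address: File Source Port: ::1 Share Name: 9723")
# Event Viewer text label for each EventData name; OSSEC's full_log uses the same labels.
LABEL_FOR = {"SubjectUserName": "Account Name", "SubjectDomainName": "Account Domain",
             "SubjectLogonId": "Logon ID", "ObjectType": "Object Type",
             "IpAddress": "Source Address", "IpPort": "Source Port",
             "ShareName": "Share Name", "AccessMask": "Access Mask", "AccessList": "Accesses"}
SECTIONS = ["Subject", "Network Information", "Share Information", "Access Request Information"]
_alt = lambda names: "|".join(map(re.escape, names))
# "Label: value", where the value runs until the next label or section header, or end of line.
FIELD_RE = re.compile(rf"({_alt(LABEL_FOR.values())}):\s*(.*?)\s*"
                      rf"(?=(?:{_alt(SECTIONS + list(LABEL_FOR.values()))}):|$)")

def fields_from_xml(xml_text):
    """{text label: value} taken from the event's EventData elements."""
    root = ET.fromstring(xml_text)
    return {LABEL_FOR[d.get("Name")]: (d.text or "")
            for d in root.iter() if d.tag.endswith("}Data") and d.get("Name") in LABEL_FOR}

def fields_from_ossec(log_line):
    """{text label: value} as OSSEC actually rendered them."""
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(log_line)}

def decoder_mismatches(xml_text, log_line):
    """Labels whose OSSEC value differs from the source event (None = dropped by the decoder)."""
    want, got = fields_from_xml(xml_text), fields_from_ossec(log_line)
    return {k: (v, got.get(k)) for k, v in want.items() if got.get(k) != v}

if __name__ == "__main__":
    for label, (expected, actual) in decoder_mismatches(EVENT_XML, OSSEC_LOG).items():
        print(f"{label}: event={expected!r} ossec={actual!r}")
```

Running it on the post's data lists Object Type, Access Mask and Accesses as dropped, and Source Address, Source Port and Share Name each carrying the neighbouring field's value, which is exactly the shift described under Issues.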