# Windows Event

## About
The Event Viewer is a Microsoft Management Console (MMC) snap-in that enables you to browse and manage event logs. It is an indispensable tool for monitoring the health of systems and troubleshooting issues when they arise. For the latest information about Event Viewer, see Event Viewer online.
Event Viewer enables you to perform the following tasks:
- View events from multiple event logs
- Save useful event filters as custom views that can be reused
- Schedule a task to run in response to an event
- Create and manage event subscriptions
## Product Details

- Vendor URL: Windows Event
- Product Type: OS
- Product Tier: Tier III
- Integration Method: Syslog
- Integration URL: Windows Event - Cyderes Documentation
- Log Guide: Sample Logs by Log Type
## Parser Details

- Log Format: JSON and Syslog
- Expected Normalization Rate: 80-90%
- Data Label: WINEVTLOG

UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| AccessMask | security_result.about.resource.name |
| AccessList | security_result.rule_id |
| Account | principal.user.userid |
| AccountDomain | target.administrative_domain |
| AccountName | principal.user.role_name |
| AccountName | principal.user.user_display_name |
| AccountName | principal.user.userid |
| AccountName | target.user.user_display_name |
| AccountName | target.user.userid |
| AccountToReset | target.user.id |
| AccountToReset | target.user.userid |
| AccountType | principal.user.role_description |
| Action | about.labels.value |
| ad_EventRecordID | metadata.product_log_id |
| ad_properties | security_result.detection_fields.value.string_value |
| AdditionalInfo | security_result.description |
| Application | principal.application |
| appname | observer.application |
| Arguments | about.process.command_line |
| AttributeLDAPDisplayName | target.resource.name |
| AttributeLDAPDisplayName | target.resource.type |
| attribute_value | target.user.userid |
| attribute_value | target.resource.name |
| AttributeValue | security_result.rule_labels |
| audit.info.process.name | principal.process.file.full_path |
| audit.target.username | target.user.userid |
| AuthenticationPackage | principal.application |
| AuthenticationPackageName | principal.application |
| AuthenticationPackageName | security_result.about.resource.name |
| AuthenticationSetId | target.resource.id |
| AuthenticationSetName | target.resource.name |
| CallerComputerName | principal.hostname |
| CallerProcessName | principal.process.file.full_path |
| CalloutKey | about.labels.value |
| CalloutName | about.labels.value |
| cat | metadata.description |
| Category | metadata.description |
| ChangeType | about.labels.value |
| Channel | security_result.summary |
| ClassName | target.resource.resource_subtype |
| client_ip | principal.ip |
| ClientUserName | target.user.userid |
| CloudAvailabilityZone | principal.cloud.availability_zone |
| Command | about.process.command_line |
| CommandLine | principal.process.command_line |
| CommandName | target.application |
| complete_username | principal.user.userid |
| Computer | principal.hostname |
| Computer | target.resource.type |
| Computer: DocumentPrinted.Param4 | target.asset.asset_id |
| Conditions | about.labels.value |
| ConnectionSecurityRuleId | target.resource.id |
| ConnectionSecurityRuleName | target.resource.name |
| CryptographicSetId | target.resource.id |
| CryptographicSetName | target.resource.name |
| Data_1 | principal.ip |
| Data_2 | target.url |
| Data1 | target.user.userid |
| Data2 | target.user.user_display_name |
| database_name | target.hostname |
| DestAddress | target.ip |
| DestMACAddress | target.mac |
| DestPort | target.port |
| DEVICE | principal.resource.type |
| DeviceDescription | target.resource.name |
| deviceNtDomain | principal.administrative_domain |
| DfsNamespace | target.resource.name |
| Direction | network.direction |
| dntdom | target.administrative_domain |
| DocumentPrinted.Param3 | target.user.user_display_name |
| DocumentPrinted.Param5 | target.resource.name |
| DocumentPrinted.Param7 | target.file.size |
| Domain | principal.administrative_domain |
| Domain | target.administrative_domain |
| domain | target.administrative_domain |
| DomainName | target.administrative_domain |
| dproc | target.process.file.full_path |
| dst | target.ip |
| duid | about.labels.value |
| dvc | principal.ip |
| dvchost | principal.hostname |
| event_params.HostApplication | target.file.full_path |
| event_params.UserId | principal.user.userid |
| event_type | observer.application |
| EventCode | metadata.product_event_type |
| EventID | metadata.product_event_type |
| EventIDCode | metadata.product_event_type |
| EventType | security_result.summary |
| ExecutionProcessId | principal.process.pid |
| ExecutionProcessID | target.process.pid |
| file_full_path | target.process.file.full_path |
| filename | target.file.full_path |
| filePath | target.file.full_path |
| FilterId | target.resource.id |
| FilterId | security_result.rule_id |
| FilterKey | about.labels.value |
| FilterName | target.resource.name |
| FilterRTID | security_result.rule_id |
| FilterType | about.labels.value |
| GroupMembership | target.user.group_identifiers |
| GroupName | target.group.group_display_name |
| HiveName | target.registry.registry_key |
| host | principal.hostname |
| host.name | principal.hostname |
| HostApplication | target.file.full_path |
| HostApplication | target.process.command_line |
| Hostname | observer.hostname |
| Hostname | principal.hostname |
| Hostname | target.hostname |
| ImagePath | target.process.file.full_path |
| IpAddress | principal.ip |
| IpAddress | target.ip |
| IpPort | principal.port |
| IpPort | target.port |
| KeyFilePath | target.file.full_path |
| KeyLength | extensions.auth.auth_details |
| KeyName | target.resource.name |
| KeyTypeContainer | target.resource.type |
| LayerId | about.labels.value |
| LayerKey | about.labels.value |
| LayerName | about.labels.value |
| LayerRTID | about.labels.value |
| LoadPluginFailed.PluginDllName | target.resource.name |
| LogFileCleared.SubjectUserName | target.user.userid |
| LogFileCleared.SubjectUserSid | target.user.windows_sid |
| LogonID | target.user.userid |
| LogonProcessName | target.process.file.full_path |
| LogonType | extensions.auth.auth_details |
| LogonType | extensions.auth.mechanism |
| MappedName | about.labels.value |
| MappingBy | about.labels.value |
| MemberName | target.user.userid |
| MemberSid | target.user.windows_sid |
| Message | security_result.description |
| Message | metadata.description |
| Microsoft | metadata.vendor_name |
| Namespace | target.file.full_path |
| namespace | target.resource.type |
| NewProcessId | target.process.pid |
| NewProcessName | principal.process.file.full_path |
| NewProcessName | target.process.file.full_path |
| NewSd | target.file.full_path |
| NewTargetUserName | target.user.userid |
| NewUacValue | target.resource.attribute.labels |
| NewValue | target.registry.registry_value_data |
| NULL | principal.user.userid |
| object_name | target.group.group_display_name |
| ObjectClass | target.resource.type |
| ObjectGUID | target.group.product_object_id |
| ObjectGUID | target.resource.id |
| ObjectName | target.file.full_path |
| ObjectName | target.process.file.full_path |
| ObjectName | target.registry.registry_key |
| ObjectName | target.resource.name |
| ObjectServer | target.resource.name |
| ObjectType | target.resource_type |
| ObjectValueName | target.registry.registry_value_name |
| OldSd | src.file.full_path |
| OldTargetUserName | src.user.userid |
| OldUacValue | principal.resource.attribute.labels |
| Operation | metadata.description |
| Operation | security_result.description |
| OperationType | metadata.description |
| OriginatingComputer | principal.hostname |
| OriginatingComputer | principal.ip |
| OSPatch | principal.platform_patch_level |
| OSVersion | principal.platform_version |
| param1 | principal.resource.name |
| param1 | target.file.full_path |
| param3 | principal.resource.name |
| parsed_message | security_result.summary |
| ParentProcessName | principal.process.file.full_path |
| Payload | target.process.file.full_path |
| PrinterCreated.Param1 | target.resource.name |
| PrivilegeList | security_result.about.resource.name |
| ProcessId | principal.process.pid |
| ProcessId | target.process.pid |
| ProcessName | principal.process.command_line |
| ProcessName | principal.process.file.full_path |
| ProcessName | target.process.file.full_path |
| ProcessPath | target.process.file.full_path |
| ProfileChanged | target.group.group_display_name |
| Properties | target.resource.id |
| Protocol | network.ip_protocol |
| ProviderGuid | metadata.product_log_id |
| ProviderKey | about.labels.value |
| ProviderName | about.labels.value |
| provider_name | target.resource.name |
| ProxyPolicyName | security_result.rule_id |
| Reason | security_result.summary |
| RecordNumber | observer.asset.product_object_id |
| RestrictedAdminMode | additional.fields.value.string_value |
| records.0.TenantId | metadata.product_deployment_id |
| RelativeTargetName | target.file.full_path |
| RemoteMachineID | target.hostname |
| RuleAttr | security_result.summary |
| RuleId | security_result.rule_id |
| RuleId | target.resource.id |
| RuleName | security_result.rule_name |
| RuleName | target.resource.name |
| SChannelName | extensions.auth.auth_details |
| SChannelType | additional.fields.value.string_value |
| ScriptName | target.file.full_path |
| SecurityID | principal.user.windows_sid |
| SecurityPackageName | target.file.full_path |
| SERVICE | principal.resource.type |
| ServiceFileName | target.process.file.full_path |
| ServiceName | about.labels.value |
| ServiceName | principal.application |
| ServiceName | target.process.command_line |
| ServiceName | target.resource.name |
| ServicePrincipalNames | security_result.about.application |
| ServiceSid | target.group.windows_sid |
| ServiceType | target.application |
| SettingType | target.resource.name |
| Severity | security_result.severity |
| ShareLocalPath | target.file.full_path |
| ShareLocalPath RelativeTargetName | target.file.full_path |
| ShareName | target.file.full_path |
| ShareName | target.resource.name |
| ShareName RelativeTargetName | target.file.full_path |
| SourceAddress | principal.ip |
| SourceHandleId | about.labels.key |
| SourceModuleName | metadata.description |
| SourceModuleType | observer.hostname |
| SourceName | observer.application |
| SourceName | principal.application |
| SourceName | target.application |
| SourcePort | principal.port |
| SourceProcessId | src.process.pid |
| Status | metadata.description |
| Status - reason | security_result.description |
| SubjectDomainName | principal.administrative_domain |
| SubjectDomainName | target.administrative_domain |
| SubjectLogonId | about.labels.value |
| SubjectUserName | principal.hostname |
| SubjectUserName | principal.user.user_display_name |
| SubjectUserName | principal.user.userid |
| SubjectUserName | target.user.userid |
| SubjectUserSid | principal.user.windows_sid |
| SubjectUserSid | target.user.windows_sid |
| SubscriptionManagerAddress | target.url |
| syslog_host | observer.hostname |
| syslog_host | principal.hostname |
| Target | target.administrative_domain |
| TargetDomainName | target.administrative_domain |
| TargetHandleId | about.labels.key |
| TargetOutboundDomainName | additional.fields.value.string_value |
| TargetOutboundUserName | additional.fields.value.string_value |
| TargetProcessId | target.process.pid |
| TargetSid | target.group.windows_sid |
| TargetSid | target.resource.id |
| TargetSid | target.user.windows_sid |
| TargetUserName | target.group.group_display_name |
| TargetUserName | target.resource.name |
| TargetUserName | target.user.email_addresses |
| TargetUserName | target.user.group_identifiers |
| TargetUserName | target.user.user_display_name |
| TargetUserName | target.user.userid |
| TargetUserSid | target.user.windows_sid |
| TaskName | target.resource.name |
| ThreadID | principal.process.pid |
| TicketEncryptionType | about.resource.name |
| TicketOptions | about.labels.value |
| UserID | principal.user.userid |
| UserID | principal.user.windows_sid |
| UserID | target.user.userid |
| UserName | principal.user.userid |
| username | target.user.user_display_name |
| username | target.user.userid |
| UserName | target.user.userid |
| username | principal.user.userid |
| user_name | target.user.userid |
| UserSid | principal.user.windows_sid |
| Weight | about.labels.value |
| Windows | metadata.product_name |
| WINDOWS | principal.platform |
| winlog.event_data.ObjectClass | target.resource.type |
| winlog.event_data.ObjectGUID | target.group.product_object_id |
| winlog.event_data.ObjectGUID | target.resource.id |
| Workstation | principal.hostname |
| Workstation | target.hostname |
| WorkstationName | principal.hostname |
| WorkstationName | target.hostname |
## Product Event Types
| EventID, Category | UDM Event Classification |
|---|---|
| 16 | USER_RESOURCE_UPDATE_CONTENT |
| 104 | USER_RESOURCE_ACCESS |
| 517 | GENERIC_EVENT, USER_RESOURCE_UPDATE_CONTENT |
| 529 | USER_LOGIN |
| 600 | GENERIC_EVENT |
| 601 | GENERIC_EVENT, SERVICE_UNSPECIFIED |
| 800 | GENERIC_EVENT |
| 1100 | GENERIC_EVENT, SERVICE_STOP |
| 1102 | GENERIC_EVENT, SERVICE_STOP |
| 4103 | SERVICE_START |
| 4104 | SERVICE_START |
| 4622 | FILE_UNCATEGORIZED |
| 4624 | USER_LOGIN |
| 4625 | USER_LOGIN |
| 4627 | GROUP_UNCATEGORIZED |
| 4634 | USER_LOGOUT |
| 4648 | USER_LOGIN |
| 4656 | USER_RESOURCE_ACCESS |
| 4657 | REGISTRY_MODIFICATION |
| 4658 | USER_RESOURCE_ACCESS |
| 4660 | USER_RESOURCE_DELETION |
| 4661 | USER_RESOURCE_ACCESS |
| 4662 | USER_RESOURCE_ACCESS |
| 4663 | FILE_OPEN, REGISTRY_UNCATEGORIZED, PROCESS_OPEN, USER_RESOURCE_ACCESS |
| 4670 | FILE_MODIFICATION, REGISTRY_MODIFICATION, USER_RESOURCE_UPDATE_PERMISSIONS |
| 4672 | USER_LOGIN |
| 4673 | GENERIC_EVENT |
| 4674 | GENERIC_EVENT |
| 4688 | GENERIC_EVENT, PROCESS_LAUNCH |
| 4689 | GENERIC_EVENT, PROCESS_TERMINATION |
| 4690 | GENERIC_EVENT, PROCESS_UNCATEGORIZED |
| 4697 | GENERIC_EVENT, SERVICE_UNSPECIFIED |
| 4698 | SCHEDULED_TASK_CREATION |
| 4699 | SCHEDULED_TASK_DELETION |
| 4700 | SCHEDULED_TASK_ENABLE |
| 4701 | SCHEDULED_TASK_DISABLE |
| 4702 | SCHEDULED_TASK_MODIFICATION |
| 4715 | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| 4719 | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| 4720 | USER_CREATION |
| 4722 | USER_CHANGE_PERMISSIONS |
| 4723 | USER_CHANGE_PASSWORD |
| 4724 | USER_CHANGE_PASSWORD |
| 4725 | USER_CHANGE_PERMISSIONS |
| 4726 | USER_DELETION |
| 4728 | GROUP_MODIFICATION |
| 4729 | GROUP_MODIFICATION |
| 4732 | GROUP_MODIFICATION |
| 4733 | GROUP_MODIFICATION |
| 4734 | GROUP_DELETION |
| 4735 | GROUP_MODIFICATION |
| 4737 | GROUP_MODIFICATION |
| 4738 | USER_UNCATEGORIZED |
| 4740 | USER_UNCATEGORIZED |
| 4741 | USER_RESOURCE_CREATION |
| 4742 | USER_RESOURCE_UPDATE_CONTENT |
| 4750 | USER_RESOURCE_UPDATE_CONTENT |
| 4751 | USER_RESOURCE_UPDATE_CONTENT |
| 4752 | GROUP_MODIFICATION |
| 4755 | GROUP_MODIFICATION |
| 4756 | GROUP_MODIFICATION |
| 4757 | GROUP_MODIFICATION |
| 4765 | USER_RESOURCE_UPDATE_CONTENT |
| 4767 | USER_CHANGE_PERMISSIONS |
| 4768 | GENERIC_EVENT |
| 4769 | GENERIC_EVENT |
| 4770 | GENERIC_EVENT |
| 4771 | USER_LOGIN |
| 4772 | USER_LOGIN |
| 4774 | USER_UNCATEGORIZED |
| 4776 | USER_UNCATEGORIZED |
| 4777 | USER_UNCATEGORIZED |
| 4781 | USER_UNCATEGORIZED |
| 4782 | FILE_READ |
| 4794 | USER_RESOURCE_UPDATE_CONTENT |
| 4798 | GROUP_UNCATEGORIZED |
| 4799 | GROUP_MODIFICATION |
| 4800 | USER_STATS |
| 4801 | USER_STATS |
| 4946 | SETTING_MODIFICATION |
| 4948 | SETTING_MODIFICATION |
| 4950 | SETTING_MODIFICATION |
| 4957 | SETTING_MODIFICATION |
| 4964 | GROUP_MODIFICATION |
| 4985 | GENERIC_EVENT |
| 5038 | GENERIC_EVENT, FILE_UNCATEGORIZED |
| 5042 | SETTING_MODIFICATION |
| 5045 | SETTING_MODIFICATION |
| 5048 | SETTING_MODIFICATION |
| 5058 | FILE_UNCATEGORIZED, USER_RESOURCE_ACCESS |
| 5059 | FILE_UNCATEGORIZED, USER_RESOURCE_ACCESS |
| 5061 | FILE_UNCATEGORIZED, USER_RESOURCE_ACCESS |
| 5136 | GROUP_MODIFICATION, USER_RESOURCE_UPDATE_CONTENT |
| 5140 | USER_RESOURCE_ACCESS |
| 5142 | USER_RESOURCE_ACCESS |
| 5145 | USER_RESOURCE_ACCESS |
| 5152 | GENERIC_EVENT, NETWORK_UNCATEGORIZED |
| 5156 | GENERIC_EVENT, NETWORK_UNCATEGORIZED |
| 5447 | GENERIC_EVENT, SETTING_MODIFICATION |
| 5859 | SERVICE_START |
| 5861 | SERVICE_START |
| 6006 | GENERIC_EVENT, SERVICE_STOP |
| 7022 | GENERIC_EVENT |
| 7023 | GENERIC_EVENT |
| 7024 | GENERIC_EVENT |
| 7026 | GENERIC_EVENT |
| 7031 | GENERIC_EVENT |
| 7032 | GENERIC_EVENT |
| 7034 | GENERIC_EVENT |
| 7036 | GENERIC_EVENT, SERVICE_START, SERVICE_STOP |
| 7045 | SERVICE_CREATION |
| 8004 | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| 18452 | GENERIC_EVENT, USER_LOGIN |
| 18453 | USER_LOGIN, USER_UNCATEGORIZED |
| 18454 | USER_LOGIN, USER_UNCATEGORIZED |
| 18455 | USER_LOGIN, USER_UNCATEGORIZED |
| 18456 | GENERIC_EVENT, STATUS_UPDATE, USER_LOGIN |
| 30009 | USER_UNCATEGORIZED |
| 30010 | USER_UNCATEGORIZED |
| Logoff | USER_LOGOUT |
| Logon | USER_LOGIN |
## Log Sample
```
<14>1 2021-10-01T11:17:35.614261-04:00 host Microsoft-Windows-Security-Auditing 532 - [NXLOG@14506 Keywords="keywords" EventType="AUDIT_SUCCESS" EventID="5145" ProviderGuid="{providerguid}" Version="0" TaskValue="12811" OpcodeValue="0" RecordNumber="recordid" ExecutionThreadID="540" Channel="Security" Category="Detailed File Share" Opcode="Info" SubjectUserSid="sid" SubjectUserName="SYSTEM" SubjectDomainName="DOMAIN" SubjectLogonId="logonid" ObjectType="File" IpAddress="10.13.100.247" IpPort="62191" ShareName="\\\\*\\SYSVOL" ShareLocalPath="\\??\\C:\\Windows\\SYSVOL_DFSR\\sysvol" RelativeTargetName="DOMAIN.local\\Policies\\{polid}\\Machine\\registry.pol" AccessMask="0x80" AccessList="%%4423     " AccessReason="%%4423: %%1801 D:(A;;0x1200a9;;;WD)     " EventReceivedTime="2021-10-01 11:17:36" SourceModuleName="MS_AD2" SourceModuleType="im_msvistalog"] A network share object was checked to see whether client can be granted desired access.   Subject:  Security ID:  sid  Account Name:  account  Account Domain:  DOMAIN  Logon ID:  logonid Network Information:   Object Type:  File  Source Address:  10.13.100.247  Source Port:  62191   Share Information:  Share Name:  \\*\SYSVOL  Share Path:  \??\C:\Windows\SYSVOL_DFSR\sysvol  Relative Target Name: DOMAIN.local\Policies\{polid}\Machine\registry.pol Access Request Information:  Access Mask:  0x80  Accesses:  ReadAttributes      Access Check Results:  ReadAttributes: Granted by D:(A;;0x1200a9;;;WD)
```
## Sample Parsing
```
metadata.product_log_id = "{providerguid}"
metadata.event_timestamp = "2021-10-01T15:17:35.614261Z"
metadata.event_type = "USER_RESOURCE_ACCESS"
metadata.vendor_name = "Microsoft"
metadata.product_name = "Windows"
metadata.product_event_type = "5145"
metadata.description = "Detailed"
principal.hostname = "hostname"
principal.user.userid = "SYSTEM"
principal.user.windows_sid = "sid"
principal.platform = "WINDOWS"
principal.ip = "10.13.100.247"
principal.mac = "00:50:b6:e7:c5:b1"
principal.administrative_domain = "DOMAIN"
principal.asset.hostname = "hostname"
principal.asset.ip = "10.13.100.247"
principal.asset.mac = "00:50:b6:e7:c5:b1"
target.port = 62191
target.file.full_path = "domain.local\Policies\{polid}\Machine\registry.pol"
target.resource.type = "File"
target.resource.name = "\\*\SYSVOL"
observer.hostname = "hostname"
observer.application = "Microsoft-Windows-Security-Auditing"
security_result.summary = "A network share object was checked to see whether client can be granted desired access. "
extensions.auth.mechanism = "MECHANISM_UNSPECIFIED"
```
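
The log sample above is an RFC 5424 syslog message in which NXLog carries every Windows event field as an SD-PARAM inside the `[NXLOG@14506 ...]` structured-data element; the normalized fields come from splitting the header, decoding those params and applying the mapping table. The Python below is an added illustration of that pipeline, not the Cyderes parser or any NXLog code. It decodes the three RFC 5424 value escapes (`\"`, `\\`, `\]`), which is why `ShareName` arrives on the wire as `\\\\*\\SYSVOL` but is stored as `\\*\SYSVOL`, converts the `-04:00` timestamp to the UTC form shown in the sample parsing, and maps a subset of the UDM Fields table. `SAMPLE_LINE` is a constructed, shortened copy of the page's sample with its placeholders kept; `EVENT_TYPE_BY_ID` covers only a handful of IDs from the Product Event Types table and falls back to `GENERIC_EVENT` for everything else. Unlike the page's parse, it does not lower-case the domain component of `RelativeTargetName`.

```python
import re
from datetime import datetime, timezone

# Constructed sample: a shortened copy of the page's NXLog/RFC 5424 line, placeholders kept.
# RFC 5424 escaping applies inside SD-PARAM values: a literal backslash is written as "\\".
SAMPLE_LINE = (
    r'<14>1 2021-10-01T11:17:35.614261-04:00 host Microsoft-Windows-Security-Auditing 532 - '
    r'[NXLOG@14506 EventType="AUDIT_SUCCESS" EventID="5145" ProviderGuid="{providerguid}" '
    r'Channel="Security" Category="Detailed File Share" SubjectUserSid="sid" '
    r'SubjectUserName="SYSTEM" SubjectDomainName="DOMAIN" ObjectType="File" '
    r'IpAddress="10.13.100.247" IpPort="62191" ShareName="\\\\*\\SYSVOL" '
    r'ShareLocalPath="\\??\\C:\\Windows\\SYSVOL_DFSR\\sysvol" '
    r'RelativeTargetName="DOMAIN.local\\Policies\\{polid}\\Machine\\registry.pol" '
    r'AccessMask="0x80" SourceModuleName="MS_AD2" SourceModuleType="im_msvistalog"] '
    r'A network share object was checked to see whether client can be granted desired access.'
)

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then structured data and MSG
_HEADER = re.compile(r'^<(\d{1,3})>(\d+) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$', re.DOTALL)


def _parse_sd_params(s, i):
    """Read NAME="VALUE" pairs from offset i up to the closing ']'.
    Unescapes \" \\ and \] inside values. Returns (params, offset after ']')."""
    params = {}
    while i < len(s):
        if s[i] == ']':
            return params, i + 1
        if s[i] == ' ':
            i += 1
            continue
        eq = s.find('=', i)
        if eq == -1 or eq + 1 >= len(s) or s[eq + 1] != '"':
            raise ValueError("malformed SD-PARAM at offset %d" % i)
        name, j, buf = s[i:eq], eq + 2, []
        while j < len(s) and s[j] != '"':
            if s[j] == '\\' and j + 1 < len(s) and s[j + 1] in '"\\]':
                buf.append(s[j + 1]); j += 2       # escaped quote, backslash or bracket
            else:
                buf.append(s[j]); j += 1
        if j >= len(s):
            raise ValueError("unterminated value for %s" % name)
        params[name] = ''.join(buf)
        i = j + 1
    raise ValueError("unterminated SD-ELEMENT")


def _parse_structured_data(rest):
    """Parse zero or more [SD-ID params] elements ('-' means none); returns (sd, msg)."""
    if rest.startswith('-'):
        return {}, rest[1:].lstrip(' ')
    sd, i = {}, 0
    while i < len(rest) and rest[i] == '[':
        j = i + 1
        while j < len(rest) and rest[j] not in ' ]':
            j += 1
        sd_id = rest[i + 1:j]
        sd[sd_id], i = _parse_sd_params(rest, j)
    return sd, rest[i:].lstrip(' ')


def parse_syslog(line):
    """Split one RFC 5424 line into header fields, structured data and free-text message."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    pri, version, ts, host, app, procid, msgid, rest = m.groups()
    sd, msg = _parse_structured_data(rest)
    ts_utc = None
    if ts != '-':   # the sample carries -04:00; normalize to the Z form used in the sample parsing
        ts_utc = datetime.fromisoformat(ts).astimezone(timezone.utc).strftime('%Y-%m-%dT%H:%M:%S.%fZ')
    return {"facility": int(pri) // 8, "severity": int(pri) % 8, "version": int(version),
            "timestamp_utc": ts_utc, "hostname": host, "appname": app,
            "procid": procid, "msgid": msgid, "sd": sd, "msg": msg}


# Subset of the page's Product Event Types table; unknown IDs fall back to GENERIC_EVENT.
EVENT_TYPE_BY_ID = {"4624": "USER_LOGIN", "4625": "USER_LOGIN", "4634": "USER_LOGOUT",
                    "4657": "REGISTRY_MODIFICATION", "4698": "SCHEDULED_TASK_CREATION",
                    "4720": "USER_CREATION", "4726": "USER_DELETION",
                    "5145": "USER_RESOURCE_ACCESS", "7045": "SERVICE_CREATION"}

# Source SD-PARAM -> UDM field, taken from the UDM Fields table above.
_PARAM_TO_UDM = (("SubjectUserName", "principal.user.userid"),
                 ("SubjectUserSid", "principal.user.windows_sid"),
                 ("SubjectDomainName", "principal.administrative_domain"),
                 ("IpAddress", "principal.ip"), ("ObjectType", "target.resource.type"),
                 ("ShareName", "target.resource.name"),
                 ("RelativeTargetName", "target.file.full_path"),
                 ("ProviderGuid", "metadata.product_log_id"),
                 ("EventID", "metadata.product_event_type"))


def to_udm(line, sd_id="NXLOG@14506"):
    """Map one NXLog-forwarded Windows event to a flat dict keyed by UDM field path."""
    rec = parse_syslog(line)
    p = rec["sd"].get(sd_id, {})
    udm = {"metadata.event_timestamp": rec["timestamp_utc"],
           "metadata.vendor_name": "Microsoft", "metadata.product_name": "Windows",
           "metadata.event_type": EVENT_TYPE_BY_ID.get(p.get("EventID"), "GENERIC_EVENT"),
           "principal.hostname": rec["hostname"], "principal.platform": "WINDOWS",
           "observer.application": rec["appname"], "security_result.summary": rec["msg"]}
    for src, dst in _PARAM_TO_UDM:
        if src in p:
            udm[dst] = p[src]
    if p.get("IpPort", "").isdigit():   # ports are integers in UDM, strings on the wire
        udm["target.port"] = int(p["IpPort"])
    return udm


if __name__ == "__main__":
    for k, v in sorted(to_udm(SAMPLE_LINE).items()):
        print("%s = %r" % (k, v))
```

Two details matter for detection content written against this data label: the `EventID` value stays a string in `metadata.product_event_type`, so a rule should compare against `"5145"` rather than `5145`, and backslashes in `target.resource.name` and `target.file.full_path` are already unescaped, so a single `\` in the stored value corresponds to `\\` in the raw syslog line.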
## Parser Alerting

This product currently does not have any Parser-based Alerting.