Microsoft Windows Security Event Log sample event messages
Microsoft Windows Security Event Log sample messages when you use the Graylog server to collect syslog in CEF format.
The following sample has an event ID of 4690, which shows that an attempt was made to duplicate a handle to an object.
<14>CEF:0|Graylog|graylog-output-syslog:cefsender|2.3.1|log:1|111-1111-111-11-1111|3|Task=11111 Keywords=-9214364837600034816 Category=Handle Manipulation EventType=AUDIT_SUCCESS gl2_remote_ip=10.10.1.4 gl2_remote_port=49687 SourceProcessId=xxxx Opcode=Info source=SBE-1111 gl2_source_input=bbb1111111 SeverityValue=2 Version=0 SubjectDomainName=WORKGROUP gl2_source_node=111-1111-111-11-1111 ProcessID=4 SourceHandleId=xxxx timestamp=2024-12-06T13:12:35.000Z OpcodeValue=0 SourceModuleType=im_msvistalog level=6 Channel=Security gl2_message_id=111111 SourceName=Microsoft-Windows-Security-Auditing Severity=INFO SubjectLogonId=xxxx EventReceivedTime=2024-12-06 14:12:36 PlantID=1111 SourceModuleName=eventlog ProviderGuid={111-1111-111-11-1111} SubjectUserName=SBE-1111$ TargetProcessId=0x4 ThreadID=1111 TargetHandleId=0x1b58 EventID=4690 _id=111-1111-111-11-1111 RecordNumber=79577829 SubjectUserSid=S-1-5-18 start=1733490755000 msg=An attempt was made to duplicate a handle to an object. Requester: Security ID: S-1-5-18 Account Name: SBE-1111$ Account Domain: WORKGROUP Logon ID: xxxxx Source Handle Information: Source Handle ID: 0x1e4 Source Process ID: 0xeb0 New Handle Information: Target Handle ID: xxxxx Target Process ID: 0x4 externalId=111-1111-111-11-1111
Microsoft Windows Security Event Log sample messages when you use WinCollect
The following sample has an event ID of 4624 that shows a successful login for the <account_name> user that has a source IP address of 10.0.0.1 and a destination IP of 10.0.0.2.
<13>May 08 10:45:44 microsoft.windows.test AgentDevice=WindowsLog<tab>AgentLogFile=Security<tab>PluginVersion=7.2.9.108<tab>Source=Microsoft-Windows-Security-Auditing<tab>Computer=microsoft.windows.test<tab>OriginatingComputer=10.0.0.2<tab>User=<tab>Domain=<tab>EventID=4624<tab>EventIDCode=4624<tab>EventType=8<tab>EventCategory=12544<tab>RecordNumber=649155826<tab>TimeGenerated=1588945541<tab>TimeWritten=1588945541<tab>Level=Log Always<tab>Keywords=Audit Success<tab>Task=SE_ADT_LOGON_LOGON<tab>Opcode=Info<tab>Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: account_name$ Account Domain: account_domain Logon ID: 0x3E7 Logon Information: Logon Type: 10 Restricted Admin Mode: No Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: account_domain\account_name Account Name: account_name Account Domain: domain_name Logon ID: 0x9A4D3C17 Linked Logon ID: 0x9A4D3CD6 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3e4 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: workstation_name Source Network Address: 10.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
The following sample has an event ID of 4624 that shows a successful login for the <target_user_name> user that has a source IP address of 10.0.0.1.
<13>May 08 14:54:03 microsoft.windows.test AgentDevice=NetApp\tAgentLogFile=Security\tPluginVersion=7.2.9.108\tSource=NetApp-Security-Auditing\tComputer=00000000-0000-000000005-000000000000/11111111-1111-1111-1111-111111111111\tOriginatingComputer=00000000-0000-0000-0000-000000000000/11111111-1111-1111-1111-111111111111\tUser=\tDomain=\tEventID=4624\tEventIDCode=4624\tEventType=8\tEventCategory=0\tRecordNumber=6706\tTimeGenerated=1588960308\tTimeWritten=1588960308\tLevel=LogAlways\tKeywords=AuditSuccess\tTask=None\tOpcode=Info\tMessage=IpAddress=10.0.0.1 IpPort=49155 TargetUserSID=S-0-0-00-00000000-0000000000-0000000000-0000 TargetUserName=target_user_name TargetUserIsLocal=false TargetDomainName=target_domain_name AuthenticationPackageName=NTLM_V2 LogonType=3 ObjectType=(null) HandleID=(null) ObjectName=(null) AccessList=(null) AccessMask=(null) DesiredAccess=(null) Attributes=(null)
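The two WinCollect samples above share one envelope (syslog PRI, timestamp, host, then tab-separated key=value pairs) but carry the 4624 details in different shapes: the Security-Auditing message is free text with "Label: value" pairs grouped into sections, while the NetApp message is itself a run of key=value pairs. The following Python is an added example, not part of the IBM documentation or of WinCollect; it parses the envelope, breaks the Security-Auditing message into section-qualified fields using only the labels that appear in the sample, and normalises both shapes into the handful of fields a logon detection needs. The sample lines are constructed from the two samples above (abridged, placeholder values kept, the literal "<tab>" and "\t" tokens left exactly as the documentation renders them); the field names in the returned dictionaries are this example's own choice.

```python
import re

# Constructed WinCollect lines modelled on the two 4624 samples above. "<tab>" and
# "\t" stand in for tab characters as the documentation renders them. The trailing
# explanatory text of the Security-Auditing message is omitted here.
SAMPLE_SECURITY_4624 = (
    "<13>May 08 10:45:44 microsoft.windows.test AgentDevice=WindowsLog<tab>AgentLogFile=Security<tab>"
    "Source=Microsoft-Windows-Security-Auditing<tab>Computer=microsoft.windows.test<tab>"
    "OriginatingComputer=10.0.0.2<tab>User=<tab>Domain=<tab>EventID=4624<tab>EventType=8<tab>"
    "Keywords=Audit Success<tab>Task=SE_ADT_LOGON_LOGON<tab>"
    "Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\\SYSTEM "
    "Account Name: account_name$ Account Domain: account_domain Logon ID: 0x3E7 "
    "Logon Information: Logon Type: 10 Restricted Admin Mode: No Virtual Account: No "
    "Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: "
    "account_domain\\account_name Account Name: account_name Account Domain: domain_name "
    "Logon ID: 0x9A4D3C17 Linked Logon ID: 0x9A4D3CD6 Network Account Name: - "
    "Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} "
    "Process Information: Process ID: 0x3e4 Process Name: C:\\Windows\\System32\\svchost.exe "
    "Network Information: Workstation Name: workstation_name Source Network Address: 10.0.0.1 "
    "Source Port: 0 Detailed Authentication Information: Logon Process: User32 "
    "Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - "
    "Key Length: 0"
)
SAMPLE_NETAPP_4624 = (
    "<13>May 08 14:54:03 microsoft.windows.test AgentDevice=NetApp\\tAgentLogFile=Security\\t"
    "Source=NetApp-Security-Auditing\\tComputer=netapp_svm\\tEventID=4624\\tEventType=8\\t"
    "Keywords=AuditSuccess\\tTask=None\\tOpcode=Info\\t"
    "Message=IpAddress=10.0.0.1 IpPort=49155 TargetUserName=target_user_name "
    "TargetUserIsLocal=false TargetDomainName=target_domain_name "
    "AuthenticationPackageName=NTLM_V2 LogonType=3 ObjectType=(null) HandleID=(null)"
)

# <PRI>Mon DD hh:mm:ss host <tab-separated key=value pairs>
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<body>.*)$", re.S)
TAB = re.compile(r"<tab>|\\t|\t")   # literal "<tab>", literal "\t", or a real tab character

def parse_wincollect(line):
    """Split the syslog header, then the tab-separated key=value payload."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        raise ValueError("not a WinCollect syslog line")
    event = {"pri": int(m.group("pri")), "timestamp": m.group("ts"), "host": m.group("host")}
    for part in TAB.split(m.group("body")):
        key, sep, value = part.partition("=")   # first "=" only, so Message keeps its own "="
        if sep:
            event[key] = value
    return event

# Section and field labels exactly as they appear in the 4624 message text above.
SECTIONS = ("Subject", "Logon Information", "New Logon", "Process Information",
            "Network Information", "Detailed Authentication Information")
FIELDS = ("Security ID", "Account Name", "Account Domain", "Logon ID", "Logon Type",
          "Restricted Admin Mode", "Virtual Account", "Elevated Token", "Impersonation Level",
          "Linked Logon ID", "Network Account Name", "Network Account Domain", "Logon GUID",
          "Process ID", "Process Name", "Workstation Name", "Source Network Address",
          "Source Port", "Logon Process", "Authentication Package", "Transited Services",
          "Package Name (NTLM only)", "Key Length")
# Longest label first so "Linked Logon ID" wins over "Logon ID"; a label must follow whitespace.
LABEL_RE = re.compile(r"(?<!\S)(" + "|".join(
    re.escape(l) for l in sorted(SECTIONS + FIELDS, key=len, reverse=True)) + r"):")

def parse_message_fields(message):
    """Turn 'Label: value Label: value' text into {'Section.Label': value}.

    Section awareness matters: 'Account Name' under Subject is the requesting
    account, under New Logon it is the account that actually logged on."""
    matches = list(LABEL_RE.finditer(message))
    fields, section = {}, None
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(message)
        value = message[m.end():end].strip()
        if m.group(1) in SECTIONS:
            section = m.group(1)
        else:
            fields[f"{section}.{m.group(1)}" if section else m.group(1)] = value
    return fields

def parse_kv_message(message):
    """NetApp variant: the message is itself a run of space-separated key=value pairs."""
    return dict(re.findall(r"(\w+)=(\S+)", message))

def summarize_logon(event):
    """Normalise a 4624 event from either source into the fields a detection needs."""
    if event.get("EventID") != "4624":
        return None
    if event.get("Source") == "NetApp-Security-Auditing":
        f = parse_kv_message(event.get("Message", ""))
        return {"logon_type": f.get("LogonType"), "source_ip": f.get("IpAddress"),
                "target_user": f.get("TargetUserName"), "target_domain": f.get("TargetDomainName"),
                "auth_package": f.get("AuthenticationPackageName"), "elevated": None}
    f = parse_message_fields(event.get("Message", ""))
    return {"logon_type": f.get("Logon Information.Logon Type"),
            "source_ip": f.get("Network Information.Source Network Address"),
            "target_user": f.get("New Logon.Account Name"),
            "target_domain": f.get("New Logon.Account Domain"),
            "auth_package": f.get("Detailed Authentication Information.Authentication Package"),
            "elevated": f.get("Logon Information.Elevated Token")}
```

Running `summarize_logon(parse_wincollect(SAMPLE_SECURITY_4624))` yields logon type 10 (RemoteInteractive) from 10.0.0.1 for account_name with an elevated token, which is the combination a remote-admin-logon detection keys on; the NetApp line yields logon type 3 over NTLM_V2 with no elevation field, because that source does not report one. The label table deliberately lists only labels present in the sample: a generic "capitalised words before a colon" pattern would mistake "No Virtual Account" or "Yes Impersonation Level" for labels.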
Microsoft Windows Security Event Log sample message when you use Syslog to collect logs in Snare format
The following sample has an event ID of 4724 that shows that an attempt was made to reset an account's password, and that the attempt was made by the account name Administrator.
<133>Aug 15 23:12:08 microsoft.windows.test MSWinEventLog<tab>1<tab>Security<tab>839<tab>Wed Aug 15 23:12:08 2012<tab>4724<tab>Microsoft-Windows-Security-Auditing<tab>user<tab>N/A<tab>Success Audit<tab>w2k8<tab>User Account Management<tab>An attempt was made to reset an account's password. Subject: Security ID: subject_security_id Account Name: Administrator Account Domain: DOMAIN Logon ID: 0x5cbdf Target Account: Security ID: target_security_id Account Name: target_account_name Account Domain: DOMAIN 355
Microsoft Windows Security Event Log sample message when you use Syslog to collect logs in LEEF format
The following sample has an event ID of 8194 and shows a Volume Shadow Copy Service error that was initiated by the <user_name> user.
<131>Apr 04 10:03:18 microsoft.windows.test LEEF:1.0|Microsoft|Windows|2k8r2|8194|devTime=2019-04-04T10:03:18GMT+02:00<tab>devTimeFormat=yyyy-MM-dd'T'HH:mm:ssz<tab>cat=Error<tab>sev=2<tab>resource=microsoft.windows.test<tab>usrName=domain_name\user_name<tab>application=Group Policy Registry<tab>message=domain_name\user_name: Application Group Policy Registry: [Error] The client-side extension could not apply computer policy settings for '00 - C - Domain - Baseline (Enforced) {00000000-0000-0000-0000-000000000000}' because it failed with error code '0x80070002 The system cannot find the file specified.' See trace file for more details. (EventID 8194)
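The Snare and LEEF samples above are both tab-separated, but they differ in how the event identity is carried: Snare uses fixed positional fields after the MSWinEventLog marker, LEEF uses a five-field pipe-delimited header followed by named attributes. The Python below is an added example, not code from the IBM documentation, Snare or QRadar; it parses both. The sample lines are constructed from the two samples above (abridged, placeholders kept, "<tab>" left literal as the documentation renders it; the Snare line omits the trailing Snare-specific field after the message). The positional Snare field names and the dictionary layout are this example's assumptions, taken from the order of values in the sample rather than from a specification.

```python
import re

# Constructed lines modelled on the Snare (4724) and LEEF (8194) samples above.
SAMPLE_SNARE = (
    "<133>Aug 15 23:12:08 microsoft.windows.test MSWinEventLog<tab>1<tab>Security<tab>839<tab>"
    "Wed Aug 15 23:12:08 2012<tab>4724<tab>Microsoft-Windows-Security-Auditing<tab>user<tab>N/A<tab>"
    "Success Audit<tab>w2k8<tab>User Account Management<tab>An attempt was made to reset an "
    "account's password. Subject: Security ID: subject_security_id Account Name: Administrator "
    "Account Domain: DOMAIN Logon ID: 0x5cbdf Target Account: Security ID: target_security_id "
    "Account Name: target_account_name Account Domain: DOMAIN"
)
SAMPLE_LEEF = (
    "<131>Apr 04 10:03:18 microsoft.windows.test LEEF:1.0|Microsoft|Windows|2k8r2|8194|"
    "devTime=2019-04-04T10:03:18GMT+02:00<tab>devTimeFormat=yyyy-MM-dd'T'HH:mm:ssz<tab>cat=Error<tab>"
    "sev=2<tab>resource=microsoft.windows.test<tab>usrName=domain_name\\user_name<tab>"
    "application=Group Policy Registry<tab>message=domain_name\\user_name: Application Group Policy "
    "Registry: [Error] The client-side extension could not apply computer policy settings. (EventID 8194)"
)

SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<body>.*)$", re.S)
TAB = re.compile(r"<tab>|\\t|\t")   # literal "<tab>", literal "\t", or a real tab character

# Positional Snare fields in the order they appear in the sample above (assumed names).
SNARE_FIELDS = ("agent", "criticality", "log_name", "counter", "event_time", "event_id",
                "source_name", "user", "sid_type", "event_log_type", "computer", "category",
                "message")
LEEF_HEADER = ("leef_version", "vendor", "product", "version", "event_id")

def _syslog(line):
    """Return ({pri, timestamp, host}, body) for a '<PRI>Mon DD hh:mm:ss host body' line."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        raise ValueError("missing syslog header")
    return ({"pri": int(m.group("pri")), "timestamp": m.group("ts"), "host": m.group("host")},
            m.group("body"))

def parse_snare(line):
    """Snare: fixed positional tab-separated fields; extra trailing fields are kept raw."""
    event, body = _syslog(line)
    parts = TAB.split(body)
    if len(parts) < len(SNARE_FIELDS) or parts[0] != "MSWinEventLog":
        raise ValueError("not a Snare MSWinEventLog line")
    event.update(zip(SNARE_FIELDS, parts))
    event["event_id"] = int(event["event_id"])
    event["extra"] = parts[len(SNARE_FIELDS):]
    return event

def parse_leef(line):
    """LEEF 1.0: five pipe-delimited header fields, then tab-separated key=value attributes."""
    event, body = _syslog(line)
    if not body.startswith("LEEF:"):
        raise ValueError("not a LEEF line")
    parts = body.split("|", len(LEEF_HEADER))   # maxsplit keeps any "|" inside attributes intact
    if len(parts) != len(LEEF_HEADER) + 1:
        raise ValueError("truncated LEEF header")
    event.update(zip(LEEF_HEADER, parts))
    event["leef_version"] = event["leef_version"][len("LEEF:"):]
    attrs = {}
    for attr in TAB.split(parts[-1]):
        key, sep, value = attr.partition("=")
        if sep:
            attrs[key] = value
    event["attributes"] = attrs
    return event
```

For Snare the event ID, log name and audit outcome ("Success Audit") arrive as separate fields, so a rule on 4724 from the Security log does not need to touch the message text at all; for LEEF the event ID is the fifth header field and everything else is in `attributes`, where `devTime` is a string whose layout is only known from the accompanying `devTimeFormat`, so it is returned unparsed here.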
Microsoft Windows Security Event Log sample message when you use Syslog to collect logs in CEF format
The following sample has an event ID of 7036 (Service Stopped), which shows that a service entered the stopped state.
CEF:0|Microsoft|Microsoft Windows||Service Control Manager:7036|Service entered the stopped state|Low| eventId=132 externalId=7036 categorySignificance=/Normal categoryBehavior=/Execute/Response categoryDeviceGroup=/Operating System catdt=Operating System categoryOutcome=/Success categoryObject=/Host/Application/Service art=1358378879917 cat=System deviceSeverity=Information act=stopped rt=1358379018000 destinationServiceName=Portable Device Enumerator Service cs2=0 cs3=Service Control Manager cs2Label=EventlogCategory cs3Label=EventSource cs4Label=Reason or Error Code ahost=192.168.0.31 agt=192.168.0.31 agentZoneURI=/All Zones/example System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 av=5.2.5.6395.0 atz=Country/City_Name aid=00000000000000000000000\\=\\= at=windowsfg dvchost=host.domain.test dtz=Country/City_Name _cefVer=0.1 ad.Key[0]=Portable Device Enumerator Service ad.Key[1]=stopped ad.User= ad.ComputerName=host.domain.test ad.DetectTime=2013-1-16 15:30:18 ad.EventS
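Both CEF samples on this page (the Graylog 4690 line and the 7036 line just above) follow the same layout: an optional syslog PRI, seven pipe-delimited header fields beginning with `CEF:0`, then an extension of key=value pairs in which values may contain spaces (`Category=Handle Manipulation`, the whole `msg` text) and in which `|`, `=` and `\` inside values are backslash-escaped (the `aid=...\=\=` value in the 7036 sample). The Python below is an added example and is not code from Graylog, QRadar or the IBM documentation; it parses that layout. The sample line is constructed from the 4690 sample above (abridged, placeholders kept, one escaped `\=` value added so the unescaping path is exercised); the field names used for the header are this example's own.

```python
import re

# Constructed CEF:0 line modelled on the Graylog 4690 sample above (abridged, placeholder
# values kept, one CEF-escaped "\=" value added to exercise the unescaping rule).
SAMPLE_CEF = (
    "<14>CEF:0|Graylog|graylog-output-syslog:cefsender|2.3.1|log:1|111-1111-111-11-1111|3|"
    "Task=11111 Category=Handle Manipulation EventType=AUDIT_SUCCESS gl2_remote_ip=10.10.1.4 "
    "SubjectUserSid=S-1-5-18 SubjectUserName=SBE-1111$ EventID=4690 "
    "EventReceivedTime=2024-12-06 14:12:36 aid=AAAAAAAA\\=\\= "
    "msg=An attempt was made to duplicate a handle to an object. Requester: Security ID: S-1-5-18 "
    "Account Name: SBE-1111$ Source Handle ID: 0x1e4 Target Process ID: 0x4 "
    "externalId=111-1111-111-11-1111"
)

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

def _unescape(value):
    # Undo CEF escaping: "\|" and "\=" become the bare character, "\\" a single
    # backslash, and "\n" / "\r" line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def _split_header(line):
    """Consume seven pipe-delimited header fields, keeping escape pairs such as "\\|" whole."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < len(HEADER_FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i:i + 2])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return fields, line[i:]      # rest of the line is the extension

# Split the extension only at whitespace that precedes the next "key=" token, so values
# with spaces ("Handle Manipulation", a timestamp, the whole msg text) stay intact.
# Keys may contain ".", "[" and "]" (e.g. ad.Key[0] in the 7036 sample).
EXT_SPLIT = re.compile(r"\s+(?=[A-Za-z_][\w.\[\]]*=)")

def parse_extension(extension):
    attrs = {}
    for pair in EXT_SPLIT.split(extension.strip()):
        key, sep, value = pair.partition("=")
        if sep:
            attrs[key] = _unescape(value)
    return attrs

def parse_cef(line):
    """Parse one CEF:0 line, with or without a leading syslog <PRI>."""
    pri, m = None, re.match(r"<(\d+)>", line)
    if m:
        pri, line = int(m.group(1)), line[m.end():]
    fields, extension = _split_header(line)
    if len(fields) != len(HEADER_FIELDS) or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF:0 line")
    event = dict(zip(HEADER_FIELDS, (_unescape(f) for f in fields)))
    event["cef_version"] = event["cef_version"].split(":", 1)[1]
    event["syslog_pri"] = pri
    event["extension"] = parse_extension(extension)
    return event
```

A naive `split()` on spaces would shred `Category=Handle Manipulation` and the `msg` text, and a naive split on `|` would break a vendor name containing an escaped pipe; the header loop and the lookahead split above avoid both. The one remaining ambiguity is a value that itself contains a space followed by `word=`; CEF senders are expected to escape that `=`, and the unescaping step here restores it.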
Microsoft Windows Security Event Log sample message when you use Syslog to collect logs by using Winlogbeats
The following sample, from the System log, has an event ID of 134 and shows that NtpClient was unable to set a manual peer to use as a time source.
{"@timestamp":"2017-02-13T01:54:07.745Z","beat":{"hostname":"microsoft.windows.test","name":"microsoft.windows.test","version":"5.6.3"},"computer_name":"microsoft.windows.test","event_data":{"DomainPeer":"time.windows.test,0x9","ErrorMessage":"No such host is known. (0x80072AF9)","RetryMinutes":"15"},"event_id":134,"level":"Warning","log_name":"System","message":"NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.test,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)","opcode":"Info","process_id":996,"provider_guid":"{00000000-0000-0000-0000-000000000000}","record_number":"40292","source_name":"Microsoft-Windows-Time-Service","thread_id":3312,"type":"wineventlog","user":{"domain":"NT AUTHORITY","identifier":"user_identifier","name":"LOCAL SERVICE","type":"Well Known Group"}}
Microsoft Windows Security Event Log sample message when you use Syslog to collect logs by using Azure Event Hubs
The following sample has an event ID of 5061 and shows a cryptographic operation that was completed by the <subject_user_name> user.
{"time":"2019-05-07T17:53:30.0648172Z","category":"WindowsEventLogsTable","level":"Informational","properties":{"DeploymentId":"00000000-0000-0000-0000-000000000000","Role":"IaaS","RoleInstance":"_role_instance","ProviderGuid":"{00000000-0000-0000-0000-000000000000}","ProviderName":"Microsoft-Windows-Security-Auditing","EventId":5061,"Level":0,"Pid":700,"Tid":1176,"Opcode":0,"Task":12290,"Channel":"Security","Description":"Cryptographic operation.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tsecurity_id\r\n\tAccount Name:\t\taccount_name\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nCryptographic Parameters:\r\n\tProvider Name:\tMicrosoft Software Key Storage Provider\r\n\tAlgorithm Name:\tRSA\r\n\tKey Name:\t{11111111-1111-1111-1111-111111111111}\r\n\tKey Type:\tMachine key.\r\n\r\nCryptographic Operation:\r\n\tOperation:\tOpen Key.\r\n\tReturn Code:\t0x0","RawXml":"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{22222222-2222-2222-2222-222222222222}'/><EventID>5061</EventID><Version>0</Version><Level>0</Level><Task>12290</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2019-05-07T17:53:30.064817200Z'/><EventRecordID>291478</EventRecordID><Correlation ActivityID='{33333333-3333-3333-3333-333333333333}'/><Execution ProcessID='700' ThreadID='1176'/><Channel>Security</Channel><Computer>computer_name</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>subject_user_sid</Data><Data Name='SubjectUserName'>subject_user_name</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='ProviderName'>Microsoft Software Key Storage Provider</Data><Data Name='AlgorithmName'>RSA</Data><Data Name='KeyName'>{44444444-4444-4444-4444-444444444444}</Data><Data Name='KeyType'>%%2499</Data><Data Name='Operation'>%%2480</Data><Data Name='ReturnCode'>0x0</Data></EventData></Event>"}}
Azure Monitor Agent support for Microsoft Windows Security Event logs from Sentinel
Azure Monitor Agent (AMA) supports Microsoft Windows Event logs by using Microsoft Sentinel. Logs that AMA forwards through Event Hub, including Application and System logs, are also supported.
- Windows Security Event log (by using Sentinel from Event Hub)
{"TimeGenerated":"2025-02-12T11:13:35.1159672Z","SourceSystem":"OpsManager","Computer":"amawintestvm","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":13571,"Level":"0","EventLevelName":"LogAlways","EventData":"<EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><Data Name=\"RuleId\">CoreNet-IPHTTPS-In</Data><Data Name=\"RuleName\">Core Networking - IPHTTPS (TCP-In)</Data><Data Name=\"RuleAttr\">Local Port</Data></EventData>","EventID":4957,"Activity":"4957 - Windows Firewall did not apply the following rule:","SourceComputerId":"123123123-a979-4eb8-99cb-123123123","EventOriginId":"1111111-a979-4eb8-99cb-1111111","MG":"00000000-0000-0000-0000-000000000001","TimeCollected":"2025-02-12T11:14:07.1041483Z","ManagementGroupName":"AOI-1111111-3f02-4cea-962d-1111111","SystemUserId":"N/A","Version":0,"Opcode":"0","Keywords":"0x8010000000000000","Correlation":"{1111111-201D-4B85-9BD0-1111111}","SystemProcessId":632,"SystemThreadId":676,"EventRecordId":"26004","_ItemId":"1111111-e932-11ef-933c-1111111","_Internal_WorkspaceResourceId":"/subscriptions/1111111-1c76-41d7-8443-1111111/resourcegroups/amawintestrcgp/providers/microsoft.operationalinsights/workspaces/amawintestloganaws","Type":"SecurityEvent","TenantId":"1111111-3f02-4cea-962d-1111111","_ResourceId":"/subscriptions/1111111-1c76-41d7-8443-1111111/resourceGroups/AMAWINTESTRCGP/providers/Microsoft.Compute/virtualMachines/amawintestvm"}
- Sample Application log
{"Computer":"amawintestvm","EventCategory":0,"EventData":"<DataItem Type=\"System.XmlData\" time=\"2025-02-13T04:46:19.119850200Z\" sourceHealthServiceId=\"1111111-a979-4eb8-99cb-1111111\"><EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><Data /><Data>0</Data><Data>WindowsUpdateFailure3</Data><Data>Not available</Data><Data>0</Data><Data>123.123.123.123</Data><Data>80240032</Data><Data>00000000-0000-0000-0000-000000000000</Data><Data>Scan</Data><Data>0</Data><Data>0</Data><Data>0</Data><Data>&lt;&lt;PROCESS&gt;&gt;: powershell.exe</Data><Data>{00000000-0000-0000-0000-000000000000}</Data><Data>0</Data><Data /><Data /><Data /><Data>0</Data><Data>1111111-e9c5-11ef-a811-1111111</Data><Data>262144</Data><Data /></EventData></DataItem>","EventID":1001,"EventLevel":4,"EventLevelName":"Information","EventLog":"Application","MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-1111111-3f02-4cea-962d-1111111","ParameterXml":"<Param></Param><Param>0</Param><Param>WindowsUpdateFailure3</Param><Param>Not available</Param><Param>0</Param><Param>10.0.14393.1111111</Param><Param>80240032</Param><Param>00000000-0000-0000-0000-000000000000</Param><Param>Scan</Param><Param>0</Param><Param>0</Param><Param>0</Param><Param>&lt;&lt;PROCESS&gt;&gt;: powershell.exe</Param><Param>{00000000-0000-0000-0000-000000000000}</Param><Param>0</Param><Param></Param><Param></Param><Param></Param><Param>0</Param><Param>123123-e9c5-11ef-123-123</Param><Param>262144</Param><Param></Param>","RenderedDescription":"Fault bucket , type 0 Event Name: WindowsUpdateFailure3 Response: Not available Cab Id: 0 Problem signature: P1: 10.0.14393.7330 P2: 80240032 P3: 00000000-0000-0000-0000-000000000000 P4: Scan P5: 0 P6: 0 P7: 0 P8: <<PROCESS>>: powershell.exe P9: {00000000-0000-0000-0000-000000000000} P10: 0 Attached files: These files may be available here: Analysis symbol: Rechecking for solution: 0 Report Id: 752be549-e9c5-11ef-a811-7c1e52166a41 Report Status: 262144 Hashed bucket: ","Source":"Windows Error Reporting","SourceSystem":"OpsManager","TenantId":"123123-3f02-4cea-962d-123123","TimeGenerated":"2025-02-13T04:46:19.1198502Z","Type":"Event","UserName":"N/A","_ItemId":"1111111-e9c5-11ef-933b-1111111","_Internal_WorkspaceResourceId":"/subscriptions/1111111-1c76-41d7-8443-1111111/resourcegroups/amawintestrcgp/providers/microsoft.operationalinsights/workspaces/amawintestloganaws","_ResourceId":"/subscriptions/1111111-1c76-41d7-8443-1111111/resourceGroups/AMAWINTESTRCGP/providers/Microsoft.Compute/virtualMachines/amawintestvm"}
- Sample System log
{"Computer":"amawintestvm","EventCategory":0,"EventData":"<DataItem Type=\"System.XmlData\" time=\"2025-02-13T04:23:12.558440300Z\" sourceHealthServiceId=\"1111111-a979-4eb8-99cb-1111111\"><EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><Data Name=\"param1\">Windows Defender Advanced Threat Protection Service</Data><Binary>530065006E00730065000000</Binary></EventData></DataItem>","EventID":7043,"EventLevel":2,"EventLevelName":"Error","EventLog":"System","MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-1111111-3f02-4cea-962d-1111111","ParameterXml":"<Param>Windows Defender Advanced Threat Protection Service</Param>","RenderedDescription":"The Windows Defender Advanced Threat Protection Service service did not shut down properly after receiving a preshutdown control.","Source":"Service Control Manager","SourceSystem":"OpsManager","TenantId":"1111111-3f02-4cea-962d-1111111","TimeGenerated":"2025-02-13T04:23:12.5584403Z","Type":"Event","UserName":"N/A","_ItemId":"1111111-e9c2-11ef-933c-1111111","_Internal_WorkspaceResourceId":"/subscriptions/1111111-1c76-41d7-8443-1111111/resourcegroups/amawintestrcgp/providers/microsoft.operationalinsights/workspaces/amawintestloganaws","_ResourceId":"/subscriptions/1111111-1c76-41d7-8443-1111111/resourceGroups/AMAWINTESTRCGP/providers/Microsoft.Compute/virtualMachines/amawintestvm"}
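The Event Hub record (5061) and the three AMA records above all deliver the Windows event fields as XML embedded in a JSON string: under `properties.RawXml` as a whole `<Event>` for Event Hub, as a bare `<EventData>` for Sentinel `SecurityEvent` rows, and wrapped in a `<DataItem>` for AMA `Event` rows. The Security events use named `<Data Name="...">` elements, the Application 1001 event uses unnamed positional `<Data>` elements, and the System 7043 event adds a `<Binary>` element holding a UTF-16LE string in hex. The Python below is an added example, not code from Microsoft, IBM or QRadar; it flattens all of these shapes into one dictionary. The sample records are constructed from the samples above (abridged, placeholder ids), and the output field names are this example's own.

```python
import json
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed records modelled on the AMA / Event Hub samples above (abridged, placeholder ids).
SENTINEL_SECURITY = json.dumps({
    "TimeGenerated": "2025-02-12T11:13:35.1159672Z", "Computer": "amawintestvm",
    "Channel": "Security", "EventID": 4957, "Type": "SecurityEvent",
    "EventData": '<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
                 '<Data Name="RuleId">CoreNet-IPHTTPS-In</Data>'
                 '<Data Name="RuleName">Core Networking - IPHTTPS (TCP-In)</Data>'
                 '<Data Name="RuleAttr">Local Port</Data></EventData>'})
AMA_SYSTEM = json.dumps({
    "Computer": "amawintestvm", "EventLog": "System", "EventID": 7043, "Type": "Event",
    "Source": "Service Control Manager",
    "EventData": '<DataItem Type="System.XmlData" time="2025-02-13T04:23:12.558440300Z">'
                 '<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
                 '<Data Name="param1">Windows Defender Advanced Threat Protection Service</Data>'
                 '<Binary>530065006E00730065000000</Binary></EventData></DataItem>'})
EVENT_HUB_SECURITY = json.dumps({
    "time": "2019-05-07T17:53:30.0648172Z", "category": "WindowsEventLogsTable",
    "properties": {"ProviderName": "Microsoft-Windows-Security-Auditing", "EventId": 5061,
                   "Channel": "Security",
                   "RawXml": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
                             "<System><EventID>5061</EventID><Channel>Security</Channel>"
                             "<Computer>computer_name</Computer></System>"
                             "<EventData><Data Name='SubjectLogonId'>0x3e7</Data>"
                             "<Data Name='AlgorithmName'>RSA</Data>"
                             "<Data Name='Operation'>%%2480</Data></EventData></Event>"}})

def event_data_fields(xml_text):
    """Map an <EventData> block to {name: value}.

    Named <Data Name="x"> elements keep their name; unnamed positional <Data>
    elements (Application log events) are numbered Param1, Param2, ...; a <Binary>
    element is decoded from hex UTF-16LE, which for 7043 yields the service's short name."""
    root = ET.fromstring(xml_text)
    data = root if root.tag == NS + "EventData" else root.find(".//" + NS + "EventData")
    if data is None:
        raise ValueError("no EventData element")
    fields, position = {}, 0
    for child in data:
        tag = child.tag.rsplit("}", 1)[-1]          # drop the namespace prefix
        if tag == "Data":
            position += 1
            fields[child.get("Name") or f"Param{position}"] = child.text or ""
        elif tag == "Binary":
            raw = bytes.fromhex(child.text or "")
            fields["Binary"] = raw.decode("utf-16-le", "replace").rstrip("\x00")
    return fields

def normalize(record_json):
    """Flatten the three record shapes to one {event_id, channel, computer, fields} dict."""
    rec = json.loads(record_json)
    if "properties" in rec:                       # Event Hub shape: RawXml under properties
        props = rec["properties"]
        root = ET.fromstring(props["RawXml"])
        return {"event_id": props["EventId"], "channel": props["Channel"],
                "computer": root.findtext(".//" + NS + "Computer"),
                "fields": event_data_fields(props["RawXml"])}
    # AMA shapes: SecurityEvent rows carry Channel, Event rows carry EventLog
    return {"event_id": rec["EventID"], "channel": rec.get("Channel") or rec.get("EventLog"),
            "computer": rec["Computer"], "fields": event_data_fields(rec["EventData"])}
```

Values such as `%%2480` in the 5061 record are references into the provider's message table (the rendered `Description` in the same record shows them resolved to "Open Key." and "Machine key."); this example leaves them as received, which is what you want when matching on the stable numeric code rather than on localised text.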