Microsoft Windows Security Event Log 샘플 이벤트 메시지

<13>May 08 10:45:44 microsoft.windows.test AgentDevice=WindowsLog<tab>AgentLogFile=Security<tab>PluginVersion=7.2.9.108<tab>Source=Microsoft-Windows-Security-Auditing<tab>Computer=microsoft.windows.test<tab>OriginatingComputer=10.0.0.2<tab>User=<tab>Domain=<tab>EventID=4624<tab>EventIDCode=4624<tab>EventType=8<tab>EventCategory=12544<tab>RecordNumber=649155826<tab>TimeGenerated=1588945541<tab>TimeWritten=1588945541<tab>Level=Log Always<tab>Keywords=Audit Success<tab>Task=SE_ADT_LOGON_LOGON<tab>Opcode=Info<tab>Message=An account was successfully logged on.  Subject:  Security ID:  NT AUTHORITY\SYSTEM  Account Name:  account_name$  Account Domain:  account_domain  Logon ID:  0x3E7  Logon Information:  Logon Type:  10  Restricted Admin Mode: No  Virtual Account:  No  Elevated Token:  Yes  Impersonation Level:  Impersonation  New Logon:  Security ID:  account_domain\account_name  Account Name:  account_name  Account Domain:  domain_name  Logon ID:  0x9A4D3C17  Linked Logon ID:  0x9A4D3CD6  Network Account Name: -  Network Account Domain: -  Logon GUID:  {00000000-0000-0000-0000-000000000000}  Process Information:  Process ID:  0x3e4  Process Name:  C:\Windows\System32\svchost.exe  Network Information:  Workstation Name: workstation_name  Source Network Address: 10.0.0.1  Source Port:  0  Detailed Authentication Information:  Logon Process:  User32   Authentication Package: Negotiate  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon session is created. It is generated on the computer that was accessed.  The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.  The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).  The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.  The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.  The impersonation level field indicates the extent to which a process in the logon session can impersonate.  The authentication information fields provide detailed information about this specific logon request.  - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.  - Transited services indicate which intermediate services have participated in this logon request.  - Package name indicates which sub-protocol was used among the NTLM protocols.  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

<13>May 08 14:54:03 microsoft.windows.test AgentDevice=NetApp\tAgentLogFile=Security\tPluginVersion=7.2.9.108\tSource=NetApp-Security-Auditing\tComputer=00000000-0000-000000005-000000000000/11111111-1111-1111-1111-111111111111\tOriginatingComputer=00000000-0000-0000-0000-000000000000/11111111-1111-1111-1111-111111111111\tUser=\tDomain=\tEventID=4624\tEventIDCode=4624\tEventType=8\tEventCategory=0\tRecordNumber=6706\tTimeGenerated=1588960308\tTimeWritten=1588960308\tLevel=LogAlways\tKeywords=AuditSuccess\tTask=None\tOpcode=Info\tMessage=IpAddress=10.0.0.1 IpPort=49155 TargetUserSID=S-0-0-00-00000000-0000000000-0000000000-0000 TargetUserName=target_user_name TargetUserIsLocal=false TargetDomainName=target_domain_name AuthenticationPackageName=NTLM_V2 LogonType=3 ObjectType=(null) HandleID=(null) ObjectName=(null) AccessList=(null) AccessMask=(null) DesiredAccess=(null) Attributes=(null)

<133>Aug 15 23:12:08 microsoft.windows.test MSWinEventLog<tab>1<tab>Security<tab>839<tab>Wed Aug 15 23:12:08 2012<tab>4724<tab>Microsoft-Windows-Security-Auditing<tab>user<tab>N/A<tab>Success Audit<tab>w2k8<tab>User Account Management<tab>An attempt was made to reset an account's password.    Subject:   Security ID:  subject_security_id   Account Name:  Administrator   Account Domain:  DOMAIN   Logon ID:  0x5cbdf    Target Account:   Security ID:  target_security_id   Account Name:  target_account_name   Account Domain:  DOMAIN  355

<131>Apr 04 10:03:18 microsoft.windows.test LEEF:1.0|Microsoft|Windows|2k8r2|8194|devTime=2019-04-04T10:03:18GMT+02:00<tab>devTimeFormat=yyyy-MM-dd'T'HH:mm:ssz<tab>cat=Error<tab>sev=2<tab>resource=microsoft.windows.test<tab>usrName=domain_name\user_name<tab>application=Group Policy Registry<tab>message=domain_name\user_name: Application Group Policy Registry: [Error] The client-side extension could not apply computer policy settings for '00 - C - Domain - Baseline (Enforced) {00000000-0000-0000-0000-000000000000}' because it failed with error code '0x80070002 The system cannot find the file specified.' See trace file for more details. (EventID 8194)

CEF:0|Microsoft|Microsoft Windows||Service Control Manager:7036|Service entered the stopped state|Low| eventId=132 externalId=7036 categorySignificance=/Normal categoryBehavior=/Execute/Response categoryDeviceGroup=/Operating System catdt=Operating System categoryOutcome=/Success categoryObject=/Host/Application/Service art=1358378879917 cat=System deviceSeverity=Information act=stopped rt=1358379018000 destinationServiceName=Portable Device Enumerator Service cs2=0 cs3=Service Control Manager cs2Label=EventlogCategory cs3Label=EventSource cs4Label=Reason or Error Code ahost=192.168.0.31 agt=192.168.0.31 agentZoneURI=/All Zones/example System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 av=5.2.5.6395.0 atz=Country/City_Name aid=00000000000000000000000\\=\\= at=windowsfg dvchost=host.domain.test dtz=Country/City_Name _cefVer=0.1 ad.Key[0]=Portable Device Enumerator Service ad.Key[1]=stopped ad.User= ad.ComputerName=host.domain.test ad.DetectTime=2013-1-16 15:30:18 ad.EventS

{"@timestamp":"2017-02-13T01:54:07.745Z","beat":{"hostname":"microsoft.windows.test","name":"microsoft.windows.test","version":"5.6.3"},"computer_name":"microsoft.windows.test","event_data":{"DomainPeer":"time.windows.test,0x9","ErrorMessage":"No such host is known. (0x80072AF9)","RetryMinutes":"15"},"event_id":134,"level":"Warning","log_name":"System","message":"NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.test,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)","opcode":"Info","process_id":996,"provider_guid":"{00000000-0000-0000-0000-000000000000}","record_number":"40292","source_name":"Microsoft-Windows-Time-Service","thread_id":3312,"type":"wineventlog","user":{"domain":"NT AUTHORITY","identifier":"user_identifier","name":"LOCAL SERVICE","type":"Well Known Group"}}

{"time":"2019-05-07T17:53:30.0648172Z","category":"WindowsEventLogsTable","level":"Informational","properties":{"DeploymentId":"00000000-0000-0000-0000-000000000000","Role":"IaaS","RoleInstance":"_role_instance","ProviderGuid":"{00000000-0000-0000-0000-000000000000}","ProviderName":"Microsoft-Windows-Security-Auditing","EventId":5061,"Level":0,"Pid":700,"Tid":1176,"Opcode":0,"Task":12290,"Channel":"Security","Description":"Cryptographic operation.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tsecurity_id\r\n\tAccount Name:\t\taccount_name\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nCryptographic Parameters:\r\n\tProvider Name:\tMicrosoft Software Key Storage Provider\r\n\tAlgorithm Name:\tRSA\r\n\tKey Name:\t{11111111-1111-1111-1111-111111111111}\r\n\tKey Type:\tMachine key.\r\n\r\nCryptographic Operation:\r\n\tOperation:\tOpen Key.\r\n\tReturn Code:\t0x0","RawXml":"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{22222222-2222-2222-2222-222222222222}'/><EventID>5061</EventID><Version>0</Version><Level>0</Level><Task>12290</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2019-05-07T17:53:30.064817200Z'/><EventRecordID>291478</EventRecordID><Correlation ActivityID='{33333333-3333-3333-3333-333333333333}'/><Execution ProcessID='700' ThreadID='1176'/><Channel>Security</Channel><Computer>computer_name</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>subject_user_sid</Data><Data Name='SubjectUserName'>subject_user_name</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='ProviderName'>Microsoft Software Key Storage Provider</Data><Data Name='AlgorithmName'>RSA</Data><Data Name='KeyName'>{44444444-4444-4444-4444-444444444444}</Data><Data Name='KeyType'>%%2499</Data><Data Name='Operation'>%%2480</Data><Data Name='ReturnCode'>0x0</Data></EventData></Event>"}}

1. Windows 보안 이벤트 로그(Event Hub의 Sentinel 사용)

   {"TimeGenerated":"2025-02-12T11:13:35.1159672Z","SourceSystem":"OpsManager","Computer":"amawintestvm","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":13571,"Level":"0","EventLevelName":"LogAlways","EventData":"<EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><Data Name=\"RuleId\">CoreNet-IPHTTPS-In</Data><Data Name=\"RuleName\">Core Networking - IPHTTPS (TCP-In)</Data><Data Name=\"RuleAttr\">Local Port</Data></EventData>","EventID":4957,"Activity":"4957 - Windows Firewall did not apply the following rule:","SourceComputerId":"123123123-a979-4eb8-99cb-123123123","EventOriginId":"1111111-a979-4eb8-99cb-1111111","MG":"00000000-0000-0000-0000-000000000001","TimeCollected":"2025-02-12T11:14:07.1041483Z","ManagementGroupName":"AOI-1111111-3f02-4cea-962d-1111111","SystemUserId":"N/A","Version":0,"Opcode":"0","Keywords":"0x8010000000000000","Correlation":"{1111111-201D-4B85-9BD0-1111111}","SystemProcessId":632,"SystemThreadId":676,"EventRecordId":"26004","_ItemId":"1111111-e932-11ef-933c-1111111","_Internal_WorkspaceResourceId":"/subscriptions/1111111-1c76-41d7-8443-1111111/resourcegroups/amawintestrcgp/providers/microsoft.operationalinsights/workspaces/amawintestloganaws","Type":"SecurityEvent","TenantId":"1111111-3f02-4cea-962d-1111111","_ResourceId":"/subscriptions/1111111-1c76-41d7-8443-1111111/resourceGroups/AMAWINTESTRCGP/providers/Microsoft.Compute/virtualMachines/amawintestvm"}

2. 애플리케이션 로그 샘플

   {"Computer":"amawintestvm","EventCategory":0,"EventData":"<DataItem Type=\"System.XmlData\" time=\"2025-02-13T04:46:19.119850200Z\" sourceHealthServiceId=\"1111111-a979-4eb8-99cb-1111111\"><EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><Data /><Data>0</Data><Data>WindowsUpdateFailure3</Data><Data>Not available</Data><Data>0</Data><Data>123.123.123.123</Data><Data>80240032</Data><Data>00000000-0000-0000-0000-000000000000</Data><Data>Scan</Data><Data>0</Data><Data>0</Data><Data>0</Data><Data>&amp;lt;&amp;lt;PROCESS&amp;gt;&amp;gt;: powershell.exe</Data><Data>{00000000-0000-0000-0000-000000000000}</Data><Data>0</Data><Data /><Data /><Data /><Data>0</Data><Data>1111111-e9c5-11ef-a811-1111111</Data><Data>262144</Data><Data /></EventData></DataItem>","EventID":1001,"EventLevel":4,"EventLevelName":"Information","EventLog":"Application","MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-1111111-3f02-4cea-962d-1111111","ParameterXml":"<Param></Param><Param>0</Param><Param>WindowsUpdateFailure3</Param><Param>Not available</Param><Param>0</Param><Param>10.0.14393.1111111</Param><Param>80240032</Param><Param>00000000-0000-0000-0000-000000000000</Param><Param>Scan</Param><Param>0</Param><Param>0</Param><Param>0</Param><Param>&amp;lt;&amp;lt;PROCESS&amp;gt;&amp;gt;: powershell.exe</Param><Param>{00000000-0000-0000-0000-000000000000}</Param><Param>0</Param><Param></Param><Param></Param><Param></Param><Param>0</Param><Param>123123-e9c5-11ef-123-123</Param><Param>262144</Param><Param></Param>","RenderedDescription":"Fault bucket , type 0 Event Name: WindowsUpdateFailure3 Response: Not available Cab Id: 0  Problem signature: P1: 10.0.14393.7330 P2: 80240032 P3: 00000000-0000-0000-0000-000000000000 P4: Scan P5: 0 P6: 0 P7: 0 P8: <<PROCESS>>: powershell.exe P9: {00000000-0000-0000-0000-000000000000} P10: 0  Attached files:  These files may be available here:   Analysis symbol:  Rechecking for solution: 0 Report Id: 752be549-e9c5-11ef-a811-7c1e52166a41 Report Status: 262144 Hashed bucket: ","Source":"Windows Error Reporting","SourceSystem":"OpsManager","TenantId":"123123-3f02-4cea-962d-123123","TimeGenerated":"2025-02-13T04:46:19.1198502Z","Type":"Event","UserName":"N/A","_ItemId":"1111111-e9c5-11ef-933b-1111111","_Internal_WorkspaceResourceId":"/subscriptions/1111111-1c76-41d7-8443-1111111/resourcegroups/amawintestrcgp/providers/microsoft.operationalinsights/workspaces/amawintestloganaws","_ResourceId":"/subscriptions/1111111-1c76-41d7-8443-1111111/resourceGroups/AMAWINTESTRCGP/providers/Microsoft.Compute/virtualMachines/amawintestvm"}

3. 샘플 시스템 로그

   {"Computer":"amawintestvm","EventCategory":0,"EventData":"<DataItem Type=\"System.XmlData\" time=\"2025-02-13T04:23:12.558440300Z\" sourceHealthServiceId=\"1111111-a979-4eb8-99cb-1111111\"><EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><Data Name=\"param1\">Windows Defender Advanced Threat Protection Service</Data><Binary>530065006E00730065000000</Binary></EventData></DataItem>","EventID":7043,"EventLevel":2,"EventLevelName":"Error","EventLog":"System","MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-1111111-3f02-4cea-962d-1111111","ParameterXml":"<Param>Windows Defender Advanced Threat Protection Service</Param>","RenderedDescription":"The Windows Defender Advanced Threat Protection Service service did not shut down properly after receiving a preshutdown control.","Source":"Service Control Manager","SourceSystem":"OpsManager","TenantId":"1111111-3f02-4cea-962d-1111111","TimeGenerated":"2025-02-13T04:23:12.5584403Z","Type":"Event","UserName":"N/A","_ItemId":"1111111-e9c2-11ef-933c-1111111","_Internal_WorkspaceResourceId":"/subscriptions/1111111-1c76-41d7-8443-1111111/resourcegroups/amawintestrcgp/providers/microsoft.operationalinsights/workspaces/amawintestloganaws","_ResourceId":"/subscriptions/1111111-1c76-41d7-8443-1111111/resourceGroups/AMAWINTESTRCGP/providers/Microsoft.Compute/virtualMachines/amawintestvm"}

<14>CEF:0|Graylog|graylog-output-syslog:cefsender|2.3.1|log:1|111-1111-111-11-1111|3|Task=11111 Keywords=-9214364837600034816 Category=Handle Manipulation EventType=AUDIT_SUCCESS gl2_remote_ip=10.10.1.4 gl2_remote_port=49687 SourceProcessId=xxxx Opcode=Info source=SBE-1111 gl2_source_input=bbb1111111 SeverityValue=2 Version=0 SubjectDomainName=WORKGROUP gl2_source_node=111-1111-111-11-1111 ProcessID=4 SourceHandleId=xxxx timestamp=2024-12-06T13:12:35.000Z OpcodeValue=0 SourceModuleType=im_msvistalog level=6 Channel=Security gl2_message_id=111111 SourceName=Microsoft-Windows-Security-Auditing Severity=INFO SubjectLogonId=xxxx EventReceivedTime=2024-12-06 14:12:36 PlantID=1111 SourceModuleName=eventlog ProviderGuid={111-1111-111-11-1111} SubjectUserName=SBE-1111$ TargetProcessId=0x4 ThreadID=1111 TargetHandleId=0x1b58 EventID=4690 _id=111-1111-111-11-1111 RecordNumber=79577829 SubjectUserSid=S-1-5-18 start=1733490755000 msg=An attempt was made to duplicate a handle to an object. Requester: Security ID: S-1-5-18 Account Name: SBE-1111$ Account Domain: WORKGROUP Logon ID: xxxxx Source Handle Information: Source Handle ID: 0x1e4 Source Process ID: 0xeb0 New Handle Information: Target Handle ID: xxxxx Target Process ID: 0x4 externalId=111-1111-111-11-1111