The field names. Instead of what is being collected,
2017 Feb 21 13:33:23 WinEvtLog: Security: AUDIT_SUCCESS(4627): Microsoft-Windows-Security-Auditing: (no user): no domain: Hostname: S-1-5-18 HOSTNAME$ DOMAIN 0x3e7 S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX Username HOSTNAME 0x22d8dd8 7 1 1 <LF><CR>
<TAB><TAB>%{S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXX}
<TAB><TAB>%{S-1-1-0}
<TAB><TAB>%{S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX}
<TAB><TAB>%{S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX}
<TAB><TAB>%{S-1-5-32-562}
<TAB><TAB>%{S-1-5-32-578}
<TAB><TAB>%{S-1-5-32-556}
<TAB><TAB>%{S-1-5-32-555}
<TAB><TAB>%{S-1-5-32-545}
<TAB><TAB>%{S-1-5-4}
<TAB><TAB>%{S-1-2-1}
<TAB><TAB>%{S-1-5-11}
<TAB><TAB>%{S-1-5-15}
<TAB><TAB>%{S-1-5-113}
<TAB><TAB>%{S-1-2-0}
<TAB><TAB>%{S-1-5-64-10}
<TAB><TAB>%{S-1-16-8448}<SPACE>

The event should be logged as follows (parts in Red are missing; without them an operator has *no clue* as to what the various pieces of information contained in the event are, unless he looks at a similar one in native Windows Event Viewer):

2017 Feb 21 13:33:23 WinEvtLog: Security: AUDIT_SUCCESS(4627): Microsoft-Windows-Security-Auditing: (no user): no domain: Hostname: Group Membership.
Subject:
    Security ID: S-1-5-18
    Account Name: HOSTNAME$
    Account Domain: DOMAIN
    Logon ID: 0x3e7
Target User SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX
Target User Name: Username
Target Domain Name: HOSTNAME
Target Logon ID: 0x22d8dd8
Logon Type: 7
Event IDX: 1
Event Count: 1
Group Membership:<LF><CR>
<TAB><TAB>%{S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXX}
<TAB><TAB>%{S-1-1-0}
<TAB><TAB>%{S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX}
<TAB><TAB>%{S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX}
<TAB><TAB>%{S-1-5-32-562}
<TAB><TAB>%{S-1-5-32-578}
<TAB><TAB>%{S-1-5-32-556}
<TAB><TAB>%{S-1-5-32-555}
<TAB><TAB>%{S-1-5-32-545}
<TAB><TAB>%{S-1-5-4}
<TAB><TAB>%{S-1-2-1}
<TAB><TAB>%{S-1-5-11}
<TAB><TAB>%{S-1-5-15}
<TAB><TAB>%{S-1-5-113}
<TAB><TAB>%{S-1-2-0}
<TAB><TAB>%{S-1-5-64-10}
<TAB><TAB>%{S-1-16-8448}<SPACE>

--------------------------------------------------------------------------------------------------------------

*Event ID 4703*: *Reported in archives.log*

2017 Feb 21 17:31:27 (W10EntDsktp) 192.168.16.1->WinEvtLog 2017 Feb 21 19:31:13 WinEvtLog: Security: AUDIT_SUCCESS(4703): Microsoft-Windows-Security-Auditing: (no user): no domain: Hostname: S-1-5-18 DESKTOP$ COMPUCENTER 0x3e7 S-1-5-18 DESKTOP$ COMPUCENTER 0x3e7 C:\Program Files (x86)\OSSEC-Agent\ossec-agent.exe 0x11dc SeSecurityPrivilege -

What should have been logged (missing bits in red):

2017 Feb 21 17:31:27 (W10EntDsktp) 192.168.16.1->WinEvtLog 2017 Feb 21 19:31:13 WinEvtLog: Security: AUDIT_SUCCESS(4703): Microsoft-Windows-Security-Auditing: (no user): no domain: Hostname: A user right was adjusted.
Subject:
    Security ID: S-1-5-18
    Account Name: HOSTNAME$
    Account Domain: DOMAIN
    Logon ID: 0x3e7
Target:
    Security ID: S-1-5-18
    Account Name: HOSTNAME$
    Account Domain: DOMAIN
    Logon ID: 0x3e7
Process Name: C:\Program Files (x86)\OSSEC-Agent\ossec-agent.exe
Process ID: 0x11dc
Enabled Security Privilege: SeSecurityPrivilege
Disabled Security Privilege: -

--------------------------------------------------------------------------------------------------------------

*AppLocker Event ID: 8002*

In OSSEC Archive log:

2017 Feb 21 17:24:04 (AgentName) 192.168.X.Y->WinEvtLog 2017 Feb 21 19:23:45 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: INFORMATION(8002): Microsoft-Windows-AppLocker: Username: HOSTNAME: Hostname: %SYSTEM32%\DLLHOST.EXE was allowed to run.

Without the missing information, the logged event is of *little security value*. It is the missing information that allows the event to be correlated with other types of events: Process ID, Logon ID, Security ID. The AppLocker Policy/Rule Details are critical for troubleshooting.

*What should have been logged*:

2017 Feb 21 17:24:04 (AgentName) 192.168.X.Y->WinEvtLog 2017 Feb 21 19:23:45 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: INFORMATION(8002): Microsoft-Windows-AppLocker: Rule and File Data:
Policy Name: EXE
Rule ID: {06EB0E7E-0F84-4D34-BF02-E59A8CAF9D61}
Rule Name: Drive C:: INTERNET EXPLORER signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Rule SDDL: D:(XA;;FX;;;S-1-5-11;((Exists APPID://FQBN) && ((APPID://FQBN) >= ({"O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLORER\*",3096224743817216}))))
Target User SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX
Target Process ID: 1148
File Path: %SYSTEM32%\DLLHOST.EXE
File Hash: 32527C58E1ED8888E4A8C5AEEF30BD9AECD584E9DD03976F83A8498C30EF3936
FQBN: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLORER\IELOWUTIL.EXE\11.0.10240.16384
Target Logon ID: 0x42c61d
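As an added example (not OSSEC's code and not the poster's), the Python script below puts the names back onto the positional values OSSEC collected for 4627 and 4703, using the field order from the "what should have been logged" versions in the post. The sample lines are constructed from the post's examples and keep its XXXX placeholders; the header and body patterns are assumptions about OSSEC's flattened layout, not OSSEC's own parser. It deliberately has no schema for AppLocker 8002: there the values themselves (Rule ID, Process ID, Logon ID) are gone, so there is nothing left to relabel, which is exactly the post's point.

```python
"""Relabel the positional values of OSSEC WinEvtLog lines with the field names OSSEC dropped.

Added example, not OSSEC code. Field names and order come from the post's "what should
have been logged" versions; SAMPLE_* lines are constructed from the post's examples.
"""
import re

HEX = r"0x[0-9a-fA-F]+"

# Assumed OSSEC header: <ts> WinEvtLog: <channel>: <level>(<id>): <provider>: <user>: <domain>: <host>: <body>
# search() instead of match() so the archives.log prefix "(Agent) 1.2.3.4->WinEvtLog" is skipped.
HEADER_RE = re.compile(
    r"(?P<timestamp>\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<channel>[^:]+): (?P<level>[A-Z_]+)\((?P<event_id>\d+)\): "
    r"(?P<provider>[^:]+): (?P<user>\([^)]*\)|[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): "
    r"(?P<body>.*)\Z",
    re.S,
)

# Positional schemas. Only events whose values all survive can be relabelled; 8002 has no
# schema because OSSEC dropped the values (Rule ID, Process ID, Logon ID), not just the names.
BODY_SCHEMAS = {
    "4627": re.compile(  # Group Membership: eleven values, then the %{SID} list
        r"(?P<subject_sid>\S+) (?P<subject_account>\S+) (?P<subject_domain>\S+) "
        rf"(?P<subject_logon_id>{HEX}) (?P<target_user_sid>\S+) (?P<target_user>\S+) "
        rf"(?P<target_domain>\S+) (?P<target_logon_id>{HEX}) (?P<logon_type>\d+) "
        r"(?P<event_idx>\d+) (?P<event_count>\d+)\s*(?P<group_membership>.*)\Z",
        re.S,
    ),
    "4703": re.compile(  # A user right was adjusted: Process Name may contain spaces, so it is
        r"(?P<subject_sid>\S+) (?P<subject_account>\S+) (?P<subject_domain>\S+) "  # matched
        rf"(?P<subject_logon_id>{HEX}) (?P<target_sid>\S+) (?P<target_account>\S+) "  # lazily up
        rf"(?P<target_domain>\S+) (?P<target_logon_id>{HEX}) (?P<process_name>.+?) "  # to the
        rf"(?P<process_id>{HEX}) (?P<enabled_privilege>\S+) (?P<disabled_privilege>\S+)\Z"  # hex PID
    ),
}
GROUP_SID_RE = re.compile(r"%\{([^}]+)\}")

FIELD_LABELS = {
    "subject_sid": "Subject Security ID", "subject_account": "Subject Account Name",
    "subject_domain": "Subject Account Domain", "subject_logon_id": "Subject Logon ID",
    "target_user_sid": "Target User SID", "target_user": "Target User Name",
    "target_sid": "Target Security ID", "target_account": "Target Account Name",
    "target_domain": "Target Domain Name", "target_logon_id": "Target Logon ID",
    "logon_type": "Logon Type", "event_idx": "Event IDX", "event_count": "Event Count",
    "process_name": "Process Name", "process_id": "Process ID",
    "enabled_privilege": "Enabled Security Privilege",
    "disabled_privilege": "Disabled Security Privilege",
}


def parse_winevtlog(line):
    """Return header fields plus, when a schema exists and matches, the named body fields."""
    m = HEADER_RE.search(line)
    if m is None:
        raise ValueError("not an OSSEC WinEvtLog line")
    rec = {k: v for k, v in m.groupdict().items() if k != "body"}
    body = m.group("body").strip()
    schema = BODY_SCHEMAS.get(rec["event_id"])
    bm = schema.match(body) if schema else None
    if bm is None:  # unknown event id, or the values are not in the expected shape
        rec["message"], rec["relabelled"] = body, False
        return rec
    rec.update(bm.groupdict())
    if "group_membership" in rec:  # "%{S-1-1-0} %{S-1-5-11}" -> ["S-1-1-0", "S-1-5-11"]
        rec["group_membership"] = GROUP_SID_RE.findall(rec["group_membership"])
    rec["relabelled"] = True
    return rec


def render(rec):
    """Re-emit the record the way Event Viewer shows it: one 'Name: value' per line."""
    out = [f"{rec['channel']} {rec['level']}({rec['event_id']}) {rec['timestamp']} host={rec['host']}"]
    if not rec["relabelled"]:
        out.append(f"Message (no schema, values as collected): {rec['message']}")
        return "\n".join(out)
    out.extend(f"{label}: {rec[key]}" for key, label in FIELD_LABELS.items() if key in rec)
    if "group_membership" in rec:
        out.append("Group Membership:")
        out.extend(f"\t\t{sid}" for sid in rec["group_membership"])
    return "\n".join(out)


# Constructed samples based on the post's lines (placeholders kept, SID list shortened).
SAMPLE_4627 = (
    "2017 Feb 21 13:33:23 WinEvtLog: Security: AUDIT_SUCCESS(4627): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: Hostname: S-1-5-18 HOSTNAME$ DOMAIN 0x3e7 "
    "S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX Username HOSTNAME 0x22d8dd8 7 1 1 \n\r "
    "\t\t%{S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXX} \t\t%{S-1-1-0} \t\t%{S-1-5-32-545} "
    "\t\t%{S-1-5-11} \t\t%{S-1-16-8448} "
)
SAMPLE_4703 = (
    "2017 Feb 21 17:31:27 (W10EntDsktp) 192.168.16.1->WinEvtLog 2017 Feb 21 19:31:13 WinEvtLog: Security: "
    "AUDIT_SUCCESS(4703): Microsoft-Windows-Security-Auditing: (no user): no domain: Hostname: "
    "S-1-5-18 DESKTOP$ COMPUCENTER 0x3e7 S-1-5-18 DESKTOP$ COMPUCENTER 0x3e7 "
    "C:\\Program Files (x86)\\OSSEC-Agent\\ossec-agent.exe 0x11dc SeSecurityPrivilege -"
)
SAMPLE_8002 = (
    "2017 Feb 21 17:24:04 (AgentName) 192.168.X.Y->WinEvtLog 2017 Feb 21 19:23:45 WinEvtLog: "
    "Microsoft-Windows-AppLocker/EXE and DLL: INFORMATION(8002): Microsoft-Windows-AppLocker: "
    "Username: HOSTNAME: Hostname: %SYSTEM32%\\DLLHOST.EXE was allowed to run."
)

if __name__ == "__main__":
    for sample in (SAMPLE_4627, SAMPLE_4703, SAMPLE_8002):
        print(render(parse_winevtlog(sample)), end="\n\n")
```

The positional approach is only as good as the schema: a value with embedded spaces (Process Name) needs a pattern that knows what follows it, and a change in the Windows message template would silently shift every field, so a body that fails its pattern is kept as raw text and flagged rather than mislabelled. That is a stop-gap for existing archives; the fix the post asks for is to have the field names collected in the first place.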