hhh

Author: v-amolpatil

Parsers/ASimRegistryEvent/Parsers/ASimRegistryEventMicrosoftSecurityEvent.yaml

@@ -1,7 +1,7 @@
 Parser:
     Title: Registry Event ASIM parser for Microsoft Windows Events (registry creation event)
     Version: "0.3.1"
-    LastUpdated: Jun 19, 2024
+    LastUpdated: Jun 20, 2024
 Product:
     Name: Security Events
 Normalization:

Parsers/ASimRegistryEvent/Parsers/vimRegistryEventMicrosoftSecurityEvent.yaml

@@ -1,7 +1,7 @@
 Parser:
     Title: Registry Event ASIM filtering parser for Microsoft Windows Events and Security Events (registry creation event)
     Version: "0.3.1"
-    LastUpdated: Jun 19, 2024
+    LastUpdated: Jun 20, 2024
 Product:
     Name: Security Events
 Normalization:

Sample Data/ASIM/Microsoft_Security Events_RegistryEvent_IngestedLogs.csv

@@ -1,8 +1,8 @@
 TenantId,TimeGenerated,SourceSystem,Account,AccountType,Computer,EventSourceName,Channel,Task,Level,EventData,EventID,Activity,PartitionKey,RowKey,StorageAccount,AzureDeploymentID,AzureTableName,AccessList,AccessMask,AccessReason,AccountDomain,AccountExpires,AccountName,AccountSessionIdentifier,AdditionalInfo,AdditionalInfo2,AllowedToDelegateTo,Attributes,AuditPolicyChanges,AuditsDiscarded,AuthenticationLevel,AuthenticationPackageName,AuthenticationProvider,AuthenticationServer,AuthenticationService,AuthenticationType,CACertificateHash,CalledStationID,CallerProcessId,CallerProcessName,CallingStationID,CAPublicKeyHash,CategoryId,CertificateDatabaseHash,ClassId,ClassName,ClientAddress,ClientIPAddress,ClientName,CommandLine,CompatibleIds,DCDNSName,DeviceDescription,DeviceId,DisplayName,Disposition,DomainBehaviorVersion,DomainName,DomainPolicyChanged,DomainSid,EAPType,ElevatedToken,ErrorCode,ExtendedQuarantineState,FailureReason,FileHash,FilePath,FilePathNoUser,Filter,ForceLogoff,Fqbn,FullyQualifiedSubjectMachineName,FullyQualifiedSubjectUserName,GroupMembership,HandleId,HardwareIds,HomeDirectory,HomePath,ImpersonationLevel,InterfaceUuid,IpAddress,IpPort,KeyLength,LmPackageName,LocationInformation,LockoutDuration,LockoutObservationWindow,LockoutThreshold,LoggingResult,LogonGuid,LogonHours,LogonID,LogonProcessName,LogonType,LogonTypeName,MachineAccountQuota,MachineInventory,MachineLogon,MandatoryLabel,MaxPasswordAge,MemberName,MemberSid,MinPasswordAge,MinPasswordLength,MixedDomainMode,NASIdentifier,NASIPv4Address,NASIPv6Address,NASPort,NASPortType,NetworkPolicyName,NewDate,NewMaxUsers,NewProcessId,NewProcessName,NewRemark,NewShareFlags,NewTime,NewUacValue,NewValue,NewValueType,ObjectName,ObjectServer,ObjectType,ObjectValueName,OemInformation,OldMaxUsers,OldRemark,OldShareFlags,OldUacValue,OldValue,OldValueType,OperationType,PackageName,ParentProcessName,PasswordHistoryLength,PasswordLastSet,PasswordProperties,PreviousDate,PreviousTime,PrimaryGroupId,PrivateKeyUsageCount,PrivilegeList,Process,ProcessId,ProcessName,Properties,ProfilePath,ProtocolSequence,ProxyPolicyName,QuarantineHelpURL,QuarantineSessionID,QuarantineSessionIdentifier,QuarantineState,QuarantineSystemHealthResult,RelativeTargetName,RemoteIpAddress,RemotePort,Requester,RequestId,RestrictedAdminMode,RowsDeleted,SamAccountName,ScriptPath,SecurityDescriptor,ServiceAccount,ServiceFileName,ServiceName,ServiceStartType,ServiceType,SessionName,ShareLocalPath,ShareName,SidHistory,Status,SubjectAccount,SubcategoryGuid,SubcategoryId,Subject,SubjectDomainName,SubjectKeyIdentifier,SubjectLogonId,SubjectMachineName,SubjectMachineSID,SubjectUserName,SubjectUserSid,SubStatus,TableId,TargetAccount,TargetDomainName,TargetInfo,TargetLinkedLogonId,TargetLogonGuid,TargetLogonId,TargetOutboundDomainName,TargetOutboundUserName,TargetServerName,TargetSid,TargetUser,TargetUserName,TargetUserSid,TemplateContent,TemplateDSObjectFQDN,TemplateInternalName,TemplateOID,TemplateSchemaVersion,TemplateVersion,TokenElevationType,TransmittedServices,UserAccountControl,UserParameters,UserPrincipalName,UserWorkstations,VirtualAccount,VendorIds,Workstation,WorkstationName,EventLevelName,SourceComputerId,EventOriginId,MG,TimeCollected,ManagementGroupName,SystemUserId,Version,Opcode,Keywords,Correlation,SystemProcessId,SystemThreadId,EventRecordId,Type,_ResourceId,ParentProcessId
-12345aea-6210-464b-a6dd-49f0fd95cef1,6/24/2025 4:45,OpsManager,test\abc100$,Machine,abc200.test.net,Microsoft-Windows-Security-Auditing,Security,12801,0,"<EventData xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+12345aea-6210-464b-a6dd-49f0fd95cef1,6/24/2025 4:45,OpsManager,test\abc005$,Machine,abc005$.test.net,Microsoft-Windows-Security-Auditing,Security,12801,0,"<EventData xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
   <Data Name=""SubjectUserSid"">S-1-5-18</Data>
-  <Data Name=""SubjectUserName"">test005$</Data>
-  <Data Name=""SubjectDomainName"">testdom</Data>
+  <Data Name=""SubjectUserName"">abc005$</Data>
+  <Data Name=""SubjectDomainName"">test</Data>
   <Data Name=""SubjectLogonId"">0x3e7</Data>
   <Data Name=""ObjectServer"">Security</Data>
   <Data Name=""ObjectType"">Key</Data>
@@ -13,11 +13,11 @@ TenantId,TimeGenerated,SourceSystem,Account,AccountType,Computer,EventSourceName
   <Data Name=""ProcessId"">0xef8</Data>
   <Data Name=""ProcessName"">C:\Program Files\Windows Defender Advanced Threat Protection\test.exe</Data>
   <Data Name=""ResourceAttributes"">-</Data>
-</EventData>",4657,4657 - An attempt was made to access an object,,,,,,%%1537 ,0x10000,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0x830,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,REG_NONE,%%1872,HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\test\HeartBeats\EndpointErrors\0,Security,Key,REG_NONE,,,,,,REG_DWORD,%%1876,%%1906,,,,,,,,,,,MsTest.exe,0xef8,C:\Program Files\Windows Defender Advanced Threat Protection\MsTest.exe,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,test\abc005$,,,,test,,0x3e7,,,abc005$,S-1-5-18,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,LogAlways,ab4cf18f-60a7-4a88-8631-1cd2cb123456,ab4cf18f-60a7-4a88-8631-1cd2cb123456,00000000-0000-0000-0000-000000000001,6/24/2025 4:45,AOI-12345aea-6210-464b-a6dd-49f0fd95cef1,N/A,1,0,0x8020000000000000,,4,6952,693044958,SecurityEvent,/subscriptions/1abcd518-a6b8-4766-b099-d5c77b664f1d/resourcegroups/iam-test/providers/microsoft.compute/virtualmachines/abc005,cc
-12345aea-6210-464b-a6dd-49f0fd95cef1,6/24/2025 4:48,OpsManager,test\abc101$,Machine,abc201.test.net,Microsoft-Windows-Security-Auditing,Security,12801,0,"<EventData xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+</EventData>",4657,4657 - An attempt was made to access an object.,,,,,,%%1537 ,0x10000,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0x830,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,REG_NONE,%%1872,HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\test\HeartBeats\EndpointErrors\0,Security,Key,REG_NONE,,,,,,REG_DWORD,%%1876,%%1906,,,,,,,,,,,MsTest.exe,0xef8,C:\Program Files\Windows Defender Advanced Threat Protection\MsTest.exe,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,test\abc005$,,,,test,,0x3e7,,,abc005$,S-1-5-18,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,LogAlways,ab4cf18f-60a7-4a88-8631-1cd2cb123456,ab4cf18f-60a7-4a88-8631-1cd2cb123456,00000000-0000-0000-0000-000000000001,6/24/2025 4:45,AOI-12345aea-6210-464b-a6dd-49f0fd95cef1,N/A,1,0,0x8020000000000000,,4,6952,693044958,SecurityEvent,/subscriptions/1abcd518-a6b8-4766-b099-d5c77b664f1d/resourcegroups/iam-test/providers/microsoft.compute/virtualmachines/abc005,cc
+12345aea-6210-464b-a6dd-49f0fd95cef1,6/24/2025 4:48,OpsManager,test\abc005$,Machine,abc005$.test.net,Microsoft-Windows-Security-Auditing,Security,12801,0,"<EventData xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
   <Data Name=""SubjectUserSid"">S-1-5-18</Data>
-  <Data Name=""SubjectUserName"">test005$</Data>
-  <Data Name=""SubjectDomainName"">testdom</Data>
+   <Data Name=""SubjectUserName"">abc005$</Data>
+  <Data Name=""SubjectDomainName"">test</Data>
   <Data Name=""SubjectLogonId"">0x3e7</Data>
   <Data Name=""ObjectServer"">Security</Data>
   <Data Name=""ObjectType"">Key</Data>
@@ -29,11 +29,10 @@ TenantId,TimeGenerated,SourceSystem,Account,AccountType,Computer,EventSourceName
   <Data Name=""ProcessName"">C:\Program Files\Windows Defender Advanced Threat Protection\test.exe</Data>
   <Data Name=""ResourceAttributes"">-</Data>
 </EventData>",4657,4657 - An attempt was made to access an object,,,,,,%%1537 ,0x20000,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0x830,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,REG_SZ,%%1873,HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\test\HeartBeats\EndpointErrors\0,Security,Key,REG_SZ,,,,,,REG_MULTI_SZ,%%1879,%%1906,,,,,,,,,,,MsTest.exe,0xef8,C:\Program Files\Windows Defender Advanced Threat Protection\MsTest.exe,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,test\abc006$,,,,test,,0x3e7,,,abc006$,S-1-5-18,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,LogAlways,ab4cf18f-60a7-4a88-8631-1cd2cb123457,ab4cf18f-60a7-4a88-8631-1cd2cb123457,00000000-0000-0000-0000-000000000001,6/24/2025 4:48,AOI-12345aea-6210-464b-a6dd-49f0fd95cef2,N/A,1,0,0x8020000000000000,,4,6952,693044972,SecurityEvent,/subscriptions/1abcd518-a6b8-4766-b099-d5c77b664f1d/resourcegroups/iam-test/providers/microsoft.compute/virtualmachines/abc006,cc
-12345aea-6210-464b-a6dd-49f0fd95cef1,6/24/2025 4:48,OpsManager,test\abc102$,Machine,abc202.test.net,Microsoft-Windows-Security-Auditing,Security,12801,0,"<EventData xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+12345aea-6210-464b-a6dd-49f0fd95cef1,6/24/2025 4:48,OpsManager,test\abc005$,Machine,abc005$.test.net,Microsoft-Windows-Security-Auditing,Security,12801,0,"<EventData xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
   <Data Name=""SubjectUserSid"">S-1-5-18</Data>
-  <Data Name=""SubjectUserName"">test005$</Data>
-  <Data Name=""SubjectDomainName"">testdom</Data>
-  <Data Name=""SubjectLogonId"">0x3e7</Data>
+  <Data Name=""SubjectUserName"">abc005$</Data>
+  <Data Name=""SubjectDomainName"">test</Data>  <Data Name=""SubjectLogonId"">0x3e7</Data>
   <Data Name=""ObjectServer"">Security</Data>
   <Data Name=""ObjectType"">Key</Data>
   <Data Name=""ObjectName"">\REGISTRY\MACHINE\SOFTWARE\test\test1\HeartBeats\EndpointErrors\0</Data>
@@ -44,10 +43,10 @@ TenantId,TimeGenerated,SourceSystem,Account,AccountType,Computer,EventSourceName
   <Data Name=""ProcessName"">C:\Program Files\Windows Defender Advanced Threat Protection\test.exe</Data>
   <Data Name=""ResourceAttributes"">-</Data>
 </EventData>",4657,4657 - An attempt was made to access an object,,,,,,%%1537 ,0x20006,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0x1104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,REG_NONE,%%1872,HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\test\HeartBeats\EndpointErrors\0,Security,Key,REG_NONE,,,,,,REG_DWORD,%%1876,%%1905,,,,,,,,,,,MsTest.exe,0xef8,C:\Program Files\Windows Defender Advanced Threat Protection\MsTest.exe,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,test\abc007$,,,,test,,0x3e7,,,abc007$,S-1-5-18,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,LogAlways,ab4cf18f-60a7-4a88-8631-1cd2cb123474,ab4cf18f-60a7-4a88-8631-1cd2cb123474,00000000-0000-0000-0000-000000000001,6/24/2025 4:48,AOI-12345aea-6210-464b-a6dd-49f0fd95cef19,N/A,1,0,0x8020000000000000,,4,6952,693062466,SecurityEvent,/subscriptions/1abcd518-a6b8-4766-b099-d5c77b664f1d/resourcegroups/iam-test/providers/microsoft.compute/virtualmachines/abc023,cc
-12345aea-6210-464b-a6dd-49f0fd95cef1,6/24/2025 4:48,OpsManager,test\abc103$,Machine,abc203.test.net,Microsoft-Windows-Security-Auditing,Security,12801,0,"<EventData xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+12345aea-6210-464b-a6dd-49f0fd95cef1,6/24/2025 4:48,OpsManager,test\abc005$,Machine,abc005$.test.net,Microsoft-Windows-Security-Auditing,Security,12801,0,"<EventData xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
   <Data Name=""SubjectUserSid"">S-1-5-18</Data>
-  <Data Name=""SubjectUserName"">test005$</Data>
-  <Data Name=""SubjectDomainName"">testdom</Data>
+   <Data Name=""SubjectUserName"">abc005$</Data>
+  <Data Name=""SubjectDomainName"">test</Data>
   <Data Name=""SubjectLogonId"">0x3e7</Data>
   <Data Name=""ObjectServer"">Security</Data>
   <Data Name=""ObjectType"">Key</Data>
@@ -61,7 +60,7 @@ TenantId,TimeGenerated,SourceSystem,Account,AccountType,Computer,EventSourceName
 </EventData>",4657,4657 - An attempt was made to access an object,,,,,,%%1537 ,0x40000,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0x1104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,REG_SZ,%%1873,HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\test\HeartBeats\EndpointErrors\0,Security,Key,REG_SZ,,,,,,REG_MULTI_SZ,%%1879,%%1905,,,,,,,,,,,MsTest1.exe,0xef8,C:\Program Files\Windows Defender Advanced Threat Protection\MsTest.exe,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,test\abc008$,,,,test,,0x3e7,,,abc008$,S-1-5-18,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,LogAlways,ab4cf18f-60a7-4a88-8631-1cd2cb123475,ab4cf18f-60a7-4a88-8631-1cd2cb123475,00000000-0000-0000-0000-000000000001,6/24/2025 4:48,AOI-12345aea-6210-464b-a6dd-49f0fd95cef20,N/A,1,0,0x8020000000000000,,4,6952,693062480,SecurityEvent,/subscriptions/1abcd518-a6b8-4766-b099-d5c77b664f1d/resourcegroups/iam-test/providers/microsoft.compute/virtualmachines/abc024,cc
 12345aea-6210-464b-a6dd-49f0fd95cef1,6/24/2025 4:45,OpsManager,test\abc005$,Machine,abc005$.test.net,Microsoft-Windows-Security-Auditing,Security,12801,0,"<EventData xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
   <Data Name=""SubjectUserSid"">S-1-5-18</Data>
-    <Data Name=""SubjectUserName"">test\abc005$</Data>
+    <Data Name=""SubjectUserName"">abc005$</Data>
   <Data Name=""SubjectDomainName"">test</Data>
   <Data Name=""SubjectLogonId"">0x3e7</Data>
   <Data Name=""ObjectServer"">Security</Data>