Skip to content

Commit 8295f61

Browse files
nterl0knterl0k
authored
Add files via upload
1 parent 9b794ad commit 8295f61

File tree

2 files changed

+32
-0
lines changed

2 files changed

+32
-0
lines changed

data_sources/windows_event_log_security_4700.yml

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,16 @@
1+
name: Windows Event Log Security 4700
2+
id: 22184889-0f07-46b9-b25f-8a55a9ad63
3+
version: 1
4+
date: '2025-03-11'
5+
author: Steven Dick
6+
description: Data source object for Windows Event Log Security 4700
7+
source: XmlWinEventLog:Security
8+
sourcetype: xmlwineventlog
9+
separator: EventID
10+
supported_TA:
11+
- name: Splunk Add-on for Microsoft Windows
12+
url: https://splunkbase.splunk.com/app/742
13+
version: 9.0.1
14+
fields:
15+
- EventID
16+
example_log: '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> <EventID>4700</EventID> <Version>0</Version> <Level>0</Level> <Task>12804</Task> <Opcode>0</Opcode> <Keywords>0x8020000000000000</Keywords> <TimeCreated SystemTime="2015-09-23T02:32:47.606423000Z" /> <EventRecordID>344861</EventRecordID> <Correlation /> <Execution ProcessID="516" ThreadID="756" /> <Channel>Security</Channel> <Computer>DC01.contoso.local</Computer> <Security /> </System><EventData> <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> <Data Name="SubjectUserName">dadmin</Data> <Data Name="SubjectDomainName">CONTOSO</Data> <Data Name="SubjectLogonId">0x364eb</Data> <Data Name="TaskName">\\Microsoft\\StartListener</Data> <Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-09-22T19:03:06.9258653</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals> <Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\\dadmin</UserId> <LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>C:\\Documents\\listener.exe</Command> </Exec> </Actions> </Task></Data> </EventData> </Event>'

data_sources/windows_event_log_security_4702.yml

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,16 @@
1+
name: Windows Event Log Security 4702
2+
id: 167e378e-3675-4042-b611-d3bfb6d2abc7
3+
version: 1
4+
date: '2025-03-11'
5+
author: Steven Dick
6+
description: Data source object for Windows Event Log Security 4702
7+
source: XmlWinEventLog:Security
8+
sourcetype: xmlwineventlog
9+
separator: EventID
10+
supported_TA:
11+
- name: Splunk Add-on for Microsoft Windows
12+
url: https://splunkbase.splunk.com/app/742
13+
version: 9.0.1
14+
fields:
15+
- EventID
16+
example_log: '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> <EventID>4702</EventID> <Version>0</Version> <Level>0</Level> <Task>12804</Task> <Opcode>0</Opcode> <Keywords>0x8020000000000000</Keywords> <TimeCreated SystemTime="2015-09-23T03:00:59.343820000Z" /> <EventRecordID>344863</EventRecordID> <Correlation /> <Execution ProcessID="516" ThreadID="596" /> <Channel>Security</Channel> <Computer>DC01.contoso.local</Computer> <Security /> </System><EventData> <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> <Data Name="SubjectUserName">dadmin</Data> <Data Name="SubjectDomainName">CONTOSO</Data> <Data Name="SubjectLogonId">0x364eb</Data> <Data Name="TaskName">\\Microsoft\\StartListener</Data> <Data Name="TaskContentNew"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-09-22T19:03:06.9258653</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals> <Principal id="Author"> <RunLevel>HighestAvailable</RunLevel> <UserId>CONTOSO\\dadmin</UserId> <LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>C:\\Documents\\listener.exe</Command> </Exec> </Actions> </Task></Data> </EventData> </Event>'

0 commit comments

Comments
 (0)