Data Source: Windows Event Log Security 5136

Date: 2024-07-18

ID: 7ba3737e-231e-455d-824e-cd077749f835

Author: Patrick Bareiss, Splunk

Description

Data source object for Windows Event Log Security 5136

Details

Property	Value
Source	`XmlWinEventLog:Security`
Sourcetype	`xmlwineventlog`
Separator	EventCode

Supported Apps

Splunk Add-on for Microsoft Windows (version 8.9.0)

Event Fields

+ Fields

  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">ActivityID</span>
  
  <span class="pill kill-chain">AppCorrelationID</span>
  
  <span class="pill kill-chain">AttributeLDAPDisplayName</span>
  
  <span class="pill kill-chain">AttributeSyntaxOID</span>
  
  <span class="pill kill-chain">AttributeValue</span>
  
  <span class="pill kill-chain">Caller_Domain</span>
  
  <span class="pill kill-chain">Caller_User_Name</span>
  
  <span class="pill kill-chain">Channel</span>
  
  <span class="pill kill-chain">Computer</span>
  
  <span class="pill kill-chain">DSName</span>
  
  <span class="pill kill-chain">DSType</span>
  
  <span class="pill kill-chain">Error_Code</span>
  
  <span class="pill kill-chain">EventCode</span>
  
  <span class="pill kill-chain">EventData_Xml</span>
  
  <span class="pill kill-chain">EventID</span>
  
  <span class="pill kill-chain">EventRecordID</span>
  
  <span class="pill kill-chain">Guid</span>
  
  <span class="pill kill-chain">Keywords</span>
  
  <span class="pill kill-chain">Level</span>
  
  <span class="pill kill-chain">Logon_ID</span>
  
  <span class="pill kill-chain">Name</span>
  
  <span class="pill kill-chain">ObjectClass</span>
  
  <span class="pill kill-chain">ObjectDN</span>
  
  <span class="pill kill-chain">ObjectGUID</span>
  
  <span class="pill kill-chain">OpCorrelationID</span>
  
  <span class="pill kill-chain">Opcode</span>
  
  <span class="pill kill-chain">OperationType</span>
  
  <span class="pill kill-chain">ProcessID</span>
  
  <span class="pill kill-chain">RecordNumber</span>
  
  <span class="pill kill-chain">SubjectDomainName</span>
  
  <span class="pill kill-chain">SubjectLogonId</span>
  
  <span class="pill kill-chain">SubjectUserName</span>
  
  <span class="pill kill-chain">SubjectUserSid</span>
  
  <span class="pill kill-chain">SystemTime</span>
  
  <span class="pill kill-chain">System_Props_Xml</span>
  
  <span class="pill kill-chain">Task</span>
  
  <span class="pill kill-chain">ThreadID</span>
  
  <span class="pill kill-chain">Version</span>
  
  <span class="pill kill-chain">action</span>
  
  <span class="pill kill-chain">app</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">dest</span>
  
  <span class="pill kill-chain">dvc</span>
  
  <span class="pill kill-chain">dvc_nt_host</span>
  
  <span class="pill kill-chain">event_id</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">id</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">name</span>
  
  <span class="pill kill-chain">product</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">session_id</span>
  
  <span class="pill kill-chain">signature</span>
  
  <span class="pill kill-chain">signature_id</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">src_nt_domain</span>
  
  <span class="pill kill-chain">src_user</span>
  
  <span class="pill kill-chain">status</span>
  
  <span class="pill kill-chain">subject</span>
  
  <span class="pill kill-chain">ta_windows_action</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">tag::action</span>
  
  <span class="pill kill-chain">tag::eventtype</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
  <span class="pill kill-chain">vendor</span>
  
  <span class="pill kill-chain">vendor_product</span>
  
</div>

Example Log

1<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>5136</EventID><Version>0</Version><Level>0</Level><Task>14081</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2022-11-17T20:51:01.321860300Z'/><EventRecordID>1997365</EventRecordID><Correlation ActivityID='{F8EE8E31-F924-0000-3E8E-EEF824F9D801}'/><Execution ProcessID='652' ThreadID='5112'/><Channel>Security</Channel><Computer>win-dc-mvelazco-02713-392.attackrange.local</Computer><Security/></System><EventData><Data Name='OpCorrelationID'>{73C96723-504B-4F15-830A-F4DDB1C48F2E}</Data><Data Name='AppCorrelationID'>-</Data><Data Name='SubjectUserSid'>ATTACKRANGE\Administrator</Data><Data Name='SubjectUserName'>Administrator</Data><Data Name='SubjectDomainName'>ATTACKRANGE</Data><Data Name='SubjectLogonId'>0x95675</Data><Data Name='DSName'>attackrange.local</Data><Data Name='DSType'>%%14676</Data><Data Name='ObjectDN'>CN=DANNIE_CERVANTES,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local</Data><Data Name='ObjectGUID'>{15AFB68A-679C-4F5B-AC18-4D988B3B3E44}</Data><Data Name='ObjectClass'>user</Data><Data Name='AttributeLDAPDisplayName'>servicePrincipalName</Data><Data Name='AttributeSyntaxOID'>2.5.5.12</Data><Data Name='AttributeValue'>adm/srv1.attackrange.local</Data><Data Name='OperationType'>%%14674</Data></EventData></Event>

Source: GitHub | Version: 1