Data Source: Windows Event Log Security 4887

Date: 2025-01-23

ID: 994c7b19-a623-4231-9818-f00e453b9a75

Author: Patrick Bareiss, Splunk

Description

Logs cryptographic operations performed by a Windows system, including details about the certificate or key used and the operation type.

Details

Property	Value
Source	`XmlWinEventLog:Security`
Sourcetype	`xmlwineventlog`
Separator	EventCode

Supported Apps

Splunk Add-on for Microsoft Windows (version 9.0.1)

Event Fields

+ Fields


            1
            _time
          
            3
            ActivityID
          
            5
            Attributes
          
            7
            Channel
          
            9
            Computer
          
            11
            Disposition
          
            13
            Error_Code
          
            15
            EventCode
          
            17
            EventData_Xml
          
            19
            EventID
          
            21
            EventRecordID
          
            23
            Guid
          
            25
            Keywords
          
            27
            Level
          
            29
            Name
          
            31
            Opcode
          
            33
            ProcessID
          
            35
            RecordNumber
          
            37
            RequestId
          
            39
            Requester
          
            41
            Subject
          
            43
            SubjectKeyIdentifier
          
            45
            SystemTime
          
            47
            System_Props_Xml
          
            49
            Task
          
            51
            ThreadID
          
            53
            Version
          
            55
            action
          
            57
            app
          
            59
            date_hour
          
            61
            date_mday
          
            63
            date_minute
          
            65
            date_month
          
            67
            date_second
          
            69
            date_wday
          
            71
            date_year
          
            73
            date_zone
          
            75
            dest
          
            77
            dvc
          
            79
            dvc_nt_host
          
            81
            event_id
          
            83
            eventtype
          
            85
            host
          
            87
            id
          
            89
            index
          
            91
            linecount
          
            93
            name
          
            95
            product
          
            97
            punct
          
            99
            signature
          
            101
            signature_id
          
            103
            source
          
            105
            sourcetype
          
            107
            splunk_server
          
            109
            status
          
            111
            subject
          
            113
            ta_windows_action
          
            115
            tag
          
            117
            tag::action
          
            119
            tag::eventtype
          
            121
            timeendpos
          
            123
            timestartpos
          
            125
            vendor
          
            127
            vendor_product
          
            129

...

not set

Example Log

1<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4887</EventID><Version>0</Version><Level>0</Level><Task>12805</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-06-09T14:54:02.171703300Z'/><EventRecordID>1830974609</EventRecordID><Correlation ActivityID='{28AAD79F-81AB-0001-BED7-AA28AB81D901}'/><Execution ProcessID='668' ThreadID='3160'/><Channel>Security</Channel><Computer>cert_authority.attack_range.local</Computer><Security/></System><EventData><Data Name='RequestId'>7</Data><Data Name='Requester'>attack_range\attack_user</Data><Data Name='Attributes'>CertificateTemplate:VulnerableTemplate_ESC1

zed

Source: GitHub | Version: 2