RedbourneMichael-3296 asked ·

XML Data Elements in Modern Windows

Afternoon folks,

I'm looking for a full event schema and template for XML data. In short what I'm trying to do is build a system where I can import logs to a SIEM that are from minutes to months old from a compromised server or endpoint. Our normal system will not import old logs. After some digging around I settled on exporting EVTs as XML data. From there I can grep (or Regex) on the fields I need. I've already created most of the regex from the simple fields. However I'm running into some issues grabbing the fields from the <Data> [info here] </Data> tags. The problem with the Data tags is that the information inside of it changes based on the template being used, which I suspect is based directly on the EventID. I need all possible fields that can be implemented into the <Data></Data> tags. I did some snooping through Windows' documentation online for the Event Schema types. Overview. Schema Elements. Complex Types.

Under the Schema Elements, I'm looking for all fields inside the EventData element. Here's an example, where I've italicized the field names I'm looking for (though I need all of them).

 <EventData> 
     <Data Name='*SubjectUserSid*'>SID</Data>
     <Data Name='*SubjectUserName*'>USERNAME</Data> 
     <Data Name='*SubjectDomainName*'>DOMAIN</Data> 
     <Data Name='*SubjectLogonId*'>LOGINID</Data> 
     <Data Name='*PrivilegeList*'>SeSecurityPrivilege 
                 SeBackupPrivilege 
                 SeRestorePrivilege 
                 SeTakeOwnershipPrivilege 
                 SeDebugPrivilege 
                 SeSystemEnvironmentPrivilege 
                 SeLoadDriverPrivilege 
                 SeImpersonatePrivilege 
                 SeEnableDelegationPrivilege</Data> 
 </EventData>

I haven't been able to find anything where all of those fields exist, under any documentation. I tried pulling up the Event Schema (2004/08) on Microsoft's schema webpage listed in the XML data, but that document was moved. Any guidance is appreciated.

*Note: actual data in the above snippet of event data has been removed to protect company information as the log was from a domain controller. The field names remain untouched.

Cheers, Mike

windows-server

It is not clear to me what you are asking. Since you say Regex I get the impression you are writing a program or script but you do not say what language you are using. You probably want to use an appropriate library to read the XML as XML instead of trying to use grep (or Regex); those tools are likely to be more, not less, work for what you need to do.

1 Vote 1 ·

If you want to consult a question about development, kindly add a development tag in your post; the experts working on this tag will help you.

1 Vote 1 ·

Added dev and Event Viewer tags - didn't realize I could make tags myself.

0 Votes 0 ·

1 Answer

RedbourneMichael-3296 answered ·

@SimpleSamples - Sorry, it's not letting me reply directly to you, even after dropping the character count below 1000.

This is being written for a UDSM/Log Source Xtension in QRadar - there is no way to implement a library. However, the base language to pull the data in is Perl. The regex flavour used in QRadar is Java. The Perl side of this is done, just for the record. The data can already be imported in; it's just a matter of taking the data imported in and doing something useful with it.

In a given event, they have certain guaranteed fields. For example, every Security log will have a channel, event ID, etc. However, each "Event ID" will have a different set of more unique fields under the <Data> tags. Those fields are unique to the event id.

Example:
Event ID 4624:
<EventData>
<Data Name='SubjectUserSid'>SID</Data>
<Data Name='SubjectUserName'>USERNAME</Data>
<Data Name='SubjectDomainName'>DOMAIN</Data>
...
</EventData>

EventID 4728:
<EventData>
<Previous tags from logon Event>
<Data Name='TargetUserInformation'>TUINFO</Data>
<Data Name='GroupName'>GROUPNAME</Data>
<Data Name='....'></Data>
</EventData>

Note the additional new fields of the Target information (U/N, SID, Domain), group name. These are the varying fields I'm hoping are documented somewhere.

Cheers


Debugging Windows logs is beyond the scope of forum support, so if further assistance is needed you could open a request ticket with Microsoft support.
https://support.serviceshub.microsoft.com/supportforbusiness

0 Votes 0 ·
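
The per-event-ID variation in `<Data Name='...'>` fields discussed in this thread can be inventoried from the exported XML itself before any SIEM regexes are written. The following is an added example, not code from any poster or from Microsoft; the sample export, its placeholder values and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace declared on every <Event> element in exported Windows event XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample export (placeholder values, not real log data).
SAMPLE = """<Events>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
 <System><EventID>4672</EventID></System>
 <EventData>
  <Data Name='SubjectUserName'>USERNAME</Data>
  <Data Name='PrivilegeList'>SeSecurityPrivilege
            SeBackupPrivilege</Data>
 </EventData>
</Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
 <System><EventID>4624</EventID></System>
 <EventData>
  <Data Name='SubjectUserName'>USERNAME</Data>
  <Data Name='TargetUserName'>TARGET</Data>
  <Data Name='LogonType'>3</Data>
 </EventData>
</Event>
</Events>"""

def parse_events(xml_text):
    """Return one record per event: its EventID and a dict of Data fields."""
    events = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        data = {}
        for i, d in enumerate(ev.iterfind("e:EventData/e:Data", NS)):
            # Unnamed <Data> gets a positional key; multi-line values
            # (e.g. PrivilegeList) are collapsed to single spaces.
            data[d.get("Name") or f"Data{i}"] = " ".join((d.text or "").split())
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        events.append({"EventID": eid, "Data": data})
    return events

def field_inventory(events):
    """Map each EventID to the sorted Data field names observed for it."""
    inv = defaultdict(set)
    for rec in events:
        inv[rec["EventID"]].update(rec["Data"])
    return {eid: sorted(names) for eid, names in inv.items()}

if __name__ == "__main__":
    for eid, names in sorted(field_inventory(parse_events(SAMPLE)).items()):
        print(eid, ", ".join(names))
```

Exports taken from a compromised host are untrusted input, so a hardened parser such as `defusedxml.ElementTree` can be swapped in for `xml.etree.ElementTree`.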