I'm looking for a full event schema and template for XML data. In short what I'm trying to do is build a system where I can import logs to a SIEM that are from minutes to months old from a compromised server or endpoint. Our normal system will not import old logs. After some digging around I settled on exporting EVTs as XML data. From there I can grep (or Regex) on the fields I need. I've already created most of the regex from the simple fields. However I'm running into some issues grabbing the fields from the <Data> [info here] </Data> tags. The problem with the Data tags is that the information inside of it changes based on the template being used, which I suspect is based directly on the EventID. I need all possible fields that can be implemented into the <Data></Data> tags. I did some snooping through Windows' documentation online for the Event Schema types. Overview. Schema Elements. Complex Types.
Under the Schema Elements, I'm looking for all fields inside the EventData element. Here's an example, where I've italized the field names I'm looking for (though I need all of them).
<EventData> <Data Name='*SubjectUserSid*'>SID</Data> <Data Name='*SubjectUserName*'>USERNAME</Data> <Data Name='*SubjectDomainName*'>DOMAIN</Data> <Data Name='*SubjectLogonId*'>LOGINID</Data> <Data Name='*PrivilegeList*'>SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeEnableDelegationPrivilege</Data> </EventData>
I haven't been able to find anything where all of those fields exist, under any documentation. I tried pulling up the Event Schema (2004/08) on Microsoft's schema webpage listed in the XML data, but that document was moved. Any guidance is appreciated.
*Note: actual data in the above snippet of event data has been removed to protect company information as the log was from a domain controller. The field names remain untouched.