XML Data Elements in Modern Windows

Redbourne,Michael 6 Reputation points
2021-03-18T16:05:55.643+00:00

Afternoon folks,

I'm looking for a full event schema and template for XML data. In short, what I'm trying to do is build a system where I can import logs to a SIEM that are from minutes to months old from a compromised server or endpoint. Our normal system will not import old logs. After some digging around I settled on exporting EVTs as XML data. From there I can grep (or regex) on the fields I need. I've already created most of the regex for the simple fields. However, I'm running into some issues grabbing the fields from the <Data> [info here] </Data> tags. The problem with the Data tags is that the information inside of them changes based on the template being used, which I suspect is based directly on the EventID. I need all possible fields that can be implemented into the <Data></Data> tags. I did some snooping through Windows' documentation online for the Event Schema types: Overview, Schema Elements, Complex Types.

Under the Schema Elements, I'm looking for all fields inside the EventData element. Here's an example, where I've italicized the field names I'm looking for (though I need all of them).

<EventData>   
    <Data Name='*SubjectUserSid*'>SID</Data>  
    <Data Name='*SubjectUserName*'>USERNAME</Data>   
    <Data Name='*SubjectDomainName*'>DOMAIN</Data>   
    <Data Name='*SubjectLogonId*'>LOGINID</Data>   
    <Data Name='*PrivilegeList*'>SeSecurityPrivilege   
                SeBackupPrivilege   
                SeRestorePrivilege   
                SeTakeOwnershipPrivilege   
                SeDebugPrivilege   
                SeSystemEnvironmentPrivilege   
                SeLoadDriverPrivilege   
                SeImpersonatePrivilege   
                SeEnableDelegationPrivilege</Data>   
</EventData>  

I haven't been able to find anything where all of those fields exist, under any documentation. I tried pulling up the Event Schema (2004/08) on Microsoft's schema webpage listed in the XML data, but that document was moved. Any guidance is appreciated.

*Note: actual data in the above snippet of event data has been removed to protect company information as the log was from a domain controller. The field names remain untouched.

Cheers, Mike


1 answer

    Redbourne,Michael 6 Reputation points
    2021-03-19T13:18:24.567+00:00

    @Sam of Simple Samples - Sorry, it's not letting me reply directly to you, even after dropping the character count below 1000.

    This is being written for a UDSM/Log Source Xtension in QRadar - there is no way to implement a library. However, the base language to pull the data in is Perl. The regex flavour used in QRadar is Java. The Perl side of this is done, just for the record. The data can already be imported; it's just a matter of taking the data imported in and doing something useful with it.

    In a given event, there are certain guaranteed fields. For example, every Security log will have a channel, event ID, etc. However, each "Event ID" will have a different set of more unique fields under the <Data> tags. Those fields are unique to the event ID.

    Example:
    Event ID 4624:
    <EventData>
    <Data Name='SubjectUserSid'>SID</Data>
    <Data Name='SubjectUserName'>USERNAME</Data>
    <Data Name='SubjectDomainName'>DOMAIN</Data>
    ...
    </EventData>

    EventID 4728:
    <EventData>
    <Previous tags from logon Event>
    <Data Name='TargetUserInformation'>TUINFO</Data>
    <Data Name='GroupName'>GROUPNAME</Data>
    <Data Name='....'></Data>
    </EventData>

    Note the additional new fields: the Target information (U/N, SID, Domain) and the group name. These are the varying fields I'm hoping are documented somewhere.

    Cheers
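Both the question and the reply above describe the same problem: the System fields of an exported event are stable, while the Data Name attributes under EventData vary by Event ID, and multi-line values such as PrivilegeList trip up line-oriented regex. The following is an added example, not code from the original post or from QRadar; it is written in Python rather than the Perl/Java-regex combination the poster uses so that it runs stand-alone. It assumes the export is a series of <Event> elements in the 2004/08 Windows event namespace, wrapped here in an assumed <Events> root so the sample parses as one document. All event values are constructed placeholders, and the 4624/4728 field names used in the sample are illustrative, not a complete template.

```python
"""Pull <Data Name='...'> fields out of exported Windows event XML and
discover, per Event ID, which field names actually occur in the logs.

Added example (not from the original post). Assumes the export is a list
of <Event> elements; the <Events> wrapper is an assumption added so the
sample is a single well-formed document."""
import re
import xml.etree.ElementTree as ET

# Namespace of the Windows Event schema (2004/08) that exported XML declares.
EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# Constructed sample: placeholder values only, no real log data.
SAMPLE_XML = """<Events>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Auditing'/>
    <EventID>4624</EventID>
    <Channel>Security</Channel>
    <Computer>dc01.example.test</Computer>
  </System>
  <EventData>
    <Data Name='SubjectUserSid'>S-1-5-18</Data>
    <Data Name='SubjectUserName'>DC01$</Data>
    <Data Name='SubjectDomainName'>EXAMPLE</Data>
    <Data Name='PrivilegeList'>SeSecurityPrivilege
                SeBackupPrivilege
                SeDebugPrivilege</Data>
  </EventData>
</Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Auditing'/>
    <EventID>4728</EventID>
    <Channel>Security</Channel>
    <Computer>dc01.example.test</Computer>
  </System>
  <EventData>
    <Data Name='MemberName'>CN=alice,OU=Users,DC=example,DC=test</Data>
    <Data Name='TargetUserName'>Domain Admins</Data>
    <Data Name='SubjectUserName'>bob</Data>
    <Data>legacy unnamed value</Data>
  </EventData>
</Event>
</Events>"""


def _clean(text):
    """Normalise multi-line values such as PrivilegeList: strip indentation,
    drop blank lines, join the remaining lines with a single newline."""
    lines = [ln.strip() for ln in (text or "").splitlines()]
    return "\n".join(ln for ln in lines if ln)


def parse_events(xml_text):
    """Return one dict per <Event>: the stable System fields plus an
    EventData mapping of Data Name -> value. Unnamed <Data> elements
    (seen in older, non-manifest events) are kept in order under
    'UnnamedData' so nothing is silently dropped."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter(f"{{{EVENT_NS}}}Event"):
        system = ev.find("e:System", NS)
        record = {
            "EventID": int(system.findtext("e:EventID", default="0", namespaces=NS)),
            "Channel": system.findtext("e:Channel", default="", namespaces=NS),
            "Computer": system.findtext("e:Computer", default="", namespaces=NS),
            "EventData": {},
            "UnnamedData": [],
        }
        for data in ev.iterfind("e:EventData/e:Data", NS):
            name = data.get("Name")
            if name:
                record["EventData"][name] = _clean(data.text)
            else:
                record["UnnamedData"].append(_clean(data.text))
        events.append(record)
    return events


def field_names_by_event_id(events):
    """Build the per-Event-ID 'template' empirically: the set of Data Name
    attributes observed for each ID across the parsed events."""
    names = {}
    for ev in events:
        names.setdefault(ev["EventID"], set()).update(ev["EventData"])
    return names


# Regex alternative for engines where an XML parser is not available (the
# reply mentions a Java-flavoured regex in QRadar). [^<]* deliberately spans
# newlines so multi-line values like PrivilegeList are captured whole.
DATA_RE = re.compile(r"""<Data Name=['"]([^'"]+)['"]>([^<]*)</Data>""")


def regex_extract(xml_text):
    """Return (name, value) pairs for every named <Data> element."""
    return [(n, _clean(v)) for n, v in DATA_RE.findall(xml_text)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    for eid, fields in sorted(field_names_by_event_id(evs).items()):
        print(eid, sorted(fields))
```

Running field_names_by_event_id over a large export gives the per-Event-ID field inventory the poster was looking for, built from the logs themselves rather than from documentation. The regex form is the one to port to a line-based tool; the key detail is that the value group must be allowed to span newlines, otherwise PrivilegeList and similar multi-line values are cut at the first line.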