
Change log for WINEVTLOG

Date Changes
2023-03-01 Added support for the new format of cloud storage logs.
2023-02-15 1. Added support for new EventID 325 of SourceName Microsoft-Windows-TaskScheduler.
2. Added support for new EventID 0 (SourceName: edgeupdate).
3. Added support for new EventID 8 (SourceName: CylanceSvc).
4. Added mapping for TokenElevationType and MandatoryLabel for EventID 4688.
2023-02-01 1. Added support for the IT (Italian) and DE (German) languages when parsing EventID 1102.
2022-11-23 1. Handled the properties field arriving inside the message field for EventID 4662.
2022-11-09 1. Changed the EventType mapping for EventID 4776 of Microsoft-Windows-Security-Auditing.
2022-08-26 1. Changed the EventType mapping for EventID 7036 of Service Control Manager.
2022-08-12 1. Added support for new EventIDs 8010 and 8017 of SourceName Microsoft-Windows-DNS-Client.
2. Added support for new EventIDs 5857, 5858, 5859 and 5860 of SourceName Microsoft-Windows-WMI-Activity.
3. For the PossibleCause field, added an on_error tag to handle replace failures.
4. If target.hostname is empty, DnsHostName is mapped to the target.hostname UDM field; otherwise DnsHostName is mapped to target.asset.attribute.labels.key/value.
2022-08-01 1. Added support for new EventIDs 8021, 8022 and 8025 of SourceName Microsoft-Windows-AppLocker.
2. Added mapping for FilePath, FileHash and Fqbn for EventIDs 8003, 8004, 8006 and 8007.
3. Added mapping of the Message field for EventID 1100.
4. Removed target_user_id due to a duplication issue with target_group_display_name for EventIDs 4728 and 4732.
5. Added support for new EventIDs 105, 6 and 7 of SourceName WudfUsbccidDriver.
6. Added support for new EventID 12 of SourceName Microsoft-Windows-EnhancedStorage-EhStorTcgDrv.
7. Added support for new EventID 11 of SourceName Microsoft-Windows-Wininit.
8. Added support for new EventID 1068 of SourceName Microsoft-Windows-GroupPolicy.
2022-07-11 1. Added support for new EventIDs 195 and 196 of SourceName Microsoft-Windows-USB-USBHUB3.
2. Added support for new EventIDs 10001, 10002 and 10100 of SourceName Microsoft-Windows-DriverFrameworks-UserMode.
3. Added support for new EventIDs 1014, 8015, 8018, 8019, 8020, 8027 and 8033 of SourceName Microsoft-Windows-DNS-Client.
4. Removed user.role_name and user.role_description; replaced them with user.attribute.roles.name and user.attribute.roles.description.
5. Added support for new EventIDs 2 and 19 of SourceName Microsoft-Windows-WHEA-Logger.
6. Added support for new EventID 20 of SourceName Microsoft-Windows-Kernel-General.
7. Added support for new EventID 22 of SourceName Microsoft-Windows-UserModePowerService.
8. Added support for new EventIDs 1000 and 1001 of SourceName Microsoft-Windows-LoadPerf.
9. Added support for new EventIDs 132 and 142 of SourceName Microsoft-Windows-WinRM.
10. Added support for new EventID 4100 of SourceName Microsoft-Windows-PowerShell.
11. Added support for new EventIDs 24 and 130 of SourceName Microsoft-Windows-Time-Service.
12. Added support for new EventID 10317 of SourceName Microsoft-Windows-NDIS.
13. Added support for new EventID 14205 of SourceName Microsoft-Windows-WMPNSS-Service.
14. Added support for new EventIDs 16963 and 16966 of SourceName Microsoft-Windows-Directory-Services-SAM.
15. Added support for new EventIDs 14, 15 and 24 of SourceName TPM.
16. Added support for new EventIDs 4, 59, 61, 16385 and 16392 of SourceName Microsoft-Windows-Bits-Client.
17. Removed Generic_Event usage from the WINEVTLOG gold parser.
18. Added mapping of the Message field for EventID 104.
2022-07-04 1. Added FR (French) language support for EventID 1102.
2022-06-17 1. Added support for new EventID 145 of SourceName Microsoft-Windows-WinRM.
2. Added mapping of Category GUIDs for EventID 4719.
3. Mapped AccountName and Domain by splitting the Data_1 field for EventID 8222.
2022-06-07 1. Added support for new EventID 77 of Provider name Microsoft-Windows-CertificationAuthority.
2. Added gsub and modified the grok pattern to avoid incorrectly mapping the MemberName key to the UDM field target.user.user_display_name.
2022-05-24 1. Action set to ALLOW for an error code equal to 0x0 for EventID 4776.
2. Added mapping for AuthenticationPackageName for EventIDs 4624 and 4625.
3. Added support for EventID 400 for Provider name PowerShell.
4. Added mapping for ScriptBlockID in EventID 4104.
5. Updated the mapping of DeviceName for EventIDs 98 and 140 from principal.hostname to target.resource_name.
6. Added support for EventIDs 3, 60, 100, 187, 1096, 1127, 8000, 8003, 8004, 8006, 8007, 8021, 8024, 10000, 10004, 10111 and 14204.
7. Added security_result.severity for EventID 10110.
8. Added ServiceFileName mapping for EventID 7045.
9. Mapped the Computer field to intermediary.hostname.
10. Mapped UserAccountControl for EventID 4738.
11. Added mapping for TargetOutboundUserName in EventID 4624.
2022-05-10 1. Enhanced the WINEVTLOG gold parser by adding support for Windows 11 and Windows Server 2022 events.
2. Added support for new events: 1202, 102, 11, 10, 18, 1000, 1027, 1025, 10110, 1026, 1282, 1130, 10118, 1, 4000, 4101, 4001 and 400.
3. For 5137 and 5141, mapped SubjectLogonId to principal.labels.key/value.
4. Mapped the Computer field to intermediary.hostname.
5. For 4719, mapped the value of AuditPolicyChanges to about.labels.key/value.
6. For 5141, mapped the ObjectClass field to target.labels.key/value.
7. Action set to ALLOW for error codes equal to 0x0.
8. Added mapping of TargetOutboundUserName in EventID 4624.
9. Added the raw value of AccessList in target.resource.attribute.permissions.name.
10. For 4698, 4699 and 4702, mapped task_command to principal.process.file.full_path and task_arguments to principal.process.command_line.
2022-04-27 Promoted the gold parser from test to the new global default.
2022-04-22 1. Added EventID 1202 (Provider name: SceCli) and EventID 102 (Provider name: Microsoft-Windows-TaskScheduler).
2022-04-21 1. For every event, mapped the Message field for Microsoft-Windows-Security-Auditing.
2. For EventID 5137, mapped ObjectClass and ObjectDN.
3. For EventID 5136, mapped AttributeValue.
4. For EventID 4769, mapped TicketOptions and TicketEncryptionType.
5. For EventID 4662, mapped ObjectType.
6. For EventID 4625, mapped FailureReason.
7. For EventID 4742, mapped SubjectLogonId.
8. Mapped Computer as intermediary.hostname.
2022-03-30 1. Added mapping of the `Channel` field for all EventIDs.
2. For EventID `5861` and SourceName `Microsoft-Windows-WMI-Activity`, changed the mapping of the `Channel` field from `security_result.summary` to `about.labels.key/value`.
3. Added mapping of the Task field for EventID 4702.
4. Extracted the event description from the Message field for EventID 4767.
5. Added gsub to handle "·" present in the Message field for EventID 4719.
6. Added mapping of the DSName and DSType fields for EventIDs 5137 and 5141.
7. Added mapping of the ObjectClass field for EventID 5141.
8. Added mapping of the OriginalVolume (Data_9), ShadowDeviceName (Data_8) and ProcessName (Data_3) fields for EventID 8222.
9. Added mapping of the OriginalVolume (Data_8) and ShadowDeviceName (Data_7) fields for EventID 8223.
2022-03-29 1. Added mapping of the TargetLogonId field for EventID 4624.
2. Added mapping of the ServiceSid field for EventID 4769.
3. Added mapping of the NewObjectDN and OldObjectDN fields for EventID 5139.
4. Added mapping of the DnsHostName field for EventID 4741.
5. Added mapping for the SubjectLogonId field.
6. Mapped the actual hostname from the FQDN in EventID 4768.