
Extra Colon Parsed in JSON for EventID 4697 when downcase_description_keys = false #116

Open
BlakeHensleyy opened this issue Nov 18, 2024 · 0 comments


BlakeHensleyy commented Nov 18, 2024

Here is a sample description for EventID 4697

A service was installed in the system.

Subject:
	Security ID:		SYSTEM
	Account Name:		824ZWL3$
	Account Domain:		WORKGROUP
	Logon ID:		0x3E7

Service Information:
	Service Name: 		WpnUserService_a46b7
	Service File Name:	C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
	Service Type: 		0xE0
	Service Start Type:	2
	Service Account: 	LocalSystem

Here is a sample of what it looks like with downcase_description_keys = false

{
  "ProviderName": "Microsoft-Windows-Security-Auditing",
  "ProviderGUID": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
  "EventID": "4697",
  "Level": "0",
  "Task": "12289",
  "Opcode": "0",
  "Keywords": "0x8020000000000000",
  "TimeCreated": "2024-11-18T18:18:22.1877179Z",
  "EventRecordID": "37492098",
  "ActivityID": "{d95bbe83-5cf5-44b8-bbd1-9ed12125ae7e}",
  "ProcessID": "728",
  "ThreadID": "7948",
  "Channel": "Security",
  "Computer": "ComputerName",
  "Version": "1",
  "Subject.Security_ID": "S-1-5-21-3432303226-618804411-81073225-3118",
  "Subject.Account_Name": "Username",
  "Subject.Account_Domain": "Domain",
  "Subject.Logon_ID": "0xFB6524B",
  "Service_Information.Service_Name:": "TestService14",
  "Service_Information.Service_File_Name": "C:\\test_service.bat",
  "Service_Information.Service_Type:": "0x10",
  "Service_Information.Service_Start_Type": "2",
  "Service_Information.Service_Account:": "LocalSystem"
}

Here is a sample of what it looks like with downcase_description_keys = true

{
  "ProviderName": "Microsoft-Windows-Security-Auditing",
  "ProviderGUID": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
  "EventID": "4697",
  "Level": "0",
  "Task": "12289",
  "Opcode": "0",
  "Keywords": "0x8020000000000000",
  "TimeCreated": "2024-11-18T18:21:28.8693449Z",
  "EventRecordID": "37492172",
  "ActivityID": "{0cc575d8-4ab3-47d7-a9e7-7b84cba265b2}",
  "ProcessID": "728",
  "ThreadID": "7948",
  "Channel": "Security",
  "Computer": "ComputerName",
  "Version": "1",
  "subject.security_id": "S-1-5-21-3432303226-618804411-81073225-3118",
  "subject.account_name": "Username",
  "subject.account_domain": "Domain",
  "subject.logon_id": "0xFB6524B",
  "service_information.service_name:": "TestService14",
  "service_information.service_file_name": "C:\\test_service.bat",
  "service_information.service_type:": "0x10",
  "service_information.service_start_type": "2",
  "service_information.service_account:": "LocalSystem"
}

For some reason the fields ServiceName, ServiceType, and ServiceAccount all have an extra : at the end of the key name when downcase_description_keys is set to false. This causes issues when the logs are ingested into a SIEM. Does anyone know why this is?
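Added example, not the plugin's own code: the three affected keys in the sample description above ("Service Name: ", "Service Type: ", "Service Account: ") are exactly the ones that carry a space between the colon and the tab, and the unaffected keys do not. The Ruby below reconstructs one key-extraction ordering that reproduces that symptom (chomping the colon before stripping whitespace), shows a normalisation that cannot leak a colon regardless of the layout, and adds a small check a SIEM ingestion pipeline can run over a parsed record. All function names, the parsing rules and the reconstructed naive logic are assumptions made for the illustration; the description text is the one quoted in the issue with its tab layout written out explicitly.

```ruby
require "json"

# Constructed sample: the EventID 4697 description quoted in the issue, with the
# tab layout reproduced explicitly. Note the trailing space after the colon on
# "Service Name:", "Service Type:" and "Service Account:", which are exactly the
# three keys that come out of the JSON with a stray colon.
SAMPLE_DESCRIPTION = [
  "A service was installed in the system.",
  "",
  "Subject:",
  "\tSecurity ID:\t\tSYSTEM",
  "\tAccount Name:\t\t824ZWL3$",
  "\tAccount Domain:\t\tWORKGROUP",
  "\tLogon ID:\t\t0x3E7",
  "",
  "Service Information:",
  "\tService Name: \t\tWpnUserService_a46b7",
  "\tService File Name:\tC:\\WINDOWS\\system32\\svchost.exe -k UnistackSvcGroup",
  "\tService Type: \t\t0xE0",
  "\tService Start Type:\t2",
  "\tService Account: \tLocalSystem",
].join("\n")

# One ordering bug that produces the observed symptom (a constructed
# illustration, not the plugin's code): the colon is chomped BEFORE the key is
# stripped, so "Service Name: " keeps its colon and then has its spaces turned
# into underscores, yielding "Service_Name:".
def naive_key(line)
  key = line.strip.split("\t", 2).first  # text before the first tab, e.g. "Service Name: "
  key = key.chomp(":")                    # no-op here: the last character is a space, not ":"
  key.strip.tr(" ", "_")                  # => "Service_Name:"
end

# Hardened key normalisation: strip surrounding whitespace, drop a trailing
# colon together with any whitespace around it, then collapse inner whitespace
# to "_". Order of operations no longer depends on the description's layout.
def normalize_key(raw_key, downcase: false)
  key = raw_key.strip.sub(/\s*:\s*\z/, "").gsub(/\s+/, "_")
  downcase ? key.downcase : key
end

# Flatten a description into "Section.Key" => value pairs. Indented lines are
# fields; unindented lines ending in ":" open a section; other unindented lines
# (the human-readable message) are ignored. The value is everything after the
# first colon, so values that themselves contain ":" (drive letters) survive.
def parse_description(description, downcase: false)
  section = nil
  description.each_line.with_object({}) do |raw, fields|
    line = raw.chomp
    next if line.strip.empty?
    unless line.start_with?("\t")
      section = normalize_key(line, downcase: downcase) if line.rstrip.end_with?(":")
      next
    end
    key, sep, value = line.strip.partition(":")
    next if sep.empty?                     # indented line without a "key: value" shape
    full_key = [section, normalize_key(key, downcase: downcase)].compact.join(".")
    fields[full_key] = value.strip
  end
end

# Ingestion check: report keys that would break a SIEM field mapping
# (trailing colon, embedded whitespace, or an empty key).
def malformed_keys(record)
  record.keys.select { |k| k.end_with?(":") || k.match?(/\s/) || k.empty? }
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(parse_description(SAMPLE_DESCRIPTION))
  p naive_key("\tService Name: \t\tWpnUserService_a46b7")   # "Service_Name:"
  p malformed_keys(parse_description(SAMPLE_DESCRIPTION))   # []
end
```

Running the file prints the flattened record with clean keys for both the `downcase: false` and (if you pass `downcase: true`) the lowercase form, and `malformed_keys` is the kind of assertion worth adding to the ingestion side so a key with a trailing colon is rejected or rewritten before it reaches the index rather than silently creating a second field.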
