OTRF / OSSEM

Open Source Security Events Metadata (OSSEM)
MIT License

Windows Security logs, Computer Account Management auditing fields mismatch between events #90

Open nicolasreich opened 3 years ago

nicolasreich commented 3 years ago

In the Data Dictionary of Windows Security Event 4741, the field UserParameters is translated into target_host_user_paremeters (with a typo), and UserAccountControl into target_host_user_account_control. For Event 4742, the corresponding fields are translated into target_host_parameters and target_host_account_control, so with one user fewer. I haven't been able to find those defined in the CDM; what is the right standard field name?

Cyb3rWard0g commented 3 years ago

Hey @nicolasreich! Thank you very much for going through the events standardization and providing feedback. We are still working on those and trying to create the right data entity for those and attributes. I will add that to the list of upcoming updates. I believe initially it was meant to be part of the Target Entity. That needs to be reviewed.
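
The mismatch reported in this issue can be caught mechanically. The following is an added example, not code from the OSSEM project: it takes per-event field mappings and reports every original field that is given different standard names in different events. The function names, the `cdm_attributes` parameter and the inline sample data (limited to the four mappings quoted in the issue) are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: only the mappings quoted in the issue, keyed by event ID.
# The project's real data dictionaries hold many more fields in their own format.
DICTIONARIES = {
    4741: {
        "UserParameters": "target_host_user_paremeters",
        "UserAccountControl": "target_host_user_account_control",
    },
    4742: {
        "UserParameters": "target_host_parameters",
        "UserAccountControl": "target_host_account_control",
    },
}


def find_mismatches(dictionaries):
    """Return {original_field: {standard_name: [event_ids]}} for every
    original field that maps to more than one standard name."""
    seen = defaultdict(lambda: defaultdict(list))
    for event_id, mapping in sorted(dictionaries.items()):
        for original, standard in mapping.items():
            seen[original][standard].append(event_id)
    return {
        original: dict(names)
        for original, names in seen.items()
        if len(names) > 1
    }


def undefined_names(dictionaries, cdm_attributes):
    """Return the sorted standard names that are absent from the supplied
    set of CDM attribute names (hypothetical input, loaded by the caller)."""
    used = {s for mapping in dictionaries.values() for s in mapping.values()}
    return sorted(used - set(cdm_attributes))


if __name__ == "__main__":
    for original, names in find_mismatches(DICTIONARIES).items():
        print(f"{original}:")
        for standard, event_ids in names.items():
            print(f"  {standard}  (events {event_ids})")
    # An empty set stands in for the CDM attribute list, which is not on this page.
    print("not in CDM set:", undefined_names(DICTIONARIES, set()))
```

Run as a lint over all event dictionaries, a non-empty result from `find_mismatches` means the same source field would land in different columns depending on the event ID, which breaks any detection query that joins 4741 and 4742 on that field.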