tiffb
commented
9 months ago Hi nasbench,
Thank you for contacting us. We'll review the information you've provided.
Open nasbench opened 9 months ago
tiffb
commented
9 months ago Hi nasbench,
Thank you for contacting us. We'll review the information you've provided.
tiffb
commented
8 months ago Nasbench, we appreciate the feedback and supportive material. We definitely see how more distinguishing event information would be helpful, and the potential to include it. As for linking telemetry, this could also be quite valuable but would likely require the team to do a little more research to ensure appropriate conclusions/usage of associated events and note any potential caveats/risks when linking different events and mappings together. The project team is looking into the level of effort needed and determine the way forward.
nasbench
commented
8 months ago Thanks for the response. I appreciate all the efforts you're doing.
I would say the provider information is easily obtainable from the event itself and is a quick win and that level of accuracy is necessary, especially when adding more events. As collisions are inevitable.
Solving the other caveats might take more time and is challenging to maintain / research (at least at the start or when adding new events). So this can be a future enhancements.
Regardless appreciate you taking a look into this and let me know if you need more info or with anything I can provide.
This PR adds
A new column for the windows events CSV for Event provider data.
In the case of PowerShell event, I also duplicated the line to account for both PowerShell 7 and PowerShell 5. As they have different providers and it make sense to track both
A couple of notes for discussion and maybe further enhancement I can provide.
In some cases the events exists in older version of Windows but were either removed from newer versions or replaced. Here 2 examples currently in the set
As I described here. Both EIDs 2004 and 2006 still exist in the
Microsoft-Windows-Windows Firewall With Advanced Securitylog. But (at least in my testing) they've been replaced by EIDs 2071 and 2052 respectively.Another example would EIDs 6005 and 6006 related to the Event Log service. At least from testing these events no longer exist on modern version and are from older providers (I might be wrong but couldn't find them in the typical provider
Microsoft-Windows-Eventlog(see here and here)These cases introduce an interesting challenge (while its rare). Maybe adding a windows version or another column called
Remarksto mention these kind of issues when found. Imo this would be interesting.A final suggestion is I think its a good idea to include a
Channelcolumn as well. This would allow in the future to be more granular and maybe provide ETW relevant events that are generated in non enabled by default channels such as Analytic, Performance,...etc.Example would be in addition to EID 4688 from Security, maybe also mention EID 1 from the
Microsoft-Kernel-Processwhich capture the same information. While users can't make use of it necessarily, it would help broaden the discussion around telemetry and raise awareness and can be used as a reference.Note: This PR closes #16