Mirror of https://github.com/empayre/fleet.git, synced 2024-11-06 08:55:24 +00:00, commit 1f87644a23
* Initial cut of Win tables schema
* Add context
* Formatting fixes
* Add bitlocker_info
* Remove temp stuff
* Remove temp stuff redux
* Apply suggestions from code review

  Co-authored-by: Guillaume Ross <guillaume@binaryfactory.ca>
* Update bitlocker_info.yml
* Edited for clarity

Co-authored-by: Guillaume Ross <guillaume@binaryfactory.ca>
21 lines, 1.0 KiB, YAML
name: windows_eventlog
examples: >-
  Tracking user account changes is a key part of both detection & incident response. This query lists all Windows event log entries from the Security channel with EventID 4720 (A user account was created). There are many other relevant EventIDs that should be monitored as well:

  - [4722: Account enabled](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4722)

  - [4724: Password reset](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4724)

  - [4728: Added to a security-enabled global group](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4728)

  ```

  SELECT datetime, computer_name, data FROM windows_eventlog WHERE eventid = 4720 AND channel = 'Security'

  ```
notes: >-
  * This is not an evented table - instead, it pulls directly from the local system's existing event logs.

  * The information returned in the `data` column will be JSON formatted, which will require additional parsing.
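The `data` column's JSON has to be parsed before it is useful. As an added example (not Fleet's or osquery's own code), the Python below normalises rows shaped like the output of the query above and correlates the event IDs the page lists, flagging an account that is created (4720) and then added to a security-enabled global group (4728) on the same host within a short window. The sample rows, their timestamps and the JSON key layout (flat, or nested under `EventData`) are constructed assumptions.

```python
import json
from datetime import datetime

# Constructed sample rows in the shape returned by the query above (datetime,
# computer_name, data) plus eventid so the other IDs the page lists can be
# compared. The layout of `data` is an assumption: the parser accepts a flat
# object and one nested under "EventData". Timestamps are constructed.
SAMPLE_ROWS = [
    {"datetime": "2024-11-06T08:50:01Z", "computer_name": "WS01", "eventid": "4720",
     "data": json.dumps({"SubjectUserName": "alice", "TargetUserName": "svc-backup"})},
    {"datetime": "2024-11-06T08:50:03Z", "computer_name": "WS01", "eventid": "4724",
     "data": json.dumps({"SubjectUserName": "alice", "TargetUserName": "bob"})},
    {"datetime": "2024-11-06T08:50:07Z", "computer_name": "WS01", "eventid": "4728",
     "data": json.dumps({"EventData": {"SubjectUserName": "alice",
                                       "MemberName": "svc-backup",
                                       "TargetUserName": "Domain Admins"}})},
    {"datetime": "2024-11-06T08:51:00Z", "computer_name": "WS02", "eventid": "4728",
     "data": json.dumps({"SubjectUserName": "carol", "MemberName": "bob",
                         "TargetUserName": "Backup Operators"})},
]


def parse_row(row):
    """Decode the JSON `data` column and normalise the fields we correlate on."""
    raw = json.loads(row["data"])
    fields = raw.get("EventData", raw) if isinstance(raw, dict) else {}
    return {
        "ts": datetime.fromisoformat(row["datetime"].rstrip("Z")),
        "host": row["computer_name"],
        "eventid": int(row["eventid"]),
        "actor": fields.get("SubjectUserName", ""),  # who performed the change
        "target": fields.get("TargetUserName", ""),  # account (4720) or group (4728)
        "member": fields.get("MemberName", ""),      # account added to the group (4728)
    }


def created_then_elevated(rows, window_seconds=600):
    """Return (host, account, group, seconds_between) for every account created
    (4720) and then added to a global group (4728) on the same host in the window."""
    events = sorted((parse_row(r) for r in rows), key=lambda e: e["ts"])
    created = {}  # (host, account) -> creation time
    hits = []
    for e in events:
        if e["eventid"] == 4720:
            created[(e["host"], e["target"])] = e["ts"]
        elif e["eventid"] == 4728:
            key = (e["host"], e["member"])
            if key in created:
                elapsed = (e["ts"] - created[key]).total_seconds()
                if elapsed <= window_seconds:
                    hits.append((e["host"], e["member"], e["target"], int(elapsed)))
    return hits
```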