Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add an Event Log Activity Class #1014

Merged
merged 78 commits into from
Apr 29, 2024
Merged

Conversation

mikeradka
Copy link
Contributor

@mikeradka mikeradka commented Apr 3, 2024

Related Issue:

#839 Event Log Activity eg 'Audit Log Cleared'

Description of changes:

This PR introduces a new class designed for actions related to monitoring the System Event Log Service.

image

@mikeradka mikeradka added enhancement New feature or request system_activity Issues related to System Activity Category labels Apr 3, 2024
@mikeradka mikeradka self-assigned this Apr 3, 2024
@mikeradka mikeradka added the v1.2.0 Changes marked for version v1.2.0 of OCSF label Apr 3, 2024
@mikeradka mikeradka changed the title Add an Event Log Activity class DRAFT: Add an Event Log Activity class Apr 3, 2024
@floydtree floydtree added v1.3.0 Changes marked for v1.3.0 of OCSF and removed v1.2.0 Changes marked for version v1.2.0 of OCSF labels Apr 15, 2024
@jasonbreimer
Copy link
Contributor

What about a "set-log" activity id? I'm looking at the various detections written against event log activities and I see the concept of event log configuration setting modification. An entity can modify settings regarding the event log using wevtutil command set-log.

@jasonbreimer
Copy link
Contributor

Another thought...when looking at clear event log it looks like there are return code status values. This list is oddly limited linked below but I see "success" and "privilege missing". Do we want to capture the successful event or get down to this next layer of capturing a failure by adding some kind of status/return code for each activity id?

https://learn.microsoft.com/en-us/previous-versions/windows/desktop/eventlogprov/cleareventlog-method-in-class-win32-nteventlogfile

@mikeradka
Copy link
Contributor Author

mikeradka commented Apr 16, 2024

Another thought...when looking at clear event log it looks like there are return code status values. This list is oddly limited linked below but I see "success" and "privilege missing". Do we want to capture the successful event or get down to this next layer of capturing a failure by adding some kind of status/return code for each activity id?

https://learn.microsoft.com/en-us/previous-versions/windows/desktop/eventlogprov/cleareventlog-method-in-class-win32-nteventlogfile

That is a good find! Thanks for the suggestion - will take a look at what is possible, it seems like this may be good context to capture.

EDIT: After checking this out, I think status_code and status_detail should work for this. I added more specific descriptions for these attributes within the context of this class, and gave the info in this page as examples.

@mikeradka mikeradka requested a review from jasonbreimer April 16, 2024 16:41
@mikeradka mikeradka closed this Apr 17, 2024
@mikeradka mikeradka deleted the event_log_activity_class branch April 17, 2024 22:21
@mikeradka mikeradka restored the event_log_activity_class branch April 17, 2024 22:25
@mikeradka mikeradka reopened this Apr 17, 2024
@mikeradka mikeradka force-pushed the event_log_activity_class branch from 2600e91 to 5c35e95 Compare April 17, 2024 22:28
@mikeradka
Copy link
Contributor Author

Created Issue #1047 to address the discrepancy in validation failure output.

@mikeradka
Copy link
Contributor Author

mikeradka commented Apr 18, 2024

What about a "set-log" activity id? I'm looking at the various detections written against event log activities and I see the concept of event log configuration setting modification. An entity can modify settings regarding the event log using wevtutil command set-log.

This is a good suggestion, @jasonbreimer. I took a look at the Microsoft wevtutil documentation, and it notes:

Enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs.

The Archive, and Clear actions are covered, and I've added Export to the actions. However, I am not yet certain on how we should approach uninstall event manifests and run queries. Maybe Uninstall and Query actions are sufficient, but I would like to get some further inputs.

@floydtree, @pagbabian-splunk, @k2niner any thoughts on whether Uninstall and Query could work as activities for this new class?

Signed-off-by: Michael Radka <[email protected]>
Signed-off-by: Michael Radka <[email protected]>
Signed-off-by: Michael Radka <[email protected]>
Signed-off-by: Michael Radka <[email protected]>
Signed-off-by: Michael Radka <[email protected]>
Signed-off-by: Michael Radka <[email protected]>
Signed-off-by: Michael Radka <[email protected]>
Signed-off-by: Michael Radka <[email protected]>
Signed-off-by: Michael Radka <[email protected]>
Signed-off-by: Michael Radka <[email protected]>
Signed-off-by: Michael Radka <[email protected]>
Signed-off-by: Michael Radka <[email protected]>
Signed-off-by: Michael Radka <[email protected]>
@mikeradka mikeradka marked this pull request as ready for review April 19, 2024 20:48
@mikeradka mikeradka changed the title DRAFT: Add an Event Log Activity class Add an Event Log Activity class Apr 19, 2024
@mikeradka mikeradka requested a review from k2niner April 19, 2024 20:49
Signed-off-by: Michael Radka <[email protected]>
Signed-off-by: Michael Radka <[email protected]>
@mikeradka mikeradka changed the title Add an Event Log Activity class Add an Event Log Activity class Apr 19, 2024
@mikeradka mikeradka changed the title Add an Event Log Activity class Add an Event Log Activity Class Apr 19, 2024
@mikeradka mikeradka added the non_breaking Non Breaking, backwards compatible changes label Apr 19, 2024
@pagbabian-splunk
Copy link
Contributor

What about a "set-log" activity id? I'm looking at the various detections written against event log activities and I see the concept of event log configuration setting modification. An entity can modify settings regarding the event log using wevtutil command set-log.

This is a good suggestion, @jasonbreimer. I took a look at the Microsoft wevtutil documentation, and it notes:

Enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs.

The Archive, and Clear actions are covered, and I've added Export to the actions. However, I am not yet certain on how we should approach uninstall event manifests and run queries. Maybe Uninstall and Query actions are sufficient, but I would like to get some further inputs.

@floydtree, @pagbabian-splunk, @k2niner any thoughts on whether Uninstall and Query could work as activities for this new class?

If we don't yet know how to address these two activities, we can hold off until we do, and add them later. Unless @jasonbreimer or others have a use case of course. I haven't researched it so I don't have any informed suggestion at the moment.

CHANGELOG.md Outdated Show resolved Hide resolved
Signed-off-by: Michael Radka <[email protected]>
@mikeradka mikeradka requested a review from floydtree April 23, 2024 18:25
Signed-off-by: Michael Radka <[email protected]>
events/system/event_log.json Show resolved Hide resolved
@floydtree floydtree merged commit b9506f9 into ocsf:main Apr 29, 2024
2 checks passed
@mikeradka mikeradka deleted the event_log_activity_class branch May 23, 2024 20:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request non_breaking Non Breaking, backwards compatible changes system_activity Issues related to System Activity Category v1.3.0 Changes marked for v1.3.0 of OCSF
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants