Upgrade windows decoders #175

Merged
merged 3 commits into from Aug 24, 2018

Conversation

frgv
Contributor

@frgv frgv commented Aug 23, 2018

Compatibility with TerminalServices-Gateway event type added.

2018 Aug 20 10:09:53 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: INFORMATION(200): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP".
**Phase 1: Completed pre-decoding.
       full event: '2018 Aug 20 10:09:53 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: INFORMATION(200): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP".'
       timestamp: '2018 Aug 20 10:09:53'
       hostname: 'manager1'
       program_name: 'WinEvtLog'
       log: 'Microsoft-Windows-TerminalServices-Gateway/Operational: INFORMATION(200): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP".'

**Phase 2: Completed decoding.
       decoder: 'windows'
       type: 'Microsoft-Windows-TerminalServices-Gateway/Operational'
       status: 'INFORMATION'
       id: '200'
       account: 'NETWORK SERVICE'
       system_name: 'some-host-name'
       dstuser: 'someuser\somedomain'
       dstip: '1.2.3.4'
       auth_method: 'NTLM'
       protocol: 'HTTP'

**Phase 3: Completed filtering (rules).
       Rule id: '18257'
       Level: '3'
       Description: 'Windows: TS Gateway login success.'
       Info - Text: 'https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx'
**Alert to be generated.
2018 Aug 20 07:41:27 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: ERROR(201): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".
**Phase 1: Completed pre-decoding.
       full event: '2018 Aug 20 07:41:27 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: ERROR(201): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".'
       timestamp: '2018 Aug 20 07:41:27'
       hostname: 'manager1'
       program_name: 'WinEvtLog'
       log: 'Microsoft-Windows-TerminalServices-Gateway/Operational: ERROR(201): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".'

**Phase 2: Completed decoding.
       decoder: 'windows'
       type: 'Microsoft-Windows-TerminalServices-Gateway/Operational'
       status: 'ERROR'
       id: '201'
       account: 'NETWORK SERVICE'
       system_name: 'some-host-name'
       dstuser: 'someuser\somedomain'
       dstip: '1.2.3.4'
       auth_method: 'NTLM'
       protocol: 'HTTP'
       error_code: '23003'

**Phase 3: Completed filtering (rules).
       Rule id: '18258'
       Level: '5'
       Description: 'Windows: TS Gateway login failure.'
       Info - Text: 'https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx'
**Alert to be generated.
2018 Aug 20 07:32:33 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: INFORMATION(202): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The administrator disconnected the user "someuser\somedomain", on client computer "1.2.3.4", from the following network resource: "resourceName". Before the user was disconnected, the client transferred 149218 bytes and received 196031 bytes using HTTP connection protocol. The client session duration was 85 seconds.
**Phase 1: Completed pre-decoding.
       full event: '2018 Aug 20 07:32:33 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: INFORMATION(202): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The administrator disconnected the user "someuser\somedomain", on client computer "1.2.3.4", from the following network resource: "resourceName". Before the user was disconnected, the client transferred 149218 bytes and received 196031 bytes using HTTP connection protocol. The client session duration was 85 seconds.'
       timestamp: '2018 Aug 20 07:32:33'
       hostname: 'manager1'
       program_name: 'WinEvtLog'
       log: 'Microsoft-Windows-TerminalServices-Gateway/Operational: INFORMATION(202): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The administrator disconnected the user "someuser\somedomain", on client computer "1.2.3.4", from the following network resource: "resourceName". Before the user was disconnected, the client transferred 149218 bytes and received 196031 bytes using HTTP connection protocol. The client session duration was 85 seconds.'

**Phase 2: Completed decoding.
       decoder: 'windows'
       type: 'Microsoft-Windows-TerminalServices-Gateway/Operational'
       status: 'INFORMATION'
       id: '202'
       account: 'NETWORK SERVICE'
       system_name: 'some-host-name'
       dstuser: 'someuser\somedomain'
       dstip: '1.2.3.4'
       resource: 'resourceName'
       protocol: 'HTTP'

**Phase 3: Completed filtering (rules).
       Rule id: '18259'
       Level: '3'
       Description: 'Windows: TS Gateway user disconnected.'
       Info - Text: 'https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx'
**Alert to be generated.
2018 Aug 20 10:09:53 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: INFORMATION(300): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", met resource authorization policy requirements and was therefore authorized to connect to resource "resourceName".
**Phase 1: Completed pre-decoding.
       full event: '2018 Aug 20 10:09:53 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: INFORMATION(300): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", met resource authorization policy requirements and was therefore authorized to connect to resource "resourceName".'
       timestamp: '2018 Aug 20 10:09:53'
       hostname: 'manager1'
       program_name: 'WinEvtLog'
       log: 'Microsoft-Windows-TerminalServices-Gateway/Operational: INFORMATION(300): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", met resource authorization policy requirements and was therefore authorized to connect to resource "resourceName".'

**Phase 2: Completed decoding.
       decoder: 'windows'
       type: 'Microsoft-Windows-TerminalServices-Gateway/Operational'
       status: 'INFORMATION'
       id: '300'
       account: 'NETWORK SERVICE'
       system_name: 'some-host-name'
       dstuser: 'someuser\somedomain'
       dstip: '1.2.3.4'
       resource: 'resourceName'

**Phase 3: Completed filtering (rules).
       Rule id: '18257'
       Level: '3'
       Description: 'Windows: TS Gateway login success.'
       Info - Text: 'https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx'
**Alert to be generated.
2018 Aug 20 07:55:34 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: ERROR(301): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", did not meet resource authorization policy requirements and was therefore not authorized to resource "resourceName". The following error occurred: "23002".
**Phase 1: Completed pre-decoding.
       full event: '2018 Aug 20 07:55:34 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: ERROR(301): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", did not meet resource authorization policy requirements and was therefore not authorized to resource "resourceName". The following error occurred: "23002".'
       timestamp: '2018 Aug 20 07:55:34'
       hostname: 'manager1'
       program_name: 'WinEvtLog'
       log: 'Microsoft-Windows-TerminalServices-Gateway/Operational: ERROR(301): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", did not meet resource authorization policy requirements and was therefore not authorized to resource "resourceName". The following error occurred: "23002".'

**Phase 2: Completed decoding.
       decoder: 'windows'
       type: 'Microsoft-Windows-TerminalServices-Gateway/Operational'
       status: 'ERROR'
       id: '301'
       account: 'NETWORK SERVICE'
       system_name: 'some-host-name'
       dstuser: 'someuser\somedomain'
       dstip: '1.2.3.4'
       resource: 'resourceName'
       error_code: '23002'

**Phase 3: Completed filtering (rules).
       Rule id: '18258'
       Level: '5'
       Description: 'Windows: TS Gateway login failure.'
       Info - Text: 'https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx'
**Alert to be generated.
2018 Aug 20 10:09:53 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: INFORMATION(302): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", connected to resource "resourceName". Connection protocol used: "HTTP".
**Phase 1: Completed pre-decoding.
       full event: '2018 Aug 20 10:09:53 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: INFORMATION(302): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", connected to resource "resourceName". Connection protocol used: "HTTP".'
       timestamp: '2018 Aug 20 10:09:53'
       hostname: 'manager1'
       program_name: 'WinEvtLog'
       log: 'Microsoft-Windows-TerminalServices-Gateway/Operational: INFORMATION(302): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", connected to resource "resourceName". Connection protocol used: "HTTP".'

**Phase 2: Completed decoding.
       decoder: 'windows'
       type: 'Microsoft-Windows-TerminalServices-Gateway/Operational'
       status: 'INFORMATION'
       id: '302'
       account: 'NETWORK SERVICE'
       system_name: 'some-host-name'
       dstuser: 'someuser\somedomain'
       dstip: '1.2.3.4'
       resource: 'resourceName'
       protocol: 'HTTP'

**Phase 3: Completed filtering (rules).
       Rule id: '18257'
       Level: '3'
       Description: 'Windows: TS Gateway login success.'
       Info - Text: 'https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx'
**Alert to be generated.
2018 Aug 20 10:10:36 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: INFORMATION(303): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", disconnected from the following network resource: "resourceName". Before the user disconnected, the client transferred 1285 bytes and received 3122 bytes. The client session duration was 43 seconds. Connection protocol used: "HTTP".
**Phase 1: Completed pre-decoding.
       full event: '2018 Aug 20 10:10:36 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: INFORMATION(303): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", disconnected from the following network resource: "resourceName". Before the user disconnected, the client transferred 1285 bytes and received 3122 bytes. The client session duration was 43 seconds. Connection protocol used: "HTTP".'
       timestamp: '2018 Aug 20 10:10:36'
       hostname: 'manager1'
       program_name: 'WinEvtLog'
       log: 'Microsoft-Windows-TerminalServices-Gateway/Operational: INFORMATION(303): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", disconnected from the following network resource: "resourceName". Before the user disconnected, the client transferred 1285 bytes and received 3122 bytes. The client session duration was 43 seconds. Connection protocol used: "HTTP".'

**Phase 2: Completed decoding.
       decoder: 'windows'
       type: 'Microsoft-Windows-TerminalServices-Gateway/Operational'
       status: 'INFORMATION'
       id: '303'
       account: 'NETWORK SERVICE'
       system_name: 'some-host-name'
       dstuser: 'someuser\somedomain'
       dstip: '1.2.3.4'
       resource: 'resourceName'
       protocol: 'HTTP'

**Phase 3: Completed filtering (rules).
       Rule id: '18259'
       Level: '3'
       Description: 'Windows: TS Gateway user disconnected.'
       Info - Text: 'https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx'
**Alert to be generated.
2018 Aug 21 09:49:54 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: WARNING(304): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "195.160.232.242", met connection authorization policy and resource authorization policy requirements, but could not connect to resource "resourceName". Connection protocol used: "HTTP". The following error occurred: "23005".
**Phase 1: Completed pre-decoding.
       full event: '2018 Aug 21 09:49:54 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: WARNING(304): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "195.160.232.242", met connection authorization policy and resource authorization policy requirements, but could not connect to resource "resourceName". Connection protocol used: "HTTP". The following error occurred: "23005".'
       timestamp: '2018 Aug 21 09:49:54'
       hostname: 'manager1'
       program_name: 'WinEvtLog'
       log: 'Microsoft-Windows-TerminalServices-Gateway/Operational: WARNING(304): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "195.160.232.242", met connection authorization policy and resource authorization policy requirements, but could not connect to resource "resourceName". Connection protocol used: "HTTP". The following error occurred: "23005".'

**Phase 2: Completed decoding.
       decoder: 'windows'
       type: 'Microsoft-Windows-TerminalServices-Gateway/Operational'
       status: 'WARNING'
       id: '304'
       account: 'NETWORK SERVICE'
       system_name: 'some-host-name'
       dstuser: 'someuser\somedomain'
       dstip: '195.160.232.242'
       resource: 'resourceName'
       protocol: 'HTTP'
       error_code: '23005'

**Phase 3: Completed filtering (rules).
       Rule id: '18258'
       Level: '5'
       Description: 'Windows: TS Gateway login failure.'
       Info - Text: 'https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx'
**Alert to be generated.

Compatibility with TerminalServices-Gateway event type added.
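The field extraction the logtest runs above exhibit, re-implemented as an added Python example (this is not the Wazuh `windows` decoder or ruleset itself): it splits the WinEvtLog header, pulls the quoted values (dstuser, dstip, auth_method, protocol, resource, error_code) out of the free-text message, and maps the event id to the rule the PR shows firing. The header layout, the regexes and all constant names are assumptions inferred from the sample lines in the description.

```python
import re

# Assumed header layout of a WinEvtLog line, inferred from the PR's samples:
# <timestamp> WinEvtLog: <channel>: <STATUS>(<id>): <source>: <account>: <domain>: <system_name>: <message>
HEADER_RE = re.compile(
    r"^(?P<timestamp>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<type>[^:]+): (?P<status>[A-Z]+)\((?P<id>\d+)\): [^:]+: "
    r"(?P<account>[^:]+): [^:]+: (?P<system_name>[^:]+): (?P<message>.*)$"
)

# Quoted message fragments that become decoder fields. The protocol has two spellings in the
# samples ('connection protocol used: "HTTP"' vs 'using HTTP connection protocol' in event 202).
FIELD_RES = {
    "dstuser": re.compile(r'[Tt]he user "([^"]+)"'),
    "dstip": re.compile(r'on client computer "([^"]+)"'),
    "auth_method": re.compile(r'authentication method used was: "([^"]+)"'),
    "protocol": re.compile(r'connection protocol used: "([^"]+)"|using ([A-Z]+) connection protocol'),
    "resource": re.compile(r'resource:? "([^"]+)"'),
    "error_code": re.compile(r'error occurred: "([^"]+)"'),
}

# Rule id -> (level, description, event ids), as the logtest runs in the PR show them firing.
RULES = {
    "18257": ("3", "Windows: TS Gateway login success.", {"200", "300", "302"}),
    "18258": ("5", "Windows: TS Gateway login failure.", {"201", "301", "304"}),
    "18259": ("3", "Windows: TS Gateway user disconnected.", {"202", "303"}),
}
EVENT_TO_RULE = {eid: (rid, lvl, desc) for rid, (lvl, desc, ids) in RULES.items() for eid in ids}


def decode(line):
    # Split the fixed header, then pull the quoted values out of the free-text message.
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {"decoder": "windows", **m.groupdict()}
    message = fields.pop("message")
    for name, rx in FIELD_RES.items():
        fm = rx.search(message)
        if fm:
            fields[name] = next(g for g in fm.groups() if g is not None)
    return fields


def match_rule(fields):
    # Only events from the TS Gateway operational channel are covered by these three rules.
    if fields is None or fields.get("type") != "Microsoft-Windows-TerminalServices-Gateway/Operational":
        return None
    return EVENT_TO_RULE.get(fields["id"])


# Constructed from two of the sample lines in the PR description (CAP failure, admin disconnect).
SAMPLE_EVENTS = [
    r'2018 Aug 20 07:41:27 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: ERROR(201): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".',
    r'2018 Aug 20 07:32:33 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: INFORMATION(202): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The administrator disconnected the user "someuser\somedomain", on client computer "1.2.3.4", from the following network resource: "resourceName". Before the user was disconnected, the client transferred 149218 bytes and received 196031 bytes using HTTP connection protocol. The client session duration was 85 seconds.',
]
```

Running `decode` over `SAMPLE_EVENTS` reproduces the Phase 2 fields shown for events 201 and 202, and `match_rule` returns rules 18258 and 18259 respectively.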
@frgv frgv requested a review from jesuslinares August 23, 2018 14:20
@jesuslinares jesuslinares changed the base branch from 3.5 to 3.6 August 24, 2018 16:42
@jesuslinares
Contributor

Great!!

@jesuslinares jesuslinares merged commit bb3801d into 3.6 Aug 24, 2018
@jesuslinares jesuslinares deleted the Upgrade-Windows-Decoders branch August 24, 2018 16:43