How to extract fields from the Microsoft-Windows-Security-Auditing
{
"_raw": "{"Id":4634,"Version":0,"Qualifiers":null,"Level":0,"Task":12545,"Opcode":0,"Keywords":-9214364837600034816,"RecordId":24675211,"ProviderName":"Microsoft-Windows-Security-Auditing","ProviderId":"54849625-5478-4994-a5ba-3e3b0328c30d","LogName":"Security","ProcessId":816,"ThreadId":2972,"MachineName":"vmwopsadm02-dev.hq.xxx.com","UserId":null,"TimeCreated":"\/Date(1686604325474)\/","ActivityId":null,"RelatedActivityId":null,"ContainerLog":"ForwardedEvents","MatchedQueryIds":[],"Bookmark":{},"LevelDisplayName":"Information","OpcodeDisplayName":"Info","TaskDisplayName":"Logoff","KeywordsDisplayNames":["Audit Success"],"Properties":[{"Value":"S-1-5-21-3567637-1906459281-1427260136-1830845"},{"Value":"VMWOPSADM03-DEV$"},{"Value":"xxx"},{"Value":"0xbc526b"},{"Value":"3"}],"Message":"An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-3567637-1906459281-1427260136-1830845\r\n\tAccount Name:\t\tVMWOPSADM03-DEV$\r\n\tAccount Domain:\t\txxx\r\n\tLogon ID:\t\t0xBC526B\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."}",
"source": "ForwardedEvents",
"host": "vmwitetmpxxx-tst",
"_time": 1686604325.474,
"cribl_breaker": "windows event logs"
}
Answers
-
Hi @Qian Zhao, can you help us understand what you are trying to do with the event? We can definitely help you extract relevant data, but you have not provided us enough information.
0 -
Hi @Brendan Dalpe, thanks. For now, I can use the Cribl functions (Parser, Flatten) to extract the fields from the original JSON object, but I don't understand how to convert the timestamp into the format %Y-%m-%dT%H:%M:%S.%f%z; it does not produce the expected format after using the Auto Timestamp function.
0
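The two things asked for in this thread, extracting the positional Properties of the forwarded 4634 event into named fields and turning the .NET-style "/Date(1686604325474)/" value in TimeCreated into %Y-%m-%dT%H:%M:%S.%f%z, as an added example in plain JavaScript. It is not code from the original post or from Cribl; the sample event is a trimmed, properly escaped copy of the _raw string above, and the field names for event 4634 (SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId, LogonType) are taken from the Windows event schema. Cribl's Eval and Code functions take JavaScript, so the same logic is assumed to be usable there; the timestamp is formatted by hand rather than relying on any built-in strftime.

```javascript
// Added example, not code from the original post or from Cribl.

// Constructed sample: a trimmed copy of the _raw string from the question,
// held as the JSON *string* Cribl keeps in _raw (inner quotes and the
// "\/Date(...)\/" escapes are preserved; the Message text is shortened).
const SAMPLE_RAW =
  '{"Id":4634,"ProviderName":"Microsoft-Windows-Security-Auditing",' +
  '"LogName":"Security","MachineName":"vmwopsadm02-dev.hq.xxx.com",' +
  '"TimeCreated":"\\/Date(1686604325474)\\/","TaskDisplayName":"Logoff",' +
  '"KeywordsDisplayNames":["Audit Success"],' +
  '"Properties":[{"Value":"S-1-5-21-3567637-1906459281-1427260136-1830845"},' +
  '{"Value":"VMWOPSADM03-DEV$"},{"Value":"xxx"},{"Value":"0xbc526b"},{"Value":"3"}],' +
  '"Message":"An account was logged off.\\r\\n\\r\\nSubject:\\r\\n\\tLogon ID:\\t\\t0xBC526B"}';

// Positional names of the Properties array, per event ID, following the
// Windows event schema. Only 4634 (Logoff) is filled in here; other IDs
// fall back to PropertyN so nothing is silently dropped.
const PROPERTY_NAMES = {
  4634: ["SubjectUserSid", "SubjectUserName", "SubjectDomainName", "SubjectLogonId", "LogonType"],
};

// Parse "/Date(<ms>)/" or "/Date(<ms>+HHMM)/" as produced by .NET JSON
// serialisers. The number is always UTC epoch milliseconds; the optional
// offset only says which local zone the producer was in.
function parseDotNetDate(value) {
  const m = /^\/Date\((-?\d+)(?:([+-])(\d{2})(\d{2}))?\)\/$/.exec(value);
  if (!m) throw new Error(`not a .NET JSON date: ${value}`);
  const epochMs = Number(m[1]);
  let offsetMinutes = 0;
  if (m[2]) {
    offsetMinutes = (m[2] === "-" ? -1 : 1) * (Number(m[3]) * 60 + Number(m[4]));
  }
  return { epochMs, offsetMinutes };
}

// Render epoch milliseconds as %Y-%m-%dT%H:%M:%S.%f%z: %f is six-digit
// microseconds (Windows gives milliseconds, so the last three are zero) and
// %z is +HHMM. The wall-clock part is shifted by the offset it reports.
function formatTimestamp(epochMs, offsetMinutes = 0) {
  const d = new Date(epochMs + offsetMinutes * 60000);
  const pad = (n, w) => String(n).padStart(w, "0");
  const abs = Math.abs(offsetMinutes);
  const zone = (offsetMinutes < 0 ? "-" : "+") + pad(Math.floor(abs / 60), 2) + pad(abs % 60, 2);
  return (
    `${d.getUTCFullYear()}-${pad(d.getUTCMonth() + 1, 2)}-${pad(d.getUTCDate(), 2)}` +
    `T${pad(d.getUTCHours(), 2)}:${pad(d.getUTCMinutes(), 2)}:${pad(d.getUTCSeconds(), 2)}` +
    `.${pad(d.getUTCMilliseconds() * 1000, 6)}${zone}`
  );
}

// The Properties array carries the logon ID as "0xbc526b" while the Message
// text prints "0xBC526B"; lower-casing before correlating with the matching
// 4624 logon event avoids a case-sensitive miss.
function normalizeLogonId(id) {
  return String(id).toLowerCase();
}

// Turn one _raw string into the flat fields a downstream consumer wants.
function extractSecurityEvent(raw) {
  const ev = JSON.parse(raw);
  const out = {
    EventID: ev.Id,
    Provider: ev.ProviderName,
    Computer: ev.MachineName,
    Task: ev.TaskDisplayName,
  };
  const names = PROPERTY_NAMES[ev.Id] || [];
  (ev.Properties || []).forEach((p, i) => {
    out[names[i] || `Property${i}`] = p.Value;
  });
  if (out.SubjectLogonId !== undefined) {
    out.SubjectLogonId = normalizeLogonId(out.SubjectLogonId);
  }
  const { epochMs, offsetMinutes } = parseDotNetDate(ev.TimeCreated);
  out._time = epochMs / 1000; // seconds, matching Cribl's _time
  out.TimeCreated = formatTimestamp(epochMs, offsetMinutes);
  return out;
}

console.log(extractSecurityEvent(SAMPLE_RAW));
```

The regex keeps the optional "+HHMM" suffix because some .NET serialisers emit it, and the example then shifts the wall-clock fields by that offset so the rendered %z is honest; a value without a suffix is rendered as +0000, which is what the sample in the question yields.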