Upgrade windows decoders (#175)

* Windows decoders upgrade Compatibility with TerminalServices-Gateway event type added. * update revision
wazuh · Aug 24, 2018 · bb3801d · bb3801d
1 parent 6ba116c
commit bb3801d
Showing 1 changed file with 78 additions and 0 deletions.
diff --git a/decoders/0380-windows_decoders.xml b/decoders/0380-windows_decoders.xml
@@ -519,6 +519,84 @@ Event ID 1117:
 
 <!-- Windows Defender END -->
 
+
+<!-- Terminal Services 
+
+ - 2018 Aug 20 10:09:53 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: INFORMATION(200): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP".
+
+ - 2018 Aug 20 07:41:27 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: ERROR(201): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".
+
+ - 2018 Aug 20 07:32:33 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: INFORMATION(202): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The administrator disconnected the user "someuser\somedomain", on client computer "1.2.3.4", from the following network resource: "resourceName". Before the user was disconnected, the client transferred 149218 bytes and received 196031 bytes using HTTP connection protocol. The client session duration was 85 seconds.
+
+ - 2018 Aug 20 10:09:53 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: INFORMATION(300): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", met resource authorization policy requirements and was therefore authorized to connect to resource "resourceName".
+ 
+ - 2018 Aug 20 07:55:34 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: ERROR(301): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", did not meet resource authorization policy requirements and was therefore not authorized to resource "resourceName". The following error occurred: "23002".
+
+ - 2018 Aug 20 10:09:53 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: INFORMATION(302): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", connected to resource "resourceName". Connection protocol used: "HTTP".
+
+ - 2018 Aug 20 10:10:36 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: INFORMATION(303): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "1.2.3.4", disconnected from the following network resource: "resourceName". Before the user disconnected, the client transferred 1285 bytes and received 3122 bytes. The client session duration was 43 seconds. Connection protocol used: "HTTP".
+
+ - 2018 Aug 21 09:49:54 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: WARNING(304): Microsoft-Windows-TerminalServices-Gateway: NETWORK SERVICE: NT AUTHORITY: some-host-name: The user "someuser\somedomain", on client computer "195.160.232.242", met connection authorization policy and resource authorization policy requirements, but could not connect to resource "resourceName". Connection protocol used: "HTTP". The following error occurred: "23005".
+ 
+-->
+
+
+<decoder name="TerminalServices-Gateway">
+ <type>windows</type>
+ <parent>windows</parent>
+ <prematch>Microsoft-Windows-TerminalServices-Gateway/Operational</prematch>
+ <regex>^(Microsoft-Windows-TerminalServices-Gateway/Operational): (\w+)\((\d+)\): \.+: </regex>
+ <regex>(\.+): \.+: (\S+): </regex>
+ <order>type, status, id, account, system_name</order>
+ <fts>name, location, system_name</fts>
+</decoder>
+
+<decoder name="TerminalServices-Gateway">
+ <parent>windows</parent>
+ <type>windows</type>
+ <regex offset="after_regex">\whe user "(\.+)", on client computer "(\.*)", </regex>
+ <order>user, dstip</order>
+</decoder>
+
+<decoder name="TerminalServices-Gateway">
+ <parent>windows</parent>
+ <type>windows</type>
+ <regex offset="after_regex">resource\p* "(\.*)"</regex>
+ <order>resource</order>
+</decoder>
+
+<decoder name="TerminalServices-Gateway">
+ <parent>windows</parent>
+ <type>windows</type>
+ <regex offset="after_regex">method used was: "(\.*)"</regex>
+ <order>auth_method</order>
+</decoder>
+
+<decoder name="TerminalServices-Gateway">
+ <parent>windows</parent>
+ <type>windows</type>
+ <regex offset="after_regex">protocol used: "(\.*)"</regex>
+ <order>protocol</order>
+</decoder>
+
+<decoder name="TerminalServices-Gateway">
+ <parent>windows</parent>
+ <type>windows</type>
+ <regex offset="after_regex">using (\.*) connection protocol.</regex>
+ <order>protocol</order>
+</decoder>
+
+<decoder name="TerminalServices-Gateway">
+ <parent>windows</parent>
+ <type>windows</type>
+ <regex offset="after_regex">error occurred: "(\.*)"</regex>
+ <order>error_code</order>
+</decoder>
+
+
+<!-- Terminal Services END -->
+
+
 <!-- Windows generic -->
 
 <!--