Integration Name
System [system]
Dataset Name
system.security
Integration Version
v2.6.0
Agent Version
8.18.4
OS Version and Architecture
Windows Security Events
User Goal
Windows Security event 5136 "A directory service object was modified." has additional information in the message field that should be parsed. Specifically, towards the end of the message field there is an Operation: section that contains a Type: value. This type field shows what operation was done and is needed for alerting and tuning. This Operation: value should be its own field and/or mapped to the event.reason field.
Existing Features
There is no field that shows the Operation: Type: besides the message field. This makes it harder for analysts to quickly find what operation was done, and also harder to tune any rules that look for this event ID.
What did you see?
When you expand the messages field for 5136 you see something like the following at the end of the field values:
Operation:
Type: Value Deleted
Anything else?
There does not appear to be this value in any other location that we can tell besides the messages field.
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5136
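Added example, not code from the issue or from the Elastic system integration: a small Python parser that splits a 5136 message into its named sections and pulls the Operation: Type: value out of the right one. The sample message below is constructed after the layout in the linked Microsoft page (the SID, DN, GUIDs and account names are placeholders), and the `event.reason` mapping in `to_ecs_fields` is the one proposed in this issue, not something the integration does today. The parser scopes the lookup to the Operation section because the Directory Service section also carries a Type: line, so a bare search for "Type:" would return the wrong value.

```python
import re
from typing import Dict, Optional

# Constructed sample of an Event ID 5136 message. Layout follows the
# Microsoft documentation for the event; all identifiers are placeholders.
SAMPLE_5136_MESSAGE = """A directory service object was modified.

Subject:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1104
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tCONTOSO
\tLogon ID:\t\t0x3E7

Directory Service:
\tName:\tcontoso.local
\tType:\tActive Directory Domain Services

Object:
\tDN:\tCN=Domain Admins,CN=Users,DC=contoso,DC=local
\tGUID:\t{00000000-0000-0000-0000-000000000001}
\tClass:\tgroup

Attribute:
\tLDAP Display Name:\tmember
\tSyntax (OID):\t2.5.5.1
\tValue:\tCN=jdoe,CN=Users,DC=contoso,DC=local

Operation:
\tType:\tValue Deleted
\tCorrelation ID:\t{00000000-0000-0000-0000-000000000002}
\tApplication Correlation ID:\t-
"""


def parse_5136_message(message: str) -> Dict[str, Dict[str, str]]:
    """Split a 5136 message into {section: {key: value}}.

    A non-indented line ending in ':' opens a section; indented 'Key:\\tValue'
    lines are attached to the section that is currently open. The summary
    line ('A directory service object was modified.') and blank lines are
    ignored.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in message.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace():
            # Section header, e.g. "Operation:"; anything else is the summary.
            if line.endswith(":"):
                current = line[:-1].strip()
                sections[current] = {}
            continue
        if current is None:
            continue
        key, sep, value = line.strip().partition(":")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def operation_type(message: str) -> Optional[str]:
    """Return the Operation: Type: value, or None if the section is absent."""
    return parse_5136_message(message).get("Operation", {}).get("Type")


# Single-regex equivalent of operation_type(), usable as a grok/regex pattern
# in an ingest pipeline. It anchors on the Operation header so the Directory
# Service "Type:" line cannot match.
OPERATION_TYPE_RE = re.compile(r"^Operation:\s*\n\s*Type:\s*(?P<op>[^\r\n]+)", re.MULTILINE)


def operation_type_regex(message: str) -> Optional[str]:
    m = OPERATION_TYPE_RE.search(message)
    return m.group("op").strip() if m else None


def to_ecs_fields(message: str) -> Dict[str, str]:
    """Map the operation type onto event.reason (this issue's proposal).

    Returns an empty dict when the message has no Operation section so a
    caller never writes an empty event.reason.
    """
    op = operation_type(message)
    return {"event.reason": op} if op else {}


if __name__ == "__main__":
    print(operation_type(SAMPLE_5136_MESSAGE))   # Value Deleted
    print(to_ecs_fields(SAMPLE_5136_MESSAGE))
```

Both lookups return `Value Deleted` for the sample, and `None` / `{}` when a message has no Operation section, which is the case to guard against before a rule keys on the new field.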