Request for Information on Microsoft-Windows-Winlogon/Operational Logs
Hello,
I am trying to normalize events collected in the SIEM system from the Microsoft-Windows-Winlogon/Operational log, but I cannot find sufficient information in the Microsoft Knowledge Base regarding the interpretation of these logs.
I found some information about this event on GitHub, but it is not enough for a proper understanding of the logs (https://github.com/repnz/etw-providers-docs/blob/master/Manifests-Win10-17134/Microsoft-Windows-Winlogon.xml#L99), as the numerical interpretation of the value in the Event field remains unclear.
On Microsoft resources, I found information about Winlogon events, but there are no event identifiers (EventID), task codes (Task), or event codes (Event) listed (https://learn.microsoft.com/ru-ru/windows/win32/secauthn/winlogon-notification-events). Additionally, we found a resource that provides views of logs for various Winlogon events, but the information there is not particularly helpful (https://windows-event-explorer.app.elstc.co/publisher/Microsoft-Windows-Winlogon).
Due to the above, I lack a sufficient understanding of the logs collected from the Winlogon journal and how to read them effectively.
Furthermore, I would like to obtain more detailed information about notification subscribers. They appear in the logs of two devices, both domain-joined and non-domain-joined.
I would like to understand what the event types in this log indicate so that I can determine which types of events are necessary for collection and how to make them more informative. Please share any information that could help with this issue. Ideally, I would appreciate a manual with interpretations of Winlogon logs.
I also posted my question here: https://answers.microsoft.com/ru-ru/windows/forum/all/request-for-information-on-microsoft-windows/05febfb0-44aa-4d66-b2f5-6b0d090fb637
Example message:
The winlogon notification subscriber <%{SubscriberName}> began handling the notification event (%{Event}).
In XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Winlogon" Guid="{MyGUID}" />
    <EventID>812</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>811</Task>
    <Opcode>2</Opcode>
    <Keywords>0x4000000000010000</Keywords>
    <TimeCreated SystemTime="2024-09-18T14:43:13.0238548Z" />
    <EventRecordID>18820</EventRecordID>
    <Correlation />
    <Execution ProcessID="9168" ThreadID="8616" />
    <Channel>Microsoft-Windows-Winlogon/Operational</Channel>
    <Computer>ComputerName</Computer>
    <Security UserID="MySecurityUserID" />
  </System>
  <EventData>
    <Data Name="Event">N</Data>
    <Data Name="SubscriberName">TermSrv</Data>
  </EventData>
</Event>
Thank you for your assistance!
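Added example (not part of the original post or of any Microsoft code): a small Python normalizer for the XML view of a Winlogon/Operational event like the one above. It flattens the <System> header and every <Data Name="..."> field into one SIEM-style record, maps the standard ETW Level number to its name, and renders the message template by substituting the %{Field} placeholders from EventData. The numeric meaning of the EventData "Event" value is exactly what the post says is missing, so the lookup table for it is left empty and must be filled from the provider manifest the post links to; the sample event, its GUID, SID and Event value are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by every Windows event rendered as XML (matches the post's <Event xmlns=...>).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Standard ETW level values; these are fixed across providers.
LEVEL_NAMES = {1: "Critical", 2: "Error", 3: "Warning", 4: "Informational", 5: "Verbose"}

# Placeholder for the Winlogon-specific mapping of the numeric EventData "Event"
# value to a notification name. The post does not give this mapping and none is
# assumed here; fill it from the provider manifest the post links to.
WINLOGON_NOTIFICATION_EVENTS = {}

# Message template as the post shows it; each %{Name} refers to an EventData field.
TEMPLATE_812 = ("The winlogon notification subscriber <%{SubscriberName}> "
                "began handling the notification event (%{Event}).")


def normalize_winlogon_event(xml_text):
    """Flatten one Winlogon event (XML view) into a SIEM-style dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None:
        raise ValueError("not a Windows event: <System> element missing")

    def text(tag):
        el = system.find("e:" + tag, NS)
        return el.text if el is not None else None

    def attr(tag, name):
        el = system.find("e:" + tag, NS)
        return el.get(name) if el is not None else None

    level = int(text("Level"))
    record = {
        "provider": attr("Provider", "Name"),
        "channel": text("Channel"),
        "event_id": int(text("EventID")),
        "task": int(text("Task")),
        "opcode": int(text("Opcode")),
        "level": level,
        "level_name": LEVEL_NAMES.get(level, "unknown(%d)" % level),
        "keywords": text("Keywords"),
        "timestamp": attr("TimeCreated", "SystemTime"),
        "record_id": int(text("EventRecordID")),
        "computer": text("Computer"),
        "process_id": attr("Execution", "ProcessID"),
        "user_sid": attr("Security", "UserID"),
    }
    # Every <Data Name="..."> becomes data.<Name>, whatever the event's schema.
    for data in root.findall("e:EventData/e:Data", NS):
        if data.get("Name"):
            record["data." + data.get("Name")] = (data.text or "").strip()
    # Winlogon-specific enrichment: resolve the numeric notification event if the table knows it.
    raw = record.get("data.Event")
    if raw is not None and raw.isdigit():
        n = int(raw)
        record["notification_event"] = WINLOGON_NOTIFICATION_EVENTS.get(n, "unknown(%d)" % n)
    return record


def render_message(template, record):
    """Substitute %{Field} placeholders with EventData values (missing fields become '?')."""
    return re.sub(r"%\{(\w+)\}", lambda m: record.get("data." + m.group(1), "?"), template)


# Constructed sample modelled on the event in the post; the GUID, the SID and the
# numeric Event value are placeholders, not values taken from a real machine.
SAMPLE_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Winlogon" Guid="{00000000-0000-0000-0000-000000000000}" />
    <EventID>812</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>811</Task>
    <Opcode>2</Opcode>
    <Keywords>0x4000000000010000</Keywords>
    <TimeCreated SystemTime="2024-09-18T14:43:13.0238548Z" />
    <EventRecordID>18820</EventRecordID>
    <Correlation />
    <Execution ProcessID="9168" ThreadID="8616" />
    <Channel>Microsoft-Windows-Winlogon/Operational</Channel>
    <Computer>ComputerName</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Event">1</Data>
    <Data Name="SubscriberName">TermSrv</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    rec = normalize_winlogon_event(SAMPLE_XML)
    for key, value in rec.items():
        print(key, "=", value)
    print(render_message(TEMPLATE_812, rec))
```

Until the Event table is filled, unknown values are kept as "unknown(N)" rather than dropped, so the raw number still reaches the SIEM and can be mapped later; the EventID/Task/Opcode triple from the header is what identifies the event template itself, so that is the key to join against the manifest.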