Windows Event Pack
5 minute read
Edge Delta Pipeline Pack for Windows Event Logs to OCSF
Overview
The Edge Delta Windows Event Log to OCSF pack normalizes and transforms Windows Event Log messages into the Open Cybersecurity Schema Framework (OCSF) format. This pack enables standardized security analysis, SIEM correlation, and downstream processing by converting Windows-specific event data into a universal cybersecurity schema.
Pack Description
1. Data Ingestion
All Windows Event Log messages first enter via the Pack Source, which marks the logical entry point for data within this pack. The expected input format is JSON-structured Windows Event Logs containing fields like eventId, level, source, timestamp, message, computerName, and eventData.
2. Parse, Transform, and Normalize (via Multi-Processor Sequence)
Logs then move to a multiprocessor node, which chains several processors executed sequentially on every log:
- name: demo_template_input_cde6_multiprocessor
type: sequence
user_description: Multi Processor
processors:
- type: ottl_transform
metadata: '{"id":"30bLyhYXuPBEKWP8Wem6e789xzL","type":"parse-json","name":"Parse JSON","isRecommendation":true}'
data_types:
- log
statements: |-
set(cache["parsed-json"], ParseJSON(body))
merge_maps(attributes, cache["parsed-json"], "upsert") where IsMap(attributes) and IsMap(cache["parsed-json"])
set(attributes, cache["parsed-json"]) where not (IsMap(attributes) and IsMap(cache["parsed-json"]))
- type: ottl_transform
metadata: '{"id":"fvosE0v5rNgsZqfcX9WTu","type":"parse-timestamp","name":"Parse Timestamp","isRecommendation":true}'
data_types:
- log
statements: set(timestamp, UnixMilli(Time(attributes["timestamp"], "2006-01-02T15:04:05Z07:00")))
- type: ottl_transform
metadata: '{"id":"m94GP7Z-_pjl088_wNdIs","type":"copy-field","name":"Update body","isRecommendation":true}'
data_types:
- log
statements: set(body, attributes["message"])
- type: ottl_transform
metadata: '{"id":"_3wWnRebCVyosNkH-l7zE","type":"delete-field","name":"Delete Field"}'
data_types:
- log
statements: delete_key(attributes, "message")
- type: ottl_transform
metadata: '{"id":"1p9fpcYPhWPKyUbjhOLHE","type":"ottl_transform","name":"Custom"}'
data_types:
- log
statements: |-
// Add your custom code here
set(attributes["event_id"], String(attributes["eventId"]))
delete_key(attributes, "eventId")
- type: lookup
metadata: '{"id":"UKm8w4QUg7gH5GEsGNVog","type":"lookup","name":"Lookup"}'
data_types:
- log
location_path: ed://event_id_to_ocsf_class.csv
key_fields:
- event_field: attributes["event_id"]
lookup_field: event_id
out_fields:
- event_field: attributes["class_uid"]
lookup_field: class_uid
- event_field: attributes["class_name"]
lookup_field: class_name
- type: lookup
metadata: '{"id":"LcjLr5NEa4oD9IQ07PvfH","type":"lookup","name":"Lookup"}'
data_types:
- log
location_path: ed://source_to_ocsf_category.csv
key_fields:
- event_field: attributes["source"]
lookup_field: source
out_fields:
- event_field: attributes["category_uid"]
lookup_field: category_uid
- event_field: attributes["category_name"]
lookup_field: category_name
- type: lookup
metadata: '{"id":"BQP1SCzoXfwTPSw2XfB55","type":"lookup","name":"Lookup"}'
data_types:
- log
location_path: ed://level_to_ocsf_severity.csv
key_fields:
- event_field: attributes["level"]
lookup_field: level
out_fields:
- event_field: attributes["severity_id"]
lookup_field: severity_id
- event_field: attributes["severity"]
lookup_field: severity
This Multi-Processor sequence consists of eight steps:
2.1. Parse JSON
The Parse JSON processor parses the Windows Event Log message body as JSON and merges the parsed fields into the attributes. If attributes is already a map, it merges using upsert (update or insert). If not, it replaces attributes with the parsed JSON map.
2.2. Parse Timestamp
The Parse Timestamp processor converts the Windows Event Log timestamp from ISO 8601 format (2006-01-02T15:04:05Z07:00) to Unix milliseconds format for standardized time handling across different systems.
2.3. Update Body
The Update body processor moves the Windows Event Log message content from attributes["message"] to the main body field, ensuring the human-readable event description is properly positioned.
2.4. Delete Field
The Delete Field processor removes the original message field from attributes to avoid duplication after moving it to the body.
2.5. Field Normalization
The Custom processor performs field normalization by:
- Converting
eventId(numeric) toevent_id(string) for OCSF compatibility - Removing the original
eventIdfield to avoid duplication
2.6. Event ID to OCSF Class Lookup
The Event ID Lookup processor uses a CSV lookup table (event_id_to_ocsf_class.csv) to map Windows Event IDs to OCSF class information:
- Input:
attributes["event_id"](e.g., “4624”, “4688”, “1116”) - Output:
attributes["class_uid"](e.g., 3002, 1007, 2001)attributes["class_name"](e.g., “Authentication”, “Process Activity”, “Security Finding”)
2.7. Source to OCSF Category Lookup
The Source Lookup processor uses a CSV lookup table (source_to_ocsf_category.csv) to map Windows Event Log sources/channels to OCSF categories:
- Input:
attributes["source"](e.g., “Microsoft-Windows-Security-Auditing”, “Microsoft-Windows-Sysmon/Operational”) - Output:
attributes["category_uid"](e.g., 3, 1, 4)attributes["category_name"](e.g., “Identity & Access Management”, “System Activity”, “Network Activity”)
2.8. Level to OCSF Severity Lookup
The Level Lookup processor uses a CSV lookup table (level_to_ocsf_severity.csv) to map Windows Event Log levels to OCSF severity information:
- Input:
attributes["level"](e.g., “Information”, “Warning”, “Error”, “Critical”) - Output:
attributes["severity_id"](e.g., 1, 3, 4, 5)attributes["severity"](e.g., “Informational”, “Medium”, “High”, “Critical”)
3. Pack Destination
All transformed and OCSF-normalized log entries are routed to Pack Destination.
- name: Pack Destination
type: compound_output
OCSF Transformation Details
Supported Event Types
This pack supports transformation of the following Windows Event Log types:
| Event Category | Event IDs | OCSF Class | Examples |
|---|---|---|---|
| Authentication | 4624, 4625, 4634, 4647, 4648, 4768-4771, 4776 | Authentication (3002) | User logon/logoff, Kerberos events |
| Process Activity | 4688, 4689, Sysmon 1, 5 | Process Activity (1007) | Process creation/termination |
| File System | 4656, 4658, 4663, Sysmon 11 | File System Activity (1001) | File access, creation, deletion |
| Network Activity | 5156, 5157, Sysmon 3, 22 | Network Activity (4001) | Network connections, DNS queries |
| Registry | 4657, Sysmon 12-14 | Registry (1009) | Registry modifications |
| Security Findings | 1116-1119, Windows Defender events | Security Finding (2001) | Malware detection, security alerts |
| System Activity | 7036, 7040, 7045, 1000-1002 | System Activity (1004) | Service state changes, application events |
Supported Sources/Channels
- System Event Logs: Application, System, Security, Setup
- Security Logs: Microsoft-Windows-Security-Auditing
- Monitoring: Microsoft-Windows-Sysmon/Operational
- PowerShell: Microsoft-Windows-PowerShell/Operational
- Security Tools: Microsoft-Windows-Windows Defender/Operational
- Network: Microsoft-Windows-DNS-Client/Operational
- System Services: Microsoft-Windows-TaskScheduler/Operational
- And many more…
Field Mappings
| Windows Event Log Field | OCSF Field | Description |
|---|---|---|
eventId | event_id, class_uid, class_name | Event identification and classification |
source | category_uid, category_name | Event source categorization |
level | severity_id, severity | Event severity mapping |
timestamp | timestamp | Normalized to Unix milliseconds |
message | body | Human-readable event description |
computerName | computerName | Host identifier (preserved) |
eventData.* | eventData.* | Event-specific data (preserved) |
Requirements
- Edge Delta agent with OTTL transform and lookup processor support
- Three CSV lookup tables:
event_id_to_ocsf_class.csv(72 event ID mappings)source_to_ocsf_category.csv(60+ source mappings)level_to_ocsf_severity.csv(14 severity level mappings)
Output Format
After processing, Windows Event Logs are transformed into OCSF-compliant format with standardized fields for security analysis, SIEM correlation, and downstream processing. The output maintains all original Windows-specific data while adding OCSF classification fields.
Use Cases
- SIEM Integration: Standardized format for security information and event management systems
- Cross-Platform Analysis: Unified schema for analyzing events across different security tools
- Compliance Reporting: Standardized categorization for regulatory compliance
- Threat Detection: Enhanced context for security monitoring and alerting
- Data Lake Ingestion: Consistent schema for big data analytics platforms
Sample Input
{"eventId":1000,"level":"Error","source":"Application Error","timestamp":"2025-07-15T10:30:00.123Z","message":"Faulting application name: notepad.exe, version: 10.0.19041.1320, time stamp: 0x60c2b0e5","computerName":"DESKTOP-ABC123","eventData":{"faultingApplicationName":"notepad.exe","faultingApplicationVersion":"10.0.19041.1320","faultingModuleName":"ntdll.dll","exceptionCode":"0xc0000005"}}
{"eventId":4624,"level":"Information","source":"Microsoft-Windows-Security-Auditing","timestamp":"2025-07-15T10:25:00.456Z","message":"An account was successfully logged on","computerName":"DESKTOP-ABC123","eventData":{"subjectUserSid":"S-1-5-18","subjectUserName":"SYSTEM","targetUserSid":"S-1-5-21-123456789-987654321-111111111-1001","targetUserName":"john.doe","logonType":"2","logonProcessName":"User32","authenticationPackageName":"Negotiate","workstationName":"DESKTOP-ABC123","sourceNetworkAddress":"192.168.1.100","sourcePort":"0"}}
{"eventId":7036,"level":"Information","source":"Service Control Manager","timestamp":"2025-07-15T10:20:00.789Z","message":"The Windows Update service entered the stopped state","computerName":"DESKTOP-ABC123","eventData":{"serviceName":"wuauserv","state":"stopped"}}
{"eventId":4104,"level":"Warning","source":"Microsoft-Windows-PowerShell","timestamp":"2025-07-15T10:35:00.234Z","message":"Creating Scriptblock text (1 of 1)","computerName":"DESKTOP-ABC123","eventData":{"scriptBlockId":"{12345678-1234-5678-9012-123456789012}","scriptBlockText":"Get-Process | Where-Object {$_.CPU -gt 100}","messageNumber":"1","messageTotal":"1"}}
{"eventId":1,"level":"Information","source":"Microsoft-Windows-Sysmon","timestamp":"2025-07-15T10:40:00.567Z","message":"Process creation","computerName":"DESKTOP-ABC123","eventData":{"processId":"1234","image":"C:\\Windows\\System32\\cmd.exe","commandLine":"cmd.exe /c dir","user":"DESKTOP-ABC123\\john.doe","parentProcessId":"5678","parentImage":"C:\\Windows\\explorer.exe"}}
{"eventId":1116,"level":"Warning","source":"Microsoft-Windows-Windows Defender","timestamp":"2025-07-15T10:45:00.890Z","message":"Antimalware platform detected malware or other potentially unwanted software","computerName":"DESKTOP-ABC123","eventData":{"threatName":"Trojan:Win32/Suspicious.File","path":"C:\\Users\\john.doe\\Downloads\\suspicious.exe","action":"Quarantine","user":"DESKTOP-ABC123\\john.doe"}}
{"eventId":3008,"level":"Warning","source":"Microsoft-Windows-DNS-Client","timestamp":"2025-07-15T10:50:00.123Z","message":"DNS query failed","computerName":"DESKTOP-ABC123","eventData":{"queryName":"badsite.example.com","queryType":"A","errorCode":"9003","serverIp":"8.8.8.8"}}
{"eventId":201,"level":"Information","source":"Microsoft-Windows-TaskScheduler","timestamp":"2025-07-15T10:55:00.456Z","message":"Task Scheduler successfully completed task","computerName":"DESKTOP-ABC123","eventData":{"taskName":"\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan","actionName":"C:\\Windows\\system32\\UsoClient.exe","resultCode":"0"}}
{"eventId":1,"level":"Information","source":"Microsoft-Windows-Kernel-General","timestamp":"2025-07-15T11:00:00.789Z","message":"The system time has changed","computerName":"DESKTOP-ABC123","eventData":{"oldTime":"2025-07-15T10:59:59.000Z","newTime":"2025-07-15T11:00:00.000Z","reason":"SystemTimeSet"}}
{"eventId":10016,"level":"Error","source":"Microsoft-Windows-DriverFrameworks-UserMode","timestamp":"2025-07-15T11:05:00.234Z","message":"A problem occurred with a User Mode Driver Framework device","computerName":"DESKTOP-ABC123","eventData":{"deviceInstanceId":"USB\\VID_1234&PID_5678\\1234567890","driverName":"usbdevice.sys","errorCode":"0x80070005"}}