From c940f69f9d6a5ef4e82ea107bd922159fad6d271 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 22 Oct 2018 12:10:13 -0700 Subject: [PATCH] edits --- .../auditing/how-to-list-xml-elements-in-eventdata.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md index e928396835..7bfef9f9db 100644 --- a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md +++ b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md @@ -121,9 +121,9 @@ Description : A security-enabled local group was deleted. ``` -For the "Subject: Security Id:" text element, it will use the fourth element in the Template, "SubjectUserSid". +For the **Subject: Security Id:** text element, it will use the fourth element in the Template, **SubjectUserSid**. -For "Additional Information Privileges:", it would use the eighth element "PrivelegeList". +For **Additional Information Privileges:**, it would use the eighth element **PrivilegeList**. A caveat to this is an oft-overlooked property of events called Version (in the <SYSTEM> element) that indicates the revision of the event schema and description. Most events have 1 version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least 3 versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description.
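Review bot: On the second changed line the element name itself changes, from "PrivelegeList" to "PrivilegeList", in addition to the quote-to-bold formatting. The sentence presents that name as the eighth element of the Template, so it should be checked against the Template output earlier in the file (not visible in this hunk) and the two kept identical. The commit subject "edits" does not signal that an identifier was altered. Because SubjectUserSid and PrivilegeList are element names a reader will type verbatim, inline code formatting would suit them better than bold. In the trailing context paragraph, the unescaped "<SYSTEM>" may be consumed as an HTML tag by a Markdown renderer and vanish from the published page; escaping it or putting it in inline code would be a worthwhile follow-up.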