Merged PR 12259: edits

edits
Justin Hall 2018-10-22 19:12:59 +00:00
commit 04ec446f5a


@ -121,9 +121,9 @@ Description : A security-enabled local group was deleted.
``` ```
For the "Subject: Security Id:" text element, it will use the fourth element in the Template, "SubjectUserSid". For the **Subject: Security Id:** text element, it will use the fourth element in the Template, **SubjectUserSid**.
For "Additional Information Privileges:", it would use the eighth element "PrivelegeList". For **Additional Information Privileges:**, it would use the eighth element **PrivilegeList**.
A caveat to this is an oft-overlooked property of events called Version (in the <SYSTEM> element) that indicates the revision of the event schema and description. Most events have 1 version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least 3 versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description. A caveat to this is an oft-overlooked property of events called Version (in the <SYSTEM> element) that indicates the revision of the event schema and description. Most events have 1 version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least 3 versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description.
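Review bot: in the unchanged third paragraph of this hunk, `<SYSTEM>` is written as a bare angle-bracket tag, which a Markdown renderer may treat as raw HTML and silently drop, so the sentence would read "(in the element)" on the rendered page; since this change is already about rendering (quotes to bold), wrap it in backticks as `<System>`, which also matches the casing of the element in the event XML. The same paragraph says "Most events have 1 version (all events have Version =0 like the Security/4734 example)" and then lists events with three versions, so "all events" contradicts the next clause; "most events have Version = 0" would be consistent. The PrivelegeList to PrivilegeList correction in the second line is right and matches the parameter name used elsewhere in this section.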