I am trying to use OSQuery in an environment with WEF/WEC and what I am trying to do is to collect all the Windows Events that are stored via subscriptions in the WEC servers.
My problem is that when I gather the windows events via OSQuery I do not seem to be able to get the field "Computer" which includes the hostname that actually generated the event.
Did somebody manage to get this working? Or is it an actual limitation of OSquery? When looking at the windows_events table schema (https://osquery.io/schema/4.5.1/#windows_events) it does not seem that the "Computer" field has been taken in account.
As an example, I have a WEC configured in a host named DESKTOP-JC2OUUQ and I have a subscription there for a laptop named DESKTOP-BEH0A7O. The eventlogs are flowing correctly towards WEC an i can receive them. Following is one of the events I am receiving:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event" xml:lang="en-US">
<System>
<Provider Name="Microsoft-Windows-Security-SPP" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" EventSourceName="Software Protection Platform Service" />
<EventID Qualifiers="16384">16384</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2020-10-22T16:20:17.2647971Z" />
<EventRecordID>907</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>DESKTOP-BEH0A7O</Computer>
<Security />
</System>
<EventData>
<Data>2020-12-18T12:30:17Z</Data>
<Data>RulesEngine</Data>
</EventData>
<RenderingInfo Culture="en-US">
<Message>Successfully scheduled Software Protection service for re-start at 2020-12-18T12:30:17Z. Reason: RulesEngine.</Message>
<Level>Information</Level>
<Task />
<Opcode />
<Channel />
<Provider>Microsoft-Windows-Security-SPP</Provider>
<Keywords>
<Keyword>Classic</Keyword>
</Keywords>
</RenderingInfo>
</Event>
When I try to collect this event with OSQuery, i get the following output:
{
"name": "windows_events_query",
"hostIdentifier": "DESKTOP-JC2OUUQ",
"calendarTime": "Thu Oct 22 16:26:14 2020 UTC",
"unixTime": 1603383974,
"epoch": 0,
"counter": 0,
"numerics": false,
"decorations": {
"host_uuid": "A7A0828C-1264-4E24-A67F-F5B69BE86165",
"username": "vagrant"
},
"columns": {
"data": "{\"EventData\":[\"2020-12-18T12:30:17Z\",\"RulesEngine\"]}",
"datetime": "2020-10-22T16:20:17.2647971Z",
"eventid": "16384",
"keywords": "0x80000000000000",
"level": "4",
"provider_guid": "{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}",
"provider_name": "Microsoft-Windows-Security-SPP",
"source": "Application",
"task": "0",
"time": "1603383958"
},
"action": "added"
}
As you can see, among other fields I am not seeing the "Computer" tag which, to my knowledge is the only one containing the actual host who generated the event. Is there any way to get that value with OSQuery or is it a limitation?
Thanks!
