From 02288814b616c5974db7ba1d035100e2d56310ae Mon Sep 17 00:00:00 2001 From: Mahdi Hamedani Nezhad <150752864+thegreatmhn@users.noreply.github.com> Date: Wed, 11 Jun 2025 19:38:33 +0330 Subject: [PATCH 1/7] Create domain_enumeration_using_netdom.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This Pull Request adds a new detection to identify potential enumeration of Active Directory infrastructure using the netdom.exe utility. It targets specific keywords in the process command-line arguments such as: QUERY, WORKSTATION, SERVER, DC, OU, PDC, FSMO, and TRUST These arguments are commonly associated with discovery of domain topology, trust relationships, and FSMO roles — tactics that are frequently used during internal reconnaissance and lateral movement in enterprise environments. --- .../domain_enumeration_using_netdom.yml | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 detections/endpoint/domain_enumeration_using_netdom.yml diff --git a/detections/endpoint/domain_enumeration_using_netdom.yml b/detections/endpoint/domain_enumeration_using_netdom.yml new file mode 100644 index 0000000000..865c5c14e0 --- /dev/null +++ b/detections/endpoint/domain_enumeration_using_netdom.yml 
@@ -0,0 +1,36 @@ +name: Netdom Active Directory Enumeration +id: 4d12a2e8-4b9a-4b4d-8f67-73b94bbafea1 +version: 1 +date: '2025-06-11' +author: Mahdi Hamedani Nezhad +status: experimental +type: TTP +data_source: [] +description: This detection identifies potential Active Directory enumeration behavior by observing the use of `netdom.exe` with suspicious keywords such as QUERY, WORKSTATION, SERVER, DC, OU, PDC, FSMO, and TRUST. These terms often indicate an attempt to enumerate domain infrastructure or trust relationships. Detection of this behavior is important for identifying internal reconnaissance or preparation for lateral movement within an Active Directory environment. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=netdom.exe OR Processes.original_file_name=netdom.exe) (Processes.process="* QUERY *" OR Processes.process="* WORKSTATION *" OR Processes.process="* SERVER *" OR Processes.process="* DC *" OR Processes.process="* OU *" OR Processes.process="* PDC *" OR Processes.process="* FSMO *" OR Processes.process="* TRUST *") by Processes.action Processes.dest Processes.process_name Processes.process_path Processes.user Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +how_to_implement: Ensure endpoint process auditing is enabled and ingested into the Endpoint.Processes datamodel. Validate that command-line arguments are captured for processes. +known_false_positives: Netdom is a legitimate tool and may be used by administrators for valid purposes. Filtering may be necessary based on known admin hosts or service accounts. 
+references: +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/netdom +- https://attack.mitre.org/techniques/T1069/002/ +drilldown_searches: [] +tags: + analytic_story: + - Active Directory Discovery + - Domain Trust Discovery + asset_type: Endpoint + atomic_guid: [] + mitre_attack_id: + - T1069.002 + - T1482 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: Manual Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/active_directory/command_line/netdom_enum.log + source: WinEventLog:Security + sourcetype: XmlWinEventLog From a1eb2f58af8c75c18af1aca6938520c8b6f52c42 Mon Sep 17 00:00:00 2001 From: Mahdi Hamedani Nezhad <150752864+thegreatmhn@users.noreply.github.com> Date: Wed, 11 Jun 2025 20:36:47 +0330 Subject: [PATCH 2/7] Update and rename domain_enumeration_using_netdom.yml to netdom_active_directory_enumeration.yml.yml --- ...g_netdom.yml => netdom_active_directory_enumeration.yml.yml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename detections/endpoint/{domain_enumeration_using_netdom.yml => netdom_active_directory_enumeration.yml.yml} (97%) diff --git a/detections/endpoint/domain_enumeration_using_netdom.yml b/detections/endpoint/netdom_active_directory_enumeration.yml.yml similarity index 97% rename from detections/endpoint/domain_enumeration_using_netdom.yml rename to detections/endpoint/netdom_active_directory_enumeration.yml.yml index 865c5c14e0..1d70c67e34 100644 --- a/detections/endpoint/domain_enumeration_using_netdom.yml +++ b/detections/endpoint/netdom_active_directory_enumeration.yml.yml 
@@ -7,7 +7,7 @@ status: experimental type: TTP data_source: [] description: This detection identifies potential Active Directory enumeration behavior by observing the use of `netdom.exe` with suspicious keywords such as QUERY, WORKSTATION, SERVER, DC, OU, PDC, FSMO, and TRUST. These terms often indicate an attempt to enumerate domain infrastructure or trust relationships. Detection of this behavior is important for identifying internal reconnaissance or preparation for lateral movement within an Active Directory environment. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=netdom.exe OR Processes.original_file_name=netdom.exe) (Processes.process="* QUERY *" OR Processes.process="* WORKSTATION *" OR Processes.process="* SERVER *" OR Processes.process="* DC *" OR Processes.process="* OU *" OR Processes.process="* PDC *" OR Processes.process="* FSMO *" OR Processes.process="* TRUST *") by Processes.action Processes.dest Processes.process_name Processes.process_path Processes.user Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=netdom.exe OR Processes.original_file_name=netdom.exe) (Processes.process="* QUERY *" OR Processes.process="* WORKSTATION *" OR Processes.process="* SERVER *" OR Processes.process="* DC *" OR Processes.process="* OU *" OR Processes.process="* PDC *" OR Processes.process="* FSMO *" OR Processes.process="* TRUST *") by Processes.action Processes.dest Processes.process_name Processes.process_path Processes.user Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `netdom_active_directory_enumeration_filter`' 
how_to_implement: Ensure endpoint process auditing is enabled and ingested into the Endpoint.Processes datamodel. Validate that command-line arguments are captured for processes. known_false_positives: Netdom is a legitimate tool and may be used by administrators for valid purposes. Filtering may be necessary based on known admin hosts or service accounts. references: From e985011a0a8f2e2e983144c840b8e7e1532a940a Mon Sep 17 00:00:00 2001 From: Mahdi Hamedani Nezhad <150752864+thegreatmhn@users.noreply.github.com> Date: Wed, 11 Jun 2025 20:38:18 +0330 Subject: [PATCH 3/7] fixing rule issues --- ...numeration.yml.yml => netdom_active_directory_enumeration.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename detections/endpoint/{netdom_active_directory_enumeration.yml.yml => netdom_active_directory_enumeration.yml} (100%) diff --git a/detections/endpoint/netdom_active_directory_enumeration.yml.yml b/detections/endpoint/netdom_active_directory_enumeration.yml similarity index 100% rename from detections/endpoint/netdom_active_directory_enumeration.yml.yml rename to detections/endpoint/netdom_active_directory_enumeration.yml From ee78b5742eb4ef45717d9c214590591f7dbab246 Mon Sep 17 00:00:00 2001 From: Mahdi Hamedani Nezhad <150752864+thegreatmhn@users.noreply.github.com> Date: Thu, 12 Jun 2025 20:37:20 +0330 Subject: [PATCH 4/7] Update netdom_active_directory_enumeration.yml --- detections/endpoint/netdom_active_directory_enumeration.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/netdom_active_directory_enumeration.yml b/detections/endpoint/netdom_active_directory_enumeration.yml index 1d70c67e34..82d05dd415 100644 --- a/detections/endpoint/netdom_active_directory_enumeration.yml +++ b/detections/endpoint/netdom_active_directory_enumeration.yml @@ -1,4 +1,4 @@ -name: Netdom Active Directory Enumeration +name: netdom_active_directory_enumeration id: 4d12a2e8-4b9a-4b4d-8f67-73b94bbafea1 version: 1 date: '2025-06-11' 
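Review bot: In PATCH 1/7 the new detection ships with `data_source: []` and a search that has no trailing filter macro, and ESCU content needs both before it builds: list the process-creation sources the `Endpoint.Processes` search actually consumes (Sysmon EventID 1, Windows Event Log Security 4688, CrowdStrike ProcessRollup2 are the usual set) and close the pipeline with `| `netdom_active_directory_enumeration_filter`` so customers can tune out the known admin hosts and service accounts that `known_false_positives` already says will be needed. Two smaller points on the same hunk: `tests: - name: Manual Test` should be a `True Positive Test` against the attack_data dataset it already points at, and the `by` clause carries only six fields, so the parent process, process GUID and process ID an analyst needs to pivot from the alert are not in the results.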
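Review bot: In PATCH 2/7 the rename target is `netdom_active_directory_enumeration.yml.yml`, a doubled extension that PATCH 3/7 then corrects, and the only content change appends `| `netdom_active_directory_enumeration_filter`` without the space before the pipe that the rest of the search uses; squash patches 2 to 4 into the first commit so the series never carries the broken filename and the macro suffix matches the final detection name in one step.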
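Review bot: In PATCH 4/7, `name:` is changed to the snake_case `netdom_active_directory_enumeration`; the `name` field of an ESCU detection is the human-readable title (the earlier `Netdom Active Directory Enumeration` had the right shape, and PATCH 5/7 goes back to a title-case name), while the snake_case form belongs to the filename and the `_filter` macro, so this change should be dropped rather than reverted in a later commit.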
From 29e62be9ef6ef547b88dfd4981a1bd572d3660f7 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Thu, 12 Jun 2025 21:51:20 +0200 Subject: [PATCH 5/7] Update and rename netdom_active_directory_enumeration.yml to windows_active_directory_enumeration_via_netdom.yml --- .../netdom_active_directory_enumeration.yml | 36 ------- ...ctive_directory_enumeration_via_netdom.yml | 93 +++++++++++++++++++ 2 files changed, 93 insertions(+), 36 deletions(-) delete mode 100644 detections/endpoint/netdom_active_directory_enumeration.yml create mode 100644 detections/endpoint/windows_active_directory_enumeration_via_netdom.yml diff --git a/detections/endpoint/netdom_active_directory_enumeration.yml b/detections/endpoint/netdom_active_directory_enumeration.yml deleted file mode 100644 index 82d05dd415..0000000000 --- a/detections/endpoint/netdom_active_directory_enumeration.yml +++ /dev/null 
@@ -1,36 +0,0 @@ -name: netdom_active_directory_enumeration -id: 4d12a2e8-4b9a-4b4d-8f67-73b94bbafea1 -version: 1 -date: '2025-06-11' -author: Mahdi Hamedani Nezhad -status: experimental -type: TTP -data_source: [] -description: This detection identifies potential Active Directory enumeration behavior by observing the use of `netdom.exe` with suspicious keywords such as QUERY, WORKSTATION, SERVER, DC, OU, PDC, FSMO, and TRUST. These terms often indicate an attempt to enumerate domain infrastructure or trust relationships. Detection of this behavior is important for identifying internal reconnaissance or preparation for lateral movement within an Active Directory environment. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=netdom.exe OR Processes.original_file_name=netdom.exe) (Processes.process="* QUERY *" OR Processes.process="* WORKSTATION *" OR Processes.process="* SERVER *" OR Processes.process="* DC *" OR Processes.process="* OU *" OR Processes.process="* PDC *" OR Processes.process="* FSMO *" OR Processes.process="* TRUST *") by Processes.action Processes.dest Processes.process_name Processes.process_path Processes.user Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `netdom_active_directory_enumeration_filter`' -how_to_implement: Ensure endpoint process auditing is enabled and ingested into the Endpoint.Processes datamodel. Validate that command-line arguments are captured for processes. -known_false_positives: Netdom is a legitimate tool and may be used by administrators for valid purposes. Filtering may be necessary based on known admin hosts or service accounts. 
-references: -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/netdom -- https://attack.mitre.org/techniques/T1069/002/ -drilldown_searches: [] -tags: - analytic_story: - - Active Directory Discovery - - Domain Trust Discovery - asset_type: Endpoint - atomic_guid: [] - mitre_attack_id: - - T1069.002 - - T1482 - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - security_domain: endpoint -tests: -- name: Manual Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/active_directory/command_line/netdom_enum.log - source: WinEventLog:Security - sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_active_directory_enumeration_via_netdom.yml b/detections/endpoint/windows_active_directory_enumeration_via_netdom.yml new file mode 100644 index 0000000000..54c0f4b2f1 --- /dev/null +++ b/detections/endpoint/windows_active_directory_enumeration_via_netdom.yml 
@@ -0,0 +1,93 @@ +name: Windows Active Directory Enumeration Via Netdom +id: 4d12a2e8-4b9a-4b4d-8f67-73b94bbafea1 +version: 1 +date: '2025-06-11' +author: Mahdi Hamedani Nezhad +status: production +type: Anomaly +description: | + This detection identifies potential Active Directory enumeration behavior by observing the use of `netdom.exe` + with specific keywords such as "QUERY", "WORKSTATION", "SERVER", "DC", "OU", "PDC", "FSMO", or "TRUST". + These terms often indicate an attempt to enumerate domain infrastructure or trust relationships. + If confirmed malicious, this behavior could allow attackers to map out domain controllers, facilitating + further attacks such as privilege escalation or lateral movement within the network. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: |- + | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime + from datamodel=Endpoint.Processes where + (Processes.process_name=netdom.exe OR Processes.original_file_name=netdom.exe) + Processes.process IN ("* QUERY *", "* WORKSTATION *", "* SERVER *", "* DC *", "* OU *", "* PDC *", "* FSMO *", "* TRUST *") + by Processes.action Processes.dest Processes.original_file_name + Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid + Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path + Processes.process Processes.process_exec Processes.process_guid Processes.process_hash + Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path + Processes.user Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_active_directory_enumeration_via_netdom_filter` +how_to_implement: | + The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: | + Netdom is a legitimate tool and may be used by administrators for valid purposes. Filtering may be necessary based on known admin hosts or service accounts. +references: +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/netdom +- https://attack.mitre.org/techniques/T1069/002/ +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: An instance of $process_name$ was identified performing domain enumeration on endpoint $dest$ by user $user$. 
+ risk_objects: + - field: user + type: user + score: 40 + - field: dest + type: system + score: 40 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Active Directory Discovery + - Domain Trust Discovery + asset_type: Endpoint + atomic_guid: [] + mitre_attack_id: + - T1069.002 + - T1482 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/active_directory/command_line/netdom_enum.log + source: WinEventLog:Security + sourcetype: XmlWinEventLog From 9ea17c6f02a28c53fc6c9e518cb0fe0dc10781a5 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Thu, 12 Jun 2025 21:59:56 +0200 Subject: [PATCH 6/7] Update windows_active_directory_enumeration_via_netdom.yml --- .../windows_active_directory_enumeration_via_netdom.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/detections/endpoint/windows_active_directory_enumeration_via_netdom.yml b/detections/endpoint/windows_active_directory_enumeration_via_netdom.yml index 54c0f4b2f1..c094d20db3 100644 --- a/detections/endpoint/windows_active_directory_enumeration_via_netdom.yml +++ b/detections/endpoint/windows_active_directory_enumeration_via_netdom.yml 
@@ -7,7 +7,7 @@ status: production type: Anomaly description: | This detection identifies potential Active Directory enumeration behavior by observing the use of `netdom.exe` - with specific keywords such as "QUERY", "WORKSTATION", "SERVER", "DC", "OU", "PDC", "FSMO", or "TRUST". + with the "QUERY" flag along with specific parameters such as, "WORKSTATION", "SERVER", "DC", "OU", "PDC", "FSMO", or "TRUST". These terms often indicate an attempt to enumerate domain infrastructure or trust relationships. If confirmed malicious, this behavior could allow attackers to map out domain controllers, facilitating further attacks such as privilege escalation or lateral movement within the network. @@ -18,8 +18,8 @@ data_source: search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where - (Processes.process_name=netdom.exe OR Processes.original_file_name=netdom.exe) - Processes.process IN ("* QUERY *", "* WORKSTATION *", "* SERVER *", "* DC *", "* OU *", "* PDC *", "* FSMO *", "* TRUST *") + (Processes.process_name=netdom.exe OR Processes.original_file_name=netdom.exe) Processes.process="* QUERY *" + Processes.process IN ("* WORKSTATION *", "* SERVER *", "* DC *", "* OU *", "* PDC *", "* FSMO *", "* TRUST *") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path From 554cfc0ecfd68543416bc8c71f18b70ca180fe88 Mon Sep 17 00:00:00 2001 
From: Mahdi Hamedani Nezhad <150752864+thegreatmhn@users.noreply.github.com> Date: Mon, 7 Jul 2025 12:34:11 +0330 Subject: [PATCH 7/7] Create enable_ip_routing_on_windows_endpoint.yml This detection monitors changes to the 'IPEnableRouter' registry value under 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', which enables IP forwarding on Windows systems. Enabling routing is uncommon on most endpoints and may indicate lateral movement, network pivoting, or malicious reconfiguration activity. The rule uses the Endpoint.Registry data model and includes metadata, references, RBA configuration, MITRE mappings, and drilldowns, following ESCU contribution standards. --- .../enable_ip_routing_on_windows_endpoint.yml | 85 +++++++++++++++++++ 1 file changed, 85 insertions(+) create mode 100644 detections/endpoint/enable_ip_routing_on_windows_endpoint.yml diff --git a/detections/endpoint/enable_ip_routing_on_windows_endpoint.yml b/detections/endpoint/enable_ip_routing_on_windows_endpoint.yml new file mode 100644 index 0000000000..15ad2db16c --- /dev/null +++ b/detections/endpoint/enable_ip_routing_on_windows_endpoint.yml 
@@ -0,0 +1,85 @@ +name: Enable IP Routing On Windows Endpoint +id: f6b49ed5-05bb-4c11-b2b5-98c92dceea9b +version: 1 +date: '2025-07-07' +author: Mahdi Hamedani Nezhad +status: production +type: Anomaly +description: | + This detection identifies the enabling of IP routing on a Windows system by monitoring changes to the `IPEnableRouter` registry key. + Malicious actors may enable IP forwarding on compromised hosts to pivot network traffic or build rogue routing paths, allowing lateral movement or data exfiltration. + This behavior is suspicious in most enterprise environments and warrants investigation, especially if the change originates from an unexpected process or user. +data_source: +- Windows Registry +- Sysmon EventID 13 +- Splunk Windows TA (registry auditing) +search: |- + | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime + FROM datamodel=Endpoint.Registry + WHERE (Registry.registry_value_name="IPEnableRouter" + AND Registry.registry_path="*\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters*" + AND Registry.registry_value_data="0x00000001") + by Registry.action Registry.dest Registry.process_guid Registry.process_id + Registry.registry_hive Registry.registry_path Registry.registry_key_name + Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type + Registry.status Registry.user Registry.vendor_product + | `drop_dm_object_name(Registry)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `enable_ip_routing_on_windows_endpoint_filter` +how_to_implement: | + This detection relies on registry monitoring through tools like Sysmon (Event ID 13) or native Windows Event Logging with registry auditing enabled. + Ensure that logs are normalized to the `Endpoint.Registry` data model using the Common Information Model (CIM). 
+ Deploy the Splunk Add-on for Microsoft Windows and configure registry auditing or ingest data from an EDR that supports registry event telemetry. +known_false_positives: | + Some legitimate administrative scripts or configuration management tools may enable IP routing intentionally, especially on gateway servers or routers. + Filtering based on user, process, or host may be necessary in such environments. +references: +- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/enable-ip-routing +- https://attack.mitre.org/techniques/T1098/ +drilldown_searches: +- name: View registry modification events for - "$dest$" + search: '%original_detection_search% | search dest="$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: The registry key IPEnableRouter was set to enable routing on $dest$ by user $user$. 
+ risk_objects: + - field: user + type: user + score: 30 + - field: dest + type: system + score: 30 + threat_objects: + - field: registry_value_name + type: registry_key +tags: + analytic_story: + - Lateral Movement + - Windows Registry Monitoring + asset_type: Endpoint + atomic_guid: [] + mitre_attack_id: + - T1098 + - T1562.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test - Enable IP Routing + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/windows/registry/enable_ip_routing.reg.log + source: WinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog
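Review bot: In PATCH 5/7 the new `windows_active_directory_enumeration_via_netdom.yml` keeps the ATT&CK mapping `T1069.002` (Permission Groups Discovery: Domain Groups) and the matching reference URL, but none of the `netdom query` parameters the search matches (WORKSTATION, SERVER, DC, OU, PDC, FSMO, TRUST) enumerates groups; `T1482` (Domain Trust Discovery) covers the TRUST case and `T1018` (Remote System Discovery) fits the host-listing cases, so re-check the mapping and the reference before this goes out as `status: production`. Also in this hunk: the file arrives as a delete plus create rather than a rename, which is acceptable as long as the `id` `4d12a2e8-4b9a-4b4d-8f67-73b94bbafea1` keeps pointing at exactly one detection (it does), and `data_source` now lists three sources while the single test only exercises `WinEventLog:Security` data.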
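Review bot: In PATCH 6/7 the search now requires `Processes.process="* QUERY *"` AND one of `Processes.process IN ("* WORKSTATION *", ..., "* TRUST *")`; the trailing space inside each pattern means the object type must be followed by more text, so a command line that ends in the object type, such as `netdom query dc` or `netdom query fsmo`, which is the documented form of the command, no longer matches at all (under the previous OR list the bare QUERY pattern still caught it). Use patterns of the form `"* DC*"` or add a second pattern per token without the trailing space. Style: the new description line reads `such as, "WORKSTATION"` with a stray comma after "such as".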
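Review bot: In PATCH 7/7 the path filter `Registry.registry_path="*\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters*"` only matches sources that report the `CurrentControlSet` link; native Windows registry auditing (Security 4657) reports the concrete `ControlSet001` path, and `data_source` lists both Sysmon and native auditing, so anchor on `*\\Services\\Tcpip\\Parameters*` instead. Same hunk, further points: the exact match `Registry.registry_value_data="0x00000001"` depends on how each add-on normalizes a REG_DWORD (Sysmon's raw Details field reads `DWORD (0x00000001)`) and the only test is Sysmon data, so either confirm the normalization for 4657 or use a tolerant pattern; the ATT&CK mapping `T1098` (Account Manipulation) and `T1562.001` (Impair Defenses) does not describe turning on IP forwarding, `T1112` (Modify Registry) does, and the `references` entry pointing at T1098 should follow the mapping; `threat_objects` pairs `field: registry_value_name` with `type: registry_key`, and since the value name is the constant `IPEnableRouter` it gives the analyst nothing to pivot on, so use the registry path and make the type match the field; `description` and `rba.message` call `IPEnableRouter` a registry key when it is a value under the `Parameters` key; and the `data_source` entries `Windows Registry` and `Splunk Windows TA (registry auditing)` are not ESCU data-source names, the native one being the Security 4657 event. Finally, this detection is unrelated to the netdom change the PR describes and belongs in its own PR.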