<html lang="en">
<body>
  
  <p>
    <b>[OOTB] Microsoft Products via KES WIN. Version 5</b><br>
  	Change log:
	<ul>
			<li>Support of some event types (event ID 7000, 7009, 7023, 7034, 7031, 7011, 7001, 7043) generated by "Service Control Manager" was added.</li>
			<li>New extra normalizers were added: "Service Control Manager", "7000 7009 7023 7034", "7031", "7011", "7001", "7043".</li>
			<li>Event names for events with ID 7009, 7023, 7034, 7031, 7011, 7001, 7043 were added to the dictionary "[OOTB] Windows. EventIDs and Event Names mapping".</li>
			<li>New regular expression was added to the extra normalizer "4103 ContextInfo regexp".</li>
			<li>Event enrichment with dictionary was removed from the extra normalizer "4738".</li>
			<li>Extra normalizer "4742" was removed.</li>
			<li>Event enrichment to the KUMA field "DeviceAction" in the extra normalizer "4657" was changed. Text of event enrichment "New Registry Value created" was replaced with text "New registry value created".  Text of event enrichment "Existing Registry Value modified" was replaced with text "Existing registry value modified". Text of event enrichment "Registry Value Deleted" was replaced with text "Registry value deleted".</li>
			<li>New event enrichment was added in the extra normalizer "Extra 5136". Data from the KUMA field "DeviceCustomString4" is copied to the KUMA field "DeviceAction".</li>
			<li>Field mapping was changed in the extra normalizer "A computer account management". Event field "Event.EventData.Data.TargetDomainName" was mapped from the KUMA field "DeviceCustomString6" to the KUMA field "DestinationNtDomain". Event field "Event.EventData.Data.TargetUserName" was mapped from the KUMA field "DeviceCustomString1" to the KUMA field "DestinationUserName". Event field "Event.EventData.Data.NewUacValue" was mapped to the KUMA field "DeviceCustomString5". Event field "Event.EventData.Data.OldUacValue" was mapped to the KUMA field "DeviceCustomString4". Event field "Event.EventData.Data.UserAccountControl" was mapped to the KUMA field "DeviceCustomString6". Event field "Event.EventData.Data.HomeDirectory" was mapped to the KUMA field "FileName". Event field "Event.EventData.Data.HomePath" was mapped to the KUMA field "FilePath". Event field "Event.EventData.Data.PasswordLastSet" was mapped to the KUMA field "DeviceCustomDate1".</li>
			<li>Event enrichment was changed in the extra normalizer "A computer account management". Event enrichment with constant was removed from the KUMA field "DeviceCustomString6Label". Event enrichment with template was removed from the KUMA field "DeviceCustomString6".</li>
			<li>New regular expression was added to the extra normalizer "Windows PowerShell 400 403 regexp".</li>
			<li>In the extra normalizer "Terminal Server" filter parameters were updated. Logical condition was changed to "OR", new condition "Microsoft-Windows-TerminalServices-LocalSessionManager" was added.</li>
			<li>New extra normalizer "23 (TerminalServer)" was added.</li>
			<li>Normalizer structure optimization. Extra normalizers 21(TerminalServer), 22(TerminalServer), 24(TerminalServer), 25(TerminalServer) were combined into the extra normalizer "21 22 24 25(TerminalServer)".</li>
			<li>Parameter "XML Attributes" was disabled in the extra normalizer "1149 (TerminalServer)".</li>
			<li>Event name was added for the event with ID 23 (TerminalServer) to the dictionary "22(TerminalServer)".</li>
			<li>Event enrichment with constant to the KUMA field "Message" was updated in the extra normalizers "21 22 24 25(TerminalServer)", "39 (TerminalServer)", "1149 (TerminalServer)".</li>
			<li>Event enrichment to the KUMA field "OldFileType" was removed from the extra normalizer "Terminal Server".</li>
			<li>Regular expression in the event enrichment to the KUMA field "DestinationUserName" in the extra normalizer "21 22 24 25(TerminalServer)" was updated.</li>
			<li>Extra normalizer "4104" was changed. Event enrichment from the KUMA field "Message" to the KUMA field "FileName" was deleted.</li>
			<li>New extra normalizers were added: "Microsoft-Windows-SMBServer", "SMBServer 3000", "SMBServer 3000 RenderingInfo.Message parsing".</li>
			<li>Field mapping was changed in the extra normalizer "5145". Event field "Event.EventData.Data.RelativeTargetName" was mapped from the KUMA field "DestinationServiceName" to the KUMA field "FileName".</li>
			<li>Mapping in the extra normalizer "4624" was changed. Event field "Event.EventData.Data.LmPackageName" was mapped to the KUMA field "FlexString2".</li>
		</ul>
	</p>
    
    <p>
    <b>[OOTB] Microsoft Products via KES WIN. Version 4</b><br>
  	Change log:
	<ul>
		<li>New extra normalizers were added: "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12", "13", "14", "15", "16", "17", "18", "19", "20", "21", "22", "23", "24", "255", "25", "26", "27,28,29", "Sysmon", "4100", "4105", "8193", "8194", "8197", "24577", "24595", "53249", "53250", "53504", "24596", "24597", "24598", "24599", "107", "1074", "109", "42", "4928", "4932", "4935", "4944", "4956", "5031", "6144,6145", "4615", "4618", "4626", "4627", "4634", "4647", "An IPsec main/quick mode negotiation failed", "4656", "4658", "4659", "4660 4661", "4666", "4670", "4673", "4674", "4689", "4690", "4691", "Audit DPAPI Activity", "4764", "KRB ticket request failed", "4774", "4777", "4781", "4793", "4797", "WS or ScreenSaver Operations", "4818", "4819", "4820", "4821", "4822", "4824", "4826", "4906", "4907", "4908", "4911", "4912", "4913", "4953", "4957", "4958", "IPsec Main/Extended Modes established/failed", "4985", "5051", "5057", "5058", "5060/5061", "A cryptographic operations attempts", "5071", "OCSP 5122/5123", "Windows Filtering Platform has blocked a packet", "5168", "5378", "IPsec QM association established/ended", "PAStore Engine failed, IPsec failed and 6145", "5633", "6272 6278 6279 6280", "6273", "6281", "6410", "6416", "5379", "5380", "5381", "5382", "5159", "5447", "6274", "6276", "6274,6276", "4742", "4739", "5448", "1102", "1105", "4898", "4610", "5000 (Defender)", "5001 (Defender)", "5002 (Defender)", "5010 (Defender)", "5012 (Defender)", "1006 (Defender)", "5007 (Defender)", "1116 (Defender)", "2000 (Defender)", "5004 (Defender)", "1000 (Defender)", "1001 (Defender)", "1015 (Defender)", "1117 (Defender)", "Microsoft Defender", "12550", "16641 16642", "1600", "20790", "33012 19020 19040 33834", "33483", "33480", "33481", "33452", "33454", "33456 33458", "13002 13003 18304 19070 19080 19090", "2014", "2000 2001 2003 2008", "2004", "2007", "2018", "2009", "2500", "2502", "2503", "Hyper-V 8", "156", "155"</li>
		<li>Support of some event types from the event log "Microsoft Windows PowerShell" was added. New extra normalizers were added: "Windows PowerShell journal", "Windows PowerShell 400 403", "Windows PowerShell 400 403 regexp", "Windows PowerShell 800", "Windows PowerShell 800 regexp", "Windows PowerShell 600", "Windows PowerShell 600 regexp", "4610".</li>
		<li>Mapping in the main normalizer was changed. Mapping of the event field "Event.EventData.Data.AuthenticationPackageName" was removed from the KUMA field "DeviceCustomString5".</li>
		<li>Parsing of the event ID 4898 from the Windows Security log was added. New extra normalizer "4898" was added.</li>
		<li>Field mapping was changed in the extra normalizers 4618, 4626, 4634, 4647, "WS or ScreenSaver Operations". Event field "Event.EventData.Data.TargetLogonId" was mapped to the KUMA field "FlexString2".</li>
		<li>Field mapping was changed in the extra normalizers 6416, 5381, 4826, 5382, 5379. Event field "Event.EventData.Data.SubjectUserSid" was mapped to the KUMA field "SourceUserID". Event field "Event.EventData.Data.SubjectLogonId" was mapped to the KUMA field "FlexString1".</li>
		<li>Field mapping was changed in the extra normalizers 4719, 5051, "5888 5889 5890". Event field "Event.EventData.Data.SubjectUserSid" was mapped to the KUMA field "DestinationUserID".</li>
		<li>Dictionary "[OOTB] Windows. EventIDs and Event Names mapping" was updated. Name of the event with ID 6272 was changed to "Network Policy Server granted access to a user".</li>
		<li>Field mapping was changed in main normalizer. Event field "Event.EventData.Data.IpAddress" was mapped from the KUMA field "DeviceCustomIPv6Address2" to the KUMA field "SourceAddress".</li>
		<li>Event enrichment was changed in main normalizer. Source of the enrichment with regular expression to the KUMA field "SourceAddress" was changed from the KUMA field "DeviceCustomIPv6Address2" to the KUMA field "SourceAddress".</li>
		<li>Field mapping was changed in the extra normalizers 4821, 5145, 4771, 4769, 4820, 5140, 4648, 4625. Event field "Event.EventData.Data.IpAddress" mapping was removed from the KUMA field "SourceAddress".</li>
		<li>Field mapping was changed in the extra normalizers 5145, 4771, 4769, 5140, 4624, 4770, 4768. Event field "Event.EventData.Data.IpAddress" mapping was removed from the KUMA field "DeviceCustomIPv6Address2".</li>
		<li>Field mapping was changed in the extra normalizers 4771, 4770. Event field "Event.EventData.Data.IpAddress" mapping was removed from the KUMA field "DeviceCustomString3".</li>
		<li>Field mapping was changed in the extra normalizer "KRB ticket request failed". Event field "Event.EventData.Data.IpAddress" mapping was removed from the KUMA field "DeviceCustomIPv6Address1".</li>
		<li>Field mapping was changed in the extra normalizer "Windows Filtering Platform actions". Event field "Event.EventData.Data.SourceAddress" mapping was removed from the KUMA field "DeviceCustomIPv6Address2". Event field "Event.EventData.Data.DestAddress" mapping was removed from the KUMA field "DeviceCustomIPv6Address3".</li>
		<li>Event enrichments were changed in the extra normalizers 5, 18, 15, 10, 7, 11, 13, 17, 22, 23, 25. Type of event enrichment to the KUMA field "FileName" was changed from the "replacewithregexp" to the "regexp". Regular expressions in the event enrichments to the KUMA fields "FileName" and "FilePath" were fixed.</li>
		<li>Event enrichments were changed in the extra normalizer 11. Type of event enrichment to the KUMA field "OldFileName" was changed from the "replacewithregexp" to the "regexp". Regular expressions in the event enrichments to the KUMA fields "OldFileName" and "OldFilePath" were fixed.</li>
		<li>Type of event enrichment in the extra normalizer "4663" in the field DeviceCustomString6 was changed from "dictionary" to "replace".</li>
	</ul>
	</p>
  
  	<p>
    <b>[OOTB] Microsoft Products via KES WIN. Version 3</b><br>
  	Change log:
	<ul>
		<li>New event mutations were added to the event field "msg" in the extra normalizer "xml normalizer" (in the parameter "Field to pass into normalizer").</li>
		<li>New condition was added to the extra normalizer "xml normalizer".</li>
		<li>New extra normalizer "CEF events normalization" was added.</li>
	</ul>
	</p>
  
	<p>
    <b>[OOTB] Microsoft Products via KES WIN. Version 2</b><br>
   	Filter "[OOTB] Microsoft Products via KES WIN - Event filter for collector" was added to the package.
	</p>
  
  <p>
    <b>[OOTB] Microsoft Products via KES WIN. Version 1</b><br>
   	This is the first version of the package.
  </p>

</body>
</html>