Windows Serializer

The Windows Serializer in Observo AI allows you to convert raw Windows event logs into structured formats like JSON for seamless integration with SIEM and log management systems.

Purpose

Windows Serializer ensures that critical security events, such as logins, process creations, and access attempts, are properly formatted and enriched for better analysis. This helps organizations streamline threat detection, compliance reporting, and forensic investigations by maintaining consistent, machine-readable log data.

Usage

Select the Windows Serializer transform. Add a Name (required) and a Description (optional).

General Configuration:

  • Bypass Transform: Defaults to disabled. When enabled, this transform is bypassed entirely and events pass through without any modification.

  • Add Filter Conditions: Defaults to disabled. When enabled, only events that satisfy the configured conditions are processed by this transform; all other events bypass it. Conditions are combined with AND/OR logic and are added with the "+Rule" and "+Group" buttons.

Serializer: Enabled: Defaults to enabled, meaning the serializer evaluates every event it receives. Toggle Enabled off to stop event processing, so no serialized data is passed to downstream transforms.

Output: At present, Splunk is the only supported output format for this transform.

Examples

Serialize Windows Security Log (JSON Format)

Scenario: Serialize a Windows Security log into JSON.

Input

Feb 26 12:50:00 WIN-SERVER1 Security 4624 An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Logon ID: 0x3E7. New Logon: Security ID: S-1-5-21-123456789-123456789-123456789-1001 Account Name: user1 Logon Type: 2 Source Network Address: 192.168.1.100
Feb 26 12:51:10 WIN-SERVER1 Security 4625 An account failed to log on. Account Name: user2 Logon Type: 3 Failure Reason: Unknown user name or bad password Source Network Address: 192.168.1.101
Feb 26 12:52:20 WIN-SERVER1 Security 4670 Object access attempted. Object Name: C:\SensitiveFile.txt Accesses: WRITE_OWNER, WRITE_DAC Account Name: admin1
Feb 26 12:53:30 WIN-SERVER1 Security 4688 A new process has been created. New Process Name: C:\Windows\System32\cmd.exe Creator Process Name: C:\Windows\explorer.exe Account Name: user3
Feb 26 12:54:40 WIN-SERVER1 Security 4720 A user account was created. Account Name: new_user Account Enabled: Yes Creator: admin2

Output

{
  "timestamp": "2024-02-26T12:50:00Z",
  "device": "WIN-SERVER1",
  "event_id": 4624,
  "event_type": "Successful Logon",
  "user": "user1",
  "logon_type": 2,
  "source_ip": "192.168.1.100",
  "subject_security_id": "S-1-5-18",
  "new_logon_id": "S-1-5-21-123456789-123456789-123456789-1001"
}
{
  "timestamp": "2024-02-26T12:51:10Z",
  "device": "WIN-SERVER1",
  "event_id": 4625,
  "event_type": "Failed Logon",
  "user": "user2",
  "logon_type": 3,
  "source_ip": "192.168.1.101",
  "failure_reason": "Unknown user name or bad password"
}
{
  "timestamp": "2024-02-26T12:52:20Z",
  "device": "WIN-SERVER1",
  "event_id": 4670,
  "event_type": "Object Access Attempt",
  "user": "admin1",
  "object_name": "C:\\SensitiveFile.txt",
  "accesses": ["WRITE_OWNER", "WRITE_DAC"]
}
{
  "timestamp": "2024-02-26T12:53:30Z",
  "device": "WIN-SERVER1",
  "event_id": 4688,
  "event_type": "New Process Created",
  "user": "user3",
  "process_name": "C:\\Windows\\System32\\cmd.exe",
  "creator_process": "C:\\Windows\\explorer.exe"
}
{
  "timestamp": "2024-02-26T12:54:40Z",
  "device": "WIN-SERVER1",
  "event_id": 4720,
  "event_type": "User Account Created",
  "user": "new_user",
  "account_enabled": true,
  "creator": "admin2"
}

Results: This structured transformation makes Windows Security logs searchable, analyzable, and SIEM-ready for better threat detection and forensic investigations.
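The conversion shown above, as an added example in Python that is not Observo AI's own code: a parser for the single-line layout used in the sample input that emits the page's field names. It assumes the year is supplied by the caller (2024 here, because the syslog-style timestamp carries none), that source timestamps are already UTC, and that the label set and event_type strings are the ones used in the example. The sample lines are constructed; the final 4740 line is added to show a space-padded day and the fallback path for an event ID outside the mapping table.

```python
import json
import re
from datetime import datetime

# Constructed sample input in the page's single-line, syslog-style layout (not real
# Windows events). The last line is a crafted 4740 event with a space-padded day and
# an event ID the mapping table does not know, to exercise the fallback path.
SAMPLE_LINES = [
    "Feb 26 12:50:00 WIN-SERVER1 Security 4624 An account was successfully logged on. Subject: Security ID: S-1-5-18 "
    "Account Name: SYSTEM Logon ID: 0x3E7. New Logon: Security ID: S-1-5-21-123456789-123456789-123456789-1001 "
    "Account Name: user1 Logon Type: 2 Source Network Address: 192.168.1.100",
    "Feb 26 12:51:10 WIN-SERVER1 Security 4625 An account failed to log on. Account Name: user2 Logon Type: 3 "
    "Failure Reason: Unknown user name or bad password Source Network Address: 192.168.1.101",
    "Feb 26 12:52:20 WIN-SERVER1 Security 4670 Object access attempted. Object Name: C:\\SensitiveFile.txt "
    "Accesses: WRITE_OWNER, WRITE_DAC Account Name: admin1",
    "Feb 26 12:53:30 WIN-SERVER1 Security 4688 A new process has been created. New Process Name: "
    "C:\\Windows\\System32\\cmd.exe Creator Process Name: C:\\Windows\\explorer.exe Account Name: user3",
    "Feb 26 12:54:40 WIN-SERVER1 Security 4720 A user account was created. Account Name: new_user "
    "Account Enabled: Yes Creator: admin2",
    "Feb  6 08:01:02 WIN-SERVER1 Security 4740 A user account was locked out. Account Name: user4 "
    "Caller Computer Name: WS01",
]

HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<channel>\S+) "
    r"(?P<event_id>\d+) (?P<body>.*)$"
)
SECTIONS = {"Subject", "New Logon"}  # labels that open a sub-block rather than carry a value
LABELS = SECTIONS | {
    "Security ID", "Account Name", "Logon ID", "Logon Type", "Source Network Address",
    "Failure Reason", "Object Name", "Accesses", "New Process Name", "Creator Process Name",
    "Account Enabled", "Creator", "Caller Computer Name",
}
# Longest label first so that "Creator Process Name" wins over "Creator".
LABEL_RE = re.compile(r"\b(" + "|".join(map(re.escape, sorted(LABELS, key=len, reverse=True))) + r"):")


def parse_fields(text):
    """Split 'Label: value Label: value ...' into {'Section/Label': value}."""
    fields, section = {}, None
    matches = list(LABEL_RE.finditer(text))
    for i, m in enumerate(matches):
        label = m.group(1)
        if label in SECTIONS:
            section = label
            continue
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        key = f"{section}/{label}" if section else label
        fields[key] = text[m.end():end].strip().rstrip(".")  # "0x3E7." ends a sentence
    return fields


EVENT_TYPES = {4624: "Successful Logon", 4625: "Failed Logon", 4670: "Object Access Attempt",
               4688: "New Process Created", 4720: "User Account Created"}
csv = lambda v: [x.strip() for x in v.split(",")]
yes_no = lambda v: v.strip().lower() == "yes"
# Standardised output key -> (parsed label, converter) per event ID, using the page's field names.
FIELD_MAP = {
    4624: {"user": ("New Logon/Account Name", str), "logon_type": ("New Logon/Logon Type", int),
           "source_ip": ("New Logon/Source Network Address", str),
           "subject_security_id": ("Subject/Security ID", str), "new_logon_id": ("New Logon/Security ID", str)},
    4625: {"user": ("Account Name", str), "logon_type": ("Logon Type", int),
           "source_ip": ("Source Network Address", str), "failure_reason": ("Failure Reason", str)},
    4670: {"user": ("Account Name", str), "object_name": ("Object Name", str), "accesses": ("Accesses", csv)},
    4688: {"user": ("Account Name", str), "process_name": ("New Process Name", str),
           "creator_process": ("Creator Process Name", str)},
    4720: {"user": ("Account Name", str), "account_enabled": ("Account Enabled", yes_no), "creator": ("Creator", str)},
}


def serialize(line, year=2024):
    """Convert one raw line into the structured record shown on the page.
    Syslog-style stamps carry no year and (assumed here) are already UTC, so the caller supplies the year."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised line: {line!r}")
    stamp = " ".join(m["ts"].split())  # collapse the padding in "Feb  6"
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    event_id = int(m["event_id"])
    description, sep, rest = m["body"].partition(". ")  # first sentence is the event description
    fields = parse_fields(rest if sep else "")
    record = {"timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "device": m["host"],
              "event_id": event_id, "event_type": EVENT_TYPES.get(event_id, description)}
    if event_id in FIELD_MAP:
        for out_key, (label, convert) in FIELD_MAP[event_id].items():
            if fields.get(label):  # omit fields that are missing or empty
                record[out_key] = convert(fields[label])
    else:  # unknown ID: keep every parsed field under a snake_case key so nothing is lost
        record.update({k.lower().replace("/", "_").replace(" ", "_"): v for k, v in fields.items()})
    return record


def serialize_all(lines, year=2024):
    return [serialize(line, year) for line in lines]


if __name__ == "__main__":
    for rec in serialize_all(SAMPLE_LINES):
        print(json.dumps(rec))
```

The mapping table, rather than per-event branching, is what keeps the output keys consistent across event IDs; an unmapped ID still produces a record instead of being dropped, which is the safer failure mode for security telemetry.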

Windows Serialization Best Practices

  1. Use Consistent Field Mappings: Ensure Windows event log fields are properly mapped to standardized keys such as event_id, user, source_ip for uniform log processing across systems.

  2. Choose the Right Output Format: Select JSON, CEF, or Syslog based on SIEM or log management compatibility to optimize parsing and correlation.

  3. Normalize Timestamps: Use ISO 8601 (UTC) format (YYYY-MM-DDTHH:MM:SSZ) to ensure consistent time-based analysis and avoid timezone discrepancies.

  4. Limit Field Lengths: Follow format-specific restrictions such as CEF field length limits to prevent truncation or data loss in downstream systems.

  5. Escape Special Characters: In CEF, escape | in the header fields, = in extension values, and \ in both, to preserve data integrity and avoid parsing errors downstream.

  6. Exclude Redundant or Empty Fields: Remove unnecessary fields to reduce log size and improve log processing efficiency.

  7. Maintain Log Integrity: Ensure original log details are accurately retained during serialization, avoiding loss of critical security information.

  8. Validate Serialization Output: Test serialized logs in SIEM environments such as Splunk, ArcSight, QRadar to confirm proper parsing and usability.

  9. Monitor for Data Quality Issues: Regularly check for serialization errors, missing fields, and inconsistencies to maintain high-quality, structured log data.

  10. Optimize for Security & Compliance: Include essential security metadata such as logon_type, process_name, object_accesses to enhance threat detection and regulatory compliance.

By following these best practices, Windows event logs are efficiently serialized, ensuring seamless ingestion, analysis, and threat monitoring in SIEMs and security platforms.
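Best practices 3 to 6 above, as an added example in Python that is not Observo AI's own code: it normalises timestamps carrying any UTC offset to ISO 8601 Z form, escapes the CEF header and extension characters, enforces per-field length limits by truncating before escaping, and drops empty or unmapped fields. The key mapping, the vendor and product names, the severity table and the length limits (taken from the ArcSight CEF guide: msg 1023, cs1 to cs6 4000, most other strings 1023) are assumptions to adjust for your destination, and the two input records are constructed.

```python
from datetime import datetime, timezone

# Constructed structured records (not real events): the page's 4624 output, plus a crafted
# 4688 record with a local-time offset, an empty field, and characters CEF must escape.
RECORDS = [
    {"timestamp": "2024-02-26T12:50:00Z", "device": "WIN-SERVER1", "event_id": 4624,
     "event_type": "Successful Logon", "user": "user1", "logon_type": 2,
     "source_ip": "192.168.1.100", "subject_security_id": "S-1-5-18"},
    {"timestamp": "2024-02-26T07:53:30-05:00", "device": "WIN-SERVER1", "event_id": 4688,
     "event_type": "New Process Created|Suspicious", "user": "user3",
     "process_name": "C:\\Windows\\System32\\cmd.exe", "creator_process": "",
     "command_line": "cmd.exe /c set PATH=C:\\tools;%PATH%"},
]

# Standardised key -> CEF extension key (an assumed mapping; adjust to your SIEM's schema).
CEF_KEYS = {"device": "dvchost", "user": "duser", "source_ip": "src", "process_name": "dproc",
            "creator_process": "sproc", "command_line": "msg", "logon_type": "cs1",
            "subject_security_id": "cs2", "object_name": "filePath", "failure_reason": "reason"}
CEF_LABELS = {"cs1": "LogonType", "cs2": "SubjectSid"}  # custom strings need a *Label companion
# Per-field character limits as given in the ArcSight CEF guide (msg 1023, cs1-cs6 4000, most
# other strings 1023); an assumption to confirm against the destination's CEF version.
MAX_LEN = {"msg": 1023, "cs1": 4000, "cs2": 4000, "dproc": 1023, "sproc": 1023,
           "filePath": 1023, "reason": 1023, "duser": 1023}
SEVERITY = {4625: 5, 4670: 4, 4688: 4, 4720: 6}  # illustrative 0-10 severities; default 3


def to_utc(ts):
    """Parse an ISO 8601 stamp with any offset (or a trailing Z) into an aware UTC datetime."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:  # a naive stamp is ambiguous; assume it was already UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def normalize_timestamp(ts):
    return to_utc(ts).strftime("%Y-%m-%dT%H:%M:%SZ")


def esc_header(value):
    # Header fields: backslash and pipe are the reserved characters.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def esc_ext(value):
    # Extension values: backslash and equals sign; line breaks become the literal \r and \n.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(record, vendor="Observo", product="WindowsSerializer", version="1.0"):
    """Render one structured record as a CEF:0 line."""
    dt = to_utc(record["timestamp"])
    header = "|".join(esc_header(v) for v in (
        "CEF:0", vendor, product, version, record["event_id"], record["event_type"],
        SEVERITY.get(record["event_id"], 3)))
    ext = [("rt", str(int(dt.timestamp() * 1000)))]  # receipt time as epoch milliseconds
    for key, value in record.items():
        cef_key = CEF_KEYS.get(key)
        if cef_key is None or value in ("", None):  # drop unmapped and empty fields
            continue
        raw = str(value)
        limit = MAX_LEN.get(cef_key)
        if limit is not None and len(raw) > limit:
            raw = raw[:limit]  # truncate before escaping so no escape sequence is cut in half
        ext.append((cef_key, esc_ext(raw)))
        if cef_key in CEF_LABELS:
            ext.append((cef_key + "Label", CEF_LABELS[cef_key]))
    return header + "|" + " ".join(f"{k}={v}" for k, v in ext)


if __name__ == "__main__":
    for rec in RECORDS:
        print(to_cef(rec))
```

Truncating the raw value rather than the escaped one matters: cutting an escaped string at a fixed length can leave a trailing lone backslash that swallows the next key, which is exactly the kind of parse failure best practice 9 asks you to watch for.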

  • CEF Serializer: Converts structured security event logs into the standardized CEF format, ensuring compatibility with SIEM systems like ArcSight, Splunk, and QRadar.

  • CEF Parser: Extracts and normalizes fields from CEF-formatted logs, enabling efficient search, correlation, and analysis in SIEM systems.
