Updated and Added Data Dictionaries

- Event 104 - A log file was cleared: Added standard names, descriptions, sample values, and event sample in xml format.
- Event 1100 - Windows Event Log service has shut down: Added dictionary without event fields and added event sample in xml format.
- Event 1102 - The audit log was cleared: standard names, descriptions, sample values, and event sample in xml format.
- Event 6005 - The event log service was started: Added dictionary with event sample in xml format. We still need to review the event fields section of dictionary.
- Event 6006 - The event log service was stopped: Added dictionary with event sample in xml format. We still need to review the event fields section of dictionary.
- Event 4656 - Handle requested to registry object: updated descriptions to make reference to registry objects.
- Event 4656 - handle requested to service object: Added dictionary with event sample in xml format.
- Event 4697 - a service was installed in the system: Removed double quotation marks from descriptions and added event sample in xml format.

windows/etw-providers/Microsoft-Windows-Eventlog/events/event-104.yml

@@ -1,28 +1,28 @@
-name: Event 104 - Logclear
-description:
+name: Event 104 - A log file was cleared
+description: This event generates every time a log files is cleared
 platform: windows
 log_source: Microsoft-Windows-Eventlog
 event_id: '104'
 event_version: '0'
 event_fields:
-- standard_name: TBD
+- standard_name: user_name
   standard_type: TBD
   name: SubjectUserName
   type: UnicodeString
-  description:
-  sample_value:
-- standard_name: TBD
+  description: The name of the account that cleared the log file
+  sample_value: pedro
+- standard_name: user_domain
   standard_type: TBD
   name: SubjectDomainName
   type: UnicodeString
-  description:
-  sample_value:
+  description: Subject's domain or computer name
+  sample_value: PEDRO01
 - standard_name: TBD
   standard_type: TBD
   name: Channel
   type: UnicodeString
-  description:
-  sample_value:
+  description: Name of Log file cleared
+  sample_value: Microsoft-Windows-PowerShell/Operational
 - standard_name: TBD
   standard_type: TBD
   name: BackupPath
@@ -33,3 +33,32 @@ references:
 tags:
 - etw_level_Informational
 - etw_task_Logclear
+event_sample:
+- format: xml
+  sample: |-
+    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
+      <System> 
+        <Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" /> 
+        <EventID>104</EventID> 
+        <Version>0</Version> 
+        <Level>4</Level> 
+        <Task>104</Task> 
+        <Opcode>0</Opcode> 
+        <Keywords>0x8000000000000000</Keywords> 
+        <TimeCreated SystemTime="2022-08-09T14:44:05.786938100Z" /> 
+        <EventRecordID>1113</EventRecordID> 
+        <Correlation /> 
+        <Execution ProcessID="1444" ThreadID="2044" /> 
+        <Channel>System</Channel> 
+        <Computer>Pedro01</Computer> 
+        <Security UserID="S-1-5-21-968647429-258479840-2507984072-1001" /> 
+      </System> 
+      <UserData> 
+        <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"> 
+          <SubjectUserName>pedro</SubjectUserName> 
+          <SubjectDomainName>PEDRO01</SubjectDomainName> 
+          <Channel>Microsoft-Windows-PowerShell/Operational</Channel> 
+          <BackupPath> </BackupPath> 
+        </LogFileCleared> 
+      </UserData> 
+    </Event> 

windows/etw-providers/Microsoft-Windows-Eventlog/events/event-1100.yml

@@ -0,0 +1,36 @@
+name: Event 1100 - Windows Event Log service has shut down
+description: This event generates every time Windows Event Log service has shut down
+platform: windows
+log_source: Microsoft-Windows-Eventlog
+event_id: '1101'
+event_version: '0'
+event_fields: []
+references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1100
+tags:
+- etw_level_Informational
+event_sample:
+- format: xml
+  sample: |-
+    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
+      <System> 
+        <Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" /> 
+        <EventID>1100</EventID> 
+        <Version>0</Version> 
+        <Level>4</Level> 
+        <Task>103</Task> 
+        <Opcode>0</Opcode> 
+        <Keywords>0x4020000000000000</Keywords> 
+        <TimeCreated SystemTime="2022-08-08T19:56:55.801610900Z" /> 
+        <EventRecordID>243916</EventRecordID> 
+        <Correlation /> 
+        <Execution ProcessID="976" ThreadID="6056" /> 
+        <Channel>Security</Channel> 
+        <Computer>Pedro01</Computer> 
+        <Security /> 
+      </System> 
+      <UserData> 
+        <ServiceShutdown xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"> 
+        </ServiceShutdown> 
+      </UserData> 
+    </Event>

windows/etw-providers/Microsoft-Windows-Eventlog/events/event-1102.yml

@@ -1,35 +1,65 @@
-name: Event 1102 - Logclear
-description:
+name: Event 1102 - The audit log was cleared
+description: This event generates every time Windows Security audit log files is cleared
 platform: windows
 log_source: Microsoft-Windows-Eventlog
 event_id: '1102'
 event_version: '0'
 event_fields:
-- standard_name: TBD
+- standard_name: user_sid
   standard_type: TBD
   name: SubjectUserSid
   type: SID
-  description:
-  sample_value:
-- standard_name: TBD
+  description: SID of the account that cleared the system security audit log
+  sample_value: S-1-5-21-968647429-258479840-2507984072-1001
+- standard_name: user_name
   standard_type: TBD
   name: SubjectUserName
   type: UnicodeString
-  description:
-  sample_value:
-- standard_name: TBD
+  description: The name of the account that cleared the system security audit log
+  sample_value: pedro
+- standard_name: user_domain
   standard_type: TBD
   name: SubjectDomainName
   type: UnicodeString
-  description:
-  sample_value:
-- standard_name: TBD
+  description: Subject's domain or computer name
+  sample_value: PEDRO01
+- standard_name: user_logon_id
   standard_type: TBD
   name: SubjectLogonId
   type: HexInt64
-  description:
-  sample_value:
+  description: Logon ID of the subject's logon session
+  sample_value: 0x20256d6
 references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102
 tags:
 - etw_level_Informational
 - etw_task_Logclear
+event_sample:
+- format: xml
+  sample: |-
+    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
+      <System> 
+        <Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" /> 
+        <EventID>1102</EventID> 
+        <Version>0</Version> 
+        <Level>4</Level> 
+        <Task>104</Task> 
+        <Opcode>0</Opcode> 
+        <Keywords>0x4020000000000000</Keywords> 
+        <TimeCreated SystemTime="2022-08-09T14:44:05.629920700Z" /> 
+        <EventRecordID>266417</EventRecordID> 
+        <Correlation /> 
+        <Execution ProcessID="1444" ThreadID="2044" /> 
+        <Channel>Security</Channel> 
+        <Computer>Pedro01</Computer> 
+        <Security /> 
+      </System> 
+      <UserData> 
+        <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"> 
+          <SubjectUserSid>S-1-5-21-968647429-258479840-2507984072-1001</SubjectUserSid> 
+          <SubjectUserName>pedro</SubjectUserName> 
+          <SubjectDomainName>PEDRO01</SubjectDomainName> 
+          <SubjectLogonId>0x20256d6</SubjectLogonId> 
+        </LogFileCleared> 
+      </UserData> 
+    </Event> 

windows/etw-providers/Microsoft-Windows-Eventlog/events/event-6005.yml

@@ -0,0 +1,37 @@
+name: Event 6005 - The Event Log service was started
+description: The Event Log service was started. Indicates the system startup.
+platform: windows
+log_source: Microsoft-Windows-Eventlog
+event_id: '6005'
+event_version: '0'
+event_fields:
+- standard_name: TBD
+  standard_type: TBD
+  name: Binary
+  type: TBD
+  description: TBD
+  sample_value: E607080002000900100009001B0038000000000000000000
+references:
+- https://www.shellhacks.com/windows-shutdown-reboot-event-ids-get-logs/
+tags:
+- etw_level_Informational
+event_sample:
+- format: xml
+  sample: |-
+    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
+      <System> 
+        <Provider Name="EventLog" /> 
+        <EventID Qualifiers="32768">6005</EventID> 
+        <Level>4</Level> 
+        <Task>0</Task> 
+        <Keywords>0x80000000000000</Keywords> 
+        <TimeCreated SystemTime="2022-08-09T16:09:27.056581000Z" /> 
+        <EventRecordID>686</EventRecordID> 
+        <Channel>System</Channel> 
+        <Computer>Pedro01</Computer> 
+        <Security /> 
+      </System> 
+      <EventData> 
+        <Binary>E607080002000900100009001B0038000000000000000000</Binary> 
+      </EventData> 
+    </Event> 

windows/etw-providers/Microsoft-Windows-Eventlog/events/event-6006.yml

@@ -0,0 +1,37 @@
+name: Event 6006 - The Event Log service was stopped
+description: The Event Log service was stopped. Indicates the proper system shutdown.
+platform: windows
+log_source: Microsoft-Windows-Eventlog
+event_id: '6006'
+event_version: '0'
+event_fields:
+- standard_name: TBD
+  standard_type: TBD
+  name: Binary
+  type: TBD
+  description: TBD
+  sample_value: 0100000031F40800
+references:
+- https://www.shellhacks.com/windows-shutdown-reboot-event-ids-get-logs/
+tags:
+- etw_level_Informational
+event_sample:
+- format: xml
+  sample: |-
+    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
+      <System> 
+        <Provider Name="EventLog" /> 
+        <EventID Qualifiers="32768">6006</EventID> 
+        <Level>4</Level> 
+        <Task>0</Task> 
+        <Keywords>0x80000000000000</Keywords> 
+        <TimeCreated SystemTime="2022-08-09T16:08:38.915070600Z" /> 
+        <EventRecordID>678</EventRecordID> 
+        <Channel>System</Channel> 
+        <Computer>Pedro01</Computer> 
+        <Security /> 
+      </System> 
+      <EventData> 
+        <Binary>0100000031F40800</Binary> 
+      </EventData> 
+    </Event> 

windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4656_registry_v1.yml

@@ -1,5 +1,5 @@
-name: 'Event ID 4656: A handle to an object was requested'
-description: This event indicates that specific access was requested for an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
+name: 'Event ID 4656: A handle to a registry object was requested'
+description: This event indicates that specific access was requested for a registry object.
 platform: windows
 log_source: Microsoft-Windows-Security-Auditing
 event_id: '4656'
@@ -10,13 +10,13 @@ event_fields:
   standard_type: TBD
   name: SubjectUserSid
   type: SID
-  description: SID of account that requested a handle to an object.
+  description: SID of account that requested a handle to a registry object.
   sample_value: S-1-5-21-3457937927-2839227994-823803824-1104
 - standard_name: user_name
   standard_type: TBD
   name: SubjectUserName
   type: UnicodeString
-  description: the name of the account that requested a handle to an object.
+  description: the name of the account that requested a handle to a registry object.
   sample_value: dadmin
 - standard_name: user_domain
   standard_type: TBD
@@ -52,7 +52,7 @@ event_fields:
   standard_type: TBD
   name: HandleId
   type: Pointer
-  description: 'hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, "4663(S): An attempt was made to access an object."'
+  description: 'hexadecimal value of a handle to registry key path. This field can help you correlate this event with other events that might contain the same Handle ID, for example, "4663(S): An attempt was made to access an object."'
   sample_value: '0x0'
 - standard_name: transaction_guid
   standard_type: TBD