Hi,

I can collect Security Events Windows in XML format and send them to my SIEM like i wanted

the result is here for an event 4624

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-10-08T09:48:30.960813800Z'/><EventRecordID>457357</EventRecordID><Correlation/><Execution ProcessID='620' ThreadID='4724'/><Channel>Security</Channel><Computer>test</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-0-0</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>test$</Data><Data Name='TargetDomainName'>test.com</Data><Data Name='TargetLogonId'>0xeb6a3</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>Kerberos</Data><Data Name='AuthenticationPackageName'>Kerberos</Data><Data Name='WorkstationName'>-</Data><Data Name='LogonGuid'>{49b0407a-e478-e673-1f20-942e0965289d}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>::1</Data><Data Name='IpPort'>49805</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>

but now i want some magic and i'm not Harry potter lol

i dont know if it's possible but i would like to

1. use xm_resolver to resolve SID from the SubjectUserSid ?
2. rename <Data Name='TargetUserName'>test$</Data> into <Data Name='computer'>test$</Data> if the eventid = 4624 ?
3. send the final result my siem in LEEF or JSon ?

i don't find any good exemple on internet and all i'm trying is fail.. if someone can help ? thx ;)