Page Comparison

...

Rw ui tabs macro

Rw tab

title	Tables 1-4

box.devo_ea.events_windows
box.devo_ua.events_windows
box.win
box.win_classic

Anchor
tag1
tag1
box.devo_ea.events_windows

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source_event_date

srcTimestamp

utcTime

Code Block
isnotnull(srcTimestamp) ? srcTimestamp : utcTime

timestamp

source

-

Code Block
"box.devo_ea.events_windows"

str

keywords

str

event_type

-

Code Block
null('')

str

channel

logName

str

category

task

str

event_id

eventID

int4

username

userName

user

Code Block
isnotnull(userName) ? userName : user

str

security_id

targetUserSid

targetSid

subjectUserSid

userSid

Code Block
isnotnull(targetSid) ? targetSid : isnotnull(targetUserSid) ? targetUserSid : isnotnull(userSid) ? userSid : subjectUserSid

str

account

subjectUserName

targetUserName

Code Block
isnotnull(targetUserName) ? targetUserName : subjectUserName

str

domain

subjectDomainName

targetDomainName

Code Block
isnotnull(targetDomainName) ? targetDomainName : subjectDomainName

str

machine_ip

hostIp

deaAgentHostIp

Code Block
isnotnull(deaAgentHostIp) ? ip4(deaAgentHostIp) : ip4(hostIp)

ip4

subject_security_id

userSid

str

subject_username

userName

subjectUserName

Code Block
isnotnull(subjectUserName) ? subjectUserName : userName

str

subject_domain

subjectDomainName

str

subject_logon_id

subjectLogonId

str

target_security_id

targetUserSid

targetSid

Code Block
isnotnull(targetSid) ? targetSid : targetUserSid

str

target_username

targetUserName

str

target_domain

targetDomainName

str

target_logon_id

targetLogonId

logonId

Code Block
isnotnull(targetLogonId) ? targetLogonId : logonId

str

target_object

targetObject

str

target_image

targetImage

str

member_security_id

memberSid

str

member_name

memberName

str

group_security_id

-

Code Block
null('')

str

group_name

-

Code Block
null('')

str

group_domain

-

Code Block
null('')

str

sam_account_name

samAccountName

str

logon_type

logonType

str

logon_guid

logonGuid

str

logon_process

-

Code Block
null('')

str

user_account_control

-

Code Block
null('')

str

object_name

objectName

str

object_value_name

objectValueName

str

object_type

objectType

str

object_server

objectServer

str

object_handle

handleId

str

object_resource_attribute

-

Code Block
null('')

str

pid

callerProcessId

processId

Code Block
isnotnull(processId) ? processId : callerProcessId

str

process_name

parentProcessName

path

processName

callerProcessName

Code Block
isnotnull(path) ? path : isnotnull(processName) ? processName : isnotnull(parentProcessName) ? parentProcessName : callerProcessName

str

process_guid

processGuid

str

service

serviceName

str

service_file_name

imagePath

serviceFileName

Code Block
isnotnull(serviceFileName) ? serviceFileName : imagePath

str

service_account

accountName

serviceAccount

Code Block
isnotnull(serviceAccount) ? serviceAccount : accountName

str

machine

computerName

hostname

deaAgentHostname

Code Block
isnotnull(computerName) ? computerName : isnotnull(deaAgentHostname) ? deaAgentHostname : hostname

str

workstation

workstationName

workstation

Code Block
isnotnull(workstation) ? workstation : workstationName

str

message

rawMessage

str

extended_message

rawMessage

str

source_name

providerName

str

source_image

-

Code Block
null('')

str

source_hostname

computerName

sourceHostname

deaAgentHostname

Code Block
isnotnull(sourceHostname) ? sourceHostname : isnotnull(computerName) ? computerName : deaAgentHostname

str

source_ip

ipAddress

sourceIp

Code Block
isnotnull(sourceIp) ? sourceIp : ipAddress

str

source_port

ipPort

sourcePort

Code Block
isnotnull(sourcePort) ? sourcePort : ipPort

str

destination_hostname

destHostname

str

destination_ip

destIp

str

destination_port

destPort

str

status

statusCode

Code Block
isnotnull(status) ? status : statusCode

str

sub_status

subStatus

str

accesses

accessList

str

access_mask

accessMask

str

granted_access

grantedAccess

str

properties

str

recovery_reason

-

Code Block
null('')

str

token_elevation_type

tokenElevationType

str

mandatory_label

mandatoryLabel

str

caller_process_name

callerProcessId

processId

Code Block
isnotnull(callerProcessId) ? callerProcessId : processId

str

caller_process_name

callerProcessName

processName

Code Block
isnotnull(callerProcessName) ? callerProcessName : processName

str

new_pid

newProcessId

str

new_process_name

newProcessName

str

parent_pid

parentProcessId

str

parent_process_name

parentProcessName

str

parent_process_guid

parentProcessGuid

str

parent_command_line

parentCommandLine

str

process_command_line

scriptBlockText

commandLine

Code Block
isnotnull(scriptBlockText) ? scriptBlockText : commandLine

str

file_path

-

Code Block
null('')

str

file_version

fileVersion

str

original_file_name

originalFileName

str

current_directory

currentDirectory

str

integrity_level

integrityLevel

str

hashes

str

company

str

product

str

description

str

import_hash

-

Code Block
null('')

str

start_module

-

Code Block
null('')

str

start_function

-

Code Block
null('')

str

computer_name

computerName

str

device

-

Code Block
null('')

str

pipe_name

-

Code Block
null('')

str

query_name

-

Code Block
null('')

str

query_status

-

Code Block
null('')

str

query_results

-

Code Block
null('')

str

share_name

shareName

str

share_local_path

shareLocalPath

str

relative_target_name

relativeTargetName

str

class_id

classId

str

class_name

className

str

device_id

deviceId

str

device_name

deviceName

str

task_name

taskName

str

task_content

taskContent

str

ticket_options

ticketOptions

str

ticket_encryption_type

ticketEncryptionType

str

signature

str

initiated

str

key_length

keyLength

Code Block
int8(keyLength)

int8

reason

failureReason

accessReason

Code Block
isnull(failureReason) ? accessReason : failureReason

str

image

imagePath

image

Code Block
isnotnull(image) ? image : imagePath

str

parent_image

parentImage

str

context_info

contextInfo

str

engine_version

engineVersion

str

host_version

hostVersion

str

payload

str

layer_rtid

layerRTID

str

authentication_package_name

authenticationPackageName

str

new_value

newValue

str

privilege_list

privilegeList

str

attribute_value

attributeValue

str

attribute_ldap_display_name

attributeLDAPDisplayName

str

audit_policy_changes

auditPolicyChanges

str

power_shell_script_block_id

scriptBlockId

str

operation_type

operationType

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
tag2
tag2
box.devo_ua.events_windows

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source_event_date

srcTimestamp

utcTime

Code Block
isnotnull(srcTimestamp) ? srcTimestamp : utcTime

timestamp

source

-

Code Block
"box.devo_ua.events_windows"

str

keywords

str

event_type

-

Code Block
null('')

str

channel

logName

str

category

task

str

event_id

eventID

int4

username

userName

user

Code Block
isnotnull(userName) ? userName : user

str

security_id

targetUserSid

targetSid

subjectUserSid

userSid

Code Block
isnotnull(targetSid) ? targetSid : isnotnull(targetUserSid) ? targetUserSid : isnotnull(userSid) ? userSid : subjectUserSid

str

account

subjectUserName

targetUserName

Code Block
isnotnull(targetUserName) ? targetUserName : subjectUserName

str

domain

subjectDomainName

targetDomainName

Code Block
isnotnull(targetDomainName) ? targetDomainName : subjectDomainName

str

machine_ip

duaAgentHostIp

hostIp

Code Block
isnotnull(duaAgentHostIp) ? ip4(duaAgentHostIp) : ip4(hostIp)

ip4

subject_security_id

userSid

str

subject_username

userName

subjectUserName

Code Block
isnotnull(subjectUserName) ? subjectUserName : userName

str

subject_domain

subjectDomainName

str

subject_logon_id

subjectLogonId

str

target_security_id

targetUserSid

targetSid

Code Block
isnotnull(targetSid) ? targetSid : targetUserSid

str

target_username

targetUserName

str

target_domain

targetDomainName

str

target_logon_id

targetLogonId

logonId

Code Block
isnotnull(targetLogonId) ? targetLogonId : logonId

str

target_object

targetObject

str

target_image

-

Code Block
null('')

str

member_security_id

memberSid

str

member_name

memberName

str

group_security_id

-

Code Block
null('')

str

group_name

-

Code Block
null('')

str

group_domain

-

Code Block
null('')

str

sam_account_name

samAccountName

str

logon_type

logonType

str

logon_guid

logonGuid

str

logon_process

-

Code Block
null('')

str

user_account_control

-

Code Block
null('')

str

object_name

objectName

str

object_value_name

objectValueName

str

object_type

objectType

str

object_server

objectServer

str

object_handle

handleId

str

object_resource_attribute

-

Code Block
null('')

str

pid

callerProcessId

processId

Code Block
isnotnull(processId) ? processId : callerProcessId

str

process_name

parentProcessName

path

processName

callerProcessName

Code Block
isnotnull(path) ? path : isnotnull(processName) ? processName : isnotnull(parentProcessName) ? parentProcessName : callerProcessName

str

process_guid

processGuid

str

service

serviceName

str

service_file_name

imagePath

serviceFileName

Code Block
isnotnull(serviceFileName) ? serviceFileName : imagePath

str

service_account

accountName

serviceAccount

Code Block
isnotnull(serviceAccount) ? serviceAccount : accountName

str

machine

computerName

hostname

duaAgentHostname

Code Block
isnotnull(computerName) ? computerName : isnotnull(duaAgentHostname) ? duaAgentHostname : hostname

str

workstation

workstationName

workstation

Code Block
isnotnull(workstation) ? workstation : workstationName

str

message

rawMessage

str

extended_message

rawMessage

str

source_name

providerName

str

source_image

-

Code Block
null('')

str

source_hostname

computerName

sourceHostname

duaAgentHostname

Code Block
isnotnull(sourceHostname) ? sourceHostname : isnotnull(computerName) ? computerName : duaAgentHostname

str

source_ip

ipAddress

sourceIp

Code Block
isnotnull(sourceIp) ? sourceIp : ipAddress

str

source_port

ipPort

sourcePort

Code Block
isnotnull(sourcePort) ? sourcePort : ipPort

str

destination_hostname

destHostname

str

destination_ip

destIp

str

destination_port

destPort

str

status

statusCode

Code Block
isnotnull(status) ? status : statusCode

str

sub_status

subStatus

str

accesses

accessList

str

access_mask

accessMask

str

granted_access

-

Code Block
null('')

str

properties

str

recovery_reason

-

Code Block
null('')

str

token_elevation_type

tokenElevationType

str

mandatory_label

mandatoryLabel

str

caller_process_name

callerProcessId

processId

Code Block
isnotnull(callerProcessId) ? callerProcessId : processId

str

caller_process_name

callerProcessName

processName

Code Block
isnotnull(callerProcessName) ? callerProcessName : processName

str

new_pid

newProcessId

str

new_process_name

newProcessName

str

parent_pid

parentProcessId

str

parent_process_name

parentProcessName

str

parent_process_guid

parentProcessGuid

str

parent_command_line

parentCommandLine

str

process_command_line

scriptBlockText

commandLine

Code Block
isnotnull(scriptBlockText) ? scriptBlockText : commandLine

str

file_path

-

Code Block
null('')

str

file_version

fileVersion

str

original_file_name

originalFileName

str

current_directory

currentDirectory

str

integrity_level

integrityLevel

str

hashes

str

company

str

product

str

description

str

import_hash

-

Code Block
null('')

str

start_module

-

Code Block
null('')

str

start_function

-

Code Block
null('')

str

computer_name

computerName

str

device

-

Code Block
null('')

str

pipe_name

-

Code Block
null('')

str

query_name

-

Code Block
null('')

str

query_status

-

Code Block
null('')

str

query_results

-

Code Block
null('')

str

share_name

shareName

str

share_local_path

shareLocalPath

str

relative_target_name

relativeTargetName

str

class_id

classId

str

class_name

className

str

device_id

deviceId

str

device_name

deviceName

str

task_name

taskName

str

task_content

taskContent

str

ticket_options

ticketOptions

str

ticket_encryption_type

ticketEncryptionType

str

signature

str

initiated

str

key_length

keyLength

Code Block
int8(keyLength)

int8

reason

failureReason

accessReason

Code Block
isnull(failureReason) ? accessReason : failureReason

str

image

imagePath

image

Code Block
isnotnull(image) ? image : imagePath

str

parent_image

parentImage

str

context_info

contextInfo

str

engine_version

engineVersion

str

host_version

hostVersion

str

payload

str

layer_rtid

layerRTID

str

authentication_package_name

authenticationPackageName

str

new_value

newValue

str

privilege_list

privilegeList

str

attribute_value

attributeValue

str

attribute_ldap_display_name

attributeLDAPDisplayName

str

audit_policy_changes

auditPolicyChanges

str

power_shell_script_block_id

scriptBlockId

str

operation_type

operationType

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
tag3
tag3
box.win

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source_event_date

srceventdate

timestamp

source

-

Code Block
"box.win"

str

keywords

str

event_type

logType

str

channel

logSource

str

category

str

event_id

eventID

int4

username

str

security_id

subjectSecId

secId

Code Block
isnotnull(secId) ? secId : subjectSecId

str

account

subjectUsername

account

Code Block
isnotnull(account) ? account : subjectUsername

str

domain

subjectDomain

domain

Code Block
isnotnull(domain) ? domain : subjectDomain

str

machine_ip

machineIp

ip4

subject_security_id

subjectSecId

str

subject_username

subjectUsername

str

subject_domain

subjectDomain

str

subject_logon_id

subjectLogonId

str

target_security_id

secId

str

target_username

account

str

target_domain

domain

str

target_logon_id

logonId

str

target_object

targetObject

str

target_image

targetImage

str

member_security_id

memberSid

str

member_name

member

str

group_security_id

groupSecurityId

str

group_name

groupGroupName

str

group_domain

groupGroupDomain

str

sam_account_name

samAccount

str

logon_type

logonType

Code Block
str(logonType)

str

logon_guid

logonGuid

str

logon_process

logonProcess

logonProc

Code Block
isnotnull(logonProc) ? logonProc : logonProcess

str

user_account_control

-

Code Block
null('')

str

object_name

objName

str

object_value_name

objValueName

str

object_type

objType

str

object_server

objServer

str

object_handle

objHandle

str

object_resource_attribute

resourceAttr

str

pid

procId

str

process_name

procName

str

process_guid

procGuid

str

service

str

service_file_name

imagePath

serviceFileName

Code Block
isnotnull(serviceFileName) ? serviceFileName : imagePath

str

service_account

accountName

serviceAccount

Code Block
isnotnull(serviceAccount) ? serviceAccount : accountName

str

machine

str

workstation

workstationName

workstation

Code Block
isnotnull(workstation) ? workstation : workstationName

str

message

str

extended_message

extMessage

str

source_name

sourceName

str

source_image

-

Code Block
null('')

str

source_hostname

srcHost

str

source_ip

srcIp

str

source_port

srcPort

str

destination_hostname

dstHostname

str

destination_ip

dstIp

str

destination_port

dstPort

str

status

str

sub_status

subStatus

str

accesses

str

access_mask

AccessMask

str

granted_access

grantedAccess

str

properties

str

recovery_reason

-

Code Block
null('')

str

token_elevation_type

tokenElevType

str

mandatory_label

mandatoryLabel

str

caller_process_name

procId

str

caller_process_name

procName

str

new_pid

newProcId

str

new_process_name

newProcName

str

parent_pid

-

Code Block
null('')

str

parent_process_name

procName

str

parent_process_guid

-

Code Block
null('')

str

parent_command_line

-

Code Block
null('')

str

process_command_line

commandLine

str

file_path

filePath

str

file_version

-

Code Block
null('')

str

original_file_name

-

Code Block
null('')

str

current_directory

-

Code Block
null('')

str

integrity_level

-

Code Block
null('')

str

hashes

-

Code Block
null('')

str

company

-

Code Block
null('')

str

product

-

Code Block
null('')

str

description

-

Code Block
null('')

str

import_hash

-

Code Block
null('')

str

start_module

-

Code Block
null('')

str

start_function

-

Code Block
null('')

str

computer_name

computer

str

device

str

pipe_name

pipeName

str

query_name

queryName

str

query_status

queryStatus

str

query_results

queryResults

str

share_name

shareName

str

share_local_path

shareLocalPath

str

relative_target_name

relativeTargetName

str

class_id

classId

str

class_name

className

str

device_id

deviceId

str

device_name

deviceName

str

task_name

taskName

str

task_content

taskContent

str

ticket_options

ticketOpts

str

ticket_encryption_type

ticketEncType

str

signature

str

initiated

str

key_length

keyLength

int8

reason

reasonCode

Code Block
isnull(reason) ? reasonCode : reason

str

image

imagePath

str

parent_image

parentImage

str

context_info

-

Code Block
null('')

str

engine_version

-

Code Block
null('')

str

host_version

-

Code Block
null('')

str

payload

-

Code Block
null('')

str

layer_rtid

LayerRuntimeId

str

authentication_package_name

authPkg

str

new_value

newValue

str

privilege_list

privileges

str

attribute_value

dsValue

str

attribute_ldap_display_name

dsLDAPName

str

audit_policy_changes

auditPolicyChanges

str

power_shell_script_block_id

-

Code Block
null('')

str

operation_type

operationType

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
tag4
tag4
box.win_classic

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source_event_date

Timestamp_str

timestamp

source

-

Code Block
"box.win_classic"

str

keywords

Keywords

str

event_type

EventType

str

channel

LogName

str

category

TaskCategory

str

event_id

EventCode

Code Block
int4(EventCode)

int4

username

targetUsername

subjectUsername

newLogonUserName

Code Block
isnotnull(targetUsername) ? targetUsername : isnotnull(subjectUsername) ? subjectUsername : newLogonUserName

str

security_id

targetSecId

subjectSecId

Code Block
isnotnull(targetSecId) ? targetSecId : subjectSecId

str

account

targetUsername

subjectUsername

newLogonUserName

Code Block
isnotnull(targetUsername) ? targetUsername : isnotnull(subjectUsername) ? subjectUsername : newLogonUserName

str

domain

targetDomain

subjectDomain

Code Block
isnotnull(targetDomain) ? targetDomain : subjectDomain

str

machine_ip

machineIp

ip4

subject_security_id

subjectSecId

str

subject_username

subjectUsername

str

subject_domain

subjectDomain

str

subject_logon_id

subjectLogonId

str

target_security_id

targetSecId

str

target_username

targetUsername

str

target_domain

targetDomain

str

target_logon_id

targetLogonId

str

target_object

-

Code Block
null('')

str

target_image

-

Code Block
null('')

str

member_security_id

memberSid

str

member_name

memberName

str

group_security_id

groupSecId

str

group_name

groupName

str

group_domain

groupDomain

str

sam_account_name

samAccountName

str

logon_type

logonType

str

logon_guid

subjectLogonGUID

targetLogonGuid

Code Block
isnotnull(targetLogonGuid) ? targetLogonGuid : subjectLogonGUID

str

logon_process

-

Code Block
null('')

str

user_account_control

userAccountControl_str

str

object_name

objectName

str

object_value_name

-

Code Block
null('')

str

object_type

objectType

str

object_server

objectServer

str

object_handle

-

Code Block
null('')

str

object_resource_attribute

-

Code Block
null('')

str

pid

procId

str

process_name

procName

str

process_guid

-

Code Block
null('')

str

service

serviceName

str

service_file_name

serviceFileName

str

service_account

serviceAccount

str

machine

-

Code Block
null('')

str

workstation

str

message

Message

str

extended_message

-

Code Block
null('')

str

source_name

SourceName

str

source_image

-

Code Block
null('')

str

source_hostname

-

Code Block
null('')

str

source_ip

srcIp

str

source_port

-

Code Block
null('')

str

destination_hostname

-

Code Block
null('')

str

destination_ip

-

Code Block
null('')

str

destination_port

-

Code Block
null('')

str

status

failureStatus

str

sub_status

failureSubStatus

str

accesses

accesses_list

str

access_mask

accessMask

str

granted_access

-

Code Block
null('')

str

properties

-

Code Block
null('')

str

recovery_reason

-

Code Block
null('')

str

token_elevation_type

tokenElevationType

str

mandatory_label

mandatoryLabel

str

caller_process_name

procId

str

caller_process_name

procName

str

new_pid

newProcId

str

new_process_name

newProcName

str

parent_pid

-

Code Block
null('')

str

parent_process_name

-

Code Block
null('')

str

parent_process_guid

-

Code Block
null('')

str

parent_command_line

-

Code Block
null('')

str

process_command_line

procCmdLine

str

file_path

-

Code Block
null('')

str

file_version

-

Code Block
null('')

str

original_file_name

-

Code Block
null('')

str

current_directory

-

Code Block
null('')

str

integrity_level

-

Code Block
null('')

str

hashes

-

Code Block
null('')

str

company

-

Code Block
null('')

str

product

-

Code Block
null('')

str

description

-

Code Block
null('')

str

import_hash

-

Code Block
null('')

str

start_module

-

Code Block
null('')

str

start_function

-

Code Block
null('')

str

computer_name

ComputerName

str

device

-

Code Block
null('')

str

pipe_name

-

Code Block
null('')

str

query_name

-

Code Block
null('')

str

query_status

-

Code Block
null('')

str

query_results

-

Code Block
null('')

str

share_name

shareName

str

share_local_path

sharePath

str

relative_target_name

relativeTargetName

str

class_id

-

Code Block
null('')

str

class_name

-

Code Block
null('')

str

device_id

-

Code Block
null('')

str

device_name

-

Code Block
null('')

str

task_name

taskName

str

task_content

taskContent

str

ticket_options

ticketOpts

str

ticket_encryption_type

ticketOpts

str

signature

-

Code Block
null('')

str

initiated

-

Code Block
null('')

str

key_length

keyLength

Code Block
int8(keyLength)

int8

reason

resultCode

str

image

-

Code Block
null('')

str

parent_image

-

Code Block
null('')

str

context_info

-

Code Block
null('')

str

engine_version

-

Code Block
null('')

str

host_version

-

Code Block
null('')

str

payload

-

Code Block
null('')

str

layer_rtid

-

Code Block
null('')

str

authentication_package_name

-

Code Block
null('')

str

new_value

-

Code Block
null('')

str

privilege_list

privileges_str

str

attribute_value

-

Code Block
null('')

str

attribute_ldap_display_name

-

Code Block
null('')

str

audit_policy_changes

-

Code Block
null('')

str

power_shell_script_block_id

-

Code Block
null('')

str

operation_type

-

Code Block
null('')

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Rw tab

title	Tables 5-8

box.win_cloudwatch
box.win_hf
box.win_kinesis
box.win_nxlog

Anchor
tag5
tag5
box.win_cloudwatch

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source_event_date

serverdate

timestamp

source

-

Code Block
"box.win_cloudwatch"

str

keywords

str

event_type

logType

str

channel

logSource

str

category

str

event_id

eventID

int4

username

str

security_id

subjectSecId

secId

Code Block
isnotnull(secId) ? secId : subjectSecId

str

account

subjectUsername

account

Code Block
isnotnull(account) ? account : subjectUsername

str

domain

subjectDomain

domain

Code Block
isnotnull(domain) ? domain : subjectDomain

str

machine_ip

machineIp

ip4

subject_security_id

subjectSecId

str

subject_username

subjectUsername

str

subject_domain

subjectDomain

str

subject_logon_id

subjectLogonId

str

target_security_id

secId

str

target_username

account

str

target_domain

domain

str

target_logon_id

logonId

str

target_object

targetObject

str

target_image

-

Code Block
null('')

str

member_security_id

memberSid

str

member_name

member

str

group_security_id

groupSecurityId

str

group_name

groupGroupName

str

group_domain

groupGroupDomain

str

sam_account_name

samAccount

str

logon_type

logonType

Code Block
str(logonType)

str

logon_guid

logonGuid

str

logon_process

logonProc

str

user_account_control

userAccountControl

str

object_name

objName

str

object_value_name

objValueName

str

object_type

objType

str

object_server

objServer

str

object_handle

objHandle

str

object_resource_attribute

resourceAttr

str

pid

procId

str

process_name

procName

str

process_guid

-

Code Block
null('')

str

service

str

service_file_name

imagePath

serviceFileName

Code Block
isnotnull(serviceFileName) ? serviceFileName : imagePath

str

service_account

accountName

serviceAccount

Code Block
isnotnull(serviceAccount) ? serviceAccount : accountName

str

machine

logStream

str

workstation

workstationName

workstation

Code Block
isnotnull(workstation) ? workstation : workstationName

str

message

str

extended_message

extMessage

str

source_name

sourceName

str

source_image

-

Code Block
null('')

str

source_hostname

srcHost

str

source_ip

srcIp

str

source_port

srcPort

str

destination_hostname

srcHost

str

destination_ip

dstIp

str

destination_port

dstPort

str

status

str

sub_status

subStatus

str

accesses

str

access_mask

AccessMask

str

granted_access

-

Code Block
null('')

str

properties

str

recovery_reason

-

Code Block
null('')

str

token_elevation_type

tokenElevType

str

mandatory_label

mandatoryLabel

str

caller_process_name

procId

str

caller_process_name

procName

str

new_pid

newProcId

str

new_process_name

newProcName

str

parent_pid

-

Code Block
null('')

str

parent_process_name

procName

str

parent_process_guid

-

Code Block
null('')

str

parent_command_line

-

Code Block
null('')

str

process_command_line

commandLine

str

file_path

filePath

str

file_version

-

Code Block
null('')

str

original_file_name

-

Code Block
null('')

str

current_directory

-

Code Block
null('')

str

integrity_level

-

Code Block
null('')

str

hashes

-

Code Block
null('')

str

company

-

Code Block
null('')

str

product

-

Code Block
null('')

str

description

-

Code Block
null('')

str

import_hash

-

Code Block
null('')

str

start_module

-

Code Block
null('')

str

start_function

-

Code Block
null('')

str

computer_name

computer

str

device

str

pipe_name

pipeName

str

query_name

queryName

str

query_status

queryStatus

str

query_results

queryResults

str

share_name

shareName

str

share_local_path

shareLocalPath

str

relative_target_name

relativeTargetName

str

class_id

classId

str

class_name

className

str

device_id

deviceId

str

device_name

deviceName

str

task_name

taskName

str

task_content

taskContent

str

ticket_options

ticketOpts

str

ticket_encryption_type

ticketEncType

str

signature

str

initiated

str

key_length

keyLength

int8

reason

reasonCode

str

image

imagePath

str

parent_image

parentImage

str

context_info

-

Code Block
null('')

str

engine_version

-

Code Block
null('')

str

host_version

-

Code Block
null('')

str

payload

-

Code Block
null('')

str

layer_rtid

LayerRuntimeId

str

authentication_package_name

authPkg

str

new_value

newValue

str

privilege_list

privileges

str

attribute_value

dsValue

str

attribute_ldap_display_name

dsLDAPName

str

audit_policy_changes

auditPolicyChanges

str

power_shell_script_block_id

-

Code Block
null('')

str

operation_type

operationType

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
tag6
tag6
box.win_hf

Field in union table

Field in custom table

Field transformation

Type

Extra fields

eventdate

timestamp

source_event_date

datetime

UtcTime

Code Block
isnotnull(datetime) ? parsedate(datetime, "MM/DD/YYYY hh:mm:ss A", "UTC") : UtcTime

timestamp

source

-

Code Block
"box.win_hf"

str

keywords

Keywords

str

event_type

EventType

str

channel

LogName

str

category

Category

str

event_id

EventCode

Code Block
int4(EventCode)

int4

username

User_Name

str

security_id

Sid

str

account

subjectUsername

Account_name

Code Block
isnotnull(Account_name) ? Account_name : subjectUsername

str

domain

Domain

str

machine_ip

-

Code Block
ip4('')

ip4

subject_security_id

subjectSecId

str

subject_username

subjectUsername

str

subject_domain

subjectDomain

str

subject_logon_id

subjectLogonId

str

target_security_id

Sid

str

target_username

Account_name

str

target_domain

Domain

str

target_logon_id

Logon_ID

str

target_object

TargetObject

str

target_image

-

Code Block
null('')

str

member_security_id

-

Code Block
null('')

str

member_name

-

Code Block
null('')

str

group_security_id

Group_Security_ID

str

group_name

Group_Name

str

group_domain

Group_Domain

str

sam_account_name

-

Code Block
null('')

str

logon_type

Logon_Type

str

logon_guid

Logon_GUID

str

logon_process

Logon_Process

str

user_account_control

-

Code Block
null('')

str

object_name

Object_Name

str

object_value_name

-

Code Block
null('')

str

object_type

Object_Type

str

object_server

Object_Server

str

object_handle

Object_Handle_ID

str

object_resource_attribute

-

Code Block
null('')

str

pid

Process_ID

ProcessId

Code Block
isnotnull(ProcessId) ? ProcessId : Process_ID

str

process_name

Process_Name

str

process_guid

ProcessGuid

Code Block
isnotnull(ProcessGuid) ? ProcessGuid : ProcessGuid

str

service

Service_Name

str

service_file_name

Service_File_Name

str

service_account

Service_Account

str

machine

machineName

str

workstation

Workstation_Name

str

message

Message

str

extended_message

rawMessage

str

source_name

SourceName

str

source_image

Image

str

source_hostname

SourceHostname

str

source_ip

SourceIp

str

source_port

SourcePort

str

destination_hostname

DestinationHostname

str

destination_ip

DestinationIp

str

destination_port

DestinationPort

str

status

Status_code

str

sub_status

Failure_Sub_Status

str

accesses

str

access_mask

accessMask

str

granted_access

-

Code Block
null('')

str

properties

Operation_Properties

str

recovery_reason

-

Code Block
null('')

str

token_elevation_type

-

Code Block
null('')

str

mandatory_label

-

Code Block
null('')

str

caller_process_name

Process_ID

ProcessId

Code Block
isnotnull(ProcessId) ? ProcessId : Process_ID

str

caller_process_name

Process_Name

str

new_pid

-

Code Block
null('')

str

new_process_name

-

Code Block
null('')

str

parent_pid

ParentProcessId

str

parent_process_name

Process_Name

str

parent_process_guid

ParentProcessGuid

str

parent_command_line

ParentCommandLine

str

process_command_line

CommandLine

str

file_path

-

Code Block
null('')

str

file_version

-

Code Block
null('')

str

original_file_name

-

Code Block
null('')

str

current_directory

CurrentDirectory

str

integrity_level

IntegrityLevel

str

hashes

-

Code Block
null('')

str

company

-

Code Block
null('')

str

product

-

Code Block
null('')

str

description

-

Code Block
null('')

str

import_hash

IMPHASH

str

start_module

-

Code Block
null('')

str

start_function

-

Code Block
null('')

str

computer_name

ComputerName

str

device

-

Code Block
null('')

str

pipe_name

-

Code Block
null('')

str

query_name

-

Code Block
null('')

str

query_status

-

Code Block
null('')

str

query_results

-

Code Block
null('')

str

share_name

shareName

str

share_local_path

sharePath

str

relative_target_name

-

Code Block
null('')

str

class_id

-

Code Block
null('')

str

class_name

-

Code Block
null('')

str

device_id

-

Code Block
null('')

str

device_name

-

Code Block
null('')

str

task_name

-

Code Block
null('')

str

task_content

-

Code Block
null('')

str

ticket_options

Ticket_Options

str

ticket_encryption_type

Ticket_Encryption_Type

str

signature

-

Code Block
null('')

str

initiated

-

Code Block
null('')

str

key_length

Key_Length

Code Block
int8(Key_Length)

int8

reason

Error_Reason

Failure_Reason

Code Block
isnotnull(Error_Reason) ? Error_Reason : Failure_Reason

str

image

Image

str

parent_image

ParentImage

str

context_info

-

Code Block
null('')

str

engine_version

-

Code Block
null('')

str

host_version

Host_Version

str

payload

-

Code Block
null('')

str

layer_rtid

-

Code Block
null('')

str

authentication_package_name

Authentication_Package

str

new_value

-

Code Block
null('')

str

privilege_list

Privileges

str

attribute_value

-

Code Block
null('')

str

attribute_ldap_display_name

-

Code Block
null('')

str

audit_policy_changes

-

Code Block
null('')

str

power_shell_script_block_id

ScriptBlock_ID

str

operation_type

Operation_Type

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
tag7
tag7
box.win_kinesis

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source_event_date

TimeCreated

timestamp

source

-

Code Block
"box.win_kinesis"

str

keywords

Keywords

str

event_type

-

Code Block
null('')

str

channel

LogName

str

category

-

Code Block
null('')

str

event_id

EventId

int4

username

UserName

str

security_id

subject__security_id

account_information__security_id

Code Block
isnotnull(account_information__security_id) ? account_information__security_id : subject__security_id

str

account

subject__account_name

UserName

account_information__account_name

Code Block
isnotnull(account_information__account_name) ? account_information__account_name : isnotnull(subject__account_name) ? subject__account_name : UserName

str

domain

account_information__account_domain

subject__account_domain

Code Block
isnotnull(account_information__account_domain) ? account_information__account_domain : subject__account_domain

str

machine_ip

hostIp

ip4

subject_security_id

subject__security_id

str

subject_username

subject__account_name

str

subject_domain

subject__account_domain

str

subject_logon_id

subject__logon_id

str

target_security_id

account_information__security_id

str

target_username

account_information__account_name

str

target_domain

account_information__account_domain

str

target_logon_id

-

Code Block
null('')

str

target_object

-

Code Block
null('')

str

target_image

-

Code Block
null('')

str

member_security_id

-

Code Block
null('')

str

member_name

-

Code Block
null('')

str

group_security_id

-

Code Block
null('')

str

group_name

-

Code Block
null('')

str

group_domain

-

Code Block
null('')

str

sam_account_name

attribute__sam_account_name

str

logon_type

str

logon_guid

-

Code Block
null('')

str

logon_process

-

Code Block
null('')

str

user_account_control

-

Code Block
null('')

str

object_name

str

object_value_name

str

object_type

str

object_server

str

object_handle

object_handle_id

str

object_resource_attribute

-

Code Block
null('')

str

pid

process_information__process_id

str

process_name

process_information__process_name

str

process_guid

-

Code Block
null('')

str

service

service_information__service_name

str

service_file_name

service_information__service_file_name

str

service_account

service_information__service_account

str

machine

MachineName

str

workstation

network_information__workstation_name

str

message

Description

str

extended_message

Description

str

source_name

ProviderName

str

source_image

-

Code Block
null('')

str

source_hostname

hostname

str

source_ip

network_information__source_address

str

source_port

-

Code Block
null('')

str

destination_hostname

-

Code Block
null('')

str

destination_ip

network_information__destination_address

str

destination_port

network_information__destination_port

str

status

-

Code Block
null('')

str

sub_status

failure_reason__sub_status

str

accesses

access_request_information__accesses

str

access_mask

access_request_information__access_mask

str

granted_access

-

Code Block
null('')

str

properties

access_request_information__properties

str

recovery_reason

-

Code Block
null('')

str

token_elevation_type

-

Code Block
null('')

str

mandatory_label

-

Code Block
null('')

str

caller_process_name

process_information__process_id

str

caller_process_name

process_information__process_name

str

new_pid

-

Code Block
null('')

str

new_process_name

-

Code Block
null('')

str

parent_pid

-

Code Block
null('')

str

parent_process_name

-

Code Block
null('')

str

parent_process_guid

-

Code Block
null('')

str

parent_command_line

-

Code Block
null('')

str

process_command_line

-

Code Block
null('')

str

file_path

-

Code Block
null('')

str

file_version

-

Code Block
null('')

str

original_file_name

-

Code Block
null('')

str

current_directory

-

Code Block
null('')

str

integrity_level

-

Code Block
null('')

str

hashes

-

Code Block
null('')

str

company

-

Code Block
null('')

str

product

-

Code Block
null('')

str

description

-

Code Block
null('')

str

import_hash

-

Code Block
null('')

str

start_module

-

Code Block
null('')

str

start_function

-

Code Block
null('')

str

computer_name

-

Code Block
null('')

str

device

-

Code Block
null('')

str

pipe_name

-

Code Block
null('')

str

query_name

-

Code Block
null('')

str

query_status

-

Code Block
null('')

str

query_results

-

Code Block
null('')

str

share_name

share_information__share_name

str

share_local_path

share_information__share_path

str

relative_target_name

share_information__relative_target_name

str

class_id

-

Code Block
null('')

str

class_name

-

Code Block
null('')

str

device_id

-

Code Block
null('')

str

device_name

-

Code Block
null('')

str

task_name

task_information__task_name

str

task_content

task_information__task_content

str

ticket_options

additional_information__ticket_options

str

ticket_encryption_type

additional_information__ticket_encryption_type

str

signature

-

Code Block
null('')

str

initiated

-

Code Block
null('')

str

key_length

detailed_authentication_information__key_length

Code Block
int8(detailed_authentication_information__key_length)

int8

reason

access_request_information__access_reasons

str

image

-

Code Block
null('')

str

parent_image

-

Code Block
null('')

str

context_info

-

Code Block
null('')

str

engine_version

-

Code Block
null('')

str

host_version

-

Code Block
null('')

str

payload

-

Code Block
null('')

str

layer_rtid

filter_information__layer_runtime_id

str

authentication_package_name

detailed_authentication_information__authentication_package

str

new_value

change_information__new_value

str

privilege_list

additional_information__privileges

str

attribute_value

attribute__value

str

attribute_ldap_display_name

attribute__ldap_display_name

str

audit_policy_changes

audit_policy__changes

str

power_shell_script_block_id

-

Code Block
null('')

str

operation_type

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
tag8
tag8
box.win_nxlog

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source_event_date

UtcTime

timestamp

Code Block
isnotnull(timestamp) ? timestamp : UtcTime

timestamp

source

-

Code Block
"box.win_nxlog"

str

keywords

Keywords

str

event_type

EventType

str

channel

Channel

str

category

Category

str

event_id

EventID

int4

username

User

str

security_id

SubjectUserSid

TargetSid

Code Block
isnotnull(TargetSid) ? TargetSid : SubjectUserSid

str

account

SubjectUserName

TargetUserName

Code Block
isnotnull(TargetUserName) ? TargetUserName : SubjectUserName

str

domain

SubjectDomainName

TargetDomainName

Code Block
isnotnull(TargetDomainName) ? TargetDomainName : SubjectDomainName

str

machine_ip

hostIp

ip4

subject_security_id

SubjectUserSid

str

subject_username

SubjectUserName

str

subject_domain

SubjectDomainName

str

subject_logon_id

SubjectLogonId

str

target_security_id

TargetSid

str

target_username

TargetUserName

str

target_domain

TargetDomainName

str

target_logon_id

TargetLogonId

str

target_object

TargetObject

str

target_image

TargetImage

str

member_security_id

MemberSid

str

member_name

MemberName

str

group_security_id

-

Code Block
null('')

str

group_name

-

Code Block
null('')

str

group_domain

-

Code Block
null('')

str

sam_account_name

SamAccountName

str

logon_type

LogonType

str

logon_guid

LogonGuid

str

logon_process

-

Code Block
null('')

str

user_account_control

UserAccountControl

str

object_name

ObjectName

str

object_value_name

ObjectValueName

str

object_type

ObjectType

str

object_server

ObjectServer

str

object_handle

HandleId

str

object_resource_attribute

-

Code Block
null('')

str

pid

ProcessId

CallerProcessId

Code Block
isnotnull(ProcessId) ? ProcessId : CallerProcessId

str

process_name

CallerProcessName

ProcessName

Code Block
isnotnull(ProcessName) ? ProcessName : CallerProcessName

str

process_guid

ProcessGuid

str

service

ServiceName

str

service_file_name

ServiceFileName

ImagePath

Code Block
isnotnull(ServiceFileName) ? ServiceFileName : ImagePath

str

service_account

AccountName

ServiceAccount

Code Block
isnotnull(ServiceAccount) ? ServiceAccount : AccountName

str

machine

Hostname

str

workstation

WorkstationName

Workstation

Code Block
isnotnull(WorkstationName) ? WorkstationName : Workstation

str

message

Message

str

extended_message

Message

str

source_name

SourceName

str

source_image

SourceImage

str

source_hostname

Hostname

str

source_ip

IpAddress

str

source_port

IpPort

str

destination_hostname

DestinationHostname

str

destination_ip

DestinationIp

str

destination_port

DestinationPort

str

status

Status

str

sub_status

subStatus

str

accesses

AccessList

str

access_mask

AccessMask

str

granted_access

GrantedAccess

str

properties

Properties

str

recovery_reason

-

Code Block
null('')

str

token_elevation_type

TokenElevationType

str

mandatory_label

MandatoryLabel

str

caller_process_name

ProcessId

CallerProcessId

Code Block
isnotnull(CallerProcessId) ? CallerProcessId : ProcessId

str

caller_process_name

CallerProcessName

ProcessName

Code Block
isnotnull(CallerProcessName) ? CallerProcessName : ProcessName

str

new_pid

NewProcessId

str

new_process_name

NewProcessName

str

parent_pid

ParentProcessId

str

parent_process_name

ParentProcessName

str

parent_process_guid

ParentProcessGuid

str

parent_command_line

ParentCommandLine

str

process_command_line

CommandLine

str

file_path

-

Code Block
null('')

str

file_version

FileVersion

str

original_file_name

OriginalFileName

str

current_directory

CurrentDirectory

str

integrity_level

IntegrityLevel

str

hashes

Hashes

str

company

Company

str

product

Product

str

description

Description

str

import_hash

ImpHash

str

start_module

StartModule

str

start_function

StartFunction

str

computer_name

-

Code Block
null('')

str

device

Device

str

pipe_name

-

Code Block
null('')

str

query_name

-

Code Block
null('')

str

query_status

-

Code Block
null('')

str

query_results

-

Code Block
null('')

str

share_name

ShareName

str

share_local_path

ShareLocalPath

str

relative_target_name

RelativeTargetName

str

class_id

ClassId

str

class_name

ClassName

str

device_id

DeviceId

str

device_name

DeviceName

str

task_name

TaskName

str

task_content

TaskContent

str

ticket_options

TicketOptions

str

ticket_encryption_type

TicketEncryptionType

str

signature

Signature

str

initiated

Initiated

str

key_length

KeyLength

Code Block
int8(KeyLength)

int8

reason

FailureReason

AccessReason

Code Block
isnull(FailureReason) ? AccessReason : FailureReason

str

image

Image

str

parent_image

ParentImage

str

context_info

ContextInfo

str

engine_version

EngineVersion

str

host_version

HostVersion

str

payload

Payload

str

layer_rtid

LayerRTID

str

authentication_package_name

AuthenticationPackageName

str

new_value

NewValue

str

privilege_list

PrivilegeList

str

attribute_value

AttributeValue

str

attribute_ldap_display_name

AttributeLDAPDisplayName

str

audit_policy_changes

AuditPolicyChanges

str

power_shell_script_block_id

-

Code Block
null('')

str

operation_type

OperationType

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Rw tab

title	Tables 9-12

box.win_quest.change_auditor.leef
box.win_snare
box.win_solarwinds
box.win_winlogbeat

Anchor
tag9
tag9
box.win_quest.change_auditor.leef

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source_event_date

isotimestamp

timestamp

source

-

Code Block
"box.win_quest.change_auditor"

str

keywords

-

Code Block
null('')

str

event_type

facility

str

channel

-

Code Block
null('')

str

category

action

str

event_id

EventID

int4

username

user

str

security_id

userSid

str

account

user

str

domain

str

machine_ip

ipAddress

ip4

subject_security_id

userSid

str

subject_username

user

str

subject_domain

domain

str

subject_logon_id

id

str

target_security_id

userSid

str

target_username

user

str

target_domain

domain

str

target_logon_id

-

Code Block
null('')

str

target_object

-

Code Block
null('')

str

target_image

-

Code Block
null('')

str

member_security_id

-

Code Block
null('')

str

member_name

-

Code Block
null('')

str

group_security_id

-

Code Block
null('')

str

group_name

-

Code Block
null('')

str

group_domain

-

Code Block
null('')

str

sam_account_name

samAccountName

str

logon_type

-

Code Block
null('')

str

logon_guid

-

Code Block
null('')

str

logon_process

-

Code Block
null('')

str

user_account_control

-

Code Block
null('')

str

object_name

objectName

str

object_value_name

-

Code Block
null('')

str

object_type

objectClass

str

object_server

-

Code Block
null('')

str

object_handle

-

Code Block
null('')

str

object_resource_attribute

-

Code Block
null('')

str

pid

-

Code Block
null('')

str

process_name

-

Code Block
null('')

str

process_guid

-

Code Block
null('')

str

service

-

Code Block
null('')

str

service_file_name

-

Code Block
null('')

str

service_account

-

Code Block
null('')

str

machine

computer

str

workstation

-

Code Block
null('')

str

message

description

str

extended_message

description

str

source_name

-

Code Block
null('')

str

source_image

-

Code Block
null('')

str

source_hostname

serverFqdn

str

source_ip

originIPv4

Code Block
str(originIPv4)

str

source_port

-

Code Block
null('')

str

destination_hostname

-

Code Block
null('')

str

destination_ip

-

Code Block
null('')

str

destination_port

dstPort

str

status

adStatusCode

str

sub_status

-

Code Block
null('')

str

accesses

-

Code Block
null('')

str

access_mask

-

Code Block
null('')

str

granted_access

-

Code Block
null('')

str

properties

-

Code Block
null('')

str

recovery_reason

-

Code Block
null('')

str

token_elevation_type

-

Code Block
null('')

str

mandatory_label

-

Code Block
null('')

str

caller_process_name

-

Code Block
null('')

str

caller_process_name

-

Code Block
null('')

str

new_pid

-

Code Block
null('')

str

new_process_name

-

Code Block
null('')

str

parent_pid

-

Code Block
null('')

str

parent_process_name

-

Code Block
null('')

str

parent_process_guid

-

Code Block
null('')

str

parent_command_line

-

Code Block
null('')

str

process_command_line

-

Code Block
null('')

str

file_path

-

Code Block
null('')

str

file_version

-

Code Block
null('')

str

original_file_name

-

Code Block
null('')

str

current_directory

-

Code Block
null('')

str

integrity_level

-

Code Block
null('')

str

hashes

-

Code Block
null('')

str

company

-

Code Block
null('')

str

product

-

Code Block
null('')

str

description

-

Code Block
null('')

str

import_hash

-

Code Block
null('')

str

start_module

-

Code Block
null('')

str

start_function

-

Code Block
null('')

str

computer_name

computer

str

device

-

Code Block
null('')

str

pipe_name

-

Code Block
null('')

str

query_name

-

Code Block
null('')

str

query_status

-

Code Block
null('')

str

query_results

-

Code Block
null('')

str

share_name

-

Code Block
null('')

str

share_local_path

-

Code Block
null('')

str

relative_target_name

-

Code Block
null('')

str

class_id

-

Code Block
null('')

str

class_name

-

Code Block
null('')

str

device_id

-

Code Block
null('')

str

device_name

-

Code Block
null('')

str

task_name

-

Code Block
null('')

str

task_content

-

Code Block
null('')

str

ticket_options

-

Code Block
null('')

str

ticket_encryption_type

-

Code Block
null('')

str

signature

-

Code Block
null('')

str

initiated

-

Code Block
null('')

str

key_length

-

Code Block
null(int8(0))

int8

reason

-

Code Block
null('')

str

image

-

Code Block
null('')

str

parent_image

-

Code Block
null('')

str

context_info

-

Code Block
null('')

str

engine_version

-

Code Block
null('')

str

host_version

-

Code Block
null('')

str

payload

-

Code Block
null('')

str

layer_rtid

-

Code Block
null('')

str

authentication_package_name

-

Code Block
null('')

str

new_value

-

Code Block
null('')

str

privilege_list

-

Code Block
null('')

str

attribute_value

-

Code Block
null('')

str

attribute_ldap_display_name

-

Code Block
null('')

str

audit_policy_changes

-

Code Block
null('')

str

power_shell_script_block_id

-

Code Block
null('')

str

operation_type

-

Code Block
null('')

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
tag10
tag10
box.win_snare

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source_event_date

srceventdate

timestamp

source

-

Code Block
"box.win_snare"

str

keywords

-

Code Block
null('')

str

event_type

logType

str

channel

logSource

str

category

str

event_id

eventID

int4

username

str

security_id

subjectSecId

secId

Code Block
isnotnull(secId) ? secId : subjectSecId

str

account

subjectUsername

account

Code Block
isnotnull(account) ? account : subjectUsername

str

domain

subjectDomain

domain

Code Block
isnotnull(domain) ? domain : subjectDomain

str

machine_ip

machineIp

ip4

subject_security_id

subjectSecId

str

subject_username

subjectUsername

str

subject_domain

subjectDomain

str

subject_logon_id

subjectLogonId

str

target_security_id

secId

str

target_username

account

str

target_domain

domain

str

target_logon_id

logonId

str

target_object

-

Code Block
null('')

str

target_image

-

Code Block
null('')

str

member_security_id

memberSid

str

member_name

member

str

group_security_id

groupSecurityId

str

group_name

groupName

str

group_domain

groupDomain

str

sam_account_name

SamAccountName

str

logon_type

logonType

str

logon_guid

logonGuid

str

logon_process

logonProc

str

user_account_control

UserAccountControl

str

object_name

objName

str

object_value_name

objValueName

str

object_type

objType

str

object_server

objServer

str

object_handle

objHandle

str

object_resource_attribute

objResourceAtt

str

pid

callerProcId

procId

Code Block
isnotnull(procId) ? procId : callerProcId

str

process_name

procName

callerProcName

Code Block
isnotnull(procName) ? procName : callerProcName

str

process_guid

-

Code Block
null('')

str

service

str

service_file_name

serviceFileName

str

service_account

serviceAccount

str

machine

computerName

str

workstation

str

message

expanded

str

extended_message

expanded

str

source_name

sourceName

str

source_image

-

Code Block
null('')

str

source_hostname

HostName

str

source_ip

srcIp

str

source_port

srcPort

str

destination_hostname

-

Code Block
null('')

str

destination_ip

dstIp

str

destination_port

dstPort

str

status

str

sub_status

subStatus

str

accesses

str

access_mask

accessMask

str

granted_access

-

Code Block
null('')

str

properties

str

recovery_reason

recoveryReason

str

token_elevation_type

tokenElevType

str

mandatory_label

mandatoryLabel

str

caller_process_namecallerProcId

callerProcId

procId

Code Block
isnotnull(callerProcId) ? callerProcId : procId

str

caller_process_name

procName

callerProcName

Code Block
isnotnull(callerProcName) ? callerProcName : procName

str

new_pid

newProcessId

str

new_process_name

newProcessName

str

parent_pid

-

Code Block
null('')

str

parent_process_name

-

Code Block
null('')

str

parent_process_guid

-

Code Block
null('')

str

parent_command_line

-

Code Block
null('')

str

process_command_line

procCmdLine

str

file_path

-

Code Block
null('')

str

file_version

-

Code Block
null('')

str

original_file_name

-

Code Block
null('')

str

current_directory

-

Code Block
null('')

str

integrity_level

-

Code Block
null('')

str

hashes

-

Code Block
null('')

str

company

-

Code Block
null('')

str

product

-

Code Block
null('')

str

description

-

Code Block
null('')

str

import_hash

-

Code Block
null('')

str

start_module

-

Code Block
null('')

str

start_function

-

Code Block
null('')

str

computer_name

computerName

str

device

-

Code Block
null('')

str

pipe_name

-

Code Block
null('')

str

query_name

-

Code Block
null('')

str

query_status

-

Code Block
null('')

str

query_results

-

Code Block
null('')

str

share_name

shareName

str

share_local_path

sharePath

str

relative_target_name

relativeTargetName

str

class_id

classId

str

class_name

className

str

device_id

deviceId

str

device_name

deviceName

str

task_name

taskName

str

task_content

taskContent

str

ticket_options

ticketOpts

str

ticket_encryption_type

ticketEncType

str

signature

-

Code Block
null('')

str

initiated

-

Code Block
null('')

str

key_length

keyLength

int8

reason

reasonCode

str

image

-

Code Block
null('')

str

parent_image

-

Code Block
null('')

str

context_info

context

str

engine_version

EngineVersion

str

host_version

HostVersion

str

payload

eventSummary

str

layer_rtid

layerRTID

str

authentication_package_name

authPkg

str

new_value

newValue

str

privilege_list

privileges

str

attribute_value

dsValue

str

attribute_ldap_display_name

dsLDAPName

str

audit_policy_changes

auditPolicyChanges

str

power_shell_script_block_id

-

Code Block
null('')

str

operation_type

operationType

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
tag11
tag11
box.win_solarwinds

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source_event_date

submitTime

timestamp

source

-

Code Block
"box.win_solarwinds"

str

keywords

-

Code Block
null('')

str

event_type

logType

str

channel

logSource

str

category

str

event_id

eventID

int4

username

userName

str

security_id

subjectSecId

secId

Code Block
isnotnull(secId) ? secId : subjectSecId

str

account

subjectUsername

account

Code Block
isnotnull(account) ? account : subjectUsername

str

domain

subjectDomain

domain

Code Block
isnotnull(domain) ? domain : subjectDomain

str

machine_ip

machineIp

ip4

subject_security_id

subjectSecId

str

subject_username

subjectUsername

str

subject_domain

subjectDomain

str

subject_logon_id

subjectLogonId

str

target_security_id

secId

str

target_username

account

str

target_domain

domain

str

target_logon_id

targetLogonId

str

target_object

-

Code Block
null('')

str

target_image

-

Code Block
null('')

str

member_security_id

memberSid

str

member_name

memberName

str

group_security_id

-

Code Block
null('')

str

group_name

-

Code Block
null('')

str

group_domain

-

Code Block
null('')

str

sam_account_name

samAccountName

str

logon_type

logonType

str

logon_guid

subjectLogonGUID

targetLogonGuid

Code Block
isnotnull(targetLogonGuid) ? targetLogonGuid : subjectLogonGUID

str

logon_process

-

Code Block
null('')

str

user_account_control

userAccountControl_str

str

object_name

objName

str

object_value_name

objValueName

str

object_type

objType

str

object_server

objServer

str

object_handle

objHandleID

str

object_resource_attribute

-

Code Block
null('')

str

pid

procId

str

process_name

procName

str

process_guid

-

Code Block
null('')

str

service

serviceName

str

service_file_name

serviceFileName

str

service_account

serviceAccount

str

machine

computerName

str

workstation

str

message

msg

str

extended_message

msg

str

source_name

sourceName

str

source_image

-

Code Block
null('')

str

source_hostname

hostname

str

source_ip

srcIp

str

source_port

srcPort

str

destination_hostname

-

Code Block
null('')

str

destination_ip

dstIp

str

destination_port

dstPort

str

status

str

sub_status

subStatus

str

accesses

accesses_list

str

access_mask

accessMask

str

granted_access

-

Code Block
null('')

str

properties

str

recovery_reason

-

Code Block
null('')

str

token_elevation_type

tokenElevationType

str

mandatory_label

mandatoryLabel

str

caller_process_name

procId

str

caller_process_name

procName

str

new_pid

newProcId

str

new_process_name

newProcName

str

parent_pid

-

Code Block
null('')

str

parent_process_name

-

Code Block
null('')

str

parent_process_guid

-

Code Block
null('')

str

parent_command_line

-

Code Block
null('')

str

process_command_line

procCmdLine

str

file_path

-

Code Block
null('')

str

file_version

-

Code Block
null('')

str

original_file_name

-

Code Block
null('')

str

current_directory

-

Code Block
null('')

str

integrity_level

-

Code Block
null('')

str

hashes

-

Code Block
null('')

str

company

-

Code Block
null('')

str

product

-

Code Block
null('')

str

description

-

Code Block
null('')

str

import_hash

-

Code Block
null('')

str

start_module

-

Code Block
null('')

str

start_function

-

Code Block
null('')

str

computer_name

computerName

str

device

-

Code Block
null('')

str

pipe_name

-

Code Block
null('')

str

query_name

-

Code Block
null('')

str

query_status

-

Code Block
null('')

str

query_results

-

Code Block
null('')

str

share_name

shareName

str

share_local_path

sharePath

str

relative_target_name

relativeTargetName

str

class_id

-

Code Block
null('')

str

class_name

-

Code Block
null('')

str

device_id

-

Code Block
null('')

str

device_name

-

Code Block
null('')

str

task_name

taskName

str

task_content

taskContent

str

ticket_options

ticketOpts

str

ticket_encryption_type

ticketEncType

str

signature

-

Code Block
null('')

str

initiated

-

Code Block
null('')

str

key_length

keyLength

int8

reason

reasonCode

str

image

-

Code Block
null('')

str

parent_image

-

Code Block
null('')

str

context_info

-

Code Block
null('')

str

engine_version

-

Code Block
null('')

str

host_version

-

Code Block
null('')

str

payload

-

Code Block
null('')

str

layer_rtid

layerRTID

str

authentication_package_name

authPkg

str

new_value

newValue

str

privilege_list

privileges_list

str

attribute_value

attributeValue

str

attribute_ldap_display_name

attributeLDAPDisplayName

str

audit_policy_changes

auditPolicyChanges

str

power_shell_script_block_id

-

Code Block
null('')

str

operation_type

objOpType

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
tag12
tag12
box.win_winlogbeat

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source_event_date

at_timestamp

winlog__event_data__UtcTime

Code Block
isnotnull(at_timestamp) ? at_timestamp : winlog__event_data__UtcTime

timestamp

source

-

Code Block
"box.win_winlogbeat"

str

keywords

-

Code Block
null('')

str

event_type

winlog__keywords_first

str

channel

winlog__channel

str

category

winlog__task

str

event_id

winlog__event_id

int4

username

winlog__user__name

winlog__event_data__User

Code Block
isnotnull(winlog__user__name) ? winlog__user__name : winlog__event_data__User

str

security_id

winlog__event_data__SubjectUserSid

winlog__event_data__TargetUserSid

Code Block
isnotnull(winlog__event_data__TargetUserSid) ? winlog__event_data__TargetUserSid : winlog__event_data__SubjectUserSid

str

account

winlog__event_data__TargetUserName

winlog__event_data__SubjectUserName

Code Block
isnotnull(winlog__event_data__TargetUserName) ? winlog__event_data__TargetUserName : winlog__event_data__SubjectUserName

str

domain

winlog__user__domain

str

machine_ip

host__ip_first

Code Block
ip4(host__ip_first)

ip4

subject_security_id

winlog__event_data__SubjectUserSid

str

subject_username

winlog__event_data__SubjectUserName

str

subject_domain

winlog__event_data__SubjectDomainName

str

subject_logon_id

winlog__event_data__SubjectLogonId

str

target_security_id

winlog__event_data__TargetUserSid

str

target_username

winlog__event_data__TargetUserName

str

target_domain

winlog__event_data__TargetDomainName

str

target_logon_id

winlog__event_data__TargetLogonId

str

target_object

winlog__event_data__TargetObject

str

target_image

-

Code Block
null('')

str

member_security_id

-

Code Block
null('')

str

member_name

winlog__event_data__MemberName

str

group_security_id

group__id

str

group_name

group__name

str

group_domain

group__domain

str

sam_account_name

winlog__event_data__SamAccountName

str

logon_type

winlog__event_data__LogonType

str

logon_guid

winlog__event_data__LogonGuid

str

logon_process

winlog__event_data__LogonProcessName

str

user_account_control

-

Code Block
null('')

str

object_name

winlog__event_data__ObjectName

str

object_value_name

winlog__event_data__ObjectValueName

str

object_type

winlog__event_data__ObjectType

str

object_server

winlog__event_data__ObjectServer

str

object_handle

winlog__event_data__HandleId

str

object_resource_attribute

-

Code Block
null('')

str

pid

winlog__event_data__CallerProcessId

winlog__event_data__ProcessId

Code Block
isnotnull(winlog__event_data__ProcessId) ? winlog__event_data__ProcessId : winlog__event_data__CallerProcessId

str

process_name

winlog__event_data__CallerProcessName

winlog__event_data__ProcessName

Code Block
isnotnull(winlog__event_data__ProcessName) ? winlog__event_data__ProcessName : winlog__event_data__CallerProcessName

str

process_guid

winlog__event_data__ProcessGuid

str

service

winlog__event_data__ServiceName

str

service_file_name

winlog__event_data__ServiceFileName

winlog__event_data__ImagePath

Code Block
isnotnull(winlog__event_data__ServiceFileName) ? winlog__event_data__ServiceFileName : winlog__event_data__ImagePath

str

service_account

winlog__event_data__ServiceAccount

str

machine

host__hostname

str

workstation

winlog__event_data__WorkstationName

winlog__event_data__Workstation

Code Block
isnotnull(winlog__event_data__WorkstationName) ? winlog__event_data__WorkstationName : winlog__event_data__Workstation

str

message

str

extended_message

-

Code Block
null('')

str

source_name

winlog__provider_name

str

source_image

-

Code Block
null('')

str

source_hostname

host__name

str

source_ip

winlog__event_data__IpAddress

str

source_port

winlog__event_data__IpPort

str

destination_hostname

-

Code Block
null('')

str

destination_ip

winlog__event_data__DestIp

str

destination_port

winlog__event_data__DestPort

str

status

event__outcome

str

sub_status

winlog__event_data__sub_status

str

accesses

winlog__event_data__AccessList

str

access_mask

winlog__event_data__AccessMask

str

granted_access

-

Code Block
null('')

str

properties

winlog__event_data__Properties

str

recovery_reason

-

Code Block
null('')

str

token_elevation_type

winlog__event_data__TokenElevationType

str

mandatory_label

winlog__event_data__MandatoryLabel

str

caller_process_name

winlog__event_data__CallerProcessId

winlog__event_data__ProcessId

Code Block
isnotnull(winlog__event_data__CallerProcessId) ? winlog__event_data__CallerProcessId : winlog__event_data__ProcessId

str

caller_process_name

winlog__event_data__ProcessName

winlog__event_data__CallerProcessName

Code Block
isnotnull(winlog__event_data__CallerProcessName) ? winlog__event_data__CallerProcessName : winlog__event_data__ProcessName

str

new_pid

winlog__event_data__NewProcessId

str

new_process_name

winlog__event_data__NewProcessName

str

parent_pid

winlog__event_data__ParentProcessId

str

parent_process_name

process__parent__name

str

parent_process_guid

winlog__event_data__ParentProcessGuid

str

parent_command_line

winlog__event_data__ParentCommandLine

str

process_command_line

process__command_line

str

file_path

-

Code Block
null('')

str

file_version

winlog__event_data__FileVersion

str

original_file_name

winlog__event_data__OriginalFileName

str

current_directory

winlog__event_data__CurrentDirectory

str

integrity_level

winlog__event_data__IntegrityLevel

str

hashes

winlog__event_data__Hashes

str

company

winlog__event_data__Company

str

product

winlog__event_data__Product

str

description

winlog__event_data__Description

str

import_hash

-

Code Block
null('')

str

start_module

-

Code Block
null('')

str

start_function

-

Code Block
null('')

str

computer_name

winlog__computer_name

str

device

-

Code Block
null('')

str

pipe_name

-

Code Block
null('')

str

query_name

winlog__event_data__QueryName

str

query_status

winlog__event_data__QueryStatus

str

query_results

winlog__event_data__QueryResults

str

share_name

winlog__event_data__ShareName

str

share_local_path

winlog__event_data__ShareLocalPath

str

relative_target_name

winlog__event_data__RelativeTargetName

str

class_id

winlog__event_data__ClassId

str

class_name

winlog__event_data__ClassName

str

device_id

winlog__event_data__DeviceId

str

device_name

winlog__event_data__DeviceDescription

str

task_name

winlog__event_data__TaskName

str

task_content

winlog__event_data__TaskContent

str

ticket_options

winlog__event_data__TicketOptions

str

ticket_encryption_type

winlog__event_data__TicketEncryptionType

str

signature

winlog__event_data__Signature

str

initiated

winlog__event_data__Initiated

str

key_length

winlog__event_data__KeyLength

Code Block
int8(winlog__event_data__KeyLength)

int8

reason

winlog__event_data__FailureReason

winlog__event_data__AccessReason

Code Block
isnull(winlog__event_data__FailureReason) ? winlog__event_data__AccessReason : winlog__event_data__FailureReason

str

image

winlog__event_data__Image

str

parent_image

winlog__event_data__ParentImage

str

context_info

winlog__event_data__ContextInfo

str

engine_version

message__engineVersion

str

host_version

message__hostVersion

str

payload

winlog__event_data__Payload

str

layer_rtid

winlog__event_data__LayerRTID

str

authentication_package_name

winlog__event_data__AuthenticationPackageName

str

new_value

winlog__event_data__NewValue

str

privilege_list

winlog__event_data__PrivilegeList

str

attribute_value

winlog__event_data__AttributeValue

str

attribute_ldap_display_name

winlog__event_data__AttributeLDAPDisplayName

str

audit_policy_changes

winlog__event_data__AuditPolicyChanges

str

power_shell_script_block_id

-

Code Block
null('')

str

operation_type

winlog__event_data__OperationType

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Rw tab

title	Tables 13-17

box.winNxlog
cef0.microsoft.microsoftWindows
cloud.azure.vm.applicationevent
cloud.azure.vm.securityevent
cloud.azure.vm.systemevent

Anchor
tagwin
tagwin
box.winNxlog

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source_event_date

timestamp

source

-

Code Block
"box.winNxlog"

str

keywords

Keywords

str

event_type

str

channel

SourceName

str

category

Category

str

event_id

str

username

User

str

security_id

str

account

TargetUserName

SubjectUserName

Code Block
isnotnull(TargetUserName) ? TargetUserName : SubjectUserName

str

domain

SubjectDomainName

TargetDomainName

Code Block
isnotnull(TargetDomainName) ? TargetDomainName : SubjectDomainName

str

machine_ip

str

subject_security_id

str

subject_username

str

subject_domain

str

subject_logon_id

str

target_security_id

str

target_username

str

target_domain

str

target_logon_id

str

target_object

str

target_image

str

member_security_id

str

member_name

str

group_security_id

str

group_name

str

group_domain

str

sam_account_name

str

logon_type

str

logon_guid

str

logon_process

str

user_account_control

str

object_name

str

object_value_name

str

object_type

str

object_server

str

object_handle

str

object_resource_attribute

str

object_class

ObjectClass

str

object_dn

ObjectDN

str

pid

str

process_name

str

process_guid

str

service

ServiceName

str

service_file_name

str

service_account

str

machine

Hostname

str

workstation

WorkstationName

str

message

Message

str

extended_message

str

source_name

str

source_image

str

source_hostname

str

source_ip

str

source_ipv4

ip4

source_port

str

destination_hostname

str

destination_ip

str

destination_ipv4

ip4

destination_port

str

status

Status

str

sub_status

SubStatus

str

accesses

AccessList

str

access_mask

str

granted_access

str

properties

Properties

str

recovery_reason

str

token_elevation_type

str

mandatory_label

str

caller_pid

str

caller_process_name

str

new_pid

str

new_process_name

str

parent_pid

str

parent_process_name

str

parent_process_guid

str

parent_command_line

str

process_command_line

str

file_path

str

file_version

str

original_file_name

str

current_directory

str

integrity_level

str

hashes

Hashes

str

company

Company

str

product

Product

str

description

Description

str

import_hash

str

start_module

str

start_function

str

computer_name

str

device

Device

str

pipe_name

str

query_name

str

query_status

str

query_results

str

share_name

str

share_local_path

str

relative_target_name

str

class_id

str

class_name

str

device_id

str

device_name

str

task_name

str

task_content

str

ticket_options

str

ticket_encryption_type

str

signature

Signature

str

initiated

Initiated

str

key_length

int8

reason

FailureReason

AccessReason

Code Block
isnull(FailureReason) ? AccessReason : FailureReason

str

image

Image

str

parent_image

str

context_info

str

engine_version

str

host_version

str

payload

Payload

str

layer_rtid

str

authentication_package_name

str

new_value

str

privilege_list

str

attribute_value

str

attribute_ldap_display_name

str

audit_policy_changes

str

power_shell_script_block_id

str

operation_type

str

source_process_guid

-

Code Block
null('')

str

image_loaded

-

Code Block
null('')

str

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
tagmicro
tagmicro
cef0.microsoft.microsoftWindows

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source_event_date

timestamp

source

-

Code Block
"cef0.microsoft.microsoftWindows"

str

keywords

deviceSeverity

str

event_type

str

channel

deviceFacility

str

category

cat

str

event_id

str

username

duser

suser

Code Block
isnotnull(suser) ? suser : duser

str

security_id

str

account

duser

suser

Code Block
isnotnull(duser) ? duser : suser

str

domain

dhost

shost

Code Block
isnotnull(dhost) ? dhost : shost

str

machine_ip

str

subject_security_id

str

subject_username

str

subject_domain

str

subject_logon_id

str

target_security_id

str

target_username

str

target_domain

str

target_logon_id

str

target_object

str

target_image

str

member_security_id

str

member_name

str

group_security_id

str

group_name

str

group_domain

str

sam_account_name

str

logon_type

str

logon_guid

str

logon_process

str

user_account_control

str

object_name

str

object_value_name

str

object_type

str

object_server

str

object_handle

str

object_resource_attribute

str

object_class

cs5

cs5Label

Code Block
cs5Label -> "Object:Class" ? cs5 : null('')

str

object_dn

cs6

cs6Label

Code Block
cs6Label -> "Object:DN" ? cs6 : null('')

str

pid

str

process_name

str

process_guid

str

service

destinationServiceName

str

service_file_name

str

service_account

str

machine

dvchost

str

workstation

shost

str

message

msg

str

extended_message

str

source_name

str

source_image

str

source_hostname

str

source_ip

str

source_ipv4

ip4

source_port

str

destination_hostname

str

destination_ip

str

destination_ipv4

ip4

destination_port

str

status

outcome

str

sub_status

cs1Label

cs1

Code Block
cs1Label -> "Sub Status" ? cs1 : null('')

str

accesses

filePermission

str

access_mask

str

granted_access

str

properties

-

Code Block
null('')

str

recovery_reason

str

token_elevation_type

str

mandatory_label

str

caller_pid

str

caller_process_name

str

new_pid

str

new_process_name

str

parent_pid

str

parent_process_name

str

parent_process_guid

str

parent_command_line

str

process_command_line

str

file_path

str

file_version

str

original_file_name

str

current_directory

str

integrity_level

str

hashes

-

Code Block
null('')

str

company

embDeviceVendor

str

product

embDeviceProduct

str

description

-

Code Block
null('')

str

import_hash

str

start_module

str

start_function

str

computer_name

str

device

dvchost

str

pipe_name

str

query_name

str

query_status

str

query_results

str

share_name

str

share_local_path

str

relative_target_name

str

class_id

str

class_name

str

device_id

str

device_name

str

task_name

str

task_content

str

ticket_options

str

ticket_encryption_type

str

signature

signatureID

eventid

Code Block
isnotnull(eventid) ? eventid : signatureID

str

initiated

-

Code Block
null('')

str

key_length

int8

reason

str

image

-

Code Block
null('')

str

parent_image

str

context_info

str

engine_version

str

host_version

str

payload

-

Code Block
null('')

str

layer_rtid

str

authentication_package_name

str

new_value

str

privilege_list

str

attribute_value

str

attribute_ldap_display_name

str

audit_policy_changes

str

power_shell_script_block_id

str

operation_type

str

source_process_guid

-

Code Block
null('')

str

image_loaded

-

Code Block
null('')

str

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
tag14
tag14
cloud.azure.vm.applicationevent

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source_event_date

TimeGenerated

timestamp

source

-

Code Block
"cloud.azure.vm.applicationevent"

str

keywords

-

Code Block
null('')

str

event_type

-

Code Block
null('')

str

channel

EventLog

str

category

EventCategory

Code Block
str(EventCategory)

str

event_id

EventID

int4

username

UserName

str

security_id

-

Code Block
null('')

str

account

UserName

str

domain

-

Code Block
null('')

str

machine_ip

-

Code Block
ip4('')

ip4

subject_security_id

-

Code Block
null('')

str

subject_username

-

Code Block
null('')

str

subject_domain

-

Code Block
null('')

str

subject_logon_id

-

Code Block
null('')

str

target_security_id

-

Code Block
null('')

str

target_username

-

Code Block
null('')

str

target_domain

-

Code Block
null('')

str

target_logon_id

-

Code Block
null('')

str

target_object

-

Code Block
null('')

str

target_image

-

Code Block
null('')

str

member_security_id

-

Code Block
null('')

str

member_name

-

Code Block
null('')

str

group_security_id

-

Code Block
null('')

str

group_name

-

Code Block
null('')

str

group_domain

-

Code Block
null('')

str

sam_account_name

-

Code Block
null('')

str

logon_type

-

Code Block
null('')

str

logon_guid

-

Code Block
null('')

str

logon_process

-

Code Block
null('')

str

user_account_control

-

Code Block
null('')

str

object_name

-

Code Block
null('')

str

object_value_name

-

Code Block
null('')

str

object_type

-

Code Block
null('')

str

object_server

-

Code Block
null('')

str

object_handle

-

Code Block
null('')

str

object_resource_attribute

-

Code Block
null('')

str

pid

-

Code Block
null('')

str

process_name

-

Code Block
null('')

str

process_guid

-

Code Block
null('')

str

service

-

Code Block
null('')

str

service_file_name

-

Code Block
null('')

str

service_account

-

Code Block
null('')

str

machine

Computer

str

workstation

-

Code Block
null('')

str

message

RenderedDescription

str

extended_message

rawMessage

str

source_name

Source

str

source_image

-

Code Block
null('')

str

source_hostname

Computer

hostname

Code Block
isnotnull(Computer) ? Computer : hostname

str

source_ip

-

Code Block
null('')

str

source_port

-

Code Block
null('')

str

destination_hostname

-

Code Block
null('')

str

destination_ip

-

Code Block
null('')

str

destination_port

-

Code Block
null('')

str

status

-

Code Block
null('')

str

sub_status

-

Code Block
null('')

str

accesses

-

Code Block
null('')

str

access_mask

-

Code Block
null('')

str

granted_access

-

Code Block
null('')

str

properties

-

Code Block
null('')

str

recovery_reason

-

Code Block
null('')

str

token_elevation_type

-

Code Block
null('')

str

mandatory_label

-

Code Block
null('')

str

caller_process_name

-

Code Block
null('')

str

caller_process_name

-

Code Block
null('')

str

new_pid

-

Code Block
null('')

str

new_process_name

-

Code Block
null('')

str

parent_pid

-

Code Block
null('')

str

parent_process_name

-

Code Block
null('')

str

parent_process_guid

-

Code Block
null('')

str

parent_command_line

-

Code Block
null('')

str

process_command_line

-

Code Block
null('')

str

file_path

-

Code Block
null('')

str

file_version

-

Code Block
null('')

str

original_file_name

-

Code Block
null('')

str

current_directory

-

Code Block
null('')

str

integrity_level

-

Code Block
null('')

str

hashes

-

Code Block
null('')

str

company

-

Code Block
null('')

str

product

-

Code Block
null('')

str

description

-

Code Block
null('')

str

import_hash

-

Code Block
null('')

str

start_module

-

Code Block
null('')

str

start_function

-

Code Block
null('')

str

computer_name

Computer

str

device

-

Code Block
null('')

str

pipe_name

-

Code Block
null('')

str

query_name

-

Code Block
null('')

str

query_status

-

Code Block
null('')

str

query_results

-

Code Block
null('')

str

share_name

-

Code Block
null('')

str

share_local_path

-

Code Block
null('')

str

relative_target_name

-

Code Block
null('')

str

class_id

-

Code Block
null('')

str

class_name

-

Code Block
null('')

str

device_id

-

Code Block
null('')

str

device_name

-

Code Block
null('')

str

task_name

-

Code Block
null('')

str

task_content

-

Code Block
null('')

str

ticket_options

-

Code Block
null('')

str

ticket_encryption_type

-

Code Block
null('')

str

signature

-

Code Block
null('')

str

initiated

-

Code Block
null('')

str

key_length

-

Code Block
null(int8(0))

int8

reason

-

Code Block
null('')

str

image

-

Code Block
null('')

str

parent_image

-

Code Block
null('')

str

context_info

-

Code Block
null('')

str

engine_version

-

Code Block
null('')

str

host_version

-

Code Block
null('')

str

payload

-

Code Block
null('')

str

layer_rtid

-

Code Block
null('')

str

authentication_package_name

-

Code Block
null('')

str

new_value

-

Code Block
null('')

str

privilege_list

-

Code Block
null('')

str

attribute_value

-

Code Block
null('')

str

attribute_ldap_display_name

-

Code Block
null('')

str

audit_policy_changes

-

Code Block
null('')

str

power_shell_script_block_id

-

Code Block
null('')

str

operation_type

-

Code Block
null('')

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
tag15
tag15
cloud.azure.vm.securityevent

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source_event_date

TimeGenerated

timestamp

source

-

Code Block
"cloud.azure.vm.securityevent"

str

keywords

str

event_type

eventType

str

channel

str

category

task

task_str

Code Block
isnotnull(task_str) ? task_str : str(task)

str

event_id

eventID

int4

username

account

str

security_id

targetUserSid

subjectUserSid

Code Block
isnotnull(targetUserSid) ? targetUserSid : subjectUserSid

str

account

str

domain

subjectDomainName

targetDomainName

Code Block
isnotnull(targetDomainName) ? targetDomainName : subjectDomainName

str

machine_ip

ipAddress

Code Block
ip4(ipAddress)

ip4

subject_security_id

subjectUserSid

str

subject_username

subjectUserName

str

subject_domain

subjectDomainName

str

subject_logon_id

subjectLogonId

str

target_security_id

targetUserSid

targetSid

Code Block
isnotnull(targetSid) ? targetSid : targetUserSid

str

target_username

targetUserName

str

target_domain

targetDomainName

str

target_logon_id

targetLogonId

str

target_object

targetObject

str

target_image

-

Code Block
null('')

str

member_security_id

memberSid

str

member_name

memberName

str

group_security_id

-

Code Block
null('')

str

group_name

-

Code Block
null('')

str

group_domain

-

Code Block
null('')

str

sam_account_name

samAccountName

str

logon_type

logonType

Code Block
str(logonType)

str

logon_guid

logonGuid

str

logon_process

logonProcessName

str

user_account_control

userAccountControl

str

object_name

objectName

str

object_value_name

objectValueName

str

object_type

objectType

str

object_server

objectServer

str

object_handle

handleId

str

object_resource_attribute

-

Code Block
null('')

str

pid

callerProcessId

processId

Code Block
isnotnull(processId) ? processId : callerProcessId

str

process_name

callerProcessName

processName

Code Block
isnotnull(processName) ? processName : callerProcessName

str

process_guid

procGuid

str

service

serviceName

str

service_file_name

imagePath

serviceFileName

Code Block
isnotnull(serviceFileName) ? serviceFileName : imagePath

str

service_account

accountName

serviceAccount

Code Block
isnotnull(serviceAccount) ? serviceAccount : accountName

str

machine

computer

hostname

Code Block
isnotnull(computer) ? computer : hostname

str

workstation

workstationName

workstation

Code Block
isnotnull(workstation) ? workstation : workstationName

str

message

rawMessage

str

extended_message

rawMessage

str

source_name

eventSourceName

str

source_image

imagePath

str

source_hostname

computer

hostname

Code Block
isnotnull(computer) ? computer : hostname

str

source_ip

ipAddress

Code Block
ip4(ipAddress)

str

source_port

ipPort

str

destination_hostname

-

Code Block
null('')

str

destination_ip

dstIp

str

destination_port

dstPort

str

status

str

sub_status

-

Code Block
null('')

str

accesses

accessList

str

access_mask

accessMask

str

granted_access

-

Code Block
null('')

str

properties

str

recovery_reason

-

Code Block
null('')

str

token_elevation_type

tokenElevationType

str

mandatory_label

mandatoryLabel

str

caller_process_name

callerProcessId

processId

Code Block
isnotnull(callerProcessId) ? callerProcessId : processId

str

caller_process_name

callerProcessName

processName

Code Block
isnotnull(callerProcessName) ? callerProcessName : processName

str

new_pid

newProcessId

str

new_process_name

newProcessName

str

parent_pid

-

Code Block
null('')

str

parent_process_name

parentProcessName

str

parent_process_guid

-

Code Block
null('')

str

parent_command_line

-

Code Block
null('')

str

process_command_line

commandLine

str

file_path

-

Code Block
null('')

str

file_version

-

Code Block
null('')

str

original_file_name

-

Code Block
null('')

str

current_directory

homeDirectory

str

integrity_level

-

Code Block
null('')

str

hashes

-

Code Block
null('')

str

company

-

Code Block
null('')

str

product

-

Code Block
null('')

str

description

-

Code Block
null('')

str

import_hash

-

Code Block
null('')

str

start_module

-

Code Block
null('')

str

start_function

-

Code Block
null('')

str

computer_name

computer

str

device

str

pipe_name

pipeName

str

query_name

queryName

str

query_status

queryStatus

str

query_results

-

Code Block
null('')

str

share_name

shareName

str

share_local_path

shareLocalPath

str

relative_target_name

relativeTargetName

str

class_id

classId

str

class_name

className

str

device_id

deviceId

str

device_name

deviceDescription

str

task_name

taskName

str

task_content

taskContent

str

ticket_options

ticketOpts

str

ticket_encryption_type

ticketEncType

str

signature

str

initiated

str

key_length

keyLength

Code Block
int8(keyLength)

int8

reason

failureReason

accessReason

Code Block
isnull(failureReason) ? failureReason : accessReason

str

image

imagePath

str

parent_image

-

Code Block
null('')

str

context_info

-

Code Block
null('')

str

engine_version

-

Code Block
null('')

str

host_version

-

Code Block
null('')

str

payload

-

Code Block
null('')

str

layer_rtid

layerRuntimeId

str

authentication_package_name

authenticationPackageName

str

new_value

newValue

str

privilege_list

privilegeList

str

attribute_value

attributes

str

attribute_ldap_display_name

dsLDAPName

str

audit_policy_changes

auditPolicyChanges

str

power_shell_script_block_id

-

Code Block
null('')

str

operation_type

operationType

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
tag16
tag16
cloud.azure.vm.systemevent

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source_event_date

TimeGenerated

timestamp

source

-

Code Block
"cloud.azure.vm.systemevent"

str

keywords

-

Code Block
null('')

str

event_type

-

Code Block
null('')

str

channel

EventLog

str

category

EventCategory

Code Block
str(EventCategory)

str

event_id

EventID

int4

username

UserName

str

security_id

-

Code Block
null('')

str

account

UserName

str

domain

-

Code Block
null('')

str

machine_ip

-

Code Block
ip4('')

ip4

subject_security_id

-

Code Block
null('')

str

subject_username

-

Code Block
null('')

str

subject_domain

-

Code Block
null('')

str

subject_logon_id

-

Code Block
null('')

str

target_security_id

-

Code Block
null('')

str

target_username

-

Code Block
null('')

str

target_domain

-

Code Block
null('')

str

target_logon_id

-

Code Block
null('')

str

target_object

-

Code Block
null('')

str

target_image

-

Code Block
null('')

str

member_security_id

-

Code Block
null('')

str

member_name

-

Code Block
null('')

str

group_security_id

-

Code Block
null('')

str

group_name

-

Code Block
null('')

str

group_domain

-

Code Block
null('')

str

sam_account_name

-

Code Block
null('')

str

logon_type

-

Code Block
null('')

str

logon_guid

-

Code Block
null('')

str

logon_process

-

Code Block
null('')

str

user_account_control

-

Code Block
null('')

str

object_name

-

Code Block
null('')

str

object_value_name

-

Code Block
null('')

str

object_type

-

Code Block
null('')

str

object_server

-

Code Block
null('')

str

object_handle

-

Code Block
null('')

str

object_resource_attribute

-

Code Block
null('')

str

pid

procId

str

process_name

procName

str

process_guid

-

Code Block
null('')

str

service

str

service_file_name

serviceFileName

str

service_account

serviceAccount

str

machine

Computer

str

workstation

-

Code Block
null('')

str

message

RenderedDescription

str

extended_message

rawMessage

str

source_name

Source

str

source_image

-

Code Block
null('')

str

source_hostname

Computer

hostname

Code Block
isnotnull(Computer) ? Computer : hostname

str

source_ip

-

Code Block
null('')

str

source_port

-

Code Block
null('')

str

destination_hostname

-

Code Block
null('')

str

destination_ip

-

Code Block
null('')

str

destination_port

-

Code Block
null('')

str

status

-

Code Block
null('')

str

sub_status

-

Code Block
null('')

str

accesses

-

Code Block
null('')

str

access_mask

-

Code Block
null('')

str

granted_access

-

Code Block
null('')

str

properties

-

Code Block
null('')

str

recovery_reason

-

Code Block
null('')

str

token_elevation_type

-

Code Block
null('')

str

mandatory_label

-

Code Block
null('')

str

caller_process_name

procId

str

caller_process_name

procName

str

new_pid

-

Code Block
null('')

str

new_process_name

-

Code Block
null('')

str

parent_pid

-

Code Block
null('')

str

parent_process_name

-

Code Block
null('')

str

parent_process_guid

-

Code Block
null('')

str

parent_command_line

-

Code Block
null('')

str

process_command_line

-

Code Block
null('')

str

file_path

-

Code Block
null('')

str

file_version

-

Code Block
null('')

str

original_file_name

-

Code Block
null('')

str

current_directory

-

Code Block
null('')

str

integrity_level

-

Code Block
null('')

str

hashes

-

Code Block
null('')

str

company

-

Code Block
null('')

str

product

-

Code Block
null('')

str

description

-

Code Block
null('')

str

import_hash

-

Code Block
null('')

str

start_module

-

Code Block
null('')

str

start_function

-

Code Block
null('')

str

computer_name

Computer

str

device

deviceName

str

pipe_name

-

Code Block
null('')

str

query_name

-

Code Block
null('')

str

query_status

-

Code Block
null('')

str

query_results

-

Code Block
null('')

str

share_name

-

Code Block
null('')

str

share_local_path

-

Code Block
null('')

str

relative_target_name

-

Code Block
null('')

str

class_id

-

Code Block
null('')

str

class_name

-

Code Block
null('')

str

device_id

-

Code Block
null('')

str

device_name

deviceName

str

task_name

-

Code Block
null('')

str

task_content

-

Code Block
null('')

str

ticket_options

-

Code Block
null('')

str

ticket_encryption_type

-

Code Block
null('')

str

signature

-

Code Block
null('')

str

initiated

-

Code Block
null('')

str

key_length

-

Code Block
null(int8(0))

int8

reason

str

image

imagePath

str

parent_image

-

Code Block
null('')

str

context_info

-

Code Block
null('')

str

engine_version

-

Code Block
null('')

str

host_version

-

Code Block
null('')

str

payload

-

Code Block
null('')

str

layer_rtid

-

Code Block
null('')

str

authentication_package_name

-

Code Block
null('')

str

new_value

-

Code Block
null('')

str

privilege_list

-

Code Block
null('')

str

attribute_value

-

Code Block
null('')

str

attribute_ldap_display_name

-

Code Block
null('')

str

audit_policy_changes

-

Code Block
null('')

str

power_shell_script_block_id

-

Code Block
null('')

str

operation_type

-

Code Block
null('')

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

...

Versions Compared

Old Version 27

New Version Current

Key

Anchor
tag1
tag1
box.devo_ea.events_windows

Anchor
tag2
tag2
box.devo_ua.events_windows

Anchor
tag3
tag3
box.win

Anchor
tag4
tag4
box.win_classic

Anchor
tag5
tag5
box.win_cloudwatch

Anchor
tag6
tag6
box.win_hf

Anchor
tag7
tag7
box.win_kinesis

Anchor
tag8
tag8
box.win_nxlog

Anchor
tag9
tag9
box.win_quest.change_auditor.leef

Anchor
tag10
tag10
box.win_snare

Anchor
tag11
tag11
box.win_solarwinds

Anchor
tag12
tag12
box.win_winlogbeat

Anchor
tagwin
tagwin
box.winNxlog

Anchor
tagmicro
tagmicro
cef0.microsoft.microsoftWindows

Anchor
tag14
tag14
cloud.azure.vm.applicationevent

Anchor
tag15
tag15
cloud.azure.vm.securityevent

Anchor
tag16
tag16
cloud.azure.vm.systemevent

Page Comparison

Versions Compared

Old Version 27

New Version Current

Key

Anchortag1tag1box.devo_ea.events_windows

Anchortag2tag2box.devo_ua.events_windows

Anchortag3tag3box.win

Anchortag4tag4box.win_classic

Anchortag5tag5box.win_cloudwatch

Anchortag6tag6box.win_hf

Anchortag7tag7box.win_kinesis

Anchortag8tag8box.win_nxlog

Anchortag9tag9box.win_quest.change_auditor.leef

Anchortag10tag10box.win_snare

Anchortag11tag11box.win_solarwinds

Anchortag12tag12box.win_winlogbeat

Anchortagwintagwinbox.winNxlog

Anchortagmicrotagmicrocef0.microsoft.microsoftWindows

Anchortag14tag14cloud.azure.vm.applicationevent

Anchortag15tag15cloud.azure.vm.securityevent

Anchortag16tag16cloud.azure.vm.systemevent

Anchor
tag1
tag1
box.devo_ea.events_windows

Anchor
tag2
tag2
box.devo_ua.events_windows

Anchor
tag3
tag3
box.win

Anchor
tag4
tag4
box.win_classic

Anchor
tag5
tag5
box.win_cloudwatch

Anchor
tag6
tag6
box.win_hf

Anchor
tag7
tag7
box.win_kinesis

Anchor
tag8
tag8
box.win_nxlog

Anchor
tag9
tag9
box.win_quest.change_auditor.leef

Anchor
tag10
tag10
box.win_snare

Anchor
tag11
tag11
box.win_solarwinds

Anchor
tag12
tag12
box.win_winlogbeat

Anchor
tagwin
tagwin
box.winNxlog

Anchor
tagmicro
tagmicro
cef0.microsoft.microsoftWindows

Anchor
tag14
tag14
cloud.azure.vm.applicationevent

Anchor
tag15
tag15
cloud.azure.vm.securityevent

Anchor
tag16
tag16
cloud.azure.vm.systemevent