Document toolboxDocument toolbox

box.win_cloudwatch

Owned by Juan Tomás Alonso Nieto (Deactivated)
May 08, 2023
2 min read
[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 Table structure ]

Introduction

The tags beginning with box.win_cloudwatch identify events generated by

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed as box.win_cloudwatch. The third level identifies the type of events sent, and the fourth level indicates the event subtype.

Technology

Brand

Type

Subtype

Technology

Brand

Type

Subtype

box

win_cloudwatch

security

 

us

These are the valid tags and corresponding data tables that will receive the parsers' data:

Tag

Data table

Tag

Data table

box.win_cloudwatch.security.us

box.win_cloudwatch

Table structure

This is the set displayed by these tables.

Field

Type

Extra label

Field

Type

Extra label

eventdate

timestamp

-

machine

str

-

machineIp

ip4

-

application

str

-

aws_region

str

-

logSource

str

-

serverdate

str

-

keywords

str

-

eventID

int4

-

sourceName

str

-

username

str

-

logType

str

-

computer

str

-

category

str

-

srcIp

str

-

srcPort

str

-

dstIp

str

-

dstPort

str

-

secId

str

-

account

str

-

domain

str

-

subjectSecId

str

-

subjectUsername

str

-

subjectDomain

str

-

subjectLogonId

str

-

logonType

int4

-

impersonationLevel

str

-

restrictedSidCount

int4

-

elevatedToken

str

-

reasonCode

str

-

status

str

-

subStatus

str

-

logonId

str

-

logonGuid

str

-

procId

str

-

procName

str

-

newProcId

str

-

newProcName

str

-

commandLine

str

-

workstation

str

-

logonProc

str

-

authPkg

str

-

transitedService

str

-

pkgName

str

-

keyLength

int8

-

samAccount

str

-

displayName

str

-

principalName

str

-

homeDir

str

-

homeDrive

str

-

scriptPath

str

-

profilePath

str

-

userWorkstations

str

-

lastPass

str

-

accExpire

str

-

groupId

int8

-

delegate

str

-

oldUac

str

-

newUac

str

-

userAccountControl

str

-

userParams

str

-

sidHistory

str

-

logonHours

str

-

service

str

-

serviceSid

str

-

serviceFileName

str

-

serviceType

str

-

serviceStartType

str

-

serviceAccount

str

-

imagePath

str

-

startType

str

-

accountName

str

-

ticketOpts

str

-

ticketEncType

str

-

privileges

str

-

member

str

-

memberSid

str

-

filePath

str

-

objName

str

-

objValueName

str

-

objType

str

-

objServer

str

-

objHandle

str

-

oldValueType

str

-

oldValue

str

-

newValueType

str

-

newValue

str

-

resourceAttr

str

-

tokenElevType

str

-

mandatoryLabel

str

-

layerRuntimeId

str

-

accessMask

str

-

accesses

str

-

shareName

str

-

shareLocalPath

str

-

relativeTargetName

str

-

className

str

-

targetObject

str

-

dsName

str

-

dsType

str

-

dsDN

str

-

dsGUID

str

-

dsClass

str

-

dsLDAPName

str

-

dsSyntax

str

-

dsValue

str

-

dsCorrelationId

str

-

dsApplicationCorrelationId

str

-

operationType

str

-

device

str

-

pipeName

str

-

queryName

str

-

queryStatus

str

-

queryResults

str

-

signature

str

-

initiated

str

-

properties

str

-

auditPolicyChanges

str

-

data

str

-

message

str

-

id

str

-

timestamp

timestamp

-

win_message

str

-

owner

str

-

logGroup

str

-

logStream

str

-

hostchain

str

✓

tag

str

✓

rawMessage

str

✓