
box.all.win

Introduction

This union table presents, under a single harmonized set of columns, the system events generated by Windows machines that reach Devo through the different source tables listed below. Querying it lets you correlate events regardless of which agent or collector (NXLog, Snare, Winlogbeat, SolarWinds, Kinesis, Quest Change Auditor, the Devo agents) delivered them.

Source tables

The information displayed is extracted from the following tables:

  • box.devo_ua.events_windows

  • box.win

  • box.winNxlog

  • box.win_kinesis

  • box.win_nxlog

  • box.win_quest.change_auditor.leef

  • box.win_snare

  • box.win_solarwinds

  • box.devo_ea.events_windows

  • box.win_winlogbeat

  • box.win_classic

Table structure

This is the set of columns exposed by this union table. It is the combined set of columns present across all source tables; a column that only exists in some source tables is still present in the union table and is empty for events that come from the others.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

Field                        Data type   Extra fields

eventdate                    timestamp
source                       str
keywords                     str
eventType                    str
channel                      str
category                     str
eventID                      int
eventId                      int
username                     str
secId                        str
account                      str
domain                       str
machineIp                    ip
subjectSecId                 str
subjectUsername              str
subjectDomain                str
subjectLogonId               str
targetSecId                  str
targetUsername               str
targetDomain                 str
memberSecId                  str
memberName                   str
groupSecurityId              str
groupName                    str
groupDomain                  str
srceventdate                 timestamp
LogonType                    str
samAccount                   str
objName                      str
objValueName                 str
accessMask                   str
attributeLDAPDisplayName     str
attributeValue               str
auditPolicyChanges           str
authenticationPackageName    str
company                      str
computerName                 str
contextInfo                  str
currentDirectory             str
description                  str
device                       str
deviceClassName              str
dstPort                      str
engineVersion                str
fileVersion                  str
hostVersion                  str
impHash                      str
initiated                    str
objTypestr                   str
procName                     str
procId                       str
service                      str
serviceFileName              str
serviceAccount               str
machine                      str
workstation                  str
srcHost                      str
message                      str
extMessage                   str
srcIp                        str
dstIp                        str
status                       str
sourceName                   str
accesses                     str
recoveryReason               str
objServer                    str
objHandle                    str
objResourceAtt               str
tokenElevType                str
mandatoryLabel               str
callerProcId                 str
callerProcName               str
newProcId                    str
newProcName                  str
parentProcessName            str
procCmdLine                  str
rawMessage                   str
hostchain                    str
tag                          str
raw                          str
integrityLevel               str
layerRTID                    str
newValue                     str
payload                      str
pipeName                     str
powerShellScriptBlockId      str
privilegeList                str
properties                   str
queryName                    str
queryResults                 str
queryStatus                  str
relativeTargetName           str
shareName                    str
signature                    str
startFunction                str
startModule                  str
targetLogonId                str
targetObject                 str
ticketEncryptionType         str
ticketOptions                str

Field transformations

Even though all source tables have several features in common, each has particularities that require a set of transformations to harmonize it with the union table. The most common transformations are changes of data type (for example, an event ID stored as a string in a source table is cast to int in the union table) and rules that decide which value to keep when several columns in a source table feed a single column in the union table. Note that, because the transformations differ per source, a filter such as eventId = 4625 is reliable only after this harmonization; filtering on the raw source columns directly may silently miss events whose type or column name differs. The detailed list of transformations for each source table follows below.
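The following is an added, self-contained illustration of the two kinds of transformation described above (data-type coercion and mapping differently named source columns onto one union column), followed by a detection that only works because the records have been harmonized. It is example code written for this page, not Devo's own implementation; the two record shapes, their field names and the sample events are constructed for the illustration and are not the real layouts of any of the source tables listed above.

```python
"""Harmonize two differently shaped Windows event records into a subset of the
box.all.win columns, then count failed logons per source IP over the result.

Added example for this page. The record shapes below are hypothetical and are
NOT the real layouts of the Devo source tables or the actual transformation rules.
"""
from collections import Counter
from datetime import datetime, timezone

# Subset of box.all.win columns used in this example, with their declared types.
UNION_COLUMNS = {
    "eventdate": "timestamp",
    "eventId": "int",
    "channel": "str",
    "targetUsername": "str",
    "targetDomain": "str",
    "LogonType": "str",
    "srcIp": "str",
    "computerName": "str",
}

# Constructed sample input, shape A: nested documents, event_id already an int.
SAMPLE_A = [
    {"@timestamp": "2024-05-01T10:00:00Z", "host": {"name": "WS01"},
     "winlog": {"channel": "Security", "event_id": 4625,
                "event_data": {"TargetUserName": "alice", "TargetDomainName": "CORP",
                               "LogonType": "3", "IpAddress": "10.0.0.5"}}},
    {"@timestamp": "2024-05-01T10:00:01Z", "host": {"name": "WS01"},
     "winlog": {"channel": "Security", "event_id": 4625,
                "event_data": {"TargetUserName": "alice", "TargetDomainName": "CORP",
                               "LogonType": "3", "IpAddress": "10.0.0.5"}}},
    {"@timestamp": "2024-05-01T10:00:05Z", "host": {"name": "WS02"},
     "winlog": {"channel": "Security", "event_id": 4624,
                "event_data": {"TargetUserName": "svc_backup", "TargetDomainName": "CORP",
                               "LogonType": "5", "IpAddress": "10.0.0.9"}}},
]

# Constructed sample input, shape B: flat records where every value is a string,
# including the event ID. Comparing EventID == 4625 here would never match.
SAMPLE_B = [
    {"EventTime": "2024-05-01 10:00:02", "Hostname": "WS01", "Channel": "Security",
     "EventID": "4625", "TargetUserName": "bob", "TargetDomainName": "CORP",
     "LogonType": "3", "IpAddress": "10.0.0.5"},
    {"EventTime": "2024-05-01 10:00:03", "Hostname": "WS03", "Channel": "Security",
     "EventID": "4625", "TargetUserName": "carol", "TargetDomainName": "CORP",
     "LogonType": "10", "IpAddress": "10.0.0.7"},
]


def coerce(value, dtype):
    """Cast a raw source value to the union table's declared data type."""
    if value is None:
        return None
    if dtype == "int":
        return int(value)
    if dtype == "timestamp":
        if isinstance(value, datetime):
            return value
        # Accept both "YYYY-MM-DDTHH:MM:SSZ" and "YYYY-MM-DD HH:MM:SS"; treat naive as UTC.
        dt = datetime.fromisoformat(value.replace("Z", "+00:00").replace(" ", "T"))
        return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    return str(value)


def harmonize(raw):
    """Emit exactly the union columns, each in the union type; missing -> None."""
    return {col: coerce(raw.get(col), dtype) for col, dtype in UNION_COLUMNS.items()}


def from_nested(rec):
    """Map a shape-A record (hypothetical) onto the union columns."""
    w = rec["winlog"]
    d = w.get("event_data", {})
    return harmonize({
        "eventdate": rec["@timestamp"], "eventId": w["event_id"], "channel": w["channel"],
        "targetUsername": d.get("TargetUserName"), "targetDomain": d.get("TargetDomainName"),
        "LogonType": d.get("LogonType"), "srcIp": d.get("IpAddress"),
        "computerName": rec["host"]["name"],
    })


def from_flat(rec):
    """Map a shape-B record (hypothetical) onto the union columns."""
    return harmonize({
        "eventdate": rec["EventTime"], "eventId": rec["EventID"], "channel": rec["Channel"],
        "targetUsername": rec.get("TargetUserName"), "targetDomain": rec.get("TargetDomainName"),
        "LogonType": rec.get("LogonType"), "srcIp": rec.get("IpAddress"),
        "computerName": rec["Hostname"],
    })


def union_rows():
    """The harmonized view: one row shape regardless of which source produced it."""
    return [from_nested(r) for r in SAMPLE_A] + [from_flat(r) for r in SAMPLE_B]


def failed_logons_by_source(rows, threshold=3):
    """Count Security event 4625 (failed logon) per srcIp; flag IPs at/above threshold."""
    counts = Counter(r["srcIp"] for r in rows if r["eventId"] == 4625 and r["srcIp"])
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    rows = union_rows()
    for r in rows:
        print(r["eventdate"].isoformat(), r["eventId"], r["computerName"], r["srcIp"])
    print("flagged:", failed_logons_by_source(rows))
```

The detection sees three 4625 events from 10.0.0.5 only because the string "4625" from shape B was cast to int and both sources' source-address columns were routed into srcIp; run against the raw records, the same comparison would count only the two events from shape A.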