
box.win_cloudwatch

Introduction

The tags beginning with box.win_cloudwatch identify Windows event log events delivered through AWS CloudWatch.

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed as box.win_cloudwatch. The third level identifies the type of events sent (security or system in the tags listed below), and the fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service     Tags                              Data tables
Windows CloudWatch    box.win_cloudwatch.security.us    box.win_cloudwatch
                      box.win_cloudwatch.system.us

For more information, read more about Devo tags.

Table structure

These are the fields displayed in this table:

box.win_cloudwatch

Field                         Type        Extra fields
eventdate                     timestamp
machine                       str
machineIp                     ip4
application                   str
aws_region                    str
logSource                     str
serverdate                    str
keywords                      str
eventID                       int4
sourceName                    str
username                      str
logType                       str
computer                      str
category                      str
srcIp                         str
srcPort                       str
dstIp                         str
dstPort                       str
secId                         str
account                       str
domain                        str
subjectSecId                  str
subjectUsername               str
subjectDomain                 str
subjectLogonId                str
logonType                     int4
impersonationLevel            str
restrictedSidCount            int4
elevatedToken                 str
reasonCode                    str
status                        str
subStatus                     str
logonId                       str
logonGuid                     str
procId                        str
procName                      str
newProcId                     str
newProcName                   str
commandLine                   str
workstation                   str
logonProc                     str
authPkg                       str
transitedService              str
pkgName                       str
keyLength                     int8
samAccount                    str
displayName                   str
principalName                 str
homeDir                       str
homeDrive                     str
scriptPath                    str
profilePath                   str
userWorkstations              str
lastPass                      str
accExpire                     str
groupId                       int8
delegate                      str
oldUac                        str
newUac                        str
userAccountControl            str
userParams                    str
sidHistory                    str
logonHours                    str
service                       str
serviceSid                    str
serviceFileName               str
serviceType                   str
serviceStartType              str
serviceAccount                str
imagePath                     str
parentImage                   str
startType                     str
accountName                   str
ticketOpts                    str
ticketEncType                 str
privileges                    str
member                        str
memberSid                     str
filePath                      str
objName                       str
objValueName                  str
objType                       str
objServer                     str
objHandle                     str
oldValueType                  str
oldValue                      str
newValueType                  str
newValue                      str
resourceAttr                  str
tokenElevType                 str
mandatoryLabel                str
layerRuntimeId                str
accessMask                    str
accesses                      str
shareName                     str
shareLocalPath                str
relativeTargetName            str
deviceId                      str
deviceName                    str
classId                       str
className                     str
taskName                      str
taskContent                   str
targetObject                  str
dsName                        str
dsType                        str
dsDN                          str
dsGUID                        str
dsClass                       str
dsLDAPName                    str
dsSyntax                      str
dsValue                       str
dsCorrelationId               str
dsApplicationCorrelationId    str
operationType                 str
device                        str
pipeName                      str
queryName                     str
queryStatus                   str
queryResults                  str
signature                     str
initiated                     str
properties                    str
auditPolicyChanges            str
data                          str
message                       str
id                            str
timestamp                     timestamp
win_message                   str
owner                         str
logGroup                      str
logStream                     str
hostchain                     str         ✓
tag                           str         ✓
rawMessage                    str         ✓
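The following is an added example, not code from this page or from Devo's own parser. It ties together two parts of the page: the 4-level tag rule under "Valid tags and data tables" (fixed box.win_cloudwatch prefix, then event type, then subtype) and the envelope columns at the bottom of the field table (id, timestamp, win_message, owner, logGroup, logStream). Three things are assumptions of mine rather than statements on the page: that each tag level is a single lowercase token; that those six columns correspond one-to-one to the keys of a CloudWatch Logs subscription filter record (the base64-encoded, gzip-compressed awslogs.data payload a subscriber receives); and that the Windows message body is in Windows XML event format, so that EventID can be pulled from the <EventID> element. The sample payload is constructed.

```python
"""Added example: validate box.win_cloudwatch tags and map a CloudWatch Logs
subscription record onto the table's envelope columns.  Not Devo's parser."""
from __future__ import annotations

import base64
import gzip
import json
import re
from datetime import datetime, timezone

TAG_PREFIX = ("box", "win_cloudwatch")   # first two levels are fixed (from the page)
TAG_LEVELS = 4                           # full tag must have exactly four levels
_LEVEL_RE = re.compile(r"^[a-z0-9_]+$")  # assumption: one lowercase token per level


def build_tag(event_type: str, subtype: str) -> str:
    """Return the full 4-level tag, e.g. build_tag('security', 'us')."""
    for level in (event_type, subtype):
        if not _LEVEL_RE.fullmatch(level):
            raise ValueError(f"invalid tag level: {level!r}")
    return ".".join(TAG_PREFIX + (event_type, subtype))


def parse_tag(tag: str) -> tuple[str, str]:
    """Validate a tag against the documented rules; return (event_type, subtype)."""
    parts = tag.split(".")
    if len(parts) != TAG_LEVELS:
        raise ValueError(f"tag must have {TAG_LEVELS} levels, got {len(parts)}: {tag!r}")
    if tuple(parts[:2]) != TAG_PREFIX:
        raise ValueError(f"tag must start with {'.'.join(TAG_PREFIX)}: {tag!r}")
    for level in parts[2:]:
        if not _LEVEL_RE.fullmatch(level):
            raise ValueError(f"invalid tag level: {level!r}")
    return parts[2], parts[3]


def decode_subscription_record(data_b64: str) -> dict:
    """Decode the base64 + gzip 'awslogs.data' payload CloudWatch Logs hands to a subscriber."""
    return json.loads(gzip.decompress(base64.b64decode(data_b64)).decode("utf-8"))


# Assumption: message bodies are Windows XML event format, e.g. <EventID>4624</EventID>
_EVENT_ID_RE = re.compile(r"<EventID(?:\s[^>]*)?>(\d+)</EventID>")


def event_id_from_message(message: str) -> int | None:
    """Best-effort EventID extraction; None when the body is not XML-formatted."""
    m = _EVENT_ID_RE.search(message)
    return int(m.group(1)) if m else None


def to_table_rows(record: dict, event_type: str, subtype: str) -> list[dict]:
    """Map one subscription record onto the envelope columns of box.win_cloudwatch."""
    # CloudWatch sends one CONTROL_MESSAGE when a subscription is created; it has no events.
    if record.get("messageType") != "DATA_MESSAGE":
        return []
    tag = build_tag(event_type, subtype)
    rows = []
    for ev in record.get("logEvents", []):
        rows.append({
            "tag": tag,
            "id": ev["id"],
            # CloudWatch timestamps are milliseconds since the epoch, UTC
            "timestamp": datetime.fromtimestamp(ev["timestamp"] / 1000, tz=timezone.utc),
            "win_message": ev["message"],
            "eventID": event_id_from_message(ev["message"]),
            "owner": record["owner"],
            "logGroup": record["logGroup"],
            "logStream": record["logStream"],
        })
    return rows


# Constructed sample: a DATA_MESSAGE carrying two Security-channel events.
SAMPLE_RECORD = {
    "messageType": "DATA_MESSAGE",
    "owner": "123456789012",
    "logGroup": "windows-security",
    "logStream": "i-0abc123def456",
    "subscriptionFilters": ["devo-forwarder"],
    "logEvents": [
        {"id": "3700000000000000000000000000000000000000000000000000000001",
         "timestamp": 1700000000000,
         "message": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
                    "<System><EventID>4624</EventID></System></Event>"},
        {"id": "3700000000000000000000000000000000000000000000000000000002",
         "timestamp": 1700000001000,
         "message": "<Event><System><EventID>4625</EventID></System></Event>"},
    ],
}
SAMPLE_DATA_B64 = base64.b64encode(gzip.compress(json.dumps(SAMPLE_RECORD).encode())).decode()

if __name__ == "__main__":
    for row in to_table_rows(decode_subscription_record(SAMPLE_DATA_B64), "security", "us"):
        print(row["tag"], row["eventID"], row["timestamp"].isoformat(), row["logStream"])
```

parse_tag rejects a three-level tag, a tag with a different fixed prefix, and a level that is not a lowercase token, which is the check to run before sending data so that events do not land under an unexpected tag. to_table_rows drops CONTROL_MESSAGE records rather than emitting empty rows, and leaves eventID as None when the body is not XML, so a downstream filter on eventID does not silently match 0.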