box.win_classic
Introduction
The tags beginning with box.win_classic identify Windows event log events received in the Windows Classic format.
Valid tags and data tables
The full tag must have 3 levels. The first two are fixed as box.win_classic. The third level identifies the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Windows Classic | box.win_classic.application | box.win_classic.application |
Windows Classic | box.win_classic.other | box.win_classic.other |
Windows Classic | box.win_classic.security | box.win_classic.security |
Windows Classic | box.win_classic.system | box.win_classic.system |
The parent table box.win_classic (no third level) is also described below; querying it returns the events of all the third-level tags.
For more information, read About Devo tags.
Table structure
These are the fields displayed in these tables:
box.win_classic
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
hostname | | | | |
machineIp | | | | |
type | | | vtype | |
Timestamp | | parsedate(Timestamp_str, dateformat("MM/DD/YYYY hh:mm:ss A", "utc")) | Timestamp_str | |
LogName | | | | |
SourceName | | | | |
EventCode | | | | |
EventType | | | | |
Type | | | | |
ComputerName | | | | |
TaskCategory | | | | |
OpCode | | | | |
RecordNumber | | | | |
Keywords | | | | |
newLogonUserName | | | | |
subjectSecId | | | | |
subjectUsername | | | | |
subjectDomain | | | | |
subjectLogonId | | | | |
subjectLogonGUID | | | | |
targetSecId | | | | |
targetUsername | | | | |
targetDomain | | | | |
targetLogonId | | | | |
targetLogonGuid | | | | |
memberName | | | | |
memberSid | | | | |
groupSecId | | | | |
groupName | | | | |
groupDomain | | | | |
objectName | | | | |
objectType | | | | |
objectServer | | | | |
logonType | | | | |
srcIp | | | | |
srcPort | | | | |
serviceName | | | | |
serviceFileName | | | | |
serviceAccount | | | | |
workstation | | | | |
procId | | | | |
procName | | | | |
procCmdLine | | | | |
failureStatus | | | | |
failureSubStatus | | | | |
samAccountName | | | | |
shareName | | | | |
sharePath | | | | |
relativeTargetName | | | | |
ticketOpts | | | | |
privileges_str | | join(privileges, ",") | privileges | |
accessMask | | | | |
accesses_list | | | | |
userAccountControl_str | | join(userAccountControl, ",") | userAccountControl | |
newProcId | | | | |
newProcName | | | | |
tokenElevationType | | | | |
mandatoryLabel | | | | |
taskName | | | | |
taskContent | | | | |
keyLength | | | | |
resultCode | | | | |
Message | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | |
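The table above documents what the parser emits but not how a raw event maps onto it. The following Python is an added example written for this page, not Devo's parser and not code from the original page: it takes a Windows Classic text event (first line the Timestamp_str, then Key=Value header lines such as LogName= and EventCode=, then the event Message with its indented detail sections), applies the two transformations the table lists (parsedate on Timestamp_str with the "MM/DD/YYYY hh:mm:ss A" UTC format, and join(privileges, ",") into privileges_str), and routes the event to a third-level tag from its LogName. The section-to-column mapping (COLUMN_MAP), the LogName-to-tag routing (route_tag) and the two sample events are assumptions constructed for the example.

```python
# Added example (not Devo's parser): map a Windows Classic text event onto the box.win_classic
# columns above, applying the table's two transformations (parsedate on Timestamp_str,
# join on privileges). Section->column mapping and LogName->tag routing are assumptions.
from datetime import datetime, timezone

# Constructed sample events in the Windows Classic layout (not real captures).
EVENT_4624 = """03/15/2024 01:23:45 PM
LogName=Security
EventCode=4624
ComputerName=WS01.corp.example
Message=An account was successfully logged on.

Subject:
\tSecurity ID:\t\tS-1-0-0
\tAccount Name:\t\t-
Logon Type:\t\t\t3
New Logon:
\tSecurity ID:\t\tS-1-5-21-1-2-3-1105
\tAccount Name:\t\tjdoe
\tLogon ID:\t\t0x5A1B2

Network Information:
\tSource Network Address:\t10.0.0.25
\tSource Port:\t\t49812
"""
EVENT_4672 = """03/15/2024 01:23:44 PM
LogName=Security
EventCode=4672
Message=Special privileges assigned to new logon.

Subject:
\tSecurity ID:\t\tS-1-5-21-1-2-3-1105
\tAccount Name:\t\tjdoe

Privileges:\t\tSeDebugPrivilege
\t\t\tSeBackupPrivilege
\t\t\tSeRestorePrivilege
"""

# (section, label) in the Message body -> column name (assumed mapping for this example).
COLUMN_MAP = {
    ("Subject", "Security ID"): "subjectSecId",
    ("Subject", "Account Name"): "subjectUsername",
    ("New Logon", "Security ID"): "newLogonSecId",
    ("New Logon", "Account Name"): "newLogonUserName",
    ("New Logon", "Logon ID"): "newLogonId",
    ("", "Logon Type"): "logonType",
    ("Network Information", "Source Network Address"): "srcIp",
    ("Network Information", "Source Port"): "srcPort",
    ("", "Privileges"): "privileges",
}

def split_event(raw):
    # First line is Timestamp_str, then Key=Value headers; text after Message= is the body.
    lines = raw.rstrip("\n").split("\n")
    rec, body = {"Timestamp_str": lines[0].strip()}, []
    for i, line in enumerate(lines[1:], start=1):
        key, sep, val = line.partition("=")
        if key == "Message":
            rec["Message"], body = val.strip(), lines[i + 1:]
            break
        if sep:
            rec[key] = val.strip()
    return rec, body

def parse_details(body):
    # Returns {(section, label): value}; multi-line values such as Privileges become lists.
    fields, section, last = {}, "", None
    for line in body:
        if not line.strip():
            continue
        indented = line[0] in " \t"
        label, sep, val = (s.strip() for s in line.strip().partition(":"))
        if not indented and sep and not val:        # "Subject:" opens a section
            section, last = label, None
        elif sep:                                   # "Label:    value"
            last = (section if indented else "", label)
            fields[last] = val
        elif last is not None:                      # continuation line of the previous value
            fields[last] = (fields[last] if isinstance(fields[last], list) else [fields[last]]) + [label]
    return fields

def route_tag(log_name):
    # Third tag level from LogName; anything but the three named logs goes to "other" (assumption).
    third = log_name.lower()
    return "box.win_classic." + (third if third in ("application", "security", "system") else "other")

def to_row(raw):
    rec, body = split_event(raw)
    row = dict(rec, tag=route_tag(rec.get("LogName", "")))
    # parsedate(Timestamp_str, dateformat("MM/DD/YYYY hh:mm:ss A", "utc")) from the table above
    row["Timestamp"] = datetime.strptime(rec["Timestamp_str"], "%m/%d/%Y %I:%M:%S %p").replace(tzinfo=timezone.utc)
    details = parse_details(body)
    row.update({col: details[key] for key, col in COLUMN_MAP.items() if key in details})
    privs = row.get("privileges")
    if privs is not None:                           # join(privileges, ",") -> privileges_str
        row["privileges_str"] = ",".join([privs] if isinstance(privs, str) else privs)
    return row
```

to_row(EVENT_4624) yields tag box.win_classic.security, logonType "3", newLogonUserName "jdoe" and srcIp "10.0.0.25"; to_row(EVENT_4672) yields privileges_str "SeDebugPrivilege,SeBackupPrivilege,SeRestorePrivilege". Sections matter: "Security ID" appears under both Subject and New Logon in a 4624, so the mapping keys on (section, label) rather than on the label alone, which is why the table carries both subjectSecId and newLogonSecId.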
box.win_classic.application
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
hostname | | | | |
machineIp | | | | |
Timestamp | | | Timestamp_str | |
LogName | | | | |
SourceName | | | | |
EventCode | | | | |
EventType | | | | |
Type | | | | |
ComputerName | | | | |
TaskCategory | | | | |
OpCode | | | | |
RecordNumber | | | | |
Keywords | | | | |
subjectSecId | | | | |
subjectUsername | | | | |
subjectDomain | | | | |
subjectLogonId | | | | |
subjectLogonGUID | | | | |
targetSecId | | | | |
targetUsername | | | | |
targetDomain | | | | |
targetLogonId | | | | |
targetLogonGuid | | | | |
logonType | | | | |
memberName | | | | |
memberSid | | | | |
srcIp | | | | |
srcPort | | | | |
serviceName | | | | |
procName | | | | |
failureStatus | | | | |
samAccountName | | | | |
productName | | | | |
productVersion | | | | |
productLanguage | | | | |
manufacturer | | | | |
resultCode | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | |
box.win_classic.other
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
hostname | | | | |
machineIp | | | | |
Timestamp | | | Timestamp_str | |
LogName | | | | |
SourceName | | | | |
EventCode | | | | |
EventType | | | | |
Type | | | | |
ComputerName | | | | |
TaskCategory | | | | |
OpCode | | | | |
RecordNumber | | | | |
Keywords | | | | |
subjectSecId | | | | |
subjectUsername | | | | |
subjectDomain | | | | |
subjectLogonId | | | | |
subjectLogonGUID | | | | |
targetSecId | | | | |
targetUsername | | | | |
targetDomain | | | | |
targetLogonId | | | | |
targetLogonGuid | | | | |
memberName | | | | |
memberSid | | | | |
logonType | | | | |
srcIp | | | | |
srcPort | | | | |
serviceName | | | | |
procName | | | | |
failureStatus | | | | |
samAccountName | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | |
box.win_classic.security
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
hostname | | | | |
machineIp | | | | |
Timestamp | | | Timestamp_str | |
LogName | | | | |
SourceName | | | | |
EventCode | | | | |
EventType | | | | |
Type | | | | |
ComputerName | | | | |
TaskCategory | | | | |
OpCode | | | | |
RecordNumber | | | | |
Keywords | | | | |
subjectSecId | | | | |
subjectUsername | | | | |
subjectDomain | | | | |
subjectLogonId | | | | |
subjectLogonGUID | | | | |
objectServer | | | | |
objectType | | | | |
objectName | | | | |
handleId | | | | |
logonType | | | | |
restrictedAdminMode | | | | |
virtualAccount | | | | |
elevatedToken | | | | |
impersonationLevel | | | | |
newLogonSecId | | | | |
newLogonUserName | | | | |
newLogonDomain | | | | |
newLogonId | | | | |
newLogonLinkedId | | | | |
newLogonNetworkAccountName | | | | |
newLogonNetworkAccountDomain | | | | |
newLogonGuid | | | | |
targetSecId | | | | |
targetUsername | | | | |
targetDomain | | | | |
targetLogonId | | | | |
targetLogonGuid | | | | |
memberSid | | | | |
memberName | | | | |
groupSecId | | | | |
groupName | | | | |
groupDomain | | | | |
serviceName | | | | |
serviceId | | | | |
ticketOpts | | | | |
ticketEncType | | | | |
resultCode | | | | |
preAuthType | | | | |
privileges_str | | | privileges | |
shareName | | | | |
sharePath | | | | |
relativeTargetName | | | | |
certIssuerName | | | | |
certSerialNumber | | | | |
certThumbprint | | | | |
taskName | | | | |
taskContent | | | | |
taskNewContent | | | | |
failureReason | | | | |
failureStatus | | | | |
failureSubStatus | | | | |
targetServerName | | | | |
targetInfo | | | | |
samAccountName | | | | |
displayName | | | | |
userPrincipalName | | | | |
homeDirectory | | | | |
homeDrive | | | | |
scriptPath | | | | |
profilePath | | | | |
userWorkstations | | | | |
passwordLastSet | | | | |
accountExpires | | | | |
primaryGroupId | | | | |
allowedToDelegateTo | | | | |
oldUACValue | | | | |
newUACValue | | | | |
userAccountContro_str | | | userAccountControl | |
userParameters | | | | |
sidHistory | | | | |
logonHours | | | | |
logonAccount | | | | |
errorCode | | | | |
dsTreeDelete | | | | |
dsCorrelationId | | | | |
dsAppCorrelationId | | | | |
dsName | | | | |
dsType | | | | |
dsDN | | | | |
dsGUID | | | | |
dsClass | | | | |
accessMask | | | | |
accesses_str | | | accesses | |
accesscheckResults_str | | | accesscheckResults | |
procId | | | | |
procName | | | | |
newProcId | | | | |
newProcName | | | | |
tokenElevationType | | | | |
procCmdLine | | | | |
workstation | | | | |
srcIp | | | | |
srcPort | | | | |
objType | | | | |
resourceAttributes | | | | |
logonProc | | | | |
authPkg | | | | |
transitedServices | | | | |
pkgName | | | | |
keyLength | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | |
box.win_classic.system
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
hostname | | | | |
machineIp | | | | |
Timestamp | | | Timestamp_str | |
LogName | | | | |
SourceName | | | | |
EventCode | | | | |
EventType | | | | |
Type | | | | |
ComputerName | | | | |
TaskCategory | | | | |
OpCode | | | | |
RecordNumber | | | | |
Keywords | | | | |
subjectSecId | | | | |
subjectUsername | | | | |
subjectDomain | | | | |
subjectLogonId | | | | |
subjectLogonGUID | | | | |
targetSecId | | | | |
targetUsername | | | | |
targetDomain | | | | |
targetLogonId | | | | |
targetLogonGuid | | | | |
memberName | | | | |
memberSid | | | | |
serviceName | | | | |
serviceFileName | | | | |
serviceType | | | | |
serviceStartType | | | | |
serviceAccount | | | | |
samAccountName | | | | |
logonType | | | | |
srcIp | | | | |
srcPort | | | | |
procName | | | | |
failureStatus | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | |