box.win_classic
Introduction
The tags beginning with box.win_classic identify events generated by Windows Classic.
Valid tags and data tables
The full tag must have 3 levels. The first two are fixed as box.win_classic. The third level identifies the type of events sent.
These are the valid tags and the corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Windows Classic | box.win_classic.application | box.win_classic.application |
Windows Classic | box.win_classic.other | box.win_classic.other |
Windows Classic | box.win_classic.security | box.win_classic.security |
Windows Classic | box.win_classic.system | box.win_classic.system |
For more information, see About Devo tags.
Table structure
These are the fields displayed in these tables:
box.win_classic
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
hostname | | | | |
machineIp | | | | |
type | | | vtype | |
Timestamp | | parsedate(Timestamp_str, dateformat("MM/DD/YYYY hh:mm:ss A", "utc")) | Timestamp_str | |
LogName | | | | |
SourceName | | | | |
EventCode | | | | |
EventType | | | | |
Type | | | | |
ComputerName | | | | |
TaskCategory | | | | |
OpCode | | | | |
RecordNumber | | | | |
Keywords | | | | |
newLogonUserName | | | | |
subjectSecId | | | | |
subjectUsername | | | | |
subjectDomain | | | | |
subjectLogonId | | | | |
subjectLogonGUID | | | | |
targetSecId | | | | |
targetUsername | | | | |
targetDomain | | | | |
targetLogonId | | | | |
targetLogonGuid | | | | |
memberName | | | | |
memberSid | | | | |
groupSecId | | | | |
groupName | | | | |
groupDomain | | | | |
objectName | | | | |
objectType | | | | |
objectServer | | | | |
logonType | | | | |
srcIp | | | | |
srcPort | | | | |
serviceName | | | | |
serviceFileName | | | | |
serviceAccount | | | | |
workstation | | | | |
procId | | | | |
procName | | | | |
procCmdLine | | | | |
failureStatus | | | | |
failureSubStatus | | | | |
samAccountName | | | | |
shareName | | | | |
sharePath | | | | |
relativeTargetName | | | | |
ticketOpts | | | | |
privileges_str | | join(privileges, ",") | privileges | |
accessMask | | | | |
accesses_list | | | | |
userAccountControl_str | | join(userAccountControl, ",") | userAccountControl | |
newProcId | | | | |
newProcName | | | | |
tokenElevationType | | | | |
mandatoryLabel | | | | |
taskName | | | | |
taskContent | | | | |
keyLength | | | | |
resultCode | | | | |
Message | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | |
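The two transformations shown in the table above, parsedate over Timestamp_str and join over the privileges list, are easier to reason about with a concrete event in hand. The following Python is an added example, not Devo's parser and not code from this page: it parses a constructed Windows classic event into a dict keyed by the field names the tables use, applies the same timestamp and join conversions, and runs a small failed-logon check over the result. It assumes, and the page does not state this, that a raw event is a timestamp line, a block of Key=Value header lines and a Message= body laid out as the Windows Security log renders it; the mapping from Message labels to field names (subjectSecId, targetUsername, srcIp and so on) is also this example's own reading of the tables, and the sample events are constructed, not real logs.

```python
"""Parse Windows "classic" events into the box.win_classic field names.

Added example, not Devo's parser and not code from the page. It assumes (an
assumption of this example, not stated by the page) that a raw event is a
timestamp line, Key=Value header lines and a Message= body laid out as the
Windows Security log renders it; the label-to-field map is likewise this
example's own reading of the page's field names.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# (Message section, label) -> field name from the page's tables (assumed mapping).
FIELD_MAP = {
    ("Subject", "Security ID"): "subjectSecId",
    ("Subject", "Account Name"): "subjectUsername",
    ("Account For Which Logon Failed", "Security ID"): "targetSecId",
    ("Account For Which Logon Failed", "Account Name"): "targetUsername",
    ("Account For Which Logon Failed", "Account Domain"): "targetDomain",
    ("Failure Information", "Status"): "failureStatus",
    ("Failure Information", "Sub Status"): "failureSubStatus",
    ("Network Information", "Source Network Address"): "srcIp",
    (None, "Logon Type"): "logonType",
}
LABEL_RE = re.compile(r"^\s*(?P<label>[^:]+?):\s*(?P<value>.*?)\s*$")


def parse_timestamp(timestamp_str):
    # Python equivalent of parsedate(Timestamp_str, dateformat("MM/DD/YYYY hh:mm:ss A", "utc")).
    return datetime.strptime(timestamp_str, "%m/%d/%Y %I:%M:%S %p").replace(tzinfo=timezone.utc)


def parse_event(raw):
    """Return a dict keyed by field names of the box.win_classic tables."""
    head, _, message = raw.strip("\n").partition("\nMessage=")
    lines = head.split("\n")
    event = {"Timestamp_str": lines[0], "Timestamp": parse_timestamp(lines[0]), "Message": message}
    for line in lines[1:]:  # Key=Value header block
        key, _, value = line.partition("=")
        event[key] = value
    section, last_label, privileges = None, None, []
    for line in message.split("\n")[1:]:  # skip the summary line
        if not line.strip():
            continue
        indented, m = line[0] in " \t", LABEL_RE.match(line)
        if m and not indented and not m.group("value"):
            section, last_label = m.group("label"), None  # "Subject:" style header
        elif m:
            last_label, value = m.group("label"), m.group("value")
            key = (section if indented else None, last_label)
            if last_label == "Privileges":
                privileges.append(value)
            elif key in FIELD_MAP:
                event[FIELD_MAP[key]] = value
        elif last_label == "Privileges":
            privileges.append(line.strip())  # continuation line of the privilege list
    if privileges:
        event["privileges"] = privileges
        event["privileges_str"] = ",".join(privileges)  # same as join(privileges, ",")
    return event


def failed_logons_by_source(events, threshold):
    """Source addresses with at least `threshold` failed logons (EventCode 4625)."""
    counts = Counter(e["srcIp"] for e in events if e.get("EventCode") == "4625" and "srcIp" in e)
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample events (not real logs).
SAMPLE_4625 = """01/15/2024 10:30:45 PM
LogName=Security
EventCode=4625
Keywords=Audit Failure
Message=An account failed to log on.

Subject:
\tSecurity ID:\t\tS-1-0-0
\tAccount Name:\t\t-
Logon Type:\t\t\t3
Account For Which Logon Failed:
\tSecurity ID:\t\tS-1-0-0
\tAccount Name:\t\talice
\tAccount Domain:\t\tCORP
Failure Information:
\tStatus:\t\t\t0xC000006D
\tSub Status:\t\t0xC000006A
Network Information:
\tSource Network Address:\t203.0.113.7
"""
SAMPLE_4672 = """01/15/2024 10:31:02 PM
EventCode=4672
Message=Special privileges assigned to new logon.
Subject:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-500
\tAccount Name:\t\tAdministrator
Privileges:\t\tSeDebugPrivilege
\t\t\tSeTcbPrivilege
"""
```

Two points worth noting when writing queries against these tables. The "utc" argument to parsedate is what the example reproduces by attaching timezone.utc to the parsed value: a classic event timestamp carries no zone, so the parser has to assume one, and events from hosts whose clocks are set to local time will appear shifted unless that is corrected upstream. The example also keeps EventCode and logonType as strings because the Type column above does not give the column types; check the actual type in the table before comparing with a numeric literal.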
box.win_classic.application
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
hostname | | | | |
machineIp | | | | |
Timestamp | | | Timestamp_str | |
LogName | | | | |
SourceName | | | | |
EventCode | | | | |
EventType | | | | |
Type | | | | |
ComputerName | | | | |
TaskCategory | | | | |
OpCode | | | | |
RecordNumber | | | | |
Keywords | | | | |
subjectSecId | | | | |
subjectUsername | | | | |
subjectDomain | | | | |
subjectLogonId | | | | |
subjectLogonGUID | | | | |
targetSecId | | | | |
targetUsername | | | | |
targetDomain | | | | |
targetLogonId | | | | |
targetLogonGuid | | | | |
logonType | | | | |
memberName | | | | |
memberSid | | | | |
srcIp | | | | |
srcPort | | | | |
serviceName | | | | |
procName | | | | |
failureStatus | | | | |
samAccountName | | | | |
productName | | | | |
productVersion | | | | |
productLanguage | | | | |
manufacturer | | | | |
resultCode | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | |
box.win_classic.other
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
hostname | | | | |
machineIp | | | | |
Timestamp | | | Timestamp_str | |
LogName | | | | |
SourceName | | | | |
EventCode | | | | |
EventType | | | | |
Type | | | | |
ComputerName | | | | |
TaskCategory | | | | |
OpCode | | | | |
RecordNumber | | | | |
Keywords | | | | |
subjectSecId | | | | |
subjectUsername | | | | |
subjectDomain | | | | |
subjectLogonId | | | | |
subjectLogonGUID | | | | |
targetSecId | | | | |
targetUsername | | | | |
targetDomain | | | | |
targetLogonId | | | | |
targetLogonGuid | | | | |
memberName | | | | |
memberSid | | | | |
logonType | | | | |
srcIp | | | | |
srcPort | | | | |
serviceName | | | | |
procName | | | | |
failureStatus | | | | |
samAccountName | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | |
box.win_classic.security
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
hostname | | | | |
machineIp | | | | |
Timestamp | | | Timestamp_str | |
LogName | | | | |
SourceName | | | | |
EventCode | | | | |
EventType | | | | |
Type | | | | |
ComputerName | | | | |
TaskCategory | | | | |
OpCode | | | | |
RecordNumber | | | | |
Keywords | | | | |
subjectSecId | | | | |
subjectUsername | | | | |
subjectDomain | | | | |
subjectLogonId | | | | |
subjectLogonGUID | | | | |
objectServer | | | | |
objectType | | | | |
objectName | | | | |
handleId | | | | |
logonType | | | | |
restrictedAdminMode | | | | |
virtualAccount | | | | |
elevatedToken | | | | |
impersonationLevel | | | | |
newLogonSecId | | | | |
newLogonUserName | | | | |
newLogonDomain | | | | |
newLogonId | | | | |
newLogonLinkedId | | | | |
newLogonNetworkAccountName | | | | |
newLogonNetworkAccountDomain | | | | |
newLogonGuid | | | | |
targetSecId | | | | |
targetUsername | | | | |
targetDomain | | | | |
targetLogonId | | | | |
targetLogonGuid | | | | |
memberSid | | | | |
memberName | | | | |
groupSecId | | | | |
groupName | | | | |
groupDomain | | | | |
serviceName | | | | |
serviceId | | | | |
ticketOpts | | | | |
ticketEncType | | | | |
resultCode | | | | |
preAuthType | | | | |
privileges_str | | | privileges | |
shareName | | | | |
sharePath | | | | |
relativeTargetName | | | | |
certIssuerName | | | | |
certSerialNumber | | | | |
certThumbprint | | | | |
taskName | | | | |
taskContent | | | | |
taskNewContent | | | | |
failureReason | | | | |
failureStatus | | | | |
failureSubStatus | | | | |
targetServerName | | | | |
targetInfo | | | | |
samAccountName | | | | |
displayName | | | | |
userPrincipalName | | | | |
homeDirectory | | | | |
homeDrive | | | | |
scriptPath | | | | |
profilePath | | | | |
userWorkstations | | | | |
passwordLastSet | | | | |
accountExpires | | | | |
primaryGroupId | | | | |
allowedToDelegateTo | | | | |
oldUACValue | | | | |
newUACValue | | | | |
userAccountContro_str | | | userAccountControl | |
userParameters | | | | |
sidHistory | | | | |
logonHours | | | | |
logonAccount | | | | |
errorCode | | | | |
dsTreeDelete | | | | |
dsCorrelationId | | | | |
dsAppCorrelationId | | | | |
dsName | | | | |
dsType | | | | |
dsDN | | | | |
dsGUID | | | | |
dsClass | | | | |
accessMask | | | | |
accesses_str | | | accesses | |
accesscheckResults_str | | | accesscheckResults | |
procId | | | | |
procName | | | | |
newProcId | | | | |
newProcName | | | | |
tokenElevationType | | | | |
procCmdLine | | | | |
workstation | | | | |
srcIp | | | | |
srcPort | | | | |
objType | | | | |
resourceAttributes | | | | |
logonProc | | | | |
authPkg | | | | |
transitedServices | | | | |
pkgName | | | | |
keyLength | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | |
box.win_classic.system
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
hostname | | | | |
machineIp | | | | |
Timestamp | | | Timestamp_str | |
LogName | | | | |
SourceName | | | | |
EventCode | | | | |
EventType | | | | |
Type | | | | |
ComputerName | | | | |
TaskCategory | | | | |
OpCode | | | | |
RecordNumber | | | | |
Keywords | | | | |
subjectSecId | | | | |
subjectUsername | | | | |
subjectDomain | | | | |
subjectLogonId | | | | |
subjectLogonGUID | | | | |
targetSecId | | | | |
targetUsername | | | | |
targetDomain | | | | |
targetLogonId | | | | |
targetLogonGuid | | | | |
memberName | | | | |
memberSid | | | | |
serviceName | | | | |
serviceFileName | | | | |
serviceType | | | | |
serviceStartType | | | | |
serviceAccount | | | | |
samAccountName | | | | |
logonType | | | | |
srcIp | | | | |
srcPort | | | | |
procName | | | | |
failureStatus | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | |