box.win_classic

[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 Table structure ]

Introduction

The tags beginning with box.win_classic identify events generated by Windows Classic.

Valid tags and data tables

The full tag must have 3 levels. The first two are fixed as box.win_classic. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
Windows Classic	`box.win_classic.application` `box.win_classic.other` `box.win_classic.security` `box.win_classic.system`	`box.win_classic`
	`box.win_classic.application`	`box.win_classic.application`
	`box.win_classic.other`	`box.win_classic.other`
	`box.win_classic.security`	`box.win_classic.security`
	`box.win_classic.system`	`box.win_classic.system`

For more information, read more About Devo tags.

Table structure

These are the fields displayed in these tables:

box.win_classic
box.win_classic.application
box.win_classic.other
box.win_classic.security
box.win_classic.system

box.win_classic

Field	Type	Field transformation	Source field name	Extra fields

Field	Type	Field transformation	Source field name	Extra fields
eventdate	`timestamp`
hostname	`str`
machineIp	`ip4`
type	`str`		vtype
Timestamp	`timestamp`	`parsedate(Timestamp_str, dateformat("MM/DD/YYYY hh:mm:ss A", "utc"))`	Timestamp_str
LogName	`str`
SourceName	`str`
EventCode	`str`
EventType	`str`
Type	`str`
ComputerName	`str`
TaskCategory	`str`
OpCode	`str`
RecordNumber	`int4`
Keywords	`str`
newLogonUserName	`str`
subjectSecId	`str`
subjectUsername	`str`
subjectDomain	`str`
subjectLogonId	`str`
subjectLogonGUID	`str`
targetSecId	`str`
targetUsername	`str`
targetDomain	`str`
targetLogonId	`str`
targetLogonGuid	`str`
memberName	`str`
memberSid	`str`
groupSecId	`str`
groupName	`str`
groupDomain	`str`
objectName	`str`
objectType	`str`
objectServer	`str`
logonType	`str`
srcIp	`str`
srcPort	`str`
serviceName	`str`
serviceFileName	`str`
serviceAccount	`str`
workstation	`str`
procId	`str`
procName	`str`
procCmdLine	`str`
failureStatus	`str`
failureSubStatus	`str`
samAccountName	`str`
shareName	`str`
sharePath	`str`
relativeTargetName	`str`
ticketOpts	`str`
privileges_str	`str`	`join(privileges, ",")`	privileges
accessMask	`str`
accesses_list	`str`
userAccountControl_str	`str`	`join(userAccountControl, ",")`	userAccountControl
newProcId	`str`
newProcName	`str`
tokenElevationType	`str`
mandatoryLabel	`str`
taskName	`str`
taskContent	`str`
keyLength	`int4`
resultCode	`str`
Message	`str`
hostchain	`str`			✓
tag	`str`			✓
rawMessage	`str`

box.win_classic.application

Field	Type	Field transformation	Source field name	Extra fields

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
hostname	`str`
machineIp	`ip4`
Timestamp	`timestamp`	Timestamp_str
LogName	`str`
SourceName	`str`
EventCode	`str`
EventType	`str`
Type	`str`
ComputerName	`str`
TaskCategory	`str`
OpCode	`str`
RecordNumber	`int4`
Keywords	`str`
subjectSecId	`str`
subjectUsername	`str`
subjectDomain	`str`
subjectLogonId	`str`
subjectLogonGUID	`str`
targetSecId	`str`
targetUsername	`str`
targetDomain	`str`
targetLogonId	`str`
targetLogonGuid	`str`
logonType	`str`
memberName	`str`
memberSid	`str`
srcIp	`str`
srcPort	`str`
serviceName	`str`
procName	`str`
failureStatus	`str`
samAccountName	`str`
productName	`str`
productVersion	`str`
productLanguage	`str`
manufacturer	`str`
resultCode	`str`
hostchain	`str`		✓
tag	`str`		✓
rawMessage	`str`

box.win_classic.other

Field	Type	Field transformation	Source field name	Extra fields

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
hostname	`str`
machineIp	`ip4`
Timestamp	`timestamp`	Timestamp_str
LogName	`str`
SourceName	`str`
EventCode	`str`
EventType	`str`
Type	`str`
ComputerName	`str`
TaskCategory	`str`
OpCode	`str`
RecordNumber	`int4`
Keywords	`str`
subjectSecId	`str`
subjectUsername	`str`
subjectDomain	`str`
subjectLogonId	`str`
subjectLogonGUID	`str`
targetSecId	`str`
targetUsername	`str`
targetDomain	`str`
targetLogonId	`str`
targetLogonGuid	`str`
memberName	`str`
memberSid	`str`
logonType	`str`
srcIp	`str`
srcPort	`str`
serviceName	`str`
procName	`str`
failureStatus	`str`
samAccountName	`str`
hostchain	`str`		✓
tag	`str`		✓
rawMessage	`str`

box.win_classic.security

Field	Type	Field transformation	Source field name	Extra fields

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
hostname	`str`
machineIp	`ip4`
Timestamp	`timestamp`	Timestamp_str
LogName	`str`
SourceName	`str`
EventCode	`str`
EventType	`str`
Type	`str`
ComputerName	`str`
TaskCategory	`str`
OpCode	`str`
RecordNumber	`int4`
Keywords	`str`
subjectSecId	`str`
subjectUsername	`str`
subjectDomain	`str`
subjectLogonId	`str`
subjectLogonGUID	`str`
objectServer	`str`
objectType	`str`
objectName	`str`
handleId	`str`
logonType	`str`
restrictedAdminMode	`str`
virtualAccount	`str`
elevatedToken	`str`
impersonationLevel	`str`
newLogonSecId	`str`
newLogonUserName	`str`
newLogonDomain	`str`
newLogonId	`str`
newLogonLinkedId	`str`
newLogonNetworkAccountName	`str`
newLogonNetworkAccountDomain	`str`
newLogonGuid	`str`
targetSecId	`str`
targetUsername	`str`
targetDomain	`str`
targetLogonId	`str`
targetLogonGuid	`str`
memberSid	`str`
memberName	`str`
groupSecId	`str`
groupName	`str`
groupDomain	`str`
serviceName	`str`
serviceId	`str`
ticketOpts	`str`
ticketEncType	`str`
resultCode	`str`
preAuthType	`str`
privileges_str	`str`	privileges
shareName	`str`
sharePath	`str`
relativeTargetName	`str`
certIssuerName	`str`
certSerialNumber	`str`
certThumbprint	`str`
taskName	`str`
taskContent	`str`
taskNewContent	`str`
failureReason	`str`
failureStatus	`str`
failureSubStatus	`str`
targetServerName	`str`
targetInfo	`str`
samAccountName	`str`
displayName	`str`
userPrincipalName	`str`
homeDirectory	`str`
homeDrive	`str`
scriptPath	`str`
profilePath	`str`
userWorkstations	`str`
passwordLastSet	`str`
accountExpires	`str`
primaryGroupId	`str`
allowedToDelegateTo	`str`
oldUACValue	`str`
newUACValue	`str`
userAccountContro_str	`str`	userAccountControl
userParameters	`str`
sidHistory	`str`
logonHours	`str`
logonAccount	`str`
errorCode	`str`
dsTreeDelete	`str`
dsCorrelationId	`str`
dsAppCorrelationId	`str`
dsName	`str`
dsType	`str`
dsDN	`str`
dsGUID	`str`
dsClass	`str`
accessMask	`str`
accesses_str	`str`	accesses
accesscheckResults_str	`str`	accesscheckResults
procId	`str`
procName	`str`
newProcId	`str`
newProcName	`str`
tokenElevationType	`str`
procCmdLine	`str`
workstation	`str`
srcIp	`str`
srcPort	`str`
objType	`str`
resourceAttributes	`str`
logonProc	`str`
authPkg	`str`
transitedServices	`str`
pkgName	`str`
keyLength	`int4`
hostchain	`str`		✓
tag	`str`		✓
rawMessage	`str`

box.win_classic.system

Field	Type	Field transformation	Source field name	Extra fields

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
hostname	`str`
machineIp	`ip4`
Timestamp	`timestamp`	Timestamp_str
LogName	`str`
SourceName	`str`
EventCode	`str`
EventType	`str`
Type	`str`
ComputerName	`str`
TaskCategory	`str`
OpCode	`str`
RecordNumber	`int4`
Keywords	`str`
subjectSecId	`str`
subjectUsername	`str`
subjectDomain	`str`
subjectLogonId	`str`
subjectLogonGUID	`str`
targetSecId	`str`
targetUsername	`str`
targetDomain	`str`
targetLogonId	`str`
targetLogonGuid	`str`
memberName	`str`
memberSid	`str`
serviceName	`str`
serviceFileName	`str`
serviceType	`str`
serviceStartType	`str`
serviceAccount	`str`
samAccountName	`str`
logonType	`str`
srcIp	`str`
srcPort	`str`
procName	`str`
failureStatus	`str`
hostchain	`str`		✓
tag	`str`		✓
rawMessage	`str`