
box.win_kinesis

Introduction

The tags beginning with box.win_kinesis identify events generated by the Windows Kinesis Agent.

Valid tags and data tables

The full tag must have 3 levels. The first two are fixed as box.win_kinesis. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service     | Tags                        | Data tables
--------------------- | --------------------------- | ---------------------------
Windows Kinesis Agent | box.win_kinesis.application | box.win_kinesis
                      | box.win_kinesis.invalid     | box.win_kinesis.application
                      | box.win_kinesis.security    | box.win_kinesis.invalid
                      |                             | box.win_kinesis.security

For more information, see About Devo tags.

Table structure

These are the fields displayed in these tables:

box.win_kinesis

Field                                                       | Type      | Source field name | Extra fields
----------------------------------------------------------- | --------- | ----------------- | ------------
eventdate                                                   | timestamp |                   |
hostname                                                    | str       |                   |
hostIp                                                      | ip4       |                   |
type                                                        | str       | vtype             |
EventId                                                     | int4      |                   |
Description                                                 | str       |                   |
LevelDisplayName                                            | str       |                   |
LogName                                                     | str       |                   |
MachineName                                                 | str       |                   |
ProviderName                                                | str       |                   |
TimeCreated                                                 | str       |                   |
Index                                                       | int4      |                   |
UserName                                                    | str       |                   |
Keywords                                                    | str       |                   |
subject__security_id                                        | str       |                   |
subject__account_name                                       | str       |                   |
subject__account_domain                                     | str       |                   |
subject__logon_id                                           | str       |                   |
account_information__security_id                            | str       |                   |
account_information__account_name                           | str       |                   |
account_information__account_domain                         | str       |                   |
network_information__workstation_name                       | str       |                   |
network_information__source_address                         | str       |                   |
network_information__source_port                            | str       |                   |
network_information__destination_address                    | str       |                   |
network_information__destination_port                       | str       |                   |
failure_reason__failure_reason                              | str       |                   |
failure_reason__status                                      | str       |                   |
failure_reason__sub_status                                  | str       |                   |
process_information__process_id                             | str       |                   |
process_information__process_name                           | str       |                   |
service_information__service_id                             | str       |                   |
service_information__service_name                           | str       |                   |
service_information__service_file_name                      | str       |                   |
service_information__service_type                           | str       |                   |
service_information__service_start_type                     | str       |                   |
service_information__service_account                        | str       |                   |
access_request_information__access_mask                     | str       |                   |
access_request_information__accesses                        | str       |                   |
access_request_information__access_reasons                  | str       |                   |
access_request_information__properties                      | str       |                   |
logon_type                                                  | str       |                   |
object_server                                               | str       |                   |
object_name                                                 | str       |                   |
object_type                                                 | str       |                   |
object_value_name                                           | str       |                   |
object_handle_id                                            | str       |                   |
operation_type                                              | str       |                   |
share_information__share_name                               | str       |                   |
share_information__share_path                               | str       |                   |
share_information__relative_target_name                     | str       |                   |
task_information__task_name                                 | str       |                   |
task_information__task_content                              | str       |                   |
attribute__sam_account_name                                 | str       |                   |
attribute__ldap_display_name                                | str       |                   |
attribute__value                                            | str       |                   |
additional_information__ticket_options                      | str       |                   |
additional_information__ticket_encryption_type              | str       |                   |
additional_information__privileges                          | str       |                   |
audit_policy__changes                                       | str       |                   |
change_information__new_value                               | str       |                   |
filter_information__layer_runtime_id                        | str       |                   |
detailed_authentication_information__authentication_package | str       |                   |
detailed_authentication_information__key_length             | int8      |                   |
hostchain                                                   | str       |                   | ✓
tag                                                         | str       |                   | ✓
rawMessage                                                  | str       |                   |

box.win_kinesis.application

Field            | Type      | Extra fields
---------------- | --------- | ------------
eventdate        | timestamp |
EventId          | int4      |
Description      | str       |
LevelDisplayName | str       |
LogName          | str       |
MachineName      | str       |
ProviderName     | str       |
TimeCreated      | str       |
Index            | int4      |
UserName         | str       |
Keywords         | str       |
hostchain        | str       | ✓
tag              | str       | ✓
rawMessage       | str       |

box.win_kinesis.invalid

Field      | Type      | Field transformation     | Source field name | Extra fields
---------- | --------- | ------------------------ | ----------------- | ------------
eventdate  | timestamp |                          |                   |
host       | str       | split(hostchain, "=", 0) | hostchain         |
hostchain  | str       |                          |                   | ✓
tag        | str       |                          |                   | ✓
rawMessage | str       |                          |                   |

box.win_kinesis.security

Field                                                       | Type      | Extra fields
----------------------------------------------------------- | --------- | ------------
eventdate                                                   | timestamp |
EventId                                                     | int4      |
Description                                                 | str       |
LevelDisplayName                                            | str       |
LogName                                                     | str       |
MachineName                                                 | str       |
ProviderName                                                | str       |
TimeCreated                                                 | str       |
Index                                                       | int4      |
UserName                                                    | str       |
Keywords                                                    | str       |
account_information__security_id                            | str       |
account_information__account_name                           | str       |
account_information__account_domain                         | str       |
account_information__logon_guid                             | str       |
service_information__service_name                           | str       |
service_information__service_id                             | str       |
service_information__service_file_name                      | str       |
service_information__service_type                           | str       |
service_information__service_start_type                     | str       |
service_information__service_account                        | str       |
application_information__process_id                         | str       |
application_information__application_name                   | str       |
subject__security_id                                        | str       |
subject__account_name                                       | str       |
subject__account_domain                                     | str       |
subject__logon_id                                           | str       |
logon_type                                                  | str       |
new_logon__security_id                                      | str       |
new_logon__account_name                                     | str       |
new_logon__account_domain                                   | str       |
new_logon__logon_id                                         | str       |
new_logon__logon_guid                                       | str       |
failure_reason__failure_reason                              | str       |
failure_reason__status                                      | str       |
failure_reason__sub_status                                  | str       |
process_information__process_id                             | str       |
process_information__process_name                           | str       |
network_information__direction                              | str       |
network_information__workstation_name                       | str       |
network_information__source_network_address                 | str       |
network_information__source_address                         | str       |
network_information__source_port                            | str       |
network_information__client_address                         | str       |
network_information__client_port                            | str       |
network_information__destination_address                    | str       |
network_information__destination_port                       | str       |
network_information__protocol                               | str       |
network_information__object_type                            | str       |
share_information__share_name                               | str       |
share_information__share_path                               | str       |
share_information__relative_target_name                     | str       |
task_information__task_name                                 | str       |
task_information__task_content                              | str       |
access_request_information__access_mask                     | str       |
access_request_information__accesses                        | str       |
access_request_information__properties                      | str       |
access_request_information__access_reasons                  | str       |
access_check_results                                        | str       |
filter_information__filter_runtime_id                       | str       |
filter_information__layer_name                              | str       |
filter_information__layer_runtime_id                        | str       |
detailed_authentication_information__logon_process          | str       |
detailed_authentication_information__authentication_package | str       |
detailed_authentication_information__transited_services     | str       |
detailed_authentication_information__package_name           | str       |
detailed_authentication_information__key_length             | int8      |
additional_information__ticket_options                      | str       |
additional_information__ticket_encryption_type              | str       |
additional_information__failure_code                        | str       |
additional_information__result_code                         | str       |
additional_information__transited_services                  | str       |
additional_information__pre_authentication_type             | str       |
object_server                                               | str       |
object_name                                                 | str       |
object_type                                                 | str       |
object_value_name                                           | str       |
object_handle_id                                            | str       |
operation_type                                              | str       |
hostchain                                                   | str       | ✓
tag                                                         | str       | ✓
rawMessage                                                  | str       |

box.win_kinesis.system

Field                                   | Type      | Extra fields
--------------------------------------- | --------- | ------------
eventdate                               | timestamp |
EventId                                 | int4      |
Description                             | str       |
LevelDisplayName                        | str       |
LogName                                 | str       |
MachineName                             | str       |
ProviderName                            | str       |
TimeCreated                             | str       |
Index                                   | int4      |
UserName                                | str       |
Keywords                                | str       |
service_information__service_name       | str       |
service_information__service_file_name  | str       |
service_information__service_type       | str       |
service_information__service_start_type | str       |
service_information__service_account    | str       |
hostchain                               | str       | ✓
tag                                     | str       | ✓
rawMessage                              | str       |