box.win_quest

Introduction

The tags beginning with box.win_quest identify events generated by WinQuest.

Valid tags and data tables 

The full tag must have 4 levels. The first two are fixed as box.win_quest. The third level identifies the type of events sent. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
| --- | --- | --- |
| WinQuest | box.win_quest.change_auditor.leef | box.win_quest.change_auditor.leef |

For more information, see About Devo tags.

Table structure

These are the fields displayed in this table:

box.win_quest.change_auditor.leef

| Field | Type | Field transformation | Source field name | Extra fields |
| --- | --- | --- | --- | --- |
| eventdate | timestamp | | | |
| machine | str | | | |
| EventID | int4 | | | |
| eventId | int8 | int8(EventID) | EventID | |
| priority | str | | | |
| version | str | | | |
| isotimestamp | timestamp | | | |
| hostname | str | | | |
| application | str | | | |
| PID | str | | | |
| messageID | str | | | |
| structured_data | str | | | |
| leef_version | str | | | |
| embDeviceVendor | str | | | |
| embDeviceProduct | str | | | |
| deviceVersion | str | | | |
| dst | str | | | |
| dstPort | str | | | |
| devTimeFormat | str | | | |
| recordId | str | | | |
| event | str | | | |
| link | str | | | |
| action | str | | | |
| facility | str | | | |
| severity | str | | | |
| subsystem | str | | | |
| result | str | | | |
| questEventID | str | | | |
| agentID | str | | | |
| eventClassID | str | | | |
| subsystemID | str | | | |
| facilityID | str | | | |
| valueTypeID | str | | | |
| severityID | str | | | |
| actionID | str | | | |
| resultID | str | | | |
| devTime | timestamp | | | |
| timeZoneOffset | str | | | |
| timeBatched | timestamp | | | |
| timeOfDay | str | | | |
| timeReceived | timestamp | | | |
| coordinatorId | str | | | |
| userSid | str | | | |
| userSIDHash | str | | | |
| user | str | | | |
| userNameHash | str | | | |
| userDisplay | str | | | |
| origin | str | | | |
| userAddressHash | str | | | |
| originIPv4 | ip4 | | | |
| userAddressIPv4Hash | str | | | |
| originIPv6 | str | | | |
| userAddressIPv6Hash | str | | | |
| userMailHash | str | | | |
| from | str | | | |
| description | str | | | |
| serverDn | str | | | |
| serverFqdn | str | | | |
| serverFQDNHash | str | | | |
| computer | str | | | |
| serverNameHash | str | | | |
| serverOu | str | | | |
| osVersion | str | | | |
| ipAddress | ip4 | | | |
| iPAddressHash | str | | | |
| dc | str | | | |
| exchange | str | | | |
| domainID | str | | | |
| parentDomainID | str | | | |
| domainDn | str | | | |
| domainFqdn | str | | | |
| domain | str | | | |
| domainNameHash | str | | | |
| siteID | str | | | |
| siteDn | str | | | |
| site | str | | | |
| siteNameHash | str | | | |
| organizationalUnit | str | | | |
| organizationalUnitHash | str | | | |
| parentObjectID | str | | | |
| objectID | str | | | |
| objectClass | str | | | |
| objectClassHash | str | | | |
| objectName | str | | | |
| objectNameHash | str | | | |
| attributeName | str | | | |
| objectDn | str | | | |
| objectCanonical | str | | | |
| objectCanonicalHash | str | | | |
| sslTls | str | | | |
| kerberos | str | | | |
| adOriginatingObjectID | str | | | |
| adUsnChangedPre | str | | | |
| adUsnChangedPost | str | | | |
| samAccountName | str | | | |
| userPrincipalName | str | | | |
| adStatusCode | str | | | |
| administrator | str | | | |
| originAdSite | str | | | |
| simpleBind | str | | | |
| authPort | str | | | |
| id | str | | | |
| eventID1 | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |
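The following is an added example, not Devo's own parser, showing how the four-level tag rule above and the column names of this table fit together: it validates a box.win_quest tag, splits an RFC 5424 syslog line carrying a LEEF payload into the header columns (priority, version, isotimestamp, hostname, application, PID, messageID, structured_data, leef_version, embDeviceVendor, embDeviceProduct, deviceVersion, EventID) and the LEEF attributes, applies the int8(EventID) transformation, and fills the tag and rawMessage extra fields. The syslog framing, the LEEF 1.0/2.0 layout and the sample event are assumptions, not something this page states.

```python
import re

# Devo tag rule from the page: exactly four levels, the first two fixed as box.win_quest
def validate_tag(tag: str) -> bool:
    levels = tag.split(".")
    return len(levels) == 4 and levels[:2] == ["box", "win_quest"] and all(levels)

# Assumed RFC 5424 syslog framing before the LEEF payload; the group names are the page's
# priority, version, isotimestamp, hostname, application, PID, messageID, structured_data columns
SYSLOG_RE = re.compile(
    r"^<(?P<priority>\d+)>(?P<version>\d+) (?P<isotimestamp>\S+) (?P<hostname>\S+) "
    r"(?P<application>\S+) (?P<PID>\S+) (?P<messageID>\S+) (?P<structured_data>-|\[.*?\]) "
    r"(?P<leef>LEEF:.*)$"
)

def parse_leef_event(tag: str, line: str) -> dict:
    """Map one syslog-framed LEEF line onto the box.win_quest.change_auditor.leef columns."""
    if not validate_tag(tag):
        raise ValueError(f"invalid Devo tag: {tag}")
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("line is not an RFC 5424 syslog message carrying a LEEF payload")
    rec = m.groupdict()
    # LEEF header: LEEF:<version>|<vendor>|<product>|<device version>|<event id>|<attributes>
    parts = rec.pop("leef").split("|", 5)
    if len(parts) < 6:
        raise ValueError("LEEF header is missing one of its five pipe-separated fields")
    rec["leef_version"] = parts[0][len("LEEF:"):]
    rec["embDeviceVendor"], rec["embDeviceProduct"], rec["deviceVersion"], rec["EventID"] = parts[1:5]
    attrs, delim = parts[5], "\t"
    if rec["leef_version"].startswith("2."):
        # LEEF 2.0 adds an optional delimiter field (a literal character or xHH hex) before the attributes
        spec, _, attrs = attrs.partition("|")
        if spec.startswith("x") and len(spec) > 1:
            delim = chr(int(spec[1:], 16))
        elif spec:
            delim = spec
    for kv in attrs.split(delim):
        key, sep, value = kv.partition("=")
        if sep and key:
            rec[key] = value  # attribute keys are the page's column names (devTime, user, action, ...)
    # Field transformation from the page: eventId = int8(EventID); left null when EventID is not numeric
    rec["eventId"] = int(rec["EventID"]) if rec["EventID"].isdigit() else None
    rec["tag"], rec["rawMessage"] = tag, line  # the page's extra fields
    return rec

# Constructed sample, not a real Change Auditor event
SAMPLE_LINE = (
    "<134>1 2024-01-15T10:22:01Z dc01.example.com ChangeAuditor - - - "
    "LEEF:1.0|Quest|Change Auditor|7.0|12345|"
    "devTime=2024-01-15T10:22:01Z\tuser=EXAMPLE\\jdoe\taction=Modify\tresult=Success\tobjectName=CN=Admins"
)
```

Attribute values are kept as strings here; the typed columns of the table (ip4, timestamp) would still need the platform's own conversions.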