box.win_winlogbeat

[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 Table structure ]

Introduction

The tags beginning with box.win_winlogbeat identify events generated by Winlogbeat.

Valid tags and data tables

The full tag must have at least 2 levels. The first two are fixed as box.win_winlogbeat. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
Winlogbeat	`box.win_winlogbeat.application` `box.win_winlogbeat.sysmon` `box.win_winlogbeat.security` `box.win_winlogbeat.applocker`	`box.win_winlogbeat`
	`box.win_winlogbeat.adpwprotect`	`box.win_winlogbeat.adpwprotect`
	`box.win_winlogbeat.application`	`box.win_winlogbeat.application`
	`box.win_winlogbeat.applocker`	`box.win_winlogbeat.applocker`
	`box.win_winlogbeat.authentication`	`box.win_winlogbeat.authentication`
	`box.win_winlogbeat.bits-client`	`box.win_winlogbeat.bitsClient`
	`box.win_winlogbeat.codeintegrity`	`box.win_winlogbeat.codeintegrity`
	`box.win_winlogbeat.deviceguard`	`box.win_winlogbeat.deviceguard`
	`box.win_winlogbeat.dns`	`box.win_winlogbeat.dns`
	`box.win_winlogbeat.forwarding`	`box.win_winlogbeat.forwarding`
	`box.win_winlogbeat.kernel-pnp`	`box.win_winlogbeat.kernelPnp`
	`box.win_winlogbeat.ntlm`	`box.win_winlogbeat.ntlm`
	`box.win_winlogbeat.oalerts`	`box.win_winlogbeat.oalerts`
	`box.win_winlogbeat.powershell`	`box.win_winlogbeat.powershell`
	`box.win_winlogbeat.security`	`box.win_winlogbeat.security`
	`box.win_winlogbeat.security-mitigations`	`box.win_winlogbeat.securityMitigations`
	`box.win_winlogbeat.setup`	`box.win_winlogbeat.setup`
	`box.win_winlogbeat.smb`	`box.win_winlogbeat.smb`
	`box.win_winlogbeat.sysmon`	`box.win_winlogbeat.sysmon`
	`box.win_winlogbeat.system`	`box.win_winlogbeat.system`
	`box.win_winlogbeat.taskscheduler`	`box.win_winlogbeat.taskscheduler`
	`box.win_winlogbeat.terminalservices`	`box.win_winlogbeat.terminalservices`
	`box.win_winlogbeat.win32k`	`box.win_winlogbeat.win32k`
	`box.win_winlogbeat.windows_defender`	`box.win_winlogbeat.windows_defender`
	`box.win_winlogbeat.windows_firewall`	`box.win_winlogbeat.windows_firewall`
	`box.win_winlogbeat.windowsupdateclient`	`box.win_winlogbeat.windowsupdateclient`
	`box.win_winlogbeat.wmi-activity`	`box.win_winlogbeat.wmiActivity`

For more information, read more About Devo tags.

Table structure

These are the fields displayed in these tables: