box.win

[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 How is the data sent to Devo? ] [ 4 Table structure ]

Deprecated parser

Note that the box.win parser is deprecated and no longer supported by Devo. We recommend to use the corresponding box.win_* parser for your specific technology. Learn more about these parsers here.

Introduction

The system logs from a Windows machine are assigned the box.win tag.

Windows events must be converted to syslog format before being sent to the Devo Cloud. One tool useful for this is the Snare Agent for Windows from InterSectAlliance, which can read the Windows event logs in their native format and forward them to a remote syslog server - in this case, to a Devo Relay or ProxyServerContainer where the box.win tag can be applied to the events.

Devo Relay - This is the recommended option for environments with a high volume of Windows events - for example, simultaneously collecting logs from more than ten Windows machines. In this case, you configure the Snare Agent to send the logs to the UDP/TCP port 13002 on the Devo Relay. This port is preconfigured to receive Windows system events, tag them as box.win, then forward them to the Devo Cloud.

Valid tags and data tables

The full tag must have at least 2 levels. The first two are fixed as box.win. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
Windows events	`box.win`	`box.win`

For more information, read more about Devo tags.

How is the data sent to Devo?

Learn how to ingest events to the box.win table in this article.

Table structure

These are the fields displayed in this table:

box.win

Field	Type	Field transformation	Source field name	Extra fields

Field	Type	Field transformation	Source field name	Extra fields
eventdate	`timestamp`
machine	`str`
machineIp	`ip4`
groupName	`str`
logSource	`str`
srceventdate	`timestamp`	`nvl(timeCreated, nvl(parsedate(serverdate, serverdate_fmt), serverdate))`	serverdate_fmt timeCreated serverdate
keywords	`str`
eventType	`str`
eventID	`int4`
sourceName	`str`
username	`str`
sidType	`str`
logType	`str`
srcHost	`str`
category	`str`
direction	`str`
srcIp	`str`
srcPort	`str`
dstIp	`str`
dstPort	`str`
dstHostname	`str`
protocol	`str`
secId	`str`
account	`str`
domain	`str`
subjectSecId	`str`
subjectUsername	`str`
subjectDomain	`str`
subjectLogonId	`str`
logonType	`int4`
memberSecId	`str`
memberAcctName	`str`
groupSecurityId	`str`
groupGroupName	`str`
groupGroupDomain	`str`
impersonationLevel	`str`
restrictedAdminMode	`str`
targetOutboundUserName	`str`
targetOutboundDomainName	`str`
virtualAccount	`str`
targetLinkedLogonId	`str`
elevatedToken	`str`
reason	`str`
reasonCode	`str`
status	`str`
subStatus	`str`
logonId	`str`
logonGuid	`str`
procId	`str`
procName	`str`
procGuid	`str`
newProcId	`str`
newProcName	`str`
commandLine	`str`
workstation	`str`
workstationName	`str`
logonProc	`str`
logonProcess	`str`
authPkg	`str`
keyLength	`int8`
servername	`str`
targetInfo	`str`
targetLogonGuid	`str`
description	`str`
extraInfo	`str`
samAccount	`str`
displayName	`str`
principalName	`str`
homeDir	`str`
homeDrive	`str`
filePath	`str`
scriptPath	`str`
profilePath	`str`
userWorkstations	`str`
lastPass	`str`
accExpire	`str`
groupId	`int8`
logonHours	`str`
service	`str`
serviceSid	`str`
serviceFileName	`str`
serviceType	`str`
serviceStartType	`str`
serviceAccount	`str`
imagePath	`str`
parentImage	`str`
startType	`str`
accountName	`str`
ticketOpts	`str`
ticketEncType	`str`
preAuthType	`int4`
preAuthType2	`str`
certIssuer	`str`
certSerial	`str`
certThumbprint	`str`
privileges	`str`
destDra	`str`
srcDra	`str`
namingCtx	`str`
options	`str`
sessionId	`str`
startUsn	`str`
endUsn	`str`
member	`str`
memberSid	`str`
context	`str`
serverUrl	`str`
serverId	`str`
computer	`str`
ComputerAccountChange	`str`
SamAccountName	`str`
DisplayName	`str`
UserPrincipalName	`str`
HomeDirectory	`str`
HomePath	`str`
ScriptPath	`str`
ProfilePath	`str`
UserWorkstations	`str`
PasswordLastSet	`str`
AccountExpires	`str`
PrimaryGroupId	`str`
AllowedToDelegateTo	`str`
OldUacValue	`str`
NewUacValue	`str`
UserAccountControl	`str`
UserParameters	`str`
SidHistory	`str`
LogonHours	`str`
DnsHostName	`str`
ServicePrincipalNames	`str`
serviceServer	`str`
discardedMessages	`int4`
objName	`str`	`trim(objName2)`	objName2
objValueName	`str`
objType	`str`	`trim(objType2)`	objType2
objServer	`str`		objServer2
objHandle	`str`		objHandle2
objValName	`str`		objValName2
oldValueType	`str`
oldValue	`str`
newValueType	`str`
newValue	`str`
resourceAttr	`str`
tokenElevType	`str`
mandatoryLabel	`str`
desiredAccess	`str`
failCode	`str`
user	`str`
logonFail	`str`
appName	`str`
filterRuntimeId	`str`
LayerName	`str`
LayerRuntimeId	`str`
AccessMask	`str`
AccessList	`str`
accesses	`str`
grantedAccess	`str`
DNS_XfrScopeOptionValue	`int4`
DHCP_macAddress	`str`
DHCP_error	`str`
shareName	`str`
shareLocalPath	`str`
relativeTargetName	`str`
deviceId	`str`
deviceName	`str`
classId	`str`
className	`str`
taskName	`str`
taskContent	`str`
targetObject	`str`
targetImage	`str`
dsName	`str`
dsType	`str`
dsDN	`str`
dsOldDN	`str`
dsNewDN	`str`
dsGUID	`str`
dsClass	`str`
dsLDAPName	`str`
dsSyntax	`str`
dsValue	`str`
dsCorrelationId	`str`
dsApplicationCorrelationId	`str`
operationType	`str`
treeDelete	`str`
device	`str`
pipeName	`str`
queryName	`str`
queryStatus	`str`
queryResults	`str`
signature	`str`
initiated	`str`
properties	`str`
auditPolicyChanges	`str`
data	`str`
message	`str`
extMessage	`str`
criticality	`int4`
evtCounter	`int8`
evtCounter2	`int8`
unkData	`str`
hostchain	`str`
tag	`str`			✓
rawMessage	`str`