BluSapphire
Windows

Version 1.2


| Fields | Data Type |
|---|---|
| event.category | array |
| event.dataset | text |
| event.module | text |
| event.kind | text |
| event.outcome | text |
| event.type | array |
| event.action | text |
| event.id | text |
| event.original | |
| event.severity | text |
| event.created | date |
| event.reason | text |
| uuid | text |
| organisation.id | text |
| sensor.id | text |
| source.as.organization.name | text |
| source.geo.city_name | text |
| source.geo.country_code | text |
| source.geo.country_name | text |
| source.geo.location.lat | geopoint |
| source.geo.location.lon | geopoint |
| source.geo.region_name | text |
| source.geo.continent_code | text |
| destination.as.organization.name | text |
| destination.geo.city_name | text |
| destination.geo.country_code | text |
| destination.geo.country_name | text |
| destination.geo.location.lat | geopoint |
| destination.geo.location.lon | geopoint |
| destination.geo.region_name | text |
| destination.geo.continent_code | text |
| source.as.number | text |
| threatintel.entity | text |
| threatintel.lookup | text |
| source.locality | text |
| destination.locality | text |
| network.community_id | text |
| host.name | text |
| user.name | text |
| user.domain | text |
| process.name | text |
| process.executable | text |
| process.args | array |
| process.pid | int |
| process.parent.executable | text |
| process.parent.name | text |
| process.parent.args | text |
| process.working_directory | text |
| process.parent.pid | int |
| file.path | text |
| source.ip | ip |
| source.port | int |
| destination.ip | ip |
| destination.port | int |
| registry.path | text |
| registry.value | text |
| hash.imphash | text |
| hash.md5 | text |
| destination.domain | text |
| destination.ip | ip |
| destination.port | int |
| error.message | text |
| network.direction | text |
| network.protocol | text |
| network.transport | text |
| network.type | text |
| source.address | ip |
| source.domain | text |
| source.ip | ip |
| source.port | int |
| rule.name | text |
| process.pe.imphash | text |
| process.command_line | text |
| process.parent.command_line | text |
| process.pe.original_file_name | text |
| process.pe.company | text |
| process.pe.description | text |
| process.pe.file_version | text |
| process.pe.product | text |
| file.hash | text |
| file.pe.imphash | text |
| file.name | text |
| file.code_signature.subject_name | text |
| file.pe.original_file_name | text |
| file.pe.company | text |
| file.pe.description | text |
| file.pe.file_version | text |
| file.pe.product | text |
| file.code_signature.signed | text |
| dns.question.name | text |
| network.type | text |
| sysmon.dns.status | text |
| sysmon.file.archived | text |
| sysmon.file.is_executable | text |
| powershell.engine.new_state | text |
| powershell.engine.previous_state | text |
| powershell.provider.new_state | text |
| powershell.provider.name | text |
| powershell.sequence | text |
| powershell.engine.version | text |
| powershell.process.executable_version | text |
| powershell.command.value | text |
| powershell.command.path | text |
| powershell.command.name | text |
| source.user.name | text |
| source.user.domain | text |
| powershell.file.script_block_text | text |
| powershell.file.script_block_id | text |
| rule.uuid | text |
| rule.id | text |
| error.code | text |
| winlog.accesslist | |
| winlog.accessmask | |
| winlog.accesses | |
| source.user.id | |
| winlog.action | |
| winlog.address | |
| winlog.allowedtodelegateto | |
| winlog.appid | |
| winlog.appname | |
| winlog.application | |
| winlog.applicationpath | |
| winlog.attributeldapdisplayname | |
| winlog.attributevalue | |
| winlog.auditpolicychanges | |
| winlog.auditsourcename | |
| package.name (remove) | |
| winlog.binary | |
| winlog.calltrace | |
| winlog.caption | |
| winlog.certthumbprint | |
| winlog.classname | |
| winlog.clientprocessid | |
| winlog.contents | |
| winlog.contextinfo | |
| winlog.failurecode | |
| winlog.feature_name | |
| winlog.filenamebuffer | |
| winlog.grantedaccess | |
| winlog.impersonationlevel | |
| winlog.integritylevel | |
| winlog.keylength | |
| winlog.keywords | |
| winlog.layerrtid | |
| winlog.level | |
| winlog.localname | |
| winlog.logontype | |
| winlog.message | |
| winlog.modifyingapplication | |
| winlog.name | |
| winlog.newname | |
| winlog.newtargetusername | |
| winlog.newtemplatecontent | |
| winlog.newuacvalue | |
| winlog.newvalue | |
| winlog.objectclass | |
| winlog.objectname | |
| winlog.objectserver | |
| winlog.objecttype | |
| winlog.objectvaluename | |
| winlog.olduacvalue | |
| winlog.oldvalue | |
| winlog.origin | |
| winlog.originalfilename | |
| winlog.packagefullname | |
| winlog.packagepath | |
| winlog.parentcommandline | |
| winlog.parentimage | |
| winlog.parentprocessid | |
| winlog.parentuser | |
| winlog.path | |
| winlog.pipename | |
| winlog.possiblecause | |
| winlog.previouscreationutctime | |
| winlog.privilegelist | |
| winlog.processid | |
| winlog.processname | |
| winlog.processnamebuffer | |
| winlog.processpath | |
| winlog.product | |
| winlog.properties | |
| winlog.protocol | |
| winlog.provider | |
| winlog.providername | |
| winlog.provider_name | |
| winlog.qname | |
| winlog.query | |
| winlog.queryname | |
| winlog.reason | |
| winlog.relativetargetname | |
| winlog.remotename | |
| winlog.requestedpolicy | |
| winlog.samaccountname | |
| winlog.searchfilter | |
| winlog.servername | |
| winlog.service | |
| winlog.servicefilename | |
| winlog.servicename | |
| winlog.serviceprincipalnames | |
| winlog.servicestarttype | |
| winlog.servicetype | |
| winlog.sharename | |
| winlog.sidhistory | |
| winlog.sidlist | |
| winlog.signature | |
| winlog.signaturestatus | |
| winlog.signed | |
| winlog.sourceaddress | |
| winlog.sourcecommandline | |
| winlog.sourcefilename | |
| winlog.sourcehostname | |
| winlog.sourceimage | |
| winlog.sourceip | |
| winlog.sourcename | |
| winlog.sourceparentimage | |
| winlog.sourceport | |
| winlog.startaddress | |
| winlog.startfunction | |
| winlog.startmodule | |
| winlog.state | |
| winlog.status | |
| winlog.subcategoryguid | |
| winlog.subjectdomainname | |
| winlog.subjectlogonid | |
| winlog.subjectusername | |
| winlog.subjectusersid | |
| winlog.targetfilename | |
| winlog.targetimage | |
| user.id | |
| destination.user.name | |
| winlog.targetparentimage | |
| winlog.targetparentprocessid | |
| winlog.targetservername | |
| winlog.targetsid | |
| winlog.targetusername | |
| winlog.targetusersid | |
| winlog.taskcontent | |
| winlog.taskcontentnew | |
| winlog.taskname | |
| winlog.templatecontent | |
| winlog.ticketencryptiontype | |
| winlog.ticketoptions | |
| winlog.type | |
| winlog.user | |
| winlog.username | |
| winlog.value | |
| winlog.workstation | |
| winlog.workstationname | |
| winlog.param1 | |
| winlog.param2 | |
| winlog.param3 | |
| winlog.payload | |
| winlog.process | |
| related.user | array |
| related.hash | array |
| related.ip | array |
| related.hosts | array |
| agent.type | text |
| log.type | text |
| observer.type | text |
| threatintel.days | int |
| threatintel.event_data | text |
| threatintel.malware.malware | text |
| threatintel.malware.timestamp | date/time |
| threatintel.tags | text |
| threatintel.white_list | text |
| threatintel.severity | text |
| message | |
| asset.category | array |
| asset.rank | int |
| asset.type | array |
| destination.address | ip |
| destination.user.group.id | text |
| destination.user.group.name | text |
| destination.user_name | text |
| dns.answers | array |
| dns.response_code | text |
| event.channel | text |
| event.code | int |
| event.provider | text |
| group.domain | text |
| group.id | text |
| group.name | text |
| host.ip | ip |
| observer.product | text |
| observer.vendor | text |
| registry.hive | text |
| registry.key | text |
| service.name | text |
| service.state | text |
| service.type | text |
| user.target.domain | text |
| user.type | text |
| event.outcome | text |

New fields to add

- network.direction
- winlog.exceptioncode
- winlog.logonprocessname
- winlog.authenticationpackagename
- winlog.devicedescription
- winlog.devicename
- winlog.errorcode
- winlog.source_name
- winlog.hivename
- winlog.imagename
- winlog.new_value
- winlog.old_value
- winlog.objectname
- package.path
- winlog.filterorigin
- winlog.scriptblocktext
- winlog.description
- winlog.targetname
- winlog.targetoutboundusername
- winlog.targetlogonid
- source.domain
- winlog.subjectname
