01_Introduction
02_Unified Cyber Defense Platform
03_The Stack
04_Features and capabilities
05_Operations
06_Architecture
- Architecture - Version 3
- Architecture - Version 4
07_Integration
- Cisco pxGrid Integration
- Threat Intel Sources
08_Use cases
- SIGMA Rules
  SIGMA Detection Attributes
  Understanding SIGMA Rule
  Creating SIGMA Rule
09_CaseHub
10_Active-Defense-Services
- Services (ADS - LIADS)
  Network Services
  Database Services
  Web-Apps
- Tokens (ADS - Tokens)
11_Data-Pipeline-Manager (DPM)
- Basic Concepts
- Getting Started
12_Deployment / Log Forwarding
13_MITRE ATT&CK
- MITRE ATT&CK Coverage by Tactic
- MITRE ATT&CK Coverage by Technique
14_BluArmour Endpoint Protection
- BluArmour For ICS / AirGapped Networks
15_BluGenie
16_Best Practices
17_Threat Hunt
18_Taxonomy
19_Product Videos
Appendix A

Powered by GitBook

On this page

Windows

Version 1.2

\

PreviousWireless Access Controllers NextLoad Balancers (LB)

Version 1.2

\

Fields

Data Type

event.category

array

event.dataset

text

event.module

text

event.kind

text

event.outcome

text

event.type

array

event.action

text

event.id

text

event.original

event.severity

text

event.created

date

event.reason

text

uuid

text

organisation.id

text

sensor.id

text

source.as.organization.name

text

source.geo.city_name

text

source.geo.country_code

text

source.geo.country_name

text

source.geo.location.lat

geopoint

source.geo.location.lon

geopoint

source.geo.region_name

text

source.geo.continent_code

text

destination.as.organization.name

text

destination.geo.city_name

text

destination.geo.country_code

text

destination.geo.country_name

text

destination.geo.location.lat

geopoint

destination.geo.location.lon

geopoint

destination.geo.region_name

text

destination.geo.continent_code

text

source.as.number

text

threatintel.entity

text

threatintel.lookup

text

source.locality

text

destination.locality

text

network.community_id

text

host.name

text

user.name

text

user.domain

text

process.name

text

process.executable

text

process.args

array

process.pid

int

process.parent.executable

text

process.parent.name

text

process.parent.args

tect

process.working_directory

text

process.parent.pid

int

file.path

text

source.ip

ip

source.port

int

destination.ip

ip

destination.port

int

registry.path

text

registry.value

text

hash.imphash

text

hash.md5

text

destination.domain

text

destination.ip

ip

destination.port

int

error.message

text

network.direction

text

network.protocol

text

network.transport

text

network.type

text

source.address

ip

source.domain

rext

source.ip

ip

source.port

int

rule.name

text

process.pe.imphash

text

process.command_line

text

process.parent.command_line

text

process.pe.original_file_name

text

process.pe.company

text

process.pe.description

text

process.pe.file_version

text

process.pe.product

text

file.hash

text

file.pe.imphash

text

file.name

text

file.code_signature.subject_name

text

file.pe.original_file_name

text

file.pe.company

text

file.pe.description

text

file.pe.file_version

text

file.pe.product

text

file.code_signature.signed

text

dns.question.name

text

network.type

text

sysmon.dns.status

text

sysmon.file.archived

text

sysmon.file.is_executable

text

powershell.engine.new_state

text

powershell.engine.previous_state

text

powershell.provider.new_state

text

powershell.provider.name

text

powershell.sequence

text

powershell.engine.version

text

powershell.process.executable_version

text

powershell.command.value

text

powershell.command.path

text

powershell.command.name

text

source.user.name

text

source.user.domain

text

powershell.file.script_block_text

text

powershell.file.script_block_id

text

rule.uuid

text

rule.id

text

error.code

text

winlog.accesslist

winlog.accessmask

winlog.accesses

source.user.id

winlog.action

winlog.address

winlog.allowedtodelegateto

winlog.appid

winlog.appname

winlog.application

winlog.applicationpath

winlog.attributeldapdisplayname

winlog.attributevalue

winlog.auditpolicychanges

winlog.auditsourcename

package.name (remove)

winlog.binary

winlog.calltrace

winlog.caption

winlog.certthumbprint

winlog.classname

winlog.clientprocessid

winlog.contents

winlog.contextinfo

winlog.failurecode

winlog.feature_name

winlog.filenamebuffer

winlog.grantedaccess

winlog.impersonationlevel

winlog.integritylevel

winlog.keylength

winlog.keywords

winlog.layerrtid

winlog.level

winlog.localname

winlog.logontype

winlog.message

winlog.modifyingapplication

winlog.name

winlog.newname

winlog.newtargetusername

winlog.newtemplatecontent

winlog.newuacvalue

winlog.newvalue

winlog.objectclass

winlog.objectname

winlog.objectserver

winlog.objecttype

winlog.objectvaluename

winlog.olduacvalue

winlog.oldvalue

winlog.origin

winlog.originalfilename

winlog.packagefullname

winlog.packagepath

winlog.parentcommandline

winlog.parentimage

winlog.parentprocessid

winlog.parentuser

winlog.path

winlog.pipename

winlog.possiblecause

winlog.previouscreationutctime

winlog.privilegelist

winlog.processid

winlog.processname

winlog.processnamebuffer

winlog.processpath

winlog.product

winlog.properties

winlog.protocol

winlog.provider

winlog.providername

winlog.provider_name

winlog.qname

winlog.query

winlog.queryname

winlog.reason

winlog.relativetargetname

winlog.remotename

winlog.requestedpolicy

winlog.samaccountname

winlog.searchfilter

winlog.servername

winlog.service

winlog.servicefilename

winlog.servicename

winlog.serviceprincipalnames

winlog.servicestarttype

winlog.servicetype

winlog.sharename

winlog.sidhistory

winlog.sidlist

winlog.signature

winlog.signaturestatus

winlog.signed

winlog.sourceaddress

winlog.sourcecommandline

winlog.sourcefilename

winlog.sourcehostname

winlog.sourceimage

winlog.sourceip

winlog.sourcename

winlog.sourceparentimage

winlog.sourceport

winlog.startaddress

winlog.startfunction

winlog.startmodule

winlog.state

winlog.status

winlog.subcategoryguid

winlog.subjectdomainname

winlog.subjectlogonid

winlog.subjectusername

winlog.subjectusersid

winlog.targetfilename

winlog.targetimage

user.id

destination.user.name

winlog.targetparentimage

winlog.targetparentprocessid

winlog.targetservername

winlog.targetsid

winlog.targetusername

winlog.targetusersid

winlog.taskcontent

winlog.taskcontentnew

winlog.taskname

winlog.templatecontent

winlog.ticketencryptiontype

winlog.ticketoptions

winlog.type

winlog.user

winlog.username

winlog.value

winlog.workstation

winlog.workstationname

winlog.param1

winlog.param2

winlog.param3

winlog.payload

winlog.process

related.user

array

related.hash

array

related.ip

array

related.hosts

array

agent.type

text

log.type

text

observer.type

text

threatintel.days

int

threatintel.event_data

text

threatintel.malware.malware

text

threatintel.malware.timestamp

date/time

threatintel.tags

text

threatintel.white_list

text

threatintel.severity

text

message

asset.category

array

asset.rank

int

asset.type

array

destination.address

ip

destination.user.group.id

text

destination.user.group.name

text

destination.user_name

text

dns.answers

array

dns.response_code

text

event.channel

text

event.code

int

event.provider

text

group.domain

text

group.id

text

group.name

text

host.ip

ip

observer.product

text

observer.vendor

text

registry.hive

text

registry.key

text

service.name

text

service.state

text

service.type

text

user.target.domain

text

user.type

text

event.outcome

text

new fields to add

network.direction

winlog.exceptioncode

winlog.logonprocessname

winlog.authenticationpackagename

winlog.devicedescription

winlog.devicename

winlog.errorcode

winlog.source_name

winlog.hivename

winlog.imagename

winlog.new_value

winlog.old_value

winlog.objectname

package.path

winlog.filterorigin

winlog.scriptblocktext

winlog.description

winlog.targetname

winlog.targetoutboundusername

winlog.targetlogonid

source.domain

winlog.subjectname