Data Source: Windows Event Log Defender 1133

Date: 2025-02-21
ID: 63c97a9a-cc7f-46c5-b219-8be388666637
Author: Bhavin Patel, Splunk
Description

Data source object for Windows Event Log Defender 1133
Details

Property	Value
Source	`XmlWinEventLog:Security`
Sourcetype	`xmlwineventlog`
Separator	EventCode
Supported Apps

Splunk Add-on for Microsoft Windows (version 9.0.1)
Event Fields

+ Fields
  <span class="pill kill-chain">ActivityID</span>
  
  <span class="pill kill-chain">CategoryString</span>
  
  <span class="pill kill-chain">Channel</span>
  
  <span class="pill kill-chain">Computer</span>
  
  <span class="pill kill-chain">Detection_Time</span>
  
  <span class="pill kill-chain">Engine_Version</span>
  
  <span class="pill kill-chain">EventCode</span>
  
  <span class="pill kill-chain">EventData_Xml</span>
  
  <span class="pill kill-chain">EventID</span>
  
  <span class="pill kill-chain">EventRecordID</span>
  
  <span class="pill kill-chain">Guid</span>
  
  <span class="pill kill-chain">ID</span>
  
  <span class="pill kill-chain">Image_File_Name</span>
  
  <span class="pill kill-chain">Inhertiance_Flags</span>
  
  <span class="pill kill-chain">Involved_File</span>
  
  <span class="pill kill-chain">Keywords</span>
  
  <span class="pill kill-chain">Level</span>
  
  <span class="pill kill-chain">Message</span>
  
  <span class="pill kill-chain">Name</span>
  
  <span class="pill kill-chain">Opcode</span>
  
  <span class="pill kill-chain">Parent_Commandline</span>
  
  <span class="pill kill-chain">Path</span>
  
  <span class="pill kill-chain">ProcessID</span>
  
  <span class="pill kill-chain">Process_Name</span>
  
  <span class="pill kill-chain">Product_Name</span>
  
  <span class="pill kill-chain">Product_Version</span>
  
  <span class="pill kill-chain">RecordNumber</span>
  
  <span class="pill kill-chain">RenderingInfo_Xml</span>
  
  <span class="pill kill-chain">RuleType</span>
  
  <span class="pill kill-chain">Security_intelligence_Version</span>
  
  <span class="pill kill-chain">SourceName</span>
  
  <span class="pill kill-chain">SubStatus</span>
  
  <span class="pill kill-chain">SystemTime</span>
  
  <span class="pill kill-chain">System_Props_Xml</span>
  
  <span class="pill kill-chain">Target_Commandline</span>
  
  <span class="pill kill-chain">Task</span>
  
  <span class="pill kill-chain">TaskCategory</span>
  
  <span class="pill kill-chain">ThreadID</span>
  
  <span class="pill kill-chain">Unused</span>
  
  <span class="pill kill-chain">User</span>
  
  <span class="pill kill-chain">UserID</span>
  
  <span class="pill kill-chain">Version</span>
  
  <span class="pill kill-chain">action</span>
  
  <span class="pill kill-chain">category</span>
  
  <span class="pill kill-chain">dvc</span>
  
  <span class="pill kill-chain">dvc_nt_host</span>
  
  <span class="pill kill-chain">event_id</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">id</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">name</span>
  
  <span class="pill kill-chain">parent_process</span>
  
  <span class="pill kill-chain">process_name</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">result</span>
  
  <span class="pill kill-chain">service</span>
  
  <span class="pill kill-chain">service_id</span>
  
  <span class="pill kill-chain">service_name</span>
  
  <span class="pill kill-chain">severity</span>
  
  <span class="pill kill-chain">severity_id</span>
  
  <span class="pill kill-chain">signature</span>
  
  <span class="pill kill-chain">signature_id</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">splunk_server_group</span>
  
  <span class="pill kill-chain">subject</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">tag::action</span>
  
  <span class="pill kill-chain">tag::eventtype</span>
  
  <span class="pill kill-chain">timestamp</span>
  
  <span class="pill kill-chain">user_group_id</span>
  
  <span class="pill kill-chain">user_id</span>
  
  <span class="pill kill-chain">vendor_product</span>
  
  <span class="pill kill-chain">_bkt</span>
  
  <span class="pill kill-chain">_cd</span>
  
  <span class="pill kill-chain">_eventtype_color</span>
  
  <span class="pill kill-chain">_indextime</span>
  
  <span class="pill kill-chain">_pre_msg</span>
  
  <span class="pill kill-chain">_raw</span>
  
  <span class="pill kill-chain">_serial</span>
  
  <span class="pill kill-chain">_si</span>
  
  <span class="pill kill-chain">_sourcetype</span>
  
  <span class="pill kill-chain">_time</span>
  
</div>
Source: GitHub | Version: 1