Common Information Model and Field Mapping Changes for the Splunk Add-on for Microsoft Windows¶
Version 9.0.0 of the Splunk Add-on for Microsoft Windows introduced Common Information Model (CIM) and field mapping changes to its sourcetypes. The following sections list what changed in each version.
CIM Model Comparison for Versions 8.9.0 and 9.0.0¶
Source | EventCode | Previous CIM Model | New CIM Model |
---|---|---|---|
WinEventLog:Security | 4706, 4713, 4876 | Change.All_Changes | |
WinEventLog:Security | 4744, 4749, 4750, 4759 | Change.Account_Management | Change.All_Changes |
XmlWinEventLog:Security | 4706, 4713, 4876 | Change.All_Changes | |
XmlWinEventLog:Security | 4744, 4749, 4750, 4759 | Change.Account_Management | Change.All_Changes |
Field Changes¶
Source Type | Event Code | Added Fields | Modified Fields | Removed Fields |
---|---|---|---|---|
WinEventLog | 4664, 4768, 5201, 6145, 5040, 1695, 7023, 4945, 5200, 1105, 109, 5025, 1101, 5030, etc. | eventtype | windows_ta_data | |
WinEventLog | 4722, 4733, 4698, 4701, 4801, 4781, 4726, 4738, 4705, 4767, etc. | src_subject_security_id, eventtype | windows_ta_data | |
WinEventLog | 4103 | dest, signature, eventtype | windows_ta_data | |
WinEventLog | 4104 | dest, signature, eventtype | windows_ta_data | |
WinEventLog | 4706, 4713, 4744, 4749, 4750, 4759, 4794, 4876 | src_subject_security_id, eventtype, action | windows_ta_data | |
XmlWinEventLog | 4706, 4713, 4744, 4749, 4750, 4759, 4794, 4876 | src_subject_user_id, eventtype, action | windows_ta_data | |
WinEventLog | 4658, 4611, 5059, 4656, 5137, 5058, 4817, 4912, 4699, 5449, etc. | src_subject_security_id, eventtype | windows_ta_data | |
WinEventLog | 4624 | src_subject_security_id, eventtype | windows_ta_data | |
WinEventLog | 4696, 4702, 4634, 4798, 4740, 4799, etc. | src_subject_security_id, eventtype | windows_ta_data | |
WinEventLog | 4753, 4793, 4717, 4739, 4662, 5142, 5447, 4826, 4627, etc. | src_subject_security_id, eventtype | windows_ta_data | |
WinEventLog | 5136, 4718, 4663, 4907, 4648, 4715, 4647, 4904, 4661, 4741, etc. | src_subject_security_id, eventtype | windows_ta_data | |
WinEventLog | 4672 | src, user_id, src_subject_security_id, src_user, src_user_id, eventtype, src_nt_domain | windows_security_authentication, windows_ta_data | Domain_A, LOCAL |
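The practical impact of the two 9.0.0 tables above falls on detection content: a correlation search that reads 4744/4749/4750/4759 out of Change.Account_Management, that reads 4706/4713/4876 out of Change.All_Changes, or that keys 4672 on the removed Domain_A or LOCAL fields, returns nothing after the upgrade without raising any error. The Python script below is an added example, not code from the add-on or from Splunk, that scans saved-search SPL for exactly those patterns. The change sets are transcribed from the tables, the saved searches are constructed stand-ins, the SPL matching is a simple regex pass rather than a real SPL parser, and a blank "New CIM Model" cell is read as "no longer mapped to the previous model".

```python
"""Audit saved searches against the 9.0.0 CIM and field changes listed above.

Added example; this is not code from the Splunk Add-on for Microsoft
Windows. The change sets are transcribed from the tables on this page,
the saved searches are constructed stand-ins for detection content, and
the SPL handling is a simple regex pass (it does not parse SPL fully).
"""
import re

# From "CIM Model Comparison for Versions 8.9.0 and 9.0.0": (old model, new model).
# A new model of None means the event codes no longer populate the old model.
CIM_MOVES = {
    frozenset({4706, 4713, 4876}): ("Change.All_Changes", None),
    frozenset({4744, 4749, 4750, 4759}): ("Change.Account_Management", "Change.All_Changes"),
}

# From the 9.0.0 "Field Changes" table: fields removed per event code.
REMOVED_FIELDS = {4672: {"Domain_A", "LOCAL"}}

# Event code filters such as EventCode=4672, EventCode IN (4706, 4713) or
# All_Changes.signature_id IN (4744, 4749); signature_id carries the event
# code inside the Change data model.
CODE_RE = re.compile(r"(?:EventCode|signature_id)\s*(?:=|IN)\s*\(?\s*([\d,\s]+)", re.I)
MODEL_RE = re.compile(r"datamodel\s*=\s*\"?([A-Za-z_]+\.[A-Za-z_]+)", re.I)


def event_codes(spl):
    """Return the set of event codes a search filters on."""
    codes = set()
    for match in CODE_RE.finditer(spl):
        codes.update(int(tok) for tok in re.findall(r"\d+", match.group(1)))
    return codes


def audit_search(name, spl):
    """Return a list of human-readable findings for one saved search."""
    findings = []
    codes = event_codes(spl)
    models = set(MODEL_RE.findall(spl))
    for code_set, (old, new) in CIM_MOVES.items():
        hit = codes & code_set
        if hit and old in models:
            if new is None:
                findings.append(f"{name}: EventCode {sorted(hit)} no longer populate {old}")
            else:
                findings.append(f"{name}: EventCode {sorted(hit)} moved from {old} to {new}")
    for code, removed in REMOVED_FIELDS.items():
        if code in codes:
            used = sorted(f for f in removed if re.search(rf"\b{re.escape(f)}\b", spl))
            if used:
                findings.append(f"{name}: EventCode {code} no longer carries {used}")
    return findings


# Constructed saved searches; names and SPL are illustrative, not real content.
SAMPLE_SEARCHES = {
    "computer_account_changes": (
        "| tstats count from datamodel=Change.Account_Management "
        "where All_Changes.signature_id IN (4744, 4749, 4750, 4759) "
        "by All_Changes.user, All_Changes.dest"
    ),
    "domain_trust_created": (
        "| tstats count from datamodel=Change.All_Changes "
        "where All_Changes.signature_id=4706 by All_Changes.dest"
    ),
    "privileged_local_logon": (
        "index=wineventlog sourcetype=XmlWinEventLog:Security EventCode=4672 "
        "LOCAL=* | stats count by Domain_A, host"
    ),
    "interactive_logons": (
        "index=wineventlog sourcetype=XmlWinEventLog:Security EventCode=4624 "
        "Logon_Type=2 | stats count by src_user, dest"
    ),
}


def audit_all(searches=SAMPLE_SEARCHES):
    """Audit every search; returns {name: [findings]} for searches with findings."""
    report = {}
    for name, spl in searches.items():
        findings = audit_search(name, spl)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_all().items():
        for line in findings:
            print(line)
```

To run this against a real deployment, feed it the `title` and `search` fields of `| rest /servicesNS/-/-/saved/searches` instead of SAMPLE_SEARCHES. The regexes only recognise the common `EventCode=`, `EventCode IN (...)` and `datamodel=` forms; searches that build the event code list from a lookup or a macro need to be expanded first.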
CIM Model Comparison for Versions 8.8.0 and 8.9.0¶
Version 8.8.0 of the Splunk Add-on for Microsoft Windows introduced Common Information Model (CIM) and field mapping changes to its WinEventLog:Security and XmlWinEventLog:Security sources. The following tables list what changed.
Sourcetype | EventCode | Previous CIM model | New CIM model |
---|---|---|---|
WinEventLog/XmlWinEventLog | 4798 | Event_Signatures.Signatures | Change.Account_Management, Event_Signatures.Signatures |
XmlWinEventLog | 17, 18, 19 | Event_Signatures.Signatures | Updates.Updates, Event_Signatures.Signatures |
Field Changes¶
Source/Sourcetype | EventCode | Fields Added | Fields Removed |
---|---|---|---|
WinEventLog | 5156, 5157 | src_ip, protocol, protocol_version, dest_ip, direction, src, rule | NA |
WinEventLog | 4798 | result, signature, User_Security_ID, object_category, user_name, change_type, User_Account_Name, object, command, object_id, src_user_name, name, object_attrs, subject, src, User_Account_Domain | NA |
WinEventLog | 19 | file_name | NA |
WinEventLog | 4624, 4658, 4703, 4648, 4663, 4656, 4689, 4657, 4673, 4661, 4660, 4907, 4985, 4696, 6417, 4670, 4674, 4904, 4799 | command | NA |
WinEventLog | 5152 | direction | NA |
WinEventLog | 6272, 6273 | User_Account_Name, User_Account_Domain, User_Security_ID | NA |
WinEventLog | 4625 | Signature_mesage, package_title, package | NA |
XmlWinEventLog / WinEventLog | 17, 18, 19 | Error_Code, category, result, ta_windows_action, ta_windows_security_CategoryString, vendor_product | NA |
XmlWinEventLog | 5156, 5157 | protocol_version, severity, process_id, rule, dest_ip, src_ip, severity_id, src_port, protocol, user, direction, src | NA |
XmlWinEventLog | 1100, 1101, 1102, 1104, 1105, 1108, 4608, 4610, 4611, 4614, 4622, 4624, 4625, 4627, 4634, 4647, 4648, 4653, 4656, 4657, 4658, 4660, 4661, 4662, 4663, 4664, 4670, 4672, 4673, 4674, 4688, 4689, 4690, 4696, 4697, 4698, 4699, 4700, 4701, 4702, 4703, 4704, 4705, 4713, 4715, 4717, 4718, 4719, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4738, 4740, 4741, 4742, 4743, 4750, 4753, 4754, 4755, 4756, 4757, 4758, 4764, 4767, 4768, 4769, 4770, 4771, 4776, 4778, 4779, 4781, 4793, 4797, 4800, 4801, 4817, 4826, 4902, 4904, 4906, 4907, 4912, 4931, 4932, 4933, 4944, 4945, 4946, 4947, 4948, 4950, 4953, 4954, 4956, 4957, 4963, 5024, 5025, 5031, 5033, 5034, 5040, 5041, 5043, 5044, 5045, 5058, 5059, 5061, 5136, 5137, 5140, 5141, 5142, 5145, 5152, 5154, 5158, 5379, 5441, 5442, 5444, 5446, 5447, 5448, 5449, 5450, 5478, 6144, 6145, 6272, 6416, 6417 | severity, severity_id | NA |
XmlWinEventLog | 4799 | severity, severity_id, command | NA |
CIM Model and Field Mapping Changes for MSAD:NT6:DNS¶
See the following comparison tables for CIM model and field mapping changes for the MSAD:NT6:DNS sourcetype.
CIM Model Comparison for Versions 8.6.0 and 8.7.0¶
Sourcetype | Previous CIM model | New CIM model |
---|---|---|
MSAD:NT6:DNS | Network Resolution (DNS) |
Field Changes¶
Sourcetype - MSAD:NT6:DNS Field Mapping Changes¶
Sourcetype | Fields Added | Fields Removed | Fields Modified |
---|---|---|---|
MSAD:NT6:DNS | additional_answer_count, answer, answer_count, authority_answer_count, dest, message_type, name, query_count, query_type, record_type, reply_code_id, src, src_port, vendor_product, src_user, src_user_name, object_id, object | query, reply_code | |
Version 8.1.2 of the Splunk Add-on for Microsoft Windows introduced Common Information Model (CIM) and field mapping changes to its sourcetypes. The following sections list what changed.
CIM Model and Field Mapping Changes for WinEventLog:Security¶
See the following comparison tables for CIM model and field mapping changes for the WinEventLog:Security sourcetype.
Field Mapping Comparison for Versions 8.7.0 and 8.8.0¶
Sourcetype | EventCode | Fields Added | Fields Removed |
---|---|---|---|
WinEventLog | 4798 | change_type, command, object, object_attrs, object_category, object_id, result, src | |
CIM Model Comparison for Versions 4.8.4 and 8.1.2¶
Sourcetype | EventCode | Previous CIM model | New CIM model |
---|---|---|---|
WinEventLog:Security | 4801, 4774, 4775 | Authentication, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem | |
WinEventLog:Security | 1102, 1100 | Event_Signatures.Signatures, Endpoint.Processes, Endpoint.Filesystem, Endpoint.Services | |
WinEventLog:Security | 4768, 4769, 4624, 4625, 4648, 4771, 4777, 4776, 4672, 4957, 5025, 4627, 4622, 4713, 5157, 4932, 5155, 5154, 5152, 4933, 4907, 4906, 4904, 4902, 4634, 4985, 5444, 4701, 4700, 4703, 4702, 4705, 4704, 4931, 5449, 5446, 5478, 6417, 6416, 5448, 5137, 5136, 5030, 5031, 5033, 5034, 5035, 4946, 4889, 4608, 1104, 4800, 4688, 4689, 4963, 4662, 4663, 4660, 4661, 4664, 5058, 5059, 4616, 4614, 4611, 4610, 4697, 4696, 4817, 4690, 4950, 4698, 4826, 4954, 5156, 4670, 4673, 4674, 5041, 5040, 5043, 5045, 5044, 4947, 4699, 4945, 4944, 4948, 4647, 6145, 6144, 4770, 4778, 4779, 5447, 4956, 5441, 4953, 5442, 6273, 6272, 4653, 4799, 4656, 4793, 4658, 5061, 5024, 5450, 5140, 5142, 5145 | Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem | |
WinEventLog:Security | 4717, 4718 | Endpoint.Services, Change.Endpoint_Changes, Endpoint.Filesystem, Change.Account_Management, Endpoint.Processes, Event_Signatures.Signatures | |
WinEventLog:Security | 5461 | Change.Endpoint_Changes, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem | |
WinEventLog:Security | 4912, 4715, 4719, 1101, 1105, 1108 | Endpoint.Services, Change.Auditing_Changes, Change.Endpoint_Changes, Endpoint.Filesystem, Endpoint.Processes, Event_Signatures.Signatures | |
WinEventLog:Security | 5158 | Endpoint.Ports, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem | |
WinEventLog:Security | 4657 | Endpoint.Registry, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem | |
WinEventLog:Security | 4767, 4781, 4764, 4734, 4735, 4737, 4730, 4731, 4732, 4733, 4738, 4739, 4742, 4758, 4756, 4754, 4755, 4753, 4750, 4798, 4757, 4797, 5379, 4741, 4740, 4729, 4728, 4743, 4720, 4727, 4726, 4725, 4724 | Change.Endpoint_Changes, Event_Signatures.Signatures, Endpoint.Processes, Endpoint.Filesystem, Endpoint.Services | |
Field mapping comparison for versions 4.8.4 and 8.1.2¶
Sourcetype | EventCode | Fields added | Fields removed |
---|---|---|---|
wineventlog* | 5024, 5025, 5033, 5034, 5478 | Error_Code, category, service, service_name, ta_windows_action, vendor_product | src |
wineventlog* | 5156, 5157 | Error_Code, category, dest_port, process_id, ta_windows_action, transport, vendor_product | src |
wineventlog* | 4720, 4725, 4726, 4738, 4767 | Error_Code, category, result, ta_windows_action, ta_windows_security_CategoryString, vendor_product | src |
wineventlog* | 4625 | Error_Code, category, process_id, ta_windows_action, ta_windows_status, vendor_product | src |
wineventlog* | 4658, 4660, 4689, 4798, 4904, 4985, 6417 | Error_Code, category, process, process_name, ta_windows_action, vendor_product | src |
wineventlog* | 5154, 5155, 5158 | Error_Code, category, process_id, ta_windows_action, transport, vendor_product | src |
wineventlog* | 4907 | Error_Code, category, file_name, file_path, object_file_name, object_file_path, process, process_id, process_name, ta_windows_action, vendor_product | src |
wineventlog* | 5152 | Error_Code, category, dest_port, process_id, ta_windows_action, vendor_product | src |
wineventlog* | 1100, 1102, 4945, 4946, 4947, 4948 | Error_Code, category, object_attrs, ta_windows_action, vendor_product | src |
wineventlog* | 5461 | category, change_type, object_attrs, object_category, result, ta_windows_action, vendor_product | src |
wineventlog* | 4769, 4770 | Error_Code, category, service, service_id, service_name, ta_windows_action, vendor_product | src |
wineventlog* | 4664, 5058, 5140, 5142, 5145 | Error_Code, category, file_name, file_path, ta_windows_action, vendor_product | src |
wineventlog* | 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4739, 4750, 4753, 4754, 4755, 4757, 4758, 4764, 4781 | Error_Code, category, change_type, object_attrs, object_category, result, ta_windows_action, ta_windows_security_CategoryString, vendor_product | src |
wineventlog* | 4688 | Error_Code, Token_Elevation_Type_id, category, new_process_name, parent_process_id, parent_process_name, parent_process_path, process, process_exec, process_name, process_path, ta_windows_action, vendor_product | src |
wineventlog* | 1101, 1108, 4719 | Error_Code, category, change_type, object_attrs, object_category, ta_windows_action, vendor_product | src |
wineventlog* | 4717, 4718 | Error_Code, category, change_type, object_attrs, object_category, result, ta_windows_action, vendor_product | src |
wineventlog* | 4670 | Error_Code, category, process, process_name, registry_path, ta_windows_action, vendor_product | src |
wineventlog* | 4776, 4777 | category, ta_windows_action, vendor_product | |
wineventlog* | 4799 | Error_Code, category, object_attrs, process, process_name, ta_windows_action, vendor_product | src |
wineventlog* | 4741, 4742, 4743 | Error_Code, category, object_attrs, result, ta_windows_action, ta_windows_security_CategoryString, vendor_product | src |
wineventlog* | 4624, 4648, 4674, 4696, 4703 | Error_Code, category, process, process_id, process_name, ta_windows_action, vendor_product | src |
wineventlog* | 4756 | Error_Code, Group_Domain, Group_Name, category, change_type, object_attrs, object_category, result, ta_windows_action, ta_windows_security_CategoryString, user_group, vendor_product | src |
wineventlog* | 4768 | Error_Code, category, service, service_id, service_name, ta_windows_action, user_id, vendor_product | |
wineventlog* | 1104, 1105, 4608, 4610, 4611, 4614, 4622, 4627, 4634, 4647, 4653, 4672, 4690, 4698, 4699, 4700, 4701, 4702, 4704, 4705, 4713, 4715, 4774, 4775, 4797, 4800, 4801, 4826, 4889, 4902, 4906, 4912, 4931, 4932, 4933, 4944, 4950, 4953, 4954, 4956, 4957, 4963, 5031, 5040, 5041, 5043, 5044, 5045, 5059, 5061, 5136, 5137, 5379, 5441, 5442, 5444, 6144, 6272, 6273, 6416 | Error_Code, category, ta_windows_action, vendor_product | src |
wineventlog* | 4697 | Error_Code, category, service, service_name, start_mode, ta_windows_action, vendor_product | src |
wineventlog* | 4673 | Error_Code, category, process, process_name, service, service_name, ta_windows_action, vendor_product | src |
wineventlog* | 4657 | Error_Code, category, object_file_name, object_file_path, process, process_id, process_name, registry_path, registry_value_name, registry_value_type, ta_windows_action, vendor_product | src |
wineventlog* | 5030, 5035 | category, service, service_name, ta_windows_action, vendor_product | src |
wineventlog* | 4771 | Error_Code, category, service, service_name, ta_windows_action, vendor_product | |
wineventlog* | 4616, 5446, 5447, 5448, 5449, 5450 | Error_Code, category, process_id, ta_windows_action, vendor_product | src |
wineventlog* | 4724 | Error_Code, category, object_attrs, ta_windows_action, ta_windows_security_CategoryString, vendor_product | src |
wineventlog* | 6145 | category, ta_windows_action, vendor_product | src |
wineventlog* | 4740, 4793 | Error_Code, category, ta_windows_action, ta_windows_security_CategoryString, vendor_product | src |
wineventlog* | 4656, 4661, 4663 | Error_Code, category, object_file_name, object_file_path, process, process_id, process_name, ta_windows_action, vendor_product | src |
wineventlog* | 4778, 4779 | Error_Code, category, ta_windows_action, vendor_product | |
wineventlog* | 4662, 4817 | Error_Code, category, object_file_name, object_file_path, ta_windows_action, vendor_product | src |
CIM model comparison for versions 7.0.0 and 8.1.2¶
Source | EventCode | Previous CIM model | New CIM model |
---|---|---|---|
WinEventLog:Security | 4801 | Authentication, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem | |
WinEventLog:Security | 1102, 1100 | Event_Signatures.Signatures, Endpoint.Processes, Endpoint.Filesystem, Endpoint.Services | |
WinEventLog:Security | 4912, 4739, 4743, 4781, 4764, 4734, 4735, 4737, 4730, 4731, 4732, 4715, 4718, 4719, 4738, 4742, 4758, 4756, 4757, 4754, 4755, 4753, 4750, 4798, 4767, 4797, 4717, 5379, 4741, 4733, 4740, 4729, 4728, 1105, 4720, 4727, 4726, 4725, 4724 | Change.Endpoint_Changes, Event_Signatures.Signatures, Endpoint.Processes, Endpoint.Filesystem, Endpoint.Services | |
WinEventLog:Security | 5461 | Change.Endpoint_Changes, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem | |
WinEventLog:Security | 4769, 4624, 4625, 4648, 4771, 4774, 4775, 4777, 4776, 4768, 4672, 4957, 5025, 4627, 4622, 4713, 5157, 4932, 5155, 5154, 5152, 4933, 4907, 4906, 4904, 4902, 4634, 4985, 5444, 4701, 4700, 4703, 4702, 4705, 4704, 4931, 5449, 5446, 5478, 6417, 6416, 5448, 5137, 5136, 5030, 5031, 5033, 5034, 5035, 4946, 4889, 4608, 1104, 4800, 4688, 4689, 4963, 4662, 4663, 4660, 4661, 4664, 5058, 5059, 4616, 4614, 4611, 4610, 4697, 4696, 4817, 4690, 4950, 4698, 4826, 4954, 5156, 4670, 4673, 4674, 5041, 5040, 5043, 5045, 5044, 4947, 4699, 4945, 4944, 4948, 4647, 6145, 6144, 4770, 4778, 4779, 5447, 4956, 5441, 4953, 5442, 6273, 6272, 4653, 4799, 4656, 4793, 4658, 5061, 5024, 5450, 5140, 5142, 5145 | Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem | |
WinEventLog:Security | 1101, 1108 | Endpoint.Services, Change.Auditing_Changes, Change.Endpoint_Changes, Endpoint.Filesystem, Endpoint.Processes, Event_Signatures.Signatures | |
WinEventLog:Security | 5158 | Endpoint.Ports, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem | |
WinEventLog:Security | 4657 | Endpoint.Registry, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem | |
Field mapping comparison for versions 7.0.0 and 8.1.2¶
Sourcetype | EventCode | Fields added | Fields removed |
---|---|---|---|
wineventlog | 1101, 1108, 4719 | change_type, object_attrs, object_category, vendor_product | |
wineventlog | 4768 | service, service_id, service_name, user_id, vendor_product | |
wineventlog | 4741, 4742, 4743 | object_attrs, result, vendor_product | |
wineventlog | 4717, 4718, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4739, 4750, 4753, 4754, 4755, 4756, 4757, 4758, 4764, 4781, 5461 | change_type, object_attrs, object_category, result, vendor_product | |
wineventlog | 4697 | service, service_name, start_mode, vendor_product | |
wineventlog | 4657 | object_file_name, object_file_path, process, process_name, registry_path, registry_value_name, registry_value_type, vendor_product | |
wineventlog | 4656, 4661, 4663 | object_file_name, object_file_path, process, process_name, vendor_product | |
wineventlog | 4662, 4817 | object_file_name, object_file_path, vendor_product | |
wineventlog | 4673 | process, process_name, service, service_name, vendor_product | |
wineventlog | 4670 | process, process_name, registry_path, vendor_product | |
wineventlog | 4720, 4725, 4726, 4738, 4767 | result, vendor_product | |
wineventlog | 4664, 5058, 5140, 5142, 5145 | file_name, file_path, vendor_product | |
wineventlog | 4771, 5024, 5025, 5030, 5033, 5034, 5035, 5478 | service, service_name, vendor_product | |
wineventlog | 4799 | object_attrs, process, process_name, vendor_product | |
wineventlog | 4907 | file_name, file_path, object_file_name, object_file_path, process, process_name, vendor_product | |
wineventlog | 5154, 5155, 5156, 5157, 5158 | transport, vendor_product | |
wineventlog | 4624, 4648, 4658, 4660, 4674, 4689, 4696, 4703, 4798, 4904, 4985, 6417 | process, process_name, vendor_product | |
wineventlog | 1100, 1102, 4724 | object_attrs, vendor_product | |
wineventlog | 4688 | Token_Elevation_Type_id, new_process_name, parent_process_id, parent_process_name, parent_process_path, process, process_exec, process_name, process_path, vendor_product | |
wineventlog | 4769, 4770 | service, service_id, service_name, vendor_product | |
wineventlog* | 1104, 1105, 4608, 4610, 4611, 4614, 4616, 4622, 4625, 4627, 4634, 4647, 4653, 4672, 4690, 4698, 4699, 4700, 4701, 4702, 4704, 4705, 4713, 4715, 4740, 4774, 4775, 4776, 4777, 4778, 4779, 4793, 4797, 4800, 4801, 4826, 4889, 4902, 4906, 4912, 4931, 4932, 4933, 4944, 4945, 4946, 4947, 4948, 4950, 4953, 4954, 4956, 4957, 4963, 5031, 5040, 5041, 5043, 5044, 5045, 5059, 5061, 5136, 5137, 5152, 5379, 5441, 5442, 5444, 5446, 5447, 5448, 5449, 5450, 6144, 6145, 6272, 6273, 6416 | vendor_product | |
CIM model and Field Mapping Changes for XmlWinEventLog:Security¶
See the following comparison tables for CIM model and field mapping changes for the XmlWinEventLog:Security sourcetype.
Field mapping comparison for versions 8.7.0 and 8.8.0¶
Sourcetype | EventCode | Fields added | Fields removed |
---|---|---|---|
WinEventLog | 4798 | change_type, command, object, object_attrs, object_category, object_id, result, src, user_name, src_user_name | |
CIM model comparison for versions 4.8.4 and 8.1.2¶
Sourcetype | EventCode | Previous CIM model | New CIM model |
---|---|---|---|
XmlWinEventLog:Security | 4672, 4957, 4624, 4625, 4648, 4769, 4768, 4771, 4776, 4932, 4933, 4931, 4948, 4670, 4673, 4674, 4800, 4778, 4779, 4770, 5450, 4985, 4902, 4907, 4906, 4904, 4662, 4663, 4660, 4661, 4664, 4705, 4704, 4701, 4700, 4703, 4702, 5152, 5156, 5154, 5025, 5024, 5145, 5140, 5141, 5142, 5441, 4713, 4797, 4793, 4658, 4656, 4653, 4798, 4799, 5031, 5033, 5034, 6145, 6144, 5137, 5136, 5157, 5442, 5444, 5447, 5448, 4647, 5449, 4634, 4963, 5045, 5044, 5379, 5041, 5040, 5043, 6416, 1104, 4627, 4622, 5058, 5059, 6272, 6417, 4947, 4944, 4611, 4610, 4616, 4614, 5061, 4690, 4697, 4696, 4699, 4698, 4688, 4689, 4946, 4945, 5446, 4950, 4953, 4954, 4826, 4956, 4608, 4817, 5478 | Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem | |
XmlWinEventLog:Security | 4719, 4715, 1108, 1105, 1101, 4912 | Endpoint.Services, Change.Auditing_Changes, Change.Endpoint_Changes, Endpoint.Filesystem, Endpoint.Processes, Event_Signatures.Signatures | |
XmlWinEventLog:Security | 4781, 4718, 4717, 4729, 4728, 4723, 4722, 4720, 4727, 4726, 4725, 4724, 4734, 4735, 4737, 4730, 4731, 4732, 4733, 4738, 4739, 4741, 4740, 4743, 4742, 4753, 4750, 4756, 4757, 4754, 4755, 4767, 4764, 4758 | Endpoint.Services, Change.Endpoint_Changes, Endpoint.Filesystem, Change.Account_Management, Endpoint.Processes, Event_Signatures.Signatures | |
XmlWinEventLog:Security | 1100, 1102 | Event_Signatures.Signatures, Endpoint.Processes, Endpoint.Filesystem, Endpoint.Services | |
XmlWinEventLog:Security | 4657 | Endpoint.Registry, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem | |
XmlWinEventLog:Security | 5158 | Endpoint.Ports, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem | |
XmlWinEventLog:Security | 4801 | Authentication, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem | |
Field Mapping Comparison for versions 4.8.4 and 8.1.2¶
Sourcetype | EventCode | Fields added | Fields removed |
---|---|---|---|
XmlWinEventLog* | 4720, 4722, 4725, 4726, 4738, 4740, 4767 | CategoryString, Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, result, signature, signature_id, subject, ta_windows_action, ta_windows_security_CategoryString, user_group, vendor_product | |
XmlWinEventLog* | 4648 | Error_Code, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process, process_id, process_name, process_path, signature, signature_id, src_ip, subject, ta_windows_action, user_group, vendor_product | |
XmlWinEventLog* | 1108 | Error_Code, action, app, change_type, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, object_category, signature, signature_id, status, subject, ta_windows_action, vendor_product | |
XmlWinEventLog* | 4742, 4743 | CategoryString, Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, process_id, result, signature, signature_id, subject, ta_windows_action, ta_windows_security_CategoryString, user_group, vendor_product | |
XmlWinEventLog* | 4657 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_file_name, object_file_path, parent_process_id, process, process_id, process_name, process_path, registry_path, registry_value_name, registry_value_type, signature, signature_id, subject, ta_windows_action, vendor_product | |
XmlWinEventLog* | 5154 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process_id, signature, signature_id, subject, ta_windows_action, transport, vendor_product | |
XmlWinEventLog* | 4723, 4724 | CategoryString, Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, process_id, signature, signature_id, subject, ta_windows_action, ta_windows_security_CategoryString, user_group, vendor_product | |
XmlWinEventLog* | 5140 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, file_name, id, name, process_id, signature, signature_id, src_ip, subject, ta_windows_action, vendor_product | |
XmlWinEventLog* | 5152 | Error_Code, app, dest, dest_port, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process_id, signature, signature_id, subject, ta_windows_action, vendor_product | |
XmlWinEventLog* | 1102 | Caller_User_Name, Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, process_id, signature, signature_id, src_user, status, subject, ta_windows_action, vendor_product | |
XmlWinEventLog* | 4719 | Error_Code, app, change_type, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, object_category, process_id, signature, signature_id, subject, ta_windows_action, vendor_product | |
XmlWinEventLog* | 4662, 4817 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_file_name, object_file_path, process_id, signature, signature_id, subject, ta_windows_action, vendor_product | |
XmlWinEventLog* | 4945, 4946, 4947, 4948, 4953, 4957 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, process_id, signature, signature_id, subject, ta_windows_action, vendor_product | |
XmlWinEventLog* | 5034 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, service, service_name, signature, signature_id, subject, ta_windows_action, vendor_product | |
XmlWinEventLog* | 4739 | CategoryString, Error_Code, app, change_type, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, object_category, process_id, result, severity, signature, signature_id, subject, ta_windows_action, ta_windows_security_CategoryString, vendor_product | |
XmlWinEventLog* | 4624 | Error_Code, dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process, process_id, process_name, process_path, signature, signature_id, src_ip, subject, ta_windows_action, user_group, vendor_product | |
XmlWinEventLog* | 4728, 4729, 4730, 4732, 4733, 4734, 4753, 4756, 4757, 4758, 4764 | CategoryString, Error_Code, Group_Domain, Group_Name, app, change_type, dest, dvc, dvc_nt_host, event_id, id, name, object_category, process_id, result, signature, signature_id, subject, ta_windows_action, ta_windows_security_CategoryString, user_group, vendor_product | |
XmlWinEventLog* | 4768, 4769 | app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, service, service_id, service_name, signature, signature_id, subject, ta_windows_action, ta_windows_status, user_group, vendor_product | |
XmlWinEventLog* | 1100 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, process_id, signature, signature_id, status, subject, ta_windows_action, vendor_product | |
XmlWinEventLog* | 4797, 4798 | Error_Code, action, app, dest, dvc, dvc_nt_host, event_id, id, process_id, signature_id, status, ta_windows_action, user_group, vendor_product | |
XmlWinEventLog* | 4696 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process_id, signature, signature_id, subject, ta_windows_action, user_group, vendor_product | dest_nt_domain |
XmlWinEventLog* | 4634 | Error_Code, dest, dvc, dvc_nt_host, event_id, id, name, process_id, signature, signature_id, subject, ta_windows_action, user_group, vendor_product | |
XmlWinEventLog* | 4688 | Error_Code, Process_Command_Line, Token_Elevation_Type_id, app, dest, dvc, dvc_nt_host, event_id, id, name, new_process, new_process_id, new_process_name, parent_process, parent_process_id, parent_process_name, parent_process_path, process, process_command_line_arguments, process_command_line_process, process_exec, process_id, process_name, process_path, signature, signature_id, subject, ta_windows_action, user_group, vendor_product | dest_nt_domain |
XmlWinEventLog* | 5156, 5157 | Error_Code, app, dest, dest_port, dvc, dvc_nt_host, event_id, id, name, process_id, signature, signature_id, subject, ta_windows_action, transport, vendor_product | |
XmlWinEventLog* | 4625 | dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process, process_id, process_name, process_path, signature, signature_id, src_ip, subject, ta_windows_action, ta_windows_status, user_group, vendor_product | |
XmlWinEventLog* | 4627 | Error_Code, action, dest, dvc, dvc_nt_host, event_id, id, process_id, signature_id, status, ta_windows_action, user_group, vendor_product | |
XmlWinEventLog* | 4799 | Error_Code, Group_Domain, Group_Name, action, app, dest, dvc, dvc_nt_host, event_id, id, process_id, signature_id, status, ta_windows_action, user_group, vendor_product | |
XmlWinEventLog* | 4608, 4610, 4611, 4614, 4622, 4653, 4672, 4690, 4698, 4699, 4700, 4701, 4702, 4704, 4705, 4713, 4715, 4779, 4902, 4906, 4932, 4933, 4944, 4950, 4954, 4956, 4963, 5031, 5040, 5041, 5043, 5044, 5045, 5059, 5061, 5136, 5137, 5441, 5442, 5444, 6144, 6145, 6272 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, signature, signature_id, subject, ta_windows_action, vendor_product | |
XmlWinEventLog* | 4647, 4800, 4801 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, signature, signature_id, subject, ta_windows_action, user_group, vendor_product | |
XmlWinEventLog* | 6417 | Error_Code, action, app, dest, dvc, dvc_nt_host, event_id, id, parent_process_id, process, process_id, process_name, process_path, signature_id, status, ta_windows_action, vendor_product | |
XmlWinEventLog* | 4673 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process_id, service, signature, signature_id, subject, ta_windows_action, vendor_product | |
XmlWinEventLog* | 4741 | CategoryString, Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, process_id, result, signature, signature_id, status, subject, ta_windows_action, ta_windows_security_CategoryString, user_group, vendor_product | |
XmlWinEventLog* | 1104, 1105 | Error_Code, action, app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, signature, signature_id, status, subject, ta_windows_action, vendor_product | |
XmlWinEventLog* | 4703 | Error_Code, action, app, dest, dvc, dvc_nt_host, event_id, id, parent_process_id, process, process_id, process_name, process_path, signature_id, status, ta_windows_action, user_group, vendor_product | |
XmlWinEventLog* | 1101 | Error_Code, action, app, change_type, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, object_category, process_id, signature, signature_id, status, subject, ta_windows_action, vendor_product | |
XmlWinEventLog* | 4727, 4731, 4735, 4737, 4750, 4754, 4755 | CategoryString, Error_Code, Group_Domain, Group_Name, app, change_type, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, object_category, process_id, result, signature, signature_id, subject, ta_windows_action, ta_windows_security_CategoryString, user_group, vendor_product | |
XmlWinEventLog* | 5158 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process_id, signature, signature_id, src_port, subject, ta_windows_action, transport, vendor_product | |
XmlWinEventLog* | 4793 | CategoryString, Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, signature, signature_id, subject, ta_windows_action, ta_windows_security_CategoryString, vendor_product | |
XmlWinEventLog* | 4664, 5058, 5142 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, file_name, file_path, id, name, process_id, signature, signature_id, subject, ta_windows_action, vendor_product | |
XmlWinEventLog* | 4697 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, service, service_name, signature, signature_id, start_mode, subject, ta_windows_action, vendor_product | |
XmlWinEventLog* | 4826, 5379, 6416 | Error_Code, action, app, dest, dvc, dvc_nt_host, event_id, id, process_id, signature_id, status, ta_windows_action, vendor_product | |
XmlWinEventLog* | 4776 | app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, signature, signature_id, subject, ta_windows_action, ta_windows_status, user_group, vendor_product | |
XmlWinEventLog* | 4771 | app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, service, service_name, signature, signature_id, subject, ta_windows_action, ta_windows_status, user_group, vendor_product | |
XmlWinEventLog* | 4616, 4658, 4660, 4670, 4674, 4904, 4985 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process, process_id, process_name, process_path, signature, signature_id, subject, ta_windows_action, vendor_product | |
XmlWinEventLog* | 4781 | CategoryString, Error_Code, app, change_type, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, object_category, process_id, result, signature, signature_id, subject, ta_windows_action, ta_windows_security_CategoryString, vendor_product | |
XmlWinEventLog* | 5446, 5447, 5448, 5449, 5450 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process_id, signature, signature_id, subject, ta_windows_action, vendor_product | |
XmlWinEventLog* | 4770 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, service, service_id, service_name, signature, signature_id, subject, ta_windows_action, user_group, vendor_product | |
XmlWinEventLog* | 4717, 4718 | Error_Code, app, change_type, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, object_category, process_id, result, signature, signature_id, subject, ta_windows_action, vendor_product | |
XmlWinEventLog* | 4912, 4931, 5141 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, signature, signature_id, subject, ta_windows_action, vendor_product | |
XmlWinEventLog* | 4656, 4661, 4663 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_file_name, object_file_path, parent_process_id, process, process_id, process_name, process_path, signature, signature_id, subject, ta_windows_action, vendor_product | |
XmlWinEventLog* | 4689 | app, dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process, process_id, process_name, process_path, signature, signature_id, subject, ta_windows_action, ta_windows_status, vendor_product | |
XmlWinEventLog* | 4778 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, signature, signature_id, src, subject, ta_windows_action, vendor_product | |
XmlWinEventLog* | 5024, 5025, 5033, 5478 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, service, service_name, signature, signature_id, subject, ta_windows_action, vendor_product | |
XmlWinEventLog* | 5145 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, file_name, file_path, id, name, process_id, signature, signature_id, src_ip, subject, ta_windows_action, vendor_product | |
XmlWinEventLog* | 4907 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, file_name |
CIM Model Comparison for Versions 7.0.0 and 8.1.2¶
Sourcetype | EventCode | Previous CIM model | New CIM model |
---|---|---|---|
XmlWinEventLog:Security | 4625, 4672, 4771, 4776, 4957, 4624, 4648, 4769, 4768, 4932, 4933, 4931, 4948, 4670, 4673, 4674, 4800, 4778, 4779, 4770, 5450, 4985, 4902, 4907, 4906, 4904, 4662, 4663, 4660, 4661, 4664, 4705, 4704, 4701, 4700, 4703, 4702, 5152, 5156, 5154, 5025, 5024, 5145, 5140, 5141, 5142, 5441, 4713, 4797, 4793, 4658, 4656, 4653, 4798, 4799, 5031, 5033, 5034, 6145, 6144, 5137, 5136, 5157, 5442, 5444, 5447, 5448, 4647, 5449, 4634, 4963, 5045, 5044, 5379, 5041, 5040, 5043, 6416, 1104, 4627, 4622, 5058, 5059, 6272, 6417, 4947, 4944, 4611, 4610, 4616, 4614, 5061, 4690, 4697, 4696, 4699, 4698, 4688, 4689, 4946, 4945, 5446, 4950, 4953, 4954, 4826, 4956, 4608, 4817, 5478 | Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem | |
XmlWinEventLog:Security | 1108, 1101 | Endpoint.Services, Change.Auditing_Changes, Change.Endpoint_Changes, Endpoint.Filesystem, Endpoint.Processes, Event_Signatures.Signatures | |
XmlWinEventLog:Security | 4781, 4729, 4728, 4727, 4734, 4735, 4737, 4730, 4731, 4732, 4733, 4739, 4753, 4750, 4756, 4757, 4754, 4755, 4764, 4758 | Endpoint.Services, Change.Endpoint_Changes, Endpoint.Filesystem, Change.Account_Management, Endpoint.Processes, Event_Signatures.Signatures | |
XmlWinEventLog:Security | 1100, 1102 | Event_Signatures.Signatures, Endpoint.Processes, Endpoint.Filesystem, Endpoint.Services | |
XmlWinEventLog:Security | 4912, 4718, 4719, 4717, 4715, 4738, 1105, 4741, 4740, 4743, 4742, 4723, 4722, 4720, 4726, 4725, 4724, 4767 | Change.Endpoint_Changes, Event_Signatures.Signatures, Endpoint.Processes, Endpoint.Filesystem, Endpoint.Services | |
XmlWinEventLog:Security | 4657 | Endpoint.Registry, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem | |
XmlWinEventLog:Security | 5158 | Endpoint.Ports, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem | |
XmlWinEventLog:Security | 4801 | Authentication, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem | |
Field mapping comparison for versions 7.0.0 and 8.1.2¶
Sourcetype | EventCode | Fields added | Fields removed |
---|---|---|---|
XmlWinEventLog | 4727, 4731, 4735, 4737, 4739, 4750, 4754, 4755 | change_type, object_attrs, object_category, result, ta_windows_security_CategoryString, vendor_product | |
XmlWinEventLog | 4616, 4658, 4660, 4670, 4674, 4904, 4985 | parent_process_id, process_name, process_path, vendor_product | |
XmlWinEventLog | 4771 | service, service_name, vendor_product | Group_Name |
XmlWinEventLog | 4781 | change_type, object_attrs, object_category, result, ta_windows_security_CategoryString, vendor_product | Group_Domain |
XmlWinEventLog | 4703 | action, parent_process_id, process_name, process_path, status, vendor_product | Group_Domain, Group_Name |
XmlWinEventLog | 5156, 5157 | transport, vendor_product | |
XmlWinEventLog | 5152, 5446, 5447, 5448, 5449, 5450 | parent_process_id, vendor_product | |
XmlWinEventLog | 5024, 5025, 5033, 5034, 5478 | service, service_name, vendor_product | |
XmlWinEventLog | 4907 | file_name, file_path, object_file_name, object_file_path, parent_process_id, process_name, process_path, vendor_product | |
XmlWinEventLog | 4742, 4743 | object_attrs, result, ta_windows_security_CategoryString, vendor_product | Group_Domain, Group_Name |
XmlWinEventLog | 4608, 4610, 4611, 4614, 4622, 4653, 4672, 4690, 4698, 4699, 4700, 4701, 4702, 4704, 4705, 4713, 4715, 4779, 4902, 4906, 4912, 4931, 4932, 4933, 4944, 4945, 4946, 4947, 4948, 4950, 4953, 4954, 4956, 4957, 4963, 5031, 5040, 5041, 5043, 5044, 5045, 5059, 5061, 5136, 5137, 5141, 5441, 5442, 5444, 6144, 6145, 6272 | vendor_product | |
XmlWinEventLog | 4719 | change_type, object_attrs, object_category, vendor_product | |
XmlWinEventLog | 4740 | ta_windows_security_CategoryString, vendor_product | Group_Domain, Group_Name |
XmlWinEventLog | 4793 | ta_windows_security_CategoryString, vendor_product | |
XmlWinEventLog | 4634, 4647, 4800, 4801 | vendor_product | Group_Domain, Group_Name |
XmlWinEventLog | 1102 | Caller_User_Name, object_attrs, src_user, status, vendor_product | |
XmlWinEventLog | 4776 | vendor_product | Group_Name |
XmlWinEventLog | 4696 | parent_process_id, vendor_product | Group_Domain, Group_Name |
XmlWinEventLog | 1101, 1108 | action, change_type, object_attrs, object_category, status, vendor_product | |
XmlWinEventLog | 4657 | object_file_name, object_file_path, parent_process_id, process_name, process_path, registry_path, registry_value_name, registry_value_type, vendor_product | |
XmlWinEventLog | 4723, 4724 | object_attrs, ta_windows_security_CategoryString, vendor_product | Group_Domain, Group_Name |
XmlWinEventLog | 4741 | object_attrs, result, status, ta_windows_security_CategoryString, vendor_product | Group_Domain, Group_Name |
XmlWinEventLog | 5154 | parent_process_id, transport, vendor_product | |
XmlWinEventLog | 4778 | src, vendor_product | |
XmlWinEventLog | 4768, 4769, 4770 | service, service_id, service_name, vendor_product | Group_Domain, Group_Name |
XmlWinEventLog | 4627, 4797, 4798 | action, status, vendor_product | Group_Domain, Group_Name |
XmlWinEventLog | 4720, 4722, 4725, 4726, 4738, 4767 | result, ta_windows_security_CategoryString, vendor_product | Group_Domain, Group_Name |
XmlWinEventLog | 4697 | service, service_name, start_mode, vendor_product | |
XmlWinEventLog | 4688 | Process_Command_Line, Token_Elevation_Type_id, new_process, new_process_id, new_process_name, parent_process, parent_process_id, parent_process_name, parent_process_path, process, process_command_line_arguments, process_command_line_process, process_exec, process_name, process_path, vendor_product | Group_Domain, Group_Name |
XmlWinEventLog | 5158 | parent_process_id, src_port, transport, vendor_product | |
XmlWinEventLog | 4689, 6417 | action, parent_process_id, process_name, process_path, status, vendor_product | |
XmlWinEventLog | 4656, 4661, 4663 | object_file_name, object_file_path, parent_process_id, process_name, process_path, vendor_product | |
XmlWinEventLog | 4624, 4625, 4648 | parent_process_id, process_name, process_path, vendor_product | Group_Domain, Group_Name |
XmlWinEventLog | 4662, 4817 | object_file_name, object_file_path, vendor_product | |
XmlWinEventLog | 4717, 4718 | change_type, object_attrs, object_category, result, vendor_product | |
XmlWinEventLog | 4664, 5058, 5142, 5145 | file_name, file_path, vendor_product | |
XmlWinEventLog | 4673 | parent_process_id, service, vendor_product | |
XmlWinEventLog | 1100 | object_attrs, status, vendor_product | |
XmlWinEventLog | 1104, 1105, 4799, 4826, 5379, 6416 | action, status, vendor_product | |
XmlWinEventLog | 5140 | file_name, vendor_product | |
XmlWinEventLog | 4728, 4729, 4730, 4732, 4733, 4734, 4753, 4756, 4757, 4758, 4764 | change_type, object_category, result, ta_windows_security_CategoryString, vendor_product | |
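The removed-fields column is the one that bites after an upgrade: a correlation search that groups 4624 logons by Group_Domain keeps running but silently returns nothing once the add-on stops extracting that field. The script below is an added example, not Splunk's code or part of this documentation. It parses rows in the same "Sourcetype | EventCode | Fields added | Fields removed |" layout as the table above (a constructed subset of that table is embedded inline), then scans a set of hypothetical saved searches for references to a field that is removed for an EventCode the search filters on. Real searches would come from savedsearches.conf or the REST API; this offline example does not touch either.

```python
"""Audit saved searches for fields the Splunk Add-on for Microsoft Windows
stopped extracting between versions 7.0.0 and 8.1.2.

Added example, not Splunk's code. TABLE_ROWS is a constructed subset of the
field-mapping table on this page; SAVED_SEARCHES are hypothetical.
"""
import re

# Constructed: rows copied from the "Field mapping comparison for versions
# 7.0.0 and 8.1.2" table, same "Sourcetype | EventCode | Fields added |
# Fields removed |" layout.
TABLE_ROWS = """
XmlWinEventLog | 4771 | service, service_name, vendor_product | Group_Name |
XmlWinEventLog | 4703 | action, parent_process_id, process_name, process_path, status, vendor_product | Group_Domain, Group_Name |
XmlWinEventLog | 4624, 4625, 4648 | parent_process_id, process_name, process_path, vendor_product | Group_Domain, Group_Name |
XmlWinEventLog | 5158 | parent_process_id, src_port, transport, vendor_product | |
XmlWinEventLog | 4776 | vendor_product | Group_Name |
"""

# Constructed, hypothetical saved searches (name -> SPL).
SAVED_SEARCHES = {
    "Logons by domain": 'sourcetype=XmlWinEventLog EventCode=4624 | stats count by Group_Domain, user',
    "Kerberos pre-auth failures by group": 'sourcetype="XmlWinEventLog" EventCode="4771" Group_Name=* | stats count by Group_Name',
    "Failed logons": 'sourcetype=XmlWinEventLog EventCode IN (4625, 4648) | stats count by Group_Name, src_ip',
    "Port binds": 'sourcetype=XmlWinEventLog EventCode=5158 | table dest src_port transport',
}

# EventCode=N, EventCode="N" or EventCode IN (N, M, ...)
EVENTCODE_RE = re.compile(
    r'\bEventCode\s*(?:=\s*"?(\d+)"?|IN\s*\(([^)]*)\))', re.IGNORECASE)
# Any identifier-looking token; a field name used inside a quoted string
# also matches, so this over-reports rather than misses.
TOKEN_RE = re.compile(r'\b[A-Za-z_][A-Za-z0-9_]*\b')


def split_list(cell):
    """'a, b, c' -> ['a', 'b', 'c']; an empty cell -> []."""
    return [f.strip() for f in cell.split(",") if f.strip()]


def parse_field_changes(table_text):
    """Map each EventCode in the table to its added and removed field sets."""
    changes = {}
    for line in table_text.strip().splitlines():
        cells = [c.strip() for c in line.strip().rstrip("|").split("|")]
        if len(cells) < 4:
            continue
        _sourcetype, codes, added, removed = cells[:4]
        for code in split_list(codes):
            entry = changes.setdefault(code, {"added": set(), "removed": set()})
            entry["added"].update(split_list(added))
            entry["removed"].update(split_list(removed))
    return changes


def referenced_event_codes(search):
    """EventCodes a search filters on, as strings."""
    codes = set()
    for single, group in EVENTCODE_RE.findall(search):
        if single:
            codes.add(single)
        else:
            codes.update(re.findall(r"\d+", group))
    return codes


def find_removed_field_references(search, changes):
    """Sorted (EventCode, field) pairs where the search uses a field removed for that code."""
    tokens = set(TOKEN_RE.findall(search))
    hits = set()
    for code in referenced_event_codes(search):
        for field in changes.get(code, {}).get("removed", set()):
            if field in tokens:
                hits.add((code, field))
    return sorted(hits)


def audit_saved_searches(searches, changes):
    """Only the searches that reference a removed field, with their hits."""
    report = {}
    for name, spl in searches.items():
        hits = find_removed_field_references(spl, changes)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    report = audit_saved_searches(SAVED_SEARCHES, parse_field_changes(TABLE_ROWS))
    for name, hits in report.items():
        print(f"{name}: " + ", ".join(f"{field} (EventCode {code})" for code, field in hits))
```

The scan is deliberately coarse (a word-boundary token match), so it flags a field name wherever it appears in the SPL rather than trying to parse the pipeline; for a one-off upgrade review, a few false positives are cheaper than a silently empty detection. After the upgrade, confirm the result against live data by searching the sourcetype for one affected EventCode and piping to fieldsummary to see which fields the new version actually extracts.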