AgentX Windows field mappings

Windows Security Auditing

Event ID: 4616
Windows Field | Logpoint Field
eventdata_newTime | new_ts
eventdata_previousTime | old_ts

Event ID: 4697
Windows Field | Logpoint Field
eventdata_serviceType | object_type

Event ID: 4698
Windows Field | Logpoint Field
eventdata_taskContent | task_content

Event ID: 4720
Windows Field | Logpoint Field
eventdata_allowedToDelegateTo | allowed_to_delegate
eventdata_homeDirectory | home_directory
eventdata_homePath | home_path
eventdata_profilePath | path
eventdata_scriptPath | script_path
eventdata_sidHistory | sid_history
eventdata_userParameters | parameter
eventdata_userWorkstations | workstation

Event ID: 4729
Windows Field | Logpoint Field
eventdata_sidHistory | sid_history

Event ID: 4730
Windows Field | Logpoint Field
eventdata_sidHistory | sid_history

Event ID: 4731
Windows Field | Logpoint Field
eventdata_sidHistory | sid_history

Event ID: 4734
Windows Field | Logpoint Field
eventdata_groupTypeChange | group_type

Event ID: 4744
Windows Field | Logpoint Field
eventdata_sidHistory | sid_history

Event ID: 4745
Windows Field | Logpoint Field
eventdata_sidHistory | sid_history

Event ID: 4748
Windows Field | Logpoint Field
eventdata_sidHistory | sid_history

Event ID: 4749
Windows Field | Logpoint Field
eventdata_sidHistory | sid_history

Event ID: 4750
Windows Field | Logpoint Field
eventdata_sidHistory | sid_history

Event ID: 4754
Windows Field | Logpoint Field
eventdata_sidHistory | sid_history

Event ID: 4755
Windows Field | Logpoint Field
eventdata_sidHistory | sid_history

Event ID: 4759
Windows Field | Logpoint Field
eventdata_sidHistory | sid_history

Event ID: 4760
Windows Field | Logpoint Field
eventdata_sidHistory | sid_history

Event ID: 4764
Windows Field | Logpoint Field
eventdata_groupTypeChange | group_type

Event ID: 4944
Windows Field | Logpoint Field
eventdata_groupPolicyApplied | policy
eventdata_logDroppedPacketsEnabled | log_dropped_packet
eventdata_logSuccessfulConnectionsEnabled | log_successful_connection
eventdata_multicastFlowsEnabled | multicast_flow
eventdata_operationMode | operation_mode
eventdata_profile | profile
eventdata_remoteAdminEnabled | remote_administration

Event ID: 4945
Windows Field | Logpoint Field
eventdata_profileUsed | profile

Event ID: 4953
Windows Field | Logpoint Field
eventdata_profile | profile
eventdata_reasonForRejection | reason

Event ID: 4956
Windows Field | Logpoint Field
eventdata_activeProfile | profile
Windows Sysmon

Event ID: 1
Windows Field | Logpoint Field
eventdata_accountname | caller_user
eventdata_domain | caller_domain
eventdata_integrityLevel | integrity_level
eventdata_parentUser | parent_user

Event ID: 2
Windows Field | Logpoint Field
eventdata_previousCreationUtcTime | previous_creation_ts

Event ID: 3
Windows Field | Logpoint Field
eventdata_initiated | is_initiated

Event ID: 4
Windows Field | Logpoint Field
eventdata_schemaVersion | schema_version
eventdata_state | status
eventdata_version | version

Event ID: 6
Windows Field | Logpoint Field
eventdata_signed | is_signed
eventdata_signature | signature
eventdata_signatureStatus | status
eventdata_imageLoaded | image

Event ID: 7
Windows Field | Logpoint Field
eventdata_image | source_image
eventdata_imageLoaded | image
eventdata_signatureStatus | status
eventdata_signed | is_signed
eventdata_signature | signature

Event ID: 8
Windows Field | Logpoint Field
eventdata_newThreadId | new_thread_id
eventdata_sourceImage | source_image
eventdata_sourceProcessGuid | source_process_guid
eventdata_sourceProcessId | source_process_id
eventdata_targetImage | target_image
eventdata_targetProcessGuid | target_process_guid
eventdata_targetProcessId | target_process_id
eventdata_startAddress | start_address
eventdata_sourceUser | source_user
eventdata_targetUser | target_user
eventdata_startFunction | start_function
eventdata_startModule | start_module

Event ID: 9
Windows Field | Logpoint Field
eventdata_utcTime | utc_ts
eventdata_device | device

Event ID: 10
Windows Field | Logpoint Field
eventdata_sourceImage | source_image
eventdata_callTrace | call_trace
eventdata_grantedAccess | access
eventdata_targetImage | image
eventdata_sourceProcessGUID | source_process_guid
eventdata_sourceProcessId | source_process_id
eventdata_sourceThreadId | source_thread_id
eventdata_targetProcessGUID | target_process_guid
eventdata_targetProcessId | target_process_id
eventdata_sourceUser | source_user
eventdata_targetUser | target_user

Event ID: 12
Windows Field | Logpoint Field
eventdata_targetObject | target_object

Event ID: 13
Windows Field | Logpoint Field
eventdata_targetObject | target_object
eventdata_details | detail

Event ID: 14
Windows Field | Logpoint Field
eventdata_targetObject | target_object
eventdata_newName | new_value

Event ID: 15
Windows Field | Logpoint Field
eventdata_contents | contents

Event ID: 16
Windows Field | Logpoint Field
eventdata_configuration | file

Event ID: 17
Windows Field | Logpoint Field
eventdata_pipeName | pipe

Event ID: 18
Windows Field | Logpoint Field
eventdata_pipeName | pipe

Event ID: 19
Windows Field | Logpoint Field
eventdata_name | name
eventdata_query | query
eventdata_eventNamespace | event_namespace

Event ID: 20
Windows Field | Logpoint Field
eventdata_name | name
eventdata_destination | destination

Event ID: 21
Windows Field | Logpoint Field
eventdata_consumer | consumer
eventdata_filter | filter

Event ID: 22
Windows Field | Logpoint Field
eventdata_queryResults | result

Event ID: 23
Windows Field | Logpoint Field
eventdata_isExecutable | is_executable
eventdata_archived | is_archived

Event ID: 24
Windows Field | Logpoint Field
eventdata_archived | is_archived
eventdata_session | session

Event ID: 26
Windows Field | Logpoint Field
eventdata_isExecutable | is_executable

Event ID: 255
Windows Field | Logpoint Field
eventdata_iD | message_id
File Integrity Monitoring

Windows Field | Logpoint Field
Author | author
Command | command
Data | data
Description | description
Duration | duration
Priority | priority
URI | url
UserId | user_id
agent_id | agentx_agent_id
agent_ip | agentx_agent_address
agent_name | agentx_agent
decoder_name | agentx_decoder
manager_name | agentx_manager
rule_firedtimes | rule_trigger_count
rule_gdpr | gdpr
rule_gpg13 | gpg13
rule_groups | rule_group
rule_hipaa | hipaa
rule_id | rule_trigger_id
rule_mitre_id | attack_id
rule_mitre_tactic | attack_category
rule_mitre_technique | attack_tag
rule_nist_800_53 | nist_800_53
rule_pci_dss | pci_dss
rule_tsc | tsc
syscheck_arch | architecture
syscheck_attrs_after | attribute
syscheck_audit_process_id | process_id
syscheck_audit_process_name | process
syscheck_audit_user_id | user_id
syscheck_audit_user_name | user
syscheck_changed_attributes | changed_attribute
syscheck_diff | changed_content
syscheck_entry_type | registry_entry_type
syscheck_event | action
syscheck_gid_after | group_id
syscheck_gname_after | group
syscheck_inode_after | inode
syscheck_md5_after | hash
syscheck_md5_before | old_hash
syscheck_mode | mode
syscheck_mtime_after | modification_ts
syscheck_mtime_before | old_modification_ts
syscheck_path | path
syscheck_perm_after | permission
syscheck_sha1_after | hash_sha1
syscheck_sha1_before | old_hash_sha1
syscheck_sha256_after | hash_sha256
syscheck_sha256_before | old_hash_sha256
syscheck_size_after | datasize
syscheck_size_before | old_datasize
syscheck_uid_after | uid
syscheck_uname_after | owner
syscheck_value_name | registry_value_name
syscheck_value_type | registry_value_type
syscheck_win_perm_after | permission
syscheck_win_perm_before | old_permission
timestamp | event_received_ts
DHCP Module

Windows Field | Logpoint Field
system_eventSourceName | source
agent_labels_os_name | agentx_agent_os
AllowHardTerminate | allow_hard_terminate
AllowStartOnDemand | allow_start_on_demand
Arguments | argument
Author | author
ClassId | class_id
Command | command
Count | restart_failure_count
Data | data
DataOffset | data_offset
Date | date
DaysInterval | days_interval
Deadline | deadline
Delay | delay
Description | description
DisallowStartIfOnBatteries | disallow_start_if_on_batteries
DisallowStartOnRemoteAppSession | disallow_start_on_remote_app_session
Duration | duration
Enabled | enabled
Exclusive | exclusive
ExecutionTimeLimit | execution_time_limit
GroupId | group_id
Hidden | hidden
Interval | restart_failure_interval
LogonType | logon_type
MultipleInstancesPolicy | multiple_instance_policy
Period | period
Priority | priority
RandomDelay | random_delay
RestartOnIdle | restart_on_idle
RunLevel | run_level
RunOnlyIfIdle | run_only_if_idle
RunOnlyIfNetworkAvailable | run_only_if_network_available
SecurityDescriptor | sd
Source | source
StartBoundary | start_ts
StartWhenAvailable | start_when_available
StateChange | state_change
StateName | state_name
StopAtDurationEnd | stop_at_duration_end
StopIfGoingOnBatteries | stop_if_going_on_batteries
StopOnIdleEnd | stop_on_idle_end
URI | url
UseUnifiedSchedulingEngine | use_unified_scheduling_engine
UserId | user_id
WaitTimeout | wait_timeout
WakeToRun | wake_to_run
access_list | access_list
action | action
agent_id | agentx_agent_id
agent_ip | agentx_agent_address
agent_name | agentx_agent
decoder_name | agentx_decoder
description | description
eventdata_accessMask | access_mask
eventdata_accessReason | reason
eventdata_accountDomain | domain
eventdata_accountExpires | account_expire
eventdata_accountName | user
eventdata_additionalInfo | additional_information
eventdata_additionalInfo2 | additional_information_2
eventdata_algorithmName | cipher
eventdata_attributeLDAPDisplayName | ldap_display
eventdata_attributeSyntaxOID | attribute_id
eventdata_attributeValue | attribute_value
eventdata_authenticationPackageName | package
eventdata_callerProcessId | caller_process_id
eventdata_callerProcessName | caller_process
eventdata_clientAddress | source_address
eventdata_clientCreationTime | creation_ts
eventdata_clientName | workstation
eventdata_clientProcessId | process_id
eventdata_clientProcessStartKey | process_start_key
eventdata_commandLine | command
eventdata_countOfCredentialsReturned | credentials_returned_count
eventdata_dSName | service
eventdata_dSType | service_type
eventdata_displayName | display_name
eventdata_domainName | domain
eventdata_domainPolicyChanged | policy
eventdata_domainSid | domain_id
eventdata_elevatedToken | elevated_token
eventdata_eventCountTotal | event_count
eventdata_eventIdx | event_idx
eventdata_fQDN | fqdn
eventdata_failureId | failure_id
eventdata_failureReason | reason
eventdata_fileName | file
eventdata_flags | flag
eventdata_groupMembership | group_membership
eventdata_handleId | handle_id
eventdata_impersonationLevel | impersonation_level
eventdata_ipAddress | source_address
eventdata_ipPort | source_port
eventdata_keyFilePath | path
eventdata_keyLength | key_length
eventdata_keyName | key
eventdata_keyType | key_type
eventdata_linkName | link
eventdata_lmPackageName | lm_package
eventdata_lockoutThreshold | lockout_threshold
eventdata_logonGuid | logon_guid
eventdata_logonHours | logon_hour
eventdata_logonID | logon_id
eventdata_logonProcessName | logon_process
eventdata_logonType | logon_type
eventdata_mandatoryLabel | integrity_id
eventdata_masterKeyId | master_key_id
eventdata_memberName | member
eventdata_memberSid | target_id
eventdata_newProcessId | target_process_id
eventdata_newProcessName | new_process
eventdata_newSd | new_sd
eventdata_newState | new_value
eventdata_newUacValue | new_value
eventdata_newValue | new_value
eventdata_newValueType | new_value_type
eventdata_objectClass | class
eventdata_objectDN | object_dn
eventdata_objectGUID | service_guid
eventdata_objectName | object_name
eventdata_objectServer | object_server
eventdata_objectType | object_type
eventdata_objectValueName | object_value
eventdata_oldUacValue | old_value
eventdata_oldValue | old_value
eventdata_oldValueType | old_value_type
eventdata_opCorrelationID | operation_id
eventdata_operation | action
eventdata_operationType | operation_type
eventdata_packageName | package
eventdata_parentProcessId | parent_process_id
eventdata_parentProcessName | parent_process
eventdata_passwordLastSet | password_last_set_ts
eventdata_preAuthType | pre_authentication_type
eventdata_primaryGroupId | group_id
eventdata_privilegeList | privilege
eventdata_processCreationTime | process_creation_ts
eventdata_processId | process_id
eventdata_processName | process
eventdata_profileChanged | profile
eventdata_properties | properties
eventdata_providerName | provider
eventdata_readOperation | operation_type
eventdata_recoveryKeyId | recover_id
eventdata_recoveryReason | reason
eventdata_recoveryServer | server
eventdata_resourceManager | resource_manager
eventdata_restrictedAdminMode | restricted_admin_mode
eventdata_restrictedSidCount | restricted_id_count
eventdata_returnCode | status_code
eventdata_rpcCallClientLocality | rpc_call_client_locality
eventdata_ruleAttr | attribute
eventdata_ruleId | rule_id
eventdata_ruleName | rule_name
eventdata_samAccountName | sam_account_name
eventdata_service | service
eventdata_serviceAccount | service_account
eventdata_serviceFileName | file
eventdata_serviceName | service
eventdata_serviceSid | service_id
eventdata_serviceStartType | start_type
eventdata_serviceType | object_type
eventdata_sessionId | session_id
eventdata_sessionName | session
eventdata_shareLocalPath | share_path
eventdata_shareName | share_name
eventdata_status | status_code
eventdata_subStatus | sub_status_code
eventdata_subjectDomainName | domain
eventdata_subjectLogonId | logon_id
eventdata_subjectUserName | user
eventdata_subjectUserSid | user_id
eventdata_targetDomainName | target_domain
eventdata_targetInfo | information
eventdata_targetLinkedLogonId | target_linked_logon_id
eventdata_targetLogonGuid | target_logon_guid
eventdata_targetLogonId | target_logon_id
eventdata_targetName | target_name
eventdata_targetServerName | server
eventdata_targetSid | target_id
eventdata_targetUserName | target_user
eventdata_targetUserSid | target_id
eventdata_taskName | task
eventdata_ticketEncryptionType | encryption_type
eventdata_ticketOptions | ticket_option
eventdata_tokenElevationType | token_elevation_type
eventdata_transactionId | transaction_id
eventdata_transmittedServices | transmitted_service
eventdata_type | type
eventdata_userAccountControl | user_account_control
eventdata_userPrincipalName | user_principal_name
eventdata_virtualAccount | virtual_account
eventdata_workstation | workstation
eventdata_workstationName | workstation
eventdata_binary | binary_data
id | id
integrity_label | integrity_label
location | location
logon_category | logon_category
manager_name | agentx_manager
message | message
object | object
right | right
rule_description | rule_description
rule_firedtimes | rule_trigger_count
rule_frequency | rule_frequency
rule_gdpr | gdpr
rule_gpg13 | gpg13
rule_groups | rule_group
rule_hipaa | hipaa
rule_id | rule_trigger_id
rule_level | rule_level
rule_mail | is_rule_mail
rule_mitre_id | attack_id
rule_mitre_tactic | attack_category
rule_mitre_technique | attack_tag
rule_nist_800_53 | nist_800_53
rule_pci_dss | pci_dss
rule_tsc | tsc
system_channel | channel
system_computer | host
system_eventID | event_id
system_eventRecordID | record
system_keywords | keyword
system_level | severity
system_opcode | opcode_value
system_processID | execution_process_id
system_providerGuid | guid
system_providerName | event_source
system_severityValue | log_level
system_systemTime | log_ts
system_task | task_value
system_threadID | execution_thread_id
system_version | version
timestamp | event_received_ts
data_id | event_id
EventTime | event_ts
DNS Module

Windows Field | Logpoint Field
EventReceivedTime | event_ts
SourceModuleName | source_module
SourceModuleType | source_type
EventTime | log_ts
ThreadId | thread_id
RemoteIP | source_address
QueryResponseIndicator | action
FlagsHex | flag
RecursionDesired | recursion_desired
RecursionAvailable | recursion_available
ResponseCode | status_code
QuestionType | record_type
QuestionName | domain
AuthoritativeAnswer | answer
SendReceiveIndicator | direction
Severity | log_level
SeverityValue | severity
AccessList | access
AccessMask | access_mask
AccessReason | reason
AccountDomain | domain
AccountExpires | account_expire
AccountName | user
AccountType | account_type
Account_name | account
Action | action
Activity | ID
ActivityID | activity_id
AdditionalInfo | additional_information
Address | source_address
AllowedToDelegateTo | allowed_to_delegate_to
AppCorrelationID | app_correlation_id
Application | application
AttributeLDAPDisplayName | ldap_display
AttributeSyntaxOID | attribute_Syntax_oid
AttributeValue | value
AuditPolicyChanges | policy
AuditSourceName | audit_source
AuthenticationPackageName | authentication_package
BufferSize | buffer_size
CallerIdentity | caller_identity
CallerProcessId | caller_process_id
CallerProcessName | caller_process
CalloutKey | callout_key
CalloutName | callout_name
Category | event_category
CategoryId | category_id
ChangeType | change_type
Channel | channel
ChannelID | channel_id
ClientAddress | source_address
ClientIP | source_address
ClientName | remote_user
ClientUserName | user
CommandLine | command
CommandName | command
CommandPath | command_path
CommandType | command_type
Command_Name | command
Computer | host
ComputerAccountChange | computer_account_change
Conditions | condition
ContentLength | content_length
ContextInfo | context_info
DCName | target_domain
DSName | ds_name
DSType | ds_type
DateAndTime | event_ts
DestAddress | destination_address
DestPort | destination_port
Details | detail
Direction | direction
DirtyPages | page_count
DisplayName | display_name
DnsHostName | dns_host
Domain | caller_domain
DomainName | domain
DomainPolicyChanged | domain_policy_changed
DomainSid | domain_id
ErrorCode | error_code
Event | event
EventData | event_data
EventID | event_id
EventId | event_id
EventRecordID | record_id
EventType | event_type
Event_ID | event_identifier
ExecutionProcessID | execution_process_id
ExecutionThreadID | execution_thread_id
FailureReason | reason
FileHash | hash
FileHashLength | file_hash_length
FileName | file
FilePath | path
FilePathLength | file_path_length
FilterId | filter_id
FilterKey | filter_key
FilterName | filter
FilterRTID | filter_rtid
FilterType | filter_type
Flags | flag
ForceLogoff | force_logoff
Fqdn | fqdn
FqdnLength | fqdn_length
GPOList | gpo
HTTPMethod | request_method
HandleId | handle_id
HiveName | hive
HiveNameLength | hive_length
HomeDirectory | home_directory
HomePath | home_path
HostApplication | application
HostId | host_id
Host_Application | application
Host_Name | host
Hostname | host
InterfaceIP | host_address
IpAddress | source_address
IpPort | source_port
KeyLength | key_length
KeysUpdated | key_count
Keywords | keyword
LayerId | layer_id
LayerKey | layer_key
LayerName | layer_name
LayerRTID | layer_rtid
LmPackageName | package
LocalPort | local_port
LockoutDuration | lockout_duration
LockoutObservationWindow | lockout_observation_window
LockoutThreshold | lockout_threshold
LogonGuid | logon_guid
LogonHours | logon_hour
LogonID | logon_id
LogonProcessName | logon_process
LogonType | logon_type
MachineAccountQuota | machine_account_quota
Machine_name | workstation
MappedName | mapped_name
MappingBy | authentication_package
MaxPasswordAge | maximum_password_age
MemberName | member
MemberSid | member_id
Message | message
MessageNumber | message_number
MessageTotal | message_total
Metric_Dimensions_DiagnosticCode | diagnostic_code
Metric_Dimensions_DiagnosticText | diagnostic
Metric_Dimensions_InstanceId | instance_id
Metric_Dimensions_UploadState | upload_state_code
Metric_Dimensions_UploadStateString | upload_state
Metric_Name | metric
MinPasswordAge | minimum_password_age
MinPasswordLength | minimum_password_length
MixedDomainMode | mixed_domain_mode
NewCommandState | command_state
NewEngineState | engine_state
NewProcessId | target_process_id
NewProcessName | new_process
NewProviderState | provider_state
NewSD | new_sd
NewSd | new_sd
NewState | new_state
NewTargetUserName | new_target_user
NewTime | new_ts
NewUacValue | new_value
NumberOfGroupPolicyObjects | gpo_count
ObjectClass | class
ObjectDN | object_dn
ObjectGUID | object_guid
ObjectName | object
ObjectServer | object_server
ObjectType | object_type
OldSD | old_sd
OldSd | old_sd
OldTargetUserName | old_target_user
OldTime | old_ts
OldUacValue | old_value
OpCorrelationID | op_correlation_id
Opcode | opcode
OpcodeValue | opcode_value
OperationType | type
PackageName | package
PacketData | packet_data
ParentProcessName | parent_process
PasswordHistoryLength | password_history_length
PasswordLastSet | password_last_set_ts
PasswordProperties | password_properties
PipelineId | pipeline_id
PolicyName | policy
PolicyNameLength | policy_length
Port | source_port
PreAuthType | pre_authentication_type
PreviousEngineState | old_engine_state
PrimaryGroupId | primary_group_id
PrivilegeList | privilege
ProcessID | process_id
ProcessId | process_id
ProcessName | process
Process_ID | event_process_id
Process_name | event_process
ProcessingMode | processing_mode
ProcessingTimeInMilliseconds | processing_time
ProfilePath | profile_path
Properties | properties
Protocol | protocol
ProviderGuid | provider_guid
ProviderKey | provider_key
ProviderName | provider
ProxyDNSname | proxy_dns
QNAME | domain
QTYPE | request_code
Querystring | query
RD | received_datasize
RecordNumber | record
RelativeTargetName | relative_target_name
RemoteMachineID | remote_machine_id
RemoteUserID | remote_user_id
RequestDetails | detail
RequestType | request_type
Request_URL | url
Request_path | path
ResourceManager | resource_manager
RestrictedSidCount | restricted_sid_count
RuleAttr | rule_attribute
RuleId | rule_id
RuleName | rule
RuleNameLength | rule_name_length
RuleSddl | rule_ssdl
RuleSddlLength | rule_ssdl_length
RunspaceId | runspace_id
SamAccountName | sam_account_name
ScriptBlockId | script_block_id
ScriptBlockText | script_block
ScriptBlock_ID | script_block_id
ScriptName | script
ScriptPath | script_path
SequenceNumber | sequence_number
Service | service
ServiceName | service
ServicePrincipalNames | service_principal_name
ServiceSid | service_id
SessionId | session_id
SessionName | session
ShareLocalPath | share_path
ShareName | share_name
SidHistory | sid_history
Source | source_address
SourceAddress | source_address
SourceHandleId | handle_id
SourceModuleType | source_module_type
SourceName | event_source
SourcePort | source_port
SourceProcessId | process_id
Source_Network_Address | source_address
Status | status
SubStatus | sub_status
SubcategoryGuid | sub_category_guid
SubcategoryId | sub_category_id
SubjectDomainName | domain
SubjectLogonId | logon_id
SubjectUserName | user
SubjectUserSid | user_id
TCP | tcp
TargetDomainName | target_domain
TargetInfo | target_information
TargetLogonGuid | target_logon_guid
TargetLogonId | target_logon_id
TargetProcessId | target_process_id
TargetServerName | target_server
TargetSid | target_id
TargetUser | target_user
TargetUserName | target_user
TargetUserSid | target_id
Targetedrelying | party
Task | event_task
TaskContentNew | task_content_new
TaskName | task
TaskValue | task_value
ThreadID | thread_id
Thread_ID | event_thread_id
Throughproxy | proxy
TicketEncryptionType | ticket_encryption_type
TicketOptions | ticket_option
TokenElevationType | token_elevation_type
TransactionId | transaction_id
TransmittedServices | transmitted_service
TreeDelete | tree_delete
UrlAbsolutePath | path
User | user
UserAccountControl | user_account_control
UserAgent | user_agent
UserData | user_data
UserID | user_id
UserId | user_id
UserName | user
UserParameters | user_parameter
UserPrincipalName | user_principal_name
UserSid | user_id
UserWorkstations | workstation
User_host_address | host_address
Version | version
VolumeGuid | volume_guid
VolumeName | volume
VolumeNameLength | volume_length
Workstation | workstation
WorkstationName | workstation
XID | exchange_id
client_request_id | request_id
agent_name | agentx_agent
agent_id | agentx_agent_id
decoder_name | agentx_decoder
manager_name | agentx_manager
agent_labels_os_name | agentx_agent_os
hostname | host
log_type | log_level
timestamp | event_received_ts
agent_ip | agentx_agent_address
rule_description | rule_description
rule_firedtimes | rule_trigger_count
rule_frequency | rule_frequency
rule_gdpr | gdpr
rule_gpg13 | gpg13
rule_groups | rule_group
rule_hipaa | hipaa
rule_id | rule_trigger_id
rule_level | rule_level
rule_mail | is_rule_mail
rule_mitre_id | attack_id
rule_mitre_tactic | attack_category
rule_mitre_technique | attack_tag
rule_nist_800_53 | nist_800_53
rule_pci_dss | pci_dss
rule_tsc | tsc
system_channel | channel
system_computer | host
system_eventID | event_id
system_eventRecordID | record_id
system_keywords | keyword
system_level | severity
system_message | message
system_opcode | opcode
system_processID | process_id
system_providerGuid | provider_guid
system_providerName | provider
system_severityValue | log_level
system_systemTime | log_ts
system_task | task
system_threadID | thread_id
system_version | version
timestamp | event_received_ts
eventdata_param1 | param1
eventdata_param2 | param2
eventdata_param3 | param3
DNS Module Request Type

Request Code | Request Code ID | Description
A | 1 | IPv4 address record
AAAA | 28 | IPv6 address record
AFSDB | 18 | For Afs Data Base Location
ANY | 255 | All cached records
APL | 42 | Address Prefix List
ATMA | 34 | ATM Address
AXFR | 252 | Transfer Of An Entire Zone
CAA | 257 | Certification Authority Restriction
CDNSKEY | 60 | DNSKEY(S) The Child Wants Reflected in DS
CDS | 59 | Child DS
CERT | 37 | Certificate record
CNAME | 5 | Canonical name record
CSYNC | 62 | Child-To-Parent Synchronization
DHCID | 49 | DHCP identifier
DLV | 32769 | DNSSEC Lookaside Validation
DNAME | 39 | Delegation name record
DNSKEY | 48 | DNS Key record
DOA | 259 | Unassigned Digital Object Architecture
DS | 43 | Delegation Signer
EID | 31 | Endpoint Identifier
EUI48 | 108 | An EUI-48 Address
EUI64 | 109 | An EUI-64 Address
GPOS | 27 | Geographical Position
HINFO | 13 | Host Information
HIP | 55 | Host Identity Protocol
HTTPS | 65 | HTTPS Binding
IPSECKEY | 45 | IPsec Key
ISDN | 20 | For ISDN Address
IXFR | 251 | Incremental Transfer
KEY | 25 | For Security Key
KX | 36 | Key Exchanger
LOC | 29 | Location Information
MAILA | 254 | Mail Agent RRs
MAILB | 253 | Mailbox-Related RRs
MB | 7 | A Mailbox Domain Name
MD | 3 | A Mail Destination
MF | 4 | A Mail Forwarder
MG | 8 | A Mail Group Member
MINFO | 14 | Mailbox Or Mail List Information
MR | 9 | A Mail Rename Domain Name
MX | 15 | Mail exchange record
NAPTR | 35 | Naming Authority Pointer
NIMLOC | 32 | Nimrod Locator
NS | 2 | Name server record
NSAP | 22 | For NSAP address, NSAP Style A Record
NSAP-PTR | 23 | For Domain Name Pointer, NSAP Style
NSEC | 47 | Next Secure record
NSEC3 | 50 | Next Secure record version 3
NSEC3PARAM | 51 | NSEC3 parameters
NULL | 10 | A Null RR
NXT | 30 | Next Domain
OPENPGPKEY | 61 | OPENPGP Key
PTR | 12 | Pointer record
PX | 26 | X.400 Mail Mapping Information
RP | 17 | For Responsible Person
RRSIG | 46 | DNSSEC signature
RT | 21 | For Route Through
SIG | 24 | Signature
SMIMEA | 53 | S/MIME Cert Association
SOA | 6 | Start of authority record
SRV | 33 | Service locator
SSHFP | 44 | SSH Key Fingerprint
SVCB | 64 | Service Binding
TA | 32768 | DNSSEC Trust Authorities
TALINK | 58 | Trust Anchor LINK
TKEY | 249 | Transaction Key
TSIG | 250 | Transaction Signature
TXT | 16 | Text record
URI | 256 | Uniform Resource Identifier
WKS | 11 | A Well Known Service Description
X25 | 19 | For X.25 PSDN Address
ZONEMD | 63 | Message Digests for DNS Zones
Windows PowerShell

Event ID: 400
Windows Field | Logpoint Field
eventdata_NewEngineState | new_engine_status
eventdata_PreviousEngineState | old_engine_status
eventdata_SequenceNumber | sequence_number
eventdata_HostName | execution_host
eventdata_HostVersion | host_version
eventdata_HostId | host_id
eventdata_EngineVersion | engine_version
eventdata_RunspaceId | run_space_id
eventdata_HostApplication | host_application

Event ID: 403
Windows Field | Logpoint Field
eventdata_NewEngineState | new_engine_status
eventdata_PreviousEngineState | old_engine_status
eventdata_SequenceNumber | sequence_number
eventdata_HostName | execution_host
eventdata_HostVersion | host_version
eventdata_HostId | host_id
eventdata_EngineVersion | engine_version
eventdata_RunspaceId | run_space_id
eventdata_HostApplication | host_application

Event ID: 4100
Windows Field | Logpoint Field
eventdata_Script Name | script_path
eventdata_Severity | log_level
eventdata_Host Name | execution_host
eventdata_Host Version | host_version
eventdata_Host ID | host_id
eventdata_Host Application | host_application
eventdata_Engine Version | engine_version
eventdata_Runspace ID | run_space_id
eventdata_Pipeline ID | pipeline_id
eventdata_Command Name | command
eventdata_Command Type | command_type
eventdata_Sequence Number | sequence_number
eventdata_User | user
eventdata_Shell ID | shell_id

Event ID: 4103
Windows Field | Logpoint Field
eventdata_Severity | log_level
eventdata_Host Name | execution_host
eventdata_Host Version | host_version
eventdata_Host ID | host_id
eventdata_Host Application | host_application
eventdata_Engine Version | engine_version
eventdata_Runspace ID | run_space_id
eventdata_Pipeline ID | pipeline_id
eventdata_Command Name | command
eventdata_Command Type | command_type
eventdata_Sequence Number | sequence_number
eventdata_User | user
eventdata_Shell ID | shell_id

Event ID: 4104
Windows Field | Logpoint Field
eventdata_path | path
eventdata_messageNumber | message_number
eventdata_messageTotal | message_count
eventdata_scriptBlockText | script_block
eventdata_scriptBlockId | script_block_id

Event ID: 53504
Windows Field | Logpoint Field
eventdata_param1 | process_id
eventdata_param2 | application_domain

Event ID: 600
Windows Field | Logpoint Field
eventdata_ProviderName | provider
eventdata_NewProviderState | provider_status
eventdata_SequenceNumber | sequence_number
eventdata_HostName | execution_host
eventdata_HostVersion | host_version
eventdata_HostId | host_id
eventdata_HostApplication | host_application

Event ID: 800
Windows Field | Logpoint Field
eventdata_DetailSequence | detail_sequence
eventdata_DetailTotal | detail_count
eventdata_SequenceNumber | sequence_number
eventdata_UserId | user_id
eventdata_HostName | execution_host
eventdata_HostVersion | host_version
eventdata_HostId | host_id
eventdata_EngineVersion | engine_version
eventdata_RunspaceId | run_space_id
eventdata_PipelineId | pipeline_id
eventdata_CommandLine | command
eventdata_HostApplication | host_application
Default Taxonomy of PowerShell

Windows Field | Logpoint Field
eventdata_payload | payload
AllowHardTerminate | allow_hard_terminate
AllowStartOnDemand | allow_start_on_demand
Arguments | argument
Author | author
ClassId | class_id
Command | command
Count | restart_failure_count
Data | data
DataOffset | data_offset
Date | date
DaysInterval | days_interval
Deadline | deadline
Delay | delay
Description | description
DisallowStartIfOnBatteries | disallow_start_if_on_batteries
DisallowStartOnRemoteAppSession | disallow_start_on_remote_app_session
Duration | duration
Enabled | enabled
Exclusive | exclusive
ExecutionTimeLimit | execution_time_limit
GroupId | group_id
Hidden | hidden
Interval | restart_failure_interval
LogonType | logon_type
MultipleInstancesPolicy | multiple_instance_policy
Period | period
Priority | priority
RandomDelay | random_delay
RestartOnIdle | restart_on_idle
RunLevel | run_level
RunOnlyIfIdle | run_only_if_idle
RunOnlyIfNetworkAvailable | run_only_if_network_available
SecurityDescriptor | sd
Source | source
StartBoundary | start_ts
StartWhenAvailable | start_when_available
StateChange | state_change
StateName | state_name
StopAtDurationEnd | stop_at_duration_end
StopIfGoingOnBatteries | stop_if_going_on_batteries
StopOnIdleEnd | stop_on_idle_end
URI | url
UseUnifiedSchedulingEngine | use_unified_scheduling_engine
UserId | user_id
WaitTimeout | wait_timeout
WakeToRun | wake_to_run
access_list | access_list
action | action
agent_id | agentx_agent_id
agent_ip | agentx_agent_address
agent_name | agentx_agent
decoder_name | agentx_decoder
description | description
eventdata_accessMask | access_mask
eventdata_accessReason | reason
eventdata_accountDomain | domain
eventdata_accountExpires | account_expire
eventdata_accountName | user
eventdata_additionalInfo | additional_information
eventdata_additionalInfo2 | additional_information_2
eventdata_algorithmName | cipher
eventdata_attributeLDAPDisplayName | ldap_display
eventdata_attributeSyntaxOID | attribute_id
eventdata_attributeValue | attribute_value
eventdata_authenticationPackageName | package
eventdata_callerProcessId | caller_process_id
eventdata_callerProcessName | caller_process
eventdata_clientAddress | source_address
eventdata_clientCreationTime | creation_ts
eventdata_clientName | workstation
eventdata_clientProcessId | process_id
eventdata_clientProcessStartKey | process_start_key
eventdata_commandLine | command
eventdata_countOfCredentialsReturned | credentials_returned_count
eventdata_dSName | service
eventdata_dSType | service_type
eventdata_displayName | display_name
eventdata_domainName | domain
eventdata_domainPolicyChanged | policy
eventdata_domainSid | domain_id
eventdata_elevatedToken | elevated_token
eventdata_eventCountTotal | event_count
eventdata_eventIdx | event_idx
eventdata_fQDN | fqdn
eventdata_failureId | failure_id
eventdata_failureReason | reason
eventdata_fileName | file
eventdata_flags | flag
eventdata_groupMembership | group_membership
eventdata_handleId | handle_id
eventdata_impersonationLevel | impersonation_level
eventdata_ipAddress | source_address
eventdata_ipPort | source_port
eventdata_keyFilePath | path
eventdata_keyLength | key_length
eventdata_keyName | key
eventdata_keyType | key_type
eventdata_linkName | link
eventdata_lmPackageName | lm_package
eventdata_lockoutThreshold | lockout_threshold
eventdata_logonGuid | logon_guid
eventdata_logonHours | logon_hour
eventdata_logonID | logon_id
eventdata_logonProcessName | logon_process
eventdata_logonType | logon_type
eventdata_mandatoryLabel | integrity_id
eventdata_masterKeyId | master_key_id
eventdata_memberName | member
eventdata_memberSid | target_id
eventdata_newProcessId | target_process_id
eventdata_newProcessName | new_process
eventdata_newSd | new_sd
eventdata_newState | new_value
eventdata_newUacValue | new_value
eventdata_newValue | new_value
eventdata_newValueType | new_value_type
eventdata_objectClass | class
eventdata_objectDN | object_dn
eventdata_objectGUID | service_guid
eventdata_objectName | object_name
eventdata_objectServer | object_server
eventdata_objectType | object_type
eventdata_objectValueName | object_value
eventdata_oldUacValue | old_value
eventdata_oldValue | old_value
eventdata_oldValueType | old_value_type
eventdata_opCorrelationID | operation_id
eventdata_operation | action
eventdata_operationType | operation_type
eventdata_packageName | package
eventdata_parentProcessId | parent_process_id
eventdata_parentProcessName | parent_process
eventdata_passwordLastSet | password_last_set_ts
eventdata_preAuthType | pre_authentication_type
eventdata_primaryGroupId | group_id
eventdata_privilegeList | privilege
eventdata_processCreationTime | process_creation_ts
eventdata_processId | process_id
eventdata_processName | process
eventdata_profileChanged | profile
eventdata_properties | properties
eventdata_providerName | provider
eventdata_readOperation | operation_type
eventdata_recoveryKeyId | recover_id
eventdata_recoveryReason | reason
eventdata_recoveryServer | server
eventdata_resourceManager | resource_manager
eventdata_restrictedAdminMode | restricted_admin_mode
eventdata_restrictedSidCount | restricted_id_count
eventdata_returnCode | status_code
eventdata_rpcCallClientLocality | rpc_call_client_locality
eventdata_ruleAttr | attribute
eventdata_ruleId | rule_id
eventdata_ruleName | rule_name
eventdata_samAccountName | sam_account_name
eventdata_service | service
eventdata_serviceAccount | service_account
eventdata_serviceFileName | file
eventdata_serviceName | service
eventdata_serviceSid | service_id
eventdata_serviceStartType
start_type
eventdata_sessionId
session_id
eventdata_sessionName
session
eventdata_shareLocalPath
share_path
eventdata_shareName
share_name
eventdata_status
status_code
eventdata_subStatus
sub_status_code
eventdata_subjectDomainName
domain
eventdata_subjectLogonId
logon_id
eventdata_subjectUserName
user
eventdata_subjectUserSid
user_id
eventdata_targetDomainName
target_domain
eventdata_targetInfo
information
eventdata_targetLinkedLogonId
target_linked_logon_id
eventdata_targetLogonGuid
target_logon_guid
eventdata_targetLogonId
target_logon_id
eventdata_targetName
target_name
eventdata_targetServerName
server
eventdata_targetSid
target_id
eventdata_targetUserName
target_user
eventdata_targetUserSid
target_id
eventdata_taskName
task
eventdata_ticketEncryptionType
encryption_type
eventdata_ticketOptions
ticket_option
eventdata_tokenElevationType
token_elevation_type
eventdata_transactionId
transaction_id
eventdata_transmittedServices
transmitted_service
eventdata_type
type
eventdata_userAccountControl
user_account_control
eventdata_userPrincipalName
user_principal_name
eventdata_virtualAccount
virtual_account
eventdata_workstation
workstation
eventdata_workstationName
workstation
id
id
integrity_label
integrity_label
location
location
logon_category
logon_category
manager_name
agentx_manager
message
message
object
object
right
right
rule_description
rule_description
rule_firedtimes
rule_trigger_count
rule_frequency
rule_frequency
rule_gdpr
gdpr
rule_gpg13
gpg13
rule_groups
rule_group
rule_hipaa
hipaa
rule_id
rule_trigger_id
rule_level
rule_level
rule_mail
is_rule_mail
rule_mitre_id
attack_id
rule_mitre_tactic
attack_category
rule_mitre_technique
attack_tag
rule_nist_800_53
nist_800_53
rule_pci_dss
pci_dss
rule_tsc
tsc
system_channel
channel
system_computer
host
system_eventID
event_id
system_eventRecordID
record
system_keywords
keyword
system_level
severity
system_opcode
opcode_value
system_processID
execution_process_id
system_providerGuid
guid
system_providerName
event_source
system_severityValue
log_level
system_systemTime
log_ts
system_task
task_value
system_threadID
execution_thread_id
system_version
version
timestamp
event_received_ts
Security Configuration Assessment
| Windows Field | Logpoint Field |
| --- | --- |
| Author | author |
| Command | command |
| Data | data |
| Description | description |
| Duration | duration |
| Priority | priority |
| URI | url |
| UserId | user_id |
| agent_id | agentx_agent_id |
| agent_ip | agentx_agent_address |
| agent_name | agentx_agent |
| check_compliance_gpg_13 | check_compliance_gpg13 |
| check_references | check_reference |
| check_rules | check_rule |
| data_sca_check_compliance_cis_csc | check_compliance_cis_csc |
| data_sca_check_compliance_hipaa | check_compliance_hipaa |
| data_sca_check_compliance_nist_800_53 | check_compliance_nist_800_53 |
| data_sca_check_compliance_pci_dss | check_compliance_pci_dss |
| data_sca_check_compliance_tsc | check_compliance_tsc |
| data_sca_check_description | check_description |
| data_sca_check_file | check_file |
| data_sca_check_id | check_id |
| data_sca_check_rationale | check_rationale |
| data_sca_check_reason | check_reason |
| data_sca_check_references | check_reference |
| data_sca_check_registry | check_registry |
| data_sca_check_remediation | check_remediation |
| data_sca_check_result | check_result |
| data_sca_check_status | check_status |
| data_sca_check_title | check_title |
| data_sca_description | policy_description |
| data_sca_failed | fail_count |
| data_sca_file | policy_file |
| data_sca_invalid | invalid_count |
| data_sca_passed | pass_count |
| data_sca_policy | policy |
| data_sca_policy_id | policy_id |
| data_sca_scan_id | scan_id |
| data_sca_score | scan_score |
| data_sca_total_checks | total_count |
| data_sca_type | scan_type |
| decoder_name | agentx_decoder |
| description | policy_description |
| end_time | end_ts |
| failed | fail_count |
| file | policy_file |
| invalid | invalid_count |
| manager_name | agentx_manager |
| name | policy |
| passed | pass_count |
| policies | policy_id |
| references | policy_reference |
| rule_cis | cis |
| rule_cis_csc | cis_csc |
| rule_firedtimes | rule_trigger_count |
| rule_gdpr | gdpr |
| rule_gdpr_IV | gdpr_iv |
| rule_gpg13 | gpg13 |
| rule_gpg_13 | gpg13 |
| rule_groups | rule_group |
| rule_hipaa | hipaa |
| rule_id | rule_trigger_id |
| rule_mitre_id | attack_id |
| rule_mitre_tactic | attack_category |
| rule_mitre_technique | attack_tag |
| rule_nist_800_53 | nist_800_53 |
| rule_pci_dss | pci_dss |
| rule_tsc | tsc |
| score | scan_score |
| start_time | start_ts |
| timestamp | event_received_ts |
| total_checks | total_count |
| type | scan_type |
Default AgentX Taxonomy
| Windows Field | Logpoint Field |
| --- | --- |
| AllowHardTerminate | allow_hard_terminate |
| AllowStartOnDemand | allow_start_on_demand |
| Arguments | argument |
| Author | author |
| ClassId | class_id |
| Command | command |
| Count | restart_failure_count |
| Data | data |
| DataOffset | data_offset |
| Date | date |
| DaysInterval | days_interval |
| Deadline | deadline |
| Delay | delay |
| Description | description |
| DisallowStartIfOnBatteries | disallow_start_if_on_batteries |
| DisallowStartOnRemoteAppSession | disallow_start_on_remote_app_session |
| Duration | duration |
| Enabled | enabled |
| Exclusive | exclusive |
| ExecutionTimeLimit | execution_time_limit |
| GroupId | group_id |
| Hidden | hidden |
| Interval | restart_failure_interval |
| LogonType | logon_type |
| MultipleInstancesPolicy | multiple_instance_policy |
| Period | period |
| Priority | priority |
| RandomDelay | random_delay |
| RestartOnIdle | restart_on_idle |
| RunLevel | run_level |
| RunOnlyIfIdle | run_only_if_idle |
| RunOnlyIfNetworkAvailable | run_only_if_network_available |
| SecurityDescriptor | sd |
| Source | source |
| StartBoundary | start_ts |
| StartWhenAvailable | start_when_available |
| StateChange | state_change |
| StateName | state_name |
| StopAtDurationEnd | stop_at_duration_end |
| StopIfGoingOnBatteries | stop_if_going_on_batteries |
| StopOnIdleEnd | stop_on_idle_end |
| URI | url |
| UseUnifiedSchedulingEngine | use_unified_scheduling_engine |
| UserId | user_id |
| WaitTimeout | wait_timeout |
| WakeToRun | wake_to_run |
| access_list | access_list |
| action | action |
| agent_id | agentx_agent_id |
| agent_ip | agentx_agent_address |
| agent_name | agentx_agent |
| decoder_name | agentx_decoder |
| description | description |
| eventdata_accessMask | access_mask |
| eventdata_accessReason | reason |
| eventdata_accountDomain | domain |
| eventdata_accountExpires | account_expire |
| eventdata_accountName | user |
| eventdata_additionalInfo | additional_information |
| eventdata_additionalInfo2 | additional_information_2 |
| eventdata_algorithmName | cipher |
| eventdata_attributeLDAPDisplayName | ldap_display |
| eventdata_attributeSyntaxOID | attribute_id |
| eventdata_attributeValue | attribute_value |
| eventdata_authenticationPackageName | package |
| eventdata_callerProcessId | caller_process_id |
| eventdata_callerProcessName | caller_process |
| eventdata_clientAddress | source_address |
| eventdata_clientCreationTime | creation_ts |
| eventdata_clientName | workstation |
| eventdata_clientProcessId | process_id |
| eventdata_clientProcessStartKey | process_start_key |
| eventdata_commandLine | command |
| eventdata_countOfCredentialsReturned | credentials_returned_count |
| eventdata_dSName | service |
| eventdata_dSType | service_type |
| eventdata_displayName | display_name |
| eventdata_domainName | domain |
| eventdata_domainPolicyChanged | policy |
| eventdata_domainSid | domain_id |
| eventdata_elevatedToken | elevated_token |
| eventdata_eventCountTotal | event_count |
| eventdata_eventIdx | event_idx |
| eventdata_fQDN | fqdn |
| eventdata_failureId | failure_id |
| eventdata_failureReason | reason |
| eventdata_fileName | file |
| eventdata_flags | flag |
| eventdata_groupMembership | group_membership |
| eventdata_handleId | handle_id |
| eventdata_impersonationLevel | impersonation_level |
| eventdata_ipAddress | source_address |
| eventdata_ipPort | source_port |
| eventdata_keyFilePath | path |
| eventdata_keyLength | key_length |
| eventdata_keyName | key |
| eventdata_keyType | key_type |
| eventdata_linkName | link |
| eventdata_lmPackageName | lm_package |
| eventdata_lockoutThreshold | lockout_threshold |
| eventdata_logonGuid | logon_guid |
| eventdata_logonHours | logon_hour |
| eventdata_logonID | logon_id |
| eventdata_logonProcessName | logon_process |
| eventdata_logonType | logon_type |
| eventdata_mandatoryLabel | integrity_id |
| eventdata_masterKeyId | master_key_id |
| eventdata_memberName | member |
| eventdata_memberSid | target_id |
| eventdata_newProcessId | target_process_id |
| eventdata_newProcessName | new_process |
| eventdata_newSd | new_sd |
| eventdata_newState | new_value |
| eventdata_newUacValue | new_value |
| eventdata_newValue | new_value |
| eventdata_newValueType | new_value_type |
| eventdata_objectClass | class |
| eventdata_objectDN | object_dn |
| eventdata_objectGUID | service_guid |
| eventdata_objectName | object_name |
| eventdata_objectServer | object_server |
| eventdata_objectType | object_type |
| eventdata_objectValueName | object_value |
| eventdata_oldUacValue | old_value |
| eventdata_oldValue | old_value |
| eventdata_oldValueType | old_value_type |
| eventdata_opCorrelationID | operation_id |
| eventdata_operation | action |
| eventdata_operationType | operation_type |
| eventdata_packageName | package |
| eventdata_parentProcessId | parent_process_id |
| eventdata_parentProcessName | parent_process |
| eventdata_passwordLastSet | password_last_set_ts |
| eventdata_preAuthType | pre_authentication_type |
| eventdata_primaryGroupId | group_id |
| eventdata_privilegeList | privilege |
| eventdata_processCreationTime | process_creation_ts |
| eventdata_processId | process_id |
| eventdata_processName | process |
| eventdata_profileChanged | profile |
| eventdata_properties | properties |
| eventdata_providerName | provider |
| eventdata_readOperation | operation_type |
| eventdata_recoveryKeyId | recover_id |
| eventdata_recoveryReason | reason |
| eventdata_recoveryServer | server |
| eventdata_resourceManager | resource_manager |
| eventdata_restrictedAdminMode | restricted_admin_mode |
| eventdata_restrictedSidCount | restricted_id_count |
| eventdata_returnCode | status_code |
| eventdata_rpcCallClientLocality | rpc_call_client_locality |
| eventdata_ruleAttr | attribute |
| eventdata_ruleId | rule_id |
| eventdata_ruleName | rule_name |
| eventdata_samAccountName | sam_account_name |
| eventdata_service | service |
| eventdata_serviceAccount | service_account |
| eventdata_serviceFileName | file |
| eventdata_serviceName | service |
| eventdata_serviceSid | service_id |
| eventdata_serviceStartType | start_type |
| eventdata_sessionId | session_id |
| eventdata_sessionName | session |
| eventdata_shareLocalPath | share_path |
| eventdata_shareName | share_name |
| eventdata_status | status_code |
| eventdata_subStatus | sub_status_code |
| eventdata_subjectDomainName | domain |
| eventdata_subjectLogonId | logon_id |
| eventdata_subjectUserName | user |
| eventdata_subjectUserSid | user_id |
| eventdata_targetDomainName | target_domain |
| eventdata_targetInfo | information |
| eventdata_targetLinkedLogonId | target_linked_logon_id |
| eventdata_targetLogonGuid | target_logon_guid |
| eventdata_targetLogonId | target_logon_id |
| eventdata_targetName | target_name |
| eventdata_targetServerName | server |
| eventdata_targetSid | target_id |
| eventdata_targetUserName | target_user |
| eventdata_targetUserSid | target_id |
| eventdata_taskName | task |
| eventdata_ticketEncryptionType | encryption_type |
| eventdata_ticketOptions | ticket_option |
| eventdata_tokenElevationType | token_elevation_type |
| eventdata_transactionId | transaction_id |
| eventdata_transmittedServices | transmitted_service |
| eventdata_type | type |
| eventdata_userAccountControl | user_account_control |
| eventdata_userPrincipalName | user_principal_name |
| eventdata_virtualAccount | virtual_account |
| eventdata_workstation | workstation |
| eventdata_workstationName | workstation |
| id | id |
| integrity_label | integrity_label |
| location | location |
| logon_category | logon_category |
| manager_name | agentx_manager |
| message | message |
| object | object |
| right | right |
| rule_description | rule_description |
| rule_firedtimes | rule_trigger_count |
| rule_frequency | rule_frequency |
| rule_gdpr | gdpr |
| rule_gpg13 | gpg13 |
| rule_groups | rule_group |
| rule_hipaa | hipaa |
| rule_id | rule_trigger_id |
| rule_level | rule_level |
| rule_mail | rule_mail |
| rule_mitre_id | attack_id |
| rule_mitre_tactic | attack_category |
| rule_mitre_technique | attack_tag |
| rule_nist_800_53 | nist_800_53 |
| rule_pci_dss | pci_dss |
| rule_tsc | tsc |
| system_channel | channel |
| system_computer | host |
| system_eventID | event_id |
| system_eventRecordID | record |
| system_keywords | keyword |
| system_level | severity |
| system_opcode | opcode_value |
| system_processID | execution_process_id |
| system_providerGuid | guid |
| system_providerName | event_source |
| system_severityValue | log_level |
| system_systemTime | log_ts |
| system_task | task_value |
| system_threadID | execution_thread_id |
| system_version | version |
| timestamp | event_received_ts |
Active Response
| Windows Field | Logpoint Field |
| --- | --- |
| agent_id | agentx_agent_id |
| agent_ip | agentx_agent_address |
| agent_labels_os_name | agentx_agent_os |
| agent_name | agentx_agent |
| data_parameters_program | program |
| data_parameters_keys | parameter_key |
| data_origin_module | origin_module |
| data_origin_name | origin |
| data_version | version |
| data_command | command |
| decoder_name | agentx_decoder |
| manager_name | agentx_manager |
| hostname | host |
| log_type | log_level |
| rule_description | rule_description |
| rule_firedtimes | rule_trigger_count |
| rule_frequency | rule_frequency |
| rule_gdpr | gdpr |
| rule_gpg13 | gpg13 |
| rule_groups | rule_group |
| rule_hipaa | hipaa |
| rule_id | rule_trigger_id |
| rule_level | rule_level |
| rule_mail | rule_mail |
| rule_mitre_id | attack_id |
| rule_mitre_tactic | attack_category |
| rule_mitre_technique | attack_tag |
| rule_nist_800_53 | nist_800_53 |
| rule_pci_dss | pci_dss |
| rule_tsc | tsc |
| timestamp | event_received_ts |
| os_query | query |
OSQuery
| Windows Field | Logpoint Field |
| --- | --- |
| agent_name | agentx_agent |
| decoder_name | agentx_decoder |
| manager_name | agentx_manager |
| agent_labels_os_name | agentx_agent_os |
| agent_ip | agentx_agent_address |
| agent_id | agentx_agent_id |
| rule_firedtimes | rule_trigger_count |
| rule_cis | cis |
| rule_cis_csc | cis_csc |
| rule_gdpr_IV | gdpr_iv |
| rule_gpg_13 | gpg13 |
| rule_gdpr | gdpr |
| rule_gpg13 | gpg13 |
| rule_groups | rule_group |
| rule_hipaa | hipaa |
| rule_id | rule_trigger_id |
| rule_mitre_id | attack_id |
| rule_mitre_tactic | attack_category |
| rule_mitre_technique | attack_tag |
| rule_nist_800_53 | nist_800_53 |
| rule_pci_dss | pci_dss |
| rule_tsc | tsc |
| timestamp | event_received_ts |
| data_osquery_action | action |
| data_osquery_counter | record_counter |
| data_osquery_decorations_host_uuid | host_uuid |
| data_osquery_decorations_os_name | os |
| data_osquery_decorations_username | user |
| data_osquery_epoch | epoch |
| data_osquery_hostIdentifier | host_id |
| data_osquery_name | event_type |
| data_osquery_numerics | is_numeric |
| data_osquery_unixTime | log_ts |
Windows MSSQL Module
| Windows Field | Logpoint Field |
| --- | --- |
| agent_id | agentx_agent_id |
| agent_ip | agentx_agent_address |
| agent_labels_os_name | agentx_agent_os |
| decoder_name | agentx_decoder |
| agent_name | agentx_agent |
| manager_name | agentx_manager |
| system_channel | channel |
| system_computer | host |
| system_eventID | event_id |
| system_eventRecordID | record |
| system_keywords | keyword |
| system_level | severity |
| system_opcode | opcode_value |
| system_processID | execution_process_id |
| system_providerGuid | guid |
| system_providerName | event_source |
| system_severityValue | log_level |
| system_systemTime | log_ts |
| system_task | task_value |
| system_threadID | execution_thread_id |
| system_version | version |
| rule_description | rule_description |
| rule_firedtimes | rule_trigger_count |
| rule_frequency | rule_frequency |
| rule_gdpr | gdpr |
| rule_gpg13 | gpg13 |
| rule_groups | rule_group |
| rule_hipaa | hipaa |
| rule_id | rule_trigger_id |
| rule_level | rule_level |
| rule_mail | is_rule_mail |
| rule_mitre_id | attack_id |
| rule_mitre_tactic | attack_category |
| rule_mitre_technique | attack_tag |
| rule_nist_800_53 | nist_800_53 |
| rule_pci_dss | pci_dss |
| rule_tsc | tsc |
| id | id |
| integrity_label | integrity_label |
| location | location |
| logon_category | logon_category |
| message | message |
| object | object |
| right | right |
| count | restart_failure_count |
| timestamp | event_received_ts |
| values | value |
| succeeded | is_succeeded |
| system_message | message |
| client_ip | source_address |
| duration_milliseconds | duration |
| host_name | host |
| event_time | event_ts |
| action | action |
| action_id | action_id |
| additional_information | additional_information |
| affected_rows | affected_rows |
| application_name | application |
| audit_schema_version | audit_schema_version |
| class_type | class_type |
| client_tls_version | source_tls_version |
| condition | condition |
| connection_id | connection_id |
| database_name | database |
| database_principal_id | database_principal_id |
| database_principal_name | database_principal_name |
| database_transaction_id | database_transaction_id |
| eventdata_binary | eventdata_binary |
| execution_thread_id | execution_thread_id |
| instance | instance |
| is_alert | is_alert |
| is_column_permission | is_column_permission |
| ledger_start_sequence_number | ledger_start_sequence_number |
| permission_bitmask | permission_bitmask |
| response_rows | response_rows |
| schema_name | schema_name |
| sequence_group_id | sequence_group_id |
| sequence_number | sequence_number |
| server_instance_name | server_instance |
| server_principal_id | server_principal_id |
| server_principal_name | server_principal_name |
| server_principal_sid | server_principal_sid |
| session | session |
| session_id | session_id |
| session_server_principal_name | session_server_principal_name |
| startup_type | startup_type |
| statement | statement |
| target_database_principal_id | target_database_principal_id |
| target_server_principal_id | target_server_principal_id |
| user_defined_event_id | user_defined_event_id |
| fields | field |
| table_name | table |
Windows IIS Module
Event ID: 29
| Windows Field | Logpoint Field |
| --- | --- |
| eventdata_configuration | configuration |
| eventdata_editOperationType | edit_operation_type |
| eventdata_physicalPath | path |
| eventdata_configPath | configuration_path |
Event ID: 50
| Windows Field | Logpoint Field |
| --- | --- |
| eventdata_configPath | configuration_path |