Common Information Model and Field Mapping Changes for the Splunk Add-on for Microsoft Windows
Version 8.9.0 of the Splunk Add-on for Microsoft Windows introduced Common Information Model (CIM) and field mapping changes to its sourcetypes. See the following sections for information on changes to the mapping of this information.
CIM model comparison for versions 8.8.0 and 8.9.0
Version 8.8.0 of the Splunk Add-on for Microsoft Windows introduced Common Information Model (CIM) and field mapping changes to its WinEventLog:Security and XmlWinEventLog:Security sourcetypes. See the following sections for information on changes to the mapping of this information.
Sourcetype | EventCode | Previous CIM model | New CIM model
---|---|---|---
WinEventLog / XmlWinEventLog | 4798 | Event_Signatures.Signatures | Change.Account_Management, Event_Signatures.Signatures
XmlWinEventLog | 17, 18, 19 | Event_Signatures.Signatures | Updates.Updates, Event_Signatures.Signatures
Field Changes
Source/Sourcetype | EventCode | Fields added | Fields removed
---|---|---|---
WinEventLog | 5156, 5157 | src_ip, protocol, protocol_version, dest_ip, direction, src, rule | NA
WinEventLog | 4798 | result, signature, User_Security_ID, object_category, user_name, change_type, User_Account_Name, object, command, object_id, src_user_name, name, object_attrs, subject, src, User_Account_Domain | NA
WinEventLog | 19 | file_name | NA
WinEventLog | 4624, 4658, 4703, 4648, 4663, 4656, 4689, 4657, 4673, 4661, 4660, 4907, 4985, 4696, 6417, 4670, 4674, 4904, 4799 | command | NA
WinEventLog | 5152 | direction | NA
WinEventLog | 6272, 6273 | User_Account_Name, User_Account_Domain, User_Security_ID |
WinEventLog | 4625 | Signature_mesage, package_title, package | NA
XmlWinEventLog / WinEventLog | 17, 18, 19 | Error_Code, category, result, ta_windows_action, ta_windows_security_CategoryString, vendor_product | NA
XmlWinEventLog | 5156, 5157 | protocol_version, severity, process_id, rule, dest_ip, src_ip, severity_id, src_port, protocol, user, direction, src | NA
XmlWinEventLog | 1100, 1101, 1102, 1104, 1105, 1108, 4608, 4610, 4611, 4614, 4622, 4624, 4625, 4627, 4634, 4647, 4648, 4653, 4656, 4657, 4658, 4660, 4661, 4662, 4663, 4664, 4670, 4672, 4673, 4674, 4688, 4689, 4690, 4696, 4697, 4698, 4699, 4700, 4701, 4702, 4703, 4704, 4705, 4713, 4715, 4717, 4718, 4719, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4738, 4740, 4741, 4742, 4743, 4750, 4753, 4754, 4755, 4756, 4757, 4758, 4764, 4767, 4768, 4769, 4770, 4771, 4776, 4778, 4779, 4781, 4793, 4797, 4800, 4801, 4817, 4826, 4902, 4904, 4906, 4907, 4912, 4931, 4932, 4933, 4944, 4945, 4946, 4947, 4948, 4950, 4953, 4954, 4956, 4957, 4963, 5024, 5025, 5031, 5033, 5034, 5040, 5041, 5043, 5044, 5045, 5058, 5059, 5061, 5136, 5137, 5140, 5141, 5142, 5145, 5152, 5154, 5158, 5379, 5441, 5442, 5444, 5446, 5447, 5448, 5449, 5450, 5478, 6144, 6145, 6272, 6416, 6417 | severity, severity_id | NA
XmlWinEventLog | 4799 | severity, severity_id, command | NA
CIM model and Field Mapping changes for MSAD:NT6:DNS
See the following comparison tables for CIM model and field mapping changes for the MSAD:NT6:DNS sourcetype.
CIM model comparison for versions 8.6.0 and 8.7.0
Sourcetype | Previous CIM model | New CIM model
---|---|---
MSAD:NT6:DNS | Network Resolution (DNS) |
Field Changes
Sourcetype - MSAD:NT6:DNS field mapping changes
Sourcetype | Fields added | Fields removed | Fields modified
---|---|---|---
MSAD:NT6:DNS | additional_answer_count, answer, answer_count, authority_answer_count, dest, message_type, name, query_count, query_type, record_type, reply_code_id, src, src_port, vendor_product, src_user, src_user_name, object_id, object, src | query, reply_code |
Version 8.1.2 of the Splunk Add-on for Microsoft Windows introduced Common Information Model (CIM) and field mapping changes to its sourcetypes. See the following sections for information on changes to the mapping of this information.
CIM model and Field Mapping changes for Wineventlog:Security
See the following comparison tables for CIM model and field mapping changes for the Wineventlog:Security sourcetype.
Field mapping comparison for versions 8.7.0 and 8.8.0
Sourcetype | EventCode | Fields added | Fields removed
---|---|---|---
WinEventLog | 4798 | change_type, command, object, object_attrs, object_category, object_id, result, src |
CIM model comparison for versions 4.8.4 and 8.1.2
Sourcetype | EventCode | Previous CIM model | New CIM model
---|---|---|---
WinEventLog:Security | 4801, 4774, 4775 | Authentication, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem |
WinEventLog:Security | 1102, 1100 | Event_Signatures.Signatures, Endpoint.Processes, Endpoint.Filesystem, Endpoint.Services |
WinEventLog:Security | 4768, 4769, 4624, 4625, 4648, 4771, 4777, 4776, 4672, 4957, 5025, 4627, 4622, 4713, 5157, 4932, 5155, 5154, 5152, 4933, 4907, 4906, 4904, 4902, 4634, 4985, 5444, 4701, 4700, 4703, 4702, 4705, 4704, 4931, 5449, 5446, 5478, 6417, 6416, 5448, 5137, 5136, 5030, 5031, 5033, 5034, 5035, 4946, 4889, 4608, 1104, 4800, 4688, 4689, 4963, 4662, 4663, 4660, 4661, 4664, 5058, 5059, 4616, 4614, 4611, 4610, 4697, 4696, 4817, 4690, 4950, 4698, 4826, 4954, 5156, 4670, 4673, 4674, 5041, 5040, 5043, 5045, 5044, 4947, 4699, 4945, 4944, 4948, 4647, 6145, 6144, 4770, 4778, 4779, 5447, 4956, 5441, 4953, 5442, 6273, 6272, 4653, 4799, 4656, 4793, 4658, 5061, 5024, 5450, 5140, 5142, 5145 | Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem |
WinEventLog:Security | 4717, 4718 | Endpoint.Services, Change.Endpoint_Changes, Endpoint.Filesystem, Change.Account_Management, Endpoint.Processes, Event_Signatures.Signatures |
WinEventLog:Security | 5461 | Change.Endpoint_Changes, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem |
WinEventLog:Security | 4912, 4715, 4719, 1101, 1105, 1108 | Endpoint.Services, Change.Auditing_Changes, Change.Endpoint_Changes, Endpoint.Filesystem, Endpoint.Processes, Event_Signatures.Signatures |
WinEventLog:Security | 5158 | Endpoint.Ports, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem |
WinEventLog:Security | 4657 | Endpoint.Registry, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem |
WinEventLog:Security | 4767, 4781, 4764, 4734, 4735, 4737, 4730, 4731, 4732, 4733, 4738, 4739, 4742, 4758, 4756, 4754, 4755, 4753, 4750, 4798, 4757, 4797, 5379, 4741, 4740, 4729, 4728, 4743, 4720, 4727, 4726, 4725, 4724 | Change.Endpoint_Changes, Event_Signatures.Signatures, Endpoint.Processes, Endpoint.Filesystem, Endpoint.Services |
Field mapping comparison for versions 4.8.4 and 8.1.2
Sourcetype | EventCode | Fields added | Fields removed
---|---|---|---
wineventlog* | 5024, 5025, 5033, 5034, 5478 | Error_Code, category, service, service_name, ta_windows_action, vendor_product | src
wineventlog* | 5156, 5157 | Error_Code, category, dest_port, process_id, ta_windows_action, transport, vendor_product | src
wineventlog* | 4720, 4725, 4726, 4738, 4767 | Error_Code, category, result, ta_windows_action, ta_windows_security_CategoryString, vendor_product | src
wineventlog* | 4625 | Error_Code, category, process_id, ta_windows_action, ta_windows_status, vendor_product | src
wineventlog* | 4658, 4660, 4689, 4798, 4904, 4985, 6417 | Error_Code, category, process, process_name, ta_windows_action, vendor_product | src
wineventlog* | 5154, 5155, 5158 | Error_Code, category, process_id, ta_windows_action, transport, vendor_product | src
wineventlog* | 4907 | Error_Code, category, file_name, file_path, object_file_name, object_file_path, process, process_id, process_name, ta_windows_action, vendor_product | src
wineventlog* | 5152 | Error_Code, category, dest_port, process_id, ta_windows_action, vendor_product | src
wineventlog* | 1100, 1102, 4945, 4946, 4947, 4948 | Error_Code, category, object_attrs, ta_windows_action, vendor_product | src
wineventlog* | 5461 | category, change_type, object_attrs, object_category, result, ta_windows_action, vendor_product | src
wineventlog* | 4769, 4770 | Error_Code, category, service, service_id, service_name, ta_windows_action, vendor_product |
wineventlog* | 4664, 5058, 5140, 5142, 5145 | Error_Code, category, file_name, file_path, ta_windows_action, vendor_product | src
wineventlog* | 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4739, 4750, 4753, 4754, 4755, 4757, 4758, 4764, 4781 | Error_Code, category, change_type, object_attrs, object_category, result, ta_windows_action, ta_windows_security_CategoryString, vendor_product | src
wineventlog* | 4688 | Error_Code, Token_Elevation_Type_id, category, new_process_name, parent_process_id, parent_process_name, parent_process_path, process, process_exec, process_name, process_path, ta_windows_action, vendor_product | src
wineventlog* | 1101, 1108, 4719 | Error_Code, category, change_type, object_attrs, object_category, ta_windows_action, vendor_product | src
wineventlog* | 4717, 4718 | Error_Code, category, change_type, object_attrs, object_category, result, ta_windows_action, vendor_product | src
wineventlog* | 4670 | Error_Code, category, process, process_name, registry_path, ta_windows_action, vendor_product | src
wineventlog* | 4776, 4777 | category, ta_windows_action, vendor_product |
wineventlog* | 4799 | Error_Code, category, object_attrs, process, process_name, ta_windows_action, vendor_product | src
wineventlog* | 4741, 4742, 4743 | Error_Code, category, object_attrs, result, ta_windows_action, ta_windows_security_CategoryString, vendor_product | src
wineventlog* | 4624, 4648, 4674, 4696, 4703 | Error_Code, category, process, process_id, process_name, ta_windows_action, vendor_product | src
wineventlog* | 4756 | Error_Code, Group_Domain, Group_Name, category, change_type, object_attrs, object_category, result, ta_windows_action, ta_windows_security_CategoryString, user_group, vendor_product | src
wineventlog* | 4768 | Error_Code, category, service, service_id, service_name, ta_windows_action, user_id, vendor_product |
wineventlog* | 1104, 1105, 4608, 4610, 4611, 4614, 4622, 4627, 4634, 4647, 4653, 4672, 4690, 4698, 4699, 4700, 4701, 4702, 4704, 4705, 4713, 4715, 4774, 4775, 4797, 4800, 4801, 4826, 4889, 4902, 4906, 4912, 4931, 4932, 4933, 4944, 4950, 4953, 4954, 4956, 4957, 4963, 5031, 5040, 5041, 5043, 5044, 5045, 5059, 5061, 5136, 5137, 5379, 5441, 5442, 5444, 6144, 6272, 6273, 6416 | Error_Code, category, ta_windows_action, vendor_product | src
wineventlog* | 4697 | Error_Code, category, service, service_name, start_mode, ta_windows_action, vendor_product | src
wineventlog* | 4673 | Error_Code, category, process, process_name, service, service_name, ta_windows_action, vendor_product | src
wineventlog* | 4657 | Error_Code, category, object_file_name, object_file_path, process, process_id, process_name, registry_path, registry_value_name, registry_value_type, ta_windows_action, vendor_product | src
wineventlog* | 5030, 5035 | category, service, service_name, ta_windows_action, vendor_product | src
wineventlog* | 4771 | Error_Code, category, service, service_name, ta_windows_action, vendor_product |
wineventlog* | 4616, 5446, 5447, 5448, 5449, 5450 | Error_Code, category, process_id, ta_windows_action, vendor_product | src
wineventlog* | 4724 | Error_Code, category, object_attrs, ta_windows_action, ta_windows_security_CategoryString, vendor_product | src
wineventlog* | 6145 | category, ta_windows_action, vendor_product | src
wineventlog* | 4740, 4793 | Error_Code, category, ta_windows_action, ta_windows_security_CategoryString, vendor_product | src
wineventlog* | 4656, 4661, 4663 | Error_Code, category, object_file_name, object_file_path, process, process_id, process_name, ta_windows_action, vendor_product | src
wineventlog* | 4778, 4779 | Error_Code, category, ta_windows_action, vendor_product |
wineventlog* | 4662, 4817 | Error_Code, category, object_file_name, object_file_path, ta_windows_action, vendor_product | src
CIM model comparison for versions 7.0.0 and 8.1.2
Sourcetype | EventCode | Previous CIM model | New CIM model
---|---|---|---
WinEventLog:Security | 4801 | Authentication, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem |
WinEventLog:Security | 1102, 1100 | Event_Signatures.Signatures, Endpoint.Processes, Endpoint.Filesystem, Endpoint.Services |
WinEventLog:Security | 4912, 4739, 4743, 4781, 4764, 4734, 4735, 4737, 4730, 4731, 4732, 4715, 4718, 4719, 4738, 4742, 4758, 4756, 4757, 4754, 4755, 4753, 4750, 4798, 4767, 4797, 4717, 5379, 4741, 4733, 4740, 4729, 4728, 1105, 4720, 4727, 4726, 4725, 4724 | Change.Endpoint_Changes, Event_Signatures.Signatures, Endpoint.Processes, Endpoint.Filesystem, Endpoint.Services |
WinEventLog:Security | 5461 | Change.Endpoint_Changes, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem |
WinEventLog:Security | 4769, 4624, 4625, 4648, 4771, 4774, 4775, 4777, 4776, 4768, 4672, 4957, 5025, 4627, 4622, 4713, 5157, 4932, 5155, 5154, 5152, 4933, 4907, 4906, 4904, 4902, 4634, 4985, 5444, 4701, 4700, 4703, 4702, 4705, 4704, 4931, 5449, 5446, 5478, 6417, 6416, 5448, 5137, 5136, 5030, 5031, 5033, 5034, 5035, 4946, 4889, 4608, 1104, 4800, 4688, 4689, 4963, 4662, 4663, 4660, 4661, 4664, 5058, 5059, 4616, 4614, 4611, 4610, 4697, 4696, 4817, 4690, 4950, 4698, 4826, 4954, 5156, 4670, 4673, 4674, 5041, 5040, 5043, 5045, 5044, 4947, 4699, 4945, 4944, 4948, 4647, 6145, 6144, 4770, 4778, 4779, 5447, 4956, 5441, 4953, 5442, 6273, 6272, 4653, 4799, 4656, 4793, 4658, 5061, 5024, 5450, 5140, 5142, 5145 | Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem |
WinEventLog:Security | 1101, 1108 | Endpoint.Services, Change.Auditing_Changes, Change.Endpoint_Changes, Endpoint.Filesystem, Endpoint.Processes, Event_Signatures.Signatures |
WinEventLog:Security | 5158 | Endpoint.Ports, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem |
WinEventLog:Security | 4657 | Endpoint.Registry, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem |
Field mapping comparison for versions 7.0.0 and 8.1.2
Sourcetype | EventCode | Fields added | Fields removed
---|---|---|---
wineventlog* | 1101, 1108, 4719 | change_type, object_attrs, object_category, vendor_product |
wineventlog* | 4768 | service, service_id, service_name, user_id, vendor_product |
wineventlog* | 4741, 4742, 4743 | object_attrs, result, vendor_product |
wineventlog* | 4717, 4718, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4739, 4750, 4753, 4754, 4755, 4756, 4757, 4758, 4764, 4781, 5461 | change_type, object_attrs, object_category, result, vendor_product |
wineventlog* | 4697 | service, service_name, start_mode, vendor_product |
wineventlog* | 4657 | object_file_name, object_file_path, process, process_name, registry_path, registry_value_name, registry_value_type, vendor_product |
wineventlog* | 4656, 4661, 4663 | object_file_name, object_file_path, process, process_name, vendor_product |
wineventlog* | 4662, 4817 | object_file_name, object_file_path, vendor_product |
wineventlog* | 4673 | process, process_name, service, service_name, vendor_product |
wineventlog* | 4670 | process, process_name, registry_path, vendor_product |
wineventlog* | 4720, 4725, 4726, 4738, 4767 | result, vendor_product |
wineventlog* | 4664, 5058, 5140, 5142, 5145 | file_name, file_path, vendor_product |
wineventlog* | 4771, 5024, 5025, 5030, 5033, 5034, 5035, 5478 | service, service_name, vendor_product |
wineventlog* | 4799 | object_attrs, process, process_name, vendor_product |
wineventlog* | 4907 | file_name, file_path, object_file_name, object_file_path, process, process_name, vendor_product |
wineventlog* | 5154, 5155, 5156, 5157, 5158 | transport, vendor_product |
wineventlog* | 4624, 4648, 4658, 4660, 4674, 4689, 4696, 4703, 4798, 4904, 4985, 6417 | process, process_name, vendor_product |
wineventlog* | 1100, 1102, 4724 | object_attrs, vendor_product |
wineventlog* | 4688 | Token_Elevation_Type_id, new_process_name, parent_process_id, parent_process_name, parent_process_path, process, process_exec, process_name, process_path, vendor_product |
wineventlog* | 4769, 4770 | service, service_id, service_name, vendor_product |
wineventlog* | 1104, 1105, 4608, 4610, 4611, 4614, 4616, 4622, 4625, 4627, 4634, 4647, 4653, 4672, 4690, 4698, 4699, 4700, 4701, 4702, 4704, 4705, 4713, 4715, 4740, 4774, 4775, 4776, 4777, 4778, 4779, 4793, 4797, 4800, 4801, 4826, 4889, 4902, 4906, 4912, 4931, 4932, 4933, 4944, 4945, 4946, 4947, 4948, 4950, 4953, 4954, 4956, 4957, 4963, 5031, 5040, 5041, 5043, 5044, 5045, 5059, 5061, 5136, 5137, 5152, 5379, 5441, 5442, 5444, 5446, 5447, 5448, 5449, 5450, 6144, 6145, 6272, 6273, 6416 | vendor_product |
CIM model and Field Mapping Changes for XmlWineventlog:Security
See the following comparison tables for CIM model and field mapping changes for the XmlWineventlog:Security sourcetype.
Field mapping comparison for versions 8.7.0 and 8.8.0
Sourcetype | EventCode | Fields added | Fields removed
---|---|---|---
WinEventLog | 4798 | change_type, command, object, object_attrs, object_category, object_id, result, src, user_name, src_user_name |
CIM model comparison for versions 4.8.4 and 8.1.2
Sourcetype | EventCode | Previous CIM model | New CIM model
---|---|---|---
XmlWinEventLog:Security | 4672, 4957, 4624, 4625, 4648, 4769, 4768, 4771, 4776, 4932, 4933, 4931, 4948, 4670, 4673, 4674, 4800, 4778, 4779, 4770, 5450, 4985, 4902, 4907, 4906, 4904, 4662, 4663, 4660, 4661, 4664, 4705, 4704, 4701, 4700, 4703, 4702, 5152, 5156, 5154, 5025, 5024, 5145, 5140, 5141, 5142, 5441, 4713, 4797, 4793, 4658, 4656, 4653, 4798, 4799, 5031, 5033, 5034, 6145, 6144, 5137, 5136, 5157, 5442, 5444, 5447, 5448, 4647, 5449, 4634, 4963, 5045, 5044, 5379, 5041, 5040, 5043, 6416, 1104, 4627, 4622, 5058, 5059, 6272, 6417, 4947, 4944, 4611, 4610, 4616, 4614, 5061, 4690, 4697, 4696, 4699, 4698, 4688, 4689, 4946, 4945, 5446, 4950, 4953, 4954, 4826, 4956, 4608, 4817, 5478 | Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem |
XmlWinEventLog:Security | 4719, 4715, 1108, 1105, 1101, 4912 | Endpoint.Services, Change.Auditing_Changes, Change.Endpoint_Changes, Endpoint.Filesystem, Endpoint.Processes, Event_Signatures.Signatures |
XmlWinEventLog:Security | 4781, 4718, 4717, 4729, 4728, 4723, 4722, 4720, 4727, 4726, 4725, 4724, 4734, 4735, 4737, 4730, 4731, 4732, 4733, 4738, 4739, 4741, 4740, 4743, 4742, 4753, 4750, 4756, 4757, 4754, 4755, 4767, 4764, 4758 | Endpoint.Services, Change.Endpoint_Changes, Endpoint.Filesystem, Change.Account_Management, Endpoint.Processes, Event_Signatures.Signatures |
XmlWinEventLog:Security | 1100, 1102 | Event_Signatures.Signatures, Endpoint.Processes, Endpoint.Filesystem, Endpoint.Services |
XmlWinEventLog:Security | 4657 | Endpoint.Registry, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem |
XmlWinEventLog:Security | 5158 | Endpoint.Ports, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem |
XmlWinEventLog:Security | 4801 | Authentication, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem |
Field Mapping Comparison for versions 4.8.4 and 8.1.2
Sourcetype | EventCode | Fields added | Fields removed
---|---|---|---
xmlWinEventLog* | 4720, 4722, 4725, 4726, 4738, 4740, 4767 | CategoryString, Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, result, signature, signature_id, subject, ta_windows_action, ta_windows_security_CategoryString, user_group, vendor_product |
xmlWinEventLog* | 4648 | Error_Code, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process, process_id, process_name, process_path, signature, signature_id, src_ip, subject, ta_windows_action, user_group, vendor_product |
xmlWinEventLog* | 1108 | Error_Code, action, app, change_type, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, object_category, signature, signature_id, status, subject, ta_windows_action, vendor_product |
xmlWinEventLog* | 4742, 4743 | CategoryString, Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, process_id, result, signature, signature_id, subject, ta_windows_action, ta_windows_security_CategoryString, user_group, vendor_product |
xmlWinEventLog* | 4657 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_file_name, object_file_path, parent_process_id, process, process_id, process_name, process_path, registry_path, registry_value_name, registry_value_type, signature, signature_id, subject, ta_windows_action, vendor_product |
xmlWinEventLog* | 5154 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process_id, signature, signature_id, subject, ta_windows_action, transport, vendor_product |
xmlWinEventLog* | 4723, 4724 | CategoryString, Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, process_id, signature, signature_id, subject, ta_windows_action, ta_windows_security_CategoryString, user_group, vendor_product |
xmlWinEventLog* | 5140 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, file_name, id, name, process_id, signature, signature_id, src_ip, subject, ta_windows_action, vendor_product |
xmlWinEventLog* | 5152 | Error_Code, app, dest, dest_port, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process_id, signature, signature_id, subject, ta_windows_action, vendor_product |
xmlWinEventLog* | 1102 | Caller_User_Name, Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, process_id, signature, signature_id, src_user, status, subject, ta_windows_action, vendor_product |
xmlWinEventLog* | 4719 | Error_Code, app, change_type, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, object_category, process_id, signature, signature_id, subject, ta_windows_action, vendor_product |
xmlWinEventLog* | 4662, 4817 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_file_name, object_file_path, process_id, signature, signature_id, subject, ta_windows_action, vendor_product |
xmlWinEventLog* | 4945, 4946, 4947, 4948, 4953, 4957 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, process_id, signature, signature_id, subject, ta_windows_action, vendor_product |
xmlWinEventLog* | 5034 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, service, service_name, signature, signature_id, subject, ta_windows_action, vendor_product |
xmlWinEventLog* | 4739 | CategoryString, Error_Code, app, change_type, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, object_category, process_id, result, severity, signature, signature_id, subject, ta_windows_action, ta_windows_security_CategoryString, vendor_product |
xmlWinEventLog* | 4624 | Error_Code, dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process, process_id, process_name, process_path, signature, signature_id, src_ip, subject, ta_windows_action, user_group, vendor_product |
xmlWinEventLog* | 4728, 4729, 4730, 4732, 4733, 4734, 4753, 4756, 4757, 4758, 4764 | CategoryString, Error_Code, Group_Domain, Group_Name, app, change_type, dest, dvc, dvc_nt_host, event_id, id, name, object_category, process_id, result, signature, signature_id, subject, ta_windows_action, ta_windows_security_CategoryString, user_group, vendor_product |
xmlWinEventLog* | 4768, 4769 | app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, service, service_id, service_name, signature, signature_id, subject, ta_windows_action, ta_windows_status, user_group, vendor_product |
xmlWinEventLog* | 1100 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, process_id, signature, signature_id, status, subject, ta_windows_action, vendor_product |
xmlWinEventLog* | 4797, 4798 | Error_Code, action, app, dest, dvc, dvc_nt_host, event_id, id, process_id, signature_id, status, ta_windows_action, user_group, vendor_product |
xmlWinEventLog* | 4696 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process_id, signature, signature_id, subject, ta_windows_action, user_group, vendor_product | dest_nt_domain
xmlWinEventLog* | 4634 | Error_Code, dest, dvc, dvc_nt_host, event_id, id, name, process_id, signature, signature_id, subject, ta_windows_action, user_group, vendor_product |
xmlWinEventLog* | 4688 | Error_Code, Process_Command_Line, Token_Elevation_Type_id, app, dest, dvc, dvc_nt_host, event_id, id, name, new_process, new_process_id, new_process_name, parent_process, parent_process_id, parent_process_name, parent_process_path, process, process_command_line_arguments, process_command_line_process, process_exec, process_id, process_name, process_path, signature, signature_id, subject, ta_windows_action, user_group, vendor_product | dest_nt_domain
xmlWinEventLog* | 5156, 5157 | Error_Code, app, dest, dest_port, dvc, dvc_nt_host, event_id, id, name, process_id, signature, signature_id, subject, ta_windows_action, transport, vendor_product |
xmlWinEventLog* | 4625 | dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process, process_id, process_name, process_path, signature, signature_id, src_ip, subject, ta_windows_action, ta_windows_status, user_group, vendor_product |
xmlWinEventLog* | 4627 | Error_Code, action, dest, dvc, dvc_nt_host, event_id, id, process_id, signature_id, status, ta_windows_action, user_group, vendor_product |
xmlWinEventLog* | 4799 | Error_Code, Group_Domain, Group_Name, action, app, dest, dvc, dvc_nt_host, event_id, id, process_id, signature_id, status, ta_windows_action, user_group, vendor_product |
xmlWinEventLog* | 4608, 4610, 4611, 4614, 4622, 4653, 4672, 4690, 4698, 4699, 4700, 4701, 4702, 4704, 4705, 4713, 4715, 4779, 4902, 4906, 4932, 4933, 4944, 4950, 4954, 4956, 4963, 5031, 5040, 5041, 5043, 5044, 5045, 5059, 5061, 5136, 5137, 5441, 5442, 5444, 6144, 6145, 6272 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, signature, signature_id, subject, ta_windows_action, vendor_product |
xmlWinEventLog* | 4647, 4800, 4801 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, signature, signature_id, subject, ta_windows_action, user_group, vendor_product |
xmlWinEventLog* | 6417 | Error_Code, action, app, dest, dvc, dvc_nt_host, event_id, id, parent_process_id, process, process_id, process_name, process_path, signature_id, status, ta_windows_action, vendor_product |
xmlWinEventLog* | 4673 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process_id, service, signature, signature_id, subject, ta_windows_action, vendor_product |
xmlWinEventLog* | 4741 | CategoryString, Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, process_id, result, signature, signature_id, status, subject, ta_windows_action, ta_windows_security_CategoryString, user_group, vendor_product |
xmlWinEventLog* | 1104, 1105 | Error_Code, action, app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, signature, signature_id, status, subject, ta_windows_action, vendor_product |
xmlWinEventLog* | 4703 | Error_Code, action, app, dest, dvc, dvc_nt_host, event_id, id, parent_process_id, process, process_id, process_name, process_path, signature_id, status, ta_windows_action, user_group, vendor_product |
xmlWinEventLog* | 1101 | Error_Code, action, app, change_type, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, object_category, process_id, signature, signature_id, status, subject, ta_windows_action, vendor_product |
xmlWinEventLog* | 4727, 4731, 4735, 4737, 4750, 4754, 4755 | CategoryString, Error_Code, Group_Domain, Group_Name, app, change_type, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, object_category, process_id, result, signature, signature_id, subject, ta_windows_action, ta_windows_security_CategoryString, user_group, vendor_product |
xmlWinEventLog* | 5158 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process_id, signature, signature_id, src_port, subject, ta_windows_action, transport, vendor_product |
xmlWinEventLog* | 4793 | CategoryString, Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, signature, signature_id, subject, ta_windows_action, ta_windows_security_CategoryString, vendor_product |
xmlWinEventLog* | 4664, 5058, 5142 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, file_name, file_path, id, name, process_id, signature, signature_id, subject, ta_windows_action, vendor_product |
xmlWinEventLog* | 4697 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, service, service_name, signature, signature_id, start_mode, subject, ta_windows_action, vendor_product |
xmlWinEventLog* | 4826, 5379, 6416 | Error_Code, action, app, dest, dvc, dvc_nt_host, event_id, id, process_id, signature_id, status, ta_windows_action, vendor_product |
xmlWinEventLog* | 4776 | app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, signature, signature_id, subject, ta_windows_action, ta_windows_status, user_group, vendor_product |
xmlWinEventLog* | 4771 | app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, service, service_name, signature, signature_id, subject, ta_windows_action, ta_windows_status, user_group, vendor_product |
xmlWinEventLog* | 4616, 4658, 4660, 4670, 4674, 4904, 4985 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process, process_id, process_name, process_path, signature, signature_id, subject, ta_windows_action, vendor_product |
xmlWinEventLog* | 4781 | CategoryString, Error_Code, app, change_type, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, object_category, process_id, result, signature, signature_id, subject, ta_windows_action, ta_windows_security_CategoryString, vendor_product |
xmlWinEventLog* | 5446, 5447, 5448, 5449, 5450 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process_id, signature, signature_id, subject, ta_windows_action, vendor_product |
xmlWinEventLog* | 4770 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, service, service_id, service_name, signature, signature_id, subject, ta_windows_action, user_group, vendor_product |
xmlWinEventLog* | 4717, 4718 | Error_Code, app, change_type, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, object_category, process_id, result, signature, signature_id, subject, ta_windows_action, vendor_product |
xmlWinEventLog* | 4912, 4931, 5141 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, signature, signature_id, subject, ta_windows_action, vendor_product |
xmlWinEventLog* | 4656, 4661, 4663 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_file_name, object_file_path, parent_process_id, process, process_id, process_name, process_path, signature, signature_id, subject, ta_windows_action, vendor_product |
xmlWinEventLog* | 4689 | app, dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process, process_id, process_name, process_path, signature, signature_id, subject, ta_windows_action, ta_windows_status, vendor_product |
xmlWinEventLog* | 4778 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, signature, signature_id, src, subject, ta_windows_action, vendor_product |
xmlWinEventLog* | 5024, 5025, 5033, 5478 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, service, service_name, signature, signature_id, subject, ta_windows_action, vendor_product |
xmlWinEventLog* | 5145 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, file_name, file_path, id, name, process_id, signature, signature_id, src_ip, subject, ta_windows_action, vendor_product |
xmlWinEventLog* | 4907 | Error_Code, app, dest, dvc, dvc_nt_host, event_id, file_name, file_path, id, name, object_file_name, object_file_path, parent_process_id, process, process_id, process_name, process_path, signature, signature_id, subject, ta_windows_action, vendor_product |
CIM model comparison for versions 7.0.0 and 8.1.2
Sourcetype | EventCode | Previous CIM model | New CIM model |
---|---|---|---|
XmlWinEventLog:Security | 4625, 4672, 4771, 4776, 4957, 4624, 4648, 4769, 4768, 4932, 4933, 4931, 4948, 4670, 4673, 4674, 4800, 4778, 4779, 4770, 5450, 4985, 4902, 4907, 4906, 4904, 4662, 4663, 4660, 4661, 4664, 4705, 4704, 4701, 4700, 4703, 4702, 5152, 5156, 5154, 5025, 5024, 5145, 5140, 5141, 5142, 5441, 4713, 4797, 4793, 4658, 4656, 4653, 4798, 4799, 5031, 5033, 5034, 6145, 6144, 5137, 5136, 5157, 5442, 5444, 5447, 5448, 4647, 5449, 4634, 4963, 5045, 5044, 5379, 5041, 5040, 5043, 6416, 1104, 4627, 4622, 5058, 5059, 6272, 6417, 4947, 4944, 4611, 4610, 4616, 4614, 5061, 4690, 4697, 4696, 4699, 4698, 4688, 4689, 4946, 4945, 5446, 4950, 4953, 4954, 4826, 4956, 4608, 4817, 5478 | Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem | |
XmlWinEventLog:Security | 1108, 1101 | Endpoint.Services, Change.Auditing_Changes, Change.Endpoint_Changes, Endpoint.Filesystem, Endpoint.Processes, Event_Signatures.Signatures | |
XmlWinEventLog:Security | 4781, 4729, 4728, 4727, 4734, 4735, 4737, 4730, 4731, 4732, 4733, 4739, 4753, 4750, 4756, 4757, 4754, 4755, 4764, 4758 | Endpoint.Services, Change.Endpoint_Changes, Endpoint.Filesystem, Change.Account_Management, Endpoint.Processes, Event_Signatures.Signatures | |
XmlWinEventLog:Security | 1100, 1102 | Event_Signatures.Signatures, Endpoint.Processes, Endpoint.Filesystem, Endpoint.Services | |
XmlWinEventLog:Security | 4912, 4718, 4719, 4717, 4715, 4738, 1105, 4741, 4740, 4743, 4742, 4723, 4722, 4720, 4726, 4725, 4724, 4767 | Change.Endpoint_Changes, Event_Signatures.Signatures, Endpoint.Processes, Endpoint.Filesystem, Endpoint.Services | |
XmlWinEventLog:Security | 4657 | Endpoint.Registry, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem | |
XmlWinEventLog:Security | 5158 | Endpoint.Ports, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem | |
XmlWinEventLog:Security | 4801 | Authentication, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem | |
Field mapping comparison for versions 7.0.0 and 8.1.2
Sourcetype | EventCode | Fields added | Fields removed |
---|---|---|---|
xmlWinEventLog | 4727, 4731, 4735, 4737, 4739, 4750, 4754, 4755 | change_type, object_attrs, object_category, result, ta_windows_security_CategoryString, vendor_product | |
xmlWinEventLog | 4616, 4658, 4660, 4670, 4674, 4904, 4985 | parent_process_id, process_name, process_path, vendor_product | |
xmlWinEventLog | 4771 | service, service_name, vendor_product | Group_Name |
xmlWinEventLog | 4781 | change_type, object_attrs, object_category, result, ta_windows_security_CategoryString, vendor_product | Group_Domain |
xmlWinEventLog | 4703 | action, parent_process_id, process_name, process_path, status, vendor_product | Group_Domain, Group_Name |
xmlWinEventLog | 5156, 5157 | transport, vendor_product | |
xmlWinEventLog | 5152, 5446, 5447, 5448, 5449, 5450 | parent_process_id, vendor_product | |
xmlWinEventLog | 5024, 5025, 5033, 5034, 5478 | service, service_name, vendor_product | |
xmlWinEventLog | 4907 | file_name, file_path, object_file_name, object_file_path, parent_process_id, process_name, process_path, vendor_product | |
xmlWinEventLog | 4742, 4743 | object_attrs, result, ta_windows_security_CategoryString, vendor_product | Group_Domain, Group_Name |
xmlWinEventLog | 4608, 4610, 4611, 4614, 4622, 4653, 4672, 4690, 4698, 4699, 4700, 4701, 4702, 4704, 4705, 4713, 4715, 4779, 4902, 4906, 4912, 4931, 4932, 4933, 4944, 4945, 4946, 4947, 4948, 4950, 4953, 4954, 4956, 4957, 4963, 5031, 5040, 5041, 5043, 5044, 5045, 5059, 5061, 5136, 5137, 5141, 5441, 5442, 5444, 6144, 6145, 6272 | vendor_product | |
xmlWinEventLog | 4719 | change_type, object_attrs, object_category, vendor_product | |
xmlWinEventLog | 4740 | ta_windows_security_CategoryString, vendor_product | Group_Domain, Group_Name |
xmlWinEventLog | 4793 | ta_windows_security_CategoryString, vendor_product | |
xmlWinEventLog | 4634, 4647, 4800, 4801 | vendor_product | Group_Domain, Group_Name |
xmlWinEventLog | 1102 | Caller_User_Name, object_attrs, src_user, status, vendor_product | |
xmlWinEventLog | 4776 | vendor_product | Group_Name |
xmlWinEventLog | 4696 | parent_process_id, vendor_product | Group_Domain, Group_Name |
xmlWinEventLog | 1101, 1108 | action, change_type, object_attrs, object_category, status, vendor_product | |
xmlWinEventLog | 4657 | object_file_name, object_file_path, parent_process_id, process_name, process_path, registry_path, registry_value_name, registry_value_type, vendor_product | |
xmlWinEventLog | 4723, 4724 | object_attrs, ta_windows_security_CategoryString, vendor_product | Group_Domain, Group_Name |
xmlWinEventLog | 4741 | object_attrs, result, status, ta_windows_security_CategoryString, vendor_product | Group_Domain, Group_Name |
xmlWinEventLog | 5154 | parent_process_id, transport, vendor_product | |
xmlWinEventLog | 4778 | src, vendor_product | |
xmlWinEventLog | 4768, 4769, 4770 | service, service_id, service_name, vendor_product | Group_Domain, Group_Name |
xmlWinEventLog | 4627, 4797, 4798 | action, status, vendor_product | Group_Domain, Group_Name |
xmlWinEventLog | 4720, 4722, 4725, 4726, 4738, 4767 | result, ta_windows_security_CategoryString, vendor_product | Group_Domain, Group_Name |
xmlWinEventLog | 4697 | service, service_name, start_mode, vendor_product | |
xmlWinEventLog | 4688 | Process_Command_Line, Token_Elevation_Type_id, new_process, new_process_id, new_process_name, parent_process, parent_process_id, parent_process_name, parent_process_path, process, process_command_line_arguments, process_command_line_process, process_exec, process_name, process_path, vendor_product | Group_Domain, Group_Name |
xmlWinEventLog | 5158 | parent_process_id, src_port, transport, vendor_product | |
xmlWinEventLog | 4689, 6417 | action, parent_process_id, process_name, process_path, status, vendor_product | |
xmlWinEventLog | 4656, 4661, 4663 | object_file_name, object_file_path, parent_process_id, process_name, process_path, vendor_product | |
xmlWinEventLog | 4624, 4625, 4648 | parent_process_id, process_name, process_path, vendor_product | Group_Domain, Group_Name |
xmlWinEventLog | 4662, 4817 | object_file_name, object_file_path, vendor_product | |
xmlWinEventLog | 4717, 4718 | change_type, object_attrs, object_category, result, vendor_product | |
xmlWinEventLog | 4664, 5058, 5142, 5145 | file_name, file_path, vendor_product | |
xmlWinEventLog | 4673 | parent_process_id, service, vendor_product | |
xmlWinEventLog | 1100 | object_attrs, status, vendor_product | |
xmlWinEventLog | 1104, 1105, 4799, 4826, 5379, 6416 | action, status, vendor_product | |
xmlWinEventLog | 5140 | file_name, vendor_product | |
xmlWinEventLog | 4728, 4729, 4730, 4732, 4733, 4734, 4753, 4756, 4757, 4758, 4764 | change_type, object_category, result, ta_windows_security_CategoryString, vendor_product | |
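The "Fields removed" column is the one that breaks things after an upgrade: a saved search, correlation rule or dashboard that still filters or groups on Group_Name or Group_Domain for one of the listed EventCodes silently returns empty results once the add-on stops extracting those fields. The script below is an added example, not part of the Splunk documentation or the add-on. It parses rows in the layout of the field mapping comparison table above (only a subset of rows is embedded; add more as needed) and reports every search that targets an EventCode while referencing a field removed for it. The saved searches are constructed for the example and stand in for what you would export from savedsearches.conf.

```python
"""Audit SPL searches against the 7.0.0 -> 8.1.2 field mapping changes.

Added example, not part of the Splunk documentation. It parses rows in the
layout of the "Field mapping comparison" table and flags searches that still
reference a field the add-on no longer extracts for the EventCodes they target.
"""
import re

# Rows copied from the field mapping table (subset):
# Sourcetype | EventCode | Fields added | Fields removed
FIELD_CHANGES = """
xmlWinEventLog | 4771 | service, service_name, vendor_product | Group_Name |
xmlWinEventLog | 4781 | change_type, object_attrs, object_category, result, ta_windows_security_CategoryString, vendor_product | Group_Domain |
xmlWinEventLog | 4703 | action, parent_process_id, process_name, process_path, status, vendor_product | Group_Domain, Group_Name |
xmlWinEventLog | 4768, 4769, 4770 | service, service_id, service_name, vendor_product | Group_Domain, Group_Name |
xmlWinEventLog | 4624, 4625, 4648 | parent_process_id, process_name, process_path, vendor_product | Group_Domain, Group_Name |
xmlWinEventLog | 4656, 4661, 4663 | object_file_name, object_file_path, parent_process_id, process_name, process_path, vendor_product | |
"""

# Constructed saved searches standing in for an exported savedsearches.conf.
SAVED_SEARCHES = {
    "Failed logons by domain": "index=wineventlog sourcetype=XmlWinEventLog EventCode=4625 | stats count by Group_Domain, user",
    "Kerberos ticket activity": "sourcetype=XmlWinEventLog EventCode IN (4771, 4768) | stats count by Group_Name, src",
    "Object access by process": "sourcetype=XmlWinEventLog EventCode=4663 | stats count by object_file_name, process_name",
}


def _split_list(cell):
    """Split a comma-separated table cell into a list of names."""
    return [item.strip() for item in cell.split(",") if item.strip()]


def parse_field_changes(text):
    """Return {event_code: {"added": set(), "removed": set()}} from table rows."""
    changes = {}
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 4:
            continue  # not a data row
        _sourcetype, codes, added, removed = cells[:4]
        for code in _split_list(codes):
            entry = changes.setdefault(code, {"added": set(), "removed": set()})
            entry["added"].update(_split_list(added))
            entry["removed"].update(_split_list(removed))
    return changes


def event_codes_in(spl):
    """EventCodes a search filters on, from EventCode=NNNN or EventCode IN (...)."""
    codes = set(re.findall(r'EventCode\s*=\s*"?(\d{4})"?', spl))
    for group in re.findall(r"EventCode\s+IN\s*\(([^)]*)\)", spl, re.IGNORECASE):
        codes.update(re.findall(r"\d{4}", group))
    return codes


def audit_search(name, spl, changes):
    """Return (search name, event code, field) for each removed field the search uses."""
    findings = []
    for code in sorted(event_codes_in(spl)):
        for field in sorted(changes.get(code, {}).get("removed", ())):
            # Match whole tokens only, so Group_Name does not match Group_Name_x.
            if re.search(r"\b" + re.escape(field) + r"\b", spl):
                findings.append((name, code, field))
    return findings


def audit_all(searches, changes):
    """Run audit_search over every saved search and collect the findings."""
    findings = []
    for name, spl in searches.items():
        findings.extend(audit_search(name, spl, changes))
    return findings


if __name__ == "__main__":
    for name, code, field in audit_all(SAVED_SEARCHES, parse_field_changes(FIELD_CHANGES)):
        print(f"{name}: EventCode {code} no longer populates {field}")
```

On the constructed input the audit reports the two searches that group on Group_Domain and Group_Name for EventCodes 4625, 4768 and 4771, and passes the 4663 search, whose grouping fields are among those the table lists as added. The same table rows also tell you which CIM fields (process_name, object_file_name, service_name) now replace the removed ones, which is where the rewritten searches should land.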