Splunk® Supported Add-ons

Splunk Add-on for Microsoft Windows

Common Information Model and Field Mapping Changes for the Splunk Add-on for Microsoft Windows

Version 8.9.0 of the Splunk Add-on for Microsoft Windows introduced Common Information Model (CIM) and field mapping changes to its sourcetypes. See the following sections for information on changes to the mapping of this information.

CIM model comparison for versions 8.8.0 and 8.9.0

Version 8.8.0 of the Splunk Add-on for Microsoft Windows introduced Common Information Model (CIM) and field mapping changes to its source WinEventLog:Security and XmlWinEventLog:Security. See the following sections for information on changes to the mapping of this information.

Sourcetype EventCode Previous CIM model New CIM model
WinEventLog/ XmlWinEventLog 4798 Event_Signatures.Signatures Change.Account_Management, Event_Signatures.Signatures
XmlWinEventLog 17,18,19 Event_Signatures.Signatures Updates.Updates, Event_Signatures.Signatures

Field Changes

Source/Sourcetype EventCode Fields added Fields removed
WinEventLog 5156.5157 src_ip, protocol, protocol_version, dest_ip, direction, src, rule NA
WinEventLog 4798 result, signature, User_Security_ID, object_category, user_name, change_type, User_Account_Name, object, command, object_id, src_user_name, name, object_attrs, subject, src, User_Account_Domain NA
WinEventLog 19 file_name NA
WinEventLog 4624, 4658, 4703, 4648, 4663, 4656, 4689, 4657, 4673, 4661, 4660, 4907, 4985, 4696, 6417, 4670, 4674, 4904, 4799 command NA
WinEvrntLog 5152 direction NA
WinEvrntLog 6272, 6273 User_Account_Name, User_Account_Domain, User_Security_ID
WinEventLog 4625 Signature_mesage, package_title, package NA
XmlWinEventLog / WinEventLog 17,18,19 Error_Code, category, result, ta_windows_action, ta_windows_security_CategoryString, vendor_product NA
XmlWinEventLog 5156, 5157 protocol_version, severity, process_id, rule, dest_ip, src_ip, severity_id, src_port, protocol, user, direction, src NA
XmlWinEventLog 1100, 1101, 1102, 1104, 1105, 1108, 4608, 4610, 4611, 4614, 4622, 4624, 4625, 4627, 4634, 4647, 4648, 4653, 4656, 4657, 4658, 4660, 4661, 4662, 4663, 4664, 4670, 4672, 4673, 4674, 4688, 4689, 4690, 4696, 4697, 4698, 4699, 4700, 4701, 4702, 4703, 4704, 4705, 4713, 4715, 4717, 4718, 4719, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4738, 4740, 4741, 4742, 4743, 4750, 4753, 4754, 4755, 4756, 4757, 4758, 4764, 4767, 4768, 4769, 4770, 4771, 4776, 4778, 4779, 4781, 4793, 4797, 4800, 4801, 4817, 4826, 4902, 4904, 4906, 4907, 4912, 4931, 4932, 4933, 4944, 4945, 4946, 4947, 4948, 4950, 4953, 4954, 4956, 4957, 4963, 5024, 5025, 5031, 5033, 5034, 5040, 5041, 5043, 5044, 5045, 5058, 5059, 5061, 5136, 5137, 5140, 5141, 5142, 5145, 5152, 5154, 5158, 5379, 5441, 5442, 5444, 5446, 5447, 5448, 5449, 5450, 5478, 6144, 6145, 6272, 6416, 6417 severity, severity_id NA
XmlWinEventLog 4799 severity, severity_id, command NA

CIM model and Field Mapping changes for MSAD:NT6:DNS

See the following comparison tables for CIM model and field mapping changes for the MSAD:NT6:DNS sourcetype.

CIM model comparison for versions 8.6.0 and 8.7.0

Sourcetype Previous CIM model New CIM model
MSAD:NT6:DNS Network Resolution (DNS)


Field Changes

Sourcetype - MSAD:NT6:DNS field mapping changes

Source-type Fields added Fields removed Fields modified


[MSAD:NT6:DNS] additional_answer_count, answer, answer_count, authority_answer_count, dest, message_type, name, query_count, query_type, record_type, reply_code_id, src, src_port, vendor_productsrc_user, src_user_name, object_id, object, src query, reply_code


Version 8.1.2 of the Splunk Add-on for Microsoft Windows introduced Common Information Model (CIM) and field mapping changes to its sourcetypes. See the following sections for information on changes to the mapping of this information.

CIM model and Field Mapping changes for Wineventlog:Security

See the following comparison tables for CIM model and field mapping changes for the Wineventlog:Security sourcetype.

Field mapping comparison for versions 8.7.0 and 8.8.0

Source-type EventCode Fields added Fields removed


['WinEventLog'] 4798 change_type, command,object, object_attrs, object_category, object_id, result, src

CIM model comparison for versions 4.8.4 and 8.1.2

Sourcetype EventCode Previous CIM model New CIM model
WinEventLog:Security 4801, 4774, 4775 Authentication, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem
WinEventLog:Security 1102, 1100 Event_Signatures.Signatures, Endpoint.Processes, Endpoint.Filesystem, Endpoint.Services
WinEventLog:Security 4768, 4769, 4624, 4625, 4648, 4771, 4777, 4776, 4672, 4957, 5025, 4627, 4622, 4713, 5157, 4932, 5155, 5154, 5152, 4933, 4907, 4906, 4904, 4902, 4634, 4985, 5444, 4701, 4700, 4703, 4702, 4705, 4704, 4931, 5449, 5446, 5478, 6417, 6416, 5448, 5137, 5136, 5030, 5031, 5033, 5034, 5035, 4946, 4889, 4608, 1104, 4800, 4688, 4689, 4963, 4662, 4663, 4660, 4661, 4664, 5058, 5059, 4616, 4614, 4611, 4610, 4697, 4696, 4817, 4690, 4950, 4698, 4826, 4954, 5156, 4670, 4673, 4674, 5041, 5040, 5043, 5045, 5044, 4947, 4699, 4945, 4944, 4948, 4647, 6145, 6144, 4770, 4778, 4779, 5447, 4956, 5441, 4953, 5442, 6273, 6272, 4653, 4799, 4656, 4793, 4658, 5061, 5024, 5450, 5140, 5142, 5145 Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem
WinEventLog:Security 4717, 4718 Endpoint.Services, Change.Endpoint_Changes, Endpoint.Filesystem, Change.Account_Management, Endpoint.Processes, Event_Signatures.Signatures
WinEventLog:Security 5461 Change.Endpoint_Changes, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem
WinEventLog:Security 4912, 4715, 4719, 1101, 1105, 1108 Endpoint.Services, Change.Auditing_Changes, Change.Endpoint_Changes, Endpoint.Filesystem, Endpoint.Processes, Event_Signatures.Signatures
WinEventLog:Security 5158 Endpoint.Ports, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem
WinEventLog:Security 4657 Endpoint.Registry, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem
WinEventLog:Security 4767, 4781, 4764, 4734, 4735, 4737, 4730, 4731, 4732, 4733, 4738, 4739, 4742, 4758, 4756, 4754, 4755, 4753, 4750, 4798, 4757, 4797, 5379, 4741, 4740, 4729, 4728, 4743, 4720, 4727, 4726, 4725, 4724 Change.Endpoint_Changes, Event_Signatures.Signatures, Endpoint.Processes, Endpoint.Filesystem, Endpoint.Services

Field mapping comparison for versions 4.8.4 and 8.1.2

Source-type EventCode Fields added Fields removed
wineventlog* 5024, 5025, 5033, 5034, 5478 Error_Code, category, service, service_name, ta_windows_action, vendor_product src
wineventlog* 5156, 5157 Error_Code, category, dest_port, process_id, ta_windows_action, transport, vendor_product src
wineventlog* 4720, 4725, 4726, 4738, 4767 Error_Code, category, result, ta_windows_action, ta_windows_security_CategoryString, vendor_product src
wineventlog* 4625 Error_Code, category, process_id, ta_windows_action, ta_windows_status, vendor_product src
wineventlog* 4658, 4660, 4689, 4798, 4904, 4985, 6417 Error_Code, category, process, process_name, ta_windows_action, vendor_product src
wineventlog* 5154, 5155, 5158 Error_Code, category, process_id, ta_windows_action, transport, vendor_product src
wineventlog* 4907 Error_Code, category, file_name, file_path, object_file_name, object_file_path, process, process_id, process_name, ta_windows_action, vendor_product src
wineventlog* 5152 Error_Code, category, dest_port, process_id, ta_windows_action, vendor_product src
wineventlog* 1100, 1102, 4945, 4946, 4947, 4948 Error_Code, category, object_attrs, ta_windows_action, vendor_product src
wineventlog* 5461 category, change_type, object_attrs, object_category, result, ta_windows_action, vendor_product src
wineventlog* 4769, 4770 Error_Code, category, service, service_id, service_name, ta_windows_action, vendor_product
wineventlog* 4664, 5058, 5140, 5142, 5145 Error_Code, category, file_name, file_path, ta_windows_action, vendor_product src
wineventlog* 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4739, 4750, 4753, 4754, 4755, 4757, 4758, 4764, 4781 Error_Code, category, change_type, object_attrs, object_category, result, ta_windows_action, ta_windows_security_CategoryString, vendor_product src
wineventlog* 4688 Error_Code, Token_Elevation_Type_id, category, new_process_name, parent_process_id, parent_process_name, parent_process_path, process, process_exec, process_name, process_path, ta_windows_action, vendor_product src
wineventlog* 1101, 1108, 4719 Error_Code, category, change_type, object_attrs, object_category, ta_windows_action, vendor_product src
wineventlog* 4717, 4718 Error_Code, category, change_type, object_attrs, object_category, result, ta_windows_action, vendor_product src
wineventlog* 4670 Error_Code, category, process, process_name, registry_path, ta_windows_action, vendor_product src
wineventlog* 4776, 4777 category, ta_windows_action, vendor_product
wineventlog* 4799 Error_Code, category, object_attrs, process, process_name, ta_windows_action, vendor_product src
wineventlog* 4741, 4742, 4743 Error_Code, category, object_attrs, result, ta_windows_action, ta_windows_security_CategoryString, vendor_product src
wineventlog* 4624, 4648, 4674, 4696, 4703 Error_Code, category, process, process_id, process_name, ta_windows_action, vendor_product src
wineventlog* 4756 Error_Code, Group_Domain, Group_Name, category, change_type, object_attrs, object_category, result, ta_windows_action, ta_windows_security_CategoryString, user_group, vendor_product src
wineventlog* 4768 Error_Code, category, service, service_id, service_name, ta_windows_action, user_id, vendor_product
wineventlog* 1104, 1105, 4608, 4610, 4611, 4614, 4622, 4627, 4634, 4647, 4653, 4672, 4690, 4698, 4699, 4700, 4701, 4702, 4704, 4705, 4713, 4715, 4774, 4775, 4797, 4800, 4801, 4826, 4889, 4902, 4906, 4912, 4931, 4932, 4933, 4944, 4950, 4953, 4954, 4956, 4957, 4963, 5031, 5040, 5041, 5043, 5044, 5045, 5059, 5061, 5136, 5137, 5379, 5441, 5442, 5444, 6144, 6272, 6273, 6416 Error_Code, category, ta_windows_action, vendor_product src
wineventlog* 4697 Error_Code, category, service, service_name, start_mode, ta_windows_action, vendor_product src
wineventlog* 4673 Error_Code, category, process, process_name, service, service_name, ta_windows_action, vendor_product src
wineventlog* 4657 Error_Code, category, object_file_name, object_file_path, process, process_id, process_name, registry_path, registry_value_name, registry_value_type, ta_windows_action, vendor_product src
wineventlog* 5030, 5035 category, service, service_name, ta_windows_action, vendor_product src
wineventlog* 4771 Error_Code, category, service, service_name, ta_windows_action, vendor_product
wineventlog* 4616, 5446, 5447, 5448, 5449, 5450 Error_Code, category, process_id, ta_windows_action, vendor_product src
wineventlog* 4724 Error_Code, category, object_attrs, ta_windows_action, ta_windows_security_CategoryString, vendor_product src
wineventlog* 6145 category, ta_windows_action, vendor_product src
wineventlog* 4740, 4793 Error_Code, category, ta_windows_action, ta_windows_security_CategoryString, vendor_product src
wineventlog* 4656, 4661, 4663 Error_Code, category, object_file_name, object_file_path, process, process_id, process_name, ta_windows_action, vendor_product src
wineventlog* 4778, 4779 Error_Code, category, ta_windows_action, vendor_product
wineventlog* 4662, 4817 Error_Code, category, object_file_name, object_file_path, ta_windows_action, vendor_product src

CIM model comparison for versions 7.0.0 and 8.1.2

Source EventCode Previous CIM model New CIM model
WinEventLog:Security 4801 Authentication, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem
WinEventLog:Security 1102, 1100 Event_Signatures.Signatures, Endpoint.Processes, Endpoint.Filesystem, Endpoint.Services
WinEventLog:Security 4912, 4739, 4743, 4781, 4764, 4734, 4735, 4737, 4730, 4731, 4732, 4715, 4718, 4719, 4738, 4742, 4758, 4756, 4757, 4754, 4755, 4753, 4750, 4798, 4767, 4797, 4717, 5379, 4741, 4733, 4740, 4729, 4728, 1105, 4720, 4727, 4726, 4725, 4724 Change.Endpoint_Changes, Event_Signatures.Signatures, Endpoint.Processes, Endpoint.Filesystem, Endpoint.Services
WinEventLog:Security 5461 Change.Endpoint_Changes, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem
WinEventLog:Security 4769, 4624, 4625, 4648, 4771, 4774, 4775, 4777, 4776, 4768, 4672, 4957, 5025, 4627, 4622, 4713, 5157, 4932, 5155, 5154, 5152, 4933, 4907, 4906, 4904, 4902, 4634, 4985, 5444, 4701, 4700, 4703, 4702, 4705, 4704, 4931, 5449, 5446, 5478, 6417, 6416, 5448, 5137, 5136, 5030, 5031, 5033, 5034, 5035, 4946, 4889, 4608, 1104, 4800, 4688, 4689, 4963, 4662, 4663, 4660, 4661, 4664, 5058, 5059, 4616, 4614, 4611, 4610, 4697, 4696, 4817, 4690, 4950, 4698, 4826, 4954, 5156, 4670, 4673, 4674, 5041, 5040, 5043, 5045, 5044, 4947, 4699, 4945, 4944, 4948, 4647, 6145, 6144, 4770, 4778, 4779, 5447, 4956, 5441, 4953, 5442, 6273, 6272, 4653, 4799, 4656, 4793, 4658, 5061, 5024, 5450, 5140, 5142, 5145 Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem
WinEventLog:Security 1101, 1108 Endpoint.Services, Change.Auditing_Changes, Change.Endpoint_Changes, Endpoint.Filesystem, Endpoint.Processes, Event_Signatures.Signatures
WinEventLog:Security 5158 Endpoint.Ports, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem
WinEventLog:Security 4657 Endpoint.Registry, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem


Field mapping comparison for versions 7.0.0 and 8.1.2

Source-type EventCode Fields added Fields removed
wineventlog* 1101, 1108, 4719 change_type, object_attrs, object_category, vendor_product
wineventlog* 4768 service, service_id, service_name, user_id, vendor_product
wineventlog* 4741, 4742, 4743 object_attrs, result, vendor_product
wineventlog* 4717, 4718, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4739, 4750, 4753, 4754, 4755, 4756, 4757, 4758, 4764, 4781, 5461 change_type, object_attrs, object_category, result, vendor_product
wineventlog* 4697 service, service_name, start_mode, vendor_product
wineventlog* 4657 object_file_name, object_file_path, process, process_name, registry_path, registry_value_name, registry_value_type, vendor_product
wineventlog* 4656, 4661, 4663 object_file_name, object_file_path, process, process_name, vendor_product
wineventlog* 4662, 4817 object_file_name, object_file_path, vendor_product
wineventlog* 4673 process, process_name, service, service_name, vendor_product
wineventlog* 4670 process, process_name, registry_path, vendor_product
wineventlog* 4720, 4725, 4726, 4738, 4767 result, vendor_product
wineventlog* 4664, 5058, 5140, 5142, 5145 file_name, file_path, vendor_product
wineventlog* 4771, 5024, 5025, 5030, 5033, 5034, 5035, 5478 service, service_name, vendor_product
wineventlog* 4799 object_attrs, process, process_name, vendor_product
wineventlog* 4907 file_name, file_path, object_file_name, object_file_path, process, process_name, vendor_product
wineventlog* 5154, 5155, 5156, 5157, 5158 transport, vendor_product
wineventlog* 4624, 4648, 4658, 4660, 4674, 4689, 4696, 4703, 4798, 4904, 4985, 6417 process, process_name, vendor_product
wineventlog* 1100, 1102, 4724 object_attrs, vendor_product
wineventlog* 4688 Token_Elevation_Type_id, new_process_name, parent_process_id, parent_process_name, parent_process_path, process, process_exec, process_name, process_path, vendor_product
wineventlog* 4769, 4770 service, service_id, service_name, vendor_product
wineventlog* 1104, 1105, 4608, 4610, 4611, 4614, 4616, 4622, 4625, 4627, 4634, 4647, 4653, 4672, 4690, 4698, 4699, 4700, 4701, 4702, 4704, 4705, 4713, 4715, 4740, 4774, 4775, 4776, 4777, 4778, 4779, 4793, 4797, 4800, 4801, 4826, 4889, 4902, 4906, 4912, 4931, 4932, 4933, 4944, 4945, 4946, 4947, 4948, 4950, 4953, 4954, 4956, 4957, 4963, 5031, 5040, 5041, 5043, 5044, 5045, 5059, 5061, 5136, 5137, 5152, 5379, 5441, 5442, 5444, 5446, 5447, 5448, 5449, 5450, 6144, 6145, 6272, 6273, 6416 vendor_product


CIM model and Field Mapping Changes for XmlWineventlog:Security

See the following comparison tables for CIM model and field mapping changes for the XmlWineventlog:Security sourcetype.

Field mapping comparison for versions 8.7.0 and 8.8.0

Source-type EventCode Fields added Fields removed


['WinEventLog'] 4798 change_type, command,object, object_attrs, object_category, object_id, result, src, user_name, src_user_name

CIM model comparison for versions 4.8.4 and 8.1.2

Sourcetype EventCode Previous CIM model New CIM model
XmlWinEventLog:Security 4672, 4957, 4624, 4625, 4648, 4769, 4768, 4771, 4776, 4932, 4933, 4931, 4948, 4670, 4673, 4674, 4800, 4778, 4779, 4770, 5450, 4985, 4902, 4907, 4906, 4904, 4662, 4663, 4660, 4661, 4664, 4705, 4704, 4701, 4700, 4703, 4702, 5152, 5156, 5154, 5025, 5024, 5145, 5140, 5141, 5142, 5441, 4713, 4797, 4793, 4658, 4656, 4653, 4798, 4799, 5031, 5033, 5034, 6145, 6144, 5137, 5136, 5157, 5442, 5444, 5447, 5448, 4647, 5449, 4634, 4963, 5045, 5044, 5379, 5041, 5040, 5043, 6416, 1104, 4627, 4622, 5058, 5059, 6272, 6417, 4947, 4944, 4611, 4610, 4616, 4614, 5061, 4690, 4697, 4696, 4699, 4698, 4688, 4689, 4946, 4945, 5446, 4950, 4953, 4954, 4826, 4956, 4608, 4817, 5478 Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem
XmlWinEventLog:Security 4719, 4715, 1108, 1105, 1101, 4912 Endpoint.Services, Change.Auditing_Changes, Change.Endpoint_Changes, Endpoint.Filesystem, Endpoint.Processes, Event_Signatures.Signatures
XmlWinEventLog:Security 4781, 4718, 4717, 4729, 4728, 4723, 4722, 4720, 4727, 4726, 4725, 4724, 4734, 4735, 4737, 4730, 4731, 4732, 4733, 4738, 4739, 4741, 4740, 4743, 4742, 4753, 4750, 4756, 4757, 4754, 4755, 4767, 4764, 4758 Endpoint.Services, Change.Endpoint_Changes, Endpoint.Filesystem, Change.Account_Management, Endpoint.Processes, Event_Signatures.Signatures
XmlWinEventLog:Security 1100, 1102 Event_Signatures.Signatures, Endpoint.Processes, Endpoint.Filesystem, Endpoint.Services
XmlWinEventLog:Security 4657 Endpoint.Registry, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem
XmlWinEventLog:Security 5158 Endpoint.Ports, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem
XmlWinEventLog:Security 4801 Authentication, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem

Field Mapping Comparison for versions 4.8.4 and 8.1.2

Sourcetype EventCode Fields added Fields removed
xmlWinEventLog* 4720, 4722, 4725, 4726, 4738, 4740, 4767 CategoryString, Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, result, signature, signature_id, subject, ta_windows_action, ta_windows_security_CategoryString, user_group, vendor_product
xmlWinEventLog* 4648 Error_Code, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process, process_id, process_name, process_path, signature, signature_id, src_ip, subject, ta_windows_action, user_group, vendor_product
xmlWinEventLog* 1108 Error_Code, action, app, change_type, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, object_category, signature, signature_id, status, subject, ta_windows_action, vendor_product
xmlWinEventLog* 4742, 4743 CategoryString, Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, process_id, result, signature, signature_id, subject, ta_windows_action, ta_windows_security_CategoryString, user_group, vendor_product
xmlWinEventLog* 4657 Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_file_name, object_file_path, parent_process_id, process, process_id, process_name, process_path, registry_path, registry_value_name, registry_value_type, signature, signature_id, subject, ta_windows_action, vendor_product
xmlWinEventLog* 5154 Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process_id, signature, signature_id, subject, ta_windows_action, transport, vendor_product
xmlWinEventLog* 4723, 4724 CategoryString, Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, process_id, signature, signature_id, subject, ta_windows_action, ta_windows_security_CategoryString, user_group, vendor_product
xmlWinEventLog* 5140 Error_Code, app, dest, dvc, dvc_nt_host, event_id, file_name, id, name, process_id, signature, signature_id, src_ip, subject, ta_windows_action, vendor_product
xmlWinEventLog* 5152 Error_Code, app, dest, dest_port, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process_id, signature, signature_id, subject, ta_windows_action, vendor_product
xmlWinEventLog* 1102 Caller_User_Name, Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, process_id, signature, signature_id, src_user, status, subject, ta_windows_action, vendor_product
xmlWinEventLog* 4719 Error_Code, app, change_type, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, object_category, process_id, signature, signature_id, subject, ta_windows_action, vendor_product
xmlWinEventLog* 4662, 4817 Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_file_name, object_file_path, process_id, signature, signature_id, subject, ta_windows_action, vendor_product
xmlWinEventLog* 4945, 4946, 4947, 4948, 4953, 4957 Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, process_id, signature, signature_id, subject, ta_windows_action, vendor_product
xmlWinEventLog* 5034 Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, service, service_name, signature, signature_id, subject, ta_windows_action, vendor_product
xmlWinEventLog* 4739 CategoryString, Error_Code, app, change_type, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, object_category, process_id, result, severity, signature, signature_id, subject, ta_windows_action, ta_windows_security_CategoryString, vendor_product
xmlWinEventLog* 4624 Error_Code, dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process, process_id, process_name, process_path, signature, signature_id, src_ip, subject, ta_windows_action, user_group, vendor_product
xmlWinEventLog* 4728, 4729, 4730, 4732, 4733, 4734, 4753, 4756, 4757, 4758, 4764 CategoryString, Error_Code, Group_Domain, Group_Name, app, change_type, dest, dvc, dvc_nt_host, event_id, id, name, object_category, process_id, result, signature, signature_id, subject, ta_windows_action, ta_windows_security_CategoryString, user_group, vendor_product
xmlWinEventLog* 4768, 4769 app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, service, service_id, service_name, signature, signature_id, subject, ta_windows_action, ta_windows_status, user_group, vendor_product
xmlWinEventLog* 1100 Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, process_id, signature, signature_id, status, subject, ta_windows_action, vendor_product
xmlWinEventLog* 4797, 4798 Error_Code, action, app, dest, dvc, dvc_nt_host, event_id, id, process_id, signature_id, status, ta_windows_action, user_group, vendor_product
xmlWinEventLog* 4696 Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process_id, signature, signature_id, subject, ta_windows_action, user_group, vendor_product dest_nt_domain
xmlWinEventLog* 4634 Error_Code, dest, dvc, dvc_nt_host, event_id, id, name, process_id, signature, signature_id, subject, ta_windows_action, user_group, vendor_product
xmlWinEventLog* 4688 Error_Code, Process_Command_Line, Token_Elevation_Type_id, app, dest, dvc, dvc_nt_host, event_id, id, name, new_process, new_process_id, new_process_name, parent_process, parent_process_id, parent_process_name, parent_process_path, process, process_command_line_arguments, process_command_line_process, process_exec, process_id, process_name, process_path, signature, signature_id, subject, ta_windows_action, user_group, vendor_product dest_nt_domain
xmlWinEventLog* 5156, 5157 Error_Code, app, dest, dest_port, dvc, dvc_nt_host, event_id, id, name, process_id, signature, signature_id, subject, ta_windows_action, transport, vendor_product
xmlWinEventLog* 4625 dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process, process_id, process_name, process_path, signature, signature_id, src_ip, subject, ta_windows_action, ta_windows_status, user_group, vendor_product
xmlWinEventLog* 4627 Error_Code, action, dest, dvc, dvc_nt_host, event_id, id, process_id, signature_id, status, ta_windows_action, user_group, vendor_product
xmlWinEventLog* 4799 Error_Code, Group_Domain, Group_Name, action, app, dest, dvc, dvc_nt_host, event_id, id, process_id, signature_id, status, ta_windows_action, user_group, vendor_product
xmlWinEventLog* 4608, 4610, 4611, 4614, 4622, 4653, 4672, 4690, 4698, 4699, 4700, 4701, 4702, 4704, 4705, 4713, 4715, 4779, 4902, 4906, 4932, 4933, 4944, 4950, 4954, 4956, 4963, 5031, 5040, 5041, 5043, 5044, 5045, 5059, 5061, 5136, 5137, 5441, 5442, 5444, 6144, 6145, 6272 Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, signature, signature_id, subject, ta_windows_action, vendor_product
xmlWinEventLog* 4647, 4800, 4801 Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, signature, signature_id, subject, ta_windows_action, user_group, vendor_product
xmlWinEventLog* 6417 Error_Code, action, app, dest, dvc, dvc_nt_host, event_id, id, parent_process_id, process, process_id, process_name, process_path, signature_id, status, ta_windows_action, vendor_product
xmlWinEventLog* 4673 Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process_id, service, signature, signature_id, subject, ta_windows_action, vendor_product
xmlWinEventLog* 4741 CategoryString, Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, process_id, result, signature, signature_id, status, subject, ta_windows_action, ta_windows_security_CategoryString, user_group, vendor_product
xmlWinEventLog* 1104, 1105 Error_Code, action, app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, signature, signature_id, status, subject, ta_windows_action, vendor_product
xmlWinEventLog* 4703 Error_Code, action, app, dest, dvc, dvc_nt_host, event_id, id, parent_process_id, process, process_id, process_name, process_path, signature_id, status, ta_windows_action, user_group, vendor_product
xmlWinEventLog* 1101 Error_Code, action, app, change_type, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, object_category, process_id, signature, signature_id, status, subject, ta_windows_action, vendor_product
xmlWinEventLog* 4727, 4731, 4735, 4737, 4750, 4754, 4755 CategoryString, Error_Code, Group_Domain, Group_Name, app, change_type, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, object_category, process_id, result, signature, signature_id, subject, ta_windows_action, ta_windows_security_CategoryString, user_group, vendor_product
xmlWinEventLog* 5158 Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process_id, signature, signature_id, src_port, subject, ta_windows_action, transport, vendor_product
xmlWinEventLog* 4793 CategoryString, Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, signature, signature_id, subject, ta_windows_action, ta_windows_security_CategoryString, vendor_product
xmlWinEventLog* 4664, 5058, 5142 Error_Code, app, dest, dvc, dvc_nt_host, event_id, file_name, file_path, id, name, process_id, signature, signature_id, subject, ta_windows_action, vendor_product
xmlWinEventLog* 4697 Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, service, service_name, signature, signature_id, start_mode, subject, ta_windows_action, vendor_product
xmlWinEventLog* 4826, 5379, 6416 Error_Code, action, app, dest, dvc, dvc_nt_host, event_id, id, process_id, signature_id, status, ta_windows_action, vendor_product
xmlWinEventLog* 4776 app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, signature, signature_id, subject, ta_windows_action, ta_windows_status, user_group, vendor_product
xmlWinEventLog* 4771 app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, service, service_name, signature, signature_id, subject, ta_windows_action, ta_windows_status, user_group, vendor_product
xmlWinEventLog* 4616, 4658, 4660, 4670, 4674, 4904, 4985 Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process, process_id, process_name, process_path, signature, signature_id, subject, ta_windows_action, vendor_product
xmlWinEventLog* 4781 CategoryString, Error_Code, app, change_type, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, object_category, process_id, result, signature, signature_id, subject, ta_windows_action, ta_windows_security_CategoryString, vendor_product
xmlWinEventLog* 5446, 5447, 5448, 5449, 5450 Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process_id, signature, signature_id, subject, ta_windows_action, vendor_product
xmlWinEventLog* 4770 Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, service, service_id, service_name, signature, signature_id, subject, ta_windows_action, user_group, vendor_product
xmlWinEventLog* 4717, 4718 Error_Code, app, change_type, dest, dvc, dvc_nt_host, event_id, id, name, object_attrs, object_category, process_id, result, signature, signature_id, subject, ta_windows_action, vendor_product
xmlWinEventLog* 4912, 4931, 5141 Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, signature, signature_id, subject, ta_windows_action, vendor_product
xmlWinEventLog* 4656, 4661, 4663 Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, object_file_name, object_file_path, parent_process_id, process, process_id, process_name, process_path, signature, signature_id, subject, ta_windows_action, vendor_product
xmlWinEventLog* 4689 app, dest, dvc, dvc_nt_host, event_id, id, name, parent_process_id, process, process_id, process_name, process_path, signature, signature_id, subject, ta_windows_action, ta_windows_status, vendor_product
xmlWinEventLog* 4778 Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, signature, signature_id, src, subject, ta_windows_action, vendor_product
xmlWinEventLog* 5024, 5025, 5033, 5478 Error_Code, app, dest, dvc, dvc_nt_host, event_id, id, name, process_id, service, service_name, signature, signature_id, subject, ta_windows_action, vendor_product
xmlWinEventLog* 5145 Error_Code, app, dest, dvc, dvc_nt_host, event_id, file_name, file_path, id, name, process_id, signature, signature_id, src_ip, subject, ta_windows_action, vendor_product
xmlWinEventLog* 4907 Error_Code, app, dest, dvc, dvc_nt_host, event_id, file_name, file_path, id, name, object_file_name, object_file_path, parent_process_id, process, process_id, process_name, process_path, signature, signature_id, subject, ta_windows_action, vendor_product

CIM model comparison for versions 7.0.0 and 8.1.2

Sourcetype EventCode Previous CIM model New CIM model
XmlWinEventLog:Security 4625, 4672, 4771, 4776, 4957, 4624, 4648, 4769, 4768, 4932, 4933, 4931, 4948, 4670, 4673, 4674, 4800, 4778, 4779, 4770, 5450, 4985, 4902, 4907, 4906, 4904, 4662, 4663, 4660, 4661, 4664, 4705, 4704, 4701, 4700, 4703, 4702, 5152, 5156, 5154, 5025, 5024, 5145, 5140, 5141, 5142, 5441, 4713, 4797, 4793, 4658, 4656, 4653, 4798, 4799, 5031, 5033, 5034, 6145, 6144, 5137, 5136, 5157, 5442, 5444, 5447, 5448, 4647, 5449, 4634, 4963, 5045, 5044, 5379, 5041, 5040, 5043, 6416, 1104, 4627, 4622, 5058, 5059, 6272, 6417, 4947, 4944, 4611, 4610, 4616, 4614, 5061, 4690, 4697, 4696, 4699, 4698, 4688, 4689, 4946, 4945, 5446, 4950, 4953, 4954, 4826, 4956, 4608, 4817, 5478 Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem
XmlWinEventLog:Security 1108, 1101 Endpoint.Services, Change.Auditing_Changes, Change.Endpoint_Changes, Endpoint.Filesystem, Endpoint.Processes, Event_Signatures.Signatures
XmlWinEventLog:Security 4781, 4729, 4728, 4727, 4734, 4735, 4737, 4730, 4731, 4732, 4733, 4739, 4753, 4750, 4756, 4757, 4754, 4755, 4764, 4758 Endpoint.Services, Change.Endpoint_Changes, Endpoint.Filesystem, Change.Account_Management, Endpoint.Processes, Event_Signatures.Signatures
XmlWinEventLog:Security 1100, 1102 Event_Signatures.Signatures, Endpoint.Processes, Endpoint.Filesystem, Endpoint.Services
XmlWinEventLog:Security 4912, 4718, 4719, 4717, 4715, 4738, 1105, 4741, 4740, 4743, 4742, 4723, 4722, 4720, 4726, 4725, 4724, 4767 Change.Endpoint_Changes, Event_Signatures.Signatures, Endpoint.Processes, Endpoint.Filesystem, Endpoint.Services
XmlWinEventLog:Security 4657 Endpoint.Registry, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem
XmlWinEventLog:Security 5158 Endpoint.Ports, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem
XmlWinEventLog:Security 4801 Authentication, Endpoint.Processes, Event_Signatures.Signatures, Endpoint.Services, Endpoint.Filesystem

Field mapping comparison for versions 7.0.0 and 8.1.2

Source-type EventCode Fields added Fields removed
xmlWinEventLog 4727, 4731, 4735, 4737, 4739, 4750, 4754, 4755 change_type, object_attrs, object_category, result, ta_windows_security_CategoryString, vendor_product
xmlWinEventLog 4616, 4658, 4660, 4670, 4674, 4904, 4985 parent_process_id, process_name, process_path, vendor_product
xmlWinEventLog 4771 service, service_name, vendor_product Group_Name
xmlWinEventLog 4781 change_type, object_attrs, object_category, result, ta_windows_security_CategoryString, vendor_product Group_Domain
xmlWinEventLog 4703 action, parent_process_id, process_name, process_path, status, vendor_product Group_Domain, Group_Name
xmlWinEventLog 5156, 5157 transport, vendor_product
xmlWinEventLog 5152, 5446, 5447, 5448, 5449, 5450 parent_process_id, vendor_product
xmlWinEventLog 5024, 5025, 5033, 5034, 5478 service, service_name, vendor_product
xmlWinEventLog 4907 file_name, file_path, object_file_name, object_file_path, parent_process_id, process_name, process_path, vendor_product
xmlWinEventLog 4742, 4743 object_attrs, result, ta_windows_security_CategoryString, vendor_product Group_Domain, Group_Name
xmlWinEventLog 4608, 4610, 4611, 4614, 4622, 4653, 4672, 4690, 4698, 4699, 4700, 4701, 4702, 4704, 4705, 4713, 4715, 4779, 4902, 4906, 4912, 4931, 4932, 4933, 4944, 4945, 4946, 4947, 4948, 4950, 4953, 4954, 4956, 4957, 4963, 5031, 5040, 5041, 5043, 5044, 5045, 5059, 5061, 5136, 5137, 5141, 5441, 5442, 5444, 6144, 6145, 6272 vendor_product
xmlWinEventLog 4719 change_type, object_attrs, object_category, vendor_product
xmlWinEventLog 4740 ta_windows_security_CategoryString, vendor_product Group_Domain, Group_Name
xmlWinEventLog 4793 ta_windows_security_CategoryString, vendor_product
xmlWinEventLog 4634, 4647, 4800, 4801 vendor_product Group_Domain, Group_Name
xmlWinEventLog 1102 Caller_User_Name, object_attrs, src_user, status, vendor_product
xmlWinEventLog 4776 vendor_product Group_Name
xmlWinEventLog 4696 parent_process_id, vendor_product Group_Domain, Group_Name
xmlWinEventLog 1101, 1108 action, change_type, object_attrs, object_category, status, vendor_product
xmlWinEventLog 4657 object_file_name, object_file_path, parent_process_id, process_name, process_path, registry_path, registry_value_name, registry_value_type, vendor_product
xmlWinEventLog 4723, 4724 object_attrs, ta_windows_security_CategoryString, vendor_product Group_Domain, Group_Name
xmlWinEventLog 4741 object_attrs, result, status, ta_windows_security_CategoryString, vendor_product Group_Domain, Group_Name
xmlWinEventLog 5154 parent_process_id, transport, vendor_product
xmlWinEventLog 4778 src, vendor_product
xmlWinEventLog 4768, 4769, 4770 service, service_id, service_name, vendor_product Group_Domain, Group_Name
xmlWinEventLog 4627, 4797, 4798 action, status, vendor_product Group_Domain, Group_Name
xmlWinEventLog 4720, 4722, 4725, 4726, 4738, 4767 result, ta_windows_security_CategoryString, vendor_product Group_Domain, Group_Name
xmlWinEventLog 4697 service, service_name, start_mode, vendor_product
xmlWinEventLog 4688 Process_Command_Line, Token_Elevation_Type_id, new_process, new_process_id, new_process_name, parent_process, parent_process_id, parent_process_name, parent_process_path, process, process_command_line_arguments, process_command_line_process, process_exec, process_name, process_path, vendor_product Group_Domain, Group_Name
xmlWinEventLog 5158 parent_process_id, src_port, transport, vendor_product
xmlWinEventLog 4689, 6417 action, parent_process_id, process_name, process_path, status, vendor_product
xmlWinEventLog 4656, 4661, 4663 object_file_name, object_file_path, parent_process_id, process_name, process_path, vendor_product
xmlWinEventLog 4624, 4625, 4648 parent_process_id, process_name, process_path, vendor_product Group_Domain, Group_Name
xmlWinEventLog 4662, 4817 object_file_name, object_file_path, vendor_product
xmlWinEventLog 4717, 4718 change_type, object_attrs, object_category, result, vendor_product
xmlWinEventLog 4664, 5058, 5142, 5145 file_name, file_path, vendor_product
xmlWinEventLog 4673 parent_process_id, service, vendor_product
xmlWinEventLog 1100 object_attrs, status, vendor_product
xmlWinEventLog 1104, 1105, 4799, 4826, 5379, 6416 action, status, vendor_product
xmlWinEventLog 5140 file_name, vendor_product
xmlWinEventLog 4728, 4729, 4730, 4732, 4733, 4734, 4753, 4756, 4757, 4758, 4764 change_type, object_category, result, ta_windows_security_CategoryString, vendor_product
Last modified on 15 July, 2024
Performance reference for the Splunk Add-on for Windows  

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters