我的书签
添加书签
移除书签Windows
The windows log type records events that happen in Windows applications, system services, and the Windows operating system.
The following code snippet contains all the raw_field and ecs mappings for this log type:
"mappings":[{"raw_field":"AccountName","ecs":"winlog.computerObject.name"},{"raw_field":"AuthenticationPackageName","ecs":"winlog.event_data.AuthenticationPackageName"},{"raw_field":"Channel","ecs":"winlog.channel"},{"raw_field":"Company","ecs":"winlog.event_data.Company"},{"raw_field":"ComputerName","ecs":"winlog.computer_name"},{"raw_field":"Description","ecs":"winlog.event_data.Description"},{"raw_field":"Details","ecs":"winlog.event_data.Detail"},{"raw_field":"Device","ecs":"winlog.event_data.Device"},{"raw_field":"FileName","ecs":"winlog.event_data.FileName"},{"raw_field":"FileVersion","ecs":"winlog.event_data.FileVersion"},{"raw_field":"IntegrityLevel","ecs":"winlog.event_data.IntegrityLevel"},{"raw_field":"IpAddress","ecs":"winlog.event_data.IpAddress"},{"raw_field":"KeyLength","ecs":"winlog.event_data.KeyLength"},{"raw_field":"Keywords","ecs":"winlog.keywords"},{"raw_field":"LogonId","ecs":"winlog.event_data.LogonId"},{"raw_field":"LogonProcessName","ecs":"winlog.event_data.LogonProcessName"},{"raw_field":"LogonType","ecs":"winlog.event_data.LogonType"},{"raw_field":"OriginalFilename","ecs":"winlog.event_data.OriginalFileName"},{"raw_field":"Path","ecs":"winlog.event_data.Path"},{"raw_field":"PrivilegeList","ecs":"winlog.event_data.PrivilegeList"},{"raw_field":"ProcessId","ecs":"winlog.event_data.ProcessId"},{"raw_field":"Product","ecs":"winlog.event_data.Product"},{"raw_field":"Provider","ecs":"winlog.provider_name"},{"raw_field":"ProviderName","ecs":"winlog.provider_name"},{"raw_field":"ScriptBlockText","ecs":"winlog.event_data.ScriptBlockText"},{"raw_field":"ServerName","ecs":"winlog.event_data.TargetServerName"},{"raw_field":"Service","ecs":"winlog.event_data.ServiceName"},{"raw_field":"Signed","ecs":"winlog.event_data.Signed"},{"raw_field":"State","ecs":"winlog.event_data.State"},{"raw_field":"Status","ecs":"winlog.event_data.Status"},{"raw_field":"SubjectDomainName","ecs":"winlog.event_data.SubjectDomainName"},{"raw_field":"SubjectLogonId","ecs":"winlog.event_data.SubjectLogonId"},{"raw_field":"SubjectUserName","ecs":"winlog.event_data.SubjectUserName"},{"raw_field":"SubjectUserSid","ecs":"winlog.event_data.SubjectUserSid"},{"raw_field":"TargetLogonId","ecs":"winlog.event_data.TargetLogonId"},{"raw_field":"TargetName","ecs":"winlog.event_data.TargetUserName"},{"raw_field":"TargetServerName","ecs":"winlog.event_data.TargetServerName"},{"raw_field":"TargetUserName","ecs":"winlog.event_data.TargetUserName"},{"raw_field":"TargetUserSid","ecs":"winlog.event_data.TargetUserSid"},{"raw_field":"TaskName","ecs":"winlog.task"},{"raw_field":"Type","ecs":"winlog.user.type"},{"raw_field":"User","ecs":"winlog.user.name"},{"raw_field":"UserName","ecs":"winlog.user.name"},{"raw_field":"Workstation","ecs":"winlog.event_data.Workstation"},{"raw_field":"WorkstationName","ecs":"winlog.event_data.Workstation"},{"raw_field":"event_uid","ecs":"winlog.event_id"},{"raw_field":"CommandLine","ecs":"process.command_line"},{"raw_field":"hostname","ecs":"host.hostname"},{"raw_field":"message","ecs":"windows.message"},{"raw_field":"Provider_Name","ecs":"winlog.provider_name"},{"raw_field":"EventId","ecs":"winlog.event_id"},{"raw_field":"processPath","ecs":"winlog.event_data.ProcessPath"},{"raw_field":"ProcessName","ecs":"winlog.event_data.ProcessName"},{"raw_field":"ObjectName","ecs":"winlog.computerObject.name"},{"raw_field":"param1","ecs":"winlog.event_data.param1"},{"raw_field":"param2","ecs":"winlog.event_data.param2"},{"raw_field":"creationTime","ecs":"timestamp"},{"raw_field":"Origin","ecs":"winlog.event_data.Origin"},{"raw_field":"ParentImage","ecs":"winlog.event_data.ParentImage"},{"raw_field":"TargetPort","ecs":"winlog.event_data.TargetPort"},{"raw_field":"Query","ecs":"winlog.event_data.Query"},{"raw_field":"DestinationPort","ecs":"destination.port"},{"raw_field":"StartAddress","ecs":"winlog.event_data.StartAddress"},{"raw_field":"TicketOptions","ecs":"winlog.event_data.TicketOptions"},{"raw_field":"ParentCommandLine","ecs":"winlog.event_data.ParentCommandLine"},{"raw_field":"AllowedToDelegateTo","ecs":"winlog.event_data.AllowedToDelegateTo"},{"raw_field":"HostApplication","ecs":"winlog.event_data.HostApplication"},{"raw_field":"AccessMask","ecs":"winlog.event_data.AccessMask"},{"raw_field":"Hashes","ecs":"winlog.event_data.Hashes"},{"raw_field":"SidHistory","ecs":"winlog.event_data.SidHistory"},{"raw_field":"Initiated","ecs":"winlog.event_data.Initiated"},{"raw_field":"DestinationIp","ecs":"destination.ip"},{"raw_field":"RelativeTargetName","ecs":"winlog.event_data.RelativeTargetName"},{"raw_field":"Source_Name","ecs":"winlog.event_data.Source_Name"},{"raw_field":"AttributeLDAPDisplayName","ecs":"winlog.event_data.AttributeLDAPDisplayName"},{"raw_field":"DeviceDescription","ecs":"winlog.event_data.DeviceDescription"},{"raw_field":"AttributeValue","ecs":"winlog.event_data.AttributeValue"},{"raw_field":"ObjectValueName","ecs":"winlog.event_data.ObjectValueName"},{"raw_field":"QueryStatus","ecs":"winlog.event_data.QueryStatus"},{"raw_field":"TargetParentProcessId","ecs":"winlog.event_data.TargetParentProcessId"},{"raw_field":"OldUacValue","ecs":"winlog.event_data.OldUacValue"},{"raw_field":"FailureCode","ecs":"winlog.event_data.FailureCode"},{"raw_field":"OldTargetUserName","ecs":"winlog.event_data.OldTargetUserName"},{"raw_field":"NewUacValue","ecs":"winlog.event_data.NewUacValue"},{"raw_field":"ServiceName","ecs":"winlog.event_data.ServiceName"},{"raw_field":"Imphash","ecs":"winlog.event_data.Imphash"},{"raw_field":"NewValue","ecs":"winlog.event_data.NewValue"},{"raw_field":"Action","ecs":"winlog.event_data.Action"},{"raw_field":"SourceImage","ecs":"winlog.event_data.SourceImage"},{"raw_field":"QNAME","ecs":"winlog.event_data.QNAME"},{"raw_field":"Properties","ecs":"winlog.event_data.Properties"},{"raw_field":"AuditPolicyChanges","ecs":"winlog.event_data.AuditPolicyChanges"},{"raw_field":"Accesses","ecs":"winlog.event_data.Accesses"},{"raw_field":"ClassName","ecs":"winlog.event_data.ClassName"},{"raw_field":"ObjectClass","ecs":"winlog.event_data.ObjectClass"},{"raw_field":"PipeName","ecs":"winlog.event_data.PipeName"},{"raw_field":"HiveName","ecs":"winlog.event_data.HiveName"},{"raw_field":"StartModule","ecs":"winlog.event_data.StartModule"},{"raw_field":"HostVersion","ecs":"winlog.event_data.HostVersion"},{"raw_field":"DestinationHostname","ecs":"winlog.event_data.DestinationHostname"},{"raw_field":"QueryName","ecs":"winlog.event_data.QueryName"},{"raw_field":"RemoteName","ecs":"winlog.event_data.RemoteName"},{"raw_field":"PasswordLastSet","ecs":"winlog.event_data.PasswordLastSet"},{"raw_field":"ErrorCode","ecs":"winlog.event_data.ErrorCode"},{"raw_field":"AccessList","ecs":"winlog.event_data.AccessList"},{"raw_field":"Address","ecs":"winlog.event_data.Address"},{"raw_field":"PossibleCause","ecs":"winlog.event_data.PossibleCause"},{"raw_field":"DestPort","ecs":"destination.port"},{"raw_field":"Image","ecs":"winlog.event_data.Image"},{"raw_field":"CertThumbprint","ecs":"winlog.event_data.CertThumbprint"},{"raw_field":"TicketEncryptionType","ecs":"winlog.event_data.TicketEncryptionType"},{"raw_field":"ServiceType","ecs":"winlog.event_data.ServiceType"},{"raw_field":"ObjectServer","ecs":"winlog.event_data.ObjectServer"},{"raw_field":"ImagePath","ecs":"winlog.event_data.ImagePath"},{"raw_field":"NewName","ecs":"winlog.event_data.NewName"},{"raw_field":"CallTrace","ecs":"winlog.event_data.CallTrace"},{"raw_field":"SamAccountName","ecs":"winlog.event_data.SamAccountName"},{"raw_field":"GrantedAccess","ecs":"winlog.event_data.GrantedAccess"},{"raw_field":"EngineVersion","ecs":"winlog.event_data.EngineVersion"},{"raw_field":"OriginalName","ecs":"winlog.event_data.OriginalName"},{"raw_field":"AuditSourceName","ecs":"winlog.event_data.AuditSourceName"},{"raw_field":"sha1","ecs":"hash.sha1"},{"raw_field":"SourceIp","ecs":"source.ip"},{"raw_field":"Payload","ecs":"winlog.event_data.Payload"},{"raw_field":"Level","ecs":"winlog.event_data.Level"},{"raw_field":"Application","ecs":"winlog.event_data.Application"},{"raw_field":"RemoteAddress","ecs":"winlog.event_data.RemoteAddress"},{"raw_field":"SearchFilter","ecs":"winlog.event_data.SearchFilter"},{"raw_field":"ApplicationPath","ecs":"winlog.event_data.ApplicationPath"},{"raw_field":"TargetFilename","ecs":"winlog.event_data.TargetFilename"},{"raw_field":"CurrentDirectory","ecs":"winlog.event_data.CurrentDirectory"},{"raw_field":"ObjectType","ecs":"winlog.event_data.ObjectType"},{"raw_field":"ServicePrincipalNames","ecs":"winlog.event_data.ServicePrincipalNames"},{"raw_field":"TemplateContent","ecs":"winlog.event_data.TemplateContent"},{"raw_field":"QueryResults","ecs":"winlog.event_data.QueryResults"},{"raw_field":"ServiceStartType","ecs":"winlog.event_data.ServiceStartType"},{"raw_field":"EventType","ecs":"winlog.event_data.EventType"},{"raw_field":"TargetSid","ecs":"winlog.event_data.TargetSid"},{"raw_field":"ParentUser","ecs":"winlog.event_data.ParentUser"},{"raw_field":"NewTargetUserName","ecs":"winlog.event_data.NewTargetUserName"},{"raw_field":"DestAddress","ecs":"winlog.event_data.DestAddress"},{"raw_field":"ContextInfo","ecs":"winlog.event_data.ContextInfo"},{"raw_field":"HostName","ecs":"host.name"},{"raw_field":"NewTemplateContent","ecs":"winlog.event_data.NewTemplateContent"},{"raw_field":"LayerRTID","ecs":"winlog.event_data.LayerRTID"},{"raw_field":"ImageFileName","ecs":"winlog.event_data.ImageFileName"},{"raw_field":"StartFunction","ecs":"winlog.event_data.StartFunction"},{"raw_field":"Value","ecs":"winlog.event_data.Value"},{"raw_field":"ModifyingApplication","ecs":"winlog.event_data.ModifyingApplication"},{"raw_field":"Destination","ecs":"winlog.event_data.Destination"},{"raw_field":"Commandline","ecs":"winlog.event_data.Commandline"},{"raw_field":"Message","ecs":"winlog.event_data.Message"},{"raw_field":"ShareName","ecs":"winlog.event_data.ShareName"},{"raw_field":"SourcePort","ecs":"source.port"},{"raw_field":"CallerProcessName","ecs":"winlog.event_data.CallerProcessName"},{"raw_field":"ServiceFileName","ecs":"winlog.event_data.ServiceFileName"},{"raw_field":"DestinationIsIpv6","ecs":"winlog.event_data.DestinationIsIpv6"},{"raw_field":"TargetImage","ecs":"winlog.event_data.TargetImage"},{"raw_field":"SourceAddress","ecs":"source.ip"},{"raw_field":"TargetObject","ecs":"winlog.event_data.TargetObject"},{"raw_field":"Caption","ecs":"winlog.event_data.Caption"},{"raw_field":"LocalName","ecs":"winlog.event_data.LocalName"},{"raw_field":"ImageLoaded","ecs":"winlog.event_data.ImageLoaded"},{"raw_field":"EventID","ecs":"winlog.event_id"},{"raw_field":"sha256","ecs":"hash.sha256"},{"raw_field":"ScriptBlockLogging","ecs":"winlog.event_data.ScriptBlockLogging"},{"raw_field":"SourceParentImage","ecs":"winlog.event_data.SourceParentImage"},{"raw_field":"SourceFilename","ecs":"winlog.event_data.SourceFilename"},{"raw_field":"Protocol","ecs":"winlog.event_data.Protocol"},{"raw_field":"ValidatedPolicy","ecs":"winlog.event_data.ValidatedPolicy"},{"raw_field":"ProcessPath","ecs":"winlog.event_data.ProcessPath"},{"raw_field":"OldValue","ecs":"winlog.event_data.OldValue"},{"raw_field":"ParentProcessId","ecs":"winlog.event_data.ParentProcessId"},{"raw_field":"TaskContentNew","ecs":"winlog.event_data.TaskContentNew"},{"raw_field":"Name","ecs":"winlog.event_data.Name"},{"raw_field":"payload","ecs":"winlog.event_data.payload"},{"raw_field":"SourceHostname","ecs":"winlog.event_data.SourceHostname"},{"raw_field":"ClientProcessId","ecs":"winlog.event_data.ClientProcessId"},{"raw_field":"TargetParentImage","ecs":"winlog.event_data.TargetParentImage"},{"raw_field":"ImpersonationLevel","ecs":"winlog.event_data.ImpersonationLevel"},{"raw_field":"ExceptionCode","ecs":"winlog.event_data.ExceptionCode"},{"raw_field":"FilterOrigin","ecs":"winlog.event_data.FilterOrigin"},{"raw_field":"PackagePath","ecs":"winlog.event_data.PackagePath"},{"raw_field":"SignatureStatus","ecs":"winlog.event_data.SignatureStatus"},{"raw_field":"Hash","ecs":"winlog.event_data.Hash"},{"raw_field":"AppID","ecs":"winlog.event_data.AppID"},{"raw_field":"SidList","ecs":"winlog.event_data.SidList"},{"raw_field":"ProcessNameBuffer","ecs":"winlog.event_data.ProcessNameBuffer"},{"raw_field":"PreviousCreationUtcTime","ecs":"winlog.event_data.PreviousCreationUtcTime"},{"raw_field":"Contents","ecs":"winlog.event_data.Contents"},{"raw_field":"TargetOutboundUserName","ecs":"winlog.event_data.TargetOutboundUserName"},{"raw_field":"ImageName","ecs":"winlog.event_data.ImageName"},{"raw_field":"md5","ecs":"hash.md5"},{"raw_field":"DeviceName","ecs":"winlog.event_data.DeviceName"},{"raw_field":"RequestedPolicy","ecs":"winlog.event_data.RequestedPolicy"},{"raw_field":"FileNameBuffer","ecs":"winlog.event_data.FileNameBuffer"},{"raw_field":"TaskContent","ecs":"winlog.event_data.TaskContent"},{"raw_field":"SourceCommandLine","ecs":"winlog.event_data.SourceCommandLine"},{"raw_field":"CreationUtcTime","ecs":"winlog.event_data.CreationUtcTime"},{"raw_field":"AppName","ecs":"winlog.event_data.AppName"},{"raw_field":"subjectName","ecs":"winlog.event_data.subjectName"},{"raw_field":"process","ecs":"winlog.event_data.process"},{"raw_field":"PackageFullName","ecs":"winlog.event_data.PackageFullName"},{"raw_field":"SourceName","ecs":"winlog.event_data.SourceName"},{"raw_field":"Data","ecs":"winlog.event_data.Data"},{"raw_field":"param3","ecs":"winlog.event_data.param3"},{"raw_field":"Signature","ecs":"winlog.event_data.Signature"}]
当前内容版权归 OpenSearch 或其关联方所有,如需对内容或内容相关联开源项目进行关注与资助,请访问 OpenSearch .
