Supported data sources in behavioral analytics service
Behavioral analytics service uses data sources to generate anomalies.
The following table identifies the source types supported by universal forwarders:
| Data source | Sourcetype for universal forwarder |
|---|---|
| Windows security logs | XmlWinEventLog:Security |
Windows event IDs supported in Splunk Behavioral Analytics
The following table summarizes the Microsoft Windows event IDs used by behavioral analytics service. For instructions on logging these events, see Configure Windows event logging.
| Event ID | Description | Supported for XmlWinEventLog |
|---|---|---|
| 4103 | Windows license activation failed | Yes |
| 4104 | PowerShell script block logging | Yes |
| 4624 | An account was successfully logged on | Yes |
| 4625 | An account failed to log on | Yes |
| 4661 | A handle to an object was requested | Yes |
| 4662 | An operation was performed on an object | Yes |
| 4663 | An attempt was made to access an object | Yes |
| 4673 | A privileged service was called | Yes |
| 4688 | A new process has been created | Yes |
| 4689 | A process has exited | Yes |
| 5145 | A network share object was checked to see whether client can be granted desired access | Yes |
Data source sample events and field mappings
Behavioral analytics service extracts the values of specific fields from each data source and maps them to the field names its models use. The Fields and mapping tables below show, for each event ID, how fields in raw events are mapped. The tables contain the following columns:
| Table column | Description |
|---|---|
| Raw event field name | The original value of the field in the raw event. |
| Behavioral analytics service token name | What the field in the raw event is mapped to in behavioral analytics service. For example, the raw event may contain a field named threatURL, but the models in behavioral analytics service require a field named threat_url. |
| Behavioral analytics service entity/field type | The entity type used to enrich entities with assets and identities data. It selects the lookup table: for example, a local_ip field in the raw event marked as dest_user/DNS in the table is looked up in the DNS table instead of the IP table. |
| Behavioral analytics service data model | Data models in behavioral analytics service normalize data into specific categories like Authorization or Endpoint. The detections in the system run queries against this normalized data instead of running vendor-specific queries. |
XmlWinEventLog logs
Sample XmlWinEventLog events
4689
<?xml version="1.0" encoding="UTF-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4689</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13313</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-27T17:13:01.826339500Z" />
<EventRecordID>187030</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="144" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x31365</Data>
<Data Name="Status">0x0</Data>
<Data Name="ProcessId">0xfb0</Data>
<Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
</EventData>
</Event>
5145
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5145</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12811</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-17T23:54:48.941761700Z" />
<EventRecordID>267092</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38d34</Data>
<Data Name="ObjectType">File</Data>
<Data Name="IpAddress">fe80::31ea:6c3c:f40d:1973</Data>
<Data Name="IpPort">56926</Data>
<Data Name="ShareName">\\\\\*\\Documents</Data>
<Data Name="ShareLocalPath">\\??\\C:\\Documents</Data>
<Data Name="RelativeTargetName">Bginfo.exe</Data>
<Data Name="AccessMask">0x100081</Data>
<Data Name="AccessList">%%1541 %%4416 %%4423</Data>
<Data Name="AccessReason">%%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD)</Data>
</EventData>
</Event>
Fields and Mapping
4103
| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
|---|---|---|---|
| Provider | source_name | Endpoint_Processes | |
| Computer | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes | |
| UserID | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes | |
| Payload | process | Endpoint_Processes | |
| Static value: "powershell.exe" | parent_process_name, process_name | Endpoint_Processes | |
| Task | task_category (extended) | | |
| Channel | log_name (extended) | | |
| EventID | signature_id (extended) | | |
4104
| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
|---|---|---|---|
| Provider (Name attribute) | source_name | Endpoint_Processes | |
| Computer | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes | |
| Path | process_path (extracted from the script path), process_name (extracted from the script path) | Endpoint_Processes | |
| Static value: "powershell.exe" | parent_process_name | Endpoint_Processes | |
| Task | task_category (extended) | | |
| Channel | log_name (extended) | | |
| EventID | signature_id (extended) | | |
4624
| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
|---|---|---|---|
| Keywords | action (calculated field) | Authentication | |
| Static value: "An account was successfully logged on" | signature | Authentication | |
| EventID | signature_id | Authentication | |
| Computer | origin_device_domain | src_device/DNS | Authentication |
| FailureReason | reason | Authentication | |
| SubjectUserName | src_user/WINDOWS_ACCOUNT_NAME | Authentication | |
| TargetUserName | src_user/WINDOWS_ACCOUNT_NAME | Authentication | |
| TargetDomainName | dest_nt_domain | Authentication | |
| AuthenticationPackageName | auth_pkg | Authentication | |
| LogonType | authentication_type, authentication_type_name (calculated field) | Authentication | |
| LogonProcessName | authentication_method | Authentication | |
| ProcessName | app | Authentication | |
| WorkstationName | src_device/DNS | Authentication | |
| IpAddress | dest_device/IP, src_device/IP | Authentication | |
| Keywords | action (calculated field) | Endpoint_Processes | |
| Static value: "Microsoft Windows" | vendor_product, os | Endpoint_Processes | |
| Computer | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes | |
| SubjectUserName | endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes | |
| TargetUserName | endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes | |
| ProcessId | process_id | Endpoint_Processes | |
| ProcessName | process_name, process_exec, process_current_directory, process_path, process. Note: If ProcessName is empty, process_name and process_exec are extracted from the logon process (LogonProcessName). | Endpoint_Processes | |
| WorkstationName | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes | |
| IpAddress | dest_device/IP, endpoint_device/DNS | Endpoint_Processes | |
| Task | task_category (extended) | | |
| Provider (Name attribute) | source_name (extended) | | |
| Channel | log_name (extended) | | |
| SubjectDomainName | account_domain (extended) | | |
4625
| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
|---|---|---|---|
| Keywords | action (calculated field) | Authentication | |
| Static value: "An account failed to log on" | signature | Authentication | |
| EventID | signature_id | Authentication | |
| Computer | origin_device_domain | src_device/DNS | Authentication |
| FailureReason | reason | Authentication | |
| SubjectUserName | src_user/WINDOWS_ACCOUNT_NAME | Authentication | |
| TargetUserName | src_user/WINDOWS_ACCOUNT_NAME | Authentication | |
| TargetDomainName | dest_nt_domain | Authentication | |
| AuthenticationPackageName | auth_pkg | Authentication | |
| LogonType | authentication_type, authentication_type_name (calculated field) | Authentication | |
| LogonProcessName | authentication_method | Authentication | |
| ProcessName | app | Authentication | |
| WorkstationName | src_device/DNS | Authentication | |
| IpAddress | dest_device/IP, src_device/IP | Authentication | |
| Status | event_return_code (calculated field) | Authentication | |
| Static value: "ActiveDirectory" | authentication_service | Authentication | |
| Keywords | action (calculated field) | Endpoint_Processes | |
| Static value: "Microsoft Windows" | vendor_product, os | Endpoint_Processes | |
| Computer | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes | |
| SubjectUserName | endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes | |
| TargetUserName | endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes | |
| ProcessId | process_id | Endpoint_Processes | |
| ProcessName | process_name, process_exec, process_current_directory, process_path, process. Note: If ProcessName is empty, process_name and process_exec are extracted from the logon process (LogonProcessName). | Endpoint_Processes | |
| WorkstationName | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes | |
| IpAddress | dest_device/IP, endpoint_device/DNS | Endpoint_Processes | |
| Task | task_category (extended) | | |
| Provider (Name attribute) | source_name (extended) | | |
| Channel | log_name (extended) | | |
| SubjectDomainName | account_domain (extended) | | |
4661
| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
|---|---|---|---|
| ObjectName | resource_handle | Endpoint_ResourceAccess | |
| ObjectType | resource_type | Endpoint_ResourceAccess | |
| HandleId | resource_handle_id | Endpoint_ResourceAccess | |
| AccessMask | resource_operation_access_mask | Endpoint_ResourceAccess | |
| PrivilegeList | resource_operation_privileges | Endpoint_ResourceAccess | |
| Properties | resource_operation_properties | Endpoint_ResourceAccess | |
| RestrictedSidCount | resource_operation_restricted_sid_count | Endpoint_ResourceAccess | |
| AccessList | resource_operation_access | Endpoint_ResourceAccess | |
| ProcessId | process_id | Endpoint_Processes | |
| ProcessName | process_name, process_path | Endpoint_Processes | |
| Calculated field | event_description | Endpoint_ResourceAccess | |
| Computer | dest_device/DNS, endpoint_device/DNS | Endpoint_ResourceAccess, Endpoint_Processes | |
| SubjectUserName | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess, Endpoint_Processes | |
| SubjectLogonId | logon_id | Endpoint_ResourceAccess | |
| TransactionId | resource_operation_transaction_id | Endpoint_ResourceAccess | |
| Keywords | event_status | Endpoint_ResourceAccess | |
| Computer | dest_nt_domain (extended) | Endpoint_ResourceAccess (v2) | |
| ObjectName | resource_handle_name (extended) | Endpoint_ResourceAccess (v2) | |
| Task | task_category (extended) | | |
| Provider (Name attribute) | source_name (extended) | | |
| Channel | log_name (extended) | | |
| SubjectDomainName | account_domain (extended) | | |
| EventID | signature_id (extended) | | |
4662
| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
|---|---|---|---|
| ObjectName | resource_handle | Endpoint_ResourceAccess | |
| ObjectType | resource_type | Endpoint_ResourceAccess | |
| HandleId | resource_handle_id | Endpoint_ResourceAccess | |
| AccessMask | resource_operation_access_mask | Endpoint_ResourceAccess | |
| Properties | resource_operation_properties | Endpoint_ResourceAccess | |
| RestrictedSidCount | resource_operation_restricted_sid_count | Endpoint_ResourceAccess | |
| AccessList | resource_operation_access | Endpoint_ResourceAccess | |
| OperationType | resource_operation_type | Endpoint_ResourceAccess | |
| Calculated field | event_description | Endpoint_ResourceAccess | |
| Computer | dest_device/DNS | Endpoint_ResourceAccess, Endpoint_Processes | |
| SubjectUserName | dest_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess | |
| SubjectLogonId | logon_id | Endpoint_ResourceAccess | |
| Keywords | event_status | Endpoint_ResourceAccess | |
| Computer | dest_nt_domain (extended) | Endpoint_ResourceAccess (v2) | |
| Task | task_category (extended) | | |
| Provider (Name attribute) | source_name (extended) | | |
| Channel | log_name (extended) | | |
| SubjectDomainName | account_domain (extended) | | |
| EventID | signature_id (extended) | | |
4663
| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
|---|---|---|---|
| ObjectName | resource_handle | Endpoint_ResourceAccess | |
| ObjectType | resource_type | Endpoint_ResourceAccess | |
| HandleId | resource_handle_id | Endpoint_ResourceAccess | |
| AccessList | resource_operation_access | Endpoint_ResourceAccess | |
| AccessMask | resource_operation_access_mask | Endpoint_ResourceAccess | |
| ProcessId | process_id | Endpoint_Processes | |
| ProcessName | process_name, process_path | Endpoint_Processes | |
| Calculated field | event_description | Endpoint_ResourceAccess | |
| Computer | dest_device/DNS, endpoint_device/DNS | Endpoint_ResourceAccess, Endpoint_Processes | |
| SubjectUserName | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess, Endpoint_Processes | |
| SubjectLogonId | logon_id | Endpoint_ResourceAccess | |
| Keywords | event_status | Endpoint_ResourceAccess | |
| Computer | dest_nt_domain (extended) | Endpoint_ResourceAccess (v2) | |
| ObjectName | resource_handle_name (extended) | Endpoint_ResourceAccess (v2) | |
| Task | task_category (extended) | | |
| Provider (Name attribute) | source_name (extended) | | |
| Channel | log_name (extended) | | |
| SubjectDomainName | account_domain (extended) | | |
| EventID | signature_id (extended) | | |
4688
| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
|---|---|---|---|
| CommandLine | process | Endpoint_Processes | |
| Keywords | action (calculated field) | Endpoint_Processes | |
| NewProcessId | process_id | Endpoint_Processes | |
| NewProcessName | process_name, process_exec, process_current_directory, process_path | Endpoint_Processes | |
| Static value: "Microsoft Windows" | vendor_product, os | Endpoint_Processes | |
| ParentProcessName | parent_process_name | Endpoint_Processes | |
| ProcessId | parent_process_id | Endpoint_Processes | |
| TargetUserName | dest_user/WINDOWS_ACCOUNT_NAME, endpoint_user/WINDOWS_ACCOUNT_NAME | Endpoint_Processes | |
| Computer | dest_device/DNS, endpoint_device/DNS | Endpoint_Processes | |
| Task | task_category (extended) | | |
| Provider (Name attribute) | source_name (extended) | | |
| Channel | log_name (extended) | | |
| SubjectDomainName | account_domain (extended) | | |
| EventID | signature_id (extended) | | |
4689
| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
|---|---|---|---|
| Keywords | action (calculated field) | Endpoint_Processes | |
| Static value: "Microsoft Windows" | vendor_product, os | Endpoint_Processes | |
| Computer | dest_device/DNS | Endpoint_Processes | |
| SubjectUserName | dest_user/WINDOWS_ACCOUNT_NAME. Note: dest_user is populated only if SubjectUserName does not end in $. | Endpoint_Processes | |
| ProcessId | process_id | Endpoint_Processes | |
| ProcessName | process_name, process_exec, process_current_directory, process_path, process | Endpoint_Processes | |
| Task | task_category (extended) | | |
| Provider (Name attribute) | source_name (extended) | | |
| Channel | log_name (extended) | | |
| SubjectDomainName | account_domain (extended) | | |
| EventID | signature_id (extended) | | |
4768
| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
|---|---|---|---|
| Status | action. Note: If Status is 0x0, the action is Successful; otherwise the action is Failed. | Authentication | |
| Static value: "Kerberos" | authentication_method | Authentication | |
| Static value: "ActiveDirectory" | authentication_service | Authentication | |
| Static value: "Network" | authentication_type_name | Authentication | |
| TargetUserName | dest_user/WINDOWS_ACCOUNT_NAME or dest_device/DNS. Note: If TargetUserName contains a user, dest_user is populated; if it contains a device name, dest_device is populated. | Authentication | |
| Status | reason. Note: If Status = 0x18, 0xc0000064, or 0xc000006e, reason is "Invalid Password". | Authentication | |
| Status | event_return_code | Authentication | |
| Static value: "A Kerberos authentication ticket (TGT) was requested." | signature | Authentication | |
| EventID | signature_id | Authentication | |
| Static value: "ActiveDirectory" | app | Authentication | |
| IpPort | dest_port | Certificates | |
| CertThumbprint | ssl_hash | Certificates | |
| CertIssuerName | ssl_issuer | Certificates | |
| CertIssuerName | ssl_issuer_common_name | Certificates | |
| CertSerialNumber | ssl_serial | Certificates | |
| Status | ssl_is_valid | Certificates | |
| TicketEncryptionType | ssl_signature_algorithm | | |
| Task | task_category (extended) | | |
| Provider (Name attribute) | source_name (extended) | | |
| Channel | log_name (extended) | | |
| TargetDomainName | account_domain (extended) | | |
4769
| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
|---|---|---|---|
| Keywords | action. Note: If Keywords is 0x8020000000000000, the action is Successful; otherwise the action is Failed. | Authentication | |
| Static value: "Kerberos" | authentication_method | Authentication | |
| Static value: "ActiveDirectory" | authentication_service | Authentication | |
| Static value: "Network" | authentication_type_name | Authentication | |
| Computer | origin_device_domain | origin_device/DNS | Authentication |
| Static value: "A Kerberos service ticket was requested." | signature | Authentication | |
| EventID | signature_id | Authentication | |
| TargetUserName | dest_user/WINDOWS_ACCOUNT_NAME or dest_device/DNS. Note: If TargetUserName contains a user, dest_user is populated; if it contains a device name, dest_device is populated. | Authentication | |
| TargetDomainName | dest_nt_domain | Authentication | |
| IpAddress | dest_device/IP | Authentication | |
| Status | event_return_code, reason. Note: If the result code in Status = 0x18, 0xc0000064, or 0xc000006e, reason is "Invalid Password". | Authentication | |
| Static value: "ActiveDirectory" | app | Authentication | |
5140
| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
|---|---|---|---|
| Calculated field | event_description | Endpoint_ResourceAccess | |
| Task | task_category | Endpoint_ResourceAccess | |
| Provider (Name attribute) | source_name | Endpoint_ResourceAccess | |
| AccessMask | resource_operation_access_mask | Endpoint_ResourceAccess | |
| AccessList | resource_operation_accesses | Endpoint_ResourceAccess | |
| ObjectType | resource_type | Endpoint_ResourceAccess | |
| Channel | log_name | Endpoint_ResourceAccess | |
| ShareName | resource_handle | Endpoint_ResourceAccess | |
| SubjectDomainName | account_domain | Endpoint_ResourceAccess | |
| Keywords | event_status | Endpoint_ResourceAccess | |
| ShareLocalPath | resource_handle_path (extended) | Endpoint_ResourceAccess (v2) | |
| EventID | signature_id (extended) | Endpoint_ResourceAccess (v2) | |
| IpAddress | source_address (extended) | Endpoint_ResourceAccess (v2) | |
| Computer | dest_nt_domain | Endpoint_ResourceAccess (v2) | |
| IpPort | source_port (extended) | Endpoint_ResourceAccess (v2) | |
| Computer | dest_device/DNS | Endpoint_ResourceAccess | |
| SubjectUserName | dest_user/WINDOWS_ACCOUNT_NAME or dest_device/DNS. Note: If SubjectUserName contains a user name, dest_user is populated; if it contains a device, dest_device is populated. | Endpoint_ResourceAccess | |
5145
| Raw event field name | Behavioral analytics service token name | Behavioral analytics service entity/field type | Behavioral analytics service data model |
|---|---|---|---|
| Calculated field | event_description | Endpoint_ResourceAccess | |
| Task | task_category | Endpoint_ResourceAccess | |
| Provider (name attribute) | source_name | Endpoint_ResourceAccess | |
| AccessMask | resource_operation_access_mask | Endpoint_ResourceAccess | |
| AccessList | resource_operation_accesses | Endpoint_ResourceAccess | |
| ObjectType | resource_type | Endpoint_ResourceAccess | |
| Channel | log_name | Endpoint_ResourceAccess | |
| ShareName | resource_handle | Endpoint_ResourceAccess | |
| SubjectDomainName | account_domain | Endpoint_ResourceAccess | |
| Keywords | event_status | Endpoint_ResourceAccess | |
| RelativeTargetName | resource_handle_name (extended) | Endpoint_ResourceAccess (v2) | |
| ShareLocalPath | resource_handle_path (extended) | Endpoint_ResourceAccess (v2) | |
| EventID | signature_id (extended) | Endpoint_ResourceAccess (v2) | |
| IpAddress | source_address (extended) | Endpoint_ResourceAccess (v2) | |
| Computer | dest_nt_domain | Endpoint_ResourceAccess (v2) | |
| IpPort | source_port (extended) | Endpoint_ResourceAccess (v2) | |
| Computer | dest_device/DNS | Endpoint_ResourceAccess | |
| SubjectUserName | dest_user/WINDOWS_ACCOUNT_NAME | Endpoint_ResourceAccess | |
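To make the mapping concrete, here is an added example (not code from the Splunk documentation or from the behavioral analytics service itself) that parses trimmed copies of the 4689 and 5145 sample events above and applies the rules from their mapping tables: the shared "(extended)" fields, the 4689 note that dest_user is populated only when SubjectUserName does not end in $, and the Keywords success/failure rule stated in the 4769 table. Deriving process_name from the last path component of ProcessName and applying the 4769 Keywords rule to event_status for 5145 are assumptions, not something the page states.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed test input: trimmed copies of the page's 4689 and 5145 sample events.
EVENT_4689 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-Security-Auditing" /><EventID>4689</EventID><Task>13313</Task>
<Keywords>0x8020000000000000</Keywords><Channel>Security</Channel><Computer>DC01.contoso.local</Computer>
</System><EventData><Data Name="SubjectUserName">dadmin</Data><Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="ProcessId">0xfb0</Data><Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
</EventData></Event>"""
EVENT_5145 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-Security-Auditing" /><EventID>5145</EventID><Task>12811</Task>
<Keywords>0x8020000000000000</Keywords><Channel>Security</Channel><Computer>DC01.contoso.local</Computer>
</System><EventData><Data Name="SubjectUserName">dadmin</Data><Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="ObjectType">File</Data><Data Name="IpAddress">fe80::31ea:6c3c:f40d:1973</Data>
<Data Name="IpPort">56926</Data><Data Name="ShareName">\\*\Documents</Data>
<Data Name="ShareLocalPath">\??\C:\Documents</Data><Data Name="RelativeTargetName">Bginfo.exe</Data>
<Data Name="AccessMask">0x100081</Data><Data Name="AccessList">%%1541 %%4416 %%4423</Data>
</EventData></Event>"""

def parse_event(xml_text):
    """Flatten one XmlWinEventLog event into {raw field name: value}."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    raw = {tag: system.findtext("e:" + tag, default="", namespaces=NS)
           for tag in ("EventID", "Task", "Keywords", "Channel", "Computer")}
    raw["Provider"] = system.find("e:Provider", NS).get("Name", "")
    for data in root.iterfind("e:EventData/e:Data", NS):
        raw[data.get("Name")] = data.text or ""
    return raw

def action_from_keywords(keywords):
    # Page rule (4769 table): Keywords 0x8020000000000000 is Successful, anything else Failed.
    return "Successful" if int(keywords, 16) == 0x8020000000000000 else "Failed"

def extended_fields(raw):
    # The "(extended)" rows that every mapping table shares.
    return {"task_category": raw["Task"], "source_name": raw["Provider"], "log_name": raw["Channel"],
            "signature_id": raw["EventID"], "account_domain": raw.get("SubjectDomainName", "")}

def map_4689(raw):
    # Endpoint_Processes mapping for "A process has exited".
    out = extended_fields(raw)
    out.update(action=action_from_keywords(raw["Keywords"]), vendor_product="Microsoft Windows",
               os="Microsoft Windows", dest_device=raw["Computer"], process_id=raw["ProcessId"],
               process_path=raw["ProcessName"],
               # Assumption: process_name is the last path component of ProcessName.
               process_name=raw["ProcessName"].rsplit("\\", 1)[-1])
    # 4689 note: dest_user is populated only when SubjectUserName does not end in "$" (machine account).
    if not raw["SubjectUserName"].endswith("$"):
        out["dest_user"] = raw["SubjectUserName"]
    return out

def map_5145(raw):
    # Endpoint_ResourceAccess mapping for a network share access check.
    out = extended_fields(raw)
    out.update(resource_handle=raw["ShareName"], resource_handle_path=raw["ShareLocalPath"],
               resource_handle_name=raw["RelativeTargetName"], resource_type=raw["ObjectType"],
               resource_operation_access_mask=int(raw["AccessMask"], 16),
               resource_operation_accesses=raw["AccessList"].split(),
               source_address=raw["IpAddress"], source_port=int(raw["IpPort"]),
               dest_nt_domain=raw["Computer"], dest_device=raw["Computer"], dest_user=raw["SubjectUserName"],
               # Assumption: event_status carries the 4769 Keywords success/failure rule.
               event_status=action_from_keywords(raw["Keywords"]))
    return out

def normalize(xml_text):
    """Parse one event and apply the mapping table for its EventID."""
    raw = parse_event(xml_text)
    mapper = {"4689": map_4689, "5145": map_5145}.get(raw["EventID"])
    if mapper is None:
        raise ValueError("no mapping table for event ID " + raw["EventID"])
    return mapper(raw)
```

Event IDs without a mapping table are rejected rather than silently half-normalized, which is the behaviour a detection pipeline wants when an unexpected source type arrives.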