Windows Resource
win_resource
The Windows resource object describes a resource object managed by Windows, such as mutant or timer.
Contents
Attributes
| Caption | Name | Type | Is Array | Default | Description |
|---|---|---|---|---|---|
| Data | data | JSON | Additional data describing the resource. | ||
| Data Classification | data_classification | Data Classification | The Data Classification object includes information about data classification levels and data category types. | ||
| Details | details | String | The string detailing the attributes of the resource object. | ||
| Labels | labels | String | The list of labels/tags associated to a resource. | ||
| Name | name | String | The name of the resource object. | ||
| Raw Data | raw_data | JSON | The event data as received from the event source. | ||
| Record ID | record_id | String | Unique identifier for the object | ||
| Service Name | svc_name | String | The Windows service acting as the object server for the resource object, such as Security or Security Account Manager. | ||
| Type | type | String | The type of the Windows resource object. | ||
| Type ID | type_id | Integer |
The normalized type identifier of the Windows resource object accessed.
|
||
| Unique ID | uid | String | The Windows provided handle identifier for the resource object | ||
| Unmapped Data | unmapped | Unmapped | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. |
References
Referenced By
Context
JSON
{
"description": "The Windows resource object describes a resource object managed by Windows, such as mutant or timer.",
"caption": "Windows Resource",
"name": "win_resource",
"extends": "_resource",
"attributes": {
"name": {
"description": "The name of the resource object.",
"requirement": "recommended",
"caption": "Name",
"type": "string_t"
},
"details": {
"description": "The string detailing the attributes of the resource object.",
"requirement": "optional",
"caption": "Details",
"type": "string_t"
},
"svc_name": {
"description": "The Windows service acting as the object server for the resource object, such as Security or Security Account Manager.",
"requirement": "optional",
"caption": "Service Name",
"type": "string_t"
},
"type": {
"description": "The type of the Windows resource object.",
"requirement": "optional",
"caption": "Type",
"type": "string_t"
},
"type_id": {
"description": "The normalized type identifier of the Windows resource object accessed.",
"enum": {
"99": {
"caption": "Other",
"description": "The resource object type is not mapped. See the <code>type</code> attribute, which may contain a data source specific value."
},
"0": {
"caption": "Unknown",
"description": "The resource object type is unknown."
},
"1": {
"caption": "Directory"
},
"2": {
"caption": "Event"
},
"3": {
"caption": "Timer"
},
"4": {
"caption": "Device"
},
"5": {
"caption": "Mutant"
},
"6": {
"caption": "Type"
},
"7": {
"caption": "File"
},
"8": {
"caption": "Token"
},
"9": {
"caption": "Thread"
},
"10": {
"caption": "Section"
},
"11": {
"caption": "WindowStation"
},
"12": {
"caption": "DebugObject"
},
"13": {
"caption": "FilterCommunicationPort"
},
"14": {
"caption": "EventPair"
},
"15": {
"caption": "Driver"
},
"16": {
"caption": "IoCompletion"
},
"17": {
"caption": "Controller"
},
"18": {
"caption": "SymbolicLink"
},
"19": {
"caption": "WmiGuid"
},
"20": {
"caption": "Process"
},
"21": {
"caption": "Profile"
},
"22": {
"caption": "Desktop"
},
"23": {
"caption": "KeyedEvent"
},
"24": {
"caption": "Adapter"
},
"25": {
"caption": "Key"
},
"26": {
"caption": "WaitablePort"
},
"27": {
"caption": "Callback"
},
"28": {
"caption": "Semaphore"
},
"29": {
"caption": "Job"
},
"30": {
"caption": "Port"
},
"31": {
"caption": "FilterConnectionPort"
},
"32": {
"caption": "ALPC Port"
},
"33": {
"caption": "SAM_ALIAS"
},
"34": {
"caption": "SAM_GROUP"
},
"35": {
"caption": "SAM_USER"
},
"36": {
"caption": "SAM_DOMAIN"
},
"37": {
"caption": "SAM_SERVER"
}
},
"sibling": "type",
"requirement": "required",
"type": "integer_t",
"caption": "Type ID"
},
"uid": {
"description": "The Windows provided handle identifier for the resource object",
"requirement": "recommended",
"caption": "Unique ID",
"type": "string_t"
},
"$include": [
"profiles/data_classification.json"
],
"data": {
"description": "Additional data describing the resource.",
"requirement": "optional",
"caption": "Data",
"type": "json_t"
},
"labels": {
"description": "The list of labels/tags associated to a resource.",
"requirement": "optional",
"caption": "Labels",
"type": "string_t",
"is_array": true
},
"data_classification": {
"group": "context",
"requirement": "recommended",
"caption": "Data Classification",
"description": "The Data Classification object includes information about data classification levels and data category types.",
"type": "data_classification"
},
"raw_data": {
"group": "context",
"caption": "Raw Data",
"description": "The event data as received from the event source.",
"type": "json_t"
},
"record_id": {
"description": "Unique identifier for the object",
"group": "primary",
"requirement": "required",
"caption": "Record ID",
"type": "string_t"
},
"unmapped": {
"caption": "Unmapped Data",
"description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
"type": "unmapped",
"is_array": true
}
},
"profiles": [
"data_classification"
],
"constraints": {
"at_least_one": [
"name",
"uid"
]
},
"extension": "windows"
}