Schema documentation for Win_Event_Log

This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.

The Windows_Event_Log object is intended to characterize entries in the Windows event log. Microsoft's Event schema is described at http://msdn.microsoft.com/en-us/library/aa385201 and the .NET API is described at http://msdn.microsoft.com/en-us/library/y80k1300.aspx.

<xs:element name="Windows_Event_Log" type="WinEventLogObj:WindowsEventLogObjectType">
  <xs:annotation>
    <xs:documentation>The Windows_Event_Log object is intended to characterize entries in the Windows event log. Microsoft's Event schema is described at http://msdn.microsoft.com/en-us/library/aa385201 and the .NET API is described at http://msdn.microsoft.com/en-us/library/y80k1300.aspx.</xs:documentation>
  </xs:annotation>
</xs:element>

The EID field specifies the ID of the event for which the event log entry was created.

<xs:element name="EID" type="cyboxCommon:LongObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The EID field specifies the ID of the event for which the event log entry was created.</xs:documentation>
  </xs:annotation>
</xs:element>

The event type associated with the entry in the event log, e.g., warning, information, error.

<xs:element name="Type" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The event type associated with the entry in the event log, e.g., warning, information, error.</xs:documentation>
  </xs:annotation>
</xs:element>

The name of the log.

<xs:element name="Log" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The name of the log.</xs:documentation>
  </xs:annotation>
</xs:element>

The rendered message string for the event.

<xs:element name="Message" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The rendered message string for the event.</xs:documentation>
  </xs:annotation>
</xs:element>

The event entry's category number, as defined by the source.

<xs:element name="Category_Num" type="cyboxCommon:LongObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The event entry's category number, as defined by the source.</xs:documentation>
  </xs:annotation>
</xs:element>

The text associated with Category_Num.

<xs:element name="Category" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The text associated with Category_Num.</xs:documentation>
  </xs:annotation>
</xs:element>

The Generation_Time field specifies the date/time the event was generated.

<xs:element name="Generation_Time" type="cyboxCommon:DateTimeObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Generation_Time field specifies the date/time the event was generated.</xs:documentation>
  </xs:annotation>
</xs:element>

What logged the event, typically the name of an application or sub-component.

<xs:element name="Source" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>What logged the event, typically the name of an application or sub-component.</xs:documentation>
  </xs:annotation>
</xs:element>

The name of the computer on which the event log entry was generated.

<xs:element name="Machine" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The name of the computer on which the event log entry was generated.</xs:documentation>
  </xs:annotation>
</xs:element>

The name of the user (the security ID) responsible for the event.

<xs:element name="User" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The name of the user (the security ID) responsible for the event.</xs:documentation>
  </xs:annotation>
</xs:element>

The event data as a binary blob.

<xs:element name="Blob" type="cyboxCommon:Base64BinaryObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The event data as a binary blob.</xs:documentation>
  </xs:annotation>
</xs:element>

A globally unique identifier that identifies the current activity.

<xs:element name="Correlation_Activity_ID" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>A globally unique identifier that identifies the current activity.</xs:documentation>
  </xs:annotation>
</xs:element>

A globally unique identifier that identifies the activity to which control was transferred to.

<xs:element name="Correlation_Related_Activity_ID" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>A globally unique identifier that identifies the activity to which control was transferred to.</xs:documentation>
  </xs:annotation>
</xs:element>

The Execution_Process_ID field specifies the Process ID (PID) of the process which created the event.

<xs:element name="Execution_Process_ID" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Execution_Process_ID field specifies the Process ID (PID) of the process which created the event.</xs:documentation>
  </xs:annotation>
</xs:element>

The Execution_Thread_ID field specifies the Thread ID (TID) of the thread which created the event.

<xs:element name="Execution_Thread_ID" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Execution_Thread_ID field specifies the Thread ID (TID) of the thread which created the event.</xs:documentation>
  </xs:annotation>
</xs:element>

The index of the event entry in the log.

<xs:element name="Index" type="cyboxCommon:LongObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The index of the event entry in the log.</xs:documentation>
  </xs:annotation>
</xs:element>

A DWORD value that is always set to ELF_LOG_SIGNATURE (the value 0x654c664c), which is ASCII for eLfL.

<xs:element name="Reserved" type="cyboxCommon:LongObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>A DWORD value that is always set to ELF_LOG_SIGNATURE (the value 0x654c664c), which is ASCII for eLfL.</xs:documentation>
  </xs:annotation>
</xs:element>

List of unformatted messages in the event log entry.

<xs:element name="Unformatted_Message_List" type="WinEventLogObj:UnformattedMessageListType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>List of unformatted messages in the event log entry.</xs:documentation>
  </xs:annotation>
</xs:element>

A single unformatted message in the event log entry.

<xs:element name="Unformatted_Message" type="cyboxCommon:StringObjectPropertyType" minOccurs="1" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>A single unformatted message in the event log entry.</xs:documentation>
  </xs:annotation>
</xs:element>

The Write_Time field specifies the date/time that the entry was written into the event log.

<xs:element name="Write_Time" type="cyboxCommon:DateTimeObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Write_Time field specifies the date/time that the entry was written into the event log.</xs:documentation>
  </xs:annotation>
</xs:element>

The WindowsEventLogObjectType type is intended to characterize entries in the Windows event log.

<xs:complexType name="WindowsEventLogObjectType" mixed="false">
  <xs:annotation>
    <xs:documentation>The WindowsEventLogObjectType type is intended to characterize entries in the Windows event log.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="cyboxCommon:ObjectPropertiesType">
      <xs:sequence>
        <xs:element name="EID" type="cyboxCommon:LongObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The EID field specifies the ID of the event for which the event log entry was created.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Type" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The event type associated with the entry in the event log, e.g., warning, information, error.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Log" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The name of the log.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Message" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The rendered message string for the event.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Category_Num" type="cyboxCommon:LongObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The event entry's category number, as defined by the source.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Category" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The text associated with Category_Num.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Generation_Time" type="cyboxCommon:DateTimeObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Generation_Time field specifies the date/time the event was generated.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Source" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>What logged the event, typically the name of an application or sub-component.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Machine" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The name of the computer on which the event log entry was generated.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="User" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The name of the user (the security ID) responsible for the event.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Blob" type="cyboxCommon:Base64BinaryObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The event data as a binary blob.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Correlation_Activity_ID" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>A globally unique identifier that identifies the current activity.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Correlation_Related_Activity_ID" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>A globally unique identifier that identifies the activity to which control was transferred to.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Execution_Process_ID" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Execution_Process_ID field specifies the Process ID (PID) of the process which created the event.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Execution_Thread_ID" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Execution_Thread_ID field specifies the Thread ID (TID) of the thread which created the event.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Index" type="cyboxCommon:LongObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The index of the event entry in the log.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Reserved" type="cyboxCommon:LongObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>A DWORD value that is always set to ELF_LOG_SIGNATURE (the value 0x654c664c), which is ASCII for eLfL.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Unformatted_Message_List" type="WinEventLogObj:UnformattedMessageListType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>List of unformatted messages in the event log entry.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Write_Time" type="cyboxCommon:DateTimeObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Write_Time field specifies the date/time that the entry was written into the event log.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>

The UnformattedMessageListType type is a list of unformatted messages in the event log entry.

<xs:complexType name="UnformattedMessageListType">
  <xs:annotation>
    <xs:documentation>The UnformattedMessageListType type is a list of unformatted messages in the event log entry.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Unformatted_Message" type="cyboxCommon:StringObjectPropertyType" minOccurs="1" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>A single unformatted message in the event log entry.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>

XML Schema documentation generated by <oXygen/>^® XML Editor.

Showing: