diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 5a2add4ff4b..8794b2e3ba6 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -256,6 +256,7 @@ /packages/windows/data_stream/applocker_exe_and_dll @elastic/security-external-integrations /packages/windows/data_stream/applocker_msi_and_script @elastic/security-external-integrations /packages/windows/data_stream/applocker_packaged_app_deployment @elastic/security-external-integrations +/packages/windows/data_stream/applocker_packaged_app_execution @elastic/security-external-integrations /packages/windows/data_stream/forwarded @elastic/security-external-integrations /packages/windows/data_stream/perfmon @elastic/elastic-agent-data-plane /packages/windows/data_stream/powershell @elastic/security-external-integrations diff --git a/packages/windows/_dev/build/docs/README.md b/packages/windows/_dev/build/docs/README.md index 5d655b29e63..e2e9ffaf049 100644 --- a/packages/windows/_dev/build/docs/README.md +++ b/packages/windows/_dev/build/docs/README.md @@ -109,6 +109,15 @@ The Windows `applocker_packaged_app_deployment` data stream provides events from {{fields "applocker_packaged_app_deployment"}} +### AppLocker/Packaged app-Execution + +The Windows `applocker_packaged_app_execution` data stream provides events from the Windows +`Microsoft-Windows-AppLocker/Packaged app-Execution` event log. + +{{event "applocker_packaged_app_execution"}} + +{{fields "applocker_packaged_app_execution"}} + ### Forwarded The Windows `forwarded` data stream provides events from the Windows diff --git a/packages/windows/_dev/deploy/docker/files/config.yml b/packages/windows/_dev/deploy/docker/files/config.yml index 363ee86d238..d73b0c670d9 100644 --- a/packages/windows/_dev/deploy/docker/files/config.yml +++ b/packages/windows/_dev/deploy/docker/files/config.yml 
@@ -307,3 +307,47 @@ rules: "splunk_server": "69819b6ce1bd" } } + - path: /services/search/jobs/export + user: test + password: test + methods: + - post + query_params: + index_earliest: "{index_earliest:[0-9]+}" + index_latest: "{index_latest:[0-9]+}" + output_mode: json + search: 'search sourcetype="XmlWinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution" | streamstats max(_indextime) AS max_indextime' + request_headers: + Content-Type: + - "application/x-www-form-urlencoded" + responses: + - status_code: 200 + headers: + Content-Type: + - "application/json" + body: |- + { + "preview": false, + "offset": 194, + "lastrow": true, + "result": { + "_bkt": "main~0~1212176D-89E1-485D-89E6-3ADC276CCA38", + "_cd": "0:315", + "_indextime": "1622471463", + "_raw": "802004000x20000000000000002986Microsoft-Windows-AppLocker/Packaged app-Executionel33t-b00k-14APPX{a9e18c21-ff8f-43cf-b9fc-db40eed693ba}39(Default Rule) All signed packaged apps81D:(XA;;FX;;;S-1-1-0;((Exists APPID://FQBN) && ((APPID://FQBN) >= ({\\\"*\\\\*\\\\*\\\",0}))))S-1-5-21-2707992022-4034939591-3454028951-10014186415MICROSOFT.TODOS116CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\\\MICROSOFT.TODOS\\\\APPX\\\\2.100.61791.00", + "_serial": "194", + "_si": [ + "69819b6ce1bd", + "main" + ], + "_sourcetype": "XmlWinEventLog:Security", + "_time": "2021-05-25 13:11:45.000 UTC", + "host": "VAGRANT", + "index": "main", + "linecount": "1", + "max_indextime": "1622471606", + "source": "WinEventLog:Security", + "sourcetype": "XmlWinEventLog:Security", + "splunk_server": "69819b6ce1bd" + } + } diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml index b7ca77f5d14..b03d93f9029 100644 --- a/packages/windows/changelog.yml +++ b/packages/windows/changelog.yml 
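Review bot: The new mock rule's response still reports `"source": "WinEventLog:Security"` and `"sourcetype"`/`"_sourcetype": "XmlWinEventLog:Security"` while the matched `search` and the `_raw` payload are for `Microsoft-Windows-AppLocker/Packaged app-Execution`, so the system test will exercise the httpjson stream's `json.result.source` → `event.provider` rename with the wrong provider. That looks copied from the Security fixture; I would change `"source": "WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution"` and set both sourcetype fields to the `XmlWinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution` value used in the query so the test reflects what Splunk actually returns for this channel.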
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.32.0" + changes: + - description: Add Windows AppLocker Packaged app-Execution data stream + type: enhancement + link: https://github.com/elastic/integrations/pull/7446 - version: "1.31.0" changes: - description: Add Windows AppLocker Packaged app-Deployment data stream diff --git a/packages/windows/data_stream/applocker_packaged_app_execution/_dev/test/pipeline/test-events-microsoft-windows-applocker-packaged-app-execution.json b/packages/windows/data_stream/applocker_packaged_app_execution/_dev/test/pipeline/test-events-microsoft-windows-applocker-packaged-app-execution.json new file mode 100644 index 00000000000..fa81d402bc3 --- /dev/null +++ b/packages/windows/data_stream/applocker_packaged_app_execution/_dev/test/pipeline/test-events-microsoft-windows-applocker-packaged-app-execution.json 
@@ -0,0 +1,57 @@ +{ + "events": [ + { + "@timestamp": "2023-08-13T13:53:33.7067781Z", + "event": { + "code": "8020", + "kind": "event", + "provider": "Microsoft-Windows-AppLocker" + }, + "host": { + "name": "el33t-b00k-1" + }, + "log": { + "level": "Information" + }, + "message": "MICROSOFT.TODOS was allowed to run.", + "winlog": { + "activity_id": "", + "channel": "Microsoft-Windows-AppLocker/Packaged app-Execution", + "computer_name": "el33t-b00k-1", + "user_data": { + "PolicyNameLength": "4", + "PolicyName": "APPX", + "RuleId": "{a9e18c21-ff8f-43cf-b9fc-db40eed693ba}", + "RuleNameLength": "39", + "RuleName": "(Default Rule) All signed packaged apps", + "RuleSddlLength": "81", + "RuleSddl": "D:(XA;;FX;;;S-1-1-0;((Exists APPID://FQBN) && ((APPID://FQBN) >= ({\"*\\*\\*\",0}))))", + "TargetUser": "S-1-5-21-2707992022-4034939591-3454028951-1001", + "TargetProcessId": "41864", + "PackageLength": "15", + "Package": "MICROSOFT.TODOS", + "FqbnLength": "116", + "Fqbn": "CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\MICROSOFT.TODOS\\APPX\\2.100.61791.00" + }, + "event_id": "8020", + "level": "Information", + "opcode": "Info", + "process": { + "pid": 1672, + "thread": { + "id": 8384 + } + }, + "provider_guid": "cbda4dbf-8d5d-4f69-9578-be14aa540d22", + "provider_name": "Microsoft-Windows-AppLocker", + "record_id": "2986", + "time_created": "2023-08-13T13:53:33.7067781Z", + "user": { + "identifier": "S-1-5-21-2707992022-4034939591-3454028951-1001", + "name": "Topsy" + }, + "version": 0 + } + } + ] +} diff --git a/packages/windows/data_stream/applocker_packaged_app_execution/_dev/test/pipeline/test-events-microsoft-windows-applocker-packaged-app-execution.json-expected.json b/packages/windows/data_stream/applocker_packaged_app_execution/_dev/test/pipeline/test-events-microsoft-windows-applocker-packaged-app-execution.json-expected.json new file mode 100644 index 00000000000..c34ffc9331e --- /dev/null 
+++ b/packages/windows/data_stream/applocker_packaged_app_execution/_dev/test/pipeline/test-events-microsoft-windows-applocker-packaged-app-execution.json-expected.json 
@@ -0,0 +1,81 @@ +{ + "expected": [ + { + "@timestamp": "2023-08-13T13:53:33.706Z", + "ecs": { + "version": "8.9.0" + }, + "event": { + "category": "process", + "code": "8020", + "kind": "event", + "provider": "Microsoft-Windows-AppLocker", + "type": "start" + }, + "file": { + "pe": { + "file_version": "2.100.61791.00", + "original_file_name": "APPX", + "product": "MICROSOFT.TODOS" + }, + "x509": { + "subject": { + "common_name": "MICROSOFT CORPORATION", + "country": "US", + "locality": "REDMOND", + "organization": "MICROSOFT CORPORATION", + "state_or_province": "WASHINGTON" + } + } + }, + "host": { + "name": "el33t-b00k-1" + }, + "log": { + "level": "Information" + }, + "message": "MICROSOFT.TODOS was allowed to run.", + "user": { + "id": "S-1-5-21-2707992022-4034939591-3454028951-1001", + "name": "Topsy" + }, + "winlog": { + "activity_id": "", + "channel": "Microsoft-Windows-AppLocker/Packaged app-Execution", + "computer_name": "el33t-b00k-1", + "event_id": "8020", + "level": "Information", + "opcode": "Info", + "process": { + "pid": 1672, + "thread": { + "id": 8384 + } + }, + "provider_guid": "cbda4dbf-8d5d-4f69-9578-be14aa540d22", + "provider_name": "Microsoft-Windows-AppLocker", + "record_id": "2986", + "time_created": "2023-08-13T13:53:33.7067781Z", + "user": { + "identifier": "S-1-5-21-2707992022-4034939591-3454028951-1001" + }, + "user_data": { + "Fqbn": "CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\MICROSOFT.TODOS\\APPX\\2.100.61791.00", + "FqbnLength": 116, + "Package": "MICROSOFT.TODOS", + "PackageLength": "15", + "PolicyName": "APPX", + "PolicyNameLength": 4, + "RuleId": "{a9e18c21-ff8f-43cf-b9fc-db40eed693ba}", + "RuleName": "(Default Rule) All signed packaged apps", + "RuleNameLength": 39, + "RuleSddl": "D:(XA;;FX;;;S-1-1-0;((Exists APPID://FQBN) \u0026\u0026 ((APPID://FQBN) \u003e= ({\"*\\*\\*\",0}))))", + "RuleSddlLength": 81, + "TargetProcessId": 41864, + "TargetUser": 
"S-1-5-21-2707992022-4034939591-3454028951-1001" + }, + "version": 0 + } + } + ] +} \ No newline at end of file diff --git a/packages/windows/data_stream/applocker_packaged_app_execution/_dev/test/system/test-default-config.yml b/packages/windows/data_stream/applocker_packaged_app_execution/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..4456a4f2583 --- /dev/null +++ b/packages/windows/data_stream/applocker_packaged_app_execution/_dev/test/system/test-default-config.yml @@ -0,0 +1,10 @@ +input: httpjson +service: splunk-mock +vars: + url: http://{{Hostname}}:{{Port}} + username: test + password: test + enable_request_tracer: true +data_stream: + vars: + preserve_original_event: true diff --git a/packages/windows/data_stream/applocker_packaged_app_execution/agent/stream/httpjson.yml.hbs b/packages/windows/data_stream/applocker_packaged_app_execution/agent/stream/httpjson.yml.hbs new file mode 100644 index 00000000000..bf9a16da897 --- /dev/null +++ b/packages/windows/data_stream/applocker_packaged_app_execution/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,104 @@ +config_version: "2" +interval: {{interval}} +{{#if enable_request_tracer}} +request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson" +{{/if}} +{{#unless token}} +{{#if username}} +{{#if password}} +auth.basic.user: {{username}} +auth.basic.password: {{password}} +{{/if}} +{{/if}} +{{/unless}} +cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' +request.url: {{url}}/services/search/jobs/export +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +request.method: POST +request.transforms: + - set: + target: url.params.search + value: |- + {{search}} | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: "json" + - set: + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + default: '[[(now (parseDuration "-{{interval}}")).Unix]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded +{{#unless username}} +{{#unless password}} +{{#if token}} + - set: + target: header.Authorization + value: {{token}} +{{/if}} +{{/unless}} +{{/unless}} +response.decode_as: application/x-ndjson +{{#if tags.length}} +tags: +{{else if preserve_original_event}} +tags: +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- decode_json_fields: + fields: message + target: json + add_error_key: true +- drop_event: + when: + not: + has_fields: ['json.result'] +- fingerprint: + fields: + - json.result._cd + - json.result._indextime + - json.result._raw + - json.result._time + - json.result.host + - json.result.source + target_field: "@metadata._id" +- drop_fields: + fields: message +- rename: + fields: + - from: json.result._raw + to: event.original + - from: json.result.host + to: host.name + - from: 
json.result.source + to: event.provider + ignore_missing: true + fail_on_error: false +- drop_fields: + fields: json +- decode_xml_wineventlog: + field: event.original + target_field: winlog + ignore_missing: true + ignore_failure: true + map_ecs_fields: true +{{#if processors.length}} +{{processors}} +{{/if}} diff --git a/packages/windows/data_stream/applocker_packaged_app_execution/agent/stream/winlog.yml.hbs b/packages/windows/data_stream/applocker_packaged_app_execution/agent/stream/winlog.yml.hbs new file mode 100644 index 00000000000..59793979f37 --- /dev/null +++ b/packages/windows/data_stream/applocker_packaged_app_execution/agent/stream/winlog.yml.hbs @@ -0,0 +1,31 @@ +name: Microsoft-Windows-AppLocker/Packaged app-Execution +condition: ${host.platform} == 'windows' +{{#if event_id}} +event_id: {{event_id}} +{{/if}} +{{#if ignore_older}} +ignore_older: {{ignore_older}} +{{/if}} +{{#if language}} +language: {{language}} +{{/if}} +{{#if tags.length}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{/if}} +{{#if preserve_original_event}} +include_xml: true +{{/if}} +processors: +- translate_sid: + field: winlog.event_data.MemberSid + account_name_target: winlog.event_data._MemberUserName + domain_target: winlog.event_data._MemberDomain + account_type_target: winlog.event_data._MemberAccountType + ignore_missing: true + ignore_failure: true +{{#if processors.length}} +{{processors}} +{{/if}} diff --git a/packages/windows/data_stream/applocker_packaged_app_execution/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/applocker_packaged_app_execution/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..1366576a6bc --- /dev/null +++ b/packages/windows/data_stream/applocker_packaged_app_execution/elasticsearch/ingest_pipeline/default.yml 
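Review bot: In httpjson.yml.hbs `auth.basic.password: {{password}}` and the `Authorization` transform's `value: {{token}}` interpolate secrets unquoted into YAML, so unless the policy renderer quotes them for you a password containing `#`, `: ` or a leading special character breaks or is silently mis-parsed; `auth.basic.password: "{{password}}"` and `value: "{{token}}"` avoid that. Separately, `request.tracer.filename` writes the full request and response — including the basic-auth or `Authorization` header and every returned event — to `../../logs/httpjson/`, so the README section this PR adds should carry the usual caveat that `enable_request_tracer` is a debugging aid that may expose credentials and event data on disk. The `{{search}}` variable is spliced verbatim into the SPL sent to Splunk; that is intended for an operator-set value, but a one-line note in the variable description that it is executed as-is would be worth adding.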
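Review bot: The `translate_sid` processor in winlog.yml.hbs targets `winlog.event_data.MemberSid`, but Packaged app-Execution events carry their data under `winlog.user_data` with the account SID in `TargetUser` (see the sample in the pipeline test), so this processor can never match and appears copied from a Security-channel stream. Either drop it or point it at the field this channel has: `field: winlog.user_data.TargetUser`, `account_name_target: winlog.user_data._TargetUserName`, `domain_target: winlog.user_data._TargetUserDomain`. If it is kept, the ingest pipeline should consume those resolved names into `user.name`/`user.domain`; its current split on `winlog.event_data.User` likewise cannot fire for this channel.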
@@ -0,0 +1,174 @@ +--- +description: Pipeline for Microsoft-Windows-AppLocker/Packaged app-Execution events +processors: + ## ECS and Event fields. + + - set: + field: ecs.version + value: '8.9.0' + - set: + field: log.level + copy_from: winlog.level + ignore_empty_value: true + ignore_failure: true + if: ctx.winlog?.level != "" + - date: + field: winlog.time_created + tag: "time_created_date" + formats: + - ISO8601 + if: ctx.winlog?.time_created != null + on_failure: + - remove: + field: winlog.time_created + ignore_failure: true + - append: + field: error.message + value: "fail-{{{ _ingest.on_failure_processor_tag }}}" + - fail: + message: "Processor {{{ _ingest.on_failure_processor_type }}} with tag {{{ _ingest.on_failure_processor_tag }}} in pipeline {{{ _ingest.on_failure_pipeline }}} failed with message: {{{ _ingest.on_failure_message }}}" + + - set: + field: event.kind + value: event + - set: + field: event.code + value: "{{{winlog.event_id}}}" + - set: + field: event.category + value: process + - set: + field: event.type + value: start + - convert: + field: winlog.record_id + type: string + ignore_failure: true + ignore_missing: true + + ## User fields. + - set: + field: user.id + copy_from: winlog.user.identifier + ignore_failure: true + ignore_empty_value: true + - split: + field: winlog.event_data.User + target_field: "_temp.user_parts" + separator: '\\' + if: ctx.winlog?.event_data?.User != null + - set: + field: user.domain + value: "{{{_temp.user_parts.0}}}" + ignore_failure: true + ignore_empty_value: true + if: ctx._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + - set: + field: user.name + value: "{{{_temp.user_parts.1}}}" + ignore_failure: true + ignore_empty_value: true + if: ctx._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + - rename: + field: winlog.user.name + target_field: user.name + ignore_failure: true + ignore_missing: true + if: ctx.user?.name == null + + ## User data fields. 
+ - convert: + field: winlog.user_data.FileHashLength + type: long + ignore_missing: true + on_failure: + - remove: + field: winlog.user_data.FileHashLength + ignore_failure: true + - convert: + field: winlog.user_data.FilePathLength + type: long + ignore_missing: true + on_failure: + - remove: + field: winlog.user_data.FilePathLength + ignore_failure: true + - convert: + field: winlog.user_data.FqbnLength + type: long + ignore_missing: true + on_failure: + - remove: + field: winlog.user_data.FqbnLength + ignore_failure: true + - convert: + field: winlog.user_data.FullFilePathLength + type: long + ignore_missing: true + on_failure: + - remove: + field: winlog.user_data.FullFilePathLength + ignore_failure: true + - convert: + field: winlog.user_data.PolicyNameLength + type: long + ignore_missing: true + on_failure: + - remove: + field: winlog.user_data.PolicyNameLength + ignore_failure: true + - convert: + field: winlog.user_data.RuleNameLength + type: long + ignore_missing: true + on_failure: + - remove: + field: winlog.user_data.RuleNameLength + ignore_failure: true + - convert: + field: winlog.user_data.RuleSddlLength + type: long + ignore_missing: true + on_failure: + - remove: + field: winlog.user_data.RuleSddlLength + ignore_failure: true + - convert: + field: winlog.user_data.TargetProcessId + type: long + ignore_missing: true + on_failure: + - remove: + field: winlog.user_data.TargetProcessId + ignore_failure: true + + ## Fully Qualified Binary Name (FQBN) / File Fields + - grok: + field: winlog.user_data.Fqbn + ignore_missing: true + patterns: + - '^CN=(?.*),%{SPACE}O=(?.*),%{SPACE}L=(?.*),%{SPACE}S=(?.*),%{SPACE}C=(?[^\\]*)\\(?[^\\]*)\\(?[^\\]*)\\(?.*)$' + - '^CN=(?.*),%{SPACE}O=(?.*),%{SPACE}L=(?.*),%{SPACE}C=(?[^\\]*)\\(?[^\\]*)\\(?[^\\]*)\\(?.*)$' + - '^CN=(?.*),%{SPACE}O=(?.*),%{SPACE}S=(?.*),%{SPACE}C=(?[^\\]*)\\(?[^\\]*)\\(?[^\\]*)\\(?.*)$' + if: ctx.winlog?.user_data?.Fqbn != "-" + + - grok: + field: winlog.user_data.FullFilePath + ignore_missing: 
true + patterns: + - '(?([^\\]*$))' + if: ctx.winlog?.user_data?.FullFilePath != "-" + + - set: + field: file.hash.sha256 + copy_from: winlog.user_data.FileHash + ignore_empty_value: true + if: ctx.winlog?.user_data?.FileHash != "-" + +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: "{{{ _ingest.on_failure_message }}}" diff --git a/packages/windows/data_stream/applocker_packaged_app_execution/fields/agent.yml b/packages/windows/data_stream/applocker_packaged_app_execution/fields/agent.yml new file mode 100644 index 00000000000..da4e652c53b --- /dev/null +++ b/packages/windows/data_stream/applocker_packaged_app_execution/fields/agent.yml 
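Review bot: The pipeline sets `event.type: start` unconditionally, but only the allowed case (event 8020, the one in the test sample) is a process start; as far as I recall from Microsoft's AppLocker event reference this channel also logs 8021 (audit-only, would have been blocked) and 8022 (blocked), and tagging a denial as `start` misleads any detection or dashboard keyed on `event.type`, which for this data stream is the security-relevant distinction. I would derive `event.type` from `winlog.event_id` (a string in the sample) as below, and confirm the IDs against a real blocked event before merging. Two smaller inconsistencies: `PackageLength` is the only `*Length` field not converted to `long` (the expected output shows it left as `"15"`), and `TargetProcessId` is converted but never copied to `process.pid`, which ecs.yml declares — if it is the launched app's PID, mapping it is a one-liner.
```yaml
  # … unchanged: ecs.version, log.level, date, event.kind, event.code, event.category …
  - set:
      field: event.type
      value: start
      if: ctx.winlog?.event_id == "8020"
  - set:
      field: event.type
      value: info
      if: ctx.winlog?.event_id == "8021"
  - set:
      field: event.type
      value: denied
      if: ctx.winlog?.event_id == "8022"
  # … unchanged: record_id convert, user fields, other *Length / TargetProcessId conversions …
  - convert:
      field: winlog.user_data.PackageLength
      type: long
      ignore_missing: true
      on_failure:
        - remove:
            field: winlog.user_data.PackageLength
            ignore_failure: true
  - set:
      field: process.pid
      copy_from: winlog.user_data.TargetProcessId
      ignore_empty_value: true
  # … unchanged: Fqbn / FullFilePath grok, file.hash.sha256, on_failure …
```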
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/windows/data_stream/applocker_packaged_app_execution/fields/base-fields.yml b/packages/windows/data_stream/applocker_packaged_app_execution/fields/base-fields.yml new file mode 100644 index 00000000000..f9de120ffcf --- /dev/null +++ b/packages/windows/data_stream/applocker_packaged_app_execution/fields/base-fields.yml @@ -0,0 +1,34 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: dataset.type + type: constant_keyword + description: Dataset type. +- name: dataset.name + type: constant_keyword + description: Dataset name. +- name: dataset.namespace + type: constant_keyword + description: Dataset namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: windows +- name: event.dataset + type: constant_keyword + description: Event dataset + value: windows.applocker_packaged_app_execution +- name: tags + description: List of keywords used to tag each event. + example: '["production", "env2"]' + ignore_above: 1024 + type: keyword diff --git a/packages/windows/data_stream/applocker_packaged_app_execution/fields/beats.yml b/packages/windows/data_stream/applocker_packaged_app_execution/fields/beats.yml new file mode 100644 index 00000000000..3c48f1f224f --- /dev/null +++ b/packages/windows/data_stream/applocker_packaged_app_execution/fields/beats.yml @@ -0,0 +1,3 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. diff --git a/packages/windows/data_stream/applocker_packaged_app_execution/fields/ecs.yml b/packages/windows/data_stream/applocker_packaged_app_execution/fields/ecs.yml new file mode 100644 index 00000000000..a691dcddd24 --- /dev/null 
+++ b/packages/windows/data_stream/applocker_packaged_app_execution/fields/ecs.yml 
@@ -0,0 +1,98 @@ +- external: ecs + name: destination.user.domain +- external: ecs + name: destination.user.id +- external: ecs + name: destination.user.name +- external: ecs + name: ecs.version +- external: ecs + name: error.code +- external: ecs + name: event.action +- external: ecs + name: event.category +- external: ecs + name: event.code +- external: ecs + name: event.created +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.outcome +- external: ecs + name: event.provider +- external: ecs + name: event.sequence +- external: ecs + name: event.type +- external: ecs + name: file.directory +- external: ecs + name: file.extension +- external: ecs + name: file.hash.sha256 +- external: ecs + name: file.name +- external: ecs + name: file.path +- exernal: ecs + name: file.pe.file_version +- exernal: ecs + name: file.pe.original_file_name +- exernal: ecs + name: file.pe.product +- external: ecs + name: file.x509.subject.common_name +- external: ecs + name: file.x509.subject.country +- external: ecs + name: file.x509.subject.locality +- external: ecs + name: file.x509.subject.organization +- external: ecs + name: file.x509.subject.state_or_province +- external: ecs + name: host.name +- external: ecs + name: log.level +- external: ecs + name: message +- external: ecs + name: process.args +- external: ecs + name: process.args_count +- external: ecs + name: process.command_line +- external: ecs + name: process.entity_id +- external: ecs + name: process.executable +- external: ecs + name: process.name +- external: ecs + name: process.pid +- external: ecs + name: process.title +- external: ecs + name: related.hash +- external: ecs + name: related.hosts +- external: ecs + name: related.ip +- external: ecs + name: related.user +- external: ecs + name: source.user.domain +- external: ecs + name: source.user.id +- external: ecs + name: source.user.name +- external: ecs + name: user.domain +- external: ecs + name: user.id +- 
external: ecs + name: user.name diff --git a/packages/windows/data_stream/applocker_packaged_app_execution/fields/winlog.yml b/packages/windows/data_stream/applocker_packaged_app_execution/fields/winlog.yml new file mode 100644 index 00000000000..805875a5f5f --- /dev/null +++ b/packages/windows/data_stream/applocker_packaged_app_execution/fields/winlog.yml 
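Review bot: Three entries in ecs.yml are keyed `exernal: ecs` instead of `external: ecs` (`file.pe.file_version`, `file.pe.original_file_name`, `file.pe.product`), so they will not be resolved against the ECS reference and will either fail `elastic-package check` or be left untyped, even though the expected pipeline output relies on those fields being mapped; the fix is `- external: ecs` on each of the three. The file also declares `related.user`, `related.hash`, `source.user.*`, `destination.user.*` and most `process.*` fields that nothing in the new pipeline writes; either populate `related.user` from `user.name`/`user.id` in the pipeline or drop the unused declarations so the mapping reflects what the stream actually emits.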
@@ -0,0 +1,416 @@ +- name: winlog + type: group + description: > + All fields specific to the Windows Event Log are defined here. + + fields: + - name: api + required: true + type: keyword + description: > + The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. + + The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. + + - name: activity_id + type: keyword + required: false + description: > + A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. + + - name: computer_name + type: keyword + required: true + description: > + The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. + + - name: event_data + type: object + object_type: keyword + required: false + description: > + The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. + + - name: event_data + type: group + description: > + This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
+ + fields: + - name: AuthenticationPackageName + type: keyword + - name: Binary + type: keyword + - name: BitlockerUserInputTime + type: keyword + - name: BootMode + type: keyword + - name: BootType + type: keyword + - name: BuildVersion + type: keyword + - name: Company + type: keyword + - name: CorruptionActionState + type: keyword + - name: CreationUtcTime + type: keyword + - name: Description + type: keyword + - name: Detail + type: keyword + - name: DeviceName + type: keyword + - name: DeviceNameLength + type: keyword + - name: DeviceTime + type: keyword + - name: DeviceVersionMajor + type: keyword + - name: DeviceVersionMinor + type: keyword + - name: DriveName + type: keyword + - name: DriverName + type: keyword + - name: DriverNameLength + type: keyword + - name: DwordVal + type: keyword + - name: EntryCount + type: keyword + - name: ExtraInfo + type: keyword + - name: FailureName + type: keyword + - name: FailureNameLength + type: keyword + - name: FileVersion + type: keyword + - name: FinalStatus + type: keyword + - name: Group + type: keyword + - name: IdleImplementation + type: keyword + - name: IdleStateCount + type: keyword + - name: ImpersonationLevel + type: keyword + - name: IntegrityLevel + type: keyword + - name: IpAddress + type: keyword + - name: IpPort + type: keyword + - name: KeyLength + type: keyword + - name: LastBootGood + type: keyword + - name: LastShutdownGood + type: keyword + - name: LmPackageName + type: keyword + - name: LogonGuid + type: keyword + - name: LogonId + type: keyword + - name: LogonProcessName + type: keyword + - name: LogonType + type: keyword + - name: MajorVersion + type: keyword + - name: MaximumPerformancePercent + type: keyword + - name: MemberName + type: keyword + - name: MemberSid + type: keyword + - name: MinimumPerformancePercent + type: keyword + - name: MinimumThrottlePercent + type: keyword + - name: MinorVersion + type: keyword + - name: NewProcessId + type: keyword + - name: NewProcessName + type: 
keyword + - name: NewSchemeGuid + type: keyword + - name: NewTime + type: keyword + - name: NominalFrequency + type: keyword + - name: Number + type: keyword + - name: OldSchemeGuid + type: keyword + - name: OldTime + type: keyword + - name: OriginalFileName + type: keyword + - name: Path + type: keyword + - name: PerformanceImplementation + type: keyword + - name: PreviousCreationUtcTime + type: keyword + - name: PreviousTime + type: keyword + - name: PrivilegeList + type: keyword + - name: ProcessId + type: keyword + - name: ProcessName + type: keyword + - name: ProcessPath + type: keyword + - name: ProcessPid + type: keyword + - name: Product + type: keyword + - name: PuaCount + type: keyword + - name: PuaPolicyId + type: keyword + - name: QfeVersion + type: keyword + - name: Reason + type: keyword + - name: SchemaVersion + type: keyword + - name: ScriptBlockText + type: keyword + - name: ServiceName + type: keyword + - name: ServiceVersion + type: keyword + - name: ShutdownActionType + type: keyword + - name: ShutdownEventCode + type: keyword + - name: ShutdownReason + type: keyword + - name: Signature + type: keyword + - name: SignatureStatus + type: keyword + - name: Signed + type: keyword + - name: StartTime + type: keyword + - name: State + type: keyword + - name: Status + type: keyword + - name: StopTime + type: keyword + - name: SubjectDomainName + type: keyword + - name: SubjectLogonId + type: keyword + - name: SubjectUserName + type: keyword + - name: SubjectUserSid + type: keyword + - name: TSId + type: keyword + - name: TargetDomainName + type: keyword + - name: TargetInfo + type: keyword + - name: TargetLogonGuid + type: keyword + - name: TargetLogonId + type: keyword + - name: TargetServerName + type: keyword + - name: TargetUserName + type: keyword + - name: TargetUserSid + type: keyword + - name: TerminalSessionId + type: keyword + - name: TokenElevationType + type: keyword + - name: TransmittedServices + type: keyword + - name: UserSid + type: 
keyword + - name: Version + type: keyword + - name: Workstation + type: keyword + - name: param1 + type: keyword + - name: param2 + type: keyword + - name: param3 + type: keyword + - name: param4 + type: keyword + - name: param5 + type: keyword + - name: param6 + type: keyword + - name: param7 + type: keyword + - name: param8 + type: keyword + - name: event_id + type: keyword + required: true + description: > + The event identifier. The value is specific to the source of the event. + + - name: keywords + type: keyword + required: false + description: > + The keywords are used to classify an event. + + - name: channel + type: keyword + required: true + description: > + The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. + + - name: record_id + type: keyword + required: true + description: > + The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. + + - name: related_activity_id + type: keyword + required: false + description: > + A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. + + - name: opcode + type: keyword + required: false + description: > + The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. + + - name: provider_guid + type: keyword + required: false + description: > + A globally unique identifier that identifies the provider that logged the event. + + - name: process.pid + type: long + required: false + description: > + The process_id of the Client Server Runtime Process. 
+ + - name: provider_name + type: keyword + required: true + description: > + The source of the event log record (the application or service that logged the record). + + - name: task + type: keyword + required: false + description: > + The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. + + - name: level + type: keyword + description: > + The level assigned to the event such as Information, Warning, or Critical. + + - name: process.thread.id + type: long + required: false + - name: time_created + type: date + description: The time the event was created. + - name: user_data + type: object + object_type: keyword + description: > + The event specific data. This field is mutually exclusive with `event_data`. + + - name: user_data + type: group + description: > + The event specific data. This field is mutually exclusive with `event_data`. 
+ + fields: + - name: FilePath + type: keyword + - name: FileHashLength + type: long + - name: RuleNameLength + type: long + - name: FullFilePath + type: keyword + - name: FilePathLength + type: long + - name: xml_name + type: keyword + - name: RuleSddl + type: keyword + - name: Fqbn + type: keyword + - name: PolicyName + type: keyword + - name: RuleName + type: keyword + - name: RuleSddlLength + type: long + - name: FqbnLength + type: long + - name: FullFilePathLength + type: long + - name: RuleId + type: keyword + - name: PolicyNameLength + type: long + - name: TargetUser + type: keyword + - name: TargetLogonId + type: keyword + - name: TargetProcessId + type: long + - name: FileHash + type: keyword + - name: Package + type: keyword + - name: PackageLength + type: keyword + - name: user.identifier + type: keyword + required: false + example: S-1-5-21-3541430928-2051711210-1391384369-1001 + description: > + The Windows security identifier (SID) of the account associated with this event. + + If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. + + - name: user.name + type: keyword + description: > + Name of the user associated with this event. + + - name: user.domain + type: keyword + required: false + description: > + The domain that the account associated with this event is a member of. + + - name: user.type + type: keyword + required: false + description: > + The type of account associated with this event. + + - name: version + type: long + required: false + description: The version number of the event's definition. diff --git a/packages/windows/data_stream/applocker_packaged_app_execution/manifest.yml b/packages/windows/data_stream/applocker_packaged_app_execution/manifest.yml new file mode 100644 index 00000000000..af81e4e892c --- /dev/null 
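Review bot: `PackageLength` under `user_data` is typed `keyword` while every other `*Length` field in the same group (`FileHashLength`, `RuleNameLength`, `FqbnLength`, `PolicyNameLength`, `RuleSddlLength`, …) is `long`; the sample event in this commit shows the consequence, with `"PackageLength": "15"` stored as a string next to numeric siblings. Change it to `- name: PackageLength` / `type: long` so range queries and aggregations behave the same across the length fields. The sample also shows `RuleSddl` carrying the raw SDDL of the matching rule and `TargetUser` carrying a SID rather than a resolved name; a one-line `description` on each saying so would help analysts reading the mapping.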
+++ b/packages/windows/data_stream/applocker_packaged_app_execution/manifest.yml 
@@ -0,0 +1,99 @@ +type: logs +title: 'Windows AppLocker/Packaged app-Execution logs' +streams: + - input: winlog + enabled: false + template_path: winlog.yml.hbs + title: Packaged app-Execution + description: 'Microsoft-Windows-AppLocker/Packaged app-Execution channel' + vars: + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: >- + Preserves a raw copy of the original XML event, added to the field `event.original` + type: bool + multi: false + default: false + - name: event_id + type: text + title: Event ID + description: >- + A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 clauses, lower in some situations. See integration documentation for more details. + required: false + show_user: false + default: + - name: ignore_older + type: text + title: Ignore events older than + default: 72h + required: false + show_user: false + description: >- + If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + - name: language + type: text + title: Language ID + description: >- + The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here]. It defaults to `0`, which indicates to use the system language. 
E.g.: 0x0409 for en-US + required: false + show_user: false + default: 0 + - name: tags + type: text + title: Tags + multi: true + show_user: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: httpjson + title: Windows AppLocker/Packaged app-Execution Events via Splunk Enterprise REST API + description: Collect AppLocker Packaged app-Execution Events via Splunk Enterprise REST API + enabled: false + template_path: httpjson.yml.hbs + vars: + - name: interval + type: text + title: Interval to query Splunk Enterprise REST API + description: Go Duration syntax (eg. 10s) + show_user: true + required: true + default: 10s + - name: search + type: text + title: Splunk search string + show_user: false + required: true + default: 'search sourcetype="XmlWinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution"' + - name: tags + type: text + title: Tags + multi: true + show_user: false + default: + - forwarded + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + 
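Review bot: The `search` var on the httpjson stream has no `description`, unlike the other operator-facing vars, so nothing tells the operator that the value is the search string sent to Splunk and that the `sourcetype` filter in the default is what keeps this stream from pulling in events from unrelated channels. Add e.g. `description: Splunk search that selects the Packaged app-Execution events; the default filters on sourcetype "XmlWinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution".` The `interval` description (`Go Duration syntax (eg. 10s)`) could also say that the search is re-run every interval, since the `10s` default has a direct cost on the Splunk search head.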
diff --git a/packages/windows/data_stream/applocker_packaged_app_execution/sample_event.json b/packages/windows/data_stream/applocker_packaged_app_execution/sample_event.json new file mode 100644 index 00000000000..601a895ce87 --- /dev/null +++ b/packages/windows/data_stream/applocker_packaged_app_execution/sample_event.json 
@@ -0,0 +1,105 @@ +{ + "@timestamp": "2023-08-13T13:53:33.706Z", + "agent": { + "ephemeral_id": "b26295a5-6dd5-4ff4-9102-98ebdf4f097c", + "id": "a2f04e82-dbc6-4eae-b003-e7cd21a975ef", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.7.1" + }, + "data_stream": { + "dataset": "windows.applocker_packaged_app_execution", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.9.0" + }, + "elastic_agent": { + "id": "a2f04e82-dbc6-4eae-b003-e7cd21a975ef", + "snapshot": false, + "version": "8.7.1" + }, + "event": { + "action": "None", + "agent_id_status": "verified", + "category": "process", + "code": "8020", + "created": "2023-08-17T14:13:22.965Z", + "dataset": "windows.applocker_packaged_app_execution", + "ingested": "2023-08-17T14:13:26Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-AppLocker' Guid='{cbda4dbf-8d5d-4f69-9578-be14aa540d22}'/\u003e\u003cEventID\u003e8020\u003c/EventID\u003e\u003cVersion\u003e0\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e0\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x2000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2023-08-13T13:53:33.7067781Z'/\u003e\u003cEventRecordID\u003e2986\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1672' ThreadID='8384'/\u003e\u003cChannel\u003eMicrosoft-Windows-AppLocker/Packaged app-Execution\u003c/Channel\u003e\u003cComputer\u003eel33t-b00k-1\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-2707992022-4034939591-3454028951-1001'/\u003e\u003c/System\u003e\u003cUserData\u003e\u003cRuleAndFileData 
xmlns='http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0'\u003e\u003cPolicyNameLength\u003e4\u003c/PolicyNameLength\u003e\u003cPolicyName\u003eAPPX\u003c/PolicyName\u003e\u003cRuleId\u003e{a9e18c21-ff8f-43cf-b9fc-db40eed693ba}\u003c/RuleId\u003e\u003cRuleNameLength\u003e39\u003c/RuleNameLength\u003e\u003cRuleName\u003e(Default Rule) All signed packaged apps\u003c/RuleName\u003e\u003cRuleSddlLength\u003e81\u003c/RuleSddlLength\u003e\u003cRuleSddl\u003eD:(XA;;FX;;;S-1-1-0;((Exists APPID://FQBN) \u0026amp;\u0026amp; ((APPID://FQBN) \u0026gt;= ({\"*\\*\\*\",0}))))\u003c/RuleSddl\u003e\u003cTargetUser\u003eS-1-5-21-2707992022-4034939591-3454028951-1001\u003c/TargetUser\u003e\u003cTargetProcessId\u003e41864\u003c/TargetProcessId\u003e\u003cPackageLength\u003e15\u003c/PackageLength\u003e\u003cPackage\u003eMICROSOFT.TODOS\u003c/Package\u003e\u003cFqbnLength\u003e116\u003c/FqbnLength\u003e\u003cFqbn\u003eCN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\MICROSOFT.TODOS\\APPX\\2.100.61791.00\u003c/Fqbn\u003e\u003c/RuleAndFileData\u003e\u003c/UserData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-AppLocker", + "type": "start" + }, + "file": { + "pe": { + "file_version": "2.100.61791.00", + "original_file_name": "APPX", + "product": "MICROSOFT.TODOS" + }, + "x509": { + "subject": { + "common_name": "MICROSOFT CORPORATION", + "country": "US", + "locality": "REDMOND", + "organization": "MICROSOFT CORPORATION", + "state_or_province": "WASHINGTON" + } + } + }, + "host": { + "name": "el33t-b00k-1" + }, + "input": { + "type": "httpjson" + }, + "log": { + "level": "information" + }, + "tags": [ + "forwarded", + "preserve_original_event" + ], + "user": { + "id": "S-1-5-21-2707992022-4034939591-3454028951-1001" + }, + "winlog": { + "channel": "Microsoft-Windows-AppLocker/Packaged app-Execution", + "computer_name": "el33t-b00k-1", + "event_id": "8020", + "level": "information", + "opcode": "Info", + "process": { + "pid": 
1672, + "thread": { + "id": 8384 + } + }, + "provider_guid": "{cbda4dbf-8d5d-4f69-9578-be14aa540d22}", + "provider_name": "Microsoft-Windows-AppLocker", + "record_id": "2986", + "task": "None", + "time_created": "2023-08-13T13:53:33.706Z", + "user": { + "identifier": "S-1-5-21-2707992022-4034939591-3454028951-1001" + }, + "user_data": { + "Fqbn": "CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\MICROSOFT.TODOS\\APPX\\2.100.61791.00", + "FqbnLength": 116, + "Package": "MICROSOFT.TODOS", + "PackageLength": "15", + "PolicyName": "APPX", + "PolicyNameLength": 4, + "RuleId": "{a9e18c21-ff8f-43cf-b9fc-db40eed693ba}", + "RuleName": "(Default Rule) All signed packaged apps", + "RuleNameLength": 39, + "RuleSddl": "D:(XA;;FX;;;S-1-1-0;((Exists APPID://FQBN) \u0026\u0026 ((APPID://FQBN) \u003e= ({\"*\\*\\*\",0}))))", + "RuleSddlLength": 81, + "TargetProcessId": 41864, + "TargetUser": "S-1-5-21-2707992022-4034939591-3454028951-1001", + "xml_name": "RuleAndFileData" + } + } +} \ No newline at end of file diff --git a/packages/windows/docs/README.md b/packages/windows/docs/README.md index 36a8f8902d8..797aa20db7a 100644 --- a/packages/windows/docs/README.md +++ b/packages/windows/docs/README.md 
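Review bot: `event.action` in the sample is the literal string `None`, mirrored from `winlog.task`, so an ECS field meant to carry a meaningful action is populated with a placeholder that will match real queries on `event.action`; the pipeline that sets it is outside this chunk, but the sample is what the package docs publish. Omitting `event.action` when the task is `None` (or deriving it from the event code) and, if `8020` denotes an allowed launch as the `(Default Rule) All signed packaged apps` match suggests, setting `"outcome": "success"` alongside `"type": "start"` would bring the example in line with the ECS categorization contract. The file also ends without a trailing newline.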
@@ -1212,6 +1212,379 @@ An example event for `applocker_packaged_app_deployment` looks as following: | winlog.version | The version number of the event's definition. | long | +### AppLocker/Packaged app-Execution + +The Windows `applocker_packaged_app_execution` data stream provides events from the Windows +`Microsoft-Windows-AppLocker/Packaged app-Execution` event log. + +An example event for `applocker_packaged_app_execution` looks as following: + +```json +{ + "@timestamp": "2023-08-13T13:53:33.706Z", + "agent": { + "ephemeral_id": "b26295a5-6dd5-4ff4-9102-98ebdf4f097c", + "id": "a2f04e82-dbc6-4eae-b003-e7cd21a975ef", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.7.1" + }, + "data_stream": { + "dataset": "windows.applocker_packaged_app_execution", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.9.0" + }, + "elastic_agent": { + "id": "a2f04e82-dbc6-4eae-b003-e7cd21a975ef", + "snapshot": false, + "version": "8.7.1" + }, + "event": { + "action": "None", + "agent_id_status": "verified", + "category": "process", + "code": "8020", + "created": "2023-08-17T14:13:22.965Z", + "dataset": "windows.applocker_packaged_app_execution", + "ingested": "2023-08-17T14:13:26Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-AppLocker' Guid='{cbda4dbf-8d5d-4f69-9578-be14aa540d22}'/\u003e\u003cEventID\u003e8020\u003c/EventID\u003e\u003cVersion\u003e0\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e0\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x2000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2023-08-13T13:53:33.7067781Z'/\u003e\u003cEventRecordID\u003e2986\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1672' ThreadID='8384'/\u003e\u003cChannel\u003eMicrosoft-Windows-AppLocker/Packaged 
app-Execution\u003c/Channel\u003e\u003cComputer\u003eel33t-b00k-1\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-2707992022-4034939591-3454028951-1001'/\u003e\u003c/System\u003e\u003cUserData\u003e\u003cRuleAndFileData xmlns='http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0'\u003e\u003cPolicyNameLength\u003e4\u003c/PolicyNameLength\u003e\u003cPolicyName\u003eAPPX\u003c/PolicyName\u003e\u003cRuleId\u003e{a9e18c21-ff8f-43cf-b9fc-db40eed693ba}\u003c/RuleId\u003e\u003cRuleNameLength\u003e39\u003c/RuleNameLength\u003e\u003cRuleName\u003e(Default Rule) All signed packaged apps\u003c/RuleName\u003e\u003cRuleSddlLength\u003e81\u003c/RuleSddlLength\u003e\u003cRuleSddl\u003eD:(XA;;FX;;;S-1-1-0;((Exists APPID://FQBN) \u0026amp;\u0026amp; ((APPID://FQBN) \u0026gt;= ({\"*\\*\\*\",0}))))\u003c/RuleSddl\u003e\u003cTargetUser\u003eS-1-5-21-2707992022-4034939591-3454028951-1001\u003c/TargetUser\u003e\u003cTargetProcessId\u003e41864\u003c/TargetProcessId\u003e\u003cPackageLength\u003e15\u003c/PackageLength\u003e\u003cPackage\u003eMICROSOFT.TODOS\u003c/Package\u003e\u003cFqbnLength\u003e116\u003c/FqbnLength\u003e\u003cFqbn\u003eCN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\MICROSOFT.TODOS\\APPX\\2.100.61791.00\u003c/Fqbn\u003e\u003c/RuleAndFileData\u003e\u003c/UserData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-AppLocker", + "type": "start" + }, + "file": { + "pe": { + "file_version": "2.100.61791.00", + "original_file_name": "APPX", + "product": "MICROSOFT.TODOS" + }, + "x509": { + "subject": { + "common_name": "MICROSOFT CORPORATION", + "country": "US", + "locality": "REDMOND", + "organization": "MICROSOFT CORPORATION", + "state_or_province": "WASHINGTON" + } + } + }, + "host": { + "name": "el33t-b00k-1" + }, + "input": { + "type": "httpjson" + }, + "log": { + "level": "information" + }, + "tags": [ + "forwarded", + "preserve_original_event" + ], + "user": { + "id": 
"S-1-5-21-2707992022-4034939591-3454028951-1001" + }, + "winlog": { + "channel": "Microsoft-Windows-AppLocker/Packaged app-Execution", + "computer_name": "el33t-b00k-1", + "event_id": "8020", + "level": "information", + "opcode": "Info", + "process": { + "pid": 1672, + "thread": { + "id": 8384 + } + }, + "provider_guid": "{cbda4dbf-8d5d-4f69-9578-be14aa540d22}", + "provider_name": "Microsoft-Windows-AppLocker", + "record_id": "2986", + "task": "None", + "time_created": "2023-08-13T13:53:33.706Z", + "user": { + "identifier": "S-1-5-21-2707992022-4034939591-3454028951-1001" + }, + "user_data": { + "Fqbn": "CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\MICROSOFT.TODOS\\APPX\\2.100.61791.00", + "FqbnLength": 116, + "Package": "MICROSOFT.TODOS", + "PackageLength": "15", + "PolicyName": "APPX", + "PolicyNameLength": 4, + "RuleId": "{a9e18c21-ff8f-43cf-b9fc-db40eed693ba}", + "RuleName": "(Default Rule) All signed packaged apps", + "RuleNameLength": 39, + "RuleSddl": "D:(XA;;FX;;;S-1-1-0;((Exists APPID://FQBN) \u0026\u0026 ((APPID://FQBN) \u003e= ({\"*\\*\\*\",0}))))", + "RuleSddlLength": 81, + "TargetProcessId": 41864, + "TargetUser": "S-1-5-21-2707992022-4034939591-3454028951-1001", + "xml_name": "RuleAndFileData" + } + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. 
| keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| dataset.name | Dataset name. | constant_keyword | +| dataset.namespace | Dataset namespace. | constant_keyword | +| dataset.type | Dataset type. | constant_keyword | +| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| destination.user.id | Unique identifier of the user. | keyword | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.code | Error code describing the error. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
+| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
+| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| file.hash.sha256 | SHA256 hash. | keyword |
+| file.name | Name of the file including the extension, without the directory. | keyword |
+| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| file.path.text | Multi-field of `file.path`. | match_only_text |
+| file.pe.file_version | | |
+| file.pe.original_file_name | | |
+| file.pe.product | | |
+| file.x509.subject.common_name | List of common names (CN) of subject. | keyword |
+| file.x509.subject.country | List of country (C) code | keyword |
+| file.x509.subject.locality | List of locality names (L) | keyword |
+| file.x509.subject.organization | List of organizations (O) of subject. | keyword |
+| file.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Type of Filebeat input. | keyword |
+| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
+| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
+| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
+| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.pid | Process id. | long |
+| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.title.text | Multi-field of `process.title`. | match_only_text |
+| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| source.user.id | Unique identifier of the user. | keyword |
+| source.user.name | Short name or login of the user. | keyword |
+| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
+| tags | List of keywords used to tag each event. | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword |
+| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword |
+| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword |
+| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword |
+| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object |
+| winlog.event_data.AuthenticationPackageName | | keyword |
+| winlog.event_data.Binary | | keyword |
+| winlog.event_data.BitlockerUserInputTime | | keyword |
+| winlog.event_data.BootMode | | keyword |
+| winlog.event_data.BootType | | keyword |
+| winlog.event_data.BuildVersion | | keyword |
+| winlog.event_data.Company | | keyword |
+| winlog.event_data.CorruptionActionState | | keyword |
+| winlog.event_data.CreationUtcTime | | keyword |
+| winlog.event_data.Description | | keyword |
+| winlog.event_data.Detail | | keyword |
+| winlog.event_data.DeviceName | | keyword |
+| winlog.event_data.DeviceNameLength | | keyword |
+| winlog.event_data.DeviceTime | | keyword |
+| winlog.event_data.DeviceVersionMajor | | keyword |
+| winlog.event_data.DeviceVersionMinor | | keyword |
+| winlog.event_data.DriveName | | keyword |
+| winlog.event_data.DriverName | | keyword |
+| winlog.event_data.DriverNameLength | | keyword |
+| winlog.event_data.DwordVal | | keyword |
+| winlog.event_data.EntryCount | | keyword |
+| winlog.event_data.ExtraInfo | | keyword |
+| winlog.event_data.FailureName | | keyword |
+| winlog.event_data.FailureNameLength | | keyword |
+| winlog.event_data.FileVersion | | keyword |
+| winlog.event_data.FinalStatus | | keyword |
+| winlog.event_data.Group | | keyword |
+| winlog.event_data.IdleImplementation | | keyword |
+| winlog.event_data.IdleStateCount | | keyword |
+| winlog.event_data.ImpersonationLevel | | keyword |
+| winlog.event_data.IntegrityLevel | | keyword |
+| winlog.event_data.IpAddress | | keyword |
+| winlog.event_data.IpPort | | keyword |
+| winlog.event_data.KeyLength | | keyword |
+| winlog.event_data.LastBootGood | | keyword |
+| winlog.event_data.LastShutdownGood | | keyword |
+| winlog.event_data.LmPackageName | | keyword |
+| winlog.event_data.LogonGuid | | keyword |
+| winlog.event_data.LogonId | | keyword |
+| winlog.event_data.LogonProcessName | | keyword |
+| winlog.event_data.LogonType | | keyword |
+| winlog.event_data.MajorVersion | | keyword |
+| winlog.event_data.MaximumPerformancePercent | | keyword |
+| winlog.event_data.MemberName | | keyword |
+| winlog.event_data.MemberSid | | keyword |
+| winlog.event_data.MinimumPerformancePercent | | keyword |
+| winlog.event_data.MinimumThrottlePercent | | keyword |
+| winlog.event_data.MinorVersion | | keyword |
+| winlog.event_data.NewProcessId | | keyword |
+| winlog.event_data.NewProcessName | | keyword |
+| winlog.event_data.NewSchemeGuid | | keyword |
+| winlog.event_data.NewTime | | keyword |
+| winlog.event_data.NominalFrequency | | keyword |
+| winlog.event_data.Number | | keyword |
+| winlog.event_data.OldSchemeGuid | | keyword |
+| winlog.event_data.OldTime | | keyword |
+| winlog.event_data.OriginalFileName | | keyword |
+| winlog.event_data.Path | | keyword |
+| winlog.event_data.PerformanceImplementation | | keyword |
+| winlog.event_data.PreviousCreationUtcTime | | keyword |
+| winlog.event_data.PreviousTime | | keyword |
+| winlog.event_data.PrivilegeList | | keyword |
+| winlog.event_data.ProcessId | | keyword |
+| winlog.event_data.ProcessName | | keyword |
+| winlog.event_data.ProcessPath | | keyword |
+| winlog.event_data.ProcessPid | | keyword |
+| winlog.event_data.Product | | keyword |
+| winlog.event_data.PuaCount | | keyword |
+| winlog.event_data.PuaPolicyId | | keyword |
+| winlog.event_data.QfeVersion | | keyword |
+| winlog.event_data.Reason | | keyword |
+| winlog.event_data.SchemaVersion | | keyword |
+| winlog.event_data.ScriptBlockText | | keyword |
+| winlog.event_data.ServiceName | | keyword |
+| winlog.event_data.ServiceVersion | | keyword |
+| winlog.event_data.ShutdownActionType | | keyword |
+| winlog.event_data.ShutdownEventCode | | keyword |
+| winlog.event_data.ShutdownReason | | keyword |
+| winlog.event_data.Signature | | keyword |
+| winlog.event_data.SignatureStatus | | keyword |
+| winlog.event_data.Signed | | keyword |
+| winlog.event_data.StartTime | | keyword |
+| winlog.event_data.State | | keyword |
+| winlog.event_data.Status | | keyword |
+| winlog.event_data.StopTime | | keyword |
+| winlog.event_data.SubjectDomainName | | keyword |
+| winlog.event_data.SubjectLogonId | | keyword |
+| winlog.event_data.SubjectUserName | | keyword |
+| winlog.event_data.SubjectUserSid | | keyword |
+| winlog.event_data.TSId | | keyword |
+| winlog.event_data.TargetDomainName | | keyword |
+| winlog.event_data.TargetInfo | | keyword |
+| winlog.event_data.TargetLogonGuid | | keyword |
+| winlog.event_data.TargetLogonId | | keyword |
+| winlog.event_data.TargetServerName | | keyword |
+| winlog.event_data.TargetUserName | | keyword |
+| winlog.event_data.TargetUserSid | | keyword |
+| winlog.event_data.TerminalSessionId | | keyword |
+| winlog.event_data.TokenElevationType | | keyword |
+| winlog.event_data.TransmittedServices | | keyword |
+| winlog.event_data.UserSid | | keyword |
+| winlog.event_data.Version | | keyword |
+| winlog.event_data.Workstation | | keyword |
+| winlog.event_data.param1 | | keyword |
+| winlog.event_data.param2 | | keyword |
+| winlog.event_data.param3 | | keyword |
+| winlog.event_data.param4 | | keyword |
+| winlog.event_data.param5 | | keyword |
+| winlog.event_data.param6 | | keyword |
+| winlog.event_data.param7 | | keyword |
+| winlog.event_data.param8 | | keyword |
+| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword |
+| winlog.keywords | The keywords are used to classify an event. | keyword |
+| winlog.level | The level assigned to the event such as Information, Warning, or Critical. | keyword |
+| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword |
+| winlog.process.pid | The process_id of the Client Server Runtime Process. | long |
+| winlog.process.thread.id | | long |
+| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword |
+| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword |
+| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword |
+| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword |
+| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword |
+| winlog.time_created | The time the event was created. | date |
+| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword |
+| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword |
+| winlog.user.name | Name of the user associated with this event. | keyword |
+| winlog.user.type | The type of account associated with this event. | keyword |
+| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object |
+| winlog.user_data.FileHash | | keyword |
+| winlog.user_data.FileHashLength | | long |
+| winlog.user_data.FilePath | | keyword |
+| winlog.user_data.FilePathLength | | long |
+| winlog.user_data.Fqbn | | keyword |
+| winlog.user_data.FqbnLength | | long |
+| winlog.user_data.FullFilePath | | keyword |
+| winlog.user_data.FullFilePathLength | | long |
+| winlog.user_data.Package | | keyword |
+| winlog.user_data.PackageLength | | keyword |
+| winlog.user_data.PolicyName | | keyword |
+| winlog.user_data.PolicyNameLength | | long |
+| winlog.user_data.RuleId | | keyword |
+| winlog.user_data.RuleName | | keyword |
+| winlog.user_data.RuleNameLength | | long |
+| winlog.user_data.RuleSddl | | keyword |
+| winlog.user_data.RuleSddlLength | | long |
+| winlog.user_data.TargetLogonId | | keyword |
+| winlog.user_data.TargetProcessId | | long |
+| winlog.user_data.TargetUser | | keyword |
+| winlog.user_data.xml_name | | keyword |
+| winlog.version | The version number of the event's definition. | long |
+ + ### Forwarded The Windows `forwarded` data stream provides events from the Windows
diff --git a/packages/windows/manifest.yml b/packages/windows/manifest.yml
index 07833b513f8..a6bed9746df 100644
--- a/packages/windows/manifest.yml
+++ b/packages/windows/manifest.yml
@@ -1,6 +1,6 @@
 name: windows
 title: Windows
-version: 1.31.0
+version: 1.32.0
 description: Collect logs and metrics from Windows OS and services with Elastic Agent.
 type: integration
 categories: