From f3d617aa63bc25bc179850806b8bbaccb9a48d43 Mon Sep 17 00:00:00 2001
From: Frank Xu
Date: Mon, 25 Jan 2021 16:29:46 -0500
Subject: [PATCH] add stix
---
 STIX_external_reference/readme.md | 42 +++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
diff --git a/STIX_external_reference/readme.md b/STIX_external_reference/readme.md
index 37323e7..f61fbee 100644
--- a/STIX_external_reference/readme.md
+++ b/STIX_external_reference/readme.md
@@ -17,3 +17,45 @@
 | insider-disgruntled-harassing | |
 | illegal-possessor | An individual that owns, produces, distributes illegal information and device |
 | online- predators | An individual that makes sexual advances to minors. |
+
+## Windows Security Event Object
+
+**Type Name:** windows-security-evt
+
+## Properties
+
+| Property Name | Type | Description |
+| --------------- | ---------- | -------------------------------------------------------- |
+| type (required) | string | The value of this property MUST be windows-security-evt. |
+| id | identifier | The ID of a secuity type |
+| level | integer | |
+| task | integer | |
+| opcode | integer | |
+| created | timestamp | |
+| record | integer | |
+| process | integer | |
+| thread | integer | |
+| computer | string | The ID of the computer |
+| user | string | The security user ID |
+
+## Relationships
+
+| Embedded Relationships | |
+| ---------------------- | ---------- |
+| created_by_ref | identifier |
+
+```json
+{
+ "type": "windows-security-evt",
+ "spec_version": "2.1",
+ "id": "campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
+ "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
+ "created": "2016-04-06T20:03:00.000Z",
+ "level": 0,
+ "opcode": 0,
+ "record": 1101704,
+ "proces": 58,
+ "thread": 511,
+ "Computer": "DC01.contoso.local"
+}
+```