Windows Resource

win_resource

The Windows resource object describes a resource object managed by Windows, such as mutant or timer.

Attributes

Caption	Name	Type	Description
Data	`data`	JSON	Additional data describing the resource.
Data Classification	`data_classification`	Data Classification[]	Group:`context` The Data Classification object includes information about data classification levels and data category types. 🚧 WARNING: DEPRECATED Data Classification has been deprecated since 1.4.0. Use the attribute `data_classifications` instead
Data Classification	`data_classifications`	Data Classification[]	Group:`context` A list of Data Classification objects, that include information about data classification levels and data category types, indentified by a classifier.
Details	`details`	String	The string detailing the attributes of the resource object.
Labels	`labels`	String[]	The list of labels associated to the resource.
Name	`name`	String	The name of the resource object.
Raw Data	`raw_data`	JSON	Group:`context` The event data as received from the event source.
Record ID	`record_id`	String	Group:`primary` Unique identifier for the object
Service Name	`svc_name`	String	The Windows service acting as the object server for the resource object, such as Security or Security Account Manager.
Tags	`tags`	Key:Value object[]	The list of tags; `{key:value}` pairs associated to the resource.
Type	`type`	String	The type of the Windows resource object.
Type ID	`type_id`	Integer	The normalized type identifier of the Windows resource object accessed. `0`: Unknown (`UNKNOWN`) `1`: Directory (`DIRECTORY`) `10`: Section (`SECTION`) `11`: WindowStation (`WINDOWSTATION`) `12`: DebugObject (`DEBUGOBJECT`) `13`: FilterCommunicationPort (`FILTERCOMMUNICATIONPORT`) `14`: EventPair (`EVENTPAIR`) `15`: Driver (`DRIVER`) `16`: IoCompletion (`IOCOMPLETION`) `17`: Controller (`CONTROLLER`) `18`: SymbolicLink (`SYMBOLICLINK`) `19`: WmiGuid (`WMIGUID`) `2`: Event (`EVENT`) `20`: Process (`PROCESS`) `21`: Profile (`PROFILE`) `22`: Desktop (`DESKTOP`) `23`: KeyedEvent (`KEYEDEVENT`) `24`: Adapter (`ADAPTER`) `25`: Key (`KEY`) `26`: WaitablePort (`WAITABLEPORT`) `27`: Callback (`CALLBACK`) `28`: Semaphore (`SEMAPHORE`) `29`: Job (`JOB`) `3`: Timer (`TIMER`) `30`: Port (`PORT`) `31`: FilterConnectionPort (`FILTERCONNECTIONPORT`) `32`: ALPC Port (`ALPC_PORT`) `33`: SAM_ALIAS (`SAM_ALIAS`) `34`: SAM_GROUP (`SAM_GROUP`) `35`: SAM_USER (`SAM_USER`) `36`: SAM_DOMAIN (`SAM_DOMAIN`) `37`: SAM_SERVER (`SAM_SERVER`) `4`: Device (`DEVICE`) `5`: Mutant (`MUTANT`) `6`: Type (`TYPE`) `7`: File (`FILE`) `8`: Token (`TOKEN`) `9`: Thread (`THREAD`) `99`: Other (`OTHER`)
Unique ID	`uid`	Resource UID	Entity:`RESOURCE_UID` The Windows provided handle identifier for the resource object
Unmapped	`unmapped`	Unmapped[]	Data from the source that was not mapped into the schema.

Relationships

Inbound Relationships

These objects and events reference Windows Resource in their attributes:

Windows Resource Activity

Outbound Relationships

Windows Resource references the following objects and events in its attributes:

This page describes ocsf-1.4.0