Windows Resource

win_resource

The Windows resource object describes a resource object managed by Windows, such as a mutant or timer.

Attributes

Caption Name Type Description
Data data JSON Additional data describing the resource.
Data Classification data_classification Data Classification[] Group:context
The Data Classification object includes information about data classification levels and data category types.

🚧 WARNING: DEPRECATED

Data Classification has been deprecated since 1.4.0. Use the attribute data_classifications instead.

Data Classification data_classifications Data Classification[] Group:context
A list of Data Classification objects that include information about data classification levels and data category types, identified by a classifier.
Details details String The string detailing the attributes of the resource object.
Labels labels String[] The list of labels associated with the resource.
Name name String The name of the resource object.
Raw Data raw_data JSON Group:context
The event data as received from the event source.
Record ID record_id String Group:primary
Unique identifier for the object.
Service Name svc_name String The Windows service acting as the object server for the resource object, such as Security or Security Account Manager.
Tags tags Key:Value object[] The list of tags; {key:value} pairs associated with the resource.
Type type String The type of the Windows resource object.
Type ID type_id Integer The normalized type identifier of the Windows resource object accessed.
  • 0: Unknown (UNKNOWN)
  • 1: Directory (DIRECTORY)
  • 2: Event (EVENT)
  • 3: Timer (TIMER)
  • 4: Device (DEVICE)
  • 5: Mutant (MUTANT)
  • 6: Type (TYPE)
  • 7: File (FILE)
  • 8: Token (TOKEN)
  • 9: Thread (THREAD)
  • 10: Section (SECTION)
  • 11: WindowStation (WINDOWSTATION)
  • 12: DebugObject (DEBUGOBJECT)
  • 13: FilterCommunicationPort (FILTERCOMMUNICATIONPORT)
  • 14: EventPair (EVENTPAIR)
  • 15: Driver (DRIVER)
  • 16: IoCompletion (IOCOMPLETION)
  • 17: Controller (CONTROLLER)
  • 18: SymbolicLink (SYMBOLICLINK)
  • 19: WmiGuid (WMIGUID)
  • 20: Process (PROCESS)
  • 21: Profile (PROFILE)
  • 22: Desktop (DESKTOP)
  • 23: KeyedEvent (KEYEDEVENT)
  • 24: Adapter (ADAPTER)
  • 25: Key (KEY)
  • 26: WaitablePort (WAITABLEPORT)
  • 27: Callback (CALLBACK)
  • 28: Semaphore (SEMAPHORE)
  • 29: Job (JOB)
  • 30: Port (PORT)
  • 31: FilterConnectionPort (FILTERCONNECTIONPORT)
  • 32: ALPC Port (ALPC_PORT)
  • 33: SAM_ALIAS (SAM_ALIAS)
  • 34: SAM_GROUP (SAM_GROUP)
  • 35: SAM_USER (SAM_USER)
  • 36: SAM_DOMAIN (SAM_DOMAIN)
  • 37: SAM_SERVER (SAM_SERVER)
  • 99: Other (OTHER)
Unique ID uid Resource UID Entity:RESOURCE_UID
The Windows-provided handle identifier for the resource object.
Unmapped unmapped Unmapped[] Data from the source that was not mapped into the schema.

Relationships

Windows Resource shown in context

Inbound Relationships

These objects and events reference Windows Resource in their attributes:

Outbound Relationships

Windows Resource references the following objects and events in its attributes:

This page describes ocsf-1.4.0