windows_event_replay_attack
SCHEMA
| authentication_package | string | The name of the authentication package which was used for the logon |
| description | string | Plugin description text |
| eventid | int | The Windows event ID |
| logon_process | string | The name of the trusted logon process that was used for the logon attempt |
| name | string | Name of the registry value entry |
| provider_name | string | The Windows event provider |
| request_type | string | The request type |
| source | string | The Windows event source |
| subject_domain | string | The domain or computer name for the account that reported the logon |
| subject_username | string | The account that reported the logon |
| target_domain | string | The domain or computer name for the account specified |
| target_username | string | The name of the account that was specified in the logon attempt |
| transmitted_services | string | The list of transmitted services |
-- windows_event_replay_attack INFO SELECT -- Device ID DETAILS meta_hostname, meta_ip_address, -- Query Details query_name, authentication_package, description, eventid, logon_process, name, provider_name, request_type, source, subject_domain, subject_username, target_domain, target_username, transmitted_services, -- Decoration meta_boot_time, meta_eid, meta_endpoint_type, meta_ip_mask, meta_mac_address, meta_os_name, meta_os_platform, meta_os_type, meta_os_version, meta_public_ip, meta_query_pack_version, meta_username, --- Generic calendar_time, counter, epoch, host_identifier, numerics osquery_action, unix_time, -- Data Lake customer_id, endpoint_id, upload_size FROM xdr_data WHERE query_name = 'windows_event_replay_attack'
