<span class="pill kill-chain">_time</span>
<span class="pill kill-chain">AccountName</span>
<span class="pill kill-chain">Channel</span>
<span class="pill kill-chain">Computer</span>
<span class="pill kill-chain">Error_Code</span>
<span class="pill kill-chain">EventCode</span>
<span class="pill kill-chain">EventData_Xml</span>
<span class="pill kill-chain">EventRecordID</span>
<span class="pill kill-chain">EventSourceName</span>
<span class="pill kill-chain">Guid</span>
<span class="pill kill-chain">ImagePath</span>
<span class="pill kill-chain">Keywords</span>
<span class="pill kill-chain">Level</span>
<span class="pill kill-chain">Name</span>
<span class="pill kill-chain">Opcode</span>
<span class="pill kill-chain">ProcessID</span>
<span class="pill kill-chain">Qualifiers</span>
<span class="pill kill-chain">RecordNumber</span>
<span class="pill kill-chain">ServiceName</span>
<span class="pill kill-chain">ServiceType</span>
<span class="pill kill-chain">StartType</span>
<span class="pill kill-chain">SystemTime</span>
<span class="pill kill-chain">System_Props_Xml</span>
<span class="pill kill-chain">Task</span>
<span class="pill kill-chain">ThreadID</span>
<span class="pill kill-chain">UserID</span>
<span class="pill kill-chain">Version</span>
<span class="pill kill-chain">date_hour</span>
<span class="pill kill-chain">date_mday</span>
<span class="pill kill-chain">date_minute</span>
<span class="pill kill-chain">date_month</span>
<span class="pill kill-chain">date_second</span>
<span class="pill kill-chain">date_wday</span>
<span class="pill kill-chain">date_year</span>
<span class="pill kill-chain">date_zone</span>
<span class="pill kill-chain">dest</span>
<span class="pill kill-chain">dvc</span>
<span class="pill kill-chain">dvc_nt_host</span>
<span class="pill kill-chain">event_id</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">id</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">product</span>
<span class="pill kill-chain">punct</span>
<span class="pill kill-chain">service</span>
<span class="pill kill-chain">service_name</span>
<span class="pill kill-chain">signature_id</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">start_mode</span>
<span class="pill kill-chain">tag</span>
<span class="pill kill-chain">tag::eventtype</span>
<span class="pill kill-chain">timeendpos</span>
<span class="pill kill-chain">timestartpos</span>
<span class="pill kill-chain">user_id</span>
<span class="pill kill-chain">vendor</span>
<span class="pill kill-chain">vendor_product</span>
</div>
Data Source: Windows Event Log System 7045
Description
Logs the successful installation of a new Windows service, including details about the service name, executable path, and service type.
Details
| Property | Value |
|---|---|
| Source | XmlWinEventLog:System |
| Sourcetype | XmlWinEventLog |
| Separator | EventCode |
Related Detections
Supported Apps
- Splunk Add-on for Microsoft Windows (version 9.1.2)
Event Fields
Fields
Example Log
1<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/><EventID Qualifiers='16384'>7045</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime='2024-03-04T10:11:25.483986000Z'/><EventRecordID>168145</EventRecordID><Correlation/><Execution ProcessID='592' ThreadID='1712'/><Channel>System</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-21-3344543075-1022232225-2459664213-500'/></System><EventData><Data Name='ServiceName'>KrbSCM</Data><Data Name='ImagePath'>powershell.exe -WindowStyle Hiddenestno'
Required Output Fields
- dest
Source: GitHub | Version: 3