Collect Microsoft Windows Event data
This document describes the deployment architecture, installation steps, and required configuration that produce logs supported by the Google Security Operations parser for Windows events. This document also includes information about how the parser maps fields in the original log to Google Security Operations Unified Data Model fields. For an overview of Google Security Operations data ingestion, see Data ingestion to Google Security Operations.
To ingest Windows event logs to Google Security Operations, you can use the BindPlane Agent or Google Cloud built-in ingestion. For more information regarding built-in ingestion, see Ingest Google Cloud data to Google Security Operations.
Information in this document applies to the parser with the WINEVTLOG ingestion label.
The ingestion label identifies which parser normalizes raw log data to structured UDM format.
Before you begin
Review the recommended deployment architecture
If your deployment includes a Windows server on Google Cloud, then we recommend that you use Google Cloud built-in ingestion. Otherwise, you can use the BindPlane Agent.
Google Cloud built-in ingestion architecture
If the Windows events have the Provider value Microsoft-Windows-Security-Auditing, then the WINEVTLOG parser supports Google Cloud built-in ingestion.
Deploy a Windows server in Google Cloud.
Configure an Ops Agent on Windows Server.
Install the Cloud Logging agent on Windows Server.
Enable the following export filter in the Google Security Operations instance: (log_id("winevt.raw") OR log_id("windows_event_log")). For more information, see Ingest Google Cloud data to Google Security Operations.
BindPlane Agent ingestion architecture
Collect the Windows Event logs by using the BindPlane Agent. After installation, the BindPlane Agent service appears as the observIQ service in the list of Windows services.
Install and configure the Windows servers. For more information about configuring the Windows servers, see Configure Windows server overview.
Install the BindPlane Agent on the collector that is running on a Windows server. For more information about installing the BindPlane Agent, see the BindPlane Agent installation instructions.
Create a configuration file for the BindPlane Agent with the following contents.
receivers:
  windowseventlog/dfsn_serv:
    channel: Microsoft-Windows-DFSN-Server/Admin
    raw: true
  windowseventlog/operational:
    channel: Microsoft-Windows-Forwarding/Operational
    raw: true
  windowseventlog/source0__application:
    channel: application
    raw: true
  windowseventlog/source0__security:
    channel: security
    raw: true
  windowseventlog/source0__system:
    channel: system
    raw: true
processors:
  batch:
exporters:
  chronicle/winevtlog:
    endpoint: https://malachiteingestion-pa.googleapis.com
    creds: '{
      "type": "service_account",
      "project_id": "malachite-PROJECT_ID",
      "private_key_id": "PRIVATE_KEY_ID",
      "private_key": "PRIVATE_KEY",
      "client_email": "SERVICE_ACCOUNT_NAME@malachite-PROJECT_ID.iam.gserviceaccount.com",
      "client_id": "CLIENT_ID",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_NAME%40malachite-PROJECT_ID.iam.gserviceaccount.com",
      "universe_domain": "googleapis.com"
    }'
    log_type: 'WINEVTLOG'
    override_log_type: false
    raw_log_field: body
    customer_id: CUSTOMER_ID
service:
  pipelines:
    logs/winevtlog:
      receivers:
        - windowseventlog/source0__application
        - windowseventlog/source0__security
        - windowseventlog/source0__system
        - windowseventlog/dfsn_serv
        - windowseventlog/operational
      processors: [batch]
      exporters: [chronicle/winevtlog]
Replace PRIVATE_KEY_ID, PRIVATE_KEY, SERVICE_ACCOUNT_NAME, PROJECT_ID, and CLIENT_ID with the corresponding values from the service account JSON key file, which you download from Google Cloud, and replace CUSTOMER_ID with your Google Security Operations customer ID (this value is not part of the key file). For more information about service account keys, see the Create and delete service account keys documentation. Because the configuration file now contains the service account's private key, restrict its NTFS permissions to the account the agent runs under and to local administrators.
To start the observIQ agent service, select Services > Extended > observIQ Service > Start.
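The configuration above embeds a service-account private key in a YAML file. The following PowerShell script is an added example (it is not part of the original page, nor code from observIQ or Google): it reads the downloaded key file, validates it, emits the exporter configuration above for the Security, System, and Application channels only, and then restricts the file's ACL so the key is readable only by SYSTEM and Administrators. The file paths, the CustomerId parameter, and the service name pattern observIQ* are assumptions.

```powershell
# Added example, not from the original page, observIQ or Google: builds the BindPlane
# config from the downloaded service-account key file, so the private key and the
# client e-mail are never hand-copied into placeholders, then restricts the file to
# SYSTEM and Administrators because it embeds that key. Paths, the receiver subset
# (Security, System, Application only) and the service name pattern are assumptions.
param(
    [string]$KeyFile    = 'C:\secops\ingestion-sa.json',        # assumed path
    [string]$ConfigPath = 'C:\secops\bindplane-config.yaml',    # assumed path
    [Parameter(Mandatory)][string]$CustomerId                   # SecOps customer ID, not in the key file
)

$sa = Get-Content -Path $KeyFile -Raw | ConvertFrom-Json
foreach ($field in 'type', 'project_id', 'private_key_id', 'private_key', 'client_email', 'client_id') {
    if (-not $sa.$field) { throw "Key file is missing '$field'" }
}
if ($sa.type -ne 'service_account') { throw "Not a service-account key (type=$($sa.type))" }

# The exporter takes the whole key object as one single-quoted YAML scalar; a single quote
# inside it would have to be doubled, so handle that even though keys normally contain none.
$credsJson = ($sa | ConvertTo-Json -Compress -Depth 5) -replace "'", "''"

$yaml = @"
receivers:
  windowseventlog/source0__security:
    channel: security
    raw: true
  windowseventlog/source0__system:
    channel: system
    raw: true
  windowseventlog/source0__application:
    channel: application
    raw: true
processors:
  batch:
exporters:
  chronicle/winevtlog:
    endpoint: https://malachiteingestion-pa.googleapis.com
    creds: '$credsJson'
    log_type: 'WINEVTLOG'
    override_log_type: false
    raw_log_field: body
    customer_id: $CustomerId
service:
  pipelines:
    logs/winevtlog:
      receivers:
        - windowseventlog/source0__security
        - windowseventlog/source0__system
        - windowseventlog/source0__application
      processors: [batch]
      exporters: [chronicle/winevtlog]
"@
# Write UTF-8 without a BOM (Set-Content -Encoding UTF8 on Windows PowerShell 5.1 adds one).
[System.IO.File]::WriteAllText($ConfigPath, $yaml, (New-Object System.Text.UTF8Encoding $false))

# Replace the inherited ACL with SYSTEM + Administrators only: the key grants ingestion
# rights into the tenant, so unprivileged local users must not be able to read it.
$acl = Get-Acl -Path $ConfigPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
}
Set-Acl -Path $ConfigPath -AclObject $acl

# The agent service is named after observIQ; confirm the exact name with Get-Service.
Get-Service -Name 'observIQ*' | Restart-Service
```

Run the script elevated on the collector after downloading the key file; delete the key file once the config has been written and tested, since the config now carries the same secret.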
NXLog forwarder ingestion deployment architecture
This diagram illustrates the recommended foundational components in a deployment architecture to collect and send Microsoft Windows Event data to Google Security Operations. Compare this information with your environment to be sure these components are installed. Each customer deployment will differ from this representation and may be more complex.
The following is required:
Review the supported devices and versions
The Google Security Operations parser supports logs from the following Microsoft Windows Server versions. Microsoft Windows Server is released in the Foundation, Essentials, Standard, and Datacenter editions; the event schema of the logs generated by each edition does not differ.
Microsoft Windows Server 2019
Microsoft Windows Server 2016
Microsoft Windows Server 2012
The Google Security Operations parser also supports logs from Microsoft Windows 10 and later client systems, and logs collected by NXLog Community or Enterprise Edition.
Review the supported log types
The Google Security Operations parser supports the following log types generated by Microsoft Windows systems. For more information about these log types, see the Microsoft Windows Event Log documentation.
The parser supports only logs generated with English-language text; logs generated in other languages are not supported.
Log Type | Notes
Security | Security audit and event logs.
Application | Events logged by applications or programs. If the provider's manifest is not installed locally, Application log messages contain missing or hex values instead of rendered text.
System | Events logged by Microsoft Windows system components.
Configure the Microsoft Windows servers, endpoints, and domain controllers
Install and configure the servers, endpoints, and domain controllers.
Configure all systems with the UTC time zone.
Configure devices to forward logs to a collector Microsoft Windows server.
Configure a Source Initiated Subscription on the collector Microsoft Windows server. For information, see Setting up a Source Initiated Subscription.
Enable WinRM on Microsoft Windows servers and clients. For information, see Installation and configuration for Microsoft Windows Remote Management.
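The steps above, scripted as an added example (this is not code from the original page or from Microsoft). Initialize-WefCollector runs elevated on the collector; Initialize-WefSource runs elevated on each forwarding system. The subscription name ChronicleWinEvtLog, the XML path, the channel selection, and the collector name in the usage comment are assumptions.

```powershell
# Added example, not from the original page or from Microsoft: the source-initiated
# subscription procedure above, scripted. Run elevated. The subscription name, the
# channels selected, the XML path and the collector name are assumptions.
function Initialize-WefCollector {
    param(
        [string]$SubscriptionXml = 'C:\wef\chronicle-subscription.xml',   # assumed path
        [string]$SubscriptionId  = 'ChronicleWinEvtLog'                   # assumed name
    )
    Set-TimeZone -Id 'UTC'     # every system in the pipeline must be on UTC
    winrm quickconfig -q       # WinRM listener (HTTP 5985, Kerberos-authenticated in the domain)
    wecutil qc /q              # Windows Event Collector service, delayed-auto start

    # ContentFormat RenderedText makes each source render its own message text, so the
    # collector does not need every provider's manifest (otherwise messages arrive as
    # hex/placeholder values). Locale en-US keeps the text in English, the only language
    # the parser supports. The SDDL admits Domain Computers (DC) and Domain Controllers (DD).
    $xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wecutil/subscription">
  <SubscriptionId>$SubscriptionId</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security, System and Application events for Google SecOps</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList><Query Id="0">
      <Select Path="Security">*</Select>
      <Select Path="System">*</Select>
      <Select Path="Application">*</Select>
    </Query></QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
"@
    New-Item -ItemType Directory -Path (Split-Path -Parent $SubscriptionXml) -Force | Out-Null
    [System.IO.File]::WriteAllText($SubscriptionXml, $xml)
    wecutil cs $SubscriptionXml
    # Forwarded events land in the channel named in LogFile (ForwardedEvents), so the NXLog
    # query on this collector must select that path as well as the collector's own channels.
    wecutil gs $SubscriptionId
}

function Initialize-WefSource {
    param([Parameter(Mandatory)][string]$Collector)   # collector FQDN
    Set-TimeZone -Id 'UTC'
    winrm quickconfig -q
    # The forwarding client runs as NETWORK SERVICE, which cannot read the Security log until
    # it is an Event Log Reader; without this the Security channel silently never forwards.
    Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE' -ErrorAction SilentlyContinue
    # Normally pushed by GPO (Computer Configuration > Administrative Templates > Windows
    # Components > Event Forwarding > Configure target Subscription Manager); writing the
    # policy value directly is an assumption for lab use.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name '1' -PropertyType String -Force `
        -Value "Server=http://${Collector}:5985/wsman/SubscriptionManager/WEC,Refresh=60" | Out-Null
    gpupdate /force | Out-Null
}

# Usage (collector first, then each source; the collector name is an assumption):
#   Initialize-WefCollector
#   Initialize-WefSource -Collector 'wec01.corp.example'
```

HTTP is acceptable inside a domain because WinRM authenticates and encrypts the payload with Kerberos; for non-domain sources use TransportName HTTPS with certificate authentication and populate AllowedSourceNonDomainComputers instead.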
Set up a collector Microsoft Windows server to collect from systems.
Configure the system with the UTC time zone.
Install NXLog. Follow the NXLog documentation.
Create a configuration file for NXLog. Use the im_msvistalog input module to read the Microsoft Windows Security channel; the query in the example below also reads the Application and System channels. Replace <hostname> and <port> with the address and port of the central Microsoft Windows or Linux server that runs the Google Security Operations forwarder. See the NXLog documentation for information about the om_tcp module. Check three things before deploying this configuration: events forwarded by a subscription land in the collector's ForwardedEvents channel (the default LogFile of a subscription), which this query does not select, so add that channel to the query or the collector sends only its own local events; with SavePos False and ReadFromLast False, NXLog re-reads every existing event each time the service starts, which produces duplicate events in Google Security Operations after a restart; and om_tcp sends the JSON in clear text, so use the om_ssl module if the path to the forwarder crosses an untrusted network.
define ROOT C:\Program Files (x86)\nxlog
define WINEVTLOG_OUTPUT_DESTINATION_ADDRESS <hostname>
define WINEVTLOG_OUTPUT_DESTINATION_PORT <port>
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _json>
    Module xm_json
</Extension>

<Input windows_security_eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ReadFromLast False
    SavePos False
</Input>

<Output out_chronicle_windevents>
    Module om_tcp
    Host %WINEVTLOG_OUTPUT_DESTINATION_ADDRESS%
    Port %WINEVTLOG_OUTPUT_DESTINATION_PORT%
    Exec $EventTime = integer($EventTime) / 1000;
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec to_json();
</Output>

<Route r2>
    Path windows_security_eventlog => out_chronicle_windevents
</Route>
Start the NXLog service.
For information about installing and configuring the forwarder, see Installing and configuring the forwarder on Linux or Installing and configuring the forwarder on Microsoft Windows.
Configure the system with the UTC time zone.
Install the Google Security Operations forwarder on the central Microsoft Windows or Linux server.
Configure the Google Security Operations forwarder to send logs to Google Security Operations. Here is an example forwarder configuration. With this configuration the forwarder listens on every interface (0.0.0.0) and accepts any TCP client on port 10518, so restrict that port with a host firewall to the NXLog collector's address.
- syslog:
    common:
      enabled: true
      data_type: WINEVTLOG
      batch_n_seconds: 10
      batch_n_bytes: 1048576
    tcp_address: 0.0.0.0:10518
    connection_timeout_sec: 60
Field mapping reference: Common device event fields to UDM fields
Deprecated: The following labels fields for UDM nouns are deprecated: about.labels, intermediary.labels, observer.labels, principal.labels, src.labels, security_result.about.labels, and target.labels. For existing parsers, in addition to these UDM fields, the log fields are also mapped to key/value additional.fields UDM fields. For new parsers, the key/value settings in additional.fields UDM fields are used instead of the deprecated labels UDM fields. We recommend that you update existing rules to use the key/value settings in additional.fields instead of the deprecated labels UDM fields.
The following fields are common across multiple Event IDs and are mapped the same way.
Note: The % values (e.g. %1, %2, %3, %{Category}) are variable placeholders.
NXLog field | UDM field
EventTime | metadata.event_timestamp
Hostname | principal.hostname, principal.asset.hostname
EventID | metadata.product_event_type is set to "%{EventID}"; security_result.rule_name is set to "EventID: %{EventID}"
SourceName | metadata.product_name is set to "%{SourceName}"; metadata.vendor_name is set to "Microsoft"
Category | additional.fields.key, additional.fields.value.string_value (and the deprecated about.labels.key/value)
Channel | additional.fields.key, additional.fields.value.string_value (and the deprecated about.labels.key/value)
Severity | Mapped to security_result.severity as follows: original value 0 (None) is set to UNKNOWN_SEVERITY; 1 (Critical) is set to INFORMATIONAL; 2 (Error) is set to ERROR; 3 (Warning) is set to ERROR; 4 (Informational) is set to INFORMATIONAL; 5 (Verbose) is set to INFORMATIONAL
UserID | principal.user.windows_sid
ExecutionProcessID | principal.process.pid
ProcessID | principal.process.pid
ProviderGuid | metadata.product_deployment_id
RecordNumber | metadata.product_log_id
SourceModuleName | additional.fields.key, additional.fields.value.string_value (and the deprecated observer.labels.key/value)
SourceModuleType | observer.application
Opcode | additional.fields.key, additional.fields.value.string_value (and the deprecated about.labels.key/value)
Keywords | additional.fields.key, additional.fields.value.string_value
ActivityID | security_result.detection_fields.key/value
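An added example, not the Google Security Operations parser itself: the PowerShell below applies the common-field mapping in the table above to one NXLog JSON record, so you can see the UDM field names a detection rule would reference before the data reaches the platform. It also includes the Hashes split that the Event ID 1 Microsoft-Windows-Sysmon section lists further down. The sample record is constructed for this example: its field names follow NXLog im_msvistalog output after the Exec lines in the NXLog configuration above, and its Severity uses the numeric scale of the table. The function names and the output shape (a flat dictionary keyed by UDM path) are this example's own.

```powershell
# Added example, not the Google SecOps parser: applies the common-field mapping from the
# table above to one NXLog JSON record. Function names and output shape are this example's own.
function ConvertTo-UdmCommonFields {
    param([Parameter(Mandatory)][string]$NxlogJson)
    $e = $NxlogJson | ConvertFrom-Json

    # Windows level -> security_result.severity, exactly as the table above lists it. Note
    # that level 1 (Critical) lands in INFORMATIONAL; key rules on EventID, not on severity.
    $severityMap = @{ 0 = 'UNKNOWN_SEVERITY'; 1 = 'INFORMATIONAL'; 2 = 'ERROR'
                      3 = 'ERROR'; 4 = 'INFORMATIONAL'; 5 = 'INFORMATIONAL' }

    # EventTime arrives as epoch milliseconds (the NXLog config divides microseconds by 1000).
    $ts = [DateTimeOffset]::FromUnixTimeMilliseconds([int64]$e.EventTime).UtcDateTime.ToString('o')

    $udm = [ordered]@{
        'metadata.event_timestamp'       = $ts
        'metadata.vendor_name'           = 'Microsoft'
        'metadata.product_name'          = $e.SourceName
        'metadata.product_event_type'    = "$($e.EventID)"
        'metadata.product_deployment_id' = $e.ProviderGuid
        'metadata.product_log_id'        = "$($e.RecordNumber)"
        'security_result.rule_name'      = "EventID: $($e.EventID)"
        'security_result.severity'       = $severityMap[[int]$e.Severity]
        'principal.hostname'             = $e.Hostname
        'principal.asset.hostname'       = $e.Hostname
        'principal.user.windows_sid'     = $e.UserID
        'principal.process.pid'          = "$($e.ExecutionProcessID)"
        'observer.application'           = $e.SourceModuleType
    }
    # Key/value fields go to additional.fields rather than the deprecated *.labels.
    $udm['additional.fields'] = @()
    foreach ($k in 'Category', 'Channel', 'Opcode', 'Keywords', 'SourceModuleName') {
        if ($null -ne $e.$k) {
            $udm['additional.fields'] += @{ key = $k; 'value.string_value' = "$($e.$k)" }
        }
    }
    if ($e.ActivityID) {
        $udm['security_result.detection_fields'] = @(@{ key = 'ActivityID'; value = $e.ActivityID })
    }
    return $udm
}

function Split-SysmonHashes {
    # Sysmon Event ID 1 carries Hashes as "MD5=...,SHA256=...,IMPHASH=..."; the Event ID 1
    # section splits it by algorithm into target.process.file.{md5,sha1,sha256}.
    param([Parameter(Mandatory)][string]$Hashes)
    $out = [ordered]@{}
    foreach ($pair in $Hashes -split ',') {
        $name, $value = $pair -split '=', 2
        if ($null -eq $value) { continue }
        switch ($name.Trim().ToUpperInvariant()) {
            'MD5'    { $out['target.process.file.md5']    = $value.Trim().ToLowerInvariant() }
            'SHA1'   { $out['target.process.file.sha1']   = $value.Trim().ToLowerInvariant() }
            'SHA256' { $out['target.process.file.sha256'] = $value.Trim().ToLowerInvariant() }
        }
    }
    return $out
}

# Constructed sample: an NXLog im_msvistalog record for System event 7045 (a service was
# installed), serialised by to_json() after the Exec lines in the NXLog config above.
$sample = @'
{"EventTime":1700000000000,"Hostname":"srv01.corp.example","Keywords":-9187343239835811840,
 "EventType":"INFO","Severity":4,"EventID":7045,"SourceName":"Service Control Manager",
 "ProviderGuid":"{555908D1-A6D7-4695-8E1E-26931D2012F4}","Version":0,"Opcode":"Info",
 "RecordNumber":123456,"ExecutionProcessID":712,"ThreadID":3020,"Channel":"System",
 "Category":"None","UserID":"S-1-5-18","ActivityID":"{6D0C3EA4-0A5E-0003-3A3F-0C6D5E0AD901}",
 "EventReceivedTime":1700000001000,"SourceModuleName":"windows_security_eventlog",
 "SourceModuleType":"im_msvistalog"}
'@
ConvertTo-UdmCommonFields -NxlogJson $sample | ConvertTo-Json -Depth 4
Split-SysmonHashes -Hashes 'MD5=9E107D9D372BB6826BD81D3542A419D6,SHA256=D7A8FBB307D7809469CA9ABCB0082E4F8D5651E46D3CDB762D02D0BF37C9E592,IMPHASH=00000000000000000000000000000000'
```

The IMPHASH pair is ignored because the table lists no UDM field for it; anything the parser drops in this way has to come from the raw log (raw_log_field) if a rule needs it.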
Field mapping reference: device event field to UDM field by EventID
The following section describes how NXLog/Event Viewer fields are mapped to UDM fields. Data may be mapped differently for different Microsoft Windows Event IDs. The section heading identifies the Event ID, plus the version (e.g. version 0) and operating system (e.g. Microsoft Windows 10 client) if applicable. There may be more than one section for an Event ID when the mapping for a specific version or operating system differs.
Note: The % values (e.g. %1, %2, %3, %{Category}) are variable placeholders.
Event ID 0
Provider: Directory Synchronization
metadata.event_type = STATUS_UNCATEGORIZED. If the required fields for that event type are not present, metadata.event_type is set to STATUS_UPDATE.
NXLog field | Event Viewer field | UDM field
Data | | security_result.summary
Provider: gupdate
metadata.event_type = STATUS_UPDATE
Provider: hcmon
metadata.event_type = STATUS_UPDATE
NXLog field | Event Viewer field | UDM field
target_resource_name | | target.resource.name
Provider: edgeupdate
metadata.event_type = STATUS_UNCATEGORIZED
Event ID 1
Provider: Microsoft-Windows-FilterManager
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
NXLog field | Event Viewer field | UDM field
Domain | System/Domain | principal.administrative_domain
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid
version 0 / Provider: Microsoft-Windows-Kernel-General
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
NXLog field | Event Viewer field | UDM field
Domain | System/Domain | principal.administrative_domain
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid
version 1 / Provider: Microsoft-Windows-Kernel-General
metadata.event_type = STATUS_UPDATE
NXLog field | Event Viewer field | UDM field
Reason | Data/Reason | security_result.description
ProcessName | Data/ProcessName | principal.process.command_line
ProcessID | Data/ProcessID | principal.process.pid
Provider: Microsoft-Windows-Sysmon
metadata.event_type = PROCESS_LAUNCH
If EventLevelName contains "Information", then security_result.severity = INFORMATIONAL
NXLog field | Event Viewer field | UDM field
EventData.Hashes | | Split by hash algorithm: MD5 is set to target.process.file.md5, SHA256 to target.process.file.sha256, SHA1 to target.process.file.sha1
EventData.User | | The domain part is set to principal.administrative_domain and the user name part to principal.user.userid
Description | | metadata.description
CommandLine | | target.process.command_line
Image | | target.process.file.full_path
ParentCommandLine | | target.process.parent_process.command_line
ParentImage | | target.process.parent_process.file.full_path
ParentProcessId | | target.process.parent_process.pid
ProcessId | | target.process.pid
EventOriginId | | target.process.product_specific_process_id, set to "sysmon:%{EventOriginId}"
Provider: SecurityCenter
metadata.event_type = SERVICE_START
NXLog field | Event Viewer field | UDM field
SourceName | Not available | target.application
Provider: telegraf
metadata.event_type = STATUS_UNCATEGORIZED
NXLog field | Event Viewer field | UDM field
Data | | security_result.description
Provider: WudfUsbccidDriver
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
NXLog field | Event Viewer field | UDM field
Context | Data/Context | security_result.description
Event ID 2
Provider: MEIx64
metadata.event_type = STATUS_UPDATE
NXLog field | Event Viewer field | UDM field
Message | | security_result.summary
Provider: SecurityCenter
metadata.event_type = SERVICE_STOP
NXLog field | Event Viewer field | UDM field
SourceName | Not available | target.application
Provider: vmci
metadata.event_type = STATUS_UPDATE
NXLog field | Event Viewer field | UDM field
Message | | security_result.summary
Provider: Microsoft-Windows-WHEA-Logger
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Event ID 3
version 3 / Provider: Microsoft-Windows-Power-Troubleshooter
metadata.event_type = STATUS_STARTUP
NXLog field | Event Viewer field | UDM field
Domain | System/Domain | principal.administrative_domain
AccountType | System/AccountType | principal.user.attribute.roles.name
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid
SleepTime | Data/SleepTime | target.resource.attribute.labels.key, target.resource.attribute.labels.value
WakeTime | Data/WakeTime | target.resource.attribute.labels.key, target.resource.attribute.labels.value
WakeSourceType | Data/WakeSourceType | target.resource.attribute.labels.key, target.resource.attribute.labels.value
WakeSourceText | Data/WakeSourceText | target.resource.attribute.labels.key, target.resource.attribute.labels.value
Provider: Microsoft-Windows-Security-Kerberos
metadata.event_type = STATUS_UNCATEGORIZED
NXLog field | Event Viewer field | UDM field
File | | target.file.full_path
Provider: Virtual Disk Service
metadata.event_type = STATUS_UNCATEGORIZED
Provider: vmci
metadata.event_type = STATUS_UPDATE
Provider: Microsoft-Windows-Bits-Client
metadata.event_type = STATUS_UPDATE
NXLog field | Event Viewer field | UDM field
jobTitle | | target.resource.name
processPath | | target.process.file.full_path
Event ID 4
Provider: Microsoft-Windows-Security-Kerberos
metadata.event_type = STATUS_UNCATEGORIZED
NXLog field | Event Viewer field | UDM field
Server | | target.hostname
Provider: Virtual Disk Service
metadata.event_type = STATUS_UNCATEGORIZED
NXLog field | Event Viewer field | UDM field
Message | | security_result.summary
Provider: Microsoft-Windows-Bits-Client
metadata.event_type = STATUS_UPDATE
NXLog field | Event Viewer field | UDM field
name | | target.resource.name
Id | | target.resource.product_object_id
url | | target.url
fileLength | | target.file.size
Event ID 5
Provider: iScsiPrt
metadata.event_type = STATUS_UPDATE
NXLog field | Event Viewer field | UDM field
Message | | security_result.summary
Provider: McAfee Service Controller
metadata.event_type = STATUS_UNCATEGORIZED
NXLog field | Event Viewer field | UDM field
Message | | security_result.summary
Provider: Microsoft-Windows-Search-ProfileNotify
metadata.event_type = SERVICE_MODIFICATION
NXLog field | Event Viewer field | UDM field
SourceName | | target.application
User | Data/User | target.user.userid
Event ID 6
Provider: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
metadata.event_type = STATUS_UPDATE
NXLog field | Event Viewer field | UDM field
ErrorCode | | security_result.summary, formatted as "%{ErrorCode}-%{ErrorMsg}"
ErrorMsg | | security_result.summary, formatted as "%{ErrorCode}-%{ErrorMsg}"
Context | | target.application
Provider: Microsoft-Windows-FilterManager
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
NXLog field | Event Viewer field | UDM field
Domain | System/Domain | principal.administrative_domain
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid
Provider: WudfUsbccidDriver
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Event ID 7
Provider: AdmPwd
metadata.event_type = STATUS_UNCATEGORIZED. If the required fields for that event type are not present, metadata.event_type is set to STATUS_UPDATE.
NXLog field | Event Viewer field | UDM field
Data | | security_result.summary, formatted as "Error: %{Data}"
Provider: WudfUsbccidDriver
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Event ID 8
Provider: CylanceSvc
metadata.event_type = STATUS_UNCATEGORIZED
Provider: WSH
metadata.event_type = STATUS_UPDATE
NXLog field | Event Viewer field | UDM field
Data_1 | | additional.fields.key, additional.fields.value.string_value (and the deprecated principal.labels.key/value)
Data_2 | | additional.fields.key, additional.fields.value.string_value (and the deprecated principal.labels.key/value)
Data_3 | | principal.process.command_line
Message | | metadata.description
Event ID 9
Provider: volsnap
metadata.event_type = STATUS_UPDATE
NXLog field | Event Viewer field | UDM field
VolumeName | | target.file.full_path
Event ID 10
Provider: WudfUsbccidDriver
metadata.event_type = STATUS_UPDATE
Event ID 11
Provider: Microsoft-Windows-Hyper-V-Netvsc
metadata.event_type = STATUS_UNCATEGORIZED
NXLog field | Event Viewer field | UDM field
Domain | System/Domain | principal.administrative_domain
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid
MiniportName | | target.resource.name
AccountType | | principal.user.attribute.roles.name
Provider: Microsoft-Windows-Kernel-General
metadata.event_type = STATUS_UPDATE
NXLog field | Event Viewer field | UDM field
Domain | System/Domain | principal.administrative_domain
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid
Provider: WudfUsbccidDriver
metadata.event_type = STATUS_UPDATE
NXLog field | Event Viewer field | UDM field
Error | Data/Error | security_result.summary, set to "ErrorCode: %{Error}"
Provider: Microsoft-Windows-Wininit
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Event ID 12
Provider: Microsoft-Windows-Kernel-General
metadata.event_type = STATUS_STARTUP
NXLog field | Event Viewer field | UDM field
Domain | System/Domain | principal.administrative_domain
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid
AccountType | | principal.user.attribute.roles.name
Provider: Microsoft-Windows-Sysmon
metadata.event_type = REGISTRY_CREATION
If EventLevelName =~ "Information", then security_result.severity = INFORMATIONAL
NXLog field | Event Viewer field | UDM field
EventOriginId | | target.process.product_specific_process_id, set to "sysmon: %{EventOriginId}"
EventData/EventType | | target.registry.registry_key
EventData/TargetObject | | target.registry.registry_value_name
ProcessId | | principal.process.pid
Provider: Microsoft-Windows-Time-Service
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
NXLog field | Event Viewer field | UDM field
Domain | System/Domain | principal.administrative_domain
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid
Provider: Microsoft-Windows-UserModePowerService
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
NXLog field | Event Viewer field | UDM field
Domain | System/Domain | principal.administrative_domain
AccountType | System/AccountType | principal.user.attribute.roles.name
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid
ProcessPath | | target.process.file.full_path
NewSchemeGuid | | target.resource.product_object_id
Provider: Microsoft-Windows-EnhancedStorage-EhStorTcgDrv
metadata.event_type = STATUS_UPDATE
Event ID 13
Provider: Microsoft-Windows-Kernel-General
metadata.event_type = STATUS_SHUTDOWN
Provider: Microsoft-Windows-Sysmon
metadata.event_type = REGISTRY_MODIFICATION
If EventLevelName =~ "Information", then security_result.severity = INFORMATIONAL
NXLog field | Event Viewer field | UDM field
ProcessId | | principal.process.pid
EventOriginId | | target.process.product_specific_process_id, set to "sysmon: %{EventOriginId}"
EventData/EventType | | target.registry.registry_key
EventData/Details | | target.registry.registry_value_data
Provider: Microsoft-Windows-CertificateServicesClient-CertEnroll
metadata.event_type = STATUS_UPDATE
NXLog field | Event Viewer field | UDM field
Domain | | principal.administrative_domain
AccountName | | principal.user.userid
AccountType | | principal.user.attribute.roles.name
Message | | metadata.description
UserID | | principal.user.windows_sid
CA | | additional.fields.key, additional.fields.value.string_value (and the deprecated about.labels.key/value)
ErrorCode | | security_result.summary, formatted as "%{error_code} - %{error_message}"
Provider: NPS
metadata.event_type = STATUS_UPDATE
NXLog field | Event Viewer field | UDM field
Data | | target.ip
Event ID 14
Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
metadata.event_type = STATUS_UNCATEGORIZED. If the required fields for that event type are not present, metadata.event_type is set to STATUS_UPDATE.
NXLog field | Event Viewer field | UDM field
ClientName | | principal.asset.attribute.labels.key/value
Target | | target.application
Account | | target.hostname
Provider: Microsoft-Windows-Wininit
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
NXLog field | Event Viewer field | UDM field
Domain | System/Domain | principal.administrative_domain
AccountType | | principal.user.attribute.roles.name
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid
Provider: Microsoft-Windows-Hyper-V-Hypervisor
metadata.event_type = STATUS_UNCATEGORIZED
NXLog field | Event Viewer field | UDM field
Error | Data/Error | security_result.description, formatted as "Error - %{value}"
Provider: TPM
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
NXLog field | Event Viewer field | UDM field
UserID | Security/UserID | principal.user.windows_sid
Event ID 15
Provider: Disk
metadata.event_type = STATUS_UNCATEGORIZED
NXLog field | Event Viewer field | UDM field
target_hostname | | target.hostname
Provider: Microsoft-Windows-Kernel-General
metadata.event_type = REGISTRY_UNCATEGORIZED
NXLog field | Event Viewer field | UDM field
Domain | System/Domain | principal.administrative_domain
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid
NewSize | Data/NewSize | target.file.size
HiveName | Data/HiveName | target.registry.registry_key
AccountType | | principal.user.attribute.roles.name
Provider: SecurityCenter
metadata.event_type = STATUS_UPDATE
Provider: TPM
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
NXLog field | Event Viewer field | UDM field
UserID | Security/UserID | principal.user.windows_sid
Event ID 16
Provider: Microsoft-Windows-HAL
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
NXLog field | Event Viewer field | UDM field
Domain | System/Domain | principal.administrative_domain
AccountType | | principal.user.attribute.roles.name
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid
Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
metadata.event_type = STATUS_UNCATEGORIZED. If the required fields for that event type are not present, metadata.event_type is set to STATUS_UPDATE.
NXLog field | Event Viewer field | UDM field
ClientName | | principal.asset.attribute.labels.key/value
Target | | target.application
Account | | target.hostname
Provider: Microsoft-Windows-Kernel-General
metadata.event_type = REGISTRY_MODIFICATION
NXLog field | Event Viewer field | UDM field
Domain | System/Domain | principal.administrative_domain
ProcessID | System/ProcessID | principal.process.pid
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid
HiveName | Data/HiveName | target.registry.registry_key
AccountType | | principal.user.attribute.roles.name
Provider: Micros
oft-Windows-WindowsUpdateClient
metadata.event_type = STATUS_UPDATE
NXLog field | Event Viewer field | UDM field
Message | | metadata.description
Domain | System/Domain | principal.administrative_domain
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid
version 0 / Provider: Microsoft-Windows-HAL
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Event ID 17
Provider: Microsoft-Windows-WHEA-Logger
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
NXLog field | Event Viewer field | UDM field
Domain | System/Domain | principal.administrative_domain
AccountType | System/AccountType | principal.user.attribute.roles.name
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid
Provider: Microsoft-Windows-WindowsUpdateClient
metadata.event_type = STATUS_UPDATE
NXLog field | Event Viewer field | UDM field
Category | | security_result.category_details
Message | | metadata.description
Domain | System/Domain | principal.administrative_domain
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid
Event ID 18
Provider: BTHUSB
metadata.event_type = STATUS_UNCATEGORIZED
NXLog field | Event Viewer field | UDM field
Message | | security_result.summary
Provider: Microsoft-Windows-Kernel-Boot
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED. If the required fields for that event type are not present, metadata.event_type is set to STATUS_UPDATE.
NXLog field | Event Viewer field | UDM field
Domain | System/Domain | principal.administrative_domain
AccountType | | principal.user.attribute.roles.name
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid
Provider: TPM
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Event ID 19
version 0 / Provider: Microsoft-Windows-WindowsUpdateClient
metadata.event_type = STATUS_UPDATE
NXLog field | Event Viewer field | UDM field
Domain | System/Domain | principal.administrative_domain
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid
Category | Data/Category | security_result.category_details
Provider: Intel-SST-OED
metadata.event_type = STATUS_UNCATEGORIZED
NXLog field | Event Viewer field | UDM field
Domain | System/Domain | principal.administrative_domain
AccountType | | principal.user.attribute.roles.name
AccountName | System/AccountName | principal.user.userid
Category | | security_result.summary
Provider: Microsoft-Windows-WHEA-Logger
metadata.event_type = STATUS_UNCATEGORIZED
Event ID 20
Provider: Microsoft-Windows-Eventlog
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service"
NXLog field | Event Viewer field | UDM field
ErrorCode | Data/ErrorCode | security_result.summary, formatted as "Error Code: %{value}"
Provider: Microsoft-Windows-Kernel-Boot
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED. If the required fields for that event type are not present, metadata.event_type is set to STATUS_UPDATE.
NXLog field | Event Viewer field | UDM field
Domain | System/Domain | principal.administrative_domain
AccountType | | principal.user.attribute.roles.name
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid
Provider: Microsoft-Windows-WindowsUpdateClient
metadata.event_type = STATUS_UPDATE
NXLog field | Event Viewer field | UDM field
Domain | System/Domain | principal.administrative_domain
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid
updateRevisionNumber | | target.resource.attribute.labels.key, target.resource.attribute.labels.value
updateTitle | | target.resource.name
updateGuid | | target.resource.product_object_id
Provider: Microsoft-Windows-Kernel-General
metadata.event_type = STATUS_UPDATE
Event ID 21
Provider: Microsoft-Windows-Eventlog
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service"
NXLog field | Event Viewer field | UDM field
ErrorCode | Data/ErrorCode | security_result.summary, formatted as "Error Code: %{value}"
Event ID 22
Provider: Microsoft-Windows-Eventlog
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service"
NXLog field | Event Viewer field | UDM field
ErrorCode | Data/ErrorCode | security_result.summary, formatted as "Error Code: %{value}"
Provider: Microsoft-Windows-WindowsUpdateClient
metadata.event_type = STATUS_UPDATE
NXLog field | Event Viewer field | UDM field
Category | | security_result.category_details
Message | | metadata.description
Domain | System/Domain | principal.administrative_domain
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid
updatelist | | security_result.description
Provider: Microsoft-Windows-UserModePowerService
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Event ID 23
Provider: Microsoft-Windows-Eventlog
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service"
NXLog field | Event Viewer field | UDM field
ErrorCode | Data/ErrorCode | security_result.summary, formatted as "Error Code: %{value}"
Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
metadata.event_type = STATUS_UNCATEGORIZED
NXLog field | Event Viewer field | UDM field
Message | | security_result.summary
Event ID 24
Provider: Microsoft-Windows-Kernel-General
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
AccountType
principal.user.attribute.roles.name
version 0 / Provider: Microsoft-Windows-Kernel-General
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Provider: Microsoft-Windows-Time-Service
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
ErrorMessage
Data/ErrorMessage
security_result.description
DomainPeer
Data/DomainPeer
target.administrative_domain
Provider: TPM
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
UserID
Security/UserID
principal.user.windows_sid
Event ID 25
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service"
Provider: Microsoft-Windows-Kernel-Boot
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above metadata.event_type are not present, then metadata.event_type is set to STATUS_UPDATE.
Domain
System/Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Event ID 26
Provider: Application Popup
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.name
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Caption
security_result.summary
Provider: Microsoft-Windows-CertificationAuthority
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_START
target.application = "Active Directory Certificate Services"
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
DCName
Data/DCName
target.administrative_domain
CACommonName
Data/CACommonName
target.user.userid
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service"
Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Target
target.hostname
Name
target.user.userid
Event ID 27
version 0 / Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service"
ErrorCode
Data/ErrorCode
security_result.summary
Format:
Error Code: %{value}
NewLogFilePath
Data/NewLogFilePath
target.file.full_path
Provider: Microsoft-Windows-Kernel-Boot
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above metadata.event_type are not present, then metadata.event_type is set to STATUS_UPDATE.
Domain
System/Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Provider: Microsoft-Windows-WindowsUpdateClient
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Message
set to metadata.description
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Event ID 28
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service"
ErrorCode
Data/ErrorCode
security_result.summary
Format:
Error Code: %{value}
Provider: Microsoft-Windows-WindowsUpdateClient
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Message
set to metadata.description
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Event ID 29
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service"
ErrorCode
Data/ErrorCode
security_result.summary
Format:
Error Code: %{value}
Event ID 30
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service"
ErrorCode
Data/ErrorCode
security_result.summary
Format:
Error Code: %{value}
Provider: Microsoft-Windows-Kernel-Boot
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Event ID 31
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service"
ErrorCode
Data/ErrorCode
security_result.summary
Format:
Error Code: %{value}
Event ID 32
Provider: e1iexpress
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Message
set to security_result.summary
Provider: Microsoft-Windows-Kernel-Boot
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above metadata.event_type are not present, then metadata.event_type is set to STATUS_UPDATE.
Domain
System/Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Event ID 33
Provider: volsnap
NXLog field
Event Viewer field
UDM field
metadata.event_type = FILE_UNCATEGORIZED
VolumeName
target.file.full_path
DeviceName
target.resource.name
Event ID 34
Provider: Oracle.xstore
NXLog field
Event Viewer field
UDM field
metadata.event_type = RESOURCE_READ
DBID
additional.fields.key/value
ProcessId
principal.process.pid
SourceName
principal.application
DATABASE_USER
principal.user.userid
ACTION
target.process.command_line
Event ID 35
Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
If the required fields for the above metadata.event_type are not present, then metadata.event_type is set to STATUS_UPDATE.
Provider: Microsoft-Windows-Time-Service
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Event ID 36
Provider: Microsoft-Windows-Time-Service
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Provider: NPS
NXLog field
Event Viewer field
UDM field
metadata.event_type = NETWORK_CONNECTION
If the required fields for the above metadata.event_type are not present, then metadata.event_type is set to STATUS_UPDATE.
Message
IP address extracted from the message is set to target.ip
Event ID 37
Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
If the required fields for the above metadata.event_type are not present, then metadata.event_type is set to STATUS_UPDATE.
ClientName
principal.asset.attribute.labels.key/value
ServerName
target.hostname
Provider: Microsoft-Windows-Kernel-Processor-Power
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.name
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Number
Data/Number
target.resource.attribute.labels.key
target.resource.attribute.labels.value
CapDurationInSeconds
Data/CapDurationInSeconds
target.resource.attribute.labels.key
target.resource.attribute.labels.value
Provider: Microsoft-Windows-Time-Service
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Event ID 38
Provider: Microsoft-Windows-CertificationAuthority
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_STOP
target.application = "Active Directory Certificate Services"
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
CACommonName
Data/CACommonName
target.user.userid
Event ID 40
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service"
ErrorCode
Data/ErrorCode
security_result.summary
Format:
Error Code: %{value}
Event ID 42
version 0 Windows 10 client / Provider: Microsoft-Windows-Kernel-Power
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
version 2 Windows 10 client /
NXLog field
Event Viewer field
UDM field
Reason
Data/Reason
security_result.description
Event ID 43
Provider: Microsoft-Windows-WindowsUpdateClient
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
updateRevisionNumber
Data/updateRevisionNumber
target.resource.attribute.labels.key
target.resource.attribute.labels.value
updateTitle
Data/updateTitle
target.resource.name
updateGuid
Data/updateGuid
target.resource.product_object_id
Provider: Microsoft-Windows-Hyper-V-Hypervisor
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 44
version 0 Windows 10 client / Provider: Microsoft-Windows-WindowsUpdateClient
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
AccountType
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
Category
Data/Category
security_result.category_details
Event ID 45
Provider: Symantec AntiVirus
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
Data
security_result.summary
Event ID 47
Provider: Microsoft-Windows-Time-Service
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
ErrorMessage
security_result.description
ManualPeer
target.ip
Provider: Microsoft-Windows-WHEA-Logger
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.name
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Event ID 49
Provider: Microsoft-Windows-Hyper-V-Netvsc
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Status
Data/Status
security_result.summary
Event ID 50
Provider: Microsoft-Windows-Time-Service
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Provider: Ntfs
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 51
Provider: Disk
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
target_hostname set to target.hostname
Event ID 55
version 0 Windows 10 client / Provider: Microsoft-Windows-Kernel-Processor-Power
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Provider: Ntfs
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
AccountType
principal.user.attribute.roles.name
Outcome
security_result.summary
Event ID 57
Provider: hpqilo3
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Message
set to security_result.summary
Event ID 58
Provider: partmgr
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Message
set to metadata.description
Provider: volsnap
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Message
set to metadata.description
Event ID 59
Provider: Microsoft-Windows-Bits-Client
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
name
target.resource.name
Id
target.resource.product_object_id
url
target.url
fileLength
target.file.size
Event ID 60
Provider: Microsoft-Windows-Bits-Client
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
name
target.resource.name
url
target.url
fileLength
target.file.size
Event ID 61
Provider: Microsoft-Windows-Bits-Client
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
name
target.resource.name
Id
target.resource.product_object_id
url
target.url
fileLength
target.file.size
Event ID 64
Provider: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Context
target.application
Event ID 75
Provider: Microsoft-Windows-CertificationAuthority
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_UNSPECIFIED
target.application set to "Active Directory Certificate Services"
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
ErrorMessageText
security_result.summary
Event ID 77
Provider: Microsoft-Windows-CertificationAuthority
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_UNSPECIFIED
target.application set to "Active Directory Certificate Services"
WarningMessage
security_result.description
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Event ID 80
Provider: ocz10xx
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Data
target.hostname
Event ID 81
Provider: hpqilo2
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Provider: Microsoft-Windows-FailoverClustering-Client
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
Event ID 98
Provider: Microsoft-Windows-Ntfs
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_HEARTBEAT
Domain
System/Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
DeviceName
Data/DeviceName
principal.hostname
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Event ID 100
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service"
ErrorCode
Data/ErrorCode
security_result.summary
Format:
Error Code: %{value}
Provider: Microsoft-Windows-TaskScheduler
NXLog field
Event Viewer field
UDM field
metadata.event_type = SCHEDULED_TASK_ENABLE
target.resource.resource_type = TASK
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
TaskName
Data/TaskName
target.resource.name
InstanceId
Data/InstanceId
target.resource.product_object_id
UserContext
target.user.user_display_name
Provider: Microsoft-Windows-EnhancedStorage-EhStorTcgDrv
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 101
Provider: Application Management Group Policy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
security_result.description set to "ErrorCode - %{error_code}"
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Event ID 102
Provider: ESENT
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_UNSPECIFIED
If the required fields for the above metadata.event_type are not present, then metadata.event_type is set to STATUS_UPDATE.
Message
PID extracted from the message and mapped to the UDM field target.process.pid
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service"
ProcessID
Data/ProcessID
principal.process.pid
ErrorCode
Data/ErrorCode
security_result.summary
Format:
Error Code: %{value}
Provider: Microsoft-Windows-TaskScheduler
NXLog field
Event Viewer field
UDM field
metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED
target.resource.resource_type = TASK
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
AccountType
System/AccountType
principal.user.attribute.roles.description
TaskName
Data/TaskName
target.resource.name
InstanceId
Data/InstanceId
target.resource.product_object_id
Event ID 103
Provider: Application Management Group Policy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
security_result.description set to "ErrorCode - %{error_code}"
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Provider: ESENT
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_UNSPECIFIED
If the required fields for the above metadata.event_type are not present, then metadata.event_type is set to STATUS_UPDATE.
Message
System/Message
PID extracted from the message and mapped to the UDM field target.process.pid
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Reason
Data/Reason
security_result.description
Provider: ocz10xx
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Data
target.hostname
Event ID 104
Windows 10 client / Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_WIPE
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
Message
metadata.description
UserID
System/UserID
principal.user.windows_sid
Windows Server 2019 /
NXLog field
Event Viewer field
UDM field
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Provider: Microsoft-Windows-Forwarding
NXLog field
Event Viewer field
UDM field
metadata.event_type = USER_RESOURCE_ACCESS
UserID
System/UserID
principal.user.windows_sid
SubscriptionManagerAddress
Data/SubscriptionManagerAddress
target.url
Provider: WudfUsbccidDriver
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.name
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Event ID 105
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Channel
Data/Channel
security_result.description
BackupPath
Data/BackupPath
target.file.full_path
Provider: Microsoft-Windows-Kernel-Power
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
Provider: VMTools
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_START
SourceName
Not available
target.application
Provider: WudfUsbccidDriver
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 106
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 107
version 0 Windows 10 client / Provider: Microsoft-Windows-Kernel-Power
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service"
ErrorCode
Data/ErrorCode
security_result.summary
Format:
Error Code: %{value}
Provider: Microsoft-Windows-TaskScheduler
NXLog field
Event Viewer field
UDM field
metadata.event_type = SCHEDULED_TASK_ENABLE
target.resource.resource_type = TASK
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
TaskName
Data/TaskName
target.resource.name
InstanceId
Data/InstanceId
target.resource.product_object_id
Event ID 108
Provider: Application Management Group Policy
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
security_result.description set to "ErrorCode - %{error_code}"
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Provider: VMTools
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_STOP
SourceName
Not available
target.application
Event ID 109
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service"
ProcessID
Data/ProcessID
principal.process.pid
ErrorCode
Data/ErrorCode
security_result.summary
Format:
Error Code: %{value}
Provider: Microsoft-Windows-Kernel-Power
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_SHUTDOWN
ShutdownReason
Data/ShutdownReason
security_result.description
Event ID 110
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 111
version 0 / Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
version 0 / Provider: Microsoft-Windows-AppReadiness
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Result
Data/Result
security_result.summary
Event ID 112
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 115
Provider: Directory Synchronization
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
If the required fields for the above metadata.event_type are not present, then metadata.event_type is set to STATUS_UPDATE.
Data
security_result.summary
Event ID 129
Provider: Microsoft-Windows-TaskScheduler
NXLog field
Event Viewer field
UDM field
metadata.event_type = SCHEDULED_TASK_ENABLE
target.resource.resource_type = TASK
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
Priority
Data/Priority
security_result.priority_details
Path
Data/Path
target.process.file.full_path
ProcessID
Data/ProcessID
target.process.pid
TaskName
Data/TaskName
target.resource.name
Provider: Microsoft-Windows-Time-Service
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
ErrorMessage
Data/ErrorMessage
security_result.description
Event ID 130
Provider: Microsoft-Windows-Kernel-Power
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Provider: Microsoft-Windows-Time-Service
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
ErrorMessage
Data/ErrorMessage
security_result.description
DomainPeer
Data/DomainPeer
target.administrative_domain
Event ID 131
Provider: Microsoft-Windows-Kernel-Power
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Provider: Microsoft-Windows-Time-Service
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
ErrorMessage
Data/ErrorMessage
security_result.description
DomainPeer
Data/DomainPeer
target.administrative_domain
Event ID 132
Provider: Microsoft-Windows-WinRM
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
principal.administrative_domain
AccountName
principal.user.userid
AccountType
principal.user.attribute.roles.name
Event ID 134
Provider: Microsoft-Windows-Time-Service
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
ErrorMessage
Data/ErrorMessage
security_result.description
DomainPeer
Data/DomainPeer
target.administrative_domain
Event ID 137
Provider: Microsoft-Windows-Kernel-Power
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Provider: Ntfs
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 138
Provider: Microsoft-Windows-Time-Service
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
DomainPeer
Data/DomainPeer
target.administrative_domain
Event ID 139
Provider: Microsoft-Windows-Time-Service
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Event ID 140
Provider: Microsoft-Windows-Ntfs
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
DeviceName
principal.hostname
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Provider: Microsoft-Windows-TaskScheduler
NXLog field
Event Viewer field
UDM field
metadata.event_type = SCHEDULED_TASK_MODIFICATION
target.resource.resource_type = TASK
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
TaskName
Data/TaskName
target.resource.name
UserName
Data/UserName
target.user.user_display_name
Event ID 142
Provider: Microsoft-Windows-Time-Service
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Message
set to security_result.summary
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Provider: Microsoft-Windows-WinRM
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
errorCode
security_result.summary
Domain
principal.administrative_domain
AccountName
principal.user.userid
AccountType
principal.user.attribute.roles.name
Event ID 143
Provider: Microsoft-Windows-Time-Service
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Event ID 145
Provider: Microsoft-Windows-WinRM
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
resourceUrl
target.url
AccountName
principal.user.userid
AccountType
principal.user.attribute.roles.name
Domain
principal.administrative_domain
Event ID 146
Provider: Microsoft-Windows-Time-Service
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Message
set to security_result.summary
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Event ID 153
Provider: Disk
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Message
set to security_result.summary
Provider: Microsoft-Windows-Kernel-Boot
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above metadata.event_type are not present, then metadata.event_type is set to STATUS_UPDATE.
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
AccountType
principal.user.attribute.roles.name
Event ID 156
version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 157
Provider: disk
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Message
set to security_result.summary
Event ID 158
Provider: Disk
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Message
set to security_result.summary
target_url set to target.url
Provider: Microsoft-Windows-Time-Service
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
TimeProvider
target.resource.name
Event ID 159
version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Event ID 160
version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Event ID 161
version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Event ID 163
version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Event ID 164
version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Event ID 165
version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 167
Provider: Microsoft-Windows-Hyper-V-Hypervisor
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 169
Provider: Microsoft-Windows-Hyper-V-Hypervisor
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Status
Data/Status
security_result.summary
Event ID 170
Provider: Microsoft-Windows-Hyper-V-Hypervisor
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 171
version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Version
Data/Version
principal.asset.software.version
Event ID 172
Provider: Microsoft-Windows-Kernel-Power
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Reason
Data/Reason
security_result.description
AccountType
principal.user.attribute.roles.name
Event ID 173
Provider: Microsoft-Windows-Hyper-V-Hypervisor
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Event ID 181
version 0 / Provider: Microsoft-Windows-Kernel-Boot
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Status
Data/Status
security_result.summary
Event ID 185
version 0 / Provider: Microsoft-Windows-Kernel-Boot
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Status
Data/Status
security_result.summary
Event ID 187
Provider: Microsoft-Windows-Kernel-Power
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
ApiCallerName
principal.process.file.full_path
Event ID 195
Provider: Microsoft-Windows-USB-USBHUB3
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 196
Provider: Microsoft-Windows-USB-USBHUB3
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 200
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Provider: Microsoft-Windows-TaskScheduler
NXLog field
Event Viewer field
UDM field
metadata.event_type = SCHEDULED_TASK_ENABLE
target.resource.resource_type = TASK
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
TaskName
Data/TaskName
target.resource.name
TaskInstanceId
Data/TaskInstanceId
target.resource.product_object_id
Event ID 201
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Provider: Microsoft-Windows-TaskScheduler
NXLog field
Event Viewer field
UDM field
metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED
target.resource.resource_type = TASK
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
TaskName
Data/TaskName
target.resource.name
TaskInstanceId
Data/TaskInstanceId
target.resource.product_object_id
Event ID 202
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 203
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 204
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Provider: Microsoft-Windows-Security-Kerberos
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Event ID 205
version 0 / Windows Server 2019 / Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
version 1 / Windows 10 client /
NXLog field
Event Viewer field
UDM field
SubjectDomainName
Data/SubjectDomainName
principal.administrative_domain
SubjectUserName
Data/SubjectUserName
principal.user.userid
SubjectUserSid
Data/SubjectUserSid
principal.user.windows_sid
DomainName
Data/DomainName
target.administrative_domain
version 2 / Windows 10 client /
NXLog field
Event Viewer field
UDM field
SubjectDomainName
Data/SubjectDomainName
principal.administrative_domain
SubjectUserName
Data/SubjectUserName
principal.user.userid
SubjectUserSid
Data/SubjectUserSid
principal.user.windows_sid
DomainName
Data/DomainName
target.administrative_domain
Event ID 216
version 1 / Provider: Microsoft-Windows-WindowsUpdateClient
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 219
Provider: Microsoft-Windows-Kernel-PnP
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.name
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
DriverName
target.hostname
FailureName
target.resource.name
Event ID 218
version 0 / Provider: Microsoft-Windows-WindowsUpdateClient
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 221
version 0 / Provider: Microsoft-Windows-Kernel-Boot
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 225
Provider: Microsoft-Windows-Kernel-PnP
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.name
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
DeviceInstance
target.hostname
ProcessName
target.process.file.full_path
version 0 / Provider: Microsoft-Windows-Kernel-Boot
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 233
Provider: Microsoft-Windows-Hyper-V-VmSwitch
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
Event ID 231
version 0 / Provider: Microsoft-Windows-Kernel-Boot
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Code
Data/Code
security_result.summary
set to "Code - %{Code}"
Event ID 234
Provider: Microsoft-Windows-Hyper-V-VmSwitch
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
Event ID 238
Provider: Microsoft-Windows-Kernel-Boot
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
System/Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
version 0 / Provider: Microsoft-Windows-Kernel-Boot
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
version 1 / Provider: Microsoft-Windows-Kernel-Boot
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Event ID 258
Provider: VMUpgradeHelper
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
SourceName
Not available
target.application
Event ID 260
Provider: VMUpgradeHelper
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
SourceName
Not available
target.application
Event ID 263
version 0 / Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Event ID 271
Provider: VMUpgradeHelper
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
SourceName
Not available
target.application
Event ID 272
Provider: VMUpgradeHelper
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
SourceName
Not available
target.application
Event ID 299
Provider: AD FS Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Event ID 300
Provider: ESENT
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_UNSPECIFIED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Extract PID and map it to target.process.pid
Event ID 301
Provider: ESENT
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_UNSPECIFIED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Extract PID and map it to target.process.pid
Event ID 302
Provider: ESENT
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_UNSPECIFIED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Extract PID and map it to target.process.pid
Event ID 304
version 0 / Provider: Microsoft-Windows-Ntfs
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Status
Data/Status
security_result.summary
Event ID 313
version 0 / Provider: Microsoft-Windows-Bits-Client
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
ErrorCode
Data/ErrorCode
security_result.summary
is set to "ErrorCode: %{ErrorCode}"
Event ID 325
Provider: ESENT
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_UNSPECIFIED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Extract PID and map it to target.process.pid
Provider: Microsoft-Windows-TaskScheduler
NXLog field
Event Viewer field
UDM field
metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED
target.resource.resource_type = TASK
TaskName
target.resource.name
QueuedTaskInstanceId
target.resource.product_object_id
Domain
principal.administrative_domain
AccountName
principal.user.attribute.roles.name
UserID
principal.user.windows_sid
AccountType
principal.user.roles.description
Event ID 326
Provider: ESENT
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_UNSPECIFIED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Extract PID and map it to target.process.pid
Event ID 400
Provider: PowerShell
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Data_2
Extract HostName from Data_2
HostName is set to target.hostname
version 1 / Provider: PowerShell
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
NewEngineState
additional.fields.key
additional.fields.value.string_value
PreviousEngineState
additional.fields.key
additional.fields.value.string_value
HostName
additional.fields.key
additional.fields.value.string_value
HostVersion
additional.fields.key
additional.fields.value.string_value
HostId
additional.fields.key
additional.fields.value.string_value
HostApplication
principal.process.command_line
EngineVersion
additional.fields.key
additional.fields.value.string_value
RunspaceId
additional.fields.key
additional.fields.value.string_value
PipelineId
additional.fields.key
additional.fields.value.string_value
CommandName
additional.fields.key
additional.fields.value.string_value
CommandType
additional.fields.key
additional.fields.value.string_value
ScriptName
target.file.name
CommandPath
target.process.file.full_path
NewEngineState
target.process.command_line
Event ID 403
Provider: AD FS Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Data_9
network.http.user_agent
Domain
System/Domain
principal.administrative_domain
Data_8
principal.ip
Data_7
principal.port
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Data_3
target.ip
Data_5
target.url
Event ID 404
Provider: AD FS Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Data_3
security_description set to %{Data_3}: %{Data_4}
Data_4
security_description set to %{Data_3}: %{Data_4}
Event ID 405
Provider: ADSync
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Data
principal.administrative_domain
Data_1
principal.user.userid
Event ID 410
Provider: AD FS Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Data_4
network.http.user_agent
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Data_10
target.ip
Data_8
target.url
Event ID 412
Provider: AD FS Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Event ID 424
Provider: AD FS Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
client_certificate_serial set to network.tls.client.certificate.serial
client_certificate_subject set to network.tls.client.certificate.subject
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Event ID 500
Provider: AD FS Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Event ID 501
Provider: AD FS Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Event ID 506
Provider: Microsoft-Windows-Kernel-Power
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
security_result.description
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
Event ID 507
Provider: Microsoft-Windows-Kernel-Power
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
reason_description set to security_result.description
Domain
System/Domain
principal.administrative_domain
Reason
security_result.description
AccountName
System/AccountName
principal.user.userid
version 10 / Provider: Microsoft-Windows-Kernel-Power
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Reason
Data/Reason
security_result.description
Event ID 508
Provider: ESENT
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_UNSPECIFIED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Extract PID and map it to target.process.pid
Event ID 510
Provider: AD FS Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Data_1
Data_1.Host set to target.hostname
Data_1.User-Agent set to network.http.user_agent
Data_1.X-MS-Endpoint-Absolute-Path set to target.url
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Event ID 517
Provider: Microsoft-Windows-DFSN-Server
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
UserID
principal.user.windows_sid
DfsNamespace
target.resource.name
Event ID 521
Provider: Security
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Event ID 529
Provider: Security
NXLog field
Event Viewer field
UDM field
metadata.event_type = USER_LOGIN
security_result.action = BLOCK
security_result.category = AUTH_VIOLATION
LogonType
Not available
extensions.auth.mechanism
Message
Not available
username set to target.user.userid
domain set to target.administrative_domain
target_workstation set to target.hostname
Event ID 566
Provider: Microsoft-Windows-Kernel-Power
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Reason
Data/Reason
security_result.description
Event ID 600
Provider: PowerShell
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Category
metadata.description
SourceName
principal.application
HostApplication
target.file.full_path
ProviderName
target.resource.name
Event ID 601
Provider: Directory Synchronization
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
metadata.description = Attempt to install a service
SubjectUserName
principal.user.userid
Summary
security_result.summary
ServiceName
target.process.command_line
ServiceFileName
target.process.file.full_path
Event ID 642
Provider: ESENT
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_UNSPECIFIED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Extract PID and map it to target.process.pid
Event ID 653
Provider: Directory Synchronization
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Data
security_result.summary
Event ID 654
Provider: Directory Synchronization
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Data
security_result.summary
Event ID 663
Provider: Directory Synchronization
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Data
security_result.summary
Event ID 700
Provider: NTDS ISAM
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
MessageSourceAddress
principal.ip
Event ID 701
Provider: NTDS ISAM
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
MessageSourceAddress
principal.ip
Event ID 719
Provider: Microsoft-Windows-TaskScheduler
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
Category
Data/Category
security_result.category_details
Event ID 781
Provider: Microsoft-Windows-Complus
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
param1
Data/param1
additional.fields.key
additional.fields.value.string_value
param2
Data/param2
additional.fields.key
additional.fields.value.string_value
param3
Data/param3
target.registry.registry_key
Event ID 800
Provider: PowerShell
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
metadata.description set to "Pipeline execution"
security_result.summary
set to "Pipeline execution details for command line"
SourceName
principal.application
UserId
principal.user.userid
HostApplication
principal.process.command_line
DetailSequence
additional.fields.key
additional.fields.value.string_value
DetailTotal
additional.fields.key
additional.fields.value.string_value
SequenceNumber
additional.fields.key
additional.fields.value.string_value
HostName
additional.fields.key
additional.fields.value.string_value
HostVersion
additional.fields.key
additional.fields.value.string_value
HostId
additional.fields.key
additional.fields.value.string_value
EngineVersion
additional.fields.key
additional.fields.value.string_value
RunspaceId
additional.fields.key
additional.fields.value.string_value
PipelineId
additional.fields.key
additional.fields.value.string_value
ScriptName
target.file.full_path
CommandLine
target.process.command_line
Details
additional.fields.key
additional.fields.value.string_value
Event ID 888
Provider: top_5
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 900
Provider: Microsoft-Windows-Security-SPP
NXLog field
Event Viewer field
UDM field
Not available
metadata.event_type = SERVICE_START
target.application = "Software Protection"
Event ID 902
Provider: Microsoft-Windows-Security-SPP
NXLog field
Event Viewer field
UDM field
Not available
metadata.event_type = SERVICE_START
target.application = "Software Protection"
Event ID 903
Provider: Microsoft-Windows-Security-SPP
NXLog field
Event Viewer field
UDM field
Not available
metadata.event_type = SERVICE_STOP
target.application = "Software Protection"
Event ID 904
Provider: Directory Synchronization
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Data
security_result.summary
Event ID 1000
Provider: Microsoft-Windows-SCPNP
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
ReaderName
Data/ReaderName
target.resource.name
ErrorCode
Data/ErrorCode
security_result.summary
is set to "ErrorCode: %{ErrorCode}"
Provider: Microsoft-Windows-LoadPerf
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
AccountName
principal.user.attribute.roles.name
AccountType
principal.user.attribute.roles.description
UserID
principal.user.windows_sid
Event ID 1001
Provider: Microsoft Antimalware
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
target_resource_product_object_id set to target.resource.product_object_id
Provider: Microsoft-Windows-WER-SystemErrorReporting
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
param2
target.file.full_path
Provider: SNMP
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Message
set to security_result.summary
Provider: Windows Error Reporting
NXLog field
Event Viewer field
UDM field
Not available
metadata.event_type = STATUS_UPDATE
Provider: Microsoft-Windows-LoadPerf
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
AccountName
principal.user.attribute.roles.name
AccountType
principal.user.attribute.roles.description
UserID
principal.user.windows_sid
Event ID 1003
Provider: Microsoft-Windows-Search
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_START
Category
Data/Category
target.application
Provider: Microsoft-Windows-Security-SPP
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 1004
Provider: IPMIDRV
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Data
target.hostname
Provider: Microsoft-Windows-Search
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_MODIFICATION
Reason
Data/Reason
security_result.description
Category
Data/Category
target.application
Provider: SNMP
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Provider: TdIca
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
target_ip set to target.ip
target_port set to target.port
Event ID 1005
Provider: Microsoft-Windows-Search
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_MODIFICATION
Category
Data/Category
target.application
Event ID 1007
Provider: TdIca
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
target_ip set to target.ip
target_port set to target.port
Event ID 1008
Provider: Microsoft-Windows-Perflib
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
EventXML.param1
target.application
EventXML.param2
target.file.full_path
Provider: Microsoft-Windows-Search
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_START
Reason
Data/Reason
security_result.description
Category
Data/Category
target.application
Event ID 1010
Provider: Microsoft-Windows-Search
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_MODIFICATION
Category
Data/Category
target.application
Event ID 1013
Provider: Microsoft-Windows-Search
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_STOP
Category
Data/Category
target.application
Event ID 1014
Provider: Microsoft-Windows-DNS-Client
NXLog field
Event Viewer field
UDM field
metadata.event_type = NETWORK_DNS
network.ip_protocol is set to "DNS"
QueryName
network.dns.questions.name
Event ID 1016
Provider: Microsoft-Windows-Security-SPP
NXLog field
Event Viewer field
UDM field
Not available
metadata.event_type = STATUS_UPDATE
Event ID 1023
Provider: Microsoft-Windows-Perflib
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Library
Data/Library
target.file.full_path
Event ID 1025
Provider: Microsoft-Windows-TPM-WMI
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 1026
Provider: Microsoft-Windows-TPM-WMI
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
ErrorCode
Data/ErrorCode
security_result.summary
is set to "ErrorCode: %{ErrorCode}"
Event ID 1027
Provider: Microsoft-Windows-TPM-WMI
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 1030
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
ErrorDescription
security_result.description
ErrorCode
security_result.summary
set to "ErrorCode - %{ErrorCode}"
DCName
target.administrative_domain
Provider: Microsoft-Windows-Kernel-PnP
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Device
Data/Device
target.hostname
Event ID 1031
Provider: Microsoft-Windows-Kernel-PnP
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Device
Data/Device
target.hostname
Event ID 1033
Provider: MsiInstaller
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Extract product_name and map to target.application
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
AccountType
principal.user.attribute.roles.name
Event ID 1034
Provider: Microsoft-Windows-Security-SPP
NXLog field
Event Viewer field
UDM field
Not available
metadata.event_type = STATUS_UPDATE
Event ID 1037
Provider: Microsoft-Windows-Security-SPP
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 1040
Provider: MsiInstaller
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Extract process_id and map it to target.process.pid
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
AccountType
principal.user.attribute.roles.name
Event ID 1042
Provider: MsiInstaller
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Extract process_id and map it to target.process.pid
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
AccountType
principal.user.attribute.roles.name
Event ID 1053
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
ErrorDescription
Data/ErrorDescription
security_result.description
Event ID 1054
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
ErrorDescription
Data/ErrorDescription
security_result.description
Event ID 1055
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
ErrorDescription
Data/ErrorDescription
security_result.description
ErrorCode
Data/ErrorCode
security_result.summary
set to "ErrorCode - %{ErrorCode}"
Event ID 1056
Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
server_certificate_subject set to network.tls.server.certificate.subject
Event ID 1057
Provider: Microsoft-Windows-FailoverClustering
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
target.resource.resource_type = DATABASE
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Event ID 1058
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
ErrorDescription
Data/ErrorDescription
security_result.description
DCName
Data/DCName
target.administrative_domain
FilePath
Data/FilePath
target.file.full_path
Event ID 1064
Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
security_result.summary
Event ID 1066
Provider: Microsoft-Windows-Security-SPP
NXLog field
Event Viewer field
UDM field
Not available
metadata.event_type = STATUS_UPDATE
Event ID 1067
Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 1068
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
DCName
EventData.DCName
target.administrative_domain
SupportInfo1
additional.fields.key
additional.fields.value.string_value
SupportInfo2
additional.fields.key
additional.fields.value.string_value
ProcessingMode
additional.fields.key
additional.fields.value.string_value
ProcessingTimeInMilliseconds
additional.fields.key
additional.fields.value.string_value
Event ID 1069
Provider: Microsoft-Windows-FailoverClustering
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
ResourceGroup
target.group.group_display_name
ResourceName
target.resource.name
Event ID 1073
Provider: User32
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_SHUTDOWN
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.name
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
param1
Data/param1
target.hostname
param2
Data/param2
target.user.userid
Event ID 1074
Provider: User32
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_SHUTDOWN
Provider: USER32
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_SHUTDOWN
target_process_file_full_path set to target.process.file.full_path
target_hostname set to target.hostname
Provider: User32
NXLog field
Event Viewer field
UDM field
Domain
principal.administrative_domain
Provider: USER32
NXLog field
Event Viewer field
UDM field
Domain
System/Domain
principal.administrative_domain
Provider: User32
NXLog field
Event Viewer field
UDM field
param2
Data/param2
principal.hostname
param4
Data/param4
additional.fields.key
additional.fields.value.string_value
param5
Data/param5
additional.fields.key
additional.fields.value.string_value
param1
Data/param1
principal.process.file.full_path
AccountName
principal.user.attribute.roles.name
AccountType
principal.user.attribute.roles.name
Provider: USER32
NXLog field
Event Viewer field
UDM field
AccountName
System/AccountName
principal.user.userid
Provider: User32
NXLog field
Event Viewer field
UDM field
UserID
principal.user.windows_sid
param3
Data/param3
security_result.description
param7
Data/param7
target.user.userid
Event ID 1076
Provider: User32
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Event ID 1085
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
ErrorDescription
Data/ErrorDescription
security_result.description
ErrorCode
Data/ErrorCode
security_result.summary
Format:
ErrorCode - %{value}
DCName
Data/DCName
target.administrative_domain
Event ID 1096
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
ErrorCode
security_result.summary
Format:
ErrorCode - %{ErrorCode}
ErrorDescription
security_result.description
SupportInfo1
additional.fields.key
additional.fields.value.string_value
SupportInfo2
additional.fields.key
additional.fields.value.string_value
ProcessingMode
additional.fields.key
additional.fields.value.string_value
ProcessingTimeInMilliseconds
additional.fields.key
additional.fields.value.string_value
DCName
target.administrative_domain
FilePath
principal.process.file.full_path
Event ID 1100
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_STOP
target.application = "Event Logging Service"
Message
security_result.description
Event ID 1101
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 1102
Provider: AD FS Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
target_ip set to target.ip
target_url set to target.url
client_certificate_serial set to network.tls.client.certificate.serial
client_certificate_subject set to network.tls.client.certificate.subject
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Provider: DFS Replication
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_WIPE
SubjectDomainName
principal.administrative_domain
SubjectUserName
principal.user.userid
SubjectUserSid
principal.user.windows_sid
Event ID 1103
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 1104
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 1105
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
AutoBackup.BackupPath
Data/BackupPath
target.file.full_path
Event ID 1106
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Reason
Data/Reason
security_result.description
Event ID 1107
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service"
ProcessID
Data/ProcessID
principal.process.pid
ErrorCode
Data/ErrorCode
security_result.summary
Format:
Error Code: %{value}
Event ID 1108
Provider: Microsoft-Windows-Eventlog
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 1112
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
ErrorDescription
security_result.description
ErrorCode
security_result.summary
Format:
ErrorCode - %{ErrorCode}
DCName
target.administrative_domain
ExtensionName
target.resource.name
ExtensionId
target.resource.product_object_id
Event ID 1126
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Data_1
security_result.summary
set to "Error: %{Data_1} - %{Data_2}"
Data_2
security_result.summary
set to "Error: %{Data_1} - %{Data_2}"
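The mappings above for Event ID 1102 (Microsoft-Windows-Eventlog, an audit log wipe) and Event ID 1126 (Microsoft-Windows-ActiveDirectory_DomainService, with its STATUS_UPDATE fallback and the "Error: %{Data_1} - %{Data_2}" summary format) are worked through below in an added example; this is illustrative code written for this page, not the Google Security Operations parser or any NXLog component. The sample events are constructed, and which fields count as "required" for SYSTEM_AUDIT_LOG_UNCATEGORIZED (a principal domain or user id) is an assumption, as is the GENERIC_EVENT default for events the example does not cover.

```python
import re
from typing import Optional

# Placeholder syntax used throughout the mapping tables, e.g. "Error: %{Data_1} - %{Data_2}".
_PLACEHOLDER = re.compile(r"%\{([^}]+)\}")

# Constructed sample events shaped like NXLog JSON output; every value is made up.
SAMPLE_EVENTS = [
    {   # Audit log cleared (Event ID 1102, Microsoft-Windows-Eventlog)
        "EventID": 1102, "SourceName": "Microsoft-Windows-Eventlog",
        "SubjectDomainName": "EXAMPLE", "SubjectUserName": "jdoe",
        "SubjectUserSid": "S-1-5-21-1111-2222-3333-1001",
    },
    {   # AD DS event with the account fields present (Event ID 1126)
        "EventID": 1126, "SourceName": "Microsoft-Windows-ActiveDirectory_DomainService",
        "Domain": "EXAMPLE", "AccountType": "User", "AccountName": "svc-ad",
        "UserID": "S-1-5-21-1111-2222-3333-1002",
        "Data_1": "1355", "Data_2": "The specified domain either does not exist",
    },
    {   # Same provider and ID, but the account fields are missing: the fallback applies
        "EventID": 1126, "SourceName": "Microsoft-Windows-ActiveDirectory_DomainService",
        "Data_1": "8524", "Data_2": "The DSA operation is unable to proceed",
    },
]

# Plain field copies taken from the tables in this section (raw field -> UDM path).
EVENTLOG_1102_FIELDS = {
    "SubjectDomainName": "principal.administrative_domain",
    "SubjectUserName": "principal.user.userid",
    "SubjectUserSid": "principal.user.windows_sid",
}
ADDS_FIELDS = {
    "Domain": "principal.administrative_domain",
    "AccountType": "principal.user.attribute.roles.name",
    "AccountName": "principal.user.userid",
    "UserID": "principal.user.windows_sid",
}


def render_format(template: str, event: dict) -> Optional[str]:
    """Expand %{field} placeholders from the raw event.

    Returns None when any referenced field is absent, so a half-empty
    summary such as "Error:  - " is never emitted.
    """
    names = _PLACEHOLDER.findall(template)
    if any(event.get(n) in (None, "") for n in names):
        return None
    return _PLACEHOLDER.sub(lambda m: str(event[m.group(1)]), template)


def _put(udm: dict, dotted: str, value) -> None:
    """Set a dotted UDM path such as principal.user.windows_sid, skipping empty values."""
    if value in (None, ""):
        return
    node = udm
    parts = dotted.split(".")
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def normalize(event: dict) -> dict:
    """Map one raw event to a UDM-shaped dict for the two event IDs covered here."""
    udm: dict = {}
    key = (event.get("SourceName"), event.get("EventID"))

    if key == ("Microsoft-Windows-Eventlog", 1102):
        # The table maps a cleared audit log to SYSTEM_AUDIT_LOG_WIPE.
        _put(udm, "metadata.event_type", "SYSTEM_AUDIT_LOG_WIPE")
        for raw, path in EVENTLOG_1102_FIELDS.items():
            _put(udm, path, event.get(raw))

    elif key == ("Microsoft-Windows-ActiveDirectory_DomainService", 1126):
        for raw, path in ADDS_FIELDS.items():
            _put(udm, path, event.get(raw))
        # Fallback rule from the table: SYSTEM_AUDIT_LOG_UNCATEGORIZED only when its
        # required fields are present, otherwise STATUS_UPDATE. Treating a principal
        # domain or user id as the required fields is an assumption of this example.
        principal = udm.get("principal", {})
        has_principal = bool(principal.get("administrative_domain")
                             or principal.get("user", {}).get("userid"))
        _put(udm, "metadata.event_type",
             "SYSTEM_AUDIT_LOG_UNCATEGORIZED" if has_principal else "STATUS_UPDATE")
        _put(udm, "security_result.summary",
             render_format("Error: %{Data_1} - %{Data_2}", event))

    else:
        # Not covered by this example; assumed default for anything else.
        _put(udm, "metadata.event_type", "GENERIC_EVENT")
    return udm


def normalize_all(events=SAMPLE_EVENTS) -> list:
    """Normalize a batch of raw events in order."""
    return [normalize(e) for e in events]


if __name__ == "__main__":
    for udm in normalize_all():
        print(udm)
```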
Event ID 1127
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
ErrorCode
security_result.summary
Format:
ErrorCode - %{ErrorCode}
ErrorDescription
security_result.description
DCName
target.administrative_domain
SupportInfo1
additional.fields.key
additional.fields.value.string_value
SupportInfo2
additional.fields.key
additional.fields.value.string_value
ProcessingMode
additional.fields.key
additional.fields.value.string_value
ProcessingTimeInMilliseconds
additional.fields.key
additional.fields.value.string_value
Event ID 1128
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
ExtensionName
target.resource.name
ExtensionId
target.resource.product_object_id
Event ID 1129
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
ErrorDescription
Data/ErrorDescription
security_result.description
Event ID 1130
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
ErrorCode
Data/ErrorCode
security_result.summary
Format:
ErrorCode - %{value}
ErrorDescription
Data/ErrorDescription
security_result.description
GPOFileSystemPath
Data/GPOFileSystemPath
target.file.full_path
Event ID 1134
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Event ID 1150
Provider: Microsoft Antimalware
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
platform_version set to principal.asset.platform_software.platform_version
Event ID 1162
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Event ID 1173
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Event ID 1196
Provider: Microsoft-Windows-FailoverClustering
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.name
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
StatusString
security_result.summary
ResourceName
target.resource.name
Event ID 1200
Provider: AD FS Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = USER_LOGIN
Message
metadata.description
UserID
target.user.windows_sid
Event ID 1201
Provider: AD FS Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = USER_LOGIN
Message
metadata.description
UserID
target.user.windows_sid
Event ID 1202
Provider: SceCli
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Message
security_result.summary
Format:
summary is set to 0x%{error_code} - %{error_message}
Provider: AD FS Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = USER_LOGIN
Message
metadata.description
"SERVICE"
extensions.auth.mechanism
"SSO"
extensions.auth.type
UserID
target.user.windows_sid
Event ID 1203
Provider: AD FS Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = USER_LOGIN
Message
metadata.description
"SERVICE"
extensions.auth.mechanism
"SSO"
extensions.auth.type
UserID
target.user.windows_sid
Event ID 1204
Provider: AD FS Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = USER_CHANGE_PASSWORD
Message
metadata.description
Event ID 1205
Provider: Microsoft-Windows-FailoverClustering
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
ResourceGroup
target.group.group_display_name
Provider: AD FS Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = USER_CHANGE_PASSWORD
Message
metadata.description
Event ID 1206
Provider: AD FS Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = USER_LOGOUT
Message
metadata.description
UserID
target.user.windows_sid
Event ID 1207
Provider: AD FS Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = USER_LOGOUT
Message
metadata.description
UserID
target.user.windows_sid
Event ID 1213
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Event ID 1216
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Data_3
security_result.description
Data
security_result.summary
Format:
"Error Code - %{Data}"
Event ID 1226
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Event ID 1254
Provider: Microsoft-Windows-FailoverClustering
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
ResourceGroup
target.group.group_display_name
Event ID 1257
Provider: Microsoft-Windows-FailoverClustering
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
DNSZone
about.labels.key/value
additional.fields.key
additional.fields.value.string_value
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
ResourceGroup
target.group.group_display_name
Event ID 1282
Provider: Microsoft-Windows-TPM-WMI
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Event ID 1307
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Event ID 1311
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Event ID 1317
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Event ID 1500
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
DCName
Data/DCName
target.administrative_domain
Event ID 1501
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
Event ID 1502
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
DCName
Data/DCName
target.administrative_domain
Event ID 1503
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
DCName
Data/DCName
target.administrative_domain
Event ID 1531
Provider: Microsoft-Windows-User Profiles Service
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_START
Domain
Not available
principal.administrative_domain
AccountName
Not available
principal.user.userid
UserID
Not available
principal.user.windows_sid
SourceName
Not available
target.application
Event ID 1532
Provider: Microsoft-Windows-User Profiles Service
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_STOP
Domain
Not available
principal.administrative_domain
AccountName
Not available
principal.user.userid
UserID
Not available
principal.user.windows_sid
SourceName
Not available
target.application
Event ID 1535
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Data
security_result.description
Event ID 1564
Provider: Microsoft-Windows-FailoverClustering
NXLog field
Event Viewer field
UDM field
metadata.event_type = RESOURCE_READ
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
ShareName
target.resource.name
Event ID 1566
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Event ID 1573
Provider: Microsoft-Windows-FailoverClustering
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Event ID 1593
Provider: Microsoft-Windows-FailoverClustering
NXLog field
Event Viewer field
UDM field
metadata.event_type = RESOURCE_READ
target.resource.resource_type = DATABASE
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
DatabaseFilePath
target.file.full_path
Event ID 1643
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Event ID 1644
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Event ID 1645
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Event ID 1653
Provider: Microsoft-Windows-FailoverClustering
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Event ID 1699
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Data_4
security_result.summary
set to "Error Code - %{Data_4}"
Event ID 1704
Provider: SceCli
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
ProcessId
principal.process.pid
Message
security_result.summary
Event ID 1865
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Event ID 1925
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Event ID 1955
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Event ID 2000
Provider: Microsoft Antimalware
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
current_signature_version set to target.resource.attribute.labels.key/value
previous_signature_version set to target.resource.attribute.labels.key/value
Event ID 2001
Provider: Microsoft Antimalware
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Data_14
security_result.summary
Data_17
target.url
Provider: NTDS ISAM
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
MessageSourceAddress
principal.ip
Event ID 2004
Provider: Microsoft-Windows-Resource-Exhaustion-Detector
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.name
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Event ID 2041
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Event ID 2042
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Event ID 2053
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Event ID 2065
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Event ID 2085
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
MessageSourceAddress
principal.ip
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Event ID 2089
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Event ID 2108
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Data_3
security_result.summary
set to "Error: %{Data_4} - %{Data_3}"
Data_4
security_result.summary
set to "Error: %{Data_4} - %{Data_3}"
Event ID 2811
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Event ID 2887
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Event ID 2889
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Message
principal_ip is set to principal.ip
principal_port is set to principal.port
principal_user_id is set to principal.user.userid
Event ID 2896
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Data_1
security_result.summary
set to "Error: %{Data_1} - %{Data_2}"
Data_2
security_result.summary
set to "Error: %{Data_1} - %{Data_2}"
Event ID 2904
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Event ID 2946
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Event ID 2947
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
Data_2
principal.ip
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Data_3
security_result.summary
set to "Error: %{Data_3}"
Event ID 2974
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Data_2
security_result.summary
set to "Error Code - %{Data_2}"
Event ID 3005
Provider: LogRhythm Agent
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Message
security_result.description
Event ID 3006
Provider: LogRhythm Agent
NXLog field
Event Viewer field
UDM field
metadata.event_type = NETWORK_UNCATEGORIZED
Message
Message is set to security_result.description
ip is set to target.ip
port is set to target.port
Event ID 3040
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Event ID 3041
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.name
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Event ID 3072
Provider: Foundation Agents
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 3096
Provider: NETLOGON
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Message
set to security_result.summary
Event ID 3260
Provider: Workstation
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 3261
Provider: Workstation
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 4000
version 0 Windows 10 client / Provider: Microsoft-Windows-Diagnostics-Networking
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Provider: Microsoft-Windows-WLAN-AutoConfig
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Event ID 4001
Provider: Microsoft-Windows-WLAN-AutoConfig
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Event ID 4003
Provider: Microsoft-Windows-WLAN-AutoConfig
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.name
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
ErrorCode
Data/ErrorCode
security_result.summary
Format: %{ErrorCode}-%{ErrorMsg}
Event ID 4005
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.name
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
ReasonForSyncProcessing
Data/ReasonForSyncProcessing
security_result.summary
PrincipalSamName
Data/PrincipalSamName
target.hostname
PolicyActivityId
Data/PolicyActivityId
target.resource.product_object_id
Event ID 4006
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
PrincipalSamName
Data/PrincipalSamName
target.hostname
PolicyActivityId
Data/PolicyActivityId
target.resource.product_object_id
Event ID 4016
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
DescriptionString
Data/DescriptionString
security_result.description
CSEExtensionName
Data/CSEExtensionName
target.resource.name
CSEExtensionId
Data/CSEExtensionId
target.resource.product_object_id
Event ID 4017
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
OperationDescription
Data/OperationDescription
security_result.description
Event ID 4096
Provider: NetJoin
NXLog field
Event Viewer field
UDM field
metadata.event_type = NETWORK_CONNECTION
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
DomainName
Data/DomainName
target.administrative_domain
ComputerName
Data/ComputerName
target.hostname
Event ID 4097
Provider: Microsoft-Windows-CAPI2
NXLog field
Event Viewer field
UDM field
Not available
metadata.event_type = STATUS_UPDATE
Provider: NetJoin
NXLog field
Event Viewer field
UDM field
metadata.event_type = NETWORK_CONNECTION
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
NetStatusCode
Data/NetStatusCode
security_result.description
DomainName
Data/DomainName
target.administrative_domain
ComputerName
Data/ComputerName
target.hostname
Event ID 4100
Provider: Microsoft-Windows-Diagnostics-Networking
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Provider: Microsoft-Windows-PowerShell
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 4101
Provider: Display
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Event ID 4103
version 1 / Provider: Microsoft-Windows-PowerShell
NXLog field
Event Viewer field
UDM field
metadata.event_type = PROCESS_LAUNCH
Domain
principal.administrative_domain
AccountType
principal.user.attribute.roles.description
AccountName
principal.user.userid
UserID
principal.user.windows_sid
Category
security_result.summary
CommandName
additional.fields.key
additional.fields.value.string_value
ScriptName
target.file.full_path
HostApplication
target.process.command_line
HostName
additional.fields.key
additional.fields.value.string_value
HostVersion
additional.fields.key
additional.fields.value.string_value
HostId
additional.fields.key
additional.fields.value.string_value
EngineVersion
additional.fields.key
additional.fields.value.string_value
RunspaceId
additional.fields.key
additional.fields.value.string_value
CommandType
additional.fields.key
additional.fields.value.string_value
PipelineID
additional.fields.key
additional.fields.value.string_value
Payload
additional.fields.key
additional.fields.value.string_value
Event ID 4104
Provider: Microsoft-Windows-PowerShell
NXLog field
Event Viewer field
UDM field
metadata.event_type = PROCESS_LAUNCH
metadata.description = Script block logging
Domain
principal.administrative_domain
MessageNumber
additional.fields.key
additional.fields.value.string_value
MessageTotal
additional.fields.key
additional.fields.value.string_value
ScriptBlockText
Data/ScriptBlockText
target.process.command_line
ScriptBlockId
principal.resource.product_object_id
UserID
principal.user.windows_sid
Category
security_result.summary
Message
security_result.description
SourceName
target.application
ScriptBlockId
principal.resource.product_object_id
Event ID 4108
Provider: Microsoft-Windows-CAPI2
NXLog field
Event Viewer field
UDM field
Not available
metadata.event_type = STATUS_UPDATE
Extract information from the Message field and map it to network.tls.client.certificate
Event ID 4109
Provider: Microsoft-Windows-CAPI2
NXLog field
Event Viewer field
UDM field
Not available
metadata.event_type = STATUS_UPDATE
Extract information from the Message field and map it to network.tls.client.certificate
Event ID 4111
Provider: Microsoft-Windows-MSDTC
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_STOP
SourceName
Not available
target.application
Event ID 4112
Provider: Microsoft-Windows-CAPI2
NXLog field
Event Viewer field
UDM field
Not available
metadata.event_type = STATUS_UPDATE
Event ID 4113
Provider: Microsoft-Windows-CAPI2
NXLog field
Event Viewer field
UDM field
Not available
metadata.event_type = STATUS_UPDATE
Event ID 4115
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
Event ID 4116
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.userid
UserID
System/UserID
principal.user.windows_sid
Event ID 4117
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
Event ID 4124
Provider: Microsoft-Windows-BitLocker-API
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 4125
Provider: Microsoft-Windows-BitLocker-API
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Data
Data/Data
security_result.description
Format: Error - %{value}
Event ID 4126
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
Event ID 4127
Provider: Microsoft-Windows-BitLocker-API
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Data
Data/Data
security_result.description
Event ID 4133
Provider: Microsoft-Windows-BitLocker-API
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 4199
Provider: Tcpip
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Data
Data/Data
principal.ip
Data_1
Data/Data_1
target.mac
Event ID 4200
Provider: Microsoft-Windows-Iphlpsvc
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountName
System/AccountName
principal.user.userid
Interface
target_resource_product_object_id set to target.resource.product_object_id
Address
target.ip
Event ID 4202
Provider: Microsoft-Windows-MSDTC 2
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_START
SourceName
Not available
target.application
param1
Data/param1
additional.fields.key
additional.fields.value.string_value
param2
Data/param2
additional.fields.key
additional.fields.value.string_value
param3
Data/param3
additional.fields.key
additional.fields.value.string_value
param4
Data/param4
additional.fields.key
additional.fields.value.string_value
param5
Data/param5
additional.fields.key
additional.fields.value.string_value
param6
Data/param6
additional.fields.key
additional.fields.value.string_value
param7
Data/param7
additional.fields.key
additional.fields.value.string_value
param9
Data/param9
target.user.userid
Event ID 4227
Provider: Tcpip
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Message
set to security_result.summary
Event ID 4230
Provider: Tcpip
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 4257
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
Event ID 4319
Provider: NetBT
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Event ID 4321
Provider: NetBT
NXLog field
Event Viewer field
UDM field
metadata.event_type = NETWORK_CONNECTION
Data
Data/Data
principal.hostname and principal.port
Data_1
Data/Data_1
principal.ip
Data_2
Data/Data_2
target.ip
Event ID 4326
Provider: Microsoft-Windows-GroupPolicy
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
Domain
System/Domain
principal.administrative_domain
AccountType
System/AccountType
principal.user.attribute.roles.description
AccountName
System/AccountName
principal.user.attribute.roles.name
UserID
System/UserID
principal.user.windows_sid
Event ID 4400
Provider: NPS
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UNCATEGORIZED
Data_1
principal.administrative_domain
Event ID 4608
Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_STARTUP
Event ID 4609
Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_SHUTDOWN
Event ID 4610
Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
AuthenticationPackageName
Data/AuthenticationPackageName
target.resource.name
Event ID 4611
Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = PROCESS_UNCATEGORIZED
SubjectDomainName
Data/SubjectDomainName
principal.administrative_domain
SubjectUserName
Data/SubjectUserName
principal.user.userid
SubjectUserSid
Data/SubjectUserSid
principal.user.windows_sid
LogonProcessName
Data/LogonProcessName
target.process.command_line
SubjectLogonId
Data/SubjectLogonId
principal.labels.key/value
Event ID 4612
Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
AuditsDiscarded
about.labels.key
about.labels.value
Event ID 4614
Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
NotificationPackageName
Data/NotificationPackageName
target.resource.name
Event ID 4615
Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_UNCATEGORIZED
SubjectDomainName
Data/SubjectDomainName
principal.administrative_domain
ProcessName
Data/ProcessName
principal.process.command_line
ProcessId
Data/ProcessId
principal.process.pid
SubjectUserName
Data/SubjectUserName
principal.user.userid
SubjectUserSid
Data/SubjectUserSid
principal.user.windows_sid
Event ID 4616
version 0 / Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = SETTING_MODIFICATION
target.resource.resource_type set to SETTING
SubjectDomainName
Data/SubjectDomainName
principal.administrative_domain
ProcessName
Data/ProcessName
principal.process.file.full_path
ProcessId
Data/ProcessId
principal.process.pid
SubjectUserName
Data/SubjectUserName
principal.user.userid
SubjectUserSid
Data/SubjectUserSid
principal.user.windows_sid
version 1 /
NXLog field
Event Viewer field
UDM field
SubjectDomainName
Data/SubjectDomainName
principal.administrative_domain
ProcessName
Data/ProcessName
principal.process.file.full_path
ProcessId
Data/ProcessId
principal.process.pid
SubjectUserName
Data/SubjectUserName
principal.user.userid
SubjectUserSid
Data/SubjectUserSid
principal.user.windows_sid
NewDate
Data/NewDate
target.resource.attribute.labels.key/value
NewTime
Data/NewTime
target.resource.attribute.labels.key/value
PreviousDate
Data/PreviousDate
target.resource.attribute.labels.key/value
PreviousTime
Data/PreviousTime
target.resource.attribute.labels.key/value
Event ID 4618
Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
TargetUserDomain
Data/TargetUserDomain
target.administrative_domain
ComputerName
Data/ComputerName
target.hostname
TargetUserName
Data/TargetUserName
target.user.userid
TargetUserSid
Data/TargetUserSid
target.user.windows_sid
TargetLogonId
Data/TargetLogonId
additional.fields.key
additional.fields.value.string_value
Event ID 4621
Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
CrashOnAuditFailValue
Data/CrashOnAuditFailValue
security_result.summary
Event ID 4622
Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
SecurityPackageName
Data/SecurityPackageName
target.resource.name
Event ID 4624
version 0 / Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = USER_LOGIN
security_result.action set to "ALLOW"
LogonType
Data/LogonType
extensions.auth.mechanism and extensions.auth.details
SubjectDomainName
Data/SubjectDomainName
principal.administrative_domain
TargetLogonId
Data/TargetLogonId
target.labels.key/value
additional.fields.key
additional.fields.value.string_value
WorkstationName
Data/WorkstationName
principal.labels.key/value
principal.asset_id
ProcessName
Data/ProcessName
principal.process.command_line
ProcessId
Data/ProcessId
principal.process.pid
SubjectUserName
Data/SubjectUserName
principal.user.userid
SubjectUserSid
Data/SubjectUserSid
principal.user.windows_sid
AuthenticationPackageName
Data/AuthenticationPackageName
security_result.about.resource.name
ElevatedToken
Data/ElevatedToken
security_result.detection_fields.labels.key/value
IpAddress
Data/IpAddress
src.ip
IpPort
Data/IpPort
src.port
TargetDomainName
Data/TargetDomainName
target.administrative_domain
LogonProcessName
Data/LogonProcessName
target.process.file.full_path
TargetUserName
Data/TargetUserName
target.user.userid
TargetUserSid
Data/TargetUserSid
target.user.windows_sid
SubjectLogonId
Data/SubjectLogonId
principal.labels.key/value
KeyLength
Data/KeyLength
target.labels.key/value
LmPackageName
Data/LmPackageName
target.labels.key/value
version 1 /
NXLog field
Event Viewer field
UDM field
ImpersonationLevel
about.labels.key/value
version 2 /
NXLog field
Event Viewer field
UDM field
TargetOutboundUserName
Data/TargetOutboundUserName
target.user.user_display_name
RestrictedAdminMode
about.labels.key/value
TargetLinkedLogonId
about.labels.key/value
Event ID 4625
Provider: Microsoft-Windows-EventSystem
NXLog field
Event Viewer field
UDM field
metadata.event_type = STATUS_UPDATE
param1
Data/param1
additional.fields.key
additional.fields.value.string_value
param2
Data/param2
additional.fields.key
additional.fields.value.string_value
param3
Data/param3
about.registry.registry_key
Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = USER_LOGIN
security_result.category = AUTH_VIOLATION
security_result.action = BLOCK
extensions.auth.type set to MACHINE
FailureReason
security_result.about.labels.key
security_result.about.labels.value
LogonType
Data/LogonType
extensions.auth.mechanism and extensions.auth.details
SubjectDomainName
Data/SubjectDomainName
principal.administrative_domain
SubjectLogonId
Data/SubjectLogonId
principal.labels.key/value
additional.fields.key
additional.fields.value.string_value
WorkstationName
Data/WorkstationName
principal.labels.key/value
principal.asset_id
ProcessName
Data/ProcessName
principal.process.command_line
ProcessId
Data/ProcessId
principal.process.pid
SubjectUserName
Data/SubjectUserName
principal.user.userid
SubjectUserSid
Data/SubjectUserSid
principal.user.windows_sid
AuthenticationPackageName
Data/AuthenticationPackageName
security_result.about.resource.name
Status
Data/Status
security_result.summary
Populate the description corresponding to the status code. Format: Status(%{Status}): %{status_description}.
If the incoming value is 0xc000006d, then store the value 'The cause is either a bad username or authentication information' (referred from the doc table).
SubStatus
Data/SubStatus
security_result.description
Populate the description corresponding to the substatus code. Format: SubStatus(%{SubStatus}): %{sub_status_description}.
If the incoming value is 0xc000006d, then store the value 'The cause is either a bad username or authentication information' (referred from the doc table).
IpAddress
Data/IpAddress
src.ip
IpPort
Data/IpPort
src.port
TargetDomainName
Data/TargetDomainName
target.administrative_domain
LogonProcessName
Data/LogonProcessName
target.process.file.full_path
TargetUserName
Data/TargetUserName
target.user.userid
TargetUserSid
Data/TargetUserSid
target.user.windows_sid
Event ID 4626
Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = USER_LOGIN
LogonType
Data/LogonType
extensions.auth.mechanism and extensions.auth.details
SubjectDomainName
Data/SubjectDomainName
principal.administrative_domain
SubjectUserName
Data/SubjectUserName
principal.user.userid
SubjectUserSid
Data/SubjectUserSid
principal.user.windows_sid
TargetDomainName
Data/TargetDomainName
target.administrative_domain
TargetUserName
Data/TargetUserName
target.user.userid
TargetUserSid
Data/TargetUserSid
target.user.windows_sid
TargetLogonId
Data/TargetLogonId
additional.fields.key
additional.fields.value.string_value
Event ID 4627
Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = GROUP_UNCATEGORIZED
LogonType
Data/LogonType
extensions.auth.mechanism and extensions.auth.details
SubjectDomainName
Data/SubjectDomainName
principal.administrative_domain
SubjectUserName
Data/SubjectUserName
principal.user.userid
SubjectUserSid
Data/SubjectUserSid
principal.user.windows_sid
TargetDomainName
Data/TargetDomainName
target.administrative_domain
GroupMembership
Data/GroupMembership
target.user.group_identifiers
TargetUserName
Data/TargetUserName
target.user.userid
TargetUserSid
Data/TargetUserSid
target.user.windows_sid
TargetLogonId
Data/TargetLogonId
additional.fields.key
additional.fields.value.string_value
Event ID 4634
Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = USER_LOGOUT
security_result.action = ALLOW
LogonType
Data/LogonType
extensions.auth.mechanism and extensions.auth.details
TargetDomainName
Data/TargetDomainName
target.administrative_domain
TargetUserName
Data/TargetUserName
target.user.userid
TargetUserSid
Data/TargetUserSid
target.user.windows_sid
TargetLogonId
Data/TargetLogonId
target.labels.key/value
additional.fields.key
additional.fields.value.string_value
Event ID 4646
Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = SERVICE_START
Event ID 4647
Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = USER_LOGOUT
TargetDomainName
Data/TargetDomainName
target.administrative_domain
TargetUserName
Data/TargetUserName
target.user.userid
TargetUserSid
Data/TargetUserSid
target.user.windows_sid
TargetLogonId
Data/TargetLogonId
target.labels.key/value
additional.fields.key
additional.fields.value.string_value
Event ID 4648
Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = USER_LOGIN
security_result.action set to "ALLOW"
extensions.auth.mechanism set to "USERNAME_PASSWORD"
SubjectDomainName
Data/SubjectDomainName
principal.administrative_domain
TargetServerName
target.hostname
TargetInfo
target.labels.key
target.labels.value
ProcessName
Data/ProcessName
principal.process.command_line
ProcessId
Data/ProcessId
principal.process.pid
SubjectUserName
Data/SubjectUserName
principal.user.userid
SubjectUserSid
Data/SubjectUserSid
principal.user.windows_sid
SubjectLogonId
Data/SubjectLogonId
principal.labels.key/value
IpAddress
Data/IpAddress
src.ip
IpPort
Data/IpPort
src.port
TargetDomainName
Data/TargetDomainName
target.administrative_domain
TargetUserName
Data/TargetUserName
target.user.userid
TargetLogonId
Data/TargetLogonId
additional.fields.key
additional.fields.value.string_value
Event ID 4649
Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = SYSTEM_AUDIT_UNCATEGORIZED
SubjectDomainName
Data/SubjectDomainName
principal.administrative_domain
LogonProcessName
Data/LogonProcessName
principal.process.command_line
SubjectUserName
Data/SubjectUserName
principal.user.userid
SubjectUserSid
Data/SubjectUserSid
principal.user.windows_sid
TargetDomainName
Data/TargetDomainName
target.administrative_domain
WorkstationName
Data/WorkstationName
principal.labels.key/value
principal.asset_id
ProcessName
Data/ProcessName
target.process.command_line
ProcessId
Data/ProcessId
target.process.pid
TargetUserName
Data/TargetUserName
target.user.userid
Event ID 4650
Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = NETWORK_UNCATEGORIZED
LocalMMPrincipalName
Data/LocalMMPrincipalName
principal.hostname
LocalAddress
Data/LocalAddress
principal.ip
LocalKeyModPort
Data/LocalKeyModPort
principal.port
RemoteMMPrincipalName
Data/RemoteMMPrincipalName
target.hostname
RemoteAddress
Data/RemoteAddress
target.ip
RemoteKeyModPort
Data/RemoteKeyModPort
target.port
Event ID 4651
Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = NETWORK_UNCATEGORIZED
LocalMMIssuingCA
Data/LocalMMIssuingCA
network.tls.client.certificate.issuer
RemoteMMIssuingCA
Data/RemoteMMIssuingCA
network.tls.server.certificate.issuer
LocalMMPrincipalName
Data/LocalMMPrincipalName
principal.hostname
LocalAddress
Data/LocalAddress
principal.ip
LocalKeyModPort
Data/LocalKeyModPort
principal.port
RemoteMMPrincipalName
Data/RemoteMMPrincipalName
target.hostname
RemoteAddress
Data/RemoteAddress
target.ip
RemoteKeyModPort
Data/RemoteKeyModPort
target.port
Event ID 4652
Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = NETWORK_UNCATEGORIZED
LocalMMIssuingCA
Data/LocalMMIssuingCA
network.tls.client.certificate.issuer
RemoteMMIssuingCA
Data/RemoteMMIssuingCA
network.tls.server.certificate.issuer
LocalMMPrincipalName
Data/LocalMMPrincipalName
principal.hostname
LocalAddress
Data/LocalAddress
principal.ip
LocalKeyModPort
Data/LocalKeyModPort
principal.port
RemoteMMPrincipalName
Data/RemoteMMPrincipalName
target.hostname
RemoteAddress
Data/RemoteAddress
target.ip
RemoteKeyModPort
Data/RemoteKeyModPort
target.port
Event ID 4653
Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = NETWORK_UNCATEGORIZED
LocalAddress
Data/LocalAddress
principal.ip
LocalKeyModPort
Data/LocalKeyModPort
principal.port
FailureReason
Data/FailureReason
security_result.summary
RemoteAddress
Data/RemoteAddress
target.ip
RemoteKeyModPort
Data/RemoteKeyModPort
target.port
Event ID 4654
version 0 / Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = NETWORK_UNCATEGORIZED
Protocol
Data/Protocol
network.ip_protocol
LocalAddress
Data/LocalAddress
principal.ip
LocalPort
Data/LocalPort
principal.port
FailureReason
Data/FailureReason
security_result.summary
RemoteAddress
Data/RemoteAddress
target.ip
RemotePort
Data/RemotePort
target.port
Event ID 4655
Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = NETWORK_UNCATEGORIZED
LocalAddress
Data/LocalAddress
principal.ip
RemoteAddress
Data/RemoteAddress
target.ip
Event ID 4656
version 0 / Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = USER_RESOURCE_ACCESS
SubjectDomainName
Data/SubjectDomainName
principal.administrative_domain
HandleId
target.resource.attribute.labels.key
target.resource.attribute.labels.value
ProcessName
Data/ProcessName
principal.process.file.full_path
ProcessId
Data/ProcessId
principal.process.pid
TransactionId
target.resource.attribute.labels.key
target.resource.attribute.labels.value
RestrictedSidCount
target.resource.attribute.labels.key
target.resource.attribute.labels.value
SubjectUserName
Data/SubjectUserName
principal.user.userid
SubjectUserSid
Data/SubjectUserSid
principal.user.windows_sid
ObjectName
Data/ObjectName
target.file.full_path
(when ObjectType = "File")
target.process.command_line
(when ObjectType = "Process")
AccessList
Data/AccessList
target.resource.attribute.permissions.name
PrivilegeList
Data/PrivilegeList
target.user.attribute.permissions.name
ObjectType
Data/ObjectType
target.resource.resource_subtype
ObjectServer
target.resource.attribute.labels.key
target.resource.attribute.labels.value
AccessMask
Data/AccessMask
principal.process.access_mask
SubjectLogonId
Data/SubjectLogonId
principal.labels.key/value
Event ID 4657
Provider: Microsoft-Windows-Security-Auditing
NXLog field
Event Viewer field
UDM field
metadata.event_type = REGISTRY_MODIFICATION
SubjectDomainName
Data/SubjectDomainName
principal.administrative_domain
OperationType
target.labels.key
target.labels.value
ProcessName
Data/ProcessName
principal.process.file.full_path
ProcessId
Data/ProcessId
principal.process.pid
SubjectUserName
Data/SubjectUserName
principal.user.userid
SubjectUserSid
Data/SubjectUserSid
principal.user.windows_sid
ObjectName
Data/ObjectName
target.registry.registry_key
OldValueType
target.labels.key
target.labels.value
OldValue
target.labels.key
target.labels.value
NewValueType
target.labels.key
target.labels.value
NewValue
Data/NewValue
target.registry.registry_value_data
ObjectValueName
Data/ObjectValueName
target.registry.registry_value_name
SubjectLogonId
Data/SubjectLogonId
principal.labels.key/value
HandleId
target.labels.key/value
Event ID 4658
Provider: Microsoft-Windows-Security-Auditing

NXLog field | Event Viewer field | UDM field
------------+--------------------+----------
 | | metadata.event_type = USER_RESOURCE_ACCESS
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
ProcessName | Data/ProcessName | principal.process.file.full_path
ProcessId | Data/ProcessId | principal.process.pid
HandleId | | target.labels.key/value
SubjectUserName | Data/SubjectUserName | principal.user.userid
ObjectServer | | target.labels.key, target.labels.value
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
Event ID 4659
Provider: Microsoft-Windows-Security-Auditing

NXLog field | Event Viewer field | UDM field
------------+--------------------+----------
 | | metadata.event_type = USER_RESOURCE_ACCESS
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
ProcessId | Data/ProcessId | principal.process.pid
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
ObjectName | Data/ObjectName | target.file.full_path (when ObjectType = "File")
 | | target.process.command_line (when ObjectType = "Process")
AccessList | Data/AccessList | target.resource.attribute.permissions.name
PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name
Event ID 4660
Provider: Microsoft-Windows-Security-Auditing

NXLog field | Event Viewer field | UDM field
------------+--------------------+----------
 | | metadata.event_type = USER_RESOURCE_DELETION
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
HandleId | | target.resource.attribute.labels.key, target.resource.attribute.labels.value
ProcessName | Data/ProcessName | principal.process.file.full_path
ProcessId | Data/ProcessId | principal.process.pid
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
TransactionId | | target.resource.attribute.labels.key, target.resource.attribute.labels.value
ObjectServer | | target.resource.attribute.labels.key, target.resource.attribute.labels.value
SubjectLogonId | Data/SubjectLogonId | principal.labels.key/value
Event ID 4661
event version 1 / Provider: Microsoft-Windows-Security-Auditing

NXLog field | Event Viewer field | UDM field
------------+--------------------+----------
AccessReason | Data/AccessReason | security_result.description
RestrictedSidCount | | target.labels.key, target.labels.value

version 0 / Provider: Microsoft-Windows-Security-Auditing

NXLog field | Event Viewer field | UDM field
------------+--------------------+----------
 | | metadata.event_type = USER_RESOURCE_ACCESS
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
ObjectType | | target.labels.key/value
ProcessName | Data/ProcessName | principal.process.file.full_path
HandleId | | target.labels.key/value
TransactionId | | target.labels.key, target.labels.value
ProcessId | Data/ProcessId | principal.process.pid
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
ObjectName | Data/ObjectName | target.group.group_display_name (when ObjectType is SAM_ALIAS, SAM_GROUP)
 | | target.user.userid (when ObjectType is SAM_USER)
 | | target.administrative_domain (when ObjectType is SAM_DOMAIN)
 | | target.hostname (when ObjectType is SAM_SERVER)
AccessList | Data/AccessList | target.resource.attribute.permissions.name
PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name
ObjectServer | | target.labels.key, target.labels.value
SubjectLogonId | Data/SubjectLogonId | principal.labels.key/value
Event ID 4662
Provider: Microsoft-Windows-Security-Auditing

NXLog field | Event Viewer field | UDM field
------------+--------------------+----------
 | | metadata.event_type = USER_RESOURCE_ACCESS
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
HandleId | | target.resource.attribute.labels.key, target.resource.attribute.labels.value
SubjectUserName | Data/SubjectUserName | principal.user.userid
ObjectType | | target.resource.resource_subtype
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
SubjectLogonId | Data/SubjectLogonId | principal.labels.key/value
 | | additional.fields.key, additional.fields.value.string_value
AdditionalInfo | Data/AdditionalInfo | security_result.description
AdditionalInfo2 | | security_result.detection_fields.key/value
Properties | Data/Properties | security_result.detection_fields.key/value
AccessMask | Data/AccessMask | principal.process.access_mask
 | | principal.resource.attribute.permissions
ObjectName | Data/ObjectName | target.resource.name
ObjectServer | Data/ObjectServer | target.resource.parent
Event ID 4663
version 0 / Provider: Microsoft-Windows-Security-Auditing

NXLog field | Event Viewer field | UDM field
------------+--------------------+----------
 | | metadata.event_type = FILE_OPEN (ObjectType = File, SymbolicLink)
 | | metadata.event_type = REGISTRY_UNCATEGORIZED (ObjectType = Key)
 | | metadata.event_type = PROCESS_OPEN (ObjectType = Process)
 | | metadata.event_type = USER_RESOURCE_ACCESS (ObjectType = Event)
ObjectName | Data/ObjectName | target.file.full_path (ObjectType = File, SymbolicLink)
 | | target.registry.registry_key (ObjectType = Key)
 | | target.process.file.full_path (ObjectType = Process)
 | | target.resource.name (ObjectType = Event)
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
ObjectType | | target.resource.resource_subtype
HandleId | | target.resource.attribute.labels.key, target.resource.attribute.labels.value
ProcessName | Data/ProcessName | principal.process.file.full_path
ProcessId | Data/ProcessId | principal.process.pid
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
SubjectLogonId | Data/SubjectLogonId | principal.labels.key/value
AccessList | Data/AccessList | target.resource.attribute.permissions.name
ObjectServer | | target.resource.attribute.labels.key, target.resource.attribute.labels.value
ResourceAttributes | | target.resource.attribute.labels.key, target.resource.attribute.labels.value
AccessMask | Data/AccessMask | principal.process.access_mask
 | | principal.resource.attribute.permissions
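The 4656, 4662 and 4663 tables carry AccessMask into principal.process.access_mask and a permissions field, and AccessList into target.resource.attribute.permissions.name, but neither tells an analyst what the raw values mean. The following is an added example, not part of this page or of the WINEVTLOG parser: it decodes a raw Data/AccessMask into the Windows generic and file-specific access rights its bits stand for, decodes the raw Data/AccessList (which the Security-Auditing provider writes as %% message-table codes), and checks that the two agree. The right names are this example's own labels, not the strings the parser emits, and the sample event data is constructed.

```python
"""Decode Data/AccessMask and Data/AccessList from 4656/4662/4663 events.
Added example, not parser code.  Bit values are the documented Windows
generic and file-specific access rights; the %% codes are the message-table
IDs that appear in raw AccessList text; the name strings are labels chosen
here (assumption), not the parser's output."""

ACCESS_RIGHTS = {  # bit -> (name used here, AccessList %% code)
    0x00000001: ("ReadData/ListDirectory", "%%4416"),
    0x00000002: ("WriteData/AddFile", "%%4417"),
    0x00000004: ("AppendData/AddSubdirectory", "%%4418"),
    0x00000008: ("ReadEA", "%%4419"),
    0x00000010: ("WriteEA", "%%4420"),
    0x00000020: ("Execute/Traverse", "%%4421"),
    0x00000040: ("DeleteChild", "%%4422"),
    0x00000080: ("ReadAttributes", "%%4423"),
    0x00000100: ("WriteAttributes", "%%4424"),
    0x00010000: ("DELETE", "%%1537"),
    0x00020000: ("READ_CONTROL", "%%1538"),
    0x00040000: ("WRITE_DAC", "%%1539"),
    0x00080000: ("WRITE_OWNER", "%%1540"),
    0x00100000: ("SYNCHRONIZE", "%%1541"),
}
CODE_TO_NAME = {code: name for name, code in ACCESS_RIGHTS.values()}
KNOWN_BITS = sum(ACCESS_RIGHTS)
# Rights that change content, metadata, ACL or owner: what a write-detection rule keys on.
WRITE_BITS = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000


def _as_int(mask):
    """AccessMask is written as hex text in the event ('0x12019F'); ints are accepted too."""
    return int(mask, 16) if isinstance(mask, str) else int(mask)


def decode_access_mask(mask):
    """Return the right names whose bits are set; unknown bits are reported, not dropped."""
    value = _as_int(mask)
    names = [name for bit, (name, _) in ACCESS_RIGHTS.items() if value & bit]
    leftover = value & ~KNOWN_BITS
    if leftover:
        names.append(f"unknown(0x{leftover:X})")
    return names


def decode_access_list(access_list):
    """AccessList is whitespace-separated %% codes in the raw event; unknown codes pass through."""
    return [CODE_TO_NAME.get(token, token) for token in access_list.split()]


def is_write(mask):
    """True when any right that modifies the object (data, attributes, ACL, owner) is requested."""
    return bool(_as_int(mask) & WRITE_BITS)


def mask_list_agree(mask, access_list):
    """Sanity check: the names in AccessList should be exactly the bits set in AccessMask."""
    return set(decode_access_mask(mask)) == set(decode_access_list(access_list))


# Constructed 4663 EventData values (not a captured event): a read/write open of a file.
SAMPLE_4663_DATA = {
    "AccessMask": "0x12019F",
    "AccessList": "%%4416\n\t\t\t\t%%4417\n\t\t\t\t%%4418\n\t\t\t\t%%4419\n\t\t\t\t%%4420"
                  "\n\t\t\t\t%%4423\n\t\t\t\t%%4424\n\t\t\t\t%%1538\n\t\t\t\t%%1541",
}

if __name__ == "__main__":
    print(decode_access_mask(SAMPLE_4663_DATA["AccessMask"]))
    print("write:", is_write(SAMPLE_4663_DATA["AccessMask"]),
          "consistent:", mask_list_agree(**{k.lower().replace("access", "access_") if False else k: v
                                            for k, v in {}.items()}) if False else
          mask_list_agree(SAMPLE_4663_DATA["AccessMask"], SAMPLE_4663_DATA["AccessList"]))
```

A mismatch from mask_list_agree usually means the AccessList was truncated or re-joined by a forwarding agent, which is worth checking before building rules on target.resource.attribute.permissions.name alone; the mask is the more reliable of the two fields.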
Event ID 4664
Provider: Microsoft-Windows-Security-Auditing

NXLog field | Event Viewer field | UDM field
------------+--------------------+----------
 | | metadata.event_type = FILE_CREATION
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
SubjectLogonId | Data/SubjectLogonId | principal.labels.key/value
FileName | Data/FileName | target.file.full_path
TransactionId | | target.resource.attribute.labels.key, target.resource.attribute.labels.value
LinkName | Data/LinkName | target.resource.name
Event ID 4665
Provider: Microsoft-Windows-Security-Auditing

NXLog field | Event Viewer field | UDM field
------------+--------------------+----------
 | | metadata.event_type = RESOURCE_CREATION
ClientDomain | Data/ClientDomain | principal.administrative_domain
ClientName | Data/ClientName | principal.labels.key/value
AppName | Data/AppName | target.application
AppInstance | Data/AppInstance | target.resource.product_object_id
Event ID 4666
Provider: Microsoft-Windows-Security-Auditing

NXLog field | Event Viewer field | UDM field
------------+--------------------+----------
 | | metadata.event_type = USER_RESOURCE_ACCESS
ClientDomain | Data/ClientDomain | principal.administrative_domain
AppInstance | | target.resource.product_object_id
ClientName | Data/ClientName | principal.labels.key/value
AppName | Data/AppName | target.application
ObjectName | Data/ObjectName | target.resource.name
Event ID 4667
Provider: Microsoft-Windows-Security-Auditing

NXLog field | Event Viewer field | UDM field
------------+--------------------+----------
 | | metadata.event_type = RESOURCE_DELETION
ClientDomain | Data/ClientDomain | principal.administrative_domain
AppInstance | | target.resource.product_object_id
ClientName | Data/ClientName | principal.labels.key/value
AppName | Data/AppName | target.application
Event ID 4668
Provider: Microsoft-Windows-Security-Auditing

NXLog field | Event Viewer field | UDM field
------------+--------------------+----------
 | | metadata.event_type = STATUS_UPDATE
ClientDomain | Data/ClientDomain | principal.administrative_domain
ClientName | Data/ClientName | principal.labels.key/value
AppInstance | | target.resource.product_object_id
AppName | Data/AppName | target.application
Event ID 4670
Provider: Microsoft-Windows-Security-Auditing

NXLog field | Event Viewer field | UDM field
------------+--------------------+----------
 | | metadata.event_type = FILE_OPEN (ObjectType = File, SymbolicLink)
 | | metadata.event_type = REGISTRY_UNCATEGORIZED (ObjectType = Key)
 | | metadata.event_type = PROCESS_OPEN (ObjectType = Process)
 | | metadata.event_type = USER_RESOURCE_ACCESS (ObjectType = Event)
ObjectName | Data/ObjectName | target.file.full_path (ObjectType = File, SymbolicLink)
 | | target.registry.registry_key (ObjectType = Key)
 | | target.process.file.full_path (ObjectType = Process)
 | | target.resource.name (ObjectType = Event)
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
HandleId | | target.resource.attribute.labels.key, target.resource.attribute.labels.value
ProcessName | Data/ProcessName | principal.process.file.full_path
ProcessId | Data/ProcessId | principal.process.pid
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
SubjectLogonId | Data/SubjectLogonId | principal.labels.key/value
ObjectServer | | target.resource.attribute.labels.key, target.resource.attribute.labels.value
OldSd | Data/OldSd | security_result.detection_fields.key/value
NewSd | Data/NewSd | security_result.detection_fields.key/value
ObjectType | | target.resource.resource_subtype
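Several of the tables above make the UDM destination of ObjectName, and for 4663 and 4670 the metadata.event_type as well, depend on ObjectType: 4659 special-cases File and Process, 4661 routes the SAM_* object types to group, user, domain or host fields, and 4663/4670 send the same ObjectName to a file, registry, process or resource field. The following is an added example, not Google's parser and not code from this page: it parses constructed Security-Auditing events in their XML form and applies those routing rules for 4659, 4661 (including the version 1 AccessReason field) and 4663/4670, producing a flat dict of UDM field names. Two details are assumptions: ProcessId is converted from the hex form in the raw event to decimal, and an ObjectType the tables do not list falls back to GENERIC_EVENT.

```python
"""ObjectType-dependent routing for events 4659, 4661 and 4663/4670, as the
WINEVTLOG tables describe.  Added example, not parser code.  Sample events are
constructed.  Assumptions: Data/ProcessId (hex in the raw event) is shown as
decimal, and an unlisted ObjectType maps to GENERIC_EVENT."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS_URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": NS_URI}

# 4663/4670: both metadata.event_type and the UDM home of ObjectName follow ObjectType.
EVENT_TYPE_BY_OBJECT = {"File": "FILE_OPEN", "SymbolicLink": "FILE_OPEN",
                        "Key": "REGISTRY_UNCATEGORIZED", "Process": "PROCESS_OPEN",
                        "Event": "USER_RESOURCE_ACCESS"}
OBJECT_NAME_4663 = {"File": "target.file.full_path", "SymbolicLink": "target.file.full_path",
                    "Key": "target.registry.registry_key",
                    "Process": "target.process.file.full_path", "Event": "target.resource.name"}
# 4659 (the 4656 table uses the same two cases).
OBJECT_NAME_4659 = {"File": "target.file.full_path", "Process": "target.process.command_line"}
# 4661: SAM object types.
OBJECT_NAME_4661 = {"SAM_ALIAS": "target.group.group_display_name",
                    "SAM_GROUP": "target.group.group_display_name",
                    "SAM_USER": "target.user.userid", "SAM_DOMAIN": "target.administrative_domain",
                    "SAM_SERVER": "target.hostname"}
# Subject*/Process*/AccessList map the same way in every table handled here.
COMMON = {"SubjectDomainName": "principal.administrative_domain",
          "SubjectUserName": "principal.user.userid",
          "SubjectUserSid": "principal.user.windows_sid",
          "ProcessName": "principal.process.file.full_path",
          "AccessList": "target.resource.attribute.permissions.name"}


def make_event(event_id, version, fields):
    """Build the XML form of a Security-Auditing event (constructed test input only)."""
    data = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS_URI}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><Version>{version}</Version></System>'
            f'<EventData>{data}</EventData></Event>')


def parse_event(xml_text):
    """Return (EventID, Version, {Data Name: text}) from the event XML."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): d.text or "" for d in root.find("e:EventData", NS)}
    return int(system.find("e:EventID", NS).text), int(system.find("e:Version", NS).text), data


def to_udm(xml_text):
    """Map one event to a flat dict keyed by UDM field name."""
    event_id, version, data = parse_event(xml_text)
    udm = {dst: data[src] for src, dst in COMMON.items() if src in data}
    if "ProcessId" in data:
        udm["principal.process.pid"] = str(int(data["ProcessId"], 16))  # hex -> decimal (assumption)
    if "SubjectLogonId" in data:
        udm["principal.labels"] = {"SubjectLogonId": data["SubjectLogonId"]}
    obj_type, obj_name = data.get("ObjectType", ""), data.get("ObjectName")
    if event_id in (4663, 4670):
        udm["metadata.event_type"] = EVENT_TYPE_BY_OBJECT.get(obj_type, "GENERIC_EVENT")
        udm["target.resource.resource_subtype"] = obj_type
        name_field = OBJECT_NAME_4663.get(obj_type)
        if event_id == 4670:  # old and new security descriptors go to detection_fields
            udm["security_result.detection_fields"] = {k: data[k] for k in ("OldSd", "NewSd") if k in data}
    elif event_id == 4659:
        udm["metadata.event_type"] = "USER_RESOURCE_ACCESS"
        name_field = OBJECT_NAME_4659.get(obj_type)
    elif event_id == 4661:
        udm["metadata.event_type"] = "USER_RESOURCE_ACCESS"
        name_field = OBJECT_NAME_4661.get(obj_type)
        if version >= 1 and "AccessReason" in data:  # version 1 adds AccessReason
            udm["security_result.description"] = data["AccessReason"]
    else:
        raise ValueError(f"event {event_id} is not handled by this example")
    if name_field and obj_name is not None:
        udm[name_field] = obj_name
    return udm


# Constructed sample events (not captured from a real host).
SUBJECT = {"SubjectUserSid": "S-1-5-21-1111-2222-3333-1105", "SubjectUserName": "jdoe",
           "SubjectDomainName": "CORP", "SubjectLogonId": "0x3e7a1"}
SAMPLE_4663 = make_event(4663, 0, {**SUBJECT, "ObjectServer": "Security", "ObjectType": "File",
    "ObjectName": r"C:\Users\jdoe\Documents\payroll.xlsx", "HandleId": "0x1a4",
    "AccessList": "%%4417", "AccessMask": "0x2", "ProcessId": "0x1f40",
    "ProcessName": r"C:\Windows\System32\notepad.exe"})
SAMPLE_4670 = make_event(4670, 0, {**SUBJECT, "ObjectServer": "Security", "ObjectType": "Key",
    "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HandleId": "0x2c", "OldSd": "D:(A;;KA;;;BA)", "NewSd": "D:(A;;KA;;;BA)(A;;KA;;;WD)",
    "ProcessId": "0xbb8", "ProcessName": r"C:\Windows\regedit.exe"})
SAMPLE_4661 = make_event(4661, 1, {**SUBJECT, "ObjectServer": "Security Account Manager",
    "ObjectType": "SAM_USER", "ObjectName": "S-1-5-21-1111-2222-3333-500", "HandleId": "0x0",
    "AccessMask": "0x2d", "ProcessId": "0x2c8", "ProcessName": r"C:\Windows\System32\lsass.exe",
    "AccessReason": "-", "RestrictedSidCount": "0"})

if __name__ == "__main__":
    for sample in (SAMPLE_4663, SAMPLE_4670, SAMPLE_4661):
        print(to_udm(sample))
```

The practical point for rule authors: the same raw field lands in different UDM fields depending on ObjectType, so a rule that only reads target.file.full_path will miss 4663 events against registry keys or processes, and a rule on 4661 must read target.user.userid for SAM_USER but target.group.group_display_name for SAM_GROUP.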
Event ID 4671
Provider: Microsoft-Windows-Security-Auditing

NXLog field | Event Viewer field | UDM field
------------+--------------------+----------
 | | metadata.event_type = STATUS_UPDATE
 | | security_result.action = BLOCK
CallerDomainName | Data/CallerDomainName | principal.administrative_domain
CallerUserName | Data/CallerUserName | principal.user.userid
CallerUserSid | Data/CallerUserSid | principal.user.windows_sid
Event ID 4672
Provider: Microsoft-Windows-Security-Auditing

NXLog field | Event Viewer field | UDM field
------------+--------------------+----------
 | | metadata.event_type = USER_LOGIN
SubjectDomainName | Data/SubjectDomainName | target.administrative_domain
PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name
SubjectUserName | Data/SubjectUserName | target.user.userid
SubjectUserSid | Data/SubjectUserSid | target.user.windows_sid
SubjectLogonId | Data/SubjectLogonId | principal.labels.key/value
Event ID 4673
Provider: Microsoft-Windows-Security-Auditing

NXLog field | Event Viewer field | UDM field
------------+--------------------+----------
 | | metadata.event_type = SERVICE_UNSPECIFIED
 | | If the fields required for this metadata.event_type are not present, metadata.event_type is set to GENERIC_EVENT.
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
Service | | target.application
SubjectUserName | Data/SubjectUserName | principal.user.us