Collect Microsoft Windows Event data

This document:

describes the deployment architecture and installation steps, plus any required configuration that produce logs supported by the Chronicle parser for Windows events. For an overview of Chronicle data ingestion, see Data ingestion to Chronicle.
includes information about how the parser maps fields in the original log to Chronicle Unified Data Model fields.

Information in this document applies to the parser with the WINEVTLOG ingestion label. The ingestion label identifies which parser normalizes raw log data to structured UDM format.

Before you begin

Review the recommended deployment architecture

This diagram illustrates the recommended foundational components in a deployment architecture to collect and send Microsoft Windows Event data to Chronicle. Compare this information with your environment to be sure these components are installed. Each customer deployment will differ from this representation and may be more complex. The following is required:

Systems in the deployment architecture are configured with the UTC time zone.
NXLog is installed on the collector Microsoft Windows server.
The collector Microsoft Windows server receives logs from servers, endpoints, and domain controllers.
Microsoft Windows systems in the deployment architecture use.
- Source Initiated Subscriptions to collect events across multiple devices.
- WinRM service is enabled for remote system management.
NXLog is installed on the collector Window server to forward logs to Chronicle forwarder.
Chronicle forwarder is installed on the collector Microsoft Windows or Linux server.

Note: If you choose to deploy the Chronicle Linux forwarder, the central Linux server and collector Microsoft Windows server will be different systems. If you choose to deploy the Chronicle forwarder for Microsoft Windows, the central Microsoft Windows server and collector Microsoft Windows server can be the same system.

Review the supported devices and versions

The Chronicle parser supports logs from the following Microsoft Windows server versions. Microsoft Windows server is released with the following editions: Foundation, Essentials, Standard, and Datacenter. The event schema of logs generated by each edition do not differ.

Microsoft Windows Server 2019
Microsoft Windows Server 2016
Microsoft Windows Server 2012

Chronicle parser supports logs from Microsoft Windows 10 and higher client systems.

Chronicle parser supports logs collected by NXLog Community or Enterprise Edition.

Review the supported log types

The Chronicle parser supports the following log types generated by Microsoft Windows systems. For more information about these log types, see the Microsoft Windows Event Log documentation. It supports logs generated with English language text and is not supported with logs generated in non-English languages.

Log Type	Notes
Security	Security audit and event logs.
Application	Events logged by applications or programs. If the manifest isn't installed locally, application logs will have missing / hex values.
System	Events logged by Microsoft Windows system components.

Configure the Microsoft Windows servers, endpoints, and domain controllers

Install and configure the servers, endpoints, and domain controllers.
Configure all systems with the UTC time zone.
Configure devices to forward logs to a collector Microsoft Windows server.
Configure a Source Initiated Subscription on Microsoft Windows server (Collector). For information, see Setting up a Source Initiated Subscription.
Enable WinRM on Microsoft Windows servers and clients. For information, see Installation and configuration for Microsoft Windows Remote Management.

Configure the Microsoft Windows collector server

Set up a collector Microsoft Windows server to collect from systems.

Configure the system with the UTC time zone.
Install NXLog. Follow the NXLog documentation.

Create a configuration file for NXLog. Use im_msvistalog input module for Microsoft Windows server security channel logs. Replace <hostname> and <port> values with information about the central Microsoft Windows or Linux server. See the NXLog documentation for information about the om_tcp module.

  define ROOT     C:\Program Files (x86)\nxlog
  define WINEVTLOG_OUTPUT_DESTINATION_ADDRESS <hostname>
  define WINEVTLOG_OUTPUT_DESTINATION_PORT <port>
  define CERTDIR  %ROOT%\cert
  define CONFDIR  %ROOT%\conf
  define LOGDIR   %ROOT%\data
  define LOGFILE  %LOGDIR%\nxlog.log
  LogFile %LOGFILE%
  Moduledir %ROOT%\modules
  CacheDir  %ROOT%\data
  Pidfile   %ROOT%\data\nxlog.pid
  SpoolDir  %ROOT%\data
  <Extension _json>
      Module      xm_json
  </Extension>
  <Input windows_security_eventlog>
      Module  im_msvistalog
      <QueryXML>
          <QueryList>
              <Query Id="0">
                  <Select Path="Application">*</Select>
                  <Select Path="System">*</Select>
                  <Select Path="Security">*</Select>
              </Query>
          </QueryList>
      </QueryXML>
      ReadFromLast  False
      SavePos  False
  </Input>
  <Output out_chronicle_windevents>
      Module      om_tcp
      Host        %WINEVTLOG_OUTPUT_DESTINATION_ADDRESS%
      Port        %WINEVTLOG_OUTPUT_DESTINATION_PORT%
      Exec        $EventTime = integer($EventTime) / 1000;
      Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;
      Exec        to_json();
  </Output>
  <Route r2>
      Path    windows_security_eventlog => out_chronicle_windevents
  </Route>

Start the NXLog service.

Configure the central Microsoft Windows or Linux server

See the Installing and configuring the forwarder on Linux or Installing and configuring the forwarder on Microsoft Windows for information about installing and configuring the forwarder.

Configure the system with the UTC time zone.
Install the Chronicle forwarder on the central Microsoft Windows or Linux server.

Configure the Chronicle forwarder to send logs to Chronicle. Here is an example forwarder configuration.

  - syslog:
      common:
        enabled: true
        data_type: WINEVTLOG
        batch_n_seconds: 10
        batch_n_bytes: 1048576
      tcp_address: 0.0.0.0:10518
      connection_timeout_sec: 60

Field mapping reference: Common device event fields to UDM fields

The following fields are common across multiple Event IDs and are mapped the same way.

NXLog field	UDM field
EventTime	metadata.event_timestamp
Hostname	principal.hostname
EventID	product_event_type is set to "%{EventID}" security_result.rule_name is set to "EventID: %{EventID}"
SourceName	metadata.product_name is set to "%25%7BSourceName}" metadata.vendor is set to "Microsoft"
Category	about.labels.key/value
Channel	about.labels.key/value
Severity	Values mapped to security_result.severity field as follows: Original value 0 (None), is set to UNKNOWN_SEVERITY Original value 1 (Critical) is set to INFORMATIONAL Original value 2 (Error) is set to ERROR Original value 3 (Warning) is set to ERROR Original value 4 (Informational) is set to INFORMATIONAL Original value 5 (Verbose) is set to INFORMATIONAL
UserID	principal.user.windows_sid
ExecutionProcessID	principal.process.pid
ProcessID	principal.process.pid
ProviderGuid	metadata.product_deployment_id
RecordNumber	metadata.product_log_id
SourceModuleName	observer.labels.key/value
SourceModuleType	observer.application
Opcode	about.labels.key/value
ActivityID	security_result.detection_fields.key/value

Field mapping reference: device event field to UDM field by EventID

The following section describes how NXlog/EventViewer fields are mapped to UDM fields. Data may be mapped differently for different Microsoft Windows Event IDs.

The section heading identifies the Event Id, plus version (e.g. version 0) and operatiing system (e.g. Microsoft Windows 10 client) if applicable. There may be more than one section for an Event ID when the map for a specific version or operating system is different.

Event ID 0

Provider: Directory Synchronization

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Data

security_result.summary

Provider: gupdate

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Provider: hcmon

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

target_resource_name set to target.resource.name

Provider: edgeupdate

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED

Event ID 1

Provider: Microsoft-Windows-FilterManager

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

version 0 / Provider: Microsoft-Windows-Kernel-General

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

version 1 / Provider: Microsoft-Windows-Kernel-General

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Reason	Data/Reason	security_result.description
ProcessName	Data/ProcessName	principal.process.command_line
ProcessID	Data/ProcessID	principal.process.pid

Provider: Microsoft-Windows-Sysmon

NXLog field	Event Viewer field	UDM field
		metadata.event_type = PROCESS_LAUNCH If EventLevelName contains "Information" then security_result.severity = INFORMATIONAL
EventData.Hashes		Based on Hash algorithm. MD5 set to target.process.file.md5 SHA256 set to target.process.file.sha256 SHA1 set to target.process.file.sha1
EventData.User		Domain set to principal.administrative_domain Username set to principal.user.userid
Description		metadata.description
CommandLine		target.process.command_line
Image		target.process.file.full_path
ParentCommandLine		target.process.parent_process.command_line
ParentImage		target.process.parent_process.file.full_path
ParentProcessId		target.process.parent_process.pid
ProcessId		target.process.pid
EventOriginId		target.process.product_specific_process_id set to "sysmon:%{EventOriginId}"

Provider: SecurityCenter

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_START
SourceName	Not available	target.application

Provider: telegraf

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Data		security_result.description

Provider: WudfUsbccidDriver

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Context	Data/Context	security_result.description

Event ID 2

Provider: MEIx64

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Message set to security_result.summary

Provider: SecurityCenter

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_STOP
SourceName	Not available	target.application

Provider: vmci

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Message set to security_result.summary

Provider: Microsoft-Windows-WHEA-Logger

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 3

version 3 / Provider: Microsoft-Windows-Power-Troubleshooter

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_STARTUP
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.name
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
SleepTime	Data/SleepTime	target.resource.attribute.labels.key/value
WakeTime	Data/WakeTime	target.resource.attribute.labels.key/value
WakeSourceType	Data/WakeSourceType	target.resource.attribute.labels.key/value
WakeSourceText	Data/WakeSourceText	target.resource.attribute.labels.key/value

Provider: Microsoft-Windows-Security-Kerberos

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
File		target.file.full_path

Provider: Virtual Disk Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED

Provider: vmci

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Provider: Microsoft-Windows-Bits-Client

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
jobTitle		target.resource.name
processPath		target.process.file.full_path

Event ID 4

Provider: Microsoft-Windows-Security-Kerberos

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Server		target.hostname

Provider: Virtual Disk Service

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Message set to security_result.summary

Provider: Microsoft-Windows-Bits-Client

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
name		target.resource.name
Id		target.resource.product_object_id
url		target.url
fileLength		target.file.size

Event ID 5

Provider: iScsiPrt

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Message set to security_result.summary

Provider: McAfee Service Controller

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Message set to security_result.summary

Provider: Microsoft-Windows-Search-ProfileNotify

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_MODIFICATION
SourceName		target.application
User	Data/User	target.user.userid

Event ID 6

Provider: Microsoft-Windows-CertificateServicesClient-AutoEnrollment

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
ErrorCode		security_result.summary Format: %{ErrorCode}-%{ErrorMsg}
ErrorMsg		security_result.summary Format: %{ErrorCode}-%{ErrorMsg}
Context		target.application

Provider: Microsoft-Windows-FilterManager

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: WudfUsbccidDriver

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 7

Provider: AdmPwd

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Data

security_result.summary

Format:

"Error: %{Data}"

Provider: WudfUsbccidDriver

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 8

Provider: CylanceSvc

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED

Provider: WSH

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Data_1		principal.labels
Data_2		principal.labels
Data_3		principal.process.command_line
Message		metadata.description

Event ID 9

Provider: volsnap

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
VolumeName		target.file.full_path

Event ID 10

Provider: WudfUsbccidDriver

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 11

Provider: Microsoft-Windows-Hyper-V-Netvsc

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
MiniportName		target.resource.name

Provider: Microsoft-Windows-Kernel-General

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: WudfUsbccidDriver

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Error

Data/Error

security_result.summary is set to "ErrorCode: %{Error}"

Provider: Microsoft-Windows-Wininit

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 12

Provider: Microsoft-Windows-Kernel-General

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_STARTUP
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Microsoft-Windows-Sysmon

NXLog field	Event Viewer field	UDM field
		metadata.event_type = REGISTRY_CREATION If EventLevelName =~ "Information" then security_result.severity = INFORMATIONAL
EventOriginId		target.process.product_specific_process_id set to "sysmon: %{EventOriginId}"
EventData/EventType		target.registry.registry_key
EventData/TargetObject		target.registry.registry_value_name

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Microsoft-Windows-UserModePowerService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.name
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
ProcessPath		target.process.file.full_path
NewSchemeGuid		target.resource.product_object_id

Provider: Microsoft-Windows-EnhancedStorage-EhStorTcgDrv

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 13

Provider: Microsoft-Windows-Kernel-General

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_SHUTDOWN

Provider: Microsoft-Windows-Sysmon

NXLog field	Event Viewer field	UDM field
		metadata.event_type = REGISTRY_MODIFICATION If EventLevelName =~ "Information" then security_result.severity = INFORMATIONAL
EventOriginId		target.process.product_specific_process_id set to "sysmon: %{EventOriginId}"
EventData/EventType		target.registry.registry_key
EventData/Details		target.registry.registry_value_data

Provider: Microsoft-Windows-CertificateServicesClient-CertEnroll

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain		principal.administrative_domain
AccountName		principal.user.userid
AccountType		principal.user.attribute.roles.name
Message		metadata.description
UserID		principal.user.windows_sid
CA		about.labels.key/value
ErrorCode		security_result.summary Format: summary => %{error_code} - %{error_message}

Provider: NPS

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Data		target.ip

Event ID 14

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
ClientName		principal.asset.hostname
Target		target.application
Account		target.hostname

Provider: Microsoft-Windows-Wininit

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Microsoft-Windows-Hyper-V-Hypervisor

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Error

Data/Error

security_result.description

Format:

Error - %{value}

Provider:TPM

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
UserID	Security/UseID	principal.user.windows_sid

Event ID 15

Provider: Disk

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

target_hostname set to target.hostname

Provider: Microsoft-Windows-Kernel-General

NXLog field	Event Viewer field	UDM field
		metadata.event_type = REGISTRY_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
NewSize	Data/NewSize	target.file.size
HiveName	Data/HiveName	target.registry.registry_key

Provider: SecurityCenter

NXLog field	Event Viewer field	UDM field
	Not available	metadata.event_type = STATUS_UPDATE

Provider:TPM

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
UserID	Security/UseID	principal.user.windows_sid

Event ID 16

Provider: Microsoft-Windows-HAL

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
ClientName		principal.asset.hostname
Target		target.application
Account		target.hostname

Provider: Microsoft-Windows-Kernel-General

NXLog field	Event Viewer field	UDM field
		metadata.event_type = REGISTRY_MODIFICATION
Domain	System/Domain	principal.administrative_domain
ProcessID	System/ProcessID	principal.process.pid
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
HiveName	Data/HiveName	target.registry.registry_key

Provider: Microsoft-Windows-WindowsUpdateClient

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE Message set to metadata.description
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

version 0 / Provider: Microsoft-Windows-HAL

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 17

Provider: Microsoft-Windows-WHEA-Logger

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.name
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Microsoft-Windows-WindowsUpdateClient

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE Category set to security_result.category_details Message set to metadata.description
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 18

Provider: BTHUSB

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Message set to security_result.summary

Provider: Microsoft-Windows-Kernel-Boot

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: TPM

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 19

version 0 / Provider: Microsoft-Windows-WindowsUpdateClient

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
Category	Data/Category	security_result.category_details

Provider: Intel-SST-OED

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
Category		security_result.summary

Provider: Microsoft-Windows-WHEA-Logger

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED

Event ID 20

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

ErrorCode

Data/ErrorCode

security_result.summary

Format:

Error Code: %{value}

Provider: Microsoft-Windows-Kernel-Boot

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Microsoft-Windows-WindowsUpdateClient

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
updateRevisionNumber		target.resource.attribute.labels.key/value
updateTitle		target.resource.name
updateGuid		target.resource.product_object_id

Microsoft-Windows-Kernel-General

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 21

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

ErrorCode

Data/ErrorCode

security_result.summary

Format:

Error Code: %{value}

Event ID 22

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

ErrorCode

Data/ErrorCode

security_result.summary

Format:

Error Code: %{value}

Provider: Microsoft-Windows-WindowsUpdateClient

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE Category set to security_result.category_details Message set to metadata.description
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
updatelist		security_result.description

Provider: Microsoft-Windows-UserModePowerService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 23

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

ErrorCode

Data/ErrorCode

security_result.summary

Format:

Error Code: %{value}

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Message set to security_result.summary

Event ID 24

Provider: Microsoft-Windows-Kernel-General

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

version 0 / Provider: Microsoft-Windows-Kernel-General

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
ErrorMessage	Data/ErrorMessage	security_result.description
DomainPeer	Data/DomainPeer	target.administrative_domain

Provider:TPM

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
UserID	Security/UseID	principal.user.windows_sid

Event ID 25

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

Provider: Microsoft-Windows-Kernel-Boot

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 26

Provider: Application Popup

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.name
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
Caption		security_result.summary

Provider: Microsoft-Windows-CertificationAuthority

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_START target.application = "Active Directory Certificate Services"
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
DCName	Data/DCName	target.administrative_domain
CACommonName	Data/CACommonName	target.user.userid

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Target		target.hostname
Name		target.user.userid

Event ID 27

version 0 / Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_UNSPECIFIED target.application = "Event Logging Service"
ErrorCode	Data/ErrorCode	security_result.summary Format: Error Code: %{value}
NewLogFilePath	Data/NewLogFilePath	target.file.full_path

Provider: Microsoft-Windows-Kernel-Boot

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Microsoft-Windows-WindowsUpdateClient

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE Message set to metadata.description
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 28

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

ErrorCode

Data/ErrorCode

security_result.summary

Format:

Error Code: %{value}

Provider: Microsoft-Windows-WindowsUpdateClient

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE Message set to metadata.description
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 29

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

ErrorCode

Data/ErrorCode

security_result.summary

Format:

Error Code: %{value}

Event ID 30

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

ErrorCode

Data/ErrorCode

security_result.summary

Format:

Error Code: %{value}

Provider: Microsoft-Windows-Kernel-Boot

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 31

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

ErrorCode

Data/ErrorCode

security_result.summary

Format:

Error Code: %{value}

Event ID 32

Provider: e1iexpress

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Message set to security_result.summary

Provider: Microsoft-Windows-Kernel-Boot

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 33

Provider: volsnap

NXLog field	Event Viewer field	UDM field
		metadata.event_type = FILE_UNCATEGORIZED
VolumeName		target.file.full_path
DeviceName		target.resource.name

Event ID 34

Provider: Oracle.xstore

NXLog field	Event Viewer field	UDM field
		metadata.event_type = RESOURCE_READ
DBID		additional.fields.key/value
SourceName		principal.application
DATABASE_USER		principal.user.uerid
ACTION		target.process.command_line

Event ID 35

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 36

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: NPS

NXLog field

Event Viewer field

UDM field

metadata.event_type = NETWORK_CONNECTION

If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Message

Ip set to target.ip

Event ID 37

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
ClientName		principal.asset.hostname
ServerName		target.hostname

Provider: Microsoft-Windows-Kernel-Processor-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.name
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
Number	Data/Number	target.resource.attribute.labels.key/value
CapDurationInSeconds	Data/CapDurationInSeconds	target.resource.attribute.labels.key/value

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 38

Provider: Microsoft-Windows-CertificationAuthority

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_STOP target.application = "Active Directory Certificate Services"
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
CACommonName	Data/CACommonName	target.user.userid

Event ID 40

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

ErrorCode

Data/ErrorCode

security_result.summary

Format:

Error Code: %{value}

Event ID 42

version 0 Windows 10 client / Provider: Microsoft-Windows-Kernel-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

version 2 Windows 10 client /

NXLog field	Event Viewer field	UDM field
Reason	Data/Reason	security_result.description

Event ID 43

Provider: Microsoft-Windows-WindowsUpdateClient

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
updateRevisionNumber	Data/updateRevisionNumber	target.resource.attribute.labels.key/value
updateTitle	Data/updateTitle	target.resource.name
updateGuid	Data/updateGuid	target.resource.product_object_id

Provider: Microsoft-Windows-Hyper-V-Hypervisor

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 44

version 0 Windows 10 client / Provider: Microsoft-Windows-WindowsUpdateClient

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
Category	Data/Category	security_result.category_details

Event ID 45

Provider: Symantec AntiVirus

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
Data		security_result.summary

Event ID 47

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
ErrorMessage		security_result.description
ManualPeer		target.ip

Provider: Microsoft-Windows-WHEA-Logger

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.name
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 49

Provider: Microsoft-Windows-Hyper-V-Netvsc

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Status	Data/Status	security_result.summary

Event ID 50

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Ntfs

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 51

Provider: Disk

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

target_hostname set to target.hostname

Event ID 55

version 0 Windows 10 client / Provider: Microsoft-Windows-Kernel-Processor-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Ntfs

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
Outcome		security_result.summary

Event ID 57

Provider: hpqilo3

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Message set to security_result.summary

Event ID 58

Provider: partmgr

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Message set to metadata.description

Provider: volsnap

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Message set to metadata.description

Event ID 59

Provider: Microsoft-Windows-Bits-Client

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
name		target.resource.name
Id		target.resource.product_object_id
url		target.url
fileLength		target.file.size

Event ID 60

Provider: Microsoft-Windows-Bits-Client

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
name		target.resource.name
url		target.url
fileLength		target.file.size

Event ID 61

Provider: Microsoft-Windows-Bits-Client

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
name		target.resource.name
Id		target.resource.product_object_id
url		target.url
fileLength		target.file.size

Event ID 64

Provider: Microsoft-Windows-CertificateServicesClient-AutoEnrollment

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Context		target.application

Event ID 75

Provider: Microsoft-Windows-CertificationAuthority

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_UNSPECIFIED target.application set to "Active Directory Certificate Services"
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
ErrorMessageText		security_result.summary

Event ID 77

Provider: Microsoft-Windows-CertificationAuthority

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_UNSPECIFIED target.application set to "Active Directory Certificate Services"
WarningMessage		security_result.description
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 80

Provider: ocz10xx

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Data		target.hostname

Event ID 81

Provider: hpqilo2

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Provider: Microsoft-Windows-FailoverClustering-Client

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid

Event ID 98

Provider: Microsoft-Windows-Ntfs

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_HEARTBEAT
Domain	System/Domain	principal.administrative_domain
DeviceName	Data/DeviceName	principal.hostname
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 100

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

ErrorCode

Data/ErrorCode

security_result.summary

Format:

Error Code: %{value}

Provider: Microsoft-Windows-TaskScheduler

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SCHEDULED_TASK_ENABLE target.resource.resource_type = TASK
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.description
AccountName	System/AccountName	principal.user.attribute.roles.name
UserID	System/UserID	principal.user.windows_sid
TaskName	Data/TaskName	target.resource.name
InstanceId	Data/InstanceId	target.resource.product_object_id

Provider: Microsoft-Windows-EnhancedStorage-EhStorTcgDrv

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Event ID 101

Provider: Application Management Group Policy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED security_result.description" set to "ErrorCode - %{error_code}"
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 102

Provider: ESENT

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Message

Extract PID and map it to UDM field target.process.pid

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_UNSPECIFIED target.application = "Event Logging Service"
ProcessID	Data/ProcessID	principal.process.pid
ErrorCode	Data/ErrorCode	security_result.summary Format: Error Code: %{value}

Provider: Microsoft-Windows-TaskScheduler

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED target.resource.resource_type = TASK
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.attribute.roles.name
UserID	System/UserID	principal.user.windows_sid
AccountType	System/AccountType	principal.user.attribute.roles.description
TaskName	Data/TaskName	target.resource.name
InstanceId	Data/InstanceId	target.resource.product_object_id

Event ID 103

Provider: Application Management Group Policy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED security_result.description" set to "ErrorCode - %{error_code}"
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: ESENT

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Message

System/Message

Extract PID and map it to UDM field target.process.pid

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Reason	Data/Reason	security_result.description

Provider: ocz10xx

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Data		target.hostname

Event ID 104

Windows 10 client / Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_WIPE
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Windows Server 2019 /

NXLog field	Event Viewer field	UDM field
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Microsoft-Windows-Forwarding

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_RESOURCE_ACCESS
UserID	System/UserID	principal.user.windows_sid
SubscriptionManagerAddress	Data/SubscriptionManagerAddress	target.url

Provider: WudfUsbccidDriver

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.name
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 105

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Channel	Data/Channel	security_result.description
BackupPath	Data/BackupPath	target.file.full_path

Provider: Microsoft-Windows-Kernel-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid

Provider: VMTools

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_START
SourceName	Not available	target.application

Provider: WudfUsbccidDriver

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 106

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 107

version 0 Windows 10 client / Provider: Microsoft-Windows-Kernel-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

ErrorCode

Data/ErrorCode

security_result.summary

Format:

Error Code: %{value}

Provider: Microsoft-Windows-TaskScheduler

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SCHEDULED_TASK_ENABLE target.resource.resource_type = TASK
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.description
AccountName	System/AccountName	principal.user.attribute.roles.name
UserID	System/UserID	principal.user.windows_sid
TaskName	Data/TaskName	target.resource.name
InstanceId	Data/InstanceId	target.resource.product_object_id

Event ID 108

Provider: Application Management Group Policy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED security_result.description" set to "ErrorCode - %{error_code}"
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Provider: VMTools

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_STOP
SourceName	Not available	target.application

Event ID 109

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_UNSPECIFIED target.application = "Event Logging Service"
ProcessID	Data/ProcessID	principal.process.pid
ErrorCode	Data/ErrorCode	security_result.summary Format: Error Code: %{value}

Provider: Microsoft-Windows-Kernel-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_SHUTDOWN
ShutdownReason	Data/ShutdownReason	security_result.description

Event ID 110

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 111

version 0/ Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

version 0/ Provider: Microsoft-Windows-AppReadiness

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Result	Data/Result	security_result.summary

Event ID 112

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 115

Provider: Directory Synchronization

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Data

security_result.summary

Event ID 129

Provider: Microsoft-Windows-TaskScheduler

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SCHEDULED_TASK_ENABLE target.resource.resource_type = TASK
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.description
AccountName	System/AccountName	principal.user.attribute.roles.name
UserID	System/UserID	principal.user.windows_sid
Priority	Data/Priority	security_result.priority_details
Path	Data/Path	target.process.file.full_path
ProcessID	Data/ProcessID	target.process.pid
TaskName	Data/TaskName	target.resource.name

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
ErrorMessage	Data/ErrorMessage	security_result.description

Event ID 130

Provider: Microsoft-Windows-Kernel-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
ErrorMessage	Data/ErrorMessage	security_result.description
DomainPeer	Data/DomainPeer	target.administrative_domain

Event ID 131

Provider: Microsoft-Windows-Kernel-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
ErrorMessage	Data/ErrorMessage	security_result.description
DomainPeer	Data/DomainPeer	target.administrative_domain

Event ID 132

Provider: Microsoft-Windows-WinRM

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain		principal.administrative_domain
AccountName		principal.user.userid
AccountType		principal.user.attribute.roles.name

Event ID 134

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
ErrorMessage	Data/ErrorMessage	security_result.description
DomainPeer	Data/DomainPeer	target.administrative_domain

Event ID 137

Provider: Microsoft-Windows-Kernel-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Provider: Ntfs

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 138

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
DomainPeer	Data/DomainPeer	target.administrative_domain

Event ID 139

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 140

Provider: Microsoft-Windows-Ntfs

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
DeviceName		principal.hostname
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Microsoft-Windows-TaskScheduler

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SCHEDULED_TASK_MODIFICATION target.resource.resource_type = TASK
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.description
AccountName	System/AccountName	principal.user.attribute.roles.name
UserID	System/UserID	principal.user.windows_sid
TaskName	Data/TaskName	target.resource.name
UserName	Data/UserName	target.user..user_display_name

Event ID 142

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED Message set to security_result.summary
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Microsoft-Windows-WinRM

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
errorCode		security_result.summary
Domain		principal.administrative_domain
AccountName		principal.user.userid
AccountType		principal.user.attribute.roles.name

Event ID 143

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 145

Provider: Microsoft-Windows-WinRM

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
resourceUrl		target.url
AccountName		principal.user.userid
AccountType		principal.user.attribute.roles.name
Domain		principal.administrative_domain

Event ID 146

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED Message set to security_result.summary
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 153

Provider: Disk

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Message set to security_result.summary

Provider: Microsoft-Windows-Kernel-Boot

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 156

version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 157

Provider: disk

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Message set to security_result.summary

Event ID 158

Provider: Disk

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Message set to security_result.summary

target_url set to target.url

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
TimeProvider		target.resource.name

Event ID 159

version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 160

version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 161

version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED

Event ID 163

version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 164

version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 165

version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 167

Provider: Microsoft-Windows-Hyper-V-Hypervisor

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 169

Provider: Microsoft-Windows-Hyper-V-Hypervisor

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Status	Data/Status	security_result.summary

Event ID 170

Provider: Microsoft-Windows-Hyper-V-Hypervisor

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 171

version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Version	Data/Version/	principal.asset.software.version

Event ID 172

Provider: Microsoft-Windows-Kernel-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
Reason	Data/Reason	security_result.description

Event ID 173

Provider: Microsoft-Windows-Hyper-V-Hypervisor

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED

Event ID 181

version 0 / Provider: Microsoft-Windows-Kernel-Boot

NXLog field	Event Viewer field	UDM field
		metadata.event_type = status_update
Status	Data/Status	security_result.summary

Event ID 185

version 0 / Provider: Microsoft-Windows-Kernel-Boot

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Status	Data/Status	security_result.summary

Event ID 187

Provider: Microsoft-Windows-Kernel-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
ApiCallerName		principal.process.file.full_path

Event ID 195

Provider: Microsoft-Windows-USB-USBHUB3

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 196

Provider: Microsoft-Windows-USB-USBHUB3

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 200

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Provider: Microsoft-Windows-TaskScheduler

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SCHEDULED_TASK_ENABLE target.resource.resource_type = TASK
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.description
AccountName	System/AccountName	principal.user.attribute.roles.name
UserID	System/UserID	principal.user.windows_sid
TaskName	Data/TaskName	target.resource.name
TaskInstanceId	Data/TaskInstanceId	target.resource.product_object_id

Event ID 201

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Provider: Microsoft-Windows-TaskScheduler

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED target.resource.resource_type = TASK
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.description
AccountName	System/AccountName	principal.user.attribute.roles.name
UserID	System/UserID	principal.user.windows_sid
TaskName	Data/TaskName	target.resource.name
TaskInstanceId	Data/TaskInstanceId	target.resource.product_object_id

Event ID 202

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 203

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 204

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Provider: Microsoft-Windows-Security-Kerberos

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED

Event ID 205

version 0 Windows Server 2019 / Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

version 1 / Windows 10 client /

NXLog field	Event Viewer field	UDM field
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
DomainName	Data/DomainName	target.administrative_domain

version 2 / Windows 10 client /

NXLog field	Event Viewer field	UDM field
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
DomainName	Data/DomainName	target.administrative_domain

Event ID 216

version 1 / Provider: Microsoft-Windows-WindowsUpdateClient

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 219

Provider: Microsoft-Windows-Kernel-PnP

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.name
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
DriverName		target.hostname
FailureName		target.resource.name

Event ID 218

version 0 / Provider: Microsoft-Windows-WindowsUpdateClient

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 221

version 0 / Provider: Microsoft-Windows-Kernel-Boot

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 225

Provider: Microsoft-Windows-Kernel-PnP

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.name
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
DeviceInstance		target.hostname
ProcessName		target.process.file.full_path

version 0 / Provider: Microsoft-Windows-Kernel-Boot

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 233

Provider: Microsoft-Windows-Hyper-V-VmSwitch

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid

Event ID 231

version 0 / Provider: Microsoft-Windows-Kernel-Boot

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Code	Data/Code	security_result.summary set to "Code - %{Code}"

Event ID 234

Provider: Microsoft-Windows-Hyper-V-VmSwitch

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid

Event ID 238

Provider: Microsoft-Windows-Kernel-Boot

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

version 0 / Provider: Microsoft-Windows-Kernel-Boot

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

version 1 / Provider: Microsoft-Windows-Kernel-Boot

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 258

Provider: VMUpgradeHelper

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
SourceName	Not available	target.application

Event ID 260

Provider: VMUpgradeHelper

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
SourceName	Not available	target.application

Event ID 263

version 0 / Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 271

Provider: VMUpgradeHelper

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
SourceName	Not available	target.application

Event ID 272

Provider: VMUpgradeHelper

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
SourceName	Not available	target.application

Event ID 299

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 300

Provider: ESENT

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Extract PID and map it to target.process.pid

Event ID 301

Provider: ESENT

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Extract PID and map it to target.process.pid

Event ID 302

Provider: ESENT

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Extract PID and map it to target.process.pid

Event ID 304

version 0 / Provider: Microsoft-Windows-Ntfs

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Status	Data/Status	security_result.summary

Event ID 313

version 0 / Provider: Microsoft-Windows-Bits-Client

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
ErrorCode	Data/ErrorCode	security_result.summary => "ErrorCode: %{ErrorCode}"

Event ID 325

Provider: ESENT

Provider: Microsoft-Windows-TaskScheduler

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Extract PID and map it target.process.pid

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED target.resource.resource_type = TASK
TaskName		target.resource.name
QueuedTaskInstanceId		target.resource.product_object_id
Domain		principal.administrative_domain
AccountName		principal.user.attribute.roles.name
UserID		principal.user.windows_sid
AccountType		principal.user.roles.description

Event ID 326

Provider: ESENT

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Extract PID and map it to target.process.pid

Event ID 400

Provider: PowerShell

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Data_2

Extract HostName from Data_2

HostName => target.hostname

Event ID 403

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Data_9		network.http.user_agent
Domain	System/Domain	principal.administrative_domain
Data_8		principal.ip
Data_7		principal.port
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
Data_3		target.ip
Data_5		target.url

Event ID 404

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
Data_3		security_description set to %{Data_3}: %{Data_4}
Data_4		security_description set to %{Data_3}: %{Data_4}

Event ID 405

Provider: ADSync

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Data		principal.administrative_domain
Data_1		principal.user.userid

Event ID 410

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Data_4		network.http.user_agent
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
Data_10		target.ip
Data_8		target.url

Event ID 412

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 424

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE client_certificate_serial set to network.tls.client.certificate.serial client_certificate_subject set to network.tls.client.certificate.subject
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 500

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 501

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 506

Provider: Microsoft-Windows-Kernel-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE security_result.description
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid

Event ID 507

Provider: Microsoft-Windows-Kernel-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE reason_description set to security_result.description
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid

version 10 / Provider: Microsoft-Windows-Kernel-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Reason	Data/Reason	security_result.description

Event ID 508

Provider: ESENT

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Extract PID and map it to target.process.pid

Event ID 510

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Data_1		Data_1.Host set to target.hostname Data_1.User-Agent set to network.http.user_agent Data_1.X-MS-Endpoint-Absolute-Path set to target.url
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 517

Provider: Microsoft-Windows-DFSN-Server

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
UserID		principal.user.windows_sid
DfsNamespace		target.resource.name

Event ID 521

Provider: Security

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 529

Provider: Security

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_LOGIN security_result.action = BLOCK security_result.category = AUTH_VIOLATION
LogonType	Not available	extensions.auth.mechanism
Message	Not available	username set to target.user.userid domain set to target.administrative_domain target_workstation set to target.hostname

Event ID 566

Provider: Microsoft-Windows-Kernel-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Reason	Data/Reason	security_result.description

Event ID 600

Provider: PowerShell

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Category		metadata.description
SourceName		principal.application
HostApplication		target.file.full_path
ProviderName		target.resource.name

Event ID 601

Provider: Directory Synchronization

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. metadata.description = Attempt to install a service
SubjectUserName		principal.user.userid
Summary		security_result.summary
ServiceName		target.process.command_line
ServiceFileName		target.process.file.full_path

Provider: Microsoft-Windows-TaskScheduler

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.description
AccountName	System/AccountName	principal.user.attribute.roles.name
UserID	System/UserID	principal.user.windows_sid
Category	Data/Category	security_result.category_details

Event ID 781

Provider: Microsoft-Windows-Complus

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
param3	Data/param3	target.registry.registry_key

Event ID 800

Provider: PowerShell

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE metadata.description set to "Pipeline execution" security_result.summary set to "Pipeline execution details for command line"
SourceName		principal.application
UserId		principal.user.userid
HostApplication		target.file.full_path

Event ID 888

Provider: top_5

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 900

Provider: Microsoft-Windows-Security-SPP

NXLog field

Event Viewer field

UDM field

Not available

metadata.event_type = SERVICE_START

target.application = "Software Protection"

Event ID 902

Provider: Microsoft-Windows-Security-SPP

NXLog field

Event Viewer field

UDM field

Not available

metadata.event_type = SERVICE_START

target.application = "Software Protection"

Event ID 903

Provider: Microsoft-Windows-Security-SPP

NXLog field

Event Viewer field

UDM field

Not available

metadata.event_type = SERVICE_STOP

target.application = "Software Protection"

Event ID 904

Provider: Directory Synchronization

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Data

security_result.summary

Event ID 1000

Provider: Microsoft-Windows-SCPNP

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
ReaderName	Data/ReaderName	target.resource.name
ErrorCode	Data/ErrorCode	security_result.summary => "ErrorCode: %{ErrorCode}"

Provider: Microsoft-Windows-LoadPerf

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
AccountName		principal.user.attribute.roles.name
AccountType		principal.user.attribute.roles.description
UserID		principal.user.windows_sid

Event ID 1001

Provider: Microsoft Antimalware

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

target_resource_product_object_id set to target.resource.product_object_id

Provider: Microsoft-Windows-WER-SystemErrorReporting

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
param2		target.file.full_path

Provider: SNMP

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Message set to security_result.summary

Provider: Windows Error Reporting

NXLog field	Event Viewer field	UDM field
	Not available	metadata.event_type = STATUS_UPDATE

Provider: Microsoft-Windows-LoadPerf

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
AccountName		principal.user.attribute.roles.name
AccountType		principal.user.attribute.roles.description
UserID		principal.user.windows_sid

Event ID 1003

Provider: Microsoft-Windows-Search

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_START
Category	Data/Category	target.application

Provider: Microsoft-Windows-Security-SPP

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 1004

Provider: IPMIDRV

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Data		target.hostname

Provider: Microsoft-Windows-Search

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_MODIFICATION
Reason	Data/Reason	security_result.description
Category	Data/Category	target.application

Provider: SNMP

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Provider: TdIca

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

target_ip set to target.ip

target_port set to target_port

Event ID 1005

Provider: Microsoft-Windows-Search

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_MODIFICATION
Category	Data/Category	target.application

Event ID 1007

Provider: TdIca

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

target_ip set to target.ip

target_port set to target_port

Event ID 1008

Provider: Microsoft-Windows-Perflib

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
EventXML.param1		target.application
EventXML.param2		target.file.full_path

Provider: Microsoft-Windows-Search

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_START
Reason	Data/Reason	security_result.description
Category	Data/Category	target.application

Event ID 1010

Provider: Microsoft-Windows-Search

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_MODIFICATION
Category	Data/Category	target.application

Event ID 1013

Provider: Microsoft-Windows-Search

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_STOP
Category	Data/Category	target.application

Event ID 1014

Provider: Microsoft-Windows-DNS-Client

NXLog field

Event Viewer field

UDM field

metadata.event_type = NETWORK_DNS

network.ip_protocol is set to "DNS"

QueryName

network.dns.questions.name

Event ID 1016

Provider: Microsoft-Windows-Security-SPP

NXLog field	Event Viewer field	UDM field
	Not available	metadata.event_type = STATUS_UPDATE

Event ID 1023

Provider: Microsoft-Windows-Perflib

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
Library	Data/Library	target.file.full_path

Event ID 1025

Provider: Microsoft-Windows-TPM-WMI

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 1026

Provider: Microsoft-Windows-TPM-WMI

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
ErrorCode	Data/ErrorCode	security_result.summary => "ErrorCode: %{ErrorCode}

Event ID 1027

Provider: Microsoft-Windows-TPM-WMI

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 1030

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.description
AccountName	System/AccountName	principal.user.attribute.roles.name
UserID	System/UserID	principal.user.windows_sid
ErrorDescription		security_result.description
ErrorCode		security_result.summary Format: ErrorCode - %{ErrorCode}
DCName		target.administrative_domain

Provider: Microsoft-Windows-Kernel-PnP

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Device	Data/Device	target.hostname

Event ID 1031

Provider: Microsoft-Windows-Kernel-PnP

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Device	Data/Device	target.hostname

Event ID 1033

Provider: MsiInstaller

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE Extract product_name and map to target.application
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 1034

Provider: Microsoft-Windows-Security-SPP

NXLog field	Event Viewer field	UDM field
	Not available	metadata.event_type = STATUS_UPDATE

Event ID 1037

Provider: Microsoft-Windows-Security-SPP

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 1040

Provider: MsiInstaller

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE Extract process_id and map it to target.process.pid
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 1042

Provider: MsiInstaller

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE Extract process_id and map it to target.process.pid
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 1053

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.description
AccountName	System/AccountName	principal.user.attribute.roles.name
UserID	System/UserID	principal.user.windows_sid
ErrorDescription	Data/ErrorDescription	security_result.description

Event ID 1054

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.description
AccountName	System/AccountName	principal.user.attribute.roles.name
UserID	System/UserID	principal.user.windows_sid
ErrorDescription	Data/ErrorDescription	security_result.description

Event ID 1055

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.description
AccountName	System/AccountName	principal.user.attribute.roles.name
UserID	System/UserID	principal.user.windows_sid
ErrorDescription	Data/ErrorDescription	security_result.description
ErrorCode	Data/ErrorCode	security_result.summary Format: ErrorCode - %{ErrorCode}

Event ID 1056

Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

server_certificate_subject set to network.tls.server.certificate.subject

Event ID 1057

Provider: Microsoft-Windows-FailoverClustering

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED target.resource_resource_type = DATABASE
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 1058

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.description
AccountName	System/AccountName	principal.user.attribute.roles.name
UserID	System/UserID	principal.user.windows_sid
ErrorDescription	Data/ErrorDescription	security_result.description
DCName	Data/DCName	target.administrative_domain
FilePath	Data/FilePath	target.file.full_path

Event ID 1064

Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

security_result.summary

Event ID 1066

Provider: Microsoft-Windows-Security-SPP

NXLog field	Event Viewer field	UDM field
	Not available	metadata.event_type = STATUS_UPDATE

Event ID 1067

Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 1068

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
DCName	EventData.DCName	target.administrative_domain

Event ID 1069

Provider: Microsoft-Windows-FailoverClustering

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
ResourceGroup		target.group.group_display_name
ResourceName		target.resource.name

Event ID 1073

Provider: User32

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_SHUTDOWN
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.name
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
param1	Data/param1	target.hostname
param2	Data/param2	target.user.userid

Event ID 1074

Provider: User32

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_SHUTDOWN

Provider: USER32

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_SHUTDOWN

target_process_file_full_path set to target.process.file.full_path

target_hostname set to target.hostname

Provider: User32

NXLog field	Event Viewer field	UDM field
Domain		principal.administrative_domain

Provider: USER32

NXLog field	Event Viewer field	UDM field
Domain	System/Domain	principal.administrative_domain

Provider: User32

NXLog field	Event Viewer field	UDM field
param2	Data/param2	principal.hostname
param1	Data/param1	principal.process.file.full_path
AccountType		principal.user.attribute.roles.name

Provider: USER32

NXLog field	Event Viewer field	UDM field
AccountName	System/AccountName	principal.user.userid

Provider: User32

NXLog field	Event Viewer field	UDM field
UserID		principal.user.windows_sid
param3	Data/param3	security_result.description
param7	Data/param7	target.user.userid

Event ID 1076

Provider: User32

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 1085

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.description
AccountName	System/AccountName	principal.user.attribute.roles.name
UserID	System/UserID	principal.user.windows_sid
ErrorDescription	Data/ErrorDescription	security_result.description
ErrorCode	Data/ErrorCode	security_result.summary Format: ErrorCode - %{value}
DCName	Data/DCName	target.administrative_domain

Event ID 1096

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
ErrorCode		security_result.summary Format: ErrorCode - %{ErrorCode}
ErrorDescription		security_result.description
DCName		target.administrative_domain
FilePath		principal.process.file.full_path

Event ID 1100

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_STOP

target.application = "Event Logging Service"

Message

security_result.description

Event ID 1101

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 1102

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED target_ip set to target.ip target_url set to target.url client_certificate_serial set to network.tls.client.certificate.serial client_certificate_subject set to network.tls.client.certificate.subject
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: DFS Replication

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_WIPE
	SubjectDomainName	principal.administrative_domain
	SubjectUserName	principal.user.userid
	SubjectUserSid	principal.user.windows_sid

Event ID 1103

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 1104

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 1105

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
AutoBackup.BackupPath	Data/BackupPath	target.file.full_path

Event ID 1106

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Reason	Data/Reason	security_result.description

Event ID 1107

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_UNSPECIFIED target.application = "Event Logging Service"
ProcessID	Data/ProcessID	principal.process.pid
ErrorCode	Data/ErrorCode	security_result.summary Format: Error Code: %{value}

Event ID 1108

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 1112

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.description
AccountName	System/AccountName	principal.user.attribute.roles.name
UserID	System/UserID	principal.user.windows_sid
ErrorDescription		security_result.description
ErrorCode		security_result.summary Format: ErrorCode - %{ErrorCode}
DCName		target.administrative_domain
ExtensionName		target.resource.name
ExtensionId		target.resource.product_object_id

Event ID 1126

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid
Data_1		security_result.summary set to "Error: %{Data_1} - %{Data_2}"
Data_2		security_result.summary set to "Error: %{Data_1} - %{Data_2}"

Event ID 1127

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
ErrorCode		security_result.summary Format: ErrorCode - %{ErrorCode}
ErrorDescription		security_result.description
DCName		target.administrative_domain

Event ID 1128

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.description
AccountName	System/AccountName	principal.user.attribute.roles.name
UserID	System/UserID	principal.user.windows_sid
ExtensionName		target.resource.name
ExtensionId		target.resource.product_object_id

Event ID 1129

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.description
AccountName	System/AccountName	principal.user.attribute.roles.name
UserID	System/UserID	principal.user.windows_sid
ErrorDescription	Data/ErrorDescription	security_result.description

Event ID 1130

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
ErrorCode	Data/ErrorCode	security_result.summary Format: ErrorCode - %{value}
ErrorDescription	Data/ErrorDescription	security_result.description
GPOFileSystemPath	Data/GPOFileSystemPath	target.file.full_path

Event ID 1134

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 1150

Provider: Microsoft Antimalware

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

platform_version set to principal.asset.platform_software.platform_version

Event ID 1162

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 1173

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 1196

Provider: Microsoft-Windows-FailoverClustering

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.name
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
StatusString		security_result.summary
ResourceName		target.resource.name

Event ID 1200

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_LOGIN
Message		metadata.description
UserID		target.user.windows_sid

Event ID 1201

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_LOGIN
Message		metadata.description
UserID		target.user.windows_sid

Event ID 1202

Provider: SceCli

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Message

security_result.summary

Format:

summary => 0x%{error_code} - %{error_message}

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_LOGIN
Message		metadata.description
"SERVICE"		extensions.auth.mechanism
"SSO"		extensions.auth.typ
UserID		target.user.windows_sid

Event ID 1203

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_LOGIN
Message		metadata.description
"SERVICE"		extensions.auth.mechanism
"SSO"		extensions.auth.typ
UserID		target.user.windows_sid

Event ID 1204

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_CHANGE_PASSWORD
Message		metadata.description

Event ID 1205

Provider: Microsoft-Windows-FailoverClustering

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
ResourceGroup		target.group.group_display_name

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_CHANGE_PASSWORD
Message		metadata.description

Event ID 1206

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_LOGOUT
Message		metadata.description
UserID		target.user.windows_sid

Event ID 1207

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_LOGOUT
Message		metadata.description
UserID		target.user.windows_sid

Event ID 1213

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Event ID 1216

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Data_3		security_result.description
Data		security_result.summary Format: "Error Code - %{Data}"

Event ID 1226

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 1254

Provider: Microsoft-Windows-FailoverClustering

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
ResourceGroup		target.group.group_display_name

Event ID 1257

Provider: Microsoft-Windows-FailoverClustering

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
DNSZone		about.labels.key/value
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
ResourceGroup		target.group.group_display_name

Event ID 1282

Provider: Microsoft-Windows-TPM-WMI

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 1307

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName