Collect Microsoft Windows Event data

This document describes the deployment architecture, installation steps, and required configuration that produce logs supported by the Google Security Operations parser for Windows events. This document also includes information about how the parser maps fields in the original log to Google Security Operations Unified Data Model fields. For an overview of Google Security Operations data ingestion, see Data ingestion to Google Security Operations.

To ingest Windows event logs to Google Security Operations, you can use the BindPlane Agent or Google Cloud built-in ingestion. For more information regarding built-in ingestion, see Ingest Google Cloud data to Google Security Operations.

Information in this document applies to the parser with the WINEVTLOG ingestion label. The ingestion label identifies which parser normalizes raw log data to structured UDM format.

Before you begin

If your deployment includes a Windows server on Google Cloud, then we recommend that you use Google Cloud built-in ingestion. Otherwise, you can use the BindPlane Agent.

Google Cloud built-in ingestion architecture

If the Windows events have the Provider value Microsoft-Windows-Security-Auditing, then the WINEVTLOG parser supports Google Cloud built-in ingestion.

Configure Ops Agent to ingest Microsoft Windows Event logs into Google Security Operations

  1. Deploy a Windows server in Google Cloud.
  2. Configure an Ops Agent on Windows Server.
  3. Install the Cloud Logging agent on Windows Server.
  4. Enable the following export filter in the Google Security Operations instance: (log_id("winevt.raw") OR log_id("windows_event_log")). For more information, see Ingest Google Cloud data to Google Security Operations.

Configure the BindPlane Agent to ingest Microsoft Windows Event logs into Google Security Operations

Collect the Windows Event logs by using the BindPlane Agent. After installation, the BindPlane Agent service appears as the observIQ service in the list of Windows services.

  1. Install and configure the Windows servers. For more information about configuring the Windows servers, see Configure Windows server overview.

  2. Install the BindPlane Agent on the collector that is running on a Windows server. For more information about installing the BindPlane Agent, see the BindPlane Agent installation instructions.

  3. Create a configuration file for the BindPlane Agent with the following contents.

    receivers:
      windowseventlog/dfsn_serv:
        channel: Microsoft-Windows-DFSN-Server/Admin
        raw: true
      windowseventlog/operational:
        channel: Microsoft-Windows-Forwarding/Operational
        raw: true
      windowseventlog/source0__application:
        channel: application
        raw: true
      windowseventlog/source0__security:
        channel: security
        raw: true
      windowseventlog/source0__system:
        channel: system
        raw: true

    processors:
      batch:

    exporters:
      chronicle/winevtlog:
        endpoint: https://malachiteingestion-pa.googleapis.com
        creds: '{
          "type": "service_account",
          "project_id": "malachite-projectname",
          "private_key_id": "PRIVATE_KEY_ID",
          "private_key": "PRIVATE_KEY",
          "client_email": "SERVICE_ACCOUNT_NAME@malachite-PROJECT_ID.iam.gserviceaccount.com",
          "client_id": "CLIENT_ID",
          "auth_uri": "https://accounts.google.com/o/oauth2/auth",
          "token_uri": "https://oauth2.googleapis.com/token",
          "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
          "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_NAME%40malachite-PROJECT_ID.iam.gserviceaccount.com",
          "universe_domain": "googleapis.com"
        }'
        log_type: 'WINEVTLOG'
        override_log_type: false
        raw_log_field: body
        customer_id: CUSTOMER_ID

    service:
      pipelines:
        logs/winevtlog:
          receivers:
            - windowseventlog/source0__application
            - windowseventlog/source0__security
            - windowseventlog/source0__system
            - windowseventlog/dfsn_serv
            - windowseventlog/operational
          processors: [batch]
          exporters: [chronicle/winevtlog]
    
  4. Replace PRIVATE_KEY_ID, PRIVATE_KEY, SERVICE_ACCOUNT_NAME, PROJECT_ID, CLIENT_ID, and CUSTOMER_ID with the respective values from the service account JSON file, which you can download from Google Cloud. For more information about service account keys, see the Create and delete service account keys documentation.

  5. To start the observIQ agent service, select Services > Extended > observIQ Service > Start.

NXLog forwarder ingestion deployment architecture

This diagram illustrates the recommended foundational components in a deployment architecture to collect and send Microsoft Windows Event data to Google Security Operations. Compare this information with your environment to be sure these components are installed. Each customer deployment will differ from this representation and may be more complex. The following is required:

  • Systems in the deployment architecture are configured with the UTC time zone.
  • NXLog is installed on the collector Microsoft Windows server.
  • The collector Microsoft Windows server receives logs from servers, endpoints, and domain controllers.
  • Microsoft Windows systems in the deployment architecture use:
    • Source Initiated Subscriptions to collect events across multiple devices.
    • The WinRM service, enabled for remote system management.
  • NXLog is installed on the collector Microsoft Windows server to forward logs to the Google Security Operations forwarder.
  • Google Security Operations forwarder is installed on the collector Microsoft Windows or Linux server.

    Deployment architecture

Review the supported devices and versions

The Google Security Operations parser supports logs from the following Microsoft Windows Server versions. Microsoft Windows Server is released in the following editions: Foundation, Essentials, Standard, and Datacenter. The event schema of the logs generated by each edition does not differ.

  • Microsoft Windows Server 2019
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2012

The Google Security Operations parser supports logs from Microsoft Windows 10 and higher client systems.

The Google Security Operations parser supports logs collected by the NXLog Community or Enterprise Edition.

Review the supported log types

The Google Security Operations parser supports the following log types generated by Microsoft Windows systems. For more information about these log types, see the Microsoft Windows Event Log documentation. The parser supports logs generated with English-language text; logs generated in other languages are not supported.

Log Type    | Notes
Security    | Security audit and event logs.
Application | Events logged by applications or programs. If the manifest is not installed locally, application logs will have missing or hex values.
System      | Events logged by Microsoft Windows system components.

Configure the Microsoft Windows servers, endpoints, and domain controllers

  1. Install and configure the servers, endpoints, and domain controllers.
  2. Configure all systems with the UTC time zone.
  3. Configure devices to forward logs to a collector Microsoft Windows server.
  4. Configure a Source Initiated Subscription on Microsoft Windows server (Collector). For information, see Setting up a Source Initiated Subscription.
  5. Enable WinRM on Microsoft Windows servers and clients. For information, see Installation and configuration for Microsoft Windows Remote Management.

Configure the Microsoft Windows collector server

Set up a collector Microsoft Windows server to collect from systems.

  1. Configure the system with the UTC time zone.
  2. Install NXLog. Follow the NXLog documentation.
  3. Create a configuration file for NXLog. Use the im_msvistalog input module for the Microsoft Windows Server security channel logs. Replace the <hostname> and <port> values with information about the central Microsoft Windows or Linux server. See the NXLog documentation for information about the om_tcp module.

      define ROOT     C:\Program Files (x86)\nxlog
      define WINEVTLOG_OUTPUT_DESTINATION_ADDRESS <hostname>
      define WINEVTLOG_OUTPUT_DESTINATION_PORT <port>
      define CERTDIR  %ROOT%\cert
      define CONFDIR  %ROOT%\conf
      define LOGDIR   %ROOT%\data
      define LOGFILE  %LOGDIR%\nxlog.log
      LogFile %LOGFILE%
      Moduledir %ROOT%\modules
      CacheDir  %ROOT%\data
      Pidfile   %ROOT%\data\nxlog.pid
      SpoolDir  %ROOT%\data
      <Extension _json>
          Module      xm_json
      </Extension>
      <Input windows_security_eventlog>
          Module  im_msvistalog
          <QueryXML>
              <QueryList>
                  <Query Id="0">
                      <Select Path="Application">*</Select>
                      <Select Path="System">*</Select>
                      <Select Path="Security">*</Select>
                  </Query>
              </QueryList>
          </QueryXML>
          ReadFromLast  False
          SavePos  False
      </Input>
      <Output out_chronicle_windevents>
          Module      om_tcp
          Host        %WINEVTLOG_OUTPUT_DESTINATION_ADDRESS%
          Port        %WINEVTLOG_OUTPUT_DESTINATION_PORT%
          Exec        $EventTime = integer($EventTime) / 1000;
          Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;
          Exec        to_json();
      </Output>
      <Route r2>
          Path    windows_security_eventlog => out_chronicle_windevents
      </Route>
    
  4. Start the NXLog service.

Configure the central Microsoft Windows or Linux server

See the Installing and configuring the forwarder on Linux or Installing and configuring the forwarder on Microsoft Windows for information about installing and configuring the forwarder.

  1. Configure the system with the UTC time zone.
  2. Install the Google Security Operations forwarder on the central Microsoft Windows or Linux server.
  3. Configure the Google Security Operations forwarder to send logs to Google Security Operations. Here is an example forwarder configuration.

      - syslog:
          common:
            enabled: true
            data_type: WINEVTLOG
            batch_n_seconds: 10
            batch_n_bytes: 1048576
          tcp_address: 0.0.0.0:10518
          connection_timeout_sec: 60
    

Field mapping reference: Common device event fields to UDM fields

The following fields are common across multiple Event IDs and are mapped the same way.

NXLog field | UDM field
EventTime | metadata.event_timestamp
Hostname | principal.hostname; principal.asset.hostname
EventID | metadata.product_event_type is set to "%{EventID}"; security_result.rule_name is set to "EventID: %{EventID}"
SourceName | metadata.product_name is set to "%{SourceName}"
(no source field) | metadata.vendor_name is set to "Microsoft"
Category | about.labels.key/value; additional.fields.key; additional.fields.value.string_value
Channel | about.labels.key/value; additional.fields.key; additional.fields.value.string_value
Severity | security_result.severity, mapped from the original value as follows:
  Original value 0 (None) is set to UNKNOWN_SEVERITY
  Original value 1 (Critical) is set to INFORMATIONAL
  Original value 2 (Error) is set to ERROR
  Original value 3 (Warning) is set to ERROR
  Original value 4 (Informational) is set to INFORMATIONAL
  Original value 5 (Verbose) is set to INFORMATIONAL
UserID | principal.user.windows_sid
ExecutionProcessID | principal.process.pid
ProcessID | principal.process.pid
ProviderGuid | metadata.product_deployment_id
RecordNumber | metadata.product_log_id
SourceModuleName | observer.labels.key/value; additional.fields.key; additional.fields.value.string_value
SourceModuleType | observer.application
Opcode | about.labels.key/value; additional.fields.key; additional.fields.value.string_value
Keywords | additional.fields.key; additional.fields.value.string_value
ActivityID | security_result.detection_fields.key/value
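The following is an added example, not the Google Security Operations parser's own code: it applies the common-field mapping from the table above to one NXLog JSON record in Python, so that the effect of each row (including the severity table and the label/additional.fields duplication) can be seen on concrete data. The sample record is constructed (every value is made up) in the shape that NXLog's to_json() produces after the Exec lines in the NXLog configuration above have rescaled the timestamps. The field names come from the table; the choice that ProcessID wins over ExecutionProcessID when both are present is an assumption the page does not state.

```python
import json
from datetime import datetime, timezone

# Windows level -> security_result.severity, reproduced exactly as the table above documents it.
SEVERITY_MAP = {
    0: "UNKNOWN_SEVERITY",  # None
    1: "INFORMATIONAL",     # Critical
    2: "ERROR",             # Error
    3: "ERROR",             # Warning
    4: "INFORMATIONAL",     # Informational
    5: "INFORMATIONAL",     # Verbose
}

# NXLog fields the table copies into a labels list (on the named noun) and into additional.fields.
LABEL_FIELDS = {"Category": "about", "Channel": "about", "Opcode": "about", "SourceModuleName": "observer"}


def map_common_fields(record: dict) -> dict:
    """Return a UDM-shaped dict built from the common NXLog fields of one event."""
    udm = {
        "metadata": {"vendor_name": "Microsoft"},
        "principal": {},
        "security_result": {},
        "about": {"labels": []},
        "observer": {"labels": []},
        "additional": {"fields": []},
    }
    if "EventTime" in record:
        # The NXLog Exec lines divide the microsecond timestamp by 1000, so the JSON carries
        # milliseconds since the epoch; convert to an RFC 3339 string in UTC.
        ts = datetime.fromtimestamp(int(record["EventTime"]) / 1000, tz=timezone.utc)
        udm["metadata"]["event_timestamp"] = ts.isoformat()
    if "Hostname" in record:
        udm["principal"]["hostname"] = record["Hostname"]
        udm["principal"]["asset"] = {"hostname": record["Hostname"]}
    if "EventID" in record:
        udm["metadata"]["product_event_type"] = str(record["EventID"])
        udm["security_result"]["rule_name"] = f"EventID: {record['EventID']}"
    if "SourceName" in record:
        udm["metadata"]["product_name"] = record["SourceName"]
    if "Severity" in record:
        # Unknown levels fall back to UNKNOWN_SEVERITY rather than raising.
        udm["security_result"]["severity"] = SEVERITY_MAP.get(int(record["Severity"]), "UNKNOWN_SEVERITY")
    if "UserID" in record:
        udm["principal"]["user"] = {"windows_sid": record["UserID"]}
    # Both ProcessID and ExecutionProcessID map to principal.process.pid; ProcessID wins when
    # both exist (assumption: the page does not state a precedence).
    pid = record.get("ProcessID", record.get("ExecutionProcessID"))
    if pid is not None:
        udm["principal"]["process"] = {"pid": str(pid)}
    if "ProviderGuid" in record:
        udm["metadata"]["product_deployment_id"] = record["ProviderGuid"]
    if "RecordNumber" in record:
        udm["metadata"]["product_log_id"] = str(record["RecordNumber"])
    if "SourceModuleType" in record:
        udm["observer"]["application"] = record["SourceModuleType"]
    for name, noun in LABEL_FIELDS.items():
        if name in record:
            value = str(record[name])
            udm[noun]["labels"].append({"key": name, "value": value})
            udm["additional"]["fields"].append({"key": name, "value": {"string_value": value}})
    if "Keywords" in record:
        udm["additional"]["fields"].append({"key": "Keywords", "value": {"string_value": str(record["Keywords"])}})
    if "ActivityID" in record:
        udm["security_result"]["detection_fields"] = [{"key": "ActivityID", "value": record["ActivityID"]}]
    return udm


# Constructed sample record (values are made up) in the shape of one Security-channel event.
SAMPLE_RECORD = json.loads("""{
  "EventTime": 1700000000000, "Hostname": "dc01.example.local", "EventID": 4624,
  "SourceName": "Microsoft-Windows-Security-Auditing", "Severity": 4,
  "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "RecordNumber": 123456,
  "ProcessID": 712, "ExecutionProcessID": 712, "UserID": "S-1-5-18", "Channel": "Security",
  "Category": "Logon", "Opcode": "Info", "Keywords": "Audit Success",
  "SourceModuleName": "windows_security_eventlog", "SourceModuleType": "im_msvistalog",
  "ActivityID": "{00000000-0000-0000-0000-000000000001}"
}""")

if __name__ == "__main__":
    print(json.dumps(map_common_fields(SAMPLE_RECORD), indent=2))
```

Running the block prints the mapped event; the timestamp conversion is the part worth checking in your own pipeline, because a record that still carries microseconds (the Exec lines missing) would be placed centuries in the future.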

Field mapping reference: device event field to UDM field by EventID

The following section describes how NXLog and Event Viewer fields are mapped to UDM fields. Data may be mapped differently for different Microsoft Windows Event IDs.

The section heading identifies the Event ID, plus the version (for example, version 0) and operating system (for example, Microsoft Windows 10 client) if applicable. There may be more than one section for an Event ID when the mapping for a specific version or operating system differs.

Event ID 0

Provider: Directory Synchronization

metadata.event_type = STATUS_UNCATEGORIZED. If the required fields for that event type are not present, metadata.event_type is set to STATUS_UPDATE.

NXLog field | Event Viewer field | UDM field
Data | | security_result.summary

Provider: gupdate

metadata.event_type = STATUS_UPDATE

Provider: hcmon

metadata.event_type = STATUS_UPDATE
target_resource_name set to target.resource.name

Provider: edgeupdate

metadata.event_type = STATUS_UNCATEGORIZED

Event ID 1

Provider: Microsoft-Windows-FilterManager

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

NXLog field | Event Viewer field | UDM field
Domain | System/Domain | principal.administrative_domain
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid

version 0 / Provider: Microsoft-Windows-Kernel-General

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

NXLog field | Event Viewer field | UDM field
Domain | System/Domain | principal.administrative_domain
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid

version 1 / Provider: Microsoft-Windows-Kernel-General

metadata.event_type = STATUS_UPDATE

NXLog field | Event Viewer field | UDM field
Reason | Data/Reason | security_result.description
ProcessName | Data/ProcessName | principal.process.command_line
ProcessID | Data/ProcessID | principal.process.pid

Provider: Microsoft-Windows-Sysmon

metadata.event_type = PROCESS_LAUNCH

If EventLevelName contains "Information" then security_result.severity = INFORMATIONAL

NXLog field | Event Viewer field | UDM field
EventData.Hashes | | Based on the hash algorithm: MD5 set to target.process.file.md5; SHA256 set to target.process.file.sha256; SHA1 set to target.process.file.sha1
EventData.User | | Domain set to principal.administrative_domain; Username set to principal.user.userid
Description | | metadata.description
CommandLine | | target.process.command_line
Image | | target.process.file.full_path
ParentCommandLine | | target.process.parent_process.command_line
ParentImage | | target.process.parent_process.file.full_path
ParentProcessId | | target.process.parent_process.pid
ProcessId | | target.process.pid
EventOriginId | | target.process.product_specific_process_id set to "sysmon:%{EventOriginId}"
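An added example, not Sysmon's, NXLog's or Google's code, that implements the Sysmon Event ID 1 mapping above in Python: the Hashes value is split per algorithm so only MD5, SHA1 and SHA256 reach target.process.file (Sysmon also emits IMPHASH, which the table does not map), the User value is split into domain and user name, and the process and parent-process fields are filled as listed. It assumes NXLog has flattened EventData into top-level fields with the names in the table (Hashes, User, Image, and so on); the sample record is constructed and its digests are placeholder strings of the right length, not real hashes.

```python
def parse_sysmon_hashes(hashes: str) -> dict:
    """Split Sysmon's 'SHA1=...,MD5=...,SHA256=...,IMPHASH=...' string into {ALGORITHM: digest}."""
    out = {}
    for part in hashes.split(","):
        alg, sep, digest = part.partition("=")
        if sep and alg.strip():
            out[alg.strip().upper()] = digest.strip().lower()
    return out


def split_windows_user(user: str) -> tuple:
    """Split 'DOMAIN\\name' into (domain, name); a bare name yields ('', name)."""
    domain, sep, name = user.partition("\\")
    return (domain, name) if sep else ("", user)


def map_sysmon_event1(record: dict) -> dict:
    """Map one Sysmon Event ID 1 (process create) record to the UDM fields in the table above."""
    udm = {
        "metadata": {"event_type": "PROCESS_LAUNCH"},
        "principal": {},
        "security_result": {},
        "target": {"process": {"file": {}, "parent_process": {"file": {}}}},
    }
    if "Information" in record.get("EventLevelName", ""):
        udm["security_result"]["severity"] = "INFORMATIONAL"
    if "Description" in record:
        udm["metadata"]["description"] = record["Description"]
    proc = udm["target"]["process"]
    # EventData.Hashes: one digest per algorithm; only MD5, SHA1 and SHA256 are mapped.
    hashes = parse_sysmon_hashes(record.get("Hashes", ""))
    for alg in ("MD5", "SHA1", "SHA256"):
        if alg in hashes:
            proc["file"][alg.lower()] = hashes[alg]
    # EventData.User: domain -> principal.administrative_domain, name -> principal.user.userid.
    domain, name = split_windows_user(record.get("User", ""))
    if domain:
        udm["principal"]["administrative_domain"] = domain
    if name:
        udm["principal"]["user"] = {"userid": name}
    if "CommandLine" in record:
        proc["command_line"] = record["CommandLine"]
    if "Image" in record:
        proc["file"]["full_path"] = record["Image"]
    if "ProcessId" in record:
        proc["pid"] = str(record["ProcessId"])
    parent = proc["parent_process"]
    if "ParentCommandLine" in record:
        parent["command_line"] = record["ParentCommandLine"]
    if "ParentImage" in record:
        parent["file"]["full_path"] = record["ParentImage"]
    if "ParentProcessId" in record:
        parent["pid"] = str(record["ParentProcessId"])
    if "EventOriginId" in record:
        proc["product_specific_process_id"] = f"sysmon:{record['EventOriginId']}"
    return udm


# Constructed sample record (all values made up; digests are placeholder characters).
SAMPLE_SYSMON = {
    "EventID": 1,
    "EventLevelName": "Information",
    "Description": "Windows Command Processor",
    "Hashes": "SHA1=%s,MD5=%s,SHA256=%s,IMPHASH=%s" % ("a" * 40, "b" * 32, "c" * 64, "d" * 32),
    "User": "EXAMPLE\\jdoe",
    "CommandLine": "cmd.exe /c dir",
    "Image": "C:\\Windows\\System32\\cmd.exe",
    "ProcessId": 4120,
    "ParentCommandLine": "C:\\Windows\\Explorer.EXE",
    "ParentImage": "C:\\Windows\\explorer.exe",
    "ParentProcessId": 3380,
    "EventOriginId": "{00000000-0000-0000-0000-00000000abcd}",
}

if __name__ == "__main__":
    import json
    print(json.dumps(map_sysmon_event1(SAMPLE_SYSMON), indent=2))
```

The hash splitter is the piece to reuse when writing detections over these events: match on target.process.file.sha256 rather than on the raw Hashes string, because the algorithm order in that string depends on the Sysmon configuration.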

Provider: SecurityCenter

metadata.event_type = SERVICE_START

NXLog field | Event Viewer field | UDM field
SourceName | Not available | target.application

Provider: telegraf

metadata.event_type = STATUS_UNCATEGORIZED

NXLog field | Event Viewer field | UDM field
Data | | security_result.description

Provider: WudfUsbccidDriver

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

NXLog field | Event Viewer field | UDM field
Context | Data/Context | security_result.description

Event ID 2

Provider: MEIx64

metadata.event_type = STATUS_UPDATE
Message set to security_result.summary

Provider: SecurityCenter

metadata.event_type = SERVICE_STOP

NXLog field | Event Viewer field | UDM field
SourceName | Not available | target.application

Provider: vmci

metadata.event_type = STATUS_UPDATE
Message set to security_result.summary

Provider: Microsoft-Windows-WHEA-Logger

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 3

version 3 / Provider: Microsoft-Windows-Power-Troubleshooter

metadata.event_type = STATUS_STARTUP

NXLog field | Event Viewer field | UDM field
Domain | System/Domain | principal.administrative_domain
AccountType | System/AccountType | principal.user.attribute.roles.name
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid
SleepTime | Data/SleepTime | target.resource.attribute.labels.key/value
WakeTime | Data/WakeTime | target.resource.attribute.labels.key/value
WakeSourceType | Data/WakeSourceType | target.resource.attribute.labels.key/value
WakeSourceText | Data/WakeSourceText | target.resource.attribute.labels.key/value

Provider: Microsoft-Windows-Security-Kerberos

metadata.event_type = STATUS_UNCATEGORIZED

NXLog field | Event Viewer field | UDM field
File | | target.file.full_path

Provider: Virtual Disk Service

metadata.event_type = STATUS_UNCATEGORIZED

Provider: vmci

metadata.event_type = STATUS_UPDATE

Provider: Microsoft-Windows-Bits-Client

metadata.event_type = STATUS_UPDATE

NXLog field | Event Viewer field | UDM field
jobTitle | | target.resource.name
processPath | | target.process.file.full_path

Event ID 4

Provider: Microsoft-Windows-Security-Kerberos

metadata.event_type = STATUS_UNCATEGORIZED

NXLog field | Event Viewer field | UDM field
Server | | target.hostname

Provider: Virtual Disk Service

metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary

Provider: Microsoft-Windows-Bits-Client

metadata.event_type = STATUS_UPDATE

NXLog field | Event Viewer field | UDM field
name | | target.resource.name
Id | | target.resource.product_object_id
url | | target.url
fileLength | | target.file.size

Event ID 5

Provider: iScsiPrt

metadata.event_type = STATUS_UPDATE
Message set to security_result.summary

Provider: McAfee Service Controller

metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary

Provider: Microsoft-Windows-Search-ProfileNotify

metadata.event_type = SERVICE_MODIFICATION

NXLog field | Event Viewer field | UDM field
SourceName | | target.application
User | Data/User | target.user.userid

Event ID 6

Provider: Microsoft-Windows-CertificateServicesClient-AutoEnrollment

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

ErrorCode

security_result.summary

Format:

%{ErrorCode}-%{ErrorMsg}

ErrorMsg

security_result.summary

Format:

%{ErrorCode}-%{ErrorMsg}

Context

target.application

Provider: Microsoft-Windows-FilterManager

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

Provider: WudfUsbccidDriver

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 7

Provider: AdmPwd

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

If the required fields for the above-mentioned metadata.event_type are not present, then metadata.event_type is set to STATUS_UPDATE.

Data

security_result.summary

Format:

"Error: %{Data}"

Provider: WudfUsbccidDriver

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 8

Provider: CylanceSvc

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Provider: WSH

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Data_1

principal.labels.key/value

additional.fields.key

additional.fields.value.string_value

Data_2

principal.labels.key/value

additional.fields.key

additional.fields.value.string_value

Data_3

principal.process.command_line

Message

metadata.description

Event ID 9

Provider: volsnap

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

VolumeName

target.file.full_path

Event ID 10

Provider: WudfUsbccidDriver

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Event ID 11

Provider: Microsoft-Windows-Hyper-V-Netvsc

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

MiniportName

target.resource.name

AccountType

principal.user.attribute.roles.name

Provider: Microsoft-Windows-Kernel-General

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

Provider: WudfUsbccidDriver

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Error

Data/Error

security_result.summary is set to "ErrorCode: %{Error}"

Provider: Microsoft-Windows-Wininit

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 12

Provider: Microsoft-Windows-Kernel-General

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_STARTUP

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

AccountType

principal.user.attribute.roles.name

Provider: Microsoft-Windows-Sysmon

metadata.event_type = REGISTRY_CREATION

If EventLevelName =~ "Information" then security_result.severity = INFORMATIONAL

NXLog field | Event Viewer field | UDM field
EventOriginId | | target.process.product_specific_process_id set to "sysmon: %{EventOriginId}"
EventData/EventType | | target.registry.registry_key
EventData/TargetObject | | target.registry.registry_value_name
ProcessId | | principal.process.pid

Provider: Microsoft-Windows-Time-Service

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

Provider: Microsoft-Windows-UserModePowerService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.name

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

ProcessPath

target.process.file.full_path

NewSchemeGuid

target.resource.product_object_id

Provider: Microsoft-Windows-EnhancedStorage-EhStorTcgDrv

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Event ID 13

Provider: Microsoft-Windows-Kernel-General

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_SHUTDOWN

Provider: Microsoft-Windows-Sysmon

metadata.event_type = REGISTRY_MODIFICATION

If EventLevelName =~ "Information" then security_result.severity = INFORMATIONAL

NXLog field | Event Viewer field | UDM field
ProcessId | | principal.process.pid
EventOriginId | | target.process.product_specific_process_id set to "sysmon: %{EventOriginId}"
EventData/EventType | | target.registry.registry_key
EventData/Details | | target.registry.registry_value_data

Provider: Microsoft-Windows-CertificateServicesClient-CertEnroll

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

principal.administrative_domain

AccountName

principal.user.userid

AccountType

principal.user.attribute.roles.name

Message

metadata.description

UserID

principal.user.windows_sid

CA

about.labels.key/value

additional.fields.key

additional.fields.value.string_value

ErrorCode

security_result.summary

Format: security_result.summary is set to %{error_code} - %{error_message}

Provider: NPS

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Data

target.ip

Event ID 14

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

If the required fields for the above-mentioned metadata.event_type are not present, then metadata.event_type is set to STATUS_UPDATE.

ClientName

principal.asset.attribute.labels.key/value

Target

target.application

Account

target.hostname

Provider: Microsoft-Windows-Wininit

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Domain

System/Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

Provider: Microsoft-Windows-Hyper-V-Hypervisor

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Error

Data/Error

security_result.description

Format:

Error - %{value}

Provider: TPM

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

NXLog field | Event Viewer field | UDM field
UserID | Security/UserID | principal.user.windows_sid

Event ID 15

Provider: Disk

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

target_hostname set to target.hostname

Provider: Microsoft-Windows-Kernel-General

NXLog field

Event Viewer field

UDM field

metadata.event_type = REGISTRY_UNCATEGORIZED

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

NewSize

Data/NewSize

target.file.size

HiveName

Data/HiveName

target.registry.registry_key

AccountType

principal.user.attribute.roles.name

Provider: SecurityCenter

NXLog field

Event Viewer field

UDM field

Not available

metadata.event_type = STATUS_UPDATE

Provider: TPM

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

NXLog field | Event Viewer field | UDM field
UserID | Security/UserID | principal.user.windows_sid

Event ID 16

Provider: Microsoft-Windows-HAL

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Domain

System/Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

If the required fields for the above-mentioned metadata.event_type are not present, then metadata.event_type is set to STATUS_UPDATE.

ClientName

principal.asset.attribute.labels.key/value

Target

target.application

Account

target.hostname

Provider: Microsoft-Windows-Kernel-General

NXLog field

Event Viewer field

UDM field

metadata.event_type = REGISTRY_MODIFICATION

Domain

System/Domain

principal.administrative_domain

ProcessID

System/ProcessID

principal.process.pid

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

HiveName

Data/HiveName

target.registry.registry_key

AccountType

principal.user.attribute.roles.name

Provider: Microsoft-Windows-WindowsUpdateClient

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Message set to metadata.description

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

version 0 / Provider: Microsoft-Windows-HAL

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 17

Provider: Microsoft-Windows-WHEA-Logger

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.name

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

Provider: Microsoft-Windows-WindowsUpdateClient

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Category set to security_result.category_details

Message set to metadata.description

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

Event ID 18

Provider: BTHUSB

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Message set to security_result.summary

Provider: Microsoft-Windows-Kernel-Boot

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the required fields for the above-mentioned metadata.event_type are not present, then metadata.event_type is set to STATUS_UPDATE.

Domain

System/Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

Provider: TPM

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 19

version 0 / Provider: Microsoft-Windows-WindowsUpdateClient

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

Category

Data/Category

security_result.category_details

Provider: Intel-SST-OED

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Domain

System/Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

System/AccountName

principal.user.userid

Category

security_result.summary

Provider: Microsoft-Windows-WHEA-Logger

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Event ID 20

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

ErrorCode

Data/ErrorCode

security_result.summary

Format:

Error Code: %{value}

Provider: Microsoft-Windows-Kernel-Boot

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the required fields for the above-mentioned metadata.event_type are not present, then metadata.event_type is set to STATUS_UPDATE.

Domain

System/Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

Provider: Microsoft-Windows-WindowsUpdateClient

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

updateRevisionNumber

target.resource.attribute.labels.key

target.resource.attribute.labels.value

updateTitle

target.resource.name

updateGuid

target.resource.product_object_id

Provider: Microsoft-Windows-Kernel-General

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Event ID 21

Provider: Microsoft-Windows-Eventlog

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| ErrorCode | Data/ErrorCode | security_result.summary (Format: Error Code: %{value}) |

Event ID 22

Provider: Microsoft-Windows-Eventlog

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| ErrorCode | Data/ErrorCode | security_result.summary (Format: Error Code: %{value}) |

Provider: Microsoft-Windows-WindowsUpdateClient

metadata.event_type = STATUS_UPDATE

Category set to security_result.category_details

Message set to metadata.description

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| updatelist | | security_result.description |

Provider: Microsoft-Windows-UserModePowerService

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 23

Provider: Microsoft-Windows-Eventlog

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| ErrorCode | Data/ErrorCode | security_result.summary (Format: Error Code: %{value}) |

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center

metadata.event_type = STATUS_UNCATEGORIZED

Message set to security_result.summary

Event ID 24

Provider: Microsoft-Windows-Kernel-General

metadata.event_type = STATUS_UPDATE

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| AccountType | | principal.user.attribute.roles.name |

version 0 / Provider: Microsoft-Windows-Kernel-General

metadata.event_type = STATUS_UPDATE

Provider: Microsoft-Windows-Time-Service

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| ErrorMessage | Data/ErrorMessage | security_result.description |
| DomainPeer | Data/DomainPeer | target.administrative_domain |

Provider: TPM

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| UserID | Security/UserID | principal.user.windows_sid |

Event ID 25

Provider: Microsoft-Windows-Eventlog

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

Provider: Microsoft-Windows-Kernel-Boot

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the required fields for the metadata.event_type above are not present, metadata.event_type is set to STATUS_UPDATE.

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 26

Provider: Application Popup

metadata.event_type = STATUS_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| Caption | | security_result.summary |

Provider: Microsoft-Windows-CertificationAuthority

metadata.event_type = SERVICE_START

target.application = "Active Directory Certificate Services"

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| DCName | Data/DCName | target.administrative_domain |
| CACommonName | Data/CACommonName | target.user.userid |

Provider: Microsoft-Windows-Eventlog

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center

metadata.event_type = STATUS_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Target | | target.hostname |
| Name | | target.user.userid |

Event ID 27

version 0 / Provider: Microsoft-Windows-Eventlog

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| ErrorCode | Data/ErrorCode | security_result.summary (Format: Error Code: %{value}) |
| NewLogFilePath | Data/NewLogFilePath | target.file.full_path |

Provider: Microsoft-Windows-Kernel-Boot

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the required fields for the metadata.event_type above are not present, metadata.event_type is set to STATUS_UPDATE.

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Provider: Microsoft-Windows-WindowsUpdateClient

metadata.event_type = STATUS_UPDATE

Message set to metadata.description

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 28

Provider: Microsoft-Windows-Eventlog

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| ErrorCode | Data/ErrorCode | security_result.summary (Format: Error Code: %{value}) |

Provider: Microsoft-Windows-WindowsUpdateClient

metadata.event_type = STATUS_UPDATE

Message set to metadata.description

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 29

Provider: Microsoft-Windows-Eventlog

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| ErrorCode | Data/ErrorCode | security_result.summary (Format: Error Code: %{value}) |

Event ID 30

Provider: Microsoft-Windows-Eventlog

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| ErrorCode | Data/ErrorCode | security_result.summary (Format: Error Code: %{value}) |

Provider: Microsoft-Windows-Kernel-Boot

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 31

Provider: Microsoft-Windows-Eventlog

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| ErrorCode | Data/ErrorCode | security_result.summary (Format: Error Code: %{value}) |

Event ID 32

Provider: e1iexpress

metadata.event_type = STATUS_UPDATE

Message set to security_result.summary

Provider: Microsoft-Windows-Kernel-Boot

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the required fields for the metadata.event_type above are not present, metadata.event_type is set to STATUS_UPDATE.

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 33

Provider: volsnap

metadata.event_type = FILE_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| VolumeName | | target.file.full_path |
| DeviceName | | target.resource.name |

Event ID 34

Provider: Oracle.xstore

metadata.event_type = RESOURCE_READ

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| DBID | | additional.fields.key/value |
| ProcessId | | principal.process.pid |
| SourceName | | principal.application |
| DATABASE_USER | | principal.user.userid |
| ACTION | | target.process.command_line |

Event ID 35

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center

metadata.event_type = STATUS_UNCATEGORIZED

If the required fields for the metadata.event_type above are not present, metadata.event_type is set to STATUS_UPDATE.

Provider: Microsoft-Windows-Time-Service

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 36

Provider: Microsoft-Windows-Time-Service

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Provider: NPS

metadata.event_type = NETWORK_CONNECTION

If the required fields for the metadata.event_type above are not present, metadata.event_type is set to STATUS_UPDATE.

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Message | | Ip set to target.ip |

Event ID 37

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center

metadata.event_type = STATUS_UNCATEGORIZED

If the required fields for the metadata.event_type above are not present, metadata.event_type is set to STATUS_UPDATE.

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| ClientName | | principal.asset.attribute.labels.key/value |
| ServerName | | target.hostname |

Provider: Microsoft-Windows-Kernel-Processor-Power

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| Number | Data/Number | target.resource.attribute.labels.key, target.resource.attribute.labels.value |
| CapDurationInSeconds | Data/CapDurationInSeconds | target.resource.attribute.labels.key, target.resource.attribute.labels.value |

Provider: Microsoft-Windows-Time-Service

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 38

Provider: Microsoft-Windows-CertificationAuthority

metadata.event_type = SERVICE_STOP

target.application = "Active Directory Certificate Services"

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| CACommonName | Data/CACommonName | target.user.userid |

Event ID 40

Provider: Microsoft-Windows-Eventlog

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| ErrorCode | Data/ErrorCode | security_result.summary (Format: Error Code: %{value}) |

Event ID 42

version 0 Windows 10 client / Provider: Microsoft-Windows-Kernel-Power

metadata.event_type = STATUS_UPDATE

version 2 Windows 10 client /

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Reason | Data/Reason | security_result.description |

Event ID 43

Provider: Microsoft-Windows-WindowsUpdateClient

metadata.event_type = STATUS_UPDATE

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| updateRevisionNumber | Data/updateRevisionNumber | target.resource.attribute.labels.key, target.resource.attribute.labels.value |
| updateTitle | Data/updateTitle | target.resource.name |
| updateGuid | Data/updateGuid | target.resource.product_object_id |

Provider: Microsoft-Windows-Hyper-V-Hypervisor

metadata.event_type = STATUS_UPDATE

Event ID 44

version 0 Windows 10 client / Provider: Microsoft-Windows-WindowsUpdateClient

metadata.event_type = STATUS_UPDATE

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| AccountType | | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |
| Category | Data/Category | security_result.category_details |

Event ID 45

Provider: Symantec AntiVirus

metadata.event_type = STATUS_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | | principal.user.userid |
| Data | | security_result.summary |

Event ID 47

Provider: Microsoft-Windows-Time-Service

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| ErrorMessage | | security_result.description |
| ManualPeer | | target.ip |

Provider: Microsoft-Windows-WHEA-Logger

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 49

Provider: Microsoft-Windows-Hyper-V-Netvsc

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Status | Data/Status | security_result.summary |

Event ID 50

Provider: Microsoft-Windows-Time-Service

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Provider: Ntfs

metadata.event_type = STATUS_UPDATE

Event ID 51

Provider: Disk

metadata.event_type = STATUS_UNCATEGORIZED

target_hostname set to target.hostname

Event ID 55

version 0 Windows 10 client / Provider: Microsoft-Windows-Kernel-Processor-Power

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Provider: Ntfs

metadata.event_type = STATUS_UPDATE

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| AccountType | | principal.user.attribute.roles.name |
| Outcome | | security_result.summary |

Event ID 57

Provider: hpqilo3

metadata.event_type = STATUS_UNCATEGORIZED

Message set to security_result.summary

Event ID 58

Provider: partmgr

metadata.event_type = STATUS_UNCATEGORIZED

Message set to metadata.description

Provider: volsnap

metadata.event_type = STATUS_UPDATE

Message set to metadata.description

Event ID 59

Provider: Microsoft-Windows-Bits-Client

metadata.event_type = STATUS_UPDATE

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| name | | target.resource.name |
| Id | | target.resource.product_object_id |
| url | | target.url |
| fileLength | | target.file.size |

Event ID 60

Provider: Microsoft-Windows-Bits-Client

metadata.event_type = STATUS_UPDATE

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| name | | target.resource.name |
| url | | target.url |
| fileLength | | target.file.size |

Event ID 61

Provider: Microsoft-Windows-Bits-Client

metadata.event_type = STATUS_UPDATE

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| name | | target.resource.name |
| Id | | target.resource.product_object_id |
| url | | target.url |
| fileLength | | target.file.size |

Event ID 64

Provider: Microsoft-Windows-CertificateServicesClient-AutoEnrollment

metadata.event_type = STATUS_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Context | | target.application |

Event ID 75

Provider: Microsoft-Windows-CertificationAuthority

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Active Directory Certificate Services"

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | | principal.user.userid |
| ErrorMessageText | | security_result.summary |

Event ID 77

Provider: Microsoft-Windows-CertificationAuthority

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Active Directory Certificate Services"

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| WarningMessage | | security_result.description |
| Domain | | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | | principal.user.userid |
| UserID | | principal.user.windows_sid |

Event ID 80

Provider: ocz10xx

metadata.event_type = STATUS_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Data | | target.hostname |

Event ID 81

Provider: hpqilo2

metadata.event_type = STATUS_UPDATE

Provider: Microsoft-Windows-FailoverClustering-Client

metadata.event_type = STATUS_UPDATE

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |

Event ID 98

Provider: Microsoft-Windows-Ntfs

metadata.event_type = STATUS_HEARTBEAT

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| DeviceName | Data/DeviceName | principal.hostname |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 100

Provider: Microsoft-Windows-Eventlog

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| ErrorCode | Data/ErrorCode | security_result.summary (Format: Error Code: %{value}) |

Provider: Microsoft-Windows-TaskScheduler

metadata.event_type = SCHEDULED_TASK_ENABLE

target.resource.resource_type = TASK

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |
| TaskName | Data/TaskName | target.resource.name |
| InstanceId | Data/InstanceId | target.resource.product_object_id |
| UserContext | | target.user.user_display_name |

Provider: Microsoft-Windows-EnhancedStorage-EhStorTcgDrv

metadata.event_type = STATUS_UPDATE

Event ID 101

Provider: Application Management Group Policy

metadata.event_type = STATUS_UNCATEGORIZED

security_result.description = "ErrorCode - %{error_code}"

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 102

Provider: ESENT

metadata.event_type = SERVICE_UNSPECIFIED

If the required fields for the metadata.event_type above are not present, metadata.event_type is set to STATUS_UPDATE.

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Message | | The PID is extracted from the message and mapped to target.process.pid |

Provider: Microsoft-Windows-Eventlog

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| ProcessID | Data/ProcessID | principal.process.pid |
| ErrorCode | Data/ErrorCode | security_result.summary (Format: Error Code: %{value}) |

Provider: Microsoft-Windows-TaskScheduler

metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED

target.resource.resource_type = TASK

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| TaskName | Data/TaskName | target.resource.name |
| InstanceId | Data/InstanceId | target.resource.product_object_id |

Event ID 103

Provider: Application Management Group Policy

metadata.event_type = STATUS_UNCATEGORIZED

security_result.description = "ErrorCode - %{error_code}"

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Provider: ESENT

metadata.event_type = SERVICE_UNSPECIFIED

If the required fields for the metadata.event_type above are not present, metadata.event_type is set to STATUS_UPDATE.

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Message | System/Message | The PID is extracted from the message and mapped to target.process.pid |

Provider: Microsoft-Windows-Eventlog

metadata.event_type = STATUS_UPDATE

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Reason | Data/Reason | security_result.description |

Provider: ocz10xx

metadata.event_type = STATUS_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Data | | target.hostname |

Event ID 104

Windows 10 client / Provider: Microsoft-Windows-Eventlog

metadata.event_type = SYSTEM_AUDIT_LOG_WIPE

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| Message | | metadata.description |
| UserID | System/UserID | principal.user.windows_sid |

Windows Server 2019 /

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Provider: Microsoft-Windows-Forwarding

metadata.event_type = USER_RESOURCE_ACCESS

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| UserID | System/UserID | principal.user.windows_sid |
| SubscriptionManagerAddress | Data/SubscriptionManagerAddress | target.url |

Provider: WudfUsbccidDriver

metadata.event_type = STATUS_UPDATE

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 105

Provider: Microsoft-Windows-Eventlog

metadata.event_type = STATUS_UPDATE

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Channel | Data/Channel | security_result.description |
| BackupPath | Data/BackupPath | target.file.full_path |

Provider: Microsoft-Windows-Kernel-Power

metadata.event_type = STATUS_UPDATE

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |

Provider: VMTools

metadata.event_type = SERVICE_START

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| SourceName | Not available | target.application |

Provider: WudfUsbccidDriver

metadata.event_type = STATUS_UPDATE

Event ID 106

Provider: Microsoft-Windows-Eventlog

metadata.event_type = STATUS_UPDATE

Event ID 107

version 0 Windows 10 client / Provider: Microsoft-Windows-Kernel-Power

metadata.event_type = STATUS_UPDATE

Provider: Microsoft-Windows-Eventlog

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| ErrorCode | Data/ErrorCode | security_result.summary (Format: Error Code: %{value}) |

Provider: Microsoft-Windows-TaskScheduler

metadata.event_type = SCHEDULED_TASK_ENABLE

target.resource.resource_type = TASK

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |
| TaskName | Data/TaskName | target.resource.name |
| InstanceId | Data/InstanceId | target.resource.product_object_id |

Event ID 108

Provider: Application Management Group Policy

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

security_result.description = "ErrorCode - %{error_code}"

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Provider: Microsoft-Windows-Eventlog

metadata.event_type = STATUS_UPDATE

Provider: VMTools

metadata.event_type = SERVICE_STOP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| SourceName | Not available | target.application |

Event ID 109

Provider: Microsoft-Windows-Eventlog

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| ProcessID | Data/ProcessID | principal.process.pid |
| ErrorCode | Data/ErrorCode | security_result.summary (Format: Error Code: %{value}) |

Provider: Microsoft-Windows-Kernel-Power

metadata.event_type = STATUS_SHUTDOWN

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| ShutdownReason | Data/ShutdownReason | security_result.description |

Event ID 110

Provider: Microsoft-Windows-Eventlog

metadata.event_type = STATUS_UPDATE

Event ID 111

version 0 / Provider: Microsoft-Windows-Eventlog

metadata.event_type = STATUS_UPDATE

version 0 / Provider: Microsoft-Windows-AppReadiness

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Result | Data/Result | security_result.summary |

Event ID 112

Provider: Microsoft-Windows-Eventlog

metadata.event_type = STATUS_UPDATE

Event ID 115

Provider: Directory Synchronization

metadata.event_type = STATUS_UNCATEGORIZED

If the required fields for the metadata.event_type above are not present, metadata.event_type is set to STATUS_UPDATE.

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Data | | security_result.summary |

Event ID 129

Provider: Microsoft-Windows-TaskScheduler

metadata.event_type = SCHEDULED_TASK_ENABLE

target.resource.resource_type = TASK

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |
| Priority | Data/Priority | security_result.priority_details |
| Path | Data/Path | target.process.file.full_path |
| ProcessID | Data/ProcessID | target.process.pid |
| TaskName | Data/TaskName | target.resource.name |

Provider: Microsoft-Windows-Time-Service

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| ErrorMessage | Data/ErrorMessage | security_result.description |

Event ID 130

Provider: Microsoft-Windows-Kernel-Power

metadata.event_type = STATUS_UPDATE

Provider: Microsoft-Windows-Time-Service

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| ErrorMessage | Data/ErrorMessage | security_result.description |
| DomainPeer | Data/DomainPeer | target.administrative_domain |

Event ID 131

Provider: Microsoft-Windows-Kernel-Power

metadata.event_type = STATUS_UPDATE

Provider: Microsoft-Windows-Time-Service

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| ErrorMessage | Data/ErrorMessage | security_result.description |
| DomainPeer | Data/DomainPeer | target.administrative_domain |

Event ID 132

Provider: Microsoft-Windows-WinRM

metadata.event_type = STATUS_UPDATE

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | | principal.administrative_domain |
| AccountName | | principal.user.userid |
| AccountType | | principal.user.attribute.roles.name |

Event ID 134

Provider: Microsoft-Windows-Time-Service

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| ErrorMessage | Data/ErrorMessage | security_result.description |
| DomainPeer | Data/DomainPeer | target.administrative_domain |

Event ID 137

Provider: Microsoft-Windows-Kernel-Power

metadata.event_type = STATUS_UPDATE

Provider: Ntfs

metadata.event_type = STATUS_UPDATE

Event ID 138

Provider: Microsoft-Windows-Time-Service

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| DomainPeer | Data/DomainPeer | target.administrative_domain |

Event ID 139

Provider: Microsoft-Windows-Time-Service

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 140

Provider: Microsoft-Windows-Ntfs

metadata.event_type = STATUS_UNCATEGORIZED

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| DeviceName | | principal.hostname |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Provider: Microsoft-Windows-TaskScheduler

metadata.event_type = SCHEDULED_TASK_MODIFICATION

target.resource.resource_type = TASK

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |
| TaskName | Data/TaskName | target.resource.name |
| UserName | Data/UserName | target.user.user_display_name |

Event ID 142

Provider: Microsoft-Windows-Time-Service

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Message set to security_result.summary

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Provider: Microsoft-Windows-WinRM

metadata.event_type = STATUS_UPDATE

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| errorCode | | security_result.summary |
| Domain | | principal.administrative_domain |
| AccountName | | principal.user.userid |
| AccountType | | principal.user.attribute.roles.name |

Event ID 143

Provider: Microsoft-Windows-Time-Service

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

Event ID 145

Provider: Microsoft-Windows-WinRM

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

resourceUrl

target.url

AccountName

principal.user.userid

AccountType

principal.user.attribute.roles.name

Domain

principal.administrative_domain

Event ID 146

Provider: Microsoft-Windows-Time-Service

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Message set to security_result.summary

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

Event ID 153

Provider: Disk

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| | | Message set to security_result.summary |

Provider: Microsoft-Windows-Kernel-Boot

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| | | If the required fields for the above metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| AccountType | | principal.user.attribute.roles.name |

Event ID 156

version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 157

Provider: disk

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| | | Message set to security_result.summary |

Event ID 158

Provider: Disk

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| | | Message set to security_result.summary |
| | | target_url set to target.url |

Provider: Microsoft-Windows-Time-Service

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| TimeProvider | | target.resource.name |

Event ID 159

version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |

Event ID 160

version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |

Event ID 161

version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |

Event ID 163

version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |

Event ID 164

version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |

Event ID 165

version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 167

Provider: Microsoft-Windows-Hyper-V-Hypervisor

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 169

Provider: Microsoft-Windows-Hyper-V-Hypervisor

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Status | Data/Status | security_result.summary |

Event ID 170

Provider: Microsoft-Windows-Hyper-V-Hypervisor

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 171

version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Version | Data/Version | principal.asset.software.version |

Event ID 172

Provider: Microsoft-Windows-Kernel-Power

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| Reason | Data/Reason | security_result.description |

Event ID 173

Provider: Microsoft-Windows-Hyper-V-Hypervisor

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |

Event ID 181

version 0 / Provider: Microsoft-Windows-Kernel-Boot

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Status | Data/Status | security_result.summary |

Event ID 185

version 0 / Provider: Microsoft-Windows-Kernel-Boot

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Status | Data/Status | security_result.summary |

Event ID 187

Provider: Microsoft-Windows-Kernel-Power

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| ApiCallerName | | principal.process.file.full_path |

Event ID 195

Provider: Microsoft-Windows-USB-USBHUB3

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 196

Provider: Microsoft-Windows-USB-USBHUB3

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 200

Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Provider: Microsoft-Windows-TaskScheduler

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SCHEDULED_TASK_ENABLE |
| | | target.resource.resource_type = TASK |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |
| TaskName | Data/TaskName | target.resource.name |
| TaskInstanceId | Data/TaskInstanceId | target.resource.product_object_id |

Event ID 201

Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Provider: Microsoft-Windows-TaskScheduler

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED |
| | | target.resource.resource_type = TASK |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |
| TaskName | Data/TaskName | target.resource.name |
| TaskInstanceId | Data/TaskInstanceId | target.resource.product_object_id |

Event ID 202

Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 203

Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 204

Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Provider: Microsoft-Windows-Security-Kerberos

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |

Event ID 205

version 0 / Windows Server 2019 / Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

version 1 / Windows 10 client

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| DomainName | Data/DomainName | target.administrative_domain |

version 2 / Windows 10 client

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| DomainName | Data/DomainName | target.administrative_domain |

Event ID 216

version 1 / Provider: Microsoft-Windows-WindowsUpdateClient

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 218

version 0 / Provider: Microsoft-Windows-WindowsUpdateClient

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 219

Provider: Microsoft-Windows-Kernel-PnP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| DriverName | | target.hostname |
| FailureName | | target.resource.name |

Event ID 221

version 0 / Provider: Microsoft-Windows-Kernel-Boot

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 225

Provider: Microsoft-Windows-Kernel-PnP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| DeviceInstance | | target.hostname |
| ProcessName | | target.process.file.full_path |

version 0 / Provider: Microsoft-Windows-Kernel-Boot

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 231

version 0 / Provider: Microsoft-Windows-Kernel-Boot

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Code | Data/Code | security_result.summary set to "Code - %{Code}" |

Event ID 233

Provider: Microsoft-Windows-Hyper-V-VmSwitch

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Domain | | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | | principal.user.userid |

Event ID 234

Provider: Microsoft-Windows-Hyper-V-VmSwitch

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Domain | | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | | principal.user.userid |

Event ID 238

Provider: Microsoft-Windows-Kernel-Boot

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| | | If the required fields for the above metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

version 0 / Provider: Microsoft-Windows-Kernel-Boot

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |

version 1 / Provider: Microsoft-Windows-Kernel-Boot

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |

Event ID 258

Provider: VMUpgradeHelper

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| SourceName | Not available | target.application |

Event ID 260

Provider: VMUpgradeHelper

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| SourceName | Not available | target.application |

Event ID 263

version 0 / Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |

Event ID 271

Provider: VMUpgradeHelper

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| SourceName | Not available | target.application |

Event ID 272

Provider: VMUpgradeHelper

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| SourceName | Not available | target.application |

Event ID 299

Provider: AD FS Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 300

Provider: ESENT

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_UNSPECIFIED |
| | | If the required fields for the above metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| | | Extract PID and map it to target.process.pid |

Event ID 301

Provider: ESENT

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_UNSPECIFIED |
| | | If the required fields for the above metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| | | Extract PID and map it to target.process.pid |

Event ID 302

Provider: ESENT

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_UNSPECIFIED |
| | | If the required fields for the above metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| | | Extract PID and map it to target.process.pid |

Event ID 304

version 0 / Provider: Microsoft-Windows-Ntfs

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Status | Data/Status | security_result.summary |

Event ID 313

version 0 / Provider: Microsoft-Windows-Bits-Client

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| ErrorCode | Data/ErrorCode | security_result.summary set to "ErrorCode: %{ErrorCode}" |

Event ID 325

Provider: ESENT

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_UNSPECIFIED |
| | | If the required fields for the above metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| | | Extract PID and map it to target.process.pid |

Provider: Microsoft-Windows-TaskScheduler

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED |
| | | target.resource.resource_type = TASK |
| TaskName | | target.resource.name |
| QueuedTaskInstanceId | | target.resource.product_object_id |
| Domain | | principal.administrative_domain |
| AccountName | | principal.user.attribute.roles.name |
| UserID | | principal.user.windows_sid |
| AccountType | | principal.user.attribute.roles.description |

Event ID 326

Provider: ESENT

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_UNSPECIFIED |
| | | If the required fields for the above metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| | | Extract PID and map it to target.process.pid |

Event ID 400

Provider: PowerShell

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Data_2 | | Extract HostName from Data_2 and set it to target.hostname |

version 1 / Provider: PowerShell

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| NewEngineState | | additional.fields.key; additional.fields.value.string_value |
| PreviousEngineState | | additional.fields.key; additional.fields.value.string_value |
| HostName | | additional.fields.key; additional.fields.value.string_value |
| HostVersion | | additional.fields.key; additional.fields.value.string_value |
| HostId | | additional.fields.key; additional.fields.value.string_value |
| HostApplication | | principal.process.command_line |
| EngineVersion | | additional.fields.key; additional.fields.value.string_value |
| RunspaceId | | additional.fields.key; additional.fields.value.string_value |
| PipelineId | | additional.fields.key; additional.fields.value.string_value |
| CommandName | | additional.fields.key; additional.fields.value.string_value |
| CommandType | | additional.fields.key; additional.fields.value.string_value |
| ScriptName | | target.file.name |
| CommandPath | | target.process.file.full_path |
| NewEngineState | | target.process.command_line |

Event ID 403

Provider: AD FS Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Data_9 | | network.http.user_agent |
| Domain | System/Domain | principal.administrative_domain |
| Data_8 | | principal.ip |
| Data_7 | | principal.port |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| Data_3 | | target.ip |
| Data_5 | | target.url |

Event ID 404

Provider: AD FS Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| Data_3 | | security_result.description set to "%{Data_3}: %{Data_4}" |
| Data_4 | | security_result.description set to "%{Data_3}: %{Data_4}" |

Event ID 405

Provider: ADSync

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| | | If the required fields for the above metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| Data | | principal.administrative_domain |
| Data_1 | | principal.user.userid |

Event ID 410

Provider: AD FS Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Data_4 | | network.http.user_agent |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| Data_10 | | target.ip |
| Data_8 | | target.url |

Event ID 412

Provider: AD FS Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 424

Provider: AD FS Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| | | client_certificate_serial set to network.tls.client.certificate.serial |
| | | client_certificate_subject set to network.tls.client.certificate.subject |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 500

Provider: AD FS Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 501

Provider: AD FS Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 506

Provider: Microsoft-Windows-Kernel-Power

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| | | security_result.description |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |

Event ID 507

Provider: Microsoft-Windows-Kernel-Power

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| | | reason_description set to security_result.description |
| Domain | System/Domain | principal.administrative_domain |
| Reason | | security_result.description |
| AccountName | System/AccountName | principal.user.userid |

version 10 / Provider: Microsoft-Windows-Kernel-Power

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Reason | Data/Reason | security_result.description |

Event ID 508

Provider: ESENT

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_UNSPECIFIED |
| | | If the required fields for the above metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| | | Extract PID and map it to target.process.pid |

Event ID 510

Provider: AD FS Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Data_1 | | Data_1.Host set to target.hostname; Data_1.User-Agent set to network.http.user_agent; Data_1.X-MS-Endpoint-Absolute-Path set to target.url |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 517

Provider: Microsoft-Windows-DFSN-Server

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| UserID | | principal.user.windows_sid |
| DfsNamespace | | target.resource.name |

Event ID 521

Provider: Security

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |

Event ID 529

Provider: Security

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = USER_LOGIN |
| | | security_result.action = BLOCK |
| | | security_result.category = AUTH_VIOLATION |
| LogonType | Not available | extensions.auth.mechanism |
| Message | Not available | username set to target.user.userid; domain set to target.administrative_domain; target_workstation set to target.hostname |

Event ID 566

Provider: Microsoft-Windows-Kernel-Power

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Reason | Data/Reason | security_result.description |

Event ID 600

Provider: PowerShell

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Category | | metadata.description |
| SourceName | | principal.application |
| HostApplication | | target.file.full_path |
| ProviderName | | target.resource.name |

Event ID 601

Provider: Directory Synchronization

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| | | If the required fields for the above metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| | | metadata.description = Attempt to install a service |
| SubjectUserName | | principal.user.userid |
| Summary | | security_result.summary |
| ServiceName | | target.process.command_line |
| ServiceFileName | | target.process.file.full_path |

Event ID 642

Provider: ESENT

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_UNSPECIFIED |
| | | If the required fields for the above metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| | | Extract PID and map it to target.process.pid |

Event ID 653

Provider: Directory Synchronization

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| | | If the required fields for the above metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| Data | | security_result.summary |

Event ID 654

Provider: Directory Synchronization

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| | | If the required fields for the above metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| Data | | security_result.summary |

Event ID 663

Provider: Directory Synchronization

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| | | If the required fields for the above metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| Data | | security_result.summary |

Event ID 700

Provider: NTDS ISAM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| | | If the required fields for the above metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| MessageSourceAddress | | principal.ip |

Event ID 701

Provider: NTDS ISAM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| | | If the required fields for the above metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| MessageSourceAddress | | principal.ip |

Event ID 719

Provider: Microsoft-Windows-TaskScheduler

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |
| Category | Data/Category | security_result.category_details |

Event ID 781

Provider: Microsoft-Windows-Complus

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| param1 | Data/param1 | additional.fields.key; additional.fields.value.string_value |
| param2 | Data/param2 | additional.fields.key; additional.fields.value.string_value |
| param3 | Data/param3 | target.registry.registry_key |

Event ID 800

Provider: PowerShell

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| | | metadata.description set to "Pipeline execution" |
| | | security_result.summary set to "Pipeline execution details for command line" |
| SourceName | | principal.application |
| UserId | | principal.user.userid |
| HostApplication | | principal.process.command_line |
| DetailSequence | | additional.fields.key; additional.fields.value.string_value |
| DetailTotal | | additional.fields.key; additional.fields.value.string_value |
| SequenceNumber | | additional.fields.key; additional.fields.value.string_value |
| HostName | | additional.fields.key; additional.fields.value.string_value |
| HostVersion | | additional.fields.key; additional.fields.value.string_value |
| HostId | | additional.fields.key; additional.fields.value.string_value |
| EngineVersion | | additional.fields.key; additional.fields.value.string_value |
| RunspaceId | | additional.fields.key; additional.fields.value.string_value |
| PipelineId | | additional.fields.key; additional.fields.value.string_value |
| ScriptName | | target.file.full_path |
| CommandLine | | target.process.command_line |
| Details | | additional.fields.key; additional.fields.value.string_value |

Event ID 888

Provider: top_5

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 900

Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Not available | | metadata.event_type = SERVICE_START |
| | | target.application = "Software Protection" |

Event ID 902

Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Not available | | metadata.event_type = SERVICE_START |
| | | target.application = "Software Protection" |

Event ID 903

Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Not available | | metadata.event_type = SERVICE_STOP |
| | | target.application = "Software Protection" |

Event ID 904

Provider: Directory Synchronization

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| | | If the required fields for the above metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| Data | | security_result.summary |

Event ID 1000

Provider: Microsoft-Windows-SCPNP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| ReaderName | Data/ReaderName | target.resource.name |
| ErrorCode | Data/ErrorCode | security_result.summary set to "ErrorCode: %{ErrorCode}" |

Provider: Microsoft-Windows-LoadPerf

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| AccountName | | principal.user.attribute.roles.name |
| AccountType | | principal.user.attribute.roles.description |
| UserID | | principal.user.windows_sid |

Event ID 1001

Provider: Microsoft Antimalware

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| | | target_resource_product_object_id set to target.resource.product_object_id |

Provider: Microsoft-Windows-WER-SystemErrorReporting

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| param2 | | target.file.full_path |

Provider: SNMP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| | | Message set to security_result.summary |

Provider: Windows Error Reporting

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Not available | | metadata.event_type = STATUS_UPDATE |

Provider: Microsoft-Windows-LoadPerf

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| AccountName | | principal.user.attribute.roles.name |
| AccountType | | principal.user.attribute.roles.description |
| UserID | | principal.user.windows_sid |

Event ID 1003

Provider: Microsoft-Windows-Search

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_START |
| Category | Data/Category | target.application |

Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 1004

Provider: IPMIDRV

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Data | | target.hostname |

Provider: Microsoft-Windows-Search

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_MODIFICATION |
| Reason | Data/Reason | security_result.description |
| Category | Data/Category | target.application |

Provider: SNMP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Provider: TdIca

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| | | target_ip set to target.ip |
| | | target_port set to target.port |

Event ID 1005

Provider: Microsoft-Windows-Search

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_MODIFICATION |
| Category | Data/Category | target.application |

Event ID 1007

Provider: TdIca

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| | | target_ip set to target.ip |
| | | target_port set to target.port |

Event ID 1008

Provider: Microsoft-Windows-Perflib

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| EventXML.param1 | | target.application |
| EventXML.param2 | | target.file.full_path |

Provider: Microsoft-Windows-Search

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_START |
| Reason | Data/Reason | security_result.description |
| Category | Data/Category | target.application |

Event ID 1010

Provider: Microsoft-Windows-Search

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_MODIFICATION |
| Category | Data/Category | target.application |

Event ID 1013

Provider: Microsoft-Windows-Search

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_STOP |
| Category | Data/Category | target.application |

Event ID 1014

Provider: Microsoft-Windows-DNS-Client

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = NETWORK_DNS |
| | | network.ip_protocol is set to "DNS" |
| QueryName | | network.dns.questions.name |
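The following Python is an added example, not the Google Security Operations parser and not code from this page, showing how the mapping rows above translate an NXLog-shaped Windows event record into UDM fields for four of the tables in this section: Microsoft-Windows-TaskScheduler Event ID 200, Microsoft-Windows-Bits-Client Event ID 313, Microsoft-Windows-Kernel-Boot Event ID 238 (including its STATUS_UPDATE fallback) and Microsoft-Windows-DNS-Client Event ID 1014. The input records are constructed here in the field layout that NXLog's im_msvistalog module produces (the names in the "NXLog field" column); the function names, the nested-dict representation of UDM, and the choice of AccountName or UserID as the "required field" for the Kernel-Boot fallback are assumptions of this example, not statements from the page.

```python
"""Added illustration of the WINEVTLOG field mappings on this page (not Google's
parser): normalise NXLog-shaped Windows event records into UDM-style dicts."""
import json

# Constructed sample records, shaped like the JSON that NXLog's im_msvistalog
# module emits (field names as in the "NXLog field" column). Values are made up.
SAMPLE_RECORDS = [
    {"SourceName": "Microsoft-Windows-TaskScheduler", "EventID": 200,
     "Domain": "CORP", "AccountName": "SYSTEM", "AccountType": "Well Known Group",
     "UserID": "S-1-5-18",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskInstanceId": "{1b6c7d9e-4f2a-4c3b-9e8d-0a1b2c3d4e5f}"},
    {"SourceName": "Microsoft-Windows-Bits-Client", "EventID": 313,
     "ErrorCode": "0x80200010"},
    {"SourceName": "Microsoft-Windows-DNS-Client", "EventID": 1014,
     "QueryName": "updates.example.net"},
    # Kernel-Boot 238 with no account fields: exercises the STATUS_UPDATE fallback.
    {"SourceName": "Microsoft-Windows-Kernel-Boot", "EventID": 238},
]


def _set(udm, path, value):
    """Assign value at a dotted UDM path, creating nested dicts; skip empty values."""
    if value in (None, ""):
        return
    cur = udm
    *parents, leaf = path.split(".")
    for part in parents:
        cur = cur.setdefault(part, {})
    cur[leaf] = value


def normalize(rec):
    """Return a UDM-style dict for one record, following the tables on this page."""
    udm = {"metadata": {"event_type": "STATUS_UPDATE"}}  # least specific type
    provider, event_id = rec.get("SourceName"), rec.get("EventID")

    if provider == "Microsoft-Windows-TaskScheduler" and event_id == 200:
        udm["metadata"]["event_type"] = "SCHEDULED_TASK_ENABLE"
        _set(udm, "principal.administrative_domain", rec.get("Domain"))
        # AccountName -> roles.name, AccountType -> roles.description (one roles entry)
        role = {k: rec[src] for k, src in (("name", "AccountName"),
                                           ("description", "AccountType")) if rec.get(src)}
        if role:
            _set(udm, "principal.user.attribute.roles", [role])
        _set(udm, "principal.user.windows_sid", rec.get("UserID"))
        _set(udm, "target.resource.resource_type", "TASK")
        _set(udm, "target.resource.name", rec.get("TaskName"))
        _set(udm, "target.resource.product_object_id", rec.get("TaskInstanceId"))

    elif provider == "Microsoft-Windows-Bits-Client" and event_id == 313:
        udm["metadata"]["event_type"] = "SYSTEM_AUDIT_LOG_UNCATEGORIZED"
        if rec.get("ErrorCode"):
            _set(udm, "security_result", [{"summary": f"ErrorCode: {rec['ErrorCode']}"}])

    elif provider == "Microsoft-Windows-DNS-Client" and event_id == 1014:
        udm["metadata"]["event_type"] = "NETWORK_DNS"
        _set(udm, "network.ip_protocol", "DNS")  # literal value the table specifies
        if rec.get("QueryName"):
            _set(udm, "network.dns.questions", [{"name": rec["QueryName"]}])

    elif provider == "Microsoft-Windows-Kernel-Boot" and event_id == 238:
        _set(udm, "principal.administrative_domain", rec.get("Domain"))
        _set(udm, "principal.user.userid", rec.get("AccountName"))
        _set(udm, "principal.user.windows_sid", rec.get("UserID"))
        if rec.get("AccountType"):
            _set(udm, "principal.user.attribute.roles", [{"name": rec["AccountType"]}])
        # The table says SYSTEM_AUDIT_LOG_UNCATEGORIZED, falling back to STATUS_UPDATE
        # when its required fields are absent. Assumption (the page does not name
        # them): a populated principal user, i.e. AccountName or UserID.
        if rec.get("AccountName") or rec.get("UserID"):
            udm["metadata"]["event_type"] = "SYSTEM_AUDIT_LOG_UNCATEGORIZED"

    return udm


def normalize_all(records):
    """Normalise a list of records; used by the stand-alone run below."""
    return [normalize(r) for r in records]


if __name__ == "__main__":
    print(json.dumps(normalize_all(SAMPLE_RECORDS), indent=2))
```

Running the block prints the four normalised events; the last one shows the fallback in action, arriving as STATUS_UPDATE with no principal because the sample record carries no account fields. When validating a real deployment, compare the same fields in the UDM search view against the raw NXLog record rather than trusting the table alone, since provider names and Data field names differ between Windows versions.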

Event ID 1016

Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Not available | | metadata.event_type = STATUS_UPDATE |

Event ID 1023

Provider: Microsoft-Windows-Perflib

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| Library | Data/Library | target.file.full_path |

Event ID 1025

Provider: Microsoft-Windows-TPM-WMI

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 1026

Provider: Microsoft-Windows-TPM-WMI

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| ErrorCode | Data/ErrorCode | security_result.summary set to "ErrorCode: %{ErrorCode}" |

Event ID 1027

Provider: Microsoft-Windows-TPM-WMI

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 1030

Provider: Microsoft-Windows-GroupPolicy

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |
| ErrorDescription | | security_result.description |
| ErrorCode | | security_result.summary set to "ErrorCode - %{ErrorCode}" |
| DCName | | target.administrative_domain |

Provider: Microsoft-Windows-Kernel-PnP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Device | Data/Device | target.hostname |

Event ID 1031

Provider: Microsoft-Windows-Kernel-PnP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Device | Data/Device | target.hostname |

Event ID 1033

Provider: MsiInstaller

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| | | Extract product_name and map it to target.application |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| AccountType | | principal.user.attribute.roles.name |

Event ID 1034

Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| Not available | | metadata.event_type = STATUS_UPDATE |

Event ID 1037

Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 1040

Provider: MsiInstaller

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| | | Extract process_id and map it to target.process.pid |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| AccountType | | principal.user.attribute.roles.name |

Event ID 1042

Provider: MsiInstaller

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| | | Extract process_id and map it to target.process.pid |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| AccountType | | principal.user.attribute.roles.name |

Event ID 1053

Provider: Microsoft-Windows-GroupPolicy

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |

UserID

System/UserID

principal.user.windows_sid

ErrorDescription

Data/ErrorDescription

security_result.description

Event ID 1054

Provider: Microsoft-Windows-GroupPolicy

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.description

AccountName

System/AccountName

principal.user.attribute.roles.name

UserID

System/UserID

principal.user.windows_sid

ErrorDescription

Data/ErrorDescription

security_result.description

Event ID 1055

Provider: Microsoft-Windows-GroupPolicy

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.description

AccountName

System/AccountName

principal.user.attribute.roles.name

UserID

System/UserID

principal.user.windows_sid

ErrorDescription

Data/ErrorDescription

security_result.description

ErrorCode

Data/ErrorCode

security_result.summary

Format:

ErrorCode - %{ErrorCode}

Event ID 1056

Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

server_certificate_subject set to network.tls.server.certificate.subject

Event ID 1057

Provider: Microsoft-Windows-FailoverClustering

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

target.resource.resource_type = DATABASE

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

Event ID 1058

Provider: Microsoft-Windows-GroupPolicy

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.description

AccountName

System/AccountName

principal.user.attribute.roles.name

UserID

System/UserID

principal.user.windows_sid

ErrorDescription

Data/ErrorDescription

security_result.description

DCName

Data/DCName

target.administrative_domain

FilePath

Data/FilePath

target.file.full_path

Event ID 1064

Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

security_result.summary

Event ID 1066

Provider: Microsoft-Windows-Security-SPP

NXLog field

Event Viewer field

UDM field

Not available

metadata.event_type = STATUS_UPDATE

Event ID 1067

Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Event ID 1068

Provider: Microsoft-Windows-GroupPolicy

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

DCName

EventData.DCName

target.administrative_domain

SupportInfo1

additional.fields.key

additional.fields.value.string_value

SupportInfo2

additional.fields.key

additional.fields.value.string_value

ProcessingMode

additional.fields.key

additional.fields.value.string_value

ProcessingTimeInMilliseconds

additional.fields.key

additional.fields.value.string_value

Event ID 1069

Provider: Microsoft-Windows-FailoverClustering

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

ResourceGroup

target.group.group_display_name

ResourceName

target.resource.name

Event ID 1073

Provider: User32

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_SHUTDOWN

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.name

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

param1

Data/param1

target.hostname

param2

Data/param2

target.user.userid

Event ID 1074

Provider: User32

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_SHUTDOWN

Provider: USER32

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_SHUTDOWN

target_process_file_full_path set to target.process.file.full_path

target_hostname set to target.hostname

Provider: User32

NXLog field

Event Viewer field

UDM field

Domain

principal.administrative_domain

Provider: USER32

NXLog field

Event Viewer field

UDM field

Domain

System/Domain

principal.administrative_domain

Provider: User32

NXLog field

Event Viewer field

UDM field

param2

Data/param2

principal.hostname

param4

Data/param4

additional.fields.key

additional.fields.value.string_value

param5

Data/param5

additional.fields.key

additional.fields.value.string_value

param1

Data/param1

principal.process.file.full_path

AccountName

principal.user.attribute.roles.name

AccountType

principal.user.attribute.roles.name

Provider: USER32

NXLog field

Event Viewer field

UDM field

AccountName

System/AccountName

principal.user.userid

Provider: User32

NXLog field

Event Viewer field

UDM field

UserID

principal.user.windows_sid

param3

Data/param3

security_result.description

param7

Data/param7

target.user.userid

Event ID 1076

Provider: User32

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

Event ID 1085

Provider: Microsoft-Windows-GroupPolicy

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.description

AccountName

System/AccountName

principal.user.attribute.roles.name

UserID

System/UserID

principal.user.windows_sid

ErrorDescription

Data/ErrorDescription

security_result.description

ErrorCode

Data/ErrorCode

security_result.summary

Format:

ErrorCode - %{value}

DCName

Data/DCName

target.administrative_domain

Event ID 1096

Provider: Microsoft-Windows-GroupPolicy

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

ErrorCode

security_result.summary

Format:

ErrorCode - %{ErrorCode}

ErrorDescription

security_result.description

SupportInfo1

additional.fields.key

additional.fields.value.string_value

SupportInfo2

additional.fields.key

additional.fields.value.string_value

ProcessingMode

additional.fields.key

additional.fields.value.string_value

ProcessingTimeInMilliseconds

additional.fields.key

additional.fields.value.string_value

DCName

target.administrative_domain

FilePath

principal.process.file.full_path

Event ID 1100

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_STOP

target.application = "Event Logging Service"

Message

security_result.description

Event ID 1101

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the fields required for the metadata.event_type above are not present, then metadata.event_type is set to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Event ID 1102

Provider: AD FS Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

target_ip set to target.ip

target_url set to target.url

client_certificate_serial set to network.tls.client.certificate.serial

client_certificate_subject set to network.tls.client.certificate.subject

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

Provider: DFS Replication

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_WIPE

SubjectDomainName

principal.administrative_domain

SubjectUserName

principal.user.userid

SubjectUserSid

principal.user.windows_sid

Event ID 1103

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Event ID 1104

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Event ID 1105

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

AutoBackup.BackupPath

Data/BackupPath

target.file.full_path

Event ID 1106

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Reason

Data/Reason

security_result.description

Event ID 1107

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

ProcessID

Data/ProcessID

principal.process.pid

ErrorCode

Data/ErrorCode

security_result.summary

Format:

Error Code: %{value}
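The rows above for Microsoft-Windows-Eventlog 1100, 1102 and 1107, the AD FS Auditing 1102 row, and the Active Directory_DomainService 1101 fallback rule, modelled as an added Python example (this is not the Google SecOps parser's own code). It assumes NXLog-style EventID/SourceName keys, treats any populated principal.* field as satisfying the unnamed "required fields" for SYSTEM_AUDIT_LOG_UNCATEGORIZED, and the GENERIC_EVENT catch-all and the is_log_tampering helper are likewise assumptions.

```python
"""Added example, not the Google SecOps parser's own code: a small model of how
the WINEVTLOG mapping rows on this page dispatch on (Event ID, Provider).
Assumptions: events are NXLog-style dicts keyed by EventID/SourceName, and since
the page does not say which fields SYSTEM_AUDIT_LOG_UNCATEGORIZED requires,
"at least one principal.* field populated" stands in for that requirement."""
from typing import Any, Dict, Tuple

# One entry per table row on this page that the example covers.
# "fields": source field -> UDM path; "formats": source field -> (UDM path, template).
RULES: Dict[Tuple[int, str], Dict[str, Any]] = {
    (1100, "Microsoft-Windows-Eventlog"): {
        "event_type": "SERVICE_STOP",
        "constants": {"target.application": "Event Logging Service"},
        "fields": {"Message": "security_result.description"},
    },
    (1102, "Microsoft-Windows-Eventlog"): {
        "event_type": "SYSTEM_AUDIT_LOG_WIPE",
        "fields": {
            "SubjectDomainName": "principal.administrative_domain",
            "SubjectUserName": "principal.user.userid",
            "SubjectUserSid": "principal.user.windows_sid",
        },
    },
    (1107, "Microsoft-Windows-Eventlog"): {
        "event_type": "SERVICE_UNSPECIFIED",
        "constants": {"target.application": "Event Logging Service"},
        "fields": {"ProcessID": "principal.process.pid"},
        "formats": {"ErrorCode": ("security_result.summary", "Error Code: {value}")},
    },
    (1102, "AD FS Auditing"): {
        "event_type": "STATUS_UNCATEGORIZED",
        "fields": {
            "Domain": "principal.administrative_domain",
            "AccountName": "principal.user.userid",
            "UserID": "principal.user.windows_sid",
        },
    },
    (1101, "Microsoft-Windows-ActiveDirectory_DomainService"): {
        "event_type": "SYSTEM_AUDIT_LOG_UNCATEGORIZED",
        "fallback_event_type": "STATUS_UPDATE",  # used when required fields are absent
        "fields": {
            "Domain": "principal.administrative_domain",
            "AccountType": "principal.user.attribute.roles.name",
            "AccountName": "principal.user.userid",
            "UserID": "principal.user.windows_sid",
        },
    },
}

def _present(value: Any) -> bool:
    """NXLog emits empty strings for unset EventData fields; treat those as absent."""
    return value is not None and str(value).strip() != ""

def to_udm(event: Dict[str, Any]) -> Dict[str, Any]:
    """Map one event to flat dotted UDM fields; unknown rows get GENERIC_EVENT (assumed)."""
    rule = RULES.get((int(event["EventID"]), str(event.get("SourceName", ""))))
    if rule is None:
        return {"metadata.event_type": "GENERIC_EVENT"}
    udm: Dict[str, Any] = dict(rule.get("constants", {}))
    for src, dst in rule.get("fields", {}).items():
        if _present(event.get(src)):
            udm[dst] = event[src]
    for src, (dst, template) in rule.get("formats", {}).items():
        if _present(event.get(src)):
            udm[dst] = template.format(value=event[src])
    event_type = rule["event_type"]
    if "fallback_event_type" in rule and not any(k.startswith("principal.") for k in udm):
        event_type = rule["fallback_event_type"]
    udm["metadata.event_type"] = event_type
    return udm

def is_log_tampering(udm: Dict[str, Any]) -> bool:
    """Detection view: the audit log was cleared or the logging service stopped."""
    if udm.get("metadata.event_type") == "SYSTEM_AUDIT_LOG_WIPE":
        return True
    return (udm.get("metadata.event_type") == "SERVICE_STOP"
            and udm.get("target.application") == "Event Logging Service")

# Constructed sample events (not real log data); names, SIDs and codes are made up.
SAMPLE_EVENTS = [
    {"EventID": 1102, "SourceName": "Microsoft-Windows-Eventlog", "SubjectDomainName": "CORP",
     "SubjectUserName": "jdoe", "SubjectUserSid": "S-1-5-21-1111-2222-3333-1001"},
    {"EventID": 1100, "SourceName": "Microsoft-Windows-Eventlog",
     "Message": "The event logging service has shut down."},
    {"EventID": 1107, "SourceName": "Microsoft-Windows-Eventlog",
     "ProcessID": "4321", "ErrorCode": "0x8007000E"},
    {"EventID": 1102, "SourceName": "AD FS Auditing", "Domain": "CORP",
     "AccountName": "svc-adfs", "UserID": "S-1-5-21-1111-2222-3333-1105"},
    {"EventID": 1101, "SourceName": "Microsoft-Windows-ActiveDirectory_DomainService",
     "Domain": "", "AccountType": "", "AccountName": "", "UserID": ""},
    {"EventID": 1101, "SourceName": "Microsoft-Windows-ActiveDirectory_DomainService",
     "Domain": "CORP", "AccountType": "User", "AccountName": "admin",
     "UserID": "S-1-5-21-1111-2222-3333-1002"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        udm = to_udm(ev)
        print(f"{ev['EventID']:>5}  {udm['metadata.event_type']:<32} tamper={is_log_tampering(udm)}")
```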

Event ID 1108

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Event ID 1112

Provider: Microsoft-Windows-GroupPolicy

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.description

AccountName

System/AccountName

principal.user.attribute.roles.name

UserID

System/UserID

principal.user.windows_sid

ErrorDescription

security_result.description

ErrorCode

security_result.summary

Format:

ErrorCode - %{ErrorCode}

DCName

target.administrative_domain

ExtensionName

target.resource.name

ExtensionId

target.resource.product_object_id

Event ID 1126

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the fields required for the metadata.event_type above are not present, then metadata.event_type is set to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Data_1

security_result.summary set to "Error: %{Data_1} - %{Data_2}"

Data_2

security_result.summary set to "Error: %{Data_1} - %{Data_2}"

Event ID 1127

Provider: Microsoft-Windows-GroupPolicy

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

ErrorCode

security_result.summary

Format:

ErrorCode - %{ErrorCode}

ErrorDescription

security_result.description

DCName

target.administrative_domain

SupportInfo1

additional.fields.key

additional.fields.value.string_value

SupportInfo2

additional.fields.key

additional.fields.value.string_value

ProcessingMode

additional.fields.key

additional.fields.value.string_value

ProcessingTimeInMilliseconds

additional.fields.key

additional.fields.value.string_value

Event ID 1128

Provider: Microsoft-Windows-GroupPolicy

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.description

AccountName

System/AccountName

principal.user.attribute.roles.name

UserID

System/UserID

principal.user.windows_sid

ExtensionName

target.resource.name

ExtensionId

target.resource.product_object_id

Event ID 1129

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the fields required for the metadata.event_type above are not present, then metadata.event_type is set to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Provider: Microsoft-Windows-GroupPolicy

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.description

AccountName

System/AccountName

principal.user.attribute.roles.name

UserID

System/UserID

principal.user.windows_sid

ErrorDescription

Data/ErrorDescription

security_result.description

Event ID 1130

Provider: Microsoft-Windows-GroupPolicy

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

ErrorCode

Data/ErrorCode

security_result.summary

Format:

ErrorCode - %{value}

ErrorDescription

Data/ErrorDescription

security_result.description

GPOFileSystemPath

Data/GPOFileSystemPath

target.file.full_path

Event ID 1134

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the fields required for the metadata.event_type above are not present, then metadata.event_type is set to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Event ID 1150

Provider: Microsoft Antimalware

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

platform_version set to principal.asset.platform_software.platform_version

Event ID 1162

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the fields required for the metadata.event_type above are not present, then metadata.event_type is set to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Event ID 1173

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the fields required for the metadata.event_type above are not present, then metadata.event_type is set to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Event ID 1196

Provider: Microsoft-Windows-FailoverClustering

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.name

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

StatusString

security_result.summary

ResourceName

target.resource.name

Event ID 1200

Provider: AD FS Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = USER_LOGIN

Message

metadata.description

UserID

target.user.windows_sid

Event ID 1201

Provider: AD FS Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = USER_LOGIN

Message

metadata.description

UserID

target.user.windows_sid

Event ID 1202

Provider: SceCli

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Message

security_result.summary

Format:

summary is set to 0x%{error_code} - %{error_message}

Provider: AD FS Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = USER_LOGIN

Message

metadata.description

"SERVICE"

extensions.auth.mechanism

"SSO"

extensions.auth.type

UserID

target.user.windows_sid

Event ID 1203

Provider: AD FS Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = USER_LOGIN

Message

metadata.description

"SERVICE"

extensions.auth.mechanism

"SSO"

extensions.auth.type

UserID

target.user.windows_sid

Event ID 1204

Provider: AD FS Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = USER_CHANGE_PASSWORD

Message

metadata.description

Event ID 1205

Provider: Microsoft-Windows-FailoverClustering

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

ResourceGroup

target.group.group_display_name

Provider: AD FS Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = USER_CHANGE_PASSWORD

Message

metadata.description

Event ID 1206

Provider: AD FS Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = USER_LOGOUT

Message

metadata.description

UserID

target.user.windows_sid

Event ID 1207

Provider: AD FS Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = USER_LOGOUT

Message

metadata.description

UserID

target.user.windows_sid

Event ID 1213

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the fields required for the metadata.event_type above are not present, then metadata.event_type is set to STATUS_UPDATE.

Event ID 1216

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the fields required for the metadata.event_type above are not present, then metadata.event_type is set to STATUS_UPDATE.

Data_3

security_result.description

Data

security_result.summary

Format:

"Error Code - %{Data}"

Event ID 1226

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the fields required for the metadata.event_type above are not present, then metadata.event_type is set to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Event ID 1254

Provider: Microsoft-Windows-FailoverClustering

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

ResourceGroup

target.group.group_display_name

Event ID 1257

Provider: Microsoft-Windows-FailoverClustering

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

DNSZone

about.labels.key/value

additional.fields.key

additional.fields.value.string_value

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

ResourceGroup

target.group.group_display_name

Event ID 1282

Provider: Microsoft-Windows-TPM-WMI

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 1307

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the fields required for the metadata.event_type above are not present, then metadata.event_type is set to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Event ID 1311

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the fields required for the metadata.event_type above are not present, then metadata.event_type is set to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Event ID 1317

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the fields required for the metadata.event_type above are not present, then metadata.event_type is set to STATUS_UPDATE.

Event ID 1500

Provider: Microsoft-Windows-GroupPolicy

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.description

AccountName

System/AccountName

principal.user.attribute.roles.name

UserID

System/UserID

principal.user.windows_sid

DCName

Data/DCName

target.administrative_domain

Event ID 1501

Provider: Microsoft-Windows-GroupPolicy

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

AccountType

System/AccountType

principal.user.attribute.roles.description

AccountName

System/AccountName

principal.user.attribute.roles.name

UserID

System/UserID

principal.user.windows_sid

Event ID 1502

Provider: Microsoft-Windows-GroupPolicy

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.description

AccountName

System/AccountName

principal.user.attribute.roles.name

UserID

System/UserID

principal.user.windows_sid

DCName

Data/DCName

target.administrative_domain

Event ID 1503

Provider: Microsoft-Windows-GroupPolicy

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.description

AccountName

System/AccountName

principal.user.attribute.roles.name

UserID

System/UserID

principal.user.windows_sid

DCName

Data/DCName

target.administrative_domain

Event ID 1531

Provider: Microsoft-Windows-User Profiles Service

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_START

Domain

Not available

principal.administrative_domain

AccountName

Not available

principal.user.userid

UserID

Not available

principal.user.windows_sid

SourceName

Not available

target.application

Event ID 1532

Provider: Microsoft-Windows-User Profiles Service

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_STOP

Domain

Not available

principal.administrative_domain

AccountName

Not available

principal.user.userid

UserID

Not available

principal.user.windows_sid

SourceName

Not available

target.application

Event ID 1535

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the fields required for the metadata.event_type above are not present, then metadata.event_type is set to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Data

security_result.description

Event ID 1564

Provider: Microsoft-Windows-FailoverClustering

NXLog field

Event Viewer field

UDM field

metadata.event_type = RESOURCE_READ

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

ShareName

target.resource.name

Event ID 1566

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the fields required for the metadata.event_type above are not present, then metadata.event_type is set to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Event ID 1573

Provider: Microsoft-Windows-FailoverClustering

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

Event ID 1593

Provider: Microsoft-Windows-FailoverClustering

NXLog field

Event Viewer field

UDM field

metadata.event_type = RESOURCE_READ

target.resource.resource_type = DATABASE

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

DatabaseFilePath

target.file.full_path

Event ID 1643

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the fields required for the metadata.event_type above are not present, then metadata.event_type is set to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Event ID 1644

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the fields required for the metadata.event_type above are not present, then metadata.event_type is set to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Event ID 1645

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Event ID 1653

Provider: Microsoft-Windows-FailoverClustering

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

Event ID 1699

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Data_4

security_result.summary set to "Error Code - %{Data_4}"

Event ID 1704

Provider: SceCli

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

ProcessId

principal.process.pid

Message

security_result.summary

Event ID 1865

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the fields required for the metadata.event_type above are not present, then metadata.event_type is set to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Event ID 1925

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the fields required for the metadata.event_type above are not present, then metadata.event_type is set to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Event ID 1955

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the fields required for the metadata.event_type above are not present, then metadata.event_type is set to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Event ID 2000

Provider: Microsoft Antimalware

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

current_signature_version set to target.resource.attribute.labels.key/value

previous_signature_version set to target.resource.attribute.labels.key/value

Event ID 2001

Provider: Microsoft Antimalware

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Data_14

security_result.summary

Data_17

target.url

Provider: NTDS ISAM

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

If the fields required for the metadata.event_type above are not present, then metadata.event_type is set to STATUS_UPDATE.

MessageSourceAddress

principal.ip

Event ID 2004

Provider: Microsoft-Windows-Resource-Exhaustion-Detector

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.name

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

Event ID 2041

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Event ID 2042

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Event ID 2053

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Event ID 2065

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Event ID 2085

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Domain

principal.administrative_domain

MessageSourceAddress

principal.ip

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Event ID 2089

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Event ID 2108

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Data_3

security_result.summary set to "Error: %{Data_4} - %{Data_3}"

Data_4

security_result.summary set to "Error: %{Data_4} - %{Data_3}"

Event ID 2811

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Event ID 2887

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Event ID 2889

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Message

principal_ip is set to principal.ip

principal_port is set to principal.port

principal_user_id is set to principal.user.userid

Event ID 2896

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Data_1

security_result.summary set to "Error: %{Data_1} - %{Data_2}"

Data_2

security_result.summary set to "Error: %{Data_1} - %{Data_2}"

Event ID 2904

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Event ID 2946

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Event ID 2947

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Domain

principal.administrative_domain

Data_2

principal.ip

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Data_3

security_result.summary set to "Error: %{Data_3}"

Event ID 2974

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Data_2

security_result.summary set to "Error Code - %{Data_2}"

Event ID 3005

Provider: LogRhythm Agent

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Message

security_result.description

Event ID 3006

Provider: LogRhythm Agent

NXLog field

Event Viewer field

UDM field

metadata.event_type = NETWORK_UNCATEGORIZED

Message

Message is set to security_result.description

ip is set to target.ip

port is set to target.port

Event ID 3040

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Event ID 3041

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the required fields for the above-mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.name

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Event ID 3072

Provider: Foundation Agents

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Event ID 3096

Provider: NETLOGON

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Message set to security_result.summary

Event ID 3260

Provider: Workstation

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Event ID 3261

Provider: Workstation

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Event ID 4000

version 0 Windows 10 client / Provider: Microsoft-Windows-Diagnostics-Networking

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

Provider: Microsoft-Windows-WLAN-AutoConfig

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 4001

Provider: Microsoft-Windows-WLAN-AutoConfig

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 4003

Provider: Microsoft-Windows-WLAN-AutoConfig

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.name

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

ErrorCode

Data/ErrorCode

security_result.summary

Format:

%{ErrorCode}-%{ErrorMsg}

Event ID 4005

Provider: Microsoft-Windows-GroupPolicy

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.name

AccountName

System/AccountName

principal.user.attribute.roles.name

UserID

System/UserID

principal.user.windows_sid

ReasonForSyncProcessing

Data/ReasonForSyncProcessing

security_result.summary

PrincipalSamName

Data/PrincipalSamName

target.hostname

PolicyActivityId

Data/PolicyActivityId

target.resource.product_object_id

Event ID 4006

Provider: Microsoft-Windows-GroupPolicy

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.description

AccountName

System/AccountName

principal.user.attribute.roles.name

UserID

System/UserID

principal.user.windows_sid

PrincipalSamName

Data/PrincipalSamName

target.hostname

PolicyActivityId

Data/PolicyActivityId

target.resource.product_object_id

Event ID 4016

Provider: Microsoft-Windows-GroupPolicy

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.description

AccountName

System/AccountName

principal.user.attribute.roles.name

UserID

System/UserID

principal.user.windows_sid

DescriptionString

Data/DescriptionString

security_result.description

CSEExtensionName

Data/CSEExtensionName

target.resource.name

CSEExtensionId

Data/CSEExtensionId

target.resource.product_object_id

Event ID 4017

Provider: Microsoft-Windows-GroupPolicy

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.description

AccountName

System/AccountName

principal.user.attribute.roles.name

UserID

System/UserID

principal.user.windows_sid

OperationDescription

Data/OperationDescription

security_result.description

Event ID 4096

Provider: NetJoin

NXLog field

Event Viewer field

UDM field

metadata.event_type = NETWORK_CONNECTION

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

DomainName

Data/DomainName

target.administrative_domain

ComputerName

Data/ComputerName

target.hostname

Event ID 4097

Provider: Microsoft-Windows-CAPI2

NXLog field

Event Viewer field

UDM field

Not available

metadata.event_type = STATUS_UPDATE

Provider: NetJoin

NXLog field

Event Viewer field

UDM field

metadata.event_type = NETWORK_CONNECTION

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

NetStatusCode

Data/NetStatusCode

security_result.description

DomainName

Data/DomainName

target.administrative_domain

ComputerName

Data/ComputerName

target.hostname

Event ID 4100

Provider: Microsoft-Windows-Diagnostics-Networking

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

Provider: Microsoft-Windows-PowerShell

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Event ID 4101

Provider: Display

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 4103

version 1 / Provider: Microsoft-Windows-PowerShell

NXLog field

Event Viewer field

UDM field

metadata.event_type = PROCESS_LAUNCH

Domain

principal.administrative_domain

AccountType

principal.user.attribute.roles.description

AccountName

principal.user.userid

UserID

principal.user.windows_sid

Category

security_result.summary

CommandName

additional.fields.key

additional.fields.value.string_value

ScriptName

target.file.full_path

HostApplication

target.process.command_line

HostName

additional.fields.key

additional.fields.value.string_value

HostVersion

additional.fields.key

additional.fields.value.string_value

HostId

additional.fields.key

additional.fields.value.string_value

EngineVersion

additional.fields.key

additional.fields.value.string_value

RunspaceId

additional.fields.key

additional.fields.value.string_value

CommandType

additional.fields.key

additional.fields.value.string_value

PipelineID

additional.fields.key

additional.fields.value.string_value

Payload

additional.fields.key

additional.fields.value.string_value

Event ID 4104

Provider: Microsoft-Windows-PowerShell

NXLog field

Event Viewer field

UDM field

metadata.event_type = PROCESS_LAUNCH

metadata.description = Script block logging

Domain

principal.administrative_domain

MessageNumber

additional.fields.key

additional.fields.value.string_value

MessageTotal

additional.fields.key

additional.fields.value.string_value

ScriptBlockText

Data/ScriptBlockText

target.process.command_line

ScriptBlockId

principal.resource.product_object_id

UserID

principal.user.windows_sid

Category

security_result.summary

Message

security_result.description

SourceName

target.application

ScriptBlockId

principal.resource.product_object_id

Event ID 4108

Provider: Microsoft-Windows-CAPI2

NXLog field

Event Viewer field

UDM field

Not available

metadata.event_type = STATUS_UPDATE

Extract information from the Message field and map it to network.tls.client.certificate.

Event ID 4109

Provider: Microsoft-Windows-CAPI2

NXLog field

Event Viewer field

UDM field

Not available

metadata.event_type = STATUS_UPDATE

Extract information from the Message field and map it to network.tls.client.certificate.

Event ID 4111

Provider: Microsoft-Windows-MSDTC

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_STOP

SourceName

Not available

target.application

Event ID 4112

Provider: Microsoft-Windows-CAPI2

NXLog field

Event Viewer field

UDM field

Not available

metadata.event_type = STATUS_UPDATE

Event ID 4113

Provider: Microsoft-Windows-CAPI2

NXLog field

Event Viewer field

UDM field

Not available

metadata.event_type = STATUS_UPDATE

Event ID 4115

Provider: Microsoft-Windows-GroupPolicy

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.description

AccountName

System/AccountName

principal.user.attribute.roles.name

UserID

System/UserID

principal.user.windows_sid

Event ID 4116

Provider: Microsoft-Windows-GroupPolicy

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.description

AccountName

System/AccountName

principal.user.userid

UserID

System/UserID

principal.user.windows_sid

Event ID 4117

Provider: Microsoft-Windows-GroupPolicy

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.description

AccountName

System/AccountName

principal.user.attribute.roles.name

UserID

System/UserID

principal.user.windows_sid

Event ID 4124

Provider: Microsoft-Windows-BitLocker-API

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Event ID 4125

Provider: Microsoft-Windows-BitLocker-API

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Data

Data/Data

security_result.description

Format:

Error - %{value}

Event ID 4126

Provider: Microsoft-Windows-GroupPolicy

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.description

AccountName

System/AccountName

principal.user.attribute.roles.name

UserID

System/UserID

principal.user.windows_sid

Event ID 4127

Provider: Microsoft-Windows-BitLocker-API

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Data

Data/Data

security_result.description

Event ID 4133

Provider: Microsoft-Windows-BitLocker-API

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Event ID 4199

Provider: Tcpip

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Data

Data/Data

principal.ip

Data_1

Data/Data_1

target.mac

Event ID 4200

Provider: Microsoft-Windows-Iphlpsvc

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Domain

System/Domain

principal.administrative_domain

AccountName

System/AccountName

principal.user.userid

Interface

target_resource_product_object_id set to target.resource.product_object_id

Address

target.ip

Event ID 4202

Provider: Microsoft-Windows-MSDTC 2

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_START

SourceName

Not available

target.application

param1

Data/param1

additional.fields.key

additional.fields.value.string_value

param2

Data/param2

additional.fields.key

additional.fields.value.string_value

param3

Data/param3

additional.fields.key

additional.fields.value.string_value

param4

Data/param4

additional.fields.key

additional.fields.value.string_value

param5

Data/param5

additional.fields.key

additional.fields.value.string_value

param6

Data/param6

additional.fields.key

additional.fields.value.string_value

param7

Data/param7

additional.fields.key

additional.fields.value.string_value

param9

Data/param9

target.user.userid

Event ID 4227

Provider: Tcpip

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Message set to security_result.summary

Event ID 4230

Provider: Tcpip

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Event ID 4257

Provider: Microsoft-Windows-GroupPolicy

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.description

AccountName

System/AccountName

principal.user.attribute.roles.name

UserID

System/UserID

principal.user.windows_sid

Event ID 4319

Provider: NetBT

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Event ID 4321

Provider: NetBT

NXLog field

Event Viewer field

UDM field

metadata.event_type = NETWORK_CONNECTION

Data

Data/Data

principal.hostname and principal.port

Data_1

Data/Data_1

principal.ip

Data_2

Data/Data_2

target.ip

Event ID 4326

Provider: Microsoft-Windows-GroupPolicy

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Domain

System/Domain

principal.administrative_domain

AccountType

System/AccountType

principal.user.attribute.roles.description

AccountName

System/AccountName

principal.user.attribute.roles.name

UserID

System/UserID

principal.user.windows_sid

Event ID 4400

Provider: NPS

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Data_1

principal.administrative_domain

Event ID 4608

Provider: Microsoft-Windows-Security-Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_STARTUP

Event ID 4609

Provider: Microsoft-Windows-Security-Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_SHUTDOWN

Event ID 4610

Provider: Microsoft-Windows-Security-Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

AuthenticationPackageName

Data/AuthenticationPackageName

target.resource.name

Event ID 4611

Provider: Microsoft-Windows-Security-Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = PROCESS_UNCATEGORIZED

SubjectDomainName

Data/SubjectDomainName

principal.administrative_domain

SubjectUserName

Data/SubjectUserName

principal.user.userid

SubjectUserSid

Data/SubjectUserSid

principal.user.windows_sid

LogonProcessName

Data/LogonProcessName

target.process.command_line

SubjectLogonId

Data/SubjectLogonId

principal.labels.key/value

Event ID 4612

Provider: Microsoft-Windows-Security-Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

AuditsDiscarded

about.labels.key

about.labels.value

Event ID 4614

Provider: Microsoft-Windows-Security-Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

NotificationPackageName

Data/NotificationPackageName

target.resource.name

Event ID 4615

Provider: Microsoft-Windows-Security-Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_UNCATEGORIZED

SubjectDomainName

Data/SubjectDomainName

principal.administrative_domain

ProcessName

Data/ProcessName

principal.process.command_line

ProcessId

Data/ProcessId

principal.process.pid

SubjectUserName

Data/SubjectUserName

principal.user.userid

SubjectUserSid

Data/SubjectUserSid

principal.user.windows_sid

Event ID 4616

version 0 / Provider: Microsoft-Windows-Security-Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = SETTING_MODIFICATION

target.resource.resource_type set to SETTING

SubjectDomainName

Data/SubjectDomainName

principal.administrative_domain

ProcessName

Data/ProcessName

principal.process.file.full_path

ProcessId

Data/ProcessId

principal.process.pid

SubjectUserName

Data/SubjectUserName

principal.user.userid

SubjectUserSid

Data/SubjectUserSid

principal.user.windows_sid

version 1 /

NXLog field

Event Viewer field

UDM field

SubjectDomainName

Data/SubjectDomainName

principal.administrative_domain

ProcessName

Data/ProcessName

principal.process.file.full_path

ProcessId

Data/ProcessId

principal.process.pid

SubjectUserName

Data/SubjectUserName

principal.user.userid

SubjectUserSid

Data/SubjectUserSid

principal.user.windows_sid

NewDate

Data/NewDate

target.resource.attribute.labels.key/value

NewTime

Data/NewTime

target.resource.attribute.labels.key/value

PreviousDate

Data/PreviousDate

target.resource.attribute.labels.key/value

PreviousTime

Data/PreviousTime

target.resource.attribute.labels.key/value

Event ID 4618

Provider: Microsoft-Windows-Security-Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

TargetUserDomain

Data/TargetUserDomain

target.administrative_domain

ComputerName

Data/ComputerName

target.hostname

TargetUserName

Data/TargetUserName

target.user.userid

TargetUserSid

Data/TargetUserSid

target.user.windows_sid

TargetLogonId

Data/TargetLogonId

additional.fields.key

additional.fields.value.string_value

Event ID 4621

Provider: Microsoft-Windows-Security-Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

CrashOnAuditFailValue

Data/CrashOnAuditFailValue

security_result.summary

Event ID 4622

Provider: Microsoft-Windows-Security-Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

SecurityPackageName

Data/SecurityPackageName

target.resource.name

Event ID 4624

version 0 / Provider: Microsoft-Windows-Security-Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = USER_LOGIN

security_result.action set to "ALLOW"

LogonType

Data/LogonType

extensions.auth.mechanism and extensions.auth.details

SubjectDomainName

Data/SubjectDomainName

principal.administrative_domain

TargetLogonId

Data/TargetLogonId

target.labels.key/value

additional.fields.key

additional.fields.value.string_value

WorkstationName

Data/WorkstationName

principal.labels.key/value

principal.asset_id

ProcessName

Data/ProcessName

principal.process.command_line

ProcessId

Data/ProcessId

principal.process.pid

SubjectUserName

Data/SubjectUserName

principal.user.userid

SubjectUserSid

Data/SubjectUserSid

principal.user.windows_sid

AuthenticationPackageName

Data/AuthenticationPackageName

security_result.about.resource.name

ElevatedToken

Data/ElevatedToken

security_result.detection_fields.labels.key/value

IpAddress

Data/IpAddress

src.ip

IpPort

Data/IpPort

src.port

TargetDomainName

Data/TargetDomainName

target.administrative_domain

LogonProcessName

Data/LogonProcessName

target.process.file.full_path

TargetUserName

Data/TargetUserName

target.user.userid

TargetUserSid

Data/TargetUserSid

target.user.windows_sid

SubjectLogonId

Data/SubjectLogonId

principal.labels.key/value

KeyLength

Data/KeyLength

target.labels.key/value

LmPackageName

Data/LmPackageName

target.labels.key/value

version 1 /

NXLog field

Event Viewer field

UDM field

ImpersonationLevel

about.labels.key/value

version 2 /

NXLog field

Event Viewer field

UDM field

TargetOutboundUserName

Data/TargetOutboundUserName

target.user.user_display_name

RestrictedAdminMode

about.labels.key/value

TargetLinkedLogonId

about.labels.key/value

Event ID 4625

Provider: Microsoft-Windows-EventSystem

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

param1

Data/param1

additional.fields.key

additional.fields.value.string_value

param2

Data/param2

additional.fields.key

additional.fields.value.string_value

param3

Data/param3

about.registry.registry_key

Provider: Microsoft-Windows-Security-Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = USER_LOGIN

security_result.category = AUTH_VIOLATION

security_result.action = BLOCK

extensions.auth.type set to MACHINE

FailureReason

security_result.about.labels.key

security_result.about.labels.value

LogonType

Data/LogonType

extensions.auth.mechanism and extensions.auth.details

SubjectDomainName

Data/SubjectDomainName

principal.administrative_domain

SubjectLogonId

Data/SubjectLogonId

principal.labels.key/value

additional.fields.key

additional.fields.value.string_value

WorkstationName

Data/WorkstationName

principal.labels.key/value

principal.asset_id

ProcessName

Data/ProcessName

principal.process.command_line

ProcessId

Data/ProcessId

principal.process.pid

SubjectUserName

Data/SubjectUserName

principal.user.userid

SubjectUserSid

Data/SubjectUserSid

principal.user.windows_sid

AuthenticationPackageName

Data/AuthenticationPackageName

security_result.about.resource.name

Status

Data/Status

security_result.summary

Populate the description corresponding to the status code. Format: Status(%{Status}): %{status_description}. If the incoming value is 0xc000006d, then store the value 'The cause is either a bad username or authentication information' (referred from the doc table).

SubStatus

Data/SubStatus

security_result.description

Populate the description corresponding to the sub-status code. Format: SubStatus(%{SubStatus}): %{sub_status_description}. If the incoming value is 0xc000006d, then store the value 'The cause is either a bad username or authentication information' (referred from the doc table).

IpAddress

Data/IpAddress

src.ip

IpPort

Data/IpPort

src.port

TargetDomainName

Data/TargetDomainName

target.administrative_domain

LogonProcessName

Data/LogonProcessName

target.process.file.full_path

TargetUserName

Data/TargetUserName

target.user.userid

TargetUserSid

Data/TargetUserSid

target.user.windows_sid

Event ID 4626

Provider: Microsoft-Windows-Security-Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = USER_LOGIN

LogonType

Data/LogonType

extensions.auth.mechanism and extensions.auth.details

SubjectDomainName

Data/SubjectDomainName

principal.administrative_domain

SubjectUserName

Data/SubjectUserName

principal.user.userid

SubjectUserSid

Data/SubjectUserSid

principal.user.windows_sid

TargetDomainName

Data/TargetDomainName

target.administrative_domain

TargetUserName

Data/TargetUserName

target.user.userid

TargetUserSid

Data/TargetUserSid

target.user.windows_sid

TargetLogonId

Data/TargetLogonId

additional.fields.key

additional.fields.value.string_value

Event ID 4627

Provider: Microsoft-Windows-Security-Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = GROUP_UNCATEGORIZED

LogonType

Data/LogonType

extensions.auth.mechanism and extensions.auth.details

SubjectDomainName

Data/SubjectDomainName

principal.administrative_domain

SubjectUserName

Data/SubjectUserName

principal.user.userid

SubjectUserSid

Data/SubjectUserSid

principal.user.windows_sid

TargetDomainName

Data/TargetDomainName

target.administrative_domain

GroupMembership

Data/GroupMembership

target.user.group_identifiers

TargetUserName

Data/TargetUserName

target.user.userid

TargetUserSid

Data/TargetUserSid

target.user.windows_sid

TargetLogonId

Data/TargetLogonId

additional.fields.key

additional.fields.value.string_value

Event ID 4634

Provider: Microsoft-Windows-Security-Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = USER_LOGOUT

security_result.action = ALLOW

LogonType

Data/LogonType

extensions.auth.mechanism and extensions.auth.details

TargetDomainName

Data/TargetDomainName

target.administrative_domain

TargetUserName

Data/TargetUserName

target.user.userid

TargetUserSid

Data/TargetUserSid

target.user.windows_sid

TargetLogonId

Data/TargetLogonId

target.labels.key/value

additional.fields.key

additional.fields.value.string_value

Event ID 4646

Provider: Microsoft-Windows-Security-Auditing

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_START

Event ID 4647

Provider: Microsoft-Windows-Security-Auditing

metadata.event_type = USER_LOGOUT

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
TargetDomainName      | Data/TargetDomainName      | target.administrative_domain
TargetUserName        | Data/TargetUserName        | target.user.userid
TargetUserSid         | Data/TargetUserSid         | target.user.windows_sid
TargetLogonId         | Data/TargetLogonId         | target.labels.key/value, additional.fields.key, additional.fields.value.string_value

Event ID 4648

Provider: Microsoft-Windows-Security-Auditing

metadata.event_type = USER_LOGIN

security_result.action = ALLOW

extensions.auth.mechanism = USERNAME_PASSWORD

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
SubjectDomainName     | Data/SubjectDomainName     | principal.administrative_domain
TargetServerName      |                            | target.hostname
TargetInfo            |                            | target.labels.key/value
ProcessName           | Data/ProcessName           | principal.process.command_line
ProcessId             | Data/ProcessId             | principal.process.pid
SubjectUserName       | Data/SubjectUserName       | principal.user.userid
SubjectUserSid        | Data/SubjectUserSid        | principal.user.windows_sid
SubjectLogonId        | Data/SubjectLogonId        | principal.labels.key/value
IpAddress             | Data/IpAddress             | src.ip
IpPort                | Data/IpPort                | src.port
TargetDomainName      | Data/TargetDomainName      | target.administrative_domain
TargetUserName        | Data/TargetUserName        | target.user.userid
TargetLogonId         | Data/TargetLogonId         | additional.fields.key, additional.fields.value.string_value

Event ID 4649

Provider: Microsoft-Windows-Security-Auditing

metadata.event_type = SYSTEM_AUDIT_UNCATEGORIZED

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
SubjectDomainName     | Data/SubjectDomainName     | principal.administrative_domain
LogonProcessName      | Data/LogonProcessName      | principal.process.command_line
SubjectUserName       | Data/SubjectUserName       | principal.user.userid
SubjectUserSid        | Data/SubjectUserSid        | principal.user.windows_sid
TargetDomainName      | Data/TargetDomainName      | target.administrative_domain
WorkstationName       | Data/WorkstationName       | principal.labels.key/value, principal.asset_id
ProcessName           | Data/ProcessName           | target.process.command_line
ProcessId             | Data/ProcessId             | target.process.pid
TargetUserName        | Data/TargetUserName        | target.user.userid

Event ID 4650

Provider: Microsoft-Windows-Security-Auditing

metadata.event_type = NETWORK_UNCATEGORIZED

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
LocalMMPrincipalName  | Data/LocalMMPrincipalName  | principal.hostname
LocalAddress          | Data/LocalAddress          | principal.ip
LocalKeyModPort       | Data/LocalKeyModPort       | principal.port
RemoteMMPrincipalName | Data/RemoteMMPrincipalName | target.hostname
RemoteAddress         | Data/RemoteAddress         | target.ip
RemoteKeyModPort      | Data/RemoteKeyModPort      | target.port

Event ID 4651

Provider: Microsoft-Windows-Security-Auditing

metadata.event_type = NETWORK_UNCATEGORIZED

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
LocalMMIssuingCA      | Data/LocalMMIssuingCA      | network.tls.client.certificate.issuer
RemoteMMIssuingCA     | Data/RemoteMMIssuingCA     | network.tls.server.certificate.issuer
LocalMMPrincipalName  | Data/LocalMMPrincipalName  | principal.hostname
LocalAddress          | Data/LocalAddress          | principal.ip
LocalKeyModPort       | Data/LocalKeyModPort       | principal.port
RemoteMMPrincipalName | Data/RemoteMMPrincipalName | target.hostname
RemoteAddress         | Data/RemoteAddress         | target.ip
RemoteKeyModPort      | Data/RemoteKeyModPort      | target.port

Event ID 4652

Provider: Microsoft-Windows-Security-Auditing

metadata.event_type = NETWORK_UNCATEGORIZED

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
LocalMMIssuingCA      | Data/LocalMMIssuingCA      | network.tls.client.certificate.issuer
RemoteMMIssuingCA     | Data/RemoteMMIssuingCA     | network.tls.server.certificate.issuer
LocalMMPrincipalName  | Data/LocalMMPrincipalName  | principal.hostname
LocalAddress          | Data/LocalAddress          | principal.ip
LocalKeyModPort       | Data/LocalKeyModPort       | principal.port
RemoteMMPrincipalName | Data/RemoteMMPrincipalName | target.hostname
RemoteAddress         | Data/RemoteAddress         | target.ip
RemoteKeyModPort      | Data/RemoteKeyModPort      | target.port

Event ID 4653

Provider: Microsoft-Windows-Security-Auditing

metadata.event_type = NETWORK_UNCATEGORIZED

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
LocalAddress          | Data/LocalAddress          | principal.ip
LocalKeyModPort       | Data/LocalKeyModPort       | principal.port
FailureReason         | Data/FailureReason         | security_result.summary
RemoteAddress         | Data/RemoteAddress         | target.ip
RemoteKeyModPort      | Data/RemoteKeyModPort      | target.port

Event ID 4654

version 0 / Provider: Microsoft-Windows-Security-Auditing

metadata.event_type = NETWORK_UNCATEGORIZED

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
Protocol              | Data/Protocol              | network.ip_protocol
LocalAddress          | Data/LocalAddress          | principal.ip
LocalPort             | Data/LocalPort             | principal.port
FailureReason         | Data/FailureReason         | security_result.summary
RemoteAddress         | Data/RemoteAddress         | target.ip
RemotePort            | Data/RemotePort            | target.port

Event ID 4655

Provider: Microsoft-Windows-Security-Auditing

metadata.event_type = NETWORK_UNCATEGORIZED

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
LocalAddress          | Data/LocalAddress          | principal.ip
RemoteAddress         | Data/RemoteAddress         | target.ip

Event ID 4656

version 0 / Provider: Microsoft-Windows-Security-Auditing

metadata.event_type = USER_RESOURCE_ACCESS

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
SubjectDomainName     | Data/SubjectDomainName     | principal.administrative_domain
HandleId              |                            | target.resource.attribute.labels.key/value
ProcessName           | Data/ProcessName           | principal.process.file.full_path
ProcessId             | Data/ProcessId             | principal.process.pid
TransactionId         |                            | target.resource.attribute.labels.key/value
RestrictedSidCount    |                            | target.resource.attribute.labels.key/value
SubjectUserName       | Data/SubjectUserName       | principal.user.userid
SubjectUserSid        | Data/SubjectUserSid        | principal.user.windows_sid
ObjectName            | Data/ObjectName            | target.file.full_path (when ObjectType = "File"); target.process.command_line (when ObjectType = "Process")
AccessList            | Data/AccessList            | target.resource.attribute.permissions.name
PrivilegeList         | Data/PrivilegeList         | target.user.attribute.permissions.name
ObjectType            | Data/ObjectType            | target.resource.resource_subtype
ObjectServer          |                            | target.resource.attribute.labels.key/value
AccessMask            | Data/AccessMask            | principal.process.access_mask
SubjectLogonId        | Data/SubjectLogonId        | principal.labels.key/value

Event ID 4657

Provider: Microsoft-Windows-Security-Auditing

metadata.event_type = REGISTRY_MODIFICATION

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
SubjectDomainName     | Data/SubjectDomainName     | principal.administrative_domain
OperationType         |                            | target.labels.key/value
ProcessName           | Data/ProcessName           | principal.process.file.full_path
ProcessId             | Data/ProcessId             | principal.process.pid
SubjectUserName       | Data/SubjectUserName       | principal.user.userid
SubjectUserSid        | Data/SubjectUserSid        | principal.user.windows_sid
ObjectName            | Data/ObjectName            | target.registry.registry_key
OldValueType          |                            | target.labels.key/value
OldValue              |                            | target.labels.key/value
NewValueType          |                            | target.labels.key/value
NewValue              | Data/NewValue              | target.registry.registry_value_data
ObjectValueName       | Data/ObjectValueName       | target.registry.registry_value_name
SubjectLogonId        | Data/SubjectLogonId        | principal.labels.key/value
HandleId              |                            | target.labels.key/value

Event ID 4658

Provider: Microsoft-Windows-Security-Auditing

metadata.event_type = USER_RESOURCE_ACCESS

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
SubjectDomainName     | Data/SubjectDomainName     | principal.administrative_domain
ProcessName           | Data/ProcessName           | principal.process.file.full_path
ProcessId             | Data/ProcessId             | principal.process.pid
HandleId              |                            | target.labels.key/value
SubjectUserName       | Data/SubjectUserName       | principal.user.userid
ObjectServer          |                            | target.labels.key/value
SubjectUserSid        | Data/SubjectUserSid        | principal.user.windows_sid

Event ID 4659

Provider: Microsoft-Windows-Security-Auditing

metadata.event_type = USER_RESOURCE_ACCESS

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
SubjectDomainName     | Data/SubjectDomainName     | principal.administrative_domain
ProcessId             | Data/ProcessId             | principal.process.pid
SubjectUserName       | Data/SubjectUserName       | principal.user.userid
SubjectUserSid        | Data/SubjectUserSid        | principal.user.windows_sid
ObjectName            | Data/ObjectName            | target.file.full_path (when ObjectType = "File"); target.process.command_line (when ObjectType = "Process")
AccessList            | Data/AccessList            | target.resource.attribute.permissions.name
PrivilegeList         | Data/PrivilegeList         | target.user.attribute.permissions.name

Event ID 4660

Provider: Microsoft-Windows-Security-Auditing

metadata.event_type = USER_RESOURCE_DELETION

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
SubjectDomainName     | Data/SubjectDomainName     | principal.administrative_domain
HandleId              |                            | target.resource.attribute.labels.key/value
ProcessName           | Data/ProcessName           | principal.process.file.full_path
ProcessId             | Data/ProcessId             | principal.process.pid
SubjectUserName       | Data/SubjectUserName       | principal.user.userid
SubjectUserSid        | Data/SubjectUserSid        | principal.user.windows_sid
TransactionId         |                            | target.resource.attribute.labels.key/value
ObjectServer          |                            | target.resource.attribute.labels.key/value
SubjectLogonId        | Data/SubjectLogonId        | principal.labels.key/value

Event ID 4661

event version 1 / Provider: Microsoft-Windows-Security-Auditing

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
AccessReason          | Data/AccessReason          | security_result.description
RestrictedSidCount    |                            | target.labels.key/value

event version 0 / Provider: Microsoft-Windows-Security-Auditing

metadata.event_type = USER_RESOURCE_ACCESS

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
SubjectDomainName     | Data/SubjectDomainName     | principal.administrative_domain
ObjectType            |                            | target.labels.key/value
ProcessName           | Data/ProcessName           | principal.process.file.full_path
HandleId              |                            | target.labels.key/value
TransactionId         |                            | target.labels.key/value
ProcessId             | Data/ProcessId             | principal.process.pid
SubjectUserName       | Data/SubjectUserName       | principal.user.userid
SubjectUserSid        | Data/SubjectUserSid        | principal.user.windows_sid
ObjectName            | Data/ObjectName            | target.group.group_display_name (when ObjectType is SAM_ALIAS or SAM_GROUP); target.user.userid (when ObjectType is SAM_USER); target.administrative_domain (when ObjectType is SAM_DOMAIN); target.hostname (when ObjectType is SAM_SERVER)
AccessList            | Data/AccessList            | target.resource.attribute.permissions.name
PrivilegeList         | Data/PrivilegeList         | target.user.attribute.permissions.name
ObjectServer          |                            | target.labels.key/value
SubjectLogonId        | Data/SubjectLogonId        | principal.labels.key/value

Event ID 4662

Provider: Microsoft-Windows-Security-Auditing

metadata.event_type = USER_RESOURCE_ACCESS

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
SubjectDomainName     | Data/SubjectDomainName     | principal.administrative_domain
HandleId              |                            | target.resource.attribute.labels.key/value
SubjectUserName       | Data/SubjectUserName       | principal.user.userid
ObjectType            |                            | target.resource.resource_subtype
SubjectUserSid        | Data/SubjectUserSid        | principal.user.windows_sid
SubjectLogonId        | Data/SubjectLogonId        | principal.labels.key/value, additional.fields.key, additional.fields.value.string_value
AdditionalInfo        | Data/AdditionalInfo        | security_result.description
AdditionalInfo2       |                            | security_result.detection_fields.key/value
Properties            | Data/Properties            | security_result.detection_fields.key/value
AccessMask            | Data/AccessMask            | principal.process.access_mask, principal.resource.attribute.permissions
ObjectName            | Data/ObjectName            | target.resource.name
ObjectServer          | Data/ObjectServer          | target.resource.parent

Event ID 4663

version 0 / Provider: Microsoft-Windows-Security-Auditing

metadata.event_type depends on ObjectType:

ObjectType         | metadata.event_type
-------------------+-----------------------
File, SymbolicLink | FILE_OPEN
Key                | REGISTRY_UNCATEGORIZED
Process            | PROCESS_OPEN
Event              | USER_RESOURCE_ACCESS

ObjectName (Data/ObjectName) also maps by ObjectType:

ObjectType         | UDM field
-------------------+-------------------------------
File, SymbolicLink | target.file.full_path
Key                | target.registry.registry_key
Process            | target.process.file.full_path
Event              | target.resource.name

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
SubjectDomainName     | Data/SubjectDomainName     | principal.administrative_domain
ObjectType            |                            | target.resource.resource_subtype
HandleId              |                            | target.resource.attribute.labels.key/value
ProcessName           | Data/ProcessName           | principal.process.file.full_path
ProcessId             | Data/ProcessId             | principal.process.pid
SubjectUserName       | Data/SubjectUserName       | principal.user.userid
SubjectUserSid        | Data/SubjectUserSid        | principal.user.windows_sid
SubjectLogonId        | Data/SubjectLogonId        | principal.labels.key/value
AccessList            | Data/AccessList            | target.resource.attribute.permissions.name
ObjectServer          |                            | target.resource.attribute.labels.key/value
ResourceAttributes    |                            | target.resource.attribute.labels.key/value
AccessMask            | Data/AccessMask            | principal.process.access_mask, principal.resource.attribute.permissions

Event ID 4664

Provider: Microsoft-Windows-Security-Auditing

metadata.event_type = FILE_CREATION

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
SubjectDomainName     | Data/SubjectDomainName     | principal.administrative_domain
SubjectUserName       | Data/SubjectUserName       | principal.user.userid
SubjectUserSid        | Data/SubjectUserSid        | principal.user.windows_sid
SubjectLogonId        | Data/SubjectLogonId        | principal.labels.key/value
FileName              | Data/FileName              | target.file.full_path
TransactionId         |                            | target.resource.attribute.labels.key/value
LinkName              | Data/LinkName              | target.resource.name

Event ID 4665

Provider: Microsoft-Windows-Security-Auditing

metadata.event_type = RESOURCE_CREATION

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
ClientDomain          | Data/ClientDomain          | principal.administrative_domain
ClientName            | Data/ClientName            | principal.labels.key/value
AppName               | Data/AppName               | target.application
AppInstance           | Data/AppInstance           | target.resource.product_object_id

Event ID 4666

Provider: Microsoft-Windows-Security-Auditing

metadata.event_type = USER_RESOURCE_ACCESS

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
ClientDomain          | Data/ClientDomain          | principal.administrative_domain
AppInstance           |                            | target.resource.product_object_id
ClientName            | Data/ClientName            | principal.labels.key/value
AppName               | Data/AppName               | target.application
ObjectName            | Data/ObjectName            | target.resource.name

Event ID 4667

Provider: Microsoft-Windows-Security-Auditing

metadata.event_type = RESOURCE_DELETION

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
ClientDomain          | Data/ClientDomain          | principal.administrative_domain
AppInstance           |                            | target.resource.product_object_id
ClientName            | Data/ClientName            | principal.labels.key/value
AppName               | Data/AppName               | target.application

Event ID 4668

Provider: Microsoft-Windows-Security-Auditing

metadata.event_type = STATUS_UPDATE

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
ClientDomain          | Data/ClientDomain          | principal.administrative_domain
ClientName            | Data/ClientName            | principal.labels.key/value
AppInstance           |                            | target.resource.product_object_id
AppName               | Data/AppName               | target.application

Event ID 4670

Provider: Microsoft-Windows-Security-Auditing

metadata.event_type depends on ObjectType:

ObjectType         | metadata.event_type
-------------------+-----------------------
File, SymbolicLink | FILE_OPEN
Key                | REGISTRY_UNCATEGORIZED
Process            | PROCESS_OPEN
Event              | USER_RESOURCE_ACCESS

ObjectName (Data/ObjectName) also maps by ObjectType:

ObjectType         | UDM field
-------------------+-------------------------------
File, SymbolicLink | target.file.full_path
Key                | target.registry.registry_key
Process            | target.process.file.full_path
Event              | target.resource.name

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
SubjectDomainName     | Data/SubjectDomainName     | principal.administrative_domain
HandleId              |                            | target.resource.attribute.labels.key/value
ProcessName           | Data/ProcessName           | principal.process.file.full_path
ProcessId             | Data/ProcessId             | principal.process.pid
SubjectUserName       | Data/SubjectUserName       | principal.user.userid
SubjectUserSid        | Data/SubjectUserSid        | principal.user.windows_sid
SubjectLogonId        | Data/SubjectLogonId        | principal.labels.key/value
ObjectServer          |                            | target.resource.attribute.labels.key/value
OldSd                 | Data/OldSd                 | security_result.detection_fields.key/value
NewSd                 | Data/NewSd                 | security_result.detection_fields.key/value
ObjectType            |                            | target.resource.resource_subtype
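The 4663 and 4670 mappings above are the ones where the parser's output shape changes with the event's ObjectType: both metadata.event_type and the field that receives ObjectName are selected from it. The following Python is an added example, not the WINEVTLOG parser's own code: it reads a Windows event XML record, applies the two tables as documented, and adds the event-specific fields (AccessList and AccessMask for 4663, OldSd and NewSd for 4670). Assumptions not stated on the page: ProcessId is converted from the hex form the Security log writes (0x1a4) to a number, AccessList is split on whitespace into its %%nnnn tokens, and an ObjectType the tables do not list is rejected rather than guessed. The two sample events are constructed for the demonstration, not captured from a host.

```python
"""Added example (not the Google Security Operations WINEVTLOG parser's code):
apply the documented Event ID 4663 / 4670 mapping to Windows event XML."""
import json
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# metadata.event_type and the ObjectName destination, by ObjectType (from the tables).
OBJECT_TYPE_MAP = {
    "File":         ("FILE_OPEN",              "target.file.full_path"),
    "SymbolicLink": ("FILE_OPEN",              "target.file.full_path"),
    "Key":          ("REGISTRY_UNCATEGORIZED", "target.registry.registry_key"),
    "Process":      ("PROCESS_OPEN",           "target.process.file.full_path"),
    "Event":        ("USER_RESOURCE_ACCESS",   "target.resource.name"),
}
# One-to-one mappings shared by 4663 and 4670.
DIRECT = {
    "SubjectDomainName": "principal.administrative_domain",
    "SubjectUserName":   "principal.user.userid",
    "SubjectUserSid":    "principal.user.windows_sid",
    "ProcessName":       "principal.process.file.full_path",
    "ObjectType":        "target.resource.resource_subtype",
}
PRINCIPAL_LABELS = ("SubjectLogonId",)
RESOURCE_LABELS = ("HandleId", "ObjectServer", "ResourceAttributes")


def parse_event(xml_text):
    """Return (EventID, {Data Name: text}) from a Windows event XML document."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find(f"{NS}System/{NS}EventID").text)
    data = {d.get("Name"): (d.text or "").strip() for d in root.iter(f"{NS}Data")}
    return event_id, data


def to_udm(xml_text):
    """Map one 4663 or 4670 event to a flat dict keyed by UDM field path."""
    event_id, data = parse_event(xml_text)
    if event_id not in (4663, 4670):
        raise ValueError(f"EventID {event_id} is not handled by this example")
    obj_type = data.get("ObjectType")
    if obj_type not in OBJECT_TYPE_MAP:
        # The tables list only these ObjectType values; do not guess for others.
        raise ValueError(f"ObjectType {obj_type!r} is not in the documented mapping")

    event_type, target_field = OBJECT_TYPE_MAP[obj_type]
    udm = {"metadata.event_type": event_type}
    if "ObjectName" in data:
        udm[target_field] = data["ObjectName"]
    for src, dst in DIRECT.items():
        if src in data:
            udm[dst] = data[src]
    if "ProcessId" in data:
        # Assumption: the Security log writes ProcessId as hex (e.g. 0x1a4).
        udm["principal.process.pid"] = int(data["ProcessId"], 16)
    udm["principal.labels"] = {k: data[k] for k in PRINCIPAL_LABELS if k in data}
    udm["target.resource.attribute.labels"] = {
        k: data[k] for k in RESOURCE_LABELS if k in data}
    if event_id == 4663:
        if "AccessList" in data:
            # Assumption: AccessList is a whitespace-separated list of %%nnnn tokens.
            udm["target.resource.attribute.permissions.name"] = data["AccessList"].split()
        if "AccessMask" in data:
            udm["principal.process.access_mask"] = data["AccessMask"]
    else:  # 4670: old and new security descriptors become detection fields
        udm["security_result.detection_fields"] = {
            k: data[k] for k in ("OldSd", "NewSd") if k in data}
    return udm


def make_event(event_id, **fields):
    """Build a constructed (not captured) Security-log event for demonstration."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System>'
            '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID></System>'
            f'<EventData>{body}</EventData></Event>')


# Constructed sample events; values are illustrative, not from a real host.
SAMPLE_4663_FILE = make_event(
    4663, SubjectUserSid="S-1-5-21-1111-2222-3333-1001", SubjectUserName="alice",
    SubjectDomainName="CORP", SubjectLogonId="0x3e7", ObjectServer="Security",
    ObjectType="File", ObjectName=r"C:\Users\alice\secret.txt", HandleId="0x1f4",
    AccessList="%%4416\n\t\t\t\t%%4417\n\t\t\t\t", AccessMask="0x3",
    ProcessId="0x1a4", ProcessName=r"C:\Windows\System32\notepad.exe")
SAMPLE_4670_KEY = make_event(
    4670, SubjectUserSid="S-1-5-18", SubjectUserName="SYSTEM",
    SubjectDomainName="NT AUTHORITY", SubjectLogonId="0x3e7", ObjectServer="Security",
    ObjectType="Key", ObjectName=r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Svc",
    HandleId="0x2a0", OldSd="D:(A;;KA;;;SY)", NewSd="D:(A;;KA;;;SY)(A;;KA;;;BA)",
    ProcessId="0x4", ProcessName="System")

if __name__ == "__main__":
    for sample in (SAMPLE_4663_FILE, SAMPLE_4670_KEY):
        print(json.dumps(to_udm(sample), indent=2))
```

Running the module prints the two mapped records; the File event comes out as FILE_OPEN with ObjectName in target.file.full_path, the Key event as REGISTRY_UNCATEGORIZED with ObjectName in target.registry.registry_key, and neither record carries the other's target field. Feeding the function an event whose ObjectType is outside the table raises rather than silently producing a USER_RESOURCE_ACCESS record, which is the behaviour to want when checking a parser against this reference.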

Event ID 4671

Provider: Microsoft-Windows-Security-Auditing

metadata.event_type = STATUS_UPDATE

security_result.action = BLOCK

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
CallerDomainName      | Data/CallerDomainName      | principal.administrative_domain
CallerUserName        | Data/CallerUserName        | principal.user.userid
CallerUserSid         | Data/CallerUserSid         | principal.user.windows_sid

Event ID 4672

Provider: Microsoft-Windows-Security-Auditing

metadata.event_type = USER_LOGIN

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
SubjectDomainName     | Data/SubjectDomainName     | target.administrative_domain
PrivilegeList         | Data/PrivilegeList         | target.user.attribute.permissions.name
SubjectUserName       | Data/SubjectUserName       | target.user.userid
SubjectUserSid        | Data/SubjectUserSid        | target.user.windows_sid
SubjectLogonId        | Data/SubjectLogonId        | principal.labels.key/value

Event ID 4673

Provider: Microsoft-Windows-Security-Auditing

metadata.event_type = SERVICE_UNSPECIFIED

If the fields required for SERVICE_UNSPECIFIED are not present in the event, metadata.event_type is set to GENERIC_EVENT instead.

NXLog field           | Event Viewer field         | UDM field
----------------------+----------------------------+-----------------------------------------
SubjectDomainName     | Data/SubjectDomainName     | principal.administrative_domain
Service               |                            | target.application

SubjectUserName

Data/SubjectUserName

principal.user.us