Collect Microsoft Windows Event data
This document describes the deployment architecture, installation steps, and required configuration that produce logs supported by the Google Security Operations parser for Windows events. This document also includes information about how the parser maps fields in the original log to Google Security Operations Unified Data Model fields. For an overview of Google Security Operations data ingestion, see Data ingestion to Google Security Operations.
To ingest Windows event logs into Google Security Operations, you can use either NXLog forwarder ingestion or Google Cloud native ingestion. For more information about native ingestion, see Ingest Google Cloud data to Google Security Operations.
Information in this document applies to the parser with the WINEVTLOG ingestion label. The ingestion label identifies which parser normalizes raw log data to structured UDM format.
Before you begin
Review the recommended deployment architecture
If your deployment includes a Windows server on Google Cloud, we recommend Google Cloud native ingestion. Otherwise, use NXLog forwarder ingestion.
Google Cloud native ingestion architecture
The WINEVTLOG parser supports Google Cloud native ingestion for Windows events whose Provider value is Microsoft-Windows-Security-Auditing. Events from other providers (for example, the Application and System channels) need the NXLog forwarder path described in this document.
Configure Ops Agent to ingest Microsoft Windows Event logs into Google Security Operations
- Deploy a Windows server in Google Cloud.
- Configure an Ops Agent on the Windows server.
- Install the Cloud Logging agent on the Windows server.
- Enable the following export filter in the Google Security Operations instance: (log_id("winevt.raw") OR log_id("windows_event_log")). For more information, see Ingest Google Cloud data to Google Security Operations.
NXLog forwarder ingestion deployment architecture
This diagram illustrates the recommended foundational components in a deployment architecture that collects and sends Microsoft Windows Event data to Google Security Operations. Compare it with your environment to confirm these components are installed. Each customer deployment differs from this representation and may be more complex. The following is required:
- Systems in the deployment architecture are configured with the UTC time zone.
- Microsoft Windows systems in the deployment architecture use Source Initiated Subscriptions to collect events across multiple devices.
- The WinRM service is enabled for remote system management.
- The collector Microsoft Windows server receives logs from servers, endpoints, and domain controllers.
- NXLog is installed on the collector Microsoft Windows server and forwards logs to the Google Security Operations forwarder.
- The Google Security Operations forwarder is installed on the central Microsoft Windows or Linux server.
Review the supported devices and versions
The Google Security Operations parser supports logs from the following Microsoft Windows Server versions. Microsoft Windows Server is released in the Foundation, Essentials, Standard, and Datacenter editions; the event schema of the logs does not differ between editions.
- Microsoft Windows Server 2019
- Microsoft Windows Server 2016
- Microsoft Windows Server 2012
Google Security Operations parser supports logs from Microsoft Windows 10 and higher client systems.
Google Security Operations parser supports logs collected by NXLog Community or Enterprise Edition.
Review the supported log types
The Google Security Operations parser supports the following log types generated by Microsoft Windows systems. For more information about these log types, see the Microsoft Windows Event Log documentation. The parser supports logs generated with English-language text; logs generated in other languages are not supported.
Log Type | Notes |
---|---|
Security | Security audit and event logs. |
Application | Events logged by applications or programs. If the provider's event manifest is not installed on the collector, Application log messages cannot be rendered and fields arrive missing or as raw hex values. |
System | Events logged by Microsoft Windows system components. |
Configure the Microsoft Windows servers, endpoints, and domain controllers
- Install and configure the servers, endpoints, and domain controllers.
- Configure all systems with the UTC time zone.
- Configure devices to forward logs to a collector Microsoft Windows server.
- Configure a Source Initiated Subscription on the collector Microsoft Windows server. For information, see Setting up a Source Initiated Subscription.
- Enable WinRM on the Microsoft Windows servers and clients. For information, see Installation and configuration for Microsoft Windows Remote Management.
Configure the Microsoft Windows collector server
Set up a collector Microsoft Windows server that receives events from the other systems and forwards them to the Google Security Operations forwarder.
- Configure the system with the UTC time zone.
- Install NXLog. Follow the NXLog documentation.
- Create a configuration file for NXLog. The im_msvistalog input module reads the Security channel (the query below also selects the Application and System channels), and the om_tcp output module sends the events as JSON to the Google Security Operations forwarder. Replace <hostname> and <port> with the address and listening port of the central Microsoft Windows or Linux server (the forwarder example below listens on TCP port 10518). Adjust ROOT if NXLog is installed in a different directory, for example C:\Program Files\nxlog for the 64-bit build. See the NXLog documentation for information about the om_tcp module.

    define ROOT C:\Program Files (x86)\nxlog
    define WINEVTLOG_OUTPUT_DESTINATION_ADDRESS <hostname>
    define WINEVTLOG_OUTPUT_DESTINATION_PORT <port>
    define CERTDIR %ROOT%\cert
    define CONFDIR %ROOT%\conf
    define LOGDIR %ROOT%\data
    define LOGFILE %LOGDIR%\nxlog.log

    LogFile %LOGFILE%
    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data

    <Extension _json>
        Module xm_json
    </Extension>

    <Input windows_security_eventlog>
        Module im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id="0">
                    <Select Path="Application">*</Select>
                    <Select Path="System">*</Select>
                    <Select Path="Security">*</Select>
                </Query>
            </QueryList>
        </QueryXML>
        ReadFromLast False
        SavePos False
    </Input>

    <Output out_chronicle_windevents>
        Module om_tcp
        Host %WINEVTLOG_OUTPUT_DESTINATION_ADDRESS%
        Port %WINEVTLOG_OUTPUT_DESTINATION_PORT%
        Exec $EventTime = integer($EventTime) / 1000;
        Exec $EventReceivedTime = integer($EventReceivedTime) / 1000;
        Exec to_json();
    </Output>

    <Route r2>
        Path windows_security_eventlog => out_chronicle_windevents
    </Route>

  Two settings in this file deserve a check before the collector goes live. ReadFromLast False together with SavePos False makes NXLog read every event from the beginning of each channel each time the service starts, so a restart re-sends the whole log and produces duplicate events in Google Security Operations; once the initial backfill is done, SavePos True lets NXLog resume from its saved position. The om_tcp module also sends the JSON unencrypted, so keep the collector-to-forwarder hop on a trusted network segment. The two Exec lines convert NXLog's microsecond timestamps to milliseconds, which is the unit the parser expects for EventTime.
- Start the NXLog service.
Configure the central Microsoft Windows or Linux server
See the Installing and configuring the forwarder on Linux or Installing and configuring the forwarder on Microsoft Windows for information about installing and configuring the forwarder.
- Configure the system with the UTC time zone.
- Install the Google Security Operations forwarder on the central Microsoft Windows or Linux server.
- Configure the Google Security Operations forwarder to send logs to Google Security Operations. The following example collector entry listens on TCP port 10518 for the NXLog output and tags the data with the WINEVTLOG ingestion label:

    - syslog:
        common:
          enabled: true
          data_type: WINEVTLOG
          batch_n_seconds: 10
          batch_n_bytes: 1048576
        tcp_address: 0.0.0.0:10518
        connection_timeout_sec: 60
Field mapping reference: Common device event fields to UDM fields
The following fields are common across multiple Event IDs and are mapped the same way.
NXLog field | UDM field |
---|---|
EventTime | metadata.event_timestamp |
Hostname | principal.hostname |
EventID | product_event_type is set to "%{EventID}" security_result.rule_name is set to "EventID: %{EventID}" |
SourceName | metadata.product_name is set to "%{SourceName}"; metadata.vendor is set to "Microsoft" |
Category | about.labels.key/value, additional.fields.key, additional.fields.value.string_value |
Channel | about.labels.key/value, additional.fields.key, additional.fields.value.string_value |
Severity | Mapped to security_result.severity as follows: original value 0 (None) is set to UNKNOWN_SEVERITY; 1 (Critical) is set to INFORMATIONAL; 2 (Error) is set to ERROR; 3 (Warning) is set to ERROR; 4 (Informational) is set to INFORMATIONAL; 5 (Verbose) is set to INFORMATIONAL. |
UserID | principal.user.windows_sid |
ExecutionProcessID | principal.process.pid |
ProcessID | principal.process.pid |
ProviderGuid | metadata.product_deployment_id |
RecordNumber | metadata.product_log_id |
SourceModuleName | observer.labels.key/value, additional.fields.key, additional.fields.value.string_value |
SourceModuleType | observer.application |
Opcode | about.labels.key/value, additional.fields.key, additional.fields.value.string_value |
ActivityID | security_result.detection_fields.key/value |
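As an added example (not Google Security Operations parser code), the following Python applies the common-field table above to one NXLog record and returns a flat dictionary keyed by UDM field path. The record is a constructed sample in the shape the om_tcp output emits after to_json(), with EventTime already divided by 1000 (milliseconds since the Unix epoch); the field names are the ones in the NXLog field column, and the numeric Severity value is assumed to use the 0 to 5 scale the table lists.

```python
"""Added example: common NXLog field -> UDM mapping for one Windows event.

Not Google Security Operations parser code. Assumes the input is the JSON
object the NXLog om_tcp output emits (EventTime in milliseconds) and that the
numeric Severity value uses the 0..5 scale from the common-field table.
"""
import json
from datetime import datetime, timezone

# Severity mapping exactly as the common-field table states it.
SEVERITY_TO_UDM = {
    0: "UNKNOWN_SEVERITY",  # None
    1: "INFORMATIONAL",     # Critical (as documented in the table)
    2: "ERROR",             # Error
    3: "ERROR",             # Warning
    4: "INFORMATIONAL",     # Informational
    5: "INFORMATIONAL",     # Verbose
}

# Fields the table routes into additional.fields as key/value labels.
LABEL_FIELDS = ("Category", "Channel", "SourceModuleName", "Opcode")


def udm_severity(value):
    """Translate the numeric severity; anything unknown or missing is UNKNOWN_SEVERITY."""
    try:
        return SEVERITY_TO_UDM.get(int(value), "UNKNOWN_SEVERITY")
    except (TypeError, ValueError):
        return "UNKNOWN_SEVERITY"


def event_timestamp(millis):
    """EventTime arrives as integer milliseconds (NXLog microseconds / 1000); emit RFC 3339 UTC."""
    return datetime.fromtimestamp(int(millis) / 1000, tz=timezone.utc).isoformat()


def map_common_fields(raw_line):
    """Return {UDM path: value} for the common fields of one NXLog JSON line."""
    rec = json.loads(raw_line)
    udm = {
        "metadata.event_timestamp": event_timestamp(rec["EventTime"]),
        "metadata.vendor": "Microsoft",
        "metadata.product_name": str(rec.get("SourceName", "")),
        "metadata.product_event_type": str(rec.get("EventID", "")),
        "security_result.rule_name": "EventID: %s" % rec.get("EventID", ""),
        "security_result.severity": udm_severity(rec.get("Severity")),
        "principal.hostname": rec.get("Hostname"),
        "principal.user.windows_sid": rec.get("UserID"),
        # Both ProcessID and ExecutionProcessID map to principal.process.pid.
        "principal.process.pid": rec.get("ProcessID", rec.get("ExecutionProcessID")),
        "metadata.product_deployment_id": rec.get("ProviderGuid"),
        "metadata.product_log_id": str(rec.get("RecordNumber", "")),
        "observer.application": rec.get("SourceModuleType"),
        "additional.fields": [
            {"key": k, "value": {"string_value": str(rec[k])}}
            for k in LABEL_FIELDS if k in rec
        ],
    }
    if "ActivityID" in rec:
        udm["security_result.detection_fields"] = [
            {"key": "ActivityID", "value": rec["ActivityID"]}
        ]
    # Drop fields absent from the record so the output only carries real data.
    return {k: v for k, v in udm.items() if v not in (None, "", [])}


# Constructed sample record in the shape the NXLog output produces.
SAMPLE_LINE = json.dumps({
    "EventTime": 1700000000000,
    "Hostname": "dc01.corp.example",
    "EventID": 4624,
    "SourceName": "Microsoft-Windows-Security-Auditing",
    "Channel": "Security",
    "Category": "Logon",
    "Severity": 4,
    "UserID": "S-1-5-18",
    "ProcessID": 656,
    "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "RecordNumber": 123456,
    "SourceModuleName": "windows_security_eventlog",
    "SourceModuleType": "im_msvistalog",
    "Opcode": "Info",
})

if __name__ == "__main__":
    print(json.dumps(map_common_fields(SAMPLE_LINE), indent=2))
```

Running the block prints the UDM view of the sample logon event; the timestamp comes out as 2023-11-14T22:13:20+00:00, which is a quick way to confirm that the millisecond conversion in the NXLog Exec line is correct before the parser sees real data.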
Field mapping reference: device event field to UDM field by EventID
The following sections describe how NXLog and Event Viewer fields are mapped to UDM fields. Data may be mapped differently for different Microsoft Windows Event IDs.
Each section heading identifies the Event ID and the provider, plus the event version (for example, version 0) and the operating system (for example, Microsoft Windows 10 client) where applicable. An Event ID has more than one section when the mapping differs by provider, version, or operating system.
Event ID 0
Provider: Directory Synchronization
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UNCATEGORIZED. If the fields required for that event type are not present, metadata.event_type is set to STATUS_UPDATE. |
Data | | security_result.summary |
Provider: gupdate
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE |
Provider: hcmon
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE. target_resource_name is set to target.resource.name. |
Provider: edgeupdate
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UNCATEGORIZED |
Event ID 1
Provider: Microsoft-Windows-FilterManager
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Domain | System/Domain | principal.administrative_domain |
AccountName | System/AccountName | principal.user.userid |
UserID | System/UserID | principal.user.windows_sid |
version 0 / Provider: Microsoft-Windows-Kernel-General
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Domain | System/Domain | principal.administrative_domain |
AccountName | System/AccountName | principal.user.userid |
UserID | System/UserID | principal.user.windows_sid |
version 1 / Provider: Microsoft-Windows-Kernel-General
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE |
Reason | Data/Reason | security_result.description |
ProcessName | Data/ProcessName | principal.process.command_line |
ProcessID | Data/ProcessID | principal.process.pid |
Provider: Microsoft-Windows-Sysmon
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = PROCESS_LAUNCH. If EventLevelName contains "Information", security_result.severity = INFORMATIONAL. |
EventData.Hashes | | Split by hash algorithm: MD5 is set to target.process.file.md5, SHA256 is set to target.process.file.sha256, SHA1 is set to target.process.file.sha1. |
EventData.User | | Domain is set to principal.administrative_domain; username is set to principal.user.userid. |
Description | | metadata.description |
CommandLine | | target.process.command_line |
Image | | target.process.file.full_path |
ParentCommandLine | | target.process.parent_process.command_line |
ParentImage | | target.process.parent_process.file.full_path |
ParentProcessId | | target.process.parent_process.pid |
ProcessId | | target.process.pid |
EventOriginId | | target.process.product_specific_process_id is set to "sysmon:%{EventOriginId}" |
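The Sysmon Event ID 1 rows above, as an added Python example that is not the parser's own code: it splits the Hashes string by algorithm and keeps only the three algorithms the table names (IMPHASH and anything else is dropped), splits DOMAIN\user into domain and user name, copies the direct fields, and builds the sysmon: identifier. The sample record is constructed; it assumes NXLog's im_msvistalog has flattened the Sysmon EventData values into top-level fields named as in the NXLog field column, and the process GUID and command line in it are invented.

```python
"""Added example: Sysmon Event ID 1 (process create) -> UDM, per the table above.

Not Google Security Operations parser code. Assumes the Sysmon EventData
values arrive as top-level NXLog fields (Hashes, User, Image, ...).
"""
import json

# Only the algorithms the table maps; anything else in Hashes is ignored.
HASH_TO_UDM = {
    "MD5": "target.process.file.md5",
    "SHA1": "target.process.file.sha1",
    "SHA256": "target.process.file.sha256",
}

# Fields copied one-to-one from the NXLog record to a UDM path.
DIRECT_FIELDS = {
    "Description": "metadata.description",
    "CommandLine": "target.process.command_line",
    "Image": "target.process.file.full_path",
    "ParentCommandLine": "target.process.parent_process.command_line",
    "ParentImage": "target.process.parent_process.file.full_path",
    "ParentProcessId": "target.process.parent_process.pid",
    "ProcessId": "target.process.pid",
}


def split_hashes(hashes):
    """'SHA1=..,MD5=..,SHA256=..,IMPHASH=..' -> {UDM path: digest}; unknown algorithms skipped."""
    out = {}
    for item in (hashes or "").split(","):
        algo, sep, digest = item.partition("=")
        path = HASH_TO_UDM.get(algo.strip().upper())
        if sep and path and digest.strip():
            out[path] = digest.strip()
    return out


def split_user(user):
    """'CORP\\alice' -> ('CORP', 'alice'); a bare user name has no domain."""
    domain, sep, name = (user or "").rpartition("\\")
    return (domain, name) if sep else (None, name)


def map_sysmon_process_create(raw_line):
    """Return {UDM path: value} for one Sysmon Event ID 1 record."""
    rec = json.loads(raw_line)
    udm = {"metadata.event_type": "PROCESS_LAUNCH"}
    if "Information" in str(rec.get("EventLevelName", "")):
        udm["security_result.severity"] = "INFORMATIONAL"
    udm.update(split_hashes(rec.get("Hashes")))
    domain, userid = split_user(rec.get("User"))
    if domain:
        udm["principal.administrative_domain"] = domain
    if userid:
        udm["principal.user.userid"] = userid
    for src, dst in DIRECT_FIELDS.items():
        if rec.get(src) not in (None, ""):
            udm[dst] = rec[src]
    if rec.get("EventOriginId"):
        udm["target.process.product_specific_process_id"] = "sysmon:%s" % rec["EventOriginId"]
    return udm


# Constructed sample: a Sysmon process-creation event as NXLog would emit it.
SAMPLE_LINE = json.dumps({
    "EventID": 1,
    "SourceName": "Microsoft-Windows-Sysmon",
    "EventLevelName": "Information",
    "EventOriginId": "{9f5c3d0b-0000-0000-0000-000000000001}",  # invented GUID
    "User": "CORP\\alice",
    "Description": "Windows PowerShell",
    "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
    "ProcessId": 4120,
    "ParentImage": "C:\\Windows\\System32\\cmd.exe",
    "ParentCommandLine": "cmd.exe /c start",
    "ParentProcessId": 3900,
    # Digests of empty input, used here only as well-formed sample values.
    "Hashes": "SHA1=DA39A3EE5E6B4B0D3255BFEF95601890AFD80709,"
              "MD5=D41D8CD98F00B204E9800998ECF8427E,"
              "SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,"
              "IMPHASH=00000000000000000000000000000000",
})

if __name__ == "__main__":
    print(json.dumps(map_sysmon_process_create(SAMPLE_LINE), indent=2))
```

The order of algorithms inside Hashes depends on the Sysmon HashAlgorithms setting, which is why the example keys on the algorithm name rather than on position; a local account or SYSTEM arrives without a backslash and yields no administrative_domain.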
Provider: SecurityCenter
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SERVICE_START |
SourceName | Not available | target.application |
Provider: telegraf
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UNCATEGORIZED |
Data | | security_result.description |
Provider: WudfUsbccidDriver
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Context | Data/Context | security_result.description |
Event ID 2
Provider: MEIx64
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE. Message is set to security_result.summary. |
Provider: SecurityCenter
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SERVICE_STOP |
SourceName | Not available | target.application |
Provider: vmci
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE. Message is set to security_result.summary. |
Provider: Microsoft-Windows-WHEA-Logger
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 3
version 3 / Provider: Microsoft-Windows-Power-Troubleshooter
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_STARTUP |
Domain | System/Domain | principal.administrative_domain |
AccountType | System/AccountType | principal.user.attribute.roles.name |
AccountName | System/AccountName | principal.user.userid |
UserID | System/UserID | principal.user.windows_sid |
SleepTime | Data/SleepTime | target.resource.attribute.labels.key, target.resource.attribute.labels.value |
WakeTime | Data/WakeTime | target.resource.attribute.labels.key, target.resource.attribute.labels.value |
WakeSourceType | Data/WakeSourceType | target.resource.attribute.labels.key, target.resource.attribute.labels.value |
WakeSourceText | Data/WakeSourceText | target.resource.attribute.labels.key, target.resource.attribute.labels.value |
Provider: Microsoft-Windows-Security-Kerberos
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UNCATEGORIZED |
File | | target.file.full_path |
Provider: Virtual Disk Service
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UNCATEGORIZED |
Provider: vmci
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE |
Provider: Microsoft-Windows-Bits-Client
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE |
jobTitle | | target.resource.name |
processPath | | target.process.file.full_path |
Event ID 4
Provider: Microsoft-Windows-Security-Kerberos
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UNCATEGORIZED |
Server | | target.hostname |
Provider: Virtual Disk Service
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UNCATEGORIZED. Message is set to security_result.summary. |
Provider: Microsoft-Windows-Bits-Client
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE |
name | | target.resource.name |
Id | | target.resource.product_object_id |
url | | target.url |
fileLength | | target.file.size |
Event ID 5
Provider: iScsiPrt
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE. Message is set to security_result.summary. |
Provider: McAfee Service Controller
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UNCATEGORIZED. Message is set to security_result.summary. |
Provider: Microsoft-Windows-Search-ProfileNotify
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SERVICE_MODIFICATION |
SourceName | | target.application |
User | Data/User | target.user.userid |
Event ID 6
Provider: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE |
ErrorCode | | security_result.summary, in the format %{ErrorCode}-%{ErrorMsg} |
ErrorMsg | | security_result.summary, in the format %{ErrorCode}-%{ErrorMsg} |
Context | | target.application |
Provider: Microsoft-Windows-FilterManager
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Domain | System/Domain | principal.administrative_domain |
AccountName | System/AccountName | principal.user.userid |
UserID | System/UserID | principal.user.windows_sid |
Provider: WudfUsbccidDriver
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 7
Provider: AdmPwd
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UNCATEGORIZED. If the fields required for that event type are not present, metadata.event_type is set to STATUS_UPDATE. |
Data | | security_result.summary, in the format "Error: %{Data}" |
Provider: WudfUsbccidDriver
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 8
Provider: CylanceSvc
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UNCATEGORIZED |
Provider: WSH
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE |
Data_1 | | principal.labels, additional.fields.key, additional.fields.value.string_value |
Data_2 | | principal.labels, additional.fields.key, additional.fields.value.string_value |
Data_3 | | principal.process.command_line |
Message | | metadata.description |
Event ID 9
Provider: volsnap
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE |
VolumeName | | target.file.full_path |
Event ID 10
Provider: WudfUsbccidDriver
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE |
Event ID 11
Provider: Microsoft-Windows-Hyper-V-Netvsc
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UNCATEGORIZED |
Domain | System/Domain | principal.administrative_domain |
AccountName | System/AccountName | principal.user.userid |
UserID | System/UserID | principal.user.windows_sid |
MiniportName | | target.resource.name |
Provider: Microsoft-Windows-Kernel-General
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE |
Domain | System/Domain | principal.administrative_domain |
AccountName | System/AccountName | principal.user.userid |
UserID | System/UserID | principal.user.windows_sid |
Provider: WudfUsbccidDriver
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE |
Error | Data/Error | security_result.summary is set to "ErrorCode: %{Error}" |
Provider: Microsoft-Windows-Wininit
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 12
Provider: Microsoft-Windows-Kernel-General
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_STARTUP |
Domain | System/Domain | principal.administrative_domain |
AccountName | System/AccountName | principal.user.userid |
UserID | System/UserID | principal.user.windows_sid |
Provider: Microsoft-Windows-Sysmon
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = REGISTRY_CREATION. If EventLevelName matches "Information", security_result.severity = INFORMATIONAL. |
EventOriginId | | target.process.product_specific_process_id is set to "sysmon: %{EventOriginId}" |
EventData/EventType | | target.registry.registry_key |
EventData/TargetObject | | target.registry.registry_value_name |
Provider: Microsoft-Windows-Time-Service
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Domain | System/Domain | principal.administrative_domain |
AccountName | System/AccountName | principal.user.userid |
UserID | System/UserID | principal.user.windows_sid |
Provider: Microsoft-Windows-UserModePowerService
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Domain | System/Domain | principal.administrative_domain |
AccountType | System/AccountType | principal.user.attribute.roles.name |
AccountName | System/AccountName | principal.user.userid |
UserID | System/UserID | principal.user.windows_sid |
ProcessPath | | target.process.file.full_path |
NewSchemeGuid | | target.resource.product_object_id |
Provider: Microsoft-Windows-EnhancedStorage-EhStorTcgDrv
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE |
Event ID 13
Provider: Microsoft-Windows-Kernel-General
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_SHUTDOWN |
Provider: Microsoft-Windows-Sysmon
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = REGISTRY_MODIFICATION. If EventLevelName matches "Information", security_result.severity = INFORMATIONAL. |
EventOriginId | | target.process.product_specific_process_id is set to "sysmon: %{EventOriginId}" |
EventData/EventType | | target.registry.registry_key |
EventData/Details | | target.registry.registry_value_data |
Provider: Microsoft-Windows-CertificateServicesClient-CertEnroll
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE |
Domain | | principal.administrative_domain |
AccountName | | principal.user.userid |
AccountType | | principal.user.attribute.roles.name |
Message | | metadata.description |
UserID | | principal.user.windows_sid |
CA | | about.labels.key/value, additional.fields.key, additional.fields.value.string_value |
ErrorCode | | security_result.summary, in the format %{error_code} - %{error_message} |
Provider: NPS
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE |
Data | | target.ip |
Event ID 14
Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UNCATEGORIZED. If the fields required for that event type are not present, metadata.event_type is set to STATUS_UPDATE. |
ClientName | | principal.asset.hostname |
Target | | target.application |
Account | | target.hostname |
Provider: Microsoft-Windows-Wininit
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Domain | System/Domain | principal.administrative_domain |
AccountName | System/AccountName | principal.user.userid |
UserID | System/UserID | principal.user.windows_sid |
Provider: Microsoft-Windows-Hyper-V-Hypervisor
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UNCATEGORIZED |
Error | Data/Error | security_result.description, in the format Error - %{value} |
Provider: TPM
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
UserID | Security/UserID | principal.user.windows_sid |
Event ID 15
Provider: Disk
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UNCATEGORIZED. target_hostname is set to target.hostname. |
Provider: Microsoft-Windows-Kernel-General
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = REGISTRY_UNCATEGORIZED |
Domain | System/Domain | principal.administrative_domain |
AccountName | System/AccountName | principal.user.userid |
UserID | System/UserID | principal.user.windows_sid |
NewSize | Data/NewSize | target.file.size |
HiveName | Data/HiveName | target.registry.registry_key |
Provider: SecurityCenter
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | Not available | metadata.event_type = STATUS_UPDATE |
Provider: TPM
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
UserID | Security/UserID | principal.user.windows_sid |
Event ID 16
Provider: Microsoft-Windows-HAL
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Domain | System/Domain | principal.administrative_domain |
AccountName | System/AccountName | principal.user.userid |
UserID | System/UserID | principal.user.windows_sid |
Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UNCATEGORIZED. If the fields required for that event type are not present, metadata.event_type is set to STATUS_UPDATE. |
ClientName | | principal.asset.hostname |
Target | | target.application |
Account | | target.hostname |
Provider: Microsoft-Windows-Kernel-General
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = REGISTRY_MODIFICATION |
Domain | System/Domain | principal.administrative_domain |
ProcessID | System/ProcessID | principal.process.pid |
AccountName | System/AccountName | principal.user.userid |
UserID | System/UserID | principal.user.windows_sid |
HiveName | Data/HiveName | target.registry.registry_key |
Provider: Microsoft-Windows-WindowsUpdateClient
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE. Message is set to metadata.description. |
Domain | System/Domain | principal.administrative_domain |
AccountName | System/AccountName | principal.user.userid |
UserID | System/UserID | principal.user.windows_sid |
version 0 / Provider: Microsoft-Windows-HAL
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 17
Provider: Microsoft-Windows-WHEA-Logger
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Domain | System/Domain | principal.administrative_domain |
AccountType | System/AccountType | principal.user.attribute.roles.name |
AccountName | System/AccountName | principal.user.userid |
UserID | System/UserID | principal.user.windows_sid |
Provider: Microsoft-Windows-WindowsUpdateClient
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE. Category is set to security_result.category_details; Message is set to metadata.description. |
Domain | System/Domain | principal.administrative_domain |
AccountName | System/AccountName | principal.user.userid |
UserID | System/UserID | principal.user.windows_sid |
Event ID 18
Provider: BTHUSB
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UNCATEGORIZED. Message is set to security_result.summary. |
Provider: Microsoft-Windows-Kernel-Boot
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED. If the fields required for that event type are not present, metadata.event_type is set to STATUS_UPDATE. |
Domain | System/Domain | principal.administrative_domain |
AccountName | System/AccountName | principal.user.userid |
UserID | System/UserID | principal.user.windows_sid |
Provider: TPM
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 19
version 0 / Provider: Microsoft-Windows-WindowsUpdateClient
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE |
Domain | System/Domain | principal.administrative_domain |
AccountName | System/AccountName | principal.user.userid |
UserID | System/UserID | principal.user.windows_sid |
Category | Data/Category | security_result.category_details |
Provider: Intel-SST-OED
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UNCATEGORIZED |
Domain | System/Domain | principal.administrative_domain |
AccountName | System/AccountName | principal.user.userid |
Category | | security_result.summary |
Provider: Microsoft-Windows-WHEA-Logger
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UNCATEGORIZED |
Event ID 20
Provider: Microsoft-Windows-Eventlog
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SERVICE_UNSPECIFIED. target.application = "Event Logging Service" |
ErrorCode | Data/ErrorCode | security_result.summary, in the format Error Code: %{value} |
Provider: Microsoft-Windows-Kernel-Boot
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED. If the fields required for that event type are not present, metadata.event_type is set to STATUS_UPDATE. |
Domain | System/Domain | principal.administrative_domain |
AccountName | System/AccountName | principal.user.userid |
UserID | System/UserID | principal.user.windows_sid |
Provider: Microsoft-Windows-WindowsUpdateClient
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE |
Domain | System/Domain | principal.administrative_domain |
AccountName | System/AccountName | principal.user.userid |
UserID | System/UserID | principal.user.windows_sid |
updateRevisionNumber | | target.resource.attribute.labels.key, target.resource.attribute.labels.value |
updateTitle | | target.resource.name |
updateGuid | | target.resource.product_object_id |
Provider: Microsoft-Windows-Kernel-General
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE |
Event ID 21
Provider: Microsoft-Windows-Eventlog
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SERVICE_UNSPECIFIED. target.application = "Event Logging Service" |
ErrorCode | Data/ErrorCode | security_result.summary, in the format Error Code: %{value} |
Event ID 22
Provider: Microsoft-Windows-Eventlog
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SERVICE_UNSPECIFIED. target.application = "Event Logging Service" |
ErrorCode | Data/ErrorCode | security_result.summary, in the format Error Code: %{value} |
Provider: Microsoft-Windows-WindowsUpdateClient
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE. Category is set to security_result.category_details; Message is set to metadata.description. |
Domain | System/Domain | principal.administrative_domain |
AccountName | System/AccountName | principal.user.userid |
UserID | System/UserID | principal.user.windows_sid |
updatelist | | security_result.description |
Provider: Microsoft-Windows-UserModePowerService
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 23
Provider: Microsoft-Windows-Eventlog
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SERVICE_UNSPECIFIED. target.application = "Event Logging Service" |
ErrorCode | Data/ErrorCode | security_result.summary, in the format Error Code: %{value} |
Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UNCATEGORIZED. Message is set to security_result.summary. |
Event ID 24
Provider: Microsoft-Windows-Kernel-General
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE |
Domain | System/Domain | principal.administrative_domain |
AccountName | System/AccountName | principal.user.userid |
UserID | System/UserID | principal.user.windows_sid |
version 0 / Provider: Microsoft-Windows-Kernel-General
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UPDATE |
Provider: Microsoft-Windows-Time-Service
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
ErrorMessage | Data/ErrorMessage | security_result.description |
DomainPeer | Data/DomainPeer | target.administrative_domain |
Provider: TPM
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
UserID | Security/UserID | principal.user.windows_sid |
Event ID 25
Provider: Microsoft-Windows-Eventlog
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SERVICE_UNSPECIFIED. target.application = "Event Logging Service" |
Provider: Microsoft-Windows-Kernel-Boot
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED. If the fields required for that event type are not present, metadata.event_type is set to STATUS_UPDATE. |
Domain | System/Domain | principal.administrative_domain |
AccountName | System/AccountName | principal.user.userid |
UserID | System/UserID | principal.user.windows_sid |
Event ID 26
Provider: Application Popup
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UNCATEGORIZED |
Domain | System/Domain | principal.administrative_domain |
AccountType | System/AccountType | principal.user.attribute.roles.name |
AccountName | System/AccountName | principal.user.userid |
UserID | System/UserID | principal.user.windows_sid |
Caption | | security_result.summary |
Provider: Microsoft-Windows-CertificationAuthority
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SERVICE_START. target.application = "Active Directory Certificate Services" |
Domain | System/Domain | principal.administrative_domain |
AccountName | System/AccountName | principal.user.userid |
UserID | System/UserID | principal.user.windows_sid |
DCName | Data/DCName | target.administrative_domain |
CACommonName | Data/CACommonName | target.user.userid |
Provider: Microsoft-Windows-Eventlog
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = SERVICE_UNSPECIFIED. target.application = "Event Logging Service" |
Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
NXLog field | Event Viewer field | UDM field |
---|---|---|
 | | metadata.event_type = STATUS_UNCATEGORIZED |
Target | | target.hostname |
Name | | target.user.userid |
Event ID 27

version 0 / Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_UNSPECIFIED<br>target.application = "Event Logging Service" |
| ErrorCode | Data/ErrorCode | security_result.summary<br>Format: Error Code: %{value} |
| NewLogFilePath | Data/NewLogFilePath | target.file.full_path |

Provider: Microsoft-Windows-Kernel-Boot

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED<br>If the fields required for this metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Provider: Microsoft-Windows-WindowsUpdateClient

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE<br>Message set to metadata.description |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
Event ID 28

Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_UNSPECIFIED<br>target.application = "Event Logging Service" |
| ErrorCode | Data/ErrorCode | security_result.summary<br>Format: Error Code: %{value} |

Provider: Microsoft-Windows-WindowsUpdateClient

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE<br>Message set to metadata.description |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 29

Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_UNSPECIFIED<br>target.application = "Event Logging Service" |
| ErrorCode | Data/ErrorCode | security_result.summary<br>Format: Error Code: %{value} |

Event ID 30

Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_UNSPECIFIED<br>target.application = "Event Logging Service" |
| ErrorCode | Data/ErrorCode | security_result.summary<br>Format: Error Code: %{value} |

Provider: Microsoft-Windows-Kernel-Boot

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |

Event ID 31

Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_UNSPECIFIED<br>target.application = "Event Logging Service" |
| ErrorCode | Data/ErrorCode | security_result.summary<br>Format: Error Code: %{value} |
Event ID 32

Provider: e1iexpress

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE<br>Message set to security_result.summary |

Provider: Microsoft-Windows-Kernel-Boot

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED<br>If the fields required for this metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
Event ID 33

Provider: volsnap

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = FILE_UNCATEGORIZED |
| VolumeName | | target.file.full_path |
| DeviceName | | target.resource.name |
Event ID 34

Provider: Oracle.xstore

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = RESOURCE_READ |
| DBID | | additional.fields.key/value |
| SourceName | | principal.application |
| DATABASE_USER | | principal.user.userid |
| ACTION | | target.process.command_line |
Event ID 35

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UNCATEGORIZED<br>If the fields required for this metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |

Provider: Microsoft-Windows-Time-Service

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 36

Provider: Microsoft-Windows-Time-Service

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Provider: NPS

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = NETWORK_CONNECTION<br>If the fields required for this metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| Message | | Ip set to target.ip |

Event ID 37

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UNCATEGORIZED<br>If the fields required for this metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| ClientName | | principal.asset.hostname |
| ServerName | | target.hostname |

Provider: Microsoft-Windows-Kernel-Processor-Power

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| Number | Data/Number | target.resource.attribute.labels.key<br>target.resource.attribute.labels.value |
| CapDurationInSeconds | Data/CapDurationInSeconds | target.resource.attribute.labels.key<br>target.resource.attribute.labels.value |

Provider: Microsoft-Windows-Time-Service

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
Event ID 38

Provider: Microsoft-Windows-CertificationAuthority

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_STOP<br>target.application = "Active Directory Certificate Services" |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| CACommonName | Data/CACommonName | target.user.userid |

Event ID 40

Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_UNSPECIFIED<br>target.application = "Event Logging Service" |
| ErrorCode | Data/ErrorCode | security_result.summary<br>Format: Error Code: %{value} |

Event ID 42

version 0 Windows 10 client / Provider: Microsoft-Windows-Kernel-Power

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |

version 2 Windows 10 client /

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| Reason | Data/Reason | security_result.description |

Event ID 43

Provider: Microsoft-Windows-WindowsUpdateClient

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| updateRevisionNumber | Data/updateRevisionNumber | target.resource.attribute.labels.key<br>target.resource.attribute.labels.value |
| updateTitle | Data/updateTitle | target.resource.name |
| updateGuid | Data/updateGuid | target.resource.product_object_id |

Provider: Microsoft-Windows-Hyper-V-Hypervisor

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |

Event ID 44

version 0 Windows 10 client / Provider: Microsoft-Windows-WindowsUpdateClient

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| Category | Data/Category | security_result.category_details |
Event ID 45

Provider: Symantec AntiVirus

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Domain | | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | | principal.user.userid |
| Data | | security_result.summary |

Event ID 47

Provider: Microsoft-Windows-Time-Service

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| ErrorMessage | | security_result.description |
| ManualPeer | | target.ip |

Provider: Microsoft-Windows-WHEA-Logger

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 49

Provider: Microsoft-Windows-Hyper-V-Netvsc

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Status | Data/Status | security_result.summary |

Event ID 50

Provider: Microsoft-Windows-Time-Service

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Provider: Ntfs

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |

Event ID 51

Provider: Disk

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UNCATEGORIZED<br>target_hostname set to target.hostname |
Event ID 55

version 0 Windows 10 client / Provider: Microsoft-Windows-Kernel-Processor-Power

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Provider: Ntfs

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| Outcome | | security_result.summary |

Event ID 57

Provider: hpqilo3

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UNCATEGORIZED<br>Message set to security_result.summary |

Event ID 58

Provider: partmgr

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UNCATEGORIZED<br>Message set to metadata.description |

Provider: volsnap

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE<br>Message set to metadata.description |

Event ID 59

Provider: Microsoft-Windows-Bits-Client

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| name | | target.resource.name |
| Id | | target.resource.product_object_id |
| url | | target.url |
| fileLength | | target.file.size |

Event ID 60

Provider: Microsoft-Windows-Bits-Client

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| name | | target.resource.name |
| url | | target.url |
| fileLength | | target.file.size |

Event ID 61

Provider: Microsoft-Windows-Bits-Client

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| name | | target.resource.name |
| Id | | target.resource.product_object_id |
| url | | target.url |
| fileLength | | target.file.size |

Event ID 64

Provider: Microsoft-Windows-CertificateServicesClient-AutoEnrollment

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Context | | target.application |

Event ID 75

Provider: Microsoft-Windows-CertificationAuthority

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_UNSPECIFIED<br>target.application set to "Active Directory Certificate Services" |
| Domain | | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | | principal.user.userid |
| ErrorMessageText | | security_result.summary |

Event ID 77

Provider: Microsoft-Windows-CertificationAuthority

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_UNSPECIFIED<br>target.application set to "Active Directory Certificate Services" |
| WarningMessage | | security_result.description |
| Domain | | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | | principal.user.userid |
| UserID | | principal.user.windows_sid |

Event ID 80

Provider: ocz10xx

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Data | | target.hostname |

Event ID 81

Provider: hpqilo2

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |

Provider: Microsoft-Windows-FailoverClustering-Client

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |

Event ID 98

Provider: Microsoft-Windows-Ntfs

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_HEARTBEAT |
| Domain | System/Domain | principal.administrative_domain |
| DeviceName | Data/DeviceName | principal.hostname |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
Event ID 100

Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_UNSPECIFIED<br>target.application = "Event Logging Service" |
| ErrorCode | Data/ErrorCode | security_result.summary<br>Format: Error Code: %{value} |

Provider: Microsoft-Windows-TaskScheduler

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SCHEDULED_TASK_ENABLE<br>target.resource.resource_type = TASK |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |
| TaskName | Data/TaskName | target.resource.name |
| InstanceId | Data/InstanceId | target.resource.product_object_id |

Provider: Microsoft-Windows-EnhancedStorage-EhStorTcgDrv

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
Event ID 101

Provider: Application Management Group Policy

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UNCATEGORIZED<br>security_result.description set to "ErrorCode - %{error_code}" |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 102

Provider: ESENT

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_UNSPECIFIED<br>If the fields required for this metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| Message | | Extract the PID and map it to the UDM field target.process.pid |

Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_UNSPECIFIED<br>target.application = "Event Logging Service" |
| ProcessID | Data/ProcessID | principal.process.pid |
| ErrorCode | Data/ErrorCode | security_result.summary<br>Format: Error Code: %{value} |

Provider: Microsoft-Windows-TaskScheduler

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED<br>target.resource.resource_type = TASK |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| TaskName | Data/TaskName | target.resource.name |
| InstanceId | Data/InstanceId | target.resource.product_object_id |

Event ID 103

Provider: Application Management Group Policy

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UNCATEGORIZED<br>security_result.description set to "ErrorCode - %{error_code}" |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Provider: ESENT

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_UNSPECIFIED<br>If the fields required for this metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| Message | System/Message | Extract the PID and map it to the UDM field target.process.pid |

Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| Reason | Data/Reason | security_result.description |

Provider: ocz10xx

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Data | | target.hostname |
Event ID 104

Windows 10 client / Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_WIPE |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Windows Server 2019 /

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Provider: Microsoft-Windows-Forwarding

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_RESOURCE_ACCESS |
| UserID | System/UserID | principal.user.windows_sid |
| SubscriptionManagerAddress | Data/SubscriptionManagerAddress | target.url |

Provider: WudfUsbccidDriver

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
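The tables for Microsoft-Windows-Eventlog (Event IDs 27 to 31, 40, 100, 107 and the log-cleared Event ID 104), ESENT (102, 103) and NPS (36) describe three kinds of mapping rule: a constant plus a formatted string (Format: Error Code: %{value}), a value extracted from Message (the PID, the IP), and the fallback to STATUS_UPDATE when the fields required for an event type are missing. The following Python is an added illustration of how such rules compose; it is not the Google Security Operations parser's code. It assumes NXLog-style flat events with EventID, SourceName and Message keys, the Message shapes shown in its constructed samples, a GENERIC_EVENT default for unmapped events, and that target.ip is the field required for NETWORK_CONNECTION; the real parser's required-field rules are not stated on this page.

```python
"""Illustrative WINEVTLOG-style normaliser (added example; not the Google SecOps parser)."""
import re

# Assumed minimum fields a UDM event type needs. The page only states that a
# missing required field turns the event into STATUS_UPDATE.
REQUIRED_FIELDS = {
    "NETWORK_CONNECTION": ("target.ip",),
}

# System-level fields that most tables on the page map the same way.
PRINCIPAL_FIELDS = (
    ("Domain", "principal.administrative_domain"),
    ("AccountName", "principal.user.userid"),
    ("UserID", "principal.user.windows_sid"),
)


def _set(udm, path, value):
    """Write a value at a dotted UDM path, creating nested dicts as needed."""
    *parents, leaf = path.split(".")
    node = udm
    for part in parents:
        node = node.setdefault(part, {})
    node[leaf] = value


def _get(udm, path):
    """Read a dotted UDM path; None if any segment is missing."""
    node = udm
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def normalize(event):
    """Map one raw event to a UDM dict using a handful of rules from the tables."""
    eid, provider = event.get("EventID"), event.get("SourceName")
    udm = {"metadata": {"event_type": "GENERIC_EVENT"}}  # assumed default, not from the page
    for src, dst in PRINCIPAL_FIELDS:
        if src in event:
            _set(udm, dst, event[src])

    if provider == "Microsoft-Windows-Eventlog" and eid in (27, 28, 29, 30, 31, 40, 100, 107):
        # Event Logging Service errors: fixed application name plus a formatted summary.
        _set(udm, "metadata.event_type", "SERVICE_UNSPECIFIED")
        _set(udm, "target.application", "Event Logging Service")
        if "ErrorCode" in event:
            _set(udm, "security_result.summary", f"Error Code: {event['ErrorCode']}")
        if eid == 27 and "NewLogFilePath" in event:
            _set(udm, "target.file.full_path", event["NewLogFilePath"])
    elif provider == "Microsoft-Windows-Eventlog" and eid == 104:
        # Event ID 104: the event log was cleared.
        _set(udm, "metadata.event_type", "SYSTEM_AUDIT_LOG_WIPE")
    elif provider == "ESENT" and eid in (102, 103):
        # "Extract PID": assumed to be the first parenthesised number in Message,
        # e.g. "svchost (1234,D,0) ..." (constructed shape, not from the page).
        _set(udm, "metadata.event_type", "SERVICE_UNSPECIFIED")
        m = re.search(r"\((\d+)[,)]", event.get("Message", ""))
        if m:
            _set(udm, "target.process.pid", int(m.group(1)))
    elif provider == "NPS" and eid == 36:
        # "Ip set to target.ip": assumed to be the first IPv4 literal in Message.
        _set(udm, "metadata.event_type", "NETWORK_CONNECTION")
        m = re.search(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", event.get("Message", ""))
        if m:
            _set(udm, "target.ip", m.group(0))

    # Fallback stated in the tables: STATUS_UPDATE when a required field is missing.
    event_type = udm["metadata"]["event_type"]
    if any(_get(udm, path) is None for path in REQUIRED_FIELDS.get(event_type, ())):
        udm["metadata"]["event_type"] = "STATUS_UPDATE"
    return udm


# Constructed sample events (not real log data).
SAMPLES = {
    "eventlog_27": {"EventID": 27, "SourceName": "Microsoft-Windows-Eventlog",
                    "Domain": "CORP", "AccountName": "SYSTEM", "UserID": "S-1-5-18",
                    "ErrorCode": "1500",
                    "NewLogFilePath": r"C:\Windows\System32\winevt\Logs\Security.evtx"},
    "eventlog_104": {"EventID": 104, "SourceName": "Microsoft-Windows-Eventlog",
                     "Domain": "CORP", "AccountName": "jdoe", "UserID": "S-1-5-21-1-2-3-1001"},
    "esent_102": {"EventID": 102, "SourceName": "ESENT",
                  "Message": "svchost (1234,D,0) Wuauclt: The database engine started a new instance."},
    "nps_36_with_ip": {"EventID": 36, "SourceName": "NPS",
                       "Message": "RADIUS client 10.0.0.5 is now reachable."},
    "nps_36_no_ip": {"EventID": 36, "SourceName": "NPS",
                     "Message": "RADIUS client is now reachable."},
}


def normalize_samples():
    """Normalise every constructed sample; convenient for inspection and tests."""
    return {name: normalize(ev) for name, ev in SAMPLES.items()}


if __name__ == "__main__":
    import json
    print(json.dumps(normalize_samples(), indent=2))
```

The last two samples show the fallback at work: the NPS event that carries an IP keeps NETWORK_CONNECTION, while the one without it degrades to STATUS_UPDATE instead of producing a NETWORK_CONNECTION event with no target. When writing detections, search for SYSTEM_AUDIT_LOG_WIPE rather than the raw Event ID 104, since that is the field the parser populates for a cleared log.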
Event ID 105

Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| Channel | Data/Channel | security_result.description |
| BackupPath | Data/BackupPath | target.file.full_path |

Provider: Microsoft-Windows-Kernel-Power

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |

Provider: VMTools

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_START |
| SourceName | Not available | target.application |

Provider: WudfUsbccidDriver

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |

Event ID 106

Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |

Event ID 107

version 0 Windows 10 client / Provider: Microsoft-Windows-Kernel-Power

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |

Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_UNSPECIFIED<br>target.application = "Event Logging Service" |
| ErrorCode | Data/ErrorCode | security_result.summary<br>Format: Error Code: %{value} |

Provider: Microsoft-Windows-TaskScheduler

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SCHEDULED_TASK_ENABLE<br>target.resource.resource_type = TASK |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |
| TaskName | Data/TaskName | target.resource.name |
| InstanceId | Data/InstanceId | target.resource.product_object_id |
Event ID 108

Provider: Application Management Group Policy

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED<br>security_result.description set to "ErrorCode - %{error_code}" |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |

Provider: VMTools

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_STOP |
| SourceName | Not available | target.application |
Event ID 109

Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_UNSPECIFIED<br>target.application = "Event Logging Service" |
| ProcessID | Data/ProcessID | principal.process.pid |
| ErrorCode | Data/ErrorCode | security_result.summary<br>Format: Error Code: %{value} |

Provider: Microsoft-Windows-Kernel-Power

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_SHUTDOWN |
| ShutdownReason | Data/ShutdownReason | security_result.description |

Event ID 110

Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |

Event ID 111

version 0 / Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |

version 0 / Provider: Microsoft-Windows-AppReadiness

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Result | Data/Result | security_result.summary |

Event ID 112

Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
Event ID 115

Provider: Directory Synchronization

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UNCATEGORIZED<br>If the fields required for this metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| Data | | security_result.summary |
Event ID 129

Provider: Microsoft-Windows-TaskScheduler

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SCHEDULED_TASK_ENABLE<br>target.resource.resource_type = TASK |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |
| Priority | Data/Priority | security_result.priority_details |
| Path | Data/Path | target.process.file.full_path |
| ProcessID | Data/ProcessID | target.process.pid |
| TaskName | Data/TaskName | target.resource.name |

Provider: Microsoft-Windows-Time-Service

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| ErrorMessage | Data/ErrorMessage | security_result.description |

Event ID 130

Provider: Microsoft-Windows-Kernel-Power

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |

Provider: Microsoft-Windows-Time-Service

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| ErrorMessage | Data/ErrorMessage | security_result.description |
| DomainPeer | Data/DomainPeer | target.administrative_domain |

Event ID 131

Provider: Microsoft-Windows-Kernel-Power

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |

Provider: Microsoft-Windows-Time-Service

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| ErrorMessage | Data/ErrorMessage | security_result.description |
| DomainPeer | Data/DomainPeer | target.administrative_domain |

Event ID 132

Provider: Microsoft-Windows-WinRM

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| Domain | | principal.administrative_domain |
| AccountName | | principal.user.userid |
| AccountType | | principal.user.attribute.roles.name |

Event ID 134

Provider: Microsoft-Windows-Time-Service

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| ErrorMessage | Data/ErrorMessage | security_result.description |
| DomainPeer | Data/DomainPeer | target.administrative_domain |

Event ID 137

Provider: Microsoft-Windows-Kernel-Power

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |

Provider: Ntfs

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |

Event ID 138

Provider: Microsoft-Windows-Time-Service

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| DomainPeer | Data/DomainPeer | target.administrative_domain |

Event ID 139

Provider: Microsoft-Windows-Time-Service

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
Event ID 140

Provider: Microsoft-Windows-Ntfs

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| DeviceName | | principal.hostname |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Provider: Microsoft-Windows-TaskScheduler

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SCHEDULED_TASK_MODIFICATION<br>target.resource.resource_type = TASK |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |
| TaskName | Data/TaskName | target.resource.name |
| UserName | Data/UserName | target.user.user_display_name |
Event ID 142

Provider: Microsoft-Windows-Time-Service

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED<br>Message set to security_result.summary |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Provider: Microsoft-Windows-WinRM

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| errorCode | | security_result.summary |
| Domain | | principal.administrative_domain |
| AccountName | | principal.user.userid |
| AccountType | | principal.user.attribute.roles.name |

Event ID 143

Provider: Microsoft-Windows-Time-Service

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 145

Provider: Microsoft-Windows-WinRM

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| resourceUrl | | target.url |
| AccountName | | principal.user.userid |
| AccountType | | principal.user.attribute.roles.name |
| Domain | | principal.administrative_domain |

Event ID 146

Provider: Microsoft-Windows-Time-Service

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED<br>Message set to security_result.summary |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
Event ID 153

Provider: Disk

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UNCATEGORIZED<br>Message set to security_result.summary |

Provider: Microsoft-Windows-Kernel-Boot

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED<br>If the fields required for this metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
Event ID 156

version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |

Event ID 157

Provider: disk

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UNCATEGORIZED<br>Message set to security_result.summary |

Event ID 158

Provider: Disk

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UNCATEGORIZED<br>Message set to security_result.summary<br>target_url set to target.url |

Provider: Microsoft-Windows-Time-Service

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| TimeProvider | | target.resource.name |

Event ID 159

version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |

Event ID 160

version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |

Event ID 161

version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UNCATEGORIZED |

Event ID 163

version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |

Event ID 164

version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |

Event ID 165

version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |

Event ID 167

Provider: Microsoft-Windows-Hyper-V-Hypervisor

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |

Event ID 169

Provider: Microsoft-Windows-Hyper-V-Hypervisor

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| Status | Data/Status | security_result.summary |

Event ID 170

Provider: Microsoft-Windows-Hyper-V-Hypervisor

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
Event ID 171
version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Version |
Data/Version/ |
principal.asset.software.version |
Event ID 172
Provider: Microsoft-Windows-Kernel-Power

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| Reason | Data/Reason | security_result.description |

Event ID 173
Provider: Microsoft-Windows-Hyper-V-Hypervisor

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |

Event ID 181
version 0 / Provider: Microsoft-Windows-Kernel-Boot

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Status | Data/Status | security_result.summary |

Event ID 185
version 0 / Provider: Microsoft-Windows-Kernel-Boot

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Status | Data/Status | security_result.summary |

Event ID 187
Provider: Microsoft-Windows-Kernel-Power

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| ApiCallerName | | principal.process.file.full_path |

Event ID 195
Provider: Microsoft-Windows-USB-USBHUB3

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 196
Provider: Microsoft-Windows-USB-USBHUB3

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 200
Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Provider: Microsoft-Windows-TaskScheduler

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SCHEDULED_TASK_ENABLE; target.resource.resource_type = TASK |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |
| TaskName | Data/TaskName | target.resource.name |
| TaskInstanceId | Data/TaskInstanceId | target.resource.product_object_id |

Event ID 201
Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Provider: Microsoft-Windows-TaskScheduler

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED; target.resource.resource_type = TASK |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |
| TaskName | Data/TaskName | target.resource.name |
| TaskInstanceId | Data/TaskInstanceId | target.resource.product_object_id |

Event ID 202
Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 203
Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 204
Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Provider: Microsoft-Windows-Security-Kerberos

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |

Event ID 205
version 0 Windows Server 2019 / Provider: Microsoft-Windows-Eventlog

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

version 1 / Windows 10 client /

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| DomainName | Data/DomainName | target.administrative_domain |

version 2 / Windows 10 client /

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| DomainName | Data/DomainName | target.administrative_domain |

Event ID 216
version 1 / Provider: Microsoft-Windows-WindowsUpdateClient

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 219
Provider: Microsoft-Windows-Kernel-PnP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| DriverName | | target.hostname |
| FailureName | | target.resource.name |

Event ID 218
version 0 / Provider: Microsoft-Windows-WindowsUpdateClient

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 221
version 0 / Provider: Microsoft-Windows-Kernel-Boot

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 225
Provider: Microsoft-Windows-Kernel-PnP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| DeviceInstance | | target.hostname |
| ProcessName | | target.process.file.full_path |

version 0 / Provider: Microsoft-Windows-Kernel-Boot

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 233
Provider: Microsoft-Windows-Hyper-V-VmSwitch

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Domain | | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | | principal.user.userid |

Event ID 231
version 0 / Provider: Microsoft-Windows-Kernel-Boot

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Code | Data/Code | security_result.summary set to "Code - %{Code}" |

Event ID 234
Provider: Microsoft-Windows-Hyper-V-VmSwitch

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Domain | | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | | principal.user.userid |

Event ID 238
Provider: Microsoft-Windows-Kernel-Boot

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED. If the required fields for that metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

version 0 / Provider: Microsoft-Windows-Kernel-Boot

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |

version 1 / Provider: Microsoft-Windows-Kernel-Boot

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |

Event ID 258
Provider: VMUpgradeHelper

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| SourceName | Not available | target.application |

Event ID 260
Provider: VMUpgradeHelper

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| SourceName | Not available | target.application |

Event ID 263
version 0 / Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |

Event ID 271
Provider: VMUpgradeHelper

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| SourceName | Not available | target.application |

Event ID 272
Provider: VMUpgradeHelper

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| SourceName | Not available | target.application |

Event ID 299
Provider: AD FS Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 300
Provider: ESENT

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_UNSPECIFIED. If the required fields for that metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. Extract PID and map it to target.process.pid |

Event ID 301
Provider: ESENT

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_UNSPECIFIED. If the required fields for that metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. Extract PID and map it to target.process.pid |

Event ID 302
Provider: ESENT

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_UNSPECIFIED. If the required fields for that metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. Extract PID and map it to target.process.pid |

Event ID 304
version 0 / Provider: Microsoft-Windows-Ntfs

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Status | Data/Status | security_result.summary |

Event ID 313
version 0 / Provider: Microsoft-Windows-Bits-Client

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| ErrorCode | Data/ErrorCode | security_result.summary is set to "ErrorCode: %{ErrorCode}" |

Event ID 325
Provider: ESENT

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_UNSPECIFIED. If the required fields for that metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. Extract PID and map it to target.process.pid |

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED; target.resource.resource_type = TASK |
| TaskName | | target.resource.name |
| QueuedTaskInstanceId | | target.resource.product_object_id |
| Domain | | principal.administrative_domain |
| AccountName | | principal.user.attribute.roles.name |
| UserID | | principal.user.windows_sid |
| AccountType | | principal.user.roles.description |

Event ID 326
Provider: ESENT

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_UNSPECIFIED. If the required fields for that metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. Extract PID and map it to target.process.pid |

Event ID 400
Provider: PowerShell

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Data_2 | | Extract HostName from Data_2; HostName is set to target.hostname |

Event ID 403
Provider: AD FS Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Data_9 | | network.http.user_agent |
| Domain | System/Domain | principal.administrative_domain |
| Data_8 | | principal.ip |
| Data_7 | | principal.port |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| Data_3 | | target.ip |
| Data_5 | | target.url |

Event ID 404
Provider: AD FS Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| Data_3 | | security_result.description set to "%{Data_3}: %{Data_4}" |
| Data_4 | | security_result.description set to "%{Data_3}: %{Data_4}" |

Event ID 405
Provider: ADSync

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED. If the required fields for that metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| Data | | principal.administrative_domain |
| Data_1 | | principal.user.userid |

Event ID 410
Provider: AD FS Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Data_4 | | network.http.user_agent |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| Data_10 | | target.ip |
| Data_8 | | target.url |

Event ID 412
Provider: AD FS Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 424
Provider: AD FS Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE; client_certificate_serial set to network.tls.client.certificate.serial; client_certificate_subject set to network.tls.client.certificate.subject |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 500
Provider: AD FS Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 501
Provider: AD FS Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 506
Provider: Microsoft-Windows-Kernel-Power

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE; security_result.description |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |

Event ID 507
Provider: Microsoft-Windows-Kernel-Power

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE; reason_description set to security_result.description |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |

version 10 / Provider: Microsoft-Windows-Kernel-Power

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Reason | Data/Reason | security_result.description |

Event ID 508
Provider: ESENT

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_UNSPECIFIED. If the required fields for that metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. Extract PID and map it to target.process.pid |

Event ID 510
Provider: AD FS Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Data_1 | | Data_1.Host set to target.hostname; Data_1.User-Agent set to network.http.user_agent; Data_1.X-MS-Endpoint-Absolute-Path set to target.url |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 517
Provider: Microsoft-Windows-DFSN-Server

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| UserID | | principal.user.windows_sid |
| DfsNamespace | | target.resource.name |

Event ID 521
Provider: Security

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |

Event ID 529
Provider: Security

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = USER_LOGIN; security_result.action = BLOCK; security_result.category = AUTH_VIOLATION |
| LogonType | Not available | extensions.auth.mechanism |
| Message | Not available | username set to target.user.userid; domain set to target.administrative_domain; target_workstation set to target.hostname |

Event ID 566
Provider: Microsoft-Windows-Kernel-Power

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Reason | Data/Reason | security_result.description |

Event ID 600
Provider: PowerShell

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Category | | metadata.description |
| SourceName | | principal.application |
| HostApplication | | target.file.full_path |
| ProviderName | | target.resource.name |

Event ID 601
Provider: Directory Synchronization

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED. If the required fields for that metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. metadata.description = Attempt to install a service |
| SubjectUserName | | principal.user.userid |
| Summary | | security_result.summary |
| ServiceName | | target.process.command_line |
| ServiceFileName | | target.process.file.full_path |

Event ID 642
Provider: ESENT

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_UNSPECIFIED. If the required fields for that metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. Extract PID and map it to target.process.pid |

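The following Python is an added illustration, not the Google Security Operations parser's code, of two of the mappings above: the ESENT rows (Event IDs 300, 301, 302, 325, 326, 508 and 642), including the fallback to STATUS_UPDATE when no PID can be extracted, and the Security Event ID 529 row. The NXLog key names (EventID, SourceName, LogonType, Message) and the message layouts in the constructed samples are assumptions.

```python
import re

# Added illustration, not the WINEVTLOG parser's code. Assumes NXLog
# im_msvistalog-style keys (EventID, SourceName, LogonType, Message).

# Event IDs the mapping table sends to SERVICE_UNSPECIFIED when Provider is ESENT.
ESENT_EVENTS = {300, 301, 302, 325, 326, 508, 642}

# Assumed ESENT message layout: "<process> (<pid>,...) <text>".
ESENT_PID_RE = re.compile(r"^\S+ \((\d+),")

# Assumed legacy "Logon Failure" message layout for Security Event ID 529,
# keyed by the UDM field the table assigns each extracted value to.
LOGON_529_RE = {
    "target.user.userid": re.compile(r"User Name:\s*(\S+)"),
    "target.administrative_domain": re.compile(r"Domain:\s*(\S+)"),
    "target.hostname": re.compile(r"Workstation Name:\s*(\S+)"),
}


def normalize(event: dict) -> dict:
    """Return the UDM fields the mapping table prescribes for one NXLog record."""
    event_id = int(event.get("EventID", 0))
    provider = event.get("SourceName", "")
    message = event.get("Message", "")
    udm = {}

    if provider == "ESENT" and event_id in ESENT_EVENTS:
        match = ESENT_PID_RE.match(message)
        if match:
            udm["metadata.event_type"] = "SERVICE_UNSPECIFIED"
            udm["target.process.pid"] = match.group(1)
        else:
            # Required field absent: the table falls back to STATUS_UPDATE.
            udm["metadata.event_type"] = "STATUS_UPDATE"
        return udm

    if provider == "Security" and event_id == 529:
        udm["metadata.event_type"] = "USER_LOGIN"
        udm["security_result.action"] = "BLOCK"
        udm["security_result.category"] = "AUTH_VIOLATION"
        if "LogonType" in event:
            # The table copies LogonType to extensions.auth.mechanism as given.
            udm["extensions.auth.mechanism"] = str(event["LogonType"])
        for udm_field, pattern in LOGON_529_RE.items():
            found = pattern.search(message)
            if found:
                udm[udm_field] = found.group(1)
        return udm

    # Events outside this illustration: generic status update.
    udm["metadata.event_type"] = "STATUS_UPDATE"
    return udm


# Constructed sample records (not real log data).
SAMPLE_529 = {
    "EventID": 529,
    "SourceName": "Security",
    "LogonType": 3,
    "Message": (
        "Logon Failure:\n\tReason:\t\tUnknown user name or bad password\n"
        "\tUser Name:\tjdoe\n\tDomain:\t\tCORP\n\tLogon Type:\t3\n"
        "\tWorkstation Name:\tWS-042\n"
    ),
}
SAMPLE_ESENT = {
    "EventID": 326,
    "SourceName": "ESENT",
    "Message": "svchost (1120,R,98) Instance: The database engine attached a database.",
}
SAMPLE_ESENT_NO_PID = {
    "EventID": 326,
    "SourceName": "ESENT",
    "Message": "The database engine started a new instance.",
}

if __name__ == "__main__":
    for sample in (SAMPLE_529, SAMPLE_ESENT, SAMPLE_ESENT_NO_PID):
        print(normalize(sample))
```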
Event ID 653
Provider: Directory Synchronization

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED. If the required fields for that metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| Data | | security_result.summary |

Event ID 654
Provider: Directory Synchronization

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED. If the required fields for that metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| Data | | security_result.summary |

Event ID 663
Provider: Directory Synchronization

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED. If the required fields for that metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| Data | | security_result.summary |

Event ID 700
Provider: NTDS ISAM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED. If the required fields for that metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| MessageSourceAddress | | principal.ip |

Event ID 701
Provider: NTDS ISAM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED. If the required fields for that metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| MessageSourceAddress | | principal.ip |

Event ID 719
Provider: Microsoft-Windows-TaskScheduler

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |
| Category | Data/Category | security_result.category_details |

Event ID 781
Provider: Microsoft-Windows-Complus

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| param3 | Data/param3 | target.registry.registry_key |

Event ID 800
Provider: PowerShell

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE; metadata.description set to "Pipeline execution"; security_result.summary set to "Pipeline execution details for command line" |
| SourceName | | principal.application |
| UserId | | principal.user.userid |
| HostApplication | | target.file.full_path |

Event ID 888
Provider: top_5

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 900
Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | Not available | metadata.event_type = SERVICE_START; target.application = "Software Protection" |

Event ID 902
Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | Not available | metadata.event_type = SERVICE_START; target.application = "Software Protection" |

Event ID 903
Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | Not available | metadata.event_type = SERVICE_STOP; target.application = "Software Protection" |

Event ID 904
Provider: Directory Synchronization

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED. If the required fields for that metadata.event_type are not present, metadata.event_type is set to STATUS_UPDATE. |
| Data | | security_result.summary |

Event ID 1000
Provider: Microsoft-Windows-SCPNP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| ReaderName | Data/ReaderName | target.resource.name |
| ErrorCode | Data/ErrorCode | security_result.summary is set to "ErrorCode: %{ErrorCode}" |

Provider: Microsoft-Windows-LoadPerf

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| AccountName | | principal.user.attribute.roles.name |
| AccountType | | principal.user.attribute.roles.description |
| UserID | | principal.user.windows_sid |

Event ID 1001
Provider: Microsoft Antimalware

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED; target_resource_product_object_id set to target.resource.product_object_id |

Provider: Microsoft-Windows-WER-SystemErrorReporting

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| param2 | | target.file.full_path |

Provider: SNMP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE. Message set to security_result.summary |

Provider: Windows Error Reporting

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | Not available | metadata.event_type = STATUS_UPDATE |

Provider: Microsoft-Windows-LoadPerf

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| AccountName | | principal.user.attribute.roles.name |
| AccountType | | principal.user.attribute.roles.description |
| UserID | | principal.user.windows_sid |

Event ID 1003
Provider: Microsoft-Windows-Search

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_START |
| Category | Data/Category | target.application |

Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 1004
Provider: IPMIDRV

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Data | | target.hostname |

Provider: Microsoft-Windows-Search

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_MODIFICATION |
| Reason | Data/Reason | security_result.description |
| Category | Data/Category | target.application |

Provider: SNMP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Provider: TdIca

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED; target_ip set to target.ip; target_port set to target.port |

Event ID 1005
Provider: Microsoft-Windows-Search

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_MODIFICATION |
| Category | Data/Category | target.application |

Event ID 1007
Provider: TdIca

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED; target_ip set to target.ip; target_port set to target.port |

Event ID 1008
Provider: Microsoft-Windows-Perflib

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| EventXML.param1 | | target.application |
| EventXML.param2 | | target.file.full_path |

Provider: Microsoft-Windows-Search

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_START |
| Reason | Data/Reason | security_result.description |
| Category | Data/Category | target.application |

Event ID 1010
Provider: Microsoft-Windows-Search

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_MODIFICATION |
| Category | Data/Category | target.application |

Event ID 1013
Provider: Microsoft-Windows-Search

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_STOP |
| Category | Data/Category | target.application |

Event ID 1014
Provider: Microsoft-Windows-DNS-Client

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = NETWORK_DNS; network.ip_protocol is set to "DNS" |
| QueryName | | network.dns.questions.name |

Event ID 1016
Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | Not available | metadata.event_type = STATUS_UPDATE |

Event ID 1023
Provider: Microsoft-Windows-Perflib

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| Library | Data/Library | target.file.full_path |

Event ID 1025
Provider: Microsoft-Windows-TPM-WMI

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 1026
Provider: Microsoft-Windows-TPM-WMI

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| ErrorCode | Data/ErrorCode | security_result.summary is set to "ErrorCode: %{ErrorCode}" |

Event ID 1027
Provider: Microsoft-Windows-TPM-WMI

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 1030
Provider: Microsoft-Windows-GroupPolicy

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |
| ErrorDescription | | security_result.description |
| ErrorCode | | security_result.summary (format: ErrorCode - %{ErrorCode}) |
| DCName | | target.administrative_domain |

Provider: Microsoft-Windows-Kernel-PnP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Device | Data/Device | target.hostname |

Event ID 1031
Provider: Microsoft-Windows-Kernel-PnP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Device | Data/Device | target.hostname |

Event ID 1033
Provider: MsiInstaller

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE. Extract product_name and map it to target.application |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 1034
Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | Not available | metadata.event_type = STATUS_UPDATE |

Event ID 1037
Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 1040
Provider: MsiInstaller

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE. Extract process_id and map it to target.process.pid |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 1042
Provider: MsiInstaller

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE. Extract process_id and map it to target.process.pid |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 1053
Provider: Microsoft-Windows-GroupPolicy

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |
| ErrorDescription | Data/ErrorDescription | security_result.description |

Event ID 1054
Provider: Microsoft-Windows-GroupPolicy
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Domain |
System/Domain |
principal.administrative_domain |
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
UserID |
System/UserID |
principal.user.windows_sid |
ErrorDescription |
Data/ErrorDescription |
security_result.description |
Event ID 1055
Provider: Microsoft-Windows-GroupPolicy
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Domain |
System/Domain |
principal.administrative_domain |
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
UserID |
System/UserID |
principal.user.windows_sid |
ErrorDescription |
Data/ErrorDescription |
security_result.description |
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: ErrorCode - %{ErrorCode} |
Event ID 1056
Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE server_certificate_subject set to network.tls.server.certificate.subject |
Event ID 1057
Provider: Microsoft-Windows-FailoverClustering
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED
target.resource.resource_type = DATABASE |
Domain |
System/Domain |
principal.administrative_domain |
AccountName |
System/AccountName |
principal.user.userid |
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 1058
Provider: Microsoft-Windows-GroupPolicy
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Domain |
System/Domain |
principal.administrative_domain |
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
UserID |
System/UserID |
principal.user.windows_sid |
ErrorDescription |
Data/ErrorDescription |
security_result.description |
DCName |
Data/DCName |
target.administrative_domain |
FilePath |
Data/FilePath |
target.file.full_path |
Event ID 1064
Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE security_result.summary |
Event ID 1066
Provider: Microsoft-Windows-Security-SPP
NXLog field |
Event Viewer field |
UDM field |
|
Not available |
metadata.event_type = STATUS_UPDATE |
Event ID 1067
Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 1068
Provider: Microsoft-Windows-GroupPolicy
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
DCName |
EventData.DCName |
target.administrative_domain |
Event ID 1069
Provider: Microsoft-Windows-FailoverClustering
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
Domain |
System/Domain |
principal.administrative_domain |
AccountName |
System/AccountName |
principal.user.userid |
UserID |
System/UserID |
principal.user.windows_sid |
ResourceGroup |
|
target.group.group_display_name |
ResourceName |
|
target.resource.name |
Event ID 1073
Provider: User32
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_SHUTDOWN |
Domain |
System/Domain |
principal.administrative_domain |
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
AccountName |
System/AccountName |
principal.user.userid |
UserID |
System/UserID |
principal.user.windows_sid |
param1 |
Data/param1 |
target.hostname |
param2 |
Data/param2 |
target.user.userid |
Event ID 1074
Provider: User32
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_SHUTDOWN |
Domain |
|
principal.administrative_domain |
param2 |
Data/param2 |
principal.hostname |
param1 |
Data/param1 |
principal.process.file.full_path |
AccountType |
|
principal.user.attribute.roles.name |
UserID |
|
principal.user.windows_sid |
param3 |
Data/param3 |
security_result.description |
param7 |
Data/param7 |
target.user.userid |
Provider: USER32
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_SHUTDOWN
target_process_file_full_path set to target.process.file.full_path
target_hostname set to target.hostname |
Domain |
System/Domain |
principal.administrative_domain |
AccountName |
System/AccountName |
principal.user.userid |
Event ID 1076
Provider: User32
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Domain |
System/Domain |
principal.administrative_domain |
AccountName |
System/AccountName |
principal.user.userid |
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 1085
Provider: Microsoft-Windows-GroupPolicy
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Domain |
System/Domain |
principal.administrative_domain |
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
UserID |
System/UserID |
principal.user.windows_sid |
ErrorDescription |
Data/ErrorDescription |
security_result.description |
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: ErrorCode - %{value} |
DCName |
Data/DCName |
target.administrative_domain |
Event ID 1096
Provider: Microsoft-Windows-GroupPolicy
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
ErrorCode |
|
security_result.summary
Format: ErrorCode - %{ErrorCode} |
ErrorDescription |
|
security_result.description |
DCName |
|
target.administrative_domain |
FilePath |
|
principal.process.file.full_path |
Event ID 1100
Provider: Microsoft-Windows-Eventlog
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SERVICE_STOP
target.application = "Event Logging Service" |
|
Message |
security_result.description |
Event ID 1101
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Domain |
|
principal.administrative_domain |
AccountType |
|
principal.user.attribute.roles.name |
AccountName |
|
principal.user.userid |
UserID |
|
principal.user.windows_sid |
Provider: Microsoft-Windows-Eventlog
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 1102
Provider: AD FS Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED
target_ip set to target.ip
target_url set to target.url
client_certificate_serial set to network.tls.client.certificate.serial
client_certificate_subject set to network.tls.client.certificate.subject |
Domain |
System/Domain |
principal.administrative_domain |
AccountName |
System/AccountName |
principal.user.userid |
UserID |
System/UserID |
principal.user.windows_sid |
Provider: DFS Replication
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Provider: Microsoft-Windows-Eventlog
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_WIPE |
|
SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
principal.user.windows_sid |
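The three Event ID 1102 tables above are the clearest illustration of why the parser keys on the provider as well as the Event ID: from AD FS Auditing or DFS Replication the event is a routine status record, but from Microsoft-Windows-Eventlog it is the audit log being cleared and is normalized to SYSTEM_AUDIT_LOG_WIPE with the clearing account in the principal. The Python below is an added example, not the Google Security Operations parser or any Google code. It re-implements the mappings documented on this page for Event IDs 1085, 1100, 1102 and 1126 over constructed NXLog JSON records, so that the (Event ID, Provider) dispatch, the documented `Format:` summary strings and the documented fallback from SYSTEM_AUDIT_LOG_UNCATEGORIZED to STATUS_UPDATE can be checked on concrete input. It assumes NXLog im_msvistalog key names (EventID, SourceName, Hostname, Data_N) and assumes that the "required fields" behind that fallback are a populated principal; the sample records are made up.

```python
"""Apply the WINEVTLOG mappings documented on this page to sample NXLog records.

Added example; this is not the Google Security Operations parser. It re-implements
the documented (Event ID, Provider) -> UDM mappings for five events so the dispatch
on provider, the "Format:" summary strings and the documented fallback from
SYSTEM_AUDIT_LOG_UNCATEGORIZED to STATUS_UPDATE can be exercised on concrete input.
Record keys (EventID, SourceName, Hostname, Domain, AccountName, UserID,
SubjectUserName, Data_N) are assumed to follow NXLog im_msvistalog JSON output.
"""
import json

# (EventID, Provider) -> rule. "fields" copies NXLog field -> UDM field; "summary" is
# the documented Format string for security_result.summary and is only emitted when
# every field it references is present in the record.
MAPPINGS = {
    (1100, "Microsoft-Windows-Eventlog"): {
        "event_type": "SERVICE_STOP",
        "constants": {"target.application": "Event Logging Service"},
        "fields": [("Message", "security_result.description")],
    },
    # Same Event ID, different providers, different meanings. Only the
    # Microsoft-Windows-Eventlog variant is the audit log being cleared.
    (1102, "Microsoft-Windows-Eventlog"): {
        "event_type": "SYSTEM_AUDIT_LOG_WIPE",
        "fields": [("SubjectDomainName", "principal.administrative_domain"),
                   ("SubjectUserName", "principal.user.userid"),
                   ("SubjectUserSid", "principal.user.windows_sid")],
    },
    (1102, "DFS Replication"): {"event_type": "STATUS_UPDATE", "fields": []},
    (1085, "Microsoft-Windows-GroupPolicy"): {
        "event_type": "STATUS_UPDATE",
        "fields": [("Domain", "principal.administrative_domain"),
                   ("AccountType", "principal.user.attribute.roles.description"),
                   ("AccountName", "principal.user.attribute.roles.name"),
                   ("UserID", "principal.user.windows_sid"),
                   ("ErrorDescription", "security_result.description"),
                   ("DCName", "target.administrative_domain")],
        "summary": "ErrorCode - {ErrorCode}",
    },
    (1126, "Microsoft-Windows-ActiveDirectory_DomainService"): {
        "event_type": "SYSTEM_AUDIT_LOG_UNCATEGORIZED",
        "fallback": "STATUS_UPDATE",
        "fields": [("Domain", "principal.administrative_domain"),
                   ("AccountType", "principal.user.attribute.roles.name"),
                   ("AccountName", "principal.user.userid"),
                   ("UserID", "principal.user.windows_sid")],
        "summary": "Error: {Data_1} - {Data_2}",
    },
}


def normalize(record):
    """Map one NXLog record to a flat {udm_field_path: value} dict, or None when
    the (EventID, Provider) pair is not one of the events covered above."""
    rule = MAPPINGS.get((int(record["EventID"]), record.get("SourceName", "")))
    if rule is None:
        return None
    udm = dict(rule.get("constants", {}))
    for src, dst in rule["fields"]:
        if record.get(src) not in (None, ""):
            udm[dst] = record[src]
    if "summary" in rule:
        try:
            udm["security_result.summary"] = rule["summary"].format_map(record)
        except KeyError:
            pass  # a referenced ErrorCode/Data_N field is absent; leave summary unset
    event_type = rule["event_type"]
    # Assumption (not stated on the page): the "required fields" for the
    # SYSTEM_AUDIT_LOG_* types are a populated principal, so with no principal.*
    # field the event is demoted to the documented fallback type.
    if "fallback" in rule and not any(k.startswith("principal.") for k in udm):
        event_type = rule["fallback"]
    udm["metadata.event_type"] = event_type
    return udm


def audit_log_wipes(records):
    """(Hostname, clearing user) for every record normalized to SYSTEM_AUDIT_LOG_WIPE."""
    hits = []
    for rec in records:
        udm = normalize(rec)
        if udm and udm["metadata.event_type"] == "SYSTEM_AUDIT_LOG_WIPE":
            hits.append((rec.get("Hostname"), udm.get("principal.user.userid")))
    return hits


def load_records(text):
    """Parse NXLog to_json output: one JSON object per line."""
    return [json.loads(line) for line in text.strip().splitlines()]


# Constructed sample records in NXLog to_json shape (not captured from a real host).
SAMPLE_NXLOG_JSON = r"""
{"EventTime":"2024-05-01 10:15:02","Hostname":"dc01.example.test","EventID":1102,"SourceName":"Microsoft-Windows-Eventlog","Channel":"Security","SubjectUserName":"jdoe","SubjectDomainName":"EXAMPLE","SubjectUserSid":"S-1-5-21-1-2-3-1105"}
{"EventTime":"2024-05-01 10:15:09","Hostname":"fs01.example.test","EventID":1102,"SourceName":"DFS Replication","Channel":"DFS Replication"}
{"EventTime":"2024-05-01 10:16:00","Hostname":"ws07.example.test","EventID":1085,"SourceName":"Microsoft-Windows-GroupPolicy","Domain":"EXAMPLE","AccountName":"SYSTEM","AccountType":"User","UserID":"S-1-5-18","ErrorCode":"1332","ErrorDescription":"No mapping between account names and security IDs was done.","DCName":"\\\\dc01.example.test"}
{"EventTime":"2024-05-01 10:17:30","Hostname":"dc01.example.test","EventID":1126,"SourceName":"Microsoft-Windows-ActiveDirectory_DomainService","Data_1":"1355","Data_2":"The specified domain either does not exist or could not be contacted."}
{"EventTime":"2024-05-01 10:18:00","Hostname":"dc01.example.test","EventID":1100,"SourceName":"Microsoft-Windows-Eventlog","Message":"The event logging service has shut down."}
"""

if __name__ == "__main__":
    records = load_records(SAMPLE_NXLOG_JSON)
    for rec in records:
        print(rec["EventID"], rec["SourceName"], "->", normalize(rec))
    print("audit log cleared on:", audit_log_wipes(records))
```

Running it prints one normalized dict per record; the 1126 record, which carries no Domain/AccountName/UserID, comes out as STATUS_UPDATE rather than SYSTEM_AUDIT_LOG_UNCATEGORIZED, and only the Microsoft-Windows-Eventlog 1102 record is reported by `audit_log_wipes`. When writing detections, match on the normalized event type (SYSTEM_AUDIT_LOG_WIPE) rather than on Event ID 1102 alone, since the same ID from AD FS or DFS Replication means something else entirely.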
Event ID 1103
Provider: Microsoft-Windows-Eventlog
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 1104
Provider: Microsoft-Windows-Eventlog
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 1105
Provider: Microsoft-Windows-Eventlog
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
AutoBackup.BackupPath |
Data/BackupPath |
target.file.full_path |
Event ID 1106
Provider: Microsoft-Windows-Eventlog
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Reason |
Data/Reason |
security_result.description |
Event ID 1107
Provider: Microsoft-Windows-Eventlog
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service" |
ProcessID |
Data/ProcessID |
principal.process.pid |
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: Error Code: %{value} |
Event ID 1108
Provider: Microsoft-Windows-Eventlog
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 1112
Provider: Microsoft-Windows-GroupPolicy
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Domain |
System/Domain |
principal.administrative_domain |
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
UserID |
System/UserID |
principal.user.windows_sid |
ErrorDescription |
|
security_result.description |
ErrorCode |
|
security_result.summary
Format: ErrorCode - %{ErrorCode} |
DCName |
|
target.administrative_domain |
ExtensionName |
|
target.resource.name |
ExtensionId |
|
target.resource.product_object_id |
Event ID 1126
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Domain |
|
principal.administrative_domain |
AccountType |
|
principal.user.attribute.roles.name |
AccountName |
|
principal.user.userid |
UserID |
|
principal.user.windows_sid |
Data_1 |
|
security_result.summary set to "Error: %{Data_1} - %{Data_2}" |
Data_2 |
|
security_result.summary set to "Error: %{Data_1} - %{Data_2}" |
Event ID 1127
Provider: Microsoft-Windows-GroupPolicy
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
ErrorCode |
|
security_result.summary
Format: ErrorCode - %{ErrorCode} |
ErrorDescription |
|
security_result.description |
DCName |
|
target.administrative_domain |
Event ID 1128
Provider: Microsoft-Windows-GroupPolicy
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Domain |
System/Domain |
principal.administrative_domain |
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
UserID |
System/UserID |
principal.user.windows_sid |
ExtensionName |
|
target.resource.name |
ExtensionId |
|
target.resource.product_object_id |
Event ID 1129
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Domain |
|
principal.administrative_domain |
AccountType |
|
principal.user.attribute.roles.name |
AccountName |
|
principal.user.userid |
UserID |
|
principal.user.windows_sid |
Provider: Microsoft-Windows-GroupPolicy
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Domain |
System/Domain |
principal.administrative_domain |
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
UserID |
System/UserID |
principal.user.windows_sid |
ErrorDescription |
Data/ErrorDescription |
security_result.description |
Event ID 1130
Provider: Microsoft-Windows-GroupPolicy
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: ErrorCode - %{value} |
ErrorDescription |
Data/ErrorDescription |
security_result.description |
GPOFileSystemPath |
Data/GPOFileSystemPath |
target.file.full_path |
Event ID 1134
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Domain |
|
principal.administrative_domain |
AccountType |
|
principal.user.attribute.roles.name |
AccountName |
|
principal.user.userid |
UserID |
|
principal.user.windows_sid |
Event ID 1150
Provider: Microsoft Antimalware
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
platform_version set to principal.asset.platform_software.platform_version |
Event ID 1162
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Domain |
|
principal.administrative_domain |
AccountType |
|
principal.user.attribute.roles.name |
AccountName |
|
principal.user.userid |
UserID |
|
principal.user.windows_sid |
Event ID 1173
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Domain |
|
principal.administrative_domain |
AccountType |
|
principal.user.attribute.roles.name |
AccountName |
|
principal.user.userid |
UserID |
|
principal.user.windows_sid |
Event ID 1196
Provider: Microsoft-Windows-FailoverClustering
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
Domain |
System/Domain |
principal.administrative_domain |
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
AccountName |
System/AccountName |
principal.user.userid |
UserID |
System/UserID |
principal.user.windows_sid |
StatusString |
|
security_result.summary |
ResourceName |
|
target.resource.name |
Event ID 1200
Provider: AD FS Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = USER_LOGIN |
Message |
|
metadata.description |
UserID |
|
target.user.windows_sid |
Event ID 1201
Provider: AD FS Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = USER_LOGIN |
Message |
|
metadata.description |
UserID |
|
target.user.windows_sid |
Event ID 1202
Provider: SceCli
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
Message |
|
security_result.summary
Format: 0x%{error_code} - %{error_message} |
Provider: AD FS Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = USER_LOGIN |
Message |
|
metadata.description |
"SERVICE" |
extensions.auth.mechanism |
|
"SSO" |
extensions.auth.typ |
|
UserID |
target.user.windows_sid |
Event ID 1203
Provider: AD FS Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = USER_LOGIN |
Message |
|
metadata.description |
"SERVICE" |
extensions.auth.mechanism |
|
"SSO" |
extensions.auth.typ |
|
UserID |
target.user.windows_sid |
Event ID 1204
Provider: AD FS Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = USER_CHANGE_PASSWORD |
Message |
|
metadata.description |
Event ID 1205
Provider: Microsoft-Windows-FailoverClustering
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
Domain |
System/Domain |
principal.administrative_domain |
AccountName |
System/AccountName |
principal.user.userid |
UserID |
System/UserID |
principal.user.windows_sid |
ResourceGroup |
|
target.group.group_display_name |
Provider: AD FS Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = USER_CHANGE_PASSWORD |
Message |
|
metadata.description |
Event ID 1206
Provider: AD FS Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = USER_LOGOUT |
Message |
|
metadata.description |
UserID |
|
target.user.windows_sid |
Event ID 1207
Provider: AD FS Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = USER_LOGOUT |
Message |
|
metadata.description |
UserID |
|
target.user.windows_sid |
Event ID 1213
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Event ID 1216
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Data_3 |
|
security_result.description |
Data |
|
security_result.summary
Format: "Error Code - %{Data}" |
Event ID 1226
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Domain |
|
principal.administrative_domain |
AccountType |
|
principal.user.attribute.roles.name |
AccountName |
|
principal.user.userid |
UserID |
|
principal.user.windows_sid |
Event ID 1254
Provider: Microsoft-Windows-FailoverClustering
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
Domain |
System/Domain |
principal.administrative_domain |
AccountName |
System/AccountName |
principal.user.userid |
UserID |
System/UserID |
principal.user.windows_sid |
ResourceGroup |
|
target.group.group_display_name |
Event ID 1257
Provider: Microsoft-Windows-FailoverClustering
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
DNSZone |
|
about.labels.key/value additional.fields.key additional.fields.value.string_value |
Domain |
System/Domain |
principal.administrative_domain |
AccountName |
System/AccountName |
principal.user.userid |
UserID |
System/UserID |
principal.user.windows_sid |
ResourceGroup |
|
target.group.group_display_name |
Event ID 1282
Provider: Microsoft-Windows-TPM-WMI
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 1307
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Domain |
|
principal.administrative_domain |
AccountType |
|
principal.user.attribute.roles.name |
AccountName |
|
principal.user.userid |
UserID |
|
principal.user.windows_sid |
Event ID 1311
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Domain |
|
principal.administrative_domain |
AccountType |
|
principal.user.attribute.roles.name |
AccountName |
|
principal.user.userid |
UserID |
|
principal.user.windows_sid |
Event ID 1317
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Event ID 1500
Provider: Microsoft-Windows-GroupPolicy
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Domain |
System/Domain |
principal.administrative_domain |
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
UserID |
System/UserID |
principal.user.windows_sid |
DCName |
Data/DCName |
target.administrative_domain |
Event ID 1501
Provider: Microsoft-Windows-GroupPolicy
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 1502
Provider: Microsoft-Windows-GroupPolicy
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Domain |
System/Domain |
principal.administrative_domain |
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
UserID |
System/UserID |
principal.user.windows_sid |
DCName |
Data/DCName |
target.administrative_domain |
Event ID 1503
Provider: Microsoft-Windows-GroupPolicy
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Domain |
System/Domain |
principal.administrative_domain |
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
UserID |
System/UserID |
principal.user.windows_sid |
DCName |
Data/DCName |
target.administrative_domain |
Event ID 1531
Provider: Microsoft-Windows-User Profiles Service
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SERVICE_START |
Domain |
Not available |
principal.administrative_domain |
AccountName |
Not available |
principal.user.userid |
UserID |
Not available |
principal.user.windows_sid |
SourceName |
Not available |
target.application |
Event ID 1532
Provider: Microsoft-Windows-User Profiles Service
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SERVICE_STOP |
Domain |
Not available |
principal.administrative_domain |
AccountName |
Not available |
principal.user.userid |
UserID |
Not available |
principal.user.windows_sid |
SourceName |
Not available |
target.application |
Event ID 1535
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Domain |
|
principal.administrative_domain |
AccountType |
|
principal.user.attribute.roles.name |
AccountName |
|
principal.user.userid |
UserID |
|
principal.user.windows_sid |
Data |
|
security_result.description |
Event ID 1564
Provider: Microsoft-Windows-FailoverClustering
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = RESOURCE_READ |
Domain |
System/Domain |
principal.administrative_domain |
AccountName |
System/AccountName |
principal.user.userid |
UserID |
System/UserID |
principal.user.windows_sid |
ShareName |
|
target.resource.name |
Event ID 1566
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Domain |
|
principal.administrative_domain |
AccountType |
|
principal.user.attribute.roles.name |
AccountName |
|
principal.user.userid |
UserID |
|
principal.user.windows_sid |
Event ID 1573
Provider: Microsoft-Windows-FailoverClustering
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
Domain |
System/Domain |
principal.administrative_domain |
AccountName |
System/AccountName |
principal.user.userid |
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 1593
Provider: Microsoft-Windows-FailoverClustering
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = RESOURCE_READ
target.resource.resource_type = DATABASE |
Domain |
System/Domain |
principal.administrative_domain |
AccountName |
System/AccountName |
principal.user.userid |
UserID |
System/UserID |
principal.user.windows_sid |
DatabaseFilePath |
|
target.file.full_path |
Event ID 1643
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Domain |
|
principal.administrative_domain |
AccountType |
|
principal.user.attribute.roles.name |
AccountName |
|
principal.user.userid |
UserID |
|
principal.user.windows_sid |
Event ID 1644
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Domain |
|
principal.administrative_domain |
AccountType |
|
principal.user.attribute.roles.name |
AccountName |
|
principal.user.userid |
UserID |
|
principal.user.windows_sid |
Event ID 1645
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Domain |
|
principal.administrative_domain |
AccountType |
|
principal.user.attribute.roles.name |
AccountName |
|
principal.user.userid |
UserID |
|
principal.user.windows_sid |
Event ID 1653
Provider: Microsoft-Windows-FailoverClustering
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
Domain |
System/Domain |
principal.administrative_domain |
AccountName |
System/AccountName |
principal.user.userid |
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 1699
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Domain |
|
principal.administrative_domain |
AccountType |
|
principal.user.attribute.roles.name |
AccountName |
|
principal.user.userid |
UserID |
|
principal.user.windows_sid |
Data_4 |
|
security_result.summary set to "Error Code - %{Data_4}" |
Event ID 1704
Provider: SceCli
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
ProcessId |
|
principal.process.pid |
Message |
|
security_result.summary |
Event ID 1865
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Domain |
|
principal.administrative_domain |
AccountType |
|
principal.user.attribute.roles.name |
AccountName |
|
principal.user.userid |
UserID |
|
principal.user.windows_sid |
Event ID 1925
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Domain |
|
principal.administrative_domain |
AccountType |
|
principal.user.attribute.roles.name |
AccountName |
|
principal.user.userid |
UserID |
|
principal.user.windows_sid |
Event ID 1955
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Domain |
|
principal.administrative_domain |
AccountType |
|
principal.user.attribute.roles.name |
AccountName |
|
principal.user.userid |
UserID |
|
principal.user.windows_sid |
Event ID 2000
Provider: Microsoft Antimalware
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE
current_signature_version set to target.resource.attribute.labels.key/value
previous_signature_version set to target.resource.attribute.labels.key/value |
Event ID 2001
Provider: Microsoft Antimalware
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
Data_14 |
|
security_result.summary |
Data_17 |
|
target.url |
Provider: NTDS ISAM
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED
If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
MessageSourceAddress |
|
principal.ip |
Event ID 2004
Provider: Microsoft-Windows-Resource-Exhaustion-Detector
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Domain |
System/Domain |
principal.administrative_domain |
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
AccountName |
System/AccountName |
principal.user.userid |
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 2041
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Event ID 2042
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Domain |
|
principal.administrative_domain |
AccountType |
|
principal.user.attribute.roles.name |
AccountName |
|
principal.user.userid |
UserID |
|
principal.user.windows_sid |
Event ID 2053
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Domain |
|
principal.administrative_domain |
AccountType |
|
principal.user.attribute.roles.name |
AccountName |
|
principal.user.userid |
UserID |
|
principal.user.windows_sid |
Event ID 2065
Provider: Microsoft-Windows-ActiveDirectory_DomainService
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Domain |
|
principal.administrative_domain |
AccountType |
|
principal.user.attribute.roles.name |
AccountName |
|
principal.user.userid |
UserID |
|
principal.user.windows_sid |
Event ID 2085
Provider: Microsoft-Windows-ActiveDirectory_DomainService

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED. If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
| Domain | | principal.administrative_domain |
| MessageSourceAddress | | principal.ip |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | | principal.user.userid |
| UserID | | principal.user.windows_sid |

Event ID 2089
Provider: Microsoft-Windows-ActiveDirectory_DomainService

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED. If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
| Domain | | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | | principal.user.userid |
| UserID | | principal.user.windows_sid |

Event ID 2108
Provider: Microsoft-Windows-ActiveDirectory_DomainService

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED. If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
| Domain | | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | | principal.user.userid |
| UserID | | principal.user.windows_sid |
| Data_3 | | security_result.summary set to "Error: %{Data_4} - %{Data_3}" |
| Data_4 | | security_result.summary set to "Error: %{Data_4} - %{Data_3}" |

Event ID 2811
Provider: Microsoft-Windows-ActiveDirectory_DomainService

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED. If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
| Domain | | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | | principal.user.userid |
| UserID | | principal.user.windows_sid |

Event ID 2887
Provider: Microsoft-Windows-ActiveDirectory_DomainService

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED. If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
| Domain | | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | | principal.user.userid |
| UserID | | principal.user.windows_sid |

Event ID 2889
Provider: Microsoft-Windows-ActiveDirectory_DomainService

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED. If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
| Domain | | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | | principal.user.userid |
| UserID | | principal.user.windows_sid |
| Message | | principal_ip is set to principal.ip; principal_port is set to principal.port; principal_user_id is set to principal.user.userid |

Event ID 2896
Provider: Microsoft-Windows-ActiveDirectory_DomainService

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED. If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
| Domain | | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | | principal.user.userid |
| UserID | | principal.user.windows_sid |
| Data_1 | | security_result.summary set to "Error: %{Data_1} - %{Data_2}" |
| Data_2 | | security_result.summary set to "Error: %{Data_1} - %{Data_2}" |

Event ID 2904
Provider: Microsoft-Windows-ActiveDirectory_DomainService

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED. If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
| Domain | | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | | principal.user.userid |
| UserID | | principal.user.windows_sid |

Event ID 2946
Provider: Microsoft-Windows-ActiveDirectory_DomainService

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED. If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
| Domain | | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | | principal.user.userid |
| UserID | | principal.user.windows_sid |

Event ID 2947
Provider: Microsoft-Windows-ActiveDirectory_DomainService

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED. If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
| Domain | | principal.administrative_domain |
| Data_2 | | principal.ip |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | | principal.user.userid |
| UserID | | principal.user.windows_sid |
| Data_3 | | security_result.summary set to "Error: %{Data_3}" |

Event ID 2974
Provider: Microsoft-Windows-ActiveDirectory_DomainService

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED. If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
| Domain | | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | | principal.user.userid |
| UserID | | principal.user.windows_sid |
| Data_2 | | security_result.summary set to "Error Code - %{Data_2}" |

Event ID 3005
Provider: LogRhythm Agent

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | security_result.description |

Event ID 3006
Provider: LogRhythm Agent

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = NETWORK_UNCATEGORIZED |
| Message | | Message is set to security_result.description; ip is set to target.ip; port is set to target.port |

Event ID 3040
Provider: Microsoft-Windows-ActiveDirectory_DomainService

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED. If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
| Domain | | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | | principal.user.userid |
| UserID | | principal.user.windows_sid |

Event ID 3041
Provider: Microsoft-Windows-ActiveDirectory_DomainService

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED. If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
| Domain | | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.name |
| AccountName | | principal.user.userid |
| UserID | | principal.user.windows_sid |

Event ID 3072
Provider: Foundation Agents

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 3096
Provider: NETLOGON

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE. Message set to security_result.summary. |

Event ID 3260
Provider: Workstation

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 3261
Provider: Workstation

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 4000
version 0 Windows 10 client / Provider: Microsoft-Windows-Diagnostics-Networking

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Provider: Microsoft-Windows-WLAN-AutoConfig

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |

Event ID 4001
Provider: Microsoft-Windows-WLAN-AutoConfig

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |

Event ID 4003
Provider: Microsoft-Windows-WLAN-AutoConfig

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| ErrorCode | Data/ErrorCode | security_result.summary. Format: %{ErrorCode}-%{ErrorMsg} |

Event ID 4005
Provider: Microsoft-Windows-GroupPolicy

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |
| ReasonForSyncProcessing | Data/ReasonForSyncProcessing | security_result.summary |
| PrincipalSamName | Data/PrincipalSamName | target.hostname |
| PolicyActivityId | Data/PolicyActivityId | target.resource.product_object_id |

Event ID 4006
Provider: Microsoft-Windows-GroupPolicy

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |
| PrincipalSamName | Data/PrincipalSamName | target.hostname |
| PolicyActivityId | Data/PolicyActivityId | target.resource.product_object_id |

Event ID 4016
Provider: Microsoft-Windows-GroupPolicy

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |
| DescriptionString | Data/DescriptionString | security_result.description |
| CSEExtensionName | Data/CSEExtensionName | target.resource.name |
| CSEExtensionId | Data/CSEExtensionId | target.resource.product_object_id |

Event ID 4017
Provider: Microsoft-Windows-GroupPolicy

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |
| OperationDescription | Data/OperationDescription | security_result.description |

Event ID 4096
Provider: NetJoin

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = NETWORK_CONNECTION |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| DomainName | Data/DomainName | target.administrative_domain |
| ComputerName | Data/ComputerName | target.hostname |

Event ID 4097
Provider: Microsoft-Windows-CAPI2

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | Not available | metadata.event_type = STATUS_UPDATE |

Provider: NetJoin

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = NETWORK_CONNECTION |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| NetStatusCode | Data/NetStatusCode | security_result.description |
| DomainName | Data/DomainName | target.administrative_domain |
| ComputerName | Data/ComputerName | target.hostname |

Event ID 4100
Provider: Microsoft-Windows-Diagnostics-Networking

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Provider: Microsoft-Windows-PowerShell

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 4101
Provider: Display

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |

Event ID 4103
version 1 / Provider: Microsoft-Windows-PowerShell

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_START |
| Domain | | principal.administrative_domain |
| AccountType | | principal.user.attribute.roles.description |
| AccountName | | principal.user.attribute.roles.name |
| UserID | | principal.user.windows_sid |
| Category | | security_result.summary |
| CommandName | | target.application |
| ScriptName | | target.file.full_path |
| HostApplication | | target.process.command_line; target.process.file.full_path |

Event ID 4104
Provider: Microsoft-Windows-PowerShell

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_START |
| Domain | | principal.administrative_domain |
| ScriptBlockText | Data/ScriptBlockText | principal.process.command_line |
| UserID | | principal.user.windows_sid |
| Category | | security_result.summary |
| Message | | security_result.description |
| SourceName | | target.application |

Event ID 4108
Provider: Microsoft-Windows-CAPI2

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | Not available | metadata.event_type = STATUS_UPDATE. Extract information from Message field and map it to network.tls.client.certificate. |

Event ID 4109
Provider: Microsoft-Windows-CAPI2

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | Not available | metadata.event_type = STATUS_UPDATE. Extract information from Message field and map it to network.tls.client.certificate. |

Event ID 4111
Provider: Microsoft-Windows-MSDTC

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_STOP |
| SourceName | Not available | target.application |

Event ID 4112
Provider: Microsoft-Windows-CAPI2

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | Not available | metadata.event_type = STATUS_UPDATE |

Event ID 4113
Provider: Microsoft-Windows-CAPI2

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | Not available | metadata.event_type = STATUS_UPDATE |

Event ID 4115
Provider: Microsoft-Windows-GroupPolicy

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 4116
Provider: Microsoft-Windows-GroupPolicy

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 4117
Provider: Microsoft-Windows-GroupPolicy

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 4124
Provider: Microsoft-Windows-BitLocker-API

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 4125
Provider: Microsoft-Windows-BitLocker-API

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Data | Data/Data | security_result.description. Format: Error - %{value} |

Event ID 4126
Provider: Microsoft-Windows-GroupPolicy

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 4127
Provider: Microsoft-Windows-BitLocker-API

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Data | Data/Data | security_result.description |

Event ID 4133
Provider: Microsoft-Windows-BitLocker-API

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 4199
Provider: Tcpip

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Data | Data/Data | principal.ip |
| Data_1 | Data/Data_1 | target.mac |

Event ID 4200
Provider: Microsoft-Windows-Iphlpsvc

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| Interface | | target_resource_product_object_id set to target.resource.product_object_id |
| Address | | target.ip |

Event ID 4202
Provider: Microsoft-Windows-MSDTC 2

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_START |
| SourceName | Not available | target.application |
| param9 | Data/param9 | target.user.userid |

Event ID 4227
Provider: Tcpip

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE. Message set to security_result.summary. |

Event ID 4230
Provider: Tcpip

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 4257
Provider: Microsoft-Windows-GroupPolicy

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 4319
Provider: NetBT

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 4321
Provider: NetBT

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = NETWORK_CONNECTION |
| Data | Data/Data | principal.hostname and principal.port |
| Data_1 | Data/Data_1 | principal.ip |
| Data_2 | Data/Data_2 | target.ip |

Event ID 4326
Provider: Microsoft-Windows-GroupPolicy

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 4400
Provider: NPS

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Data_1 | | principal.administrative_domain |

Event ID 4608
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_STARTUP |

Event ID 4609
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_SHUTDOWN |

Event ID 4610
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| AuthenticationPackageName | Data/AuthenticationPackageName | target.resource.name |

Event ID 4611
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = PROCESS_UNCATEGORIZED |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| LogonProcessName | Data/LogonProcessName | target.process.command_line |

Event ID 4612
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 4614
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| NotificationPackageName | Data/NotificationPackageName | target.resource.name |

Event ID 4615
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_UNCATEGORIZED |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| ProcessName | Data/ProcessName | principal.process.command_line |
| ProcessId | Data/ProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |

Event ID 4616
version 0 / Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SETTING_MODIFICATION. target.resource.resource_type set to SETTING. |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| ProcessName | Data/ProcessName | principal.process.file.full_path |
| ProcessId | Data/ProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |

version 1 / Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| ProcessName | Data/ProcessName | principal.process.file.full_path |
| ProcessId | Data/ProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| NewDate | Data/NewDate | target.resource.attribute.labels.key = "NewDate"; value in target.resource.attribute.labels.value |
| NewTime | Data/NewTime | target.resource.attribute.labels.key = "NewTime"; value in target.resource.attribute.labels.value |
| PreviousDate | Data/PreviousDate | target.resource.attribute.labels.key = "PreviousDate"; value in target.resource.attribute.labels.value |
| PreviousTime | Data/PreviousTime | target.resource.attribute.labels.key = "PreviousTime"; value in target.resource.attribute.labels.value |

Event ID 4618
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| TargetUserDomain | Data/TargetUserDomain | target.administrative_domain |
| ComputerName | Data/ComputerName | target.hostname |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetUserSid | Data/TargetUserSid | target.user.windows_sid |
| TargetLogonId | Data/TargetLogonId | additional.fields.key; additional.fields.value.string_value |

Event ID 4621
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| CrashOnAuditFailValue | Data/CrashOnAuditFailValue | security_result.summary |

Event ID 4622
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| SecurityPackageName | Data/SecurityPackageName | target.resource.name |

Event ID 4624
version 0 / Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = USER_LOGIN. security_result.action set to "ALLOW". |
| LogonType | Data/LogonType | extensions.auth.mechanism and extensions.auth.details |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| TargetLogonId | Data/TargetLogonId | target.labels.key/value; additional.fields.key; additional.fields.value.string_value |
| WorkstationName | Data/WorkstationName | principal.asset.hostname; principal.asset_id |
| ProcessName | Data/ProcessName | principal.process.command_line |
| ProcessId | Data/ProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| AuthenticationPackageName | Data/AuthenticationPackageName | security_result.about.resource.name |
| ElevatedToken | Data/ElevatedToken | security_result.detection_fields.labels.key/value |
| IpAddress | Data/IpAddress | src.ip |
| IpPort | Data/IpPort | src.port |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| LogonProcessName | Data/LogonProcessName | target.process.file.full_path |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetUserSid | Data/TargetUserSid | target.user.windows_sid |

version 2 / Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| TargetOutboundUserName | Data/TargetOutboundUserName | target.user.user_display_name |

Event ID 4625
Provider: Microsoft-Windows-EventSystem

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| param3 | Data/param3 | about.registry.registry_key |

Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = USER_LOGIN; security_result.category = AUTH_VIOLATION; security_result.action = BLOCK; extensions.auth.type set to MACHINE |
| LogonType | Data/LogonType | extensions.auth.mechanism and extensions.auth.details |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectLogonId | Data/SubjectLogonId | principal.labels.key/value; additional.fields.key; additional.fields.value.string_value |
| WorkstationName | Data/WorkstationName | principal.asset.hostname; principal.asset_id |
| ProcessName | Data/ProcessName | principal.process.command_line |
| ProcessId | Data/ProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| AuthenticationPackageName | Data/AuthenticationPackageName | security_result.about.resource.name |
| Status | Data/Status | security_result.summary. Populate the description corresponding to the status code. Format: Status(%{Status}): %{status_description}. If the incoming value is 0xc000006d, store the value 'The cause is either a bad username or authentication information' (referred from the doc table). |
| SubStatus | Data/SubStatus | security_result.description. Populate the description corresponding to the sub-status code. Format: SubStatus(%{SubStatus}): %{sub_status_description}. If the incoming value is 0xc000006d, store the value 'The cause is either a bad username or authentication information' (referred from the doc table). |
| IpAddress | Data/IpAddress | src.ip |
| IpPort | Data/IpPort | src.port |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| LogonProcessName | Data/LogonProcessName | target.process.file.full_path |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetUserSid | Data/TargetUserSid | target.user.windows_sid |

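The Event ID 4624 and 4625 rows above, applied to NXLog JSON records as an added Python example; this is not code from the Google Security Operations parser or from NXLog. The LogonType-to-mechanism table, treating "-" as an empty value, and the text used for status codes other than 0xc000006d are assumptions, and the sample records are constructed.

```python
import json

# Rows shared by Event ID 4624 and 4625: NXLog field -> UDM field path.
COMMON_FIELDS = {
    "SubjectDomainName": "principal.administrative_domain",
    "WorkstationName": "principal.asset.hostname",
    "ProcessName": "principal.process.command_line",
    "ProcessId": "principal.process.pid",
    "SubjectUserName": "principal.user.userid",
    "SubjectUserSid": "principal.user.windows_sid",
    "AuthenticationPackageName": "security_result.about.resource.name",
    "IpAddress": "src.ip",
    "IpPort": "src.port",
    "TargetDomainName": "target.administrative_domain",
    "LogonProcessName": "target.process.file.full_path",
    "TargetUserName": "target.user.userid",
    "TargetUserSid": "target.user.windows_sid",
}

# Assumed LogonType -> extensions.auth.mechanism table; the page only states
# that LogonType feeds extensions.auth.mechanism and extensions.auth.details.
LOGON_TYPE_MECHANISM = {
    "2": "LOCAL", "3": "NETWORK", "4": "BATCH", "5": "SERVICE",
    "10": "REMOTE_INTERACTIVE", "11": "CACHED_INTERACTIVE",
}

# Status / SubStatus descriptions for 4625. The page gives only 0xc000006d;
# any other code gets a generic text so the summary is still populated.
STATUS_DESCRIPTIONS = {
    "0xc000006d": "The cause is either a bad username or authentication information",
}

# Windows writes "-" for an empty field; treating it as absent is an assumption.
EMPTY_MARKERS = (None, "", "-")


def describe_status(code: str) -> str:
    """Return the text for an NTSTATUS code, matching case-insensitively."""
    return STATUS_DESCRIPTIONS.get(code.lower(), "Unknown status code")


def normalize_logon(line: str) -> dict:
    """Apply the 4624 / 4625 rows to one NXLog JSON record; keys are UDM paths."""
    event = json.loads(line)
    event_id = str(event.get("EventID"))
    if event_id not in ("4624", "4625"):
        raise ValueError(f"only 4624 and 4625 are handled here, got {event_id}")

    udm = {"metadata.event_type": "USER_LOGIN"}
    for nxlog_field, udm_path in COMMON_FIELDS.items():
        value = event.get(nxlog_field)
        if value not in EMPTY_MARKERS:
            udm[udm_path] = value

    logon_type = str(event.get("LogonType", ""))
    udm["extensions.auth.mechanism"] = LOGON_TYPE_MECHANISM.get(logon_type, "MECHANISM_OTHER")
    udm["extensions.auth.details"] = f"LogonType {logon_type}"

    if event_id == "4624":
        udm["security_result.action"] = "ALLOW"
        udm["additional.fields"] = [
            {"key": "TargetLogonId", "value": {"string_value": event.get("TargetLogonId", "")}}
        ]
        if "ElevatedToken" in event:
            udm["security_result.detection_fields"] = [
                {"key": "ElevatedToken", "value": event["ElevatedToken"]}
            ]
        if event.get("TargetOutboundUserName") not in EMPTY_MARKERS:  # version 2 row
            udm["target.user.user_display_name"] = event["TargetOutboundUserName"]
    else:
        udm["security_result.category"] = "AUTH_VIOLATION"
        udm["security_result.action"] = "BLOCK"
        udm["extensions.auth.type"] = "MACHINE"
        udm["additional.fields"] = [
            {"key": "SubjectLogonId", "value": {"string_value": event.get("SubjectLogonId", "")}}
        ]
        status = event.get("Status", "")
        sub_status = event.get("SubStatus", "")
        udm["security_result.summary"] = f"Status({status}): {describe_status(status)}"
        udm["security_result.description"] = f"SubStatus({sub_status}): {describe_status(sub_status)}"
    return udm


# Constructed sample records (not captured logs) using the field names from the table.
SAMPLE_4624 = json.dumps({
    "EventID": 4624, "LogonType": "10", "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "WS01$", "SubjectDomainName": "CORP", "TargetLogonId": "0x8a3f2",
    "TargetUserSid": "S-1-5-21-1111-2222-3333-1105", "TargetUserName": "jdoe",
    "TargetDomainName": "CORP", "WorkstationName": "WS01", "ProcessId": "0x2f4",
    "ProcessName": "C:\\Windows\\System32\\svchost.exe", "LogonProcessName": "User32",
    "AuthenticationPackageName": "Negotiate", "IpAddress": "10.0.0.5", "IpPort": "49152",
    "ElevatedToken": "%%1843",
})
SAMPLE_4625 = json.dumps({
    "EventID": 4625, "LogonType": "3", "SubjectUserSid": "S-1-0-0", "SubjectUserName": "-",
    "SubjectDomainName": "-", "SubjectLogonId": "0x0", "TargetUserSid": "S-1-0-0",
    "TargetUserName": "svc_backup", "TargetDomainName": "CORP", "Status": "0xC000006D",
    "SubStatus": "0xC0000064", "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
    "WorkstationName": "WS01", "ProcessId": "0x0", "ProcessName": "-",
    "IpAddress": "10.0.0.5", "IpPort": "49152",
})

if __name__ == "__main__":
    for sample in (SAMPLE_4624, SAMPLE_4625):
        print(json.dumps(normalize_logon(sample), indent=2))
```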
Event ID 4626
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = USER_LOGIN |
| LogonType | Data/LogonType | extensions.auth.mechanism and extensions.auth.details |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetUserSid | Data/TargetUserSid | target.user.windows_sid |
| TargetLogonId | Data/TargetLogonId | additional.fields.key; additional.fields.value.string_value |

Event ID 4627
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = GROUP_UNCATEGORIZED |
| LogonType | Data/LogonType | extensions.auth.mechanism and extensions.auth.details |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| GroupMembership | Data/GroupMembership | target.user.group_identifiers |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetUserSid | Data/TargetUserSid | target.user.windows_sid |
| TargetLogonId | Data/TargetLogonId | additional.fields.key; additional.fields.value.string_value |

Event ID 4634
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = USER_LOGOUT. security_result.action = ALLOW. |
| LogonType | Data/LogonType | extensions.auth.mechanism and extensions.auth.details |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetUserSid | Data/TargetUserSid | target.user.windows_sid |
| TargetLogonId | Data/TargetLogonId | additional.fields.key; additional.fields.value.string_value |

Event ID 4646
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_START |

Event ID 4647
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = USER_LOGOUT |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetUserSid | Data/TargetUserSid | target.user.windows_sid |
| TargetLogonId | Data/TargetLogonId | additional.fields.key; additional.fields.value.string_value |

Event ID 4648
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = USER_LOGIN. security_result.action set to "ALLOW". extensions.auth.mechanism set to "USERNAME_PASSWORD". |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| ProcessName | Data/ProcessName | principal.process.command_line |
| ProcessId | Data/ProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| IpAddress | Data/IpAddress | src.ip |
| IpPort | Data/IpPort | src.port |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetLogonId | Data/TargetLogonId | additional.fields.key; additional.fields.value.string_value |

Event ID 4649
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_UNCATEGORIZED |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| LogonProcessName | Data/LogonProcessName | principal.process.command_line |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| WorkstationName | Data/WorkstationName | principal.asset.hostname; principal.asset_id |
| ProcessName | Data/ProcessName | target.process.command_line |
| ProcessId | Data/ProcessId | target.process.pid |
| TargetUserName | Data/TargetUserName | target.user.userid |

Event ID 4650
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = NETWORK_UNCATEGORIZED |
LocalMMPrincipalName |
Data/LocalMMPrincipalName |
principal.hostname |
LocalAddress |
Data/LocalAddress |
principal.ip |
LocalKeyModPort |
Data/LocalKeyModPort |
principal.port |
RemoteMMPrincipalName |
Data/RemoteMMPrincipalName |
target.hostname |
RemoteAddress |
Data/RemoteAddress |
target.ip |
RemoteKeyModPort |
Data/RemoteKeyModPort |
target.port |
Event ID 4651
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = NETWORK_UNCATEGORIZED |
LocalMMIssuingCA |
Data/LocalMMIssuingCA |
network.tls.client.certificate.issuer |
RemoteMMIssuingCA |
Data/RemoteMMIssuingCA |
network.tls.server.certificate.issuer |
LocalMMPrincipalName |
Data/LocalMMPrincipalName |
principal.hostname |
LocalAddress |
Data/LocalAddress |
principal.ip |
LocalKeyModPort |
Data/LocalKeyModPort |
principal.port |
RemoteMMPrincipalName |
Data/RemoteMMPrincipalName |
target.hostname |
RemoteAddress |
Data/RemoteAddress |
target.ip |
RemoteKeyModPort |
Data/RemoteKeyModPort |
target.port |
Event ID 4652
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = NETWORK_UNCATEGORIZED |
| LocalMMIssuingCA | Data/LocalMMIssuingCA | network.tls.client.certificate.issuer |
| RemoteMMIssuingCA | Data/RemoteMMIssuingCA | network.tls.server.certificate.issuer |
| LocalMMPrincipalName | Data/LocalMMPrincipalName | principal.hostname |
| LocalAddress | Data/LocalAddress | principal.ip |
| LocalKeyModPort | Data/LocalKeyModPort | principal.port |
| RemoteMMPrincipalName | Data/RemoteMMPrincipalName | target.hostname |
| RemoteAddress | Data/RemoteAddress | target.ip |
| RemoteKeyModPort | Data/RemoteKeyModPort | target.port |
Event ID 4653
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = NETWORK_UNCATEGORIZED |
| LocalAddress | Data/LocalAddress | principal.ip |
| LocalKeyModPort | Data/LocalKeyModPort | principal.port |
| FailureReason | Data/FailureReason | security_result.summary |
| RemoteAddress | Data/RemoteAddress | target.ip |
| RemoteKeyModPort | Data/RemoteKeyModPort | target.port |
Event ID 4654
version 0 / Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = NETWORK_UNCATEGORIZED |
| Protocol | Data/Protocol | network.ip_protocol |
| LocalAddress | Data/LocalAddress | principal.ip |
| LocalPort | Data/LocalPort | principal.port |
| FailureReason | Data/FailureReason | security_result.summary |
| RemoteAddress | Data/RemoteAddress | target.ip |
| RemotePort | Data/RemotePort | target.port |
Event ID 4655
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = NETWORK_UNCATEGORIZED |
| LocalAddress | Data/LocalAddress | principal.ip |
| RemoteAddress | Data/RemoteAddress | target.ip |
Event ID 4656
version 0 / Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_RESOURCE_ACCESS |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| ProcessName | Data/ProcessName | principal.process.file.full_path |
| ProcessId | Data/ProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| ObjectName | Data/ObjectName | target.file.full_path (when ObjectType = "File"); target.process.command_line (when ObjectType = "Process") |
| AccessList | Data/AccessList | target.resource.attribute.permissions.name |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
| ObjectType | Data/ObjectType | target.resource.resource_subtype |
| AccessMask | Data/AccessMask | principal.process.access_mask |
Event ID 4657
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = REGISTRY_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| ProcessName | Data/ProcessName | principal.process.file.full_path |
| ProcessId | Data/ProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| ObjectName | Data/ObjectName | target.registry.registry_key |
| NewValue | Data/NewValue | target.registry.registry_value_data |
| ObjectValueName | Data/ObjectValueName | target.registry.registry_value_name |
Event ID 4658
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_RESOURCE_ACCESS |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| ProcessName | Data/ProcessName | principal.process.file.full_path |
| ProcessId | Data/ProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4659
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_RESOURCE_ACCESS |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| ProcessId | Data/ProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| ObjectName | Data/ObjectName | target.file.full_path (when ObjectType = "File"); target.process.command_line (when ObjectType = "Process") |
| AccessList | Data/AccessList | target.resource.attribute.permissions.name |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
Event ID 4660
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_RESOURCE_DELETION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| ProcessName | Data/ProcessName | principal.process.file.full_path |
| ProcessId | Data/ProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4661
event version 1 / Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| AccessReason | Data/AccessReason | security_result.description |

version 0

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_RESOURCE_ACCESS |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| ProcessName | Data/ProcessName | principal.process.file.full_path |
| ProcessId | Data/ProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| ObjectName | Data/ObjectName | target.group.group_display_name (when ObjectType is SAM_ALIAS, SAM_GROUP); target.user.userid (when ObjectType is SAM_USER); target.administrative_domain (when ObjectType is SAM_DOMAIN); target.hostname (when ObjectType is SAM_SERVER) |
| AccessList | Data/AccessList | target.resource.attribute.permissions.name |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
Event ID 4662
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_RESOURCE_ACCESS |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| SubjectLogonId | Data/SubjectLogonId | principal.labels.key/value, additional.fields.key, additional.fields.value.string_value |
| AdditionalInfo | Data/AdditionalInfo | security_result.description |
| Properties | Data/Properties | security_result.detection_fields.key/value |
| AccessMask | Data/AccessMask | principal.process.access_mask, principal.resource.attribute.permissions |
| ObjectName | Data/ObjectName | target.resource.name |
| ObjectServer | Data/ObjectServer | target.resource.parent |
Event ID 4663
version 0 / Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = FILE_OPEN (ObjectType = File, SymbolicLink); REGISTRY_UNCATEGORIZED (ObjectType = Key); PROCESS_OPEN (ObjectType = Process); USER_RESOURCE_ACCESS (ObjectType = Event) |
| ObjectName | Data/ObjectName | target.file.full_path (ObjectType = File, SymbolicLink); target.registry.registry_key (ObjectType = Key); target.process.file.full_path (ObjectType = Process); target.resource.name (ObjectType = Event) |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| ProcessName | Data/ProcessName | principal.process.file.full_path |
| ProcessId | Data/ProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| AccessList | Data/AccessList | target.resource.attribute.permissions.name |
| AccessMask | Data/AccessMask | principal.process.access_mask, principal.resource.attribute.permissions |
Event ID 4664
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = FILE_CREATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| FileName | Data/FileName | target.file.full_path |
| LinkName | Data/LinkName | target.resource.name |
Event ID 4665
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = RESOURCE_CREATION |
| ClientDomain | Data/ClientDomain | principal.administrative_domain |
| ClientName | Data/ClientName | principal.asset.hostname |
| AppName | Data/AppName | target.application |
| AppInstance | Data/AppInstance | target.resource.product_object_id |
Event ID 4666
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_RESOURCE_ACCESS |
| ClientDomain | Data/ClientDomain | principal.administrative_domain |
| ClientName | Data/ClientName | principal.asset.hostname |
| AppName | Data/AppName | target.application |
| ObjectName | Data/ObjectName | target.resource.name |
Event ID 4667
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = RESOURCE_DELETION |
| ClientDomain | Data/ClientDomain | principal.administrative_domain |
| ClientName | Data/ClientName | principal.asset.hostname |
| AppName | Data/AppName | target.application |
Event ID 4668
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| ClientDomain | Data/ClientDomain | principal.administrative_domain |
| ClientName | Data/ClientName | principal.asset.hostname |
| AppName | Data/AppName | target.application |
Event ID 4670
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = FILE_OPEN (ObjectType = File, SymbolicLink); REGISTRY_UNCATEGORIZED (ObjectType = Key); PROCESS_OPEN (ObjectType = Process); USER_RESOURCE_ACCESS (ObjectType = Event) |
| ObjectName | Data/ObjectName | target.file.full_path (ObjectType = File, SymbolicLink); target.registry.registry_key (ObjectType = Key); target.process.file.full_path (ObjectType = Process); target.resource.name (ObjectType = Event) |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| ProcessName | Data/ProcessName | principal.process.file.full_path |
| ProcessId | Data/ProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| OldSd | Data/OldSd | security_result.detection_fields.key/value |
| NewSd | Data/NewSd | security_result.detection_fields.key/value |
Event ID 4671
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE; security_result.action = BLOCK |
| CallerDomainName | Data/CallerDomainName | principal.administrative_domain |
| CallerUserName | Data/CallerUserName | principal.user.userid |
| CallerUserSid | Data/CallerUserSid | principal.user.windows_sid |
Event ID 4672
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_LOGIN |
| SubjectDomainName | Data/SubjectDomainName | target.administrative_domain |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
| SubjectUserName | Data/SubjectUserName | target.user.userid |
| SubjectUserSid | Data/SubjectUserSid | target.user.windows_sid |
Event ID 4673
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_UNSPECIFIED. If the fields required for this metadata.event_type are not present, then metadata.event_type is set to GENERIC_EVENT. |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| ProcessName | Data/ProcessName | target.process.command_line. If the ProcessName field is not present in the log, then "Process ID" and "Process Name" are extracted from the "Message" field. |
| ProcessId | Data/ProcessId | target.process.pid |
Event ID 4674
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_RESOURCE_ACCESS. If the ProcessName field is absent, then metadata.event_type is set to GENERIC_EVENT. |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| ProcessName | Data/ProcessName | target.process.command_line. If the ProcessName field is not present in the log, then "Process ID" and "Process Name" are extracted from the "Message" field. |
| ProcessId | Data/ProcessId | target.process.pid |
| ObjectName | Data/ObjectName | target.resource.name |
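The two conditional rules in the tables above (the ObjectType-dependent mapping of Event ID 4663 and the Event ID 4674 fallback that recovers the process from the Message field before the event type drops to GENERIC_EVENT) are easier to follow in code. The following Python is an added example, not parser code from Google Security Operations or NXLog; the rendered Message layout ("Process ID:<tab>0x1a4", "Process Name:<tab>C:\..."), the sample events, and the ordering of the two 4674 rules (Message fallback first, then GENERIC_EVENT) are assumptions, since the tables do not state them.

```python
import re

# ObjectType -> (metadata.event_type, UDM field that receives ObjectName), as documented
# for Event ID 4663 (the same mapping is listed for 4670 and 4691).
OBJECT_TYPE_MAP = {
    "File": ("FILE_OPEN", "target.file.full_path"),
    "SymbolicLink": ("FILE_OPEN", "target.file.full_path"),
    "Key": ("REGISTRY_UNCATEGORIZED", "target.registry.registry_key"),
    "Process": ("PROCESS_OPEN", "target.process.file.full_path"),
    "Event": ("USER_RESOURCE_ACCESS", "target.resource.name"),
}

# Subject fields common to both tables.
SUBJECT_MAP = {
    "SubjectDomainName": "principal.administrative_domain",
    "SubjectUserName": "principal.user.userid",
    "SubjectUserSid": "principal.user.windows_sid",
}

# Assumed layout of the rendered Message text of 4674: the process block is printed as
# "Process ID:<tab>0x1a4" and "Process Name:<tab>C:\...". The table only says that both
# values come from Message. [ \t]* (not \s*) keeps an empty value from swallowing the next line.
_PID_RE = re.compile(r"Process ID:[ \t]*(0x[0-9A-Fa-f]+|\d+)")
_NAME_RE = re.compile(r"Process Name:[ \t]*(\S[^\r\n]*)")


def map_object_access(event: dict) -> dict:
    """Event ID 4663: event type and the ObjectName destination depend on ObjectType."""
    obj_type = event.get("ObjectType")
    if obj_type not in OBJECT_TYPE_MAP:
        # The table documents only the ObjectType values above; anything else is undefined here.
        raise ValueError(f"undocumented ObjectType: {obj_type!r}")
    event_type, object_field = OBJECT_TYPE_MAP[obj_type]
    udm = {"metadata.event_type": event_type, object_field: event["ObjectName"]}
    for src, dst in SUBJECT_MAP.items():
        if src in event:
            udm[dst] = event[src]
    # Remaining 4663 rows: ProcessName, ProcessId, AccessList, AccessMask.
    direct = {
        "ProcessName": "principal.process.file.full_path",
        "ProcessId": "principal.process.pid",
        "AccessList": "target.resource.attribute.permissions.name",
        "AccessMask": "principal.process.access_mask",
    }
    for src, dst in direct.items():
        if src in event:
            udm[dst] = event[src]
    return udm


def map_privileged_object(event: dict) -> dict:
    """Event ID 4674: recover the process from Message, else fall back to GENERIC_EVENT."""
    udm = {"metadata.event_type": "USER_RESOURCE_ACCESS"}
    for src, dst in SUBJECT_MAP.items():
        if src in event:
            udm[dst] = event[src]
    name, pid = event.get("ProcessName"), event.get("ProcessId")
    if name is None:
        # ProcessName not in the log: take "Process ID" and "Process Name" from Message.
        msg = event.get("Message", "")
        m_name, m_pid = _NAME_RE.search(msg), _PID_RE.search(msg)
        name = m_name.group(1) if m_name else None
        pid = m_pid.group(1) if m_pid else pid
    if name is None:
        # Still no process: the table says the event type drops to GENERIC_EVENT.
        udm["metadata.event_type"] = "GENERIC_EVENT"
    else:
        udm["target.process.command_line"] = name
        if pid is not None:
            udm["target.process.pid"] = pid  # kept exactly as logged (hex string)
    if "ObjectName" in event:
        udm["target.resource.name"] = event["ObjectName"]
    return udm


# Constructed sample events using NXLog-style field names (not captured from a real host).
SAMPLE_4663_KEY = {
    "EventID": 4663, "ObjectType": "Key",
    "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ExampleSvc",
    "SubjectDomainName": "CORP", "SubjectUserName": "alice",
    "SubjectUserSid": "S-1-5-21-1-2-3-1001",
    "ProcessName": r"C:\Windows\regedit.exe", "ProcessId": "0x9c8",
    "AccessList": "%%4432", "AccessMask": "0x1",
}
SAMPLE_4674_MESSAGE_ONLY = {
    "EventID": 4674, "SubjectDomainName": "CORP", "SubjectUserName": "svc_backup",
    "SubjectUserSid": "S-1-5-21-1-2-3-1105", "ObjectName": "-",
    "Message": ("An operation was attempted on a privileged object.\r\n\r\n"
                "Process Information:\r\n\tProcess ID:\t0x1a4\r\n"
                "\tProcess Name:\tC:\\Windows\\System32\\lsass.exe\r\n"),
}
SAMPLE_4674_NO_PROCESS = {
    "EventID": 4674, "SubjectDomainName": "CORP", "SubjectUserName": "svc_backup",
    "SubjectUserSid": "S-1-5-21-1-2-3-1105",
    "Message": "An operation was attempted on a privileged object.",
}

if __name__ == "__main__":
    for ev in (SAMPLE_4663_KEY, SAMPLE_4674_MESSAGE_ONLY, SAMPLE_4674_NO_PROCESS):
        fn = map_object_access if ev["EventID"] == 4663 else map_privileged_object
        print(ev["EventID"], fn(ev))
```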
Event ID 4675
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetUserSid | Data/TargetUserSid | target.user.windows_sid |
Event ID 4688
version 0 / Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = PROCESS_LAUNCH |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| ProcessId | Data/ProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| NewProcessName | Data/NewProcessName | target.process.file.full_path |
| NewProcessId | Data/NewProcessId | target.process.pid |
| ParentProcessName | Data/ParentProcessName | principal.process.file.full_path |
| TokenElevationType | Data/TokenElevationType | target.labels, additional.fields.key, additional.fields.value.string_value |
| TargetLogonId | Data/TargetLogonId | additional.fields.key, additional.fields.value.string_value |

version 1

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| commandLine | Data/commandLine | principal.process.command_line |

version 2

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetUserSid | Data/TargetUserSid | target.user.windows_sid |
| MandatoryLabel | Data/MandatoryLabel | target.labels, additional.fields.key, additional.fields.value.string_value |
Event ID 4689
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = PROCESS_TERMINATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| ProcessName | Data/ProcessName | target.process.file.full_path |
| ProcessId | Data/ProcessId | target.process.pid |
Event ID 4690
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = RESOURCE_CREATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SourceProcessId | Data/SourceProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| SourceHandleId | Data/SourceHandleId | src.resource.name |
| TargetProcessId | Data/TargetProcessId | target.process.pid |
| TargetHandleId | Data/TargetHandleId | target.resource.name |
Event ID 4691
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = FILE_OPEN (ObjectType = File, SymbolicLink); REGISTRY_UNCATEGORIZED (ObjectType = Key); PROCESS_OPEN (ObjectType = Process); USER_RESOURCE_ACCESS (ObjectType = Event) |
| ObjectName | Data/ObjectName | target.file.full_path (ObjectType = File, SymbolicLink); target.registry.registry_key (ObjectType = Key); target.process.file.full_path (ObjectType = Process); target.resource.name (ObjectType = Event) |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| ProcessId | Data/ProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4692
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| FailureReason | Data/FailureReason | security_result.description |
| RecoveryServer | Data/RecoveryServer | target.hostname |
Event ID 4693
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| RecoveryReason | Data/RecoveryReason | security_result.description |
Event ID 4694
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| FailureReason | Data/FailureReason | security_result.description |
Event ID 4695
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| FailureReason | Data/FailureReason | security_result.description |
Event ID 4696
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = PROCESS_UNCATEGORIZED |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| ProcessName | Data/ProcessName | principal.process.command_line |
| ProcessId | Data/ProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetProcessName | Data/TargetProcessName | target.process.command_line |
| TargetProcessId | Data/TargetProcessId | target.process.pid |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetUserSid | Data/TargetUserSid | target.user.windows_sid |
| TargetLogonId | Data/TargetLogonId | additional.fields.key, additional.fields.value.string_value |
Event ID 4697
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_UNSPECIFIED |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| ServiceName | Data/ServiceName | target.application |
| ServiceFileName | Data/ServiceFileName | target.process.file.full_path |

version 1 / Windows 10 and Windows Server 2022

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| ClientProcessId | Data/ClientProcessId | principal.process.pid |
| ParentProcessId | Data/ParentProcessId | principal.process.parent_process.pid |
Event ID 4698
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SCHEDULED_TASK_CREATION; target.resource.resource_type = TASK |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TaskName | Data/TaskName | target.resource.name |
| Message | Data/Message | URI is set to target.file.full_path; Command is set to target.process.command_line |

version 1 / Windows 10 and Windows Server 2022

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| ParentProcessId | Data/ParentProcessId | target.process.parent_process.pid |
| ClientProcessId | Data/ClientProcessId | target.process.pid |
Event ID 4699
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SCHEDULED_TASK_DELETION; target.resource.resource_type = "TASK" |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TaskName | Data/TaskName | target.resource.name |

version 1 / Windows 10 and Windows Server 2022

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| ParentProcessId | Data/ParentProcessId | principal.process.parent_process.pid |
| ClientProcessId | Data/ClientProcessId | principal.process.pid |
Event ID 4700
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SCHEDULED_TASK_ENABLE; target.resource.resource_type = TASK |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TaskName | Data/TaskName | target.resource.name |

version 1 / Windows 10 and Windows Server 2022

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| ParentProcessId | Data/ParentProcessId | principal.process.parent_process.pid |
| ClientProcessId | Data/ClientProcessId | principal.process.pid |
Event ID 4701
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SCHEDULED_TASK_DISABLE; target.resource.resource_type = TASK |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TaskName | Data/TaskName | target.resource.name |

version 1 / Windows 10 and Windows Server 2022

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| ParentProcessId | Data/ParentProcessId | principal.process.parent_process.pid |
| ClientProcessId | Data/ClientProcessId | principal.process.pid |
Event ID 4702
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SCHEDULED_TASK_MODIFICATION; target.resource.resource_type = TASK |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TaskName | Data/TaskName | target.resource.name |

version 1 / Windows 10 and Windows Server 2022

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| ClientProcessId | Data/ClientProcessId | target.process.pid |
| ParentProcessId | Data/ParentProcessId | target.process.parent_process.pid |
Event ID 4703
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = RESOURCE_PERMISSIONS_CHANGE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| ProcessName | Data/ProcessName | principal.process.file.full_path |
| ProcessId | Data/ProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| EnabledPrivilegeList | Data/EnabledPrivilegeList | target.user.attribute.permissions.name, target.user.attribute.permissions.description |
| DisabledPrivilegeList | Data/DisabledPrivilegeList | target.user.attribute.permissions.name, target.user.attribute.permissions.description |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetUserSid | Data/TargetUserSid | target.user.windows_sid |
| TargetLogonId | Data/TargetLogonId | additional.fields.key, additional.fields.value.string_value |
Event ID 4704
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_CHANGE_PERMISSIONS |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
| TargetSid | Data/TargetSid | target.user.windows_sid |
Event ID 4705
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_CHANGE_PERMISSIONS |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
| TargetSid | Data/TargetSid | target.user.windows_sid |
Event ID 4706
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| DomainName | Data/DomainName | target.administrative_domain |
Event ID 4707
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| DomainName | Data/DomainName | target.administrative_domain |
Event ID 4709
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_START; target.application = "IPsec Policy Agent Service" |
Event ID 4710
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_STOP; target.application = "IPsec Policy Agent Service" |
Event ID 4711
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
Event ID 4712
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_STOP; target.application = "IPsec Policy Agent Service" |
Event ID 4713
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SETTING_MODIFICATION; target.resource.resource_type = SETTING |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| KerberosPolicyChange | Data/KerberosPolicyChange | target.resource.attribute.labels.key = "FieldName_OLD_VALUE" with value = "<old_value>", and target.resource.attribute.labels.key = "FieldName_NEW_VALUE" with value = "<new_value>" |
Event ID 4714
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SETTING_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| EfsPolicyChange | Data/EfsPolicyChange | target.resource.name |
Event ID 4715
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SETTING_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| OldSd | Data/OldSd | target.resource.attribute.labels.key, target.resource.attribute.labels.value |
| NewSd | Data/NewSd | target.resource.attribute.labels.key, target.resource.attribute.labels.value |
Event ID 4716
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| DomainName | Data/DomainName | target.administrative_domain |
Event ID 4717
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_RESOURCE_ACCESS; security_result.action = ALLOW |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| AccessGranted | Data/AccessGranted | target.user.attribute.permissions.name, target.user.attribute.permissions.description |
| TargetSid | Data/TargetSid | target.user.windows_sid |
Event ID 4718
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_RESOURCE_ACCESS; security_result.action = BLOCK |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| AccessRemoved | Data/AccessRemoved | target.user.attribute.permissions.name, target.user.attribute.permissions.description |
| TargetSid | Data/TargetSid | target.user.windows_sid |
Event ID 4719
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| SubcategoryGuid | Data/SubcategoryGuid | security_result.category_details is populated from the description of this GUID in the output of the command auditpol /list /subcategory:* /v. |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| CategoryId | Data/CategoryId | security_result[0].category_details is set to "CategoryId", security_result[0].summary is set to "%{CategoryId}", and security_result[0].description is set to "%{Category}". |
| SubcategoryId | Data/SubcategoryId | security_result[0].category_details is set to "SubCategoryId", security_result[0].summary is set to "%{SubCategoryId}", and security_result[0].description is set to "%{SubCategory}". The "Subcategory" description is extracted from the "Message" field. |
| SubcategoryGuid | Data/SubcategoryGuid | security_result[2].category_details is set to "SubcategoryGuid", security_result[2].summary is set to "%{SubcategoryGuid}", and security_result[2].description is set to "%{subcategory_guid_description}". |
| AuditPolicyChanges | Data/AuditPolicyChanges | security_result[3].category_details is set to "AuditPolicyChanges" and security_result[3].summary is set to "%{AuditPolicyChanges_description}"; the "AuditPolicyChanges_description" is extracted from the "Message" field. Also mapped to about.labels.key/value, additional.fields.key, additional.fields.value.string_value. |
Event ID 4720
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_CREATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| SubjectLogonId | Data/SubjectLogonId | principal.labels.key/value, additional.fields.key, additional.fields.value.string_value |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
| DisplayName | Data/DisplayName | target.user.user_display_name |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetSid | Data/TargetSid | target.user.windows_sid |
Event ID 4722
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_CHANGE_PERMISSIONS security_result.action = ALLOW |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetSid | Data/TargetSid | target.user.windows_sid |
Event ID 4723
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_CHANGE_PASSWORD |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetSid | Data/TargetSid | target.user.windows_sid |
Event ID 4724
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_CHANGE_PASSWORD |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetSid | Data/TargetSid | target.user.windows_sid |
Event ID 4725
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_CHANGE_PERMISSIONS |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetSid | Data/TargetSid | target.user.windows_sid |
Event ID 4726
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_DELETION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| SubjectLogonId | Data/SubjectLogonId | principal.labels.key/value additional.fields.key additional.fields.value.string_value |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetSid | Data/TargetSid | target.user.windows_sid |
Event ID 4727
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_CREATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| SubjectLogonId | Data/SubjectLogonId | principal.labels.key/value additional.fields.key additional.fields.value.string_value |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
Event ID 4728
version 0 / Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| SubjectLogonId | Data/SubjectLogonId | principal.labels.key/value additional.fields.key additional.fields.value.string_value |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
| Message | Data/Message | OU, CN and DC fields are extracted from the Message log field and mapped to target.user.attribute.labels |
| MemberName | Data/MemberName | target.user.user_display_name |
| MemberSid | Data/MemberSid | target.user.windows_sid |
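The Message row for Event ID 4728 says the parser pulls the OU, CN and DC components out of the Message text and stores them as target.user.attribute.labels. The following Python is an added example of how such an extraction works; it is not Google's parser code and is not taken from the page. It assumes the member account name in the message is written as a standard LDAP distinguished name (CN=...,OU=...,DC=...), which is what this event carries for domain members, and the sample message, SIDs and names are constructed. How the real parser names repeated OU entries is not stated on the page, so this example simply emits one label per component with the key repeated.

```python
import re
from typing import Dict, List

# Constructed sample Event ID 4728 message in Event Viewer style.
# All SIDs, account and group names are invented for this example.
SAMPLE_4728_MESSAGE = """A member was added to a security-enabled global group.

Subject:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1105
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tEXAMPLE
\tLogon ID:\t\t0x3E7

Member:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1204
\tAccount Name:\t\tCN=Jane Roe,OU=Engineering,OU=Staff,DC=example,DC=com

Group:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-512
\tGroup Name:\t\tDomain Admins
\tGroup Domain:\t\tEXAMPLE
"""

# A run of comma-separated CN=/OU=/DC= relative distinguished names.
# Escaped commas inside a value (e.g. "CN=Roe\, Jane") are not handled here.
DN_RE = re.compile(
    r"(?P<dn>(?:CN|OU|DC)=[^,\n]+(?:,(?:CN|OU|DC)=[^,\n]+)*)",
    re.IGNORECASE,
)


def extract_dn(message: str) -> str:
    """Return the first LDAP-style distinguished name in the message, or '' if none."""
    m = DN_RE.search(message)
    return m.group("dn") if m else ""


def dn_components(dn: str) -> Dict[str, List[str]]:
    """Split a DN into its CN, OU and DC values, preserving order of appearance.

    An empty string or a DN with no recognised components yields empty lists,
    which is the case for a local (non-domain) member written as DOMAIN\\user.
    """
    out: Dict[str, List[str]] = {"CN": [], "OU": [], "DC": []}
    for part in dn.split(","):
        key, _, value = part.partition("=")
        key = key.strip().upper()
        if key in out and value.strip():
            out[key].append(value.strip())
    return out


def message_to_labels(message: str) -> List[Dict[str, str]]:
    """Build key/value label entries (the shape of target.user.attribute.labels)
    from the DN found in the message. Returns [] when the message has no DN."""
    comps = dn_components(extract_dn(message))
    labels: List[Dict[str, str]] = []
    for key in ("CN", "OU", "DC"):
        for value in comps[key]:
            labels.append({"key": key, "value": value})
    return labels


if __name__ == "__main__":
    for label in message_to_labels(SAMPLE_4728_MESSAGE):
        print(f"{label['key']}={label['value']}")
```

A message whose Member Account Name is a plain DOMAIN\user string contains no DN, so message_to_labels returns an empty list and the other mapped fields (MemberName, MemberSid) still carry the identity.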
Event ID 4729
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
| MemberName | Data/MemberName | target.user.user_display_name |
| MemberSid | Data/MemberSid | target.user.windows_sid |
Event ID 4730
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_DELETION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| SubjectLogonId | Data/SubjectLogonId | principal.labels.key/value additional.fields.key additional.fields.value.string_value |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
Event ID 4731
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_CREATION security_result.action set to "ALLOW" |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| SubjectLogonId | Data/SubjectLogonId | principal.labels.key/value additional.fields.key additional.fields.value.string_value |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
Event ID 4732
version 0 / Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
| MemberName | Data/MemberName | target.user.user_display_name |
| MemberSid | Data/MemberSid | target.user.windows_sid |
Event ID 4733
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
| MemberName | Data/MemberName | target.user.user_display_name |
| MemberSid | Data/MemberSid | target.user.windows_sid |
Event ID 4734
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_DELETION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| SubjectLogonId | Data/SubjectLogonId | principal.labels.key/value additional.fields.key additional.fields.value.string_value |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
Event ID 4735
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
Event ID 4737
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
Event ID 4738
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_UNCATEGORIZED |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.user_display_name |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| SamAccountName | Data/SamAccountName | target.resource.attribute.labels.key target.resource.attribute.labels.value |
| DisplayName | Data/DisplayName | target.resource.attribute.labels.key target.resource.attribute.labels.value |
| UserPrincipalName | Data/UserPrincipalName | target.resource.attribute.labels.key target.resource.attribute.labels.value |
| HomeDirectory | Data/HomeDirectory | target.resource.attribute.labels.key target.resource.attribute.labels.value |
| HomePath | Data/HomePath | target.resource.attribute.labels.key target.resource.attribute.labels.value |
| ScriptPath | Data/ScriptPath | target.resource.attribute.labels.key target.resource.attribute.labels.value |
| ProfilePath | Data/ProfilePath | target.resource.attribute.labels.key target.resource.attribute.labels.value |
| UserWorkstations | Data/UserWorkstations | target.resource.attribute.labels.key target.resource.attribute.labels.value |
| PasswordLastSet | Data/PasswordLastSet | target.resource.attribute.labels.key target.resource.attribute.labels.value target.user.last_password_change_time |
| AccountExpires | Data/AccountExpires | target.resource.attribute.labels.key target.resource.attribute.labels.value |
| PrimaryGroupId | Data/PrimaryGroupId | target.resource.attribute.labels.key target.resource.attribute.labels.value |
| AllowedToDelegateTo | Data/AllowedToDelegateTo | target.resource.attribute.labels.key target.resource.attribute.labels.value |
| OldUacValue | Data/OldUacValue | target.resource.attribute.labels.key target.resource.attribute.labels.value |
| NewUacValue | Data/NewUacValue | target.resource.attribute.labels.key target.resource.attribute.labels.value |
| UserAccountControl | Data/UserAccountControl | target.resource.attribute.labels.key target.resource.attribute.labels.value |
| UserParameters | Data/UserParameters | target.resource.attribute.labels.key target.resource.attribute.labels.value |
| SidHistory | Data/SidHistory | target.resource.attribute.labels.key target.resource.attribute.labels.value |
| LogonHours | Data/LogonHours | target.resource.attribute.labels.key target.resource.attribute.labels.value |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetSid | Data/TargetSid | target.user.windows_sid |
Event ID 4739
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SETTING_MODIFICATION target.resource.resource_type = "SETTING" |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| DomainName | Data/DomainName | target.administrative_domain |
| DomainPolicyChanged | Data/DomainPolicyChanged | target.resource.name |
Event ID 4740
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_CHANGE_PERMISSIONS |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetSid | Data/TargetSid | target.user.windows_sid |
Event ID 4741
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_RESOURCE_CREATION target.resource.resource_type = STORAGE_OBJECT target.resource.resource_subtype = Computer Account |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.user_display_name |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetSid | Data/TargetSid | target.user.windows_sid |
| DnsHostName | Data/DnsHostName | target.asset.hostname |
Event ID 4742
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type = STORAGE_OBJECT target.resource.resource_subtype = Computer Account |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetSid | Data/TargetSid | target.user.windows_sid |
| ServicePrincipalNames | Data/ServicePrincipalNames | target.application |
Event ID 4743
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_RESOURCE_DELETION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetSid | Data/TargetSid | target.user.windows_sid |
Event ID 4744
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_CREATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
Event ID 4745
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
Event ID 4746
version 0 / Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
| MemberName | Data/MemberName | target.user.user_display_name |
| MemberSid | Data/MemberSid | target.user.windows_sid |
Event ID 4747
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
| MemberName | Data/MemberName | target.user.user_display_name |
| MemberSid | Data/MemberSid | target.user.windows_sid |
Event ID 4748
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_DELETION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
Event ID 4749
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_CREATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
Event ID 4750
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
Event ID 4751
version 0 / Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
| MemberName | Data/MemberName | target.user.user_display_name |
| MemberSid | Data/MemberSid | target.user.windows_sid |
Event ID 4752
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
| MemberName | Data/MemberName | target.user.user_display_name |
| MemberSid | Data/MemberSid | target.user.windows_sid |
Event ID 4753
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_DELETION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
Event ID 4754
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_CREATION security_result.action set to "ALLOW" |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| SubjectLogonId | Data/SubjectLogonId | principal.labels.key/value additional.fields.key additional.fields.value.string_value |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
Event ID 4755
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
Event ID 4756
version 0 / Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
| MemberName | Data/MemberName | target.user.user_display_name |
| MemberSid | Data/MemberSid | target.user.windows_sid |
Event ID 4757
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
| MemberName | Data/MemberName | target.user.user_display_name |
| MemberSid | Data/MemberSid | target.user.windows_sid |
Event ID 4758
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_DELETION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| SubjectLogonId | Data/SubjectLogonId | principal.labels.key/value additional.fields.key additional.fields.value.string_value |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
Event ID 4759
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_CREATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
Event ID 4760
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
Event ID 4761
version 0 / Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
| MemberName | Data/MemberName | target.user.user_display_name |
| MemberSid | Data/MemberSid | target.user.windows_sid |
Event ID 4762
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
| MemberName | Data/MemberName | target.user.user_display_name |
| MemberSid | Data/MemberSid | target.user.windows_sid |
Event ID 4763
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_DELETION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
Event ID 4764
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| GroupTypeChange | Data/GroupTypeChange | security_result.summary |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
Event ID 4765
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type = SETTING; target.resource.resource_subtype = SID History |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| PrivilegeList | Data/PrivilegeList | target.user.attribute.permissions.name |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetSid | Data/TargetSid | target.user.windows_sid |
Event ID 4766
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_RESOURCE_UPDATE_CONTENT |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetSid | Data/TargetSid | target.user.windows_sid |
Event ID 4767
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_CHANGE_PERMISSIONS |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetSid | Data/TargetSid | target.user.windows_sid |
Event ID 4768
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_LOGIN; if the LogonType field is missing, then extensions.auth.mechanism = MECHANISM_UNSPECIFIED |
| IpAddress | Data/IpAddress | principal.ip |
| IpPort | Data/IpPort | principal.port |
| Status | Data/Status | security_result.description |
| CertIssuerName | Data/CertIssuerName | security_result.detection_fields.labels.key = cert_issuer_name and value = %{cert_issuer_name} |
| CertSerialNumber | Data/CertSerialNumber | security_result.detection_fields.labels.key = cert_serial_number and value = %{cert_serial_number} |
| CertThumbprint | Data/CertThumbprint | security_result.detection_fields.labels.key = cert_thumbprint and value = %{cert_thumbprint} |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| ServiceName | Data/ServiceName | target.application |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetSid | Data/TargetSid | target.user.windows_sid |
Event ID 4769
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_UNCATEGORIZED; if the LogonType field is missing, then extensions.auth.mechanism = MECHANISM_UNSPECIFIED; if the fields required for the above metadata.event_type are not present, then metadata.event_type is set to STATUS_UPDATE |
| IpAddress | Data/IpAddress | principal.ip |
| IpPort | Data/IpPort | principal.port |
| ServiceSid | Data/ServiceSid | target.user.windows_sid |
| Status | Data/Status | security_result.description |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| ServiceName | Data/ServiceName | target.application |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TicketOptions | Data/TicketOptions | additional.fields.key and additional.fields.value.string_value |
| TicketEncryptionType | Data/TicketEncryptionType | additional.fields.key and additional.fields.value.string_value |
| LogonGuid | Data/LogonGuid | additional.fields.key and additional.fields.value.string_value |
| TransmittedServices | Data/TransmittedServices | additional.fields.key and additional.fields.value.string_value |
Event ID 4770
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_LOGIN |
| IpAddress | Data/IpAddress | principal.ip |
| IpPort | Data/IpPort | principal.port |
| TicketEncryptionType | Data/TicketEncryptionType | security_result.about.resource.name |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| ServiceName | Data/ServiceName | target.application |
| TargetUserName | Data/TargetUserName | target.user.userid |
Event ID 4771
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_LOGIN; security_result.action set to "BLOCK" |
| IpAddress | Data/IpAddress | principal.ip |
| IpPort | Data/IpPort | principal.port |
| Status | Data/Status | security_result.description |
| ServiceName | Data/ServiceName | target.application |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetSid | Data/TargetSid | target.user.windows_sid |
Event ID 4772
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_RESOURCE_ACCESS; security_result.action set to "BLOCK" |
| IpAddress | Data/IpAddress | principal.ip |
| IpPort | Data/IpPort | principal.port |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| ServiceName | Data/ServiceName | target.application |
| TargetUserName | Data/TargetUserName | target.user.userid |
Event ID 4773
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_RESOURCE_ACCESS; security_result.action set to "BLOCK" |
| IpAddress | Data/IpAddress | principal.ip |
| IpPort | Data/IpPort | principal.port |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| ServiceName | Data/ServiceName | target.application |
| TargetUserName | Data/TargetUserName | target.user.userid |
Event ID 4774
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| ClientUserName | Data/ClientUserName | principal.user.userid |
| MappingBy | Data/MappingBy | about.labels.key/value additional.fields.key additional.fields.value.string_value |
| MappedName | Data/MappedName | about.labels.key/value additional.fields.key additional.fields.value.string_value |
Event ID 4775
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| ClientUserName | Data/ClientUserName | principal.user.userid |
| MappingBy | Data/MappingBy | about.labels.key/value additional.fields.key additional.fields.value.string_value |
Event ID 4776
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_LOGIN; security_result.action = BLOCK |
| Workstation | Data/Workstation | principal.asset.hostname principal.asset_id |
| Status | Data/Status | security_result.description (Format: Status - Description) |
| TargetUserName | Data/TargetUserName | target.user.userid |
| Version | | about.labels.key/value additional.fields.key additional.fields.value.string_value |
| Level | | about.labels.key/value additional.fields.key additional.fields.value.string_value |
| Task | | about.labels.key/value additional.fields.key additional.fields.value.string_value |
| Opcode | | about.labels.key/value additional.fields.key additional.fields.value.string_value |
| Keywords | | about.labels.key/value additional.fields.key additional.fields.value.string_value |
| ThreadID | Data/ThreadID | about.labels.key/value additional.fields.key additional.fields.value.string_value |
| PackageName | Data/PackageName | security_result.about.resource.name |
Event ID 4777
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_LOGIN; security_result.category = "AUTH_VIOLATION" |
| Status | Data/Status | security_result.summary |
| Workstation | Data/Workstation | principal.asset.hostname principal.asset_id |
| TargetUserName | Data/TargetUserName | target.user.userid |
Event ID 4778
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED; security_result.action set to "ALLOW" |
| SessionName | Data/SessionName | network.session_id |
| AccountDomain | Data/AccountDomain | principal.administrative_domain |
| AccountName | Data/AccountName | principal.user.userid |
| ClientName | Data/ClientName | principal.hostname principal.asset.hostname |
| ClientAddress | Data/ClientAddress | principal.ip |
| Hostname | Computer | target.hostname |
Event ID 4779
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| SessionName | Data/SessionName | network.session_id |
| AccountDomain | Data/AccountDomain | principal.administrative_domain |
| AccountName | Data/AccountName | principal.user.userid |
| ClientName | Data/ClientName | principal.asset.hostname |
| ClientAddress | Data/ClientAddress | target.ip |
Event ID 4780
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_CHANGE_PERMISSIONS |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetSid | Data/TargetSid | target.user.windows_sid |
Event ID 4781
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_UNCATEGORIZED |
| OldTargetUserName | Data/OldTargetUserName | target.labels.key/value additional.fields.key additional.fields.value.string_value |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectLogonId | Data/SubjectLogonId | principal.labels.key/value additional.fields.key additional.fields.value.string_value |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| NewTargetUserName | Data/NewTargetUserName | target.user.userid |
| TargetSid | Data/TargetSid | target.user.windows_sid |
Event ID 4782
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_RESOURCE_ACCESS |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.user.userid |
Event ID 4783
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_CREATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| PrivilegeList | Data/PrivilegeList | target.group.attribute.permissions.name |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
Event ID 4784
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| PrivilegeList | Data/PrivilegeList | target.group.attribute.permissions.name |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
Event ID 4785
version 0 / Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| PrivilegeList | Data/PrivilegeList | target.group.attribute.permissions.name |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| MemberName | Data/MemberName | target.user.user_display_name |
| MemberSid | Data/MemberSid | target.user.windows_sid |
Event ID 4786
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| PrivilegeList | Data/PrivilegeList | target.group.attribute.permissions.name |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| MemberName | Data/MemberName | target.user.user_display_name |
| MemberSid | Data/MemberSid | target.user.windows_sid |
Event ID 4787
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| PrivilegeList | Data/PrivilegeList | target.group.attribute.permissions.name |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| MemberName | Data/MemberName | target.user.user_display_name |
| MemberSid | Data/MemberSid | target.user.windows_sid |
Event ID 4788
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| PrivilegeList | Data/PrivilegeList | target.group.attribute.permissions.name |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
| MemberName | Data/MemberName | target.user.user_display_name |
| MemberSid | Data/MemberSid | target.user.windows_sid |
Event ID 4789
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_DELETION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| PrivilegeList | Data/PrivilegeList | target.group.attribute.permissions.name |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
Event ID 4790
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_CREATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| PrivilegeList | Data/PrivilegeList | target.group.attribute.permissions.name |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
Event ID 4791
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| PrivilegeList | Data/PrivilegeList | target.group.attribute.permissions.name |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
Event ID 4792
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_DELETION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| PrivilegeList | Data/PrivilegeList | target.group.attribute.permissions.name |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
Event ID 4793
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| Status | Data/Status | security_result.summary |
| Workstation | Data/Workstation | principal.asset.hostname principal.asset_id |
| TargetUserName | Data/TargetUserName | target.user.userid |
Event ID 4794
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type = SETTING; target.resource.name = "Directory Services Restore Mode administrator password" |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| Workstation | Data/Workstation | principal.asset.hostname principal.asset_id |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| Status | Data/Status | security_result.description (Format: Status - Description) |
Event ID 4797
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| Workstation | Data/Workstation | principal.asset.hostname principal.asset_id |
| TargetUserName | Data/TargetUserName | target.user.userid |
Event ID 4798
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_UNCATEGORIZED |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| CallerProcessName | Data/CallerProcessName | principal.process.file.full_path |
| CallerProcessId | Data/CallerProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetSid | Data/TargetSid | target.user.userid |
Event ID 4799
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = GROUP_UNCATEGORIZED |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| CallerProcessName | Data/CallerProcessName | principal.process.file.full_path |
| CallerProcessId | Data/CallerProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
Event ID 4800
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| TargetDomainName | Data/TargetDomainName | principal.administrative_domain |
| TargetUserName | Data/TargetUserName | principal.user.userid |
| TargetUserSid | Data/TargetUserSid | principal.user.windows_sid |
| TargetLogonId | Data/TargetLogonId | additional.fields.key additional.fields.value.string_value |
Event ID 4801
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| TargetDomainName | Data/TargetDomainName | principal.administrative_domain |
| TargetUserName | Data/TargetUserName | principal.user.userid |
| TargetUserSid | Data/TargetUserSid | principal.user.windows_sid |
| TargetLogonId | Data/TargetLogonId | additional.fields.key additional.fields.value.string_value |
Event ID 4816
version 0 / Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| PeerName | Data/PeerName | target.ip |
| ProtocolSequence | Data/ProtocolSequence | additional.fields.key additional.fields.value.string_value |
| SecurityError | Data/SecurityError | security_result.detection_fields.key/value |
Event ID 4817
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SETTING_MODIFICATION; target.resource.resource_type = "SETTING" |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| OldSd | Data/OldSd | target.resource.attribute.labels.key target.resource.attribute.labels.value |
| NewSd | Data/NewSd | target.resource.attribute.labels.key target.resource.attribute.labels.value |
| ObjectName | Data/ObjectName | target.resource.name |
Event ID 4818
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| ProcessName | Data/ProcessName | principal.process.file.full_path |
| ProcessId | Data/ProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| AccessReason | Data/AccessReason | security_result.description |
| ObjectName | Data/ObjectName | target.resource.name |
Event ID 4819
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SETTING_MODIFICATION; target.resource.resource_type = SETTING |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4820
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_LOGIN |
| DeviceName | Data/DeviceName | principal.hostname |
| IpAddress | Data/IpAddress | principal.ip |
| IpPort | Data/IpPort | principal.port |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| ServiceName | Data/ServiceName | target.application |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetSid | Data/TargetSid | target.user.windows_sid |
Event ID 4821
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_LOGIN; security_result.action set to "BLOCK" |
| DeviceName | Data/DeviceName | principal.hostname |
| IpAddress | Data/IpAddress | principal.ip |
| IpPort | Data/IpPort | principal.port |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| ServiceName | Data/ServiceName | target.application |
| TargetUserName | Data/TargetUserName | target.user.userid |
Event ID 4822
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_UNCATEGORIZED; security_result.category = AUTH_VIOLATION |
| DeviceName | Data/DeviceName | principal.hostname |
| AccountName | Data/AccountName | principal.user.userid |
Event ID 4823
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_UNCATEGORIZED; security_result.category = AUTH_VIOLATION |
| DeviceName | Data/DeviceName | principal.hostname |
| AccountName | Data/AccountName | principal.user.userid |
Event ID 4824
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_UNCATEGORIZED; security_result.category = AUTH_VIOLATION |
| IpAddress | Data/IpAddress | principal.ip |
| IpPort | Data/IpPort | principal.port |
| ServiceName | Data/ServiceName | target.application |
| TargetUserName | Data/TargetUserName | target.group.group_display_name |
| TargetSid | Data/TargetSid | target.group.windows_sid |
Event ID 4825
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_RESOURCE_ACCESS; security_result.action set to "BLOCK" |
| AccountDomain | Data/AccountDomain | principal.administrative_domain |
| ClientAddress | Data/ClientAddress | principal.ip |
| AccountName | Data/AccountName | principal.user.userid |
Event ID 4826
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4830
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetSid | Data/TargetSid | target.user.windows_sid |
Event ID 4864
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
Event ID 4865
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4866
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4867
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4868
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE; security_result.action = BLOCK |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4869
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4870
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| RevocationReason | Data/RevocationReason | security_result.description |
Event ID 4871
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4872
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| PublishURLs | Data/PublishURLs | target.file.full_path |
Event ID 4873
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4874
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4875
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4876
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4877
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4878
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
Event ID 4879
Provider: Microsoft-Windows-MSDTC Client 2
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_UNSPECIFIED |
| param1 | Data/param1 | security_result.summary (format: Error Code: %{value}) |
| SourceName | Not available | target.application |
| param2 | Data/param2 | target.hostname |
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
Event ID 4880
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
Event ID 4881
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
Event ID 4882
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = RESOURCE_PERMISSIONS_CHANGE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4883
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4884
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4885
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4886
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| RequestId | Data/RequestId | additional.fields.key, additional.fields.value.string_value |
| Requester | Data/Requester | additional.fields.key, additional.fields.value.string_value |
| Attributes | Data/Attributes | additional.fields.key, additional.fields.value.string_value |
Event ID 4887
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| RequestId | Data/RequestId | additional.fields.key, additional.fields.value.string_value |
| Requester | Data/Requester | additional.fields.key, additional.fields.value.string_value |
| Attributes | Data/Attributes | additional.fields.key, additional.fields.value.string_value |
| Disposition | Data/Disposition | additional.fields.key, additional.fields.value.string_value |
| SubjectKeyIdentifier | Data/SubjectKeyIdentifier | additional.fields.key, additional.fields.value.string_value |
| Subject | Data/Subject | additional.fields.key, additional.fields.value.string_value |
Event ID 4888
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE; security_result.action = BLOCK |
Event ID 4889
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
Event ID 4890
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4891
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4892
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SETTING_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| PropertyName | Data/PropertyName | target.resource.name |
Event ID 4893
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
Event ID 4894
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4895
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
Event ID 4896
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4897
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SETTING_MODIFICATION |
| RoleSeparationEnabled | Data/RoleSeparationEnabled | target.resource.name = "Role separation enabled: %{RoleSeparationEnabled}" |
Event ID 4898
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| TemplateInternalName | Data/TemplateInternalName | target.resource.name |
Event ID 4899
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| TemplateInternalName | Data/TemplateInternalName | target.resource.name |
Event ID 4900
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| TemplateInternalName | Data/TemplateInternalName | target.resource.name |
Event ID 4902
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SETTING_CREATION; target.resource.resource_type = SETTING |
| PuaPolicyId | Data/PuaPolicyId | target.resource.product_object_id |
Event ID 4904
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| ProcessName | Data/ProcessName | principal.process.file.full_path |
| ProcessId | Data/ProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4905
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| ProcessName | Data/ProcessName | principal.process.file.full_path |
| ProcessId | Data/ProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 4906
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
Event ID 4907
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = FILE_MODIFICATION (ObjectType = File, SymbolicLink); REGISTRY_MODIFICATION (ObjectType = Key); PROCESS_UNCATEGORIZED (ObjectType = Process); USER_RESOURCE_UPDATE_PERMISSIONS (ObjectType = all other) |
| ObjectName | Data/ObjectName | Depends on ObjectType: File, SymbolicLink → target.file.full_path; Key → target.registry.registry_key; Process → target.process.file.full_path; Event → target.resource.name |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| ProcessName | Data/ProcessName | target.process.command_line |
| ProcessId | Data/ProcessId | target.process.pid |
| NewSd | Data/NewSd | target.resource.attribute.labels.key = "NewSd"; value in target.resource.attribute.labels.value |
| OldSd | Data/OldSd | target.resource.attribute.labels.key = "OldSd"; value in target.resource.attribute.labels.value |
Event ID 4908
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SETTING_MODIFICATION |
Event ID 4909
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SETTING_MODIFICATION |
| OldBlockedOrdinals | Data/OldBlockedOrdinals | target.resource.attribute.labels.key, target.resource.attribute.labels.value |
| NewBlockedOrdinals | Data/NewBlockedOrdinals | target.resource.attribute.labels.key, target.resource.attribute.labels.value |
Event ID 4910
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SETTING_MODIFICATION |
| OldIgnoreDefaultSettings | Data/OldIgnoreDefaultSettings | target.resource.attribute.labels.key, target.resource.attribute.labels.value |
| NewIgnoreDefaultSettings | Data/NewIgnoreDefaultSettings | target.resource.attribute.labels.key, target.resource.attribute.labels.value |
| OldIgnoreLocalSettings | Data/OldIgnoreLocalSettings | target.resource.attribute.labels.key, target.resource.attribute.labels.value |
| NewIgnoreLocalSettings | Data/NewIgnoreLocalSettings | target.resource.attribute.labels.key, target.resource.attribute.labels.value |
| OldBlockedOrdinals | Data/OldBlockedOrdinals | target.resource.attribute.labels.key, target.resource.attribute.labels.value |
| NewBlockedOrdinals | Data/NewBlockedOrdinals | target.resource.attribute.labels.key, target.resource.attribute.labels.value |
Event ID 4911
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SETTING_MODIFICATION |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| ProcessName | Data/ProcessName | principal.process.file.full_path |
| ProcessId | Data/ProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| ObjectName | Data/ObjectName | target.resource.name |
Event ID 4912
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetUserSid | Data/TargetUserSid | target.user.windows_sid |
Event ID 4913
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| ProcessName | Data/ProcessName | principal.process.file.full_path |
| ProcessId | Data/ProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| ObjectName | Data/ObjectName | target.resource.name |
Event ID 4928
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| SourceAddr | Data/SourceAddr | target.ip, or target.hostname if the SourceAddr value is not an IP address |
| StatusCode | Data/StatusCode | security_result.summary is set to StatusCode: %{StatusCode} |
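The ObjectType-dependent rule for Event ID 4907 above and the SourceAddr rule for Event IDs 4928 to 4931, re-implemented here as an added Python example for checking what a normalized event should look like. This is not the Google SecOps parser's own code; the function names, the flat dotted-field representation, the list form used for labels, and the sample events are assumptions constructed for illustration.

```python
"""Stand-alone re-implementation of two conditional WINEVTLOG mapping rules,
useful for sanity-checking parser output against the documented mapping.
Not Google SecOps code; sample values below are constructed."""
import ipaddress

# Event ID 4907: metadata.event_type depends on ObjectType; every ObjectType not
# listed here falls back to USER_RESOURCE_UPDATE_PERMISSIONS ("all other").
EVENT_TYPE_BY_OBJECT_TYPE = {
    "File": "FILE_MODIFICATION",
    "SymbolicLink": "FILE_MODIFICATION",
    "Key": "REGISTRY_MODIFICATION",
    "Process": "PROCESS_UNCATEGORIZED",
}
DEFAULT_4907_EVENT_TYPE = "USER_RESOURCE_UPDATE_PERMISSIONS"

# Event ID 4907: the UDM destination of ObjectName also depends on ObjectType.
# Assumption: an ObjectType the page does not list leaves ObjectName unmapped.
OBJECT_NAME_FIELD_BY_OBJECT_TYPE = {
    "File": "target.file.full_path",
    "SymbolicLink": "target.file.full_path",
    "Key": "target.registry.registry_key",
    "Process": "target.process.file.full_path",
    "Event": "target.resource.name",
}

# Unconditional 4907 mappings, copied from the table.
SIMPLE_4907_FIELDS = {
    "SubjectDomainName": "principal.administrative_domain",
    "SubjectUserName": "principal.user.userid",
    "SubjectUserSid": "principal.user.windows_sid",
    "ProcessName": "target.process.command_line",
    "ProcessId": "target.process.pid",
}


def map_event_4907(data):
    """Map the Data/* fields of a 4907 event to a flat dict of UDM fields.

    OldSd and NewSd (the security descriptors before and after the change)
    become entries of target.resource.attribute.labels keyed by field name.
    """
    object_type = data.get("ObjectType", "")
    udm = {
        "metadata.event_type": EVENT_TYPE_BY_OBJECT_TYPE.get(
            object_type, DEFAULT_4907_EVENT_TYPE
        )
    }
    name_field = OBJECT_NAME_FIELD_BY_OBJECT_TYPE.get(object_type)
    if name_field is not None and "ObjectName" in data:
        udm[name_field] = data["ObjectName"]
    for src, dst in SIMPLE_4907_FIELDS.items():
        if src in data:
            udm[dst] = data[src]
    labels = [{"key": sd, "value": data[sd]} for sd in ("OldSd", "NewSd") if sd in data]
    if labels:
        udm["target.resource.attribute.labels"] = labels
    return udm


def map_source_addr_event(data):
    """Event IDs 4928 to 4931: SourceAddr lands in target.ip only when it parses
    as an IPv4 or IPv6 address, otherwise in target.hostname; StatusCode is
    rendered into security_result.summary."""
    udm = {"metadata.event_type": "STATUS_UPDATE"}
    addr = data.get("SourceAddr")
    if addr:
        try:
            ipaddress.ip_address(addr)  # raises ValueError for a hostname
            udm["target.ip"] = addr
        except ValueError:
            udm["target.hostname"] = addr
    if "StatusCode" in data:
        udm["security_result.summary"] = f"StatusCode: {data['StatusCode']}"
    return udm


if __name__ == "__main__":
    # Constructed sample: an audit (SACL) change on a registry key.
    sacl_change = {
        "ObjectType": "Key",
        "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Example",
        "SubjectDomainName": "CORP",
        "SubjectUserName": "admin01",
        "SubjectUserSid": "S-1-5-21-1111-2222-3333-1001",
        "ProcessName": r"C:\Windows\regedit.exe",
        "ProcessId": "0x1a4",
        "OldSd": "S:AI",
        "NewSd": "S:AI(AU;SA;KA;;;WD)",
    }
    print(map_event_4907(sacl_change))
    # Constructed sample with a hostname-form SourceAddr.
    print(map_source_addr_event({"SourceAddr": "dc02.corp.example", "StatusCode": "0"}))
```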
Event ID 4929
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| SourceAddr | Data/SourceAddr | target.ip, or target.hostname if the SourceAddr value is not an IP address |
| StatusCode | Data/StatusCode | security_result.summary is set to StatusCode: %{StatusCode} |
Event ID 4930
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| SourceAddr | Data/SourceAddr | target.ip, or target.hostname if the SourceAddr value is not an IP address |
| StatusCode | Data/StatusCode | security_result.summary is set to StatusCode: %{StatusCode} |
Event ID 4931
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| SourceAddr | Data/SourceAddr | target.ip, or target.hostname if the SourceAddr value is not an IP address |
| StatusCode | Data/StatusCode | security_result.summary is set to StatusCode: %{StatusCode} |
Event ID 4932
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
Event ID 4933
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| StatusCode | Data/StatusCode | security_result.summary is set to StatusCode: %{StatusCode} |
Event ID 4934
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
Event ID 4935
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
Event ID 4936
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
Event ID 4937
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| StatusCode | Data/StatusCode | security_result.summary is set to StatusCode: %{StatusCode} |
Event ID 4944
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
Event ID 4945
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE; target.resource.resource_type = "FIREWALL_RULE" |
| RuleId | Data/RuleId | target.resource.product_object_id |
| RuleName | Data/RuleName | target.resource.name |
Event ID 4946
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SETTING_MODIFICATION; target.resource.resource_type = SETTING |
| RuleName | Data/RuleName | target.resource.name |
| RuleId | Data/RuleId | target.resource.product_object_id |
Event ID 4947
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SETTING_MODIFICATION; target.resource.resource_type = SETTING |
| RuleId | Data/RuleId | target.resource.product_object_id |
| RuleName | Data/RuleName | target.resource.name |
Event ID 4948
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SETTING_DELETION; target.resource.resource_type = SETTING |
| RuleId | Data/RuleId | target.resource.product_object_id |
| RuleName | Data/RuleName | target.resource.name |
Event ID 4949
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
Event ID 4950
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SETTING_MODIFICATION; target.resource.resource_type = SETTING |
| SettingType | Data/SettingType | target.resource.name |
Event ID 4951
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| RuleId | Data/RuleId | security_result.rule_id |
| RuleName | Data/RuleName | security_result.rule_name |
Event ID 4952
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| RuleId | Data/RuleId | security_result.rule_id |
| RuleName | Data/RuleName | security_result.rule_name |
Event ID 4953
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| ReasonForRejection | Data/ReasonForRejection | security_result.description |
| RuleId | Data/RuleId | security_result.rule_id |
| RuleName | Data/RuleName | security_result.rule_name |
Event ID 4954
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
Event ID 4956
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
Event ID 4957
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| RuleId | Data/RuleId | security_result.rule_id |
| RuleName | Data/RuleName | security_result.rule_name |
| RuleAttr | Data/RuleAttr | security_result.summary |
Event ID 4958
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Reason | Data/Reason | security_result.description |
| RuleId | Data/RuleId | security_result.rule_id |
| RuleName | Data/RuleName | security_result.rule_name |
Event ID 4960
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| RemoteAddress | Data/RemoteAddress | target.ip |
Event ID 4961
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| RemoteAddress | Data/RemoteAddress | target.ip |
Event ID 4962
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| RemoteAddress | Data/RemoteAddress | target.ip |
Event ID 4963
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| RemoteAddress | Data/RemoteAddress | target.ip |
Event ID 4964
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = USER_LOGIN |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| TargetDomainName | Data/TargetDomainName | target.administrative_domain |
| TargetUserName | Data/TargetUserName | target.user.userid |
| TargetUserSid | Data/TargetUserSid | target.user.windows_sid |
| TargetLogonId | Data/TargetLogonId | additional.fields.key, additional.fields.value.string_value |
Event ID 4965
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| RemoteAddress | Data/RemoteAddress | target.ip |
Event ID 4976
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| LocalAddress | Data/LocalAddress | principal.ip |
| RemoteAddress | Data/RemoteAddress | target.ip |
Event ID 4977
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| LocalAddress | Data/LocalAddress | principal.ip |
| RemoteAddress | Data/RemoteAddress | target.ip |
Event ID 4978
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| LocalAddress | Data/LocalAddress | principal.ip |
| RemoteAddress | Data/RemoteAddress | target.ip |
Event ID 4979
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = NETWORK_UNCATEGORIZED |
| LocalMMPrincipalName | Data/LocalMMPrincipalName | principal.hostname |
| LocalAddress | Data/LocalAddress | principal.ip |
| LocalKeyModPort | Data/LocalKeyModPort | principal.port |
| RemoteMMPrincipalName | Data/RemoteMMPrincipalName | target.hostname |
| RemoteAddress | Data/RemoteAddress | target.ip |
| RemoteKeyModPort | Data/RemoteKeyModPort | target.port |
Event ID 4980
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = NETWORK_UNCATEGORIZED |
| LocalMMPrincipalName | Data/LocalMMPrincipalName | principal.hostname |
| LocalAddress | Data/LocalAddress | principal.ip |
| LocalKeyModPort | Data/LocalKeyModPort | principal.port |
| RemoteMMPrincipalName | Data/RemoteMMPrincipalName | target.hostname |
| RemoteAddress | Data/RemoteAddress | target.ip |
| RemoteKeyModPort | Data/RemoteKeyModPort | target.port |
Event ID 4981
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = NETWORK_UNCATEGORIZED |
| LocalMMPrincipalName | Data/LocalMMPrincipalName | principal.hostname |
| LocalAddress | Data/LocalAddress | principal.ip |
| LocalKeyModPort | Data/LocalKeyModPort | principal.port |
| RemoteMMPrincipalName | Data/RemoteMMPrincipalName | target.hostname |
| RemoteAddress | Data/RemoteAddress | target.ip |
| RemoteKeyModPort | Data/RemoteKeyModPort | target.port |
Event ID 4982
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = NETWORK_UNCATEGORIZED |
| LocalMMPrincipalName | Data/LocalMMPrincipalName | principal.hostname |
| LocalKeyModPort | Data/LocalKeyModPort | principal.port |
| RemoteMMPrincipalName | Data/RemoteMMPrincipalName | target.hostname |
| RemoteAddress | Data/RemoteAddress | target.ip |
| RemoteKeyModPort | Data/RemoteKeyModPort | target.port |
Event ID 4983
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = NETWORK_UNCATEGORIZED |
| LocalEMPrincipalName | Data/LocalEMPrincipalName | principal.hostname |
| LocalAddress | Data/LocalAddress | principal.ip |
| LocalKeyModPort | Data/LocalKeyModPort | principal.port |
| FailureReason | Data/FailureReason | security_result.description |
| RemoteEMPrincipalName | Data/RemoteEMPrincipalName | target.hostname |
| RemoteAddress | Data/RemoteAddress | target.ip |
| RemoteKeyModPort | Data/RemoteKeyModPort | target.port |
Event ID 4984
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = NETWORK_UNCATEGORIZED |
| LocalEMPrincipalName | Data/LocalEMPrincipalName | principal.hostname |
| LocalAddress | Data/LocalAddress | principal.ip |
| LocalKeyModPort | Data/LocalKeyModPort | principal.port |
| FailureReason | Data/FailureReason | security_result.description |
| RemoteEMPrincipalName | Data/RemoteEMPrincipalName | target.hostname |
| RemoteAddress | Data/RemoteAddress | target.ip |
| RemoteKeyModPort | Data/RemoteKeyModPort | target.port |
Event ID 4985
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| ProcessName | Data/ProcessName | principal.process.file.full_path |
| ProcessId | Data/ProcessId | principal.process.pid |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
Event ID 5002
Provider: Netwtw10
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED; Message set to security_result.summary |
Event ID 5005
Provider: Netwtw10
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED; Message set to security_result.summary |
Event ID 5007
Provider: Microsoft Antimalware
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
Event ID 5009
Provider: Microsoft-Windows-WAS
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| AppPoolID | | target.resource.name |
Event ID 5016
Provider: Microsoft-Windows-GroupPolicy
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| ErrorCode | Data/ErrorCode | security_result.summary (format: ErrorCode - %{value}) |
| CSEExtensionName | Data/CSEExtensionName | target.resource.name |
| CSEExtensionId | Data/CSEExtensionId | target.resource.product_object_id |
Event ID 5017
Provider: Microsoft-Windows-GroupPolicy
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.description |
| AccountName | System/AccountName | principal.user.attribute.roles.name |
| UserID | System/UserID | principal.user.windows_sid |
| OperationDescription | Data/OperationDescription | security_result.description |
| ErrorCode | Data/ErrorCode | security_result.summary (format: ErrorCode - %{value}) |
| OperationElapsedTimeInMilliSeconds | Data/OperationElapsedTimeInMilliSeconds | target.resource.attribute.labels.key, target.resource.attribute.labels.value |
Event ID 5024
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
Event ID 5025
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
Event ID 5027
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| ErrorCode | Data/ErrorCode | security_result.description |
Event ID 5028
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| ErrorCode | Data/ErrorCode | security_result.description |
Event ID 5029
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| ErrorCode | Data/ErrorCode | security_result.description |
Event ID 5030
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| ErrorCode | Data/ErrorCode | security_result.description |
Event ID 5031
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| | | metadata.event_type = STATUS_UPDATE and security_result.action = BLOCK |
| Application | Data/Application | target.application |
Event ID 5032
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE and security_result.action = BLOCK |
| ErrorCode | Data/ErrorCode | security_result.description |
Event ID 5033
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
Event ID 5034
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
Event ID 5035
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
Event ID 5037
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
Event ID 5038
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = FILE_UNCATEGORIZED |
| param1 | Data/param1 | target.file.full_path |
Event ID 5039
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = REGISTRY_UNCATEGORIZED |
| SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain |
| ProcessName | Data/ProcessName | principal.process.command_line |
| ProcessId | Data/ProcessId | principal.process.pid |
| ObjectPath | Data/ObjectPath | principal.registry.registry_key |
| SubjectUserName | Data/SubjectUserName | principal.user.userid |
| SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid |
| ObjectVirtualPath | Data/ObjectVirtualPath | target.registry.registry_key |
Event ID 5040
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SETTING_MODIFICATION |
| AuthenticationSetName | Data/AuthenticationSetName | target.resource.name |
| AuthenticationSetId | Data/AuthenticationSetId | target.resource.product_object_id |
Event ID 5041
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SETTING_MODIFICATION |
| AuthenticationSetName | Data/AuthenticationSetName | target.resource.name |
| AuthenticationSetId | Data/AuthenticationSetId | target.resource.product_object_id |
Event ID 5042
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SETTING_MODIFICATION; target.resource.resource_type = SETTING |
| AuthenticationSetName | Data/AuthenticationSetName | target.resource.name |
| AuthenticationSetId | Data/AuthenticationSetId | target.resource.product_object_id |
Event ID 5043
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SETTING_MODIFICATION |
| ConnectionSecurityRuleId | Data/ConnectionSecurityRuleId | security_result.rule_id |
| ConnectionSecurityRuleName | Data/ConnectionSecurityRuleName | security_result.rule_name |
Event ID 5044
Provider: Microsoft-Windows-Security-Auditing
| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SETTING_MODIFICATION |
| ConnectionSecurityRuleId | Data/ConnectionSecurityRuleId | security_result.rule_id |
| ConnectionSecurityRuleName | Data/ConnectionSecurityRuleName | security_result.rule_name |
Event ID 5045
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SETTING_MODIFICATION
target.resource.resource_type = SETTING |
AuthenticationSetName |
Data/AuthenticationSetName |
target.resource.name |
AuthenticationSetId |
Data/AuthenticationSetId |
target.resource.product_object_id |
Event ID 5046
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SETTING_MODIFICATION |
CryptographicSetName |
Data/CryptographicSetName |
target.resource.name |
CryptographicSetId |
Data/CryptographicSetId |
target.resource.product_object_id |
Event ID 5047
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SETTING_MODIFICATION
CryptographicSetName | Data/CryptographicSetName | target.resource.name
CryptographicSetId | Data/CryptographicSetId | target.resource.product_object_id
Event ID 5048
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SETTING_MODIFICATION; target.resource.resource_type = SETTING
CryptographicSetName | Data/CryptographicSetName | target.resource.name
CryptographicSetId | Data/CryptographicSetId | target.resource.product_object_id
Event ID 5049
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SETTING_DELETION
IpSecSecurityAssociationName | Data/IpSecSecurityAssociationName | target.resource.name
IpSecSecurityAssociationId | Data/IpSecSecurityAssociationId | target.resource.product_object_id
Event ID 5050
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SERVICE_STOP; target.application = "Windows Firewall"
CallerProcessName | Data/CallerProcessName | principal.process.command_line
ProcessId | Data/ProcessId | principal.process.pid
Event ID 5051
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = FILE_UNCATEGORIZED
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
FileName | Data/FileName | principal.file.full_path
ProcessName | Data/ProcessName | principal.process.file.full_path
ProcessId | Data/ProcessId | principal.process.pid
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
VirtualFileName | Data/VirtualFileName | target.file.full_path
Event ID 5056
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SYSTEM_AUDIT_UNCATEGORIZED
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
Module | Data/Module | target.resource.name
Event ID 5057
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SYSTEM_AUDIT_UNCATEGORIZED
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
Reason | Data/Reason | security_result.description
Event ID 5058
version 0 / Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = FILE_UNCATEGORIZED
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
KeyUserPath | Data/KeyFilePath | target.file.full_path and security_result.about.file.full_path
KeyName | Data/KeyName | target.resource.name
version 1
NXLog field | Event Viewer field | UDM field
ClientProcessId | Data/ClientProcessId | principal.process.pid
Event ID 5059
version 0 / Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = USER_RESOURCE_ACCESS
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
ReturnCode | Data/ReturnCode | security_result.summary (Format: Error Code - %{value})
KeyName | Data/KeyName | target.resource.name
version 1
NXLog field | Event Viewer field | UDM field
ClientProcessId | Data/ClientProcessId | target.process.pid
Event ID 5060
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SYSTEM_AUDIT_UNCATEGORIZED
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
Reason | Data/Reason | security_result.description
Event ID 5061
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = USER_RESOURCE_ACCESS
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
Operation | Data/Operation | security_result.description
ReturnCode | Data/ReturnCode | security_result.summary (Format: Return Code - %{value})
KeyName | Data/KeyName | target.resource.name
Event ID 5062
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5063
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
ModuleName | Data/ModuleName | target.resource.name
Event ID 5064
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
Event ID 5065
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
Event ID 5066
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
Event ID 5067
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
Event ID 5068
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
Event ID 5069
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
Event ID 5070
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
Event ID 5071
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED; security_result.action = BLOCK
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
Event ID 5074
Provider: Microsoft-Windows-WAS
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UNCATEGORIZED; target_process_pid set to target.process.pid
AppPoolID | | target.resource.name
Event ID 5077
Provider: Microsoft-Windows-WAS
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UNCATEGORIZED; target_process_pid set to target.process.pid
AppPoolID | | target.resource.name
Event ID 5116
Provider: Microsoft-Windows-GroupPolicy
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain | System/Domain | principal.administrative_domain
AccountType | System/AccountType | principal.user.attribute.roles.description
AccountName | System/AccountName | principal.user.attribute.roles.name
UserID | System/UserID | principal.user.windows_sid
Event ID 5117
Provider: Microsoft-Windows-GroupPolicy
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain | System/Domain | principal.administrative_domain
AccountType | System/AccountType | principal.user.attribute.roles.description
AccountName | System/AccountName | principal.user.attribute.roles.name
UserID | System/UserID | principal.user.windows_sid
Event ID 5120
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5121
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5122
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SETTING_MODIFICATION
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
Event ID 5123
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SETTING_MODIFICATION
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
PropertyName | Data/PropertyName | target.resource.name
Event ID 5124
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SETTING_MODIFICATION
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
Event ID 5125
version 0 / Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SERVICE_UNSPECIFIED
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
Event ID 5126
Provider: Microsoft-Windows-GroupPolicy
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Domain | System/Domain | principal.administrative_domain
AccountType | System/AccountType | principal.user.attribute.roles.description
AccountName | System/AccountName | principal.user.attribute.roles.name
UserID | System/UserID | principal.user.windows_sid
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SERVICE_UNSPECIFIED
Event ID 5127
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SERVICE_UNSPECIFIED
Event ID 5136
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = GROUP_MODIFICATION (ObjectClass="group"); metadata.event_type = USER_RESOURCE_UPDATE_CONTENT (other ObjectClass)
ObjectGUID | Data/ObjectGUID | Based on the type of object class: target.group.product_object_id (ObjectClass="group"); target.resource.product_object_id (other ObjectClass)
AttributeValue | Data/AttributeValue | If AttributeLDAPDisplayName is "member", then attribute_value is set to target.user.user_display_name; otherwise attribute_value is set to target.resource.name
ObjectDN | Data/ObjectDN | If ObjectClass is "group", then object_name is set to target.group.group_display_name
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
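Applying the Event ID 5136 mapping above to a raw event, as an added example that is not part of this page or of the Google Security Operations parser: the script parses the standard Windows event XML schema with the Python standard library and emits flat UDM field paths, switching on ObjectClass and AttributeLDAPDisplayName exactly as the table describes. The sample events, SID, GUID and distinguished names are constructed for the example.

```python
# Added example, not Google SecOps parser code: apply the Event ID 5136 mapping
# (directory service object modified) to a raw Windows event. Sample events,
# SIDs, GUIDs and DNs below are constructed for this example.
import xml.etree.ElementTree as ET

WIN_EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subject* fields map to principal.* the same way for every ObjectClass.
SUBJECT_TO_PRINCIPAL = {
    "SubjectDomainName": "principal.administrative_domain",
    "SubjectUserName": "principal.user.userid",
    "SubjectUserSid": "principal.user.windows_sid",
}


def parse_windows_event(xml_text: str):
    """Return (provider, event_id, event_data) from a Windows event XML string."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", WIN_EVENT_NS)
    provider = system.find("e:Provider", WIN_EVENT_NS).get("Name")
    event_id = int(system.find("e:EventID", WIN_EVENT_NS).text)
    event_data = {
        d.get("Name"): (d.text or "")
        for d in root.find("e:EventData", WIN_EVENT_NS).findall("e:Data", WIN_EVENT_NS)
    }
    return provider, event_id, event_data


def map_event_5136(event_data: dict) -> dict:
    """Map 5136 EventData to flat UDM field paths following the mapping table."""
    udm = {}
    is_group = event_data.get("ObjectClass") == "group"
    udm["metadata.event_type"] = (
        "GROUP_MODIFICATION" if is_group else "USER_RESOURCE_UPDATE_CONTENT"
    )
    for src, dst in SUBJECT_TO_PRINCIPAL.items():
        if src in event_data:
            udm[dst] = event_data[src]
    # ObjectGUID: group object id for groups, generic resource id otherwise.
    if "ObjectGUID" in event_data:
        key = "target.group.product_object_id" if is_group else "target.resource.product_object_id"
        udm[key] = event_data["ObjectGUID"]
    # AttributeValue: a "member" change names a user, any other attribute names a resource.
    if "AttributeValue" in event_data:
        if event_data.get("AttributeLDAPDisplayName") == "member":
            udm["target.user.user_display_name"] = event_data["AttributeValue"]
        else:
            udm["target.resource.name"] = event_data["AttributeValue"]
    # ObjectDN becomes the group display name only for group objects.
    if is_group and "ObjectDN" in event_data:
        udm["target.group.group_display_name"] = event_data["ObjectDN"]
    return udm


def normalize_5136(xml_text: str) -> dict:
    """Parse one raw event and refuse anything that is not a Security-Auditing 5136."""
    provider, event_id, event_data = parse_windows_event(xml_text)
    if provider != "Microsoft-Windows-Security-Auditing" or event_id != 5136:
        raise ValueError(f"not a Security-Auditing 5136 event: {provider} {event_id}")
    return map_event_5136(event_data)


def _sample(object_class, object_dn, attr_name, attr_value):
    """Build a constructed 5136 event; only the fields the mapping uses are included."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>5136</EventID>
    <Version>0</Version>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1000000000-2000000000-3000000000-1105</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="ObjectDN">{object_dn}</Data>
    <Data Name="ObjectGUID">{{11111111-2222-3333-4444-555555555555}}</Data>
    <Data Name="ObjectClass">{object_class}</Data>
    <Data Name="AttributeLDAPDisplayName">{attr_name}</Data>
    <Data Name="AttributeValue">{attr_value}</Data>
  </EventData>
</Event>"""


# Constructed samples: a member added to a group, and a user's description edited.
GROUP_MEMBER_EVENT = _sample("group", "CN=Domain Admins,CN=Users,DC=example,DC=com",
                             "member", "CN=Jane Doe,CN=Users,DC=example,DC=com")
USER_DESCRIPTION_EVENT = _sample("user", "CN=Jane Doe,CN=Users,DC=example,DC=com",
                                 "description", "Tier 0 administrator")

if __name__ == "__main__":
    for name, raw in (("group", GROUP_MEMBER_EVENT), ("user", USER_DESCRIPTION_EVENT)):
        print(name)
        for field, value in sorted(normalize_5136(raw).items()):
            print(f"  {field} = {value}")
```

The group sample lands in target.group.* with the member's DN in target.user.user_display_name, while the user sample gets only target.resource.*; diffing the two outputs is a quick way to check a detection rule keys on the right UDM path for each ObjectClass.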
Event ID 5137
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SETTING_CREATION
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectLogonId | Data/SubjectLogonId | principal.labels.key/value; additional.fields.key and additional.fields.value.string_value
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
ObjectGUID | Data/ObjectGUID | target.resource.product_object_id
DSName | Data/DSName | target.administrative_domain
DSType | Data/DSType | target.application
Event ID 5138
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SETTING_CREATION
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
ObjectGUID | Data/ObjectGUID | target.resource.product_object_id
Event ID 5139
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SETTING_MODIFICATION
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
ObjectGUID | Data/ObjectGUID | target.resource.product_object_id
OldObjectDN | Data/OldObjectDN | target.labels.key/value; additional.fields.key and additional.fields.value.string_value
NewObjectDN | Data/NewObjectDN | additional.fields.key and additional.fields.value.string_value. If ObjectClass = "computer", object_name is set to target.hostname. If ObjectClass = "user", object_name is set to target.user.user_display_name. If ObjectClass = "group", object_name is set to target.group.group_display_name.
ObjectClass | Data/ObjectClass | additional.fields.key and additional.fields.value.string_value
Provider: Microsoft-Windows-WAS
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UNCATEGORIZED; target_process_pid set to target.process.pid
ProtocolID | | network.application_protocol
AppPoolID | | target.resource.name
Event ID 5140
version 0 / Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = USER_RESOURCE_ACCESS
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
IpAddress | Data/IpAddress | principal.ip
IpPort | Data/IpPort | principal.port
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
ShareName | Data/ShareName | target.resource.name
version 1
NXLog field | Event Viewer field | UDM field
ShareLocalPath | Data/ShareLocalPath | target.file.full_path
AccessList | Data/AccessList | target.resource.attribute.permissions.name
Event ID 5141
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = USER_RESOURCE_DELETION
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
SubjectLogonId | Data/SubjectLogonId | principal.labels.key/value; additional.fields.key and additional.fields.value.string_value
ObjectGUID | Data/ObjectGUID | target.resource.product_object_id
ObjectClass | Data/ObjectClass | target.labels.key/value; additional.fields.key and additional.fields.value.string_value
ObjectDN | Data/ObjectDN | If ObjectClass = "group", then object_name is set to target.group.group_display_name. If ObjectClass = "computer", then object_name is set to target.hostname. If ObjectClass = "user", then object_name is set to target.user.user_display_name. Otherwise ObjectDN is set to target.labels.key/value and ObjectClass is set to target.labels.key/value; ObjectDN is set to additional.fields.key and additional.fields.value.string_value, and ObjectClass is set to additional.fields.key and additional.fields.value.string_value.
DSName | Data/DSName | target.administrative_domain
DSType | Data/DSType | target.application
Event ID 5142
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = USER_RESOURCE_CREATION
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
ShareName | Data/ShareName | target.resource.name
Event ID 5143
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = USER_RESOURCE_UPDATE_CONTENT
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
ShareLocalPath | Data/ShareLocalPath | target.file.full_path
ShareName | Data/ShareName | target.resource.name
Event ID 5144
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = USER_RESOURCE_DELETION
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
ShareLocalPath | Data/ShareLocalPath | target.file.full_path
ShareName | Data/ShareName | target.resource.name
Event ID 5145
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = USER_RESOURCE_ACCESS
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
IpAddress | Data/IpAddress | principal.ip
IpPort | Data/IpPort | principal.port
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
AccessReason | Data/AccessReason | security_result.description
ShareLocalPath | Data/ShareLocalPath | target.file.full_path
AccessList | Data/AccessList | target.resource.attribute.permissions.name
ShareName | Data/ShareName | target.resource.name
RelativeTargetName | Data/RelativeTargetName | target.file.names
Event ID 5146
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = NETWORK_UNCATEGORIZED; security_result.action = BLOCK
Direction | Data/Direction | network.direction
EtherType | Data/EtherType | network.ip_protocol
SourceAddress | Data/SourceAddress | principal.ip
SourcevSwitchPort | Data/SourcevSwitchPort | principal.port
DestAddress | Data/DestAddress | target.ip
DestinationvSwitchPort | Data/DestinationvSwitchPort | target.port
Event ID 5147
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = NETWORK_UNCATEGORIZED; security_result.action = BLOCK
Direction | Data/Direction | network.direction
EtherType | Data/EtherType | network.ip_protocol
SourceAddress | Data/SourceAddress | principal.ip
DestAddress | Data/DestAddress | target.ip
Event ID 5148
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE; security_result.category = NETWORK_DENIAL_OF_SERVICE; security_result.action = BLOCK
Event ID 5149
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE; security_result.action = ALLOW
Event ID 5150
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = NETWORK_UNCATEGORIZED; security_result.action = BLOCK
Direction | Data/Direction | network.direction
EtherType | Data/EtherType | network.ip_protocol
SourceAddress | Data/SourceAddress | principal.ip
DestAddress | Data/DestAddress | target.ip
Event ID 5151
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = NETWORK_UNCATEGORIZED; security_result.action = BLOCK
Direction | Data/Direction | network.direction
EtherType | Data/EtherType | network.ip_protocol
SourceAddress | Data/SourceAddress | principal.ip
DestAddress | Data/DestAddress | target.ip
Event ID 5152
version 0 / Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = NETWORK_UNCATEGORIZED; security_result.action = BLOCK
Direction | Data/Direction | network.direction
Protocol | Data/Protocol | network.ip_protocol
Application | Data/Application | principal.application
SourceAddress | Data/SourceAddress | principal.ip
SourcePort | Data/SourcePort | principal.port
ProcessId | Data/ProcessId | principal.process.pid
FilterRTID | Data/FilterRTID | security_result.detection_fields.key/value
LayerName | Data/LayerName | security_result.detection_fields.key/value
LayerRTID | Data/LayerRTID | security_result.detection_fields.key/value
DestAddress | Data/DestAddress | target.ip
DestPort | Data/DestPort | target.port
version 1 / Windows 11 and Windows Server 2022
NXLog field | Event Viewer field | UDM field
FilterOrigin | Data/FilterOrigin | security_result.detection_fields.key/value
Event ID 5153
version 0 / Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = NETWORK_CONNECTION; security_result.action = BLOCK
Direction | Data/Direction | network.direction
Protocol | Data/Protocol | network.ip_protocol
SourceAddress | Data/SourceAddress | principal.ip
SourcePort | Data/SourcePort | principal.port
ProcessId | Data/ProcessId | principal.process.pid
Application | Data/Application | target.application
FilterRTID | Data/FilterRTID | security_result.detection_fields.key/value
LayerName | Data/LayerName | security_result.detection_fields.key/value
LayerRTID | Data/LayerRTID | security_result.detection_fields.key/value
DestAddress | Data/DestAddress | target.ip
DestPort | Data/DestPort | target.port
version 1 / Windows 11 and Windows Server 2022
NXLog field | Event Viewer field | UDM field
FilterOrigin | Data/FilterOrigin | security_result.detection_fields.key/value
Event ID 5154
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE; security_result.action = ALLOW
Protocol | Data/Protocol | network.ip_protocol
Application | Data/Application | target.application
SourceAddress | Data/SourceAddress | target.ip
SourcePort | Data/SourcePort | target.port
ProcessId | Data/ProcessId | target.process.pid
Event ID 5155
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE; security_result.action = BLOCK
Protocol | Data/Protocol | network.ip_protocol
SourceAddress | Data/SourceAddress | principal.ip
SourcePort | Data/SourcePort | principal.port
ProcessId | Data/ProcessId | principal.process.pid
Application | Data/Application | target.application
Event ID 5156
version 0 / Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = NETWORK_CONNECTION; security_result.action = ALLOW
Direction | Data/Direction | network.direction
Protocol | Data/Protocol | network.ip_protocol
Application | Data/Application | principal.application
SourceAddress | Data/SourceAddress | principal.ip
SourcePort | Data/SourcePort | principal.port
ProcessId | Data/ProcessId | principal.process.pid
FilterRTID | Data/FilterRTID | security_result.detection_fields.key/value
LayerName | Data/LayerName | security_result.detection_fields.key/value
LayerRTID | Data/LayerRTID | security_result.detection_fields.key/value
DestAddress | Data/DestAddress | target.ip
DestPort | Data/DestPort | target.port
version 1
NXLog field | Event Viewer field | UDM field
RemoteUserID | Data/RemoteUserID | target.user.userid
RemoteMachineID | Data/RemoteMachineID | target.user.windows_sid
Event ID 5157
version 0 / Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = NETWORK_CONNECTION; security_result.action = BLOCK
Direction | Data/Direction | network.direction
Protocol | Data/Protocol | network.ip_protocol
Application | Data/Application | principal.application
SourceAddress | Data/SourceAddress | principal.ip
SourcePort | Data/SourcePort | principal.port
ProcessId | Data/ProcessId | principal.process.pid
DestAddress | Data/DestAddress | target.ip
DestPort | Data/DestPort | target.port
FilterRTID | Data/FilterRTID | security_result.detection_fields.key/value
LayerName | Data/LayerName | security_result.detection_fields.key/value
LayerRTID | Data/LayerRTID | security_result.detection_fields.key/value
version 1
NXLog field | Event Viewer field | UDM field
FilterOrigin | Data/FilterOrigin | security_result.detection_fields.key/value
RemoteUserID | Data/RemoteUserID | target.user.userid
RemoteMachineID | Data/RemoteMachineID | target.user.windows_sid
Event ID 5158
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE; security_result.action = ALLOW
Protocol | Data/Protocol | network.ip_protocol
Application | Data/Application | target.application
SourceAddress | Data/SourceAddress | target.ip
SourcePort | Data/SourcePort | target.port
ProcessId | Data/ProcessId | target.process.pid
Event ID 5159
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE; security_result.action = BLOCK
Protocol | Data/Protocol | network.ip_protocol
Application | Data/Application | target.application
SourceAddress | Data/SourceAddress | target.ip
SourcePort | Data/SourcePort | target.port
ProcessId | Data/ProcessId | target.process.pid
Event ID 5168
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
IpAddresses | Data/IpAddresses | target.ip
Event ID 5169
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SERVICE_MODIFICATION
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
DSName | Data/DSName | target.application
ObjectGUID | Data/ObjectGUID | target.resource.product_object_id
Event ID 5170
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SERVICE_MODIFICATION
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
DSName | Data/DSName | target.application
ObjectGUID | Data/ObjectGUID | target.resource.product_object_id
Event ID 5186
Provider: Microsoft-Windows-WAS
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UNCATEGORIZED
Event ID 5257
Provider: Microsoft-Windows-GroupPolicy
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain | System/Domain | principal.administrative_domain
AccountType | System/AccountType | principal.user.attribute.roles.description
AccountName | System/AccountName | principal.user.attribute.roles.name
UserID | System/UserID | principal.user.windows_sid
Event ID 5308
Provider: Microsoft-Windows-GroupPolicy
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain | System/Domain | principal.administrative_domain
AccountType | System/AccountType | principal.user.attribute.roles.description
AccountName | System/AccountName | principal.user.attribute.roles.name
UserID | System/UserID | principal.user.windows_sid
DCName | Data/DCName | target.administrative_domain
DCIPAddress | Data/DCIPAddress | target.ip
Event ID 5309
Provider: Microsoft-Windows-GroupPolicy
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Domain |
System/Domain |
principal.administrative_domain |
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
UserID |
System/UserID |
principal.user.windows_sid |
MachineRole |
Data/MachineRole |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
Event ID 5310
Provider: Microsoft-Windows-GroupPolicy
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Domain |
System/Domain |
principal.administrative_domain |
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
PrincipalCNName |
Data/PrincipalCNName |
principal.user.userid |
UserID |
System/UserID |
principal.user.windows_sid |
DCDomainName |
Data/DCDomainName |
target.administrative_domain |
DCName |
Data/DCName |
target.hostname |
Event ID 5311
Provider: Microsoft-Windows-GroupPolicy
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Domain |
System/Domain |
principal.administrative_domain |
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
UserID |
System/UserID |
principal.user.windows_sid |
PolicyProcessingMode |
Data/PolicyProcessingMode |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
Event ID 5312
Provider: Microsoft-Windows-GroupPolicy
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Domain | System/Domain | principal.administrative_domain
AccountType | System/AccountType | principal.user.attribute.roles.description
AccountName | System/AccountName | principal.user.attribute.roles.name
UserID | System/UserID | principal.user.windows_sid
DescriptionString | Data/DescriptionString | security_result.description
Event ID 5313
Provider: Microsoft-Windows-GroupPolicy
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Domain | System/Domain | principal.administrative_domain
AccountType | System/AccountType | principal.user.attribute.roles.description
AccountName | System/AccountName | principal.user.attribute.roles.name
UserID | System/UserID | principal.user.windows_sid
DescriptionString | Data/DescriptionString | security_result.description
GPOInfoList | Data/GPOInfoList | target.resource.name
Event ID 5314
Provider: Microsoft-Windows-GroupPolicy
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain | System/Domain | principal.administrative_domain
AccountType | System/AccountType | principal.user.attribute.roles.description
AccountName | System/AccountName | principal.user.attribute.roles.name
UserID | System/UserID | principal.user.windows_sid
LinkDescription | Data/LinkDescription | security_result.description
ErrorCode | Data/ErrorCode | security_result.summary (Format: ErrorCode - %{value})
PolicyApplicationMode | Data/PolicyApplicationMode | target.resource.attribute.labels.key / target.resource.attribute.labels.value
Event ID 5315
Provider: Microsoft-Windows-GroupPolicy
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain | System/Domain | principal.administrative_domain
AccountType | System/AccountType | principal.user.attribute.roles.description
AccountName | System/AccountName | principal.user.attribute.roles.name
UserID | System/UserID | principal.user.windows_sid
PrincipalSamName | Data/PrincipalSamName | target.hostname
Event ID 5320
Provider: Microsoft-Windows-GroupPolicy
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Domain | System/Domain | principal.administrative_domain
AccountType | System/AccountType | principal.user.attribute.roles.description
AccountName | System/AccountName | principal.user.attribute.roles.name
UserID | System/UserID | principal.user.windows_sid
InfoDescription | Data/InfoDescription | security_result.description
Event ID 5321
Provider: Microsoft-Windows-GroupPolicy
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain | System/Domain | principal.administrative_domain
AccountType | System/AccountType | principal.user.attribute.roles.description
AccountName | System/AccountName | principal.user.attribute.roles.name
UserID | System/UserID | principal.user.windows_sid
InfoDescription | Data/InfoDescription | security_result.description
OperationParameter1 | Data/OperationParameter1 | target.resource.product_object_id
Event ID 5324
Provider: Microsoft-Windows-GroupPolicy
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
SessionId | Data/SessionId | network.session_id
Domain | System/Domain | principal.administrative_domain
AccountType | System/AccountType | principal.user.attribute.roles.description
AccountName | System/AccountName | principal.user.attribute.roles.name
UserID | System/UserID | principal.user.windows_sid
Event ID 5326
Provider: Microsoft-Windows-GroupPolicy
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Domain | System/Domain | principal.administrative_domain
AccountType | System/AccountType | principal.user.attribute.roles.description
AccountName | System/AccountName | principal.user.attribute.roles.name
UserID | System/UserID | principal.user.windows_sid
ErrorCode | Data/ErrorCode | security_result.summary (Format: ErrorCode - %{value})
DCDiscoveryTimeInMilliSeconds | Data/DCDiscoveryTimeInMilliSeconds | target.resource.attribute.labels.key / target.resource.attribute.labels.value
Event ID 5327
Provider: Microsoft-Windows-GroupPolicy
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain | System/Domain | principal.administrative_domain
AccountType | System/AccountType | principal.user.attribute.roles.description
AccountName | System/AccountName | principal.user.attribute.roles.name
UserID | System/UserID | principal.user.windows_sid
NetworkBandwidthInKbps | Data/NetworkBandwidthInKbps | target.resource.attribute.labels.key / target.resource.attribute.labels.value
Event ID 5340
Provider: Microsoft-Windows-GroupPolicy
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Domain | System/Domain | principal.administrative_domain
AccountType | System/AccountType | principal.user.attribute.roles.description
AccountName | System/AccountName | principal.user.attribute.roles.name
UserID | System/UserID | principal.user.windows_sid
PolicyApplicationMode | Data/PolicyApplicationMode | target.resource.attribute.labels.key / target.resource.attribute.labels.value
Event ID 5351
Provider: Microsoft-Windows-GroupPolicy
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain | System/Domain | principal.administrative_domain
AccountType | System/AccountType | principal.user.attribute.roles.description
AccountName | System/AccountName | principal.user.attribute.roles.name
UserID | System/UserID | principal.user.windows_sid
Event ID 5376
version 0 / Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
BackupFileName | Data/BackupFileName | target.file.full_path
ClientProcessId | Data/ClientProcessId | target.process.pid
Event ID 5377
version 0 / Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
BackupFileName | Data/BackupFileName | target.file.full_path
ClientProcessId | Data/ClientProcessId | target.process.pid
Event ID 5378
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED and security_result.category = POLICY_VIOLATION
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
TargetServer | Data/TargetServer | target.hostname
UserUPN | Data/UserUPN | target.user.userid
Event ID 5379
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = RESOURCE_READ; target.resource.name = Credential Manager credentials
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
ClientProcessId | Data/ClientProcessId | principal.process.pid
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
Event ID 5380
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
ClientProcessId | Data/ClientProcessId | principal.process.pid
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
Event ID 5381
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
ClientProcessId | Data/ClientProcessId | principal.process.pid
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
Event ID 5382
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
ClientProcessId | Data/ClientProcessId | principal.process.pid
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
Resource | Data/Resource | target.resource.name
Event ID 5440
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5441
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5442
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5443
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5444
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5446
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
ProcessId | Data/ProcessId | principal.process.pid
UserName | Data/UserName | principal.user.userid
UserSid | Data/UserSid | principal.user.windows_sid
Event ID 5447
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SETTING_MODIFICATION; target.resource.resource_type set to SETTING
ProviderKey | Data/ProviderKey | about.resource.attribute.labels.key / value
ProviderName | Data/ProviderName | about.resource.attribute.labels.key / value
ChangeType | Data/ChangeType | about.resource.attribute.labels.key / value
FilterKey | Data/FilterKey | about.resource.attribute.labels.key / value
FilterType | Data/FilterType | about.resource.attribute.labels.key / value
LayerKey | Data/LayerKey | about.resource.attribute.labels.key / value
LayerName | Data/LayerName | about.resource.attribute.labels.key / value
LayerId | Data/LayerId | about.resource.attribute.labels.key / value
Weight | Data/Weight | about.resource.attribute.labels.key / value
Conditions | Data/Conditions | about.resource.attribute.labels.key / value
Action | Data/Action | about.resource.attribute.labels.key / value
CalloutKey | Data/CalloutKey | about.resource.attribute.labels.key / value
CalloutName | Data/CalloutName | about.resource.attribute.labels.key / value
ProcessId | Data/ProcessId | principal.process.pid
UserName | Data/UserName | principal.user.userid
UserSid | Data/UserSid | principal.user.windows_sid
FilterName | Data/FilterName | target.resource.name
FilterId | Data/FilterId | target.resource.product_object_id
Event ID 5448
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
ProcessId | Data/ProcessId | principal.process.pid
UserName | Data/UserName | principal.user.userid
UserSid | Data/UserSid | principal.user.windows_sid
Event ID 5449
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
ProcessId | Data/ProcessId | principal.process.pid
UserName | Data/UserName | principal.user.userid
UserSid | Data/UserSid | principal.user.windows_sid
Event ID 5450
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
ProcessId | Data/ProcessId | principal.process.pid
UserName | Data/UserName | principal.user.userid
UserSid | Data/UserSid | principal.user.windows_sid
Event ID 5451
version 0 / Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
IpProtocol | Data/IpProtocol | network.ip_protocol
LocalAddress | Data/LocalAddress | principal.ip
LocalPort | Data/LocalPort | principal.port
RemoteAddress | Data/RemoteAddress | target.ip
RemotePort | Data/RemotePort | target.port
Event ID 5452
version 0 / Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
IpProtocol | Data/IpProtocol | network.ip_protocol
LocalAddress | Data/LocalAddress | principal.ip
LocalPort | Data/LocalPort | principal.port
RemoteAddress | Data/RemoteAddress | target.ip
RemotePort | Data/RemotePort | target.port
Event ID 5453
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5456
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Policy | Data/Policy | target.resource.name
Event ID 5457
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Policy | Data/Policy | target.resource.name
Event ID 5458
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Policy | Data/Policy | target.resource.name
Event ID 5459
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Error | Data/Error | security_result.summary (Format - Error Code: %{value})
Policy | Data/Policy | target.resource.name
Event ID 5460
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Policy | Data/Policy | target.resource.name
Event ID 5461
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Error | Data/Error | security_result.summary (Format - Error Code: %{value})
Policy | Data/Policy | target.resource.name
Event ID 5462
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Error | Data/Error | security_result.summary (Format - Error Code: %{value})
Policy | Data/Policy | target.resource.name
Event ID 5463
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5464
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5465
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5466
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5467
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5468
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5471
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Policy | Data/Policy | target.resource.name
Event ID 5472
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Error | Data/Error | security_result.summary (Format - Error Code: %{value})
Policy | Data/Policy | target.resource.name
Event ID 5473
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Policy | Data/Policy | target.resource.name
Event ID 5474
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Error | Data/Error | security_result.summary (Format - Error Code: %{value})
Policy | Data/Policy | target.resource.name
Event ID 5477
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5478
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SERVICE_START; target.application = "IPsec Policy Agent service"
Event ID 5479
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SERVICE_STOP; target.application = "IPsec Policy Agent service"
Event ID 5480
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5483
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Error | Data/Error | security_result.summary (Format - Error Code: %{value})
Event ID 5484
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Error | Data/Error | security_result.summary (Format - Error Code: %{value})
Event ID 5485
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5615
Provider: Microsoft-Windows-WMI
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SERVICE_START; target.application = "Windows Management Instrumentation"
Domain | System/Domain | principal.administrative_domain
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid
Event ID 5617
Provider: Microsoft-Windows-WMI
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SERVICE_START; target.application = "Windows Management Instrumentation"
Domain | System/Domain | principal.administrative_domain
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid
Event ID 5632
version 0 / Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = NETWORK_CONNECTION
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
LocalMac | Data/LocalMac | principal.mac
SubjectUserName | Data/SubjectUserName | principal.user.userid
ReasonText | Data/ReasonText | security_result.description
PeerMac | Data/PeerMac | target.mac
Event ID 5633
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = NETWORK_CONNECTION
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
ReasonText | Data/ReasonText | security_result.description
Event ID 5712
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
ProcessName | Data/ProcessName | principal.process.file.full_path
ProcessId | Data/ProcessId | principal.process.pid
RemoteIpAddress | Data/RemoteIpAddress | target.ip
RemotePort | Data/RemotePort | target.port
Event ID 5719
Provider: NETLOGON
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5721
Provider: NETLOGON
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5722
Provider: NETLOGON
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Data_2 | | security_result.summary (Format: %{Data_2} - %{Extract description from Message})
Data | | target.hostname
Event ID 5723
Provider: NETLOGON
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Data | | target.hostname
Event ID 5774
Provider: NETLOGON
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5775
Provider: NETLOGON
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5781
Provider: NETLOGON
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5782
Provider: NETLOGON
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5802
Provider: NETLOGON
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5805
Provider: NETLOGON
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Data | | target.hostname
Event ID 5807
Provider: NETLOGON
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5823
Provider: NETLOGON
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 5827
Provider: NETLOGON
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Data | | target.hostname
Event ID 5830
Provider: NETLOGON
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE; target_hostname set to target.hostname
Event ID 5857
Provider: Microsoft-Windows-WMI-Activity
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
ProcessID | Data/ProcessID | target.process.pid
Code | Data/Code | security_result.summary is set to "Code - %{Code}"
HostProcess | Data/HostProcess | target.process.file.full_path
ProviderPath | Data/ProviderPath | target.file.full_path
Event ID 5858
Provider: Microsoft-Windows-WMI-Activity
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
ClientMachine | Data/ClientMachine | principal.hostname
User | Data/User | principal.user.windows_sid
ClientProcessId | Data/ClientProcessId | principal.process.pid
PossibleCause | Data/PossibleCause | security_result.description
Event ID 5859
Provider: Microsoft-Windows-WMI-Activity
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
NamespaceName | Data/NamespaceName | target.file.full_path
User | Data/User | principal.user.windows_sid
ProcessID | Data/ProcessID | target.process.pid
PossibleCause | Data/PossibleCause | security_result.description
Event ID 5860
Provider: Microsoft-Windows-WMI-Activity
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
NamespaceName | Data/NamespaceName | target.file.full_path
User | Data/User | principal.user.windows_sid
Processid | Data/User | target.process.pid
ClientMachine | Data/ClientMachine | principal.hostname
PossibleCause | Data/PossibleCause | security_result.description
Event ID 5861
Provider: Microsoft-Windows-WMI-Activity
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SERVICE_START; target.application set to "%{SourceName}"; security_result.summary set to "%{Channel}"
Message | System/Message | Namespace set to target.file.full_path
Domain | System/Domain | principal.administrative_domain
AccountName | System/AccountName | principal.user.userid
PossibleCause | Data/PossibleCause | security_result.description
Event ID 5888
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = USER_RESOURCE_UPDATE_CONTENT
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
ObjectCollectionName | Data/ObjectCollectionName | target.resource.name
ModifiedObjectProperties | Data/ModifiedObjectProperties | We can use target.resource.attribute.labels.key/value UDM mappings as follows (check whether it is possible by using kv in conf): target.resource.attribute.labels.key = "<Property_Name>_OLD_VALUE", target.resource.attribute.labels.value = "<OLD_VALUE>"; target.resource.attribute.labels.key = "<Property_Name>_NEW_VALUE", target.resource.attribute.labels.value = "<NEW_VALUE>"
Event ID 5889
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = USER_RESOURCE_DELETION
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
Event ID 5890
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = USER_RESOURCE_CREATION
SubjectDomainName | Data/SubjectDomainName | principal.administrative_domain
SubjectUserName | Data/SubjectUserName | principal.user.userid
SubjectUserSid | Data/SubjectUserSid | principal.user.windows_sid
ObjectCollectionName | Data/ObjectCollectionName | target.resource.name
Event ID 6000
Windows 10 client / Provider: Microsoft-Windows-Winlogon
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE; target.application = "winlogon notification subscriber"
Provider: Microsoft-Windows-Eventlog
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Channel | Data/Channel | target.file.full_path
Event ID 6001
Windows 10 client / Provider: Microsoft-Windows-Winlogon
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE; target.application = "winlogon notification subscriber"
Event ID 6003
Windows 10 client / Provider: Microsoft-Windows-Winlogon
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE; target.application = "winlogon notification subscriber"
Event ID 6005
Windows Server 2019 / Provider: Microsoft-Windows-Winlogon
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE; target.application = "winlogon notification subscriber"
Provider: EventLog
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SERVICE_START; target.application = "%{SourceName}"
SourceName | | target.application
Event ID 6006
Windows 10 client / Provider: EventLog
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SERVICE_STOP; target.application = "%{SourceName}"
SourceName | | target.application
Provider: Microsoft-Windows-W3LOGSVC
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SERVICE_STOP
Message | | security_result.summary
SourceName | | target.application
ProcessId | | target.process.pid
Event ID 6008
Provider: EventLog
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SERVICE_STOP; target.application = "%{SourceName}"
Event ID 6009
Provider: EventLog
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 6011
Provider: EventLog
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Message | | Extract hostnames and map the old value to principal.hostname and the new (modified) value to target.hostname
Event ID 6013
Provider: EventLog
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 6038
Provider: LsaSrv
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 6062
Provider: Netwtw10
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UNCATEGORIZED; Message set to security_result.summary
Event ID 6100
Provider: Microsoft-Windows-Diagnostics-Networking
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Domain | System/Domain | principal.administrative_domain
AccountName | System/AccountName | principal.user.userid
UserID | System/UserID | principal.user.windows_sid
Event ID 6144
Provider: LsaSrv
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 6145
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = STATUS_UPDATE
Event ID 6148
Provider: LsaSrv
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SCAN_UNCATEGORIZED
Event ID 6149
Provider: LsaSrv
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = SCAN_UNCATEGORIZED
Event ID 6272
version 0 / Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = USER_RESOURCE_ACCESS; security_result.action = ALLOW
SubjectMachineName | Data/SubjectMachineName | principal.user.userid
SubjectMachineSID | Data/SubjectMachineSID | principal.user.windows_sid
SubjectDomainName | Data/SubjectDomainName | target.administrative_domain
SubjectUserName | Data/SubjectUserName | target.user.userid
SubjectUserSid | Data/SubjectUserSid | target.user.windows_sid
Event ID 6273
version 0 / Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = USER_RESOURCE_ACCESS; security_result.action = BLOCK
SubjectMachineName | Data/SubjectMachineName | principal.user.userid
SubjectMachineSID | Data/SubjectMachineSID | principal.user.windows_sid
Reason | Data/Reason | security_result.summary
SubjectDomainName | Data/SubjectDomainName | target.administrative_domain
SubjectUserName | Data/SubjectUserName | target.user.userid
SubjectUserSid | Data/SubjectUserSid | target.user.windows_sid
Event ID 6274
version 1 / Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = USER_RESOURCE_ACCESS; security_result.action = BLOCK
SubjectMachineName | Data/SubjectMachineName | principal.user.userid
SubjectMachineSID | Data/SubjectMachineSID | principal.user.windows_sid
SubjectDomainName | Data/SubjectDomainName | target.administrative_domain
SubjectUserName | Data/SubjectUserName | target.user.userid
SubjectUserSid | Data/SubjectUserSid | target.user.windows_sid
Event ID 6275
version 0 / Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = USER_RESOURCE_ACCESS; security_result.action = BLOCK
SubjectMachineName | Data/SubjectMachineName | principal.user.userid
SubjectMachineSID | Data/SubjectMachineSID | principal.user.windows_sid
Reason | Data/Reason | security_result.summary
SubjectDomainName | Data/SubjectDomainName | target.administrative_domain
SubjectUserName | Data/SubjectUserName | target.user.userid
SubjectUserSid | Data/SubjectUserSid | target.user.windows_sid
Event ID 6276
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = USER_CHANGE_PERMISSIONS; security_result.action = QUARANTINE
MachineInventory | Data/MachineInventory | principal.asset.platform_software.platform_version
SubjectMachineName | Data/SubjectMachineName | principal.user.userid
SubjectMachineSID | Data/SubjectMachineSID | principal.user.windows_sid
SubjectDomainName | Data/SubjectDomainName | target.administrative_domain
SubjectUserName | Data/SubjectUserName | target.user.userid
SubjectUserSid | Data/SubjectUserSid | target.user.windows_sid
Event ID 6277
Provider: Microsoft-Windows-Security-Auditing
NXLog field | Event Viewer field | UDM field
| | metadata.event_type = USER_CHANGE_PERMISSIONS; security_result.action = ALLOW_WITH_MODIFICATION
CalledStationID | Data/CalledStationID | principal.asset.platform_software.platform_version
FullyQualifiedSubjectMachineName | Data/FullyQualifiedSubjectMachineName | principal.user.userid
SubjectMachineName | Data/SubjectMachineName | principal.user.windows_sid
SubjectDomainName | Data/SubjectDomainName | target.administrative_domain
SubjectUserName | Data/SubjectUserName | target.user.userid
SubjectUserSid | Data/SubjectUserSid | target.user.windows_sid
Event ID 6278
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = USER_CHANGE_PERMISSIONS
security_result.action = ALLOW |
MachineInventory |
Data/MachineInventory |
principal.asset.platform_software.platform_version |
SubjectMachineName |
Data/SubjectMachineName |
principal.user.userid |
SubjectMachineSID |
Data/SubjectMachineSID |
principal.user.windows_sid |
SubjectDomainName |
Data/SubjectDomainName |
target.administrative_domain |
SubjectUserName |
Data/SubjectUserName |
target.user.userid |
SubjectUserSid |
Data/SubjectUserSid |
target.user.windows_sid |
Event ID 6279
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = USER_CHANGE_PERMISSIONS
security_result.action = BLOCK |
SubjectDomainName |
Data/SubjectDomainName |
target.administrative_domain |
SubjectUserName |
Data/SubjectUserName |
target.user.userid |
SubjectUserSid |
Data/SubjectUserSid |
target.user.windows_sid |
Event ID 6280
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = USER_CHANGE_PERMISSIONS
security_result.action = ALLOW |
SubjectDomainName |
Data/SubjectDomainName |
target.administrative_domain |
SubjectUserName |
Data/SubjectUserName |
target.user.userid |
SubjectUserSid |
Data/SubjectUserSid |
target.user.windows_sid |
Event ID 6281
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = FILE_UNCATEGORIZED |
param1 |
Data/param1 |
target.file.full_path |
Event ID 6313
Provider: ADSync
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED. If the fields required for STATUS_UNCATEGORIZED are not present in the event, metadata.event_type is set to STATUS_UPDATE instead. |
Data |
|
principal.administrative_domain |
Event ID 6400
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
ClientIPAddress |
Data/ClientIPAddress |
principal.ip |
Event ID 6401
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
ClientIPAddress |
Data/ClientIPAddress |
principal.ip |
Event ID 6402
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
ClientIPAddress |
Data/ClientIPAddress |
principal.ip |
Event ID 6403
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 6404
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
ErrorCode |
Data/ErrorCode |
security_result.description |
Event ID 6405
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 6406
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 6407
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 6408
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 6409
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 6410
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = FILE_UNCATEGORIZED |
param1 |
Data/param1 |
target.file.full_path |
Event ID 6416
version 0 / Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
resource.resource_type set to "DEVICE" |
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
ClassId |
Data/ClassId |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
VendorIds |
Data/VendorIds |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
CompatibleIds |
Data/CompatibleIds |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
LocationInformation |
Data/LocationInformation |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
version 1 / Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
DeviceDescription |
Data/DeviceDescription |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
ClassName |
Data/ClassName |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
DeviceId |
Data/DeviceId |
target.resource.product_object_id |
Event ID 6417
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
ProcessId |
Data/ProcessId |
principal.process.pid |
Event ID 6418
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
ProcessId |
Data/ProcessId |
principal.process.pid |
Event ID 6419
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = USER_RESOURCE_ACCESS |
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
DeviceId |
Data/DeviceId |
target.resource.id |
DeviceDescription |
Data/DeviceDescription |
target.resource.name |
Event ID 6420
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = USER_RESOURCE_ACCESS
Set security_result.action="BLOCK" |
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
DeviceId |
Data/DeviceId |
target.resource.id |
DeviceDescription |
Data/DeviceDescription |
target.resource.name |
Event ID 6421
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = USER_RESOURCE_ACCESS |
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
DeviceId |
Data/DeviceId |
target.resource.id |
DeviceDescription |
Data/DeviceDescription |
target.resource.name |
Event ID 6422
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = USER_RESOURCE_ACCESS
Set security_result.action="ALLOW" |
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
DeviceId |
Data/DeviceId |
target.resource.id |
DeviceDescription |
Data/DeviceDescription |
target.resource.name |
Event ID 6423
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = USER_RESOURCE_ACCESS
Set security_result.action="BLOCK" |
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
DeviceId |
Data/DeviceId |
target.resource.id |
DeviceDescription |
Data/DeviceDescription |
target.resource.name |
Event ID 6424
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = USER_RESOURCE_ACCESS
Set security_result.action="ALLOW" |
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
DeviceId |
Data/DeviceId |
target.resource.id |
DeviceDescription |
Data/DeviceDescription |
target.resource.name |
Event ID 6946
Provider: ADSync
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED. If the fields required for STATUS_UNCATEGORIZED are not present in the event, metadata.event_type is set to STATUS_UPDATE instead. |
Data |
|
security_result.description |
Event ID 6952
Provider: ADSync
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED. If the fields required for STATUS_UNCATEGORIZED are not present in the event, metadata.event_type is set to STATUS_UPDATE instead. |
Data |
|
security_result.description |
Event ID 7000
Provider: Service Control Manager
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SERVICE_UNSPECIFIED
The error text is extracted from the message and mapped to security_result.summary |
param1 |
Data/param1 |
target.application |
Event ID 7001
Provider: Microsoft-Windows-Winlogon
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Domain |
System/Domain |
principal.administrative_domain |
AccountName |
System/AccountName |
principal.user.userid |
UserID |
System/UserID |
principal.user.windows_sid |
UserSid |
Data/UserSid |
principal.user.windows_sid |
Event ID 7002
Provider: Microsoft-Windows-Winlogon
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Domain |
System/Domain |
principal.administrative_domain |
AccountName |
System/AccountName |
principal.user.userid |
UserSid |
Data/UserSid |
principal.user.windows_sid |
Provider: Netwtw10
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Event ID 7003
Provider: Netwtw10
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Event ID 7005
Provider: Netwtw10
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Event ID 7009
Provider: Service Control Manager
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SERVICE_UNSPECIFIED |
param2 |
Data/param2 |
target.application |
Event ID 7010
Provider: Netwtw10
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Event ID 7011
Windows Server 2019 / Provider: Service Control Manager
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SERVICE_UNSPECIFIED |
param1 |
Data/param1 |
target.application |
Provider: Netwtw10
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Event ID 7012
Provider: Netwtw10
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Event ID 7017
Provider: Netwtw10
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Event ID 7021
Provider: Netwtw10
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
Data |
|
target.hostname |
Data_1 |
|
target.resource.name |
Event ID 7022
Provider: Service Control Manager
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SERVICE_START |
param1 |
Not available |
target.application |
Event ID 7023
Windows 10 client / Provider: Service Control Manager
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SERVICE_STOP
The error text is extracted from the message and mapped to security_result.summary |
param1 |
Data/param1 |
target.application |
|
|
metadata.event_type = SERVICE_STOP |
param2 |
Not available |
security_result.description
Format: Error Code - %{value} |
param1 |
Not available |
target.application |
Event ID 7024
Provider: Service Control Manager
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SERVICE_STOP |
param2 |
Not available |
security_result.description
Format: Error Code - %{value} |
param1 |
Not available |
target.application |
Event ID 7025
Provider: Netwtw10
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Event ID 7026
Provider: Netwtw10
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Provider: Service Control Manager
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SERVICE_START
target.resource.resource_type = DEVICE target.resource.resource_subtype = "boot-start or system-start driver" |
param1 |
Not available |
target.application |
Event ID 7031
Provider: Service Control Manager
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SERVICE_STOP |
param1 |
Not available |
target.application |
Event ID 7032
Provider: Service Control Manager
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SERVICE_STOP |
param2 |
Not available |
security_result.action_details |
param4 |
Not available |
security_result.description
Error Code: %{value} |
param3 |
Not available |
target.application |
Event ID 7034
Provider: Service Control Manager
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SERVICE_STOP
security_result.action = BLOCK |
param1 |
Not available |
target.application |
Event ID 7036
Provider: Netwtw10
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Provider: Service Control Manager
NXLog field |
Event Viewer field |
UDM field |
|
|
If the param2 log field value is equal to stopped, then the metadata.event_type UDM field is set to SERVICE_STOP.
Else, if the param2 log field value is equal to start, then the metadata.event_type UDM field is set to SERVICE_START.
Else, if the param2 log field value is equal to running, then the metadata.event_type UDM field is set to SERVICE_UNSPECIFIED.
|
param1 |
Not available |
target.application |
param2 |
Not available |
If the |
Event ID 7038
Provider: Service Control Manager
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SERVICE_UNSPECIFIED |
param2 |
|
principal.hostname |
param3 |
|
security_result.description
Format: %{param3} - %{Extract description from Message} |
param1 |
|
target.application |
Event ID 7040
Provider: Service Control Manager
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SERVICE_MODIFICATION |
Domain |
System/Domain |
principal.administrative_domain |
AccountName |
System/AccountName |
principal.user.userid |
UserID |
System/UserID |
principal.user.windows_sid |
param1 |
Data/param1 |
target.application |
Event ID 7042
Windows Server 2019 / Provider: Service Control Manager
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SERVICE_STOP |
Domain |
System/Domain |
principal.administrative_domain |
AccountName |
System/AccountName |
principal.user.userid |
UserID |
System/UserID |
principal.user.windows_sid |
param1 |
Data/param1 |
target.application |
Event ID 7045
Provider: Service Control Manager
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SERVICE_CREATION |
ServiceName |
Data/ServiceName |
target.application |
ImagePath |
Data/ImagePath |
target.process.file.full_path |
UserID |
System/UserID |
target.user.windows_sid |
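The tables above describe the mapping declaratively; the following is an added example, not code from the Google Security Operations WINEVTLOG parser or its documentation, showing how a few of those mappings behave when applied to NXLog-style JSON records: the param2 state logic of Service Control Manager 7036, the "Error Code - %{value}" format of 7023, the SERVICE_CREATION mapping of 7045, the Netwtw10 variant of 7036, and the label expansion of Security-Auditing 6416. Records are keyed by provider (SourceName) and Event ID, because the same Event ID is listed under more than one provider and the meaning differs. Assumptions: the NXLog record carries the provider in SourceName and the event version in Version; the version 1 fields of 6416 are treated as additive to the version 0 fields; "resource.resource_type" is placed under target.resource. All sample records are constructed for this example.

```python
"""Added example: a minimal normalizer for a handful of WINEVTLOG mappings.
Not the parser's own code; field names follow the NXLog column of the tables."""
import json

# Constructed NXLog im_msvistalog-style records (only the fields needed here).
SAMPLE_RECORDS = [
    json.dumps({"SourceName": "Service Control Manager", "EventID": 7036,
                "param1": "Windows Update", "param2": "stopped"}),
    json.dumps({"SourceName": "Service Control Manager", "EventID": 7036,
                "param1": "Windows Update", "param2": "running"}),
    json.dumps({"SourceName": "Netwtw10", "EventID": 7036,
                "Message": "Wi-Fi adapter reset (constructed message)"}),
    json.dumps({"SourceName": "Service Control Manager", "EventID": 7045,
                "ServiceName": "updater", "ImagePath": "C:\\Temp\\svc.exe",
                "UserID": "S-1-5-21-111-222-333-500"}),
    json.dumps({"SourceName": "Service Control Manager", "EventID": 7023,
                "param1": "Spooler", "param2": "%%1053"}),
    json.dumps({"SourceName": "Microsoft-Windows-Security-Auditing",
                "EventID": 6416, "Version": 1,
                "SubjectDomainName": "CORP", "SubjectUserName": "alice",
                "SubjectUserSid": "S-1-5-21-111-222-333-1001",
                "ClassId": "{4d36e967-e325-11ce-bfc1-08002be10318}",
                "DeviceId": "USBSTOR\\DISK&VEN_X&PROD_Y\\0123456789",
                "DeviceDescription": "USB Flash Drive"}),
]

# Direct field copies keyed by (provider, Event ID), taken from the tables.
FIELD_MAPS = {
    ("Service Control Manager", 7023): [("param1", "target.application")],
    ("Service Control Manager", 7036): [("param1", "target.application")],
    ("Service Control Manager", 7045): [
        ("ServiceName", "target.application"),
        ("ImagePath", "target.process.file.full_path"),
        ("UserID", "target.user.windows_sid")],
    ("Netwtw10", 7036): [("Message", "security_result.summary")],
    ("Microsoft-Windows-Security-Auditing", 6416): [
        ("SubjectDomainName", "principal.administrative_domain"),
        ("SubjectUserName", "principal.user.userid"),
        ("SubjectUserSid", "principal.user.windows_sid")],
}
# 6416 fields carried as target.resource.attribute.labels (key = field name).
# Assumption: version 1 adds DeviceDescription and ClassName to the version 0 set.
LABEL_FIELDS_6416 = {
    0: ("ClassId", "VendorIds", "CompatibleIds", "LocationInformation"),
    1: ("ClassId", "VendorIds", "CompatibleIds", "LocationInformation",
        "DeviceDescription", "ClassName"),
}


def set_path(udm, dotted, value):
    """Assign value at a dotted UDM path, creating nested dicts as needed."""
    node = udm
    *parents, leaf = dotted.split(".")
    for part in parents:
        node = node.setdefault(part, {})
    node[leaf] = value


def scm_7036_event_type(param2):
    """Service Control Manager 7036: event type follows param2 literally as
    the table states; any other state string is left unmapped (None)."""
    return {"stopped": "SERVICE_STOP", "start": "SERVICE_START",
            "running": "SERVICE_UNSPECIFIED"}.get(param2.strip().lower())


def normalize(raw_line):
    """Map one NXLog JSON record to a nested dict of UDM fields."""
    rec = json.loads(raw_line)
    key = (rec["SourceName"], rec["EventID"])
    udm = {"metadata": {}}
    for src, dst in FIELD_MAPS.get(key, []):
        if rec.get(src) not in (None, ""):
            set_path(udm, dst, rec[src])
    event_type = None
    if key == ("Service Control Manager", 7036):
        event_type = scm_7036_event_type(rec.get("param2", ""))
    elif key == ("Service Control Manager", 7045):
        event_type = "SERVICE_CREATION"
    elif key == ("Service Control Manager", 7023):
        event_type = "SERVICE_STOP"
        if rec.get("param2"):  # table: "Format: Error Code - %{value}"
            set_path(udm, "security_result.description",
                     f"Error Code - {rec['param2']}")
    elif key == ("Netwtw10", 7036):
        event_type = "STATUS_UNCATEGORIZED"
    elif key == ("Microsoft-Windows-Security-Auditing", 6416):
        event_type = "SYSTEM_AUDIT_LOG_UNCATEGORIZED"
        version = int(rec.get("Version", 0))
        set_path(udm, "target.resource.resource_type", "DEVICE")
        if version >= 1 and rec.get("DeviceId"):
            set_path(udm, "target.resource.product_object_id", rec["DeviceId"])
        labels = [{"key": f, "value": rec[f]}
                  for f in LABEL_FIELDS_6416[min(version, 1)] if rec.get(f)]
        if labels:
            set_path(udm, "target.resource.attribute.labels", labels)
    if event_type:
        udm["metadata"]["event_type"] = event_type
    return udm


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        print(json.dumps(normalize(line), indent=1))
```

The dispatch on (SourceName, EventID) is the point worth copying into any downstream rule or enrichment: Event ID 7036 from Netwtw10 is a status message, not a service state change, and matching on the number alone conflates the two.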
Event ID 8000
Provider: Netwtw10
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Provider: Microsoft-Windows-AppLocker
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Status |
|
security_result.summary |
Event ID 8003
Provider: bowser
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
Data_1 |
|
target.hostname |
Data_2 |
|
target.resource.product_object_id |
Provider: Microsoft-Windows-AppLocker
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
RuleId |
|
security_result.rule_id |
TargetUser |
|
target.user.userid |
TargetProcessId |
|
target.process.pid |
FullFilePath |
|
target.process.file.full_path |
FilePath |
|
target.file.full_path |
FileHash |
|
target.file.sha256 |
Fqbn |
|
target.group.group_display_name |
TargetLogonId |
Data/TargetLogonId |
additional.fields.key additional.fields.value.string_value |
Event ID 8004
Provider: Microsoft-Windows-AppLocker
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
RuleId |
|
security_result.rule_id |
TargetUser |
|
target.user.userid |
TargetProcessId |
|
target.process.pid |
FullFilePath |
|
target.process.file.full_path |
FilePath |
|
target.file.full_path |
FileHash |
|
target.file.sha256 |
Fqbn |
|
target.group.group_display_name |
TargetLogonId |
Data/TargetLogonId |
additional.fields.key additional.fields.value.string_value |
Event ID 8005
Provider: Microsoft-Windows-GroupPolicy
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Domain |
System/Domain |
principal.administrative_domain |
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
UserID |
System/UserID |
principal.user.windows_sid |
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: ErrorCode - %{value} |
PrincipalSamName |
Data/PrincipalSamName |
target.hostname |
TargetLogonId |
Data/TargetLogonId |
additional.fields.key additional.fields.value.string_value |
Event ID 8006
Provider: Microsoft-Windows-GroupPolicy
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Domain |
System/Domain |
principal.administrative_domain |
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
UserID |
System/UserID |
principal.user.windows_sid |
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: ErrorCode - %{value} |
PrincipalSamName |
Data/PrincipalSamName |
target.hostname |
Provider: Microsoft-Windows-AppLocker
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
RuleId |
|
security_result.rule_id |
TargetUser |
|
target.user.userid |
TargetProcessId |
|
target.process.pid |
FullFilePath |
|
target.process.file.full_path |
FilePath |
|
target.file.full_path |
FileHash |
|
target.file.sha256 |
Fqbn |
|
target.group.group_display_name |
Event ID 8007
Provider: Microsoft-Windows-AppLocker
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
RuleId |
|
security_result.rule_id |
TargetUser |
|
target.user.userid |
TargetProcessId |
|
target.process.pid |
FullFilePath |
|
target.process.file.full_path |
FilePath |
|
target.file.full_path |
FileHash |
|
target.file.sha256 |
Fqbn |
|
target.group.group_display_name |
Event ID 8008
Provider: Microsoft-Windows-UserPnp
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 8009
Provider: Microsoft-Windows-UserPnp
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
ErrorCode |
Data/ErrorCode |
security_result.summary set to ErrorCode - %{ErrorCode} |
Event ID 8010
Provider: Microsoft-Windows-DNS-Client
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
DnsServerList |
|
intermediary.ip |
Ipaddress |
|
target.ip |
ErrorCode |
Data/ErrorCode |
security_result.summary set to ErrorCode - %{ErrorCode} |
Event ID 8015
Provider: Microsoft-Windows-DNS-Client
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
DnsServerList |
|
intermediary.ip |
Ipaddress |
|
target.ip |
ErrorCode |
Data/ErrorCode |
security_result.summary set to ErrorCode - %{ErrorCode} |
Event ID 8017
Provider: Microsoft-Windows-DNS-Client
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
DnsServerList |
|
intermediary.ip |
Ipaddress |
|
target.ip |
ErrorCode |
Data/ErrorCode |
security_result.summary set to ErrorCode - %{ErrorCode} |
Event ID 8018
Provider: Microsoft-Windows-DNS-Client
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
DnsServerList |
|
intermediary.ip |
Ipaddress |
|
target.ip |
ErrorCode |
Data/ErrorCode |
security_result.summary set to ErrorCode - %{ErrorCode} |
Event ID 8019
Provider: Microsoft-Windows-DNS-Client
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
DnsServerList |
|
intermediary.ip |
Ipaddress |
|
target.ip |
ErrorCode |
Data/ErrorCode |
security_result.summary set to ErrorCode - %{ErrorCode} |
Event ID 8020
Provider: Microsoft-Windows-UserPnp
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Provider: Microsoft-Windows-DNS-Client
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
DnsServerList |
|
intermediary.ip |
Ipaddress |
|
target.ip |
ErrorCode |
Data/ErrorCode |
security_result.summary set to ErrorCode - %{ErrorCode} |
Event ID 8021
Provider: Microsoft-Windows-UserPnp
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Provider: BROWSER
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Provider: Microsoft-Windows-AppLocker
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
RuleId |
|
security_result.rule_id |
TargetUser |
|
target.user.userid |
TargetProcessId |
|
target.process.pid |
Fqbn |
|
target.group.group_display_name |
Event ID 8022
Provider: Microsoft-Windows-UserPnp
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Provider: Microsoft-Windows-AppLocker
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
RuleId |
|
security_result.rule_id |
TargetUser |
|
target.user.userid |
TargetProcessId |
|
target.process.pid |
Fqbn |
|
target.group.group_display_name |
Event ID 8025
Provider: Microsoft-Windows-AppLocker
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
RuleId |
|
security_result.rule_id |
TargetUser |
|
target.user.userid |
TargetProcessId |
|
target.process.pid |
Fqbn |
|
target.group.group_display_name |
Event ID 8027
Provider: Microsoft-Windows-DNS-Client
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
DnsServerList |
|
intermediary.ip |
Ipaddress |
|
target.ip |
ErrorCode |
Data/ErrorCode |
security_result.summary set to ErrorCode - %{ErrorCode} |
Event ID 8030
Provider: Microsoft-Windows-UserPnp
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 8033
Provider: Microsoft-Windows-DNS-Client
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
DnsServerList |
|
intermediary.ip |
Ipaddress |
|
target.ip |
ErrorCode |
Data/ErrorCode |
security_result.summary set to ErrorCode - %{ErrorCode} |
Event ID 8191
Provider: Microsoft-Windows-Security-Auditing
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 8193
Provider: VSS
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE
target.application = %{SourceName} |
Event ID 8198
Provider: Microsoft-Windows-Security-SPP
NXLog field |
Event Viewer field |
UDM field |
|
Not available |
metadata.event_type = STATUS_UPDATE |
Event ID 8222
Provider: VSSAudit
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
Domain |
|
principal.administrative_domain |
AccountType |
|
principal.user.attribute.roles.name |
Data_3 |
|
target.process.file.full_path |
Data_8 |
|
target.resource.attribute.labels.key target.resource.attribute.labels.value |
Data_9 |
|
target.resource.name |
Event ID 8223
Provider: VSSAudit
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
Domain |
System/Domain |
principal.administrative_domain |
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
AccountName |
System/AccountName |
principal.user.userid |
Data_7 |
|
target.resource.attribute.labels.key target.resource.attribute.labels.value |
Data_8 |
|
target.resource.name |
Event ID 8224
Provider: VSS
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SERVICE_STOP |
SourceName |
Not available |
target.application |
Event ID 8225
Provider: VSS
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SERVICE_STOP |
SourceName |
Not available |
target.application |
Event ID 8230
Provider: Microsoft-Windows-Security-SPP
NXLog field |
Event Viewer field |
UDM field |
|
Not available |
metadata.event_type = STATUS_UPDATE |
Event ID 9007
Provider: nhi
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 9008
Provider: nhi
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 9027
Provider: Desktop Window Manager
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
Event ID 10000
Windows Server 2019 / Provider: Microsoft-Windows-DistributedCOM
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Domain |
System/Domain |
principal.administrative_domain |
AccountName |
System/AccountName |
principal.user.userid |
UserID |
System/UserID |
principal.user.windows_sid |
param1 |
Data/param1 |
target.process.command_line |
Provider: Microsoft-Windows-DriverFrameworks-UserMode
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
|
|
target.resource.id |
Event ID 10001
Provider: Microsoft-Windows-DistributedCOM
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = STATUS_UPDATE |
Domain |
System/Domain |
principal.administrative_domain |
AccountName |
System/AccountName |
principal.user.userid |
UserID |
System/UserID |
principal.user.windows_sid |
param3 |
Data/param3 |
target.application |
param1 |
Data/param1 |
target.process.command_line |
Provider: Microsoft-Windows-WLAN-AutoConfig
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SERVICE_START |
Domain |
System/Domain |
principal.administrative_domain |
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
AccountName |
System/AccountName |
principal.user.userid |
UserID |
System/UserID |
principal.user.windows_sid |
ExtensibleModulePath |
Data/ExtensibleModulePath |
target.process.file.full_path |
Provider: Microsoft-Windows-DriverFrameworks-UserMode
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SERVICE_UNSPECIFIED |
ServiceName |
|
target.application |
CLSID |
|
target.labels.key/value additional.fields.key additional.fields.value.string_value |
Event ID 10002
Provider: Microsoft-Windows-WLAN-AutoConfig
NXLog field |
Event Viewer field |
UDM field |
|
|
metadata.event_type = SERVICE_STOP |
Domain |
System/Domain |
principal.administrative_domain |
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
AccountName |
System/AccountName |
principal.user.userid |
UserID |
System/UserID |
principal.user.windows_sid |
ExtensibleModulePath |
Data/ExtensibleModulePath |
target.process.file.full_path |
Provider: Microsoft-Windows-DriverFrameworks-UserMode

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_UNSPECIFIED |
| ServiceName | | target.application |
| CLSID | | target.labels.key/value; additional.fields.key and additional.fields.value.string_value |

Event ID 10004
Provider: Microsoft-Windows-WLAN-AutoConfig

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| ExtensibleModulePath | | target.process.file.full_path |

Event ID 10005
Provider: Microsoft-Windows-DistributedCOM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_UNSPECIFIED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| param2 | Data/param2 | target.application |

Event ID 10010
Provider: Microsoft-Windows-DistributedCOM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 10016
Provider: Microsoft-Windows-DistributedCOM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SETTING_MODIFICATION; target.resource.resource_type set to SETTING |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| param7 | Data/param7 | target.administrative_domain |
| param10 | Data/param10 | target.application |
| param1 | Data/param1 | target.resource.attribute.permissions.name |
| param5 | Data/param5 | target.resource.product_object_id |
| param6 | Data/param6 | target.user.userid |
| param8 | Data/param8 | target.user.windows_sid |

Event ID 10100
Provider: Microsoft-Windows-DriverFrameworks-UserMode

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 10111
Provider: Microsoft-Windows-DriverFrameworks-UserMode

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| InstanceId | | target.resource.id |

Event ID 10118
Provider: Microsoft-Windows-DriverFrameworks-UserMode

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_AUDIT_LOG_UNCATEGORIZED |

Event ID 10020
Provider: Microsoft-Windows-DistributedCOM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| param2 | | security_result.summary |

Event ID 10028
Provider: Microsoft-Windows-DistributedCOM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = NETWORK_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| param3 | Data/param3 | principal.process.file.full_path |
| param2 | Data/param2 | principal.process.pid |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| param1 | Data/param1 | target.ip |

Event ID 10036
Provider: Microsoft-Windows-DistributedCOM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| Domain Name | Data/Domain Name | target.administrative_domain |
| Client IP Address | Data/Client IP Address | target.ip |
| User Name | Data/User Name | target.user.user_display_name |
| SID | Data/SID | target.user.windows_sid |
Event ID 10110
Provider: Microsoft-Windows-DriverFrameworks-UserMode

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Status | | security_result.summary |

Event ID 10148
Windows 10 client / Provider: Microsoft-Windows-WinRM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 10149
Windows 10 client / Provider: Microsoft-Windows-WinRM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 10154
Windows 10 client / Provider: Microsoft-Windows-WinRM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 10317
Provider: Microsoft-Windows-NDIS

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| AdapterName | | target.resource.name |
| UserID | | principal.user.windows_sid |

Event ID 10400
Provider: Microsoft-Windows-NDIS

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| AdapterName | | target.resource.name |

Event ID 11707
Provider: MsiInstaller

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| Message | | target.application (product_name is extracted from the Message field and mapped to target.application) |

Event ID 12294
Provider: Microsoft-Windows-Directory-Services-SAM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| UserName | | target.user.userid |

Event ID 14204
Provider: Microsoft-Windows-WMPNSS-Service

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_START |
| ServiceName | | target.application |

Event ID 14205
Provider: Microsoft-Windows-WMPNSS-Service

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_STOP |
| ServiceName | | target.application |

Event ID 14531
Provider: Microsoft-Windows-DfsSvc

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 14533
Provider: Microsoft-Windows-DfsSvc

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 14554
Provider: Microsoft-Windows-DfsSvc

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 15007
Provider: Microsoft-Windows-HttpEvent

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Url | Data/Url | target.url |

Event ID 15008
Provider: Microsoft-Windows-HttpEvent

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Url | Data/Url | target.url |

Event ID 15021
Provider: Microsoft-Windows-HttpEvent

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Endpoint | | target.ip and target.port |
| DeviceObject | | target.resource.name |

Event ID 15301
Provider: Microsoft-Windows-HttpEvent

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SETTING_CREATION |
| Endpoint | Data/Endpoint | target.ip and target.port |

Event ID 16384
Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | Not available | metadata.event_type = SERVICE_START; target.application = "Software Protection" |
version 0 / Provider: Microsoft-Windows-Bits-Client

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Title | Data/Title | security_result.summary |
| User | Data/User | target.user.userid |

Event ID 16385
version 0 / Provider: Microsoft-Windows-Bits-Client

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Id | Data/Id | target.resource.product_object_id |
| Title | Data/Title | target.resource.name |
| User | Data/User | target.user.userid |
| FileList | Data/FileList | target.file.full_path |

Event ID 16388
version 0 / Provider: Microsoft-Windows-Bits-Client

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Title | Data/Title | security_result.summary |
| User | Data/User | target.user.userid |

Event ID 16392
version 0 / Provider: Microsoft-Windows-Bits-Client

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| ErrorCode | Data/ErrorCode | security_result.summary is set to "ErrorCode: %{ErrorCode}" |

Event ID 16394
Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | Not available | metadata.event_type = STATUS_UPDATE |

Event ID 16401
Provider: Microsoft-Windows-Directory-Services-SAM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = GROUP_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| ErrorMessage | Data/ErrorMessage | security_result.description |
| GroupName | Data/GroupName | target.group.group_display_name |

Event ID 16413
Provider: Microsoft-Windows-Directory-Services-SAM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = GROUP_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| ErrorString | Data/ErrorString | security_result.description |
| GroupName | Data/GroupName | target.group.group_display_name |

Event ID 16647
Provider: Microsoft-Windows-Directory-Services-SAM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 16648
Provider: Microsoft-Windows-Directory-Services-SAM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 16962
Provider: Microsoft-Windows-Directory-Services-SAM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 16963
Provider: Microsoft-Windows-Directory-Services-SAM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| Registry SD String | Data/Registry SD String | target.registry.registry_value_name |

Event ID 16966
Provider: Microsoft-Windows-Directory-Services-SAM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 16969
Provider: Microsoft-Windows-Directory-Services-SAM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 16977
Provider: Microsoft-Windows-Directory-Services-SAM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SETTING_MODIFICATION; target.resource.resource_type = SETTING |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

version 0 / Provider: Microsoft-Windows-Directory-Services-SAM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SETTING_MODIFICATION; target.resource.resource_type = SETTING |

Event ID 16978
version 0 / Provider: Microsoft-Windows-Directory-Services-SAM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SETTING_MODIFICATION; target.resource.resource_type = SETTING |
| AccountName | Data/AccountName | target.user.userid |

Event ID 16979
version 0 / Provider: Microsoft-Windows-Directory-Services-SAM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SETTING_MODIFICATION; target.resource.resource_type = SETTING |

Event ID 16982
version 0 / Provider: Microsoft-Windows-Directory-Services-SAM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |

Event ID 16983
Provider: Microsoft-Windows-Directory-Services-SAM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

version 0 / Provider: Microsoft-Windows-Directory-Services-SAM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 16984
Provider: Microsoft-Windows-Directory-Services-SAM

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
Event ID 18452
Provider: MSSQL$ENTERPRISE191

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = USER_LOGIN if complete_username or database_name is not empty, otherwise metadata.event_type = USER_UNCATEGORIZED; security_result.category = AUTH_VIOLATION |
| Message | System/Message | client_ip set to principal.ip; database_name set to target.hostname |
| SourceName | System/SourceName | principal.application |

Event ID 18456
Provider: MSSQL$ENTERPRISE100

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = USER_LOGIN if complete_username or database_name is not empty, otherwise metadata.event_type = USER_UNCATEGORIZED; security_result.category = AUTH_VIOLATION |
| Message | System/Message | client_ip set to principal.ip; database_name set to target.hostname; complete_username set to target.user.userid (if UserID is empty) |
| SourceName | System/SourceName | principal.application |

Provider: MSSQLSERVER

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = USER_LOGIN if complete_username or database_name is not empty, otherwise metadata.event_type = USER_UNCATEGORIZED; security_result.category = AUTH_VIOLATION |
| Message | System/Message | client_ip set to principal.ip; database_name set to target.hostname; complete_username set to target.user.userid (if UserID is empty) |
| SourceName | System/SourceName | principal.application |

Event ID 20001
Provider: Microsoft-Windows-UserPnp

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE; target_resource_name set to target.resource.name |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |

Event ID 20003
Provider: Microsoft-Windows-UserPnp

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE; Category set to security_result.category_details; Message set to metadata.description; target_resource_name set to target.resource.name |
| | | metadata.event_type = STATUS_UPDATE; target_resource_name set to target.resource.name |

Event ID 20063
Provider: RemoteAccess

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 20171
Provider: RemoteAccess

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 20192
Provider: RemoteAccess

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 28680
Provider: PRIVMAN

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 28701
Provider: PRIVMAN

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_HEARTBEAT; target_hostname set to target.hostname; target_ip set to target.ip |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 33205
Provider: MSSQL$LABX2010$AUDIT

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Provider: MSSQL$SQL16$AUDIT

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED; target_resource_name set to target.resource.name |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Provider: MSSQL$SYNEL$AUDIT

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Provider: MSSQLSERVER$AUDIT

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
Event ID 36867
Provider: Schannel

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED; Message set to security_result.summary |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 36868
Provider: Schannel

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| CSPName | | target.resource.name |
| KeyName | | target.resource.product_object_id |

Event ID 36870
Provider: Schannel

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 36871
Provider: Schannel

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 36874
Provider: Schannel

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 36877
Provider: Schannel

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 36880
Provider: Schannel

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 36881
Provider: Schannel

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED; Message set to security_result.summary |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 36882
Provider: Schannel

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED; Message set to security_result.summary |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 36886
Provider: Schannel

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 36887
Provider: Schannel

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 36888
Provider: Schannel

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountType | System/AccountType | principal.user.attribute.roles.name |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |

Event ID 40960
Provider: LsaSrv

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| Domain | System/Domain | principal.administrative_domain |
| AccountName | System/AccountName | principal.user.userid |
| UserID | System/UserID | principal.user.windows_sid |
| Error | | security_result.summary |
| Target | | target.hostname |

Event ID 40970
Provider: LsaSrv

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Target | Data/Target | network.application_protocol/target.hostname/target.administrative_domain |
| Error | Data/Error | security_result.summary |
Event ID 2147487656
version 0 / Provider: Microsoft-Windows-Winlogon

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |

Event ID 3221228478
Provider: Microsoft-Windows-Wininit

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_SHUTDOWN; security_result.description set to "ErrorCode - %{error_code}" |

Event ID 5447
Provider: Microsoft Corporation

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SETTING_MODIFICATION; target.resource.resource_type set to SETTING |
| ProviderKey | Data/ProviderKey | about.resource.attribute.labels.key/value |
| ProviderName | Data/ProviderName | about.resource.attribute.labels.key/value |
| ChangeType | Data/ChangeType | about.resource.attribute.labels.key/value |
| FilterKey | Data/FilterKey | about.resource.attribute.labels.key/value |
| FilterType | Data/FilterType | about.resource.attribute.labels.key/value |
| LayerKey | Data/LayerKey | about.resource.attribute.labels.key/value |
| LayerName | Data/LayerName | about.resource.attribute.labels.key/value |
| LayerId | Data/LayerId | about.resource.attribute.labels.key/value |
| Weight | Data/Weight | about.resource.attribute.labels.key/value |
| Conditions | Data/Conditions | about.resource.attribute.labels.key/value |
| Action | Data/Action | about.resource.attribute.labels.key/value |
| | Data/ProcessId | principal.process.pid |
| UserName | Data/UserName | principal.user.userid |
| UserSid | Data/UserSid | principal.user.windows_sid |
| FilterName | Data/FilterName | target.resource.name |
| FilterId | Data/FilterId | target.resource.product_object_id |
Event ID 403
Provider: PowerShell

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | metadata.description; NewEngineState is set to target.labels.key/value; PreviousEngineState is set to target.labels.key/value; HostName is set to target.hostname; HostVersion is set to target.labels.key/value; HostId is set to target.labels.key/value; HostApplication is set to target.application; EngineVersion is set to target.labels.key/value; RunspaceId is set to target.labels.key/value; PipelineId is set to target.labels.key/value; CommandName is set to target.labels.key/value; CommandType is set to target.labels.key/value; ScriptName is set to target.process.file.names; CommandPath is set to target.process.file.full_path; CommandLine is set to target.process.command_line; NewEngineState is set to additional.fields.key and additional.fields.value.string_value; PreviousEngineState is set to additional.fields.key and additional.fields.value.string_value; HostVersion is set to additional.fields.key and additional.fields.value.string_value; HostId is set to additional.fields.key and additional.fields.value.string_value; EngineVersion is set to additional.fields.key and additional.fields.value.string_value; RunspaceId is set to additional.fields.key and additional.fields.value.string_value; PipelineId is set to additional.fields.key and additional.fields.value.string_value; CommandName is set to additional.fields.key and additional.fields.value.string_value; CommandType is set to additional.fields.key and additional.fields.value.string_value |

Event ID 4105
Provider: Microsoft-Windows-PowerShell

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_START |
| UserID | | principal.user.windows_sid |
| Domain | | principal.administrative_domain |
| ScriptBlockId | | principal.resource.product_object_id |
| SourceName | | target.application |
| Category | | security_result.summary |
| Message | | security_result.description |
| ProcessID | | principal.process.pid |
| AccountType | | principal.user.userid |
| RunspaceId | | target.labels.key/value; additional.fields.key and additional.fields.value.string_value |
Event ID 105
Provider: ESENT

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | metadata.description; pid is set to target.process.pid; additional_data is set to about.labels.key/value; additional_data is set to additional.fields.key and additional.fields.value.string_value |

Event ID 4440
Provider: Microsoft-Windows-Complus

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | metadata.description |
| param1 | | target.labels.key/value; additional.fields.key and additional.fields.value.string_value |

Event ID 8200
Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | security_result.description |

Event ID 1004
Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | security_result.description |

Event ID 1014
Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | security_result.description |

Event ID 8197
Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | security_result.description; RuleId is set to security_result.rule_id; Action is set to security_result.action_details; app_name is set to target.application; AppId is set to target.labels.key/value; SkuId is set to target.labels.key/value; NotificationInterval is set to target.labels.key/value; Trigger is set to target.labels.key/value; AppId is set to additional.fields.key and additional.fields.value.string_value; SkuId is set to additional.fields.key and additional.fields.value.string_value; NotificationInterval is set to additional.fields.key and additional.fields.value.string_value; Trigger is set to additional.fields.key and additional.fields.value.string_value |

Event ID 20482
Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | metadata.description |

Event ID 1033
Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | security_result.description; DirectiveName is set to target.labels.key/value; AppId is set to target.labels.key/value; SkuId is set to target.labels.key/value; DirectiveName is set to additional.fields.key and additional.fields.value.string_value; AppId is set to additional.fields.key and additional.fields.value.string_value; SkuId is set to additional.fields.key and additional.fields.value.string_value |

Event ID 1013
Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | metadata.description; SkuId is set to target.labels.key/value; SkuId is set to additional.fields.key and additional.fields.value.string_value |

Event ID 1067
Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | metadata.description |

Event ID 12304
Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | metadata.description |

Event ID 1036
Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | metadata.description |

Event ID 20489
Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | metadata.description |

Event ID 20481
Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | metadata.description |

Event ID 1025
Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | metadata.description; product_name is set to target.application; ProcessPath is set to target.process.file.full_path; ProcessName is set to target.process.command_line; ProcessId is set to target.process.pid |
| Domain | | principal.administrative_domain |
| AccountName | | principal.user.userid |
| UserID | | principal.user.windows_sid |
| AccountType | | principal.user.attribute.roles.name |

Event ID 12305
Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | metadata.description |

Event ID 12311
Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | metadata.description |

Event ID 20488
Provider: Microsoft-Windows-Security-SPP

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | metadata.description |

Event ID 1281
Provider: Microsoft-Windows-TPM-WMI

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | metadata.description |
| Domain | | principal.administrative_domain |
| AccountName | | principal.user.userid |
| UserID | | principal.user.windows_sid |
| AccountType | | principal.user.attribute.roles.name |

Event ID 63
Provider: Microsoft-Windows-WMI

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | metadata.description |

Event ID 1025
Provider: MsiInstaller

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | metadata.description; product_name is set to target.application; ProcessPath is set to target.process.file.full_path; ProcessName is set to target.process.command_line; ProcessId is set to target.process.pid |
| Domain | | principal.administrative_domain |
| AccountName | | principal.user.userid |
| UserID | | principal.user.windows_sid |
| AccountType | | principal.user.attribute.roles.name |

Event ID 11724
Provider: MsiInstaller

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = SERVICE_START |
| Message | | metadata.description; Product is set to target.application |

Event ID 1005
Provider: MsiInstaller

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | metadata.description |
| Domain | | principal.administrative_domain |
| AccountName | | principal.user.userid |
| UserID | | principal.user.windows_sid |
| AccountType | | principal.user.attribute.roles.name |

Event ID 1038
Provider: MsiInstaller

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | metadata.description |
| Domain | | principal.administrative_domain |
| AccountName | | principal.user.userid |
| UserID | | principal.user.windows_sid |
| AccountType | | principal.user.attribute.roles.name |

Event ID 1029
Provider: MsiInstaller

| NXLog field | Event Viewer field | UDM field |
|---|---|---|
| | | metadata.event_type = STATUS_UPDATE |
| Message | | metadata.description |
| Domain | | principal.administrative_domain |
| AccountName | | principal.user.userid |
| UserID | | principal.user.windows_sid |
| AccountType | | principal.user.attribute.roles.name |
Event ID 7030
Provider: Service Control Manager

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_UNSPECIFIED; target.application is set to Printer Extensions and Notifications service |
| Message | | metadata.description |
Event ID 202
Provider: Microsoft-Windows-TaskScheduler

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED; target.resource.resource_type = TASK |
| TaskName | | target.resource.name |
| ActionName | | security_result.action_details |
| TaskInstanceId | | target.resource.product_object_id |
| Domain | | principal.administrative_domain |
| AccountName | | principal.user.attribute.roles.name |
| UserID | | principal.user.windows_sid |
| AccountType | | principal.user.roles.description |
Event ID 103
Provider: Microsoft-Windows-TaskScheduler

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED; target.resource.resource_type = TASK |
| TaskName | | target.resource.name |
| TaskInstanceId | | target.resource.product_object_id |
| Domain | | principal.administrative_domain |
| AccountName | | principal.user.attribute.roles.name |
| UserID | | principal.user.windows_sid |
| AccountType | | principal.user.roles.description |
Event ID 119
Provider: Microsoft-Windows-TaskScheduler

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED; target.resource.resource_type = TASK |
| TaskName | | target.resource.name |
| InstanceId | | target.resource.product_object_id |
| Domain | | principal.administrative_domain |
| AccountName | | principal.user.attribute.roles.name |
| UserID | | principal.user.windows_sid |
| AccountType | | principal.user.roles.description |
| UserName | | target.user.user_display_name |
Event ID 141
Provider: Microsoft-Windows-TaskScheduler

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SCHEDULED_TASK_DELETION; target.resource.resource_type = TASK |
| TaskName | | target.resource.name |
| Domain | | principal.administrative_domain |
| AccountName | | principal.user.attribute.roles.name |
| UserID | | principal.user.windows_sid |
| AccountType | | principal.user.roles.description |
| UserName | | principal.user.user_display_name |
Event ID 106
Provider: Microsoft-Windows-TaskScheduler

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED; target.resource.resource_type = TASK |
| TaskName | | target.resource.name |
| Domain | | principal.administrative_domain |
| AccountName | | principal.user.attribute.roles.name |
| UserID | | principal.user.windows_sid |
| AccountType | | principal.user.roles.description |
| UserContext | | target.user.user_display_name |
Event ID 108
Provider: Microsoft-Windows-TaskScheduler

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED; target.resource.resource_type = TASK |
| TaskName | | target.resource.name |
| Domain | | principal.administrative_domain |
| AccountName | | principal.user.attribute.roles.name |
| UserID | | principal.user.windows_sid |
| AccountType | | principal.user.roles.description |
| InstanceId | | target.resource.product_object_id |
Event ID 110
Provider: Microsoft-Windows-TaskScheduler

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED; target.resource.resource_type = TASK |
| TaskName | | target.resource.name |
| Domain | | principal.administrative_domain |
| AccountName | | principal.user.attribute.roles.name |
| UserID | | principal.user.windows_sid |
| AccountType | | principal.user.roles.description |
| InstanceId | | target.resource.product_object_id |
| UserContext | | principal.user.user_display_name |
Event ID 118
Provider: Microsoft-Windows-TaskScheduler

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED; target.resource.resource_type = TASK |
| TaskName | | target.resource.name |
| Domain | | principal.administrative_domain |
| AccountName | | principal.user.attribute.roles.name |
| UserID | | principal.user.windows_sid |
| AccountType | | principal.user.roles.description |
| InstanceId | | target.resource.product_object_id |
Event ID 142
Provider: Microsoft-Windows-TaskScheduler

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SCHEDULED_TASK_DISABLE; target.resource.resource_type = TASK |
| TaskName | | target.resource.name |
| Domain | | principal.administrative_domain |
| AccountName | | principal.user.attribute.roles.name |
| UserID | | principal.user.windows_sid |
| AccountType | | principal.user.roles.description |
| UserName | | principal.user.user_display_name |
Event ID 2006
Provider: ESENT

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_UNSPECIFIED |
| Message | | metadata.description; extract PID and map it to UDM field target.process.pid |

Event ID 2001
Provider: ESENT

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_UNSPECIFIED |
| Message | | metadata.description; extract PID and map it to UDM field target.process.pid |

Event ID 216
Provider: ESENT

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_UNSPECIFIED |
| Message | | metadata.description; extract PID and map it to UDM field target.process.pid |

Event ID 2003
Provider: ESENT

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_UNSPECIFIED |
| Message | | metadata.description; extract PID and map it to UDM field target.process.pid |

Event ID 2005
Provider: ESENT

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_UNSPECIFIED |
| Message | | metadata.description; extract PID and map it to UDM field target.process.pid |

Event ID 637
Provider: ESENT

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_UNSPECIFIED |
| Message | | metadata.description; extract PID and map it to UDM field target.process.pid |

Event ID 327
Provider: ESENT

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_UNSPECIFIED |
| Message | | metadata.description; extract PID and map it to UDM field target.process.pid; extract src_path and map it to UDM field src.file.full_path; extract target_path and map it to UDM field target.file.full_path |
Event ID 17063
Provider: MSSQLSERVER

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| Message | | security_result.description |

Event ID 17137
Provider: MSSQLSERVER

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_START |
| Domain | | principal.administrative_domain |
| AccountName | | principal.user.attribute.roles.name |
| UserID | | principal.user.windows_sid |
| AccountType | | principal.user.roles.description |
| Message | | metadata.description; extract database_name and map it to UDM field target.application |

Event ID 49930
Provider: MSSQLSERVER

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| Message | | metadata.description |

Event ID 852
Provider: MSSQLSERVER

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| Message | | metadata.description |
Event ID 53504
Provider: Microsoft-Windows-PowerShell

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_START; target.application = IPC |
| Domain | | principal.administrative_domain |
| AccountName | | principal.user.attribute.roles.name |
| UserID | | principal.user.windows_sid |
| AccountType | | principal.user.roles.description |
| Message | | metadata.description |
| param2 | | target.domain.name |

Event ID 40962
Provider: Microsoft-Windows-PowerShell

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = STATUS_UPDATE |
| Domain | | principal.administrative_domain |
| AccountName | | principal.user.attribute.roles.name |
| UserID | | principal.user.windows_sid |
| AccountType | | principal.user.roles.description |
| Message | | metadata.description |

Event ID 40961
Provider: Microsoft-Windows-PowerShell

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SERVICE_START |
| Domain | | principal.administrative_domain |
| AccountName | | principal.user.attribute.roles.name |
| UserID | | principal.user.windows_sid |
| AccountType | | principal.user.roles.description |
| Message | | metadata.description |
Event ID 530
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_LOGIN; security_result.action set to "FAIL" |

Event ID 531
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_LOGIN; security_result.action set to "FAIL" |

Event ID 532
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_LOGIN; security_result.action set to "FAIL" |

Event ID 533
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_LOGIN; security_result.action set to "FAIL" |

Event ID 534
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_LOGIN; security_result.action set to "FAIL" |

Event ID 535
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_LOGIN; security_result.action set to "FAIL" |

Event ID 536
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_LOGIN; security_result.action set to "FAIL" |

Event ID 537
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_LOGIN; security_result.action set to "FAIL" |

Event ID 539
Provider: Microsoft-Windows-Security-Auditing

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = USER_LOGIN; security_result.action set to "FAIL" |
Event ID 1116
Provider: Microsoft-Windows-Windows Defender

| NXLog field | Event Viewer field | UDM field |
| --- | --- | --- |
| | | metadata.event_type = SCAN_UNCATEGORIZED |
| FWLink | | additional.fields.key, additional.fields.value.string_value |
| ThreatName | | security_result.threat_name |
| ThreatID | | security_result.threat_id |
| SeverityName | | security_result.detection_fields.key/value |
| CategoryName | | security_result.category = SOFTWARE_PUA; security_result.category_details |
| Path | | target.file.full_path |
| DetectionOrigin | | security_result.detection_fields.key/value |
| DetectionType | | security_result.detection_fields.key/value |
| DetectionSource | | security_result.detection_fields.key/value |
| DetectionUser | | target.user.userid |
| ProcessName | | target.process.file.full_path |
| SecurityintelligenceVersion | | security_result.detection_fields.key/value |
| EngineVersion | | security_result.detection_fields.key/value |
| Product Name | | additional.fields.key, additional.fields.value.string_value |
| Product Version | | additional.fields.key, additional.fields.value.string_value |
| Detection ID | | security_result.detection_fields.key/value |
| Detection Time | | security_result.first_discovered_time |
| Severity ID | | security_result.detection_fields.key/value |
| Category ID | | security_result.detection_fields.key/value |
| Status Code | | security_result.detection_fields.key/value |
| State | | security_result.detection_fields.key/value |
| Source ID | | security_result.detection_fields.key/value |
| Origin ID | | security_result.detection_fields.key/value |
| Execution ID | | security_result.detection_fields.key/value |
| Execution Name | | security_result.detection_fields.key/value |
| Type ID | | security_result.detection_fields.key/value |
| Pre Execution Status | | security_result.detection_fields.key/value |
| Action ID | | security_result.detection_fields.key/value |
| Action Name | | security_result.action_details |
| Error Code | | security_result.detection_fields.key/value |
| Error Description | | security_result.description |
| Post Clean Status | | security_result.detection_fields.key/value |
| Additional Actions ID | | security_result.detection_fields.key/value |
| Additional Actions String | | security_result.detection_fields.key/value |
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-07-09 UTC.