Collect Microsoft Windows Event data
This document describes the deployment architecture, installation steps, and required configuration that produce logs supported by the Chronicle parser for Windows events. This document also includes information about how the parser maps fields in the original log to Chronicle Unified Data Model fields. For an overview of Chronicle data ingestion, see Data ingestion to Chronicle.
To ingest Windows event logs to Chronicle, you can use NXLog forwarder ingestion or Google Cloud native ingestion. For more information, regarding native ingestion see Ingest Google Cloud data to Chronicle.
Information in this document applies to the parser with the WINEVTLOG ingestion label. The ingestion label identifies which parser normalizes raw log data to structured UDM format.
Before you begin
Review the recommended deployment architecture
If your deployment includes a Windows server on Google Cloud, then we recommended that you use Google Cloud native ingestion. Otherwise, you can use NXLog forwarder ingestion.
Google Cloud native ingestion architecture
If the Windows events have the Provider value Microsoft-Windows-Security-Auditing, then the WINEVTLOG parser supports Google Cloud native ingestion.
Configure Ops Agent to ingest Microsoft Windows Event logs into Chronicle
- Deploy a Windows server in Google Cloud.
- Configure an Ops Agent on Windows Server.
- Install the Cloud Logging agent on Windows Server.
- Enable the following export filter in the Chronicle instance:
(log_id("winevt.raw") OR log_id("windows_event_log")). For more information, see Ingest Google Cloud data to Chronicle.
NXLog forwarder ingestion deployment architecture
This diagram illustrates the recommended foundational components in a deployment architecture to collect and send Microsoft Windows Event data to Chronicle. Compare this information with your environment to be sure these components are installed. Each customer deployment will differ from this representation and may be more complex. The following is required:
- Systems in the deployment architecture are configured with the UTC time zone.
- NXLog is installed on the collector Microsoft Windows server.
- The collector Microsoft Windows server receives logs from servers, endpoints, and domain controllers.
- Microsoft Windows systems in the deployment architecture use.
- Source Initiated Subscriptions to collect events across multiple devices.
- WinRM service is enabled for remote system management.
- NXLog is installed on the collector Window server to forward logs to Chronicle forwarder.
Chronicle forwarder is installed on the collector Microsoft Windows or Linux server.
Review the supported devices and versions
The Chronicle parser supports logs from the following Microsoft Windows server versions. Microsoft Windows server is released with the following editions: Foundation, Essentials, Standard, and Datacenter. The event schema of logs generated by each edition do not differ.
- Microsoft Windows Server 2019
- Microsoft Windows Server 2016
- Microsoft Windows Server 2012
Chronicle parser supports logs from Microsoft Windows 10 and higher client systems.
Chronicle parser supports logs collected by NXLog Community or Enterprise Edition.
Review the supported log types
The Chronicle parser supports the following log types generated by Microsoft Windows systems. For more information about these log types, see the Microsoft Windows Event Log documentation. It supports logs generated with English language text and is not supported with logs generated in non-English languages.
| Log Type | Notes |
|---|---|
| Security | Security audit and event logs. |
| Application | Events logged by applications or programs. If the manifest isn't installed locally, application logs will have missing / hex values. |
| System | Events logged by Microsoft Windows system components. |
Configure the Microsoft Windows servers, endpoints, and domain controllers
- Install and configure the servers, endpoints, and domain controllers.
- Configure all systems with the UTC time zone.
- Configure devices to forward logs to a collector Microsoft Windows server.
- Configure a Source Initiated Subscription on Microsoft Windows server (Collector). For information, see Setting up a Source Initiated Subscription.
- Enable WinRM on Microsoft Windows servers and clients. For information, see Installation and configuration for Microsoft Windows Remote Management.
Configure the Microsoft Windows collector server
Set up a collector Microsoft Windows server to collect from systems.
- Configure the system with the UTC time zone.
- Install NXLog. Follow the NXLog documentation.
Create a configuration file for NXLog. Use im_msvistalog input module for Microsoft Windows server security channel logs. Replace
<hostname>and<port>values with information about the central Microsoft Windows or Linux server. See the NXLog documentation for information about the om_tcp module.define ROOT C:\Program Files (x86)\nxlog define WINEVTLOG_OUTPUT_DESTINATION_ADDRESS <hostname> define WINEVTLOG_OUTPUT_DESTINATION_PORT <port> define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _json> Module xm_json </Extension> <Input windows_security_eventlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0"> <Select Path="Application">*</Select> <Select Path="System">*</Select> <Select Path="Security">*</Select> </Query> </QueryList> </QueryXML> ReadFromLast False SavePos False </Input> <Output out_chronicle_windevents> Module om_tcp Host %WINEVTLOG_OUTPUT_DESTINATION_ADDRESS% Port %WINEVTLOG_OUTPUT_DESTINATION_PORT% Exec $EventTime = integer($EventTime) / 1000; Exec $EventReceivedTime = integer($EventReceivedTime) / 1000; Exec to_json(); </Output> <Route r2> Path windows_security_eventlog => out_chronicle_windevents </Route>Start the NXLog service.
Configure the central Microsoft Windows or Linux server
See the Installing and configuring the forwarder on Linux or Installing and configuring the forwarder on Microsoft Windows for information about installing and configuring the forwarder.
- Configure the system with the UTC time zone.
- Install the Chronicle forwarder on the central Microsoft Windows or Linux server.
Configure the Chronicle forwarder to send logs to Chronicle. Here is an example forwarder configuration.
- syslog: common: enabled: true data_type: WINEVTLOG batch_n_seconds: 10 batch_n_bytes: 1048576 tcp_address: 0.0.0.0:10518 connection_timeout_sec: 60
Field mapping reference: Common device event fields to UDM fields
The following fields are common across multiple Event IDs and are mapped the same way.
| NXLog field | UDM field |
|---|---|
| EventTime | metadata.event_timestamp |
| Hostname | principal.hostname |
| EventID | product_event_type is set to "%{EventID}" security_result.rule_name is set to "EventID: %{EventID}" |
| SourceName | metadata.product_name is set to "%25%7BSourceName}" metadata.vendor is set to "Microsoft" |
Category |
about.labels.key/value additional.fields.key additional.fields.value.string_value |
Channel |
about.labels.key/value additional.fields.key additional.fields.value.string_value |
| Severity | Values mapped to security_result.severity field as follows: Original value 0 (None), is set to UNKNOWN_SEVERITY Original value 1 (Critical) is set to INFORMATIONAL Original value 2 (Error) is set to ERROR Original value 3 (Warning) is set to ERROR Original value 4 (Informational) is set to INFORMATIONAL Original value 5 (Verbose) is set to INFORMATIONAL |
| UserID | principal.user.windows_sid |
| ExecutionProcessID | principal.process.pid |
| ProcessID | principal.process.pid |
| ProviderGuid | metadata.product_deployment_id |
| RecordNumber | metadata.product_log_id |
SourceModuleName |
observer.labels.key/value additional.fields.key additional.fields.value.string_value |
| SourceModuleType | observer.application |
Opcode |
about.labels.key/value additional.fields.key additional.fields.value.string_value |
| ActivityID | security_result.detection_fields.key/value |
Field mapping reference: device event field to UDM field by EventID
The following section describes how NXlog/EventViewer fields are mapped to UDM fields. Data may be mapped differently for different Microsoft Windows Event IDs.
The section heading identifies the Event Id, plus version (e.g. version 0) and operatiing system (e.g. Microsoft Windows 10 client) if applicable. There may be more than one section for an Event ID when the map for a specific version or operating system is different.
Event ID 0
Provider: Directory Synchronization
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Data |
|
security_result.summary |
Provider: gupdate
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Provider: hcmon
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE target_resource_name set to target.resource.name |
Provider: edgeupdate
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
Event ID 1
Provider: Microsoft-Windows-FilterManager
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
version 0 / Provider: Microsoft-Windows-Kernel-General
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
version 1 / Provider: Microsoft-Windows-Kernel-General
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Reason |
Data/Reason |
security_result.description |
|
ProcessName |
Data/ProcessName |
principal.process.command_line |
|
ProcessID |
Data/ProcessID |
principal.process.pid
|
Provider: Microsoft-Windows-Sysmon
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = PROCESS_LAUNCH
If EventLevelName contains "Information" then security_result.severity = INFORMATIONAL |
|
EventData.Hashes |
|
Based on Hash algorithm. MD5 set to target.process.file.md5 SHA256 set to target.process.file.sha256 SHA1 set to target.process.file.sha1 |
|
EventData.User |
|
Domain set to principal.administrative_domain
Username set to principal.user.userid |
|
Description |
|
metadata.description |
|
CommandLine |
|
target.process.command_line |
|
Image |
|
target.process.file.full_path |
|
ParentCommandLine |
|
target.process.parent_process.command_line |
|
ParentImage |
|
target.process.parent_process.file.full_path |
|
ParentProcessId |
|
target.process.parent_process.pid |
|
ProcessId |
|
target.process.pid |
|
EventOriginId |
|
target.process.product_specific_process_id set to "sysmon:%{EventOriginId}" |
Provider: SecurityCenter
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_START |
|
SourceName |
Not available |
target.application |
Provider: telegraf
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Data |
|
security_result.description |
Provider: WudfUsbccidDriver
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Context |
Data/Context |
security_result.description |
Event ID 2
Provider: MEIx64
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE
Message set to security_result.summary |
Provider: SecurityCenter
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_STOP |
|
SourceName |
Not available |
target.application |
Provider: vmci
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE
Message set to security_result.summary |
Provider: Microsoft-Windows-WHEA-Logger
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 3
version 3 / Provider: Microsoft-Windows-Power-Troubleshooter
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_STARTUP |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
SleepTime |
Data/SleepTime |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
WakeTime |
Data/WakeTime |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
WakeSourceType |
Data/WakeSourceType |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
WakeSourceText |
Data/WakeSourceText |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
Provider: Microsoft-Windows-Security-Kerberos
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
File |
|
target.file.full_path |
Provider: Virtual Disk Service
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
Provider: vmci
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Provider: Microsoft-Windows-Bits-Client
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
jobTitle |
|
target.resource.name |
|
processPath |
|
target.process.file.full_path |
Event ID 4
Provider: Microsoft-Windows-Security-Kerberos
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Server |
|
target.hostname |
Provider: Virtual Disk Service
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED Message set to security_result.summary |
Provider: Microsoft-Windows-Bits-Client
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
name |
|
target.resource.name |
|
Id |
|
target.resource.product_object_id |
|
url |
|
target.url |
|
fileLength |
|
target.file.size |
Event ID 5
Provider: iScsiPrt
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE Message set to security_result.summary |
Provider: McAfee Service Controller
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Provider: Microsoft-Windows-Search-ProfileNotify
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_MODIFICATION |
|
SourceName |
|
target.application |
|
User |
Data/User |
target.user.userid |
Event ID 6
Provider: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
ErrorCode |
|
security_result.summary
Format: %{ErrorCode}-%{ErrorMsg} |
|
ErrorMsg |
|
security_result.summary
Format: %{ErrorCode}-%{ErrorMsg} |
|
Context |
|
target.application |
Provider: Microsoft-Windows-FilterManager
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Provider: WudfUsbccidDriver
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 7
Provider: AdmPwd
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Data |
|
security_result.summary
Format: "Error: %{Data}" |
Provider: WudfUsbccidDriver
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 8
Provider: CylanceSvc
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
Provider: WSH
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Data_1 |
|
principal.labels additional.fields.key additional.fields.value.string_value |
Data_2 |
principal.labels additional.fields.key additional.fields.value.string_value |
|
Data_3 |
principal.process.command_line | |
Message |
metadata.description |
Event ID 9
Provider: volsnap
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
VolumeName |
|
target.file.full_path |
Event ID 10
Provider: WudfUsbccidDriver
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 11
Provider: Microsoft-Windows-Hyper-V-Netvsc
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
MiniportName |
|
target.resource.name |
Provider: Microsoft-Windows-Kernel-General
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Provider: WudfUsbccidDriver
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Error |
Data/Error |
security_result.summary is set to "ErrorCode: %{Error}"
|
Provider: Microsoft-Windows-Wininit
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 12
Provider: Microsoft-Windows-Kernel-General
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_STARTUP |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Provider: Microsoft-Windows-Sysmon
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = REGISTRY_CREATION
If EventLevelName =~ "Information" then security_result.severity = INFORMATIONAL |
|
EventOriginId |
|
target.process.product_specific_process_id set to "sysmon: %{EventOriginId}" |
|
EventData/EventType |
|
target.registry.registry_key |
|
EventData/TargetObject |
|
target.registry.registry_value_name |
Provider: Microsoft-Windows-Time-Service
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Provider: Microsoft-Windows-UserModePowerService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ProcessPath |
|
target.process.file.full_path |
|
NewSchemeGuid |
|
target.resource.product_object_id |
Provider: Microsoft-Windows-EnhancedStorage-EhStorTcgDrv
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 13
Provider: Microsoft-Windows-Kernel-General
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_SHUTDOWN |
Provider: Microsoft-Windows-Sysmon
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = REGISTRY_MODIFICATION
If EventLevelName =~ "Information" then security_result.severity = INFORMATIONAL |
|
EventOriginId |
|
target.process.product_specific_process_id set to "sysmon: %{EventOriginId}" |
|
EventData/EventType |
|
target.registry.registry_key |
|
EventData/Details |
|
target.registry.registry_value_data |
Provider: Microsoft-Windows-CertificateServicesClient-CertEnroll
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE
|
|
Domain |
|
principal.administrative_domain |
|
AccountName |
|
principal.user.userid |
|
AccountType |
|
principal.user.attribute.roles.name |
|
Message |
|
metadata.description |
|
UserID |
|
principal.user.windows_sid |
|
CA |
|
about.labels.key/value additional.fields.key additional.fields.value.string_value |
|
ErrorCode |
|
security_result.summary Format: summary is set to %{error_code} - %{error_message} |
Provider: NPS
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Data |
|
target.ip |
Event ID 14
Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
ClientName |
|
principal.asset.hostname |
|
Target |
|
target.application |
|
Account |
|
target.hostname |
Provider: Microsoft-Windows-Wininit
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Provider: Microsoft-Windows-Hyper-V-Hypervisor
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Error |
Data/Error |
security_result.description Format: Error - %{value} |
Provider:TPM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
UserID |
Security/UseID |
principal.user.windows_sid |
Event ID 15
Provider: Disk
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED target_hostname set to target.hostname |
Provider: Microsoft-Windows-Kernel-General
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = REGISTRY_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
NewSize |
Data/NewSize |
target.file.size |
|
HiveName |
Data/HiveName |
target.registry.registry_key |
Provider: SecurityCenter
|
NXLog field |
Event Viewer field |
UDM field |
|
|
Not available |
metadata.event_type = STATUS_UPDATE |
Provider:TPM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
UserID |
Security/UseID |
principal.user.windows_sid |
Event ID 16
Provider: Microsoft-Windows-HAL
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
ClientName |
|
principal.asset.hostname |
|
Target |
|
target.application |
|
Account |
|
target.hostname |
Provider: Microsoft-Windows-Kernel-General
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = REGISTRY_MODIFICATION |
|
Domain |
System/Domain |
principal.administrative_domain |
|
ProcessID |
System/ProcessID |
principal.process.pid |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
HiveName |
Data/HiveName |
target.registry.registry_key |
Provider: Microsoft-Windows-WindowsUpdateClient
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE Message set to metadata.description |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
version 0 / Provider: Microsoft-Windows-HAL
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 17
Provider: Microsoft-Windows-WHEA-Logger
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Provider: Microsoft-Windows-WindowsUpdateClient
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE
Category set to security_result.category_details Message set to metadata.description |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 18
Provider: BTHUSB
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Provider: Microsoft-Windows-Kernel-Boot
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Provider: TPM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 19
version 0 / Provider: Microsoft-Windows-WindowsUpdateClient
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
Category |
Data/Category |
security_result.category_details |
Provider: Intel-SST-OED
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
Category |
|
security_result.summary |
Provider: Microsoft-Windows-WHEA-Logger
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
Event ID 20
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service" |
|
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: Error Code: %{value} |
Provider: Microsoft-Windows-Kernel-Boot
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Provider: Microsoft-Windows-WindowsUpdateClient
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
updateRevisionNumber |
|
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
updateTitle |
|
target.resource.name |
|
updateGuid |
|
target.resource.product_object_id |
Microsoft-Windows-Kernel-General
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 21
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service" |
|
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: Error Code: %{value} |
Event ID 22
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service" |
|
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: Error Code: %{value} |
Provider: Microsoft-Windows-WindowsUpdateClient
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE
Category set to security_result.category_details Message set to metadata.description |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
updatelist |
|
security_result.description |
Provider: Microsoft-Windows-UserModePowerService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 23
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service" |
|
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: Error Code: %{value} |
Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Event ID 24
Provider: Microsoft-Windows-Kernel-General
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
version 0 / Provider: Microsoft-Windows-Kernel-General
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Provider: Microsoft-Windows-Time-Service
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
ErrorMessage |
Data/ErrorMessage |
security_result.description |
|
DomainPeer |
Data/DomainPeer |
target.administrative_domain |
Provider:TPM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
UserID |
Security/UseID |
principal.user.windows_sid |
Event ID 25
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service" |
Provider: Microsoft-Windows-Kernel-Boot
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 26
Provider: Application Popup
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
Caption |
|
security_result.summary |
Provider: Microsoft-Windows-CertificationAuthority
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_START
target.application = "Active Directory Certificate Services" |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
DCName |
Data/DCName |
target.administrative_domain |
|
CACommonName |
Data/CACommonName |
target.user.userid |
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service" |
Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Target |
|
target.hostname |
|
Name |
|
target.user.userid |
Event ID 27
version 0 / Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service" |
|
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: Error Code: %{value} |
|
NewLogFilePath |
Data/NewLogFilePath |
target.file.full_path |
Provider: Microsoft-Windows-Kernel-Boot
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Provider: Microsoft-Windows-WindowsUpdateClient
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE Message set to metadata.description |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 28
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service" |
|
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: Error Code: %{value} |
Provider: Microsoft-Windows-WindowsUpdateClient
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE Message set to metadata.description |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 29
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service" |
|
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: Error Code: %{value} |
Event ID 30
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service" |
|
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: Error Code: %{value} |
Provider: Microsoft-Windows-Kernel-Boot
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 31
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service" |
|
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: Error Code: %{value} |
Event ID 32
Provider: e1iexpress
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE Message set to security_result.summary |
Provider: Microsoft-Windows-Kernel-Boot
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 33
Provider: volsnap
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = FILE_UNCATEGORIZED |
|
VolumeName |
|
target.file.full_path |
|
DeviceName |
|
target.resource.name |
Event ID 34
Provider: Oracle.xstore
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = RESOURCE_READ |
|
DBID |
|
additional.fields.key/value |
|
SourceName |
|
principal.application |
|
DATABASE_USER |
|
principal.user.uerid |
|
ACTION |
|
target.process.command_line |
Event ID 35
Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Provider: Microsoft-Windows-Time-Service
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 36
Provider: Microsoft-Windows-Time-Service
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Provider: NPS
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_CONNECTION
If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Message |
|
Ip set to target.ip |
Event ID 37
Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
ClientName |
|
principal.asset.hostname |
|
ServerName |
|
target.hostname |
Provider: Microsoft-Windows-Kernel-Processor-Power
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
Number |
Data/Number |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
CapDurationInSeconds |
Data/CapDurationInSeconds |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
Provider: Microsoft-Windows-Time-Service
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 38
Provider: Microsoft-Windows-CertificationAuthority
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_STOP
target.application = "Active Directory Certificate Services" |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
CACommonName |
Data/CACommonName |
target.user.userid |
Event ID 40
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service" |
|
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: Error Code: %{value} |
Event ID 42
version 0 Windows 10 client / Provider: Microsoft-Windows-Kernel-Power
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
version 2 Windows 10 client /
|
NXLog field |
Event Viewer field |
UDM field |
|
Reason |
Data/Reason |
security_result.description |
Event ID 43
Provider: Microsoft-Windows-WindowsUpdateClient
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
updateRevisionNumber |
Data/updateRevisionNumber |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
updateTitle |
Data/updateTitle |
target.resource.name |
|
updateGuid |
Data/updateGuid |
target.resource.product_object_id |
Provider: Microsoft-Windows-Hyper-V-Hypervisor
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 44
version 0 Windows 10 client / Provider: Microsoft-Windows-WindowsUpdateClient
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
Category |
Data/Category |
security_result.category_details |
Event ID 45
Provider: Symantec AntiVirus
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
Data |
|
security_result.summary |
Event ID 47
Provider: Microsoft-Windows-Time-Service
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ErrorMessage |
|
security_result.description |
|
ManualPeer |
|
target.ip |
Provider: Microsoft-Windows-WHEA-Logger
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 49
Provider: Microsoft-Windows-Hyper-V-Netvsc
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Status |
Data/Status |
security_result.summary |
Event ID 50
Provider: Microsoft-Windows-Time-Service
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Provider: Ntfs
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 51
Provider: Disk
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED target_hostname set to target.hostname |
Event ID 55
version 0 Windows 10 client / Provider: Microsoft-Windows-Kernel-Processor-Power
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Provider: Ntfs
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
Outcome |
|
security_result.summary |
Event ID 57
Provider: hpqilo3
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Event ID 58
Provider: partmgr
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED Message set to metadata.description |
Provider: volsnap
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE Message set to metadata.description |
Event ID 59
Provider: Microsoft-Windows-Bits-Client
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
name |
|
target.resource.name |
|
Id |
|
target.resource.product_object_id |
|
url |
|
target.url |
|
fileLength |
|
target.file.size |
Event ID 60
Provider: Microsoft-Windows-Bits-Client
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
name |
|
target.resource.name |
|
url |
|
target.url |
|
fileLength |
|
target.file.size |
Event ID 61
Provider: Microsoft-Windows-Bits-Client
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
name |
|
target.resource.name |
|
Id |
|
target.resource.product_object_id |
|
url |
|
target.url |
|
fileLength |
|
target.file.size |
Event ID 64
Provider: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Context |
|
target.application |
Event ID 75
Provider: Microsoft-Windows-CertificationAuthority
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED
target.application set to "Active Directory Certificate Services" |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
ErrorMessageText |
|
security_result.summary |
Event ID 77
Provider: Microsoft-Windows-CertificationAuthority
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED
target.application set to "Active Directory Certificate Services" |
|
WarningMessage |
|
security_result.description |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Event ID 80
Provider: ocz10xx
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Data |
|
target.hostname |
Event ID 81
Provider: hpqilo2
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Provider: Microsoft-Windows-FailoverClustering-Client
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
Event ID 98
Provider: Microsoft-Windows-Ntfs
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_HEARTBEAT |
|
Domain |
System/Domain |
principal.administrative_domain |
|
DeviceName |
Data/DeviceName |
principal.hostname |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 100
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service" |
|
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: Error Code: %{value} |
Provider: Microsoft-Windows-TaskScheduler
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SCHEDULED_TASK_ENABLE
target.resource.resource_type = TASK |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
TaskName |
Data/TaskName |
target.resource.name |
|
InstanceId |
Data/InstanceId |
target.resource.product_object_id |
Provider: Microsoft-Windows-EnhancedStorage-EhStorTcgDrv
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE
|
Event ID 101
Provider: Application Management Group Policy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED security_result.description" set to "ErrorCode - %{error_code}" |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 102
Provider: ESENT
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Message |
|
Extract PID and map it to UDM field target.process.pid |
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service" |
|
ProcessID |
Data/ProcessID |
principal.process.pid |
|
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: Error Code: %{value} |
Provider: Microsoft-Windows-TaskScheduler
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED
target.resource.resource_type = TASK |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
TaskName |
Data/TaskName |
target.resource.name |
|
InstanceId |
Data/InstanceId |
target.resource.product_object_id |
Event ID 103
Provider: Application Management Group Policy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED security_result.description" set to "ErrorCode - %{error_code}" |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Provider: ESENT
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Message |
System/Message |
Extract PID and map it to UDM field target.process.pid |
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Reason |
Data/Reason |
security_result.description |
Provider: ocz10xx
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Data |
|
target.hostname |
Event ID 104
Windows 10 client / Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_WIPE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Windows Server 2019 /
|
NXLog field |
Event Viewer field |
UDM field |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Provider: Microsoft-Windows-Forwarding
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
SubscriptionManagerAddress |
Data/SubscriptionManagerAddress |
target.url |
Provider: WudfUsbccidDriver
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 105
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Channel |
Data/Channel |
security_result.description |
|
BackupPath |
Data/BackupPath |
target.file.full_path |
Provider: Microsoft-Windows-Kernel-Power
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
Provider: VMTools
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_START |
|
SourceName |
Not available |
target.application |
Provider: WudfUsbccidDriver
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 106
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 107
version 0 Windows 10 client / Provider: Microsoft-Windows-Kernel-Power
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service" |
|
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: Error Code: %{value} |
Provider: Microsoft-Windows-TaskScheduler
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SCHEDULED_TASK_ENABLE
target.resource.resource_type = TASK |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
TaskName |
Data/TaskName |
target.resource.name |
|
InstanceId |
Data/InstanceId |
target.resource.product_object_id |
Event ID 108
Provider: Application Management Group Policy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED security_result.description" set to "ErrorCode - %{error_code}" |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Provider: VMTools
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_STOP |
|
SourceName |
Not available |
target.application |
Event ID 109
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service" |
|
ProcessID |
Data/ProcessID |
principal.process.pid |
|
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: Error Code: %{value} |
Provider: Microsoft-Windows-Kernel-Power
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_SHUTDOWN |
|
ShutdownReason |
Data/ShutdownReason |
security_result.description |
Event ID 110
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 111
version 0/ Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
version 0/ Provider: Microsoft-Windows-AppReadiness
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Result |
Data/Result |
security_result.summary |
Event ID 112
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 115
Provider: Directory Synchronization
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Data |
|
security_result.summary |
Event ID 129
Provider: Microsoft-Windows-TaskScheduler
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SCHEDULED_TASK_ENABLE
target.resource.resource_type = TASK |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
Priority |
Data/Priority |
security_result.priority_details |
|
Path |
Data/Path |
target.process.file.full_path |
|
ProcessID |
Data/ProcessID |
target.process.pid |
|
TaskName |
Data/TaskName |
target.resource.name |
Provider: Microsoft-Windows-Time-Service
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ErrorMessage |
Data/ErrorMessage |
security_result.description |
Event ID 130
Provider: Microsoft-Windows-Kernel-Power
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Provider: Microsoft-Windows-Time-Service
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
ErrorMessage |
Data/ErrorMessage |
security_result.description |
|
DomainPeer |
Data/DomainPeer |
target.administrative_domain |
Event ID 131
Provider: Microsoft-Windows-Kernel-Power
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Provider: Microsoft-Windows-Time-Service
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ErrorMessage |
Data/ErrorMessage |
security_result.description |
|
DomainPeer |
Data/DomainPeer |
target.administrative_domain |
Event ID 132
Provider: Microsoft-Windows-WinRM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
|
principal.administrative_domain |
|
AccountName |
|
principal.user.userid |
|
AccountType |
|
principal.user.attribute.roles.name |
Event ID 134
Provider: Microsoft-Windows-Time-Service
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ErrorMessage |
Data/ErrorMessage |
security_result.description |
|
DomainPeer |
Data/DomainPeer |
target.administrative_domain |
Event ID 137
Provider: Microsoft-Windows-Kernel-Power
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Provider: Ntfs
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 138
Provider: Microsoft-Windows-Time-Service
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
DomainPeer |
Data/DomainPeer |
target.administrative_domain |
Event ID 139
Provider: Microsoft-Windows-Time-Service
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 140
Provider: Microsoft-Windows-Ntfs
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
DeviceName |
|
principal.hostname |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Provider: Microsoft-Windows-TaskScheduler
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SCHEDULED_TASK_MODIFICATION
target.resource.resource_type = TASK |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
TaskName |
Data/TaskName |
target.resource.name |
|
UserName |
Data/UserName |
target.user..user_display_name |
Event ID 142
Provider: Microsoft-Windows-Time-Service
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Message set to security_result.summary |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Provider: Microsoft-Windows-WinRM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
errorCode |
|
security_result.summary |
|
Domain |
|
principal.administrative_domain |
|
AccountName |
|
principal.user.userid |
|
AccountType |
|
principal.user.attribute.roles.name |
Event ID 143
Provider: Microsoft-Windows-Time-Service
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 145
Provider: Microsoft-Windows-WinRM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
resourceUrl |
|
target.url |
|
AccountName |
|
principal.user.userid |
|
AccountType |
|
principal.user.attribute.roles.name |
|
Domain |
|
principal.administrative_domain |
Event ID 146
Provider: Microsoft-Windows-Time-Service
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED Message set to security_result.summary |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 153
Provider: Disk
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Provider: Microsoft-Windows-Kernel-Boot
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 156
version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 157
Provider: disk
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED Message set to security_result.summary |
Event ID 158
Provider: Disk
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary target_url set to target.url |
Provider: Microsoft-Windows-Time-Service
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
TimeProvider |
|
target.resource.name |
Event ID 159
version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 160
version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 161
version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
Event ID 163
version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 164
version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 165
version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 167
Provider: Microsoft-Windows-Hyper-V-Hypervisor
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 169
Provider: Microsoft-Windows-Hyper-V-Hypervisor
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Status |
Data/Status |
security_result.summary |
Event ID 170
Provider: Microsoft-Windows-Hyper-V-Hypervisor
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 171
version 0 / Provider: Microsoft-Windows-Hyper-V-Hypervisor
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Version |
Data/Version/ |
principal.asset.software.version |
Event ID 172
Provider: Microsoft-Windows-Kernel-Power
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
Reason |
Data/Reason |
security_result.description |
Event ID 173
Provider: Microsoft-Windows-Hyper-V-Hypervisor
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
Event ID 181
version 0 / Provider: Microsoft-Windows-Kernel-Boot
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = status_update |
|
Status |
Data/Status |
security_result.summary |
Event ID 185
version 0 / Provider: Microsoft-Windows-Kernel-Boot
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Status |
Data/Status |
security_result.summary |
Event ID 187
Provider: Microsoft-Windows-Kernel-Power
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
ApiCallerName |
|
principal.process.file.full_path |
Event ID 195
Provider: Microsoft-Windows-USB-USBHUB3
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 196
Provider: Microsoft-Windows-USB-USBHUB3
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 200
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Provider: Microsoft-Windows-TaskScheduler
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SCHEDULED_TASK_ENABLE
target.resource.resource_type = TASK |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
TaskName |
Data/TaskName |
target.resource.name |
|
TaskInstanceId |
Data/TaskInstanceId |
target.resource.product_object_id |
Event ID 201
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Provider: Microsoft-Windows-TaskScheduler
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED
target.resource.resource_type = TASK |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
TaskName |
Data/TaskName |
target.resource.name |
|
TaskInstanceId |
Data/TaskInstanceId |
target.resource.product_object_id |
Event ID 202
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 203
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 204
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Provider: Microsoft-Windows-Security-Kerberos
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
Event ID 205
version 0 Windows Server 2019 / Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
version 1 / Windows 10 client /
|
NXLog field |
Event Viewer field |
UDM field |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
DomainName |
Data/DomainName |
target.administrative_domain |
version 2 / Windows 10 client /
|
NXLog field |
Event Viewer field |
UDM field |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
DomainName |
Data/DomainName |
target.administrative_domain |
Event ID 216
version 1 / Provider: Microsoft-Windows-WindowsUpdateClient
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 219
Provider: Microsoft-Windows-Kernel-PnP
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
DriverName |
|
target.hostname |
|
FailureName |
|
target.resource.name |
Event ID 218
version 0 / Provider: Microsoft-Windows-WindowsUpdateClient
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 221
version 0 / Provider: Microsoft-Windows-Kernel-Boot
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 225
Provider: Microsoft-Windows-Kernel-PnP
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
DeviceInstance |
|
target.hostname |
|
ProcessName |
|
target.process.file.full_path |
version 0 / Provider: Microsoft-Windows-Kernel-Boot
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 233
Provider: Microsoft-Windows-Hyper-V-VmSwitch
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
Event ID 231
version 0 / Provider: Microsoft-Windows-Kernel-Boot
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Code |
Data/Code |
security_result.summary set to "Code - %{Code}" |
Event ID 234
Provider: Microsoft-Windows-Hyper-V-VmSwitch
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
Event ID 238
Provider: Microsoft-Windows-Kernel-Boot
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
version 0 / Provider: Microsoft-Windows-Kernel-Boot
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
version 1 / Provider: Microsoft-Windows-Kernel-Boot
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 258
Provider: VMUpgradeHelper
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SourceName |
Not available |
target.application |
Event ID 260
Provider: VMUpgradeHelper
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SourceName |
Not available |
target.application |
Event ID 263
version 0 / Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 271
Provider: VMUpgradeHelper
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SourceName |
Not available |
target.application |
Event ID 272
Provider: VMUpgradeHelper
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SourceName |
Not available |
target.application |
Event ID 299
Provider: AD FS Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 300
Provider: ESENT
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Extract PID and map it to target.process.pid |
Event ID 301
Provider: ESENT
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Extract PID and map it to target.process.pid |
Event ID 302
Provider: ESENT
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Extract PID and map it to target.process.pid |
Event ID 304
version 0 / Provider: Microsoft-Windows-Ntfs
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Status |
Data/Status |
security_result.summary |
Event ID 313
version 0 / Provider: Microsoft-Windows-Bits-Client
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
ErrorCode |
Data/ErrorCode |
security_result.summary is set to "ErrorCode: %{ErrorCode}" |
Event ID 325
Provider: ESENT
|
NXLog field |
Event Viewer field |
UDM field |
||
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Extract PID and map it target.process.pid |
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED target.resource.resource_type = TASK |
| TaskName
|
|
target.resource.name |
| QueuedTaskInstanceId
|
|
target.resource.product_object_id |
| Domain
|
|
principal.administrative_domain |
| AccountName
|
|
principal.user.attribute.roles.name |
| UserID
|
|
principal.user.windows_sid |
| AccountType
|
|
principal.user.roles.description |
Event ID 326
Provider: ESENT
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Extract PID and map it to target.process.pid |
Event ID 400
Provider: PowerShell
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Data_2 |
|
Extract HostName from Data_2 HostName is set to target.hostname |
Event ID 403
Provider: AD FS Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Data_9 |
|
network.http.user_agent |
|
Domain |
System/Domain |
principal.administrative_domain |
|
Data_8 |
|
principal.ip |
|
Data_7 |
|
principal.port |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
Data_3 |
|
target.ip |
|
Data_5 |
|
target.url |
Event ID 404
Provider: AD FS Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
Data_3 |
|
security_description set to %{Data_3}: %{Data_4} |
|
Data_4 |
|
security_description set to %{Data_3}: %{Data_4} |
Event ID 405
Provider: ADSync
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Data |
|
principal.administrative_domain |
|
Data_1 |
|
principal.user.userid |
Event ID 410
Provider: AD FS Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Data_4 |
|
network.http.user_agent |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
Data_10 |
|
target.ip |
|
Data_8 |
|
target.url |
Event ID 412
Provider: AD FS Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 424
Provider: AD FS Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE
client_certificate_serial set to network.tls.client.certificate.serial client_certificate_subject set to network.tls.client.certificate.subject |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 500
Provider: AD FS Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 501
Provider: AD FS Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 506
Provider: Microsoft-Windows-Kernel-Power
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE security_result.description |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
Event ID 507
Provider: Microsoft-Windows-Kernel-Power
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE reason_description set to security_result.description |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
version 10 / Provider: Microsoft-Windows-Kernel-Power
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Reason |
Data/Reason |
security_result.description |
Event ID 508
Provider: ESENT
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. Extract PID and map it to target.process.pid |
Event ID 510
Provider: AD FS Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Data_1 |
|
Data_1.Host set to target.hostname Data_1.User-Agent set to network.http.user_agent Data_1.X-MS-Endpoint-Absolute-Path set to target.url |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 517
Provider: Microsoft-Windows-DFSN-Server
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
UserID |
|
principal.user.windows_sid |
|
DfsNamespace |
|
target.resource.name |
Event ID 521
Provider: Security
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 529
Provider: Security
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_LOGIN
security_result.action = BLOCK security_result.category = AUTH_VIOLATION |
|
LogonType |
Not available |
extensions.auth.mechanism |
|
Message |
Not available |
username set to target.user.userid domain set to target.administrative_domain target_workstation set to target.hostname |
Event ID 566
Provider: Microsoft-Windows-Kernel-Power
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Reason |
Data/Reason |
security_result.description |
Event ID 600
Provider: PowerShell
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Category |
|
metadata.description |
|
SourceName |
|
principal.application |
|
HostApplication |
|
target.file.full_path |
|
ProviderName |
|
target.resource.name |
Event ID 601
Provider: Directory Synchronization
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. metadata.description = Attempt to install a service |
|
SubjectUserName |
|
principal.user.userid |
|
Summary |
|
security_result.summary |
|
ServiceName |
|
target.process.command_line |
|
ServiceFileName |
|
target.process.file.full_path |
Event ID 642
Provider: ESENT
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE.
Extract PID map it to target.process.pid |
Event ID 653
Provider: Directory Synchronization
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Data |
|
security_result.summary |
Event ID 654
Provider: Directory Synchronization
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Data |
|
security_result.summary |
Event ID 663
Provider: Directory Synchronization
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Data |
|
security_result.summary |
Event ID 700
Provider: NTDS ISAM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
MessageSourceAddress |
|
principal.ip |
Event ID 701
Provider: NTDS ISAM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
MessageSourceAddress |
|
principal.ip |
Event ID 719
Provider: Microsoft-Windows-TaskScheduler
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
Category |
Data/Category |
security_result.category_details |
Event ID 781
Provider: Microsoft-Windows-Complus
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
param3 |
Data/param3 |
target.registry.registry_key |
Event ID 800
Provider: PowerShell
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE
metadata.description set to "Pipeline execution"
security_result.summary set to "Pipeline execution details for command line" |
|
SourceName |
|
principal.application |
|
UserId |
|
principal.user.userid |
|
HostApplication |
|
target.file.full_path |
Event ID 888
Provider: top_5
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 900
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
|
Not available |
metadata.event_type = SERVICE_START
target.application = "Software Protection" |
Event ID 902
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
|
Not available |
metadata.event_type = SERVICE_START
target.application = "Software Protection" |
Event ID 903
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
|
Not available |
metadata.event_type = SERVICE_STOP
target.application = "Software Protection" |
Event ID 904
Provider: Directory Synchronization
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Data |
|
security_result.summary |
Event ID 1000
Provider: Microsoft-Windows-SCPNP
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
ReaderName |
Data/ReaderName |
target.resource.name |
|
ErrorCode |
Data/ErrorCode |
security_result.summary is set to "ErrorCode: %{ErrorCode}" |
Provider: Microsoft-Windows-LoadPerf
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
AccountName |
|
principal.user.attribute.roles.name |
|
AccountType |
|
principal.user.attribute.roles.description |
|
UserID |
|
principal.user.windows_sid |
Event ID 1001
Provider: Microsoft Antimalware
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED target_resource_product_object_id set to target.resource.product_object_id |
Provider: Microsoft-Windows-WER-SystemErrorReporting
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
param2 |
|
target.file.full_path |
Provider: SNMP
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE Message set to security_result.summary |
Provider: Windows Error Reporting
|
NXLog field |
Event Viewer field |
UDM field |
|
|
Not available |
metadata.event_type = STATUS_UPDATE |
Provider: Microsoft-Windows-LoadPerf
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
AccountName |
|
principal.user.attribute.roles.name |
|
AccountType |
|
principal.user.attribute.roles.description |
|
UserID |
|
principal.user.windows_sid |
Event ID 1003
Provider: Microsoft-Windows-Search
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_START |
|
Category |
Data/Category |
target.application |
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 1004
Provider: IPMIDRV
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Data |
|
target.hostname |
Provider: Microsoft-Windows-Search
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_MODIFICATION |
|
Reason |
Data/Reason |
security_result.description |
|
Category |
Data/Category |
target.application |
Provider: SNMP
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Provider: TdIca
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED
target_ip set to target.ip target_port set to target_port |
Event ID 1005
Provider: Microsoft-Windows-Search
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_MODIFICATION |
|
Category |
Data/Category |
target.application |
Event ID 1007
Provider: TdIca
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED
target_ip set to target.ip target_port set to target_port |
Event ID 1008
Provider: Microsoft-Windows-Perflib
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
EventXML.param1 |
|
target.application |
|
EventXML.param2 |
|
target.file.full_path |
Provider: Microsoft-Windows-Search
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_START |
|
Reason |
Data/Reason |
security_result.description |
|
Category |
Data/Category |
target.application |
Event ID 1010
Provider: Microsoft-Windows-Search
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_MODIFICATION |
|
Category |
Data/Category |
target.application |
Event ID 1013
Provider: Microsoft-Windows-Search
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_STOP |
|
Category |
Data/Category |
target.application |
Event ID 1014
Provider: Microsoft-Windows-DNS-Client
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_DNS network.ip_protocol is set to "DNS" |
|
QueryName |
|
network.dns.questions.name |
Event ID 1016
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
|
Not available |
metadata.event_type = STATUS_UPDATE |
Event ID 1023
Provider: Microsoft-Windows-Perflib
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
Library |
Data/Library |
target.file.full_path |
Event ID 1025
Provider: Microsoft-Windows-TPM-WMI
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 1026
Provider: Microsoft-Windows-TPM-WMI
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
ErrorCode |
Data/ErrorCode |
security_result.summary is set to "ErrorCode: %{ErrorCode} |
Event ID 1027
Provider: Microsoft-Windows-TPM-WMI
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 1030
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ErrorDescription |
|
security_result.description |
|
ErrorCode |
|
security_result.summary
Format: ErrorCode - %{ErrorCode} |
|
DCName |
|
target.administrative_domain |
Provider: Microsoft-Windows-Kernel-PnP
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Device |
Data/Device |
target.hostname |
Event ID 1031
Provider: Microsoft-Windows-Kernel-PnP
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Device |
Data/Device |
target.hostname |
Event ID 1033
Provider: MsiInstaller
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE Extract product_name and map to target.application |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 1034
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
|
Not available |
metadata.event_type = STATUS_UPDATE |
Event ID 1037
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 1040
Provider: MsiInstaller
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE Extract process_id and map it to target.process.pid |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 1042
Provider: MsiInstaller
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE Extract process_id and map it to target.process.pid |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 1053
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ErrorDescription |
Data/ErrorDescription |
security_result.description |
Event ID 1054
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ErrorDescription |
Data/ErrorDescription |
security_result.description |
Event ID 1055
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ErrorDescription |
Data/ErrorDescription |
security_result.description |
|
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: ErrorCode - %{ErrorCode} |
Event ID 1056
Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE server_certificate_subject set to network.tls.server.certificate.subject |
Event ID 1057
Provider: Microsoft-Windows-FailoverClustering
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED
target.resource_resource_type = DATABASE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 1058
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ErrorDescription |
Data/ErrorDescription |
security_result.description |
|
DCName |
Data/DCName |
target.administrative_domain |
|
FilePath |
Data/FilePath |
target.file.full_path |
Event ID 1064
Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE security_result.summary |
Event ID 1066
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
|
Not available |
metadata.event_type = STATUS_UPDATE |
Event ID 1067
Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 1068
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
DCName |
EventData.DCName |
target.administrative_domain |
Event ID 1069
Provider: Microsoft-Windows-FailoverClustering
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ResourceGroup |
|
target.group.group_display_name |
|
ResourceName |
|
target.resource.name |
Event ID 1073
Provider: User32
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_SHUTDOWN |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
param1 |
Data/param1 |
target.hostname |
|
param2 |
Data/param2 |
target.user.userid |
Event ID 1074
Provider: User32
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_SHUTDOWN |
Provider: USER32
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_SHUTDOWN
target_process_file_full_path set to target.process.file.full_path target_hostname set to target.hostname |
Provider: User32
|
NXLog field |
Event Viewer field |
UDM field |
|
Domain |
|
principal.administrative_domain |
Provider: USER32
|
NXLog field |
Event Viewer field |
UDM field |
|
Domain |
System/Domain |
principal.administrative_domain |
Provider: User32
|
NXLog field |
Event Viewer field |
UDM field |
|
param2 |
Data/param2 |
principal.hostname |
|
param1 |
Data/param1 |
principal.process.file.full_path |
|
AccountType |
|
principal.user.attribute.roles.name |
Provider: USER32
|
NXLog field |
Event Viewer field |
UDM field |
|
AccountName |
System/AccountName |
principal.user.userid |
Provider: User32
|
NXLog field |
Event Viewer field |
UDM field |
|
UserID |
|
principal.user.windows_sid |
|
param3 |
Data/param3 |
security_result.description |
|
param7 |
Data/param7 |
target.user.userid |
Event ID 1076
Provider: User32
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 1085
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ErrorDescription |
Data/ErrorDescription |
security_result.description |
|
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: ErrorCode - %{value} |
|
DCName |
Data/DCName |
target.administrative_domain |
Event ID 1096
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
ErrorCode |
|
security_result.summary Format: ErrorCode - %{ErrorCode} |
|
ErrorDescription |
|
security_result.description |
|
DCName |
|
target.administrative_domain |
|
FilePath |
|
principal.process.file.full_path |
Event ID 1100
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_STOP
target.application = "Event Logging Service" |
|
|
Message |
security_result.description |
Event ID 1101
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 1102
Provider: AD FS Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED
target_ip set to target.ip
target_url set to target.url
client_certificate_serial set to network.tls.client.certificate.serial client_certificate_subject set to network.tls.client.certificate.subject |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Provider: DFS Replication
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_WIPE |
|
|
SubjectDomainName |
principal.administrative_domain |
|
|
SubjectUserName |
principal.user.userid |
|
|
SubjectUserSid |
principal.user.windows_sid |
Event ID 1103
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 1104
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 1105
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
AutoBackup.BackupPath |
Data/BackupPath |
target.file.full_path |
Event ID 1106
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Reason |
Data/Reason |
security_result.description |
Event ID 1107
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED
target.application = "Event Logging Service" |
|
ProcessID |
Data/ProcessID |
principal.process.pid |
|
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: Error Code: %{value} |
Event ID 1108
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 1112
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ErrorDescription |
|
security_result.description |
|
ErrorCode |
|
security_result.summary
Format: ErrorCode - %{ErrorCode} |
|
DCName |
|
target.administrative_domain |
|
ExtensionName |
|
target.resource.name |
|
ExtensionId |
|
target.resource.product_object_id |
Event ID 1126
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
|
Data_1 |
|
security_result.summary set to "Error: %{Data_1} - %{Data_2}" |
|
Data_2 |
|
security_result.summary set to "Error: %{Data_1} - %{Data_2}" |
Event ID 1127
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
ErrorCode |
|
security_result.summary Format: ErrorCode - %{ErrorCode} |
|
ErrorDescription |
|
security_result.description |
|
DCName |
|
target.administrative_domain |
Event ID 1128
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ExtensionName |
|
target.resource.name |
|
ExtensionId |
|
target.resource.product_object_id |
Event ID 1129
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ErrorDescription |
Data/ErrorDescription |
security_result.description |
Event ID 1130
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: ErrorCode - %{value} |
|
ErrorDescription |
Data/ErrorDescription |
security_result.description |
|
GPOFileSystemPath |
Data/GPOFileSystemPath |
target.file.full_path |
Event ID 1134
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Event ID 1150
Provider: Microsoft Antimalware
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED platform_version set to principal.asset.platform_software.platform_version |
Event ID 1162
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Event ID 1173
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Event ID 1196
Provider: Microsoft-Windows-FailoverClustering
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
StatusString |
|
security_result.summary |
|
ResourceName |
|
target.resource.name |
Event ID 1200
Provider: AD FS Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_LOGIN |
|
Message |
|
metadata.description |
|
UserID |
target.user.windows_sid |
Event ID 1201
Provider: AD FS Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_LOGIN |
|
Message |
|
metadata.description |
|
UserID |
target.user.windows_sid |
Event ID 1202
Provider: SceCli
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Message |
|
security_result.summary Format: summary is set to 0x%{error_code} - %{error_message} |
Provider: AD FS Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_LOGIN |
|
Message |
|
metadata.description |
"SERVICE" |
extensions.auth.mechanism |
|
"SSO" |
extensions.auth.typ |
|
UserID |
target.user.windows_sid |
Event ID 1203
Provider: AD FS Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_LOGIN |
|
Message |
|
metadata.description |
"SERVICE" |
extensions.auth.mechanism |
|
"SSO" |
extensions.auth.typ |
|
UserID |
target.user.windows_sid |
Event ID 1204
Provider: AD FS Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_CHANGE_PASSWORD |
|
Message |
|
metadata.description |
Event ID 1205
Provider: Microsoft-Windows-FailoverClustering
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ResourceGroup |
|
target.group.group_display_name |
Provider: AD FS Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_CHANGE_PASSWORD |
|
Message |
|
metadata.description |
Event ID 1206
Provider: AD FS Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_LOGOUT |
|
Message |
|
metadata.description |
UserID |
target.user.windows_sid |
Event ID 1207
Provider: AD FS Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_LOGOUT |
|
Message |
|
metadata.description |
UserID |
target.user.windows_sid |
Event ID 1213
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Event ID 1216
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Data_3 |
|
security_result.description |
|
Data |
|
security_result.summary
Format: "Error Code - %{Data}" |
Event ID 1226
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Event ID 1254
Provider: Microsoft-Windows-FailoverClustering
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ResourceGroup |
|
target.group.group_display_name |
Event ID 1257
Provider: Microsoft-Windows-FailoverClustering
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
DNSZone |
|
about.labels.key/value additional.fields.key additional.fields.value.string_value |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ResourceGroup |
|
target.group.group_display_name |
Event ID 1282
Provider: Microsoft-Windows-TPM-WMI
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 1307
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Event ID 1311
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Event ID 1317
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Event ID 1500
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
DCName |
Data/DCName |
target.administrative_domain |
Event ID 1501
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 1502
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
DCName |
Data/DCName |
target.administrative_domain |
Event ID 1503
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
DCName |
Data/DCName |
target.administrative_domain |
Event ID 1531
Provider: Microsoft-Windows-User Profiles Service
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_START |
|
Domain |
Not available |
principal.administrative_domain |
|
AccountName |
Not available |
principal.user.userid |
|
UserID |
Not available |
principal.user.windows_sid |
|
SourceName |
Not available |
target.application |
Event ID 1532
Provider: Microsoft-Windows-User Profiles Service
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_STOP |
|
Domain |
Not available |
principal.administrative_domain |
|
AccountName |
Not available |
principal.user.userid |
|
UserID |
Not available |
principal.user.windows_sid |
|
SourceName |
Not available |
target.application |
Event ID 1535
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
|
Data |
|
security_result.description |
Event ID 1564
Provider: Microsoft-Windows-FailoverClustering
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = RESOURCE_READ |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ShareName |
|
target.resource.name |
Event ID 1566
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Event ID 1573
Provider: Microsoft-Windows-FailoverClustering
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 1593
Provider: Microsoft-Windows-FailoverClustering
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = RESOURCE_READ
target.resource_resource_type = DATABASE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
DatabaseFilePath |
|
target.file.full_path |
Event ID 1643
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Event ID 1644
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Event ID 1645
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Event ID 1653
Provider: Microsoft-Windows-FailoverClustering
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 1699
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
|
Data_4 |
|
security_result.summary set to "Error Code - %{Data_4}" |
Event ID 1704
Provider: SceCli
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
ProcessId |
|
principal.process.pid |
|
Message |
|
security_result.summary |
Event ID 1865
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Event ID 1925
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Event ID 1955
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Event ID 2000
Provider: Microsoft Antimalware
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE
current_signature_version set to target.resource.attribute.labels.key/value previous_signature_version set to target.resource.attribute.labels.key/value |
Event ID 2001
Provider: Microsoft Antimalware
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Data_14 |
|
security_result.summary |
|
Data_17 |
|
target.url |
Provider: NTDS ISAM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED
If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
MessageSourceAddress |
|
principal.ip |
Event ID 2004
Provider: Microsoft-Windows-Resource-Exhaustion-Detector
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 2041
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
Event ID 2042
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Event ID 2053
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Event ID 2065
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Event ID 2085
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
MessageSourceAddress |
|
principal.ip |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Event ID 2089
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Event ID 2108
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
|
Data_3 |
|
security_result.summary set to "Error: %{Data_4} - %{Data_3}" |
|
Data_4 |
|
security_result.summary set to "Error: %{Data_4} - %{Data_3}" |
Event ID 2811
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Event ID 2887
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Event ID 2889
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
|
Message |
|
principal_ip is set to principal.ip principal_port is set to principal.port principal_user_id is set to principal.user.userid |
Event ID 2896
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
|
Data_1 |
|
security_result.summary set to "Error: %{Data_1} - %{Data_2}" |
|
Data_2 |
|
security_result.summary set to "Error: %{Data_1} - %{Data_2}" |
Event ID 2904
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Event ID 2946
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Event ID 2947
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
Data_2 |
|
principal.ip |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
|
Data_3 |
|
security_result.summary set to "Error: %{Data_3}" |
Event ID 2974
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
|
Data_2 |
|
security_result.summary set to "Error Code - %{Data_2}" |
Event ID 3005
Provider: LogRhythm Agent
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Message |
|
security_result.description |
Event ID 3006
Provider: LogRhythm Agent
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_UNCATEGORIZED |
|
Message |
|
Message is set to security_result.description ip is set to target.ip port is set to target.port |
Event ID 3040
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Event ID 3041
Provider: Microsoft-Windows-ActiveDirectory_DomainService
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
Event ID 3072
Provider: Foundation Agents
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 3096
Provider: NETLOGON
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE Message set to security_result.summary |
Event ID 3260
Provider: Workstation
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 3261
Provider: Workstation
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 4000
version 0 Windows 10 client / Provider: Microsoft-Windows-Diagnostics-Networking
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Provider: Microsoft-Windows-WLAN-AutoConfig
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 4001
Provider: Microsoft-Windows-WLAN-AutoConfig
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 4003
Provider: Microsoft-Windows-WLAN-AutoConfig
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: %{ErrorCode}-%{ErrorMsg} |
Event ID 4005
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ReasonForSyncProcessing |
Data/ReasonForSyncProcessing |
security_result.summary |
|
PrincipalSamName |
Data/PrincipalSamName |
target.hostname |
|
PolicyActivityId |
Data/PolicyActivityId |
target.resource.product_object_id |
Event ID 4006
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
PrincipalSamName |
Data/PrincipalSamName |
target.hostname |
|
PolicyActivityId |
Data/PolicyActivityId |
target.resource.product_object_id |
Event ID 4016
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
DescriptionString |
Data/DescriptionString |
security_result.description |
|
CSEExtensionName |
Data/CSEExtensionName |
target.resource.name |
|
CSEExtensionId |
Data/CSEExtensionId |
target.resource.product_object_id |
Event ID 4017
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
OperationDescription |
Data/OperationDescription |
security_result.description |
Event ID 4096
Provider: NetJoin
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_CONNECTION |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
DomainName |
Data/DomainName |
target.administrative_domain |
|
ComputerName |
Data/ComputerName |
target.hostname |
Event ID 4097
Provider: Microsoft-Windows-CAPI2
|
NXLog field |
Event Viewer field |
UDM field |
|
|
Not available |
metadata.event_type = STATUS_UPDATE |
Provider: NetJoin
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_CONNECTION |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
NetStatusCode |
Data/NetStatusCode |
security_result.description |
|
DomainName |
Data/DomainName |
target.administrative_domain |
|
ComputerName |
Data/ComputerName |
target.hostname |
Event ID 4100
Provider: Microsoft-Windows-Diagnostics-Networking
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Provider: Microsoft-Windows-PowerShell
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 4101
Provider: Display
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 4103
version 1 / Provider: Microsoft-Windows-PowerShell
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_START |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.description |
|
AccountName |
|
principal.user.attribute.roles.name |
|
UserID |
|
principal.user.windows_sid |
|
Category |
|
security_result.summary |
|
CommandName |
|
target.application |
|
ScriptName |
|
target.file.full_path |
|
HostApplication |
|
target.process.command_line target.process.file.full_path |
Event ID 4104
Provider: Microsoft-Windows-PowerShell
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_START |
|
Domain |
|
principal.administrative_domain |
|
ScriptBlockText |
Data/ScriptBlockText |
security_result.detection_fields.key/value |
|
UserID |
|
principal.user.windows_sid |
|
Category |
|
security_result.summary |
|
Message |
|
security_result.description |
|
SourceName |
|
target.application |
Event ID 4108
Provider: Microsoft-Windows-CAPI2
|
NXLog field |
Event Viewer field |
UDM field |
|
|
Not available |
metadata.event_type = STATUS_UPDATE
Extract information from Message field and map it to network.tls.client.certificate |
Event ID 4109
Provider: Microsoft-Windows-CAPI2
|
NXLog field |
Event Viewer field |
UDM field |
|
|
Not available |
metadata.event_type = STATUS_UPDATE
Extract information from Message field and map it to network.tls.client.certificate |
Event ID 4111
Provider: Microsoft-Windows-MSDTC
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_STOP |
|
SourceName |
Not available |
target.application |
Event ID 4112
Provider: Microsoft-Windows-CAPI2
|
NXLog field |
Event Viewer field |
UDM field |
|
|
Not available |
metadata.event_type = STATUS_UPDATE |
Event ID 4113
Provider: Microsoft-Windows-CAPI2
|
NXLog field |
Event Viewer field |
UDM field |
|
|
Not available |
metadata.event_type = STATUS_UPDATE |
Event ID 4115
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 4116
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 4117
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 4124
Provider: Microsoft-Windows-BitLocker-API
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 4125
Provider: Microsoft-Windows-BitLocker-API
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Data |
Data/Data |
security_result.description Format: Error - %{value} |
Event ID 4126
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 4127
Provider: Microsoft-Windows-BitLocker-API
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Data |
Data/Data |
security_result.description |
Event ID 4133
Provider: Microsoft-Windows-BitLocker-API
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 4199
Provider: Tcpip
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Data |
Data/Data |
principal.ip |
|
Data_1 |
Data/Data_1 |
target.mac |
Event ID 4200
Provider: Microsoft-Windows-Iphlpsvc
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
Interface |
|
target_resource_product_object_id set to target.resource.product_object_id |
|
Address |
|
target.ip |
Event ID 4202
Provider: Microsoft-Windows-MSDTC 2
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_START |
|
SourceName |
Not available |
target.application |
|
param9 |
Data/param9 |
target.user.userid |
Event ID 4227
Provider: Tcpip
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE
Message set to security_result.summary |
Event ID 4230
Provider: Tcpip
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 4257
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 4319
Provider: NetBT
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 4321
Provider: NetBT
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_CONNECTION |
|
Data |
Data/Data |
principal.hostname and principal.port |
|
Data_1 |
Data/Data_1 |
principal.ip |
|
Data_2 |
Data/Data_2 |
target.ip |
Event ID 4326
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 4400
Provider: NPS
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Data_1 |
|
principal.administrative_domain |
Event ID 4608
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_STARTUP |
Event ID 4609
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_SHUTDOWN |
Event ID 4610
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
AuthenticationPackageName |
Data/AuthenticationPackageName |
target.resource.name |
Event ID 4611
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = PROCESS_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
LogonProcessName |
Data/LogonProcessName |
target.process.command_line |
Event ID 4612
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 4614
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
NotificationPackageName |
Data/NotificationPackageName |
target.resource.name |
Event ID 4615
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ProcessName |
Data/ProcessName |
principal.process.command_line |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4616
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION
target.resource.resource_type set to SETTING |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ProcessName |
Data/ProcessName |
principal.process.file.full_path |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
version 1 /
|
NXLog field |
Event Viewer field |
UDM field |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ProcessName |
Data/ProcessName |
principal.process.file.full_path |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
NewDate |
Data/NewDate |
target.resource.attribute.labels.key = "NewDate" value in target.resource.attribute.labels.value |
|
NewTime |
Data/NewTime |
target.resource.attribute.labels.key = "NewTime" value in target.resource.attribute.labels.value |
|
PreviousDate |
Data/PreviousDate |
target.resource.attribute.labels.key = "PreviousDate" value in target.resource.attribute.labels.value |
|
PreviousTime |
Data/PreviousTime |
target.resource.attribute.labels.key = "PreviousTime" value in target.resource.attribute.labels.value |
Event ID 4618
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
TargetUserDomain |
Data/TargetUserDomain |
target.administrative_domain |
|
ComputerName |
Data/ComputerName |
target.hostname |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetUserSid |
Data/TargetUserSid |
target.user.windows_sid |
|
TargetLogonId |
Data/TargetLogonId |
additional.fields.key additional.fields.value.string_value |
Event ID 4621
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
CrashOnAuditFailValue |
Data/CrashOnAuditFailValue |
security_result.summary |
Event ID 4622
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SecurityPackageName |
Data/SecurityPackageName |
target.resource.name |
Event ID 4624
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_LOGIN security_result.action set to "ALLOW" |
|
LogonType |
Data/LogonType |
extensions.auth.mechanism and extensions.auth.details |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
TargetLogonId |
Data/TargetLogonId |
target.labels.key/value additional.fields.key additional.fields.value.string_value |
|
WorkstationName |
Data/WorkstationName |
principal.asset.hostname principal.asset_id |
|
ProcessName |
Data/ProcessName |
principal.process.command_line |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
AuthenticationPackageName |
Data/AuthenticationPackageName |
security_result.about.resource.name |
|
ElevatedToken |
Data/ElevatedToken |
security_result.detection_fields.labels.key/value |
|
IpAddress |
Data/IpAddress |
src.ip |
|
IpPort |
Data/IpPort |
src.port |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
LogonProcessName |
Data/LogonProcessName |
target.process.file.full_path |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetUserSid |
Data/TargetUserSid |
target.user.windows_sid |
version 2 /
|
NXLog field |
Event Viewer field |
UDM field |
|
TargetOutboundUserName |
Data/TargetOutboundUserName |
target.user.user_display_name |
Event ID 4625
Provider: Microsoft-Windows-EventSystem
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
param3 |
Data/param3 |
about.registry.registry_key |
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_LOGIN
security_result.category = AUTH_VIOLATION
security_result.action = BLOCK
extensions.auth.type set to MACHINE |
|
LogonType |
Data/LogonType |
extensions.auth.mechanism and extensions.auth.details |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectLogonId |
Data/SubjectLogonId |
principal.labels.key/value additional.fields.key additional.fields.value.string_value |
|
WorkstationName |
Data/WorkstationName |
principal.asset.hostname principal.asset_id |
|
ProcessName |
Data/ProcessName |
principal.process.command_line |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
AuthenticationPackageName |
Data/AuthenticationPackageName |
security_result.about.resource.name |
|
Status |
Data/Status |
security_result.summary
Populate description corresponding to the status codes. Format: Status(%{Status}): %{status_description}. If the value coming is 0xc000006d, then store the value 'The cause is either a bad username or authentication information (referred from doc table.' |
|
SubStatus |
Data/SubStatus |
security_result.description Populate description corresponding to the substatus codes. Format: SubStatus(%{SubStatus}): %{sub_status_description} If the value coming is 0xc000006d, then store the value 'The cause is either a bad username or authentication information (referred from doc table.' |
|
IpAddress |
Data/IpAddress |
src.ip |
|
IpPort |
Data/IpPort |
src.port |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
LogonProcessName |
Data/LogonProcessName |
target.process.file.full_path |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetUserSid |
Data/TargetUserSid |
target.user.windows_sid |
Event ID 4626
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_LOGIN |
|
LogonType |
Data/LogonType |
extensions.auth.mechanism and extensions.auth.details |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetUserSid |
Data/TargetUserSid |
target.user.windows_sid |
|
TargetLogonId |
Data/TargetLogonId |
additional.fields.key additional.fields.value.string_value |
Event ID 4627
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_UNCATEGORIZED |
|
LogonType |
Data/LogonType |
extensions.auth.mechanism and extensions.auth.details |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
GroupMembership |
Data/GroupMembership |
target.user.group_identifiers |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetUserSid |
Data/TargetUserSid |
target.user.windows_sid |
|
TargetLogonId |
Data/TargetLogonId |
additional.fields.key additional.fields.value.string_value |
Event ID 4634
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_LOGOUT
security_result.action = ALLOW |
|
LogonType |
Data/LogonType |
extensions.auth.mechanism and extensions.auth.details |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetUserSid |
Data/TargetUserSid |
target.user.windows_sid |
|
TargetLogonId |
Data/TargetLogonId |
additional.fields.key additional.fields.value.string_value |
Event ID 4646
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_START |
Event ID 4647
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_LOGOUT |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetUserSid |
Data/TargetUserSid |
target.user.windows_sid |
|
TargetLogonId |
Data/TargetLogonId |
additional.fields.key additional.fields.value.string_value |
Event ID 4648
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_LOGIN
security_result.action set to "ALLOW"
extensions.auth.mechanism set to "USERNAME_PASSWORD" |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ProcessName |
Data/ProcessName |
principal.process.command_line |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
IpAddress |
Data/IpAddress |
src.ip |
|
IpPort |
Data/IpPort |
src.port |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetLogonId |
Data/TargetLogonId |
additional.fields.key additional.fields.value.string_value |
Event ID 4649
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
LogonProcessName |
Data/LogonProcessName |
principal.process.command_line |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
WorkstationName |
Data/WorkstationName |
principal.asset.hostname principal.asset_id |
|
ProcessName |
Data/ProcessName |
target.process.command_line |
|
ProcessId |
Data/ProcessId |
target.process.pid |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
Event ID 4650
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_UNCATEGORIZED |
|
LocalMMPrincipalName |
Data/LocalMMPrincipalName |
principal.hostname |
|
LocalAddress |
Data/LocalAddress |
principal.ip |
|
LocalKeyModPort |
Data/LocalKeyModPort |
principal.port |
|
RemoteMMPrincipalName |
Data/RemoteMMPrincipalName |
target.hostname |
|
RemoteAddress |
Data/RemoteAddress |
target.ip |
|
RemoteKeyModPort |
Data/RemoteKeyModPort |
target.port |
Event ID 4651
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_UNCATEGORIZED |
|
LocalMMIssuingCA |
Data/LocalMMIssuingCA |
network.tls.client.certificate.issuer |
|
RemoteMMIssuingCA |
Data/RemoteMMIssuingCA |
network.tls.server.certificate.issuer |
|
LocalMMPrincipalName |
Data/LocalMMPrincipalName |
principal.hostname |
|
LocalAddress |
Data/LocalAddress |
principal.ip |
|
LocalKeyModPort |
Data/LocalKeyModPort |
principal.port |
|
RemoteMMPrincipalName |
Data/RemoteMMPrincipalName |
target.hostname |
|
RemoteAddress |
Data/RemoteAddress |
target.ip |
|
RemoteKeyModPort |
Data/RemoteKeyModPort |
target.port |
Event ID 4652
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_UNCATEGORIZED |
|
LocalMMIssuingCA |
Data/LocalMMIssuingCA |
network.tls.client.certificate.issuer |
|
RemoteMMIssuingCA |
Data/RemoteMMIssuingCA |
network.tls.server.certificate.issuer |
|
LocalMMPrincipalName |
Data/LocalMMPrincipalName |
principal.hostname |
|
LocalAddress |
Data/LocalAddress |
principal.ip |
|
LocalKeyModPort |
Data/LocalKeyModPort |
principal.port |
|
RemoteMMPrincipalName |
Data/RemoteMMPrincipalName |
target.hostname |
|
RemoteAddress |
Data/RemoteAddress |
target.ip |
|
RemoteKeyModPort |
Data/RemoteKeyModPort |
target.port |
Event ID 4653
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_UNCATEGORIZED |
|
LocalAddress |
Data/LocalAddress |
principal.ip |
|
LocalKeyModPort |
Data/LocalKeyModPort |
principal.port |
|
FailureReason |
Data/FailureReason |
security_result.summary |
|
RemoteAddress |
Data/RemoteAddress |
target.ip |
|
RemoteKeyModPort |
Data/RemoteKeyModPort |
target.port |
Event ID 4654
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_UNCATEGORIZED |
|
Protocol |
Data/Protocol |
network.ip_protocol |
|
LocalAddress |
Data/LocalAddress |
principal.ip |
|
LocalPort |
Data/LocalPort |
principal.port |
|
FailureReason |
Data/FailureReason |
security_result.summary |
|
RemoteAddress |
Data/RemoteAddress |
target.ip |
|
RemotePort |
Data/RemotePort |
target.port |
Event ID 4655
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_UNCATEGORIZED |
|
LocalAddress |
Data/LocalAddress |
principal.ip |
|
RemoteAddress |
Data/RemoteAddress |
target.ip |
Event ID 4656
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ProcessName |
Data/ProcessName |
principal.process.file.full_path |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
ObjectName |
Data/ObjectName |
target.file.full_path (when ObjectType = "File") target.process.command_line (when ObjectType = "Process") |
|
AccessList |
Data/AccessList |
target.resource.attribute.permissions.name |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
|
ObjectType |
Data/ObjectType |
target.resource.resource_subtype |
|
AccessMask |
Data/AccessMask |
principal.process.access_mask |
Event ID 4657
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = REGISTRY_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ProcessName |
Data/ProcessName |
principal.process.file.full_path |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
ObjectName |
Data/ObjectName |
target.registry.registry_key |
|
NewValue |
Data/NewValue |
target.registry.registry_value_data |
|
ObjectValueName |
Data/ObjectValueName |
target.registry.registry_value_name |
Event ID 4658
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ProcessName |
Data/ProcessName |
principal.process.file.full_path |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4659
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
ObjectName |
Data/ObjectName |
target.file.full_path (when ObjectType = "File") target.process.command_line (when ObjectType = "Process") |
|
AccessList |
Data/AccessList |
target.resource.attribute.permissions.name |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
Event ID 4660
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_DELETION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ProcessName |
Data/ProcessName |
principal.process.file.full_path |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4661
event version 1 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
AccessReason |
Data/AccessReason |
security_result.description |
version 0 /
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ProcessName |
Data/ProcessName |
principal.process.file.full_path |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
ObjectName |
Data/ObjectName |
target.group.group_display_name (when ObjectType is SAM_ALIAS, SAM_GROUP)
target.user.userid (when ObjectType is SAM_USER)
target.administrative_domain (when ObjectType is SAM_DOMAIN)
target.hostname (when ObjectType is SAM_SERVER) |
|
AccessList |
Data/AccessList |
target.resource.attribute.permissions.name |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
Event ID 4662
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
SubjectLogonId |
Data/SubjectLogonId |
principal.labels.key/value additional.fields.key additional.fields.value.string_value |
|
AdditionalInfo |
Data/AdditionalInfo |
security_result.description |
|
Properties |
Data/Properties |
security_result.detection_fields.key/value |
|
AccessMask |
Data/AccessMask |
principal.process.access_mask principal.resource.attribute.permissions |
|
ObjectName |
Data/ObjectName |
target.resource.name |
|
ObjectServer |
Data/ObjectServer |
target.resource.parent |
Event ID 4663
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = FILE_OPEN (ObjectType = File, SymbolicLink)
REGISTRY_UNCATEGORIZED (ObjectType = Key)
PROCESS_OPEN (ObjectType = Process)
USER_RESOURCE_ACCESS (ObjectType = Event) |
|
ObjectName |
Data/ObjectName |
Object Type | UDM Field --------------------------+------------------------------------ File, SymbolicLink | target.file.full_path Key | target.registry.registry_key Process | target.process.file.full_path Event | target.resource.name |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ProcessName |
Data/ProcessName |
principal.process.file.full_path |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
AccessList |
Data/AccessList |
target.resource.attribute.permissions.name |
|
AccessMask |
Data/AccessMask |
principal.process.access_mask principal.resource.attribute.permissions |
Event ID 4664
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = FILE_CREATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
FileName |
Data/FileName |
target.file.full_path |
|
LinkName |
Data/LinkName |
target.resource.name |
Event ID 4665
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = RESOURCE_CREATION |
|
ClientDomain |
Data/ClientDomain |
principal.administrative_domain |
|
ClientName |
Data/ClientName |
principal.asset.hostname |
|
AppName |
Data/AppName |
target.application |
|
AppInstance |
Data/AppInstance |
target.resource.product_object_id |
Event ID 4666
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS |
|
ClientDomain |
Data/ClientDomain |
principal.administrative_domain |
|
ClientName |
Data/ClientName |
principal.asset.hostname |
|
AppName |
Data/AppName |
target.application |
|
ObjectName |
Data/ObjectName |
target.resource.name |
Event ID 4667
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = RESOURCE_DELETION |
|
ClientDomain |
Data/ClientDomain |
principal.administrative_domain |
|
ClientName |
Data/ClientName |
principal.asset.hostname |
|
AppName |
Data/AppName |
target.application |
Event ID 4668
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
ClientDomain |
Data/ClientDomain |
principal.administrative_domain |
|
ClientName |
Data/ClientName |
principal.asset.hostname |
|
AppName |
Data/AppName |
target.application |
Event ID 4670
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = FILE_OPEN (ObjectType = File, SymbolicLink)
REGISTRY_UNCATEGORIZED (ObjectType = Key)
PROCESS_OPEN (ObjectType = Process)
USER_RESOURCE_ACCESS (ObjectType = Event) |
|
ObjectName |
Data/ObjectName |
Object Type | UDM Field --------------------------+------------------------------------ File, SymbolicLink | target.file.full_path Key | target.registry.registry_key Process | target.process.file.full_path Event | target.resource.name |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ProcessName |
Data/ProcessName |
principal.process.file.full_path |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
OldSd |
Data/OldSd |
security_result.detection_fields.key/value |
|
NewSd |
Data/NewSd |
security_result.detection_fields.key/value |
Event ID 4671
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE security_result.action = BLOCK |
|
CallerDomainName |
Data/CallerDomainName |
principal.administrative_domain |
|
CallerUserName |
Data/CallerUserName |
principal.user.userid |
|
CallerUserSid |
Data/CallerUserSid |
principal.user.windows_sid |
Event ID 4672
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_LOGIN |
|
SubjectDomainName |
Data/SubjectDomainName |
target.administrative_domain |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
|
SubjectUserName |
Data/SubjectUserName |
target.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
target.user.windows_sid |
Event ID 4673
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to GENERIC_EVENT. |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
SubjectUserSid |
principal.user.windows_sid |
|
ProcessName |
Data/ProcessName |
target.process.command_line If ProcessName field not in log then extract "Process ID" and "Process Name" from "Message" field. |
|
ProcessId |
Data/ProcessId |
target.process.pid |
Event ID 4674
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS If the ProcessName field is absent, then set metadata.event_type to GENERIC_EVENT. |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
ProcessName |
Data/ProcessName |
target.process.command_line If ProcessName field not in log then extract "Process ID" and "Process Name" from "Message" field. |
|
ProcessId |
Data/ProcessId |
target.process.pid |
|
ObjectName |
ObjectName |
target.resource.name |
Event ID 4675
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetUserSid |
Data/TargetUserSid |
target.user.windows_sid |
Event ID 4688
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = PROCESS_LAUNCH |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
NewProcessName |
Data/NewProcessName |
target.process.file.full_path |
|
NewProcessId |
Data/NewProcessId |
target.process.pid |
|
ParentProcessName |
Data/ParentProcessName |
principal.process.file.full_path |
|
TokenElevationType |
Data/TokenElevationType |
target.labels additional.fields.key additional.fields.value.string_value |
|
TargetLogonId |
Data/TargetLogonId |
additional.fields.key additional.fields.value.string_value |
version 1 /
|
NXLog field |
Event Viewer field |
UDM field |
|
commandLine |
Data/commandLine |
principal.process.command_line |
version 2 /
|
NXLog field |
Event Viewer field |
UDM field |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetUserSid |
Data/TargetUserSid |
target.user.windows_sid |
|
MandatoryLabel |
Data/MandatoryLabel |
target.labels additional.fields.key additional.fields.value.string_value |
Event ID 4689
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = PROCESS_TERMINATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
ProcessName |
Data/ProcessName |
target.process.file.full_path |
|
ProcessId |
Data/ProcessId |
target.process.pid |
Event ID 4690
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = RESOURCE_CREATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SourceProcessId |
Data/SourceProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
SourceHandleId |
Data/SourceHandleId |
src.resource.name |
|
TargetProcessId |
Data/TargetProcessId |
target.process.pid |
|
TargetHandleId |
Data/TargetHandleId |
target.resource.name |
Event ID 4691
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = FILE_OPEN (ObjectType = File, SymbolicLink)
REGISTRY_UNCATEGORIZED (ObjectType = Key)
PROCESS_OPEN (ObjectType = Process)
USER_RESOURCE_ACCESS (ObjectType = Event) |
|
ObjectName |
Data/ObjectName |
Object Type | UDM Field --------------------------+------------------------------------ File, SymbolicLink | target.file.full_path Key | target.registry.registry_key Process | target.process.file.full_path Event | target.resource.name |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4692
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
FailureReason |
Data/FailureReason |
security_result.description |
|
RecoveryServer |
Data/RecoveryServer |
target.hostname |
Event ID 4693
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
RecoveryReason |
Data/RecoveryReason |
security_result.description |
Event ID 4694
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
FailureReason |
Data/FailureReason |
security_result.description |
Event ID 4695
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
FailureReason |
Data/FailureReason |
security_result.description |
Event ID 4696
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = PROCESS_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ProcessName |
Data/ProcessName |
principal.process.command_line |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetProcessName |
Data/TargetProcessName |
target.process.command_line |
|
TargetProcessId |
Data/TargetProcessId |
target.process.pid |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetUserSid |
Data/TargetUserSid |
target.user.windows_sid |
|
TargetLogonId |
Data/TargetLogonId |
additional.fields.key additional.fields.value.string_value |
Event ID 4697
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
ServiceName |
Data/ServiceName |
target.application |
|
ServiceFileName |
Data/ServiceFileName |
target.process.file.full_path |
version 1 / Windows 10 and Windows Server 2022/
|
NXLog field |
Event Viewer field |
UDM field |
|
ClientProcessId |
Data/ClientProcessId |
principal.process.pid |
|
ParentProcessId |
Data/ParentProcessId |
principal.process.parent_process.pid |
Event ID 4698
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SCHEDULED_TASK_CREATION
target.resource.resource_type = TASK |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TaskName |
Data/TaskName |
target.resource.name |
|
Message |
Data/Message |
URI set to target.file.full_path Command set to target.process.command_line |
version 1 / Windows 10 and Windows Server 2022/
|
NXLog field |
Event Viewer field |
UDM field |
|
ParentProcessId |
Data/ParentProcessId |
target.process.parent_process.pid |
|
ClientProcessId |
Data/ClientProcessId |
target.process.pid |
Event ID 4699
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SCHEDULED_TASK_DELETION
target.resource.resource_type = "TASK" |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TaskName |
Data/TaskName |
target.resource.name |
version 1 / Windows 10 and Windows Server 2022/
|
NXLog field |
Event Viewer field |
UDM field |
|
ParentProcessId |
Data/ParentProcessId |
principal.process.parent_process.pid |
|
ClientProcessId |
Data/ClientProcessId |
principal.process.pid |
Event ID 4700
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SCHEDULED_TASK_ENABLE
target.resource.resource_type = TASK |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TaskName |
Data/TaskName |
target.resource.name |
version 1 / Windows 10 and Windows Server 2022/
|
NXLog field |
Event Viewer field |
UDM field |
|
ParentProcessId |
Data/ParentProcessId |
principal.process.parent_process.pid |
|
ClientProcessId |
Data/ClientProcessId |
principal.process.pid |
Event ID 4701
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SCHEDULED_TASK_DISABLE
target.resource.resource_type = TASK |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TaskName |
Data/TaskName |
target.resource.name |
version 1 / Windows 10 and Windows Server 2022/
|
NXLog field |
Event Viewer field |
UDM field |
|
ParentProcessId |
Data/ParentProcessId |
principal.process.parent_process.pid |
|
ClientProcessId |
Data/ClientProcessId |
principal.process.pid |
Event ID 4702
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SCHEDULED_TASK_MODIFICATION
target.resource.resource_type = TASK |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TaskName |
Data/TaskName |
target.resource.name |
version 1 / Windows 10 and Windows Server 2022/
|
NXLog field |
Event Viewer field |
UDM field |
|
ClientProcessId |
Data/ClientProcessId |
target.process.pid |
|
ParentProcessId |
Data/ParentProcessId |
target.process.parent_process.pid |
Event ID 4703
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = RESOURCE_PERMISSIONS_CHANGE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ProcessName |
Data/ProcessName |
principal.process.file.full_path |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
EnabledPrivilegeList |
Data/EnabledPrivilegeList |
target.user.attribute.permissions.name
target.user.attribute.permissions.description |
|
DisabledPrivilegeList |
Data/DisabledPrivilegeList |
target.user.attribute.permissions.name
target.user.attribute.permissions.description |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetUserSid |
Data/TargetUserSid |
target.user.windows_sid |
|
TargetLogonId |
Data/TargetLogonId |
additional.fields.key additional.fields.value.string_value |
Event ID 4704
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_CHANGE_PERMISSIONS |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
|
TargetSid |
Data/TargetSid |
target.user.windows_sid |
Event ID 4705
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_CHANGE_PERMISSIONS |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
|
TargetSid |
Data/TargetSid |
target.user.windows_sid |
Event ID 4706
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
DomainName |
Data/DomainName |
target.administrative_domain |
Event ID 4707
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
DomainName |
Data/DomainName |
target.administrative_domain |
Event ID 4709
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_START
target.application = "IPsec Policy Agent Service" |
Event ID 4710
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_STOP
target.application = "IPsec Policy Agent Service" |
Event ID 4711
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 4712
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_STOP
target.application = "IPsec Policy Agent Service" |
Event ID 4713
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION
target.resource.resource_type = SETTING |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
KerberosPolicyChange |
Data/KerberosPolicyChange |
target.resource.attribute.labels.key = "FieldName_OLD_VALUE" and value="<old_value>" and
target.resource.attribute.labels.key = "FieldName_NEW_VALUE" and value="<new_value>" |
Event ID 4714
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
EfsPolicyChange |
Data/EfsPolicyChange |
target.resource.name |
Event ID 4715
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
OldSd |
Data/OldSd |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
NewSd |
Data/NewSd |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
Event ID 4716
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
DomainName |
Data/DomainName |
target.administrative_domain |
Event ID 4717
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS
security_result.action = ALLOW |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
AccessGranted |
Data/AccessGranted |
target.user.attribute.permissions.name
target.user.attribute.permissions.description |
|
TargetSid |
Data/TargetSid |
target.user.windows_sid |
Event ID 4718
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS
security_result.action = BLOCK |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
AccessRemoved |
Data/AccessRemoved |
target.user.attribute.permissions.name
target.user.attribute.permissions.description |
|
TargetSid |
Data/TargetSid |
target.user.windows_sid |
Event ID 4719
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
SubcategoryGuid |
Data/SubcategoryGuid |
Populate security_result.category_details based on description received in output of command: auditpol /list /subcategory:* /v. |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
CategoryId |
Data/CategoryId |
security_result[0].category_details is set to "CategoryId" security_result[0].summary is set to "%{CategoryId}" security_result[0].description is set to "%{Category}" |
|
SubcategoryId |
Data/SubcategoryId |
security_result[0].category_details is set to "SubCategoryId" security_result[0].summary is set to "%{SubCategoryId}" security_result[0].description is set to "%{SubCategory}" extract "Subcategory" description from "Message" field.` |
|
SubcategoryGuid |
Data/SubcategoryGuid |
security_result[2].category_details is set to "SubcategoryGuid" security_result[2].summary is set to "%{SubcategoryGuid}" security_result[2].description is set to "%{subcategory_guid_description}" |
|
AuditPolicyChanges |
Data/AuditPolicyChanges |
security_result[3].category_details is set to "AuditPolicyChanges" security_result[3].summary is set to "%{AuditPolicyChanges_description}" extract "AuditPolicyChanges_description" description from "Message" field about.labels.key/value additional.fields.key additional.fields.value.string_value |
Event ID 4720
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_CREATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
SubjectLogonId |
Data/SubjectLogonId |
principal.labels.key/value additional.fields.key additional.fields.value.string_value |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
|
DisplayName |
Data/DisplayName |
target.user.user_display_name |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetSid |
Data/TargetSid |
target.user.windows_sid |
Event ID 4722
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_CHANGE_PERMISSIONS
security_result.action = ALLOW |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetSid |
Data/TargetSid |
target.user.windows_sid |
Event ID 4723
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_CHANGE_PASSWORD |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetSid |
Data/TargetSid |
target.user.windows_sid |
Event ID 4724
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_CHANGE_PASSWORD |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetSid |
Data/TargetSid |
target.user.windows_sid |
Event ID 4725
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_CHANGE_PERMISSIONS |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetSid |
Data/TargetSid |
target.user.windows_sid |
Event ID 4726
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_DELETION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
SubjectLogonId |
Data/SubjectLogonId |
principal.labels.key/value additional.fields.key additional.fields.value.string_value |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetSid |
Data/TargetSid |
target.user.windows_sid |
Event ID 4727
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_CREATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
SubjectLogonId |
Data/SubjectLogonId |
principal.labels.key/value additional.fields.key additional.fields.value.string_value |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
Event ID 4728
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
SubjectLogonId |
Data/SubjectLogonId |
principal.labels.key/value additional.fields.key additional.fields.value.string_value |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
|
Message |
Data/Message |
Extracted OU, CN, DC fields from the Message log field and mapped it to target.user.attribute.labels |
|
MemberName |
Data/MemberName |
target.user.user_display_name |
|
MemberSid |
Data/MemberSid |
target.user.windows_sid |
Event ID 4729
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
|
MemberName |
Data/MemberName |
target.user.user_display_name |
|
MemberSid |
Data/MemberSid |
target.user.windows_sid |
Event ID 4730
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_DELETION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
SubjectLogonId |
Data/SubjectLogonId |
principal.labels.key/value additional.fields.key additional.fields.value.string_value |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
Event ID 4731
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_CREATION security_result.action set to "ALLOW" |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
SubjectLogonId |
Data/SubjectLogonId |
principal.labels.key/value additional.fields.key additional.fields.value.string_value |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
Event ID 4732
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
|
MemberName |
Data/MemberName |
target.user.user_display_name |
|
MemberSid |
Data/MemberSid |
target.user.windows_sid |
Event ID 4733
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
|
MemberName |
Data/MemberName |
target.user.user_display_name |
|
MemberSid |
Data/MemberSid |
target.user.windows_sid |
Event ID 4734
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_DELETION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
SubjectLogonId |
Data/SubjectLogonId |
principal.labels.key/value additional.fields.key additional.fields.value.string_value |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
Event ID 4735
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
Event ID 4737
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
Event ID 4738
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.user_display_name |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
SamAccountName |
Data/SamAccountName |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
DisplayName |
Data/DisplayName |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
UserPrincipalName |
Data/UserPrincipalName |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
HomeDirectory |
Data/HomeDirectory |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
HomePath |
Data/HomePath |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
ScriptPath |
Data/ScriptPath |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
ProfilePath |
Data/ProfilePath |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
UserWorkstations |
Data/UserWorkstations |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
PasswordLastSet |
Data/PasswordLastSet |
target.resource.attribute.labels.key target.resource.attribute.labels.value target.user.last_password_change_time |
|
AccountExpires |
Data/AccountExpires |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
PrimaryGroupId |
Data/PrimaryGroupId |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
AllowedToDelegateTo |
Data/AllowedToDelegateTo |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
OldUacValue |
Data/OldUacValue |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
NewUacValue |
Data/NewUacValue |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
UserAccountControl |
Data/UserAccountControl |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
UserParameters |
Data/UserParameters |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
SidHistory |
Data/SidHistory |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
LogonHours |
Data/LogonHours |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetSid |
Data/TargetSid |
target.user.windows_sid |
Event ID 4739
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION
target.resource.resource_type = "SETTING" |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
DomainName |
Data/DomainName |
target.administrative_domain |
|
DomainPolicyChanged |
Data/DomainPolicyChanged |
target.resource.name |
Event ID 4740
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_CHANGE_PERMISSIONS |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetSid |
Data/TargetSid |
target.user.windows_sid |
Event ID 4741
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_CREATION
target.resource.resource_type = STORAGE_OBJECT target.resource.resource_subtype = Computer Account |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.user_display_name |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetSid |
Data/TargetSid |
target.user.windows_sid |
|
DnsHostName |
Data/DnsHostName |
target.asset.hostname |
Event ID 4742
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type = STORAGE_OBJECT target.resource.resource_subtype = Computer Account |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetSid |
Data/TargetSid |
target.user.windows_sid |
|
ServicePrincipalNames |
Data/ServicePrincipalNames |
target.application |
Event ID 4743
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_DELETION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetSid |
Data/TargetSid |
target.user.windows_sid |
Event ID 4744
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_CREATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
Event ID 4745
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
Event ID 4746
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
|
MemberName |
Data/MemberName |
target.user.user_display_name |
|
MemberSid |
Data/MemberSid |
target.user.windows_sid |
Event ID 4747
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
|
MemberName |
Data/MemberName |
target.user.user_display_name |
|
MemberSid |
Data/MemberSid |
target.user.windows_sid |
Event ID 4748
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_DELETION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
Event ID 4749
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_CREATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
Event ID 4750
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
Event ID 4751
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
|
MemberName |
Data/MemberName |
target.user.user_display_name |
|
MemberSid |
Data/MemberSid |
target.user.windows_sid |
Event ID 4752
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
|
MemberName |
Data/MemberName |
target.user.user_display_name |
|
MemberSid |
Data/MemberSid |
target.user.windows_sid |
Event ID 4753
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_DELETION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
Event ID 4754
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_CREATION security_result.action set to "ALLOW" |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
SubjectLogonId |
Data/SubjectLogonId |
principal.labels.key/value additional.fields.key additional.fields.value.string_value |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
Event ID 4755
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
Event ID 4756
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
|
MemberName |
Data/MemberName |
target.user.user_display_name |
|
MemberSid |
Data/MemberSid |
target.user.windows_sid |
Event ID 4757
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
|
MemberName |
Data/MemberName |
target.user.user_display_name |
|
MemberSid |
Data/MemberSid |
target.user.windows_sid |
Event ID 4758
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_DELETION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
SubjectLogonId |
Data/SubjectLogonId |
principal.labels.key/value additional.fields.key additional.fields.value.string_value |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
Event ID 4759
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_CREATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
Event ID 4760
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
Event ID 4761
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
|
MemberName |
Data/MemberName |
target.user.user_display_name |
|
MemberSid |
Data/MemberSid |
target.user.windows_sid |
Event ID 4762
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
|
MemberName |
Data/MemberName |
target.user.user_display_name |
|
MemberSid |
Data/MemberSid |
target.user.windows_sid |
Event ID 4763
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_DELETION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
Event ID 4764
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
GroupTypeChange |
Data/GroupTypeChange |
security_result.summary |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
Event ID 4765
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type = SETTING target.resource.resource_subtype = SID History |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
PrivilegeList |
Data/PrivilegeList |
target.user.attribute.permissions.name |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetSid |
Data/TargetSid |
target.user.windows_sid |
Event ID 4766
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_UPDATE_CONTENT |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetSid |
Data/TargetSid |
target.user.windows_sid |
Event ID 4767
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_CHANGE_PERMISSIONS |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetSid |
Data/TargetSid |
target.user.windows_sid |
Event ID 4768
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_LOGIN
If LogonType field is missing then extensions.auth.mechanism = MECHANISM_UNSPECIFIED |
|
IpAddress |
Data/IpAddress |
principal.ip |
|
IpPort |
Data/IpPort |
principal.port |
|
Status |
Data/Status |
security_result.description |
|
CertIssuerName |
Data/CertIssuerName |
security_result.detection_fields.labels.key = cert_issuer_name and value = %{cert_issuer_name} |
|
CertSerialNumber |
Data/CertSerialNumber |
security_result.detection_fields.labels.key = cert_serial_number and value = %{cert_serial_number} |
|
CertThumbprint |
Data/CertThumbprint |
security_result.detection_fields.labels.key = cert_thumbprint and value = %{cert_thumbprint} |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
ServiceName |
Data/ServiceName |
target.application |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetSid |
Data/TargetSid |
target.user.windows_sid |
Event ID 4769
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_UNCATEGORIZED
If LogonType field is missing then extensions.auth.mechanism = MECHANISM_UNSPECIFIED
If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
IpAddress |
Data/IpAddress |
principal.ip |
|
IpPort |
Data/IpPort |
principal.port |
|
ServiceSid |
Data/ServiceSid |
target.user.windows_sid |
|
Status |
Data/Status |
security_result.description |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
ServiceName |
Data/ServiceName |
target.application |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TicketOptions |
Data/TicketOptions |
additional.fields.key and additional.fields.value.string_value |
|
TicketEncryptionType |
Data/TicketEncryptionType |
additional.fields.key and additional.fields.value.string_value |
|
LogonGuid |
Data/LogonGuid |
additional.fields.key and additional.fields.value.string_value |
|
TransmittedServices |
Data/TransmittedServices |
additional.fields.key and additional.fields.value.string_value |
Event ID 4770
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_LOGIN |
|
IpAddress |
Data/IpAddress |
principal.ip |
|
IpPort |
Data/IpPort |
principal.port |
|
TicketEncryptionType |
Data/TicketEncryptionType |
security_result.about.resource.name |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
ServiceName |
Data/ServiceName |
target.application |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
Event ID 4771
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_LOGIN security_result.action set to "BLOCK" |
|
IpAddress |
Data/IpAddress |
principal.ip |
|
IpPort |
Data/IpPort |
principal.port |
|
Status |
Data/Status |
security_result.description |
|
ServiceName |
Data/ServiceName |
target.application |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetSid |
Data/TargetSid |
target.user.windows_sid |
Event ID 4772
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS security_result.action set to "BLOCK" |
|
IpAddress |
Data/IpAddress |
principal.ip |
|
IpPort |
Data/IpPort |
principal.port |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
ServiceName |
Data/ServiceName |
target.application |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
Event ID 4773
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS security_result.action set to "BLOCK" |
|
IpAddress |
Data/IpAddress |
principal.ip |
|
IpPort |
Data/IpPort |
principal.port |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
ServiceName |
Data/ServiceName |
target.application |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
Event ID 4774
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
ClientUserName |
Data/ClientUserName |
principal.user.userid |
|
MappingBy |
Data/MappingBy |
about.labels.key/value additional.fields.key additional.fields.value.string_value |
|
MappedName |
Data/MappedName |
about.labels.key/value additional.fields.key additional.fields.value.string_value |
Event ID 4775
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
ClientUserName |
Data/ClientUserName |
principal.user.userid |
|
MappingBy |
Data/MappingBy |
about.labels.key/value additional.fields.key additional.fields.value.string_value |
Event ID 4776
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_LOGIN security_result.action = BLOCK |
|
Workstation |
Data/Workstation |
principal.asset.hostname principal.asset_id |
|
Status |
Data/Status |
security_result.description
Format: Status - Description |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
Version |
|
about.labels.key/value additional.fields.key additional.fields.value.string_value |
|
Level |
|
about.labels.key/value additional.fields.key additional.fields.value.string_value |
|
Task |
|
about.labels.key/value additional.fields.key additional.fields.value.string_value |
|
Opcode |
|
about.labels.key/value additional.fields.key additional.fields.value.string_value |
|
Keywords |
|
about.labels.key/value additional.fields.key additional.fields.value.string_value |
|
ThreadID |
Data/ThreadID |
about.labels.key/value additional.fields.key additional.fields.value.string_value |
|
PackageName |
Data/PackageName |
security_result.about.resource.name |
Event ID 4777
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_LOGIN
security_result.category = "AUTH_VIOLATION" |
|
Status |
Data/Status |
security_result.summary |
|
Workstation |
Data/Workstation |
principal.asset.hostname principal.asset_id |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
Event ID 4778
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED security_result.action set to "ALLOW" |
|
SessionName |
Data/SessionName |
network.session_id |
|
AccountDomain |
Data/AccountDomain |
principal.administrative_domain |
|
AccountName |
Data/AccountName |
principal.user.userid |
|
ClientName |
Data/ClientName |
principal.hostname principal.asset.hostname |
|
ClientAddress |
Data/ClientAddress |
principal.ip |
|
Hostname |
Computer |
target.hostname |
Event ID 4779
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
SessionName |
Data/SessionName |
network.session_id |
|
AccountDomain |
Data/AccountDomain |
principal.administrative_domain |
|
AccountName |
Data/AccountName |
principal.user.userid |
|
ClientName |
Data/ClientName |
principal.asset.hostname |
|
ClientAddress |
Data/ClientAddress |
target.ip |
Event ID 4780
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_CHANGE_PERMISSIONS |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetSid |
Data/TargetSid |
target.user.windows_sid |
Event ID 4781
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_UNCATEGORIZED |
|
OldTargetUserName |
Data/OldTargetUserName |
target.labels.key/value additional.fields.key additional.fields.value.string_value |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectLogonId |
Data/SubjectLogonId |
principal.labels.key/value additional.fields.key additional.fields.value.string_value |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
NewTargetUserName |
Data/NewTargetUserName |
target.user.userid |
|
TargetSid |
Data/TargetSid |
target.user.windows_sid |
Event ID 4782
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
Event ID 4783
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_CREATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
PrivilegeList |
Data/PrivilegeList |
target.group.attribute.permissions.name |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
Event ID 4784
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
PrivilegeList |
Data/PrivilegeList |
target.group.attribute.permissions.name |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
Event ID 4785
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
PrivilegeList |
Data/PrivilegeList |
target.group.attribute.permissions.name |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
MemberName |
Data/MemberName |
target.user.user_display_name |
|
MemberSid |
Data/MemberSid |
target.user.windows_sid |
Event ID 4786
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
PrivilegeList |
Data/PrivilegeList |
target.group.attribute.permissions.name |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
MemberName |
Data/MemberName |
target.user.user_display_name |
|
MemberSid |
Data/MemberSid |
target.user.windows_sid |
Event ID 4787
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
PrivilegeList |
Data/PrivilegeList |
target.group.attribute.permissions.name |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
MemberName |
Data/MemberName |
target.user.user_display_name |
|
MemberSid |
Data/MemberSid |
target.user.windows_sid |
Event ID 4788
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
PrivilegeList |
Data/PrivilegeList |
target.group.attribute.permissions.name |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
|
MemberName |
Data/MemberName |
target.user.user_display_name |
|
MemberSid |
Data/MemberSid |
target.user.windows_sid |
Event ID 4789
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_DELETION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
PrivilegeList |
Data/PrivilegeList |
target.group.attribute.permissions.name |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
Event ID 4790
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_CREATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
PrivilegeList |
Data/PrivilegeList |
target.group.attribute.permissions.name |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
Event ID 4791
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
PrivilegeList |
Data/PrivilegeList |
target.group.attribute.permissions.name |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
Event ID 4792
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_DELETION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
PrivilegeList |
Data/PrivilegeList |
target.group.attribute.permissions.name |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
Event ID 4793
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
Status |
Data/Status |
security_result.summary |
|
Workstation |
Data/Workstation |
principal.asset.hostname principal.asset_id |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
Event ID 4794
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type = SETTING
target.resource.name = "Directory Services Restore Mode administrator password" |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
Workstation |
Data/Workstation |
principal.asset.hostname principal.asset_id |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
Status |
Data/Status |
security_result.description
Format: Status - Description |
Event ID 4797
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
Workstation |
Data/Workstation |
principal.asset.hostname principal.asset_id |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
Event ID 4798
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
CallerProcessName |
Data/CallerProcessName |
principal.process.file.full_path |
|
CallerProcessId |
Data/CallerProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetSid |
Data/TargetSid |
target.user.userid |
Event ID 4799
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
CallerProcessName |
Data/CallerProcessName |
principal.process.file.full_path |
|
CallerProcessId |
Data/CallerProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
Event ID 4800
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
TargetDomainName |
Data/TargetDomainName |
principal.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
principal.user.userid |
|
TargetUserSid |
Data/TargetUserSid |
principal.user.windows_sid |
|
TargetLogonId |
Data/TargetLogonId |
additional.fields.key additional.fields.value.string_value |
Event ID 4801
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
TargetDomainName |
Data/TargetDomainName |
principal.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
principal.user.userid |
|
TargetUserSid |
Data/TargetUserSid |
principal.user.windows_sid |
|
TargetLogonId |
Data/TargetLogonId |
additional.fields.key additional.fields.value.string_value |
Event ID 4816
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
PeerName |
Data/PeerName |
target.ip |
|
ProtocolSequence |
Data/ProtocolSequence |
additional.fields.key additional.fields.value.string_value |
|
SecurityError |
Data/SecurityError |
security_result.detection_fields.key/value |
Event ID 4817
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION target.resource.resource_type = "SETTING" |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
OldSd |
Data/OldSd |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
NewSd |
Data/NewSd |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
ObjectName |
Data/ObjectName |
target.resource.name |
Event ID 4818
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ProcessName |
Data/ProcessName |
principal.process.file.full_path |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
AccessReason |
Data/AccessReason |
security_result.description |
|
ObjectName |
Data/ObjectName |
target.resource.name |
Event ID 4819
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION
target.resource.resource_type = SETTING |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4820
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_LOGIN |
|
DeviceName |
Data/DeviceName |
principal.hostname |
|
IpAddress |
Data/IpAddress |
principal.ip |
|
IpPort |
Data/IpPort |
principal.port |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
ServiceName |
Data/ServiceName |
target.application |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetSid |
Data/TargetSid |
target.user.windows_sid |
Event ID 4821
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_LOGIN security_result.action set to "BLOCK" |
|
DeviceName |
Data/DeviceName |
principal.hostname |
|
IpAddress |
Data/IpAddress |
principal.ip |
|
IpPort |
Data/IpPort |
principal.port |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
ServiceName |
Data/ServiceName |
target.application |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
Event ID 4822
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_UNCATEGORIZED
security_result.category = AUTH_VIOLATION |
|
DeviceName |
Data/DeviceName |
principal.hostname |
|
AccountName |
Data/AccountName |
principal.user.userid |
Event ID 4823
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_UNCATEGORIZED
security_result.category = AUTH_VIOLATION |
|
DeviceName |
Data/DeviceName |
principal.hostname |
|
AccountName |
Data/AccountName |
principal.user.userid |
Event ID 4824
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_UNCATEGORIZED
security_result.category = AUTH_VIOLATION |
|
IpAddress |
Data/IpAddress |
principal.ip |
|
IpPort |
Data/IpPort |
principal.port |
|
ServiceName |
Data/ServiceName |
target.application |
|
TargetUserName |
Data/TargetUserName |
target.group.group_display_name |
|
TargetSid |
Data/TargetSid |
target.group.windows_sid |
Event ID 4825
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS security_result.action set to "BLOCK" |
|
AccountDomain |
Data/AccountDomain |
principal.administrative_domain |
|
ClientAddress |
Data/ClientAddress |
principal.ip |
|
AccountName |
Data/AccountName |
principal.user.userid |
Event ID 4826
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4830
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetSid |
Data/TargetSid |
target.user.windows_sid |
Event ID 4864
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 4865
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4866
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4867
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4868
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE security_result.action = BLOCK |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4869
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4870
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
RevocationReason |
Data/RevocationReason |
security_result.description |
Event ID 4871
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4872
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
PublishURLs |
Data/PublishURLs |
target.file.full_path |
Event ID 4873
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4874
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4875
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4876
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4877
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4878
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 4879
Provider: Microsoft-Windows-MSDTC Client 2
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED |
|
param1 |
Data/param1 |
security_result.summary
Format: Error Code: %{value} |
|
SourceName |
Not available |
target.application |
|
param2 |
Data/param2 |
target.hostname |
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 4880
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 4881
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 4882
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = RESOURCE_PERMISSIONS_CHANGE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4883
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4884
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4885
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4886
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
RequestId |
Data/RequestId |
additional.fields.key additional.fields.value.string_value |
|
Requester |
Data/Requester |
additional.fields.key additional.fields.value.string_value |
|
Attributes |
Data/Attributes |
additional.fields.key additional.fields.value.string_value |
Event ID 4887
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
RequestId |
Data/RequestId |
additional.fields.key additional.fields.value.string_value |
|
Requester |
Data/Requester |
additional.fields.key additional.fields.value.string_value |
|
Attributes |
Data/Attributes |
additional.fields.key additional.fields.value.string_value |
|
Disposition |
Data/Disposition |
additional.fields.key additional.fields.value.string_value |
|
SubjectKeyIdentifier |
Data/SubjectKeyIdentifier |
additional.fields.key additional.fields.value.string_value |
|
Subject |
Data/Subject |
additional.fields.key additional.fields.value.string_value |
Event ID 4888
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE security_result.action = BLOCK |
Event ID 4889
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 4890
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4891
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4892
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
PropertyName |
Data/PropertyName |
target.resource.name |
Event ID 4893
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 4894
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4895
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 4896
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4897
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION |
|
RoleSeparationEnabled |
Data/RoleSeparationEnabled |
target.resource.name = "Role separation enabled: %{RoleSeparationEnabled}" |
Event ID 4898
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
TemplateInternalName |
Data/TemplateInternalName |
target.resource.name |
Event ID 4899
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
TemplateInternalName |
Data/TemplateInternalName |
target.resource.name |
Event ID 4900
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
TemplateInternalName |
Data/TemplateInternalName |
target.resource.name |
Event ID 4902
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_CREATION
target.resource.resource_type = SETTING |
|
PuaPolicyId |
Data/PuaPolicyId |
target.resource.product_object_id |
Event ID 4904
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ProcessName |
Data/ProcessName |
principal.process.file.full_path |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4905
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ProcessName |
Data/ProcessName |
principal.process.file.full_path |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 4906
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 4907
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = FILE_MODIFICATION (ObjectType = File, SymbolicLink)
REGISTRY_MODIFICATION (ObjectType = Key)
PROCESS_UNCATEGORIZED (ObjectType = Process)
USER_RESOURCE_UPDATE_PERMISSIONS (ObjectType = all other) |
|
ObjectName |
Data/ObjectName |
Object Type | UDM Field --------------------------+------------------------------------ File, SymbolicLink | target.file.full_path Key | target.registry.registry_key Process | target.process.file.full_path Event | target.resource.name |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
ProcessName |
Data/ProcessName |
target.process.command_line |
|
ProcessId |
Data/ProcessId |
target.process.pid |
|
NewSd |
Data/NewSd |
target.resource.attribute.labels.key = "NewSd" value in target.resource.attribute.labels.value |
|
OldSd |
Data/OldSd |
target.resource.attribute.labels.key = "OldSd" value in target.resource.attribute.labels.value |
Event ID 4908
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION |
Event ID 4909
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION |
|
OldBlockedOrdinals |
Data/OldBlockedOrdinals |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
NewBlockedOrdinals |
Data/NewBlockedOrdinals |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
Event ID 4910
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION |
|
OldIgnoreDefaultSettings |
Data/OldIgnoreDefaultSettings |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
NewIgnoreDefaultSettings |
Data/NewIgnoreDefaultSettings |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
OldIgnoreLocalSettings |
Data/OldIgnoreLocalSettings |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
NewIgnoreLocalSettings |
Data/NewIgnoreLocalSettings |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
OldBlockedOrdinals |
Data/OldBlockedOrdinals |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
NewBlockedOrdinals |
Data/NewBlockedOrdinals |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
Event ID 4911
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ProcessName |
Data/ProcessName |
principal.process.file.full_path |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
ObjectName |
Data/ObjectName |
target.resource.name |
Event ID 4912
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetUserSid |
Data/TargetUserSid |
target.user.windows_sid |
Event ID 4913
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ProcessName |
Data/ProcessName |
principal.process.file.full_path |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
ObjectName |
Data/ObjectName |
target.resource.name |
Event ID 4928
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SourceAddr |
Data/SourceAddr |
target.ip or target.hostname If SourceAddr field value not in IP form then it map to target.hostname |
|
StatusCode |
Data/StatusCode |
security_result.summary is set to StatusCode: %{StatusCode} |
Event ID 4929
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SourceAddr |
Data/SourceAddr |
target.ip or target.hostname If SourceAddr field value not in IP form then map to target.hostname |
|
StatusCode |
Data/StatusCode |
security_result.summary is set to StatusCode: %{StatusCode} |
Event ID 4930
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SourceAddr |
Data/SourceAddr |
target.ip or target.hostname If SourceAddr field value not in IP form then it map to target.hostname |
|
StatusCode |
Data/StatusCode |
security_result.summary is set to StatusCode: %{StatusCode} |
Event ID 4931
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SourceAddr |
Data/SourceAddr |
target.ip or target.hostname If SourceAddr field value not in IP form then it map to target.hostname |
|
StatusCode |
Data/StatusCode |
security_result.summary is set to StatusCode: %{StatusCode} |
Event ID 4932
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 4933
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
StatusCode |
Data/StatusCode |
security_result.summary is set to StatusCode: %{StatusCode} |
Event ID 4934
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 4935
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 4936
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 4937
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
StatusCode |
Data/StatusCode |
security_result.summary is set to StatusCode: %{StatusCode} |
Event ID 4944
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 4945
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE
target.resource.resource_type = "FIREWALL_RULE" |
|
RuleId |
Data/RuleId |
target.resource.product_object_id |
|
RuleName |
Data/RuleName |
target.resource.name |
Event ID 4946
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION
target.resource.resource_type = SETTING |
|
RuleName |
Data/RuleName |
target.resource.name |
|
RuleId |
Data/RuleId |
target.resource.product_object_id |
Event ID 4947
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION
target.resource.resource_type = SETTING |
|
RuleId |
Data/RuleId |
target.resource.product_object_id |
|
RuleName |
Data/RuleName |
target.resource.name |
Event ID 4948
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_DELETION
target.resource.resource_type = SETTING |
|
RuleId |
Data/RuleId |
target.resource.product_object_id |
|
RuleName |
Data/RuleName |
target.resource.name |
Event ID 4949
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 4950
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION
target.resource.resource_type = SETTING |
|
SettingType |
Data/SettingType |
target.resource.name |
Event ID 4951
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
RuleId |
Data/RuleId |
security_result.rule_id |
|
RuleName |
Data/RuleName |
security_result.rule_name |
Event ID 4952
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
RuleId |
Data/RuleId |
security_result.rule_id |
|
RuleName |
Data/RuleName |
security_result.rule_name |
Event ID 4953
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
ReasonForRejection |
Data/ReasonForRejection |
security_result.description |
|
RuleId |
Data/RuleId |
security_result.rule_id |
|
RuleName |
Data/RuleName |
security_result.rule_name |
Event ID 4954
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 4956
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 4957
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
RuleId |
Data/RuleId |
security_result.rule_id |
|
RuleName |
Data/RuleName |
security_result.rule_name |
|
RuleAttr |
Data/RuleAttr |
security_result.summary |
Event ID 4958
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Reason |
Data/Reason |
security_result.description |
|
RuleId |
Data/RuleId |
security_result.rule_id |
|
RuleName |
Data/RuleName |
security_result.rule_name |
Event ID 4960
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
RemoteAddress |
Data/RemoteAddress |
target.ip |
Event ID 4961
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
RemoteAddress |
Data/RemoteAddress |
target.ip |
Event ID 4962
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
RemoteAddress |
Data/RemoteAddress |
target.ip |
Event ID 4963
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
RemoteAddress |
Data/RemoteAddress |
target.ip |
Event ID 4964
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_LOGIN |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetDomainName |
Data/TargetDomainName |
target.administrative_domain |
|
TargetUserName |
Data/TargetUserName |
target.user.userid |
|
TargetUserSid |
Data/TargetUserSid |
target.user.windows_sid |
|
TargetLogonId |
Data/TargetLogonId |
additional.fields.key additional.fields.value.string_value |
Event ID 4965
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
RemoteAddress |
Data/RemoteAddress |
target.ip |
Event ID 4976
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
LocalAddress |
Data/LocalAddress |
principal.ip |
|
RemoteAddress |
Data/RemoteAddress |
target.ip |
Event ID 4977
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
LocalAddress |
Data/LocalAddress |
principal.ip |
|
RemoteAddress |
Data/RemoteAddress |
target.ip |
Event ID 4978
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
LocalAddress |
Data/LocalAddress |
principal.ip |
|
RemoteAddress |
Data/RemoteAddress |
target.ip |
Event ID 4979
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_UNCATEGORIZED |
|
LocalMMPrincipalName |
Data/LocalMMPrincipalName |
principal.hostname |
|
LocalAddress |
Data/LocalAddress |
principal.ip |
|
LocalKeyModPort |
Data/LocalKeyModPort |
principal.port |
|
RemoteMMPrincipalName |
Data/RemoteMMPrincipalName |
target.hostname |
|
RemoteAddress |
Data/RemoteAddress |
target.ip |
|
RemoteKeyModPort |
Data/RemoteKeyModPort |
target.port |
Event ID 4980
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_UNCATEGORIZED |
|
LocalMMPrincipalName |
Data/LocalMMPrincipalName |
principal.hostname |
|
LocalAddress |
Data/LocalAddress |
principal.ip |
|
LocalKeyModPort |
Data/LocalKeyModPort |
principal.port |
|
RemoteMMPrincipalName |
Data/RemoteMMPrincipalName |
target.hostname |
|
RemoteAddress |
Data/RemoteAddress |
target.ip |
|
RemoteKeyModPort |
Data/RemoteKeyModPort |
target.port |
Event ID 4981
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_UNCATEGORIZED |
|
LocalMMPrincipalName |
Data/LocalMMPrincipalName |
principal.hostname |
|
LocalAddress |
Data/LocalAddress |
principal.ip |
|
LocalKeyModPort |
Data/LocalKeyModPort |
principal.port |
|
RemoteMMPrincipalName |
Data/RemoteMMPrincipalName |
target.hostname |
|
RemoteAddress |
Data/RemoteAddress |
target.ip |
|
RemoteKeyModPort |
Data/RemoteKeyModPort |
target.port |
Event ID 4982
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_UNCATEGORIZED |
|
LocalMMPrincipalName |
Data/LocalMMPrincipalName |
principal.hostname |
|
LocalKeyModPort |
Data/LocalKeyModPort |
principal.port |
|
RemoteMMPrincipalName |
Data/RemoteMMPrincipalName |
target.hostname |
|
RemoteAddress |
Data/RemoteAddress |
target.ip |
|
RemoteKeyModPort |
Data/RemoteKeyModPort |
target.port |
Event ID 4983
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_UNCATEGORIZED |
|
LocalEMPrincipalName |
Data/LocalEMPrincipalName |
principal.hostname |
|
LocalAddress |
Data/LocalAddress |
principal.ip |
|
LocalKeyModPort |
Data/LocalKeyModPort |
principal.port |
|
FailureReason |
Data/FailureReason |
security_result.description |
|
RemoteEMPrincipalName |
Data/RemoteEMPrincipalName |
target.hostname |
|
RemoteAddress |
Data/RemoteAddress |
target.ip |
|
RemoteKeyModPort |
Data/RemoteKeyModPort |
target.port |
Event ID 4984
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_UNCATEGORIZED |
|
LocalEMPrincipalName |
Data/LocalEMPrincipalName |
principal.hostname |
|
LocalAddress |
Data/LocalAddress |
principal.ip |
|
LocalKeyModPort |
Data/LocalKeyModPort |
principal.port |
|
FailureReason |
Data/FailureReason |
security_result.description |
|
RemoteEMPrincipalName |
Data/RemoteEMPrincipalName |
target.hostname |
|
RemoteAddress |
Data/RemoteAddress |
target.ip |
|
RemoteKeyModPort |
Data/RemoteKeyModPort |
target.port |
Event ID 4985
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ProcessName |
Data/ProcessName |
principal.process.file.full_path |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 5002
Provider: Netwtw10
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Event ID 5005
Provider: Netwtw10
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Event ID 5007
Provider: Microsoft Antimalware
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5009
Provider: Microsoft-Windows-WAS
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
AppPoolID |
|
target.resource.name |
Event ID 5016
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: ErrorCode - %{value} |
|
CSEExtensionName |
Data/CSEExtensionName |
target.resource.name |
|
CSEExtensionId |
Data/CSEExtensionId |
target.resource.product_object_id |
Event ID 5017
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
OperationDescription |
Data/OperationDescription |
security_result.description |
|
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: ErrorCode - %{value} |
|
OperationElapsedTimeInMilliSeconds |
Data/OperationElapsedTimeInMilliSeconds |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
Event ID 5024
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5025
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5027
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
ErrorCode |
Data/ErrorCode |
security_result.description |
Event ID 5028
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
ErrorCode |
Data/ErrorCode |
security_result.description |
Event ID 5029
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
ErrorCode |
Data/ErrorCode |
security_result.description |
Event ID 5030
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
ErrorCode |
Data/ErrorCode |
security_result.description |
Event ID 5031
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
|
|
metadata.event_type = STATUS_UPDATE and security_result.action=BLOCK |
|
Application |
Data/Application |
target.application |
Event ID 5032
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE and security_result.action=BLOCK |
|
ErrorCode |
Data/ErrorCode |
security_result.description |
Event ID 5033
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5034
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5035
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5037
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5038
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = FILE_UNCATEGORIZED |
|
param1 |
Data/param1 |
target.file.full_path |
Event ID 5039
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = REGISTRY_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ProcessName |
Data/ProcessName |
principal.process.command_line |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
ObjectPath |
Data/ObjectPath |
principal.registry.registry_key |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
ObjectVirtualPath |
Data/ObjectVirtualPath |
target.registry.registry_key |
Event ID 5040
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION |
|
AuthenticationSetName |
Data/AuthenticationSetName |
target.resource.name |
|
AuthenticationSetId |
Data/AuthenticationSetId |
target.resource.product_object_id |
Event ID 5041
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION |
|
AuthenticationSetName |
Data/AuthenticationSetName |
target.resource.name |
|
AuthenticationSetId |
Data/AuthenticationSetId |
target.resource.product_object_id |
Event ID 5042
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION
target.resource.resource_type = SETTING |
|
AuthenticationSetName |
Data/AuthenticationSetName |
target.resource.name |
|
AuthenticationSetId |
Data/AuthenticationSetId |
target.resource.product_object_id |
Event ID 5043
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION |
|
ConnectionSecurityRuleId |
Data/ConnectionSecurityRuleId |
security_result.rule_id |
|
ConnectionSecurityRuleName |
Data/ConnectionSecurityRuleName |
security_result.rule_name |
Event ID 5044
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION |
|
ConnectionSecurityRuleId |
Data/ConnectionSecurityRuleId |
security_result.rule_id |
|
ConnectionSecurityRuleName |
Data/ConnectionSecurityRuleName |
security_result.rule_name |
Event ID 5045
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION
target.resource.resource_type = SETTING |
|
AuthenticationSetName |
Data/AuthenticationSetName |
target.resource.name |
|
AuthenticationSetId |
Data/AuthenticationSetId |
target.resource.product_object_id |
Event ID 5046
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION |
|
CryptographicSetName |
Data/CryptographicSetName |
target.resource.name |
|
CryptographicSetId |
Data/CryptographicSetId |
target.resource.product_object_id |
Event ID 5047
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION |
|
CryptographicSetName |
Data/CryptographicSetName |
target.resource.name |
|
CryptographicSetId |
Data/CryptographicSetId |
target.resource.product_object_id |
Event ID 5048
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION
target.resource.resource_type = SETTING |
|
CryptographicSetName |
Data/CryptographicSetName |
target.resource.name |
|
CryptographicSetId |
Data/CryptographicSetId |
target.resource.product_object_id |
Event ID 5049
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_DELETION |
|
IpSecSecurityAssociationName |
Data/IpSecSecurityAssociationName |
target.resource.name |
|
IpSecSecurityAssociationId |
Data/IpSecSecurityAssociationId |
target.resource.product_object_id |
Event ID 5050
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_STOP
target.application = "Windows Firewall" |
|
CallerProcessName |
Data/CallerProcessName |
principal.process.command_line |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
Event ID 5051
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = FILE_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
FileName |
Data/FileName |
principal.file.full_path |
|
ProcessName |
Data/ProcessName |
principal.process.file.full_path |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
VirtualFileName |
Data/VirtualFileName |
target.file.full_path |
Event ID 5056
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
Module |
Data/Module |
target.resource.name |
Event ID 5057
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
Reason |
Data/Reason |
security_result.description |
Event ID 5058
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = FILE_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
KeyUserPath |
Data/KeyFilePath |
target.file.full_path and security_result.about.file.full_path |
|
KeyName |
Data/KeyName |
target.resource.name |
version 1 /
|
NXLog field |
Event Viewer field |
UDM field |
|
ClientProcessId |
Data/ClientProcessId |
principal.process.pid |
Event ID 5059
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
ReturnCode |
Data/ReturnCode |
security_result.summary
Format: Error Code - %{value} |
|
KeyName |
Data/KeyName |
target.resource.name |
version 1 /
|
NXLog field |
Event Viewer field |
UDM field |
|
ClientProcessId |
Data/ClientProcessId |
target.process.pid |
Event ID 5060
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
Reason |
Data/Reason |
security_result.description |
Event ID 5061
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
Operation |
Data/Operation |
security_result.description |
|
ReturnCode |
Data/ReturnCode |
security_result.summary
Format: Return Code - %{value} |
|
KeyName |
Data/KeyName |
target.resource.name |
Event ID 5062
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5063
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
ModuleName |
Data/ModuleName |
target.resource.name |
Event ID 5064
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 5065
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 5066
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 5067
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 5068
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 5069
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 5070
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 5071
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
security_result.action = BLOCK |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 5074
Provider: Microsoft-Windows-WAS
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED target_process_pid set to target.process.pid |
|
AppPoolID |
|
target.resource.name |
Event ID 5077
Provider: Microsoft-Windows-WAS
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED target_process_pid set to target.process.pid |
|
AppPoolID |
|
target.resource.name |
Event ID 5116
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 5117
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 5120
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5121
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5122
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 5123
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
PropertyName |
Data/PropertyName |
target.resource.name |
Event ID 5124
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 5125
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 5126
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED |
Event ID 5127
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED |
Event ID 5136
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_MODIFICATION (ObjectClass="group")
metadata.event_type = USER_RESOURCE_UPDATE_CONTENT (other ObjectClass) |
|
ObjectGUID |
Data/ObjectGUID |
based on type of object class.
target.group.product_object_id (ObjectClass="group")
target.resource.product_object_id (other ObjectClass) |
|
AttributeValue |
Data/AttributeValue |
If AttributeLDAPDisplayName is "member" then attribute_value set to target.user.user_display_name, else attribute_value set to target.resource.name |
|
ObjectDN |
Data/ObjectDN |
If ObjectClass is "group" then object_name set to target.group.group_display_name |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 5137
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_CREATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectLogonId |
Data/SubjectLogonId |
principal.labels.key/value additional.fields.key additional.fields.value.string_value |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
ObjectGUID |
Data/ObjectGUID |
target.resource.product_object_id |
|
DSName |
Data/DSName |
target.administrative_domain |
|
DSType |
Data/DSType |
target.application |
Event ID 5138
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_CREATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
ObjectGUID |
Data/ObjectGUID |
target.resource.product_object_id |
Event ID 5139
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
ObjectGUID |
Data/ObjectGUID |
target.resource.product_object_id |
|
OldObjectDN |
Data/OldObjectDN |
target.labels.key/value additional.fields.key additional.fields.value.string_value |
|
NewObjectDN |
Data/NewObjectDN |
additional.fields.key additional.fields.value.string_value If ObjectClass = "computer", object_name is set to target.hostname If ObjectClass = "user", object_name is set to target.user.user_display_name. If ObjectClass = "group", object_name is set to target.group.group_display_name. |
Provider: Microsoft-Windows-WAS
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED target_process_pid set to target.process.pid |
|
ProtocolID |
|
network.application_protocol |
|
AppPoolID |
|
target.resource.name |
Event ID 5140
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
IpAddress |
Data/IpAddress |
principal.ip |
|
IpPort |
Data/IpPort |
principal.port |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
ShareName |
Data/ShareName |
target.resource.name |
version 1 /
|
NXLog field |
Event Viewer field |
UDM field |
|
ShareLocalPath |
Data/ShareLocalPath |
target.file.full_path |
|
AccessList |
Data/AccessList |
target.resource.attribute.permissions.name |
Event ID 5141
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_DELETION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
SubjectLogonId |
Data/SubjectLogonId |
principal.labels.key/value additional.fields.key additional.fields.value.string_value |
|
ObjectGUID |
Data/ObjectGUID |
target.resource.product_object_id |
|
ObjectClass |
Data/ObjectClass |
target.labels.key/value additional.fields.key additional.fields.value.string_value |
|
ObjectDN |
Data/ObjectDN |
If ObjectClass == "group" then object_name is set to target.group.group_display_name If ObjectClass = "computer", then object_name is set to target.hostname If ObjectClass = "user", then object_name is set to target.user.user_display_name else ObjectDN is set to target.labels.key/value ObjectClass is set to target.labels.key/value ObjectDN is set to additional.fields.key and additional.fields.value.string_value ObjectClass is set to additional.fields.key and additional.fields.value.string_value |
|
DSName |
Data/DSName |
target.administrative_domain |
|
DSType |
Data/DSType |
target.application |
Event ID 5142
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_CREATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
ShareName |
Data/ShareName |
target.resource.name |
Event ID 5143
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_UPDATE_CONTENT |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
ShareLocalPath |
Data/ShareLocalPath |
target.file.full_path |
|
ShareName |
Data/ShareName |
target.resource.name |
Event ID 5144
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_DELETION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
ShareLocalPath |
Data/ShareLocalPath |
target.file.full_path |
|
ShareName |
Data/ShareName |
target.resource.name |
Event ID 5145
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
IpAddress |
Data/IpAddress |
principal.ip |
|
IpPort |
Data/IpPort |
principal.port |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
AccessReason |
Data/AccessReason |
security_result.description |
|
ShareLocalPath |
Data/ShareLocalPath |
target.file.full_path |
|
AccessList |
Data/AccessList |
target.resource.attribute.permissions.name |
|
ShareName |
Data/ShareName |
target.resource.name |
|
RelativeTargetName |
Data/RelativeTargetName |
target.file.names |
Event ID 5146
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_UNCATEGORIZED
security_result.action = BLOCK |
|
Direction |
Data/Direction |
network.direction |
|
EtherType |
Data/EtherType |
network.ip_protocol |
|
SourceAddress |
Data/SourceAddress |
principal.ip |
|
SourcevSwitchPort |
Data/SourcevSwitchPort |
principal.port |
|
DestAddress |
Data/DestAddress |
target.ip |
|
DestinationvSwitchPort |
Data/DestinationvSwitchPort |
target.port |
Event ID 5147
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_UNCATEGORIZED
security_result.action = BLOCK |
|
Direction |
Data/Direction |
network.direction |
|
EtherType |
Data/EtherType |
network.ip_protocol |
|
SourceAddress |
Data/SourceAddress |
principal.ip |
|
DestAddress |
Data/DestAddress |
target.ip |
Event ID 5148
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE
security_result.category=NETWORK_DENIAL_OF_SERVICE
security_result.action = BLOCK |
Event ID 5149
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE
security_result.action = ALLOW |
Event ID 5150
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_UNCATEGORIZED
security_result.action = BLOCK |
|
Direction |
Data/Direction |
network.direction |
|
EtherType |
Data/EtherType |
network.ip_protocol |
|
SourceAddress |
Data/SourceAddress |
principal.ip |
|
DestAddress |
Data/DestAddress |
target.ip |
Event ID 5151
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_UNCATEGORIZED
security_result.action = BLOCK |
|
Direction |
Data/Direction |
network.direction |
|
EtherType |
Data/EtherType |
network.ip_protocol |
|
SourceAddress |
Data/SourceAddress |
principal.ip |
|
DestAddress |
Data/DestAddress |
target.ip |
Event ID 5152
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_UNCATEGORIZED
security_result.action = BLOCK |
|
Direction |
Data/Direction |
network.direction |
|
Protocol |
Data/Protocol |
network.ip_protocol |
|
Application |
Data/Application |
principal.application |
|
SourceAddress |
Data/SourceAddress |
principal.ip |
|
SourcePort |
Data/SourcePort |
principal.port |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
FilterRTID |
Data/FilterRTID |
security_result.detection_fields.key/value |
|
LayerName |
Data/LayerName |
security_result.detection_fields.key/value |
|
LayerRTID |
Data/LayerRTID |
security_result.detection_fields.key/value |
|
DestAddress |
Data/DestAddress |
target.ip |
|
DestPort |
Data/DestPort |
target.port
|
version 1 / Windows 11 and Windows Server 2022/
|
NXLog field |
Event Viewer field |
UDM field |
|
FilterOrigin |
Data/FilterOrigin |
security_result.detection_fields.key/value |
Event ID 5153
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_CONNECTION
security_result.action = BLOCK |
|
Direction |
Data/Direction |
network.direction |
|
Protocol |
Data/Protocol |
network.ip_protocol |
|
SourceAddress |
Data/SourceAddress |
principal.ip |
|
SourcePort |
Data/SourcePort |
principal.port |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
Application |
Data/Application |
target.application |
|
FilterRTID |
Data/FilterRTID |
security_result.detection_fields.key/value |
|
LayerName |
Data/LayerName |
security_result.detection_fields.key/value |
|
LayerRTID |
Data/LayerRTID |
security_result.detection_fields.key/value |
|
DestAddress |
Data/DestAddress |
target.ip |
|
DestPort |
Data/DestPort |
target.port |
version 1 / Windows 11 and Windows Server 2022/
|
NXLog field |
Event Viewer field |
UDM field |
|
FilterOrigin |
Data/FilterOrigin |
security_result.detection_fields.key/value |
Event ID 5154
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE security_result.action = ALLOW |
|
Protocol |
Data/Protocol |
network.ip_protocol |
|
Application |
Data/Application |
target.application |
|
SourceAddress |
Data/SourceAddress |
target.ip |
|
SourcePort |
Data/SourcePort |
target.port |
|
ProcessId |
Data/ProcessId |
target.process.pid |
Event ID 5155
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE
security_result.action = BLOCK |
|
Protocol |
Data/Protocol |
network.ip_protocol |
|
SourceAddress |
Data/SourceAddress |
principal.ip |
|
SourcePort |
Data/SourcePort |
principal.port |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
Application |
Data/Application |
target.application |
Event ID 5156
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_CONNECTION
security_result.action = ALLOW |
|
Direction |
Data/Direction |
network.direction |
|
Protocol |
Data/Protocol |
network.ip_protocol |
|
Application |
Data/Application |
principal.application |
|
SourceAddress |
Data/SourceAddress |
principal.ip |
|
SourcePort |
Data/SourcePort |
principal.port |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
FilterRTID |
Data/FilterRTID |
security_result.detection_fields.key/value |
|
LayerName |
Data/LayerName |
security_result.detection_fields.key/value |
|
LayerRTID |
Data/LayerRTID |
security_result.detection_fields.key/value |
|
DestAddress |
Data/DestAddress |
target.ip |
|
DestPort |
Data/DestPort |
target.port |
version 1 /
|
NXLog field |
Event Viewer field |
UDM field |
|
RemoteUserID |
Data/RemoteUserID |
target.user.userid |
|
RemoteMachineID |
Data/RemoteMachineID |
target.user.windows_sid |
Event ID 5157
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_CONNECTION
security_result.action = BLOCK |
|
Direction |
Data/Direction |
network.direction |
|
Protocol |
Data/Protocol |
network.ip_protocol |
|
Application |
Data/Application |
principal.application |
|
SourceAddress |
Data/SourceAddress |
principal.ip |
|
SourcePort |
Data/SourcePort |
principal.port |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
DestAddress |
Data/DestAddress |
target.ip |
|
DestPort |
Data/DestPort |
target.port |
|
FilterRTID |
Data/FilterRTID |
security_result.detection_fields.key/value |
|
LayerName |
Data/LayerName |
security_result.detection_fields.key/value |
|
LayerRTID |
Data/LayerRTID |
security_result.detection_fields.key/value |
version 1 /
|
NXLog field |
Event Viewer field |
UDM field |
|
FilterOrigin |
Data/FilterOrigin |
security_result.detection_fields.key/value |
|
RemoteUserID |
Data/RemoteUserID |
target.user.userid |
|
RemoteMachineID |
Data/RemoteMachineID |
target.user.windows_sid |
Event ID 5158
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE
security_result.action = ALLOW |
|
Protocol |
Data/Protocol |
network.ip_protocol |
|
Application |
Data/Application |
target.application |
|
SourceAddress |
Data/SourceAddress |
target.ip |
|
SourcePort |
Data/SourcePort |
target.port |
|
ProcessId |
Data/ProcessId |
target.process.pid |
Event ID 5159
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE
security_result.action = BLOCK |
|
Protocol |
Data/Protocol |
network.ip_protocol |
|
Application |
Data/Application |
target.application |
|
SourceAddress |
Data/SourceAddress |
target.ip |
|
SourcePort |
Data/SourcePort |
target.port |
|
ProcessId |
Data/ProcessId |
target.process.pid |
Event ID 5168
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
IpAddresses |
Data/IpAddresses |
target.ip |
Event ID 5169
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
DSName |
Data/DSName |
target.application |
|
ObjectGUID |
Data/ObjectGUID |
target.resource.product_object_id |
Event ID 5170
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_MODIFICATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
DSName |
Data/DSName |
target.application |
|
ObjectGUID |
Data/ObjectGUID |
target.resource.product_object_id |
Event ID 5186
Provider: Microsoft-Windows-WAS
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
Event ID 5257
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 5308
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
DCName |
Data/DCName |
target.administrative_domain |
|
DCIPAddress |
Data/DCIPAddress |
target.ip |
Event ID 5309
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
MachineRole |
Data/MachineRole |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
Event ID 5310
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
PrincipalCNName |
Data/PrincipalCNName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
DCDomainName |
Data/DCDomainName |
target.administrative_domain |
|
DCName |
Data/DCName |
target.hostname |
Event ID 5311
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
PolicyProcessingMode |
Data/PolicyProcessingMode |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
Event ID 5312
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
DescriptionString |
Data/DescriptionString |
security_result.description |
Event ID 5313
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
DescriptionString |
Data/DescriptionString |
security_result.description |
|
GPOInfoList |
Data/GPOInfoList |
target.resource.name |
Event ID 5314
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
LinkDescription |
Data/LinkDescription |
security_result.description |
|
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: ErrorCode - %{value} |
|
PolicyApplicationMode |
Data/PolicyApplicationMode |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
Event ID 5315
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
PrincipalSamName |
Data/PrincipalSamName |
target.hostname |
Event ID 5320
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
InfoDescription |
Data/InfoDescription |
security_result.description |
Event ID 5321
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
InfoDescription |
Data/InfoDescription |
security_result.description |
|
OperationParameter1 |
Data/OperationParameter1 |
target.resource.product_object_id |
Event ID 5324
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
SessionId |
Data/SessionId |
network.session_id |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 5326
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: ErrorCode - %{value} |
|
DCDiscoveryTimeInMilliSeconds |
Data/DCDiscoveryTimeInMilliSeconds |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
Event ID 5327
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
NetworkBandwidthInKbps |
Data/NetworkBandwidthInKbps |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
Event ID 5340
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
PolicyApplicationMode |
Data/PolicyApplicationMode |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
Event ID 5351
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 5376
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
BackupFileName |
Data/BackupFileName |
target.file.full_path |
|
ClientProcessId |
Data/ClientProcessId |
target.process.pid |
Event ID 5377
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
BackupFileName |
Data/BackupFileName |
target.file.full_path |
|
ClientProcessId |
Data/ClientProcessId |
target.process.pid |
Event ID 5378
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED and security_result.category=POLICY_VIOLATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
TargetServer |
Data/TargetServer |
target.hostname |
|
UserUPN |
Data/UserUPN |
target.user.userid |
Event ID 5379
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = RESOURCE_READ
target.resource.name = Credential Manager credentials |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ClientProcessId |
Data/ClientProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 5380
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ClientProcessId |
Data/ClientProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 5381
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ClientProcessId |
Data/ClientProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 5382
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
ClientProcessId |
Data/ClientProcessId |
principal.process.pid |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
Resource |
Data/Resource |
target.resource.name |
Event ID 5440
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5441
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5442
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5443
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5444
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5446
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
UserName |
Data/UserName |
principal.user.userid |
|
UserSid |
Data/UserSid |
principal.user.windows_sid |
Event ID 5447
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION
target.resource.resource_type set to SETTING |
|
ProviderKey |
Data/ProviderKey |
about.resource.attribute.labels.key / value |
|
ProviderName |
Data/ProviderName |
about.resource.attribute.labels.key / value |
|
ChangeType |
Data/ChangeType |
about.resource.attribute.labels.key / value |
|
FilterKey |
Data/FilterKey |
about.resource.attribute.labels.key / value |
|
FilterType |
Data/FilterType |
about.resource.attribute.labels.key / value |
|
LayerKey |
Data/LayerKey |
about.resource.attribute.labels.key / value |
|
LayerName |
Data/LayerName |
about.resource.attribute.labels.key / value |
|
LayerId |
Data/LayerId |
about.resource.attribute.labels.key / value |
|
Weight |
Data/Weight |
about.resource.attribute.labels.key / value |
|
Conditions |
Data/Conditions |
about.resource.attribute.labels.key / value |
|
Action |
Data/Action |
about.resource.attribute.labels.key / value |
|
CalloutKey |
Data/CalloutKey |
about.resource.attribute.labels.key / value |
|
CalloutName |
Data/CalloutName |
about.resource.attribute.labels.key / value |
|
|
Data/ProcessId |
principal.process.pid |
|
UserName |
Data/UserName |
principal.user.userid |
|
UserSid |
Data/UserSid |
principal.user.windows_sid |
|
FilterName |
Data/FilterName |
target.resource.name |
|
FilterId |
Data/FilterId |
target.resource.product_object_id |
Event ID 5448
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
UserName |
Data/UserName |
principal.user.userid |
|
UserSid |
Data/UserSid |
principal.user.windows_sid |
Event ID 5449
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
UserName |
Data/UserName |
principal.user.userid |
|
UserSid |
Data/UserSid |
principal.user.windows_sid |
Event ID 5450
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
UserName |
Data/UserName |
principal.user.userid |
|
UserSid |
Data/UserSid |
principal.user.windows_sid |
Event ID 5451
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
IpProtocol |
Data/IpProtocol |
network.ip_protocol |
|
LocalAddress |
Data/LocalAddress |
principal.ip |
|
LocalPort |
Data/LocalPort |
principal.port |
|
RemoteAddress |
Data/RemoteAddress |
target.ip |
|
RemotePort |
Data/RemotePort |
target.port |
Event ID 5452
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
IpProtocol |
Data/IpProtocol |
network.ip_protocol |
|
LocalAddress |
Data/LocalAddress |
principal.ip |
|
LocalPort |
Data/LocalPort |
principal.port |
|
RemoteAddress |
Data/RemoteAddress |
target.ip |
|
RemotePort |
Data/RemotePort |
target.port |
Event ID 5453
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5456
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Policy |
Data/Policy |
target.resource.name |
Event ID 5457
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Policy |
Data/Policy |
target.resource.name |
Event ID 5458
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Policy |
Data/Policy |
target.resource.name |
Event ID 5459
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Error |
Data/Error |
security_result.summary
Format - Error Code: %{value} |
|
Policy |
Data/Policy |
target.resource.name |
Event ID 5460
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Policy |
Data/Policy |
target.resource.name |
Event ID 5461
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Error |
Data/Error |
security_result.summary
Format - Error Code: %{value} |
|
Policy |
Data/Policy |
target.resource.name |
Event ID 5462
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Error |
Data/Error |
security_result.summary
Format - Error Code: %{value} |
|
Policy |
Data/Policy |
target.resource.name |
Event ID 5463
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5464
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5465
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5466
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5467
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5468
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5471
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Policy |
Data/Policy |
target.resource.name |
Event ID 5472
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Error |
Data/Error |
security_result.summary
Format - Error Code: %{value} |
|
Policy |
Data/Policy |
target.resource.name |
Event ID 5473
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Policy |
Data/Policy |
target.resource.name |
Event ID 5474
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Error |
Data/Error |
security_result.summary
Format - Error Code: %{value} |
|
Policy |
Data/Policy |
target.resource.name |
Event ID 5477
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5478
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_START
target.application = "IPsec Policy Agent service" |
Event ID 5479
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_STOP
target.application = "IPsec Policy Agent service" |
Event ID 5480
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5483
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Error |
Data/Error |
security_result.summary
Format - Error Code: %{value} |
Event ID 5484
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Error |
Data/Error |
security_result.summary
Format - Error Code: %{value} |
Event ID 5485
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5615
Provider: Microsoft-Windows-WMI
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_START
target.application = "Windows Management Instrumentation" |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 5617
Provider: Microsoft-Windows-WMI
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_START
target.application = "Windows Management Instrumentation" |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 5632
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_CONNECTION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
LocalMac |
Data/LocalMac |
principal.mac |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
ReasonText |
Data/ReasonText |
security_result.description |
|
PeerMac |
Data/PeerMac |
target.mac |
Event ID 5633
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_CONNECTION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
ReasonText |
Data/ReasonText |
security_result.description |
Event ID 5712
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
ProcessName |
Data/ProcessName |
principal.process.file.full_path |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
|
RemoteIpAddress |
Data/RemoteIpAddress |
target.ip |
|
RemotePort |
Data/RemotePort |
target.port |
Event ID 5719
Provider: NETLOGON
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5721
Provider: NETLOGON
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5722
Provider: NETLOGON
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Data_2 |
|
security_result.summary
Format: %{Data_2} - %{Extract description from Message} |
|
Data |
|
target.hostname |
Event ID 5723
Provider: NETLOGON
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Data |
|
target.hostname |
Event ID 5774
Provider: NETLOGON
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5775
Provider: NETLOGON
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5781
Provider: NETLOGON
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5782
Provider: NETLOGON
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5802
Provider: NETLOGON
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5805
Provider: NETLOGON
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Data |
|
target.hostname |
Event ID 5807
Provider: NETLOGON
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5823
Provider: NETLOGON
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 5827
Provider: NETLOGON
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Data |
|
target.hostname |
Event ID 5830
Provider: NETLOGON
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE target_hostname set to target.hostname |
Event ID 5857
Provider: Microsoft-Windows-WMI-Activity
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
ProcessID |
Data/ProcessID |
target.process.pid |
|
Code |
Data/Code |
security_result.summary is set to "Code - %{Code}" |
|
HostProcess |
Data/HostProcess |
target.process.file.full_path |
|
ProviderPath |
Data/ProviderPath |
target.file.full_path |
Event ID 5858
Provider: Microsoft-Windows-WMI-Activity
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
ClientMachine |
Data/ClientMachine |
principal.hostname |
|
User |
Data/User |
principal.user.windows_sid |
|
ClientProcessId |
Data/ClientProcessId |
principal.process.pid |
|
PossibleCause |
Data/PossibleCause |
security_result.description |
Event ID 5859
Provider: Microsoft-Windows-WMI-Activity
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
NamespaceName |
Data/NamespaceName |
target.file.full_path |
|
User |
Data/User |
principal.user.windows_sid |
|
ProcessID |
Data/ProcessID |
target.process.pid |
|
PossibleCause |
Data/PossibleCause |
security_result.description |
Event ID 5860
Provider: Microsoft-Windows-WMI-Activity
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
NamespaceName |
Data/NamespaceName |
target.file.full_path |
|
User |
Data/User |
principal.user.windows_sid |
|
Processid |
Data/User |
target.process.pid |
|
ClientMachine |
Data/ClientMachine |
principal.hostname |
|
PossibleCause |
Data/PossibleCause |
security_result.description |
Event ID 5861
Provider: Microsoft-Windows-WMI-Activity
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_START
target.application" set to "%{SourceName}" security_result.summary" set to "%{Channel}" |
|
Message |
System/Message |
Namespace set to target.file.full_path |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
PossibleCause |
Data/PossibleCause |
security_result.description |
Event ID 5888
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_UPDATE_CONTENT |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
ObjectCollectionName |
Data/ObjectCollectionName |
target.resource.name |
|
ModifiedObjectProperties |
Data/ModifiedObjectProperties |
We can use target.resource.attribute.labels.key/value UDM mappings as follows (check whether it is possible by using kv in conf):
target.resource.attribute.labels.key = "<Property_Name>_OLD_VALUE" target.resource.attribute.labels.value= "<OLD_VALUE>" target.resource.attribute.labels.key = "<Property_Name>_NEW_VALUE" target.resource.attribute.labels.value= "<NEW_VALUE>" |
Event ID 5889
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_DELETION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
Event ID 5890
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_CREATION |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
ObjectCollectionName |
Data/ObjectCollectionName |
target.resource.name |
Event ID 6000
Windows 10 client / Provider: Microsoft-Windows-Winlogon
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE
target.application = "winlogon notification subscriber" |
Provider: Microsoft-Windows-Eventlog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Channel |
Data/Channel |
target.file.full_path |
Event ID 6001
Windows 10 client / Provider: Microsoft-Windows-Winlogon
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE
target.application = "winlogon notification subscriber" |
Event ID 6003
Windows 10 client / Provider: Microsoft-Windows-Winlogon
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE
target.application = "winlogon notification subscriber" |
Event ID 6005
Windows Server 2019 / Provider: Microsoft-Windows-Winlogon
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE
target.application = "winlogon notification subscriber" |
Provider: EventLog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_START |
|
|
|
metadata.event_type = SERVICE_START
target.application = "%{SourceName}" |
|
SourceName |
|
target.application |
Event ID 6006
Windows 10 client / Provider: EventLog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_STOP |
|
SourceName |
|
target.application |
|
|
|
metadata.event_type = SERVICE_STOP
target.application = "%{SourceName}" |
Provider: Microsoft-Windows-W3LOGSVC
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_STOP |
|
Message |
|
security_result.summary |
|
SourceName |
|
target.application |
|
ProcessId |
|
target.process.pid |
Event ID 6008
Provider: EventLog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_STOP
target.application = "%{SourceName}" |
Event ID 6009
Provider: EventLog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 6011
Provider: EventLog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Message |
|
Extract hostnames and map old value with principal.hostname and new modified value to target.hostname |
Event ID 6013
Provider: EventLog
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 6038
Provider: LsaSrv
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 6062
Provider: Netwtw10
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Event ID 6100
Provider: Microsoft-Windows-Diagnostics-Networking
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 6144
Provider: LsaSrv
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 6145
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 6148
Provider: LsaSrv
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SCAN_UNCATEGORIZED |
Event ID 6149
Provider: LsaSrv
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SCAN_UNCATEGORIZED |
Event ID 6272
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS
security_result.action = ALLOW |
|
SubjectMachineName |
Data/SubjectMachineName |
principal.user.userid |
|
SubjectMachineSID |
Data/SubjectMachineSID |
principal.user.windows_sid |
|
SubjectDomainName |
Data/SubjectDomainName |
target.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
target.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
target.user.windows_sid |
Event ID 6273
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS
security_result.action = BLOCK |
|
SubjectMachineName |
Data/SubjectMachineName |
principal.user.userid |
|
SubjectMachineSID |
Data/SubjectMachineSID |
principal.user.windows_sid |
|
Reason |
Data/Reason |
security_result.summary |
|
SubjectDomainName |
Data/SubjectDomainName |
target.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
target.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
target.user.windows_sid |
Event ID 6274
version 1 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS
security_result.action = BLOCK |
|
SubjectMachineName |
Data/SubjectMachineName |
principal.user.userid |
|
SubjectMachineSID |
Data/SubjectMachineSID |
principal.user.windows_sid |
|
SubjectDomainName |
Data/SubjectDomainName |
target.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
target.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
target.user.windows_sid |
Event ID 6275
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS
security_result.action = BLOCK |
|
SubjectMachineName |
Data/SubjectMachineName |
principal.user.userid |
|
SubjectMachineSID |
Data/SubjectMachineSID |
principal.user.windows_sid |
|
Reason |
Data/Reason |
security_result.summary |
|
SubjectDomainName |
Data/SubjectDomainName |
target.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
target.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
target.user.windows_sid |
Event ID 6276
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_CHANGE_PERMISSIONS
security_result.action = QUARANTINE |
|
MachineInventory |
Data/MachineInventory |
principal.asset.platform_software.platform_version |
|
SubjectMachineName |
Data/SubjectMachineName |
principal.user.userid |
|
SubjectMachineSID |
Data/SubjectMachineSID |
principal.user.windows_sid |
|
SubjectDomainName |
Data/SubjectDomainName |
target.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
target.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
target.user.windows_sid |
Event ID 6277
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_CHANGE_PERMISSIONS
security_result.action = ALLOW_WITH_MODIFICATION |
|
CalledStationID |
Data/CalledStationID |
principal.asset.platform_software.platform_version |
|
FullyQualifiedSubjectMachineName |
Data/FullyQualifiedSubjectMachineName |
principal.user.userid |
|
SubjectMachineName |
Data/SubjectMachineName |
principal.user.windows_sid |
|
SubjectDomainName |
Data/SubjectDomainName |
target.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
target.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
target.user.windows_sid |
Event ID 6278
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_CHANGE_PERMISSIONS
security_result.action = ALLOW |
|
MachineInventory |
Data/MachineInventory |
principal.asset.platform_software.platform_version |
|
SubjectMachineName |
Data/SubjectMachineName |
principal.user.userid |
|
SubjectMachineSID |
Data/SubjectMachineSID |
principal.user.windows_sid |
|
SubjectDomainName |
Data/SubjectDomainName |
target.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
target.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
target.user.windows_sid |
Event ID 6279
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_CHANGE_PERMISSIONS
security_result.action = BLOCK |
|
SubjectDomainName |
Data/SubjectDomainName |
target.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
target.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
target.user.windows_sid |
Event ID 6280
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_CHANGE_PERMISSIONS
security_result.action = ALLOW |
|
SubjectDomainName |
Data/SubjectDomainName |
target.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
target.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
target.user.windows_sid |
Event ID 6281
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = FILE_UNCATEGORIZED |
|
param1 |
Data/param1 |
target.file.full_path |
Event ID 6313
Provider: ADSync
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Data |
|
principal.administrative_domain |
Event ID 6400
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
ClientIPAddress |
Data/ClientIPAddress |
principal.ip |
Event ID 6401
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
ClientIPAddress |
Data/ClientIPAddress |
principal.ip |
Event ID 6402
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
ClientIPAddress |
Data/ClientIPAddress |
principal.ip |
Event ID 6403
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 6404
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
ErrorCode |
Data/ErrorCode |
security_result.description |
Event ID 6405
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 6406
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 6407
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 6408
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 6409
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 6410
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = FILE_UNCATEGORIZED |
|
param1 |
Data/param1 |
target.file.full_path |
Event ID 6416
version 0 / Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED resource.resource_type set to "DEVICE" |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
ClassId |
Data/ClassId |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
VendorIds |
Data/VendorIds |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
CompatibleIds |
Data/CompatibleIds |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
LocationInformation |
Data/LocationInformation |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
version 1 /
|
NXLog field |
Event Viewer field |
UDM field |
|
DeviceDescription |
Data/DeviceDescription |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
ClassName |
Data/ClassName |
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
DeviceId |
Data/DeviceId |
target.resource.product_object_id |
Event ID 6417
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
Event ID 6418
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
ProcessId |
Data/ProcessId |
principal.process.pid |
Event ID 6419
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
DeviceId |
Data/DeviceId |
target.resource.id |
|
DeviceDescription |
Data/DeviceDescription |
target.resource.name |
Event ID 6420
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS
Set security_result.action="BLOCK" |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
DeviceId |
Data/DeviceId |
target.resource.id |
|
DeviceDescription |
Data/DeviceDescription |
target.resource.name |
Event ID 6421
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
DeviceId |
Data/DeviceId |
target.resource.id |
|
DeviceDescription |
Data/DeviceDescription |
target.resource.name |
Event ID 6422
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS
Set security_result.action="ALLOW" |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
DeviceId |
Data/DeviceId |
target.resource.id |
|
DeviceDescription |
Data/DeviceDescription |
target.resource.name |
Event ID 6423
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS
Set security_result.action="BLOCK" |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
DeviceId |
Data/DeviceId |
target.resource.id |
|
DeviceDescription |
Data/DeviceDescription |
target.resource.name |
Event ID 6424
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_RESOURCE_ACCESS
Set security_result.action="ALLOW" |
|
SubjectDomainName |
Data/SubjectDomainName |
principal.administrative_domain |
|
SubjectUserName |
Data/SubjectUserName |
principal.user.userid |
|
SubjectUserSid |
Data/SubjectUserSid |
principal.user.windows_sid |
|
DeviceId |
Data/DeviceId |
target.resource.id |
|
DeviceDescription |
Data/DeviceDescription |
target.resource.name |
Event ID 6946
Provider: ADSync
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Data |
|
security_result.description |
Event ID 6952
Provider: ADSync
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED If required fields for above mentioned metadata.event_type are not present, then set metadata.event_type to STATUS_UPDATE. |
|
Data |
|
security_result.description |
Event ID 7000
Provider: Service Control Manager
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED Extract error and map it to security_result.summary |
|
param1 |
Data/param1 |
target.application |
Event ID 7001
Provider: Microsoft-Windows-Winlogon
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
UserSid |
Data/UserSid |
principal.user.windows_sid |
Event ID 7002
Provider: Microsoft-Windows-Winlogon
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserSid |
Data/UserSid |
principal.user.windows_sid |
Provider: Netwtw10
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Event ID 7003
Provider: Netwtw10
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Event ID 7005
Provider: Netwtw10
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Event ID 7009
Provider: Service Control Manager
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED |
|
param2 |
Data/param2 |
target.application |
Event ID 7010
Provider: Netwtw10
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Event ID 7011
Windows Server 2019 / Provider: Service Control Manager
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED |
|
param1 |
Data/param1 |
target.application |
Provider: Netwtw10
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Event ID 7012
Provider: Netwtw10
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Event ID 7017
Provider: Netwtw10
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Event ID 7021
Provider: Netwtw10
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Data |
|
target.hostname |
|
Data_1 |
|
target.resource.name |
Event ID 7022
Provider: Service Control Manager
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_START |
|
param1 |
Not available |
target.application |
Event ID 7023
Windows 10 client / Provider: Service Control Manager
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_STOP Extract error and map it to security_result.summary |
|
param1 |
Data/param1 |
target.application |
|
|
|
metadata.event_type = SERVICE_STOP |
|
param2 |
Not available |
security_result.description
Format: Error Code - %{value} |
|
param1 |
Not available |
target.application |
Event ID 7024
Provider: Service Control Manager
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_STOP |
|
param2 |
Not available |
security_result.description
Format: Error Code - %{value} |
|
param1 |
Not available |
target.application |
Event ID 7025
Provider: Netwtw10
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED Message set to security_result.summary |
Event ID 7026
Provider: Netwtw10
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED Message set to security_result.summary |
Provider: Service Control Manager
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_START
target.resource.resource_type = DEVICE target.resource.resource_subtype = "boot-start or system-start driver" |
|
param1 |
Not available |
target.application |
Event ID 7031
Provider: Service Control Manager
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_STOP |
|
param1 |
Not available |
target.application |
Event ID 7032
Provider: Service Control Manager
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_STOP |
|
param2 |
Not available |
security_result.action_details |
|
param4 |
Not available |
security_result.description
Error Code: %{value} |
|
param3 |
Not available |
target.application |
Event ID 7034
Provider: Service Control Manager
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_STOP
security_result.action = BLOCK |
|
param1 |
Not available |
target.application |
Event ID 7036
Provider: Netwtw10
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Provider: Service Control Manager
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
If the param2 log field value is equal to stopped, then the
metadata.event_type UDM field is set to SERVICE_STOP.Else, if the param2 log field value is equal to start, then the
metadata.event_type UDM field is set to SERVICE_START.Else, if the param2 log field value is equal to running,
then the metadata.event_type UDM field is set to SERVICE_UNSPECIFIED.
|
|
param1 |
Not available |
target.application |
|
param2 |
Not available |
If the |
Event ID 7038
Provider: Service Control Manager
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED |
|
param2 |
|
principal.hostname |
|
param3 |
|
security_result.description
Format: %{param3} - %{Extract description from Message} |
|
param1 |
|
target.application |
Event ID 7040
Provider: Service Control Manager
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_MODIFICATION |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
param1 |
Data/param1 |
target.application |
Event ID 7042
Windows Server 2019 / Provider: Service Control Manager
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_STOP |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
param1 |
Data/param1 |
target.application |
Event ID 7045
Provider: Service Control Manager
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_CREATION |
|
ServiceName |
Data/ServiceName |
target.application |
|
ImagePath |
Data/ImagePath |
target.process.file.full_path |
|
UserID |
System/UserID |
target.user.windows_sid |
Event ID 8000
Provider: Netwtw10
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
Provider: Microsoft-Windows-AppLocker
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Status |
|
security_result.summary |
Event ID 8003
Provider: bowser
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Data_1 |
|
target.hostname |
|
Data_2 |
|
target.resource.product_object_id |
Provider: Microsoft-Windows-AppLocker
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
RuleId |
|
security_result.rule_id |
|
TargetUser |
|
target.user.userid |
|
TargetProcessId |
|
target.process.pid |
|
FullFilePath |
|
target.process.file.full_path |
|
FilePath |
|
target.file.full_path |
|
FileHash |
|
target.file.sha256 |
|
Fqbn |
|
target.group.group_display_name |
|
TargetLogonId |
Data/TargetLogonId |
additional.fields.key additional.fields.value.string_value |
Event ID 8004
Provider: Microsoft-Windows-AppLocker
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
RuleId |
|
security_result.rule_id |
|
TargetUser |
|
target.user.userid |
|
TargetProcessId |
|
target.process.pid |
|
FullFilePath |
|
target.process.file.full_path |
|
FilePath |
|
target.file.full_path |
|
FileHash |
|
target.file.sha256 |
|
Fqbn |
|
target.group.group_display_name |
|
TargetLogonId |
Data/TargetLogonId |
additional.fields.key additional.fields.value.string_value |
Event ID 8005
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.description |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: ErrorCode - %{value} |
|
PrincipalSamName |
Data/PrincipalSamName |
target.hostname |
|
TargetLogonId |
Data/TargetLogonId |
additional.fields.key additional.fields.value.string_value |
Event ID 8006
Provider: Microsoft-Windows-GroupPolicy
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.attribute.roles.name |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ErrorCode |
Data/ErrorCode |
security_result.summary
Format: ErrorCode - %{value} |
|
PrincipalSamName |
Data/PrincipalSamName |
target.hostname |
Provider: Microsoft-Windows-AppLocker
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
RuleId |
|
security_result.rule_id |
|
TargetUser |
|
target.user.userid |
|
TargetProcessId |
|
target.process.pid |
|
FullFilePath |
|
target.process.file.full_path |
|
FilePath |
|
target.file.full_path |
|
FileHash |
|
target.file.sha256 |
|
Fqbn |
|
target.group.group_display_name |
Event ID 8007
Provider: Microsoft-Windows-AppLocker
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
RuleId |
|
security_result.rule_id |
|
TargetUser |
|
target.user.userid |
|
TargetProcessId |
|
target.process.pid |
|
FullFilePath |
|
target.process.file.full_path |
|
FilePath |
|
target.file.full_path |
|
FileHash |
|
target.file.sha256 |
|
Fqbn |
|
target.group.group_display_name |
Event ID 8008
Provider: Microsoft-Windows-UserPnp
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 8009
Provider: Microsoft-Windows-UserPnp
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
ErrorCode |
Data/ErrorCode |
security_result.summary set to ErrorCode - %{ErrorCode} |
Event ID 8010
Provider: Microsoft-Windows-DNS-Client
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
DnsServerList |
|
intermediary.ip |
|
Ipaddress |
|
target.ip |
|
ErrorCode |
Data/ErrorCode |
security_result.summary summary set to ErrorCode - %{ErrorCode} |
Event ID 8015
Provider: Microsoft-Windows-DNS-Client
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
DnsServerList |
|
intermediary.ip |
|
Ipaddress |
|
target.ip |
|
ErrorCode |
Data/ErrorCode |
security_result.summary summary set to ErrorCode - %{ErrorCode} |
Event ID 8017
Provider: Microsoft-Windows-DNS-Client
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
DnsServerList |
|
intermediary.ip |
|
Ipaddress |
|
target.ip |
|
ErrorCode |
Data/ErrorCode |
security_result.summary summary set to ErrorCode - %{ErrorCode} |
Event ID 8018
Provider: Microsoft-Windows-DNS-Client
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
DnsServerList |
|
intermediary.ip |
|
Ipaddress |
|
target.ip |
|
ErrorCode |
Data/ErrorCode |
security_result.summary summary set to ErrorCode - %{ErrorCode} |
Event ID 8019
Provider: Microsoft-Windows-DNS-Client
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
DnsServerList |
|
intermediary.ip |
|
Ipaddress |
|
target.ip |
|
ErrorCode |
Data/ErrorCode |
security_result.summary summary set to ErrorCode - %{ErrorCode} |
Event ID 8020
Provider: Microsoft-Windows-UserPnp
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Provider: Microsoft-Windows-DNS-Client
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
DnsServerList |
|
intermediary.ip |
|
Ipaddress |
|
target.ip |
|
ErrorCode |
Data/ErrorCode |
security_result.summary summary set to ErrorCode - %{ErrorCode} |
Event ID 8021
Provider: Microsoft-Windows-UserPnp
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Provider: BROWSER
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Provider: Microsoft-Windows-AppLocker
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
RuleId |
|
security_result.rule_id |
|
TargetUser |
|
target.user.userid |
|
TargetProcessId |
|
target.process.pid |
|
Fqbn |
|
target.group.group_display_name |
Event ID 8022
Provider: Microsoft-Windows-UserPnp
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Provider: Microsoft-Windows-AppLocker
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
RuleId |
|
security_result.rule_id |
|
TargetUser |
|
target.user.userid |
|
TargetProcessId |
|
target.process.pid |
|
Fqbn |
|
target.group.group_display_name |
Event ID 8025
Provider: Microsoft-Windows-AppLocker
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
RuleId |
|
security_result.rule_id |
|
TargetUser |
|
target.user.userid |
|
TargetProcessId |
|
target.process.pid |
|
Fqbn |
|
target.group.group_display_name |
Event ID 8027
Provider: Microsoft-Windows-DNS-Client
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
DnsServerList |
|
intermediary.ip |
|
Ipaddress |
|
target.ip |
|
ErrorCode |
Data/ErrorCode |
security_result.summary summary set to ErrorCode - %{ErrorCode} |
Event ID 8030
Provider: Microsoft-Windows-UserPnp
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 8033
Provider: Microsoft-Windows-DNS-Client
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
DnsServerList |
|
intermediary.ip |
|
Ipaddress |
|
target.ip |
|
ErrorCode |
Data/ErrorCode |
security_result.summary summary set to ErrorCode - %{ErrorCode} |
Event ID 8191
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 8193
Provider: VSS
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE target.application = %{SourceName} |
Event ID 8198
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
|
Not available |
metadata.event_type = STATUS_UPDATE |
Event ID 8222
Provider: VSSAudit
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
|
principal.administrative_domain |
|
AccountType |
|
principal.user.attribute.roles.name |
|
Data_3 |
|
target.process.file.full_path |
|
Data_8 |
|
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
Data_9 |
|
target.resource.name |
Event ID 8223
Provider: VSSAudit
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
Data_7 |
|
target.resource.attribute.labels.key target.resource.attribute.labels.value |
|
Data_8 |
|
target.resource.name |
Event ID 8224
Provider: VSS
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_STOP |
|
SourceName |
Not available |
target.application |
Event ID 8225
Provider: VSS
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_STOP |
|
SourceName |
Not available |
target.application |
Event ID 8230
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
|
Not available |
metadata.event_type = STATUS_UPDATE |
Event ID 9007
Provider: nhi
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 9008
Provider: nhi
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 9027
Provider: Desktop Window Manager
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
Event ID 10000
Windows Server 2019 / Provider: Microsoft-Windows-DistributedCOM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
param1 |
Data/param1 |
target.process.command_line |
Provider: Microsoft-Windows-DriverFrameworks-UserMode
|
NXLog field |
Event Viewer field |
UDM field |
||
|
|
|
metadata.event_type = STATUS_UPDATE
|
|
|
|
|
|
target.resource.id |
Event ID 10001
Provider: Microsoft-Windows-DistributedCOM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
param3 |
Data/param3 |
target.application |
|
param1 |
Data/param1 |
target.process.command_line |
Provider: Microsoft-Windows-WLAN-AutoConfig
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_START |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ExtensibleModulePath |
Data/ExtensibleModulePath |
target.process.file.full_path |
Provider: Microsoft-Windows-DriverFrameworks-UserMode
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED |
|
ServiceName |
|
target.application |
|
CLSID |
|
target.labels.key/value additional.fields.key additional.fields.value.string_value |
Event ID 10002
Provider: Microsoft-Windows-WLAN-AutoConfig
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_STOP |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ExtensibleModulePath |
Data/ExtensibleModulePath |
target.process.file.full_path |
Provider: Microsoft-Windows-DriverFrameworks-UserMode
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED |
|
ServiceName |
|
target.application |
|
CLSID |
|
target.labels.key/value additional.fields.key additional.fields.value.string_value |
Event ID 10004
Provider: Microsoft-Windows-WLAN-AutoConfig
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
ExtensibleModulePath |
|
target.process.file.full_path |
Event ID 10005
Provider: Microsoft-Windows-DistributedCOM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_UNSPECIFIED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
param2 |
Data/param2 |
target.application |
Event ID 10010
Provider: Microsoft-Windows-DistributedCOM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 10016
Provider: Microsoft-Windows-DistributedCOM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION
target.resource.resource_type set to SETTING |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
param7 |
Data/param7 |
target.administrative_domain |
|
param10 |
Data/param10 |
target.application |
|
param1 |
Data/param1 |
target.resource.attribute.permissions.name |
|
param5 |
Data/param5 |
target.resource.product_object_id |
|
param6 |
Data/param6 |
target.user.userid |
|
param8 |
Data/param8 |
target.user.windows_sid |
Event ID 10100
Provider: Microsoft-Windows-DriverFrameworks-UserMode
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 10111
Provider: Microsoft-Windows-DriverFrameworks-UserMode
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
InstanceId |
|
target.resource.id |
Event ID 10118
Provider: Microsoft-Windows-DriverFrameworks-UserMode
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_AUDIT_LOG_UNCATEGORIZED |
Event ID 10020
Provider: Microsoft-Windows-DistributedCOM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
param2 |
|
security_result.summary |
Event ID 10028
Provider: Microsoft-Windows-DistributedCOM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = NETWORK_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
param3 |
Data/param3 |
principal.process.file.full_path |
|
param2 |
Data/param2 |
principal.process.pid |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
param1 |
Data/param1 |
target.ip |
Event ID 10036
Provider: Microsoft-Windows-DistributedCOM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
Domain Name |
Data/Domain Name |
target.administrative_domain |
|
Client IP Address |
Data/Client IP Address |
target.ip |
|
User Name |
Data/User Name |
target.user.user_display_name |
|
SID |
Data/SID |
target.user.windows_sid |
Event ID 10110
Provider: Microsoft-Windows-DriverFrameworks-UserMode
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Status |
|
security_result.summary |
Event ID 10148
Windows 10 client / Provider: Microsoft-Windows-WinRM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 10149
Windows 10 client / Provider: Microsoft-Windows-WinRM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 10154
Windows 10 client / Provider: Microsoft-Windows-WinRM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 10317
Provider: Microsoft-Windows-NDIS
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
AdapterName |
|
target.resource.name |
|
UserID |
|
principal.user.windows_sid |
Event ID 10400
Provider: Microsoft-Windows-NDIS
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
AdapterName |
|
target.resource.name |
Event ID 11707
Provider: MsiInstaller
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
Message |
|
target.application Extract product_name from Message field and map it to target.application |
Event ID 12294
Provider: Microsoft-Windows-Directory-Services-SAM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
UserName |
|
target.user.userid |
Event ID 14204
Provider: Microsoft-Windows-WMPNSS-Service
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_START |
|
ServiceName |
|
target.application |
Event ID 14205
Provider: Microsoft-Windows-WMPNSS-Service
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_STOP |
|
ServiceName |
|
target.application |
Event ID 14531
Provider: Microsoft-Windows-DfsSvc
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 14533
Provider: Microsoft-Windows-DfsSvc
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 14554
Provider: Microsoft-Windows-DfsSvc
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 15007
Provider: Microsoft-Windows-HttpEvent
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Url |
Data/Url |
target.url |
Event ID 15008
Provider: Microsoft-Windows-HttpEvent
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Url |
Data/Url |
target.url |
Event ID 15021
Provider: Microsoft-Windows-HttpEvent
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Endpoint |
|
target.ip and target.port |
|
DeviceObject |
|
target.resource.name |
Event ID 15301
Provider: Microsoft-Windows-HttpEvent
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_CREATION |
|
Endpoint |
Data/Endpoint |
target.ip and target.port |
Event ID 16384
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
|
Not available |
metadata.event_type = SERVICE_START
target.application = "Software Protection" |
version 0 / Provider: Microsoft-Windows-Bits-Client
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Title |
Data/Title |
security_result.summary |
|
User |
Data/User |
target.user.userid |
Event ID 16385
version 0 / Provider: Microsoft-Windows-Bits-Client
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Id |
Data/Id |
target.resource.product_object_id |
|
Title |
Data/Title |
target.resource.name |
|
User |
Data/User |
target.user.userid |
|
FileList |
Data/FileList |
target.file.full_path |
Event ID 16388
version 0 / Provider: Microsoft-Windows-Bits-Client
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Title |
Data/Title |
security_result.summary |
|
User |
Data/User |
target.user.userid |
Event ID 16392
version 0 / Provider: Microsoft-Windows-Bits-Client
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
ErrorCode |
Data/ErrorCode |
security_result.summary is set to "ErrorCode: %{ErrorCode}" |
Event ID 16394
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
|
Not available |
metadata.event_type = STATUS_UPDATE |
Event ID 16401
Provider: Microsoft-Windows-Directory-Services-SAM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ErrorMessage |
Data/ErrorMessage |
security_result.description |
|
GroupName |
Data/GroupName |
target.group.group_display_name |
Event ID 16413
Provider: Microsoft-Windows-Directory-Services-SAM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = GROUP_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
ErrorString |
Data/ErrorString |
security_result.description |
|
GroupName |
Data/GroupName |
target.group.group_display_name |
Event ID 16647
Provider: Microsoft-Windows-Directory-Services-SAM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 16648
Provider: Microsoft-Windows-Directory-Services-SAM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 16962
Provider: Microsoft-Windows-Directory-Services-SAM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 16963
Provider: Microsoft-Windows-Directory-Services-SAM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
Registry SD String |
Data/Registry SD String |
target.registry.registry_value_name |
Event ID 16966
Provider: Microsoft-Windows-Directory-Services-SAM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 16969
Provider: Microsoft-Windows-Directory-Services-SAM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 16977
Provider: Microsoft-Windows-Directory-Services-SAM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION
target.resource.resource_type = SETTING |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
version 0 / Provider: Microsoft-Windows-Directory-Services-SAM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION
target.resource.resource_type = SETTING |
Event ID 16978
version 0 / Provider: Microsoft-Windows-Directory-Services-SAM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION target.resource.resource_type = SETTING |
|
AccountName |
Data/AccountName |
target.user.userid |
Event ID 16979
version 0 / Provider: Microsoft-Windows-Directory-Services-SAM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION target.resource.resource_type = SETTING |
Event ID 16982
version 0 / Provider: Microsoft-Windows-Directory-Services-SAM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
Event ID 16983
Provider: Microsoft-Windows-Directory-Services-SAM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
version 0 / Provider: Microsoft-Windows-Directory-Services-SAM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 16984
Provider: Microsoft-Windows-Directory-Services-SAM
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 18452
Provider: MSSQL$ENTERPRISE191
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_LOGIN, If complete_username or database_name is not empty, otherwise metadata.event_type = USER_UNCATEGORIZED
security_result.category = AUTH_VIOLATION |
|
Message |
System/Message |
client_ip set to principal.ip database_name set to target.hostname |
|
SourceName |
System/SourceName |
principal.application |
Event ID 18456
Provider: MSSQL$ENTERPRISE100
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_LOGIN, if complete_username or database_name is not empty, otherwise metadata.event_type = USER_UNCATEGORIZED
security_result.category = AUTH_VIOLATION |
|
Message |
System/Message |
client_ip set to principal.ip database_name set to target.hostname complete_username set to target.user.userid (if UserID is empty) |
|
SourceName |
System/SourceName |
principal.application |
Provider: MSSQLSERVER
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = USER_LOGIN, if complete_username or database_name is not empty, otherwise metadata.event_type = USER_UNCATEGORIZED
security_result.category = AUTH_VIOLATION |
|
Message |
System/Message |
client_ip set to principal.ip database_name set to target.hostname complete_username set to target.user.userid (if UserID is empty) |
|
SourceName |
System/SourceName |
principal.application |
Event ID 20001
Provider: Microsoft-Windows-UserPnp
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE target_resource_name set to target.resource.name |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
Event ID 20003
Provider: Microsoft-Windows-UserPnp
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE Category set to security_result.category_details Message set to metadata.description target_resource_name set to target.resource.name |
|
|
|
metadata.event_type = STATUS_UPDATE target_resource_name set to target.resource.name |
Event ID 20063
Provider: RemoteAccess
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 20171
Provider: RemoteAccess
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 20192
Provider: RemoteAccess
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 28680
Provider: PRIVMAN
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 28701
Provider: PRIVMAN
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_HEARTBEAT
target_hostname set to target.hostname target_ip set to target.ip |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 33205
Provider: MSSQL$LABX2010$AUDIT
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Provider: MSSQL$SQL16$AUDIT
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED target_resource_name set to target.resource.name |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Provider: MSSQL$SYNEL$AUDIT
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Provider: MSSQLSERVER$AUDIT
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 36867
Provider: Schannel
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED Message set to security_result.summary |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 36868
Provider: Schannel
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
CSPName |
|
target.resource.name |
|
KeyName |
|
target.resource.product_object_id |
Event ID 36870
Provider: Schannel
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 36871
Provider: Schannel
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 36874
Provider: Schannel
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 36877
Provider: Schannel
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 36880
Provider: Schannel
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 36881
Provider: Schannel
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED Message set to security_result.summary |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 36882
Provider: Schannel
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED Message set to security_result.summary |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED
Message set to security_result.summary |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 36886
Provider: Schannel
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 36887
Provider: Schannel
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 36888
Provider: Schannel
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountType |
System/AccountType |
principal.user.attribute.roles.name |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
Event ID 40960
Provider: LsaSrv
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED |
|
Domain |
System/Domain |
principal.administrative_domain |
|
AccountName |
System/AccountName |
principal.user.userid |
|
UserID |
System/UserID |
principal.user.windows_sid |
|
Error |
|
security_result.summary |
|
Target |
|
target.hostname |
Event ID 40970
Provider: LsaSrv
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
|
Target |
Data/Target |
network.application_protocol/target.hostname/target.administrative_domain |
|
Error |
Data/Error |
security_result.summary |
Event ID 2147487656
version 0 / Provider: Microsoft-Windows-Winlogon
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE |
Event ID 3221228478
Provider: Microsoft-Windows-Wininit
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = metadata.event_type = STATUS_SHUTDOWN security_result.description" set to "ErrorCode - %{error_code}" |
Event ID 5447
Provider: Microsoft Corporation
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SETTING_MODIFICATION
target.resource.resource_type set to SETTING |
|
ProviderKey |
Data/ProviderKey |
about.resource.attribute.labels.key/value |
|
ProviderName |
Data/ProviderName |
about.resource.attribute.labels.key/value |
|
ChangeType |
Data/ChangeType |
about.resource.attribute.labels.key/value |
|
FilterKey |
Data/FilterKey |
about.resource.attribute.labels.key/value |
|
FilterType |
Data/FilterType |
about.resource.attribute.labels.key/value |
|
LayerKey |
Data/LayerKey |
about.resource.attribute.labels.key/value |
|
LayerName |
Data/LayerName |
about.resource.attribute.labels.key/value |
|
LayerId |
Data/LayerId |
about.resource.attribute.labels.key/value |
|
Weight |
Data/Weight |
about.resource.attribute.labels.key/value |
|
Conditions |
Data/Conditions |
about.resource.attribute.labels.key/value |
|
Action |
Data/Action |
about.resource.attribute.labels.key/value |
|
|
Data/ProcessId |
principal.process.pid |
|
UserName |
Data/UserName |
principal.user.userid |
|
UserSid |
Data/UserSid |
principal.user.windows_sid |
|
FilterName |
Data/FilterName |
target.resource.name |
|
FilterId |
Data/FilterId |
target.resource.product_object_id |
Event ID 403
Provider: PowerShell
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = STATUS_UPDATE
|
|
Message |
|
metadata.description NewEngineState is set to target.labels.key/value PreviousEngineState is set to target.labels.key/value HostName is set to target.hostname HostVersion is set to target.labels.key/value HostId is set to target.labels.key/value HostApplication is set to target.application EngineVersion is set to target.labels.key/value RunspaceId is set to target.labels.key/value PipelineId is set to target.labels.key/value CommandName is set to target.labels.key/value CommandType is set to target.labels.key/value ScriptName is set to target.process.file.names CommandPath is set to target.process.file.full_path CommandLine is set to target.process.command_line NewEngineState is set to additional.fields.key and additional.fields.value.string_value PreviousEngineState is set to additional.fields.key and additional.fields.value.string_value HostVersion is set to additional.fields.key and additional.fields.value.string_value HostId is set to additional.fields.key and additional.fields.value.string_value EngineVersion is set to additional.fields.key and additional.fields.value.string_value RunspaceId is set to additional.fields.key and additional.fields.value.string_value PipelineId is set to additional.fields.key and additional.fields.value.string_value CommandName is set to additional.fields.key and additional.fields.value.string_value CommandType is set to additional.fields.key and additional.fields.value.string_value |
Event ID 4105
Provider: Microsoft-Windows-PowerShell
|
NXLog field |
Event Viewer field |
UDM field |
|
|
|
metadata.event_type = SERVICE_START
|
|
UserID |
|
principal.user.windows_sid |
|
Domain |
|
principal.administrative_domain |
|
ScriptBlockId |
|
principal.resource.product_object_id |
|
SourceName |
|
target.application |
|
Category |
|
security_result.summary |
|
Message |
|
security_result.description |
|
ProcessID |
|
principal.process.pid |
|
AccountType |
|
principal.user.userid |
|
RunspaceId |
|
target.labels.key/value additional.fields.key additional.fields.value.string_value |
Event ID 105
Provider: ESENT
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE
|
||
|
Message |
|
metadata.description pid is set to target.process.pid additional_data is set to about.labels.key/value additional_data is set to additional.fields.key and additional.fields.value.string_value |
Event ID 4440
Provider: Microsoft-Windows-Complus
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE
|
||
|
Message |
|
metadata.description |
|
param1 |
|
target.labels.key/value additional.fields.key additional.fields.value.string_value |
Event ID 8200
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE
|
||
|
Message |
|
security_result.description |
Event ID 1004
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE
|
||
|
Message |
|
security_result.description |
Event ID 1014
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE
|
||
|
Message |
|
security_result.description |
Event ID 8197
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE
|
||
|
Message |
|
security_result.description RuleId is set to security_result.rule_id Action is set to security_result.action_details app_name is set to target.application AppId is set to target.labels.key/value SkuId is set to target.labels.key/value NotificationInterval is set to target.labels.key/value Trigger is set to target.labels.key/value AppId is set to additional.fields.key and additional.fields.value.string_value SkuId is set to additional.fields.key and additional.fields.value.string_value NotificationInterval is set to additional.fields.key and additional.fields.value.string_value Trigger is set to additional.fields.key and additional.fields.value.string_value |
Event ID 20482
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE
|
||
|
Message |
|
metadata.description |
Event ID 1033
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE
|
||
|
Message |
|
security_result.description DirectiveName is set to target.labels.key/value AppId is set to target.labels.key/value SkuId is set to target.labels.key/value DirectiveName is set to additional.fields.key and additional.fields.value.string_value AppId is set to additional.fields.key and additional.fields.value.string_value SkuId is set to additional.fields.key and additional.fields.value.string_value |
Event ID 1013
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE
|
||
|
Message |
metadata.description SkuId is set to target.labels.key/value SkuId is set to additional.fields.key and additional.fields.value.string_value |
|
Event ID 1067
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE
|
||
|
Message |
|
metadata.description |
Event ID 12304
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE
|
||
|
Message |
|
metadata.description |
Event ID 1036
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE
|
||
|
Message |
|
metadata.description |
Event ID 20489
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE
|
||
|
Message |
|
metadata.description |
Event ID 20481
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE
|
||
|
Message |
|
metadata.description |
Event ID 1025
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE
|
||
|
Message |
|
metadata.description product_name is set to target.application ProcessPath is set to target.process.file.full_path ProcessName is set to target.process.command_line ProcessId is set to target.process.pid |
|
Domain |
|
principal.administrative_domain |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
|
AccountType |
|
principal.user.attribute.roles.name |
Event ID 12305
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE
|
||
|
Message |
|
metadata.description |
Event ID 12311
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE
|
||
|
Message |
|
metadata.description |
Event ID 20488
Provider: Microsoft-Windows-Security-SPP
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE
|
||
|
Message |
|
metadata.description |
Event ID 1281
Provider: Microsoft-Windows-TPM-WMI
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE
|
||
|
Message |
|
metadata.description |
|
Domain |
|
principal.administrative_domain |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
|
AccountType |
|
principal.user.attribute.roles.name |
Event ID 63
Provider: Microsoft-Windows-WMI
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE
|
||
|
Message |
|
metadata.description |
Event ID 1025
Provider: MsiInstaller
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE
|
||
|
Message |
|
metadata.description product_name is set to target.application ProcessPath is set to target.process.file.full_path ProcessName is set to target.process.command_line ProcessId is set to target.process.pid |
|
Domain |
|
principal.administrative_domain |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
|
AccountType |
|
principal.user.attribute.roles.name |
Event ID 11724
Provider: MsiInstaller
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = SERVICE_START
|
||
|
Message |
|
metadata.description Product is set to target.application |
Event ID 1005
Provider: MsiInstaller
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE
|
||
|
Message |
|
metadata.description |
|
Domain |
|
principal.administrative_domain |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
|
AccountType |
|
principal.user.attribute.roles.name |
Event ID 1038
Provider: MsiInstaller
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE
|
||
|
Message |
|
metadata.description |
|
Domain |
|
principal.administrative_domain |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
|
AccountType |
|
principal.user.attribute.roles.name |
Event ID 1029
Provider: MsiInstaller
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE
|
||
|
Message |
|
metadata.description |
|
Domain |
|
principal.administrative_domain |
|
AccountName |
|
principal.user.userid |
|
UserID |
|
principal.user.windows_sid |
|
AccountType |
|
principal.user.attribute.roles.name |
Event ID 7030
Provider: Service Control Manager
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = SERVICE_UNSPECIFIED
target.appliaction is set to Printer Extensions and Notifications service
|
||
|
Message |
|
metadata.description |
Event ID 202
Provider: Microsoft-Windows-TaskScheduler
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED target.resource.resource_type = TASK |
||
|
TaskName |
target.resource.name |
|
|
ActionName |
security_result.action_details |
|
|
TaskInstanceId |
target.resource.product_object_id |
|
|
Domain |
principal.administrative_domain |
|
|
AccountName |
principal.user.attribute.roles.name |
|
|
UserID |
principal.user.windows_sid |
|
|
AccountType |
principal.user.roles.description |
Event ID 103
Provider: Microsoft-Windows-TaskScheduler
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED target.resource.resource_type = TASK |
||
|
TaskName |
target.resource.name |
|
|
TaskInstanceId |
target.resource.product_object_id |
|
|
Domain |
principal.administrative_domain |
|
|
AccountName |
principal.user.attribute.roles.name |
|
|
UserID |
principal.user.windows_sid |
|
|
AccountType |
principal.user.roles.description |
Event ID 119
Provider: Microsoft-Windows-TaskScheduler
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED target.resource.resource_type = TASK |
||
|
TaskName |
target.resource.name |
|
|
InstanceId |
target.resource.product_object_id |
|
|
Domain |
principal.administrative_domain |
|
|
AccountName |
principal.user.attribute.roles.name |
|
|
UserID |
principal.user.windows_sid |
|
|
AccountType |
principal.user.roles.description |
|
|
UserName |
target.user.user_display_name |
Event ID 141
Provider: Microsoft-Windows-TaskScheduler
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = SCHEDULED_TASK_DELETION target.resource.resource_type = TASK |
||
|
TaskName |
target.resource.name |
|
|
Domain |
principal.administrative_domain |
|
|
AccountName |
principal.user.attribute.roles.name |
|
|
UserID |
principal.user.windows_sid |
|
|
AccountType |
principal.user.roles.description |
|
|
UserName |
principal.user.user_display_name |
Event ID 106
Provider: Microsoft-Windows-TaskScheduler
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED target.resource.resource_type = TASK |
||
|
TaskName |
target.resource.name |
|
|
Domain |
principal.administrative_domain |
|
|
AccountName |
principal.user.attribute.roles.name |
|
|
UserID |
principal.user.windows_sid |
|
|
AccountType |
principal.user.roles.description |
|
|
UserContext |
target.user.user_display_name |
Event ID 108
Provider: Microsoft-Windows-TaskScheduler
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED target.resource.resource_type = TASK |
||
|
TaskName |
target.resource.name |
|
|
Domain |
principal.administrative_domain |
|
|
AccountName |
principal.user.attribute.roles.name |
|
|
UserID |
principal.user.windows_sid |
|
|
AccountType |
principal.user.roles.description |
|
|
InstanceId |
target.resource.product_object_id |
Event ID 110
Provider: Microsoft-Windows-TaskScheduler
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED target.resource.resource_type = TASK |
||
|
TaskName |
target.resource.name |
|
|
Domain |
principal.administrative_domain |
|
|
AccountName |
principal.user.attribute.roles.name |
|
|
UserID |
principal.user.windows_sid |
|
|
AccountType |
principal.user.roles.description |
|
|
InstanceId |
target.resource.product_object_id |
|
|
UserContext |
principal.user.user_display_name |
Event ID 118
Provider: Microsoft-Windows-TaskScheduler
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED target.resource.resource_type = TASK |
||
|
TaskName |
target.resource.name |
|
|
Domain |
principal.administrative_domain |
|
|
AccountName |
principal.user.attribute.roles.name |
|
|
UserID |
principal.user.windows_sid |
|
|
AccountType |
principal.user.roles.description |
|
|
InstanceId |
target.resource.product_object_id |
Event ID 142
Provider: Microsoft-Windows-TaskScheduler
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = SCHEDULED_TASK_DISABLE target.resource.resource_type = TASK |
||
|
TaskName |
target.resource.name |
|
|
Domain |
principal.administrative_domain |
|
|
AccountName |
principal.user.attribute.roles.name |
|
|
UserID |
principal.user.windows_sid |
|
|
AccountType |
principal.user.roles.description |
|
|
UserName |
principal.user.user_display_name |
Event ID 2006
Provider: ESENT
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = SERVICE_UNSPECIFIED |
||
|
Message |
metadata.description Extract PID and map it to UDM field target.process.pid |
Event ID 2001
Provider: ESENT
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = SERVICE_UNSPECIFIED |
||
|
Message |
metadata.description Extract PID and map it to UDM field target.process.pid |
Event ID 216
Provider: ESENT
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = SERVICE_UNSPECIFIED |
||
|
Message |
metadata.description Extract PID and map it to UDM field target.process.pid |
Event ID 2003
Provider: ESENT
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = SERVICE_UNSPECIFIED |
||
|
Message |
metadata.description Extract PID and map it to UDM field target.process.pid |
Event ID 2005
Provider: ESENT
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = SERVICE_UNSPECIFIED |
||
|
Message |
metadata.description Extract PID and map it to UDM field target.process.pid |
Event ID 637
Provider: ESENT
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = SERVICE_UNSPECIFIED |
||
|
Message |
metadata.description Extract PID and map it to UDM field target.process.pid |
Event ID 327
Provider: ESENT
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = SERVICE_UNSPECIFIED |
||
|
Message |
metadata.description Extract PID and map it to UDM field target.process.pid Extract src_path and map it to UDM field src.file.full_path Extract target_path and map it to UDM field target.file.full_path |
Event ID 17063
Provider: MSSQLSERVER
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE |
||
|
Message |
security_result.description |
Event ID 17137
Provider: MSSQLSERVER
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = SERVICE_START |
||
|
Domain |
principal.administrative_domain |
|
|
AccountName |
principal.user.attribute.roles.name |
|
|
UserID |
principal.user.windows_sid |
|
|
AccountType |
principal.user.roles.description |
|
|
Message |
metadata.description Extract database_name and map it to UDM field target.application |
Event ID 49930
Provider: MSSQLSERVER
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE |
||
|
Message |
metadata.description |
Event ID 852
Provider: MSSQLSERVER
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE |
||
|
Message |
metadata.description |
Event ID 53504
Provider: Microsoft-Windows-PowerShell
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = SERVICE_START target.application = IPC |
||
|
Domain |
principal.administrative_domain |
|
|
AccountName |
principal.user.attribute.roles.name |
|
|
UserID |
principal.user.windows_sid |
|
|
AccountType |
principal.user.roles.description |
|
|
Message |
metadata.description |
|
|
param2 |
target.domain.name |
Event ID 40962
Provider: Microsoft-Windows-PowerShell
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = STATUS_UPDATE |
||
|
Domain |
principal.administrative_domain |
|
|
AccountName |
principal.user.attribute.roles.name |
|
|
UserID |
principal.user.windows_sid |
|
|
AccountType |
principal.user.roles.description |
|
|
Message |
metadata.description |
Event ID 40961
Provider: Microsoft-Windows-PowerShell
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = SERVICE_START |
||
|
Domain |
principal.administrative_domain |
|
|
AccountName |
principal.user.attribute.roles.name |
|
|
UserID |
principal.user.windows_sid |
|
|
AccountType |
principal.user.roles.description |
|
|
Message |
metadata.description |
Event ID 530
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = USER_LOGIN
security_result.action set to "FAIL"
|
Event ID 531
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = USER_LOGIN
security_result.action set to "FAIL"
|
Event ID 532
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = USER_LOGIN
security_result.action set to "FAIL"
|
Event ID 533
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = USER_LOGIN
security_result.action set to "FAIL"
|
Event ID 534
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = USER_LOGIN
security_result.action set to "FAIL"
|
Event ID 535
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = USER_LOGIN
security_result.action set to "FAIL"
|
Event ID 536
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = USER_LOGIN
security_result.action set to "FAIL"
|
Event ID 537
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = USER_LOGIN
security_result.action set to "FAIL"
|
Event ID 539
Provider: Microsoft-Windows-Security-Auditing
|
NXLog field |
Event Viewer field |
UDM field |
|
metadata.event_type = USER_LOGIN
security_result.action set to "FAIL"
|
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-04-12 UTC.