Collect Microsoft Windows Event data

This document:

describes the deployment architecture and installation steps, plus any required configuration that produce logs supported by the Chronicle parser for Windows events. For an overview of Chronicle data ingestion, see Data ingestion to Chronicle.
includes information about how the parser maps fields in the original log to Chronicle Unified Data Model fields.

Information in this document applies to the parser with the WINEVTLOG ingestion label. The ingestion label identifies which parser normalizes raw log data to structured UDM format.

Before you begin

Review the recommended deployment architecture

This diagram illustrates the recommended foundational components in a deployment architecture to collect and send Microsoft Windows Event data to Chronicle. Compare this information with your environment to be sure these components are installed. Each customer deployment will differ from this representation and may be more complex. The following is required:

Systems in the deployment architecture are configured with the UTC time zone.
NXLog is installed on the collector Microsoft Windows server.
The collector Microsoft Windows server receives logs from servers, endpoints, and domain controllers.
Microsoft Windows systems in the deployment architecture use.
- Source Initiated Subscriptions to collect events across multiple devices.
- WinRM service is enabled for remote system management.
NXLog is installed on the collector Window server to forward logs to Chronicle forwarder.
Chronicle forwarder is installed on the collector Microsoft Windows or Linux server.

Note: If you choose to deploy the Chronicle Linux forwarder, the central Linux server and collector Microsoft Windows server will be different systems. If you choose to deploy the Chronicle forwarder for Microsoft Windows, the central Microsoft Windows server and collector Microsoft Windows server can be the same system.

Review the supported devices and versions

The Chronicle parser supports logs from the following Microsoft Windows server versions. Microsoft Windows server is released with the following editions: Foundation, Essentials, Standard, and Datacenter. The event schema of logs generated by each edition do not differ.

Microsoft Windows Server 2019
Microsoft Windows Server 2016
Microsoft Windows Server 2012

Chronicle parser supports logs from Microsoft Windows 10 and higher client systems.

Chronicle parser supports logs collected by NXLog Community or Enterprise Edition.

Review the supported log types

The Chronicle parser supports the following log types generated by Microsoft Windows systems. For more information about these log types, see the Microsoft Windows Event Log documentation. It supports logs generated with English language text and is not supported with logs generated in non-English languages.

Log Type	Notes
Security	Security audit and event logs.
Application	Events logged by applications or programs. If the manifest isn't installed locally, application logs will have missing / hex values.
System	Events logged by Microsoft Windows system components.

Configure the Microsoft Windows servers, endpoints, and domain controllers

Install and configure the servers, endpoints, and domain controllers.
Configure all systems with the UTC time zone.
Configure devices to forward logs to a collector Microsoft Windows server.
Configure a Source Initiated Subscription on Microsoft Windows server (Collector). For information, see Setting up a Source Initiated Subscription.
Enable WinRM on Microsoft Windows servers and clients. For information, see Installation and configuration for Microsoft Windows Remote Management.

Configure the Microsoft Windows collector server

Set up a collector Microsoft Windows server to collect from systems.

Configure the system with the UTC time zone.
Install NXLog. Follow the NXLog documentation.

Create a configuration file for NXLog. Use im_msvistalog input module for Microsoft Windows server security channel logs. Replace <hostname> and <port> values with information about the central Microsoft Windows or Linux server. See the NXLog documentation for information about the om_tcp module.

  define ROOT     C:\Program Files (x86)\nxlog
  define WINDNS_OUTPUT_DESTINATION_ADDRESS <hostname>
  define WINDNS_OUTPUT_DESTINATION_PORT <port>
  define CERTDIR  %ROOT%\cert
  define CONFDIR  %ROOT%\conf
  define LOGDIR   %ROOT%\data
  define LOGFILE  %LOGDIR%\nxlog.log
  LogFile %LOGFILE%
  Moduledir %ROOT%\modules
  CacheDir  %ROOT%\data
  Pidfile   %ROOT%\data\nxlog.pid
  SpoolDir  %ROOT%\data
  <Extension _json>
      Module      xm_json
  </Extension>
  <Input windows_security_eventlog>
      Module  im_msvistalog
      <QueryXML>
          <QueryList>
              <Query Id="0">
                  <Select Path="Application">*</Select>
                  <Select Path="System">*</Select>
                  <Select Path="Security">*</Select>
              </Query>
          </QueryList>
      </QueryXML>
      ReadFromLast  False
      SavePos  False
  </Input>
  <Output out_chronicle_windevents>
      Module      om_tcp
      Host        %WINDNS_OUTPUT_DESTINATION_ADDRESS%
      Port        %WINDNS_OUTPUT_DESTINATION_PORT%
      Exec        $EventTime = integer($EventTime) / 1000;
      Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;
      Exec        to_json();
  </Output>
  <Route r2>
      Path    windows_security_eventlog is set to out_chronicle_windevents
  </Route>

Start the NXLog service.

Configure the central Microsoft Windows or Linux server

See the Installing and configuring the forwarder on Linux or Installing and configuring the forwarder on Microsoft Windows for information about installing and configuring the forwarder.

Configure the system with the UTC time zone.
Install the Chronicle forwarder on the central Microsoft Windows or Linux server.

Configure the Chronicle forwarder to send logs to Chronicle. Here is an example forwarder configuration.

  - syslog:
      common:
        enabled: true
        data_type: WINEVTLOG
        batch_n_seconds: 10
        batch_n_bytes: 1048576
      tcp_address: 0.0.0.0:10518
      connection_timeout_sec: 60

Field mapping reference: Common device event fields to UDM fields

The following fields are common across multiple Event IDs and are mapped the same way.

NXLog field	UDM field
EventTime	metadata.event_timestamp
Hostname	principal.hostname
EventID	product_event_type is set to "%{EventID}" security_result.rule_name is set to "EventID: %{EventID}"
SourceName	metadata.product_name is set to "%25%7BSourceName}" metadata.vendor is set to "Microsoft"
Category	about.labels.key/value
Channel	about.labels.key/value
Severity	Values mapped to security_result.severity field as follows: Original value 0 (None), is set to UNKNOWN_SEVERITY Original value 1 (Critical) is set to INFORMATIONAL Original value 2 (Error) is set to ERROR Original value 3 (Warning) is set to ERROR Original value 4 (Informational) is set to INFORMATIONAL Original value 5 (Verbose) is set to INFORMATIONAL
UserID	principal.user.windows_sid
ExecutionProcessID	principal.process.pid
ProcessID	principal.process.pid
ProviderGuid	metadata.product_deployment_id
RecordNumber	metadata.product_log_id
SourceModuleName	observer.labels.key/value
SourceModuleType	observer.application
ActivityID	security_result.detection_fields.key/value

Field mapping reference: device event field to UDM field by EventID

The following section describes how NXlog/EventViewer fields are mapped to UDM fields. Data may be mapped differently for different Microsoft Windows Event IDs.

The section heading identifies the Event Id, plus version (e.g. version 0) and operatiing system (e.g. Microsoft Windows 10 client) if applicable. There may be more than one section for an Event ID when the map for a specific version or operating system is different.

Event ID 0

Provider: Directory Synchronization

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.

Data

security_result.summary

Provider: gupdate

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Provider: hcmon

NXLog field

Event Viewer field

UDM field

metadata.event_type = GENERIC_EVENT

target_resource_name set to target.resource.name

Event ID 1

Provider: Microsoft-Windows-FilterManager

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Microsoft-Windows-Kernel-General

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Microsoft-Windows-Sysmon

NXLog field	Event Viewer field	UDM field
		metadata.event_type = PROCESS_LAUNCH If EventLevelName contains "Information" then security_result.severity = INFORMATIONAL
EventData.Hashes		Based on Hash algorithm. MD5 set to target.process.file.md5 SHA256 set to target.process.file.sha256 SHA1 set to target.process.file.sha1
EventData.User		Domain set to principal.administrative_domain Username set to principal.user.userid
Description		metadata.description
CommandLine		target.process.command_line
Image		target.process.file.full_path
ParentCommandLine		target.process.parent_process.command_line
ParentImage		target.process.parent_process.file.full_path
ParentProcessId		target.process.parent_process.pid
ProcessId		target.process.pid
EventOriginId		target.process.product_specific_process_id set to "sysmon:%{EventOriginId}"

Provider: SecurityCenter

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_START
SourceName	Not available	target.application

Provider: telegraf

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Data		security_result.description

Event ID 2

Provider: MEIx64

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Message set to security_result.summary

Provider: SecurityCenter

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_STOP
SourceName	Not available	target.application

Provider: vmci

NXLog field

Event Viewer field

UDM field

metadata.event_type = GENERIC_EVENT

Message set to security_result.summary

Event ID 3

version 3 / Provider: Microsoft-Windows-Power-Troubleshooter

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_STARTUP
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.name
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
SleepTime	Data/SleepTime	target.resource.attribute.labels.key/value
WakeTime	Data/WakeTime	target.resource.attribute.labels.key/value
WakeSourceType	Data/WakeSourceType	target.resource.attribute.labels.key/value
WakeSourceText	Data/WakeSourceText	target.resource.attribute.labels.key/value

Provider: Microsoft-Windows-Security-Kerberos

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
File		target.file.full_path

Provider: Virtual Disk Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED

Provider: vmci

NXLog field	Event Viewer field	UDM field
		metadata.event_type = GENERIC_EVENT

Event ID 4

Provider: Microsoft-Windows-Security-Kerberos

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Server		target.hostname

Provider: Virtual Disk Service

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Message set to security_result.summary

Event ID 5

Provider: iScsiPrt

NXLog field

Event Viewer field

UDM field

metadata.event_type = GENERIC_EVENT

Message set to security_result.summary

Provider: McAfee Service Controller

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Message set to security_result.summary

Provider: Microsoft-Windows-Search-ProfileNotify

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_MODIFICATION
SourceName		target.application
User	Data/User	target.user.userid

Event ID 6

Provider: Microsoft-Windows-CertificateServicesClient-AutoEnrollment

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
ErrorCode		security_result.summary Format: %{ErrorCode}-%{ErrorMsg}
ErrorMsg		security_result.summary Format: %{ErrorCode}-%{ErrorMsg}
Context		target.application

Provider: Microsoft-Windows-FilterManager

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 7

Provider: AdmPwd

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

If Hostname is absent then metadata.event_type set to GENERIC_EVENT.

Data

security_result.summary

Format:

"Error: %{Data}"

Event ID 9

Provider: volsnap

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
VolumeName		target.file.full_path

Event ID 11

Provider: Microsoft-Windows-Hyper-V-Netvsc

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
MiniportName		target.resource.name

Provider: Microsoft-Windows-Kernel-General

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 12

Provider: Microsoft-Windows-Kernel-General

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_STARTUP
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Microsoft-Windows-Sysmon

NXLog field	Event Viewer field	UDM field
		metadata.event_type = REGISTRY_CREATION If EventLevelName =~ "Information" then security_result.severity = INFORMATIONAL
EventOriginId		target.process.product_specific_process_id set to "sysmon: %{EventOriginId}"
EventData/EventType		target.registry.registry_key
EventData/TargetObject		target.registry.registry_value_name

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Microsoft-Windows-UserModePowerService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.name
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
ProcessPath		target.process.file.full_path
NewSchemeGuid		target.resource.product_object_id

Event ID 13

Provider: Microsoft-Windows-Kernel-General

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_SHUTDOWN

Provider: Microsoft-Windows-Sysmon

NXLog field	Event Viewer field	UDM field
		metadata.event_type = REGISTRY_MODIFICATION If EventLevelName =~ "Information" then security_result.severity = INFORMATIONAL
EventOriginId		target.process.product_specific_process_id set to "sysmon: %{EventOriginId}"
EventData/EventType		target.registry.registry_key
EventData/Details		target.registry.registry_value_data

Provider: Microsoft-Windows-CertificateServicesClient-CertEnroll

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain		principal.administrative_domain
AccountName		principal.user.userid
AccountType		principal.user.attribute.roles.name
Message		metadata.description
UserID		principal.user.windows_sid
CA		about.labels.key/value
ErrorCode		security_result.summary Format: summary => %{error_code} - %{error_message}

Provider: NPS

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Data		target.ip

Event ID 14

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED If Hostname or ClientName field is absent then metadata.event_type set to GENERIC_EVENT.
ClientName		principal.hostname
Target		target.application
Account		target.hostname

Provider: Microsoft-Windows-Wininit

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 15

Provider: Disk

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

target_hostname set to target.hostname

Provider: Microsoft-Windows-Kernel-General

NXLog field	Event Viewer field	UDM field
		metadata.event_type = REGISTRY_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
NewSize	Data/NewSize	target.file.size
HiveName	Data/HiveName	target.registry.registry_key

Provider: SecurityCenter

NXLog field	Event Viewer field	UDM field
	Not available	metadata.event_type = STATUS_UPDATE

Event ID 16

Provider: Microsoft-Windows-HAL

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED If Hostname or ClientName field is absent then metadata.event_type set to GENERIC_EVENT.
ClientName		principal.hostname
Target		target.application
Account		target.hostname

Provider: Microsoft-Windows-Kernel-General

NXLog field	Event Viewer field	UDM field
		metadata.event_type = REGISTRY_MODIFICATION
Domain	System/Domain	principal.administrative_domain
ProcessID	System/ProcessID	principal.process.pid
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
HiveName	Data/HiveName	target.registry.registry_key

Provider: Microsoft-Windows-WindowsUpdateClient

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE Message set to metadata.description
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 17

Provider: Microsoft-Windows-WHEA-Logger

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.name
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Microsoft-Windows-WindowsUpdateClient

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE Category set to security_result.category_details Message set to metadata.description
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 18

Provider: BTHUSB

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Message set to security_result.summary

Provider: Microsoft-Windows-Kernel-Boot

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If AccountName or UserID fields are absent then metadata.event_type set to GENERIC_EVENT.
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 19

version 0 / Provider: Microsoft-Windows-WindowsUpdateClient

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
Category	Data/Category	security_result.category_details

Provider: Intel-SST-OED

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
Category		security_result.summary

Event ID 20

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

ErrorCode

Data/ErrorCode

security_result.summary

Format:

Error Code: %{value}

Provider: Microsoft-Windows-Kernel-Boot

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If AccountName or UserID fields are absent then metadata.event_type set to GENERIC_EVENT.
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Microsoft-Windows-WindowsUpdateClient

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
updateRevisionNumber		target.resource.attribute.labels.key/value
updateTitle		target.resource.name
updateGuid		target.resource.product_object_id

Event ID 21

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

ErrorCode

Data/ErrorCode

security_result.summary

Format:

Error Code: %{value}

Event ID 22

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

ErrorCode

Data/ErrorCode

security_result.summary

Format:

Error Code: %{value}

Provider: Microsoft-Windows-WindowsUpdateClient

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE Category set to security_result.category_details Message set to metadata.description
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
updatelist		security_result.description

Event ID 23

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

ErrorCode

Data/ErrorCode

security_result.summary

Format:

Error Code: %{value}

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Message set to security_result.summary

Event ID 24

Provider: Microsoft-Windows-Kernel-General

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 25

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

Provider: Microsoft-Windows-Kernel-Boot

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If AccountName or UserID fields are absent then metadata.event_type set to GENERIC_EVENT.
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 26

Provider: Application Popup

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.name
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
Caption		security_result.summary

Provider: Microsoft-Windows-CertificationAuthority

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_START target.application = "Active Directory Certificate Services"
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
DCName	Data/DCName	target.administrative_domain
CACommonName	Data/CACommonName	target.user.userid

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Target		target.hostname
Name		target.user.userid

Event ID 27

version 0 / Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_UNSPECIFIED target.application = "Event Logging Service"
ErrorCode	Data/ErrorCode	security_result.summary Format: Error Code: %{value}
NewLogFilePath	Data/NewLogFilePath	target.file.full_path

Provider: Microsoft-Windows-Kernel-Boot

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If AccountName or UserID fields are absent then metadata.event_type set to GENERIC_EVENT.
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Microsoft-Windows-WindowsUpdateClient

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE Message set to metadata.description
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 28

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

ErrorCode

Data/ErrorCode

security_result.summary

Format:

Error Code: %{value}

Provider: Microsoft-Windows-WindowsUpdateClient

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE Message set to metadata.description
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 29

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

ErrorCode

Data/ErrorCode

security_result.summary

Format:

Error Code: %{value}

Event ID 30

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

ErrorCode

Data/ErrorCode

security_result.summary

Format:

Error Code: %{value}

Provider: Microsoft-Windows-Kernel-Boot

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 31

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

ErrorCode

Data/ErrorCode

security_result.summary

Format:

Error Code: %{value}

Event ID 32

Provider: e1iexpress

NXLog field

Event Viewer field

UDM field

metadata.event_type = GENERIC_EVENT

Message set to security_result.summary

Provider: Microsoft-Windows-Kernel-Boot

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If AccountName or UserID fields are absent then metadata.event_type set to GENERIC_EVENT.
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 33

Provider: volsnap

NXLog field	Event Viewer field	UDM field
		metadata.event_type = FILE_UNCATEGORIZED
VolumeName		target.file.full_path
DeviceName		target.resource.name

Event ID 34

Provider: Oracle.xstore

NXLog field	Event Viewer field	UDM field
		metadata.event_type = RESOURCE_READ
DBID		additional.fields.key/value
SourceName		principal.application
DATABASE_USER		principal.user.uerid
ACTION		target.process.command_line

Event ID 35

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

If principal.machineid field is absent then metadata.event_type set to GENERIC_EVENT.

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 36

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: NPS

NXLog field

Event Viewer field

UDM field

metadata.event_type = NETWORK_CONNECTION

If target.ip field is absent then metadata.event_type set to STATUS_UPDATE

Message

Ip set to target.ip

Event ID 37

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED If Hostname is absent then metadata.event_type set to GENERIC_EVENT.
ClientName		principal.hostname
ServerName		target.hostname

Provider: Microsoft-Windows-Kernel-Processor-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.name
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
Number	Data/Number	target.resource.attribute.labels.key/value
CapDurationInSeconds	Data/CapDurationInSeconds	target.resource.attribute.labels.key/value

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 38

Provider: Microsoft-Windows-CertificationAuthority

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_STOP target.application = "Active Directory Certificate Services"
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
CACommonName	Data/CACommonName	target.user.userid

Event ID 40

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

ErrorCode

Data/ErrorCode

security_result.summary

Format:

Error Code: %{value}

Event ID 42

version 0 windows 10 client / Provider: Microsoft-Windows-Kernel-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

version 2 windows 10 client /

NXLog field	Event Viewer field	UDM field
Reason	Data/Reason	security_result.description

Event ID 43

Provider: Microsoft-Windows-WindowsUpdateClient

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
updateRevisionNumber	Data/updateRevisionNumber	target.resource.attribute.labels.key/value
updateTitle	Data/updateTitle	target.resource.name
updateGuid	Data/updateGuid	target.resource.product_object_id

Event ID 44

version 0 windows 10 client / Provider: Microsoft-Windows-WindowsUpdateClient

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
Category	Data/Category	security_result.category_details

Event ID 45

Provider: Symantec AntiVirus

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
Data		security_result.summary

Event ID 47

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
ErrorMessage		security_result.description
ManualPeer		target.ip

Provider: Microsoft-Windows-WHEA-Logger

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.name
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 50

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Ntfs

NXLog field	Event Viewer field	UDM field
		metadata.event_type = GENERIC_EVENT

Event ID 51

Provider: Disk

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

target_hostname set to target.hostname

Event ID 55

version 0 windows 10 client / Provider: Microsoft-Windows-Kernel-Processor-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Ntfs

NXLog field	Event Viewer field	UDM field
		metadata.event_type = GENERIC_EVENT
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
Outcome		security_result.summary

Event ID 57

Provider: hpqilo3

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Message set to security_result.summary

Event ID 58

Provider: partmgr

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Message set to metadata.description

Provider: volsnap

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Message set to metadata.description

Event ID 64

Provider: Microsoft-Windows-CertificateServicesClient-AutoEnrollment

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Context		target.application

Event ID 75

Provider: Microsoft-Windows-CertificationAuthority

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_UNSPECIFIED target.application set to "Active Directory Certificate Services"
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
ErrorMessageText		security_result.summary

Event ID 80

Provider: ocz10xx

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Data		target.hostname

Event ID 81

Provider: hpqilo2

NXLog field	Event Viewer field	UDM field
		metadata.event_type = GENERIC_EVENT

Provider: Microsoft-Windows-FailoverClustering-Client

NXLog field	Event Viewer field	UDM field
		metadata.event_type = GENERIC_EVENT
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid

Event ID 98

Provider: Microsoft-Windows-Ntfs

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_HEARTBEAT
Domain	System/Domain	principal.administrative_domain
DeviceName	Data/DeviceName	principal.hostname
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 100

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

ErrorCode

Data/ErrorCode

security_result.summary

Format:

Error Code: %{value}

Provider: Microsoft-Windows-TaskScheduler

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SCHEDULED_TASK_ENABLE target.resource.resource_type = TASK
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid
TaskName	Data/TaskName	target.resource.name
InstanceId	Data/InstanceId	target.resource.product_object_id

Event ID 101

Provider: Application Management Group Policy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED security_result.description" set to "ErrorCode - %{error_code}"
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 102

Provider: ESENT

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

If target.process field is absent then metadata.event_type set to GENERIC_EVENT

Message

Extract PID and map it to UDM field target.process.pid

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_UNSPECIFIED target.application = "Event Logging Service"
ProcessID	Data/ProcessID	principal.process.pid
ErrorCode	Data/ErrorCode	security_result.summary Format: Error Code: %{value}

Event ID 103

Provider: Application Management Group Policy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED security_result.description" set to "ErrorCode - %{error_code}"
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: ESENT

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

If target.process field is absent then metadata.event_type set to GENERIC_EVENT

Message

System/Message

Extract PID and map it to UDM field target.process.pid

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Reason	Data/Reason	security_result.description

Provider: ocz10xx

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Data		target.hostname

Event ID 104

windows 10 client / Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_WIPE
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

windows 2019 server /

NXLog field	Event Viewer field	UDM field
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Microsoft-Windows-Forwarding

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_RESOURCE_ACCESS
UserID	System/UserID	principal.user.windows_sid
SubscriptionManagerAddress	Data/SubscriptionManagerAddress	target.url

Provider: WudfUsbccidDriver

NXLog field	Event Viewer field	UDM field
		metadata.event_type = GENERIC_EVENT
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.name
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 105

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Channel	Data/Channel	security_result.description
BackupPath	Data/BackupPath	target.file.full_path

Provider: Microsoft-Windows-Kernel-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid

Provider: VMTools

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_START
SourceName	Not available	target.application

Event ID 106

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 107

version 0 windows 10 client / Provider: Microsoft-Windows-Kernel-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

target.application = "Event Logging Service"

ErrorCode

Data/ErrorCode

security_result.summary

Format:

Error Code: %{value}

Provider: Microsoft-Windows-TaskScheduler

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SCHEDULED_TASK_ENABLE target.resource.resource_type = TASK
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid
TaskName	Data/TaskName	target.resource.name
InstanceId	Data/InstanceId	target.resource.product_object_id

Event ID 108

Provider: Application Management Group Policy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED security_result.description" set to "ErrorCode - %{error_code}"
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Provider: VMTools

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_STOP
SourceName	Not available	target.application

Event ID 109

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_UNSPECIFIED target.application = "Event Logging Service"
ProcessID	Data/ProcessID	principal.process.pid
ErrorCode	Data/ErrorCode	security_result.summary Format: Error Code: %{value}

Provider: Microsoft-Windows-Kernel-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_SHUTDOWN
ShutdownReason	Data/ShutdownReason	security_result.description

Event ID 110

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 111

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 112

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 115

Provider: Directory Synchronization

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.

Data

security_result.summary

Event ID 129

Provider: Microsoft-Windows-TaskScheduler

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SCHEDULED_TASK_ENABLE target.resource.resource_type = TASK
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid
Priority	Data/Priority	security_result.priority_details
Path	Data/Path	target.process.file.full_path
ProcessID	Data/ProcessID	target.process.pid
TaskName	Data/TaskName	target.resource.name

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
ErrorMessage	Data/ErrorMessage	security_result.description

Event ID 130

Provider: Microsoft-Windows-Kernel-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 131

Provider: Microsoft-Windows-Kernel-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
ErrorMessage	Data/ErrorMessage	security_result.description
DomainPeer	Data/DomainPeer	target.administrative_domain

Event ID 134

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
ErrorMessage	Data/ErrorMessage	security_result.description
DomainPeer	Data/DomainPeer	target.administrative_domain

Event ID 137

Provider: Microsoft-Windows-Kernel-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Provider: Ntfs

NXLog field	Event Viewer field	UDM field
		metadata.event_type = GENERIC_EVENT

Event ID 138

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
DomainPeer	Data/DomainPeer	target.administrative_domain

Event ID 139

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 140

Provider: Microsoft-Windows-Ntfs

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
DeviceName		principal.hostname
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: Microsoft-Windows-TaskScheduler

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SCHEDULED_TASK_MODIFICATION target.resource.resource_type = TASK
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid
TaskName	Data/TaskName	target.resource.name
UserName	Data/UserName	target.user..user_display_name

Event ID 142

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED Message set to security_result.summary
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 143

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 146

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED Message set to security_result.summary
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 153

Provider: Disk

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Message set to security_result.summary

Provider: Microsoft-Windows-Kernel-Boot

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If AccountName or UserID fields are absent then metadata.event_type set to GENERIC_EVENT.
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 157

Provider: disk

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Message set to security_result.summary

Event ID 158

Provider: Disk

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

Message set to security_result.summary

target_url set to target.url

Provider: Microsoft-Windows-Time-Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
TimeProvider		target.resource.name

Event ID 172

Provider: Microsoft-Windows-Kernel-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
Reason	Data/Reason	security_result.description

Event ID 200

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Provider: Microsoft-Windows-TaskScheduler

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SCHEDULED_TASK_ENABLE target.resource.resource_type = TASK
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid
TaskName	Data/TaskName	target.resource.name
TaskInstanceId	Data/TaskInstanceId	target.resource.product_object_id

Event ID 201

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Provider: Microsoft-Windows-TaskScheduler

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SCHEDULED_TASK_UNCATEGORIZED target.resource.resource_type = TASK
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid
TaskName	Data/TaskName	target.resource.name
TaskInstanceId	Data/TaskInstanceId	target.resource.product_object_id

Event ID 202

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 203

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 204

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 205

version 0 windows 2019 server / Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
DomainName	Data/DomainName	target.administrative_domain

Event ID 219

Provider: Microsoft-Windows-Kernel-PnP

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.name
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
DriverName		target.hostname
FailureName		target.resource.name

Event ID 225

Provider: Microsoft-Windows-Kernel-PnP

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.name
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
DeviceInstance		target.hostname
ProcessName		target.process.file.full_path

Event ID 233

Provider: Microsoft-Windows-Hyper-V-VmSwitch

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid

Event ID 234

Provider: Microsoft-Windows-Hyper-V-VmSwitch

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid

Event ID 238

Provider: Microsoft-Windows-Kernel-Boot

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If AccountName or UserID fields are absent then metadata.event_type set to GENERIC_EVENT.
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 258

Provider: VMUpgradeHelper

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
SourceName	Not available	target.application

Event ID 260

Provider: VMUpgradeHelper

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
SourceName	Not available	target.application

Event ID 271

Provider: VMUpgradeHelper

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
SourceName	Not available	target.application

Event ID 272

Provider: VMUpgradeHelper

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
SourceName	Not available	target.application

Event ID 299

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 300

Provider: ESENT

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

If target.process field is absent then metadata.event_type set to GENERIC_EVENT

Extract PID and map it to target.process.pid

Event ID 301

Provider: ESENT

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

If target.process field is absent then metadata.event_type set to GENERIC_EVENT

Extract PID and map it to target.process.pid

Event ID 302

Provider: ESENT

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

If target.process field is absent then metadata.event_type set to GENERIC_EVENT

Extract PID and map it to target.process.pid

Event ID 325

Provider: ESENT

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

If target.process field is absent then metadata.event_type set to GENERIC_EVENT

Extract PID and map it target.process.pid

Event ID 326

Provider: ESENT

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

If target.process field is absent then metadata.event_type set to GENERIC_EVENT

Extract PID and map it to target.process.pid

Event ID 403

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Data_9		network.http.user_agent
Domain	System/Domain	principal.administrative_domain
Data_8		principal.ip
Data_7		principal.port
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
Data_3		target.ip
Data_5		target.url

Event ID 404

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
Data_3		security_description set to %{Data_3}: %{Data_4}
Data_4		security_description set to %{Data_3}: %{Data_4}

Event ID 405

Provider: ADSync

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Data		principal.administrative_domain
Data_1		principal.user.userid

Event ID 410

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Data_4		network.http.user_agent
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
Data_10		target.ip
Data_8		target.url

Event ID 412

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 424

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE client_certificate_serial set to network.tls.client.certificate.serial client_certificate_subject set to network.tls.client.certificate.subject
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 500

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 501

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 506

Provider: Microsoft-Windows-Kernel-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE security_result.description
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid

Event ID 507

Provider: Microsoft-Windows-Kernel-Power

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE reason_description set to security_result.description
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid

Event ID 508

Provider: ESENT

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_UNSPECIFIED

If target.process field is absent then metadata.event_type set to GENERIC_EVENT

Extract PID and map it to target.process.pid

Event ID 510

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Data_1		Data_1.Host set to target.hostname Data_1.User-Agent set to network.http.user_agent Data_1.X-MS-Endpoint-Absolute-Path set to target.url
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 517

Provider: Microsoft-Windows-DFSN-Server

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
UserID		principal.user.windows_sid
DfsNamespace		target.resource.name

Event ID 521

Provider: Security

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

Event ID 529

Provider: Security

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_LOGIN security_result.action = BLOCK security_result.category = AUTH_VIOLATION
LogonType	Not available	extensions.auth.mechanism
Message	Not available	username set to target.user.userid domain set to target.administrative_domain target_workstation set to target.hostname

Event ID 600

Provider: PowerShell

NXLog field	Event Viewer field	UDM field
		metadata.event_type = GENERIC_EVENT
Category		metadata.description
SourceName		principal.application
HostApplication		target.file.full_path
ProviderName		target.resource.name

Event ID 601

Provider: Directory Synchronization

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT. metadata.description = Attempt to install a service
SubjectUserName		principal.user.userid
Summary		security_result.summary
ServiceName		target.process.command_line
ServiceFileName		target.process.file.full_path

Provider: Microsoft-Windows-TaskScheduler

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid
Category	Data/Category	security_result.category_details

Event ID 781

Provider: Microsoft-Windows-Complus

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
param3	Data/param3	target.registry.registry_key

Event ID 800

Provider: PowerShell

NXLog field	Event Viewer field	UDM field
		metadata.event_type = GENERIC_EVENT metadata.description set to "Pipeline execution" security_result.summary set to "Pipeline execution details for command line"
SourceName		principal.application
UserId		principal.user.userid
HostApplication		target.file.full_path

Event ID 888

Provider: top_5

NXLog field	Event Viewer field	UDM field
		metadata.event_type = GENERIC_EVENT

Event ID 900

Provider: Microsoft-Windows-Security-SPP

NXLog field

Event Viewer field

UDM field

Not available

metadata.event_type = SERVICE_START

target.application = "Software Protection"

Event ID 902

Provider: Microsoft-Windows-Security-SPP

NXLog field

Event Viewer field

UDM field

Not available

metadata.event_type = SERVICE_START

target.application = "Software Protection"

Event ID 903

Provider: Microsoft-Windows-Security-SPP

NXLog field

Event Viewer field

UDM field

Not available

metadata.event_type = SERVICE_STOP

target.application = "Software Protection"

Event ID 904

Provider: Directory Synchronization

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.

Data

security_result.summary

Event ID 1001

Provider: Microsoft Antimalware

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

target_resource_product_object_id set to target.resource.product_object_id

Provider: Microsoft-Windows-WER-SystemErrorReporting

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
param2		target.file.full_path

Provider: SNMP

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Message set to security_result.summary

Provider: Windows Error Reporting

NXLog field	Event Viewer field	UDM field
	Not available	metadata.event_type = STATUS_UPDATE

Event ID 1003

Provider: Microsoft-Windows-Search

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_START
Category	Data/Category	target.application

Provider: Microsoft-Windows-Security-SPP

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 1004

Provider: IPMIDRV

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Data		target.hostname

Provider: Microsoft-Windows-Search

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_MODIFICATION
Reason	Data/Reason	security_result.description
Category	Data/Category	target.application

Provider: SNMP

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Provider: TdIca

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

target_ip set to target.ip

target_port set to target_port

Event ID 1005

Provider: Microsoft-Windows-Search

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_MODIFICATION
Category	Data/Category	target.application

Event ID 1007

Provider: TdIca

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

target_ip set to target.ip

target_port set to target_port

Event ID 1008

Provider: Microsoft-Windows-Perflib

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
EventXML.param1		target.application
EventXML.param2		target.file.full_path

Provider: Microsoft-Windows-Search

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_START
Reason	Data/Reason	security_result.description
Category	Data/Category	target.application

Event ID 1010

Provider: Microsoft-Windows-Search

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_MODIFICATION
Category	Data/Category	target.application

Event ID 1013

Provider: Microsoft-Windows-Search

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_STOP
Category	Data/Category	target.application

Event ID 1016

Provider: Microsoft-Windows-Security-SPP

NXLog field	Event Viewer field	UDM field
	Not available	metadata.event_type = STATUS_UPDATE

Event ID 1023

Provider: Microsoft-Windows-Perflib

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
Library	Data/Library	target.file.full_path

Event ID 1030

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid
ErrorDescription		security_result.description
ErrorCode		security_result.summary Format: ErrorCode - %{ErrorCode}
DCName		target.administrative_domain

Event ID 1033

Provider: MsiInstaller

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE Extract product_name and map to target.application
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 1034

Provider: Microsoft-Windows-Security-SPP

NXLog field	Event Viewer field	UDM field
	Not available	metadata.event_type = STATUS_UPDATE

Event ID 1037

Provider: Microsoft-Windows-Security-SPP

NXLog field	Event Viewer field	UDM field
		metadata.event_type = GENERIC_EVENT

Event ID 1040

Provider: MsiInstaller

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE Extract process_id and map it to target.process.pid
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 1042

Provider: MsiInstaller

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE Extract process_id and map it to target.process.pid
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 1053

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid
ErrorDescription	Data/ErrorDescription	security_result.description

Event ID 1054

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid
ErrorDescription	Data/ErrorDescription	security_result.description

Event ID 1055

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid
ErrorDescription	Data/ErrorDescription	security_result.description
ErrorCode	Data/ErrorCode	security_result.summary Format: ErrorCode - %{ErrorCode}

Event ID 1056

Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager

NXLog field

Event Viewer field

UDM field

metadata.event_type = GENERIC_EVENT

server_certificate_subject set to network.tls.server.certificate.subject

Event ID 1057

Provider: Microsoft-Windows-FailoverClustering

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED target.resource_resource_type = DATABASE
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 1058

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid
ErrorDescription	Data/ErrorDescription	security_result.description
DCName	Data/DCName	target.administrative_domain
FilePath	Data/FilePath	target.file.full_path

Event ID 1064

Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager

NXLog field

Event Viewer field

UDM field

metadata.event_type = GENERIC_EVENT

security_result.summary

Event ID 1066

Provider: Microsoft-Windows-Security-SPP

NXLog field	Event Viewer field	UDM field
	Not available	metadata.event_type = GENERIC_EVENT

Event ID 1067

Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager

NXLog field	Event Viewer field	UDM field
		metadata.event_type = GENERIC_EVENT

Event ID 1069

Provider: Microsoft-Windows-FailoverClustering

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
ResourceGroup		target.group.group_display_name
ResourceName		target.resource.name

Event ID 1073

Provider: User32

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_SHUTDOWN
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.name
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
param1	Data/param1	target.hostname
param2	Data/param2	target.user.userid

Event ID 1074

Provider: User32

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_SHUTDOWN

Provider: USER32

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_SHUTDOWN

target_process_file_full_path set to target.process.file.full_path

target_hostname set to target.hostname

Provider: User32

NXLog field	Event Viewer field	UDM field
Domain		principal.administrative_domain

Provider: USER32

NXLog field	Event Viewer field	UDM field
Domain	System/Domain	principal.administrative_domain

Provider: User32

NXLog field	Event Viewer field	UDM field
param2	Data/param2	principal.hostname
param1	Data/param1	principal.process.file.full_path
AccountType		principal.user.attribute.roles.name

Provider: USER32

NXLog field	Event Viewer field	UDM field
AccountName	System/AccountName	principal.user.userid

Provider: User32

NXLog field	Event Viewer field	UDM field
UserID		principal.user.windows_sid
param3	Data/param3	security_result.description
param7	Data/param7	target.user.userid

Event ID 1076

Provider: User32

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 1085

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid
ErrorDescription	Data/ErrorDescription	security_result.description
ErrorCode	Data/ErrorCode	security_result.summary Format: ErrorCode - %{value}
DCName	Data/DCName	target.administrative_domain

Event ID 1100

Provider: Microsoft-Windows-Eventlog

NXLog field

Event Viewer field

UDM field

metadata.event_type = SERVICE_STOP

target.application = "Event Logging Service"

Event ID 1101

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 1102

Provider: AD FS Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED target_ip set to target.ip target_url set to target.url client_certificate_serial set to network.tls.client.certificate.serial client_certificate_subject set to network.tls.client.certificate.subject
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Provider: DFS Replication

NXLog field	Event Viewer field	UDM field
		metadata.event_type = GENERIC_EVENT

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_WIPE
	SubjectDomainName	principal.administrative_domain
	SubjectUserName	principal.user.userid
	SubjectUserSid	principal.user.windows_sid

Event ID 1103

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 1104

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 1105

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
AutoBackup.BackupPath	Data/BackupPath	target.file.full_path

Event ID 1106

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Reason	Data/Reason	security_result.description

Event ID 1107

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_UNSPECIFIED target.application = "Event Logging Service"
ProcessID	Data/ProcessID	principal.process.pid
ErrorCode	Data/ErrorCode	security_result.summary Format: Error Code: %{value}

Event ID 1108

Provider: Microsoft-Windows-Eventlog

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 1112

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid
ErrorDescription		security_result.description
ErrorCode		security_result.summary Format: ErrorCode - %{ErrorCode}
DCName		target.administrative_domain
ExtensionName		target.resource.name
ExtensionId		target.resource.product_object_id

Event ID 1126

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid
Data_1		security_result.summary set to "Error: %{Data_1} - %{Data_2}"
Data_2		security_result.summary set to "Error: %{Data_1} - %{Data_2}"

Event ID 1128

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid
ExtensionName		target.resource.name
ExtensionId		target.resource.product_object_id

Event ID 1129

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid
ErrorDescription	Data/ErrorDescription	security_result.description

Event ID 1134

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 1150

Provider: Microsoft Antimalware

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

platform_version set to principal.asset.platform_software.platform_version

Event ID 1162

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 1173

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 1196

Provider: Microsoft-Windows-FailoverClustering

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.name
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
StatusString		security_result.summary
ResourceName		target.resource.name

Event ID 1205

Provider: Microsoft-Windows-FailoverClustering

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
ResourceGroup		target.group.group_display_name

Event ID 1213

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.

Event ID 1216

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Data_3		security_result.description
Data		security_result.summary Format: "Error Code - %{Data}"

Event ID 1226

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 1254

Provider: Microsoft-Windows-FailoverClustering

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
ResourceGroup		target.group.group_display_name

Event ID 1257

Provider: Microsoft-Windows-FailoverClustering

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
DNSZone		about.labels.key/value
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
ResourceGroup		target.group.group_display_name

Event ID 1307

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 1311

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 1317

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.

Event ID 1500

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid
DCName	Data/DCName	target.administrative_domain

Event ID 1501

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid

Event ID 1502

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid
DCName	Data/DCName	target.administrative_domain

Event ID 1503

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid
DCName	Data/DCName	target.administrative_domain

Event ID 1531

Provider: Microsoft-Windows-User Profiles Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_START
Domain	Not available	principal.administrative_domain
AccountName	Not available	principal.user.userid
UserID	Not available	principal.user.windows_sid
SourceName	Not available	target.application

Event ID 1532

Provider: Microsoft-Windows-User Profiles Service

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_STOP
Domain	Not available	principal.administrative_domain
AccountName	Not available	principal.user.userid
UserID	Not available	principal.user.windows_sid
SourceName	Not available	target.application

Event ID 1535

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid
Data		security_result.description

Event ID 1564

Provider: Microsoft-Windows-FailoverClustering

NXLog field	Event Viewer field	UDM field
		metadata.event_type = RESOURCE_READ
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
ShareName		target.resource.name

Event ID 1566

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 1573

Provider: Microsoft-Windows-FailoverClustering

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 1593

Provider: Microsoft-Windows-FailoverClustering

NXLog field	Event Viewer field	UDM field
		metadata.event_type = RESOURCE_READ target.resource_resource_type = DATABASE
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
DatabaseFilePath		target.file.full_path

Event ID 1643

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 1644

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 1645

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 1653

Provider: Microsoft-Windows-FailoverClustering

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 1699

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid
Data_4		security_result.summary set to "Error Code - %{Data_4}"

Event ID 1704

Provider: SceCli

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
ProcessId		principal.process.pid
Message		security_result.summary

Event ID 1865

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 1925

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 1955

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 2000

Provider: Microsoft Antimalware

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

current_signature_version set to target.resource.attribute.labels.key/value

previous_signature_version set to target.resource.attribute.labels.key/value

Event ID 2001

Provider: Microsoft Antimalware

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Data_14		security_result.summary
Data_17		target.url

Provider: NTDS ISAM

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UNCATEGORIZED

If Hostname or MessageSourceAddress field is absent then metadata.event_type set to GENERIC_EVENT.

MessageSourceAddress

principal.ip

Event ID 2004

Provider: Microsoft-Windows-Resource-Exhaustion-Detector

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.name
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 2041

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field

Event Viewer field

UDM field

metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED

If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.

Event ID 2042

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 2053

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 2065

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 2085

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
MessageSourceAddress		principal.ip
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 2089

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 2108

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid
Data_3		security_result.summary set to "Error: %{Data_4} - %{Data_3}"
Data_4		security_result.summary set to "Error: %{Data_4} - %{Data_3}"

Event ID 2811

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 2887

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 2889

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 2896

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid
Data_1		security_result.summary set to "Error: %{Data_1} - %{Data_2}"
Data_2		security_result.summary set to "Error: %{Data_1} - %{Data_2}"

Event ID 2904

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 2946

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 2947

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
Data_2		principal.ip
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid
Data_3		security_result.summary set to "Error: %{Data_3}"

Event ID 2974

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid
Data_2		security_result.summary set to "Error Code - %{Data_2}"

Event ID 3040

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 3041

Provider: Microsoft-Windows-ActiveDirectory_DomainService

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED If Hostname field is absent then metadata.event_type set to GENERIC_EVENT.
Domain		principal.administrative_domain
AccountType		principal.user.attribute.roles.name
AccountName		principal.user.userid
UserID		principal.user.windows_sid

Event ID 3072

Provider: Foundation Agents

NXLog field	Event Viewer field	UDM field
		metadata.event_type = GENERIC_EVENT

Event ID 3096

Provider: NETLOGON

NXLog field

Event Viewer field

UDM field

metadata.event_type = STATUS_UPDATE

Message set to security_result.summary

Event ID 3260

Provider: Workstation

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 3261

Provider: Workstation

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 4000

version 0 windows 10 client / Provider: Microsoft-Windows-Diagnostics-Networking

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 4003

Provider: Microsoft-Windows-WLAN-AutoConfig

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.name
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
ErrorCode	Data/ErrorCode	security_result.summary Format: %{ErrorCode}-%{ErrorMsg}

Event ID 4005

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.attribute.roles.name
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid
ReasonForSyncProcessing	Data/ReasonForSyncProcessing	security_result.summary
PrincipalSamName	Data/PrincipalSamName	target.hostname
PolicyActivityId	Data/PolicyActivityId	target.resource.product_object_id

Event ID 4006

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid
PrincipalSamName	Data/PrincipalSamName	target.hostname
PolicyActivityId	Data/PolicyActivityId	target.resource.product_object_id

Event ID 4016

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid
DescriptionString	Data/DescriptionString	security_result.description
CSEExtensionName	Data/CSEExtensionName	target.resource.name
CSEExtensionId	Data/CSEExtensionId	target.resource.product_object_id

Event ID 4017

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid
OperationDescription	Data/OperationDescription	security_result.description

Event ID 4096

Provider: NetJoin

NXLog field	Event Viewer field	UDM field
		metadata.event_type = NETWORK_CONNECTION
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
DomainName	Data/DomainName	target.administrative_domain
ComputerName	Data/ComputerName	target.hostname

Event ID 4097

Provider: Microsoft-Windows-CAPI2

NXLog field	Event Viewer field	UDM field
	Not available	metadata.event_type = STATUS_UPDATE

Provider: NetJoin

NXLog field	Event Viewer field	UDM field
		metadata.event_type = NETWORK_CONNECTION
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid
NetStatusCode	Data/NetStatusCode	security_result.description
DomainName	Data/DomainName	target.administrative_domain
ComputerName	Data/ComputerName	target.hostname

Event ID 4100

Provider: Microsoft-Windows-Diagnostics-Networking

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 4103

version 1 / Provider: Microsoft-Windows-PowerShell

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_START
Domain		principal.administrative_domain
AccountType		principal.user.role_description
AccountName		principal.user.role_name
UserID		principal.user.windows_sid
Category		security_result.summary
CommandName		target.application
ScriptName		target.file.full_path
HostApplication		target.process.command_line target.process.file.full_path

Event ID 4104

Provider: Microsoft-Windows-PowerShell

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_START
Domain		principal.administrative_domain
UserID		principal.user.windows_sid
Category		security_result.summary
SourceName		target.application

Event ID 4108

Provider: Microsoft-Windows-CAPI2

NXLog field

Event Viewer field

UDM field

Not available

metadata.event_type = STATUS_UPDATE

Extract information from Message field and map it to network.tls.client.certificate

Event ID 4109

Provider: Microsoft-Windows-CAPI2

NXLog field

Event Viewer field

UDM field

Not available

metadata.event_type = STATUS_UPDATE

Extract information from Message field and map it to network.tls.client.certificate

Event ID 4111

Provider: Microsoft-Windows-MSDTC

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_STOP
SourceName	Not available	target.application

Event ID 4112

Provider: Microsoft-Windows-CAPI2

NXLog field	Event Viewer field	UDM field
	Not available	metadata.event_type = STATUS_UPDATE

Event ID 4113

Provider: Microsoft-Windows-CAPI2

NXLog field	Event Viewer field	UDM field
	Not available	metadata.event_type = STATUS_UPDATE

Event ID 4115

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid

Event ID 4116

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.userid
UserID	System/UserID	principal.user.windows_sid

Event ID 4117

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid

Event ID 4126

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid

Event ID 4199

Provider: Tcpip

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Data	Data/Data	principal.ip
Data_1	Data/Data_1	target.mac

Event ID 4200

Provider: Microsoft-Windows-Iphlpsvc

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountName	System/AccountName	principal.user.userid
Interface		target_resource_product_object_id set to target.resource.product_object_id
Address		target.ip

Event ID 4202

Provider: Microsoft-Windows-MSDTC 2

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_START
SourceName	Not available	target.application
param9	Data/param9	target.user.userid

Event ID 4227

Provider: Tcpip

NXLog field

Event Viewer field

UDM field

metadata.event_type = GENERIC_EVENT

Message set to security_result.summary

Event ID 4230

Provider: Tcpip

NXLog field	Event Viewer field	UDM field
		metadata.event_type = GENERIC_EVENT

Event ID 4257

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_LOG_UNCATEGORIZED
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid

Event ID 4319

Provider: NetBT

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 4321

Provider: NetBT

NXLog field	Event Viewer field	UDM field
		metadata.event_type = NETWORK_CONNECTION
Data	Data/Data	principal.hostname and principal.port
Data_1	Data/Data_1	principal.ip
Data_2	Data/Data_2	target.ip

Event ID 4326

Provider: Microsoft-Windows-GroupPolicy

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
Domain	System/Domain	principal.administrative_domain
AccountType	System/AccountType	principal.user.role_description
AccountName	System/AccountName	principal.user.role_name
UserID	System/UserID	principal.user.windows_sid

Event ID 4400

Provider: NPS

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UNCATEGORIZED
Data_1		principal.administrative_domain

Event ID 4608

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_STARTUP

Event ID 4609

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_SHUTDOWN

Event ID 4610

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
AuthenticationPackageName	Data/AuthenticationPackageName	target.resource.name

Event ID 4611

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = PROCESS_UNCATEGORIZED
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
LogonProcessName	Data/LogonProcessName	target.process.command_line

Event ID 4612

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE

Event ID 4614

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
NotificationPackageName	Data/NotificationPackageName	target.resource.name

Event ID 4615

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_UNCATEGORIZED
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
ProcessName	Data/ProcessName	principal.process.command_line
ProcessId	Data/ProcessId	principal.process.pid
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid

Event ID 4616

version 0 / Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SETTING_MODIFICATION target.resource.resource_type set to SETTING
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
ProcessName	Data/ProcessName	principal.process.file.full_path
ProcessId	Data/ProcessId	principal.process.pid
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid

version 1 /

NXLog field	Event Viewer field	UDM field
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
ProcessName	Data/ProcessName	principal.process.file.full_path
ProcessId	Data/ProcessId	principal.process.pid
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
NewDate	Data/NewDate	target.resource.attribute.labels.key = "NewDate" value in target.resource.attribute.labels.value
NewTime	Data/NewTime	target.resource.attribute.labels.key = "NewTime" value in target.resource.attribute.labels.value
PreviousDate	Data/PreviousDate	target.resource.attribute.labels.key = "PreviousDate" value in target.resource.attribute.labels.value
PreviousTime	Data/PreviousTime	target.resource.attribute.labels.key = "PreviousTime" value in target.resource.attribute.labels.value

Event ID 4618

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = GENERIC_EVENT
TargetUserDomain	Data/TargetUserDomain	target.administrative_domain
ComputerName	Data/ComputerName	target.hostname
TargetUserName	Data/TargetUserName	target.user.userid
TargetUserSid	Data/TargetUserSid	target.user.windows_sid

Event ID 4621

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
CrashOnAuditFailValue	Data/CrashOnAuditFailValue	security_result.summary

Event ID 4622

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
SecurityPackageName	Data/SecurityPackageName	target.resource.name

Event ID 4624

version 0 / Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_LOGIN security_result.action set to "ALLOW"
LogonType	Data/LogonType	extensions.auth.mechanism and extensions.auth.details
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
TargetLogonId	Data/TargetLogonId	target.labels.key/value
WorkstationName	Data/WorkstationName	principal.hostname
ProcessName	Data/ProcessName	principal.process.command_line
ProcessId	Data/ProcessId	principal.process.pid
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
AuthenticationPackageName	Data/AuthenticationPackageName	security_result.about.resource.name
ElevatedToken	Data/ElevatedToken	security_result.detection_fields.labels.key/value
IpAddress	Data/IpAddress	src.ip
IpPort	Data/IpPort	src.port
TargetDomainName	Data/TargetDomainName	target.administrative_domain
LogonProcessName	Data/LogonProcessName	target.process.file.full_path
TargetUserName	Data/TargetUserName	target.user.userid
TargetUserSid	Data/TargetUserSid	target.user.windows_sid

Event ID 4625

Provider: Microsoft-Windows-EventSystem

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
param3	Data/param3	about.registry.registry_key

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_LOGIN security_result.category = AUTH_VIOLATION security_result.action = BLOCK extensions.auth.type set to MACHINE
LogonType	Data/LogonType	extensions.auth.mechanism and extensions.auth.details
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
SubjectLogonId	Data/SubjectLogonId	principal.labels.key/value
WorkstationName	Data/WorkstationName	principal.hostname
ProcessName	Data/ProcessName	principal.process.command_line
ProcessId	Data/ProcessId	principal.process.pid
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
AuthenticationPackageName	Data/AuthenticationPackageName	security_result.about.resource.name
Status	Data/Status	security_result.summary Populate description corresponding to the status codes. Format: Status(%{Status}): %{status_description}. If the value coming is 0xc000006d, then store the value 'The cause is either a bad username or authentication information (referred from doc table.'
SubStatus	Data/SubStatus	security_result.description Populate description corresponding to the substatus codes. Format: SubStatus(%{SubStatus}): %{sub_status_description} If the value coming is 0xc000006d, then store the value 'The cause is either a bad username or authentication information (referred from doc table.'
IpAddress	Data/IpAddress	src.ip
IpPort	Data/IpPort	src.port
TargetDomainName	Data/TargetDomainName	target.administrative_domain
LogonProcessName	Data/LogonProcessName	target.process.file.full_path
TargetUserName	Data/TargetUserName	target.user.userid
TargetUserSid	Data/TargetUserSid	target.user.windows_sid

Event ID 4626

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_LOGIN
LogonType	Data/LogonType	extensions.auth.mechanism and extensions.auth.details
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
TargetDomainName	Data/TargetDomainName	target.administrative_domain
TargetUserName	Data/TargetUserName	target.user.userid
TargetUserSid	Data/TargetUserSid	target.user.windows_sid

Event ID 4627

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = GROUP_UNCATEGORIZED
LogonType	Data/LogonType	extensions.auth.mechanism and extensions.auth.details
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
TargetDomainName	Data/TargetDomainName	target.administrative_domain
GroupMembership	Data/GroupMembership	target.user.group_identifiers
TargetUserName	Data/TargetUserName	target.user.userid
TargetUserSid	Data/TargetUserSid	target.user.windows_sid

Event ID 4634

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_LOGOUT security_result.action = ALLOW
LogonType	Data/LogonType	extensions.auth.mechanism and extensions.auth.details
TargetDomainName	Data/TargetDomainName	target.administrative_domain
TargetUserName	Data/TargetUserName	target.user.userid
TargetUserSid	Data/TargetUserSid	target.user.windows_sid

Event ID 4646

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_START

Event ID 4647

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_LOGOUT
TargetDomainName	Data/TargetDomainName	target.administrative_domain
TargetUserName	Data/TargetUserName	target.user.userid
TargetUserSid	Data/TargetUserSid	target.user.windows_sid

Event ID 4648

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_LOGIN security_result.action set to "ALLOW" extensions.auth.mechanism set to "USERNAME_PASSWORD"
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
ProcessName	Data/ProcessName	principal.process.command_line
ProcessId	Data/ProcessId	principal.process.pid
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
IpAddress	Data/IpAddress	src.ip
IpPort	Data/IpPort	src.port
TargetDomainName	Data/TargetDomainName	target.administrative_domain
TargetUserName	Data/TargetUserName	target.user.userid

Event ID 4649

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SYSTEM_AUDIT_UNCATEGORIZED
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
LogonProcessName	Data/LogonProcessName	principal.process.command_line
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
TargetDomainName	Data/TargetDomainName	target.administrative_domain
WorkstationName	Data/WorkstationName	target.hostname
ProcessName	Data/ProcessName	target.process.command_line
ProcessId	Data/ProcessId	target.process.pid
TargetUserName	Data/TargetUserName	target.user.userid

Event ID 4650

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = NETWORK_UNCATEGORIZED
LocalMMPrincipalName	Data/LocalMMPrincipalName	principal.hostname
LocalAddress	Data/LocalAddress	principal.ip
LocalKeyModPort	Data/LocalKeyModPort	principal.port
RemoteMMPrincipalName	Data/RemoteMMPrincipalName	target.hostname
RemoteAddress	Data/RemoteAddress	target.ip
RemoteKeyModPort	Data/RemoteKeyModPort	target.port

Event ID 4651

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = NETWORK_UNCATEGORIZED
LocalMMIssuingCA	Data/LocalMMIssuingCA	network.tls.client.certificate.issuer
RemoteMMIssuingCA	Data/RemoteMMIssuingCA	network.tls.server.certificate.issuer
LocalMMPrincipalName	Data/LocalMMPrincipalName	principal.hostname
LocalAddress	Data/LocalAddress	principal.ip
LocalKeyModPort	Data/LocalKeyModPort	principal.port
RemoteMMPrincipalName	Data/RemoteMMPrincipalName	target.hostname
RemoteAddress	Data/RemoteAddress	target.ip
RemoteKeyModPort	Data/RemoteKeyModPort	target.port

Event ID 4652

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = NETWORK_UNCATEGORIZED
LocalMMIssuingCA	Data/LocalMMIssuingCA	network.tls.client.certificate.issuer
RemoteMMIssuingCA	Data/RemoteMMIssuingCA	network.tls.server.certificate.issuer
LocalMMPrincipalName	Data/LocalMMPrincipalName	principal.hostname
LocalAddress	Data/LocalAddress	principal.ip
LocalKeyModPort	Data/LocalKeyModPort	principal.port
RemoteMMPrincipalName	Data/RemoteMMPrincipalName	target.hostname
RemoteAddress	Data/RemoteAddress	target.ip
RemoteKeyModPort	Data/RemoteKeyModPort	target.port

Event ID 4653

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = NETWORK_UNCATEGORIZED
LocalAddress	Data/LocalAddress	principal.ip
LocalKeyModPort	Data/LocalKeyModPort	principal.port
FailureReason	Data/FailureReason	security_result.summary
RemoteAddress	Data/RemoteAddress	target.ip
RemoteKeyModPort	Data/RemoteKeyModPort	target.port

Event ID 4654

version 0 / Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = NETWORK_UNCATEGORIZED
Protocol	Data/Protocol	network.ip_protocol
LocalAddress	Data/LocalAddress	principal.ip
LocalPort	Data/LocalPort	principal.port
FailureReason	Data/FailureReason	security_result.summary
RemoteAddress	Data/RemoteAddress	target.ip
RemotePort	Data/RemotePort	target.port

Event ID 4655

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = NETWORK_UNCATEGORIZED
LocalAddress	Data/LocalAddress	principal.ip
RemoteAddress	Data/RemoteAddress	target.ip

Event ID 4656

version 0 / Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_RESOURCE_ACCESS
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
ProcessName	Data/ProcessName	principal.process.file.full_path
ProcessId	Data/ProcessId	principal.process.pid
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
ObjectName	Data/ObjectName	target.file.full_path (when ObjectType = "File") target.process.command_line (when ObjectType = "Process")
AccessList	Data/AccessList	target.resource.attribute.permissions.name
PrivilegeList	Data/PrivilegeList	target.user.attribute.permissions.name

Event ID 4657

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = REGISTRY_MODIFICATION
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
ProcessName	Data/ProcessName	principal.process.file.full_path
ProcessId	Data/ProcessId	principal.process.pid
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
ObjectName	Data/ObjectName	target.registry.registry_key
NewValue	Data/NewValue	target.registry.registry_value_data
ObjectValueName	Data/ObjectValueName	target.registry.registry_value_name

Event ID 4658

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_RESOURCE_ACCESS
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
ProcessName	Data/ProcessName	principal.process.file.full_path
ProcessId	Data/ProcessId	principal.process.pid
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid

Event ID 4659

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_RESOURCE_ACCESS
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
ProcessId	Data/ProcessId	principal.process.pid
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
ObjectName	Data/ObjectName	target.file.full_path (when ObjectType = "File") target.process.command_line (when ObjectType = "Process")
AccessList	Data/AccessList	target.resource.attribute.permissions.name
PrivilegeList	Data/PrivilegeList	target.user.attribute.permissions.name

Event ID 4660

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_RESOURCE_DELETION
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
ProcessName	Data/ProcessName	principal.process.file.full_path
ProcessId	Data/ProcessId	principal.process.pid
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid

Event ID 4661

event version 1 / Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
AccessReason	Data/AccessReason	security_result.description

version 0 /

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_RESOURCE_ACCESS
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
ProcessName	Data/ProcessName	principal.process.file.full_path
ProcessId	Data/ProcessId	principal.process.pid
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
ObjectName	Data/ObjectName	target.group.group_display_name (when ObjectType is SAM_ALIAS, SAM_GROUP) target.user.userid (when ObjectType is SAM_USER) target.administrative_domain (when ObjectType is SAM_DOMAIN) target.hostname (when ObjectType is SAM_SERVER)
AccessList	Data/AccessList	target.resource.attribute.permissions.name
PrivilegeList	Data/PrivilegeList	target.user.attribute.permissions.name

Event ID 4662

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_RESOURCE_ACCESS
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
SubjectLogonId	Data/SubjectLogonId	principal.labels.key/value
AdditionalInfo	Data/AdditionalInfo	security_result.description
Properties	Data/Properties	security_result.detection_fields.key/value
AccessMask	Data/AccessMask	principal.process.access_mask principal.resource.attribute.permissions Populate description corresponding to the access codes.
ObjectName	Data/ObjectName	target.resource.name
ObjectServer	Data/ObjectServer	target.resource.parent

Event ID 4663

version 0 / Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = FILE_OPEN (ObjectType = File, SymbolicLink) REGISTRY_UNCATEGORIZED (ObjectType = Key) PROCESS_OPEN (ObjectType = Process) USER_RESOURCE_ACCESS (ObjectType = Event)
ObjectName	Data/ObjectName	Object Type \| UDM Field --------------------------+------------------------------------ File, SymbolicLink \| target.file.full_path Key \| target.registry.registry_key Process \| target.process.file.full_path Event \| target.resource.name
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
ProcessName	Data/ProcessName	principal.process.file.full_path
ProcessId	Data/ProcessId	principal.process.pid
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
AccessList	Data/AccessList	target.resource.attribute.permissions.name

Event ID 4664

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = FILE_CREATION
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
FileName	Data/FileName	target.file.full_path
LinkName	Data/LinkName	target.resource.name

Event ID 4665

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = RESOURCE_CREATION
ClientDomain	Data/ClientDomain	principal.administrative_domain
ClientName	Data/ClientName	principal.user.userid
AppName	Data/AppName	target.application
AppInstance	Data/AppInstance	target.resource.product_object_id

Event ID 4666

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_RESOURCE_ACCESS
ClientDomain	Data/ClientDomain	principal.administrative_domain
ClientName	Data/ClientName	principal.user.userid
AppName	Data/AppName	target.application
ObjectName	Data/ObjectName	target.resource.name

Event ID 4667

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = RESOURCE_DELETION
ClientDomain	Data/ClientDomain	principal.administrative_domain
ClientName	Data/ClientName	principal.user.userid
AppName	Data/AppName	target.application

Event ID 4668

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
ClientDomain	Data/ClientDomain	principal.administrative_domain
ClientName	Data/ClientName	principal.user.userid
AppName	Data/AppName	target.application

Event ID 4670

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = FILE_OPEN (ObjectType = File, SymbolicLink) REGISTRY_UNCATEGORIZED (ObjectType = Key) PROCESS_OPEN (ObjectType = Process) USER_RESOURCE_ACCESS (ObjectType = Event)
ObjectName	Data/ObjectName	Object Type \| UDM Field --------------------------+------------------------------------ File, SymbolicLink \| target.file.full_path Key \| target.registry.registry_key Process \| target.process.file.full_path Event \| target.resource.name
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
ProcessName	Data/ProcessName	principal.process.file.full_path
ProcessId	Data/ProcessId	principal.process.pid
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
OldSd	Data/OldSd	security_result.detection_fields.key/value
NewSd	Data/NewSd	security_result.detection_fields.key/value

Event ID 4671

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE security_result.action = BLOCK
CallerDomainName	Data/CallerDomainName	principal.administrative_domain
CallerUserName	Data/CallerUserName	principal.user.userid
CallerUserSid	Data/CallerUserSid	principal.user.windows_sid

Event ID 4672

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = USER_LOGIN
SubjectDomainName	Data/SubjectDomainName	target.administrative_domain
PrivilegeList	Data/PrivilegeList	target.user.attribute.permissions.name
SubjectUserName	Data/SubjectUserName	target.user.userid
SubjectUserSid	Data/SubjectUserSid	target.user.windows_sid

Event ID 4673

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_UNSPECIFIED If ProcessName field is absent then metadata.event_type set to GENERIC_EVENT.
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	SubjectUserSid	principal.user.windows_sid
ProcessName	Data/ProcessName	target.process.command_line If ProcessName field not in log then extract "Process ID" and "Process Name" from "Message" field.
ProcessId	Data/ProcessId	target.process.pid

Event ID 4674

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_UNSPECIFIED If ProcessName field is absent then metadata.event_type set to GENERIC_EVENT.
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
ProcessName	Data/ProcessName	target.process.command_line If ProcessName field not in log then extract "Process ID" and "Process Name" from "Message" field.
ProcessId	Data/ProcessId	target.process.pid
ObjectName	ObjectName	target.resource.name

Event ID 4675

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
TargetDomainName	Data/TargetDomainName	target.administrative_domain
TargetUserName	Data/TargetUserName	target.user.userid
TargetUserSid	Data/TargetUserSid	target.user.windows_sid

Event ID 4688

version 0 / Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = PROCESS_LAUNCH
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
ProcessId	Data/ProcessId	principal.process.pid
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
NewProcessName	Data/NewProcessName	target.process.file.full_path
NewProcessId	Data/NewProcessId	target.process.pid
ParentProcessName	Data/ParentProcessName	principal.process.file.full_path

version 1 /

NXLog field	Event Viewer field	UDM field
commandLine	Data/commandLine	principal.process.command_line

version 2 /

NXLog field	Event Viewer field	UDM field
TargetDomainName	Data/TargetDomainName	target.administrative_domain
TargetUserName	Data/TargetUserName	target.user.userid
TargetUserSid	Data/TargetUserSid	target.user.windows_sid

Event ID 4689

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = PROCESS_TERMINATION
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
ProcessName	Data/ProcessName	target.process.file.full_path
ProcessId	Data/ProcessId	target.process.pid

Event ID 4690

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = RESOURCE_CREATION
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
SourceProcessId	Data/SourceProcessId	principal.process.pid
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
SourceHandleId	Data/SourceHandleId	src.resource.name
TargetProcessId	Data/TargetProcessId	target.process.pid
TargetHandleId	Data/TargetHandleId	target.resource.name

Event ID 4691

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = FILE_OPEN (ObjectType = File, SymbolicLink) REGISTRY_UNCATEGORIZED (ObjectType = Key) PROCESS_OPEN (ObjectType = Process) USER_RESOURCE_ACCESS (ObjectType = Event)
ObjectName	Data/ObjectName	Object Type \| UDM Field --------------------------+------------------------------------ File, SymbolicLink \| target.file.full_path Key \| target.registry.registry_key Process \| target.process.file.full_path Event \| target.resource.name
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
ProcessId	Data/ProcessId	principal.process.pid
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid

Event ID 4692

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
FailureReason	Data/FailureReason	security_result.description
RecoveryServer	Data/RecoveryServer	target.hostname

Event ID 4693

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
RecoveryReason	Data/RecoveryReason	security_result.description

Event ID 4694

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
FailureReason	Data/FailureReason	security_result.description

Event ID 4695

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = STATUS_UPDATE
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
FailureReason	Data/FailureReason	security_result.description

Event ID 4696

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = PROCESS_UNCATEGORIZED
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
ProcessName	Data/ProcessName	principal.process.command_line
ProcessId	Data/ProcessId	principal.process.pid
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
TargetDomainName	Data/TargetDomainName	target.administrative_domain
TargetProcessName	Data/TargetProcessName	target.process.command_line
TargetProcessId	Data/TargetProcessId	target.process.pid
TargetUserName	Data/TargetUserName	target.user.userid
TargetUserSid	Data/TargetUserSid	target.user.windows_sid

Event ID 4697

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SERVICE_UNSPECIFIED
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
ServiceName	Data/ServiceName	target.application
ServiceFileName	Data/ServiceFileName	target.process.file.full_path

Event ID 4698

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SCHEDULED_TASK_CREATION target.resource.resource_type = TASK
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
ParentProcessId	Data/ParentProcessId	target.process.parent_process.pid
ClientProcessId	Data/ClientProcessId	target.process.pid
TaskName	Data/TaskName	target.resource.name

Event ID 4699

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SCHEDULED_TASK_DELETION target.resource.resource_type = "TASK"
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
ParentProcessId	Data/ParentProcessId	principal.process.parent_process.pid
ClientProcessId	Data/ClientProcessId	principal.process.pid
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
TaskName	Data/TaskName	target.resource.name

Event ID 4700

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SCHEDULED_TASK_ENABLE target.resource.resource_type = TASK
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
ParentProcessId	Data/ParentProcessId	principal.process.parent_process.pid
ClientProcessId	Data/ClientProcessId	principal.process.pid
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
TaskName	Data/TaskName	target.resource.name

Event ID 4701

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SCHEDULED_TASK_DISABLE target.resource.resource_type = TASK
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
ParentProcessId	Data/ParentProcessId	principal.process.parent_process.pid
ClientProcessId	Data/ClientProcessId	principal.process.pid
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
TaskName	Data/TaskName	target.resource.name

Event ID 4702

Provider: Microsoft-Windows-Security-Auditing

NXLog field	Event Viewer field	UDM field
		metadata.event_type = SCHEDULED_TASK_MODIFICATION target.resource.resource_type = TASK
SubjectDomainName	Data/SubjectDomainName	principal.administrative_domain
SubjectUserName	Data/SubjectUserName	principal.user.userid
SubjectUserSid	Data/SubjectUserSid	principal.user.windows_sid
ParentProcessId