
Windows

The `windows` log type covers events generated by Windows applications, system services, and the Windows operating system itself. The raw field names in the mapping below include those emitted by the Windows Security channel as well as by Sysmon (for example `Hashes`, `ImageLoaded`, `PipeName`, `TargetObject`, `CallTrace`, `GrantedAccess`) and PowerShell script-block logging (`ScriptBlockText`, `HostApplication`), so a single mapping set serves all of these sources.

The following code snippet contains all the `raw_field` to `ecs` mappings for this log type. Each entry renames one field as it appears in the ingested event (`raw_field`) to the ECS-style field name (`ecs`) that detection rules should reference. Note the following when writing or tuning rules against this mapping: raw field names are listed as distinct, case-sensitive entries (`message` maps to `windows.message` while `Message` maps to `winlog.event_data.Message`; `processPath` and `ProcessPath` are separate entries); several raw fields collapse onto one ECS field (`EventId`, `EventID` and `event_uid` all become `winlog.event_id`; `Provider`, `ProviderName` and `Provider_Name` become `winlog.provider_name`; `SourceIp` and `SourceAddress` become `source.ip`; `DestinationPort` and `DestPort` become `destination.port`; `User` and `UserName` become `winlog.user.name`), so an event that carries more than one of these raw fields will have a single value in the ECS field and you should verify which one your source produces; `AccountName` and `ObjectName` both map to `winlog.computerObject.name`, which is worth confirming against your data before relying on that field to distinguish an account from an object; and `creationTime` maps to `timestamp`, not `@timestamp`. Some targets also differ from the raw name in spelling or case (`Details` becomes `winlog.event_data.Detail`, `OriginalFilename` becomes `winlog.event_data.OriginalFileName`), so copy the `ecs` value exactly.

 "mappings":[
    {
      "raw_field":"AccountName",
      "ecs":"winlog.computerObject.name"
    },
    {
      "raw_field":"AuthenticationPackageName",
      "ecs":"winlog.event_data.AuthenticationPackageName"
    },
    {
      "raw_field":"Channel",
      "ecs":"winlog.channel"
    },
    {
      "raw_field":"Company",
      "ecs":"winlog.event_data.Company"
    },
    {
      "raw_field":"ComputerName",
      "ecs":"winlog.computer_name"
    },
    {
      "raw_field":"Description",
      "ecs":"winlog.event_data.Description"
    },
    {
      "raw_field":"Details",
      "ecs":"winlog.event_data.Detail"
    },
    {
      "raw_field":"Device",
      "ecs":"winlog.event_data.Device"
    },
    {
      "raw_field":"FileName",
      "ecs":"winlog.event_data.FileName"
    },
    {
      "raw_field":"FileVersion",
      "ecs":"winlog.event_data.FileVersion"
    },
    {
      "raw_field":"IntegrityLevel",
      "ecs":"winlog.event_data.IntegrityLevel"
    },
    {
      "raw_field":"IpAddress",
      "ecs":"winlog.event_data.IpAddress"
    },
    {
      "raw_field":"KeyLength",
      "ecs":"winlog.event_data.KeyLength"
    },
    {
      "raw_field":"Keywords",
      "ecs":"winlog.keywords"
    },
    {
      "raw_field":"LogonId",
      "ecs":"winlog.event_data.LogonId"
    },
    {
      "raw_field":"LogonProcessName",
      "ecs":"winlog.event_data.LogonProcessName"
    },
    {
      "raw_field":"LogonType",
      "ecs":"winlog.event_data.LogonType"
    },
    {
      "raw_field":"OriginalFilename",
      "ecs":"winlog.event_data.OriginalFileName"
    },
    {
      "raw_field":"Path",
      "ecs":"winlog.event_data.Path"
    },
    {
      "raw_field":"PrivilegeList",
      "ecs":"winlog.event_data.PrivilegeList"
    },
    {
      "raw_field":"ProcessId",
      "ecs":"winlog.event_data.ProcessId"
    },
    {
      "raw_field":"Product",
      "ecs":"winlog.event_data.Product"
    },
    {
      "raw_field":"Provider",
      "ecs":"winlog.provider_name"
    },
    {
      "raw_field":"ProviderName",
      "ecs":"winlog.provider_name"
    },
    {
      "raw_field":"ScriptBlockText",
      "ecs":"winlog.event_data.ScriptBlockText"
    },
    {
      "raw_field":"ServerName",
      "ecs":"winlog.event_data.TargetServerName"
    },
    {
      "raw_field":"Service",
      "ecs":"winlog.event_data.ServiceName"
    },
    {
      "raw_field":"Signed",
      "ecs":"winlog.event_data.Signed"
    },
    {
      "raw_field":"State",
      "ecs":"winlog.event_data.State"
    },
    {
      "raw_field":"Status",
      "ecs":"winlog.event_data.Status"
    },
    {
      "raw_field":"SubjectDomainName",
      "ecs":"winlog.event_data.SubjectDomainName"
    },
    {
      "raw_field":"SubjectLogonId",
      "ecs":"winlog.event_data.SubjectLogonId"
    },
    {
      "raw_field":"SubjectUserName",
      "ecs":"winlog.event_data.SubjectUserName"
    },
    {
      "raw_field":"SubjectUserSid",
      "ecs":"winlog.event_data.SubjectUserSid"
    },
    {
      "raw_field":"TargetLogonId",
      "ecs":"winlog.event_data.TargetLogonId"
    },
    {
      "raw_field":"TargetName",
      "ecs":"winlog.event_data.TargetUserName"
    },
    {
      "raw_field":"TargetServerName",
      "ecs":"winlog.event_data.TargetServerName"
    },
    {
      "raw_field":"TargetUserName",
      "ecs":"winlog.event_data.TargetUserName"
    },
    {
      "raw_field":"TargetUserSid",
      "ecs":"winlog.event_data.TargetUserSid"
    },
    {
      "raw_field":"TaskName",
      "ecs":"winlog.task"
    },
    {
      "raw_field":"Type",
      "ecs":"winlog.user.type"
    },
    {
      "raw_field":"User",
      "ecs":"winlog.user.name"
    },
    {
      "raw_field":"UserName",
      "ecs":"winlog.user.name"
    },
    {
      "raw_field":"Workstation",
      "ecs":"winlog.event_data.Workstation"
    },
    {
      "raw_field":"WorkstationName",
      "ecs":"winlog.event_data.Workstation"
    },
    {
      "raw_field":"event_uid",
      "ecs":"winlog.event_id"
    },
    {
      "raw_field":"CommandLine",
      "ecs":"process.command_line"
    },
    {
      "raw_field":"hostname",
      "ecs":"host.hostname"
    },
    {
      "raw_field":"message",
      "ecs":"windows.message"
    },
    {
      "raw_field":"Provider_Name",
      "ecs":"winlog.provider_name"
    },
    {
      "raw_field":"EventId",
      "ecs":"winlog.event_id"
    },
    {
      "raw_field":"processPath",
      "ecs":"winlog.event_data.ProcessPath"
    },
    {
      "raw_field":"ProcessName",
      "ecs":"winlog.event_data.ProcessName"
    },
    {
      "raw_field":"ObjectName",
      "ecs":"winlog.computerObject.name"
    },
    {
      "raw_field":"param1",
      "ecs":"winlog.event_data.param1"
    },
    {
      "raw_field":"param2",
      "ecs":"winlog.event_data.param2"
    },
    {
      "raw_field":"creationTime",
      "ecs":"timestamp"
    },
    {
      "raw_field":"Origin",
      "ecs":"winlog.event_data.Origin"
    },
    {
      "raw_field":"ParentImage",
      "ecs":"winlog.event_data.ParentImage"
    },
    {
      "raw_field":"TargetPort",
      "ecs":"winlog.event_data.TargetPort"
    },
    {
      "raw_field":"Query",
      "ecs":"winlog.event_data.Query"
    },
    {
      "raw_field":"DestinationPort",
      "ecs":"destination.port"
    },
    {
      "raw_field":"StartAddress",
      "ecs":"winlog.event_data.StartAddress"
    },
    {
      "raw_field":"TicketOptions",
      "ecs":"winlog.event_data.TicketOptions"
    },
    {
      "raw_field":"ParentCommandLine",
      "ecs":"winlog.event_data.ParentCommandLine"
    },
    {
      "raw_field":"AllowedToDelegateTo",
      "ecs":"winlog.event_data.AllowedToDelegateTo"
    },
    {
      "raw_field":"HostApplication",
      "ecs":"winlog.event_data.HostApplication"
    },
    {
      "raw_field":"AccessMask",
      "ecs":"winlog.event_data.AccessMask"
    },
    {
      "raw_field":"Hashes",
      "ecs":"winlog.event_data.Hashes"
    },
    {
      "raw_field":"SidHistory",
      "ecs":"winlog.event_data.SidHistory"
    },
    {
      "raw_field":"Initiated",
      "ecs":"winlog.event_data.Initiated"
    },
    {
      "raw_field":"DestinationIp",
      "ecs":"destination.ip"
    },
    {
      "raw_field":"RelativeTargetName",
      "ecs":"winlog.event_data.RelativeTargetName"
    },
    {
      "raw_field":"Source_Name",
      "ecs":"winlog.event_data.Source_Name"
    },
    {
      "raw_field":"AttributeLDAPDisplayName",
      "ecs":"winlog.event_data.AttributeLDAPDisplayName"
    },
    {
      "raw_field":"DeviceDescription",
      "ecs":"winlog.event_data.DeviceDescription"
    },
    {
      "raw_field":"AttributeValue",
      "ecs":"winlog.event_data.AttributeValue"
    },
    {
      "raw_field":"ObjectValueName",
      "ecs":"winlog.event_data.ObjectValueName"
    },
    {
      "raw_field":"QueryStatus",
      "ecs":"winlog.event_data.QueryStatus"
    },
    {
      "raw_field":"TargetParentProcessId",
      "ecs":"winlog.event_data.TargetParentProcessId"
    },
    {
      "raw_field":"OldUacValue",
      "ecs":"winlog.event_data.OldUacValue"
    },
    {
      "raw_field":"FailureCode",
      "ecs":"winlog.event_data.FailureCode"
    },
    {
      "raw_field":"OldTargetUserName",
      "ecs":"winlog.event_data.OldTargetUserName"
    },
    {
      "raw_field":"NewUacValue",
      "ecs":"winlog.event_data.NewUacValue"
    },
    {
      "raw_field":"ServiceName",
      "ecs":"winlog.event_data.ServiceName"
    },
    {
      "raw_field":"Imphash",
      "ecs":"winlog.event_data.Imphash"
    },
    {
      "raw_field":"NewValue",
      "ecs":"winlog.event_data.NewValue"
    },
    {
      "raw_field":"Action",
      "ecs":"winlog.event_data.Action"
    },
    {
      "raw_field":"SourceImage",
      "ecs":"winlog.event_data.SourceImage"
    },
    {
      "raw_field":"QNAME",
      "ecs":"winlog.event_data.QNAME"
    },
    {
      "raw_field":"Properties",
      "ecs":"winlog.event_data.Properties"
    },
    {
      "raw_field":"AuditPolicyChanges",
      "ecs":"winlog.event_data.AuditPolicyChanges"
    },
    {
      "raw_field":"Accesses",
      "ecs":"winlog.event_data.Accesses"
    },
    {
      "raw_field":"ClassName",
      "ecs":"winlog.event_data.ClassName"
    },
    {
      "raw_field":"ObjectClass",
      "ecs":"winlog.event_data.ObjectClass"
    },
    {
      "raw_field":"PipeName",
      "ecs":"winlog.event_data.PipeName"
    },
    {
      "raw_field":"HiveName",
      "ecs":"winlog.event_data.HiveName"
    },
    {
      "raw_field":"StartModule",
      "ecs":"winlog.event_data.StartModule"
    },
    {
      "raw_field":"HostVersion",
      "ecs":"winlog.event_data.HostVersion"
    },
    {
      "raw_field":"DestinationHostname",
      "ecs":"winlog.event_data.DestinationHostname"
    },
    {
      "raw_field":"QueryName",
      "ecs":"winlog.event_data.QueryName"
    },
    {
      "raw_field":"RemoteName",
      "ecs":"winlog.event_data.RemoteName"
    },
    {
      "raw_field":"PasswordLastSet",
      "ecs":"winlog.event_data.PasswordLastSet"
    },
    {
      "raw_field":"ErrorCode",
      "ecs":"winlog.event_data.ErrorCode"
    },
    {
      "raw_field":"AccessList",
      "ecs":"winlog.event_data.AccessList"
    },
    {
      "raw_field":"Address",
      "ecs":"winlog.event_data.Address"
    },
    {
      "raw_field":"PossibleCause",
      "ecs":"winlog.event_data.PossibleCause"
    },
    {
      "raw_field":"DestPort",
      "ecs":"destination.port"
    },
    {
      "raw_field":"Image",
      "ecs":"winlog.event_data.Image"
    },
    {
      "raw_field":"CertThumbprint",
      "ecs":"winlog.event_data.CertThumbprint"
    },
    {
      "raw_field":"TicketEncryptionType",
      "ecs":"winlog.event_data.TicketEncryptionType"
    },
    {
      "raw_field":"ServiceType",
      "ecs":"winlog.event_data.ServiceType"
    },
    {
      "raw_field":"ObjectServer",
      "ecs":"winlog.event_data.ObjectServer"
    },
    {
      "raw_field":"ImagePath",
      "ecs":"winlog.event_data.ImagePath"
    },
    {
      "raw_field":"NewName",
      "ecs":"winlog.event_data.NewName"
    },
    {
      "raw_field":"CallTrace",
      "ecs":"winlog.event_data.CallTrace"
    },
    {
      "raw_field":"SamAccountName",
      "ecs":"winlog.event_data.SamAccountName"
    },
    {
      "raw_field":"GrantedAccess",
      "ecs":"winlog.event_data.GrantedAccess"
    },
    {
      "raw_field":"EngineVersion",
      "ecs":"winlog.event_data.EngineVersion"
    },
    {
      "raw_field":"OriginalName",
      "ecs":"winlog.event_data.OriginalName"
    },
    {
      "raw_field":"AuditSourceName",
      "ecs":"winlog.event_data.AuditSourceName"
    },
    {
      "raw_field":"sha1",
      "ecs":"hash.sha1"
    },
    {
      "raw_field":"SourceIp",
      "ecs":"source.ip"
    },
    {
      "raw_field":"Payload",
      "ecs":"winlog.event_data.Payload"
    },
    {
      "raw_field":"Level",
      "ecs":"winlog.event_data.Level"
    },
    {
      "raw_field":"Application",
      "ecs":"winlog.event_data.Application"
    },
    {
      "raw_field":"RemoteAddress",
      "ecs":"winlog.event_data.RemoteAddress"
    },
    {
      "raw_field":"SearchFilter",
      "ecs":"winlog.event_data.SearchFilter"
    },
    {
      "raw_field":"ApplicationPath",
      "ecs":"winlog.event_data.ApplicationPath"
    },
    {
      "raw_field":"TargetFilename",
      "ecs":"winlog.event_data.TargetFilename"
    },
    {
      "raw_field":"CurrentDirectory",
      "ecs":"winlog.event_data.CurrentDirectory"
    },
    {
      "raw_field":"ObjectType",
      "ecs":"winlog.event_data.ObjectType"
    },
    {
      "raw_field":"ServicePrincipalNames",
      "ecs":"winlog.event_data.ServicePrincipalNames"
    },
    {
      "raw_field":"TemplateContent",
      "ecs":"winlog.event_data.TemplateContent"
    },
    {
      "raw_field":"QueryResults",
      "ecs":"winlog.event_data.QueryResults"
    },
    {
      "raw_field":"ServiceStartType",
      "ecs":"winlog.event_data.ServiceStartType"
    },
    {
      "raw_field":"EventType",
      "ecs":"winlog.event_data.EventType"
    },
    {
      "raw_field":"TargetSid",
      "ecs":"winlog.event_data.TargetSid"
    },
    {
      "raw_field":"ParentUser",
      "ecs":"winlog.event_data.ParentUser"
    },
    {
      "raw_field":"NewTargetUserName",
      "ecs":"winlog.event_data.NewTargetUserName"
    },
    {
      "raw_field":"DestAddress",
      "ecs":"winlog.event_data.DestAddress"
    },
    {
      "raw_field":"ContextInfo",
      "ecs":"winlog.event_data.ContextInfo"
    },
    {
      "raw_field":"HostName",
      "ecs":"host.name"
    },
    {
      "raw_field":"NewTemplateContent",
      "ecs":"winlog.event_data.NewTemplateContent"
    },
    {
      "raw_field":"LayerRTID",
      "ecs":"winlog.event_data.LayerRTID"
    },
    {
      "raw_field":"ImageFileName",
      "ecs":"winlog.event_data.ImageFileName"
    },
    {
      "raw_field":"StartFunction",
      "ecs":"winlog.event_data.StartFunction"
    },
    {
      "raw_field":"Value",
      "ecs":"winlog.event_data.Value"
    },
    {
      "raw_field":"ModifyingApplication",
      "ecs":"winlog.event_data.ModifyingApplication"
    },
    {
      "raw_field":"Destination",
      "ecs":"winlog.event_data.Destination"
    },
    {
      "raw_field":"Commandline",
      "ecs":"winlog.event_data.Commandline"
    },
    {
      "raw_field":"Message",
      "ecs":"winlog.event_data.Message"
    },
    {
      "raw_field":"ShareName",
      "ecs":"winlog.event_data.ShareName"
    },
    {
      "raw_field":"SourcePort",
      "ecs":"source.port"
    },
    {
      "raw_field":"CallerProcessName",
      "ecs":"winlog.event_data.CallerProcessName"
    },
    {
      "raw_field":"ServiceFileName",
      "ecs":"winlog.event_data.ServiceFileName"
    },
    {
      "raw_field":"DestinationIsIpv6",
      "ecs":"winlog.event_data.DestinationIsIpv6"
    },
    {
      "raw_field":"TargetImage",
      "ecs":"winlog.event_data.TargetImage"
    },
    {
      "raw_field":"SourceAddress",
      "ecs":"source.ip"
    },
    {
      "raw_field":"TargetObject",
      "ecs":"winlog.event_data.TargetObject"
    },
    {
      "raw_field":"Caption",
      "ecs":"winlog.event_data.Caption"
    },
    {
      "raw_field":"LocalName",
      "ecs":"winlog.event_data.LocalName"
    },
    {
      "raw_field":"ImageLoaded",
      "ecs":"winlog.event_data.ImageLoaded"
    },
    {
      "raw_field":"EventID",
      "ecs":"winlog.event_id"
    },
    {
      "raw_field":"sha256",
      "ecs":"hash.sha256"
    },
    {
      "raw_field":"ScriptBlockLogging",
      "ecs":"winlog.event_data.ScriptBlockLogging"
    },
    {
      "raw_field":"SourceParentImage",
      "ecs":"winlog.event_data.SourceParentImage"
    },
    {
      "raw_field":"SourceFilename",
      "ecs":"winlog.event_data.SourceFilename"
    },
    {
      "raw_field":"Protocol",
      "ecs":"winlog.event_data.Protocol"
    },
    {
      "raw_field":"ValidatedPolicy",
      "ecs":"winlog.event_data.ValidatedPolicy"
    },
    {
      "raw_field":"ProcessPath",
      "ecs":"winlog.event_data.ProcessPath"
    },
    {
      "raw_field":"OldValue",
      "ecs":"winlog.event_data.OldValue"
    },
    {
      "raw_field":"ParentProcessId",
      "ecs":"winlog.event_data.ParentProcessId"
    },
    {
      "raw_field":"TaskContentNew",
      "ecs":"winlog.event_data.TaskContentNew"
    },
    {
      "raw_field":"Name",
      "ecs":"winlog.event_data.Name"
    },
    {
      "raw_field":"payload",
      "ecs":"winlog.event_data.payload"
    },
    {
      "raw_field":"SourceHostname",
      "ecs":"winlog.event_data.SourceHostname"
    },
    {
      "raw_field":"ClientProcessId",
      "ecs":"winlog.event_data.ClientProcessId"
    },
    {
      "raw_field":"TargetParentImage",
      "ecs":"winlog.event_data.TargetParentImage"
    },
    {
      "raw_field":"ImpersonationLevel",
      "ecs":"winlog.event_data.ImpersonationLevel"
    },
    {
      "raw_field":"ExceptionCode",
      "ecs":"winlog.event_data.ExceptionCode"
    },
    {
      "raw_field":"FilterOrigin",
      "ecs":"winlog.event_data.FilterOrigin"
    },
    {
      "raw_field":"PackagePath",
      "ecs":"winlog.event_data.PackagePath"
    },
    {
      "raw_field":"SignatureStatus",
      "ecs":"winlog.event_data.SignatureStatus"
    },
    {
      "raw_field":"Hash",
      "ecs":"winlog.event_data.Hash"
    },
    {
      "raw_field":"AppID",
      "ecs":"winlog.event_data.AppID"
    },
    {
      "raw_field":"SidList",
      "ecs":"winlog.event_data.SidList"
    },
    {
      "raw_field":"ProcessNameBuffer",
      "ecs":"winlog.event_data.ProcessNameBuffer"
    },
    {
      "raw_field":"PreviousCreationUtcTime",
      "ecs":"winlog.event_data.PreviousCreationUtcTime"
    },
    {
      "raw_field":"Contents",
      "ecs":"winlog.event_data.Contents"
    },
    {
      "raw_field":"TargetOutboundUserName",
      "ecs":"winlog.event_data.TargetOutboundUserName"
    },
    {
      "raw_field":"ImageName",
      "ecs":"winlog.event_data.ImageName"
    },
    {
      "raw_field":"md5",
      "ecs":"hash.md5"
    },
    {
      "raw_field":"DeviceName",
      "ecs":"winlog.event_data.DeviceName"
    },
    {
      "raw_field":"RequestedPolicy",
      "ecs":"winlog.event_data.RequestedPolicy"
    },
    {
      "raw_field":"FileNameBuffer",
      "ecs":"winlog.event_data.FileNameBuffer"
    },
    {
      "raw_field":"TaskContent",
      "ecs":"winlog.event_data.TaskContent"
    },
    {
      "raw_field":"SourceCommandLine",
      "ecs":"winlog.event_data.SourceCommandLine"
    },
    {
      "raw_field":"CreationUtcTime",
      "ecs":"winlog.event_data.CreationUtcTime"
    },
    {
      "raw_field":"AppName",
      "ecs":"winlog.event_data.AppName"
    },
    {
      "raw_field":"subjectName",
      "ecs":"winlog.event_data.subjectName"
    },
    {
      "raw_field":"process",
      "ecs":"winlog.event_data.process"
    },
    {
      "raw_field":"PackageFullName",
      "ecs":"winlog.event_data.PackageFullName"
    },
    {
      "raw_field":"SourceName",
      "ecs":"winlog.event_data.SourceName"
    },
    {
      "raw_field":"Data",
      "ecs":"winlog.event_data.Data"
    },
    {
      "raw_field":"param3",
      "ecs":"winlog.event_data.param3"
    },
    {
      "raw_field":"Signature",
      "ecs":"winlog.event_data.Signature"
    }
  ]
