Windows

The windows log type records events that happen in Windows applications, system services, and the Windows operating system.

The following snippet lists every raw_field-to-ecs mapping for this log type (it is the `mappings` array only, not a complete mapping document). Note that some raw field names differ only by case or spelling and map to different ECS fields — for example `CommandLine` maps to `process.command_line` while `Commandline` maps to `winlog.event_data.Commandline` — so detection rules should target the ECS field that the event source actually populates:

  1. "mappings":[
  2. {
  3. "raw_field":"AccountName",
  4. "ecs":"winlog.computerObject.name"
  5. },
  6. {
  7. "raw_field":"AuthenticationPackageName",
  8. "ecs":"winlog.event_data.AuthenticationPackageName"
  9. },
  10. {
  11. "raw_field":"Channel",
  12. "ecs":"winlog.channel"
  13. },
  14. {
  15. "raw_field":"Company",
  16. "ecs":"winlog.event_data.Company"
  17. },
  18. {
  19. "raw_field":"ComputerName",
  20. "ecs":"winlog.computer_name"
  21. },
  22. {
  23. "raw_field":"Description",
  24. "ecs":"winlog.event_data.Description"
  25. },
  26. {
  27. "raw_field":"Details",
  28. "ecs":"winlog.event_data.Detail"
  29. },
  30. {
  31. "raw_field":"Device",
  32. "ecs":"winlog.event_data.Device"
  33. },
  34. {
  35. "raw_field":"FileName",
  36. "ecs":"winlog.event_data.FileName"
  37. },
  38. {
  39. "raw_field":"FileVersion",
  40. "ecs":"winlog.event_data.FileVersion"
  41. },
  42. {
  43. "raw_field":"IntegrityLevel",
  44. "ecs":"winlog.event_data.IntegrityLevel"
  45. },
  46. {
  47. "raw_field":"IpAddress",
  48. "ecs":"winlog.event_data.IpAddress"
  49. },
  50. {
  51. "raw_field":"KeyLength",
  52. "ecs":"winlog.event_data.KeyLength"
  53. },
  54. {
  55. "raw_field":"Keywords",
  56. "ecs":"winlog.keywords"
  57. },
  58. {
  59. "raw_field":"LogonId",
  60. "ecs":"winlog.event_data.LogonId"
  61. },
  62. {
  63. "raw_field":"LogonProcessName",
  64. "ecs":"winlog.event_data.LogonProcessName"
  65. },
  66. {
  67. "raw_field":"LogonType",
  68. "ecs":"winlog.event_data.LogonType"
  69. },
  70. {
  71. "raw_field":"OriginalFilename",
  72. "ecs":"winlog.event_data.OriginalFileName"
  73. },
  74. {
  75. "raw_field":"Path",
  76. "ecs":"winlog.event_data.Path"
  77. },
  78. {
  79. "raw_field":"PrivilegeList",
  80. "ecs":"winlog.event_data.PrivilegeList"
  81. },
  82. {
  83. "raw_field":"ProcessId",
  84. "ecs":"winlog.event_data.ProcessId"
  85. },
  86. {
  87. "raw_field":"Product",
  88. "ecs":"winlog.event_data.Product"
  89. },
  90. {
  91. "raw_field":"Provider",
  92. "ecs":"winlog.provider_name"
  93. },
  94. {
  95. "raw_field":"ProviderName",
  96. "ecs":"winlog.provider_name"
  97. },
  98. {
  99. "raw_field":"ScriptBlockText",
  100. "ecs":"winlog.event_data.ScriptBlockText"
  101. },
  102. {
  103. "raw_field":"ServerName",
  104. "ecs":"winlog.event_data.TargetServerName"
  105. },
  106. {
  107. "raw_field":"Service",
  108. "ecs":"winlog.event_data.ServiceName"
  109. },
  110. {
  111. "raw_field":"Signed",
  112. "ecs":"winlog.event_data.Signed"
  113. },
  114. {
  115. "raw_field":"State",
  116. "ecs":"winlog.event_data.State"
  117. },
  118. {
  119. "raw_field":"Status",
  120. "ecs":"winlog.event_data.Status"
  121. },
  122. {
  123. "raw_field":"SubjectDomainName",
  124. "ecs":"winlog.event_data.SubjectDomainName"
  125. },
  126. {
  127. "raw_field":"SubjectLogonId",
  128. "ecs":"winlog.event_data.SubjectLogonId"
  129. },
  130. {
  131. "raw_field":"SubjectUserName",
  132. "ecs":"winlog.event_data.SubjectUserName"
  133. },
  134. {
  135. "raw_field":"SubjectUserSid",
  136. "ecs":"winlog.event_data.SubjectUserSid"
  137. },
  138. {
  139. "raw_field":"TargetLogonId",
  140. "ecs":"winlog.event_data.TargetLogonId"
  141. },
  142. {
  143. "raw_field":"TargetName",
  144. "ecs":"winlog.event_data.TargetUserName"
  145. },
  146. {
  147. "raw_field":"TargetServerName",
  148. "ecs":"winlog.event_data.TargetServerName"
  149. },
  150. {
  151. "raw_field":"TargetUserName",
  152. "ecs":"winlog.event_data.TargetUserName"
  153. },
  154. {
  155. "raw_field":"TargetUserSid",
  156. "ecs":"winlog.event_data.TargetUserSid"
  157. },
  158. {
  159. "raw_field":"TaskName",
  160. "ecs":"winlog.task"
  161. },
  162. {
  163. "raw_field":"Type",
  164. "ecs":"winlog.user.type"
  165. },
  166. {
  167. "raw_field":"User",
  168. "ecs":"winlog.user.name"
  169. },
  170. {
  171. "raw_field":"UserName",
  172. "ecs":"winlog.user.name"
  173. },
  174. {
  175. "raw_field":"Workstation",
  176. "ecs":"winlog.event_data.Workstation"
  177. },
  178. {
  179. "raw_field":"WorkstationName",
  180. "ecs":"winlog.event_data.Workstation"
  181. },
  182. {
  183. "raw_field":"event_uid",
  184. "ecs":"winlog.event_id"
  185. },
  186. {
  187. "raw_field":"CommandLine",
  188. "ecs":"process.command_line"
  189. },
  190. {
  191. "raw_field":"hostname",
  192. "ecs":"host.hostname"
  193. },
  194. {
  195. "raw_field":"message",
  196. "ecs":"windows.message"
  197. },
  198. {
  199. "raw_field":"Provider_Name",
  200. "ecs":"winlog.provider_name"
  201. },
  202. {
  203. "raw_field":"EventId",
  204. "ecs":"winlog.event_id"
  205. },
  206. {
  207. "raw_field":"processPath",
  208. "ecs":"winlog.event_data.ProcessPath"
  209. },
  210. {
  211. "raw_field":"ProcessName",
  212. "ecs":"winlog.event_data.ProcessName"
  213. },
  214. {
  215. "raw_field":"ObjectName",
  216. "ecs":"winlog.computerObject.name"
  217. },
  218. {
  219. "raw_field":"param1",
  220. "ecs":"winlog.event_data.param1"
  221. },
  222. {
  223. "raw_field":"param2",
  224. "ecs":"winlog.event_data.param2"
  225. },
  226. {
  227. "raw_field":"creationTime",
  228. "ecs":"timestamp"
  229. },
  230. {
  231. "raw_field":"Origin",
  232. "ecs":"winlog.event_data.Origin"
  233. },
  234. {
  235. "raw_field":"ParentImage",
  236. "ecs":"winlog.event_data.ParentImage"
  237. },
  238. {
  239. "raw_field":"TargetPort",
  240. "ecs":"winlog.event_data.TargetPort"
  241. },
  242. {
  243. "raw_field":"Query",
  244. "ecs":"winlog.event_data.Query"
  245. },
  246. {
  247. "raw_field":"DestinationPort",
  248. "ecs":"destination.port"
  249. },
  250. {
  251. "raw_field":"StartAddress",
  252. "ecs":"winlog.event_data.StartAddress"
  253. },
  254. {
  255. "raw_field":"TicketOptions",
  256. "ecs":"winlog.event_data.TicketOptions"
  257. },
  258. {
  259. "raw_field":"ParentCommandLine",
  260. "ecs":"winlog.event_data.ParentCommandLine"
  261. },
  262. {
  263. "raw_field":"AllowedToDelegateTo",
  264. "ecs":"winlog.event_data.AllowedToDelegateTo"
  265. },
  266. {
  267. "raw_field":"HostApplication",
  268. "ecs":"winlog.event_data.HostApplication"
  269. },
  270. {
  271. "raw_field":"AccessMask",
  272. "ecs":"winlog.event_data.AccessMask"
  273. },
  274. {
  275. "raw_field":"Hashes",
  276. "ecs":"winlog.event_data.Hashes"
  277. },
  278. {
  279. "raw_field":"SidHistory",
  280. "ecs":"winlog.event_data.SidHistory"
  281. },
  282. {
  283. "raw_field":"Initiated",
  284. "ecs":"winlog.event_data.Initiated"
  285. },
  286. {
  287. "raw_field":"DestinationIp",
  288. "ecs":"destination.ip"
  289. },
  290. {
  291. "raw_field":"RelativeTargetName",
  292. "ecs":"winlog.event_data.RelativeTargetName"
  293. },
  294. {
  295. "raw_field":"Source_Name",
  296. "ecs":"winlog.event_data.Source_Name"
  297. },
  298. {
  299. "raw_field":"AttributeLDAPDisplayName",
  300. "ecs":"winlog.event_data.AttributeLDAPDisplayName"
  301. },
  302. {
  303. "raw_field":"DeviceDescription",
  304. "ecs":"winlog.event_data.DeviceDescription"
  305. },
  306. {
  307. "raw_field":"AttributeValue",
  308. "ecs":"winlog.event_data.AttributeValue"
  309. },
  310. {
  311. "raw_field":"ObjectValueName",
  312. "ecs":"winlog.event_data.ObjectValueName"
  313. },
  314. {
  315. "raw_field":"QueryStatus",
  316. "ecs":"winlog.event_data.QueryStatus"
  317. },
  318. {
  319. "raw_field":"TargetParentProcessId",
  320. "ecs":"winlog.event_data.TargetParentProcessId"
  321. },
  322. {
  323. "raw_field":"OldUacValue",
  324. "ecs":"winlog.event_data.OldUacValue"
  325. },
  326. {
  327. "raw_field":"FailureCode",
  328. "ecs":"winlog.event_data.FailureCode"
  329. },
  330. {
  331. "raw_field":"OldTargetUserName",
  332. "ecs":"winlog.event_data.OldTargetUserName"
  333. },
  334. {
  335. "raw_field":"NewUacValue",
  336. "ecs":"winlog.event_data.NewUacValue"
  337. },
  338. {
  339. "raw_field":"ServiceName",
  340. "ecs":"winlog.event_data.ServiceName"
  341. },
  342. {
  343. "raw_field":"Imphash",
  344. "ecs":"winlog.event_data.Imphash"
  345. },
  346. {
  347. "raw_field":"NewValue",
  348. "ecs":"winlog.event_data.NewValue"
  349. },
  350. {
  351. "raw_field":"Action",
  352. "ecs":"winlog.event_data.Action"
  353. },
  354. {
  355. "raw_field":"SourceImage",
  356. "ecs":"winlog.event_data.SourceImage"
  357. },
  358. {
  359. "raw_field":"QNAME",
  360. "ecs":"winlog.event_data.QNAME"
  361. },
  362. {
  363. "raw_field":"Properties",
  364. "ecs":"winlog.event_data.Properties"
  365. },
  366. {
  367. "raw_field":"AuditPolicyChanges",
  368. "ecs":"winlog.event_data.AuditPolicyChanges"
  369. },
  370. {
  371. "raw_field":"Accesses",
  372. "ecs":"winlog.event_data.Accesses"
  373. },
  374. {
  375. "raw_field":"ClassName",
  376. "ecs":"winlog.event_data.ClassName"
  377. },
  378. {
  379. "raw_field":"ObjectClass",
  380. "ecs":"winlog.event_data.ObjectClass"
  381. },
  382. {
  383. "raw_field":"PipeName",
  384. "ecs":"winlog.event_data.PipeName"
  385. },
  386. {
  387. "raw_field":"HiveName",
  388. "ecs":"winlog.event_data.HiveName"
  389. },
  390. {
  391. "raw_field":"StartModule",
  392. "ecs":"winlog.event_data.StartModule"
  393. },
  394. {
  395. "raw_field":"HostVersion",
  396. "ecs":"winlog.event_data.HostVersion"
  397. },
  398. {
  399. "raw_field":"DestinationHostname",
  400. "ecs":"winlog.event_data.DestinationHostname"
  401. },
  402. {
  403. "raw_field":"QueryName",
  404. "ecs":"winlog.event_data.QueryName"
  405. },
  406. {
  407. "raw_field":"RemoteName",
  408. "ecs":"winlog.event_data.RemoteName"
  409. },
  410. {
  411. "raw_field":"PasswordLastSet",
  412. "ecs":"winlog.event_data.PasswordLastSet"
  413. },
  414. {
  415. "raw_field":"ErrorCode",
  416. "ecs":"winlog.event_data.ErrorCode"
  417. },
  418. {
  419. "raw_field":"AccessList",
  420. "ecs":"winlog.event_data.AccessList"
  421. },
  422. {
  423. "raw_field":"Address",
  424. "ecs":"winlog.event_data.Address"
  425. },
  426. {
  427. "raw_field":"PossibleCause",
  428. "ecs":"winlog.event_data.PossibleCause"
  429. },
  430. {
  431. "raw_field":"DestPort",
  432. "ecs":"destination.port"
  433. },
  434. {
  435. "raw_field":"Image",
  436. "ecs":"winlog.event_data.Image"
  437. },
  438. {
  439. "raw_field":"CertThumbprint",
  440. "ecs":"winlog.event_data.CertThumbprint"
  441. },
  442. {
  443. "raw_field":"TicketEncryptionType",
  444. "ecs":"winlog.event_data.TicketEncryptionType"
  445. },
  446. {
  447. "raw_field":"ServiceType",
  448. "ecs":"winlog.event_data.ServiceType"
  449. },
  450. {
  451. "raw_field":"ObjectServer",
  452. "ecs":"winlog.event_data.ObjectServer"
  453. },
  454. {
  455. "raw_field":"ImagePath",
  456. "ecs":"winlog.event_data.ImagePath"
  457. },
  458. {
  459. "raw_field":"NewName",
  460. "ecs":"winlog.event_data.NewName"
  461. },
  462. {
  463. "raw_field":"CallTrace",
  464. "ecs":"winlog.event_data.CallTrace"
  465. },
  466. {
  467. "raw_field":"SamAccountName",
  468. "ecs":"winlog.event_data.SamAccountName"
  469. },
  470. {
  471. "raw_field":"GrantedAccess",
  472. "ecs":"winlog.event_data.GrantedAccess"
  473. },
  474. {
  475. "raw_field":"EngineVersion",
  476. "ecs":"winlog.event_data.EngineVersion"
  477. },
  478. {
  479. "raw_field":"OriginalName",
  480. "ecs":"winlog.event_data.OriginalName"
  481. },
  482. {
  483. "raw_field":"AuditSourceName",
  484. "ecs":"winlog.event_data.AuditSourceName"
  485. },
  486. {
  487. "raw_field":"sha1",
  488. "ecs":"hash.sha1"
  489. },
  490. {
  491. "raw_field":"SourceIp",
  492. "ecs":"source.ip"
  493. },
  494. {
  495. "raw_field":"Payload",
  496. "ecs":"winlog.event_data.Payload"
  497. },
  498. {
  499. "raw_field":"Level",
  500. "ecs":"winlog.event_data.Level"
  501. },
  502. {
  503. "raw_field":"Application",
  504. "ecs":"winlog.event_data.Application"
  505. },
  506. {
  507. "raw_field":"RemoteAddress",
  508. "ecs":"winlog.event_data.RemoteAddress"
  509. },
  510. {
  511. "raw_field":"SearchFilter",
  512. "ecs":"winlog.event_data.SearchFilter"
  513. },
  514. {
  515. "raw_field":"ApplicationPath",
  516. "ecs":"winlog.event_data.ApplicationPath"
  517. },
  518. {
  519. "raw_field":"TargetFilename",
  520. "ecs":"winlog.event_data.TargetFilename"
  521. },
  522. {
  523. "raw_field":"CurrentDirectory",
  524. "ecs":"winlog.event_data.CurrentDirectory"
  525. },
  526. {
  527. "raw_field":"ObjectType",
  528. "ecs":"winlog.event_data.ObjectType"
  529. },
  530. {
  531. "raw_field":"ServicePrincipalNames",
  532. "ecs":"winlog.event_data.ServicePrincipalNames"
  533. },
  534. {
  535. "raw_field":"TemplateContent",
  536. "ecs":"winlog.event_data.TemplateContent"
  537. },
  538. {
  539. "raw_field":"QueryResults",
  540. "ecs":"winlog.event_data.QueryResults"
  541. },
  542. {
  543. "raw_field":"ServiceStartType",
  544. "ecs":"winlog.event_data.ServiceStartType"
  545. },
  546. {
  547. "raw_field":"EventType",
  548. "ecs":"winlog.event_data.EventType"
  549. },
  550. {
  551. "raw_field":"TargetSid",
  552. "ecs":"winlog.event_data.TargetSid"
  553. },
  554. {
  555. "raw_field":"ParentUser",
  556. "ecs":"winlog.event_data.ParentUser"
  557. },
  558. {
  559. "raw_field":"NewTargetUserName",
  560. "ecs":"winlog.event_data.NewTargetUserName"
  561. },
  562. {
  563. "raw_field":"DestAddress",
  564. "ecs":"winlog.event_data.DestAddress"
  565. },
  566. {
  567. "raw_field":"ContextInfo",
  568. "ecs":"winlog.event_data.ContextInfo"
  569. },
  570. {
  571. "raw_field":"HostName",
  572. "ecs":"host.name"
  573. },
  574. {
  575. "raw_field":"NewTemplateContent",
  576. "ecs":"winlog.event_data.NewTemplateContent"
  577. },
  578. {
  579. "raw_field":"LayerRTID",
  580. "ecs":"winlog.event_data.LayerRTID"
  581. },
  582. {
  583. "raw_field":"ImageFileName",
  584. "ecs":"winlog.event_data.ImageFileName"
  585. },
  586. {
  587. "raw_field":"StartFunction",
  588. "ecs":"winlog.event_data.StartFunction"
  589. },
  590. {
  591. "raw_field":"Value",
  592. "ecs":"winlog.event_data.Value"
  593. },
  594. {
  595. "raw_field":"ModifyingApplication",
  596. "ecs":"winlog.event_data.ModifyingApplication"
  597. },
  598. {
  599. "raw_field":"Destination",
  600. "ecs":"winlog.event_data.Destination"
  601. },
  602. {
  603. "raw_field":"Commandline",
  604. "ecs":"winlog.event_data.Commandline"
  605. },
  606. {
  607. "raw_field":"Message",
  608. "ecs":"winlog.event_data.Message"
  609. },
  610. {
  611. "raw_field":"ShareName",
  612. "ecs":"winlog.event_data.ShareName"
  613. },
  614. {
  615. "raw_field":"SourcePort",
  616. "ecs":"source.port"
  617. },
  618. {
  619. "raw_field":"CallerProcessName",
  620. "ecs":"winlog.event_data.CallerProcessName"
  621. },
  622. {
  623. "raw_field":"ServiceFileName",
  624. "ecs":"winlog.event_data.ServiceFileName"
  625. },
  626. {
  627. "raw_field":"DestinationIsIpv6",
  628. "ecs":"winlog.event_data.DestinationIsIpv6"
  629. },
  630. {
  631. "raw_field":"TargetImage",
  632. "ecs":"winlog.event_data.TargetImage"
  633. },
  634. {
  635. "raw_field":"SourceAddress",
  636. "ecs":"source.ip"
  637. },
  638. {
  639. "raw_field":"TargetObject",
  640. "ecs":"winlog.event_data.TargetObject"
  641. },
  642. {
  643. "raw_field":"Caption",
  644. "ecs":"winlog.event_data.Caption"
  645. },
  646. {
  647. "raw_field":"LocalName",
  648. "ecs":"winlog.event_data.LocalName"
  649. },
  650. {
  651. "raw_field":"ImageLoaded",
  652. "ecs":"winlog.event_data.ImageLoaded"
  653. },
  654. {
  655. "raw_field":"EventID",
  656. "ecs":"winlog.event_id"
  657. },
  658. {
  659. "raw_field":"sha256",
  660. "ecs":"hash.sha256"
  661. },
  662. {
  663. "raw_field":"ScriptBlockLogging",
  664. "ecs":"winlog.event_data.ScriptBlockLogging"
  665. },
  666. {
  667. "raw_field":"SourceParentImage",
  668. "ecs":"winlog.event_data.SourceParentImage"
  669. },
  670. {
  671. "raw_field":"SourceFilename",
  672. "ecs":"winlog.event_data.SourceFilename"
  673. },
  674. {
  675. "raw_field":"Protocol",
  676. "ecs":"winlog.event_data.Protocol"
  677. },
  678. {
  679. "raw_field":"ValidatedPolicy",
  680. "ecs":"winlog.event_data.ValidatedPolicy"
  681. },
  682. {
  683. "raw_field":"ProcessPath",
  684. "ecs":"winlog.event_data.ProcessPath"
  685. },
  686. {
  687. "raw_field":"OldValue",
  688. "ecs":"winlog.event_data.OldValue"
  689. },
  690. {
  691. "raw_field":"ParentProcessId",
  692. "ecs":"winlog.event_data.ParentProcessId"
  693. },
  694. {
  695. "raw_field":"TaskContentNew",
  696. "ecs":"winlog.event_data.TaskContentNew"
  697. },
  698. {
  699. "raw_field":"Name",
  700. "ecs":"winlog.event_data.Name"
  701. },
  702. {
  703. "raw_field":"payload",
  704. "ecs":"winlog.event_data.payload"
  705. },
  706. {
  707. "raw_field":"SourceHostname",
  708. "ecs":"winlog.event_data.SourceHostname"
  709. },
  710. {
  711. "raw_field":"ClientProcessId",
  712. "ecs":"winlog.event_data.ClientProcessId"
  713. },
  714. {
  715. "raw_field":"TargetParentImage",
  716. "ecs":"winlog.event_data.TargetParentImage"
  717. },
  718. {
  719. "raw_field":"ImpersonationLevel",
  720. "ecs":"winlog.event_data.ImpersonationLevel"
  721. },
  722. {
  723. "raw_field":"ExceptionCode",
  724. "ecs":"winlog.event_data.ExceptionCode"
  725. },
  726. {
  727. "raw_field":"FilterOrigin",
  728. "ecs":"winlog.event_data.FilterOrigin"
  729. },
  730. {
  731. "raw_field":"PackagePath",
  732. "ecs":"winlog.event_data.PackagePath"
  733. },
  734. {
  735. "raw_field":"SignatureStatus",
  736. "ecs":"winlog.event_data.SignatureStatus"
  737. },
  738. {
  739. "raw_field":"Hash",
  740. "ecs":"winlog.event_data.Hash"
  741. },
  742. {
  743. "raw_field":"AppID",
  744. "ecs":"winlog.event_data.AppID"
  745. },
  746. {
  747. "raw_field":"SidList",
  748. "ecs":"winlog.event_data.SidList"
  749. },
  750. {
  751. "raw_field":"ProcessNameBuffer",
  752. "ecs":"winlog.event_data.ProcessNameBuffer"
  753. },
  754. {
  755. "raw_field":"PreviousCreationUtcTime",
  756. "ecs":"winlog.event_data.PreviousCreationUtcTime"
  757. },
  758. {
  759. "raw_field":"Contents",
  760. "ecs":"winlog.event_data.Contents"
  761. },
  762. {
  763. "raw_field":"TargetOutboundUserName",
  764. "ecs":"winlog.event_data.TargetOutboundUserName"
  765. },
  766. {
  767. "raw_field":"ImageName",
  768. "ecs":"winlog.event_data.ImageName"
  769. },
  770. {
  771. "raw_field":"md5",
  772. "ecs":"hash.md5"
  773. },
  774. {
  775. "raw_field":"DeviceName",
  776. "ecs":"winlog.event_data.DeviceName"
  777. },
  778. {
  779. "raw_field":"RequestedPolicy",
  780. "ecs":"winlog.event_data.RequestedPolicy"
  781. },
  782. {
  783. "raw_field":"FileNameBuffer",
  784. "ecs":"winlog.event_data.FileNameBuffer"
  785. },
  786. {
  787. "raw_field":"TaskContent",
  788. "ecs":"winlog.event_data.TaskContent"
  789. },
  790. {
  791. "raw_field":"SourceCommandLine",
  792. "ecs":"winlog.event_data.SourceCommandLine"
  793. },
  794. {
  795. "raw_field":"CreationUtcTime",
  796. "ecs":"winlog.event_data.CreationUtcTime"
  797. },
  798. {
  799. "raw_field":"AppName",
  800. "ecs":"winlog.event_data.AppName"
  801. },
  802. {
  803. "raw_field":"subjectName",
  804. "ecs":"winlog.event_data.subjectName"
  805. },
  806. {
  807. "raw_field":"process",
  808. "ecs":"winlog.event_data.process"
  809. },
  810. {
  811. "raw_field":"PackageFullName",
  812. "ecs":"winlog.event_data.PackageFullName"
  813. },
  814. {
  815. "raw_field":"SourceName",
  816. "ecs":"winlog.event_data.SourceName"
  817. },
  818. {
  819. "raw_field":"Data",
  820. "ecs":"winlog.event_data.Data"
  821. },
  822. {
  823. "raw_field":"param3",
  824. "ecs":"winlog.event_data.param3"
  825. },
  826. {
  827. "raw_field":"Signature",
  828. "ecs":"winlog.event_data.Signature"
  829. }
  830. ]