blue-team-tools/tools/config/winlogbeat-modules-enabled.yml

title: Elastic Winlogbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules
order: 20
backends:
  - es-qs
  - es-dsl
  - es-rule
  - es-rule-eql
  - es-eql
  - kibana
  - kibana-ndjson
  - xpack-watcher
  - elastalert
  - elastalert-dsl
  - ee-outliers
logsources:
  windows:
    product: windows
    index: winlogbeat-*
  windows-application:
    product: windows
    service: application
    conditions:
      winlog.channel: Application
  windows-security:
    product: windows
    service: security
    conditions:
      winlog.channel: Security
  windows-system:
    product: windows
    service: system
    conditions:
      winlog.channel: System
  windows-sysmon:
    product: windows
    service: sysmon
    conditions:
      winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
  windows-powershell:
    product: windows
    service: powershell
    conditions:
      winlog.channel: 'Microsoft-Windows-PowerShell/Operational'
  windows-classicpowershell:
    product: windows
    service: powershell-classic
    conditions:
      winlog.channel: 'Windows PowerShell'
  windows-dns-server:
    product: windows
    service: dns-server
    conditions:
      winlog.channel: 'DNS Server'
  windows-driver-framework:
    product: windows
    service: driver-framework
    conditions:
      winlog.channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
  windows-dhcp:
    product: windows
    service: dhcp
    conditions:
      winlog.channel: 'Microsoft-Windows-DHCP-Server/Operational'
  windows-ntlm:
    product: windows
    service: ntlm
    conditions:
      winlog.channel: 'Microsoft-Windows-NTLM/Operational'
  windows-defender:
    product: windows
    service: windefend
    conditions:
      winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
  windows-printservice-admin:
    product: windows
    service: printservice-admin
    conditions:
      winlog.channel: 'Microsoft-Windows-PrintService/Admin'
  windows-printservice-operational:
    product: windows
    service: printservice-operational
    conditions:
      winlog.channel: 'Microsoft-Windows-PrintService/Operational'
  windows-codeintegrity-operational:
    product: windows
    service: codeintegrity-operational
    conditions:
      winlog.channel: 'Microsoft-Windows-CodeIntegrity/Operational'
  windows-smbclient-security:
    product: windows
    service: smbclient-security
    conditions:
      winlog.channel: 'Microsoft-Windows-SmbClient/Security'
  windows-applocker:
    product: windows
    service: applocker
    conditions:
      winlog.channel:
        - 'Microsoft-Windows-AppLocker/MSI and Script'
        - 'Microsoft-Windows-AppLocker/EXE and DLL'
        - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
        - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
  windows-msexchange-management:
    product: windows
    service: msexchange-management
    conditions:
      winlog.channel: 'MSExchange Management'
  microsoft-servicebus-client:
    product: windows
    service: microsoft-servicebus-client
    conditions:
      winlog.channel: 'Microsoft-ServiceBus-Client'
  windows-firewall-advanced-security:
    product: windows
    service: firewall-as
    conditions:
      winlog.channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'      
  windows-bits-client:
    product: windows
    service: bits-client
    conditions:
      winlog.channel: 'Microsoft-Windows-Bits-Client/Operational'
defaultindex: winlogbeat-*
# Extract all field names with yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: winlog.event_data.\1/g'
# Keep EventID! Clean up the list afterwards!
fieldmappings:
    EventID: event.code
    Channel: winlog.channel
    #Keywords: from "<System><Keywords>Value</Keywords></System><EventData>" is lost with winlogbeat exist in nxlog
    Provider_Name: winlog.provider_name
    CallingProcessName: winlog.event_data.CallingProcessName
    ComputerName: winlog.computer_name
    EventType: winlog.event_data.EventType
    FailureCode: winlog.event_data.FailureCode
    FileName: file.path
    HiveName: winlog.event_data.HiveName
    ProcessCommandLine: winlog.event_data.ProcessCommandLine
    SecurityID: winlog.event_data.SecurityID
    Source: winlog.event_data.Source
    # Channel: WLAN-Autoconfig AND EventID: 8001
    AuthenticationAlgorithm: winlog.event_data.AuthenticationAlgorithm
    BSSID: winlog.event_data.BSSID
    BSSType: winlog.event_data.BSSType
    CipherAlgorithm: winlog.event_data.CipherAlgorithm
    ConnectionId: winlog.event_data.ConnectionId
    ConnectionMode: winlog.event_data.ConnectionMode
    InterfaceDescription: winlog.event_data.InterfaceDescription
    InterfaceGuid: winlog.event_data.InterfaceGuid
    OnexEnabled: winlog.event_data.OnexEnabled
    PHYType: winlog.event_data.PHYType
    ProfileName: winlog.event_data.ProfileName
    SSID: winlog.event_data.SSID
    Accesses: winlog.event_data.Accesses
    ClassName: winlog.event_data.ClassName
    ClassId: winlog.event_data.ClassId
    DeviceDescription: winlog.event_data.DeviceDescription
    # ErrorCode =>  printservice-admin  EventID: 4909 or 808
    ErrorCode: winlog.event_data.ErrorCode 
    FilePath: winlog.event_data.FilePath
    # Filename =>  product: antivirus
    Filename: winlog.event_data.Filename    
    LDAPDisplayName: winlog.event_data.LDAPDisplayName
    # Level => Source: MSExchange Control Panel EventID: 4
    Level: winlog.event_data.Level
    TargetProcessAddress: winlog.event_data.TargetProcessAddress
    # UserName => smbclient-security  eventid:31017
    UserName: winlog.event_data.UserName
    #
    # Sysmon/Operational up to ID 25
    #
    RuleName: winlog.event_data.RuleName
    ProcessGuid: process.entity_id
    ProcessId: process.pid
    Image: process.executable
    FileVersion: 
        category=process_creation: process.pe.file_version
        category=image_load: file.pe.file_version
        default: winlog.event_data.FileVersion
    Description:
        category=process_creation: process.pe.description
        category=image_load: file.pe.description
        category=sysmon_error: winlog.event_data.Description
        default: winlog.event_data.Description
    Product:
        category=process_creation: process.pe.product
        category=image_load: file.pe.product
        default: winlog.event_data.Product
    Company: 
        category=process_creation: process.pe.company
        category=image_load: file.pe.company
        default: winlog.event_data.Company
    OriginalFileName: 
        category=process_creation: process.pe.original_file_name
        category=image_load: file.pe.original_file_name
        default: winlog.event_data.OriginalFileName
    CommandLine: 
        category=process_creation: process.command_line
        service=security: process.command_line
        service=powershell-classic: powershell.command.value
        default: winlog.event_data.CommandLine
    CurrentDirectory: process.working_directory
    LogonGuid: winlog.event_data.LogonGuid
    LogonId: winlog.event_data.LogonId
    TerminalSessionId: winlog.event_data.TerminalSessionId
    IntegrityLevel: winlog.event_data.IntegrityLevel
    ParentProcessGuid: process.parent.entity_id
    ParentProcessId: process.parent.pid
    ParentImage: process.parent.executable
    ParentCommandLine: process.parent.command_line
    ParentUser: winlog.event_data.ParentUser  #Sysmon 13.30
    SourceUser: winlog.event_data.SourceUser  #Sysmon 13.30
    TargetUser: winlog.event_data.TargetUser  #Sysmon 13.30
    TargetFilename: file.path
    CreationUtcTime: winlog.event_data.CreationUtcTime
    PreviousCreationUtcTime: winlog.event_data.PreviousCreationUtcTime
    Protocol: 
        category=network_connection: network.transport
        default: winlog.event_data.Protocol
    Initiated: 
        category=network_connection: network.direction
        default: winlog.event_data.Initiated
    #SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
    SourceIp: source.ip
    SourceHostname: source.domain
    SourcePort: source.port
    SourcePortName: winlog.event_data.SourcePortName
    #DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
    DestinationIp: destination.ip
    DestinationHostname: destination.domain
    DestinationPort: destination.port
    DestinationPortName: network.protocol
    State: winlog.event_data.State
    Version: winlog.event_data.Version
    SchemaVersion: winlog.event_data.SchemaVersion
    ImageLoaded: file.path
    Signed: file.code_signature.signed
    Signature: 
        category=driver_loaded: file.code_signature.subject_name
        category=image_loaded: file.code_signature.subject_name
        default: winlog.event_data.Signature
    SignatureStatus: file.code_signature.status
    SourceProcessGuid: process.entity_id
    SourceProcessId: process.pid
    SourceImage: process.executable
    TargetProcessGuid: winlog.event_data.TargetProcessGuid
    TargetProcessId: winlog.event_data.TargetProcessId
    TargetImage: winlog.event_data.TargetImage
    NewThreadId: winlog.event_data.NewThreadId
    StartAddress: winlog.event_data.StartAddress
    StartModule: winlog.event_data.StartModule
    StartFunction: winlog.event_data.StartFunction
    Device: file.path
    SourceThreadId: process.thread.id
    GrantedAccess: winlog.event_data.GrantedAccess
    CallTrace: winlog.event_data.CallTrace
    TargetObject: registry.path
    Details: winlog.event_data.Details
    NewName: winlog.event_data.NewName
    Configuration: winlog.event_data.Configuration
    ConfigurationFileHash: winlog.event_data.ConfigurationFileHash
    PipeName: file.name
    User: winlog.event_data.User
    EventNamespace: winlog.event_data.EventNamespace
    Name: winlog.event_data.Name
    Query: winlog.event_data.Query
    Operation: winlog.event_data.Operation
    Type: winlog.event_data.Type
    Destination: process.executable
    Consumer: winlog.event_data.Consumer
    Filter: winlog.event_data.Filter
    QueryName: dns.question.name
    QueryStatus: sysmon.dns.status
    QueryResults: winlog.event_data.QueryResults
    IsExecutable: sysmon.file.is_executable
    Archived: sysmon.file.archived
    Session: winlog.event_data.Session
    ClientInfo: winlog.event_data.ClientInfo
    # SYSMON Hashes
    Hashes: winlog.event_data.Hashes
    # extraction from Hashes NOT a original field but find in some rule
    md5:
        category=driver_load: hash.md5
        category=image_load: file.hash.md5
        default: process.hash.md5
    sha1:
        category=driver_load: hash.sha1
        category=image_load: file.hash.sha1
        default: process.hash.sha1
    sha256:
        category=driver_load: hash.sha256
        category=image_load: file.hash.sha256
        default: process.hash.sha256
    Imphash: 
        category=driver_load: hash.imphash
        category=image_load: file.hash.imphash
        default: process.pe.imphash
    #
    # Powershell
    #
    CommandName: powershell.command.name
    CommandPath: powershell.command.path
    CommandType: powershell.command.type
    EngineVersion: 
        service=powershell-classic: powershell.engine.version
        default: winlog.event_data.EngineVersion
    HostApplication: process.command_line
    HostId: process.entity_id
    HostName: process.title
    HostVersion:
        service=powershell-classic: powershell.process.executable_version
        default: winlog.event_data.HostVersion
    NewEngineState: powershell.engine.new_state
    PipelineId: powershell.pipeline_id
    PreviousEngineState: powershell.engine.previous_state
    RunspaceId: powershell.runspace_id
    ScriptName: file.path
    SequenceNumber: event.sequence
    NewProviderState: powershell.provider.new_state
    ProviderName: powershell.provider.name
    Payload: winlog.event_data.Payload
    ContextInfo: winlog.event_data.ContextInfo
    MessageNumber: powershell.sequence
    MessageTotal: powershell.total
    ScriptBlockText: powershell.file.script_block_text
    ScriptBlockId: powershell.file.script_block_id
    #
    # Security
    #
    AccessGranted: winlog.event_data.AccessGranted
    AccessList: winlog.event_data.AccessList
    AccessMask: winlog.event_data.AccessMask
    AccessReason: winlog.event_data.AccessReason
    AccessRemoved: winlog.event_data.AccessRemoved
    AccountDomain: user.domain
    AccountExpires: winlog.event_data.AccountExpires
    AccountName: user.name
    AdditionalInfo: winlog.event_data.AdditionalInfo
    AdditionalInfo2: winlog.event_data.AdditionalInfo2
    AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
    AppCorrelationID: winlog.event_data.AppCorrelationID
    Application: process.executable
    AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
    AttributeSyntaxOID: winlog.event_data.AttributeSyntaxOID
    AttributeValue: winlog.event_data.AttributeValue
    AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
    AuditSourceName: winlog.event_data.AuditSourceName
    AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
    CallerProcessId: winlog.event_data.CallerProcessId
    CallerProcessName: winlog.event_data.CallerProcessName
    CategoryId: winlog.event_data.CategoryId
    CertIssuerName: winlog.event_data.CertIssuerName
    CertSerialNumber: winlog.event_data.CertSerialNumber
    CertThumbprint: winlog.event_data.CertThumbprint
    ClientAddress: source.ip
    ClientName: source.domain
    ClientProcessId: winlog.event_data.ClientProcessId
    ClientProcessStartKey: winlog.event_data.ClientProcessStartKey
    ComputerAccountChange: winlog.event_data.ComputerAccountChange
    CrashOnAuditFailValue: winlog.event_data.CrashOnAuditFailValue
    DestAddress: destination.ip
    DestPort: destination.port
    Direction: winlog.event_data.Direction
    DisplayName: winlog.event_data.DisplayName
    DnsHostName: winlog.event_data.DnsHostName
    DomainBehaviorVersion: winlog.event_data.DomainBehaviorVersion
    DomainName: winlog.event_data.DomainName
    DomainPolicyChanged: winlog.event_data.DomainPolicyChanged
    DomainSid: winlog.event_data.DomainSid
    DSName: winlog.event_data.DSName
    DSType: winlog.event_data.DSType
    Dummy: winlog.event_data.Dummy
    ElevatedToken: winlog.event_data.ElevatedToken
    EventSourceId: winlog.event_data.EventSourceId
    FailureReason: winlog.event_data.FailureReason
    FilterRTID: winlog.event_data.FilterRTID
    ForceLogoff: winlog.event_data.ForceLogoff
    FQDN: winlog.event_data.FQDN
    GroupTypeChange: winlog.event_data.GroupTypeChange
    HandleId: winlog.event_data.HandleId
    HomeDirectory: winlog.event_data.HomeDirectory
    HomePath: winlog.event_data.HomePath
    ImagePath: winlog.event_data.ImagePath
    ImpersonationLevel: winlog.event_data.ImpersonationLevel
    IpAddress: source.ip
    IpPort: source.port
    KeyLength: winlog.event_data.KeyLength
    LayerName: winlog.event_data.LayerName
    LayerRTID: winlog.event_data.LayerRTID
    LmPackageName: winlog.event_data.LmPackageName
    LockoutDuration: winlog.event_data.LockoutDuration
    LockoutObservationWindow: winlog.event_data.LockoutObservationWindow
    LockoutThreshold: winlog.event_data.LockoutThreshold
    LogonHours: winlog.event_data.LogonHours
    SubjectLogonId:
        service=security: winlog.logon.id
        default: winlog.event_data.SubjectLogonId
    LogonProcessName: winlog.event_data.LogonProcessName
    LogonType: winlog.event_data.LogonType
    MachineAccountQuota: winlog.event_data.MachineAccountQuota
    MandatoryLabel: winlog.event_data.MandatoryLabel
    MasterKeyId: winlog.event_data.MasterKeyId
    MaxPasswordAge: winlog.event_data.MaxPasswordAge
    MemberName: winlog.event_data.MemberName
    MemberSid: winlog.event_data.MemberSid
    MinPasswordAge: winlog.event_data.MinPasswordAge
    MinPasswordLength: winlog.event_data.MinPasswordLength
    MixedDomainMode: winlog.event_data.MixedDomainMode
    NewProcessId: process.pid
    NewProcessName: process.executable
    NewSd: winlog.event_data.NewSd
    NewTargetUserName: winlog.event_data.NewTargetUserName
    NewTime: winlog.event_data.NewTime
    NewUacValue: winlog.event_data.NewUacValue
    NewValue: winlog.event_data.NewValue
    NewValueType: winlog.event_data.NewValueType
    ObjectClass: winlog.event_data.ObjectClass
    ObjectDN: winlog.event_data.ObjectDN
    ObjectGUID: winlog.event_data.ObjectGUID
    ObjectName: winlog.event_data.ObjectName
    ObjectServer: winlog.event_data.ObjectServer
    ObjectType: winlog.event_data.ObjectType
    ObjectValueName: winlog.event_data.ObjectValueName
    OemInformation: winlog.event_data.OemInformation
    OldSd: winlog.event_data.OldSd
    OldTargetUserName: winlog.event_data.OldTargetUserName
    OldUacValue: winlog.event_data.OldUacValue
    OldValue: winlog.event_data.OldValue
    OldValueType: winlog.event_data.OldValueType
    OpCorrelationID: winlog.event_data.OpCorrelationID
    OperationType: winlog.event_data.OperationType
    PackageName: winlog.event_data.PackageName
    ParentProcessName: process.parent.name
    PasswordHistoryLength: winlog.event_data.PasswordHistoryLength
    PasswordLastSet: winlog.event_data.PasswordLastSet
    PasswordProperties: winlog.event_data.PasswordProperties
    PreAuthType: winlog.event_data.PreAuthType
    PreviousTime: winlog.event_data.PreviousTime
    PrimaryGroupId: winlog.event_data.PrimaryGroupId
    PrivilegeList: winlog.event_data.PrivilegeList
    ProcessName: process.executable
    ProfilePath: winlog.event_data.ProfilePath
    Properties: winlog.event_data.Properties
    PuaCount: winlog.event_data.PuaCount
    PuaPolicyId: winlog.event_data.PuaPolicyId
    RecoveryKeyId: winlog.event_data.RecoveryKeyId
    RecoveryServer: winlog.event_data.RecoveryServer
    RelativeTargetName: winlog.event_data.RelativeTargetName
    RemoteMachineID: winlog.event_data.RemoteMachineID
    RemoteUserID: winlog.event_data.RemoteUserID
    ResourceAttributes: winlog.event_data.ResourceAttributes
    RestrictedAdminMode: winlog.event_data.RestrictedAdminMode
    RestrictedSidCount: winlog.event_data.RestrictedSidCount
    RpcCallClientLocality: winlog.event_data.RpcCallClientLocality
    SamAccountName: winlog.event_data.SamAccountName
    ScriptPath: winlog.event_data.ScriptPath
    Service: winlog.event_data.Service
    ServiceAccount: winlog.event_data.ServiceAccount
    ServiceFileName: winlog.event_data.ServiceFileName
    ServiceName:
        service=security: service.name
        default: winlog.event_data.ServiceName
    ServicePrincipalNames: winlog.event_data.ServicePrincipalNames
    ServiceSid: winlog.event_data.ServiceSid
    ServiceStartType: winlog.event_data.ServiceStartType
    ServiceType: winlog.event_data.ServiceType
    SessionId: winlog.event_data.SessionId
    SessionName: winlog.event_data.SessionName
    ShareLocalPath: winlog.event_data.ShareLocalPath
    ShareName: winlog.event_data.ShareName
    SidHistory: winlog.event_data.SidHistory
    SidList: winlog.event_data.SidList
    SourceAddress: source.ip
    Status: winlog.event_data.Status
    StartType: winlog.event_data.StartType
    SubcategoryGuid: winlog.event_data.SubcategoryGuid
    SubcategoryId: winlog.event_data.SubcategoryId
    SubjectDomainName:
        service=security: user.domain
        default: winlog.event_data.SubjectDomainName
    SubjectUserName:
        service=security: user.name
        default: winlog.event_data.SubjectUserName
    SubjectUserSid:
        service=security: user.id
        default: winlog.event_data.SubjectUserSid
    SubStatus: winlog.event_data.SubStatus
    TargetDomainName: user.domain
    TargetLinkedLogonId: winlog.event_data.TargetLinkedLogonId
    TargetLogonId:
        service=security: winlog.logon.id
        default: winlog.event_data.TargetLogonId
    TargetOutboundDomainName: winlog.event_data.TargetOutboundDomainName
    TargetOutboundUserName: winlog.event_data.TargetOutboundUserName
    TargetServerName: winlog.event_data.TargetServerName
    TargetSid: winlog.event_data.TargetSid
    TargetUserName: winlog.event_data.TargetUserName
    TargetUserSid: winlog.event_data.TargetUserSid
    TaskContent: winlog.event_data.TaskContent
    TaskName: winlog.event_data.TaskName
    TicketEncryptionType: winlog.event_data.TicketEncryptionType
    TicketOptions: winlog.event_data.TicketOptions
    TokenElevationType: winlog.event_data.TokenElevationType
    TransactionId: winlog.event_data.TransactionId
    TransmittedServices: winlog.event_data.TransmittedServices
    UserAccountControl: winlog.event_data.UserAccountControl
    UserParameters: winlog.event_data.UserParameters
    UserPrincipalName: winlog.event_data.UserPrincipalName
    UserWorkstations: winlog.event_data.UserWorkstations
    VirtualAccount: winlog.event_data.VirtualAccount
    Workstation: winlog.event_data.Workstation
    WorkstationName: source.domain
    #
    # System
    #
    DriveName: winlog.event_data.DriveName
    DeviceName: winlog.event_data.DeviceName
    HeaderFlags: winlog.event_data.HeaderFlags
    Severity: winlog.event_data.Severity
    Origin: winlog.event_data.Origin
    Verb: winlog.event_data.Verb
    Outcome: winlog.event_data.Outcome
    SampleLength: winlog.event_data.SampleLength
    SampleData: winlog.event_data.SampleData
    SourceFile: winlog.event_data.SourceFile
    SourceLine: winlog.event_data.SourceLine
    SourceTag: winlog.event_data.SourceTag
    CallStack: winlog.event_data.CallStack
    #
    # Microsoft-Windows-Windows Defender/Operational
    #
    Action_ID: winlog.event_data.Action\ ID
    Action_Name: winlog.event_data.Action\ Name
    Additional_Actions_ID: winlog.event_data.Additional\ Actions\ ID
    Additional_Actions_String: winlog.event_data.Additional\ Actions\ String
    Category_ID: winlog.event_data.Category\ ID
    Category_Name: winlog.event_data.Category\ Name
    Detection_ID: winlog.event_data.Detection\ ID
    Detection_Time: winlog.event_data.Detection\ Time
    Detection_User: winlog.event_data.Detection\ User
    Engine_Version: winlog.event_data.Engine\ Version
    Error_Code: winlog.event_data.Error\ Code
    Error_Description: winlog.event_data.Error\ Description
    Execution_ID: winlog.event_data.Execution\ ID
    Execution_Name: winlog.event_data.Execution\ Name
    FWLink: winlog.event_data.FWLink
    New_Value: winlog.event_data.New\ Value
    Old_Value: winlog.event_data.Old\ Value
    Origin_ID: winlog.event_data.Origin\ ID
    Origin_Name: winlog.event_data.Origin\ Name
    Path: winlog.event_data.Path
    Post_Clean_Status: winlog.event_data.Post\ Clean\ Status
    Pre_Execution_Status: winlog.event_data.Pre\ Execution\ Status
    Process_Name: winlog.event_data.Process\ Name
    Product_Name: winlog.event_data.Product\ Name
    Product_Version: winlog.event_data.Product\ Version
    Remediation_User: winlog.event_data.Remediation\ User
    Security_intelligence_Version: winlog.event_data.Security\ intelligence\ Version
    Severity_ID: winlog.event_data.Severity\ ID
    Severity_Name: winlog.event_data.Severity\ Name
    Source_ID: winlog.event_data.Source\ ID
    Source_Name: winlog.event_data.Source\ Name
    Status_Code: winlog.event_data.Status\ Code
    Status_Description: winlog.event_data.Status\ Description
    Threat_ID: winlog.event_data.Threat\ ID
    Threat_Name: winlog.event_data.Threat\ Name
    Type_ID: winlog.event_data.Type\ ID
    Type_Name: winlog.event_data.Type\ Name
    #
    # Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
    #
    ApplicationPath: winlog.event_data.ApplicationPath
    ModifyingApplication: winlog.event_data.ModifyingApplication
    Action: winlog.event_data.Action