diff --git a/tools/config/logrhythm_winevent.yml b/tools/config/logrhythm_winevent.yml
new file mode 100644
index 000000000..84b6bee43
--- /dev/null
+++ b/tools/config/logrhythm_winevent.yml
@@ -0,0 +1,71 @@
+---
+title: LogRhythm Windows EventID Field Mapping
+
+order: 20
+backends:
+ - es-qs-lr
+
+logsources:
+ eventlogs:
+ product: windows
+ conditions:
+ logSourceTypeName: 'MS Windows Event Logging XML - Security'
+
+fieldmappings:
+ EventID: vendorMessageID
+ TicketOptions: object
+ TicketEncryptionType: sessionType
+ ServiceName: processName
+ TargetUserName:
+ - originUser
+ - impactedUser
+ Workstation: originHostname
+ SubjectUserName: originUser
+ LogonType: command
+ LogonProcessName: processName
+ WorkstationName:
+ - originHostname
+ - impactedHostname
+ SubjectLogonId: session
+ SubStatus: status
+ IpPort: originPort
+ IpAddress:
+ - originIp
+ - impactedIp
+ ErrorCode: responseCode
+ Task: vendorInfo
+ PrivilegeList: subject
+ SamAccountName: impactedUser
+ PrimaryGroupId: group
+ StatusCode: responseCode
+ Level: severity
+ SubjectDomainName: domainOrigin
+ DSName: domainImpacted
+ ObjectDN: objectName
+ ObjectGUID: object
+ ObjectClass: objectType
+ OperationType: action
+ Computer: impactedHostname
+ CategoryId: policy
+ SubcategoryId: objectName
+ SubCategoryGuid: object
+ AuditPolicyChanges: action
+ ObjectCollectionName: objectType
+ CountOfCredentialsReturned: quantity
+ AlgorithmName: policy
+ KeyName: objectName
+ KeyType: objectType
+ KeyFilePath: object
+ Operation: action
+ ReturnCode: responseCode
+ ChannelType: objectType
+ DomainName: domainImpacted
+ ExecutionProcessId: processId
+ processName: process
+ ProviderName: vendorInfo
+ SChannelName: objectName
+ SecureChannelName: objectName
+ ThreadId: session
+ UserName:
+ - originUser
+ - impactedUser
\ No newline at end of file
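Review bot: The `eventlogs` logsource entry selects on `product: windows` alone, so as far as the selector shows, every Windows rule — including ones scoped to `service: system` or `service: sysmon` — would be pinned to `logSourceTypeName: 'MS Windows Event Logging XML - Security'` and silently miss events from other channels; narrow it with `service: security` under `product: windows` and add a separate entry per additional channel rather than one catch-all. Several Sigma fields also collapse onto a single LogRhythm field (`ServiceName` and `LogonProcessName` → `processName`, `SubjectLogonId` and `ThreadId` → `session`, `TicketOptions`/`ObjectGUID`/`SubCategoryGuid`/`KeyFilePath` → `object`), and `SubjectUserName: originUser` overlaps the `TargetUserName` list, so a rule that constrains subject and target to different accounts is translated into `originUser` terms that work against each other — a header comment such as `# NOTE: several mappings are many-to-one; rules combining these fields lose precision` would at least warn rule authors. The lowercase `processName: process` key looks like it should be `ProcessName` to match the field name as written in Sigma rules; confirm against the rules this mapping is meant to serve.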