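# Log source definitions and field mappings for Windows Security events.
# NOTE(review): the structure looks like a Sigma backend configuration, where
# `logsources` scopes rules by product/service and `fieldmappings` translates
# rule field names to the target schema. Confirm against the consuming tool.
logsources:
  windows-security:
    product: windows
    service: security
    conditions:
      event_source: 'Microsoft-Windows-Security-Auditing'
  # The original used `windows-security` for this entry as well. Duplicate
  # mapping keys are invalid YAML, and most parsers silently keep only the
  # last one, so the `service: security` entry above was dropped and rules
  # for the Security log lost their event_source condition. The entry is
  # renamed so that both definitions are loaded.
  # NOTE(review): the event_source below is identical to the security entry
  # and may be a copy-paste leftover; confirm the intended source for
  # `service: system`.
  windows-system:
    product: windows
    service: system
    conditions:
      event_source: 'Microsoft-Windows-Security-Auditing'

fieldmappings:
  EventID: event_id
  FailureCode: result_code
  GroupName: group_name
  KeyLength: key_length
  LogonProcess: logon_process
  LogonType: logon_type
  ServiceName: service
  # Conditional mapping: the target field(s) depend on the event's EventID.
  # `default` lists the fields used when no EventID entry applies.
  SubjectAccountName:
    EventID=4611:
      - user
    EventID=4624:
      - target_user
      - caller_user
    EventID=4625:
      - target_user
      - caller_user
    EventID=4634:
      - user
    EventID=4648:
      - target_user
      - caller_user
    EventID=4662:
      - user
    EventID=4672:
      - user
    EventID=4688:
      - user
    EventID=4719:
      - user
    EventID=4720:
      - target_user
      - caller_user
    EventID=4722:
      - target_user
      - caller_user
    EventID=4723:
      - target_user
      - caller_user
    EventID=4724:
      - target_user
      - caller_user
    EventID=4728:
      - user
      - member
    EventID=4729:
      - user
      - member
    EventID=4731:
      - user
    EventID=4732:
      - user
      - member
    EventID=4735:
      - user
    EventID=4737:
      - user
    EventID=4738:
      - target_user
      - caller_user
    EventID=4740:
      - target_user
      - caller_user
    EventID=4742:
      - target_user
      - caller_user
    EventID=4755:
      - user
    EventID=4756:
      - user
      - member
    EventID=4757:
      - user
      - member
    EventID=4767:
      - target_user
      - caller_user
    EventID=4768:
      - user
    EventID=4769:
      - user
    EventID=4770:
      - user
    EventID=4771:
      - user
    EventID=4774:
      - user
    EventID=4776:
      - user
    EventID=4781:
      - target_user
      - caller_user
    EventID=4904:
      - user
    EventID=4905:
      - user
    EventID=5061:
      - user
    EventID=5136:
      - user
    EventID=5137:
      - user
    default:
      - caller_user
      - target_user
      - user
      - member
  TicketOptions: ticket_options
  # NOTE(review): the key `TicketEnctyption` looks misspelled. A rule field
  # spelled differently will not match this mapping and would pass through
  # untranslated; confirm the field name the rules actually use before
  # changing it.
  TicketEnctyption: ticket_encryption
  Type: event_type
  # No per-EventID entries here: every UserName is mapped to all four fields.
  UserName:
    default:
      - caller_user
      - target_user
      - user
      - member
  SourceWorkstation: workstation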