title: STIX for Windows Logs backends: - stix order: 40 logsources: windows: product: windows fieldmappings: AccessMask: - x-windows:accessmask Accesses: - x-windows:accesses AccountDomain: - user-account:x_domain AccountID: - user-account:user_id AccountName: - user-account:account_login - user-account:display_name AccountSecurityID: - user-account:x_security_id CallTrace: - x-windows:calltrace ClientIP: - ipv4-addr:value - ipv6-addr:value - network-traffic:src_ref.value ComputerName: - x-host:name Description: - x-event:action DestinationIsIpv6: - x-windows:destisipv6 DestinationHostname: - network-traffic:dst_ref.value Device: - file:name ErrorCode: - x-error:code Event-ID: - x-event:id - x-event:code EventID: - x-event:id - x-event:code Event_ID: - x-event:id - x-event:code EventType: - x-event:action ExtendedErrorCode: - x-error:code - x-error:id FileDirectory: - directory:path FileExtension: - file:x_extension FileHash: - file:hashes.SHA-256 - file:hashes.MD5 - file:hashes.SHA-1 FilePath: - file:name Filename: - file:name GrantedAccess: - x-windows:grantedaccess GroupDomain: - x-group:domain GroupID: - x-group:id GroupName: - x-group:name GroupSecurityID: - x-group:security_id HomeDirectory: - directory:path IMPHash: - x-windows:imphash Imphash: - x-windows:imphash Image: - process:image_ref.name ImageLoadedTempPath: - process:extensions.'windows-service-ext'.service_dll_refs[*].x_temp_path ImageName: - process:image_ref.name ImagePath: - process:image_ref.name ImageTempPath: - process:image_ref.x_temp_path InitiatedConnection: - x-windows:initiatedconnection Initiated: - x-windows:initiatedconnection InitiatorUserName: - user-account:user_id - user-account:account_login IntegrityLevel: - x-windows:integritylevel LoadedImage: - process:extensions.'windows-service-ext'.service_dll_refs[*].name LoadedImageName: - process:extensions.'windows-service-ext'.service_dll_refs[*].name LogonType: - x-windows:logontype MD5Hash: - file:hashes.MD5 Message: - x-event:original NewName: - windows-registry-key:key ObjectName: - x-windows:objectname ObjectType: - x-windows:objecttype ParentCommandLine: - process:parent_ref.command_line ParentImage: - process:parent_ref.image_ref.name ParentImageName: - process:parent_ref.image_ref.name ParentProcessGuid: - process:parent_ref.x_guid ParentProcessName: - process:parent_ref.image_ref.name ParentProcessPath: - process:parent_ref.image_ref.name PipeName: - x-windows:pipename ProcessCommandLine: - process:command_line Command: - process:command_line CommandLine: - process:command_line ProcessGuid: - process:x_guid ProcessId: - process:pid ProcessName: - process:image_ref.name ProcessPath: - process:image_ref.name QueryName: - x-windows:queryname QueryResults: - x-windows:queryresults QueryStatus: - x-windows:querystatus RegistryKey: - windows-registry-key:key RegistryValueData: - windows-registry-key:values[*].data RegistryValueName: - windows-registry-key:values[*].name SAMAccountName: - user-account:account_login - user-account:display_name SHA1Hash: - file:hashes.SHA-1 SHA256Hash: - file:hashes.SHA-256 ServiceFileName: - process:extensions.'windows-service-ext'.service_dll_refs[*].name ServiceName: - process:extensions.'windows-service-ext'.service_name ShareName: - x-windows:sharename SharePath: - x-windows:sharepath Signature: - x-windows:signature SignatureStatus: - x-windows:signaturestatus Signed: - x-windows:signed SourceImage: - x-windows:sourceimage SourceImageTempPath: - x-windows:sourceimagetemppath SourceWorkstation: - x-windows:sourceworkstation StartAddress: - x-windows:startaddress StartFunction: - x-windows:startfunction StartModule: - x-windows:startmodule TargetAccountSecurityID: - x-windows:targetaccountsecurityid TargetComputerDomain: - x-windows:targetcomputerdomain TargetComputerName: - x-windows:targetcomputername TargetDetails: - x-windows:targetdetails Details: - windows-registry-key:values[*].data - x-event:original TargetFilename: - file:name TargetImage: - x-windows:targetimage TargetImageName: - x-windows:targetimagename TargetObject: - windows-registry-key:key TargetProcessGuid: - x-windows:targetprocessguid TargetProcessAddress: - x-windows:startaddress TargetUserDomain: - x-windows:targetuserdomain TargetUserName: - x-windows:targetusername TaskName: - x-windows:taskname TicketEncryptionType: - x-windows:ticketencryptiontype User: - user-account:user_id UserDomain: - user-account:x_domain event-id: - x-event:id eventId: - x-event:id event_data.FileName: - file:name event_data.Image: - process:image_ref.name event_data.ImageLoaded: - process:extensions.'windows-service-ext'.service_dll_refs[*].name ImageLoaded: - process:extensions.'windows-service-ext'.service_dll_refs[*].name event_data.ImagePath: - process:image_ref.name event_data.ParentCommandLine: - process:parent_ref.command_line event_data.ParentImage: - process:parent_ref.image_ref.name event_data.ParentProcessName: - process:parent_ref.image_ref.name event_data.PipeName: - x-windows:pipename event_data.ServiceFileName: - process:extensions.'windows-service-ext'.service_dll_refs[*].name event_data.ShareName: - x-windows:sharename event_data.Signature: - x-windows:signature event_data.SourceImage: - x-windows:sourceimage event_data.StartModule: - x-windows:startmodule event_data.SubjectUserName: - user-account:user_id - user-account:account_login event_data.TargetFilename: - file:name event_data.TargetImage: - x-windows:targetimage event_data.User: - user-account:user_id event_id: - x-event:id eventid: - x-event:id