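---
# Sigma field-mapping configuration for the Google Chronicle (UDM) backend.
# Each key under `fieldmappings` is a Sigma rule field name; the value is the
# UDM field (or a list of UDM fields) the backend substitutes when it emits a
# Chronicle rule. Keys are matched literally, which is why the casing and
# naming variants of the same source field (EventID / EventId / event_id) are
# each listed on their own.
title: Google Chronicle field mapping
order: 20
backends:
  - chronicle
fieldmappings:
  # Event identity and type
  EventID: metadata.product_event_type
  EventId: metadata.product_event_type
  event_id: metadata.product_event_type
  EventType: metadata.event_type
  type: metadata.event_type
  Details: metadata.description

  # Process command line
  CommandLine: target.process.command_line
  Commandline: target.process.command_line
  Command: target.process.command_line
  ProcessCommandLine: target.process.command_line
  ScriptBlockText: target.process.command_line
  Command_Line: target.process.command_line
  event_data.CommandLine: target.process.command_line
  commandLine: target.process.command_line
  process.name: target.process.command_line
  process.args: target.process.command_line
  # NOTE(review): NewProcessName (Security 4688) is a full executable path,
  # not a command line; target.process.file.full_path may be the better fit —
  # verify against generated rules before changing.
  NewProcessName: target.process.command_line
  # NOTE(review): ServiceName is a service display/short name, not a command
  # line; this mapping only works for rules that use a substring match.
  ServiceFileName: target.process.command_line
  ServiceName: target.process.command_line
  ParentCommandLine: src.process.command_line

  # Process image paths
  Image: target.process.file.full_path
  event_data.Image: target.process.file.full_path
  ImageLoaded: target.process.file.full_path
  ImageLoad: target.process.file.full_path
  ProcessName: target.process.file.full_path
  exe: target.process.file.full_path
  TargetImage: target.process.file.full_path
  baseImage: src.process.file.full_path
  ParentProcessName: src.process.file.full_path
  ParentImage: src.process.file.full_path
  SourceImage: src.process.file.full_path
  CurrentDirectory: principal.file.full_path

  # Hosts
  ComputerName: target.hostname
  DestinationHostname: target.hostname
  dest-domain: target.hostname
  http_url_rootDomain: target.hostname
  r_dns: target.hostname
  r-dns: target.hostname
  cs-host: target.hostname
  destination.domain: target.hostname
  destination: target.hostname
  SourceHostname: principal.hostname
  Host: principal.hostname
  WorkstationName: principal.hostname
  cs_host:
    - principal.hostname
    - target.hostname
  domain: src.hostname

  # Destination address / port
  DestinationIp: target.ip
  event_data.DestinationIp: target.ip
  destinationIp: target.ip
  dst_ip: target.ip
  dest_ip: target.ip
  DestinationIP: target.ip
  DestinationAddress: target.ip
  # NOTE(review): DestinationIsIpv6 is a boolean in Sysmon; mapping it onto
  # target.ip makes a rule compare an IP field against "true"/"false".
  DestinationIsIpv6: target.ip
  # DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
  DestinationPort: target.port
  dst_port: target.port
  dest_port: target.port
  DestinationPortName: protocol

  # Source address / port
  IpAddress: principal.ip
  SourceIp: principal.ip
  SourceIP: principal.ip
  SourceAddress: principal.ip
  src_ip: principal.ip
  SourceNetworkAddress: principal.ip
  ip: principal.ip
  IpPort: principal.port
  SourcePort: principal.port
  src_port: principal.port

  # File paths
  FileName: target.file.full_path
  OriginalFileName: target.file.full_path
  TargetFileName: target.file.full_path
  event_data.TargetFilename: target.file.full_path
  file_name: target.file.full_path
  Targetfilename: target.file.full_path
  TargetFilename: target.file.full_path
  FilePath: target.file.full_path
  ImagePath: target.file.full_path
  Path: target.file.full_path
  RelativeTargetName: target.file.full_path
  # NOTE(review): `file.name` has no principal/target/src prefix, unlike every
  # other UDM path in this file — confirm it is a valid rule field.
  PipeName: file.name

  # File hashes. Sysmon's `Hashes` value carries several algorithms in one
  # string (MD5=...,SHA256=...,IMPHASH=...), so mapping it to target.file.md5
  # alone means rules keyed on a SHA256 or IMPHASH value never match.
  # NOTE(review): a list mapping over md5/sha1/sha256/import_hash would cover
  # them, but depends on how the backend rewrites the value — verify first.
  Hashes: target.file.md5
  event_data.Hashes: target.file.md5
  Hash: target.file.md5
  hash: target.file.md5
  file_hash: target.file.md5
  # An import hash is computed over the PE import table, not the file bytes,
  # so it belongs in the PE metadata field (the same path this file already
  # uses under target.process.file), not in target.file.md5.
  Imphash: target.file.file_metadata.pe.import_hash
  file_hash_imphash: target.file.file_metadata.pe.import_hash
  # NOTE(review): StartAddress / TargetProcessAddress (Sysmon event 8) are
  # memory addresses and Properties is a free-form field; none of them is an
  # import hash. These mappings look wrong — verify before relying on them.
  TargetProcessAddress: target.process.file.file_metadata.pe.import_hash
  StartAddress: target.process.file.file_metadata.pe.import_hash
  event_data.StartAddress: target.process.file.file_metadata.pe.import_hash
  Properties: target.process.file.file_metadata.pe.import_hash

  # Registry
  ObjectValueName: target.registry.registry_value_name
  TargetObject: target.registry.registry_key
  event_data.TargetObject: target.registry.registry_key
  Signature: target.registry.registry_value_data
  signature: target.registry.registry_value_data
  Value: target.registry.registry_value_data
  TargetValue: target.registry.registry_value_data
  ObjectName:
    - target.registry.registry_value_data
    - target.file.full_path

  # Authentication / users
  logonType: extensions.auth.mechanism
  LogonType: extensions.auth.mechanism
  FailureCode: security_result.description
  Status: security_result.description
  TicketOptions: security_result.about.labels.value
  SubjectDomainName: src.user.domain
  SubjectUserName: src.user.user_display_name
  SubjectUserSid: src.user.userid
  TargetDomainName: target.user.domain
  TargetUserName: target.user.user_display_name
  TargetUserSid: target.user.userid
  User: src.user.user_display_name
  AccountName: src.user.user_display_name
  # NOTE(review): ObjectType is an object class (e.g. a directory-service
  # object type), not a user display name — confirm this mapping.
  objectType: src.user.user_display_name
  ObjectType: src.user.user_display_name
  # NOTE(review): a SID is a security identifier, not a process id; the
  # product_specific_process_id field may not be what these rules expect.
  SidHistory: target.process.product_specific_process_id
  sid: target.process.product_specific_process_id
  Sid: target.process.product_specific_process_id
  AuthenticationPackageName: src.application
  action: security_result.action
  AccessMask: target.process.access_mask

  # Web / URL
  URL: target.url
  url: target.url
  http_uri: target.url
  c_uri_query: target.url
  query: target.url
  c-uri-path: target.url
  c-uri: target.url
  cs-uri-query: target.url
  c-uri-query: target.url
  c_uri: target.url
  request_url: target.url
  cs_uri_query: target.url
  c-uri-extension: target.url
  resource.URL: target.url
  web.url: target.url
  web.payload: target.url
  http_method: network.http.method
  cs_method: network.http.method
  cs-method: network.http.method
  HttpMethod: network.http.method
  web.method: network.http.method
  web.status: network.http.response_code
  sc-status: network.http.response_code
  # User agents are split between src.application and network.http.user_agent
  # depending on the source field name; rules on either will only hit the one
  # they map to.
  c-useragent: src.application
  UserAgent: src.application
  User-Agent: src.application
  http_userAgent: src.application
  application: network.http.user_agent
  Application: network.http.user_agent
  StartModule: src.application
  Source: src.application
  app: src.application

  # DNS
  dns_query_name: network.dns.questions.name
  answers: network.dns.answers.data
  answer: network.dns.answers.data

  # Product / description metadata
  TaskName: target.resource.name
  ShareName: target.resource.name
  Product: metadata.product_name
  product: metadata.product_name
  FileVersion: metadata.description
  description: metadata.description
  Description: metadata.description
  Company: metadata.description
  eventName: metadata.description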