title: Conversion for Windows Native Auditing Events
order: 10
logsources:
    process_creation:
        category: process_creation
        product: windows
        conditions:
            EventID: 4688
        rewrite:
            product: windows
            service: security
    registry_event:
        category: registry_event
        product: windows
        conditions:
            EventID: 4657
            OperationType:
                - 'New registry value created'
                - 'Existing registry value modified'
        rewrite:
            product: windows
            service: security
fieldmappings:
    Image: NewProcessName
    ParentImage: ParentProcessName
    Details: NewValue
    ParentCommandLine: ProcessCommandLine
    LogonId: SubjectLogonId