---
title: LogRhythm Windows EventID Field Mapping

order: 20
backends:
 - es-qs-lr

logsources:
  eventlogs:
    product: windows
    conditions:
      logSourceTypeName: 'MS Windows Event Logging XML - Security'

fieldmappings:
  EventID: vendorMessageID
  TicketOptions: object
  TicketEncryptionType: sessionType
  ServiceName: processName
  TargetUserName:
    - originUser
    - impactedUser
  Workstation: originHostname
  SubjectUserName: originUser
  LogonType: command
  LogonProcessName: processName
  WorkstationName:
    - originHostname
    - impactedHostname
  SubjectLogonId: session
  SubStatus: status
  IpPort: originPort
  IpAddress:
    - originIp
    - impactedIp
  ErrorCode: responseCode
  Task: vendorInfo
  PrivilegeList: subject
  SamAccountName: impactedUser
  PrimaryGroupId: group
  StatusCode: responseCode
  Level: severity
  SubjectDomainName: domainOrigin
  DSName: domainImpacted
  ObjectDN: objectName
  ObjectGUID: object
  ObjectClass: objectType
  OperationType: action
  Computer: impactedHostname
  CategoryId: policy
  SubcategoryId: objectName
  SubCategoryGuid: object
  AuditPolicyChanges: action
  ObjectCollectionName: objectType
  CountOfCredentialsReturned: quantity
  AlgorithmName: policy
  KeyName: objectName
  KeyType: objectType
  KeyFilePath: object
  Operation: action
  ReturnCode: responseCode
  ChannelType: objectType
  DomainName: domainImpacted
  ExecutionProcessId: processId
  processName: process
  ProviderName: vendorInfo
  SChannelName: objectName
  SecureChannelName: objectName
  ThreadId: session
  UserName:
    - originUser
    - impactedUser