{
  "channel_name": [
    "winlog.channel"
  ],
  "command_line": [
    "process.command_line",
    "process.args"
  ],
  "destination_address": [
    "destination.ip"
  ],
  "destination_port": [
    "destination.port",
    "server.port"
  ],
  "effective_gid": [
    "user.group.id"
  ],
  "effective_group_name": [
    "user.group.name"
  ],
  "effective_uid": [
    "user.id"
  ],
  "effective_user_name": [
    "user.name"
  ],
  "endpoint.core_os": [
    "host.os.platform"
  ],
  "endpoint.hostname": [
    "host.hostname"
  ],
  "endpoint.ip_address": [
    "host.ip"
  ],
  "endpoint.mac_address": [
    "host.mac"
  ],
  "endpoint.name": [
    "host.name"
  ],
  "endpoint.operating_system": [
    "host.os.full"
  ],
  "event_id": [
    "winlog.event_id"
  ],
  "event_message": [
    "winlog.message",
    "winlog.event_data.*"
  ],
  "eventlog_user_sid": [
    "winlog.user.sid"
  ],
  "file_name": [
    "file.name",
    "file.extension"
  ],
  "file_path": [
    "file.path"
  ],
  "fileid": [
    "file.inode"
  ],
  "http_request": [
    "http.request.method",
    "http.request.referrer",
    "http.version",
    "http.*"
  ],
  "imphash": [
    "file.hash.imphash"
  ],
  "in_packet_count": [
    "source.packets",
    "destination.packets"
  ],
  "ip_address": [
    "source.ip"
  ],
  "logon_type": [
    "winlog.event_data.LogonType"
  ],
  "machine_id": [
    "host.id"
  ],
  "md5": [
    "process.hash.md5",
    "file.hash.md5"
  ],
  "opcode": [
    "winlog.opcode"
  ],
  "out_packet_count": [
    "source.packets",
    "destination.packets"
  ],
  "parent_pid": [
    "process.parent.id"
  ],
  "parent_process_name": [
    "process.parent.name"
  ],
  "parent_process_path": [
    "process.parent.executable"
  ],
  "pid": [
    "process.pid"
  ],
  "ppid": [
    "process.parent.pid"
  ],
  "process_name": [
    "process.name"
  ],
  "process_path": [
    "process.executable"
  ],
  "protocol": [
    "network.transport"
  ],
  "provider_guid": [
    "winlog.provider_guid"
  ],
  "provider_name": [
    "winlog.provider_name"
  ],
  "query_name": [
    "dns.question.name"
  ],
  "query_options": [
    "dns.flags"
  ],
  "query_results": [
    "dns.answers.data"
  ],
  "query_status": [
    "dns.response_code"
  ],
  "query_type": [
    "dns.type"
  ],
  "severity": [
    "event.severity"
  ],
  "sha1": [
    "process.hash.sha1",
    "file.hash.sha1"
  ],
  "sha256": [
    "process.hash.sha256",
    "file.hash.sha256"
  ],
  "source_address": [
    "source.address",
    "source.ip",
    "client.address"
  ],
  "source_port": [
    "source.port",
    "client.port"
  ],
  "source_process_name": [
    "process.name"
  ],
  "source_process_path": [
    "process.executable"
  ],
  "subject_domain_name": [
    "winlog.event_data.SubjectDomainName"
  ],
  "subject_logon_id": [
    "winlog.event_data.SubjectLogonId"
  ],
  "subject_user_name": [
    "winlog.event_data.UserName"
  ],
  "subject_user_sid": [
    "winlog.event_data.UserSid"
  ],
  "target_domain_name": [
    "winlog.event_data.TargetDomainName",
    "user.domain"
  ],
  "target_logon_id": [
    "winlog.event_data.TargetLogonId"
  ],
  "target_user_name": [
    "user.name"
  ],
  "task": [
    "winlog.task"
  ],
  "tid": [
    "process.thread.id"
  ],
  "timestamp": [
    "@timestamp"
  ],
  "total_in_bytes": [
    "destination.bytes"
  ],
  "total_out_bytes": [
    "source.bytes"
  ],
  "user_domain": [
    "user.domain"
  ],
  "user_name": [
    "user.name"
  ],
  "user_sid": [
    "user.identifer"
  ]
}