Page Contents

Vendor Field Map

Vendor Field Map¶

Microsoft-Windows-Security-Auditing¶

Event ID: 4608¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
EventID	event_id
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4610¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
EventID	event_id
AuthenticationPackageName	package
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4611¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
LogonProcessName	process
Opcode	opcode
SeverityValue	severity
EventID	event_id
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4614¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
NotificationPackageName	package
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
EventID	event_id
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4616¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
PreviousTime	old_time
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
ProcessName	process
Opcode	opcode
SeverityValue	severity
EventID	event_id
NewTime	new_time
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4622¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
EventID	event_id
SecurityPackageName	package
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4624¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	caller_user
Version	version
ExecutionThreadID	execution_thread_id
TargetLinkedLogonId	target_linked_logon_id
ThreadID	thread_id
ProcessName	process
IpAddress	source_address
Channel	channel
ProcessId	process_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserSid	user_id
ImpersonationLevel	impersonation_level
TargetDomainName	domain
TargetLogonId	logon_id
ElevatedToken	elevated_token
TargetUserName	user
TaskValue	task_value
SubjectLogonId	caller_logon_id
TransmittedServices	transmitted_service
IpPort	source_port
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
ExecutionProcessID	execution_process_id
LmPackageName	lm_package
WorkstationName	workstation
LogonType	logon_type
Opcode	opcode
SeverityValue	severity
EventID	event_id
VirtualAccount	virtual_account
LogonGuid	logon_guid
AuthenticationPackageName	package
LogonProcessName	logon_process
KeyLength	key_length
ActivityID	activity_id
SubjectDomainName	caller_domain
Keywords	keyword
SubjectUserSid	caller_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4625¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	caller_user
Version	version
ExecutionThreadID	execution_thread_id
ThreadID	thread_id
ProcessName	process
IpAddress	source_address
Channel	channel
Status	status_code
ProcessId	process_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserSid	user_id
SubStatus	sub_status_code
TargetUserName	user
SubjectLogonId	logon_id
TransmittedServices	transmitted_service
FailureReason	reason
IpPort	source_port
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
ExecutionProcessID	execution_process_id
LmPackageName	lm_package
WorkstationName	workstation
LogonType	logon_type
Opcode	opcode
SeverityValue	severity
EventID	event_id
AuthenticationPackageName	package
LogonProcessName	logon_process
KeyLength	key_length
TargetDomainName	domain
SubjectDomainName	caller_domain
Keywords	keyword
SubjectUserSid	caller_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4627¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserSid	user_id
TargetDomainName	domain
TargetLogonId	logon_id
TargetUserName	user
SubjectLogonId	caller_logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
EventCountTotal	event_count
LogonType	logon_type
Opcode	opcode
GroupMembership	group_membership
SeverityValue	severity
EventID	event_id
EventIdx	event_idx
ActivityID	activity_id
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4634¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserSid	user_id
TargetLogonId	logon_id
TargetUserName	user
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
LogonType	logon_type
Opcode	opcode
EventID	event_id
TargetDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4647¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserSid	user_id
TargetLogonId	logon_id
TargetUserName	user
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
EventID	event_id
TargetDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4648¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	caller_user
Version	version
ThreadID	thread_id
IpAddress	source_address
Channel	channel
TargetInfo	information
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	user
SubjectLogonId	logon_id
IpPort	source_port
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
ProcessName	process
Opcode	opcode
SeverityValue	severity
EventID	event_id
LogonGuid	logon_guid
TargetServerName	server
TargetLogonGuid	logon_guid
TargetDomainName	domain
SubjectDomainName	caller_domain
Keywords	keyword
SubjectUserSid	caller_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4653¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
KeyModName	module_name
State	state
Version	version
Role	role
ThreadID	thread_id
Channel	channel
SourceName	event_source
EventType	event_type
MMImpersonationState	impersonation_state
RemoteKeyModPort	destination_port
FailureReason	reason
FailurePoint	failure_point
ProviderGuid	guid
EventTime	log_ts
Task	task
LocalKeyModPort	source_port
OpcodeValue	opcode_value
RemoteAddress	destination_address
LocalMMPrincipalName	local_principal_name
MMFilterID	filter_id
InitiatorCookie	initiator_cookie
LocalAddress	source_address
Opcode	opcode
ResponderCookie	responder_cookie
RemoteMMPrincipalName	remote_principal_name
EventID	event_id
MMAuthMethod	authentication_method
Keywords	keywords
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4656¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
RestrictedSidCount	restricted_id_count
Severity	log_level
Hostname	host
SubjectUserName	user
AccessList	access
Version	version
ThreadID	thread_id
TransactionId	transaction_id
Channel	channel
HandleId	handle_id
AccessMask	access_mask
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubjectLogonId	logon_id
ObjectType	object_type
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
ProcessName	process
Opcode	opcode
SeverityValue	severity
AccessReason	reason
EventID	event_id
PrivilegeList	privilege
ObjectName	object_name
ObjectServer	object_server
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4657¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
NewValueType	new_value_type
Hostname	host
SubjectUserName	user
Version	version
OldValue	old_value
ThreadID	thread_id
Channel	channel
HandleId	handle_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ObjectValueName	object_value
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
ProcessName	process
Opcode	opcode
OperationType	operation_type
SeverityValue	severity
EventID	event_id
ObjectName	object_name
OldValueType	old_value_type
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
NewValue	new_value
EventReceivedTime	event_ts

Event ID: 4658¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
HandleId	handle_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
ProcessName	process
Opcode	opcode
SeverityValue	severity
EventID	event_id
ObjectServer	object_server
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4659¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
AccessList	access
Version	version
ThreadID	thread_id
TransactionId	transaction_id
Channel	channel
HandleId	handle_id
AccessMask	access_mask
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubjectLogonId	logon_id
ObjectType	object_type
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SeverityValue	severity
EventID	event_id
PrivilegeList	privilege
ObjectName	object_name
ObjectServer	object_server
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4660¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TransactionId	transaction_id
Channel	channel
HandleId	handle_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SeverityValue	severity
EventID	event_id
ObjectServer	object_server
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4661¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
RestrictedSidCount	restricted_id_count
Severity	log_level
Hostname	host
SubjectUserName	user
AccessList	access
Version	version
ThreadID	thread_id
TransactionId	transaction_id
Channel	channel
HandleId	handle_id
AccessMask	access_mask
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubjectLogonId	logon_id
Properties	properties
ObjectType	object_type
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
ProcessName	process
Opcode	opcode
SeverityValue	severity
AccessReason	reason
EventID	event_id
PrivilegeList	privilege
ObjectName	object_name
ObjectServer	object_server
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4662¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
AdditionalInfo	additional_information
Hostname	host
SubjectUserName	user
AccessList	access
Version	version
ExecutionThreadID	execution_thread_id
ThreadID	thread_id
Channel	channel
HandleId	handle_id
AccessMask	access_mask
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TaskValue	task_value
SubjectLogonId	logon_id
Properties	properties
ObjectType	object_type
ExecutionProcessID	execution_process_id
EventID	event_id
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
OperationType	operation_type
SubjectUserSid	user_id
ProviderGuid	guid
AdditionalInfo2	additional_information_2
ObjectName	object_name
ObjectServer	object_server
ActivityID	activity_id
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4663¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
AccessList	access
Version	version
ThreadID	thread_id
Channel	channel
HandleId	handle_id
AccessMask	access_mask
ResourceAttributes	attributes
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubjectLogonId	logon_id
ObjectType	object_type
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
ProcessName	process
Opcode	opcode
SeverityValue	severity
EventID	event_id
ObjectName	object_name
ObjectServer	object_server
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4664¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TransactionId	transaction_id
LinkName	path
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SeverityValue	severity
EventID	event_id
FileName	file
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4670¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ExecutionThreadID	execution_thread_id
ThreadID	thread_id
Channel	channel
HandleId	handle_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
OldSD	old_sd
TaskValue	task_value
SubjectLogonId	logon_id
ObjectType	object_type
ExecutionProcessID	execution_process_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
ProcessId	process_id
ProcessName	process
Opcode	opcode
NewSD	new_sd
SeverityValue	severity
EventID	event_id
ObjectName	object_name
ObjectServer	object_server
OldSd	old_sd
SubjectDomainName	domain
NewSd	new_sd
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4672¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SeverityValue	severity
EventID	event_id
PrivilegeList	privilege
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4673¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Service	service
Hostname	host
SubjectUserName	user
Version	version
ExecutionThreadID	execution_thread_id
ThreadID	thread_id
Channel	channel
ProcessId	process_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TaskValue	task_value
SubjectLogonId	logon_id
ExecutionProcessID	execution_process_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
ProcessName	process
Opcode	opcode
SeverityValue	severity
EventID	event_id
PrivilegeList	privilege
ObjectServer	object_server
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4674¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
HandleId	handle_id
AccessMask	access_mask
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubjectLogonId	logon_id
ObjectType	object_type
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
ProcessName	process
Opcode	opcode
SeverityValue	severity
EventID	event_id
PrivilegeList	privilege
ObjectName	object_name
ObjectServer	object_server
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4675¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
TdoDirection	trust_direction
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserSid	user_id
TdoAttributes	trust_attribute
TdoSid	trust_id
TargetUserName	user
SidList	id_list
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
TdoType	trust_type
EventID	event_id
TargetDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4688¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
NewProcessId	target_process_id
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
TokenElevationType	token_elevation_type
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserSid	target_id
TargetLogonId	target_logon_id
TargetUserName	target_user
SubjectDomainName	domain
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SeverityValue	severity
EventID	event_id
NewProcessName	process
TargetDomainName	target_domain
SubjectLogonId	logon_id
Keywords	keyword
SubjectUserSid	user_id
RecordNumber	record
EventReceivedTime	event_ts
ExecutionProcessID	execution_process_id
ExecutionThreatID	execution_thread_id
TaskValue	task_value
Process_Command_Line	command
ParentProcessName	parent_process
MandatoryLabel	integrity_sid
commandline	command

Event ID: 4689¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
Status	status_code
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubjectDomainName	domain
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
ProcessName	process
Opcode	opcode
SeverityValue	severity
EventID	event_id
SubjectLogonId	logon_id
Keywords	keyword
SubjectUserSid	user_id
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4690¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
TargetHandleId	new_handle_id
ThreadID	thread_id
Channel	channel
SourceHandleId	handle_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
SourceProcessId	source_process_id
Opcode	opcode
SeverityValue	severity
EventID	event_id
TargetProcessId	target_process_id
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4692¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
MasterKeyId	master_key_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
SourceName	event_source
EventType	event_type
SubjectLogonId	logon_id
RecoveryKeyId	recover_id
FailureReason	reason
ProviderGuid	guid
EventTime	log_ts
Task	task
OpcodeValue	opcode_value
Opcode	opcode
SeverityValue	severity
EventID	event_id
SubjectDomainName	domain
Keywords	keywords
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4695¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
MasterKeyId	master_key_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
CryptoAlgorithms	cipher
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ProtectedDataFlags	protected_data_flag
SubjectLogonId	logon_id
FailureReason	reason
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SeverityValue	severity
EventID	event_id
DataDescription	data_description
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4697¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
ServiceAccount	service_account
ServiceName	service
Opcode	opcode
SeverityValue	severity
EventID	event_id
ServiceType	object_type
ServiceFileName	file
ActivityID	activity_id
ServiceStartType	start_type
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4698¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TaskContent	task_content
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SeverityValue	severity
TaskName	task
EventID	event_id
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts
SubjectUserSidName	subject_user_id
RandomDelay	random_delay
WeeksInterval	weeks_interval

Event ID: 4699¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TaskContent	task_content
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
WakeToRun	wake_to_run
UserId	target_user
StopOnIdleEnd	stop_on_idle_end
RunLevel	run_level
DisallowStartIfOnBatteries	disallow_start_if_on_batteries
SubjectLogonId	logon_id
WaitTimeout	wait_timeout
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
RunOnlyIfIdle	run_only_if_idle
ExecutionTimeLimit	execution_time_limit
RestartOnIdle	restart_on_idle
LogonType	logon_type
Opcode	opcode
SeverityValue	severity
TaskName	task
EventID	event_id
StopIfGoingOnBatteries	stop_if_going_on_batteries
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
StartBoundary	start_boundry
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4700¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
WakeToRun	wake_to_run
DisallowStartOnRemoteAppSession	disallow_start_on_remote_app_session
Hostname	host
UseUnifiedSchedulingEngine	use_unified_scheduling_engine
SubjectUserName	user
ExecutionThreadID	execution_thread_id
ThreadID	thread_id
TaskContent	content
SourceName	event_source
EventType	event_type
SecurityDescriptor	sd
UserId	user_id
AllowStartOnDemand	allow_start_on_demand
StopOnIdleEnd	stop_on_idle_end
RunOnlyIfNetworkAvailable	run_only_if_network_available
RunOnlyIfIdle	run_only_if_idle
DisallowStartIfOnBatteries	disallow_start_if_on_batteries
SubjectLogonId	logon_id
AllowHardTerminate	allow_hard_terminate
ExecutionProcessID	execution_process_id
EventID	event_id
EventTime	log_ts
OpcodeValue	opcode_value
TaskValue	task_value
ExecutionTimeLimit	execution_time_limit
URI	url
RestartOnIdle	restart_on_idle
SeverityValue	severity
TaskName	task
MultipleInstancesPolicy	multiple_instances_policy
ProviderGuid	guid
ClassId	class_id
ActivityID	activity_id
SubjectDomainName	domain
SubjectUserSid	user_id
StopIfGoingOnBatteries	stop_if_going_on_batteries
RecordNumber	record
GroupId	group_id
EventReceivedTime	event_ts

Event ID: 4701¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
WakeToRun	wake_to_run
Severity	log_level
Author	author
DisallowStartOnRemoteAppSession	disallow_start_on_remote_session
Hostname	host
UseUnifiedSchedulingEngine	user_unified_scheduling_engine
SubjectUserName	user
Priority	priority
Source	source
Version	version
ThreadID	thread_id
Hidden	hidden
TaskContent	task_content
Channel	channel
EventTrigger	event_trigger
Description	description
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SecurityDescriptor	sd
UserId	user_id
AllowStartOnDemand	allow_start_on_demand
RunOnlyIfNetworkAvailable	run_only_if_network_available
RunOnlyIfIdle	run_only_if_idle
DisallowStartIfOnBatteries	disallow_start_on_Batteries
SubjectLogonId	logon_id
Data	data
AllowHardTerminate	allow_hard_terminate
Subscription	subscription
Count	count
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
ExecutionTimeLimit	execution_time_limit
Interval	interval
Enabled	enabled
URI	url
Opcode	opcode
SeverityValue	severity
ComHandler	com_handler
TaskName	task
MultipleInstancesPolicy	multiple_instance_policy
EventID	event_id
StopIfGoingOnBatteries	stop_if_going_on_batteries
RestartOnFailure	restart_on_failure
ClassId	class_id
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
Principal	principle
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4702¶

Windows Field	Logpoint Field
ClassId	class_id
ProcessID	process_id
WakeToRun	wake_to_run
Severity	log_level
DisallowStartOnRemoteAppSession	disallow_start_on_remote_app_session
WaitTimeout	wait_timeout
file_extension	file_type
Hostname	host
UseUnifiedSchedulingEngine	use_unified_scheduling_engine
SubjectUserName	user
Version	version
ThreadID	thread_id
DaysInterval	days_interval
RunOnlyIfNetworkAvailable	run_only_if_network_available
SourceName	event_source
EventType	event_type
SecurityDescriptor	sd
UserId	user_id
AllowStartOnDemand	allow_start_on_demand
StopOnIdleEnd	stop_on_idle_end
RandomDelay	random_delay
RunLevel	run_level
DisallowStartIfOnBatteries	disallow_start_if_on_batteries
SubjectDomainName	domain
AllowHardTerminate	allow_hard_terminate
ProviderGuid	guid
EventTime	log_ts
Task	task
OpcodeValue	opcode_value
RunOnlyIfIdle	run_only_if_idle
ExecutionTimeLimit	execution_time_limit
URI	url
Category	event_category
RestartOnIdle	restart_on_idle
SeverityValue	severity
TaskName	task
MultipleInstancesPolicy	multiple_instance_policy
EventID	event_id
StopIfGoingOnBatteries	stop_if_going_on_batteries
SubjectLogonId	logon_id
StartWhenAvailable	start_when_available
LogonType	logon_type
SubjectUserSid	user_id
TaskContentNew	content
StartBoundary	start_boundry
RecordNumber	record
Hidden	hidden
EventReceivedTime	event_ts

Event ID: 4703¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
EnabledPrivilegeList	enabled_privilege_list
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserSid	user_id
TargetLogonId	logon_id
TargetUserName	user
SubjectLogonId	caller_logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
DisabledPrivilegeList	disabled_privilege_list
OpcodeValue	opcode_value
ProcessName	process
Opcode	opcode
SeverityValue	severity
EventID	event_id
TargetDomainName	domain
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4704¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	target_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
TargetUserName	target_user
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SeverityValue	severity
EventID	event_id
PrivilegeList	privilege
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4705¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	target_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
TargetUserName	target_user
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SeverityValue	severity
EventID	event_id
PrivilegeList	privilege
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4713¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
KerberosPolicyChange	policy
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SeverityValue	severity
EventID	event_id
ActivityID	activity_id
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4714¶

Windows Field	Logpoint Field
EventID	event_id
ProviderGuid	guid
EventTime	log_ts
Task	task
Severity	log_level
OpcodeValue	opcode_value
ProcessID	process_id
SourceName	event_source
EventType	event_type
Hostname	host
Category	event_category
Version	version
Opcode	opcode
ThreadID	thread_id
Keywords	keywords
SeverityValue	severity
Message	message
RecordNumber	record
Channel	channel
EventReceivedTime	event_ts

Event ID: 4716¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
DomainName	domain
Hostname	host
TdoDirection	tdo_direction
SubjectUserName	user
DomainSid	domain_id
Version	version
SidFilteringEnabled	sid_filtering_enabled
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
TdoAttributes	tdo_attributes
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
TdoType	tdo_type
EventID	event_id
SubjectDomainName	caller_domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4717¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ExecutionThreadID	execution_thread_id
ThreadID	thread_id
TargetSid	target_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	target_user
AccessGranted	privilege
TaskValue	task_value
SubjectLogonId	logon_id
ExecutionProcessID	execution_process_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SeverityValue	severity
EventID	event_id
ActivityID	activity_id
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4718¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ExecutionThreadID	execution_thread_id
ThreadID	thread_id
TargetSid	target_id
Channel	channel
AccessRemoved	privilege
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubjectLogonId	logon_id
ExecutionProcessID	execution_process_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SeverityValue	severity
EventID	event_id
ActivityID	activity_id
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	caller_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4719¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
SubcategoryId	sub_category
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubcategoryGuid	sub_category_guid
SubjectLogonId	logon_id
AuditPolicyChanges	policy
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SeverityValue	severity
CategoryId	category
EventID	event_id
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4720¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
PrimaryGroupId	group_id
DisplayName	display_name
Severity	log_level
UserParameters	parameter
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	target_id
SubjectLogonId	logon_id
Channel	channel
OldUacValue	old_value
UserWorkstations	workstation
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SidHistory	sid_history
HomePath	home_path
TargetUserName	target_user
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
UserAccountControl	user_account_control
LogonHours	logon_hour
Opcode	opcode
ScriptPath	script_path
SubjectUserSid	user_id
ProfilePath	path
HomeDirectory	home_directory
AllowedToDelegateTo	allowed_to_delegate
EventID	event_id
PrivilegeList	privilege
SamAccountName	sam_account_name
PasswordLastSet	password_last_set
UserPrincipalName	user_principal_name
TargetDomainName	target_domain
SubjectDomainName	domain
AccountExpires	account_expire
NewUacValue	new_value
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4722¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	target_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	target_user
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
TargetDomainName	target_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4723¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	target_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	target_user
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	target_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4724¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	target_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	target_user
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
TargetDomainName	target_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4725¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	target_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	target_user
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
TargetDomainName	target_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4726¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ExecutionThreadID	execution_thread_id
ThreadID	thread_id
TargetSid	target_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TaskValue	task_value
TargetUserName	target_user
ExecutionProcessID	execution_process_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	target_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4727¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SidHistory	sid_history
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
SamAccountName	sam_account_name
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4728¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
MemberSid	target_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
MemberName	member
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4729¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
MemberSid	target_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
MemberName	member
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4730¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SidHistory	sid_history
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
SamAccountName	sam_account_name
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4731¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SidHistory	sid_history
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
SamAccountName	sam_account_name
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4732¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ExecutionThreadID	execution_thread_id
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
MemberSid	target_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ActivityID	activity_id
TaskValue	task_value
TargetUserName	group
ExecutionProcessID	execution_process_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
MemberName	member
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4733¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ExecutionThreadID	execution_thread_id
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
MemberSid	target_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	group
ExecutionProcessID	execution_process_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
MemberName	member
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4734¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
GroupTypeChange	group_type
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
SourceModuleName	source_module
EventReceivedTime	event_ts

Event ID: 4735¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SidHistory	sid_history
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
SamAccountName	sam_account_name
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4737¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SidHistory	sid_history
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
SamAccountName	sam_account_name
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4738¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
PrimaryGroupId	group_id
DisplayName	display_name
Severity	log_level
Dummy	dummy
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	target_id
SubjectLogonId	logon_id
Channel	channel
OldUacValue	old_value
UserWorkstations	workstation
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
UserParameters	parameter
SidHistory	sid_history
HomePath	home_path
TargetUserName	target_user
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
UserAccountControl	user_account_control
LogonHours	logon_hour
Opcode	opcode
ScriptPath	script_path
SubjectUserSid	user_id
ProfilePath	path
HomeDirectory	home_directory
AllowedToDelegateTo	allowed_to_delegate
EventID	event_id
PrivilegeList	privilege
SamAccountName	sam_account_name
PasswordLastSet	password_last_set_ts
UserPrincipalName	user_principal_name
TargetDomainName	target_domain
SubjectDomainName	domain
AccountExpires	account_expire
NewUacValue	new_value
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4739¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
MinPasswordAge	min_password_age
Severity	log_level
DomainName	domain
Hostname	host
SubjectUserName	user
DomainSid	domain_id
Version	version
ThreadID	thread_id
Channel	channel
LockoutThreshold	lockout_threshold
DomainBehaviorVersion	domain_behavior_version
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
PasswordHistoryLength	password_history_length
PasswordProperties	properties
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
DomainPolicyChanged	policy
OpcodeValue	opcode_value
ForceLogoff	force_logoff
LockoutDuration	lockout_duration
Opcode	opcode
SubjectUserSid	user_id
MaxPasswordAge	max_password_age
MinPasswordLength	min_password_length
OemInformation	oem_information
EventID	event_id
MixedDomainMode	mixed_domain_mode
PrivilegeList	privilege
MachineAccountQuota	account_quota
SubjectDomainName	caller_domain
Keywords	keyword
SeverityValue	severity
Message	message
LockoutObservationWindow	observation_window
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4740¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	caller_user
Version	version
ThreadID	thread_id
TargetSid	user_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	user
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	caller_id
EventID	event_id
TargetDomainName	workstation
SubjectDomainName	caller_domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4741¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
PrimaryGroupId	group_id
DisplayName	display_name
Severity	log_level
UserParameters	parameter
Hostname	host
ServicePrincipalNames	service
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	computer_id
SubjectLogonId	logon_id
Channel	channel
OldUacValue	old_value
UserWorkstations	workstation
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
DnsHostName	dns_host
SidHistory	sid_history
HomePath	home_path
TargetUserName	computer
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
UserAccountControl	user_account_control
LogonHours	logon_hour
Opcode	opcode
ScriptPath	script_path
SubjectUserSid	user_id
ProfilePath	path
HomeDirectory	home_directory
AllowedToDelegateTo	allowed_to_delegate
EventID	event_id
PrivilegeList	privilege
SamAccountName	sam_account_name
PasswordLastSet	password_last_set
UserPrincipalName	user_principal_name
TargetDomainName	computer_domain
SubjectDomainName	domain
AccountExpires	account_expire
NewUacValue	new_value
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4742¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
PrimaryGroupId	group_id
DisplayName	display_name
Severity	log_level
UserParameters	parameter
Hostname	host
ServicePrincipalNames	service
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	computer_id
SubjectLogonId	logon_id
ComputerAccountChange	computer_account_change
Channel	channel
OldUacValue	old_value
UserWorkstations	workstation
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
DnsHostName	dns_host
SidHistory	sid_history
HomePath	home_path
TargetUserName	computer
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
UserAccountControl	user_account_control
LogonHours	logon_hour
Opcode	opcode
ScriptPath	script_path
SubjectUserSid	user_id
ProfilePath	path
HomeDirectory	home_directory
AllowedToDelegateTo	allowed_to_delegate
EventID	event_id
PrivilegeList	privilege
SamAccountName	sam_account_name
PasswordLastSet	password_last_set_ts
UserPrincipalName	user_principal_name
TargetDomainName	computer_domain
SubjectDomainName	domain
AccountExpires	account_expire
NewUacValue	new_value
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4743¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	computer_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	computer
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	computer_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4744¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SidHistory	sid_history
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
SamAccountName	sam_account_name
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4745¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SidHistory	sid_history
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
SamAccountName	sam_account_name
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4746¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
MemberSid	target_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
MemberName	member
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4747¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
MemberSid	target_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
MemberName	member
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4748¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SidHistory	sid_history
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
SamAccountName	sam_account_name
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4749¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SidHistory	sid_history
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
SamAccountName	sam_account_name
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4750¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SidHistory	sid_history
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
SamAccountName	sam_account_name
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4751¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
MemberSid	target_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
MemberName	member
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity_value
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4752¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
MemberSid	target_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
MemberName	member
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4753¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4754¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SidHistory	sid_history
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
SamAccountName	sam_account_name
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4755¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SidHistory	sid_history
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
SamAccountName	sam_account_name
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4756¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
MemberSid	target_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
MemberName	member
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4757¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
MemberSid	target_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
MemberName	member
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4758¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4759¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SidHistory	sid_history
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
SamAccountName	sam_account_name
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4760¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SidHistory	sid_history
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
SamAccountName	sam_account_name
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4761¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
MemberSid	target_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
MemberName	member
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4762¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
MemberSid	target_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
MemberName	member
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4763¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4764¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
GroupTypeChange	group_type
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
SourceModuleName	source_module
EventReceivedTime	event_ts

Event ID: 4767¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	target_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	target_user
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
TargetDomainName	target_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4768¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
TicketEncryptionType	encryption_type
Hostname	host
Version	version
ThreadID	thread_id
TargetSid	user_id
IpAddress	source_address
Channel	channel
Status	status_code
ServiceSid	service_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	user
IpPort	source_port
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
PreAuthType	pre_authentication_type
ServiceName	service
Opcode	opcode
EventID	event_id
TargetDomainName	domain
TicketOptions	ticket_option
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4769¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
TicketEncryptionType	encryption_type
Hostname	host
Version	version
ThreadID	thread_id
IpAddress	source_address
Channel	channel
Status	status_code
ServiceSid	service_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	user
TransmittedServices	transmitted_service
IpPort	source_port
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
ServiceName	service
Opcode	opcode
EventID	event_id
LogonGuid	logon_guid
TargetDomainName	domain
TicketOptions	ticket_option
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4770¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
TicketEncryptionType	encryption_type
Hostname	host
Version	version
ThreadID	thread_id
IpAddress	source_address
Channel	channel
ServiceSid	service_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	user
IpPort	source_port
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
ServiceName	service
Opcode	opcode
EventID	event_id
TargetDomainName	domain
TicketOptions	ticket_option
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4771¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
ThreadID	thread_id
TargetSid	user_id
IpAddress	source_address
Channel	channel
Status	status_code
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	user
IpPort	source_port
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
PreAuthType	pre_authentication_type
ServiceName	service
Opcode	opcode
EventID	event_id
TicketOptions	ticket_option
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4774¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
ProviderGuid	guid
EventTime	log_ts
Task	event_task
MappingBy	mapping_by
OpcodeValue	opcode_value
ClientUserName	user
Opcode	opcode
EventID	event_id
MappedName	mapped_name
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4776¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
PackageName	package
Hostname	host
Workstation	workstation
Version	version
ThreadID	thread_id
Channel	channel
Status	status_code
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	user
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
EventID	event_id
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4778¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
SessionName	session
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ClientName	workstation
ProviderGuid	guid
EventTime	log_ts
Task	event_task
LogonID	logon_id
OpcodeValue	opcode_value
AccountName	user
Opcode	opcode
EventID	event_id
RecordNumber	record
ClientAddress	source_address
Keywords	keyword
SeverityValue	severity
Message	message
AccountDomain	domain
EventReceivedTime	event_ts

Event ID: 4779¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
SessionName	session
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ClientName	workstation
ProviderGuid	guid
EventTime	log_ts
Task	event_task
LogonID	logon_id
OpcodeValue	opcode_value
AccountName	user
Opcode	opcode
EventID	event_id
RecordNumber	record
ClientAddress	source_address
Keywords	keyword
SeverityValue	severity
Message	message
AccountDomain	domain
EventReceivedTime	event_ts

Event ID: 4780¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	target_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
TargetUserName	target_user
SubjectDomainName	domain
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	domain
SubjectLogonId	logon_id
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4781¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	target_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
NewTargetUserName	new_user
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
OldTargetUserName	target_user
PrivilegeList	privilege
TargetDomainName	target_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4785¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
MemberSid	target_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
MemberName	member
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4786¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
MemberSid	target_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
MemberName	member
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4787¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
MemberSid	target_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
MemberName	member
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4788¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
MemberSid	target_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
MemberName	member
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4793¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Workstation	workstation
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
Status	status_code
SourceName	event_source
EventType	event_type
TargetUserName	target_user
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	task
OpcodeValue	opcode_value
Opcode	opcode
SeverityValue	severity_value
EventID	event_id
SubjectDomainName	domain
Keywords	keywords
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4798¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
MemberSid	target_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	group
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
MemberName	member
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
PrivilegeList	privilege
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4799¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
CallerProcessName	process
ThreadID	thread_id
TargetSid	group_id
SubjectLogonId	logon_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserName	group
CallerProcessId	caller_process_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
TargetDomainName	group_domain
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4800¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SessionId	session_id
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
TargetUserSid	user_id
TargetDomainName	domain
TargetLogonId	logon_id
TargetUserName	user
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
EventID	event_id
ActivityID	activity_id
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4817¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
OldSD	old_sd
SubjectLogonId	logon_id
ObjectType	object_type
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
NewSD	new_sd
SeverityValue	severity
EventID	event_id
ObjectName	object_name
ObjectServer	object_server
OldSd	old_sd
SubjectDomainName	domain
NewSd	new_sd
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4902¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
PuaPolicyId	policy_id
PuaCount	pua_count
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
EventID	event_id
Version	version
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4904¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
AuditSourceName	audit_source
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
ProcessName	process
Opcode	opcode
SeverityValue	severity
EventID	event_id
SubjectDomainName	domain
EventSourceId	source_id
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4905¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
AuditSourceName	audit_source
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
ProcessName	process
Opcode	opcode
SeverityValue	severity
EventID	event_id
SubjectDomainName	domain
EventSourceId	source_id
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4907¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
HandleId	handle_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
OldSD	old_sd
SubjectLogonId	logon_id
ObjectType	object_type
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
ProcessName	process
Opcode	opcode
NewSD	new_sd
SeverityValue	severity
EventID	event_id
ObjectName	object_name
ObjectServer	object_server
OldSd	old_sd
SubjectDomainName	domain
NewSd	new_sd
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4912¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
SubcategoryId	sub_category
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
TargetUserSid	target_id
SubcategoryGuid	sub_category_guid
SubjectLogonId	logon_id
AuditPolicyChanges	policy
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SeverityValue	severity
CategoryId	category_id
EventID	event_id
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4928¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
DestinationDRA	destination_dra
ThreadID	thread_id
Channel	channel
StatusCode	status_code
SourceName	event_source
EventType	event_type
SourceAddr	workstation
ProviderGuid	guid
EventTime	log_ts
Task	task
OpcodeValue	opcode_value
NamingContext	naming_context
Opcode	opcode
Options	options
EventID	event_id
Keywords	keywords
SeverityValue	severity
Message	message
SourceDRA	source_dra
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4929¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
DestinationDRA	destination_dra
ThreadID	thread_id
Channel	channel
StatusCode	status_code
SourceName	event_source
EventType	event_type
SourceAddr	workstation
ProviderGuid	guid
EventTime	log_ts
Task	task
OpcodeValue	opcode_value
NamingContext	naming_context
Opcode	opcode
Options	options
EventID	event_id
Keywords	keywords
SeverityValue	severity
Message	message
SourceDRA	source_dra
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4930¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
DestinationDRA	destination_dra
ThreadID	thread_id
Channel	channel
StatusCode	status_code
SourceName	event_source
EventType	event_type
SourceAddr	workstation
ProviderGuid	guid
EventTime	log_ts
Task	task
OpcodeValue	opcode_value
NamingContext	naming_context
Opcode	opcode
Options	options
EventID	event_id
Keywords	keywords
SeverityValue	severity
Message	message
SourceDRA	source_dra
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4931¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
DestinationDRA	destination_dra
ThreadID	thread_id
Channel	channel
StatusCode	status_code
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
SourceAddr	source_address
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
NamingContext	naming_context
Opcode	opcode
Options	options
EventID	event_id
Keywords	keyword
SeverityValue	severity
Message	message
SourceDRA	source_dra
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4932¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
DestinationDRA	destination_dra
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
SessionID	session_id
StartUSN	start_user_sequence_number
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
NamingContext	naming_context
Opcode	opcode
Options	options
EventID	event_id
Keywords	keyword
SeverityValue	severity
Message	message
SourceDRA	source_dra
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4933¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
DestinationDRA	destination_dra
ThreadID	thread_id
Channel	channel
StatusCode	status_code
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
SessionID	session_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
NamingContext	naming_context
Opcode	opcode
Options	options
EventID	event_id
EndUSN	end_user_sequence_number
Keywords	keyword
SeverityValue	severity
Message	message
SourceDRA	source_dra
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4944¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
LogDroppedPacketsEnabled	log_dropped_packet
Version	version
ThreadID	thread_id
Channel	channel
Profile	profile
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
RemoteAdminEnabled	remote_administration
Opcode	opcode
MulticastFlowsEnabled	multicast_flow
GroupPolicyApplied	policy
EventID	event_id
LogSuccessfulConnectionsEnabled	log_successful_connection
Keywords	keyword
SeverityValue	severity
Message	message
EventReceivedTime	event_ts
RecordNumber	record
OperationMode	operation_mode

Event ID: 4945¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
EventID	event_id
RuleId	rule_id
RuleName	rule
Keywords	keyword
SeverityValue	severity
Message	message
ProfileUsed	profile
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4946¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
ProfileChanged	profile
EventID	event_id
RuleId	rule_id
ActivityID	activity_id
RuleName	rule
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4947¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
ProfileChanged	profile
EventID	event_id
RuleId	rule_id
ActivityID	activity_id
RuleName	rule
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4948¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
ProfileChanged	profile
EventID	event_id
RuleId	rule_id
ActivityID	activity_id
RuleName	rule
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4949¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
EventID	event_id
ActivityID	activity_id
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4950¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
ThreadID	thread_id
SettingValue	setting_value
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
ProfileChanged	profile
EventID	event_id
SettingType	setting_type
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4953¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
ThreadID	thread_id
Channel	channel
Profile	profile
SourceName	event_source
EventType	event_type
ReasonForRejection	reason
ProviderGuid	guid
EventTime	log_ts
Task	task
OpcodeValue	opcode_value
Opcode	opcode
EventID	event_id
RuleId	rule_id
RuleName	rule
Keywords	keywords
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4954¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
EventID	event_id
ActivityID	activity_id
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4956¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
EventID	event_id
ActiveProfile	profile
ActivityID	activity_id
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4957¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
ThreadID	thread_id
RuleAttr	attribute
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
EventID	event_id
RuleId	rule_id
ActivityID	activity_id
RuleName	rule
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 4985¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
TransactionId	transaction_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
ProcessName	process
Opcode	opcode
SeverityValue	severity
EventID	event_id
ResourceManager	resource_manager
SubjectDomainName	domain
NewState	new_value
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5024¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
EventID	event_id
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5031¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Application	application
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Profiles	profile
Opcode	opcode
EventID	event_id
ActivityID	activity_id
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5033¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
EventID	event_id
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5038¶

Windows Field	Logpoint Field
EventID	event_id
ProviderGuid	guid
EventTime	log_ts
Task	task
Severity	log_level
OpcodeValue	opcode_value
ProcessID	process_id
SourceName	event_source
EventType	event_type
Hostname	host
Category	event_category
Version	version
Opcode	opcode
param1	file
ThreadID	thread_id
Keywords	keywords
SeverityValue	severity
Message	message
RecordNumber	record
Channel	channel
EventReceivedTime	event_ts

Event ID: 5056¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
ReturnCode	status_code
Severity	log_level
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
SourceName	event_source
EventType	event_type
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	task
OpcodeValue	opcode_value
Opcode	opcode
SeverityValue	severity
EventID	event_id
Module	module
SubjectDomainName	domain
Keywords	keywords
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5058¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
ReturnCode	status_code
Severity	log_level
ProviderName	provider
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
KeyName	key
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
KeyType	key_type
Opcode	opcode
SeverityValue	severity
Operation	action
EventID	event_id
SubjectDomainName	domain
KeyFilePath	path
AlgorithmName	cipher
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5059¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
ReturnCode	status_code
Severity	log_level
ProviderName	provider
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
KeyName	key
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
KeyType	key_type
Opcode	opcode
SeverityValue	severity
Operation	action
EventID	event_id
ActivityID	activity_id
SubjectDomainName	domain
AlgorithmName	cipher
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5061¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
ReturnCode	status_code
Severity	log_level
ProviderName	provider
Hostname	host
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
KeyName	key
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
KeyType	key_type
Opcode	opcode
SeverityValue	severity
Operation	action
EventID	event_id
SubjectDomainName	domain
AlgorithmName	cipher
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5136¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
DSName	service
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
AttributeLDAPDisplayName	ldap_display
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ObjectGUID	service_guid
SubjectLogonId	logon_id
OpCorrelationID	operation_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
AttributeSyntaxOID	attribute_id
Opcode	opcode
OperationType	operation_type
SeverityValue	severity
ObjectDN	object
EventID	event_id
DSType	service_type
AttributeValue	attribute_value
AppCorrelationID	application_id
ObjectClass	class
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5137¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
DSName	service
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ObjectGUID	service_guid
SubjectLogonId	logon_id
OpCorrelationID	operation_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SeverityValue	severity
ObjectDN	object
EventID	event_id
DSType	service_type
AppCorrelationID	application_id
ObjectClass	class
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5139¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
DSName	service
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
OldObjectDN	object
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ObjectGUID	object_guid
SubjectLogonId	logon_id
OpCorrelationID	operation_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SubjectUserSid	user_id
EventID	event_id
DSType	service_type
AppCorrelationID	application_id
NewObjectDN	new_object
ObjectClass	class
ActivityID	activity_id
SubjectDomainName	domain
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5140¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
SubjectUserName	user
AccessList	access
Version	version
ThreadID	thread_id
IpAddress	source_address
Channel	channel
AccessMask	access_mask
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubjectLogonId	logon_id
ObjectType	object_type
IpPort	source_port
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SeverityValue	severity
EventID	event_id
SubjectDomainName	domain
ShareName	share_name
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5141¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
DSName	service
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
TreeDelete	tree_delete
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ObjectGUID	object_guid
SubjectLogonId	logon_id
OpCorrelationID	operation_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SeverityValue	severity
ObjectDN	object
EventID	event_id
DSType	service_type
AppCorrelationID	application_id
ObjectClass	class
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5142¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
ShareLocalPath	share_path
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SeverityValue	severity
EventID	event_id
SubjectDomainName	domain
ShareName	share_name
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5143¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
ShareLocalPath	share_path
SubjectUserName	user
Version	version
ThreadID	thread_id
NewShareFlags	new_flag
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
NewMaxUsers	new_max_user
OldSD	old_sd
OldMaxUsers	old_max_user
SubjectLogonId	logon_id
ObjectType	object_type
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OldShareFlags	old_flag
OpcodeValue	opcode_value
NewRemark	new_remark
OldRemark	old_remark
Opcode	opcode
NewSD	new_sd
SeverityValue	severity
EventID	event_id
OldSd	old_sd
SubjectDomainName	domain
NewSd	new_sd
ShareName	share_name
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5144¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
ShareLocalPath	share_path
SubjectUserName	user
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SeverityValue	severity
EventID	event_id
SubjectDomainName	domain
ShareName	share_name
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5145¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
ShareLocalPath	share_path
SubjectUserName	user
AccessList	access
Version	version
ThreadID	thread_id
IpAddress	source_address
Channel	channel
AccessMask	access_mask
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubjectLogonId	logon_id
ObjectType	object_type
IpPort	source_port
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
SeverityValue	severity
AccessReason	reason
EventID	event_id
RelativeTargetName	relative_target
SubjectDomainName	domain
ShareName	share_name
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5152¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
protocol	protocol
Severity	log_level
Hostname	host
Application	application
Version	version
ThreadID	thread_id
SourceAddress	source_address
DestPort	destination_port
Channel	channel
Direction	direction
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
LayerRTID	layer_id
LayerName	layer
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
SourcePort	source_port
Opcode	opcode
DestAddress	destination_address
EventID	event_id
FilterRTID	filter_id
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5154¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Application	application
Version	version
ThreadID	thread_id
SourceAddress	source_address
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
LayerRTID	layer_id
LayerName	layer
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Keywords	keyword
Opcode	opcode
EventID	event_id
FilterRTID	filter_id
SourcePort	source_port
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5156¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
protocol	protocol
Severity	log_level
RemoteUserID	user_id
Hostname	host
Application	application
Version	version
ThreadID	thread_id
SourceAddress	source_address
DestPort	destination_port
Channel	channel
Direction	direction
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
LayerRTID	layer_id
LayerName	layer
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
SourcePort	source_port
Opcode	opcode
DestAddress	destination_address
EventID	event_id
FilterRTID	filter_id
RemoteMachineID	machine_id
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5157¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
protocol	protocol
Severity	log_level
RemoteUserID	user_id
Hostname	host
Application	application
Version	version
ThreadID	thread_id
SourceAddress	source_address
DestPort	destination_port
Channel	channel
Direction	direction
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
LayerRTID	layer_id
LayerName	layer
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
SourcePort	source_port
Opcode	opcode
DestAddress	destination_address
EventID	event_id
FilterRTID	filter_id
RemoteMachineID	machine_id
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5158¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Application	application
Version	version
ThreadID	thread_id
SourceAddress	source_address
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
LayerRTID	layer_id
LayerName	layer
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Keywords	keyword
Opcode	opcode
EventID	event_id
FilterRTID	filter_id
SourcePort	source_port
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5169¶

Windows Field	Logpoint Field
Category	event_category
Severity	log_level
Hostname	host
DSName	service
SubjectUserName	user
Version	version
ExecutionThreadID	thread_id
Channel	channel
AttributeLDAPDisplayName	ldap_display
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ObjectGUID	service_guid
SubjectLogonId	logon_id
OpCorrelationID	operation_id
ExecutionProcessID	execution_process_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
AttributeSyntaxOID	attribute_id
Opcode	opcode
OperationType	operation_type
SeverityValue	severity
ObjectDN	object
EventID	event_id
DSType	service_type
AttributeValue	attribute_value
AppCorrelationID	application_id
ObjectClass	class
ActivityID	activity_id
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5170¶

Windows Field	Logpoint Field
Category	event_category
Severity	log_level
Hostname	host
DSName	service
SubjectUserName	user
Version	version
ExecutionThreadID	thread_id
Channel	channel
AttributeLDAPDisplayName	ldap_display
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ObjectGUID	service_guid
SubjectLogonId	logon_id
OpCorrelationID	operation_id
ExecutionProcessID	execution_process_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
AttributeSyntaxOID	attribute_id
Opcode	opcode
OperationType	operation_type
SeverityValue	severity
ExpirationTime	exipre_ts
ObjectDN	object
EventID	event_id
DSType	service_type
AttributeValue	attribute_value
AppCorrelationID	application_id
ObjectClass	class
ActivityID	activity_id
SubjectDomainName	domain
Keywords	keyword
SubjectUserSid	user_id
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5440¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
ProviderName	provider
ProviderKey	provider_key
Hostname	host
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
LayerKey	layer_key
LayerName	layer
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
CalloutKey	callout_key
CalloutType	callout_type
Opcode	opcode
LayerId	layer_id
EventID	event_id
CalloutId	callout_id
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
CalloutName	callout
EventReceivedTime	event_ts

Event ID: 5441¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
ProviderName	provider
ProviderKey	provider_key
FilterName	filter
FilterKey	filter_key
Hostname	host
Version	version
ThreadID	thread_id
Conditions	condition
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
LayerKey	layer_key
LayerName	layer
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
CalloutKey	callout_key
FilterId	filter_id
Opcode	opcode
LayerId	layer_id
EventID	event_id
Weight	weight
FilterType	filter_type
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
CalloutName	callout
EventReceivedTime	event_ts

Event ID: 5442¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
ProviderName	provider
ProviderKey	provider_key
Hostname	host
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
EventID	event_id
ProviderType	provider_type
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5444¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
ProviderName	provider
ProviderKey	provider_key
SubLayerName	layer
SubLayerKey	layer_key
Hostname	host
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubLayerType	layer_type
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
EventID	event_id
Weight	weight
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5446¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
ProviderName	provider
ProviderKey	provider_key
Hostname	host
Version	version
ThreadID	thread_id
UserSid	user_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
LayerKey	layer_key
LayerName	layer
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
CalloutKey	callout_key
CalloutType	callout_type
Opcode	opcode
LayerId	layer_id
EventID	event_id
ChangeType	action
UserName	user
ActivityID	activity_id
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
CalloutId	callout_id
CalloutName	callout
EventReceivedTime	event_ts

Event ID: 5447¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
ProviderName	provider
ProviderKey	provider_key
FilterName	filter
FilterKey	filter_key
Hostname	host
Version	version
ThreadID	thread_id
UserSid	user_id
Conditions	condition
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
LayerKey	layer_key
LayerName	layer
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
CalloutKey	callout_key
FilterId	filter_id
Opcode	opcode
LayerId	layer_id
EventID	event_id
Weight	weight
ChangeType	action
FilterType	filter_type
UserName	user
ActivityID	activity_id
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
CalloutName	callout
EventReceivedTime	event_ts

Event ID: 5448¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
ProviderName	provider
ProviderKey	provider_key
Hostname	host
Version	version
ThreadID	thread_id
UserSid	user_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
EventID	event_id
ChangeType	action
ProviderType	provider_type
UserName	user
ActivityID	activity_id
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5449¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
ProviderName	provider
ProviderKey	provider_key
Hostname	host
Version	version
ThreadID	thread_id
UserSid	user_id
Channel	channel
ProviderContextName	context
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ProviderContextKey	context_key
ProviderContextType	context_type
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
EventID	event_id
ChangeType	action
UserName	user
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5450¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
ProviderName	provider
ProviderKey	provider_key
SubLayerName	layer
SubLayerKey	layer_key
Hostname	host
Version	version
ThreadID	thread_id
UserSid	user_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubLayerType	layer_type
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
EventID	event_id
Weight	weight
ChangeType	action
UserName	user
ActivityID	activity_id
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 5478¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
EventID	event_id
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 6144¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
GPOList	gpo
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
ErrorCode	status_code
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
Opcode	opcode
EventID	event_id
ActivityID	activity_id
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 6272¶

Windows Field	Logpoint Field
Category	event_category
CalledStationID	called_station_id
Severity	log_level
NASIPv6Address	nas_ipv6_address
FullyQualifiedSubjectMachineName	machine_name
Hostname	host
SubjectUserName	user
NASPortType	nas_port_type
Version	version
ExecutionThreadID	execution_thread_id
SubjectMachineName	machine
AuthenticationServer	authentication_server
Channel	channel
CallingStationID	calling_station_id
AuthenticationType	authentication_type
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
NASIPv4Address	nas_address
ProxyPolicyName	proxy_policy
ClientName	target_user
AuthenticationProvider	authentication_provider
LoggingResult	result
ExecutionProcessID	execution_process_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
FullyQualifiedSubjectUserName	username
Opcode	opcode
SeverityValue	severity
NetworkPolicyName	policy
NASPort	nas_port
NASIdentifier	nas_id
EventID	event_id
SubjectMachineSID	machine_id
AccountSessionIdentifier	account_session_id
ActivityID	activity_id
SubjectDomainName	domain
ClientIPAddress	source_address
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EAPType	eap_type
EventReceivedTime	event_ts

Event ID: 6273¶

Windows Field	Logpoint Field
Category	event_category
CalledStationID	called_station_id
Severity	log_level
NASIPv6Address	nas_ipv6_address
FullyQualifiedSubjectMachineName	machine_name
Hostname	host
SubjectUserName	user
NASPortType	nas_port_type
Version	version
ExecutionThreadID	execution_thread_id
SubjectMachineName	machine
AuthenticationServer	authentication_server
Channel	channel
CallingStationID	calling_station_id
AuthenticationType	authentication_type
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
NASIPv4Address	nas_address
Reason	reason
ProxyPolicyName	proxy_policy
ClientName	target_user
ReasonCode	status_code
AuthenticationProvider	authentication_provider
LoggingResult	result
ExecutionProcessID	execution_process_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
FullyQualifiedSubjectUserName	username
Opcode	opcode
SeverityValue	severity
NetworkPolicyName	policy
NASPort	nas_port
NASIdentifier	nas_id
EventID	event_id
SubjectMachineSID	machine_id
AccountSessionIdentifier	account_session_id
ActivityID	activity_id
SubjectDomainName	domain
ClientIPAddress	source_address
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EAPType	eap_type
EventReceivedTime	event_ts

Event ID: 6274¶

Windows Field	Logpoint Field
Category	event_category
CalledStationID	called_station_id
Severity	log_level
NASIPv6Address	nas_ipv6_address
FullyQualifiedSubjectMachineName	machine_name
Hostname	host
SubjectUserName	user
NASPortType	nas_port_type
Version	version
ExecutionThreadID	execution_thread_id
SubjectMachineName	machine
AuthenticationServer	authentication_server
Channel	channel
CallingStationID	calling_station_id
AuthenticationType	authentication_type
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
NASIPv4Address	nas_address
Reason	reason
ProxyPolicyName	proxy_policy
ClientName	target_user
ReasonCode	status_code
AuthenticationProvider	authentication_provider
ExecutionProcessID	execution_process_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
FullyQualifiedSubjectUserName	username
Opcode	opcode
SeverityValue	severity
NetworkPolicyName	policy
NASPort	nas_port
NASIdentifier	nas_id
EventID	event_id
SubjectMachineSID	machine_id
AccountSessionIdentifier	account_session_id
ActivityID	activity_id
SubjectDomainName	domain
ClientIPAddress	source_address
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EAPType	eap_type
EventReceivedTime	event_ts

Event ID: 6278¶

Windows Field	Logpoint Field
Category	event_category
CalledStationID	called_station_id
Severity	log_level
NASIPv6Address	nas_ipv6_address
FullyQualifiedSubjectMachineName	machine_name
Hostname	host
QuarantineState	quarantine_state
SubjectUserName	user
NASPortType	nas_port_type
Version	version
ExecutionThreadID	execution_thread_id
SubjectMachineName	machine
AuthenticationServer	authentication_server
Channel	channel
MachineInventory	machine_inventory
CallingStationID	calling_station_id
AuthenticationType	authentication_type
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
NASIPv4Address	nas_address
QuarantineSystemHealthResult	quarantine_system_health_result
ProxyPolicyName	proxy_policy
ClientName	target_user
AuthenticationProvider	authentication_provider
ExtendedQuarantineState	extended_quarantine_state
ExecutionProcessID	execution_process_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
FullyQualifiedSubjectUserName	username
QuarantineHelpURL	quarantine_help_url
Opcode	opcode
SeverityValue	severity
NetworkPolicyName	policy
NASPort	nas_port
NASIdentifier	nas_id
EventID	event_id
QuarantineSessionID	quarantine_session_id
SubjectMachineSID	machine_id
AccountSessionIdentifier	account_session_id
ActivityID	activity_id
SubjectDomainName	domain
ClientIPAddress	source_address
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EAPType	eap_type
EventReceivedTime	event_ts

Event ID: 6416¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
VendorIds	vendor_id
Hostname	host
SubjectUserName	user
ClassName	class
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module
SubjectLogonId	logon_id
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
LocationInformation	location
Opcode	opcode
SeverityValue	severity
EventID	event_id
DeviceDescription	device_description
CompatibleIds	compatible_id
ClassId	class_id
SubjectDomainName	domain
DeviceId	device_id
Keywords	keyword
SubjectUserSid	user_id
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Microsoft-Windows-Winlogon¶

Event ID: 7001¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
UserID	user_id
Version	version
ThreadID	thread_id
UserSid	target_id
Channel	channel
SourceName	event_source
EventType	event_type
ProviderGuid	guid
EventTime	log_ts
Task	task
OpcodeValue	opcode_value
AccountName	user
Opcode	opcode
EventID	event_id
Domain	domain
TSId	ts_id
AccountType	account_type
Keywords	keywords
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Microsoft-Windows-RestartManager¶

Event ID: 10005¶

Windows Field	Logpoint Field
Category	event_category
Severity	log_level
nApplications	application_count
Hostname	host
UserID	user_id
Application	application
RebootReasons	reason
ExecutionThreadID	execution_thread_id
Channel	channel
SourceName	event_source
EventType	event_type
ExecutionProcessID	execution_process_id
EventID	event_id
EventTime	log_ts
RmSessionId	session_id
AccountName	user
Opcode	opcode
ProviderGuid	guid
UserData	user_data
Domain	domain
AccountType	account_type
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Microsoft-Windows-GroupPolicy¶

Event ID: 1502¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
UserID	user_id
Version	version
ThreadID	thread_id
Channel	channel
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
DCName	target_domain
ProviderGuid	guid
EventTime	log_ts
Task	event_task
OpcodeValue	opcode_value
ProcessingMode	processing_mode
AccountName	user
Opcode	opcode
EventID	event_id
Domain	domain
SupportInfo2	support_info2
SupportInfo1	support_info1
NumberOfGroupPolicyObjects	object_count
ActivityID	activity_id
ProcessingTimeInMilliseconds	duration
AccountType	account_type
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Microsoft-Windows-TaskScheduler¶

Event ID: 129¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
UserID	user_id
Priority	priority
ExecutionThreadID	execution_thread_id
Channel	channel
SourceName	event_source
EventType	event_type
TaskValue	task_value
Path	path
ExecutionProcessID	execution_process_id
EventID	event_id
EventTime	log_ts
OpcodeValue	opcode_value
AccountName	user
Opcode	opcode
TaskName	task
ProviderGuid	guid
Domain	domain
AccountType	account_type
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

PowerShell¶

Event ID: 300¶

Windows Field	Logpoint Field
ExceptionClass	exception_class
ErrorCategory	error_type
ErrorId	error_id
ErrorMessage	error_message
HostName	hostname
ScriptName	script
CommandPath	command_path
Details	details
CommandName	command

Event ID: 800¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
ThreadID	thread_id
Channel	channel
SequenceNumber	sequence_number
SourceName	event_source
EventType	event_type
HostName	hostname
UserId	user
DetailSequence	detail_sequence
HostApplication	application
DetailTotal	detail_total
EventTime	log_ts
Task	task
CommandLine	command
ScriptName	script
Opcode	opcode
EngineVersion	engine_version
Message	message
EventID	event_id
HostVersion	host_version
HostId	host_id
PipelineId	pipeline_id
SeverityValue	severity
EventData	event_data
RunspaceId	space_id
RecordNumber	record
EventReceivedTime	event_ts

Event ID: -¶

Windows Field	Logpoint Field
hostversion	host_version
newenginestate	engine_state
previousenginestate	old_engine_state
newproviderstate	provider_state
commandtype	command_type
newcommandstate	command_state
request	domain

Microsoft-Windows-TerminalServices-Printers¶

Event ID: 1111¶

Windows Field	Logpoint Field
EventID	event_id
ProviderGuid	guid
EventTime	log_ts
Task	task
Severity	log_level
OpcodeValue	opcode_value
ProcessID	process_id
SourceName	event_source
EventType	event_type
Hostname	host
Category	event_category
Version	version
Opcode	opcode
ThreadID	thread_id
Keywords	keywords
SeverityValue	severity
Message	message
EventReceivedTime	event_ts
RecordNumber	record
Channel	channel
EventData	event_data

Microsoft-Windows-TerminalServices-LocalSessionManager¶

Event ID: 21¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Hostname	host
UserID	user_id
SourceNetworkAddress	source_address
ThreadID	thread_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
SessionID	session_id
User	user
ProviderGuid	guid
EventTime	log_ts
OpcodeValue	opcode_value
Session_ID	session_id
AccountName	workstation
Source_Network_Address	source_address
EventID	event_id
AccountType	account_type
SeverityValue	severity
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 22¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Hostname	host
UserID	user_id
SourceNetworkAddress	source_address
ThreadID	thread_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
SessionID	session_id
User	user
ProviderGuid	guid
EventTime	log_ts
OpcodeValue	opcode_value
Session_ID	session_id
AccountName	workstation
Source_Network_Address	source_address
EventID	event_id
AccountType	account_type
SeverityValue	severity
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 23¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Hostname	host
UserID	user_id
SourceNetworkAddress	source_address
ThreadID	thread_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
SessionID	session_id
User	user
ProviderGuid	guid
EventTime	log_ts
OpcodeValue	opcode_value
Session_ID	session_id
AccountName	workstation
Source_Network_Address	source_address
EventID	event_id
AccountType	account_type
SeverityValue	severity
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 24¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Hostname	host
UserID	user_id
SourceNetworkAddress	source_address
ThreadID	thread_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
SessionID	session_id
User	user
ProviderGuid	guid
EventTime	log_ts
OpcodeValue	opcode_value
Session_ID	session_id
AccountName	workstation
Source_Network_Address	source_address
EventID	event_id
AccountType	account_type
SeverityValue	severity
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 25¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Hostname	host
UserID	user_id
SourceNetworkAddress	source_address
ThreadID	thread_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
SessionID	session_id
User	user
ProviderGuid	guid
EventTime	log_ts
OpcodeValue	opcode_value
Session_ID	session_id
AccountName	workstation
Source_Network_Address	source_address
EventID	event_id
AccountType	account_type
SeverityValue	severity
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 41¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Hostname	host
UserID	user_id
SourceNetworkAddress	source_address
ThreadID	thread_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
SessionID	session_id
User	user
ProviderGuid	guid
EventTime	log_ts
OpcodeValue	opcode_value
Session_ID	session_id
AccountName	workstation
Source_Network_Address	source_address
EventID	event_id
AccountType	account_type
SeverityValue	severity
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 42¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Hostname	host
UserID	user_id
SourceNetworkAddress	source_address
ThreadID	thread_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
SessionID	session_id
User	user
ProviderGuid	guid
EventTime	log_ts
OpcodeValue	opcode_value
Session_ID	session_id
AccountName	workstation
Source_Network_Address	source_address
EventID	event_id
AccountType	account_type
SeverityValue	severity
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 1101¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Hostname	host
UserID	user_id
SourceNetworkAddress	source_address
ThreadID	thread_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
SessionID	session_id
User	user
ProviderGuid	guid
EventTime	log_ts
OpcodeValue	opcode_value
Session_ID	session_id
AccountName	workstation
Source_Network_Address	source_address
EventID	event_id
AccountType	account_type
SeverityValue	severity
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 1102¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Hostname	host
UserID	user_id
SourceNetworkAddress	source_address
ThreadID	thread_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
SessionID	session_id
User	user
ProviderGuid	guid
EventTime	log_ts
OpcodeValue	opcode_value
Session_ID	session_id
AccountName	workstation
Source_Network_Address	source_address
EventID	event_id
AccountType	account_type
SeverityValue	severity
RecordNumber	record
EventReceivedTime	event_ts
UserName	target_user
DomainName	target_domain
UserSid	user_id
LogonId	logon_id

Event ID: 1103¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Hostname	host
UserID	user_id
SourceNetworkAddress	source_address
ThreadID	thread_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
SessionID	session_id
User	user
ProviderGuid	guid
EventTime	log_ts
OpcodeValue	opcode_value
Session_ID	session_id
AccountName	workstation
Source_Network_Address	source_address
EventID	event_id
AccountType	account_type
SeverityValue	severity
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 1104¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Hostname	host
UserID	user_id
SourceNetworkAddress	source_address
ThreadID	thread_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
SessionID	session_id
User	user
ProviderGuid	guid
EventTime	log_ts
OpcodeValue	opcode_value
Session_ID	session_id
AccountName	workstation
Source_Network_Address	source_address
EventID	event_id
AccountType	account_type
SeverityValue	severity
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 1105¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Hostname	host
UserID	user_id
SourceNetworkAddress	source_address
ThreadID	thread_id
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
SessionID	session_id
User	user
ProviderGuid	guid
EventTime	log_ts
OpcodeValue	opcode_value
Session_ID	session_id
AccountName	workstation
Source_Network_Address	source_address
EventID	event_id
AccountType	account_type
SeverityValue	severity
RecordNumber	record
EventReceivedTime	event_ts

MsiInstaller¶

Event ID: 1040¶

Windows Field	Logpoint Field
EventID	event_id
ProcessID	parent_process_id
EventTime	log_ts
SourceName	event_source
EventType	event_type
ExecutionProcessID	execution_process_id
Hostname	host
UserID	user_id
Category	event_category
AccountName	user
EventData	event_data
ExecutionThreadID	execution_thread_id
AccountType	account_type
ThreadID	thread_id
SeverityValue	severity
FileName	file
RecordNumber	record
TaskValue	task_value
EventReceivedTime	event_ts

Event ID: 1042¶

Windows Field	Logpoint Field
EventID	event_id
ProcessID	parent_process_id
EventTime	log_ts
SourceName	event_source
EventType	event_type
ExecutionProcessID	execution_process_id
Hostname	host
UserID	user_id
Category	event_category
AccountName	user
EventData	event_data
ExecutionThreadID	execution_thread_id
AccountType	account_type
ThreadID	thread_id
SeverityValue	severity
FileName	file
RecordNumber	record
TaskValue	task_value
EventReceivedTime	event_ts

Service Control Manager¶

Event ID: 7000¶

Windows Field	Logpoint Field
EventTime	log_ts
Hostname	host
Keywords	keywords
EventType	event_type
SeverityValue	severity
Severity	log_level
EventID	event_id
SourceName	event_source
ProviderGuid	guid
Version	version
Task	task
OpcodeValue	opcode_value
RecordNumber	record
ExecutionProcessID	process_id
ExecutionThreadID	threat_id
Channel	channel
Message	message
param1	service
param2	reason
EventReceivedTime	event_ts
SourceModuleName	source_module
SourceModuleType	source_module_type

Event ID: 7034¶

Windows Field	Logpoint Field
EventTime	log_ts
Hostname	host
Keywords	keywords
EventType	event_type
SeverityValue	severity
Severity	log_level
EventID	event_id
SourceName	event_source
ProviderGuid	guid
Version	version
Task	task
OpcodeValue	opcode_value
RecordNumber	record
ExecutionProcessID	process_id
ExecutionThreadID	threat_id
Channel	channel
Message	message
param1	service
param2	reason
EventReceivedTime	event_ts
SourceModuleName	source_module
SourceModuleType	source_module_type

Event ID: 7036¶

Windows Field	Logpoint Field
EventTime	log_ts
Hostname	host
Keywords	keywords
EventType	event_type
SeverityValue	severity
Severity	log_level
EventID	event_id
SourceName	event_source
ProviderGuid	guid
Version	version
Task	task
OpcodeValue	opcode_value
RecordNumber	record
ExecutionProcessID	process_id
ExecutionThreadID	threat_id
Channel	channel
Message	message
param1	service
param2	reason
EventReceivedTime	event_ts
SourceModuleName	source_module
SourceModuleType	source_module_type

Event ID: 7040¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
UserID	user_id
Version	version
ThreadID	thread_id
Channel	channel
SourceName	event_source
EventType	event_type
ProviderGuid	guid
EventTime	log_ts
Task	task
AccountType	account_type
OpcodeValue	opcode_value
AccountName	user
EventID	event_id
Domain	domain
param4	object_type
param3	new_value
param2	old_value
param1	object
Keywords	keywords
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 7045¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
UserID	user_id
Version	version
ThreadID	thread_id
Channel	channel
SourceName	event_source
EventType	event_type
ProviderGuid	guid
EventTime	log_ts
Task	task
OpcodeValue	opcode_value
ServiceType	service_type
AccountName	user
ServiceName	service
EventID	event_id
Domain	domain
ImagePath	image
StartType	start_type
AccountType	account_type
Keywords	keywords
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

User32¶

The following table maps the Windows fields of the User32 to the Logpoint taxonomy.

Event ID: 1074¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
UserID	user_id
ThreadID	thread_id
Channel	channel
SourceName	event_source
EventType	event_type
HostName	host
EventID	event_id
EventTime	log_ts
param1	application
AccountName	account
ProviderGuid	guid
Domain	domain
param7	user
param6	comment
param5	shutdown_type
param4	reason_code
param3	reason
param2	workstation
AccountType	account_type
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

ADSync¶

Event ID: 6946¶

Windows Field	Logpoint Field
ExecutionProcessID	execution_process_id
EventID	event_id
EventTime	log_ts
Severity	log_level
RecordNumber	record
Connector_name	connector
EventType	event_type
IsRecycleBinEnabled	is_recycle_bin_enable
Hostname	host
Login_User_name	user
Category	event_category
SourceName	event_source
Login_User_domain	domain
ExecutionThreadID	execution_thread_id
TaskValue	task_value
SeverityValue	severity
EventReceivedTime	event_receive_ts
EventData	event_data
Deleted_Objects_Container	path

SceCli¶

Event ID: 1704¶

Windows Field	Logpoint Field
EventID	event_id
ProcessID	process_id
EventTime	log_ts
Task	event_task
Severity	log_level
SourceModuleType	source_module_type
SourceName	event_source
EventType	event_type
SourceModuleName	source_module_name
Hostname	host
Category	event_category
ProviderGuid	guid
ThreadID	thread_id
Keywords	keyword
SeverityValue	severity
Message	message
RecordNumber	record
Channel	channel
EventReceivedTime	event_ts

Microsoft-Windows-Eventlog¶

Event ID: 1100¶

Windows Field	Logpoint Field
EventID	event_id
ProviderGuid	guid
EventTime	log_ts
Task	task
Severity	log_level
OpcodeValue	opcode_value
ProcessID	process_id
SourceName	event_source
EventType	event_type
Hostname	host
Category	event_category
Version	version
Opcode	opcode
ThreadID	thread_id
Keywords	keywords
SeverityValue	severity
Message	message
RecordNumber	record
Channel	channel
EventReceivedTime	event_ts

Windows_Error_Reporting¶

Event ID: 1001¶

Windows Field	Logpoint Field
EventID	event_id
ProcessID	process_id
EventTime	log_ts
Task	event_task
Severity	log_level
SourceName	event_source
EventType	event_type
Hostname	host
Category	event_category
ProviderGuid	guid
ThreadID	thread_id
SeverityValue	severity
RecordNumber	record
EventReceivedTime	event_ts

Microsoft-Windows-AppLocker¶

Event ID: 8002¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
UserID	user_id
FileHashLength	hash_length
TargetProcessId	target_process_id
ThreadID	thread_id
Channel	channel
FqbnLength	fqbn_length
PolicyNameLength	policy_length
SourceName	event_source
EventType	event_type
PolicyName	policy
EventTime	log_ts
OpcodeValue	opcode_value
UserData	user_data
TargetUser	target_user
Fqbn	fqbn
AccountName	user
RuleNameLength	rule_length
RuleSddl	rule_sddl
Opcode	opcode
EventID	event_id
RuleSddlLength	rule_sddl_length
ProviderGuid	guid
FilePathLength	path_length
Domain	domain
FileHash	hash
RuleId	rule_id
FilePath	path
TargetLogonId	target_logon_id
AccountType	account_type
RuleName	rule
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts
FullFilePathLength	full_path_length
FullFilePath	full_path

Event ID: 8003¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
UserID	user_id
ThreadID	thread_id
Channel	channel
PolicyNameLength	policy_length
SourceName	event_source
EventType	event_type
PolicyName	policy
EventTime	log_ts
OpcodeValue	opcode_value
TargetUser	target_user
AccountName	user
RuleNameLength	rule_length
Opcode	opcode
EventID	event_id
RuleSddlLength	rule_ssid_length
ProviderGuid	guid
UserData	user_data
Domain	domain
RuleId	rule_id
TargetLogonId	target_logon_id
AccountType	account_type
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 8005¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
UserID	user_id
ThreadID	thread_id
Channel	channel
PolicyNameLength	policy_length
SourceName	event_source
EventType	event_type
PolicyName	policy
EventTime	log_ts
OpcodeValue	opcode_value
TargetUser	target_user
AccountName	user
RuleNameLength	rule_length
Opcode	opcode
EventID	event_id
RuleSddlLength	rule_ssid_length
ProviderGuid	guid
UserData	user_data
Domain	domain
RuleId	rule_id
TargetLogonId	target_logon_id
AccountType	account_type
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 8020¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
UserID	user_id
ThreadID	thread_id
Channel	channel
PolicyNameLength	policy_length
SourceName	event_source
EventType	event_type
PolicyName	policy
EventTime	log_ts
OpcodeValue	opcode_value
TargetUser	target_user
AccountName	user
RuleNameLength	rule_length
Opcode	opcode
EventID	event_id
RuleSddlLength	rule_ssid_length
ProviderGuid	guid
UserData	user_data
Domain	domain
RuleId	rule_id
TargetLogonId	target_logon_id
AccountType	account_type
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts
PackageLength	package_length
Package	package

Microsoft-Windows-PrintService¶

Event ID: 300¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
UserID	user_id
Version	version
ThreadID	thread_id
Channel	channel
SourceName	event_source
EventType	event_type
ProviderGuid	guid
EventTime	log_ts
Task	task
OpcodeValue	opcode_value
AccountName	user
Opcode	opcode
Param1	printer
EventID	event_id
UserData	user_data
Domain	domain
AccountType	account_type
Keywords	keywords
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 306¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
UserID	user_id
Version	version
ThreadID	thread_id
Channel	channel
SourceName	event_source
EventType	event_type
ProviderGuid	guid
EventTime	log_ts
Task	task
OpcodeValue	opcode_value
AccountName	user
Opcode	opcode
Param1	printer
EventID	event_id
UserData	user_data
Domain	domain
AccountType	account_type
Keywords	keywords
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 307¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
UserID	user_id
Version	version
ThreadID	thread_id
Channel	channel
SourceName	event_source
EventType	event_type
ProviderGuid	guid
EventTime	log_ts
Task	task
OpcodeValue	opcode_value
AccountName	user
Param7	datasize
Param6	port
Param5	printer
Param4	workstation
Param3	user
Param2	document
Param1	document_number
Opcode	opcode
Param8	print_count
EventID	event_id
UserData	user_data
Domain	domain
AccountType	account_type
Keywords	keywords
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 310¶

Windows Field	Logpoint Field
Opcode	Opcode
ProcessID	process_id
Severity	log_level
Hostname	host
UserID	user_id
Version	version
ThreadID	thread_id
Channel	channel
SourceName	event_source
EventType	event_type
ProviderGuid	guid
EventTime	log_ts
Task	task
OpcodeValue	opcode_value
Category	event_category
AccountName	user
Param4	workstation
Param3	user
Param2	document
Param1	document_number
EventID	event_id
UserData	user_data
Domain	domain
AccountType	account_type
Keywords	keywords
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 603¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
UserID	user_id
Version	version
ThreadID	thread_id
Channel	channel
SourceName	event_source
EventType	event_type
ProviderGuid	guid
EventTime	log_ts
Task	task
OpcodeValue	opcode_value
AccountName	user
Opcode	opcode
EventID	event_id
UserData	user_data
Domain	domain
AccountType	account_type
Keywords	keywords
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 800¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
UserID	user_id
Version	version
ThreadID	thread_id
Channel	channel
SourceName	event_source
EventType	event_type
JobId	job_id
ProviderGuid	guid
EventTime	log_ts
Task	task
OpcodeValue	opcode_value
AccountName	user
Opcode	opcode
EventID	event_id
UserData	user_data
Domain	domain
AccountType	account_type
Keywords	keywords
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 801¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
UserID	user_id
Version	version
ThreadID	thread_id
Channel	channel
SourceName	event_source
EventType	event_type
JobId	job_id
ProviderGuid	guid
EventTime	log_ts
Task	task
OpcodeValue	opcode_value
AccountName	user
Opcode	opcode
EventID	event_id
UserData	user_data
Domain	domain
AccountType	account_type
Keywords	keywords
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 802¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
UserID	user_id
Version	version
ThreadID	thread_id
Channel	channel
JobSize	datasize
SourceName	event_source
EventType	event_type
JobId	job_id
Pages	page_count
ProviderGuid	guid
EventTime	log_ts
Task	task
OpcodeValue	opcode_value
AccountName	user
Opcode	opcode
EventID	event_id
UserData	user_data
Domain	domain
AccountType	account_type
Keywords	keywords
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 805¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
UserID	user_id
Version	version
ThreadID	thread_id
Channel	channel
SourceName	event_source
EventType	event_type
ProviderGuid	guid
EventTime	log_ts
Task	task
OpcodeValue	opcode_value
AccountName	user
Opcode	opcode
EventID	event_id
UserData	user_data
Domain	domain
AccountType	account_type
Keywords	keywords
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 812¶

Windows Field	Logpoint Field
Opcode	opcode
ProcessID	process_id
Severity	log_level
Destination	destination
UserID	user_id
Source	source
Version	version
ThreadID	thread_id
Channel	channel
SourceName	event_source
EventType	event_type
ErrorCode	status_code
ProviderGuid	guid
EventTime	log_ts
Task	task
OpcodeValue	opcode_value
Category	event_category
AccountName	user
Flags	flag
EventID	event_id
UserData	user_data
Domain	domain
Hostname	host
AccountType	account_type
Keywords	keywords
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

Event ID: 842¶

Windows Field	Logpoint Field
Category	event_category
ProcessID	process_id
Severity	log_level
Hostname	host
UserID	user_id
Version	version
ThreadID	thread_id
Channel	channel
SourceName	event_source
EventType	event_type
JobId	job_id
ErrorCode	status_code
ProviderGuid	guid
EventTime	log_ts
Task	task
OpcodeValue	opcode_value
AccountName	user
Opcode	opcode
EventID	event_id
UserData	user_data
Domain	domain
AccountType	account_type
Keywords	keywords
SeverityValue	severity
Message	message
RecordNumber	record
EventReceivedTime	event_ts

DefaultJSONEventSource¶

Windows Field	Logpoint Field
UserName	user
Severity	log_level
Service	service
UserParameters	user_parameter
FileHash	hash
LayerId	layer_id
DSName	ds_name
ServicePrincipalNames	service_principal_name
GPOList	gpo
AccessList	access
DomainSid	domain_id
OldSd	old_sd
FileHashLength	file_hash_length
Activity ID	activity_id
TargetProcessId	target_process_id
TargetSid	target_id
TransactionId	transaction_id
ClientName	remote_user
SourceName	event_source
Direction	direction
TreeDelete	tree_delete
TargetLogonGuid	target_logon_guid
NewState	new_state
NewTargetUserName	new_target_user
SubStatus	substatus
CallerIdentity	caller_identity
RD	received_datasize
Thread_ID	event_thread_id
PasswordProperties	password_properties
OldSD	old_sd
MinPasswordLength	minimum_password_length
TicketEncryptionType	ticket_encryption_type
HomePath	home_path
TargetUserName	target_user
DCName	target_domain
PacketData	packet_data
RelativeTargetName	relative_target_name
HostApplication	application
ExecutionProcessID	execution_process_id
PolicyName	policy
Task	event_task
XID	exchange_id
EventId	event_id
MemberName	member
CommandLine	command
SubcategoryId	subcategory_id
Querystring	query
FilterId	filter_id
ShareLocalPath	share_path
ClientUserName	user
Opcode	opcode
MaxPasswordAge	maximum_password_age
NewSd	new_sd
SubjectUserName	user
CategoryId	category_id
FilePathLength	file_path_length
HostId	host_id
Protocol	protocol
AttributeValue	value
ResourceManager	resource_manager
RuleId	rule_id
PipelineId	pipeline_id
FilterType	filter_type
UserPrincipalName	user_principal_name
ClientAddress	source_address
LockoutThreshold	lockout_threshold
ProcessingTimeInMilliseconds	processing_time
RunspaceId	runspace_id
AccountDomain	domain
Event	event
Request_path	path
RuleSddl	rule_ssdl
DisplayName	display_name
TokenElevationType	token_elevation_type
DomainName	domain
PackageName	package
QNAME	request
Application	application
TicketOptions	ticket_option
AuditSourceName	audit_source
Account_name	account
SessionName	session
HomeDirectory	home_directory
UserSid	user_id
Process_ID	event_process_id
TargetServerName	target_server
Channel	channel
Source_Network_Address	source_address
OldUacValue	old_value
UserWorkstations	workstation
SourceHandleId	handle_id
LocalPort	local_port
SourceAddress	source_address
client_request_id	request_id
ActivityID	activity_id
TCP	tcp
TargetLogonId	target_logon_id
TargetUser	target_user
SidHistory	sid_history
TaskValue	task_value
PasswordHistoryLength	password_history_length
InterfaceIP	host_address
LayerName	layer_name
FailureReason	reason
Workstation	workstation
LmPackageName	package_name
MappingBy	authentication_package
DomainPolicyChanged	domain_policy_changed
X_MS_Forwarded_Client_IP	source_address
LogonHours	logon_hours
LogonType	logon_type
SourceProcessId	process_id
ServiceName	service
PrivilegeList	privilege
ScriptPath	script_path
SubjectUserSid	user_id
Request_URL	url
FqdnLength	fqdn_length
Event_ID	event_identifier
TaskContentNew	task_content_new
Domain	domain
LogonGuid	logon_guid
AuthenticationPackageName	authentication_package
SamAccountName	sam_account_name
NewProcessName	new_process
ProcessName	process
RecordNumber	record
ChangeType	change_type
NumberOfGroupPolicyObjects	gpo_count
RequestType	request_type
Computer	host
RemoteMachineID	remote_machine_id
SourcePort	source_port
ProfilePath	profile_path
Message	message
CalloutName	callout_name
Category	event_category
PrimaryGroupId	primary_group_id
FilePath	path
NewProcessId	target_process_id
ProviderKey	provider_key
RemoteUserID	remote_user_id
LayerKey	layer_key
FilterKey	filter_key
Hostname	host
UserID	user_id
ObjectDN	object_dn
HTTPMethod	request_method
ExecutionThreadID	execution_thread_id
EventRecordID	record_id
RestrictedSidCount	restricted_id_count
Conditions	condition
ShareName	share_name
Status	status
HandleId	handle_id
RuleNameLength	rule_name_length
MemberSid	member_id
ServiceSid	service_id
SequenceNumber	sequence_number
DateAndTime	event_ts
ObjectServer	object_server
EventType	event_type
TargetUserSid	target_id
UserId	user_id
RequestDetails	details
RuleSddlLength	rule_ssdl_length
ErrorCode	error_code
PolicyNameLength	policy_name_length
UrlAbsolutePath	path
LayerRTID	layer_rtid
User	user
SubcategoryGuid	subcategory_guid
Targetedrelying party	target_party
OldTime	old_ts
QTYPE	request_code
Properties	properties
OpCorrelationID	op_correlation_id
IpPort	source_port
ProviderGuid	guid
DSType	ds_type
AttributeSyntaxOID	attribute_Syntax_oid
ContentLength	content_length
CalloutKey	callout_key
User_host_address	host_address
AccountName	user
OperationType	type
EngineVersion	engine_version
Action	action
Throughproxy	proxy
TaskName	task
AccessReason	reason
MixedDomainMode	mixed_domain_mode
Weight	weight
ObjectName	object_name
Source	source_address
ProxyDNSname	proxy_dns
TransmittedServices	transmitted_service
Process_name	event_process
AppCorrelationID	app_correlation_id
MachineAccountQuota	machine_account_quota
Version	version
SubjectLogonId	logon_id
AccountExpires	account_expire
Keywords	keyword
SeverityValue	severity
LockoutObservationWindow	lockout_observation_window
EventReceivedTime	event_ts
ProcessID	process_id
MinPasswordAge	minimum_password_age
ProviderName	provider
FilterName	filter
RuleAttr	rule_attribute
SessionId	session_id
ThreadID	thread_id
IpAddress	source_address
ComputerAccountChange	computer_account_change
ProcessId	process_id
DomainBehaviorVersion	domain_behavior_version
AccessMask	access_mask
AttributeLDAPDisplayName	ldap_display
SourceModuleType	source_module_type
ObjectClass	class
NewUacValue	new_value
SourceModuleName	source_module
DnsHostName	dns_host
DestPort	destination_port
OldTargetUserName	old_target_user
X_MS_Proxy	proxy
UserAgent	user_agent
ClientIP	source_address
BufferSize	buffer_size
ProcessingMode	processing_mode
AuditPolicyChanges	policy
AdditionalInfo	additional_information
EventTime	log_ts
UserAccountControl	user_account_control
LogonID	logon_id
OpcodeValue	opcode_value
TargetInfo	target_information
LockoutDuration	lockout_duration
ForceLogoff	force_logoff
X_MS_Endpoint_Absolute_Path	path
Fqdn	fqdn
LogonProcessName	logon_process
PreAuthType	pre_authentication_type
Machine_name	workstation
Flags	flag
NewSD	new_sd
DestAddress	destination_address
WorkstationName	workstation
EventID	event_id
FilterRTID	filter_rtid
MappedName	mapped_name
TargetDomainName	target_domain
PasswordLastSet	password_last_set_ts
ObjectGUID	object_guid
NewTime	new_ts
KeyLength	key_length
ObjectType	object_type
SubjectDomainName	domain
AccountType	account_type
RuleName	rule
EventData	event_data
AllowedToDelegateTo	allowed_to_delegate_to
Port	source_port

Microsoft Windows Defender¶

Event ID: 1121¶

Windows Field	Logpoint Field
ID	rule_id
process_name	process
detection_time	detection_ts

Event ID: 1126¶

Windows Field	Logpoint Field
process_name	process
detection_time	detection_ts
destination	url
user	target_id
UserID	user_id

Event ID: 1116¶

Windows Field	Logpoint Field
process_name	process
detection_time	detection_ts
destination	url
user	target_id
UserID	user_id

Event ID: 1117¶

Windows Field	Logpoint Field
detection_id	target_id
destination	url
user	target_id
detection_time	detection_ts
category_name	category
process_name	process
action_name	action
threat_name	threat
product_name	product

Event ID: 5013¶

Windows Field	Logpoint Field
process_name	process
detection_id	target_id
destination	url
user	target_id
detection_time	detection_ts
category_name	category
process_name	process
action_name	action
threat_name	threat
product_name	product
value	target_service

Event ID: 1121¶

Windows Field	Logpoint Field
process_name	process
detection_id	target_id
destination	url
user	target_id
detection_time	detection_ts
category_name	category
process_name	process
action_name	action
threat_name	threat
product_name	product
value	target_service

Microsoft Windows Perflib¶

Event ID: 1008¶

Windows Field	Logpoint Field
param1	service
param2	file
binaryData	data
binaryDataSize	datasize

Sysmon Remote Threat Creation¶

Event ID: 8¶

Windows Field	Logpoint Field
startfunction	start_function

DNS Events¶

Event ID: -¶

Windows Field	Logpoint Field
status	direction

Microsoft Windows WMI Activity¶

Event ID: 23¶

Windows Field	Logpoint Field
CorrelationId	correlation_id
GroupOperationId	group_operation_id
OperationId	operation_id
Commandline	command
CreatedProcessId	target_process_id
CreatedProcessCreationTime	target_process_create_time
ClientMachine	host
ClientMachineFQDN	fqdn
ClientProcessId	process_id
ClientProcessCreationTime	process_create_time
IsLocal	is_local
EventReceivedTime	event_ts

Windows BITS Client¶

Event ID: 3¶

Windows Field	Logpoint Field
processPath	process
processId	process_id
jobTitle	job
jobId	job_id
jobOwner	job_owner
ClientProcessStartKey	process_start_key

Event ID: 5¶

Windows Field	Logpoint Field
fileCount	file_count
processId	process_id
jobTitle	job
jobId	job_id
jobOwner	job_owner
ClientProcessStartKey	process_start_key

Event ID: 59¶

Windows Field	Logpoint Field
jobId	job_id
bytesTotal	total_datasize
bytesTransferred	datasize
bytesTransferredFromPeer	received_datasize
fileTime	file_time
fileLength	file_size
transferId	transfer_id
name	job

Event ID: 60¶

Windows Field	Logpoint Field
Id	job_id
AdditionalInfoHr	information
bandwidthLimit	bandwidth
bytesTotal	total_datasize
bytesTransferred	datasize
bytesTransferredFromPeer	received_datasize
fileTime	file_time
fileLength	file_size
transferId	transfer_id
ignoreBandwidthLimitsOnLan	ignore_bandwidth_limit_flag
PeerContextInfo	peer_context
peerProtocolFlags	peer_protocol_flag
name	job

Event ID: 4¶

Windows Field	Logpoint Field
processId	process_id
jobTitle	job
jobId	job_id
jobOwner	job_owner
ClientProcessStartKey	process_start_key
fileCount	file_count
bytesTotal	total_datasize
bytesTransferred	datasize
bytesTransferredFromPeer	received_datasize

Event ID: 209¶

Windows Field	Logpoint Field
isRoaming	is_roaming
jobName	job
jobId	job_id

Event ID: 16403¶

Windows Field	Logpoint Field
processPath	process
processId	process_id
jobTitle	job
jobId	job_id
jobOwner	job_owner
ClientProcessStartKey	process_start_key
RemoteName	url
LocalName	path
fileCount	file_count

Microsoft Windows SMB Client¶

Event ID: 30804¶

Windows Field	Logpoint Field
ConnectionType	connection_type
AddressLength	address_length
ServerName	server
Address	destination_address
ServerNameLength	server_name_length

ASP.NET¶

Event ID: 1309¶

Windows Field	Logpoint Field
Data	event_code
Data_1	message
Data_2	exception_ts
Data_3	exception_utc_ts
Data_4	event_uid
Data_5	event_sequence
Data_6	event_count
Data_7	detail_code
Data_8	application_domain
Data_9	trust
Data_10	application_virtual_path
Data_11	path
Data_12	workstation
Data_13	process_id
Data_14	process
Data_16	exception_class
Data_17	exception_message
Data_18	url
Data_19	request_path
Data_20	host_address
Data_21	is_authenticated
Data_22	thread_account
Data_23	thread_id
Data_24	thread_account
Data_25	is_impersonating
Data_26	stack_trace

Helpful?