# Windows

Version 1.2

\\

| **Fields**                             | **Data Type** |
| -------------------------------------- | ------------- |
| event.category                         | array         |
| event.dataset                          | text          |
| event.module                           | text          |
| event.kind                             | text          |
| event.outcome                          | text          |
| event.type                             | array         |
| event.action                           | text          |
| event.id                               | text          |
| event.original                         |               |
| event.severity                         | text          |
| event.created                          | date          |
| event.reason                           | text          |
| uuid                                   | text          |
| organisation.id                        | text          |
| sensor.id                              | text          |
|                                        |               |
| source.as.organization.name            | text          |
| source.geo.city\_name                  | text          |
| source.geo.country\_code               | text          |
| source.geo.country\_name               | text          |
| source.geo.location.lat                | geopoint      |
| source.geo.location.lon                | geopoint      |
| source.geo.region\_name                | text          |
| source.geo.continent\_code             | text          |
| destination.as.organization.name       | text          |
| destination.geo.city\_name             | text          |
| destination.geo.country\_code          | text          |
| destination.geo.country\_name          | text          |
| destination.geo.location.lat           | geopoint      |
| destination.geo.location.lon           | geopoint      |
| destination.geo.region\_name           | text          |
| destination.geo.continent\_code        | text          |
| source.as.number                       | text          |
| threatintel.entity                     | text          |
| threatintel.lookup                     | text          |
| source.locality                        | text          |
| destination.locality                   | text          |
| network.community\_id                  | text          |
| host.name                              | text          |
| user.name                              | text          |
| user.domain                            | text          |
| process.name                           | text          |
| process.executable                     | text          |
| process.args                           | array         |
| process.pid                            | int           |
| process.parent.executable              | text          |
| process.parent.name                    | text          |
| process.parent.args                    | array         |
| process.working\_directory             | text          |
| process.parent.pid                     | int           |
| file.path                              | text          |
| source.ip                              | ip            |
| source.port                            | int           |
| destination.ip                         | ip            |
| destination.port                       | int           |
| registry.path                          | text          |
| registry.value                         | text          |
| hash.imphash                           | text          |
| hash.md5                               | text          |
| destination.domain                     | text          |
| destination.ip                         | ip            |
| destination.port                       | int           |
| error.message                          | text          |
| network.direction                      | text          |
| network.protocol                       | text          |
| network.transport                      | text          |
| network.type                           | text          |
| source.address                         | ip            |
| source.domain                          | text          |
| source.ip                              | ip            |
| source.port                            | int           |
| rule.name                              | text          |
| process.pe.imphash                     | text          |
| process.command\_line                  | text          |
| process.parent.command\_line           | text          |
| process.pe.original\_file\_name        | text          |
| process.pe.company                     | text          |
| process.pe.description                 | text          |
| process.pe.file\_version               | text          |
| process.pe.product                     | text          |
| file.hash                              | text          |
| file.pe.imphash                        | text          |
| file.name                              | text          |
| file.code\_signature.subject\_name     | text          |
| file.pe.original\_file\_name           | text          |
| file.pe.company                        | text          |
| file.pe.description                    | text          |
| file.pe.file\_version                  | text          |
| file.pe.product                        | text          |
| file.code\_signature.signed            | text          |
| dns.question.name                      | text          |
| network.type                           | text          |
|                                        |               |
| sysmon.dns.status                      | text          |
| sysmon.file.archived                   | text          |
| sysmon.file.is\_executable             | text          |
| powershell.engine.new\_state           | text          |
| powershell.engine.previous\_state      | text          |
| powershell.provider.new\_state         | text          |
| powershell.provider.name               | text          |
| powershell.sequence                    | text          |
| powershell.engine.version              | text          |
| powershell.process.executable\_version | text          |
| powershell.command.value               | text          |
| powershell.command.path                | text          |
| powershell.command.name                | text          |
| source.user.name                       | text          |
| source.user.domain                     | text          |
| powershell.file.script\_block\_text    | text          |
| powershell.file.script\_block\_id      | text          |
| rule.uuid                              | text          |
| rule.id                                | text          |
| error.code                             | text          |
| winlog.accesslist                      |               |
| winlog.accessmask                      |               |
| winlog.accesses                        |               |
| source.user.id                         |               |
| winlog.action                          |               |
| winlog.address                         |               |
| winlog.allowedtodelegateto             |               |
| winlog.appid                           |               |
| winlog.appname                         |               |
| winlog.application                     |               |
| winlog.applicationpath                 |               |
| winlog.attributeldapdisplayname        |               |
| winlog.attributevalue                  |               |
| winlog.auditpolicychanges              |               |
| winlog.auditsourcename                 |               |
| **package.name (remove)**              |               |
| winlog.binary                          |               |
| winlog.calltrace                       |               |
| winlog.caption                         |               |
| winlog.certthumbprint                  |               |
| winlog.classname                       |               |
| winlog.clientprocessid                 |               |
| winlog.contents                        |               |
| winlog.contextinfo                     |               |
| winlog.failurecode                     |               |
| winlog.feature\_name                   |               |
| winlog.filenamebuffer                  |               |
| winlog.grantedaccess                   |               |
| winlog.impersonationlevel              |               |
| winlog.integritylevel                  |               |
| winlog.keylength                       |               |
| winlog.keywords                        |               |
| winlog.layerrtid                       |               |
| winlog.level                           |               |
| winlog.localname                       |               |
| winlog.logontype                       |               |
| winlog.message                         |               |
| winlog.modifyingapplication            |               |
| winlog.name                            |               |
| winlog.newname                         |               |
| winlog.newtargetusername               |               |
| winlog.newtemplatecontent              |               |
| winlog.newuacvalue                     |               |
| winlog.newvalue                        |               |
| winlog.objectclass                     |               |
| winlog.objectname                      |               |
| winlog.objectserver                    |               |
| winlog.objecttype                      |               |
| winlog.objectvaluename                 |               |
| winlog.olduacvalue                     |               |
| winlog.oldvalue                        |               |
| winlog.origin                          |               |
| winlog.originalfilename                |               |
| winlog.packagefullname                 |               |
| winlog.packagepath                     |               |
| winlog.parentcommandline               |               |
| winlog.parentimage                     |               |
| winlog.parentprocessid                 |               |
| winlog.parentuser                      |               |
| winlog.path                            |               |
|                                        |               |
| winlog.pipename                        |               |
| winlog.possiblecause                   |               |
| winlog.previouscreationutctime         |               |
| winlog.privilegelist                   |               |
| winlog.processid                       |               |
| winlog.processname                     |               |
| winlog.processnamebuffer               |               |
| winlog.processpath                     |               |
| winlog.product                         |               |
| winlog.properties                      |               |
| winlog.protocol                        |               |
| winlog.provider                        |               |
| winlog.providername                    |               |
| winlog.provider\_name                  |               |
| winlog.qname                           |               |
| winlog.query                           |               |
| winlog.queryname                       |               |
| winlog.reason                          |               |
| winlog.relativetargetname              |               |
| winlog.remotename                      |               |
| winlog.requestedpolicy                 |               |
| winlog.samaccountname                  |               |
| winlog.searchfilter                    |               |
| winlog.servername                      |               |
| winlog.service                         |               |
| winlog.servicefilename                 |               |
| winlog.servicename                     |               |
| winlog.serviceprincipalnames           |               |
| winlog.servicestarttype                |               |
| winlog.servicetype                     |               |
| winlog.sharename                       |               |
| winlog.sidhistory                      |               |
| winlog.sidlist                         |               |
| winlog.signature                       |               |
| winlog.signaturestatus                 |               |
| winlog.signed                          |               |
| winlog.sourceaddress                   |               |
| winlog.sourcecommandline               |               |
| winlog.sourcefilename                  |               |
| winlog.sourcehostname                  |               |
| winlog.sourceimage                     |               |
| winlog.sourceip                        |               |
| winlog.sourcename                      |               |
| winlog.sourceparentimage               |               |
| winlog.sourceport                      |               |
| winlog.startaddress                    |               |
| winlog.startfunction                   |               |
| winlog.startmodule                     |               |
| winlog.state                           |               |
| winlog.status                          |               |
| winlog.subcategoryguid                 |               |
| winlog.subjectdomainname               |               |
| winlog.subjectlogonid                  |               |
| winlog.subjectusername                 |               |
| winlog.subjectusersid                  |               |
| winlog.targetfilename                  |               |
| winlog.targetimage                     |               |
| user.id                                |               |
| destination.user.name                  |               |
| winlog.targetparentimage               |               |
| winlog.targetparentprocessid           |               |
| winlog.targetservername                |               |
| winlog.targetsid                       |               |
| winlog.targetusername                  |               |
| winlog.targetusersid                   |               |
| winlog.taskcontent                     |               |
| winlog.taskcontentnew                  |               |
| winlog.taskname                        |               |
| winlog.templatecontent                 |               |
| winlog.ticketencryptiontype            |               |
| winlog.ticketoptions                   |               |
| winlog.type                            |               |
| winlog.user                            |               |
| winlog.username                        |               |
| winlog.value                           |               |
| winlog.workstation                     |               |
| winlog.workstationname                 |               |
| winlog.param1                          |               |
| winlog.param2                          |               |
| winlog.param3                          |               |
| winlog.payload                         |               |
| winlog.process                         |               |
| related.user                           | array         |
| related.hash                           | array         |
| related.ip                             | array         |
| related.hosts                          | array         |
| agent.type                             | text          |
| log.type                               | text          |
| observer.type                          | text          |
| threatintel.days                       | int           |
|                                        |               |
| threatintel.event\_data                | text          |
|                                        |               |
| threatintel.malware.malware            | text          |
| threatintel.malware.timestamp          | date          |
| threatintel.tags                       | text          |
| threatintel.white\_list                | text          |
| threatintel.severity                   | text          |
| message                                |               |
|                                        |               |
| asset.category                         | array         |
| asset.rank                             | int           |
| asset.type                             | array         |
| destination.address                    | ip            |
| destination.user.group.id              | text          |
| destination.user.group.name            | text          |
| destination.user\_name                 | text          |
| dns.answers                            | array         |
| dns.response\_code                     | text          |
| event.channel                          | text          |
| event.code                             | int           |
| event.provider                         | text          |
| group.domain                           | text          |
| group.id                               | text          |
| group.name                             | text          |
| host.ip                                | ip            |
| observer.product                       | text          |
| observer.vendor                        | text          |
| registry.hive                          | text          |
| registry.key                           | text          |
| service.name                           | text          |
| service.state                          | text          |
| service.type                           | text          |
| user.target.domain                     | text          |
| user.type                              | text          |
| event.outcome                          | text          |
|                                        |               |
|                                        |               |
| **new fields to add**                  |               |
| network.direction                      |               |
| winlog.exceptioncode                   |               |
| winlog.logonprocessname                |               |
| winlog.authenticationpackagename       |               |
| winlog.devicedescription               |               |
| winlog.devicename                      |               |
| winlog.errorcode                       |               |
| winlog.source\_name                    |               |
| winlog.hivename                        |               |
| winlog.imagename                       |               |
| winlog.new\_value                      |               |
| winlog.old\_value                      |               |
| winlog.objectname                      |               |
| package.path                           |               |
| winlog.filterorigin                    |               |
| winlog.scriptblocktext                 |               |
| winlog.description                     |               |
| winlog.targetname                      |               |
| winlog.targetoutboundusername          |               |
| winlog.targetlogonid                   |               |
| source.domain                          |               |
| winlog.subjectname                     |               |
