Microsoft Windows Fields

Windows Fields
Field Name Example Values Field Type Notes
source_user_sid_authority1 S-1-0-0 Keyword Initial “authority” with SID preamble. For well-known non-domain SIDs this will be the only field contianing SID information.
source_user_sid_authority2   Keyword The domain authority portion of the SID
source_user_sid_rid 500 Keyword This is the user RID
target_user_sid_authority1 S-1-0-0 Keyword Initial “authority” with SID preamble. For well-known non-domain SIDs this will be the only field containing SID information.
target_user_sid_authority2   Keyword The domain authority portion of the SID
target_user_sid_rid   Keyword This is the user RID
user_sid_authority1   Keyword Initial “authority” with SID preamble. For well-known non-domain SIDs this will be the only field containing SID information.
user_sid_authority2   Keyword The domain authority portion of the SID
user_sid_rid   Keyword This is the user RID
windows_authentication_lmpackage_name   Keyword This field is defined only when the windows_authentication_package_name = “NTLM”
windows_authentication_package_name   Keyword Authentication information from Event ID 4624/4625
windows_authentication_process_name   Keyword Authentication information from Event ID 4624/4625
windows_logon_type 2, 3, 10 Byte https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
windows_logon_type_description   keyword Description mapped to the logon type field
windows_kerberos_encryption 0x12 keyword The Windows kerberos encryption hex value
windows_kerberos_encryption_type   keyword Kerberos ticket encryption types https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
windows_kerberos_service_name   keyword Name of service targeted for Kerberos ticket requests