Collect Windows Sysmon logs

Supported in:

Google secops SIEM

This document explains how to ingest Windows Sysmon logs to Google Security Operations using Bindplane.

Windows System Monitor (Sysmon) is a Windows system service and device driver from Microsoft Sysinternals that monitors and logs system activity to the Windows Event Log. It provides detailed information about process creation, network connections, file creation time changes, and other system behaviors valuable for threat detection and forensic analysis. The Bindplane agent uses the windowseventlog receiver to natively collect Sysmon events from the dedicated Sysmon event channel. The parser supports JSON and XML formats, and maps the extracted fields to the Unified Data Model (UDM).

Before you begin

Make sure you have the following prerequisites:

A Google SecOps instance
Windows Server 2012 R2 or later, or Windows 10/11 client
Administrator access to install Sysmon and Bindplane
Sysmon installed and running on the target system
If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements

Get Google SecOps ingestion authentication file

Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Install the Bindplane agent on your Windows operating system.

Windows installation

Open Command Prompt or PowerShell as an administrator.

Run the following command:

msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

Wait for the installation to complete.
Verify the installation by running:
```
sc query observiq-otel-collector
```

The service should show as RUNNING.

Additional installation resources

For additional installation options and troubleshooting, see Bindplane agent installation guide.

Configure Bindplane agent to collect Windows Sysmon logs and send to Google SecOps

Locate the configuration file

Windows:

notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"

Edit the configuration file

Replace the entire contents of config.yaml with the following configuration:

receivers:
    windowseventlog/sysmon:
        channel: Microsoft-Windows-Sysmon/Operational
        raw: true
        max_reads: 100
        poll_interval: 5s
        start_at: end

exporters:
    chronicle/chronicle_w_labels:
        compression: gzip
        creds_file_path: 'C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json'
        customer_id: 'YOUR_CUSTOMER_ID'
        endpoint: malachiteingestion-pa.googleapis.com
        log_type: 'WINDOWS_SYSMON'
        raw_log_field: body
        ingestion_labels:

service:
    pipelines:
        logs/source0__chronicle_w_labels-0:
            receivers:
                - windowseventlog/sysmon
            exporters:
                - chronicle/chronicle_w_labels

Configuration parameters

Replace the following placeholders:
- Exporter configuration:
  - creds_file_path: Full path to ingestion authentication file (default: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json)
  - YOUR_CUSTOMER_ID: Customer ID from the Get customer ID section
  - endpoint: Regional endpoint URL:
    - US: malachiteingestion-pa.googleapis.com
    - Europe: europe-malachiteingestion-pa.googleapis.com
    - Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
    - See Regional Endpoints for complete list

Save the configuration file

After editing, save the file:
- Windows: Click File > Save

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Windows, choose one of the following options:
- Command Prompt or PowerShell as administrator:
```
net stop observiq-otel-collector && net start observiq-otel-collector
```
- Services console:
  1. Press Win+R, type services.msc, and press Enter.
  2. Locate observIQ OpenTelemetry Collector.
  3. Right-click and select Restart.
  4. Verify the service is running:
```
sc query observiq-otel-collector
```
  5. Check logs for errors:
```
type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
```

Install and Configure Sysmon

Sysmon must be installed and running on the Windows system before the Bindplane agent can collect its events.

Install Sysmon

Download Sysmon from Microsoft Sysinternals:

curl -o Sysmon.zip https://download.sysinternals.com/files/Sysmon.zip

Extract and install Sysmon with a recommended configuration:
```
Sysmon64.exe -accepteula -i sysmonconfig.xml
```
If you don't have a Sysmon configuration file, install with default settings:
```
Sysmon64.exe -accepteula -i
```

Verify Sysmon is Running

Verify Sysmon is running:
```
sc query Sysmon64
```
Verify Sysmon events in Event Viewer:
1. Open Event Viewer.
2. Go to Applications and Services Logs > Microsoft > Windows > Sysmon > Operational.
3. Verify events are being generated.

Key Sysmon Event Types

Event ID 1: Process creation
Event ID 3: Network connection
Event ID 7: Image loaded
Event ID 8: CreateRemoteThread
Event ID 10: ProcessAccess
Event ID 11: File creation
Event ID 12/13/14: Registry events
Event ID 22: DNS query

UDM mapping table

Log field	UDM mapping	Logic
SourceName
	metadata.vendor_name	The metadata.vendor_name UDM field is set to Microsoft.
	metadata.product_name	The metadata.product_name UDM field is set to Microsoft-Windows-Sysmon.
UtcTime	metadata.event_timestamp
EventID	metadata.product_event_type	If the EventID log field value is equal to 255 then, the metadata.product_event_type UDM field is set to Error - [255]. , Else EventID log field is mapped to the metadata.product_event_type UDM field.,
RecordNumber	metadata.product_log_id
EventRecordID	metadata.product_log_id
Version	metadata.product_version	If the EventID log field value is equal to 4 then, Version log field is mapped to the metadata.product_version UDM field.
QueryResults	network.dns.answers.data	The type_value and data_value fields are extracted from QueryResults log field using the Grok pattern. If the EventID log field value is equal to 22 then, the data_value log field is mapped to the network.dns.answers.data UDM field.
QueryResults	network.dns.answers.type	The type_value and data_value fields are extracted from QueryResults log field using the Grok pattern. If the EventID log field value is equal to 22 then, the type_value log field is mapped to the network.dns.answers.type UDM field.
QueryName	network.dns.questions.name	If the EventID log field value is equal to 22 then, QueryName log field is mapped to the network.dns.questions.name UDM field.
Protocol	network.ip_protocol	If the EventID log field value is equal to 3 then, Protocol log field is mapped to the network.ip_protocol UDM field.
ParentCommandLine	principal.process.command_line	If the EventID log field value is equal to 1 then, ParentCommandLine log field is mapped to the principal.process.command_line UDM field.
User	principal.administrative_domain	The principal_user_userid and principal_administrative_domain fields are extracted from User log field using the Grok pattern. If the principal_administrative_domain log field value is not empty and the User log field value is not empty then, principal_administrative_domain extracted field is mapped to the principal.administrative_domain UDM field. , Else Domain log field is mapped to the principal.administrative_domain UDM field.,
Domain	principal.administrative_domain	The principal_user_userid and principal_administrative_domain fields are extracted from User log field using the Grok pattern. If the principal_administrative_domain log field value is not empty and the User log field value is not empty then, principal_administrative_domain extracted field is mapped to the principal.administrative_domain UDM field. , Else Domain log field is mapped to the principal.administrative_domain UDM field.,
HostName	principal.hostname	If the Hostname log field value is empty then, Computer log field is mapped to the principal.hostname UDM field. , Else HostName log field is mapped to the principal.hostname UDM field and Hostname log field is mapped to the principal.hostname UDM field.,
Computer	principal.hostname	If the Hostname log field value is empty then, Computer log field is mapped to the principal.hostname UDM field. , Else HostName log field is mapped to the principal.hostname UDM field and Hostname log field is mapped to the principal.hostname UDM field.,
HostName	principal.asset.hostname	If the Hostname log field value is empty then, Computer log field is mapped to the principal.asset.hostname UDM field. , Else HostName log field is mapped to the principal.asset.hostname UDM field and Hostname log field is mapped to the principal.asset.hostname UDM field.,
Computer	principal.asset.hostname	If the Hostname log field value is empty then, Computer log field is mapped to the principal.asset.hostname UDM field. , Else HostName log field is mapped to the principal.asset.hostname UDM field and Hostname log field is mapped to the principal.asset.hostname UDM field.,
SourceIp	principal.ip	If the EventID log field value is equal to 3 then, SourceIp log field is mapped to the principal.ip UDM field.
SourcePort	principal.port	If the EventID log field value is equal to 3 then, SourcePort log field is mapped to the principal.port UDM field.
ImageLoaded	principal.process.file.full_path	If the EventID log field value is equal to 6 then, ImageLoaded log field is mapped to the principal.process.file.full_path UDM field.
Image	principal.process.file.full_path	If the EventID log field value contain one of the following values:23791112131415222326 then, Image log field is mapped to the principal.process.file.full_path UDM field.
SourceImage	principal.process.file.full_path	If the EventID log field value contain one of the following values:810 then, SourceImage log field is mapped to the principal.process.file.full_path UDM field.
ParentImage	principal.process.file.full_path	If the EventID log field value is equal to 1 then, ParentImage log field is mapped to the principal.process.file.full_path UDM field.
ProcessId	principal.process.pid	If the EventID log field value contain one of the following values:237911121314152223242526 and if the ExecutionProcessID log field value is not empty then, ExecutionProcessID log field is mapped to the principal.process.pid UDM field. , Else ProcessId log field is mapped to the principal.process.pid UDM field.
SourceProcessId	principal.process.pid	If the EventID log field value is equal to 8 then, SourceProcessId log field is mapped to the principal.process.pid UDM field.
ParentProcessId	principal.process.pid	If the EventID log field value is equal to 1 then, ParentProcessId log field is mapped to the principal.process.pid UDM field.
ProcessID	observer.process.pid
ProcessGuid	principal.process.product_specific_process_id	If the EventID log field value contain one of the following values:235791112131415222326 then, principal.process.product_specific_process_id UDM field is set to SYSMON:%{ProcessGuid}.
ParentProcessGuid	principal.process.product_specific_process_id	If the EventID log field value is equal to 1 then, principal.process.product_specific_process_id UDM field is set to SYSMON:%{ParentProcessGuid}.
SourceProcessGuid	principal.process.product_specific_process_id	If the EventID log field value is equal to 8 then, principal.process.product_specific_process_id UDM field is set to SYSMON:%{SourceProcessGuid}.
SourceProcessGUID	principal.process.product_specific_process_id	If the EventID log field value is equal to 10 then, principal.process.product_specific_process_id UDM field is set to SYSMON:%{SourceProcessGUID}.
User	principal.user.userid	The principal_user_userid and principal_administrative_domain fields are extracted from User log field using the Grok pattern. If the EventID log field value is not equal to 24 and if the principal_user_userid log field value is not empty and the User log field value is not empty then, principal_user_userid extracted field is mapped to the principal.user.userid UDM field.,
ClientInfo	principal.user.userid	The host and user_id fields are extracted from ClientInfo log field using the Grok pattern. If the EventID log field value is equal to 24 and if the user_id log field value is not empty and the ClientInfo log field value is not empty then, user_id extracted field is mapped to the principal.user.userid UDM field. , Else ClientInfo log field is mapped to the principal.user.userid UDM field.,
AccountName	principal.user.userid	The principal_user_userid and principal_administrative_domain fields are extracted from User log field using the Grok pattern. If the EventID log field value is not equal to 24 and if the principal_user_userid log field value is not empty and the User log field value is not empty then, principal_user_userid extracted field is mapped to the principal.user.userid UDM field. , Else AccountName log field is mapped to the principal.user.userid UDM field.
SourceUser	principal.user.userid
UserID	principal.user.windows_sid	If the UserID log field value matches the regular expression pattern S-\d-(\d+-){1,14}\d+, then the UserID log field is mapped to the principal.user.windows_sid UDM field., , Else, if the UserID log field value not equal to the User log field value, then the UserID log field is mapped to the principal.user.attribute.labels[user_id] UDM field.
Description	security_result.description	If the EventID log field value is equal to 255 and if the Description log field value is not equal to - then, Description log field is mapped to the security_result.description UDM field.
RuleName	security_result.rule_name
EventID	security_result.rule_name	The security_result.rule_name UDM field is set to EventID: %{EventID}.
	security_result.severity	If the Level log field value contain one of the following values:034 or the Level log field value is equal to Information then, the security_result.severity UDM field is set to INFORMATIONAL. , Else, If Level log field value is equal to 2 or the Level log field value is equal to Error then, the security_result.severity UDM field is set to ERROR. If the SeverityValue log field value does not contain one of the following values:Empty- and if the SeverityValue log field value contain one of the following values:123 then, the security_result.severity UDM field is set to INFORMATIONAL. Else, if SeverityValue log field value is equal to 4 then, the security_result.severity UDM field is set to ERROR. Else, if SeverityValue log field value is equal to 5 then, the security_result.severity UDM field is set to CRITICAL.,
Category	about.labels[Category ID]	The category_id and category_tag fields are extracted from Category log field using the Grok pattern. category_id extracted field is mapped to the about.labels.Category ID UDM field.
QueryStatus	security_result.summary	If the EventID log field value is equal to 22 then, the security_result.summary UDM field is set to QueryStatus: %{QueryStatus}.
ID	security_result.summary	If the EventID log field value is equal to 255 then, ID log field is mapped to the security_result.summary UDM field.
Category	security_result.summary	The category_id and category_tag fields are extracted from Category log field using the Grok pattern. If the category_id log field value is not empty then, category_tag extracted field is mapped to the security_result.summary UDM field. , Else Category log field is mapped to the security_result.summary UDM field.,
CurrentDirectory	additional.fields[current_directory]	If the EventID log field value is equal to 1 then, CurrentDirectory log field is mapped to the additional.fields.current_directory UDM field.
OriginalFileName	src.file.full_path	If the EventID log field value is equal to 1 then, OriginalFileName log field is mapped to the src.file.full_path UDM field.
TargetObject	src.registry.registry_key	If the EventID log field value is equal to 14 then, TargetObject log field is mapped to the src.registry.registry_key UDM field.
Name	target.application	If the EventID log field value is equal to 19 then, Name log field is mapped to the target.application UDM field. If the EventID log field value is equal to 255 then, the target.application UDM field is set to Microsoft Sysmon.
Description	target.asset.software.description	If the EventID log field value contain one of the following values:17 and if the Description log field value is not equal to - then, Description log field is mapped to the target.asset.software.description UDM field.
Product	target.asset.software.name	If the EventID log field value contain one of the following values:17 and if the Product log field value is not equal to - then, Product log field is mapped to the target.asset.software.name UDM field.
Company	target.asset.software.vendor_name	If the EventID log field value contain one of the following values:17 and if the Company log field value is not equal to - then, Company log field is mapped to the target.asset.software.vendor_name UDM field.
FileVersion	target.asset.software.version	If the EventID log field value contain one of the following values:17 and if the FileVersion log field value is not equal to - then, FileVersion log field is mapped to the target.asset.software.version UDM field.
EventNamespace	target.file.full_path	If the EventID log field value is equal to 19 then, EventNamespace log field is mapped to the target.file.full_path UDM field.
Device	target.file.full_path	If the EventID log field value is equal to 9 then, Device log field is mapped to the target.file.full_path UDM field.
TargetFilename	target.file.full_path	If the EventID log field value contain one of the following values:211152326 then, TargetFilename log field is mapped to the target.file.full_path UDM field.
DestinationHostname	target.asset.hostname	If the EventID log field value is equal to 3 then, DestinationHostname log field is mapped to the target.asset.hostname UDM field.
ClientInfo	target.asset.hostname	The host and user_id fields are extracted from ClientInfo log field using the Grok pattern. The target_ip and host fields are extracted from ClientInfo log field using the Grok pattern. If the EventID log field value is equal to 24 then, host extracted field is mapped to the target.asset.hostname UDM field.
DestinationHostname	target.hostname	If the EventID log field value is equal to 3 then, DestinationHostname log field is mapped to the target.hostname UDM field.
ClientInfo	target.hostname	The host and user_id fields are extracted from ClientInfo log field using the Grok pattern. The target_ip and host fields are extracted from ClientInfo log field using the Grok pattern. If the EventID log field value is equal to 24 then, host extracted field is mapped to the target.hostname UDM field.
ClientInfo	target.ip	The target_ip and host fields are extracted from ClientInfo log field using the Grok pattern. If the EventID log field value is equal to 24 then, target_ip extracted field is mapped to the target.ip UDM field.
DestinationIp	target.ip	If the EventID log field value is equal to 3 then, DestinationIp log field is mapped to the target.ip UDM field.
DestinationPort	target.port	If the EventID log field value is equal to 3 then, DestinationPort log field is mapped to the target.port UDM field.
CommandLine	target.process.command_line	If the EventID log field value is equal to 1 then, CommandLine log field is mapped to the target.process.command_line UDM field.
Configuration	target.process.command_line	If the EventID log field value is equal to 16 and if the ConfigurationFileHash log field value contain one of the following values:Empty- then, Configuration log field is mapped to the target.process.command_line UDM field.
ImageLoaded	target.process.file.full_path	If the EventID log field value is equal to 7 then, ImageLoaded log field is mapped to the target.process.file.full_path UDM field.
TargetImage	target.process.file.full_path	If the EventID log field value contain one of the following values:810 then, TargetImage log field is mapped to the target.process.file.full_path UDM field.
Image	target.process.file.full_path	If the EventID log field value contain one of the following values:1517182425 then, Image log field is mapped to the target.process.file.full_path UDM field.
Configuration	target.process.file.full_path	If the EventID log field value is equal to 16 and if the ConfigurationFileHash log field value does not contain one of the following values:Empty- then, Configuration log field is mapped to the target.process.file.full_path UDM field.
Hashes	target.process.file.md5	The KV filter is used to extract the MD5 from the Hashes log field., If the EventID log field value contain one of the following values:1671516232426 then, MD5 extracted field is mapped to the target.process.file.md5 UDM field.
Hash	target.process.file.md5	The KV filter is used to extract the MD5 from the Hashe log field., If the EventID log field value contain one of the following values:1671516232426 then, MD5 extracted field is mapped to the target.process.file.md5 UDM field.
ConfigurationFileHash	target.process.file.md5	The KV filter is used to extract the MD5 from the ConfigurationFileHash log field., If the EventID log field value contain one of the following values:1671516232426 then, MD5 extracted field is mapped to the target.process.file.md5 UDM field.
Hashes	target.process.file.sha1	The KV filter is used to extract the SHA1 from the Hashes log field., If the EventID log field value contain one of the following values:1671516232426 then, SHA1 extracted field is mapped to the target.process.file.sha1 UDM field.
Hash	target.process.file.sha1	The KV filter is used to extract the SHA1 from the Hash log field., If the EventID log field value contain one of the following values:1671516232426 then, SHA1 extracted field is mapped to the target.process.file.sha1 UDM field.
ConfigurationFileHash	target.process.file.sha1	The KV filter is used to extract the SHA1 from the ConfigurationFileHash log field., If the EventID log field value contain one of the following values:1671516232426 then, SHA1 extracted field is mapped to the target.process.file.sha1 UDM field.
Hashes	target.process.file.sha256	The KV filter is used to extract the SHA256 from the Hashes log field., If the EventID log field value contain one of the following values:1671516232426 then, SHA256 extracted field is mapped to the target.process.file.sha256 UDM field.
Hash	target.process.file.sha256	The KV filter is used to extract the SHA256 from the Hash log field., If the EventID log field value contain one of the following values:1671516232426 then, SHA256 extracted field is mapped to the target.process.file.sha256 UDM field.
ConfigurationFileHash	target.process.file.sha256	The KV filter is used to extract the SHA256 from the ConfigurationFileHash log field., If the EventID log field value contain one of the following values:1671516232426 then, SHA256 extracted field is mapped to the target.process.file.sha256 UDM field.
Hashes	target.process.file.file_metadata.pe.import_hash	The KV filter is used to extract the IMPHASH from the Hashes log field., IMPHASH extracted field is mapped to the target.process.file.file_metadata.pe.import_hash UDM field.
Hash	target.process.file.file_metadata.pe.import_hash	The KV filter is used to extract the IMPHASH from the Hash log field., IMPHASH extracted field is mapped to the target.process.file.file_metadata.pe.import_hash UDM field.
ConfigurationFileHash	target.process.file.file_metadata.pe.import_hash	The KV filter is used to extract the IMPHASH from the ConfigurationFileHash log field., IMPHASH extracted field is mapped to the target.process.file.file_metadata.pe.import_hash UDM field.
Hashes	target.process.file.pe_file.imphash	The KV filter is used to extract the IMPHASH from the Hashes log field., IMPHASH extracted field is mapped to the target.process.file.pe_file.imphash UDM field.
Hash	target.process.file.pe_file.imphash	The KV filter is used to extract the IMPHASH from the Hash log field., IMPHASH extracted field is mapped to the target.process.file.pe_file.imphash UDM field.
ConfigurationFileHash	target.process.file.pe_file.imphash	The KV filter is used to extract the IMPHASH from the ConfigurationFileHash log field., IMPHASH extracted field is mapped to the target.process.file.pe_file.imphash UDM field.
TargetProcessId	target.process.pid	If the EventID log field value contain one of the following values:810 then, TargetProcessId log field is mapped to the target.process.pid UDM field.
ProcessId	target.process.pid	If the EventID log field value contain one of the following values:15161718 and if the ExecutionProcessID log field value is not empty then, ExecutionProcessID log field is mapped to the target.process.pid UDM field. , Else ProcessId log field is mapped to the target.process.pid UDM field.,
ProcessID	target.process.pid	If the EventID log field value contain one of the following values:15161718 and if the ExecutionProcessID log field value is not empty then, ExecutionProcessID log field is mapped to the target.process.pid UDM field. , Else ProcessID log field is mapped to the target.process.pid UDM field.,
TargetProcessGuid	target.process.product_specific_process_id	If the EventID log field value is equal to 8 then, the target.process.product_specific_process_id UDM field is set to SYSMON:%{TargetProcessGuid}.
TargetProcessGUID	target.process.product_specific_process_id	If the EventID log field value is equal to 10 then, the target.process.product_specific_process_id UDM field is set to SYSMON:%{TargetProcessGUID}.
ProcessGuid	target.process.product_specific_process_id	If the EventID log field value contain one of the following values:117182425 then, the target.process.product_specific_process_id UDM field is set to SYSMON:%{ProcessGuid}.
NewName	target.registry.registry_key	If the EventID log field value is equal to 14 then, NewName log field is mapped to the target.registry.registry_key UDM field.
TargetObject	target.registry.registry_key	If the EventID log field value contain one of the following values:1213 then, TargetObject log field is mapped to the target.registry.registry_key UDM field.
Details	target.registry.registry_value_data	If the EventID log field value is equal to 13 then, Details log field is mapped to the target.registry.registry_value_data UDM field.
PreviousCreationUtcTime	target.resource.attribute.labels.key[PreviousCreationUtcTime]	If the EventID log field value is equal to 2 then, PreviousCreationUtcTime log field is mapped to the target.resource.attribute.labels UDM field.
Archived	target.resource.attribute.labels[Archived]	If the EventID log field value contain one of the following values:2324 then, Archived log field is mapped to the target.resource.attribute.labels UDM field.
Consumer	target.resource.attribute.labels[Consumer]	If the EventID log field value is equal to 21 then, Consumer log field is mapped to the target.resource.attribute.labels UDM field.
CreationUtcTime	target.resource.attribute.labels[CreationUtcTime]	If the EventID log field value contain one of the following values:215 then, CreationUtcTime log field is mapped to the target.resource.attribute.labels UDM field.
IsExecutable	target.resource.attribute.labels[IsExecutable]	If the EventID log field value contain one of the following values:2326 then, IsExecutable log field is mapped to the target.resource.attribute.labels UDM field.
Name	target.resource.attribute.labels[Name]	If the EventID log field value is equal to 20 then, Name log field is mapped to the target.resource.attribute.labels UDM field.
Operation	target.resource.attribute.labels[Operation]	If the EventID log field value contain one of the following values:192021 then, Operation log field is mapped to the target.resource.attribute.labels UDM field.
Signature	target.resource.attribute.labels[Signature]	If the EventID log field value contain one of the following values:67 then, Signature log field is mapped to the target.resource.attribute.labels UDM field.
SignatureStatus	target.resource.attribute.labels[SignatureStatus]	If the EventID log field value contain one of the following values:67 then, SignatureStatus log field is mapped to the target.resource.attribute.labels UDM field.
Signed	target.resource.attribute.labels[Signed]	If the EventID log field value contain one of the following values:67 then, Signed log field is mapped to the target.resource.attribute.labels UDM field.
Type	target.resource.attribute.labels[Type]	If the EventID log field value is equal to 20 then, Type log field is mapped to the target.resource.attribute.labels UDM field.
Type	additional.fields[Type]	If the EventID log field value is equal to 25 then, Type log field is mapped to the additional.fields UDM field.
State	target.resource.name	If the EventID log field value is equal to 4 then, State log field is mapped to the target.resource.name UDM field.
CreationUtcTime	target.resource.name	If the EventID log field value is equal to 11 then, CreationUtcTime log field is mapped to the target.resource.name UDM field.
PipeName	target.resource.name	If the EventID log field value contain one of the following values:1718 then, PipeName log field is mapped to the target.resource.name UDM field.
Filter	target.resource.name	If the EventID log field value is equal to 21 then, Filter log field is mapped to the target.resource.name UDM field.
Destination	target.resource.name	If the EventID log field value is equal to 20 then, Destination log field is mapped to the target.resource.name UDM field.
Query	target.resource.name	If the EventID log field value is equal to 19 then, Query log field is mapped to the target.resource.name UDM field.
GrantedAccess	target.resource.name	If the EventID log field value is equal to 10 and if the GrantedAccess log field value matches the regular expression pattern ^0x0080$ then, the target.resource.name UDM field is set to PROCESS_CREATE_PROCESS. , Else, If the GrantedAccess log field value matches the regular expression pattern ^0x0002$ then, the target.resource.name UDM field is set to PROCESS_CREATE_THREAD. , Else, If the GrantedAccess log field value matches the regular expression pattern ^0x0040$ then, the target.resource.name UDM field is set to PROCESS_DUP_HANDLE. , Else, If the GrantedAccess log field value matches the regular expression pattern ^0x0400$ then, the target.resource.name UDM field is set to PROCESS_QUERY_INFORMATION. , Else, If the GrantedAccess log field value matches the regular expression pattern ^0x1000$ then, the target.resource.name UDM field is set to PROCESS_QUERY_LIMITED_INFORMATION. , Else, If the GrantedAccess log field value matches the regular expression pattern ^0x0200$ then, the target.resource.name UDM field is set to PROCESS_SET_INFORMATION. , Else, If the GrantedAccess log field value matches the regular expression pattern ^0x0100$ then, the target.resource.name UDM field is set to PROCESS_SET_QUOTA. , Else, If the GrantedAccess log field value matches the regular expression pattern ^0x0800$ and if the GrantedAccess log field value matches the regular expression pattern ^0x0001$ then, the target.resource.name UDM field is set to PROCESS_TERMINATE. , Else, If the GrantedAccess log field value matches the regular expression pattern ^0x0008$ then, the target.resource.name UDM field is set to PROCESS_VM_OPERATION. , Else, If the GrantedAccess log field value matches the regular expression pattern ^0x0010$ then, the target.resource.name UDM field is set to PROCESS_VM_READ. , Else, If the GrantedAccess log field value matches the regular expression pattern ^0x0020$ then, the target.resource.name UDM field is set to PROCESS_VM_WRITE. , Else, If the GrantedAccess log field value matches the regular expression pattern ^0x00100000L$ then, the target.resource.name UDM field is set to SYNCHRONIZE.
	target.resource.resource_type	If the EventID log field value contain one of the following values:416 then, the target.resource.resource_type UDM field is set to SETTING. , Else, If EventID log field value contain one of the following values:1718 then, the target.resource.resource_type UDM field is set to PIPE.,
	target.resource.resource_subtype	If the EventID log field value is equal to 11 then, the target.resource.resource_subtype UDM field is set to CreationUtcTime. , Else, If EventID log field value is equal to 10 then, the target.resource.resource_subtype UDM field is set to GrantedAccess. , Else, If EventID log field value is equal to 4 then, the target.resource.resource_subtype UDM field is set to State.,
TargetUser	target.user.userid
	network.direction	If the EventID log field value is equal to 3 then, the network.direction UDM field is set to OUTBOUND.
	security_result.action	If the EventID log field value is equal to 3 then, the security_result.action UDM field is set to ALLOW.
ProviderGuid	observer.asset_id	ProviderGuid log field is mapped to the observer.asset_id UDM field.
Keywords	additional.fields[Keywords]
ThreadID	additional.fields[thread_id]
ThreadID	additional.fields[ThreadID]
Channel	additional.fields[channel]
Opcode	additional.fields[Opcode]
LogonId	principal.network.session_id
LogonGuid	additional.fields[LogonGuid]
TerminalSessionId	additional.fields[TerminalSessionId]
SourcePortName	additional.fields[SourcePortName]
SourceIsIpv6	additional.fields[SourceIsIpv6]
DestinationPortName	additional.fields[DestinationPortName]
DestinationIsIpv6	additional.fields[DestinationIsIpv6]
Initiated	additional.fields[Initiated]
SchemaVersion	additional.fields[SchemaVersion]
CallTrace	additional.fields[CallTrace]
	network.application_protocol	If the EventID log field value is equal to 22 then, the network.application_protocol UDM field is set to DNS.
NewThreadId	additional.fields[NewThreadId]
StartAddress	additional.fields[StartAddress]
StartFunction	additional.fields[StartFunction]
StartModule	additional.fields[StartModule]
ParentUser	additional.fields[ParentUser]
IntegrityLevel	target.process.integrity_level_rid	If the EventID log field value contain one of the following values:181716541 and if the IntegrityLevel log field value matches the regular expression pattern (?i)(Untrusted) then, the target.process.integrity_level_rid UDM field is set to 0. , Else, if IntegrityLevel log field value matches the regular expression pattern (?i)(Low) then, the target.process.integrity_level_rid UDM field is set to 4096. , Else, if IntegrityLevel log field value matches the regular expression pattern (?i)(Medium) then, the target.process.integrity_level_rid UDM field is set to 8192. , Else, if IntegrityLevel log field value matches the regular expression pattern (?i)(High) then, the target.process.integrity_level_rid UDM field is set to 12288. , Else, if IntegrityLevel log field value matches the regular expression pattern (?i)(System) then, the target.process.integrity_level_rid UDM field is set to 16384. , Else, if IntegrityLevel log field value matches the regular expression pattern (?i)(Protected) then, the target.process.integrity_level_rid UDM field is set to 20480.,
IntegrityLevel	principal.process.integrity_level_rid	If the EventID log field value does not contain one of the following values:181716541 and if the IntegrityLevel log field value matches the regular expression pattern (?i)(Untrusted) then, the principal.process.integrity_level_rid UDM field is set to 0. , Else, if IntegrityLevel log field value matches the regular expression pattern (?i)(Low) then, the principal.process.integrity_level_rid UDM field is set to 4096. , Else, if IntegrityLevel log field value matches the regular expression pattern (?i)(Medium) then, the principal.process.integrity_level_rid UDM field is set to 8192. , Else, if IntegrityLevel log field value matches the regular expression pattern (?i)(High) then, the principal.process.integrity_level_rid UDM field is set to 12288. , Else, if IntegrityLevel log field value matches the regular expression pattern (?i)(System) then, the principal.process.integrity_level_rid UDM field is set to 16384. , Else, if IntegrityLevel log field value matches the regular expression pattern (?i)(Protected) then, the principal.process.integrity_level_rid UDM field is set to 20480.,
Computer	additional.fields[Computer]	If the HostName log field value is not empty or the Hostname log field value is not empty then, Computer log field is mapped to the additional.fields.Computer UDM field.
Task	security_result.summary

Need more help? Get answers from Community members and Google SecOps professionals.