diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index d46dd205..f3c48790 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -468,12 +468,8 @@ fieldmappings:
     TargetOutboundUserName: winlog.event_data.TargetOutboundUserName
     TargetServerName: winlog.event_data.TargetServerName
     TargetSid: winlog.event_data.TargetSid
-    TargetUserName:
-        service=security: user.name
-        default: winlog.event_data.TargetUserName
-    TargetUserSid:
-        service=security: user.id
-        default: winlog.event_data.TargetUserSid
+    TargetUserName: winlog.event_data.TargetUserName
+    TargetUserSid: winlog.event_data.TargetUserSid
     TaskContent: winlog.event_data.TaskContent
     TaskName: winlog.event_data.TaskName
     TicketEncryptionType: winlog.event_data.TicketEncryptionType