title: ELK Windows Indices and Mappings
logsources:
  windows:
    product: windows
    index: logstash-windows-*
  windows-application:
    product: windows
    service: application
    conditions:
      EventLog: Application
  windows-security:
    product: windows
    service: security
    conditions:
      EventLog: Security
  windows-sysmon:
    product: windows
    service: sysmon
    conditions:
      EventLog: Microsoft-Windows-Sysmon
  windows-dns-server:
    product: windows
    service: dns-server
    conditions:
      EventLog: 'DNS Server'
  windows-driver-framework:
    product: windows
    service: driver-framework
    conditions:
      EventLog: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
  windows-ntlm:
    product: windows
    service: ntlm
    conditions:
      EventLog: 'Microsoft-Windows-NTLM/Operational'
  windows-applocker:
    product: windows
    service: applocker
    conditions:
      EventLog:
        - 'Microsoft-Windows-AppLocker/MSI and Script'
        - 'Microsoft-Windows-AppLocker/EXE and DLL'
        - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
        - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
  windows-msexchange-management:
    product: windows
    service: msexchange-management
    conditions:
      EventLog: 'MSExchange Management'
  windows-printservice-admin:
    product: windows
    service: printservice-admin
    conditions:
      EventLog: 'Microsoft-Windows-PrintService/Admin'
  windows-printservice-operational:
    product: windows
    service: printservice-operational
    conditions:
      EventLog: 'Microsoft-Windows-PrintService/Operational'
  windows-smbclient-security:
    product: windows
    service: smbclient-security
    conditions:
      log_name: 'Microsoft-Windows-SmbClient/Security'
defaultindex: logstash-*