title: HELK index patterns and OSSEM field mappings
order: 20
backends:
  - es-qs
  - es-dsl
  - es-rule
  - kibana
  - kibana-ndjson
  - xpack-watcher
  - elastalert
  - elastalert-dsl
logsources:
  windows-application:
    product: windows
    service: application
    index: logs-endpoint-winevent-application-*
  windows-security:
    product: windows
    service: security
    index: logs-endpoint-winevent-security-*
  windows-sysmon:
    product: windows
    service: sysmon
    index: logs-endpoint-winevent-sysmon-*
  windows-system:
    product: windows
    service: system
    index: logs-endpoint-winevent-system-*
  windows-wmi:
    product: windows
    service: wmi
    index: logs-endpoint-winevent-wmiactivity-*
  windows-powershell:
    product: windows
    service: powershell
    index: logs-endpoint-winevent-powershell-*
  windows-powershell-classic:
    product: windows
    service: powershell-classic
    index: logs-endpoint-winevent-powershell-*
defaultindex: logs-*
fieldmappings:
    AccessMask: object_access_mask_requested
    AccountName: user_name
    AllowedToDelegateTo: user_attribute_allowed_todelegate
    AttributeLDAPDisplayName: dsobject_attribute_name
    AuditPolicyChanges: policy_changes
    AuthenticationPackageName: logon_authentication_package
    CallingProcessName: process_path
    CallTrace: process_call_trace
    ClientAddress: src_ip_addr
    ClientIPAddress: src_ip_addr
    ClientIP: src_ip_addr
    CommandLine: process_command_line
    Company: file_company
    ComputerName: host_name
    Configuration:
        EventID=16: sysmon_configuration
    ConnectedViaIPAddress: dst_nat_ip_addr
    CurrentDirectory: process_current_directory
    Description: file_description
    DestAddress: dst_ip_addr
    Destination:
        EventID=20: wmi_consumer_destination
    DestinationHostname: dst_host_name
    DestinationIp: dst_ip_addr
    DestinationPort: dst_port
    DestinationPortName: dst_port_name
    Details:
        EventID=13: registry_key_value
    Device: device_name
    EngineVersion: powershell.engine.version
    EventID: event_id
    EventType: event_type
    EventNamespace:
        EventID=19: wmi_namespace
    Filter:
        EventID=21: wmi_filter_path
    FailureCode: ticket_failure_code
    FileName: file_name
    FileVersion: file_version
    GrantedAccess: process_granted_access
    GroupName: group_name
    GroupSid: group_sid
    HiveName: hive_name
    HostVersion: powershell.host.version
    Image: process_path
    ImageLoaded:
        EventID=6: driver_loaded
        EventID=7: module_loaded
    Imphash: hash_imphash
    Initiated:
        EventID=3: network_initiated
    IntegrityLevel:
        EventID=1: process_integrity_level
    ipAddress: dst_ip_addr
    IpAddress: src_ip_addr
    IPString: src_ip_addr
    LaunchedViaIPAddress: dst_ip_addr
    LogonProcessName: logon_process_name
    LogonType: logon_type
    MachineIpAddress: dst_ip_addr
    MachineName: host_name
    Name:
        EventID=19: wmi_name
        EventID=20: wmi_name
    NewProcessName: process_path
    NewName:
        EventID=14: registry_key_new_name
    ObjectClass: dsobject_class
    ObjectName: object_name
    ObjectType: object_type
    ObjectValueName: object_value_name
    Operation:
        EventID=19: wmi_operation
        EventID=20: wmi_operation
        EventID=21: wmi_operation
    OperationType: object_operation_type
    OriginalFileName: file_name_original
    ParentImage: process_parent_path
    ParentProcessName: process_parent_path
    PasswordLastSet: user_attribute_password_lastset
    Path: process_path
    ParentCommandLine: process_parent_command_line
    PipeName: pipe_name
    ProcessName: process_path
    ProcessCommandLine: process_command_line
    Product: file_product
    Properties: object_properties
    Protocol:
        EventID=3: network_protocol
    Query:
        EventID=19: wmi_query
    RelativeTargetName: share_relative_target_name
    SourceAddress: src_ip_addr
    SchemaVersion:
        EventID=4: sysmon_schema_version
    ServiceFileName: service_image_path
    ServiceName: service_name
    ShareName: share_name
    Signature: signature
    SignatureStatus: signature_status
    Signed: signed
    Source: source_name
    SourceHostname: src_host_name
    SourceImage: process_path
    SourceIp: src_ip_addr
    SourcePort: src_port
    SourcePortName: src_port_name
    StartAddress: thread_start_address
    StartFunction: thread_start_function
    StartModule: thread_start_module
    Status: event_status
    State:
        EventID=4: service_state
        EventID=16: sysmon_configuration_state
    SubjectUserName:
        EventID=4624: user_reporter_name
        EventId=4648: user_name
        EventID=5140: user_name
    TargetServer: dst_ip_addr
    TaskName: task_name
    TicketEncryptionType: ticket_encryption_type
    TicketOptions: ticket_options
    TargetFilename: file_name
    TargetImage: target_process_path
    TargetProcessAddress: thread_start_address
    TargetObject: registry_key_path
    Type:
        EventID=20: wmi_consumer_type
    User: user_account
    UserName: user_name
    Value:
      EventID=1102: dst_ip_addr
    Version:
        EventID=4: sysmon_version
    Workstation: src_host_name
    WorkstationName: src_host_name