diff --git a/config/processors/api_list_ad_users.conf b/config/processors/api_list_ad_users.conf
index 590e9805..889f355a 100644
--- a/config/processors/api_list_ad_users.conf
+++ b/config/processors/api_list_ad_users.conf
@@ -13,8 +13,8 @@ filter {
 }
 mutate{
 add_field => {
-"[event][module]" => "azure"
-"[event][dataset]" => "azure.directory_users"
+"[event][module]" => "active_directory"
+"[event][dataset]" => "active_directory.users"
 "[log][source][hostname]" => "%{[agent][name]}"
 }
 }
diff --git a/config/processors/wef_audit_windows.events.conf b/config/processors/wef_audit_windows.events.conf
index a2e29c99..0ee43780 100644
--- a/config/processors/wef_audit_windows.events.conf
+++ b/config/processors/wef_audit_windows.events.conf
@@ -373,9 +373,15 @@ filter {
 }
 }
 }
+
+ # Copy any thing not mapped form "[winlog]" to [event][original] string
+ ruby {
+ code => 'event.set("[event][original]", event.get("[winlog]").to_s)'
+ }
 mutate {
 remove_field => [ "[winlog]", "ecs", "tmp", "type", "ticket_encrypt", "ticket_option", "[fields]", "failure_code" ]
 }
+
 }
 output {
 pipeline { send_to => [enrichments] }
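Review bot: The added `ruby` filter calls `event.get("[winlog]").to_s` unconditionally, so an event with no `[winlog]` field gets `[event][original]` set to `""` (`nil.to_s`), and any `event.original` the shipper already populated is silently overwritten. `Hash#to_s` also produces Ruby inspect syntax (`{"key"=>"value"}`) rather than JSON, which makes the field awkward to parse or search later; a guarded JSON dump reads `code => 'w = event.get("[winlog]"); event.set("[event][original]", w.to_json) unless w.nil?'`. The copy runs after the earlier mappings but before `remove_field` drops `[winlog]`, so it appears to carry whatever is left in the hash at that point — if earlier filters do not delete already-mapped keys from `[winlog]`, this duplicates them rather than copying only the unmapped ones the comment describes, which is worth confirming. The comment itself has typos and should read `# Copy anything not yet mapped from [winlog] into [event][original] as a string`. The enclosing `filter` block starts above the hunk.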