I am interesting in Windows Event ID 4648. Windows Security Log Event ID 4648 - A logon was attempted using explicit credentials. I would like to know which user is responsible for this action. I though ArcSight would use the sourceUserName field but this field is always empty. I checked additional data names but I didn't find one I could use. . List of items with an ID (6380) Item ID 200 Theons: 37712 25 Years Backpack: 39693 50 Theons: 37710 7197 Theons: 37711 Abacus: 8156 Abacus (Replica) 19151 Abandoned Imbuing Shrine: 25101, 25102 Abomination's Eye: 36792 Abomination's Tail: 36791 Abomination's Tongue: 36793 Abyss Hammer: 7414 Abyssador's Lash:.