Thanks @jstoner . That did point in the right direction. I am assuming all the logs parsed by default parser are going to have same fields and if not we will be able to leverage parser extension for it?

So each log type has its own parser but there is a default parser for each log type. The usage guide (https://cloud.google.com/chronicle/docs/unified-data-model/udm-usage) in addition to the field list referenced above provides fields and guidance around the fields that will be populated. The usage guide calls out specific fields for each event_type but don't cover all the possible fields. If you find that the default parser for a specific log type doesn't have every field you want or you want to manipulate a certain field into another field within the UDM schema, a parser extension can then be leveraged that is unique to your tenant to accomplish this. Hope that helps!

->You can look for auth type to differentiate between system login or login's through any another source.

->Choose the right event ID

Windows 4768 A Kerberos authentication ticket (TGT) was requested
Windows 4769 A Kerberos service ticket was requested
Windows 4770 A Kerberos service ticket was renewed
Windows 4771 Kerberos pre-authentication failed
Windows 4772 A Kerberos authentication ticket request failed
Windows 4773 A Kerberos service ticket request failed
Windows 4774 An account was mapped for logon
Windows 4775 An account could not be mapped for logon
Windows 4776 The domain controller attempted to validate the credentials for an account
Windows 4777 The domain controller failed to validate the credentials for an account
Windows 4820 A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions

->Check for action status

Allowed are successful events and blocked are failure events, if you want to drilldown more you can user error codes further to identify such cases