logon.type has been a numeric value for Windows logs in RSA NetWitness for a while, but it is not normally indexed. Now, with RSA NetWitness Endpoint Insights and the built-in Windows log parser (device.type='windows'), the meta key logon.type is indexed OOTB.
Having a feed that matches all potential sources of values for that meta key and maps each one to a useful, analyst-friendly name can go a long way toward illustrating what logon.type=2 actually means and why you should or should not care.
This feed was built from a Microsoft KB article and populates a new meta key: logon.type.desc.
It looks like this and currently triggers on device.type='windows','nwendpoint','winevent_nic'.
Here's my GitHub link specifically for this feed, which will reflect any changes made in the future.
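To make the mechanics concrete, here is an added example (not the author's feed, and not RSA code) that builds a lookup of Windows logon type codes to descriptions, renders it as the two-column value,description CSV a feed would carry, and emulates the enrichment step: a record is only enriched when its device.type is one of the callback types named above, and an unrecognised code is labelled rather than dropped so an analyst can see the gap. The code meanings are taken from Microsoft's documentation of Security event 4624; the CSV layout, the enrich() emulation and the sample records are assumptions constructed for this illustration.

```python
"""Build a logon.type -> logon.type.desc lookup feed and apply it to sample meta.

Added illustration only: the CSV layout and the enrichment loop are assumptions
about how a NetWitness lookup feed behaves, not the product's implementation.
"""
import csv
import io

# Logon type codes written to Security event 4624/4625 etc. (Microsoft docs).
LOGON_TYPE_DESC = {
    "0": "System (used only by the System account)",
    "2": "Interactive (local console)",
    "3": "Network (file share, RPC, most remote auth)",
    "4": "Batch (scheduled task)",
    "5": "Service (service startup)",
    "7": "Unlock (workstation unlock)",
    "8": "NetworkCleartext (password passed in clear, e.g. IIS basic auth)",
    "9": "NewCredentials (RunAs /netonly)",
    "10": "RemoteInteractive (RDP / Terminal Services)",
    "11": "CachedInteractive (cached domain creds, no DC reachable)",
    "12": "CachedRemoteInteractive (RDP with cached creds)",
    "13": "CachedUnlock (unlock with cached creds)",
}

# Only records from these log sources are enriched, mirroring the
# device.type callback keys the feed is configured for.
CALLBACK_DEVICE_TYPES = {"windows", "nwendpoint", "winevent_nic"}


def build_feed_csv() -> str:
    """Render the lookup as a value,description CSV, ordered by numeric code."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for code, desc in sorted(LOGON_TYPE_DESC.items(), key=lambda kv: int(kv[0])):
        writer.writerow([code, desc])
    return buf.getvalue()


def enrich(record: dict) -> dict:
    """Return a copy of record with logon.type.desc added when the feed applies.

    Records from other device types are left untouched; an unknown code gets
    'unknown (<code>)' so a gap in the feed is visible rather than silent.
    """
    out = dict(record)
    if record.get("device.type") not in CALLBACK_DEVICE_TYPES:
        return out
    value = record.get("logon.type")
    if value is None:
        return out
    out["logon.type.desc"] = LOGON_TYPE_DESC.get(str(value), f"unknown ({value})")
    return out


# Constructed sample meta records, not real NetWitness output.
SAMPLE_RECORDS = [
    {"device.type": "windows", "reference.id": "4624", "logon.type": 2, "user.dst": "alice"},
    {"device.type": "nwendpoint", "reference.id": "4624", "logon.type": 10, "user.dst": "svc-backup"},
    {"device.type": "winevent_nic", "reference.id": "4625", "logon.type": 3, "user.dst": "bob"},
    {"device.type": "windows", "reference.id": "4624", "logon.type": 99, "user.dst": "carol"},
    {"device.type": "rhlinux", "logon.type": 2, "user.dst": "root"},
]


def enrich_all(records=SAMPLE_RECORDS) -> list:
    """Apply the lookup to every record; hypothetical stand-in for the decoder."""
    return [enrich(r) for r in records]


if __name__ == "__main__":
    print(build_feed_csv())
    for r in enrich_all():
        print(r.get("device.type"), r.get("logon.type"), "->",
              r.get("logon.type.desc", "<not enriched>"))
```

The rhlinux record shows why the callback keys matter: a logon.type of 2 from a non-Windows source would otherwise be mislabelled "Interactive", and the 99 record shows the feed gap that "match all potential sources of values" is meant to close.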