diff --git a/config/eid_subcategory_mapping-org.csv b/config/eid_subcategory_mapping-org.csv
new file mode 100644
index 00000000..17509876
--- /dev/null
+++ b/config/eid_subcategory_mapping-org.csv
@@ -0,0 +1,69 @@
+"Category","Subcategory","GUID"
+"System","","69979848-797A-11D9-BED3-505054503030"
+"System","Security State Change","0CCE9210-69AE-11D9-BED3-505054503030"
+"System","Security System Extension","0CCE9211-69AE-11D9-BED3-505054503030"
+"System","System Integrity","0CCE9212-69AE-11D9-BED3-505054503030"
+"System","IPsec Driver","0CCE9213-69AE-11D9-BED3-505054503030"
+"System","Other System Events","0CCE9214-69AE-11D9-BED3-505054503030"
+"Logon/Logoff","","69979849-797A-11D9-BED3-505054503030"
+"Logon/Logoff","Logon","0CCE9215-69AE-11D9-BED3-505054503030"
+"Logon/Logoff","Logoff","0CCE9216-69AE-11D9-BED3-505054503030"
+"Logon/Logoff","Account Lockout","0CCE9217-69AE-11D9-BED3-505054503030"
+"Logon/Logoff","IPsec Main Mode","0CCE9218-69AE-11D9-BED3-505054503030"
+"Logon/Logoff","IPsec Quick Mode","0CCE9219-69AE-11D9-BED3-505054503030"
+"Logon/Logoff","IPsec Extended Mode","0CCE921A-69AE-11D9-BED3-505054503030"
+"Logon/Logoff","Special Logon","0CCE921B-69AE-11D9-BED3-505054503030"
+"Logon/Logoff","Other Logon/Logoff Events","0CCE921C-69AE-11D9-BED3-505054503030"
+"Logon/Logoff","Network Policy Server","0CCE9243-69AE-11D9-BED3-505054503030"
+"Logon/Logoff","User / Device Claims","0CCE9247-69AE-11D9-BED3-505054503030"
+"Logon/Logoff","Group Membership","0CCE9249-69AE-11D9-BED3-505054503030"
+"Object Access","","6997984A-797A-11D9-BED3-505054503030"
+"Object Access","File System","0CCE921D-69AE-11D9-BED3-505054503030"
+"Object Access","Registry","0CCE921E-69AE-11D9-BED3-505054503030"
+"Object Access","Kernel Object","0CCE921F-69AE-11D9-BED3-505054503030"
+"Object Access","SAM","0CCE9220-69AE-11D9-BED3-505054503030"
+"Object Access","Certification Services","0CCE9221-69AE-11D9-BED3-505054503030"
+"Object Access","Application Generated","0CCE9222-69AE-11D9-BED3-505054503030"
+"Object Access","Handle Manipulation","0CCE9223-69AE-11D9-BED3-505054503030"
+"Object Access","File Share","0CCE9224-69AE-11D9-BED3-505054503030"
+"Object Access","Filtering Platform Packet Drop","0CCE9225-69AE-11D9-BED3-505054503030"
+"Object Access","Filtering Platform Connection","0CCE9226-69AE-11D9-BED3-505054503030"
+"Object Access","Other Object Access Events","0CCE9227-69AE-11D9-BED3-505054503030"
+"Object Access","Detailed File Share","0CCE9244-69AE-11D9-BED3-505054503030"
+"Object Access","Removable Storage","0CCE9245-69AE-11D9-BED3-505054503030"
+"Object Access","Central Policy Staging","0CCE9246-69AE-11D9-BED3-505054503030"
+"Privilege Use","","6997984B-797A-11D9-BED3-505054503030"
+"Privilege Use","Sensitive Privilege Use","0CCE9228-69AE-11D9-BED3-505054503030"
+"Privilege Use","Non Sensitive Privilege Use","0CCE9229-69AE-11D9-BED3-505054503030"
+"Privilege Use","Other Privilege Use Events","0CCE922A-69AE-11D9-BED3-505054503030"
+"Detailed Tracking","","6997984C-797A-11D9-BED3-505054503030"
+"Detailed Tracking","Process Creation","0CCE922B-69AE-11D9-BED3-505054503030"
+"Detailed Tracking","Process Termination","0CCE922C-69AE-11D9-BED3-505054503030"
+"Detailed Tracking","DPAPI Activity","0CCE922D-69AE-11D9-BED3-505054503030"
+"Detailed Tracking","RPC Events","0CCE922E-69AE-11D9-BED3-505054503030"
+"Detailed Tracking","Plug and Play Events","0CCE9248-69AE-11D9-BED3-505054503030"
+"Detailed Tracking","Token Right Adjusted Events","0CCE924A-69AE-11D9-BED3-505054503030"
+"Policy Change","","6997984D-797A-11D9-BED3-505054503030"
+"Policy Change","Audit Policy Change","0CCE922F-69AE-11D9-BED3-505054503030"
+"Policy Change","Authentication Policy Change","0CCE9230-69AE-11D9-BED3-505054503030"
+"Policy Change","Authorization Policy Change","0CCE9231-69AE-11D9-BED3-505054503030"
+"Policy Change","MPSSVC Rule-Level Policy Change","0CCE9232-69AE-11D9-BED3-505054503030"
+"Policy Change","Filtering Platform Policy Change","0CCE9233-69AE-11D9-BED3-505054503030"
+"Policy Change","Other Policy Change Events","0CCE9234-69AE-11D9-BED3-505054503030"
+"Account Management","","6997984E-797A-11D9-BED3-505054503030"
+"Account Management","User Account Management","0CCE9235-69AE-11D9-BED3-505054503030"
+"Account Management","Computer Account Management","0CCE9236-69AE-11D9-BED3-505054503030"
+"Account Management","Security Group Management","0CCE9237-69AE-11D9-BED3-505054503030"
+"Account Management","Distribution Group Management","0CCE9238-69AE-11D9-BED3-505054503030"
+"Account Management","Application Group Management","0CCE9239-69AE-11D9-BED3-505054503030"
+"Account Management","Other Account Management Events","0CCE923A-69AE-11D9-BED3-505054503030"
+"DS Access","","6997984F-797A-11D9-BED3-505054503030"
+"DS Access","Directory Service Access","0CCE923B-69AE-11D9-BED3-505054503030"
+"DS Access","Directory Service Changes","0CCE923C-69AE-11D9-BED3-505054503030"
+"DS Access","Directory Service Replication","0CCE923D-69AE-11D9-BED3-505054503030"
+"DS Access","Detailed Directory Service Replication","0CCE923E-69AE-11D9-BED3-505054503030"
+"Account Logon","","69979850-797A-11D9-BED3-505054503030"
+"Account Logon","Credential Validation","0CCE923F-69AE-11D9-BED3-505054503030"
+"Account Logon","Kerberos Service Ticket Operations","0CCE9240-69AE-11D9-BED3-505054503030"
+"Account Logon","Other Account Logon Events","0CCE9241-69AE-11D9-BED3-505054503030"
+"Account Logon","Kerberos Authentication Service","0CCE9242-69AE-11D9-BED3-505054503030"
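Review bot: Nothing in this new file or its name records where the table came from or what the `-org` suffix means; it reads like an untouched reference copy of an audit category/subcategory listing, but a reader has to guess that. CSV has no comment syntax, so I would record the source command, the Windows build it was captured on, and the purpose of the `-org` copy in the commit description or an adjacent README. The nine category rows carry an empty `Subcategory` (for example `"System","","69979848-797A-11D9-BED3-505054503030"`), so whatever loads this file presumably has to treat them as category-level entries and not key on the subcategory name alone. The loader is not visible in this diff, but it should report a GUID that is absent from the table as unknown instead of dropping it, so that a subcategory added by a later Windows release does not silently vanish from audit-coverage results.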