diff --git a/config/eventkey_alias.txt b/config/eventkey_alias.txt
index d9c80774..26fa1c93 100644
--- a/config/eventkey_alias.txt
+++ b/config/eventkey_alias.txt
@@ -26,7 +26,7 @@ TicketEncryptionType,Event.EventData.TicketEncryptionType
 PreAuthType,Event.EventData.PreAuthType
 TaskName,Event.EventData.TaskName
 WorkStationName,Event.EventData.WorkStationName
-Workstation,Event.EventData.WorkStation
+Workstation,Event.EventData.WorkstationName
 UserName,Event.EventData.UserName
 ServiceFileName,Event.EventData.ServiceFileName
 ComputerName,Event.System.Computer
@@ -170,3 +170,6 @@ Workstation,Event.EventData.Workstation
 WorkstationName,Event.EventData.WorkstationName
 JobTitle,Event.EventData.name
 Url,Event.EventData.url
+IpPort,Event.EventData.IpPort
+SubStatus,Event.EventData.SubStatus
+TargetDomainName,Event.EventData.TargetDomainName
\ No newline at end of file
diff --git a/src/afterfact.rs b/src/afterfact.rs
index 0ccd6d2a..9ab837e5 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -12,13 +12,13 @@ use std::process;
 #[serde(rename_all = "PascalCase")]
 pub struct CsvFormat<'a> {
 time: &'a str,
- filepath: &'a str,
- rulepath: &'a str,
- level: &'a str,
 computername: &'a str,
 eventid: &'a str,
+ level: &'a str,
 alert: &'a str,
 details: &'a str,
+ rulepath: &'a str,
+ filepath: &'a str,
 }
 
 pub fn after_fact() {
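Review bot: The `Workstation` alias is now defined twice with different targets: this hunk rewrites the entry at line 29 to `Event.EventData.WorkstationName`, while the second hunk's header context shows `Workstation,Event.EventData.Workstation` still present near line 169. Whichever entry the alias loader keeps (first match or last match) silently wins, so the rename may have no effect, or may break rules that relied on the other mapping, depending on load order I cannot see from here. If both Windows field spellings need to stay reachable they should be distinct alias names — the existing `WorkstationName,Event.EventData.WorkstationName` entry already covers the new target, so the simpler fix is to leave `Workstation` pointing at `Event.EventData.Workstation` and delete the duplicate. The `WorkStationName,Event.EventData.WorkStationName` line two lines above (capital S) also looks like a misspelled duplicate of the `WorkstationName` entry and is worth checking against a real event sample.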
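Review bot: `CsvFormat`'s field order is the CSV column order under serde, so reordering the fields here changes the report format, not just the struct, and any consumer parsing the output positionally (scripts, SIEM ingest mappings) will silently read `Level` where it expected `Filepath`. Nothing on the struct says the order is load-bearing; I would add `/// Field order defines the CSV column order written by after_fact(); reordering fields is a breaking change for anyone parsing the output positionally.` above `pub struct CsvFormat<'a>`. The new column order should also be called out in the changelog or release notes, which this diff does not touch.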
@@ -152,25 +152,25 @@ fn test_emit_csv() {
 .datetime_from_str("1996-02-27T01:05:01Z", "%Y-%m-%dT%H:%M:%SZ")
 .unwrap();
 let expect_tz = expect_time.with_timezone(&Local);
- let expect = "Time,Filepath,Rulepath,Level,Computername,Eventid,Alert,Details\n".to_string()
+ let expect = "Time,Computername,Eventid,Level,Alert,Details,Rulepath,Filepath\n".to_string()
 + &expect_tz
 .clone()
 .format("%Y-%m-%d %H:%M:%S%.3f %:z")
 .to_string()
 + ","
- + &testfilepath.replace(".evtx", "").to_string()
- + ","
- + testrulepath
- + ","
- + test_level
- + ","
 + test_computername
 + ","
 + test_eventid
 + ","
+ + test_level
+ + ","
 + test_title
 + ","
 + output
+ + ","
+ + testrulepath
+ + ","
+ + &testfilepath.replace(".evtx", "").to_string()
 + "\n";
 let mut file: Box =
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index 428267a4..771f1f21 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -8,6 +8,7 @@ use crate::detections::print::AlertMessage;
 use crate::detections::print::MESSAGES;
 use crate::detections::rule;
 use crate::detections::rule::RuleNode;
+use crate::detections::utils::get_serde_number_to_string;
 use crate::yaml::ParseYaml;
 use std::sync::Arc;
 
@@ -156,11 +157,11 @@ impl Detection {
 record_info.evtx_filepath.to_string(),
 rule.rulepath.to_string(),
 &record_info.record,
- rule.yaml["level"].as_str().unwrap_or("").to_string(),
+ rule.yaml["level"].as_str().unwrap_or("-").to_string(),
 record_info.record["Event"]["System"]["Computer"]
 .to_string()
 .replace("\"", ""),
- record_info.record["Event"]["System"]["EventID"].to_string(),
+ get_serde_number_to_string(&record_info.record["Event"]["System"]["EventID"]),
 rule.yaml["title"].as_str().unwrap_or("").to_string(),
 rule.yaml["output"].as_str().unwrap_or("").to_string(),
 );
diff --git a/src/detections/print.rs b/src/detections/print.rs
index cd2968ff..64300316 100644
--- a/src/detections/print.rs
+++ b/src/detections/print.rs
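Review bot: The `Computer` argument two lines below the changed `level` line still goes through `.to_string().replace("\"", "")`, which is the very conversion the new `get_serde_number_to_string` helper was introduced to replace: on a missing field it yields the literal text `null`, and on a string value the `replace` strips every quote character (including escaped ones inside the hostname) rather than just the JSON delimiters. Using the helper there too, `get_serde_number_to_string(&record_info.record["Event"]["System"]["Computer"]),`, keeps the three record fields consistent and removes the quote-stripping hack. Separately, `level` now defaults to `"-"` while `title` and `output` two lines down still default to `""`; if `-` is the intended placeholder for an absent YAML key it should be applied to all three, or the reason it is level-only should be commented. The enclosing call and the function around it extend beyond this hunk.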
@@ -1,5 +1,6 @@
 extern crate lazy_static;
 use crate::detections::configs;
+use crate::detections::utils::get_serde_number_to_string;
 use chrono::{DateTime, TimeZone, Utc};
 use lazy_static::lazy_static;
 use regex::Regex;
@@ -125,7 +126,7 @@ impl Message {
 }
 hash_map.insert(
 full_target_str.to_string(),
- tmp_event_record.as_str().unwrap_or("").to_string(),
+ get_serde_number_to_string(tmp_event_record),
 );
 }
 }
diff --git a/src/detections/utils.rs b/src/detections/utils.rs
index aada5520..59331832 100644
--- a/src/detections/utils.rs
+++ b/src/detections/utils.rs
@@ -89,6 +89,15 @@ pub fn get_event_id_key() -> String {
 return "Event.System.EventID".to_string();
 }
 
+/// serde:Valueの型を確認し、文字列を返します。
+pub fn get_serde_number_to_string(value: &serde_json::Value) -> String {
+ if value.is_string() {
+ return value.as_str().unwrap_or("").to_string();
+ } else {
+ return value.to_string();
+ }
+}
+
 // alias.txtについて、指定されたevent_keyに対応するaliasを取得します。
 pub fn get_alias(event_key: &String) -> Option {
 let conf = configs::CONFIG.read().unwrap();
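Review bot: Replacing `as_str().unwrap_or("")` with `get_serde_number_to_string(tmp_event_record)` changes what a non-string value becomes in the alert details: the helper falls back to `value.to_string()` for anything that is not a string, so a `Null` (alias key absent from this record) now renders as the literal `null`, and an object or array renders as JSON text, where all of these previously printed as an empty string. Numbers were presumably the target, but absent fields are routine in alias-driven output, so the insert should guard for that: `if tmp_event_record.is_null() { String::new() } else { get_serde_number_to_string(tmp_event_record) }` (or the helper itself could map `Null` to empty). How `tmp_event_record` is produced is outside the hunk, so I cannot confirm that `Null` reaches this point; the enclosing function starts before the hunk.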
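Review bot: The helper's name and doc comment say it converts numbers, but the `else` branch applies `Value::to_string()` to every non-string variant, so `Null` becomes the text `null`, booleans become `true`/`false`, and objects or arrays become JSON text — callers that used to do `as_str().unwrap_or("")` will now print `null` for absent event fields. If the intent is plain-text rendering for reports, make the `Null` case explicit, replace the `if`/`else` with early `return`s by a `match` expression, and write the doc comment in English so it matches the rest of the crate's public API (`serde:Value` in the current comment also looks like a typo for `serde_json::Value`). Whether `Null` should render as empty is a product decision I am inferring from the previous call-site behaviour, so confirm it before adopting the rewrite below.

```rust
/// Renders a `serde_json::Value` as plain text for report output.
///
/// Strings are returned without JSON quoting, `Null` (an absent field) becomes
/// the empty string so missing event data is not printed as the literal `null`,
/// and every other variant is rendered with its JSON text.
pub fn get_serde_number_to_string(value: &serde_json::Value) -> String {
    match value {
        serde_json::Value::Null => String::new(),
        serde_json::Value::String(s) => s.clone(),
        other => other.to_string(),
    }
}
```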