Auditbeat compared to Winlogbeat, Metricbeat

On Windows Auditbeat the system module exposes the host and processes datasets. In this setup the file integrity module is not used. On the same MS servers Winlogbeat with the security module as well as Metricbeat and Packetbeat are deployed. The SIEM app is important to the business in this setup.

My question is: do I miss any important events, especially in the SIEM app, by excluding the Auditbeat from the deployment on Windows. I have performed some tests, which indicate the Winlogbeat security module feeds the required data to SIEM.

How about the upcoming version 8.0 of Auditbeat - will it add more functionality on Windows compared to the current version?

(Moving post to SIEM category)

Regarding my first question I was able to find most of the answer in the SIEM guide SIEM Guide SIEM filed reference guide. . The guide lists all the ECS fields used by the SIEM app. However, I miss the mapping from the SIEM fields to the individual beats, and an indication of which beat index is used by SIEM, if a value can be fetched from more indices.

Regarding my second questions I hope someone from Elasticsearch will take they time to answer this. I understand that the beats will be updated to the Elasticsearch agent in release 8, and we are may looking forward to learn more about this.

Hi @fgjensen thanks for the questions. I know others that have asked similar questions. Let me try to provide some answers.

However, I miss the mapping from the SIEM fields to the individual beats

Good point, I don't know of a good single reference that provides this mapping, but you can piece it together from the various "exported fields" sections in the beats documentation. For example:

and an indication of which beat index is used by SIEM, if a value can be fetched from more indices.

There are two places you can see and change which index patterns are used by the SIEM App (now Security App in v7.9)

  1. In the Kibana Advanced Settings. Note this is the default for all in-app tables, widgets, etc.

  2. In the SIEM (Security) Detection Rule Definition (when creating or editing a detection rule). Note this selection applies only to this rule, and does not affect the other parts of the app.

How about the upcoming version 8.0 of Auditbeat - will it add more functionality on Windows compared to the current version?

This topic is under discussion, so I can't provide concrete answers about the future, but there is one additional Elastic Agent integration you should consider, which is the new-in-7.9 Elastic Endpoint Security integration for Agent, which (in addition to awesome on-endpoint protection against malware) also gathers a significant amount of event data from Windows endpoints. You can learn more about it here: https://www.elastic.co/guide/en/security/current/install-endpoint.html

Hope this helps!

Hi @Mike_Paquette,

Thanks for taking your time to answer my questions in details. I'll certainly take a closer view on the end-point protection.

I did some testing with Auditbeat processes dataset on Windows and Winlogbeat security events in the SIEM app. The conclusion is that Winlogbeat provides events for the host view, while Auditbeat provides events for the anormal processes view. So I concluded that I had to deploy Auditbeat, Metricbeat, Packetbeat and Winlogbeat on the Windows hosts in order to have all required data in SIEM.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.