Today I tested installing Auditbeat on Windows with the default configuration. It seems like it works, with a few questions and notes.
1. The delivered dashboards are not so usable. I found that user-related audits are completely missing: logon attempts etc. I tried to find it in the documentation but I failed. Information is missing.
2. File integrity is also a very useful module, but there are some things that I am missing. One thing is who is the owner of the changed file, and much more important information is who performed the update / delete. This information is missing. Please add it. It will make sense to use it.
3. Perfect information you can find with process monitoring.
4. An amazing feature would be to get a list of installed roles, sub-roles and features. For a system audit this is very useful information.
It was my first touch with Auditbeat on Windows. I am already using Winlogbeat and Metricbeat.
Except for point 4, I am able to get all this information from winlog: point 1 is in the Security log by default, point 2 after enabling auditing in NTFS, and for point 3 you can use Sysmon and then read the info in the log.
Only point 4 is not available at all. So for points 1-3, why use Auditbeat? I can imagine it only if you are not a Windows admin and you don't understand GPO, the event log and Sysmon; then it can be much easier.
What am I missing?
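For point 2 above (who performed the update / delete), the Windows-native route the post refers to is NTFS object-access auditing read back from the Security log. The following is an added example, not from the poster or from Elastic: it enables the File System audit subcategory, puts a SACL on a folder, and then lists Event 4663 records with the acting account. It assumes an elevated PowerShell session; the folder path is a placeholder.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell session.
$Folder = 'C:\AuditDemo'   # placeholder path, replace with the directory you want watched
New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# 1. Turn on the "File System" subcategory of Object Access auditing.
#    Without this, a SACL on the folder produces no events at all.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry: audit successful Write / Delete by Everyone,
#    inherited by files and subfolders of $Folder.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            'Everyone',
            [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles',
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Make a change so there is something to look at (constructed sample file).
Set-Content -Path (Join-Path $Folder 'test.txt') -Value 'constructed sample content'

# 4. Read back 4663 ("An attempt was made to access an object") events under $Folder.
#    Property indices follow the 4663 event template: 1 = SubjectUserName,
#    2 = SubjectDomainName, 6 = ObjectName, 9 = AccessMask, 11 = ProcessName.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 |
    Where-Object { $_.Properties[6].Value -like "$Folder*" } |
    ForEach-Object {
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Account    = $_.Properties[1].Value
            Domain     = $_.Properties[2].Value
            Object     = $_.Properties[6].Value
            AccessMask = ('0x{0:X}' -f [int]$_.Properties[9].Value)  # 0x2 write, 0x10000 delete
            Process    = $_.Properties[11].Value
        }
    } | Format-Table -AutoSize
```

Once these events exist, Winlogbeat shipping the Security channel carries the same account and process fields, which is the data the file integrity module does not surface on its own.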