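Below is the raw JSON document for the event. I have removed some privacy-related details; placeholders such as HOSTNAME, USERNAME, DOMAIN, SID and IP stand in for the real values. Please let me know if you need more information.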
{
"_index": "winlogbeat-7.8.0-2020.07.20",
"_type": "_doc",
"_id": "HO38anMBFI_Rqs2_n6pw",
"_version": 1,
"_score": null,
"_source": {
"log": {
"level": "information"
},
"winlog": {
"version": 2,
"provider_name": "Microsoft-Windows-Security-Auditing",
"logon": {
"id": "0x38e2849c",
"type": "Network"
},
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"record_id": 134091856,
"process": {
"thread": {
"id": 4200
},
"pid": 672
},
"event_id": 4624,
"opcode": "Info",
"api": "wineventlog",
"event_data": {
"TargetUserSid": "SID",
"ElevatedToken": "%%1842",
"TransmittedServices": "-",
"KeyLength": "128",
"SubjectLogonId": "0x0",
"SubjectUserName": "-",
"RestrictedAdminMode": "-",
"TargetLinkedLogonId": "-",
"TargetDomainName": "-",
"LogonProcessName": "NtLmSsp ",
"LmPackageName": "NTLM V2",
"TargetLogonId": "0x38e2849c",
"ImpersonationLevel": "%%1833",
"TargetUserName": "-",
"SubjectDomainName": "-",
"AuthenticationPackageName": "NTLM",
"LogonType": "3",
"SubjectUserSid": "-",
"TargetOutboundDomainName": "-",
"VirtualAccount": "%%1843",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"TargetOutboundUserName": "-"
},
"computer_name": "COMPUTERNAME",
"task": "Logon",
"keywords": [
"Audit Success"
],
"channel": "Security"
},
"ecs": {
"version": "1.5.0"
},
"source": {
"ip": "IP",
"domain": "HOSTNAME",
"port": 8227
},
"host": {
"ip": [
"ipv6",
"ipv4"
],
"os": {
"version": "10.0",
"family": "windows",
"name": "Windows Server 2019 Standard",
"build": "17763.1339",
"platform": "windows",
"kernel": "10.0.17763.1339 (WinBuild.160101.0800)"
},
"mac": [
"MAC-ADDRESS"
],
"name": "HOSTNAME",
"architecture": "x86_64",
"id": "ID",
"hostname": "HOSTNAME"
},
"user": {
"name": "USERNAME",
"domain": "DOMAIN",
"id": "SID"
},
"message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tSID\n\tAccount Name:\t\tUSERNAME\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x00000000\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\tHOSTNAME\n\tSource Network Address:\tIPV4\n\tSource Port:\t\t8227\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
"process": {
"executable": "-",
"pid": 0,
"name": "-"
},
"agent": {
"version": "7.8.0",
"id": "4ffb909b-3a14-406f-a265-2b9e433848d4",
"name": "HOSTNAME",
"hostname": "HOSTNAME",
"ephemeral_id": "bde3d3a1-c561-45af-904f-6e5d654ff7f9",
"type": "winlogbeat"
},
"related": {
"user": "USERNAME"
},
"@version": "1",
"@timestamp": "2020-07-20T06:50:05.953Z",
"type": "wineventlog",
"event": {
"outcome": "success",
"module": "security",
"provider": "Microsoft-Windows-Security-Auditing",
"created": "2020-07-20T06:50:06.387Z",
"category": "authentication",
"kind": "event",
"code": 4624,
"type": "start",
"action": "logged-in"
},
"tags": [
"winlogbeat",
"beats_input_codec_plain_applied"
]
},
"fields": {
"@timestamp": [
"2020-07-20T06:50:05.953Z"
],
"event.created": [
"2020-07-20T06:50:06.387Z"
],
"winlog.event_data.ProcessCreationTime": []
},
"sort": [
1595227805953
]
}