Here is my winlogbeat output (a single Sysmon event ID 1 "Process Create" record, emitted as JSON):
{"@timestamp":"2024-07-02T06:14:57.368Z","@metadata":{"beat":"winlogbeat","type":"_doc","version":"8.12.2"},"ecs":{"version":"8.0.0"},"agent":{"id":"5b29ed52-3822-4c30-84e5-d2ad3d2c94cb","name":"DESKTOP-AQ6N264","type":"winlogbeat","version":"8.12.2","ephemeral_id":"e8c68337-c4c5-4243-b79e-93a85a9da8bf"},"log":{"level":"information"},"message":"Process Create:\nRuleName: -\nUtcTime: 2024-07-02 06:14:57.367\nProcessGuid: {85b70ee6-9ae1-6683-8703-000000002100}\nProcessId: 2104\nImage: C:\\Windows\\System32\\conhost.exe\nFileVersion: 10.0.19041.4355 (WinBuild.160101.0800)\nDescription: Console Window Host\nProduct: Microsoft® Windows® Operating System\nCompany: Microsoft Corporation\nOriginalFileName: CONHOST.EXE\nCommandLine: \\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1\nCurrentDirectory: C:\\Windows\nUser: DESKTOP-AQ6N264\\Test\nLogonGuid: {85b70ee6-8e97-6683-b189-0a0000000000}\nLogonId: 0xA89B1\nTerminalSessionId: 2\nIntegrityLevel: High\nHashes: MD5=0F568F6C821565AB9FF45C7457953789,SHA256=CC0A60CD15FA21E54615E46CD0F10CFBE86F496DC64D14B31D9F3B415D120EE1,IMPHASH=0F64302D3280DE299F4C51A78746F606\nParentProcessGuid: {85b70ee6-9ae1-6683-8603-000000002100}\nParentProcessId: 6536\nParentImage: C:\\Users\\Test\\AppData\\Local\\Temp\\1301460b-456a-4606-876b-92cf36163032\\idaq.exe\nParentCommandLine: \"C:\\Users\\Test\\AppData\\Local\\Temp\\1301460b-456a-4606-876b-92cf36163032\\idaq.exe\" -t -w 3600000 -4 1.1.1.1 \nParentUser: DESKTOP-AQ6N264\\Test","host":{"mac":["00-15-5D-"],"hostname":"desktop-aq6n264","architecture":"x86_64","os":{"name":"Windows 10 Pro","kernel":"10.0.19041.4522 
(WinBuild.160101.0800)","build":"19045.4529","type":"windows","platform":"windows","version":"10.0","family":"windows"},"id":"85b70ee6-5b58-414e-8c6c-ee259a6d7b95","name":"desktop-aq6n264","ip":["fe80","172.25."]},"winlog":{"opcode":"Info","record_id":273333,"event_data":{"ParentCommandLine":"\"C:\\Users\\Test\\AppData\\Local\\Temp\\1301460b-456a-4606-876b-92cf36163032\\idaq.exe\" -t -w 3600000 -4 1.1.1.1 ","LogonGuid":"{85b70ee6-8e97-6683-b189-0a0000000000}","LogonId":"0xa89b1","Product":"Microsoft® Windows® Operating System","OriginalFileName":"CONHOST.EXE","UtcTime":"2024-07-02 06:14:57.367","Image":"C:\\Windows\\System32\\conhost.exe","ParentImage":"C:\\Users\\Test\\AppData\\Local\\Temp\\1301460b-456a-4606-876b-92cf36163032\\idaq.exe","ProcessGuid":"{85b70ee6-9ae1-6683-8703-000000002100}","FileVersion":"10.0.19041.4355 (WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows","RuleName":"-","Hashes":"MD5=0F568F6C821565AB9FF45C7457953789,SHA256=CC0A60CD15FA21E54615E46CD0F10CFBE86F496DC64D14B31D9F3B415D120EE1,IMPHASH=0F64302D3280DE299F4C51A78746F606","ParentUser":"DESKTOP-AQ6N264\\Test","Description":"Console Window Host","User":"DESKTOP-AQ6N264\\Test","Company":"Microsoft Corporation","CommandLine":"\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1","TerminalSessionId":"2","ParentProcessGuid":"{85b70ee6-9ae1-6683-8603-000000002100}","IntegrityLevel":"High","ParentProcessId":"6536","ProcessId":"2104"},"provider_name":"Microsoft-Windows-Sysmon","task":"Process Create (rule: ProcessCreate)","user":{"type":"User","identifier":"S-1-5-18","domain":"NT AUTHORITY","name":"SYSTEM"},"channel":"Microsoft-Windows-Sysmon/Operational","computer_name":"DESKTOP-AQ6N264","process":{"pid":3736,"thread":{"id":5132}},"event_id":"1","provider_guid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","version":5,"api":"wineventlog"},"event":{"code":"1","kind":"event","provider":"Microsoft-Windows-Sysmon","action":"Process Create (rule: 
ProcessCreate)","created":"2024-07-02T06:14:58.418Z"}}