Event Data field not created in Kibana

I am using filesystem auditing and logging event 4656.

Is there a way I can have beats create a field for "Accesses" from the data below? All other fields get created except for Accesses.

I want beats to only pickup logs that have DELETE in the Accesses field.
Why doesn't a field get automatically created called Accesses in Kibana?

Object Server: Security
Object Type: File
Object Name: Z:\Test1.txt
Handle ID: 0xba0
Resource Attributes: -

Process Information:
Process ID: 0x4f0
Process Name: C:\Windows\explorer.exe

Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: DELETE

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.