I am using filesystem auditing and logging event 4656.
Is there a way I can have Beats create a field for "Accesses" from the data below? All other fields get created except for Accesses.
I want Beats to only pick up logs that have DELETE in the Accesses field.
Why doesn't a field get automatically created called Accesses in Kibana?
Object:
    Object Server: Security
    Object Type: File
    Object Name: Z:\Test1.txt
    Handle ID: 0xba0
    Resource Attributes: -
Process Information:
    Process ID: 0x4f0
    Process Name: C:\Windows\explorer.exe
Access Request Information:
    Transaction ID: {00000000-0000-0000-0000-000000000000}
    Accesses: DELETE