Fields not populated

I have installed the 7.2 versions of Elasticsearch, Logstash and Kibana. Trying to follow this blog:

However, when filtering down to event_id 4624 the TargetUserName and TargetDomainName fields don't seem to be populated in Kibana; they are populated in other events. The blog seems to be aimed at the 5.x version. Have things changed that much that the blog is obsolete now?

A lot of fields were renamed for the 7.0 release to avoid future conflicts with Elastic Common Schema. You can see a list of changes in the Breaking Changes docs. event_id is winlog.event_id. And anything under event_data is under winlog.event_data.

Winlogbeat 7.2 adds a module that's enabled by default for the Security log that maps fields to ECS. See https://www.elastic.co/guide/en/beats/winlogbeat/7.2/winlogbeat-module-security.html. Specifically it does some renames:

Thanks for the info. I knew about the remapping to winlog, but the other field remapping I was unaware of. It is almost working as expected now! Seems the wildcard filter *$ to filter out service accounts is not working.

There were some changes to Kibana to replace the Lucene query syntax with KQL (Kibana Query Language). Perhaps that is affecting the wildcard behavior. You can try turning off KQL in Kibana and then see if *$ works. There's a toggle on the right hand side of the search field IIRC.
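To make the two points in this thread concrete (the 7.0 move of event_id and event_data under winlog, and the *$ filter for computer accounts), here is an added example that is not code from the thread or from Elastic. It relocates a pre-7.0 document into the 7.x layout and applies the "drop accounts ending in $" filter in plain Python; the sample events are constructed and the field list is limited to what the thread states.

```python
import copy

# Top-level fields the thread says moved under "winlog" in 7.0.
MOVED_TO_WINLOG = ("event_id", "event_data")


def to_7x_layout(doc: dict) -> dict:
    """Return a copy of a legacy (5.x/6.x) document with moved fields under winlog."""
    out = copy.deepcopy(doc)
    winlog = out.setdefault("winlog", {})
    for field in MOVED_TO_WINLOG:
        if field in out:
            winlog[field] = out.pop(field)
    return out


def get_field(doc: dict, dotted: str):
    """Resolve a Kibana-style dotted path such as winlog.event_data.TargetUserName."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def is_computer_account(name) -> bool:
    """Windows computer/service accounts end in '$', which is what the *$ wildcard targets."""
    return isinstance(name, str) and name.endswith("$")


def interactive_logons(docs, user_field="winlog.event_data.TargetUserName"):
    """Keep 4624 logon events whose target account is not a computer account."""
    kept = []
    for doc in docs:
        doc = to_7x_layout(doc)
        if get_field(doc, "winlog.event_id") != 4624:
            continue
        if is_computer_account(get_field(doc, user_field)):
            continue
        kept.append(doc)
    return kept


# Constructed sample events in the pre-7.0 field layout.
LEGACY_EVENTS = [
    {"event_id": 4624, "event_data": {"TargetUserName": "alice", "TargetDomainName": "CORP"}},
    {"event_id": 4624, "event_data": {"TargetUserName": "WKSTN01$", "TargetDomainName": "CORP"}},
    {"event_id": 4634, "event_data": {"TargetUserName": "bob", "TargetDomainName": "CORP"}},
]

if __name__ == "__main__":
    for doc in interactive_logons(LEGACY_EVENTS):
        print(get_field(doc, "winlog.event_data.TargetDomainName"),
              get_field(doc, "winlog.event_data.TargetUserName"))
```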
