Hi Badger,
This is how it looks:
{
  "_index": "winlogbeat-2018.04.02",
  "_type": "doc",
  "_id": "JdrxGLa3J",
  "_version": 1,
  "_score": null,
  "_source": {
    "computer_name": "Det.k",
    "process_id": 540,
    "keywords": [
      "Audit Success"
    ],
    "log_name": "Security",
    "level": "Information",
    "record_number": "854127",
    "event_data": {
      "ProcessName": "-",
      "LogonGuid": "{000000-0000-0000-0000-000000000}",
      "LogonType": "3",
      "IpPort": "54579",
      "TransmittedServices": "-",
      "SubjectLogonId": "0x0",
      "KeyLength": "128",
      "LmPackageName": "NTLM V2",
      "TargetLogonId": "0x1028a",
      "SubjectUserName": "-",
      "WorkstationName": "V40",
      "IpAddress": "x.x.x.x",
      "SubjectDomainName": "-",
      "ProcessId": "0x0",
      "TargetUserName": "trnc",
      "TargetDomainName": "Vrf",
      "LogonProcessName": "NtL",
      "SubjectUserSid": "1-3-0-0",
      "TargetUserSid": "S-114293-160-60-257",
      "AuthenticationPackageName": "Neg"
    },
    "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-128-198-600-257\n\tAccount Name:\t\t\n\tAccount Domain:\t\tV\n\tLogon ID:\t\t0x118a\n\tLogon GUID:\t\t{00000000-0000-0000-0000-00000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-AP0\n\tSource Network Address:\t10.11.29.143\n\tSource Port:\t\t54579\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
    "type": "wineventlog",
    "opcode": "Info",
    "tags": [
      "beats_input_codec_plain_applied"
    ],
    "thread_id": 42,
    "@timestamp": "2018-04-02T15:24:13.439Z",
    "event_id": 4624,
    "task": "Logon",
    "provider_guid": "{545-578-494-AA-3BC}",
    "@version": "1",
    "beat": {
      "name": "VC19",
      "hostname": "V19",
      "version": "6.0.1"
    },
    "host": "V9",
    "source_name": "Microsoft-Windows-Security-Auditing"
  },
  "fields": {
    "@timestamp": [
      "2018-04-02T15:24:13.439Z"
    ]
  },
  "sort": [
    1522682653439
  ]
}
Thanks,
Raj