I renamed Winlogbeat fields in Logstash:
filter {
  if [event_id] == 4624 {
    # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4624.md
    # Rename the nested Winlogbeat event_data fields for logon event 4624 to flat names
    mutate {
      rename => {
        "[event_data][SubjectUserSid]" => "user_reporter_sid"
        "[event_data][SubjectUserName]" => "user_reporter_name"
        "[event_data][SubjectDomainName]" => "user_reporter_domain"
        "[event_data][SubjectLogonId]" => "reporter_logon_id"
        "[event_data][TargetLogonId]" => "user_logon_id"
        "[event_data][LogonType]" => "logon_type"
      }
    }
  }
}
***Roberto Rodriguez is the man!!!!! @ Cyb3rWard0g
Buuuuut I keep getting ? in Kibana for the renamed fields
No matter how many times I refresh ...
Anything I can do... thanks!