Hi, I've been experimenting with ELK for reporting Windows security events. Whilst I'm able to get the data into Logstash using Winlogbeat over TLS, I've yet to visualize the activity of users on servers.
These are the events: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx
Using a Kibana search I can see that the [message] field contains the field [Account Name:]; however, the Windows event ID that shows the act of logging on and off etc. is not so clearly presented in Kibana.
Has anyone used ELK for monitoring Windows security events? If so, I would appreciate knowing what you do to ID the Windows Security events (user accounts).
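Two points worth checking before building the dashboard. First, Winlogbeat already ships the event ID as its own field, so you do not need to dig it out of [message]: it is `event_id` (top level, Winlogbeat before 7.0) or `winlog.event_id` (7.0 and later), and `event_id:4624` in the Kibana search bar is enough to isolate successful logons. Second, the [Account Name:] text in the message is not a single value: a 4624 message carries one under "Subject:" (the account that requested the logon, often the machine account) and another under "New Logon:" (the user who actually logged on), and a 4625 message carries the target under "Account For Which Logon Failed:". A grok that takes the first "Account Name:" it sees attributes the logon to the wrong account.

The script below is an added example of my own, not code from the original post or from Elastic. It parses the message body section by section, picks the account from the section that matters for each event ID, and maps the logon type code to its name. The sample documents are constructed to look like Winlogbeat output (pre-7.0 field layout, with a `winlog` fallback for newer versions); the event IDs and section names are those of the Security log itself.

```python
"""Pull logon/logoff activity out of Winlogbeat Security-log documents.

Added example with constructed sample documents, not the poster's data.
Field names assume Winlogbeat's layout: 'event_id' / 'computer_name' at
the top level (Winlogbeat < 7.0) or under 'winlog' (Winlogbeat >= 7.0).
"""

# Security event IDs covering logon/logoff activity (see the Windows
# Security Log Encyclopedia linked in the question). Extend as needed.
LOGON_EVENT_IDS = {
    4624: "logon",
    4625: "failed logon",
    4634: "logoff",
    4647: "user-initiated logoff",
    4648: "logon with explicit credentials",
    4672: "special privileges assigned at logon",
}

# Which message section names the account the event is about. 4624 puts
# the user under 'New Logon', 4625 under 'Account For Which Logon Failed';
# the others describe the account under 'Subject'.
ACCOUNT_SECTION = {4624: "New Logon", 4625: "Account For Which Logon Failed"}

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed sample documents (pre-7.0 Winlogbeat layout). The message
# bodies follow the real Security log formatting: section headers are
# unindented lines ending in ':', fields are tab-indented 'Key:\tvalue'.
SAMPLE_EVENTS = [
    {"event_id": 4624, "computer_name": "SRV01.corp.local", "message":
        "An account was successfully logged on.\n\nSubject:\n"
        "\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSRV01$\n"
        "\tAccount Domain:\t\tCORP\n\tLogon ID:\t\t0x3E7\n\n"
        "Logon Type:\t\t\t10\n\nNew Logon:\n"
        "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1104\n"
        "\tAccount Name:\t\tjdoe\n\tAccount Domain:\t\tCORP\n"
        "\tLogon ID:\t\t0x1A2B3C\n"},
    {"event_id": 4688, "computer_name": "SRV01.corp.local", "message":
        "A new process has been created.\n\nSubject:\n"
        "\tAccount Name:\t\tjdoe\n\tAccount Domain:\t\tCORP\n"},
    {"event_id": 4625, "computer_name": "SRV01.corp.local", "message":
        "An account failed to log on.\n\nSubject:\n"
        "\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n"
        "\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\n"
        "Logon Type:\t\t\t3\n\nAccount For Which Logon Failed:\n"
        "\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tadministrator\n"
        "\tAccount Domain:\t\tCORP\n\nFailure Information:\n"
        "\tFailure Reason:\t\tUnknown user name or bad password.\n"
        "\tStatus:\t\t\t0xC000006D\n"},
    {"event_id": 4634, "computer_name": "SRV01.corp.local", "message":
        "An account was logged off.\n\nSubject:\n"
        "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1104\n"
        "\tAccount Name:\t\tjdoe\n\tAccount Domain:\t\tCORP\n"
        "\tLogon ID:\t\t0x1A2B3C\n\nLogon Type:\t\t\t10\n"},
]


def parse_message(message):
    """Split a Security log message into {section: {field: value}}.

    Indented lines are fields of the current section; an unindented line
    ending in ':' opens a new section; other unindented 'Key:\tvalue'
    lines (e.g. 'Logon Type:') land in the '' (top-level) section.
    """
    sections = {"": {}}
    current = ""
    for raw in message.splitlines():
        line = raw.strip()
        if not line:
            continue
        indented = raw[0] in " \t"
        if not indented and line.endswith(":"):
            current = line[:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition(":")
        if not sep:          # descriptive first line, no field here
            continue
        target = current if indented else ""
        sections.setdefault(target, {})[key.strip()] = value.strip()
    return sections


def get_event_id(doc):
    """Read the event ID from either Winlogbeat field layout."""
    raw = (doc.get("winlog") or {}).get("event_id", doc.get("event_id"))
    return int(raw) if raw is not None else None


def summarize(doc):
    """Reduce one document to host / event / account / logon type."""
    eid = get_event_id(doc)
    sections = parse_message(doc.get("message", ""))
    acct = sections.get(ACCOUNT_SECTION.get(eid, "Subject"), {})
    ltype = sections[""].get("Logon Type")
    return {
        "host": (doc.get("winlog") or {}).get("computer_name",
                                              doc.get("computer_name")),
        "event_id": eid,
        "action": LOGON_EVENT_IDS.get(eid, "other"),
        "account": acct.get("Account Name"),
        "domain": acct.get("Account Domain"),
        "logon_type": LOGON_TYPES.get(int(ltype), ltype) if ltype else None,
    }


def summarize_all(docs):
    """Keep only logon/logoff events and summarize each one."""
    return [summarize(d) for d in docs if get_event_id(d) in LOGON_EVENT_IDS]


if __name__ == "__main__":
    for row in summarize_all(SAMPLE_EVENTS):
        print(row)
```

Run it as-is and the 4688 process-creation event drops out, the 4624 is attributed to jdoe rather than to the SRV01$ machine account in its Subject section, and the 4625 is attributed to the account that failed rather than to the "-" placeholder. The same section logic translates directly into a Logstash filter (split on the "Subject:" / "New Logon:" headers before matching "Account Name:"), or you can skip the message parsing entirely on Winlogbeat 7+, which already exposes these values as `winlog.event_data.TargetUserName` and `winlog.event_data.LogonType`.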