SIEM doesn't show any Winlogbeat events, despite ES receiving them

Hi,

New ELK stack user here. I just installed v7.6.1 on an Ubuntu Server 18.04 that I have running on an old Lenovo I had lying around. Took me a couple of hours to install, set up, and get working. One issue I can't seem to fix, nor explain, is that despite Elasticsearch receiving Winlogbeat events, these aren't shown/reflected in the SIEM app, but other events (Filebeat and Packetbeat) are.

I'm using Logstash in the middle, so Filebeat, Packetbeat and Winlogbeat are sending events to Logstash, which outputs them to Elasticsearch.

My index patterns are all defined on the beat name:

filebeat-*
packetbeat-*
winlogbeat-*

Has anyone encountered this issue before and if so, how did you solve it?

Thank you!

No one has any idea as to why this is happening? I'll take any pointers or feedback you can give me.

Hi, thanks for checking out Elastic SIEM. There are several reasons that your winlogbeat events might not populate all the tables in the SIEM app. Often these can be related to how winlogbeat was set up, or whether winlogbeat "modules" have been configured (e.g., https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-module-security.html).

Questions:
You show that your SIEM overview page host events widget is not recognizing your winlogbeat events - can you see your winlogbeat events being populated in any other SIEM views, such as the Hosts views?

Can you see your winlogbeat events in Kibana Discover? If so, could you attach a JSON-format representation of an event here? (Be sure to anonymize any private field values before sharing.)

Sorry for the delay, it seems like this time it is I who forgot to check my notifications.

The Winlogbeat events aren't populating any other SIEM views, no.

I can see my Winlogbeat events in Kibana Discover, yes. And sure, here it is:

{
  "_index": "winlogbeat-7.6.1-2020.03.26",
  "_type": "_doc",
  "_id": "fSXqFHEBaYYLgoekEj_l",
  "_version": 1,
  "_score": null,
  "_source": {
    "ecs": {
      "version": "1.4.0"
    },
    "tags": [
      "beats_input_codec_plain_applied"
    ],
    "beat": {
      "ip": "192.168.1.10"
    },
    "agent": {
      "hostname": "MY-COMPUTER",
      "id": "e6f9c935-a991-4f62-89d2-495187cb36f1",
      "version": "7.6.1",
      "type": "winlogbeat",
      "ephemeral_id": "a73af4a2-625b-4a54-850c-d8acc209acaa"
    },
    "user": {
      "domain": "Window Manager",
      "id": "S-1-5-90-0-3",
      "name": "DWM-3"
    },
    "@timestamp": "2020-03-26T03:36:54.989Z",
    "message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-90-0-3\n\tAccount Name:\t\tDWM-3\n\tAccount Domain:\t\tWindow Manager\n\tLogon ID:\t\t0x956C7C0\n\nLogon Type:\t\t\t2\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
    "log": {
      "level": "information"
    },
    "@version": "1",
    "host": {
      "os": {
        "kernel": "10.0.18362.720 (WinBuild.160101.0800)",
        "name": "Windows 10 Pro",
        "platform": "windows",
        "family": "windows",
        "version": "10.0",
        "build": "18363.720"
      },
      "hostname": "MY-COMPUTER",
      "id": "477ecab9-ba80-47a6-92e2-8b0109f9059f",
      "architecture": "x86_64",
      "name": "MY-COMPUTER"
    },
    "winlog": {
      "logon": {
        "id": "0x956c7c0",
        "type": "Interactive"
      },
      "event_data": {
        "TargetDomainName": "Window Manager",
        "TargetUserSid": "S-1-5-90-0-3",
        "TargetUserName": "DWM-3",
        "TargetLogonId": "0x956c7c0",
        "LogonType": "2"
      },
      "task": "Logoff",
      "opcode": "Info",
      "provider_name": "Microsoft-Windows-Security-Auditing",
      "api": "wineventlog",
      "record_id": 498879,
      "computer_name": "MY-COMPUTER",
      "channel": "Security",
      "event_id": 4634,
      "keywords": [
        "Audit Success"
      ],
      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
      "process": {
        "thread": {
          "id": 8040
        },
        "pid": 864
      }
    },
    "event": {
      "kind": "event",
      "module": "security",
      "code": 4634,
      "provider": "Microsoft-Windows-Security-Auditing",
      "action": "logged-out",
      "created": "2020-03-26T03:36:56.013Z"
    }
  },
  "fields": {
    "@timestamp": [
      "2020-03-26T03:36:54.989Z"
    ],
    "event.created": [
      "2020-03-26T03:36:56.013Z"
    ]
  },
  "sort": [
    1585193814989
  ]
}
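Added example, not part of the thread and not Elastic's code. The reply above points at "how winlogbeat was set up" as the usual cause, and the posted event itself already carries the ECS fields the SIEM app keys on (host.name, host.id, agent.type, event.module, user.name), so the next thing worth checking is the index mapping rather than the event. When Beats ship through Logstash, the winlogbeat index template is not loaded into Elasticsearch automatically, and a dynamically created index maps those strings as `text` (with a `.keyword` sub-field), which the SIEM app's terms aggregations cannot use. The script below checks both: which of the assumed SIEM fields are missing from an event's `_source`, and whether an index mapping (the body of `GET /<index>/_mapping`) has them as `keyword`. The field list, the two constructed mappings and the `ignore_above` values are assumptions for illustration.

```python
"""
Added example (not from the thread): offline check of (1) the ECS fields the
SIEM app is assumed to key on, using an event like the one posted above, and
(2) the index mapping those fields need for the app's aggregations.
The field list is an assumption drawn from ECS, not from the SIEM source.
"""
import json
import sys

# Fields the SIEM Hosts/Overview views group on (assumption). Terms
# aggregations only work on keyword-mapped fields, so "text" is a problem.
SIEM_KEYWORD_FIELDS = ["host.name", "host.id", "agent.type",
                       "event.module", "event.action", "user.name"]


def lookup(obj, dotted):
    """Return the value at a dotted path in a nested dict, or None."""
    node = obj
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def missing_siem_fields(source):
    """Names from SIEM_KEYWORD_FIELDS absent from an event's _source."""
    return [f for f in SIEM_KEYWORD_FIELDS if lookup(source, f) is None]


def mapping_type(properties, dotted):
    """Walk a mapping 'properties' tree and return the leaf field type."""
    node = {"properties": properties}
    for part in dotted.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    return node.get("type")


def check_index_mapping(mapping_response):
    """Take the JSON body of GET /<index>/_mapping; return index -> issues."""
    problems = {}
    for index, body in mapping_response.items():
        props = body.get("mappings", {}).get("properties", {})
        issues = []
        for field in SIEM_KEYWORD_FIELDS:
            t = mapping_type(props, field)
            if t is None:
                issues.append(f"{field}: not in mapping")
            elif t != "keyword":
                issues.append(f"{field}: mapped as {t!r}, need 'keyword'")
        problems[index] = issues
    return problems


# Constructed sample event: the relevant subset of the _source posted above.
SAMPLE_SOURCE = {
    "agent": {"type": "winlogbeat", "hostname": "MY-COMPUTER"},
    "host": {"name": "MY-COMPUTER", "id": "477ecab9-ba80-47a6-92e2-8b0109f9059f"},
    "user": {"name": "DWM-3", "domain": "Window Manager"},
    "event": {"module": "security", "action": "logged-out", "code": 4634},
}


def _text():
    # What dynamic mapping produces for a string when no template is loaded.
    return {"type": "text", "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}}


def _keyword():
    # What the Beats index template declares for ECS keyword fields (assumed value).
    return {"type": "keyword", "ignore_above": 1024}


def build_mapping(index, leaf):
    """Constructed GET /_mapping response with every SIEM field as leaf()."""
    props = {}
    for field in SIEM_KEYWORD_FIELDS:
        node = props
        parts = field.split(".")
        for part in parts[:-1]:
            node = node.setdefault(part, {"properties": {}})["properties"]
        node[parts[-1]] = leaf()
    return {index: {"mappings": {"properties": props}}}


DYNAMIC_MAPPING = build_mapping("winlogbeat-7.6.1-2020.03.26", _text)    # template never loaded
TEMPLATE_MAPPING = build_mapping("winlogbeat-7.6.1-2020.03.26", _keyword)  # template loaded


if __name__ == "__main__":
    # Usage: curl -s http://localhost:9200/winlogbeat-*/_mapping | python check_siem_mapping.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else DYNAMIC_MAPPING
    for index, issues in check_index_mapping(data).items():
        print(index, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

If the check reports `text` for these fields, the index was created without the winlogbeat template. The Beats documentation's procedure for the Logstash-in-the-middle case is to load the template manually from the Windows host (`winlogbeat setup --index-management` with `output.elasticsearch` pointed at Elasticsearch for that one run), then delete or roll over the dynamically mapped index so that the next one picks up the template; existing documents keep their old mapping.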