SIEM Parsing

We are trying to send Windows event logs using Winlogbeat 7.xx. We are creating several dashboards based on correlation rules built on top of event, Sysmon and Security logs, e.g. event.id =1 AND winlog.event_data.Commandline=ipconfig.exe (this is a visualization).

We observed that event fields are changing across different Winlogbeat versions, and this is impacting our dashboards (e.g. 6.71 to 7.1). This affects all our correlation rules and dashboards.
(Event_id ---> Event.code / Winlog.event_id; winlog. is being prepended to mostly all fields)

We observed that in 7.xx the ECS format is being used or supported.

We have many event_ids being received from the Windows Event Viewer.

What is the recommended solution in this situation, where we have many event_ids being received from the Windows Event Viewer?

Should we send the Winlogbeat output to Logstash to parse it based on event_id, with continuous development upon any Winlogbeat change, so that the fields in Kibana stay intact?

Or should we send it directly to Elastic and rely on the Winlogbeat ECS format, which might be a standard?

Hi @pinguin,

For migration from 6.7 to 7.x you can set migration.6_to_7.enabled: true before upgrading to 7. This should help with your dashboards, I'm not sure about your correlation rules (the field aliases the setting creates work for queries, but not for the actual document contents in _source). See also the documentation.

I would recommend keeping the events in ECS. There might be some inconsistency between 6.x and 7.x events (7.0 is the first release that had ECS) - but going forward we will keep ECS in place across data sources.
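The field rename the thread describes (event_id becoming event.code / winlog.event_id, with winlog. prepended to the rest) is what breaks a rule written against one schema. As an added illustration, not code from the thread or from Elastic, the snippet below normalises a 6.x-style and a 7.x-style Winlogbeat document to the 7.x field paths and evaluates the thread's Sysmon event 1 / ipconfig.exe rule against both. The 7.x names event.code, winlog.event_id and winlog.event_data.CommandLine come from the thread; the remaining field names and both sample documents are assumptions constructed for the example.

```python
"""Evaluate one correlation rule against both Winlogbeat 6.x and 7.x (ECS) documents."""

# Constructed sample documents (assumed shapes; event.code, winlog.event_id and
# winlog.event_data.CommandLine are the names quoted in the thread).
DOC_6X = {
    "event_id": 1,
    "source_name": "Microsoft-Windows-Sysmon",
    "event_data": {"CommandLine": "ipconfig.exe /all"},
}
DOC_7X = {
    "event": {"code": "1"},
    "winlog": {
        "event_id": 1,
        "provider_name": "Microsoft-Windows-Sysmon",
        "event_data": {"CommandLine": "ipconfig.exe /all"},
    },
}

# Legacy 6.x dotted path -> 7.x dotted path; the same idea as the aliases that
# migration.6_to_7.enabled creates, but applied in code rather than in the index.
FIELD_MAP = {
    "event_id": "winlog.event_id",
    "source_name": "winlog.provider_name",
    "event_data.CommandLine": "winlog.event_data.CommandLine",
}


def get_path(doc, path):
    """Walk a dotted path through nested dicts; None if any segment is missing."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def normalise(doc):
    """Return a flat dict keyed by 7.x paths, whichever schema the document uses."""
    out = {}
    for legacy, new in FIELD_MAP.items():
        value = get_path(doc, new)
        if value is None:          # fall back to the 6.x name
            value = get_path(doc, legacy)
        if value is not None:
            out[new] = value
    # event.code is the ECS string form of the numeric event id; derive it if absent.
    code = get_path(doc, "event.code")
    if code is None and "winlog.event_id" in out:
        code = str(out["winlog.event_id"])
    if code is not None:
        out["event.code"] = code
    return out


def sysmon_ipconfig_rule(doc):
    """The thread's rule: Sysmon event 1 whose command line invokes ipconfig.exe."""
    f = normalise(doc)
    cmd = (f.get("winlog.event_data.CommandLine") or "").lower()
    return f.get("event.code") == "1" and "ipconfig.exe" in cmd
```

Keeping rules on the 7.x (ECS) side and mapping old documents forward, rather than the reverse, means the map only shrinks as 6.x data ages out.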
