System integration doesn't populate ECS Fields -> Predefined Dashboards not usable anymore

Hey there

We've observed a change in the populated fields from the system integration. For about two weeks we have had very different fields populated (or not), leading to missing fields in our own dashboards and in the predefined dashboards from the system integration. We've tracked down that there must have been a change in one of two places: the Windows Advanced Auditing GPO and/or the ingest logic of the system integration.

See the sudden change in the field "process.name", as it is not populated anymore.

Comparing the two original message fields from before and after gives us the exact same event log entry. However, since the upgrade of the system integration it seems as if the event, from the document perspective (JSON), is parsed very differently. Several ECS fields are not filled correctly anymore.

Just posting some JSON of two events from the old and new system integration. It's only the beginning of each event, but it seems there was a major change in the ingest/processing logic of the system integration.

Old system integration (truncated):

```json
{ "_index": ".ds-logs-system.security-DOMAIN.wur-2022.09.30-000007", "_id": "e1q5zIMB2u-w1RL7j-Wn", "_version": 1, "_score": 0, "_source": { "agent": { "name": "HOSTNAME", "id": "45ff16ed-7802-40b1-aea6-7d741bb1d1f9", "type": "filebeat", "ephemeral_id": "6eed1dbc-c840-41f6-8544-57ff6f72045f", "version": "8.4.3" }, "process": { "parent": { "name": "TraceConceptX.exe", "pid": 2380, "executable": "C:\\Program Files\\Common Files\\Siemens\\SimNetCom\\TraceConceptX.exe" }, "name": "TC.exe", "pid": 3900, "executable": "C:\\Program Files\\Common Files\\Siemens\\Automation\\Simatic OAM\\bin\\TC.exe" }, "winlog": { "computer_name": "HOSTNAME.DOMAIN.ch", "process": { "pid": 4, "thread": { "id": 5440 } }, "keywords": [ "Audit Success"
```

New system integration (truncated):

```json
{ "_index": ".ds-logs-system.security-DOMAIN.wur-2022.09.30-000007", "_id": "MWH_FYQB_Oz0XDs3EBaI", "_version": 1, "_score": 0, "_source": { "input": { "type": "winlog" }, "agent": { "name": "HOSTNAME", "id": "45ff16ed-7802-40b1-aea6-7d741bb1d1f9", "ephemeral_id": "e66e6aeb-59f0-482b-b6ff-3d97192e6afa", "type": "filebeat", "version": "8.4.3" }, "@timestamp": "2022-10-26T20:32:26.126Z", "winlog": { "computer_name": "HOSTNAME.DOMAIN.ch", "process": { "pid": 4, "thread": { "id": 6828 } }, "keywords": [ "Audit Success"
```

Looking at the default dashboards provided: the event codes are parsed correctly, but fields like "user.name" are not populated correctly.
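The comparison described in this post can be automated so that a break in ECS field coverage is caught before the dashboards go blank. The following script is an added example and is not part of the original post or of the Elastic system integration; the two `_source` documents are constructed from the truncated fragments above, with assumed `event.code` and `user.name` values added to the old document for illustration, and `EXPECTED_FIELDS` is an assumed list of the ECS fields the dashboards are taken to depend on.

```python
"""Check ECS field coverage of ingested documents (added example, not from the post).

Two _source documents are constructed here from the truncated fragments in the
post. They are samples, not the poster's complete events.
"""

# Constructed sample: event as written by the old system integration.
# event.code and user.name are assumed values added for illustration.
OLD_SOURCE = {
    "agent": {"name": "HOSTNAME", "type": "filebeat", "version": "8.4.3"},
    "event": {"code": "4688"},
    "user": {"name": "EXAMPLE_USER"},
    "process": {
        "parent": {
            "name": "TraceConceptX.exe",
            "pid": 2380,
            "executable": "C:\\Program Files\\Common Files\\Siemens\\SimNetCom\\TraceConceptX.exe",
        },
        "name": "TC.exe",
        "pid": 3900,
        "executable": "C:\\Program Files\\Common Files\\Siemens\\Automation\\Simatic OAM\\bin\\TC.exe",
    },
    "winlog": {
        "computer_name": "HOSTNAME.DOMAIN.ch",
        "process": {"pid": 4, "thread": {"id": 5440}},
        "keywords": ["Audit Success"],
    },
}

# Constructed sample: the same event as written by the new system integration.
# The process.* and user.* objects are absent, as the post describes.
NEW_SOURCE = {
    "input": {"type": "winlog"},
    "agent": {"name": "HOSTNAME", "type": "filebeat", "version": "8.4.3"},
    "@timestamp": "2022-10-26T20:32:26.126Z",
    "event": {"code": "4688"},
    "winlog": {
        "computer_name": "HOSTNAME.DOMAIN.ch",
        "process": {"pid": 4, "thread": {"id": 6828}},
        "keywords": ["Audit Success"],
    },
}

# Assumed list of ECS fields the predefined dashboards rely on.
EXPECTED_FIELDS = [
    "event.code",
    "process.name",
    "process.pid",
    "process.executable",
    "process.parent.name",
    "user.name",
    "winlog.computer_name",
]


def flatten(obj, prefix=""):
    """Turn a nested document into {"a.b.c": value}; lists are kept as leaves."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict) and value:
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def populated_fields(source):
    """Dotted paths whose value is present and non-empty."""
    return {k for k, v in flatten(source).items() if v not in (None, "", [], {})}


def missing_expected(source, expected=EXPECTED_FIELDS):
    """Expected ECS fields that this document does not populate."""
    return sorted(set(expected) - populated_fields(source))


def regressed_fields(old_source, new_source):
    """Fields populated in the old document but not in the new one."""
    return sorted(populated_fields(old_source) - populated_fields(new_source))


if __name__ == "__main__":
    print("missing in new document:", missing_expected(NEW_SOURCE))
    print("regressed old -> new:   ", regressed_fields(OLD_SOURCE, NEW_SOURCE))
```

Run against real documents, the `_source` of a known-good event from before the upgrade and one from after can be loaded with `json.load` in place of the constructed samples; `missing_expected` gives the dashboard-facing gaps and `regressed_fields` gives the full list of fields the new pipeline stopped writing.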
