Hello all,
After updating my on-prem Elastic Stack (single-node cluster) from v. 8.18 to 8.19, along with the system integration for Fleet, the Windows security logs are missing some fields; to be precise, everything under user.*. Logs are still being sent and, as far as I can tell, everything else works as expected. However, my custom dashboards and the default Windows Security dashboards shipped with the system integration are no longer usable, because they depend on those mapped fields.
Currently I am running v. 8.19.3, with v. 2.6.0 of the system integration. I have tried updating the stack and the system integration to the newest version, and redeploying the agent on the domain controller. I am not sure how to proceed or how to troubleshoot this further.
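Here are two sample events (both event ID 4725), one from before the update and one from after. Note that they come from different domain controllers (ALST-HH-DC1 and ALST-HH-DC2).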
Before:
{
"_index": ".ds-logs-system.security-windows-2025.08.13-000098",
"_id": "ubVK4ZgBgpOFjFAF0qdQ",
"_version": 1,
"_source": {
"agent": {
"name": "ALST-HH-DC1",
"id": "19ece9a4-9d82-4534-ad9a-5bf263707c49",
"ephemeral_id": "1f4c4def-e2d9-425d-8789-66d80d18677b",
"type": "filebeat",
"version": "8.18.2"
},
"winlog": {
"computer_name": "ALST-HH-DC1.domain.local",
"process": {
"pid": 788,
"thread": {
"id": 7012
}
},
"keywords": [
"Überwachung erfolgreich"
],
"logon": {
"id": "0x35aababe"
},
"channel": "Security",
"event_data": {
"SubjectUserName": "adminaccount",
"TargetSid": "S-1-5-21-338608204-2689096227-197484634-12682",
"SubjectDomainName": "DOMAIN",
"SubjectLogonId": "0x35aababe",
"TargetUserName": "NB-HH-0025$",
"TargetDomainName": "DOMAIN",
"SubjectUserSid": "S-1-5-21-338608204-2689096227-197484634-8760"
},
"opcode": "Info",
"record_id": "496577724",
"event_id": "4725",
"task": "User Account Management",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"activity_id": "{4549ccb9-10e1-0001-49cd-4945e110dc01}",
"api": "wineventlog",
"provider_name": "Microsoft-Windows-Security-Auditing"
},
"log": {
"level": "informationen"
},
"elastic_agent": {
"id": "19ece9a4-9d82-4534-ad9a-5bf263707c49",
"version": "8.18.2",
"snapshot": false
},
"message": "Ein Benutzerkonto wurde deaktiviert.\n\nAntragsteller:\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-8760\n\tKontoname:\t\tadminaccount\n\tKontodomäne:\t\tDOMAIN\n\tAnmelde-ID:\t\t0x35AABABE\n\nZielkonto:\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-12682\n\tKontoname:\t\tNB-HH-0025$\n\tKontodomäne:\t\tDOMAIN",
"input": {
"type": "winlog"
},
"@timestamp": "2025-08-25T12:53:43.738Z",
"ecs": {
"version": "8.11.0"
},
"related": {
"user": [
"adminaccount",
"NB-HH-0025$"
]
},
"data_stream": {
"namespace": "windows",
"type": "logs",
"dataset": "system.security"
},
"host": {
"hostname": "ALST-HH-DC1",
"os": {
"build": "20348.4052",
"kernel": "10.0.20348.4050 (WinBuild.160101.0800)",
"name": "Windows Server 2022 Datacenter",
"type": "windows",
"family": "windows",
"version": "10.0",
"platform": "windows"
},
"ip": [
"192.168.20.45"
],
"name": "alst-hh-dc1",
"id": "4fb6fc6a-8e37-48c1-8f38-1251e3389612",
"mac": [
"00-50-56-9A-E3-B7"
],
"architecture": "x86_64"
},
"event": {
"agent_id_status": "verified",
"ingested": "2025-08-25T12:53:53Z",
"code": "4725",
"provider": "Microsoft-Windows-Security-Auditing",
"kind": "event",
"created": "2025-08-25T12:53:44.860Z",
"action": "disabled-user-account",
"category": [
"iam"
],
"type": [
"user",
"deletion"
],
"dataset": "system.security",
"outcome": "success"
},
"user": {
"domain": "DOMAIN",
"name": "adminaccount",
"id": "S-1-5-21-338608204-2689096227-197484634-8760",
"target": {
"domain": "DOMAIN",
"name": "NB-HH-0025$",
"id": "S-1-5-21-338608204-2689096227-197484634-12682"
}
}
},
"fields": {
"elastic_agent.version": [
"8.18.2"
],
"event.category": [
"iam"
],
"host.os.name.text": [
"Windows Server 2022 Datacenter"
],
"winlog.provider_guid": [
"{54849625-5478-4994-a5ba-3e3b0328c30d}"
],
"winlog.provider_name": [
"Microsoft-Windows-Security-Auditing"
],
"host.name.text": [
"alst-hh-dc1"
],
"host.hostname": [
"ALST-HH-DC1"
],
"winlog.computer_name": [
"ALST-HH-DC1.domain.local"
],
"host.mac": [
"00-50-56-9A-E3-B7"
],
"user.target.id": [
"S-1-5-21-338608204-2689096227-197484634-12682"
],
"winlog.process.pid": [
788
],
"agent.name.text": [
"ALST-HH-DC1"
],
"host.os.version": [
"10.0"
],
"winlog.keywords": [
"Überwachung erfolgreich"
],
"winlog.record_id": [
"496577724"
],
"winlog.logon.id": [
"0x35aababe"
],
"host.os.name": [
"Windows Server 2022 Datacenter"
],
"log.level": [
"informationen"
],
"agent.name": [
"ALST-HH-DC1"
],
"host.name": [
"alst-hh-dc1"
],
"event.agent_id_status": [
"verified"
],
"user.target.name.text": [
"NB-HH-0025$"
],
"event.kind": [
"event"
],
"winlog.activity_id": [
"{4549ccb9-10e1-0001-49cd-4945e110dc01}"
],
"event.outcome": [
"success"
],
"winlog.event_data.TargetUserName": [
"NB-HH-0025$"
],
"host.os.type": [
"windows"
],
"user.id": [
"S-1-5-21-338608204-2689096227-197484634-8760"
],
"input.type": [
"winlog"
],
"data_stream.type": [
"logs"
],
"related.user": [
"adminaccount",
"NB-HH-0025$"
],
"user.target.name": [
"NB-HH-0025$"
],
"host.architecture": [
"x86_64"
],
"event.provider": [
"Microsoft-Windows-Security-Auditing"
],
"event.code": [
"4725"
],
"agent.id": [
"19ece9a4-9d82-4534-ad9a-5bf263707c49"
],
"ecs.version": [
"8.11.0"
],
"event.created": [
"2025-08-25T12:53:44.860Z"
],
"agent.version": [
"8.18.2"
],
"host.os.family": [
"windows"
],
"winlog.event_data.SubjectUserSid": [
"S-1-5-21-338608204-2689096227-197484634-8760"
],
"winlog.process.thread.id": [
7012
],
"user.name": [
"adminaccount"
],
"host.os.build": [
"20348.4052"
],
"host.ip": [
"192.168.20.45"
],
"agent.type": [
"filebeat"
],
"event.module": [
"system"
],
"winlog.event_data.SubjectLogonId": [
"0x35aababe"
],
"winlog.event_data.TargetSid": [
"S-1-5-21-338608204-2689096227-197484634-12682"
],
"host.os.kernel": [
"10.0.20348.4050 (WinBuild.160101.0800)"
],
"winlog.api": [
"wineventlog"
],
"user.target.domain": [
"DOMAIN"
],
"elastic_agent.snapshot": [
false
],
"user.domain": [
"DOMAIN"
],
"host.id": [
"4fb6fc6a-8e37-48c1-8f38-1251e3389612"
],
"winlog.task": [
"User Account Management"
],
"elastic_agent.id": [
"19ece9a4-9d82-4534-ad9a-5bf263707c49"
],
"data_stream.namespace": [
"windows"
],
"winlog.event_data.SubjectUserName": [
"adminaccount"
],
"message": [
"Ein Benutzerkonto wurde deaktiviert.\n\nAntragsteller:\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-8760\n\tKontoname:\t\tadminaccount\n\tKontodomäne:\t\tDOMAIN\n\tAnmelde-ID:\t\t0x35AABABE\n\nZielkonto:\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-12682\n\tKontoname:\t\tNB-HH-0025$\n\tKontodomäne:\t\tDOMAIN"
],
"winlog.event_id": [
"4725"
],
"event.action": [
"disabled-user-account"
],
"event.ingested": [
"2025-08-25T12:53:53.000Z"
],
"@timestamp": [
"2025-08-25T12:53:43.738Z"
],
"winlog.channel": [
"Security"
],
"host.os.platform": [
"windows"
],
"data_stream.dataset": [
"system.security"
],
"event.type": [
"user",
"deletion"
],
"winlog.event_data.TargetDomainName": [
"DOMAIN"
],
"winlog.opcode": [
"Info"
],
"agent.ephemeral_id": [
"1f4c4def-e2d9-425d-8789-66d80d18677b"
],
"winlog.event_data.SubjectDomainName": [
"DOMAIN"
],
"event.dataset": [
"system.security"
],
"user.name.text": [
"adminaccount"
]
}
}
After:
{
"_index": ".ds-logs-system.security-windows-2025.08.27-000099",
"_id": "vVTv9ZgBd7iXe8vO-Qpc",
"_version": 1,
"_ignored": [
"event.original.keyword",
"message.keyword"
],
"_source": {
"@timestamp": "2025-08-29T13:06:33.550Z",
"host": {
"name": "alst-hh-dc2",
"architecture": "x86_64",
"os": {
"type": "windows",
"platform": "windows",
"version": "10.0",
"family": "windows",
"name": "Windows Server 2022 Datacenter",
"kernel": "10.0.20348.4050 (WinBuild.160101.0800)",
"build": "20348.4052"
},
"id": "596edf47-0f75-4550-b1f0-5f411df71934",
"ip": [
"192.168.20.48"
],
"mac": [
"00-50-56-9A-28-CC"
],
"hostname": "ALST-HH-DC2"
},
"log": {
"level": "informationen"
},
"message": "Ein Benutzerkonto wurde deaktiviert.\n\nAntragsteller:\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-12233\n\tKontoname:\t\tadminaccount\n\tKontodomäne:\t\tDOMAIN\n\tAnmelde-ID:\t\t0x57C99044\n\nZielkonto:\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-11695\n\tKontoname:\t\tuseraccount\n\tKontodomäne:\t\tDOMAIN",
"input": {
"type": "winlog"
},
"elastic_agent": {
"id": "feac96be-3a6d-4f36-a001-f223c416a1ef",
"snapshot": false,
"version": "8.19.2"
},
"agent": {
"id": "feac96be-3a6d-4f36-a001-f223c416a1ef",
"ephemeral_id": "404fc75a-d67e-4a1e-8b8f-194f4b262ae8",
"name": "ALST-HH-DC2",
"type": "filebeat",
"version": "8.19.2"
},
"winlog": {
"channel": "Security",
"opcode": "Info",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"event_data": {
"SubjectDomainName": "DOMAIN",
"SubjectLogonId": "0x57c99044",
"TargetUserName": "useraccount",
"TargetDomainName": "DOMAIN",
"TargetSid": "S-1-5-21-338608204-2689096227-197484634-11695",
"SubjectUserSid": "S-1-5-21-338608204-2689096227-197484634-12233",
"SubjectUserName": "adminaccount"
},
"process": {
"pid": 804,
"thread": {
"id": 2612
}
},
"api": "wineventlog",
"task": "User Account Management",
"record_id": 547042761,
"computer_name": "ALST-HH-DC2.domain.local",
"event_id": "4725",
"provider_name": "Microsoft-Windows-Security-Auditing",
"keywords": [
"Überwachung erfolgreich"
]
},
"event": {
"outcome": "success",
"original": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4725</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-08-29T13:06:33.5504032Z'/><EventRecordID>547042761</EventRecordID><Correlation/><Execution ProcessID='804' ThreadID='2612'/><Channel>Security</Channel><Computer>ALST-HH-DC2.domain.local</Computer><Security/></System><EventData><Data Name='TargetUserName'>useraccount</Data><Data Name='TargetDomainName'>DOMAIN</Data><Data Name='TargetSid'>S-1-5-21-338608204-2689096227-197484634-11695</Data><Data Name='SubjectUserSid'>S-1-5-21-338608204-2689096227-197484634-12233</Data><Data Name='SubjectUserName'>adminaccount</Data><Data Name='SubjectDomainName'>DOMAIN</Data><Data Name='SubjectLogonId'>0x57c99044</Data></EventData><RenderingInfo Culture='de-DE'><Message>Ein Benutzerkonto wurde deaktiviert.\r\n\r\nAntragsteller:\r\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-12233\r\n\tKontoname:\t\tadminaccount\r\n\tKontodomäne:\t\tDOMAIN\r\n\tAnmelde-ID:\t\t0x57C99044\r\n\r\nZielkonto:\r\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-11695\r\n\tKontoname:\t\tuseraccount\r\n\tKontodomäne:\t\tDOMAIN</Message><Level>Informationen</Level><Task>User Account Management</Task><Opcode>Info</Opcode><Channel>Sicherheit</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Überwachung erfolgreich</Keyword></Keywords></RenderingInfo></Event>",
"action": "User Account Management",
"created": "2025-08-29T13:06:34.655Z",
"code": "4725",
"kind": "event",
"dataset": "system.security",
"provider": "Microsoft-Windows-Security-Auditing"
},
"data_stream": {
"type": "logs",
"dataset": "system.security",
"namespace": "windows"
},
"ecs": {
"version": "8.0.0"
}
},
"fields": {
"agent.version.keyword": [
"8.19.2"
],
"elastic_agent.version": [
"8.19.2"
],
"host.name.keyword": [
"alst-hh-dc2"
],
"event.dataset.keyword": [
"system.security"
],
"event.outcome.keyword": [
"success"
],
"host.hostname": [
"ALST-HH-DC2"
],
"host.mac": [
"00-50-56-9A-28-CC"
],
"winlog.process.pid": [
804
],
"data_stream.namespace.keyword": [
"windows"
],
"winlog.event_data.TargetDomainName.keyword": [
"DOMAIN"
],
"host.os.version": [
"10.0"
],
"agent.name": [
"ALST-HH-DC2"
],
"event.outcome": [
"success"
],
"host.os.type": [
"windows"
],
"agent.id.keyword": [
"feac96be-3a6d-4f36-a001-f223c416a1ef"
],
"input.type": [
"winlog"
],
"host.architecture": [
"x86_64"
],
"event.provider": [
"Microsoft-Windows-Security-Auditing"
],
"event.code": [
"4725"
],
"agent.id": [
"feac96be-3a6d-4f36-a001-f223c416a1ef"
],
"winlog.provider_name.keyword": [
"Microsoft-Windows-Security-Auditing"
],
"winlog.event_data.SubjectUserSid": [
"S-1-5-21-338608204-2689096227-197484634-12233"
],
"winlog.api.keyword": [
"wineventlog"
],
"winlog.process.thread.id": [
2612
],
"input.type.keyword": [
"winlog"
],
"data_stream.dataset.keyword": [
"system.security"
],
"elastic_agent.version.keyword": [
"8.19.2"
],
"host.ip": [
"192.168.20.48"
],
"agent.type": [
"filebeat"
],
"host.os.kernel.keyword": [
"10.0.20348.4050 (WinBuild.160101.0800)"
],
"winlog.event_data.SubjectLogonId": [
"0x57c99044"
],
"winlog.event_data.TargetSid": [
"S-1-5-21-338608204-2689096227-197484634-11695"
],
"data_stream.type.keyword": [
"logs"
],
"winlog.api": [
"wineventlog"
],
"event.provider.keyword": [
"Microsoft-Windows-Security-Auditing"
],
"elastic_agent.snapshot": [
false
],
"host.id": [
"596edf47-0f75-4550-b1f0-5f411df71934"
],
"agent.type.keyword": [
"filebeat"
],
"agent.ephemeral_id.keyword": [
"404fc75a-d67e-4a1e-8b8f-194f4b262ae8"
],
"agent.name.keyword": [
"ALST-HH-DC2"
],
"elastic_agent.id": [
"feac96be-3a6d-4f36-a001-f223c416a1ef"
],
"event.action": [
"User Account Management"
],
"@timestamp": [
"2025-08-29T13:06:33.550Z"
],
"winlog.channel": [
"Security"
],
"host.os.platform": [
"windows"
],
"data_stream.dataset": [
"system.security"
],
"winlog.event_data.TargetDomainName": [
"DOMAIN"
],
"winlog.opcode": [
"Info"
],
"agent.ephemeral_id": [
"404fc75a-d67e-4a1e-8b8f-194f4b262ae8"
],
"winlog.event_data.SubjectDomainName": [
"DOMAIN"
],
"winlog.event_id.keyword": [
"4725"
],
"winlog.event_data.SubjectLogonId.keyword": [
"0x57c99044"
],
"host.architecture.keyword": [
"x86_64"
],
"elastic_agent.id.keyword": [
"feac96be-3a6d-4f36-a001-f223c416a1ef"
],
"winlog.provider_guid": [
"{54849625-5478-4994-a5ba-3e3b0328c30d}"
],
"winlog.provider_name": [
"Microsoft-Windows-Security-Auditing"
],
"host.os.build.keyword": [
"20348.4052"
],
"winlog.event_data.SubjectUserName.keyword": [
"adminaccount"
],
"event.code.keyword": [
"4725"
],
"winlog.computer_name": [
"ALST-HH-DC2.domain.local"
],
"ecs.version.keyword": [
"8.0.0"
],
"host.ip.keyword": [
"192.168.20.48"
],
"winlog.keywords": [
"Überwachung erfolgreich"
],
"winlog.record_id": [
547042761
],
"winlog.event_data.TargetUserName.keyword": [
"useraccount"
],
"winlog.keywords.keyword": [
"Überwachung erfolgreich"
],
"event.kind.keyword": [
"event"
],
"host.os.name": [
"Windows Server 2022 Datacenter"
],
"log.level": [
"informationen"
],
"event.action.keyword": [
"User Account Management"
],
"host.id.keyword": [
"596edf47-0f75-4550-b1f0-5f411df71934"
],
"host.name": [
"alst-hh-dc2"
],
"event.kind": [
"event"
],
"host.os.version.keyword": [
"10.0"
],
"winlog.event_data.TargetUserName": [
"useraccount"
],
"event.original": [
"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4725</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-08-29T13:06:33.5504032Z'/><EventRecordID>547042761</EventRecordID><Correlation/><Execution ProcessID='804' ThreadID='2612'/><Channel>Security</Channel><Computer>ALST-HH-DC2.domain.local</Computer><Security/></System><EventData><Data Name='TargetUserName'>useraccount</Data><Data Name='TargetDomainName'>DOMAIN</Data><Data Name='TargetSid'>S-1-5-21-338608204-2689096227-197484634-11695</Data><Data Name='SubjectUserSid'>S-1-5-21-338608204-2689096227-197484634-12233</Data><Data Name='SubjectUserName'>adminaccount</Data><Data Name='SubjectDomainName'>DOMAIN</Data><Data Name='SubjectLogonId'>0x57c99044</Data></EventData><RenderingInfo Culture='de-DE'><Message>Ein Benutzerkonto wurde deaktiviert.\r\n\r\nAntragsteller:\r\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-12233\r\n\tKontoname:\t\tadminaccount\r\n\tKontodomäne:\t\tDOMAIN\r\n\tAnmelde-ID:\t\t0x57C99044\r\n\r\nZielkonto:\r\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-11695\r\n\tKontoname:\t\tuseraccount\r\n\tKontodomäne:\t\tDOMAIN</Message><Level>Informationen</Level><Task>User Account Management</Task><Opcode>Info</Opcode><Channel>Sicherheit</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Überwachung erfolgreich</Keyword></Keywords></RenderingInfo></Event>"
],
"winlog.event_data.SubjectDomainName.keyword": [
"DOMAIN"
],
"data_stream.type": [
"logs"
],
"ecs.version": [
"8.0.0"
],
"event.created": [
"2025-08-29T13:06:34.655Z"
],
"host.hostname.keyword": [
"ALST-HH-DC2"
],
"agent.version": [
"8.19.2"
],
"winlog.event_data.SubjectUserSid.keyword": [
"S-1-5-21-338608204-2689096227-197484634-12233"
],
"host.os.family": [
"windows"
],
"log.level.keyword": [
"informationen"
],
"winlog.computer_name.keyword": [
"ALST-HH-DC2.domain.local"
],
"host.os.build": [
"20348.4052"
],
"host.os.kernel": [
"10.0.20348.4050 (WinBuild.160101.0800)"
],
"host.os.name.keyword": [
"Windows Server 2022 Datacenter"
],
"winlog.provider_guid.keyword": [
"{54849625-5478-4994-a5ba-3e3b0328c30d}"
],
"winlog.task": [
"User Account Management"
],
"winlog.task.keyword": [
"User Account Management"
],
"host.mac.keyword": [
"00-50-56-9A-28-CC"
],
"data_stream.namespace": [
"windows"
],
"winlog.event_data.SubjectUserName": [
"adminaccount"
],
"message": [
"Ein Benutzerkonto wurde deaktiviert.\n\nAntragsteller:\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-12233\n\tKontoname:\t\tadminaccount\n\tKontodomäne:\t\tDOMAIN\n\tAnmelde-ID:\t\t0x57C99044\n\nZielkonto:\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-11695\n\tKontoname:\t\tuseraccount\n\tKontodomäne:\t\tDOMAIN"
],
"winlog.event_id": [
"4725"
],
"winlog.channel.keyword": [
"Security"
],
"host.os.family.keyword": [
"windows"
],
"host.os.type.keyword": [
"windows"
],
"host.os.platform.keyword": [
"windows"
],
"winlog.event_data.TargetSid.keyword": [
"S-1-5-21-338608204-2689096227-197484634-11695"
],
"winlog.opcode.keyword": [
"Info"
],
"event.dataset": [
"system.security"
]
},
"ignored_field_values": {
"message.keyword": [
"Ein Benutzerkonto wurde deaktiviert.\n\nAntragsteller:\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-12233\n\tKontoname:\t\tadminaccount\n\tKontodomäne:\t\tDOMAIN\n\tAnmelde-ID:\t\t0x57C99044\n\nZielkonto:\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-11695\n\tKontoname:\t\tuseraccount\n\tKontodomäne:\t\tDOMAIN"
],
"event.original.keyword": [
"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4725</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-08-29T13:06:33.5504032Z'/><EventRecordID>547042761</EventRecordID><Correlation/><Execution ProcessID='804' ThreadID='2612'/><Channel>Security</Channel><Computer>ALST-HH-DC2.domain.local</Computer><Security/></System><EventData><Data Name='TargetUserName'>useraccount</Data><Data Name='TargetDomainName'>DOMAIN</Data><Data Name='TargetSid'>S-1-5-21-338608204-2689096227-197484634-11695</Data><Data Name='SubjectUserSid'>S-1-5-21-338608204-2689096227-197484634-12233</Data><Data Name='SubjectUserName'>adminaccount</Data><Data Name='SubjectDomainName'>DOMAIN</Data><Data Name='SubjectLogonId'>0x57c99044</Data></EventData><RenderingInfo Culture='de-DE'><Message>Ein Benutzerkonto wurde deaktiviert.\r\n\r\nAntragsteller:\r\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-12233\r\n\tKontoname:\t\tadminaccount\r\n\tKontodomäne:\t\tDOMAIN\r\n\tAnmelde-ID:\t\t0x57C99044\r\n\r\nZielkonto:\r\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-11695\r\n\tKontoname:\t\tuseraccount\r\n\tKontodomäne:\t\tDOMAIN</Message><Level>Informationen</Level><Task>User Account Management</Task><Opcode>Info</Opcode><Channel>Sicherheit</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Überwachung erfolgreich</Keyword></Keywords></RenderingInfo></Event>"
]
}
}