I want event ID 4104 (PowerShell scriptblock logging) to populate the username in the user.name field. What is the best way to get the username to populate into the user.name field in Elasticsearch? Event IDs 4688 and 1 (process create native and Sysmon) put the username in the user.name field, but…

I found a solution: I added the following to the winlogbeat.yml processors section for the ForwardedEvents log. - copy_fields: when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational fields: - from: winlog.user.name to: user.name fail…

Discuss the Elastic Stack

User.name field for event ID 4104

Elastic Stack Beats

Topic		Replies	Views
Winlogbeat user.name is missing in event 4634 (Logoff Event) - ECS Missing Correlation Beats winlogbeat	11	1713	September 3, 2019
User.id Not Populated by Powershell Module Beats winlogbeat	6	562	November 27, 2020
Finding User Name & more Beats winlogbeat	7	1317	August 14, 2018
Winlogbeat - no winlog.logon.id Beats winlogbeat	22	2849	September 14, 2020
Winlogbeat New ECS Fields and security module questions Beats ecs-elastic-common-schema , winlogbeat	16	2391	October 4, 2019

Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries
Trademarks
Terms
Privacy
Brand
Code of Conduct

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.

User.name field for event ID 4104

Related topics