Windows event fields parsing


we are trying to send windows event logs using winlogbeat 7.XX version , we are creating severals of dashboards based on the correlation rules of event built on top of event ,sysmon and security logs ex : =1 AND winlog.event_data.Commandline=ipconfig.exe (this is a visualization).

we observered that events fields are changing across different winlogbetas version , this is impacting our dashboard ( ex 6.71 to 7.1) . This affect all our correlation rules and dashboards.
(Event_id ---> Event.code / Winlog.event_id is being append to mostly all fields)

We observed that in 7.XX we have ECS format that is being used or supported ,

Since we have many event_id being received from windows event viewer .

What is the recommended solution in such situation where we have many event_id being received from windows event viewer?

Should send the winlogbeat to Logstash to parse it based on event_id , in a continuous development upon any winlogbeat change , in a way the fields on kibana are intact ?

OR we should send automatically to Elastic and relay on Winlogbeat ECS format which might be a standard?

I think this is a duplicate of SIEM Parsing? I've replied to it there, let's keep the discussion in the other thread.

True sorry for this

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.