Winlogbeat 7.9 not shipping logs in full ECS?

Elastic Security SIEM
1

Hello everyone,
I'mtrying to fill my Elastic SIEM with data, but it seems like Winlogbeat is not shipping logs in full ECS.
For example, authentications wiget is empty:

изображение
изображение1827×489 16.2 KB

And it is formed by such default request:

{
  "aggregations": {
    "eventActionGroup": {
      "terms": {
        "field": "event.outcome",
        "include": [
          "success",
          "failure"
        ],
        "order": {
          "_count": "desc"
        },
        "size": 2
      },
      "aggs": {
        "events": {
          "date_histogram": {
            "field": "@timestamp",
            "fixed_interval": "2700000ms",
            "min_doc_count": 0,
            "extended_bounds": {
              "min": 1600625803013,
              "max": 1600712203013
            }
          }
        }
      }
    }
  },
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "must": [],
            "filter": [
              {
                "match_all": {}
              }
            ],
            "should": [],
            "must_not": []
          }
        },
        {
          "bool": {
            "must": [
              {
                "term": {
                  "event.category": "authentication"
                }
              }
            ]
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2020-09-20T18:16:43.013Z",
              "lte": "2020-09-21T18:16:43.013Z",
              "format": "strict_date_optional_time"
            }
          }
        }
      ]
    }
  },
  "size": 0,
  "track_total_hits": true
}

I have a plenty of auth events, such 4624 and 4625 Windows in same time window with such as wiget shows, but it somehow has event.action and no event.category:

изображение
изображение746×259 12.1 KB

And it is despite event.action is more narrow than event.category, so it be very straitfrward to have a category if action is here

изображение
изображение922×568 40.5 KB

May be I miss something? If no, SIEM is not so valuable out of the box...

2

Hi

This is interesting. For 7.9.0 I would expect the event section to look like this for a 4624:

"event": {
      "action": "logged-in",
      "category": "authentication",
      "code": 4624,
      "kind": "event",
      "module": "security",
      "outcome": "success",
      "provider": "Microsoft-Windows-Security-Auditing",
      "type": "start"
    },

So the fact that you don't have event.category and that your event.action value doesn't match is odd. Is there any chance your winlogbeat-security.js is older and not the one that shipped with 7.9.0? event.action = Logon would be from an older release of Winlogbeat.

3

Hi,
It seems like not consistent learning gone me into troubles.
Modules were turned off (not mentioned in config). The main problem - on the add data page for winlogbeat modules are not mentined (like any other additional settings) as required. May be it's a subject to change.

5

Hi again, nevermind my last post. I found an answer to my issues (which was exactly the same as yours) in this post.

(ELK 7.9.1) Security - Hosts and Security - Network missing data

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.