Winlogbeat 7.9 not shipping logs in full ECS?

Hello everyone,
I'm trying to fill my Elastic SIEM with data, but it seems like Winlogbeat is not shipping logs in full ECS.
For example, the authentications widget is empty:

And it is formed by this default request:

{
  "aggregations": {
    "eventActionGroup": {
      "terms": {
        "field": "event.outcome",
        "include": [
          "success",
          "failure"
        ],
        "order": {
          "_count": "desc"
        },
        "size": 2
      },
      "aggs": {
        "events": {
          "date_histogram": {
            "field": "@timestamp",
            "fixed_interval": "2700000ms",
            "min_doc_count": 0,
            "extended_bounds": {
              "min": 1600625803013,
              "max": 1600712203013
            }
          }
        }
      }
    }
  },
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "must": [],
            "filter": [
              {
                "match_all": {}
              }
            ],
            "should": [],
            "must_not": []
          }
        },
        {
          "bool": {
            "must": [
              {
                "term": {
                  "event.category": "authentication"
                }
              }
            ]
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2020-09-20T18:16:43.013Z",
              "lte": "2020-09-21T18:16:43.013Z",
              "format": "strict_date_optional_time"
            }
          }
        }
      ]
    }
  },
  "size": 0,
  "track_total_hits": true
}

I have plenty of auth events, such as Windows 4624 and 4625, in the same time window the widget shows, but they somehow have event.action and no event.category:

And this despite event.action being narrower than event.category, so it would be very straightforward to have a category if the action is there.

Maybe I'm missing something? If not, the SIEM is not so valuable out of the box...

Hi

This is interesting. For 7.9.0 I would expect the event section to look like this for a 4624:

"event": {
  "action": "logged-in",
  "category": "authentication",
  "code": 4624,
  "kind": "event",
  "module": "security",
  "outcome": "success",
  "provider": "Microsoft-Windows-Security-Auditing",
  "type": "start"
},

So the fact that you don't have event.category and that your event.action value doesn't match is odd. Is there any chance your winlogbeat-security.js is older and not the one that shipped with 7.9.0? event.action = Logon would be from an older release of Winlogbeat.
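A quick way to check whether an index actually contains what the widget's aggregation above looks for is to run the same filter logic over exported documents. The script below is an added example for this thread, not Winlogbeat or Kibana code. It reproduces the widget's filter (event.category must be "authentication" and event.outcome must be "success" or "failure"), lists why a given document would be invisible to the widget, and flags the event.action value "Logon" that the reply attributes to an older winlogbeat-security.js. The sample documents are constructed to resemble the two shapes discussed; the "logon-failed" action for 4625 is assumed, not quoted from the thread.

```python
"""Check Winlogbeat security documents against the fields the SIEM
authentication widget aggregates on. Added example, not project code."""
import json
import sys

# Values the Kibana aggregation quoted in the thread filters on.
WIDGET_CATEGORY = "authentication"
WIDGET_OUTCOMES = ("success", "failure")

# event.action value the reply attributes to an older winlogbeat-security.js.
LEGACY_ACTIONS = {"Logon"}

# Constructed sample documents (not real index data). The first two follow
# the 7.9.0 shape quoted in the reply (the 4625 action is assumed); the third
# mimics an older pipeline that only sets event.action.
SAMPLE_DOCS = [
    {"@timestamp": "2020-09-21T10:00:00.000Z", "winlog": {"event_id": 4624},
     "event": {"action": "logged-in", "category": "authentication",
               "code": 4624, "kind": "event", "module": "security",
               "outcome": "success", "type": "start"}},
    {"@timestamp": "2020-09-21T10:01:00.000Z", "winlog": {"event_id": 4625},
     "event": {"action": "logon-failed", "category": "authentication",
               "code": 4625, "kind": "event", "module": "security",
               "outcome": "failure", "type": "start"}},
    {"@timestamp": "2020-09-21T10:02:00.000Z", "winlog": {"event_id": 4624},
     "event": {"action": "Logon", "code": 4624, "kind": "event"}},
]


def get_field(doc, path):
    """Resolve a dotted ECS path, accepting both nested objects
    ({"event": {"outcome": ...}}) and flattened keys ({"event.outcome": ...})."""
    if path in doc:
        return doc[path]
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def has_category(doc):
    """A term query matches any element when event.category is an array."""
    category = get_field(doc, "event.category")
    if isinstance(category, str):
        category = [category]
    return bool(category) and WIDGET_CATEGORY in category


def widget_counts(docs):
    """Reproduce the widget's filter plus its terms aggregation on event.outcome."""
    counts = {outcome: 0 for outcome in WIDGET_OUTCOMES}
    for doc in docs:
        if not has_category(doc):
            continue
        outcome = get_field(doc, "event.outcome")
        if outcome in counts:
            counts[outcome] += 1
    return counts


def diagnose(doc):
    """List the reasons a document would not be counted by the widget."""
    problems = []
    if not has_category(doc):
        problems.append("event.category missing or not 'authentication'")
    if get_field(doc, "event.outcome") not in WIDGET_OUTCOMES:
        problems.append("event.outcome missing or not success/failure")
    if get_field(doc, "event.action") in LEGACY_ACTIONS:
        problems.append("event.action looks like an older winlogbeat-security.js")
    return problems


def load_ndjson(stream):
    """Read one JSON document per line (e.g. an export of _source objects)."""
    return [json.loads(line) for line in stream if line.strip()]


if __name__ == "__main__":
    # Pass an NDJSON export on stdin; otherwise the constructed samples are used.
    docs = load_ndjson(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DOCS
    print("widget would show:", widget_counts(docs))
    for i, doc in enumerate(docs):
        for problem in diagnose(doc):
            print(f"doc {i} (event.code={get_field(doc, 'event.code')}): {problem}")
```

Run it with no input to see the constructed samples, or pipe in an NDJSON dump of _source documents from the winlogbeat index: any document reported with the "older winlogbeat-security.js" problem points at the stale module script the reply mentions, while documents missing both category and outcome point at the security module not being enabled at all.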

Hi,
It seems like inconsistent learning got me into trouble.
Modules were turned off (not mentioned in config). The main problem: on the add data page for winlogbeat, modules are not mentioned (like any other additional settings) as required. Maybe it's a subject to change.

Hi again, never mind my last post. I found an answer to my issues (which were exactly the same as yours) in this post.

(ELK 7.9.1) Security - Hosts and Security - Network missing data
