Hello everyone,
I'm trying to fill my Elastic SIEM with data, but it seems like Winlogbeat is not shipping logs in full ECS.
For example, the authentications widget is empty:
And it is built from this default request:
{
  "aggregations": {
    "eventActionGroup": {
      "terms": {
        "field": "event.outcome",
        "include": [
          "success",
          "failure"
        ],
        "order": {
          "_count": "desc"
        },
        "size": 2
      },
      "aggs": {
        "events": {
          "date_histogram": {
            "field": "@timestamp",
            "fixed_interval": "2700000ms",
            "min_doc_count": 0,
            "extended_bounds": {
              "min": 1600625803013,
              "max": 1600712203013
            }
          }
        }
      }
    }
  },
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "must": [],
            "filter": [
              {
                "match_all": {}
              }
            ],
            "should": [],
            "must_not": []
          }
        },
        {
          "bool": {
            "must": [
              {
                "term": {
                  "event.category": "authentication"
                }
              }
            ]
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2020-09-20T18:16:43.013Z",
              "lte": "2020-09-21T18:16:43.013Z",
              "format": "strict_date_optional_time"
            }
          }
        }
      ]
    }
  },
  "size": 0,
  "track_total_hits": true
}
I have plenty of auth events, such as Windows 4624 and 4625, in the same time window the widget shows, but they somehow have event.action and no event.category:
And this is despite event.action being narrower than event.category, so it would be very straightforward to have a category if the action is there.
Maybe I'm missing something? If not, the SIEM is not so valuable out of the box...
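An added example (not part of the original post) that reproduces the widget's filter-and-bucket logic offline over constructed Winlogbeat-style documents, and shows what happens once event.category and event.outcome are derived from event.code; the sample documents, the field values and the 4624/4625 mapping are assumptions based on ECS conventions.

```python
"""Offline model of the Security app's authentication widget query:
filter on event.category == "authentication", then bucket documents by
event.outcome restricted to "success"/"failure"."""
from collections import Counter
from copy import deepcopy

# Constructed sample documents in the shape the post describes: event.code is
# the Windows event ID, event.action is present, event.category is absent.
SAMPLE_DOCS = [
    {"@timestamp": "2020-09-21T10:00:00Z", "event": {"code": "4624", "action": "logged-in"}},
    {"@timestamp": "2020-09-21T10:01:00Z", "event": {"code": "4625", "action": "logon-failed"}},
    {"@timestamp": "2020-09-21T10:02:00Z", "event": {"code": "4624", "action": "logged-in"}},
    {"@timestamp": "2020-09-21T10:03:00Z", "event": {"code": "4688", "action": "created-process"}},
]

# Assumed mapping (hypothetical, for illustration): successful logon 4624 and
# failed logon 4625 are authentication events with the given ECS outcome.
AUTH_OUTCOME_BY_CODE = {"4624": "success", "4625": "failure"}


def enrich(doc):
    """Return a copy of doc with ECS event.category/event.outcome filled in
    from event.code when the code is a known authentication event."""
    out = deepcopy(doc)
    ev = out.setdefault("event", {})
    outcome = AUTH_OUTCOME_BY_CODE.get(str(ev.get("code")))
    if outcome is not None:
        # ECS allows event.category to be a list; keep existing values.
        cats = ev.get("category", [])
        cats = [cats] if isinstance(cats, str) else list(cats)
        if "authentication" not in cats:
            cats.append("authentication")
        ev["category"] = cats
        ev.setdefault("outcome", outcome)
    return out


def widget_aggregation(docs):
    """Mimic the widget's query: only documents whose event.category contains
    "authentication" are counted, bucketed by event.outcome success/failure."""
    counts = Counter()
    for d in docs:
        ev = d.get("event", {})
        cats = ev.get("category", [])
        cats = [cats] if isinstance(cats, str) else cats
        if "authentication" not in cats:
            continue
        outcome = ev.get("outcome")
        if outcome in ("success", "failure"):
            counts[outcome] += 1
    return dict(counts)
```

Running widget_aggregation on SAMPLE_DOCS returns an empty result, exactly what the empty widget reflects; running it on the enriched copies returns the success/failure counts.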