Hello everyone, I'mtrying to fill my Elastic SIEM with data, but it seems like Winlogbeat is not shipping logs in full ECS. For example, authentications wiget is empty: [изображение] And it is formed by such default request: { "aggregations": { "eventActionGroup": { "terms": { …

Hi This is interesting. For 7.9.0 I would expect the event section to look like this for a 4624: "event": { "action": "logged-in", "category": "authentication", "code": 4624, "kind": "event", "module": "security", "outcome": "success", "provider": "Micros…

Winlogbeat 7.9 not shipping logs in full ECS?

Elastic Security SIEM

MartinL September 24, 2020, 11:28am 5

Hi again, nevermind my last post. I found an answer to my issues (which was exactly the same as yours) in this post.

(ELK 7.9.1) Security - Hosts and Security - Network missing data

Topic		Replies	Views
SIEM doesn't show any Winlogbeat events, despite ES receiving them SIEM	12	3487	May 8, 2020
Winlogbeat event.type has 0 records Beats	1	248	March 24, 2020
Populating SIEM SIEM	2	422	August 12, 2020
SIEM Parsing SIEM	2	1065	July 29, 2019
Active Directory logs and mapping to ECS (I am stumped) SIEM ecs-elastic-common-schema	7	7988	November 11, 2019

Winlogbeat 7.9 not shipping logs in full ECS?

(ELK 7.9.1) Security - Hosts and Security - Network missing data

Related topics