An update on this... Winlogbeat has been enhanced to report this data as a field so you will no longer need to grok the message. You can try the feature by using the development build. It will be released with v5. Screenshot here: Reporting Windows Security Events in Kibana