Hello,
Using the Winlogbeat 'security ' module I noticed event.code 4648 does not (yet) have an event.action defined:
var eventActionTypes = {
"4624": "logged-in",
"4625": "logon-failed",
"4634": "logged-out",
"4672": "logged-in-special",
"4688": "created-process",
"4689": "exited-process",
4624, 4625 and 4648
* 4624 - An account was successfully logged on.
* 4625 - An account failed to log on.
* 4648 - A logon was attempted using explicit credentials.
The result is that the 4648 events have 'Logon' as event.action.
The resulting histogram for event.action for logon events ooks like this:
So what event.action should a 4648 get?
special-logon-attempt ?
Grtz
Willem