Winlogbeat event.action for 4648


Using the Winlogbeat 'security' module, I noticed event.code 4648 does not (yet) have an event.action defined:

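```javascript
// Excerpt from the security module's event.code -> event.action table
var eventActionTypes = {
    "4624": "logged-in",
    "4625": "logon-failed",
    "4634": "logged-out",
    "4672": "logged-in-special",
    "4688": "created-process",
    "4689": "exited-process",
    // ... (remaining entries not shown in the post)
};
```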

4624, 4625 and 4648

* 4624 - An account was successfully logged on.
* 4625 - An account failed to log on.
* 4648 - A logon was attempted using explicit credentials.

The result is that the 4648 events have 'Logon' as event.action.
The resulting histogram for event.action for logon events looks like this:


So what event.action should a 4648 get?

special-logon-attempt ?



Hi @willemdh, maybe explicit-logon-attempt?
Also, feel free to add an enhancement issue/PR in the beats repo for a follow up.
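
The effect discussed in this thread, as an added example that is not part of either post and is not Winlogbeat's own code: it replays the quoted table over constructed events to show why 4648 lands in the 'Logon' bucket and how the histogram changes once a mapping exists. Assumptions: an unmapped code keeps the Windows task category as event.action, and the helper names, the `winlog.task` sample values and the `proposed` table (using the name suggested in the reply) are hypothetical.

```javascript
// First six entries of the table quoted in the thread.
const eventActionTypes = {
  "4624": "logged-in",
  "4625": "logon-failed",
  "4634": "logged-out",
  "4672": "logged-in-special",
  "4688": "created-process",
  "4689": "exited-process",
};

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Assumption: event.action starts out as the Windows task category
// (e.g. "Logon") and is only overwritten when the code is in the table.
function normalize(evt, actions) {
  const code = String(evt.event.code);
  const action = has(actions, code) ? actions[code] : evt.winlog.task;
  return { ...evt, event: { ...evt.event, action } };
}

// Equivalent of a terms aggregation on event.action.
function histogram(events, actions) {
  const counts = {};
  for (const e of events) {
    const action = normalize(e, actions).event.action;
    counts[action] = (counts[action] || 0) + 1;
  }
  return counts;
}

// Codes that still surface with a raw task name instead of a mapped action.
function unmappedCodes(events, actions) {
  const codes = events.map((e) => String(e.event.code));
  return [...new Set(codes.filter((c) => !has(actions, c)))].sort();
}

// Constructed sample events, not real log data.
const sample = [4624, 4624, 4625, 4648, 4648, 4634].map((code) => ({
  event: { code },
  winlog: { task: code === 4634 ? "Logoff" : "Logon" },
}));

// Hypothetical extension using the name suggested in the reply.
const proposed = { ...eventActionTypes, "4648": "explicit-logon-attempt" };

console.log(histogram(sample, eventActionTypes)); // 4648 counted under "Logon"
console.log(histogram(sample, proposed));         // 4648 gets its own bucket
console.log(unmappedCodes(sample, eventActionTypes));
```

Running `unmappedCodes` over a day of real events is a quick way to find other codes that are still falling through to the task name.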
