I'm trying to get familiar with the SIEM. When I look at "Authentications" in the Hosts section, it is empty. If I look at the request, it appears to be looking for event.type:
```json
"aggregations": {
  "eventActionGroup": {
    "terms": {
      "field": "event.type",
      "include": [
        "authentication_success",
        "authentication_failure"
      ]
    }
  }
}
```
However, I have 0 records containing that field when I search my Winlogbeat indices for event.type in the Discover tab.
I just recently upgraded Winlogbeat from 7.3.0 to 7.6.0. When I look at the mappings for 7.6.0, the field is defined (it is also defined in the previous 7.3.0 indices).
Am I missing something? Is there something else I need to do to get this field logged other than the default mappings used in Winlogbeat? For example, logging specifically required events...
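To see why the panel can be empty even though `event.type` is in the mapping, here is an added example (not from the poster or from Elastic) that emulates the `eventActionGroup` terms aggregation above in Python over a handful of constructed Winlogbeat-style documents. The sample documents, the `get_path` helper and the `missing_field` report are assumptions made for the illustration; the point they show is that a field being defined in the index template says nothing about whether any document actually carries a value for it, and the aggregation only counts documents that do.

```python
"""Emulate the SIEM 'Authentications' terms aggregation on event.type locally."""
from collections import Counter

# Constructed sample documents (not real Winlogbeat output). The first three carry
# an ECS event.type value; the last two only carry the raw Windows event fields,
# which is what an index looks like when the field is mapped but never populated.
SAMPLE_DOCS = [
    {"event": {"code": 4624, "type": "authentication_success"}, "winlog": {"event_id": 4624}},
    {"event": {"code": 4625, "type": "authentication_failure"}, "winlog": {"event_id": 4625}},
    {"event": {"code": 4634, "type": "end"}, "winlog": {"event_id": 4634}},
    {"event": {"code": 4624}, "winlog": {"event_id": 4624}},
    {"winlog": {"event_id": 4625}},
]

# Same "include" list the SIEM request uses for the Authentications panel.
INCLUDE = ("authentication_success", "authentication_failure")


def get_path(doc, dotted):
    """Resolve a dotted field name such as 'event.type' in a nested dict, or None if absent."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def event_action_group(docs, field="event.type", include=INCLUDE):
    """Terms aggregation on `field`, restricted to the `include` values, like the SIEM request.

    Returns a dict of bucket key -> doc_count. Documents without the field contribute nothing,
    which is exactly why an index full of Windows logon events can still yield no buckets.
    """
    counts = Counter()
    for doc in docs:
        value = get_path(doc, field)
        if value in include:
            counts[value] += 1
    return dict(counts)


def missing_field(docs, field="event.type"):
    """Documents in which `field` has no value; a mapped field is not the same as a populated one."""
    return [doc for doc in docs if get_path(doc, field) is None]


if __name__ == "__main__":
    print("buckets:", event_action_group(SAMPLE_DOCS))
    print("docs lacking event.type:", len(missing_field(SAMPLE_DOCS)), "of", len(SAMPLE_DOCS))
    # Only the documents that never got event.type -> no buckets at all, i.e. an empty panel.
    print("buckets over unpopulated docs only:", event_action_group(SAMPLE_DOCS[3:]))
```

Running it with only the last two documents reproduces the empty panel: the aggregation returns no buckets because nothing matches the `include` list, regardless of the field being present in the mapping. The equivalent check in Kibana is a Discover search such as `NOT event.type:*` over the Winlogbeat index pattern to count documents that lack the field.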