Hello,
We’re running a clean install of Winlogbeat with a pretty barebones configuration, but unfortunately we’re noticing logged events transfer with incorrect event.action values for the respective event.code(Such as event.code:4625 being assigned event.action (“Logon”, “Process Creation”, “Security Group Management”, and more, all unpredictably).
The content of the individual events appear to be what we expect, but event actions are incorrect, and I was having trouble finding info on how to resolve this.
Advice/Support would be greatly appreciated.