Hi Andrew,
I have been reading the modifications in winlogbeat-security.js and I have a comment on how logon.id is populated:
    var addLogonIds = function(evt) {
        // Subject side of the event (the account performing the action).
        var id = evt.Get("winlog.event_data.SubjectLogonId");
        if (id) {
            evt.AppendTo("winlog.logon.id", id);
        }
        // Target side of the event (the account being acted upon).
        id = evt.Get("winlog.event_data.TargetLogonId");
        if (id) {
            evt.AppendTo("winlog.logon.id", id);
        }
    };
There are events, like 4624, that have both winlog.event_data.SubjectLogonId and winlog.event_data.TargetLogonId.
In this case, as winlog.event_data.TargetLogonId is the last one assigned to winlog.logon.id, it has the proper information; but I do not know if there are other events in which this approach may not work.
Regards
Ana
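As an added example, not part of Ana's message or of the Winlogbeat project code, the snippet below runs the posted addLogonIds function offline against constructed event records, so the behaviour for the 4624 case (both SubjectLogonId and TargetLogonId present) can be inspected directly. The makeEvent helper is an assumed stand-in for the Beats script-processor event object: it models Get as a dotted-path lookup and AppendTo as "set the value if absent, otherwise convert to an array and append when not already present". That model is our assumption for illustration, not the project's implementation, and the sample records and logon id values are constructed.

```javascript
// Added example: a minimal model of the Beats script-processor event object so
// the addLogonIds function from the post can be exercised stand-alone.
// ASSUMPTION (our model, not the project's code): AppendTo sets a missing field,
// converts an existing scalar to an array, and appends a value only if it is
// not already present.
function makeEvent(fields) {
  const data = JSON.parse(JSON.stringify(fields)); // deep copy of the constructed record

  function walk(key, create) {
    const parts = key.split(".");
    const last = parts.pop();
    let node = data;
    for (const p of parts) {
      if (node[p] === undefined) {
        if (!create) return { parent: undefined, last };
        node[p] = {};
      }
      node = node[p];
    }
    return { parent: node, last };
  }

  return {
    Get(key) {
      const { parent, last } = walk(key, false);
      return parent === undefined ? undefined : parent[last];
    },
    AppendTo(key, value) {
      const { parent, last } = walk(key, true);
      const cur = parent[last];
      if (cur === undefined) { parent[last] = value; return; }
      const arr = Array.isArray(cur) ? cur : [cur];
      if (arr.includes(value)) return;        // duplicate: leave the field unchanged
      arr.push(value);
      parent[last] = arr;
    },
  };
}

// The function under discussion, reproduced from the post.
var addLogonIds = function(evt) {
  var id = evt.Get("winlog.event_data.SubjectLogonId");
  if (id) {
    evt.AppendTo("winlog.logon.id", id);
  }
  id = evt.Get("winlog.event_data.TargetLogonId");
  if (id) {
    evt.AppendTo("winlog.logon.id", id);
  }
};

// Constructed sample records (not real captures). Event 4624 carries both ids.
const SAMPLE_4624 = {
  winlog: { event_id: 4624, event_data: { SubjectLogonId: "0x3e7", TargetLogonId: "0x1a2b3c" } },
};
// Constructed record with only a target logon id (no event_id, deliberately).
const SAMPLE_TARGET_ONLY = {
  winlog: { event_data: { TargetLogonId: "0x1a2b3c" } },
};
// Constructed record where subject and target are the same session.
const SAMPLE_SAME_IDS = {
  winlog: { event_data: { SubjectLogonId: "0x3e7", TargetLogonId: "0x3e7" } },
};

// Runs addLogonIds over a record and returns the resulting winlog.logon.id.
function logonIdsFor(record) {
  const evt = makeEvent(record);
  addLogonIds(evt);
  return evt.Get("winlog.logon.id");
}

// Stand-alone run for the reader.
console.log(JSON.stringify(logonIdsFor(SAMPLE_4624)));
console.log(JSON.stringify(logonIdsFor(SAMPLE_TARGET_ONLY)));
console.log(JSON.stringify(logonIdsFor(SAMPLE_SAME_IDS)));
```

Under this model, a 4624 record ends with both ids kept in order (subject first, then target) rather than the second overwriting the first, a single-id record keeps a plain string, and identical subject and target ids collapse to one value. Checking the real processor's AppendTo semantics against these three shapes is the quickest way to confirm whether any event type would lose information.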