We have noticed that the Winlogbeat agent will read and ship up the event ID 4732 (User added to local Security Group), but we noticed that it is missing the Member Security ID (which is the user that is getting added). In the Windows Event Log, we can see the Member - Security ID is cleartext, but when ingesting into Logstash we have the SID GUID instead.
On your event, could you click on Details > XML View?
What do you see for the mentioned field, SID or name?
What you see in the Event Viewer is not what is really shipped. This MMC likes to translate a lot of things to be more human readable, like SIDs -> sAMAccountName...
The XML view is the real content of an event.
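
To check this on the host, the following added example (not code from either poster) reads the raw XML of recent 4732 events and prints the stored `MemberSid` beside the name Windows resolves it to, which is the translation Event Viewer performs for display. The `Data` field names are those of the standard 4732 event schema; the `Resolve-Sid` helper and the output property names are hypothetical.

```powershell
# Added example: compare what event 4732 stores (raw XML) with the
# name Event Viewer would display. Run elevated to read the Security log.

function Resolve-Sid {
    # Hypothetical helper: translate a SID string to DOMAIN\name, or $null.
    param([string]$Sid)
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Deleted accounts, unreachable domains and malformed values
        # cannot be translated; keep the raw SID in that case.
        return $null
    }
}

$filter = @{ LogName = 'Security'; Id = 4732 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # ToXml() returns the same content as Details > XML View.
        $xml = [xml]$_.ToXml()

        # Flatten <Data Name="...">value</Data> into a lookup table.
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) {
            $data[$node.GetAttribute('Name')] = $node.InnerText
        }

        [pscustomobject]@{
            TimeCreated    = $_.TimeCreated
            Group          = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            AddedBy        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            MemberNameRaw  = $data['MemberName']   # value as stored in the event
            MemberSidRaw   = $data['MemberSid']    # value as stored in the event
            MemberResolved = Resolve-Sid $data['MemberSid']
        }
    } | Format-List
```

Local-account SIDs only translate on the machine that owns them, so any name enrichment for these events has to happen on the host or against a lookup built from it, not later in the pipeline.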