Winlogbeat security module - sometimes related.user field missing #34635
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
This issue doesn't have a
@leweafan Can you provide scrubbed XML examples of these event types?
Thanks, if you could provide XML samples that would be preferable. If not, can you confirm that the user in all cases of the event types you are concerned about is the TargetUserName or SubjectUserName?
I can confirm that the user in most cases is TargetUserName and in some cases SubjectUserName.
You can export the XML from the Windows Event Viewer. Without knowing which of Target... or Subject... it's difficult to know which to put in
I don't have access to Windows hosts. I know that all event codes are described on the Microsoft site, and the XML too.
Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)
Describe the enhancement:
Add related.user for event codes 4627, 4800, 4797, 4742, 4801, 4793, 4696, 4738.
According to field description:
The problem is not only with this one module. There seems to be no autotest that checks for related.user when the user.name field exists. I created a feature request to add an autotest for this case.
Describe a specific use case for the enhancement or feature:
Event codes 4627, 4800, 4797, 4742, 4801, 4793, 4696, 4738 have the user.name field but the related.user field is missing, which affects security issue discovery. All other event codes have both user.name and related.user fields.
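As an added example (not Winlogbeat's own security module script), this shows the enrichment the issue asks for and the consistency check it mentions, written in the JavaScript a Winlogbeat script processor would run; the event shape, the "-" placeholder handling and the sample events are assumptions.

```javascript
// Event codes from the issue that carry user.name but no related.user.
const EVENT_CODES = new Set(["4627", "4800", "4797", "4742", "4801", "4793", "4696", "4738"]);

// Hypothetical helper: populate related.user from the two event_data fields
// named in the thread. Assumed input shape:
// {event:{code}, user:{name}, winlog:{event_data:{...}}, related:{user:[...]}}
function addRelatedUser(evt) {
  if (!EVENT_CODES.has(String(evt.event && evt.event.code))) return evt;
  const data = (evt.winlog && evt.winlog.event_data) || {};
  const users = new Set((evt.related && evt.related.user) || []);
  for (const key of ["TargetUserName", "SubjectUserName"]) {
    const v = data[key];
    // Skip empty values and the "-" placeholder Windows uses for "not applicable".
    if (v && v !== "-") users.add(v);
  }
  evt.related = Object.assign({}, evt.related, { user: Array.from(users) });
  return evt;
}

// The check the issue says is missing: user.name set but related.user absent or empty.
function missingRelatedUser(evt) {
  const hasUser = !!(evt.user && evt.user.name);
  const related = (evt.related && evt.related.user) || [];
  return hasUser && related.length === 0;
}

// Constructed sample events, not taken from the issue.
const SAMPLE_EVENTS = [
  { event: { code: "4800" }, user: { name: "alice" },
    winlog: { event_data: { TargetUserName: "alice", SubjectUserName: "-" } } },
  { event: { code: "4738" }, user: { name: "bob" },
    winlog: { event_data: { TargetUserName: "bob", SubjectUserName: "admin" } } },
  { event: { code: "4624" }, user: { name: "carol" }, related: { user: ["carol"] },
    winlog: { event_data: { TargetUserName: "carol" } } },
];

// Returns the codes of events that would fail the related.user check.
function auditGaps(events) {
  return events.filter(missingRelatedUser).map((e) => e.event.code);
}

// Applies the enrichment to copies of the events, leaving the originals untouched.
function enrichAll(events) {
  return events.map((e) => addRelatedUser(JSON.parse(JSON.stringify(e))));
}

console.log("gaps before:", auditGaps(SAMPLE_EVENTS));
console.log("gaps after:", auditGaps(enrichAll(SAMPLE_EVENTS)));
```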