diff --git a/packages/system/changelog.yml b/packages/system/changelog.yml
index 3b03dd192b5..b5d254be885 100644
--- a/packages/system/changelog.yml
+++ b/packages/system/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "2.5.0"
+ changes:
+ - description: Add support for more event ids in the security data stream pipeline.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/13828
- version: "2.4.0"
changes:
- description: Use Links panel in Dashboards
diff --git a/packages/system/data_stream/auth/elasticsearch/ingest_pipeline/journald.yml b/packages/system/data_stream/auth/elasticsearch/ingest_pipeline/journald.yml
index a9dcaaa7837..d918091c23f 100644
--- a/packages/system/data_stream/auth/elasticsearch/ingest_pipeline/journald.yml
+++ b/packages/system/data_stream/auth/elasticsearch/ingest_pipeline/journald.yml
@@ -335,6 +335,12 @@ processors:
tag: set_ecs-version
field: ecs.version
value: 8.11.0
+ - convert:
+ tag: convert_procid
+ field: log.syslog.procid
+ type: string
+ ignore_missing: true
+ if: ctx.log?.syslog?.procid != null
- remove:
description: Remove the extra fields added by the Journald input
ignore_missing: true
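Review bot: The `if: ctx.log?.syslog?.procid != null` guard on the new convert processor duplicates what `ignore_missing: true` already provides — as documented, that flag makes convert skip a missing or null field — so one of the two is redundant; I'd keep `ignore_missing: true` and drop the `if` line. Separately, the 2.5.0 changelog entry in this commit only describes the security data stream, while this hunk changes the type the auth journald pipeline emits for `log.syslog.procid`; a second entry such as `- description: Convert log.syslog.procid to string in the auth journald pipeline.` would make that behaviour change discoverable. The processors list continues outside the hunk.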
diff --git a/packages/system/data_stream/auth/sample_event.json b/packages/system/data_stream/auth/sample_event.json
index 56ec3644440..e3897b774ec 100644
--- a/packages/system/data_stream/auth/sample_event.json
+++ b/packages/system/data_stream/auth/sample_event.json
@@ -1,53 +1,53 @@
{
"@timestamp": "2023-09-28T10:10:12.175Z",
"agent": {
- "ephemeral_id": "dd9836d3-6523-42dd-a41d-2ae39dee4512",
- "id": "a5c9a90f-3d55-4f2d-9611-0542c1c2e478",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "37b63105-bf8c-40bd-9698-f79cddec37ba",
+ "id": "6eae09dd-ac20-43be-b710-080fcf41b943",
+ "name": "elastic-agent-99126",
"type": "filebeat",
- "version": "8.10.3"
+ "version": "8.18.0"
},
"data_stream": {
"dataset": "system.auth",
- "namespace": "ep",
+ "namespace": "44107",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
- "id": "a5c9a90f-3d55-4f2d-9611-0542c1c2e478",
+ "id": "6eae09dd-ac20-43be-b710-080fcf41b943",
"snapshot": false,
- "version": "8.10.3"
+ "version": "8.18.0"
},
"event": {
"agent_id_status": "verified",
"dataset": "system.auth",
- "ingested": "2023-10-23T09:54:41Z",
+ "ingested": "2025-07-18T10:05:01Z",
"kind": "event",
"original": "<30>1 2023-09-28T12:10:12.175599+02:00 test.lab.com systemd 153589 - - Stopped target Default.",
"timezone": "+00:00"
},
"host": {
- "architecture": "aarch64",
- "containerized": false,
- "hostname": "docker-fleet-agent",
- "id": "e68e16d5d74548f1949a49708e59eca0",
+ "architecture": "x86_64",
+ "containerized": true,
+ "hostname": "elastic-agent-99126",
"ip": [
- "192.168.112.7"
+ "192.168.240.2",
+ "192.168.253.7"
],
"mac": [
- "02-42-C0-A8-70-07"
+ "02-42-C0-A8-F0-02",
+ "02-42-C0-A8-FD-07"
],
- "name": "docker-fleet-agent",
+ "name": "elastic-agent-99126",
"os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.15.49-linuxkit-pr",
- "name": "Ubuntu",
- "platform": "ubuntu",
+ "family": "",
+ "kernel": "3.10.0-1160.119.1.el7.x86_64",
+ "name": "Wolfi",
+ "platform": "wolfi",
"type": "linux",
- "version": "20.04.6 LTS (Focal Fossa)"
+ "version": "20230201"
}
},
"input": {
@@ -75,13 +75,16 @@
}
},
"message": "Stopped target Default.",
+ "process": {
+ "name": "systemd"
+ },
"related": {
"hosts": [
- "docker-fleet-agent"
+ "elastic-agent-99126"
]
},
"tags": [
"preserve_original_event",
"system-auth"
]
-}
\ No newline at end of file
+}
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-1100.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-1100.json-expected.json
index 1ade49aba2b..e402a47aae4 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-1100.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-1100.json-expected.json
@@ -34,6 +34,9 @@
},
"level": "information"
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"winlog": {
"channel": "Security",
"computer_name": "WIN-41OB2LO92CR.wlbeat.local",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-1102.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-1102.json-expected.json
index a241c097b00..98befd94d0a 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-1102.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-1102.json-expected.json
@@ -40,6 +40,9 @@
"Administrator"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WLBEAT",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-1104.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-1104.json-expected.json
index bb7f698c58f..0fd3d4fcfa7 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-1104.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-1104.json-expected.json
@@ -34,6 +34,9 @@
},
"level": "error"
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"winlog": {
"channel": "Security",
"computer_name": "WIN-41OB2LO92CR.wlbeat.local",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-1105.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-1105.json-expected.json
index ac2c3c41235..45796d1b924 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-1105.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-1105.json-expected.json
@@ -34,6 +34,9 @@
},
"level": "information"
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"winlog": {
"channel": "Security",
"computer_name": "WIN-41OB2LO92CR.wlbeat.local",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4627.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4627.json
new file mode 100644
index 00000000000..77bd1911580
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4627.json
@@ -0,0 +1,64 @@
+{
+ "events": [
+ {
+ "@timestamp": "2023-01-05T12:53:42.125Z",
+ "agent": {
+ "type": "winlogbeat",
+ "ephemeral_id": "7af11293-39b6-4555-82f1-2653ee510182",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1"
+ },
+ "winlog": {
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "TargetDomainName": "TEST1.LOCAL",
+ "SubjectDomainName": "-",
+ "LogonType": "3",
+ "EventIdx": "1",
+ "EventCountTotal": "1",
+ "SubjectLogonId": "0x0",
+ "TargetUserSid": "S-1-5-18",
+ "TargetUserName": "SERVER2$",
+ "GroupMembership": "\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-1-0}\n\t\t%{S-1-5-32-554}\n\t\t%{S-1-5-32-545}\n\t\t%{S-1-5-32-574}\n\t\t%{S-1-5-32-560}\n\t\t%{S-1-5-2}\n\t\t%{S-1-5-11}\n\t\t%{S-1-5-15}\n\t\t%{S-1-5-21-1280187532-2219128962-763009249-1000}\n\t\t%{S-1-5-21-1280187532-2219128962-763009249-516}\n\t\t%{S-1-5-9}\n\t\t%{S-1-18-1}\n\t\t%{S-1-5-21-1280187532-2219128962-763009249-517}\n\t\t%{S-1-5-21-1280187532-2219128962-763009249-571}\n\t\t%{S-1-5-21-1280187532-2219128962-763009249-572}\n\t\t%{S-1-5-21-1280187532-2219128962-763009249-553}\n\t\t%{S-1-16-16384}",
+ "SubjectUserName": "-",
+ "TargetLogonId": "0x7bf2cce",
+ "SubjectUserSid": "S-1-0-0"
+ },
+ "channel": "Security",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 630235150,
+ "task": "Group Membership",
+ "event_id": 4627,
+ "api": "wineventlog",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "process": {
+ "pid": 652,
+ "thread": {
+ "id": 4192
+ }
+ }
+ },
+ "event": {
+ "kind": "event",
+ "code": 4627,
+ "action": "Group Membership",
+ "created": "2023-01-05T12:53:43.721Z"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Group membership information.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSERVER2$\n\tAccount Domain:\t\tTEST1.LOCAL\n\tLogon ID:\t\t0x7BF2CCE\n\nEvent in sequence:\t\t1 of 1\n\nGroup Membership:\t\t\t\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-1-0}\n\t\t%{S-1-5-32-554}\n\t\t%{S-1-5-32-545}\n\t\t%{S-1-5-32-574}\n\t\t%{S-1-5-32-560}\n\t\t%{S-1-5-2}\n\t\t%{S-1-5-11}\n\t\t%{S-1-5-15}\n\t\t%{S-1-5-21-1280187532-2219128962-763009249-1000}\n\t\t%{S-1-5-21-1280187532-2219128962-763009249-516}\n\t\t%{S-1-5-9}\n\t\t%{S-1-18-1}\n\t\t%{S-1-5-21-1280187532-2219128962-763009249-517}\n\t\t%{S-1-5-21-1280187532-2219128962-763009249-571}\n\t\t%{S-1-5-21-1280187532-2219128962-763009249-572}\n\t\t%{S-1-5-21-1280187532-2219128962-763009249-553}\n\t\t%{S-1-16-16384}\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThis event is generated when the Audit Group Membership subcategory is configured. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.",
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "name": "Server2"
+ }
+ }
+ ]
+}
\ No newline at end of file
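Review bot: The new test input file ends without a trailing newline (the `\ No newline at end of file` marker closing the hunk), while its `-expected.json` counterpart does end with one; test-4658.json, test-4659.json and test-4660.json have the same inconsistency. Adding the final newline keeps the fixtures uniform and avoids noisy diffs the next time they are regenerated or reformatted.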
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4627.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4627.json-expected.json
new file mode 100644
index 00000000000..1afa03151f3
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4627.json-expected.json
@@ -0,0 +1,99 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-01-05T12:53:42.125Z",
+ "agent": {
+ "ephemeral_id": "7af11293-39b6-4555-82f1-2653ee510182",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "group-membership-info",
+ "category": [
+ "iam"
+ ],
+ "code": "4627",
+ "created": "2023-01-05T12:53:43.721Z",
+ "kind": "event",
+ "type": [
+ "info"
+ ]
+ },
+ "group": {
+ "domain": "TEST1.LOCAL",
+ "id": "S-1-5-18",
+ "name": "SERVER2$"
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Group membership information.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSERVER2$\n\tAccount Domain:\t\tTEST1.LOCAL\n\tLogon ID:\t\t0x7BF2CCE\n\nEvent in sequence:\t\t1 of 1\n\nGroup Membership:\t\t\t\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-1-0}\n\t\t%{S-1-5-32-554}\n\t\t%{S-1-5-32-545}\n\t\t%{S-1-5-32-574}\n\t\t%{S-1-5-32-560}\n\t\t%{S-1-5-2}\n\t\t%{S-1-5-11}\n\t\t%{S-1-5-15}\n\t\t%{S-1-5-21-1280187532-2219128962-763009249-1000}\n\t\t%{S-1-5-21-1280187532-2219128962-763009249-516}\n\t\t%{S-1-5-9}\n\t\t%{S-1-18-1}\n\t\t%{S-1-5-21-1280187532-2219128962-763009249-517}\n\t\t%{S-1-5-21-1280187532-2219128962-763009249-571}\n\t\t%{S-1-5-21-1280187532-2219128962-763009249-572}\n\t\t%{S-1-5-21-1280187532-2219128962-763009249-553}\n\t\t%{S-1-16-16384}\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThis event is generated when the Audit Group Membership subcategory is configured. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.",
+ "related": {
+ "user": [
+ "SERVER2$"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "TEST1.LOCAL",
+ "effective": {
+ "domain": "TEST1.LOCAL",
+ "id": "S-1-5-18",
+ "name": "SERVER2$"
+ },
+ "id": "S-1-0-0",
+ "name": "SERVER2$",
+ "target": {
+ "domain": "TEST1.LOCAL",
+ "name": "SERVER2$"
+ }
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "EventCountTotal": 1,
+ "EventIdx": 1,
+ "GroupMembership": "\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-1-0}\n\t\t%{S-1-5-32-554}\n\t\t%{S-1-5-32-545}\n\t\t%{S-1-5-32-574}\n\t\t%{S-1-5-32-560}\n\t\t%{S-1-5-2}\n\t\t%{S-1-5-11}\n\t\t%{S-1-5-15}\n\t\t%{S-1-5-21-1280187532-2219128962-763009249-1000}\n\t\t%{S-1-5-21-1280187532-2219128962-763009249-516}\n\t\t%{S-1-5-9}\n\t\t%{S-1-18-1}\n\t\t%{S-1-5-21-1280187532-2219128962-763009249-517}\n\t\t%{S-1-5-21-1280187532-2219128962-763009249-571}\n\t\t%{S-1-5-21-1280187532-2219128962-763009249-572}\n\t\t%{S-1-5-21-1280187532-2219128962-763009249-553}\n\t\t%{S-1-16-16384}",
+ "LogonType": "3",
+ "SubjectLogonId": "0x0",
+ "SubjectUserSid": "S-1-0-0",
+ "TargetDomainName": "TEST1.LOCAL",
+ "TargetLogonId": "0x7bf2cce",
+ "TargetUserName": "SERVER2$",
+ "TargetUserSid": "S-1-5-18"
+ },
+ "event_id": "4627",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x0",
+ "type": "Network"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 652,
+ "thread": {
+ "id": 4192
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "630235150",
+ "task": "Group Membership"
+ }
+ }
+ ]
+}
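Review bot: The expected `user` object mixes two principals: `user.id` is `S-1-0-0` (the input's `SubjectUserSid`) while `user.name`/`user.domain` are `SERVER2$`/`TEST1.LOCAL` (the input's `TargetUser*` fields), so anything correlating `user.id` with `user.name` ends up attaching the null SID to the computer account. The `group` object is likewise filled from `TargetUserSid`/`TargetUserName` (`group.id: S-1-5-18`, `group.name: SERVER2$`), which is the logged-on account rather than a group, while the actual membership list in `GroupMembership` is left unparsed. If this is what the pipeline emits for 4627, the pipeline (not part of this diff) should take `user.id` from the same side as `user.name`, and either populate `group.*` from the `%{S-…}` entries in `GroupMembership` or leave it unset; this expected file would then be regenerated.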
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4658.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4658.json
new file mode 100644
index 00000000000..90d38dc30f6
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4658.json
@@ -0,0 +1,60 @@
+{
+ "events": [
+ {
+ "@timestamp": "2023-01-06T05:50:32.050Z",
+ "host": {
+ "name": "Server2"
+ },
+ "agent": {
+ "version": "7.3.1",
+ "type": "winlogbeat",
+ "ephemeral_id": "7af11293-39b6-4555-82f1-2653ee510182",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "The handle to an object was closed.\n\nSubject :\n\tSecurity ID:\t\tS-1-5-20\n\tAccount Name:\t\tSERVER2$\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x3E4\n\nObject:\n\tObject Server:\t\tSecurity\n\tHandle ID:\t\t0x3b0\n\nProcess Information:\n\tProcess ID:\t\t0x92c\n\tProcess Name:\t\tC:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
+ "winlog": {
+ "computer_name": "Server2.test1.local",
+ "opcode": "Info",
+ "channel": "Security",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 2716
+ }
+ },
+ "event_data": {
+ "SubjectLogonId": "0x3e4",
+ "ObjectServer": "Security",
+ "HandleId": "0x3b0",
+ "ProcessId": "0x92c",
+ "ProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
+ "SubjectUserSid": "S-1-5-20",
+ "SubjectUserName": "SERVER2$",
+ "SubjectDomainName": "TEST1"
+ },
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 633857954,
+ "task": "Removable Storage",
+ "api": "wineventlog",
+ "keywords": [
+ "Audit Success"
+ ],
+ "event_id": 4658,
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}"
+ },
+ "event": {
+ "kind": "event",
+ "code": 4658,
+ "action": "Removable Storage",
+ "created": "2023-01-06T05:50:33.603Z"
+ },
+ "ecs": {
+ "version": "1.0.1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4658.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4658.json-expected.json
new file mode 100644
index 00000000000..4b22e2e6c93
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4658.json-expected.json
@@ -0,0 +1,86 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-01-06T05:50:32.050Z",
+ "agent": {
+ "ephemeral_id": "7af11293-39b6-4555-82f1-2653ee510182",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "handle-closed-object",
+ "category": [
+ "iam",
+ "configuration"
+ ],
+ "code": "4658",
+ "created": "2023-01-06T05:50:33.603Z",
+ "kind": "event",
+ "type": [
+ "change"
+ ]
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "The handle to an object was closed.\n\nSubject :\n\tSecurity ID:\t\tS-1-5-20\n\tAccount Name:\t\tSERVER2$\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x3E4\n\nObject:\n\tObject Server:\t\tSecurity\n\tHandle ID:\t\t0x3b0\n\nProcess Information:\n\tProcess ID:\t\t0x92c\n\tProcess Name:\t\tC:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
+ "process": {
+ "executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
+ "name": "WmiPrvSE.exe",
+ "pid": 2348
+ },
+ "related": {
+ "user": [
+ "SERVER2$"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "TEST1",
+ "id": "S-1-5-20",
+ "name": "SERVER2$"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "HandleId": "0x3b0",
+ "ObjectServer": "Security",
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x3e4",
+ "SubjectUserName": "SERVER2$",
+ "SubjectUserSid": "S-1-5-20"
+ },
+ "event_id": "4658",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x3e4"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 2716
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "633857954",
+ "task": "Removable Storage"
+ }
+ }
+ ]
+}
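Review bot: With `preserve_duplicate_custom_fields` in `tags`, the expected `winlog.event_data` keeps `SubjectUserSid`/`SubjectUserName`/`SubjectDomainName` even though they are copied to `user.*`, yet `ProcessId` and `ProcessName` from the input (`0x92c`, `WmiPrvSE.exe`) are gone after being lifted into `process.*`. That is inconsistent with what the tag promises, and the same pattern shows in test-4660.json-expected.json and in the test-4663 hunk, which explicitly deletes `ProcessId`/`ProcessName` from `event_data`. Unless the pipeline intentionally treats the Process* fields differently, their removal should be conditioned on the tag the same way the Subject* fields are, and the expected files regenerated. The pipeline itself is not in this diff, so its behaviour is inferred from the fixtures.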
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4659.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4659.json
new file mode 100644
index 00000000000..dc1ddcfb9b9
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4659.json
@@ -0,0 +1,65 @@
+{
+ "events": [
+ {
+ "@timestamp": "2023-01-04T04:51:18.033Z",
+ "event": {
+ "action": "File System",
+ "created": "2023-01-04T04:51:18.878Z",
+ "kind": "event",
+ "code": 4659
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A handle to an object was requested with intent to delete.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1280187532-2219128962-763009249-500\n\tAccount Name:\t\tadministrator\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x56B3A\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tFile\n\tObject Name:\tC:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\WER\\ERC\\statecache.lock\n\tHandle ID:\t0x0\n\nProcess Information:\n\tProcess ID:\t0x1884\n\nAccess Request Information:\n\tTransaction ID:\t{00000000-0000-0000-0000-000000000000}\n\tAccesses:\t-\n\tAccess Mask:\t0x0\n\tPrivileges Used for Access Check:\t-",
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "agent": {
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1",
+ "type": "winlogbeat",
+ "ephemeral_id": "7af11293-39b6-4555-82f1-2653ee510182"
+ },
+ "winlog": {
+ "task": "File System",
+ "api": "wineventlog",
+ "opcode": "Info",
+ "keywords": [
+ "Audit Success"
+ ],
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 5012
+ }
+ },
+ "event_data": {
+ "SubjectDomainName": "TEST1",
+ "ObjectServer": "Security",
+ "HandleId": "0x0",
+ "AccessMask": "0x10000",
+ "SubjectLogonId": "0x56b3a",
+ "TransactionId": "{00000000-0000-0000-0000-000000000000}",
+ "PrivilegeList": "-",
+ "SubjectUserSid": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "AccessList": "%%4417 %%4418",
+ "ProcessId": "0x1884",
+ "SubjectUserName": "administrator",
+ "ObjectType": "File",
+ "ObjectName": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\WER\\ERC\\statecache.lock"
+ },
+ "channel": "Security",
+ "record_id": 623425676,
+ "event_id": 4659,
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "computer_name": "Server2.test1.local",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4659.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4659.json-expected.json
new file mode 100644
index 00000000000..82b116a20e8
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4659.json-expected.json
@@ -0,0 +1,103 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-01-04T04:51:18.033Z",
+ "agent": {
+ "ephemeral_id": "7af11293-39b6-4555-82f1-2653ee510182",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "object-was-requested-with-intent-to-delete",
+ "category": [
+ "iam",
+ "configuration"
+ ],
+ "code": "4659",
+ "created": "2023-01-04T04:51:18.878Z",
+ "kind": "event",
+ "type": [
+ "change"
+ ]
+ },
+ "file": {
+ "path": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\WER\\ERC\\statecache.lock"
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A handle to an object was requested with intent to delete.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1280187532-2219128962-763009249-500\n\tAccount Name:\t\tadministrator\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x56B3A\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tFile\n\tObject Name:\tC:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\WER\\ERC\\statecache.lock\n\tHandle ID:\t0x0\n\nProcess Information:\n\tProcess ID:\t0x1884\n\nAccess Request Information:\n\tTransaction ID:\t{00000000-0000-0000-0000-000000000000}\n\tAccesses:\t-\n\tAccess Mask:\t0x0\n\tPrivileges Used for Access Check:\t-",
+ "process": {
+ "pid": 6276
+ },
+ "related": {
+ "user": [
+ "administrator"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "TEST1",
+ "id": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "name": "administrator"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "AccessList": [
+ "4417",
+ "4418"
+ ],
+ "AccessListDescription": [
+ "WriteData (or AddFile)",
+ "AppendData (or AddSubdirectory or CreatePipeInstance)"
+ ],
+ "AccessMask": [
+ "0x10000"
+ ],
+ "AccessMaskDescription": [
+ "DELETE"
+ ],
+ "HandleId": "0x0",
+ "ObjectName": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\Windows\\WER\\ERC\\statecache.lock",
+ "ObjectServer": "Security",
+ "ObjectType": "File",
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x56b3a",
+ "SubjectUserName": "administrator",
+ "SubjectUserSid": "S-1-5-21-1280187532-2219128962-763009249-500"
+ },
+ "event_id": "4659",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x56b3a"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 5012
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "623425676",
+ "task": "File System"
+ }
+ }
+ ]
+}
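Review bot: `event.category` for this 4659 fixture is `["iam", "configuration"]` with `event.type: ["change"]`, although the input carries `ObjectType: File` and the output sets `file.path`; a handle request on a file is better described to ECS consumers with the `file` category (and `access` rather than `change`, since nothing has been modified yet). The other new events in this change look similarly loose: 4658 (handle closed) also gets `iam`/`configuration`/`change`, 4660 emits both `file` and `registry` regardless of the input's `winlog.task: Registry`, and 4663 in test-4663.json-expected.json is labelled `authentication` for an object-access event. Detection content keyed on `event.category: file` or `registry` would miss or double-count these events, so the mapping in the security pipeline (not in this diff) is worth revisiting before these fixtures lock it in.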
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4660.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4660.json
new file mode 100644
index 00000000000..55dd03b945d
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4660.json
@@ -0,0 +1,61 @@
+{
+ "events": [
+ {
+ "@timestamp": "2023-01-06T02:27:15.651Z",
+ "host": {
+ "name": "Server2"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "An object was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1280187532-2219128962-763009249-500\n\tAccount Name:\t\tadministrator\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x56B3A\n\nObject:\n\tObject Server:\tSecurity\n\tHandle ID:\t0x1d0\n\nProcess Information:\n\tProcess ID:\t0x150\n\tProcess Name:\tC:\\Windows\\System32\\taskhostw.exe\n\tTransaction ID:\t{00000000-0000-0000-0000-000000000000}",
+ "winlog": {
+ "task": "Registry",
+ "api": "wineventlog",
+ "keywords": [
+ "Audit Success"
+ ],
+ "event_id": 4660,
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "computer_name": "Server2.test1.local",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 6196
+ }
+ },
+ "event_data": {
+ "TransactionId": "{00000000-0000-0000-0000-000000000000}",
+ "SubjectUserName": "administrator",
+ "SubjectDomainName": "TEST1",
+ "HandleId": "0x1d0",
+ "ProcessId": "0x150",
+ "SubjectUserSid": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "SubjectLogonId": "0x56b3a",
+ "ObjectServer": "Security",
+ "ProcessName": "C:\\Windows\\System32\\taskhostw.exe"
+ },
+ "channel": "Security",
+ "record_id": 633138985,
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "opcode": "Info"
+ },
+ "event": {
+ "action": "Registry",
+ "created": "2023-01-06T02:27:17.251Z",
+ "kind": "event",
+ "code": 4660
+ },
+ "agent": {
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1",
+ "type": "winlogbeat",
+ "ephemeral_id": "7af11293-39b6-4555-82f1-2653ee510182",
+ "hostname": "Server2"
+ },
+ "ecs": {
+ "version": "1.0.1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4660.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4660.json-expected.json
new file mode 100644
index 00000000000..fb5e4d9233b
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4660.json-expected.json
@@ -0,0 +1,86 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-01-06T02:27:15.651Z",
+ "agent": {
+ "ephemeral_id": "7af11293-39b6-4555-82f1-2653ee510182",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "object-deleted",
+ "category": [
+ "file",
+ "registry"
+ ],
+ "code": "4660",
+ "created": "2023-01-06T02:27:17.251Z",
+ "kind": "event",
+ "type": [
+ "deletion"
+ ]
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "An object was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1280187532-2219128962-763009249-500\n\tAccount Name:\t\tadministrator\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x56B3A\n\nObject:\n\tObject Server:\tSecurity\n\tHandle ID:\t0x1d0\n\nProcess Information:\n\tProcess ID:\t0x150\n\tProcess Name:\tC:\\Windows\\System32\\taskhostw.exe\n\tTransaction ID:\t{00000000-0000-0000-0000-000000000000}",
+ "process": {
+ "executable": "C:\\Windows\\System32\\taskhostw.exe",
+ "name": "taskhostw.exe",
+ "pid": 336
+ },
+ "related": {
+ "user": [
+ "administrator"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "TEST1",
+ "id": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "name": "administrator"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "HandleId": "0x1d0",
+ "ObjectServer": "Security",
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x56b3a",
+ "SubjectUserName": "administrator",
+ "SubjectUserSid": "S-1-5-21-1280187532-2219128962-763009249-500"
+ },
+ "event_id": "4660",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x56b3a"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 6196
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "633138985",
+ "task": "Registry"
+ }
+ }
+ ]
+}
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4662.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4662.json-expected.json
index 63548fe5dde..32861c8f30d 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4662.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4662.json-expected.json
@@ -31,6 +31,9 @@
"dadmin"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-21-3457937927-2839227994-823803824-1104",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json
index ad5ecc614f5..4a7fe29d2e3 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json
@@ -14,10 +14,20 @@
"version": "8.11.0"
},
"event": {
+ "action": "attempt-made-to-access-object",
+ "category": [
+ "authentication"
+ ],
"code": "4663",
"kind": "event",
"outcome": "success",
- "provider": "Microsoft-Windows-Security-Auditing"
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "info"
+ ]
+ },
+ "file": {
+ "path": "C:\\\\Documents\\\\HBI Data.txt"
},
"host": {
"name": "DC01.contoso.local"
@@ -32,6 +42,24 @@
"level": "information"
},
"message": " 4663101280000x8020000000000000273866SecurityDC01.contoso.localS-1-5-21-3457937927-2839227994-823803824-1104dadminCONTOSO0x4367bSecurityFileC:\\\\Documents\\\\HBI Data.txt0x1bc%%4417 %%44180x60x458C:\\\\Windows\\\\System32\\\\notepad.exeS:AI(RA;ID;;;;WD;(\"Impact\\_MS\",TI,0x10020,3000))",
+ "process": {
+ "executable": "C:\\\\Windows\\\\System32\\\\notepad.exe",
+ "name": "notepad.exe",
+ "pid": 1112
+ },
+ "related": {
+ "user": [
+ "dadmin"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "CONTOSO",
+ "id": "S-1-5-21-3457937927-2839227994-823803824-1104",
+ "name": "dadmin"
+ },
"winlog": {
"channel": "Security",
"computer_name": "DC01.contoso.local",
@@ -55,8 +83,6 @@
"ObjectName": "C:\\\\Documents\\\\HBI Data.txt",
"ObjectServer": "Security",
"ObjectType": "File",
- "ProcessId": "0x458",
- "ProcessName": "C:\\\\Windows\\\\System32\\\\notepad.exe",
"ResourceAttributes": "S:AI(RA;ID;;;;WD;(\"Impact\\_MS\",TI,0x10020,3000))",
"SubjectDomainName": "CONTOSO",
"SubjectLogonId": "0x4367b",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4664.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4664.json
new file mode 100644
index 00000000000..3185515cc8d
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4664.json
@@ -0,0 +1,70 @@
+{
+ "events": [
+ {
+ "@timestamp": "2022-12-01T08:45:36.100Z",
+ "agent": {
+ "type": "winlogbeat",
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "winlog": {
+ "record_id": 59575749,
+ "keywords": [
+ "Audit Success"
+ ],
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 3512
+ }
+ },
+ "event_data": {
+ "SubjectLogonId": "0x3e7",
+ "FileName": "C:\\Windows\\WinSxS\\msil_microsoft.jscript_b03f5f7f11d50a3a_10.0.14393.0_none_892dffbf233e9807\\Microsoft.JScript.dll",
+ "LinkName": "C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.JScript\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.JScript.dll",
+ "TransactionId": "{DE6E4B36-7134-11ED-8FBA-00505681211E}",
+ "SubjectUserSid": "S-1-5-18",
+ "SubjectUserName": "SERVER2$",
+ "SubjectDomainName": "TEST1"
+ },
+ "task": "File System",
+ "api": "wineventlog",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "computer_name": "Server2.test1.local",
+ "channel": "Security",
+ "event_id": 4664,
+ "opcode": "Info"
+ },
+ "event": {
+ "code": 4664,
+ "action": "File System",
+ "created": "2022-12-01T08:46:24.397Z",
+ "kind": "event"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "An attempt was made to create a hard link.\n\nSubject:\n\tAccount Name:\t\tS-1-5-18\n\tAccount Name:\t\tSERVER2$\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x3E7\n\nLink Information:\n\tFile Name:\tC:\\Windows\\WinSxS\\msil_microsoft.jscript_b03f5f7f11d50a3a_10.0.14393.0_none_892dffbf233e9807\\Microsoft.JScript.dll\n\tLink Name:\tC:\\Windows\\assembly\\GAC_MSIL\\Microsoft.JScript\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.JScript.dll\n\tTransaction ID:\t{DE6E4B36-7134-11ED-8FBA-00505681211E}",
+ "host": {
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "name": "Server2",
+ "hostname": "Server2",
+ "architecture": "x86_64",
+ "os": {
+ "version": "10.0",
+ "family": "windows",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "kernel": "10.0.14393.693 (rs1_release.161220-1747)",
+ "build": "14393.693",
+ "platform": "windows"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4664.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4664.json-expected.json
new file mode 100644
index 00000000000..3723446bee6
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4664.json-expected.json
@@ -0,0 +1,95 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-12-01T08:45:36.100Z",
+ "agent": {
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "create-hard-link",
+ "category": [
+ "file"
+ ],
+ "code": "4664",
+ "created": "2022-12-01T08:46:24.397Z",
+ "kind": "event",
+ "type": [
+ "creation"
+ ]
+ },
+ "file": {
+ "path": "C:\\Windows\\WinSxS\\msil_microsoft.jscript_b03f5f7f11d50a3a_10.0.14393.0_none_892dffbf233e9807\\Microsoft.JScript.dll"
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "Server2",
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "name": "Server2",
+ "os": {
+ "build": "14393.693",
+ "family": "windows",
+ "kernel": "10.0.14393.693 (rs1_release.161220-1747)",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "platform": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "An attempt was made to create a hard link.\n\nSubject:\n\tAccount Name:\t\tS-1-5-18\n\tAccount Name:\t\tSERVER2$\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x3E7\n\nLink Information:\n\tFile Name:\tC:\\Windows\\WinSxS\\msil_microsoft.jscript_b03f5f7f11d50a3a_10.0.14393.0_none_892dffbf233e9807\\Microsoft.JScript.dll\n\tLink Name:\tC:\\Windows\\assembly\\GAC_MSIL\\Microsoft.JScript\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.JScript.dll\n\tTransaction ID:\t{DE6E4B36-7134-11ED-8FBA-00505681211E}",
+ "related": {
+ "user": [
+ "SERVER2$"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "TEST1",
+ "id": "S-1-5-18",
+ "name": "SERVER2$"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "FileName": "C:\\Windows\\WinSxS\\msil_microsoft.jscript_b03f5f7f11d50a3a_10.0.14393.0_none_892dffbf233e9807\\Microsoft.JScript.dll",
+ "LinkName": "C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.JScript\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.JScript.dll",
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x3e7",
+ "SubjectUserName": "SERVER2$",
+ "SubjectUserSid": "S-1-5-18",
+ "TransactionId": "{DE6E4B36-7134-11ED-8FBA-00505681211E}"
+ },
+ "event_id": "4664",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x3e7"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 3512
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "59575749",
+ "task": "File System"
+ }
+ }
+ ]
+}
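Review bot: only `FileName` is mapped to `file.path`; `LinkName`, the location of the newly created hard link, stays in `winlog.event_data` with no ECS counterpart, so a rule for hard links planted into protected or trusted directories has no typed field to match on. ECS `file.target_path` is documented for symlinks but is the closest fit; emitting `"target_path": "C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.JScript\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.JScript.dll"` alongside `file.path` would make both ends of the link searchable. Hard-link creation (4664) is a standard primitive in privilege-escalation and arbitrary-file-overwrite chains, so indexing both paths is worth the extra field.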
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json-expected.json
index 03cebea8bee..4dacb992772 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json-expected.json
@@ -46,6 +46,9 @@
"WIN-BVM4LI1L1Q6$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-18",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json
index d2d05a322ea..6b772f220fe 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json
@@ -49,6 +49,9 @@
"LOCAL SERVICE"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "NT AUTHORITY",
"id": "S-1-5-19",
@@ -114,6 +117,9 @@
"admin"
]
},
+ "file": {
+ "path": "C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor"
+ },
"host": {
"name": "DC_TEST2k12.TEST.SAAS"
},
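Review bot: `file.path` is populated from 4674's `ObjectName` for this event but not for the first event in the same fixture, so the mapping is presumably conditional; it is worth confirming that the condition keys on `ObjectType` (File/Directory) rather than on the value merely looking like a path. 4674 ("An operation was attempted on a privileged object") also reports tokens, registry keys and LSA objects under `ObjectName`, and populating `file.path` for those would pollute file-based detections. The pipeline condition is outside this diff, so this is a point to verify rather than a defect I can see.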
@@ -131,6 +137,9 @@
"at_adm"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4675.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4675.json
new file mode 100644
index 00000000000..0c1c9893467
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4675.json
@@ -0,0 +1,68 @@
+{
+ "events": [
+ {
+ "@timestamp": "2025-04-22T10:53:25.674Z",
+ "agent": {
+ "type": "winlogbeat",
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1"
+ },
+ "winlog": {
+ "time_created": "2025-04-22T10:53:25.674Z",
+ "event_id": "4675",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "keywords": [
+ "Audit Failure"
+ ],
+ "opcode": "Info",
+ "outcome": "failure",
+ "level": "information",
+ "event_data": {
+ "TargetUserSid": "S-1-5-21-3623811015-3361044348-30300820-1013",
+ "TargetUserName": "Administrator",
+ "TargetDomainName": "CORP",
+ "TdoDirection": "1",
+ "TdoAttributes": "1",
+ "TdoType": "1",
+ "TdoSid": "S-1-5-21-3623811015-3361044348-30300820-519",
+ "SidList": "S-1-5-32-544 S-1-5-32-545"
+ }
+ ,
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 504
+ }
+ },
+ "channel": "Security",
+ "record_id": 1099680,
+ "computer_name": "DC01.contoso.local",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}"
+ },
+ "event": {
+ "code": "4675",
+ "kind": "event",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "failure"
+ },
+ "log": {
+ "file": {
+ "path": "/file/path/4675.xml"
+ },
+ "level": "information"
+ },
+ "message": "\u003cEvent xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"\u003e\u003cSystem\u003e\u003cProvider Name=\"Microsoft-Windows-Security-Auditing\" Guid=\"{54849625-5478-4994-A5BA-3E3B0328C30D}\" /\u003e\u003cEventID\u003e4675\u003c/EventID\u003e\u003cVersion\u003e0\u003c/Version\u003e\u003cLevel\u003e0\u003c/Level\u003e\u003cTask\u003e13056\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8010000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime=\"2015-10-09T00:22:36.237816000Z\" /\u003e\u003cEventRecordID\u003e1099680\u003c/EventRecordID\u003e\u003cCorrelation /\u003e\u003cExecution ProcessID=\"496\" ThreadID=\"504\" /\u003e\u003cChannel\u003eSecurity\u003c/Channel\u003e\u003cComputer\u003eDC01.contoso.local\u003c/Computer\u003e\u003cSecurity /\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name=\"TargetUserSid\"\u003eS-1-5-19\u003c/Data\u003e\u003cData Name=\"TargetUserName\"\u003eLOCAL SERVICE\u003c/Data\u003e\u003cData Name=\"TargetDomainName\"\u003eNT AUTHORITY\u003c/Data\u003e\u003cData Name=\"TdoDirection\"\u003e0x3e5\u003c/Data\u003e\u003cData Name=\"TdoAttributes\"\u003eLSA\u003c/Data\u003e\u003cData Name=\"TdoType\"\u003e-\u003c/Data\u003e\u003cData Name=\"TdoSid\"\u003e-\u003c/Data\u003e\u003cData Name=\"SidList\"\u003e0x0\u003c/Data\u003e\u003c",
+ "input": {
+ "type": "log"
+ },
+ "ecs": {
+ "version": "1.11.0"
+ },
+ "host": {
+ "name": "DC01.contoso.local"
+ }
+ }
+ ]
+ }
\ No newline at end of file
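Review bot: the fixture's `message` is the raw XML of a different 4675 record (TargetUserSid `S-1-5-19`/`LOCAL SERVICE`, `TdoDirection` `0x3e5`, `TdoAttributes` `LSA`, `SidList` `0x0`) than the `winlog.event_data` it accompanies (Administrator/CORP, all `Tdo*` values `1`, two well-known SIDs), and the XML is truncated inside `EventData`. The test therefore pins the pipeline against a record that cannot occur, and the XML values look pasted from a 4674-style template (a logon ID where a trust direction belongs). I would regenerate `event_data` and `message` from one real event, or at minimum align the XML `Data` values with `event_data`; the lone `,` on its own line after the `event_data` object should also be folded back onto the closing brace.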
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4675.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4675.json-expected.json
new file mode 100644
index 00000000000..e324aecda0c
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4675.json-expected.json
@@ -0,0 +1,106 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2025-04-22T10:53:25.674Z",
+ "agent": {
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "sids-filtered",
+ "category": [
+ "authentication"
+ ],
+ "code": "4675",
+ "kind": "event",
+ "outcome": "failure",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "DC01.contoso.local"
+ },
+ "input": {
+ "type": "log"
+ },
+ "log": {
+ "file": {
+ "path": "/file/path/4675.xml"
+ },
+ "level": "information"
+ },
+ "message": "4675001305600x80100000000000001099680SecurityDC01.contoso.localS-1-5-19LOCAL SERVICENT AUTHORITY0x3e5LSA--0x0<",
+ "related": {
+ "user": [
+ "Administrator"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "CORP",
+ "effective": {
+ "domain": "CORP",
+ "id": "S-1-5-21-3623811015-3361044348-30300820-1013",
+ "name": "Administrator"
+ },
+ "id": "S-1-5-21-3623811015-3361044348-30300820-1013",
+ "name": "Administrator",
+ "target": {
+ "domain": "CORP",
+ "name": "Administrator"
+ }
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "DC01.contoso.local",
+ "event_data": {
+ "SidList": [
+ "S-1-5-32-544",
+ "S-1-5-32-545"
+ ],
+ "SidListDesc": [
+ "Administrators",
+ "Users"
+ ],
+ "TargetDomainName": "CORP",
+ "TargetUserName": "Administrator",
+ "TargetUserSid": "S-1-5-21-3623811015-3361044348-30300820-1013",
+ "TdoAttributes": "1",
+ "TdoDirection": "1",
+ "TdoSid": "S-1-5-21-3623811015-3361044348-30300820-519",
+ "TdoType": "1"
+ },
+ "event_id": "4675",
+ "keywords": [
+ "Audit Failure"
+ ],
+ "level": "information",
+ "opcode": "Info",
+ "outcome": "failure",
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 504
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "1099680",
+ "time_created": "2025-04-22T10:53:25.674Z",
+ "trustAttribute": "TRUST_ATTRIBUTE_NON_TRANSITIVE",
+ "trustDirection": "TRUST_DIRECTION_INBOUND",
+ "trustType": "TRUST_TYPE_DOWNLEVEL"
+ }
+ }
+ ]
+}
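Review bot: the decoded trust values are emitted as `winlog.trustAttribute`, `winlog.trustDirection` and `winlog.trustType` — camelCase keys directly under `winlog` — whereas every other enrichment in these fixtures (`SidListDesc`, `AccessListDescription`, `FailureReasonsOutcome`) lands under `winlog.event_data`; unless these three are declared in the data stream's fields they will be unmapped, and the naming breaks the snake_case convention of the surrounding `winlog.*` keys. Moving them next to the raw values they decode, e.g. `"TdoAttributesDescription": "TRUST_ATTRIBUTE_NON_TRANSITIVE"` inside `event_data`, would be consistent. Separately, `TdoAttributes` is a bit-flags field (NON_TRANSITIVE is only bit 0x1), so a single-value lookup will silently mislabel combined values such as `0x21`; the fixture only covers `1`, leaving that case untested. The same Target* identity is also copied into `user.*`, `user.effective.*` and `user.target.*` at once — if intentional, a short note on why 4675 needs all three would help the next reader.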
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4690.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4690.json
new file mode 100644
index 00000000000..a2251e12139
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4690.json
@@ -0,0 +1,60 @@
+{
+ "events": [
+ {
+ "@timestamp": "2023-01-08T11:35:00.259Z",
+ "message": "An attempt was made to duplicate a handle to an object.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1280187532-2219128962-763009249-500\n\tAccount Name:\t\tadministrator\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x56B3A\n\nSource Handle Information:\n\tSource Handle ID:\t0xcd4\n\tSource Process ID:\t0x1350\n\nNew Handle Information:\n\tTarget Handle ID:\t0x13f0\n\tTarget Process ID:\t0x4",
+ "host": {
+ "name": "Server2"
+ },
+ "agent": {
+ "version": "7.3.1",
+ "type": "winlogbeat",
+ "ephemeral_id": "7af11293-39b6-4555-82f1-2653ee510182",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb"
+ },
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "winlog": {
+ "computer_name": "Server2.test1.local",
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 4344
+ }
+ },
+ "record_id": 645314388,
+ "api": "wineventlog",
+ "keywords": [
+ "Audit Success"
+ ],
+ "task": "Handle Manipulation",
+ "event_data": {
+ "TargetProcessId": "0x4",
+ "SubjectUserSid": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "SubjectUserName": "administrator",
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x56b3a",
+ "SourceHandleId": "0xcd4",
+ "SourceProcessId": "0x1350",
+ "TargetHandleId": "0x13f0"
+ },
+ "channel": "Security",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "event_id": 4690
+ },
+ "event": {
+ "action": "Handle Manipulation",
+ "created": "2023-01-08T11:35:00.968Z",
+ "kind": "event",
+ "code": 4690
+ },
+ "log": {
+ "level": "information"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4690.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4690.json-expected.json
new file mode 100644
index 00000000000..11a50d1990e
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4690.json-expected.json
@@ -0,0 +1,82 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-01-08T11:35:00.259Z",
+ "agent": {
+ "ephemeral_id": "7af11293-39b6-4555-82f1-2653ee510182",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "duplicate-handle-attempt",
+ "category": [
+ "process"
+ ],
+ "code": "4690",
+ "created": "2023-01-08T11:35:00.968Z",
+ "kind": "event",
+ "type": [
+ "access"
+ ]
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "An attempt was made to duplicate a handle to an object.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1280187532-2219128962-763009249-500\n\tAccount Name:\t\tadministrator\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x56B3A\n\nSource Handle Information:\n\tSource Handle ID:\t0xcd4\n\tSource Process ID:\t0x1350\n\nNew Handle Information:\n\tTarget Handle ID:\t0x13f0\n\tTarget Process ID:\t0x4",
+ "related": {
+ "user": [
+ "administrator"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "TEST1",
+ "id": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "name": "administrator"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "SourceHandleId": "0xcd4",
+ "SourceProcessId": "0x1350",
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x56b3a",
+ "SubjectUserName": "administrator",
+ "SubjectUserSid": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "TargetHandleId": "0x13f0",
+ "TargetProcessId": "0x4"
+ },
+ "event_id": "4690",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x56b3a"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 4344
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "645314388",
+ "task": "Handle Manipulation"
+ }
+ }
+ ]
+}
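Review bot: `SourceProcessId` (`0x1350`) and `TargetProcessId` (`0x4`) are left as hex strings in `winlog.event_data` with nothing mapped into `process.*`, whereas the 4691 fixture in the same change converts `ProcessId: 0x1884` into `process.pid: 6276`. Handle duplication (4690) is the primitive behind LSASS handle-stealing, so a typed integer for the source pid (`"process": { "pid": 4944 }`) and the target pid in a dedicated integer field is what a detection rule would key on; a string `0x1350` cannot be joined against `process.pid` from 4688 or Sysmon. `event.category: process` with `event.type: access` is a reasonable fit here.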
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4691.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4691.json
new file mode 100644
index 00000000000..c1f5d8ca991
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4691.json
@@ -0,0 +1,61 @@
+{
+ "events": [
+ {
+ "@timestamp": "2023-01-04T04:50:10.533Z",
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "agent": {
+ "ephemeral_id": "7af11293-39b6-4555-82f1-2653ee510182",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1",
+ "type": "winlogbeat"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Indirect access to an object was requested.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1280187532-2219128962-763009249-500\n\tAccount Name:\t\tadministrator\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x56B3A\n\nObject:\n\tObject Type:\tKey\n\tObject Name:\t\\REGISTRY\\USER\\S-1-5-21-1280187532-2219128962-763009249-500_Classes\n\nProcess Information:\n\tProcess ID:\t0x1884\n\nAccess Request Information:\n\tAccesses:\tNotify about changes to keys\n\t\t\t\t\n\tAccess Mask:\t0x10",
+ "winlog": {
+ "record_id": 623413650,
+ "channel": "Security",
+ "event_data": {
+ "AccessList": "%%4436\n\t\t\t\t",
+ "SubjectUserSid": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "ObjectName": "\\REGISTRY\\USER\\S-1-5-21-1280187532-2219128962-763009249-500_Classes",
+ "AccessMask": "0x10",
+ "SubjectUserName": "administrator",
+ "SubjectDomainName": "TEST1",
+ "ObjectType": "Key",
+ "ProcessId": "0x1884",
+ "SubjectLogonId": "0x56b3a"
+ },
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 6488
+ }
+ },
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "computer_name": "Server2.test1.local",
+ "event_id": 4691,
+ "api": "wineventlog",
+ "keywords": [
+ "Audit Success"
+ ],
+ "task": "Other Object Access Events"
+ },
+ "event": {
+ "created": "2023-01-04T04:50:12.971Z",
+ "kind": "event",
+ "code": 4691,
+ "action": "Other Object Access Events"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4691.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4691.json-expected.json
new file mode 100644
index 00000000000..c81ea7c9c98
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4691.json-expected.json
@@ -0,0 +1,95 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-01-04T04:50:10.533Z",
+ "agent": {
+ "ephemeral_id": "7af11293-39b6-4555-82f1-2653ee510182",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "indirect-object-access-requested",
+ "category": [
+ "process"
+ ],
+ "code": "4691",
+ "created": "2023-01-04T04:50:12.971Z",
+ "kind": "event",
+ "type": [
+ "access"
+ ]
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Indirect access to an object was requested.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1280187532-2219128962-763009249-500\n\tAccount Name:\t\tadministrator\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x56B3A\n\nObject:\n\tObject Type:\tKey\n\tObject Name:\t\\REGISTRY\\USER\\S-1-5-21-1280187532-2219128962-763009249-500_Classes\n\nProcess Information:\n\tProcess ID:\t0x1884\n\nAccess Request Information:\n\tAccesses:\tNotify about changes to keys\n\t\t\t\t\n\tAccess Mask:\t0x10",
+ "process": {
+ "pid": 6276
+ },
+ "related": {
+ "user": [
+ "administrator"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "TEST1",
+ "id": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "name": "administrator"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "AccessList": [
+ "4436"
+ ],
+ "AccessListDescription": [
+ "Notify about changes to keys"
+ ],
+ "AccessMask": [
+ "0x10"
+ ],
+ "AccessMaskDescription": [
+ "Read Property"
+ ],
+ "ObjectName": "\\REGISTRY\\USER\\S-1-5-21-1280187532-2219128962-763009249-500_Classes",
+ "ObjectType": "Key",
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x56b3a",
+ "SubjectUserName": "administrator",
+ "SubjectUserSid": "S-1-5-21-1280187532-2219128962-763009249-500"
+ },
+ "event_id": "4691",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x56b3a"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 6488
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "623413650",
+ "task": "Other Object Access Events"
+ }
+ }
+ ]
+}
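Review bot: `AccessMaskDescription` decodes `AccessMask` `0x10` as `Read Property`, which is the Active Directory (`DS`) meaning of that bit; for this event the object is a registry `Key`, where `0x10` is `KEY_NOTIFY` — exactly what the same fixture's `AccessListDescription` (`Notify about changes to keys`, from `%%4436`) says a few lines above. The two description arrays contradict each other, which will mislead anyone triaging on `AccessMaskDescription`. The mask-to-name lookup needs to branch on `ObjectType` (Key, File, Process, Token, DS, …) or be omitted when the type is not the one the table was built for; with a per-type table I would expect `"AccessMaskDescription": ["Notify about changes to keys"]` here. Given `ObjectType: Key`, `registry.path` from `ObjectName` and `event.category: registry` would also be a closer ECS fit than `process`.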
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4692.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4692.json
new file mode 100644
index 00000000000..f53b7695d9f
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4692.json
@@ -0,0 +1,60 @@
+{
+ "events": [
+ {
+ "@timestamp": "2023-01-04T04:49:18.215Z",
+ "event": {
+ "kind": "event",
+ "code": 4692,
+ "action": "DPAPI Activity",
+ "created": "2023-01-04T04:49:24.671Z"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Backup of data protection master key was attempted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1280187532-2219128962-763009249-500\n\tAccount Name:\t\tadministrator\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x56B3A\n\nKey Information:\n\tKey Identifier:\t42464b43-cf55-4a64-a82e-0c0431038b7c\n\tRecovery Server:\t\n\tRecovery Key ID:\t7416d98c-bb79-4c85-9bfd-ceb5890e1dfe\n\nStatus Information:\n\tStatus Code:\t0x0",
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "agent": {
+ "version": "7.3.1",
+ "type": "winlogbeat",
+ "ephemeral_id": "7af11293-39b6-4555-82f1-2653ee510182",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb"
+ },
+ "winlog": {
+ "task": "DPAPI Activity",
+ "process": {
+ "pid": 652,
+ "thread": {
+ "id": 6380
+ }
+ },
+ "opcode": "Info",
+ "event_id": 4692,
+ "record_id": 623337543,
+ "keywords": [
+ "Audit Success"
+ ],
+ "event_data": {
+ "SubjectUserSid": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "SubjectUserName": "administrator",
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x56b3a",
+ "MasterKeyId": "42464b43-cf55-4a64-a82e-0c0431038b7c",
+ "RecoveryKeyId": "7416d98c-bb79-4c85-9bfd-ceb5890e1dfe",
+ "FailureReason": "0x0"
+ },
+ "channel": "Security",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "api": "wineventlog",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "activity_id": "{6804F410-1AA6-0002-28F4-0468A61AD901}",
+ "computer_name": "Server2.test1.local"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4692.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4692.json-expected.json
new file mode 100644
index 00000000000..e78353a71e1
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4692.json-expected.json
@@ -0,0 +1,83 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-01-04T04:49:18.215Z",
+ "agent": {
+ "ephemeral_id": "7af11293-39b6-4555-82f1-2653ee510182",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "dpapi-master-key-backup-attempted",
+ "category": [
+ "configuration"
+ ],
+ "code": "4692",
+ "created": "2023-01-04T04:49:24.671Z",
+ "kind": "event",
+ "type": [
+ "access"
+ ]
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Backup of data protection master key was attempted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1280187532-2219128962-763009249-500\n\tAccount Name:\t\tadministrator\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x56B3A\n\nKey Information:\n\tKey Identifier:\t42464b43-cf55-4a64-a82e-0c0431038b7c\n\tRecovery Server:\t\n\tRecovery Key ID:\t7416d98c-bb79-4c85-9bfd-ceb5890e1dfe\n\nStatus Information:\n\tStatus Code:\t0x0",
+ "related": {
+ "user": [
+ "administrator"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "TEST1",
+ "id": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "name": "administrator"
+ },
+ "winlog": {
+ "activity_id": "{6804F410-1AA6-0002-28F4-0468A61AD901}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "FailureReasons": "0x0",
+ "FailureReasonsOutcome": "Success",
+ "MasterKeyId": "42464b43-cf55-4a64-a82e-0c0431038b7c",
+ "RecoveryKeyId": "7416d98c-bb79-4c85-9bfd-ceb5890e1dfe",
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x56b3a",
+ "SubjectUserName": "administrator",
+ "SubjectUserSid": "S-1-5-21-1280187532-2219128962-763009249-500"
+ },
+ "event_id": "4692",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x56b3a"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 652,
+ "thread": {
+ "id": 6380
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "623337543",
+ "task": "DPAPI Activity"
+ }
+ }
+ ]
+}
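Review bot: the pipeline derives `FailureReasonsOutcome: Success` from `FailureReason: 0x0` (and renames the raw key to the plural `FailureReasons`), but `event.outcome` is left unset, so a rule for failed DPAPI master-key backups (`event.code: 4692 and event.outcome: failure`) has nothing to match. If `event.outcome` is expected to arrive from the agent, as it does in the 4663 and 4675 fixtures, the 7.3.1-era input here does not exercise that path; otherwise `"outcome": "success"` should be set from the same status code. The silent `FailureReason` → `FailureReasons` rename also deserves a comment in the pipeline, since the Windows manifest uses the singular and anyone querying the raw field will miss it.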
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4695.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4695.json
new file mode 100644
index 00000000000..68ee2ea5bf5
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4695.json
@@ -0,0 +1,73 @@
+{
+ "events": [
+ {
+ "@timestamp": "2022-11-24T10:15:45.000Z",
+ "event": {
+ "code": 4695,
+ "action": "DPAPI Activity",
+ "created": "2022-11-24T10:15:45.574Z",
+ "kind": "event"
+ },
+ "log": {
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "name": "Server2",
+ "architecture": "x86_64",
+ "os": {
+ "build": "14393.693",
+ "platform": "windows",
+ "version": "10.0",
+ "family": "windows",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "kernel": "10.0.14393.693 (rs1_release.161220-1747)"
+ },
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "hostname": "Server2"
+ },
+ "agent": {
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1",
+ "type": "winlogbeat",
+ "ephemeral_id": "a1623ed9-bf19-4c82-93a1-8124108b43be",
+ "hostname": "Server2"
+ },
+ "message": "Unprotection of auditable protected data was attempted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSERVER2$\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x3E7\n\nProtected Data:\n\tData Description:\tPrivate Key\n\tKey Identifier:\tf3da18d9-1331-4d3c-a97e-dfb3cfdb0a05\n\tProtected Data Flags:\t0x0\n\tProtection Algorithms:\t3DES-192 , SHA1-160 \n\nStatus Information:\n\tStatus Code:\t0x0",
+ "winlog": {
+ "activity_id": "{AE8DEF25-FE68-0000-4DEF-8DAE68FED801}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "keywords": [
+ "Audit Success"
+ ],
+ "record_id": 4518131,
+ "event_id": 4695,
+ "task": "DPAPI Activity",
+ "computer_name": "Server2.test1.local",
+ "opcode": "Info",
+ "api": "wineventlog",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "process": {
+ "pid": 644,
+ "thread": {
+ "id": 88
+ }
+ },
+ "event_data": {
+ "SubjectDomainName": "TEST1",
+ "MasterKeyId": "Private Key",
+ "CryptoAlgorithms": "3DES-192 , SHA1-160 ",
+ "SubjectUserSid": "S-1-5-18",
+ "DataDescription": "f3da18d9-1331-4d3c-a97e-dfb3cfdb0a05",
+ "ProtectedDataFlags": "0x0",
+ "FailureReason": "0x0",
+ "SubjectUserName": "SERVER2$",
+ "SubjectLogonId": "0x3e7"
+ },
+ "channel": "Security"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4695.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4695.json-expected.json
new file mode 100644
index 00000000000..2dfdf5d539b
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4695.json-expected.json
@@ -0,0 +1,96 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-11-24T10:15:45.000Z",
+ "agent": {
+ "ephemeral_id": "a1623ed9-bf19-4c82-93a1-8124108b43be",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "auditable-data-unprotection-attempted",
+ "category": [
+ "configuration"
+ ],
+ "code": "4695",
+ "created": "2022-11-24T10:15:45.574Z",
+ "kind": "event",
+ "type": [
+ "access"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "Server2",
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "name": "Server2",
+ "os": {
+ "build": "14393.693",
+ "family": "windows",
+ "kernel": "10.0.14393.693 (rs1_release.161220-1747)",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "platform": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Unprotection of auditable protected data was attempted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSERVER2$\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x3E7\n\nProtected Data:\n\tData Description:\tPrivate Key\n\tKey Identifier:\tf3da18d9-1331-4d3c-a97e-dfb3cfdb0a05\n\tProtected Data Flags:\t0x0\n\tProtection Algorithms:\t3DES-192 , SHA1-160 \n\nStatus Information:\n\tStatus Code:\t0x0",
+ "related": {
+ "user": [
+ "SERVER2$"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "TEST1",
+ "id": "S-1-5-18",
+ "name": "SERVER2$"
+ },
+ "winlog": {
+ "activity_id": "{AE8DEF25-FE68-0000-4DEF-8DAE68FED801}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "CryptoAlgorithms": "3DES-192 , SHA1-160 ",
+ "DataDescription": "f3da18d9-1331-4d3c-a97e-dfb3cfdb0a05",
+ "FailureReasons": "0x0",
+ "FailureReasonsOutcome": "Success",
+ "MasterKeyId": "Private Key",
+ "ProtectedDataFlags": "0x0",
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x3e7",
+ "SubjectUserName": "SERVER2$",
+ "SubjectUserSid": "S-1-5-18"
+ },
+ "event_id": "4695",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x3e7"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 644,
+ "thread": {
+ "id": 88
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "4518131",
+ "task": "DPAPI Activity"
+ }
+ }
+ ]
+}
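Review bot: in this fixture `winlog.event_data.MasterKeyId` holds `Private Key` and `DataDescription` holds the GUID `f3da18d9-…`, the reverse of what the rendered `message` shows (`Data Description: Private Key`, `Key Identifier: f3da18d9-…`), and the expected output carries the swap through unchanged. If this is genuinely how the Security-Auditing manifest labels the 4695 data items, a one-line comment in the test or pipeline saying so would stop the next reader from filing it as a bug; if it is a fixture error, the two values should be swapped back before they become documented behaviour. As with 4692, `FailureReasonsOutcome: Success` is produced while `event.outcome` stays unset.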
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4704.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4704.json
new file mode 100644
index 00000000000..3898d5deedf
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4704.json
@@ -0,0 +1,59 @@
+{
+ "events": [
+ {
+ "@timestamp": "2022-12-21T09:48:56.442Z",
+ "message": "A user right was assigned.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSERVER2$\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tAccount Name:\t\tS-1-5-82-3006700770-424185619-1745488364-794895919-4004696415\n\nNew Right:\n\tUser Right:\t\tSeAuditPrivilege",
+ "winlog": {
+ "event_data": {
+ "SubjectLogonId": "0x3e7",
+ "TargetSid": "S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415",
+ "PrivilegeList": "SeAuditPrivilege",
+ "SubjectUserSid": "S-1-5-18",
+ "SubjectUserName": "SERVER2$",
+ "SubjectDomainName": "TEST1"
+ },
+ "channel": "Security",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "task": "Authorization Policy Change",
+ "opcode": "Info",
+ "activity_id": "{693CCF6C-095B-0000-8DCF-3C695B09D901}",
+ "event_id": 4704,
+ "record_id": 508945548,
+ "api": "wineventlog",
+ "process": {
+ "pid": 644,
+ "thread": {
+ "id": 3516
+ }
+ },
+ "computer_name": "Server2.test1.local",
+ "keywords": [
+ "Audit Success"
+ ],
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}"
+ },
+ "event": {
+ "action": "Authorization Policy Change",
+ "created": "2022-12-21T09:48:57.579Z",
+ "kind": "event",
+ "code": 4704
+ },
+ "log": {
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "agent": {
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1",
+ "type": "winlogbeat",
+ "ephemeral_id": "a41cb01e-d7c9-49e3-a7a9-12e6903edc17"
+ }
+ }
+ ]
+}
\ No newline at end of file
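Review bot: The new input fixture ends without a trailing newline (`\ No newline at end of file`) while its paired expected file ends with one, and the same holds for test-4705.json, test-4793.json and test-4800.json added further down. Mixed line endings across the fixture set make the next regeneration of expectations show spurious one-line diffs on the closing brace. Add the final newline to the four input fixtures so they match the expected files and the existing fixtures in this directory.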
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4704.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4704.json-expected.json
new file mode 100644
index 00000000000..53c47407f0c
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4704.json-expected.json
@@ -0,0 +1,87 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-12-21T09:48:56.442Z",
+ "agent": {
+ "ephemeral_id": "a41cb01e-d7c9-49e3-a7a9-12e6903edc17",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "user-right-assigned",
+ "category": [
+ "iam"
+ ],
+ "code": "4704",
+ "created": "2022-12-21T09:48:57.579Z",
+ "kind": "event",
+ "type": [
+ "change",
+ "user"
+ ]
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A user right was assigned.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSERVER2$\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tAccount Name:\t\tS-1-5-82-3006700770-424185619-1745488364-794895919-4004696415\n\nNew Right:\n\tUser Right:\t\tSeAuditPrivilege",
+ "related": {
+ "user": [
+ "SERVER2$"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "TEST1",
+ "id": "S-1-5-18",
+ "name": "SERVER2$",
+ "target": {
+ "id": "S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415"
+ }
+ },
+ "winlog": {
+ "activity_id": "{693CCF6C-095B-0000-8DCF-3C695B09D901}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "PrivilegeList": [
+ "SeAuditPrivilege"
+ ],
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x3e7",
+ "SubjectUserName": "SERVER2$",
+ "SubjectUserSid": "S-1-5-18",
+ "TargetSid": "S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415"
+ },
+ "event_id": "4704",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x3e7"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 644,
+ "thread": {
+ "id": 3516
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "508945548",
+ "task": "Authorization Policy Change"
+ }
+ }
+ ]
+}
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4705.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4705.json
new file mode 100644
index 00000000000..3f14c95a834
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4705.json
@@ -0,0 +1,59 @@
+{
+ "events": [
+ {
+ "@timestamp": "2022-12-21T09:52:52.996Z",
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "agent": {
+ "type": "winlogbeat",
+ "ephemeral_id": "a41cb01e-d7c9-49e3-a7a9-12e6903edc17",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A user right was removed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSERVER2$\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tAccount Name:\t\tS-1-5-82-3006700770-424185619-1745488364-794895919-4004696415\n\nRemoved Right:\n\tUser Right:\t\tSeAuditPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeAssignPrimaryTokenPrivilege",
+ "winlog": {
+ "activity_id": "{693CCF6C-095B-0000-8DCF-3C695B09D901}",
+ "record_id": 508959052,
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "event_id": 4705,
+ "opcode": "Info",
+ "keywords": [
+ "Audit Success"
+ ],
+ "process": {
+ "pid": 644,
+ "thread": {
+ "id": 8540
+ }
+ },
+ "event_data": {
+ "SubjectUserSid": "S-1-5-18",
+ "SubjectUserName": "SERVER2$",
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x3e7",
+ "TargetSid": "S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415",
+ "PrivilegeList": "SeAuditPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeAssignPrimaryTokenPrivilege"
+ },
+ "channel": "Security",
+ "task": "Authorization Policy Change",
+ "api": "wineventlog",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "computer_name": "Server2.test1.local"
+ },
+ "event": {
+ "code": 4705,
+ "action": "Authorization Policy Change",
+ "created": "2022-12-21T09:52:53.334Z",
+ "kind": "event"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4705.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4705.json-expected.json
new file mode 100644
index 00000000000..91606164581
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4705.json-expected.json
@@ -0,0 +1,89 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-12-21T09:52:52.996Z",
+ "agent": {
+ "ephemeral_id": "a41cb01e-d7c9-49e3-a7a9-12e6903edc17",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "user-right-removed",
+ "category": [
+ "iam"
+ ],
+ "code": "4705",
+ "created": "2022-12-21T09:52:53.334Z",
+ "kind": "event",
+ "type": [
+ "change",
+ "user"
+ ]
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A user right was removed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSERVER2$\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x3E7\n\nTarget Account:\n\tAccount Name:\t\tS-1-5-82-3006700770-424185619-1745488364-794895919-4004696415\n\nRemoved Right:\n\tUser Right:\t\tSeAuditPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeAssignPrimaryTokenPrivilege",
+ "related": {
+ "user": [
+ "SERVER2$"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "TEST1",
+ "id": "S-1-5-18",
+ "name": "SERVER2$",
+ "target": {
+ "id": "S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415"
+ }
+ },
+ "winlog": {
+ "activity_id": "{693CCF6C-095B-0000-8DCF-3C695B09D901}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "PrivilegeList": [
+ "SeAuditPrivilege",
+ "SeIncreaseQuotaPrivilege",
+ "SeAssignPrimaryTokenPrivilege"
+ ],
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x3e7",
+ "SubjectUserName": "SERVER2$",
+ "SubjectUserSid": "S-1-5-18",
+ "TargetSid": "S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415"
+ },
+ "event_id": "4705",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x3e7"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 644,
+ "thread": {
+ "id": 8540
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "508959052",
+ "task": "Authorization Policy Change"
+ }
+ }
+ ]
+}
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json-expected.json
index 3c493e029b3..e0fb49f54f6 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json-expected.json
@@ -39,6 +39,9 @@
"Administrator"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-21-2024912787-2692429404-2351956786-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json-expected.json
index 29e7dc4d864..1c013536c7e 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json-expected.json
@@ -39,6 +39,9 @@
"Administrator"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-21-2024912787-2692429404-2351956786-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json-expected.json
index 7438b543c62..6dbf47c05f2 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json-expected.json
@@ -39,6 +39,9 @@
"WIN-BVM4LI1L1Q6$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-18",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json-expected.json
index f2a3f188fb7..160f70be317 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json-expected.json
@@ -39,6 +39,9 @@
"Administrator"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-21-2024912787-2692429404-2351956786-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json-expected.json
index 3030b10c5c8..46cb32fe506 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json-expected.json
@@ -41,6 +41,9 @@
"WIN-BVM4LI1L1Q6$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WORKGROUP",
"id": "S-1-5-18",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json-expected.json
index 12f33b6b83f..cbb01581a77 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json-expected.json
@@ -41,6 +41,9 @@
"WIN-BVM4LI1L1Q6$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WORKGROUP",
"id": "S-1-5-18",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json-expected.json
index 27490a05197..646529d2540 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json-expected.json
@@ -41,6 +41,9 @@
"Administrator"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-21-2024912787-2692429404-2351956786-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4719.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4719.json-expected.json
index edd08ffda8e..ea309b4da69 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4719.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4719.json-expected.json
@@ -41,6 +41,9 @@
"WIN-41OB2LO92CR$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WLBEAT",
"id": "S-1-5-18",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4738.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4738.json-expected.json
index 23dc5dcd9d3..ccba8dfdd87 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4738.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4738.json-expected.json
@@ -32,6 +32,9 @@
"anatest1"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json-expected.json
index b7414dd9f86..75b0496afab 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json-expected.json
@@ -39,6 +39,9 @@
"WIN-BVM4LI1L1Q6$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-18",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4742.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4742.json-expected.json
index d9f9c256d0a..afcd9f6c1c9 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4742.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4742.json-expected.json
@@ -31,6 +31,9 @@
"ANONYMOUS LOGON"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "NT AUTHORITY",
"id": "S-1-5-7",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json
index 954071d3d86..82054f38d12 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json
@@ -40,6 +40,9 @@
"at_adm"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json
index 3c114d5bcc1..c8b15bbb320 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json
@@ -45,6 +45,9 @@
"at_adm"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json
index c1cf35eb7e3..d12ab4c3b3d 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json
@@ -45,6 +45,9 @@
"at_adm"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json
index 029fc43d889..3c2c75b7496 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json
@@ -46,6 +46,9 @@
"at_adm"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json
index c060aff59dd..c7698e77813 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json
@@ -46,6 +46,9 @@
"at_adm"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json
index 0e74526055d..68b73bad25b 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json
@@ -45,6 +45,9 @@
"at_adm"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json
index a50742469e8..9cde582a568 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json
@@ -45,6 +45,9 @@
"at_adm"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json
index ade2bb81e22..5545dab92eb 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json
@@ -45,6 +45,9 @@
"at_adm"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json
index 04c94733121..108753103b4 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json
@@ -46,6 +46,9 @@
"at_adm"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json
index 9cb9219a700..6a49767e66b 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json
@@ -46,6 +46,9 @@
"at_adm"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json
index 4be4ec6b4e9..8fbcb417d42 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json
@@ -45,6 +45,9 @@
"at_adm"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json
index d19ef991080..becae8e48a7 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json
@@ -45,6 +45,9 @@
"at_adm"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json
index 5b4c548dc6e..d89db89a1e4 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json
@@ -45,6 +45,9 @@
"at_adm"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json
index 76e2e19c5d0..7b1401de2ef 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json
@@ -46,6 +46,9 @@
"at_adm"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json
index cec5897bf87..61bb2ea6f4c 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json
@@ -46,6 +46,9 @@
"at_adm"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json
index 6919f37b598..a972d4ecb60 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json
@@ -45,6 +45,9 @@
"at_adm"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4793.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4793.json
new file mode 100644
index 00000000000..d4864bbf65e
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4793.json
@@ -0,0 +1,62 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-04-15T19:04:48.224Z",
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4763.xml"
+ },
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.8.0"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "agent": {
+ "type": "filebeat",
+ "version": "8.0.0",
+ "ephemeral_id": "34714bdd-4b69-48f1-a4c6-c02799139342",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain"
+ },
+ "winlog": {
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 3707847,
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "level": "information",
+ "channel": "Security",
+ "event_id": 4793,
+ "process": {
+ "pid": 492,
+ "thread": {
+ "id": 1348
+ }
+ },
+ "outcome": "success",
+ "event_data": {
+ "TargetUserName": "testuni2",
+ "Status": "0x0",
+ "SubjectUserSid": "S-1-5-18",
+ "SubjectUserName": "SERVER2$",
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x3e7",
+ "Workstation": "SERVER2"
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "time_created": "2019-12-19T08:34:23.162Z"
+ },
+ "event": {
+ "kind": "event",
+ "code": 4793,
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ }
+ }
+ ]
+}
\ No newline at end of file
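Review bot: The fixture's `log.file.path` names `.../testdata/4763.xml` although the record under test is 4793 (`"event_id": 4793`, `"code": 4793`), which suggests it was copied from the 4763 fixture, and the path is carried unchanged into the expected output. Either point it at a 4793 source file or drop the `log.file` object from the fixture so the expectation does not pin a misleading value. Also worth a look: the fixture's `@timestamp` (2021-04-15) and `winlog.time_created` (2019-12-19) disagree, and the expected output keeps the latter; if that replacement is the pipeline's intended behaviour it is fine, but a fixture whose two timestamps agree would make the test less surprising.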
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4793.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4793.json-expected.json
new file mode 100644
index 00000000000..d411022b00f
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4793.json-expected.json
@@ -0,0 +1,96 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2019-12-19T08:34:23.162Z",
+ "agent": {
+ "ephemeral_id": "34714bdd-4b69-48f1-a4c6-c02799139342",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "password-policy-checking-api-called",
+ "category": [
+ "api"
+ ],
+ "code": "4793",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4763.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "testuni2",
+ "SERVER2$"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "TEST1",
+ "effective": {
+ "name": "testuni2"
+ },
+ "id": "S-1-5-18",
+ "name": "SERVER2$",
+ "target": {
+ "name": "testuni2"
+ }
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "event_data": {
+ "Status": "0x0",
+ "StatusDescription": "KDC_ERR_NONE",
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x3e7",
+ "SubjectUserName": "SERVER2$",
+ "SubjectUserSid": "S-1-5-18",
+ "TargetUserName": "testuni2",
+ "Workstation": "SERVER2"
+ },
+ "event_id": "4793",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "failure": {
+ "status": "Status OK."
+ },
+ "id": "0x3e7"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 492,
+ "thread": {
+ "id": 1348
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "3707847",
+ "time_created": "2019-12-19T08:34:23.162Z"
+ }
+ }
+ ]
+}
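Review bot: The expected output for event 4793 carries `"StatusDescription": "KDC_ERR_NONE"` in `winlog.event_data` and `"status": "Status OK."` under `winlog.logon.failure`, both derived from `Status: 0x0`. 4793 is the password-policy-checking API event, whose Status field is a Windows status result rather than a Kerberos result code, so if these two fields come from the pipeline's Kerberos status lookup the enrichment appears misapplied to this id, and this expectation file would lock that in. Confirm against the pipeline; if the lookup is meant for the Kerberos events only, narrow its condition so that neither field is emitted here and regenerate the expectation.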
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4797.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4797.json-expected.json
index b0d68719cfc..ea9e0582072 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4797.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4797.json-expected.json
@@ -31,6 +31,9 @@
"Guest"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-21-000000000-000000000-000000000-00000",
@@ -104,6 +107,9 @@
"WDAGUtilityAccount"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-21-000000000-000000000-000000000-00000",
@@ -177,6 +183,9 @@
"DefaultAccount"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-21-000000000-000000000-000000000-00000",
@@ -250,6 +259,9 @@
"contoso"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-21-000000000-000000000-000000000-00000",
@@ -323,6 +335,9 @@
"Administrator"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-21-000000000-000000000-000000000-00000",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4800.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4800.json
new file mode 100644
index 00000000000..cba60107b82
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4800.json
@@ -0,0 +1,58 @@
+{
+ "events": [
+ {
+ "@timestamp": "2022-12-23T09:07:40.036Z",
+ "host": {
+ "name": "Server2"
+ },
+ "agent": {
+ "type": "winlogbeat",
+ "ephemeral_id": "a41cb01e-d7c9-49e3-a7a9-12e6903edc17",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "The workstation was locked.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1280187532-2219128962-763009249-500\n\tAccount Name:\t\tadministrator\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x34C07D18\n\tSession ID:\t1",
+ "winlog": {
+ "keywords": [
+ "Audit Success"
+ ],
+ "channel": "Security",
+ "event_id": 4800,
+ "record_id": 569937099,
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "task": "Other Logon/Logoff Events",
+ "api": "wineventlog",
+ "computer_name": "Server2.test1.local",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "process": {
+ "pid": 644,
+ "thread": {
+ "id": 632
+ }
+ },
+ "opcode": "Info",
+ "activity_id": "{693CCF6C-095B-0000-8DCF-3C695B09D901}",
+ "event_data": {
+ "SessionId": "1",
+ "TargetUserSid": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "TargetUserName": "administrator",
+ "TargetDomainName": "TEST1",
+ "TargetLogonId": "0x34c07d18"
+ }
+ },
+ "event": {
+ "created": "2022-12-23T09:07:41.047Z",
+ "kind": "event",
+ "code": 4800,
+ "action": "Other Logon/Logoff Events"
+ },
+ "ecs": {
+ "version": "1.0.1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4800.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4800.json-expected.json
new file mode 100644
index 00000000000..ea3bbc37ab3
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4800.json-expected.json
@@ -0,0 +1,89 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-12-23T09:07:40.036Z",
+ "agent": {
+ "ephemeral_id": "a41cb01e-d7c9-49e3-a7a9-12e6903edc17",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "workstation-locked",
+ "category": [
+ "authentication"
+ ],
+ "code": "4800",
+ "created": "2022-12-23T09:07:41.047Z",
+ "kind": "event",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "The workstation was locked.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1280187532-2219128962-763009249-500\n\tAccount Name:\t\tadministrator\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x34C07D18\n\tSession ID:\t1",
+ "related": {
+ "user": [
+ "administrator"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "TEST1",
+ "effective": {
+ "domain": "TEST1",
+ "id": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "name": "administrator"
+ },
+ "id": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "name": "administrator",
+ "target": {
+ "domain": "TEST1",
+ "name": "administrator"
+ }
+ },
+ "winlog": {
+ "activity_id": "{693CCF6C-095B-0000-8DCF-3C695B09D901}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "SessionId": "1",
+ "TargetDomainName": "TEST1",
+ "TargetLogonId": "0x34c07d18",
+ "TargetUserName": "administrator",
+ "TargetUserSid": "S-1-5-21-1280187532-2219128962-763009249-500"
+ },
+ "event_id": "4800",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x34c07d18"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 644,
+ "thread": {
+ "id": 632
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "569937099",
+ "task": "Other Logon/Logoff Events"
+ }
+ }
+ ]
+}
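Review bot: The expected document pins `user.target.{name,domain}` to the same principal as `user.*`, but for 4800 the `TargetUserName`/`TargetDomainName` event_data fields are Microsoft's labels for the subject who locked the workstation (the message shows them under `Subject:`), not an account that was acted upon. If this comes from the pipeline's generic Target* mapping, the fixture codifies a misleading ECS shape that detection content keying on `user.target.name` may misread; consider gating that mapping for 4800–4803 so only `user.*` (and `user.effective.*`, if intended) is populated, and the same applies to the 4801/4802/4803 fixtures. Separately, no `event.outcome` is present although `winlog.keywords` carries `Audit Success`; if the pipeline derives outcome from keywords for other event ids, confirm its absence here is intended rather than pinning it by accident.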
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4801.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4801.json
new file mode 100644
index 00000000000..acff0d885a1
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4801.json
@@ -0,0 +1,69 @@
+{
+ "events": [
+ {
+ "@timestamp": "2022-11-30T09:54:09.983Z",
+ "agent": {
+ "ephemeral_id": "e82715b6-e60b-4870-a2ee-373516f6f032",
+ "hostname": "Server1",
+ "id": "27d0bac7-4de4-4ca5-97f7-1d1b7105b25a",
+ "version": "7.3.1",
+ "type": "winlogbeat"
+ },
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "task": "Other Logon/Logoff Events",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "event_id": 4801,
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "keywords": [
+ "Audit Success"
+ ],
+ "event_data": {
+ "TargetUserName": "administrator",
+ "TargetDomainName": "IT",
+ "TargetLogonId": "0x4c598",
+ "SessionId": "1",
+ "TargetUserSid": "S-1-5-21-3498697890-273193191-2741109841-500"
+ },
+ "channel": "Security",
+ "opcode": "Info",
+ "process": {
+ "pid": 648,
+ "thread": {
+ "id": 6264
+ }
+ },
+ "activity_id": "{495DB8C8-FA7B-0001-D6B8-5D497BFAD801}",
+ "record_id": 62703266,
+ "computer_name": "Server1.it.local"
+ },
+ "event": {
+ "code": 4801,
+ "action": "Other Logon/Logoff Events",
+ "created": "2022-11-30T09:54:11.162Z",
+ "kind": "event"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "The workstation was unlocked.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3498697890-273193191-2741109841-500\n\tAccount Name:\t\tadministrator\n\tAccount Domain:\t\tIT\n\tLogon ID:\t\t0x4C598\n\tSession ID:\t1",
+ "host": {
+ "name": "Server1",
+ "architecture": "x86_64",
+ "os": {
+ "kernel": "10.0.14393.693 (rs1_release.161220-1747)",
+ "build": "14393.693",
+ "platform": "windows",
+ "version": "10.0",
+ "family": "windows",
+ "name": "Windows Server 2016 Standard Evaluation"
+ },
+ "id": "76330334-9e18-4aad-9113-1f1ce3fd0ff0",
+ "hostname": "Server1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4801.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4801.json-expected.json
new file mode 100644
index 00000000000..a4fb573605a
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4801.json-expected.json
@@ -0,0 +1,100 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-11-30T09:54:09.983Z",
+ "agent": {
+ "ephemeral_id": "e82715b6-e60b-4870-a2ee-373516f6f032",
+ "hostname": "Server1",
+ "id": "27d0bac7-4de4-4ca5-97f7-1d1b7105b25a",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "workstation-unlocked",
+ "category": [
+ "authentication"
+ ],
+ "code": "4801",
+ "created": "2022-11-30T09:54:11.162Z",
+ "kind": "event",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "Server1",
+ "id": "76330334-9e18-4aad-9113-1f1ce3fd0ff0",
+ "name": "Server1",
+ "os": {
+ "build": "14393.693",
+ "family": "windows",
+ "kernel": "10.0.14393.693 (rs1_release.161220-1747)",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "platform": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "The workstation was unlocked.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3498697890-273193191-2741109841-500\n\tAccount Name:\t\tadministrator\n\tAccount Domain:\t\tIT\n\tLogon ID:\t\t0x4C598\n\tSession ID:\t1",
+ "related": {
+ "user": [
+ "administrator"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "IT",
+ "effective": {
+ "domain": "IT",
+ "id": "S-1-5-21-3498697890-273193191-2741109841-500",
+ "name": "administrator"
+ },
+ "id": "S-1-5-21-3498697890-273193191-2741109841-500",
+ "name": "administrator",
+ "target": {
+ "domain": "IT",
+ "name": "administrator"
+ }
+ },
+ "winlog": {
+ "activity_id": "{495DB8C8-FA7B-0001-D6B8-5D497BFAD801}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server1.it.local",
+ "event_data": {
+ "SessionId": "1",
+ "TargetDomainName": "IT",
+ "TargetLogonId": "0x4c598",
+ "TargetUserName": "administrator",
+ "TargetUserSid": "S-1-5-21-3498697890-273193191-2741109841-500"
+ },
+ "event_id": "4801",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x4c598"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 648,
+ "thread": {
+ "id": 6264
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "62703266",
+ "task": "Other Logon/Logoff Events"
+ }
+ }
+ ]
+}
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4802.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4802.json
new file mode 100644
index 00000000000..a49ae4d666a
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4802.json
@@ -0,0 +1,58 @@
+{
+ "events": [
+ {
+ "@timestamp": "2022-12-23T09:18:52.843Z",
+ "event": {
+ "code": 4802,
+ "action": "Other Logon/Logoff Events",
+ "created": "2022-12-23T09:18:53.503Z",
+ "kind": "event"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "The screen saver was invoked.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1280187532-2219128962-763009249-500\n\tAccount Name:\t\tadministrator\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x34F4B8E0\n\tSession ID:\t4",
+ "agent": {
+ "type": "winlogbeat",
+ "ephemeral_id": "a41cb01e-d7c9-49e3-a7a9-12e6903edc17",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "winlog": {
+ "record_id": 570450046,
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "computer_name": "Server2.test1.local",
+ "activity_id": "{693CCF6C-095B-0000-8DCF-3C695B09D901}",
+ "event_data": {
+ "TargetLogonId": "0x34f4b8e0",
+ "SessionId": "4",
+ "TargetUserSid": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "TargetUserName": "administrator",
+ "TargetDomainName": "TEST1"
+ },
+ "event_id": 4802,
+ "task": "Other Logon/Logoff Events",
+ "api": "wineventlog",
+ "process": {
+ "pid": 644,
+ "thread": {
+ "id": 8308
+ }
+ },
+ "channel": "Security",
+ "keywords": [
+ "Audit Success"
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4802.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4802.json-expected.json
new file mode 100644
index 00000000000..67ca6523c0b
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4802.json-expected.json
@@ -0,0 +1,90 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-12-23T09:18:52.843Z",
+ "agent": {
+ "ephemeral_id": "a41cb01e-d7c9-49e3-a7a9-12e6903edc17",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "screen-saver-invoked",
+ "category": [
+ "process",
+ "session"
+ ],
+ "code": "4802",
+ "created": "2022-12-23T09:18:53.503Z",
+ "kind": "event",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "The screen saver was invoked.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1280187532-2219128962-763009249-500\n\tAccount Name:\t\tadministrator\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x34F4B8E0\n\tSession ID:\t4",
+ "related": {
+ "user": [
+ "administrator"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "TEST1",
+ "effective": {
+ "domain": "TEST1",
+ "id": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "name": "administrator"
+ },
+ "id": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "name": "administrator",
+ "target": {
+ "domain": "TEST1",
+ "name": "administrator"
+ }
+ },
+ "winlog": {
+ "activity_id": "{693CCF6C-095B-0000-8DCF-3C695B09D901}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "SessionId": "4",
+ "TargetDomainName": "TEST1",
+ "TargetLogonId": "0x34f4b8e0",
+ "TargetUserName": "administrator",
+ "TargetUserSid": "S-1-5-21-1280187532-2219128962-763009249-500"
+ },
+ "event_id": "4802",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x34f4b8e0"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 644,
+ "thread": {
+ "id": 8308
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "570450046",
+ "task": "Other Logon/Logoff Events"
+ }
+ }
+ ]
+}
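Review bot: `event.category` is pinned as `["process", "session"]` for the screen-saver-invoked event, while the sibling 4800/4801 lock/unlock fixtures use `["authentication"]`; nothing in the event describes a process, and tagging it `process` pulls a session-state notification into process-centric rules and dashboards. If this mirrors the pipeline's event-id table rather than a deliberate choice, consider whether `"category": ["session"]` alone (keeping `"type": ["info"]`) is the intended categorization, and the same question applies to the 4803 fixture. The `user.target` caveat raised on the 4800 fixture applies here as well, since the Target* fields again name the subject.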
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4803.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4803.json
new file mode 100644
index 00000000000..9eb44c5621c
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4803.json
@@ -0,0 +1,58 @@
+{
+ "events": [
+ {
+ "@timestamp": "2022-12-23T09:22:26.695Z",
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "winlog": {
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "keywords": [
+ "Audit Success"
+ ],
+ "api": "wineventlog",
+ "record_id": 570463565,
+ "task": "Other Logon/Logoff Events",
+ "process": {
+ "thread": {
+ "id": 7784
+ },
+ "pid": 644
+ },
+ "event_data": {
+ "TargetUserSid": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "TargetUserName": "administrator",
+ "TargetDomainName": "TEST1",
+ "TargetLogonId": "0x34f4b8e0",
+ "SessionId": "4"
+ },
+ "computer_name": "Server2.test1.local",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "channel": "Security",
+ "opcode": "Info",
+ "activity_id": "{693CCF6C-095B-0000-8DCF-3C695B09D901}",
+ "event_id": 4803
+ },
+ "event": {
+ "kind": "event",
+ "code": 4803,
+ "action": "Other Logon/Logoff Events",
+ "created": "2022-12-23T09:22:27.502Z"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "The screen saver was dismissed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1280187532-2219128962-763009249-500\n\tAccount Name:\t\tadministrator\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x34F4B8E0\n\tSession ID:\t4",
+ "agent": {
+ "ephemeral_id": "a41cb01e-d7c9-49e3-a7a9-12e6903edc17",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1",
+ "type": "winlogbeat"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4803.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4803.json-expected.json
new file mode 100644
index 00000000000..a11f082d4f5
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4803.json-expected.json
@@ -0,0 +1,90 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-12-23T09:22:26.695Z",
+ "agent": {
+ "ephemeral_id": "a41cb01e-d7c9-49e3-a7a9-12e6903edc17",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "screen-saver-dismissed",
+ "category": [
+ "process",
+ "session"
+ ],
+ "code": "4803",
+ "created": "2022-12-23T09:22:27.502Z",
+ "kind": "event",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "The screen saver was dismissed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1280187532-2219128962-763009249-500\n\tAccount Name:\t\tadministrator\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x34F4B8E0\n\tSession ID:\t4",
+ "related": {
+ "user": [
+ "administrator"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "TEST1",
+ "effective": {
+ "domain": "TEST1",
+ "id": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "name": "administrator"
+ },
+ "id": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "name": "administrator",
+ "target": {
+ "domain": "TEST1",
+ "name": "administrator"
+ }
+ },
+ "winlog": {
+ "activity_id": "{693CCF6C-095B-0000-8DCF-3C695B09D901}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "SessionId": "4",
+ "TargetDomainName": "TEST1",
+ "TargetLogonId": "0x34f4b8e0",
+ "TargetUserName": "administrator",
+ "TargetUserSid": "S-1-5-21-1280187532-2219128962-763009249-500"
+ },
+ "event_id": "4803",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x34f4b8e0"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 644,
+ "thread": {
+ "id": 7784
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "570463565",
+ "task": "Other Logon/Logoff Events"
+ }
+ }
+ ]
+}
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json-expected.json
index b9eb60142f8..d33077ff676 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json-expected.json
@@ -42,6 +42,9 @@
"Administrator"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-18",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4868.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4868.json
new file mode 100644
index 00000000000..b77d0e9fe3b
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4868.json
@@ -0,0 +1,69 @@
+{
+ "events": [
+ {
+ "@timestamp": "2022-11-28T05:34:27.711Z",
+ "log": {
+ "level": "information"
+ },
+ "host": {
+ "name": "Server2",
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "hostname": "Server2",
+ "architecture": "x86_64",
+ "os": {
+ "kernel": "10.0.14393.693 (rs1_release.161220-1747)",
+ "build": "14393.693",
+ "platform": "windows",
+ "version": "10.0",
+ "family": "windows",
+ "name": "Windows Server 2016 Standard Evaluation"
+ }
+ },
+ "agent": {
+ "type": "winlogbeat",
+ "ephemeral_id": "a1623ed9-bf19-4c82-93a1-8124108b43be",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "message": "The certificate manager denied a pending certificate request.\n\t\nRequest ID:\t15",
+ "winlog": {
+ "api": "wineventlog",
+ "event_data": {
+ "SubjectUserName": "administrator",
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x614a6",
+ "RequestId": "15",
+ "SubjectUserSid": "S-1-5-21-1280187532-2219128962-763009249-500"
+ },
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "opcode": "Info",
+ "process": {
+ "pid": 644,
+ "thread": {
+ "id": 6680
+ }
+ },
+ "keywords": [
+ "Audit Success"
+ ],
+ "activity_id": "{AE8DEF25-FE68-0000-4DEF-8DAE68FED801}",
+ "record_id": 6645197,
+ "computer_name": "Server2.test1.local",
+ "task": "Certification Services",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "channel": "Security",
+ "event_id": 4868
+ },
+ "event": {
+ "kind": "event",
+ "code": 4868,
+ "action": "Certification Services",
+ "created": "2022-11-28T05:34:28.806Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4868.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4868.json-expected.json
new file mode 100644
index 00000000000..9f828c7badb
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4868.json-expected.json
@@ -0,0 +1,91 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-11-28T05:34:27.711Z",
+ "agent": {
+ "ephemeral_id": "a1623ed9-bf19-4c82-93a1-8124108b43be",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "certificate-manager-denied-pending-certificate-request",
+ "category": [
+ "configuration"
+ ],
+ "code": "4868",
+ "created": "2022-11-28T05:34:28.806Z",
+ "kind": "event",
+ "type": [
+ "change"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "Server2",
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "name": "Server2",
+ "os": {
+ "build": "14393.693",
+ "family": "windows",
+ "kernel": "10.0.14393.693 (rs1_release.161220-1747)",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "platform": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "The certificate manager denied a pending certificate request.\n\t\nRequest ID:\t15",
+ "related": {
+ "user": [
+ "administrator"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "TEST1",
+ "id": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "name": "administrator"
+ },
+ "winlog": {
+ "activity_id": "{AE8DEF25-FE68-0000-4DEF-8DAE68FED801}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "RequestId": "15",
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x614a6",
+ "SubjectUserName": "administrator",
+ "SubjectUserSid": "S-1-5-21-1280187532-2219128962-763009249-500"
+ },
+ "event_id": "4868",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x614a6"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 644,
+ "thread": {
+ "id": 6680
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "6645197",
+ "task": "Certification Services"
+ }
+ }
+ ]
+}
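Review bot: The denied certificate request is pinned as `event.type: ["change"]` under `configuration`, which reads as a successful configuration change rather than a refusal; ECS defines `denied` as an `event.type` value, so `"type": ["denied"]` would let rules separate this from 4869's resubmission without parsing the message text. Whether that is the right call depends on the pipeline's mapping table, which is outside this hunk. Note also that `RequestId` survives only inside `winlog.event_data`; if correlating a request across 4868 and 4869 is a goal, a dedicated field would make that queryable without relying on the raw event_data keys.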
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4869.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4869.json
new file mode 100644
index 00000000000..780cfdec07d
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4869.json
@@ -0,0 +1,69 @@
+{
+ "events": [
+ {
+ "@timestamp": "2022-11-24T10:14:08.447Z",
+ "host": {
+ "os": {
+ "platform": "windows",
+ "version": "10.0",
+ "family": "windows",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "kernel": "10.0.14393.693 (rs1_release.161220-1747)",
+ "build": "14393.693"
+ },
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "hostname": "Server2",
+ "name": "Server2",
+ "architecture": "x86_64"
+ },
+ "agent": {
+ "type": "winlogbeat",
+ "ephemeral_id": "a1623ed9-bf19-4c82-93a1-8124108b43be",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1"
+ },
+ "winlog": {
+ "event_id": 4869,
+ "computer_name": "Server2.test1.local",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "channel": "Security",
+ "task": "Certification Services",
+ "activity_id": "{AE8DEF25-FE68-0000-4DEF-8DAE68FED801}",
+ "event_data": {
+ "SubjectUserSid": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "SubjectUserName": "administrator",
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x614a6",
+ "RequestId": "7"
+ },
+ "record_id": 4516620,
+ "api": "wineventlog",
+ "process": {
+ "pid": 644,
+ "thread": {
+ "id": 6864
+ }
+ },
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info"
+ },
+ "event": {
+ "created": "2022-11-24T10:14:10.266Z",
+ "kind": "event",
+ "code": 4869,
+ "action": "Certification Services"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Certificate Services received a resubmitted certificate request.\n\t\nRequest ID:\t7",
+ "ecs": {
+ "version": "1.0.1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4869.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4869.json-expected.json
new file mode 100644
index 00000000000..7141e9a06a8
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4869.json-expected.json
@@ -0,0 +1,91 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-11-24T10:14:08.447Z",
+ "agent": {
+ "ephemeral_id": "a1623ed9-bf19-4c82-93a1-8124108b43be",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "certificate-services-received-resubmitted-certificate-request",
+ "category": [
+ "configuration"
+ ],
+ "code": "4869",
+ "created": "2022-11-24T10:14:10.266Z",
+ "kind": "event",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "Server2",
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "name": "Server2",
+ "os": {
+ "build": "14393.693",
+ "family": "windows",
+ "kernel": "10.0.14393.693 (rs1_release.161220-1747)",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "platform": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Certificate Services received a resubmitted certificate request.\n\t\nRequest ID:\t7",
+ "related": {
+ "user": [
+ "administrator"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "TEST1",
+ "id": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "name": "administrator"
+ },
+ "winlog": {
+ "activity_id": "{AE8DEF25-FE68-0000-4DEF-8DAE68FED801}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "RequestId": "7",
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x614a6",
+ "SubjectUserName": "administrator",
+ "SubjectUserSid": "S-1-5-21-1280187532-2219128962-763009249-500"
+ },
+ "event_id": "4869",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x614a6"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 644,
+ "thread": {
+ "id": 6864
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "4516620",
+ "task": "Certification Services"
+ }
+ }
+ ]
+}
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4876.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4876.json
new file mode 100644
index 00000000000..4622ba8645c
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4876.json
@@ -0,0 +1,69 @@
+{
+ "events": [
+ {
+ "@timestamp": "2022-11-24T10:02:33.517Z",
+ "log": {
+ "level": "information"
+ },
+ "message": "Certificate Services backup started.\n\nBackup Type:\t1",
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "os": {
+ "version": "10.0",
+ "family": "windows",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "kernel": "10.0.14393.693 (rs1_release.161220-1747)",
+ "build": "14393.693",
+ "platform": "windows"
+ },
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "name": "Server2",
+ "hostname": "Server2",
+ "architecture": "x86_64"
+ },
+ "agent": {
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1",
+ "type": "winlogbeat",
+ "ephemeral_id": "a1623ed9-bf19-4c82-93a1-8124108b43be"
+ },
+ "winlog": {
+ "record_id": 4500283,
+ "event_id": 4876,
+ "opcode": "Info",
+ "process": {
+ "thread": {
+ "id": 5388
+ },
+ "pid": 644
+ },
+ "channel": "Security",
+ "task": "Certification Services",
+ "keywords": [
+ "Audit Success"
+ ],
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "api": "wineventlog",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "activity_id": "{AE8DEF25-FE68-0000-4DEF-8DAE68FED801}",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "SubjectUserSid": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "SubjectUserName": "administrator",
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x614a6",
+ "BackupType": "1"
+ }
+ },
+ "event": {
+ "created": "2022-11-24T10:02:33.979Z",
+ "kind": "event",
+ "code": 4876,
+ "action": "Certification Services"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4876.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4876.json-expected.json
new file mode 100644
index 00000000000..e01b00252b7
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4876.json-expected.json
@@ -0,0 +1,92 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-11-24T10:02:33.517Z",
+ "agent": {
+ "ephemeral_id": "a1623ed9-bf19-4c82-93a1-8124108b43be",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "certificate-services-backup-started",
+ "category": [
+ "session"
+ ],
+ "code": "4876",
+ "created": "2022-11-24T10:02:33.979Z",
+ "kind": "event",
+ "type": [
+ "start"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "Server2",
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "name": "Server2",
+ "os": {
+ "build": "14393.693",
+ "family": "windows",
+ "kernel": "10.0.14393.693 (rs1_release.161220-1747)",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "platform": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Certificate Services backup started.\n\nBackup Type:\t1",
+ "related": {
+ "user": [
+ "administrator"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "TEST1",
+ "id": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "name": "administrator"
+ },
+ "winlog": {
+ "activity_id": "{AE8DEF25-FE68-0000-4DEF-8DAE68FED801}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "BackupType": "1",
+ "BackupTypeDescription": "full backup",
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x614a6",
+ "SubjectUserName": "administrator",
+ "SubjectUserSid": "S-1-5-21-1280187532-2219128962-763009249-500"
+ },
+ "event_id": "4876",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x614a6"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 644,
+ "thread": {
+ "id": 5388
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "4500283",
+ "task": "Certification Services"
+ }
+ }
+ ]
+}
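Review bot: A Certificate Services backup is pinned as `event.category: ["session"]` with `event.type: ["start"]`, yet nothing in the event is a user session, and 4876 is an event defenders watch closely because a CA backup can include the CA's private key material. Filing it under `session` hides it from the `configuration`/`database`-oriented queries where someone hunting CA tampering would look; if this mirrors the pipeline's table, consider `"category": ["database"]` (or `["configuration"]`) while keeping `"type": ["start"]`. The derived `BackupTypeDescription: "full backup"` for `BackupType: "1"` is a useful enrichment; make sure any other type value the pipeline knows how to describe is also pinned by a fixture so the lookup cannot silently regress.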
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json-expected.json
index 4e9fd2a8a87..98bb2899b15 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json-expected.json
@@ -36,6 +36,9 @@
},
"level": "information"
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"winlog": {
"channel": "Security",
"computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json-expected.json
index c8b8037b945..0abce16b51b 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json-expected.json
@@ -46,6 +46,9 @@
"WIN-BVM4LI1L1Q6$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-18",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json-expected.json
index 7188853d927..ab9b6146e7f 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json-expected.json
@@ -44,6 +44,9 @@
"WIN-BVM4LI1L1Q6$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-18",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json-expected.json
index 70c828f5cd7..a6b09e9afc2 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json-expected.json
@@ -36,6 +36,9 @@
},
"level": "information"
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"winlog": {
"channel": "Security",
"computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json-expected.json
index c22d5f8da8d..1e3fa0ae109 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json-expected.json
@@ -27,6 +27,9 @@
"change"
]
},
+ "file": {
+ "path": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\RemoteAccess\\RemoteAccess.psd1"
+ },
"host": {
"name": "WIN-BVM4LI1L1Q6.TEST.local"
},
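Review bot: The expected document now carries `file.path` derived from the audited object name, but 4907 ("auditing settings on object were changed") is also raised for registry keys and other securable objects, not only files, and this hunk does not show whether the pipeline checks the object type before populating `file.path`. If it does not, a registry key name would land in `file.path` and skew file-based rules; gating on `winlog.event_data.ObjectType == 'File'` (and routing key objects to `registry.path`) would be safer. This fixture only covers the file case, so a non-file 4907 sample would pin the intended behaviour. The enclosing expected document starts and ends outside this hunk.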
@@ -46,6 +49,9 @@
"WIN-BVM4LI1L1Q6$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-18",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4931.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4931.json
new file mode 100644
index 00000000000..debd76a3db5
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4931.json
@@ -0,0 +1,59 @@
+{
+ "events": [
+ {
+ "@timestamp": "2023-01-09T10:56:50.033Z",
+ "message": "An Active Directory replica destination naming context was modified.\n\nDestination DRA:\t123abc-123-4d22-12ab-1039b87eb9a4._msdcs.test1.local\nSource DRA:\tCN=NTDS Settings,CN=SERVER2,CN=Servers,CN=city,CN=Sites,CN=Configuration,DC=test1,DC=local\nDestination Address:\t-\nNaming Context:\tDC=test,DC=test1,DC=local\nOptions:\t\t7\nStatus Code:\t0",
+ "winlog": {
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "channel": "Security",
+ "event_id": 4931,
+ "record_id": 650931669,
+ "computer_name": "Server2.test1.local",
+ "activity_id": "{6804F410-1AA6-0002-28F4-0468A61AD901}",
+ "process": {
+ "pid": 652,
+ "thread": {
+ "id": 6232
+ }
+ },
+ "api": "wineventlog",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "event_data": {
+ "DestinationDRA": "123abc-123-4d22-12ab-1039b87eb9a4._msdcs.test1.local",
+ "SourceDRA": "CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=city,CN=Sites,CN=Configuration,DC=test1,DC=local",
+ "SourceAddr": "-",
+ "NamingContext": "DC=test,DC=test1,DC=local",
+ "Options": "7",
+ "StatusCode": "0"
+ },
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "task": "Detailed Directory Service Replication"
+ },
+ "event": {
+ "created": "2023-01-09T10:56:51.941Z",
+ "kind": "event",
+ "code": 4931,
+ "action": "Detailed Directory Service Replication"
+ },
+ "log": {
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "agent": {
+ "version": "7.3.1",
+ "type": "winlogbeat",
+ "ephemeral_id": "7af11293-39b6-4555-82f1-2653ee510182",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4931.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4931.json-expected.json
new file mode 100644
index 00000000000..3fbb8c83578
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4931.json-expected.json
@@ -0,0 +1,67 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-01-09T10:56:50.033Z",
+ "agent": {
+ "ephemeral_id": "7af11293-39b6-4555-82f1-2653ee510182",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "active-directory-replica-destination-naming-context-modified",
+ "category": [
+ "configuration"
+ ],
+ "code": "4931",
+ "created": "2023-01-09T10:56:51.941Z",
+ "kind": "event",
+ "type": [
+ "change"
+ ]
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "An Active Directory replica destination naming context was modified.\n\nDestination DRA:\t123abc-123-4d22-12ab-1039b87eb9a4._msdcs.test1.local\nSource DRA:\tCN=NTDS Settings,CN=SERVER2,CN=Servers,CN=city,CN=Sites,CN=Configuration,DC=test1,DC=local\nDestination Address:\t-\nNaming Context:\tDC=test,DC=test1,DC=local\nOptions:\t\t7\nStatus Code:\t0",
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "winlog": {
+ "activity_id": "{6804F410-1AA6-0002-28F4-0468A61AD901}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "DestinationDRA": "123abc-123-4d22-12ab-1039b87eb9a4._msdcs.test1.local",
+ "NamingContext": "DC=test,DC=test1,DC=local",
+ "Options": 7,
+ "SourceDRA": "CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=city,CN=Sites,CN=Configuration,DC=test1,DC=local",
+ "StatusCode": 0
+ },
+ "event_id": "4931",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 652,
+ "thread": {
+ "id": 6232
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "650931669",
+ "task": "Detailed Directory Service Replication"
+ }
+ }
+ ]
+}
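Review bot: The categorization chosen for 4931 (`configuration`/`change`, L4300-L4309) differs from its siblings 4932 and 4933 in test-4932.json-expected.json and test-4933.json-expected.json (`iam`/`info`), although all three describe the same AD replication activity. If that is deliberate (4931 reports a modified naming context, the other two only bracket a sync) a one-line comment in the pipeline's event-id mapping would save the next reader the question; otherwise aligning them keeps detection rules that filter on event.category consistent across the family. No `event.outcome` is emitted here although winlog.keywords is `Audit Success`; if other events in this pipeline derive outcome from keywords, the new expectations should show it too. The mapping itself is not visible in this diff.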
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4932.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4932.json
new file mode 100644
index 00000000000..82fe234fd52
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4932.json
@@ -0,0 +1,59 @@
+{
+ "events": [
+ {
+ "@timestamp": "2023-01-09T11:29:56.577Z",
+ "agent": {
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1",
+ "type": "winlogbeat",
+ "ephemeral_id": "7af11293-39b6-4555-82f1-2653ee510182"
+ },
+ "winlog": {
+ "event_id": 4932,
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "opcode": "Info",
+ "event_data": {
+ "DestinationDRA": "CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=city,CN=Sites,CN=Configuration,DC=test1,DC=local",
+ "SourceDRA": "CN=NTDS Settings,CN=CLIENT3,CN=Servers,CN=city,CN=Sites,CN=Configuration,DC=test1,DC=local",
+ "NamingContext": "DC=test1,DC=local",
+ "Options": "19",
+ "SessionID": "0",
+ "StartUSN": "12838"
+ },
+ "process": {
+ "thread": {
+ "id": 7112
+ },
+ "pid": 652
+ },
+ "record_id": 651073392,
+ "activity_id": "{6804F410-1AA6-0002-28F4-0468A61AD901}",
+ "channel": "Security",
+ "task": "Directory Service Replication",
+ "api": "wineventlog",
+ "computer_name": "Server2.test1.local",
+ "keywords": [
+ "Audit Success"
+ ],
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}"
+ },
+ "event": {
+ "kind": "event",
+ "code": 4932,
+ "action": "Directory Service Replication",
+ "created": "2023-01-09T11:29:58.351Z"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Synchronization of a replica of an Active Directory naming context has begun.\n\nDestination DRA:\tCN=NTDS Settings,CN=SERVER2,CN=Servers,CN=city,CN=Sites,CN=Configuration,DC=test1,DC=local\nSource DRA:\tCN=NTDS Settings,CN=CLIENT3,CN=Servers,CN=city,CN=Sites,CN=Configuration,DC=test1,DC=local\nNaming Context:\tDC=test1,DC=local\nOptions:\t\t19\nSession ID:\t0\nStart USN:\tá¡¿",
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "name": "Server2"
+ }
+ }
+ ]
+}
\ No newline at end of file
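Review bot: The fixture contradicts itself: the message says `Start USN:\tá¡¿` (L4407) while event_data.StartUSN is `12838` (L4379), and the non-ASCII run looks like a mis-decoded number rather than captured data. The same garbled value is the only copy of EndUSN in test-4933.json, and the pattern recurs in test-4946.json (event_data.RuleName anonymized to `@{xyz}` while the message keeps the full resource name) and test-4953.json (message spells the rule id `WMPNetwordkSvc-2`, event_data has `WMPNetworkSvc-2`). The tests still pass because the parsed fields come from event_data, but anyone checking the pipeline against the rendered message will be misled. Either anonymize both copies the same way or leave both as captured, and replace the mojibake with a clearly synthetic numeric USN, e.g. `12839`, in both places.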
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4932.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4932.json-expected.json
new file mode 100644
index 00000000000..22c783dafb2
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4932.json-expected.json
@@ -0,0 +1,68 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-01-09T11:29:56.577Z",
+ "agent": {
+ "ephemeral_id": "7af11293-39b6-4555-82f1-2653ee510182",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "synchronization-of-replica-of-active-directory-naming-context-begun",
+ "category": [
+ "iam"
+ ],
+ "code": "4932",
+ "created": "2023-01-09T11:29:58.351Z",
+ "kind": "event",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Synchronization of a replica of an Active Directory naming context has begun.\n\nDestination DRA:\tCN=NTDS Settings,CN=SERVER2,CN=Servers,CN=city,CN=Sites,CN=Configuration,DC=test1,DC=local\nSource DRA:\tCN=NTDS Settings,CN=CLIENT3,CN=Servers,CN=city,CN=Sites,CN=Configuration,DC=test1,DC=local\nNaming Context:\tDC=test1,DC=local\nOptions:\t\t19\nSession ID:\t0\nStart USN:\tá¡¿",
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "winlog": {
+ "activity_id": "{6804F410-1AA6-0002-28F4-0468A61AD901}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "DestinationDRA": "CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=city,CN=Sites,CN=Configuration,DC=test1,DC=local",
+ "NamingContext": "DC=test1,DC=local",
+ "Options": 19,
+ "SessionID": "0",
+ "SourceDRA": "CN=NTDS Settings,CN=CLIENT3,CN=Servers,CN=city,CN=Sites,CN=Configuration,DC=test1,DC=local",
+ "StartUSN": 12838
+ },
+ "event_id": "4932",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 652,
+ "thread": {
+ "id": 7112
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "651073392",
+ "task": "Directory Service Replication"
+ }
+ }
+ ]
+}
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4933.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4933.json
new file mode 100644
index 00000000000..11ab01e84c8
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4933.json
@@ -0,0 +1,60 @@
+{
+ "events": [
+ {
+ "@timestamp": "2023-01-09T11:29:56.604Z",
+ "winlog": {
+ "task": "Directory Service Replication",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "process": {
+ "pid": 652,
+ "thread": {
+ "id": 7112
+ }
+ },
+ "event_data": {
+ "Options": "19",
+ "SessionID": "0",
+ "EndUSN": "á¡¿",
+ "StatusCode": "3145778",
+ "DestinationDRA": "CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=city,CN=Sites,CN=Configuration,DC=test1,DC=local",
+ "SourceDRA": "CN=NTDS Settings,CN=CLIENT3,CN=Servers,CN=city,CN=Sites,CN=Configuration,DC=test1,DC=local",
+ "NamingContext": "DC=test1,DC=local"
+ },
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "keywords": [
+ "Audit Success"
+ ],
+ "event_id": 4933,
+ "opcode": "Info",
+ "activity_id": "{6804F410-1AA6-0002-28F4-0468A61AD901}",
+ "channel": "Security",
+ "record_id": 651073396,
+ "api": "wineventlog",
+ "computer_name": "Server2.test1.local"
+ },
+ "event": {
+ "kind": "event",
+ "code": 4933,
+ "action": "Directory Service Replication",
+ "created": "2023-01-09T11:29:58.351Z"
+ },
+ "log": {
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "agent": {
+ "version": "7.3.1",
+ "type": "winlogbeat",
+ "ephemeral_id": "7af11293-39b6-4555-82f1-2653ee510182",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb"
+ },
+ "message": "Synchronization of a replica of an Active Directory naming context has ended.\n\nDestination DRA:\tCN=NTDS Settings,CN=SERVER2,CN=Servers,CN=city,CN=Sites,CN=Configuration,DC=test1,DC=local\nSource DRA:\tCN=NTDS Settings,CN=CLIENT3,CN=Servers,CN=city,CN=Sites,CN=Configuration,DC=test1,DC=local\nNaming Context:\tDC=test1,DC=local\nOptions:\t\t19\nSession ID:\t0\nEnd USN:\tá¡¿\nStatus Code:\t3145778"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4933.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4933.json-expected.json
new file mode 100644
index 00000000000..4a727a35c24
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4933.json-expected.json
@@ -0,0 +1,69 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-01-09T11:29:56.604Z",
+ "agent": {
+ "ephemeral_id": "7af11293-39b6-4555-82f1-2653ee510182",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "synchronization-of-replica-of-active-directory-naming-context-ended",
+ "category": [
+ "iam"
+ ],
+ "code": "4933",
+ "created": "2023-01-09T11:29:58.351Z",
+ "kind": "event",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Synchronization of a replica of an Active Directory naming context has ended.\n\nDestination DRA:\tCN=NTDS Settings,CN=SERVER2,CN=Servers,CN=city,CN=Sites,CN=Configuration,DC=test1,DC=local\nSource DRA:\tCN=NTDS Settings,CN=CLIENT3,CN=Servers,CN=city,CN=Sites,CN=Configuration,DC=test1,DC=local\nNaming Context:\tDC=test1,DC=local\nOptions:\t\t19\nSession ID:\t0\nEnd USN:\tá¡¿\nStatus Code:\t3145778",
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "winlog": {
+ "activity_id": "{6804F410-1AA6-0002-28F4-0468A61AD901}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "DestinationDRA": "CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=city,CN=Sites,CN=Configuration,DC=test1,DC=local",
+ "EndUSN": "á¡¿",
+ "NamingContext": "DC=test1,DC=local",
+ "Options": 19,
+ "SessionID": "0",
+ "SourceDRA": "CN=NTDS Settings,CN=CLIENT3,CN=Servers,CN=city,CN=Sites,CN=Configuration,DC=test1,DC=local",
+ "StatusCode": 3145778
+ },
+ "event_id": "4933",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 652,
+ "thread": {
+ "id": 7112
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "651073396",
+ "task": "Directory Service Replication"
+ }
+ }
+ ]
+}
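Review bot: `EndUSN` stays the string `á¡¿` (L4608) while `Options` and `StatusCode` are converted to integers, so this expectation silently depends on the pipeline tolerating a non-numeric USN, presumably through ignore_failure or an on_failure handler on the convert step. That tolerance is worth testing, but here it is exercised by accident through garbled fixture data and would vanish the moment someone "fixes" the sample. A fixture explicitly named for the non-numeric case, alongside a numeric one for the happy path, makes the intent obvious and keeps the regression check. The convert configuration itself is not visible in this diff.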
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4945.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4945.json
new file mode 100644
index 00000000000..84ab6c5d99e
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4945.json
@@ -0,0 +1,67 @@
+{
+ "events": [
+ {
+ "@timestamp": "2022-11-30T12:20:19.209Z",
+ "agent": {
+ "type": "winlogbeat",
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A rule was listed when the Windows Firewall started.\n\t\nProfile used:\tPublic\n\nRule:\n\tRule ID:\tKDSSVC-RPCSS-In-TCP\n\tRule Name:\tMicrosoft Key Distribution Service",
+ "winlog": {
+ "activity_id": "{D5C4EEEF-03EC-0001-01EF-C4D5EC03D901}",
+ "process": {
+ "pid": 648,
+ "thread": {
+ "id": 952
+ }
+ },
+ "channel": "Security",
+ "event_id": 4945,
+ "computer_name": "Server2.test1.local",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "task": "MPSSVC Rule-Level Policy Change",
+ "api": "wineventlog",
+ "record_id": 42091336,
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "event_data": {
+ "ProfileUsed": "Public",
+ "RuleId": "KDSSVC-RPCSS-In-TCP",
+ "RuleName": "Microsoft Key Distribution Service"
+ }
+ },
+ "event": {
+ "code": 4945,
+ "action": "MPSSVC Rule-Level Policy Change",
+ "created": "2022-11-30T12:20:51.328Z",
+ "kind": "event"
+ },
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "architecture": "x86_64",
+ "os": {
+ "name": "Windows Server 2016 Standard Evaluation",
+ "kernel": "1Kernel",
+ "build": "14393.693",
+ "platform": "windows",
+ "version": "10.0",
+ "family": "windows"
+ },
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "name": "Server2",
+ "hostname": "Server2"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4945.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4945.json-expected.json
new file mode 100644
index 00000000000..e06c72fd59d
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4945.json-expected.json
@@ -0,0 +1,80 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-11-30T12:20:19.209Z",
+ "agent": {
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "rule-listed-when-windows-firewall-started",
+ "category": [
+ "configuration"
+ ],
+ "code": "4945",
+ "created": "2022-11-30T12:20:51.328Z",
+ "kind": "event",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "Server2",
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "name": "Server2",
+ "os": {
+ "build": "14393.693",
+ "family": "windows",
+ "kernel": "1Kernel",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "platform": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A rule was listed when the Windows Firewall started.\n\t\nProfile used:\tPublic\n\nRule:\n\tRule ID:\tKDSSVC-RPCSS-In-TCP\n\tRule Name:\tMicrosoft Key Distribution Service",
+ "rule": {
+ "id": "KDSSVC-RPCSS-In-TCP",
+ "name": "Microsoft Key Distribution Service"
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "winlog": {
+ "activity_id": "{D5C4EEEF-03EC-0001-01EF-C4D5EC03D901}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "ProfileUsed": "Public",
+ "RuleId": "KDSSVC-RPCSS-In-TCP",
+ "RuleName": "Microsoft Key Distribution Service"
+ },
+ "event_id": "4945",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 648,
+ "thread": {
+ "id": 952
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "42091336",
+ "task": "MPSSVC Rule-Level Policy Change"
+ }
+ }
+ ]
+}
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4946.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4946.json
new file mode 100644
index 00000000000..d37e0561817
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4946.json
@@ -0,0 +1,56 @@
+{
+ "events": [
+ {
+ "@timestamp": "2022-12-23T09:10:15.806Z",
+ "winlog": {
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "channel": "Security",
+ "event_id": 4946,
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "task": "MPSSVC Rule-Level Policy Change",
+ "computer_name": "Server2.test1.local",
+ "keywords": [
+ "Audit Success"
+ ],
+ "api": "wineventlog",
+ "process": {
+ "pid": 644,
+ "thread": {
+ "id": 7740
+ }
+ },
+ "activity_id": "{693CCF6C-095B-0000-8DCF-3C695B09D901}",
+ "event_data": {
+ "RuleId": "{3F10XXX1-200X-4FB5-0000-121XX2X1473X}",
+ "RuleName": "@{xyz}",
+ "ProfileChanged": "Domain,Private,Public"
+ },
+ "record_id": 569962129
+ },
+ "event": {
+ "code": 4946,
+ "action": "MPSSVC Rule-Level Policy Change",
+ "created": "2022-12-23T09:10:16.682Z",
+ "kind": "event"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A change was made to the Windows Firewall exception list. A rule was added.\n\t\nProfile Changed:\tDomain,Private,Public\n\nAdded Rule:\n\tRule ID:\t{3F10XXX1-200X-4FB5-0000-121XX2X1473X}\n\tRule Name:\t@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}",
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "agent": {
+ "type": "winlogbeat",
+ "ephemeral_id": "a41cb01e-d7c9-49e3-a7a9-12e6903edc17",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4946.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4946.json-expected.json
new file mode 100644
index 00000000000..a6624ac9f84
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4946.json-expected.json
@@ -0,0 +1,69 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-12-23T09:10:15.806Z",
+ "agent": {
+ "ephemeral_id": "a41cb01e-d7c9-49e3-a7a9-12e6903edc17",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "added-rule-to-windows-firewall-exception-list",
+ "category": [
+ "configuration"
+ ],
+ "code": "4946",
+ "created": "2022-12-23T09:10:16.682Z",
+ "kind": "event",
+ "type": [
+ "creation"
+ ]
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A change was made to the Windows Firewall exception list. A rule was added.\n\t\nProfile Changed:\tDomain,Private,Public\n\nAdded Rule:\n\tRule ID:\t{3F10XXX1-200X-4FB5-0000-121XX2X1473X}\n\tRule Name:\t@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}",
+ "rule": {
+ "id": "{3F10XXX1-200X-4FB5-0000-121XX2X1473X}",
+ "name": "@{xyz}"
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "winlog": {
+ "activity_id": "{693CCF6C-095B-0000-8DCF-3C695B09D901}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "ProfileChanged": "Domain,Private,Public",
+ "RuleId": "{3F10XXX1-200X-4FB5-0000-121XX2X1473X}",
+ "RuleName": "@{xyz}"
+ },
+ "event_id": "4946",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 644,
+ "thread": {
+ "id": 7740
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "569962129",
+ "task": "MPSSVC Rule-Level Policy Change"
+ }
+ }
+ ]
+}
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4948.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4948.json
new file mode 100644
index 00000000000..671d343415d
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4948.json
@@ -0,0 +1,67 @@
+{
+ "events": [
+ {
+ "@timestamp": "2022-12-01T08:47:57.585Z",
+ "winlog": {
+ "channel": "Security",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "api": "wineventlog",
+ "keywords": [
+ "Audit Success"
+ ],
+ "event_data": {
+ "ProfileChanged": "All",
+ "RuleId": "{3F10XXX1-200X-4FB5-0000-121XX2X1473X}",
+ "RuleName": "Usermode Font Driver Host"
+ },
+ "opcode": "Info",
+ "event_id": 4948,
+ "record_id": 59603806,
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "activity_id": "{D5C4EEEF-03EC-0001-01EF-C4D5EC03D901}",
+ "process": {
+ "pid": 648,
+ "thread": {
+ "id": 3276
+ }
+ },
+ "task": "MPSSVC Rule-Level Policy Change",
+ "computer_name": "Server2.test1.local"
+ },
+ "event": {
+ "code": 4948,
+ "action": "MPSSVC Rule-Level Policy Change",
+ "created": "2022-12-01T08:48:19.715Z",
+ "kind": "event"
+ },
+ "log": {
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "os": {
+ "family": "windows",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "kernel": "1Kernel",
+ "build": "14393.693",
+ "platform": "windows",
+ "version": "10.0"
+ },
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "name": "Server2",
+ "hostname": "Server2",
+ "architecture": "x86_64"
+ },
+ "agent": {
+ "type": "winlogbeat",
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1"
+ },
+ "message": "A change was made to the Windows Firewall exception list. A rule was deleted.\n\t\nProfile Changed:\tAll\n\nDeleted Rule:\n\tRule ID:\t{3F10XXX1-200X-4FB5-0000-121XX2X1473X}\n\tRule Name:\tUsermode Font Driver Host"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4948.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4948.json-expected.json
new file mode 100644
index 00000000000..86cd47dd38f
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4948.json-expected.json
@@ -0,0 +1,80 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-12-01T08:47:57.585Z",
+ "agent": {
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "deleted-rule-from-windows-firewall-exception-list",
+ "category": [
+ "configuration"
+ ],
+ "code": "4948",
+ "created": "2022-12-01T08:48:19.715Z",
+ "kind": "event",
+ "type": [
+ "deletion"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "Server2",
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "name": "Server2",
+ "os": {
+ "build": "14393.693",
+ "family": "windows",
+ "kernel": "1Kernel",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "platform": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A change was made to the Windows Firewall exception list. A rule was deleted.\n\t\nProfile Changed:\tAll\n\nDeleted Rule:\n\tRule ID:\t{3F10XXX1-200X-4FB5-0000-121XX2X1473X}\n\tRule Name:\tUsermode Font Driver Host",
+ "rule": {
+ "id": "{3F10XXX1-200X-4FB5-0000-121XX2X1473X}",
+ "name": "Usermode Font Driver Host"
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "winlog": {
+ "activity_id": "{D5C4EEEF-03EC-0001-01EF-C4D5EC03D901}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "ProfileChanged": "All",
+ "RuleId": "{3F10XXX1-200X-4FB5-0000-121XX2X1473X}",
+ "RuleName": "Usermode Font Driver Host"
+ },
+ "event_id": "4948",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 648,
+ "thread": {
+ "id": 3276
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "59603806",
+ "task": "MPSSVC Rule-Level Policy Change"
+ }
+ }
+ ]
+}
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4953.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4953.json
new file mode 100644
index 00000000000..a15b291e277
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4953.json
@@ -0,0 +1,61 @@
+{
+ "events": [
+ {
+ "@timestamp": "2025-04-22T10:53:25.282Z",
+ "winlog": {
+ "event_data": {
+ "ReasonForRejection": "An error occurred.",
+ "RuleId": "WMPNetworkSvc-2",
+ "RuleName": "-",
+ "Profile": "All"
+ },
+ "activity_id": "{B32FCB94-B374-0000-2BCC-2FB374B3DB01}",
+ "task": "MPSSVC Rule-Level Policy Change",
+ "channel": "Security",
+ "process": {
+ "pid": 808,
+ "thread": {
+ "id": 2416
+ }
+ },
+ "record_id": 141730,
+ "event_id": "4953",
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "computer_name": "Host.admin.local",
+ "keywords": [
+ "Audit Failure"
+ ]
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Windows Firewall ignored a rule because it could not be parsed.\n\t\nProfile:\tAll\n\nReason for Rejection:\tAn error occurred.\n\nRule:\n\tID:\tWMPNetwordkSvc-2\n\tName:\t-",
+ "agent": {
+ "ephemeral_id": "54c21293-ed63-4744-b5e8-70189cff3838",
+ "id": "f3b57041-8be5-40bd-864d-2b2ffcdce741",
+ "name": "Host",
+ "type": "filebeat",
+ "version": "9.1.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "code": "4953",
+ "kind": "event",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "failure",
+ "action": "MPSSVC Rule-Level Policy Change",
+ "created": "2025-04-29T05:18:09.559Z"
+ },
+ "host": {
+ "name": "Host.admin.local"
+ },
+ "input": {
+ "type": "winlog"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4953.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4953.json-expected.json
new file mode 100644
index 00000000000..65c811b4d97
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4953.json-expected.json
@@ -0,0 +1,72 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2025-04-22T10:53:25.282Z",
+ "agent": {
+ "ephemeral_id": "54c21293-ed63-4744-b5e8-70189cff3838",
+ "id": "f3b57041-8be5-40bd-864d-2b2ffcdce741",
+ "name": "Host",
+ "type": "filebeat",
+ "version": "9.1.0"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "ignored-rule-by-windows-firewall-because-it-could-not-parse-rule",
+ "category": [
+ "configuration"
+ ],
+ "code": "4953",
+ "created": "2025-04-29T05:18:09.559Z",
+ "kind": "event",
+ "outcome": "failure",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "Host.admin.local"
+ },
+ "input": {
+ "type": "winlog"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Windows Firewall ignored a rule because it could not be parsed.\n\t\nProfile:\tAll\n\nReason for Rejection:\tAn error occurred.\n\nRule:\n\tID:\tWMPNetwordkSvc-2\n\tName:\t-",
+ "rule": {
+ "id": "WMPNetworkSvc-2"
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "winlog": {
+ "activity_id": "{B32FCB94-B374-0000-2BCC-2FB374B3DB01}",
+ "channel": "Security",
+ "computer_name": "Host.admin.local",
+ "event_data": {
+ "Profile": "All",
+ "ReasonForRejection": "An error occurred.",
+ "RuleId": "WMPNetworkSvc-2"
+ },
+ "event_id": "4953",
+ "keywords": [
+ "Audit Failure"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 808,
+ "thread": {
+ "id": 2416
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "141730",
+ "task": "MPSSVC Rule-Level Policy Change"
+ }
+ }
+ ]
+}
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4957.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4957.json
new file mode 100644
index 00000000000..2559113e4f7
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4957.json
@@ -0,0 +1,60 @@
+{
+ "events": [
+ {
+ "@timestamp": "2025-04-22T10:53:25.674Z",
+ "log": {
+ "level": "information"
+ },
+ "input": {
+ "type": "winlog"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "agent": {
+ "ephemeral_id": "995b15fd-1174-492a-81fe-3425ef503124",
+ "id": "f093effa-9c17-4e29-bff4-cfa87e1bf4ae",
+ "name": "Host",
+ "type": "filebeat",
+ "version": "9.1.0"
+ },
+ "message": "Windows Firewall did not apply the following rule:\n\nRule Information:\n\tID:\tPrivateNetwork Inbound Default Rule\n\tName:\tPrivateNetwork Inbound Default Rule\n\nError Information:\n\tReason:\tRemote Addresses resolved to an empty set.",
+ "host": {
+ "name": "Host.admin.local"
+ },
+ "winlog": {
+ "event_data": {
+ "RuleId": "PrivateNetwork Inbound Default Rule",
+ "RuleName": "PrivateNetwork Inbound Default Rule",
+ "RuleAttr": "Remote Addresses"
+ },
+ "record_id": 141735,
+ "channel": "Security",
+ "event_id": "4957",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "computer_name": "Host.admin.local",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "activity_id": "{B32FCB94-B374-0000-2BCC-2FB374B3DB01}",
+ "keywords": [
+ "Audit Failure"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 808,
+ "thread": {
+ "id": 2416
+ }
+ },
+ "task": "MPSSVC Rule-Level Policy Change"
+ },
+ "event": {
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "failure",
+ "action": "MPSSVC Rule-Level Policy Change",
+ "created": "2025-04-29T05:07:12.956Z",
+ "code": "4957",
+ "kind": "event"
+ }
+ }
+ ]
+ }
\ No newline at end of file
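Review bot: The top-level closing brace at L5303 is indented one level (` }`) whereas every other new fixture in this change closes with `}` at column 0. It is harmless to the JSON parser, but it will be the one file a formatter pass rewrites; `}` at column 0 matches the rest. The missing trailing newline is shared by all the new input fixtures, so that one is a project-wide choice rather than a defect here.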
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4957.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4957.json-expected.json
new file mode 100644
index 00000000000..d4acfcff86a
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4957.json-expected.json
@@ -0,0 +1,73 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2025-04-22T10:53:25.674Z",
+ "agent": {
+ "ephemeral_id": "995b15fd-1174-492a-81fe-3425ef503124",
+ "id": "f093effa-9c17-4e29-bff4-cfa87e1bf4ae",
+ "name": "Host",
+ "type": "filebeat",
+ "version": "9.1.0"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "windows-firewall-did-not-apply-following-rule",
+ "category": [
+ "configuration"
+ ],
+ "code": "4957",
+ "created": "2025-04-29T05:07:12.956Z",
+ "kind": "event",
+ "outcome": "failure",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "Host.admin.local"
+ },
+ "input": {
+ "type": "winlog"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Windows Firewall did not apply the following rule:\n\nRule Information:\n\tID:\tPrivateNetwork Inbound Default Rule\n\tName:\tPrivateNetwork Inbound Default Rule\n\nError Information:\n\tReason:\tRemote Addresses resolved to an empty set.",
+ "rule": {
+ "id": "PrivateNetwork Inbound Default Rule",
+ "name": "PrivateNetwork Inbound Default Rule"
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "winlog": {
+ "activity_id": "{B32FCB94-B374-0000-2BCC-2FB374B3DB01}",
+ "channel": "Security",
+ "computer_name": "Host.admin.local",
+ "event_data": {
+ "RuleAttr": "Remote Addresses",
+ "RuleId": "PrivateNetwork Inbound Default Rule",
+ "RuleName": "PrivateNetwork Inbound Default Rule"
+ },
+ "event_id": "4957",
+ "keywords": [
+ "Audit Failure"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 808,
+ "thread": {
+ "id": 2416
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "141735",
+ "task": "MPSSVC Rule-Level Policy Change"
+ }
+ }
+ ]
+}
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4962.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4962.json
new file mode 100644
index 00000000000..0f0069cce85
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4962.json
@@ -0,0 +1,58 @@
+{
+ "events": [
+ {
+ "@timestamp": "2025-04-22T10:53:25.282Z",
+ "winlog": {
+ "event_data": {
+ "RemoteAddress": "1.128.0.0",
+ "SPI": "12345678"
+ },
+ "task": "12291",
+ "channel": "Security",
+ "process": {
+ "pid": 808,
+ "thread": {
+ "id": 2416
+ }
+ },
+ "record_id": 141730,
+ "event_id": "4962",
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "computer_name": "WIN2K19-0-0-00.admin.local",
+ "keywords": [
+ "Audit Failure"
+ ]
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.\n\t\nProfile:\tAll\n\nReason for Rejection:\tAn error occurred.\n\nRule:\n\tID:\tWMPNetworkSvc-2\n\tName:\t-",
+ "agent": {
+ "ephemeral_id": "54c21293-ed63-4744-b5e8-70189cff3838",
+ "id": "f3b57041-8be5-40bd-864d-2b2ffcdce741",
+ "name": "WIN2K19-0-0-00",
+ "type": "filebeat",
+ "version": "9.1.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "code": "4962",
+ "kind": "event",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "failure",
+ "action": "MPSSVC Rule-Level Policy Change",
+ "created": "2025-04-29T05:18:09.559Z"
+ },
+ "host": {
+ "name": "WIN2K19-0-0-00.admin.local"
+ },
+ "input": {
+ "type": "winlog"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4962.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4962.json-expected.json
new file mode 100644
index 00000000000..644751b3591
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4962.json-expected.json
@@ -0,0 +1,82 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2025-04-22T10:53:25.282Z",
+ "agent": {
+ "ephemeral_id": "54c21293-ed63-4744-b5e8-70189cff3838",
+ "id": "f3b57041-8be5-40bd-864d-2b2ffcdce741",
+ "name": "WIN2K19-0-0-00",
+ "type": "filebeat",
+ "version": "9.1.0"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "ipsec-dropped-inbound-packet-that-failed-replay-check",
+ "category": [
+ "network"
+ ],
+ "code": "4962",
+ "created": "2025-04-29T05:18:09.559Z",
+ "kind": "event",
+ "outcome": "failure",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "end"
+ ]
+ },
+ "host": {
+ "name": "WIN2K19-0-0-00.admin.local"
+ },
+ "input": {
+ "type": "winlog"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.\n\t\nProfile:\tAll\n\nReason for Rejection:\tAn error occurred.\n\nRule:\n\tID:\tWMPNetworkSvc-2\n\tName:\t-",
+ "related": {
+ "ip": [
+ "1.128.0.0"
+ ]
+ },
+ "source": {
+ "address": "1.128.0.0",
+ "as": {
+ "number": 1221,
+ "organization": {
+ "name": "Telstra Pty Ltd"
+ }
+ },
+ "ip": "1.128.0.0"
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "WIN2K19-0-0-00.admin.local",
+ "event_data": {
+ "RemoteAddress_ip": "1.128.0.0",
+ "SPI": "12345678"
+ },
+ "event_id": "4962",
+ "keywords": [
+ "Audit Failure"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 808,
+ "thread": {
+ "id": 2416
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "141730",
+ "task": "12291"
+ }
+ }
+ ]
+}
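Review bot: event.type is pinned to `end` on L5480 for an inbound packet that IPsec dropped after a failed replay check, which mis-describes the event for anyone filtering on ECS types: a rejected packet is a denial, not the end of a connection, so `denied` seems the better fit under the `network` category that L5472 keeps. The same `end` value appears in the 4963 and 4965 expected files. The mapping itself lives in the pipeline, outside this hunk, so these fixtures only need updating once that is changed, but as written they lock in a value detection content is unlikely to look for.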
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4963.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4963.json
new file mode 100644
index 00000000000..f45ade47814
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4963.json
@@ -0,0 +1,58 @@
+{
+ "events": [
+ {
+ "@timestamp": "2025-04-22T10:53:25.282Z",
+ "winlog": {
+ "event_data": {
+ "RemoteAddress": "1.128.0.0",
+ "SPI": "12345678"
+ },
+ "task": "12291",
+ "channel": "Security",
+ "process": {
+ "pid": 808,
+ "thread": {
+ "id": 2416
+ }
+ },
+ "record_id": 141730,
+ "event_id": "4963",
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "computer_name": "WIN2K19-0-0-00.admin.local",
+ "keywords": [
+ "Audit Failure"
+ ]
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Windows Firewall ignored a rule because it could not be parsed.\n\t\nProfile:\tAll\n\nReason for Rejection:\tAn error occurred.\n\nRule:\n\tID:\tWMPNetworkSvc-2\n\tName:\t-",
+ "agent": {
+ "ephemeral_id": "54c21293-ed63-4744-b5e8-70189cff3838",
+ "id": "f3b57041-8be5-40bd-864d-2b2ffcdce741",
+ "name": "WIN2K19-0-0-00",
+ "type": "filebeat",
+ "version": "9.1.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "code": "4963",
+ "kind": "event",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "failure",
+ "action": "MPSSVC Rule-Level Policy Change",
+ "created": "2025-04-29T05:18:09.559Z"
+ },
+ "host": {
+ "name": "WIN2K19-0-0-00.admin.local"
+ },
+ "input": {
+ "type": "winlog"
+ }
+ }
+ ]
+}
\ No newline at end of file
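Review bot: The message on L5573 (`Windows Firewall ignored a rule because it could not be parsed.`) does not describe event 4963, whose expected event.action in the companion expected file is the IPsec clear-text drop, and this record shares record_id 141730, timestamp and event_data with the 4962 and 4965 samples, so it appears to have been derived by editing event_id on one captured event. The pipeline keys on event_id, so the test still passes, but the fixture does not represent a real 4963 record and is misleading as a reference. Replace the message with text consistent with the event, or at least give each of the three samples its own record_id so they are not three copies of one event.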
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4963.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4963.json-expected.json
new file mode 100644
index 00000000000..f06562059e2
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4963.json-expected.json
@@ -0,0 +1,82 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2025-04-22T10:53:25.282Z",
+ "agent": {
+ "ephemeral_id": "54c21293-ed63-4744-b5e8-70189cff3838",
+ "id": "f3b57041-8be5-40bd-864d-2b2ffcdce741",
+ "name": "WIN2K19-0-0-00",
+ "type": "filebeat",
+ "version": "9.1.0"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "ipsec-dropped-inbound-clear-text-packet-that-should-have-been-secured",
+ "category": [
+ "network"
+ ],
+ "code": "4963",
+ "created": "2025-04-29T05:18:09.559Z",
+ "kind": "event",
+ "outcome": "failure",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "end"
+ ]
+ },
+ "host": {
+ "name": "WIN2K19-0-0-00.admin.local"
+ },
+ "input": {
+ "type": "winlog"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Windows Firewall ignored a rule because it could not be parsed.\n\t\nProfile:\tAll\n\nReason for Rejection:\tAn error occurred.\n\nRule:\n\tID:\tWMPNetworkSvc-2\n\tName:\t-",
+ "related": {
+ "ip": [
+ "1.128.0.0"
+ ]
+ },
+ "source": {
+ "address": "1.128.0.0",
+ "as": {
+ "number": 1221,
+ "organization": {
+ "name": "Telstra Pty Ltd"
+ }
+ },
+ "ip": "1.128.0.0"
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "WIN2K19-0-0-00.admin.local",
+ "event_data": {
+ "RemoteAddress_ip": "1.128.0.0",
+ "SPI": "12345678"
+ },
+ "event_id": "4963",
+ "keywords": [
+ "Audit Failure"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 808,
+ "thread": {
+ "id": 2416
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "141730",
+ "task": "12291"
+ }
+ }
+ ]
+}
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4965.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4965.json
new file mode 100644
index 00000000000..61ca00cfb2e
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4965.json
@@ -0,0 +1,58 @@
+{
+ "events": [
+ {
+ "@timestamp": "2025-04-22T10:53:25.282Z",
+ "winlog": {
+ "event_data": {
+ "RemoteAddress": "1.128.0.0",
+ "SPI": "12345678"
+ },
+ "task": "12291",
+ "channel": "Security",
+ "process": {
+ "pid": 808,
+ "thread": {
+ "id": 2416
+ }
+ },
+ "record_id": 141730,
+ "event_id": "4965",
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "computer_name": "WIN2K19-0-0-00.admin.local",
+ "keywords": [
+ "Audit Failure"
+ ]
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.\n\t\nProfile:\tAll\n\nReason for Rejection:\tAn error occurred.\n\nRule:\n\tID:\tWMPNetworkSvc-2\n\tName:\t-",
+ "agent": {
+ "ephemeral_id": "54c21293-ed63-4744-b5e8-70189cff3838",
+ "id": "f3b57041-8be5-40bd-864d-2b2ffcdce741",
+ "name": "WIN2K19-0-0-00",
+ "type": "filebeat",
+ "version": "9.1.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "code": "4965",
+ "kind": "event",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "failure",
+ "action": "MPSSVC Rule-Level Policy Change",
+ "created": "2025-04-29T05:18:09.559Z"
+ },
+ "host": {
+ "name": "WIN2K19-0-0-00.admin.local"
+ },
+ "input": {
+ "type": "winlog"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4965.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4965.json-expected.json
new file mode 100644
index 00000000000..9df91ece8c2
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4965.json-expected.json
@@ -0,0 +1,82 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2025-04-22T10:53:25.282Z",
+ "agent": {
+ "ephemeral_id": "54c21293-ed63-4744-b5e8-70189cff3838",
+ "id": "f3b57041-8be5-40bd-864d-2b2ffcdce741",
+ "name": "WIN2K19-0-0-00",
+ "type": "filebeat",
+ "version": "9.1.0"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "ipsec-received-packet-from-remote-computer-wth-incorrect-spi",
+ "category": [
+ "network"
+ ],
+ "code": "4965",
+ "created": "2025-04-29T05:18:09.559Z",
+ "kind": "event",
+ "outcome": "failure",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "end"
+ ]
+ },
+ "host": {
+ "name": "WIN2K19-0-0-00.admin.local"
+ },
+ "input": {
+ "type": "winlog"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.\n\t\nProfile:\tAll\n\nReason for Rejection:\tAn error occurred.\n\nRule:\n\tID:\tWMPNetworkSvc-2\n\tName:\t-",
+ "related": {
+ "ip": [
+ "1.128.0.0"
+ ]
+ },
+ "source": {
+ "address": "1.128.0.0",
+ "as": {
+ "number": 1221,
+ "organization": {
+ "name": "Telstra Pty Ltd"
+ }
+ },
+ "ip": "1.128.0.0"
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "WIN2K19-0-0-00.admin.local",
+ "event_data": {
+ "RemoteAddress_ip": "1.128.0.0",
+ "SPI": "12345678"
+ },
+ "event_id": "4965",
+ "keywords": [
+ "Audit Failure"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 808,
+ "thread": {
+ "id": 2416
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "141730",
+ "task": "12291"
+ }
+ }
+ ]
+}
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4985.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4985.json
new file mode 100644
index 00000000000..5d3e0b6437e
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4985.json
@@ -0,0 +1,65 @@
+{
+ "events": [
+ {
+ "@timestamp": "2025-04-24T10:22:57.563Z",
+ "log": {
+ "level": "information"
+ },
+ "host": {
+ "name": "Host.admin.local"
+ },
+ "event": {
+ "action": "File System",
+ "created": "2025-04-25T12:22:17.555Z",
+ "code": "4985",
+ "kind": "event",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "message": "The state of a transaction has changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2746543596-3928915710-1011198476-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tADMIN0\n\tLogon ID:\t\t0x127i9236\n\nTransaction Information:\n\tRM Transaction ID:\t{21111247-1F67-11F0-83F3-005056831826}\n\tNew State:\t\t48\n\tResource Manager:\t{D8142110-8367-11EB-AEB0-AE30390335D2}\n\nProcess Information:\n\tProcess ID:\t\t0x1f38\n\tProcess Name:\t\tC:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
+ "winlog": {
+ "computer_name": "Host.admin.local",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "event_data": {
+ "NewState": "48",
+ "ResourceManager": "{D8142110-8367-11EB-AEB0-AE30390335D2}",
+ "ProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
+ "SubjectUserSid": "S-1-5-21-2746543596-3928915710-1011198476-500",
+ "SubjectUserName": "Administrator",
+ "TransactionId": "{F1111247-1F67-11F0-83F3-005056831826}",
+ "ProcessId": "0x1f38",
+ "SubjectLogonId": "0x1279236",
+ "SubjectDomainName": "ADMIN0"
+ },
+ "event_id": "4985",
+ "task": "File System",
+ "channel": "Security",
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 468
+ }
+ },
+ "record_id": 161329,
+ "keywords": [
+ "Audit Success"
+ ]
+ },
+ "input": {
+ "type": "winlog"
+ },
+ "agent": {
+ "name": "Host",
+ "type": "filebeat",
+ "version": "9.1.0",
+ "ephemeral_id": "f0ee0150-282d-4b89-bbcd-175a15ccff4d",
+ "id": "4799e1eb-3416-4bfb-ab51-cdb2fca3fdc6"
+ }
+ }
+ ]
+}
\ No newline at end of file
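Review bot: The anonymized message on L5870 disagrees with the structured fields it is supposed to mirror: it shows `Logon ID: 0x127i9236` and `RM Transaction ID: {21111247-...}`, while event_data has `"SubjectLogonId": "0x1279236"` (L5882) and `"TransactionId": "{F1111247-...}"` (L5880). The pipeline reads event_data, so the test outcome is unaffected, but the stray `i` looks like a typo introduced while scrubbing, and a sample whose message and event_data do not agree cannot be used to check message/field consistency. Aligning the two strings in the message with the event_data values would keep the fixture coherent.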
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4985.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4985.json-expected.json
new file mode 100644
index 00000000000..68c9006633a
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4985.json-expected.json
@@ -0,0 +1,90 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2025-04-24T10:22:57.563Z",
+ "agent": {
+ "ephemeral_id": "f0ee0150-282d-4b89-bbcd-175a15ccff4d",
+ "id": "4799e1eb-3416-4bfb-ab51-cdb2fca3fdc6",
+ "name": "Host",
+ "type": "filebeat",
+ "version": "9.1.0"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "state-of-transaction-has-changed",
+ "category": [
+ "configuration"
+ ],
+ "code": "4985",
+ "created": "2025-04-25T12:22:17.555Z",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "change"
+ ]
+ },
+ "host": {
+ "name": "Host.admin.local"
+ },
+ "input": {
+ "type": "winlog"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "The state of a transaction has changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2746543596-3928915710-1011198476-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tADMIN0\n\tLogon ID:\t\t0x127i9236\n\nTransaction Information:\n\tRM Transaction ID:\t{21111247-1F67-11F0-83F3-005056831826}\n\tNew State:\t\t48\n\tResource Manager:\t{D8142110-8367-11EB-AEB0-AE30390335D2}\n\nProcess Information:\n\tProcess ID:\t\t0x1f38\n\tProcess Name:\t\tC:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
+ "process": {
+ "executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
+ "name": "WmiPrvSE.exe",
+ "pid": 7992
+ },
+ "related": {
+ "user": [
+ "Administrator"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "ADMIN0",
+ "id": "S-1-5-21-2746543596-3928915710-1011198476-500",
+ "name": "Administrator"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "Host.admin.local",
+ "event_data": {
+ "NewState": "48",
+ "ResourceManager": "{D8142110-8367-11EB-AEB0-AE30390335D2}",
+ "SubjectDomainName": "ADMIN0",
+ "SubjectLogonId": "0x1279236",
+ "SubjectUserName": "Administrator",
+ "SubjectUserSid": "S-1-5-21-2746543596-3928915710-1011198476-500",
+ "TransactionId": "{F1111247-1F67-11F0-83F3-005056831826}"
+ },
+ "event_id": "4985",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x1279236"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 468
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "161329",
+ "task": "File System"
+ }
+ }
+ ]
+}
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5038.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5038.json
new file mode 100644
index 00000000000..82bbfe54fc3
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5038.json
@@ -0,0 +1,56 @@
+{
+ "events": [
+ {
+ "@timestamp": "2025-03-31T12:11:59.727Z",
+ "log": {
+ "level": "information"
+ },
+ "message": "Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.\n\nFile Name:\t\\Device\\HarddiskVolume3\\Windows\\System32\\ScriptControl64_19409.dll\t",
+ "host": {
+ "name": "Host-ID"
+ },
+ "input": {
+ "type": "winlog"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "agent": {
+ "ephemeral_id": "be8d251b-20ae-4bbb-9d96-8bfbc5275c8c",
+ "id": "97eaaa07-37c4-45b6-8910-0349be183a03",
+ "name": "Host-ID",
+ "type": "filebeat",
+ "version": "9.1.0"
+ },
+ "winlog": {
+ "event_data": {
+ "param1": "\\Device\\HarddiskVolume3\\Windows\\System32\\ScriptControl64_19409.dll"
+ },
+ "channel": "Security",
+ "record_id": 352882,
+ "task": "Logon",
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "event_id": "5038",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "opcode": "Info",
+ "computer_name": "Host-ID",
+ "keywords": ["Audit Failure"],
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 16716
+ }
+ }
+ },
+ "event": {
+ "created": "2025-04-22T12:46:25.910Z",
+ "code": "5038",
+ "kind": "event",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "failure",
+ "original": "5038001229000x8010000000000000352882SecurityHost-ID\\Device\\HarddiskVolume3\\Windows\\System32\\ScriptControl64_19409.dllCode integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \\Device\\HarddiskVolume3\\Windows\\System32\\ScriptControl64_19409.dll InformationLogonInfoSecurityMicrosoft Windows security auditing.Audit Failure",
+ "action": "Logon"
+ }
+ }
+ ]
+}
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5038.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5038.json-expected.json
new file mode 100644
index 00000000000..40af315dea2
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5038.json-expected.json
@@ -0,0 +1,70 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2025-03-31T12:11:59.727Z",
+ "agent": {
+ "ephemeral_id": "be8d251b-20ae-4bbb-9d96-8bfbc5275c8c",
+ "id": "97eaaa07-37c4-45b6-8910-0349be183a03",
+ "name": "Host-ID",
+ "type": "filebeat",
+ "version": "9.1.0"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "code-integrity-determined-that-image-hash-of-file-is-not-valid",
+ "category": [
+ "file"
+ ],
+ "code": "5038",
+ "created": "2025-04-22T12:46:25.910Z",
+ "kind": "event",
+ "original": "5038001229000x8010000000000000352882SecurityHost-ID\\Device\\HarddiskVolume3\\Windows\\System32\\ScriptControl64_19409.dllCode integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \\Device\\HarddiskVolume3\\Windows\\System32\\ScriptControl64_19409.dll InformationLogonInfoSecurityMicrosoft Windows security auditing.Audit Failure",
+ "outcome": "failure",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "access"
+ ]
+ },
+ "file": {
+ "path": "\\Device\\HarddiskVolume3\\Windows\\System32\\ScriptControl64_19409.dll"
+ },
+ "host": {
+ "name": "Host-ID"
+ },
+ "input": {
+ "type": "winlog"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.\n\nFile Name:\t\\Device\\HarddiskVolume3\\Windows\\System32\\ScriptControl64_19409.dll\t",
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "Host-ID",
+ "event_data": {
+ "param1": "\\Device\\HarddiskVolume3\\Windows\\System32\\ScriptControl64_19409.dll"
+ },
+ "event_id": "5038",
+ "keywords": [
+ "Audit Failure"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 16716
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "352882",
+ "task": "Logon"
+ }
+ }
+ ]
+}
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5058.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5058.json
new file mode 100644
index 00000000000..990776850e8
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5058.json
@@ -0,0 +1,70 @@
+{
+ "events": [
+ {
+ "@timestamp": "2025-04-10T08:14:21.278Z",
+ "log": {
+ "level": "information"
+ },
+ "message": "Key file operation.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1909377054-3469629671-4104191496-8991\n\tAccount Name:\t\tJohn.doe\n\tAccount Domain:\t\tTEMPYS\n\tLogon ID:\t\t0x124237\n\nProcess Information:\n\tProcess ID:\t\t9916\n\tProcess Creation Time:\t2025-04-10 08:14:20.7079392 +0000 UTC\n\nCryptographic Parameters:\n\tProvider Name:\tMicrosoft Software Key Storage Provider\n\tAlgorithm Name:\tUNKNOWN\n\tKey Name:\tMicrosoft Connected Devices Platform device certificate\n\tKey Type:\tUser key.\n\nKey File Operation Information:\n\tFile Path:\tC:\\Users\\John.doe\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\de7cf8a7901d2ad13e5c67c29e5d1662_8e1277be-8070-4f41-91ee-c3c1fcca618a\n\tOperation:\tRead persisted key from file.\n\tReturn Code:\t0x0",
+ "host": {
+ "name": "Host-ID"
+ },
+ "input": {
+ "type": "winlog"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "agent": {
+ "ephemeral_id": "62cd02b1-8419-4aae-a9f4-768f99cbb47b",
+ "id": "c84484dc-583d-4e71-9ccc-008c4837800b",
+ "name": "Host-ID",
+ "type": "filebeat",
+ "version": "9.1.0"
+ },
+ "winlog": {
+ "version": 1,
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "event_data": {
+ "KeyFilePath": "C:\\Users\\John.doe\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\de7cf8a7901d2ad13e5c67c29e5d1662_8e1277be-8070-4f41-91ee-c3c1fcca618a",
+ "SubjectUserSid": "S-1-5-21-1909377054-3469629671-4104191496-8991",
+ "SubjectUserName": "John.doe",
+ "Operation": "Read persisted key from file.",
+ "SubjectDomainName": "TEMPYS",
+ "SubjectLogonId": "0x124237",
+ "ProviderName": "Microsoft Software Key Storage Provider",
+ "ClientCreationTime": "2025-04-10 08:14:20.7079392 +0000 UTC",
+ "AlgorithmName": "UNKNOWN",
+ "KeyType": "User key.",
+ "ReturnCode": "0x0",
+ "ClientProcessId": "9916",
+ "KeyName": "Microsoft Connected Devices Platform device certificate"
+ },
+ "process": {
+ "pid": 1344,
+ "thread": {
+ "id": 1468
+ }
+ },
+ "channel": "Security",
+ "computer_name": "Host-ID",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "record_id": 367486,
+ "event_id": "5058",
+ "task": "Other System Events"
+ },
+ "event": {
+ "kind": "event",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success",
+ "action": "Other System Events",
+ "created": "2025-04-25T07:28:21.319Z",
+ "code": "5058"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5058.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5058.json-expected.json
new file mode 100644
index 00000000000..aa83871a91d
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5058.json-expected.json
@@ -0,0 +1,93 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2025-04-10T08:14:20.007Z",
+ "agent": {
+ "ephemeral_id": "62cd02b1-8419-4aae-a9f4-768f99cbb47b",
+ "id": "c84484dc-583d-4e71-9ccc-008c4837800b",
+ "name": "Host-ID",
+ "type": "filebeat",
+ "version": "9.1.0"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "key-file-operation",
+ "category": [
+ "file"
+ ],
+ "code": "5058",
+ "created": "2025-04-25T07:28:21.319Z",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft Software Key Storage Provider",
+ "type": [
+ "change"
+ ]
+ },
+ "host": {
+ "name": "Host-ID"
+ },
+ "input": {
+ "type": "winlog"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Key file operation.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1909377054-3469629671-4104191496-8991\n\tAccount Name:\t\tJohn.doe\n\tAccount Domain:\t\tTEMPYS\n\tLogon ID:\t\t0x124237\n\nProcess Information:\n\tProcess ID:\t\t9916\n\tProcess Creation Time:\t2025-04-10 08:14:20.7079392 +0000 UTC\n\nCryptographic Parameters:\n\tProvider Name:\tMicrosoft Software Key Storage Provider\n\tAlgorithm Name:\tUNKNOWN\n\tKey Name:\tMicrosoft Connected Devices Platform device certificate\n\tKey Type:\tUser key.\n\nKey File Operation Information:\n\tFile Path:\tC:\\Users\\John.doe\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\de7cf8a7901d2ad13e5c67c29e5d1662_8e1277be-8070-4f41-91ee-c3c1fcca618a\n\tOperation:\tRead persisted key from file.\n\tReturn Code:\t0x0",
+ "related": {
+ "user": [
+ "John.doe"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "TEMPYS",
+ "id": "S-1-5-21-1909377054-3469629671-4104191496-8991",
+ "name": "John.doe"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "Host-ID",
+ "event_data": {
+ "AlgorithmName": "UNKNOWN",
+ "ClientCreationTime": "2025-04-10 08:14:20.7079392 +0000 UTC",
+ "ClientProcessId": "9916",
+ "KeyFilePath": "C:\\Users\\John.doe\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\de7cf8a7901d2ad13e5c67c29e5d1662_8e1277be-8070-4f41-91ee-c3c1fcca618a",
+ "KeyName": "Microsoft Connected Devices Platform device certificate",
+ "KeyType": "User key.",
+ "Operation": "Read persisted key from file.",
+ "ProviderName": "Microsoft Software Key Storage Provider",
+ "ReturnCode": "0x0",
+ "ReturnCodeOutcome": "Success",
+ "SubjectDomainName": "TEMPYS",
+ "SubjectLogonId": "0x124237",
+ "SubjectUserName": "John.doe",
+ "SubjectUserSid": "S-1-5-21-1909377054-3469629671-4104191496-8991"
+ },
+ "event_id": "5058",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x124237"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 1344,
+ "thread": {
+ "id": 1468
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "367486",
+ "task": "Other System Events",
+ "version": 1
+ }
+ }
+ ]
+}
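Review bot: The expected @timestamp on L6237 is `2025-04-10T08:14:20.007Z`, which matches neither the input event's own `@timestamp` (`08:14:21.278Z`) nor the `ClientCreationTime` it seems to be derived from (`08:14:20.7079392`); the value is consistent with the seven-digit fraction being parsed as nanoseconds (7079392 ns ≈ 7 ms) rather than as a fraction of a second, so the pinned time is roughly 700 ms early. The 5059 expected file shows the same pattern (`45.9196243` → `45.009Z`). The parsing lives in the pipeline's date handling, outside this hunk, but the fixture should not lock in the wrong value, and since ClientCreationTime is the client process's creation time it arguably belongs in `process.start` rather than replacing the event's own `@timestamp`, which timeline ordering and correlation rely on. Separately, `event.provider` on L6257 is now the cryptographic provider name (`Microsoft Software Key Storage Provider`) while `winlog.provider_name` on L6319 stays `Microsoft-Windows-Security-Auditing`; ECS `event.provider` is the log source, so this overwrite looks unintended.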
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5059.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5059.json
new file mode 100644
index 00000000000..f4d5ceefdaf
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5059.json
@@ -0,0 +1,70 @@
+{
+ "events": [
+ {
+ "@timestamp": "2025-03-19T05:33:46.294Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "agent": {
+ "version": "9.1.0",
+ "ephemeral_id": "1bae547c-b439-45c2-b87d-ea1964d048b7",
+ "id": "d7cc18f4-29b8-4c77-a07d-ea273d2890d6",
+ "name": "WIN2K19-50-13-53",
+ "type": "filebeat"
+ },
+ "event": {
+ "kind": "event",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success",
+ "action": "Other System Events",
+ "created": "2025-04-29T08:59:28.618Z",
+ "code": "5059"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Key migration operation.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tLOCAL SERVICE\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3e5\n\nProcess Information:\n\tProcess ID:\t\t688\n\tProcess Creation Time:\t2025-03-19 05:33:45.9196243 +0000 UTC\n\nCryptographic Parameters:\n\tProvider Name:\tMicrosoft Software Key Storage Provider\n\tAlgorithm Name:\tECDSA_P256\n\tKey Name:\tMicrosoft Connected Devices Platform device certificate\n\tKey Type:\tUser key.\n\nAdditional Information:\n\tOperation:\tExport of persistent cryptographic key.\n\tReturn Code:\t0x0",
+ "host": {
+ "name": "WIN-E9MOU404H15"
+ },
+ "winlog": {
+ "event_id": "5059",
+ "record_id": 13902,
+ "task": "Other System Events",
+ "computer_name": "WIN-E9MOU404H15",
+ "version": 1,
+ "activity_id": "{1FFBCAAB-9890-0000-CACB-FB1F9098DB01}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "keywords": [
+ "Audit Success"
+ ],
+ "event_data": {
+ "SubjectUserName": "LOCAL SERVICE",
+ "KeyType": "User key.",
+ "ReturnCode": "0x0",
+ "SubjectUserSid": "S-1-5-19",
+ "ClientCreationTime": "2025-03-19 05:33:45.9196243 +0000 UTC",
+ "ProviderName": "Microsoft Software Key Storage Provider",
+ "SubjectDomainName": "NT AUTHORITY",
+ "AlgorithmName": "ECDSA_P256",
+ "KeyName": "Microsoft Connected Devices Platform device certificate",
+ "Operation": "Export of persistent cryptographic key.",
+ "SubjectLogonId": "0x3e5",
+ "ClientProcessId": "688"
+ },
+ "process": {
+ "pid": 680,
+ "thread": {
+ "id": 808
+ }
+ },
+ "channel": "Security"
+ },
+ "input": {
+ "type": "winlog"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5059.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5059.json-expected.json
new file mode 100644
index 00000000000..26dc7b6cf35
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5059.json-expected.json
@@ -0,0 +1,93 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2025-03-19T05:33:45.009Z",
+ "agent": {
+ "ephemeral_id": "1bae547c-b439-45c2-b87d-ea1964d048b7",
+ "id": "d7cc18f4-29b8-4c77-a07d-ea273d2890d6",
+ "name": "WIN2K19-50-13-53",
+ "type": "filebeat",
+ "version": "9.1.0"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "key-migration-operation",
+ "category": [
+ "file"
+ ],
+ "code": "5059",
+ "created": "2025-04-29T08:59:28.618Z",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft Software Key Storage Provider",
+ "type": [
+ "change"
+ ]
+ },
+ "host": {
+ "name": "WIN-E9MOU404H15"
+ },
+ "input": {
+ "type": "winlog"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Key migration operation.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tLOCAL SERVICE\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3e5\n\nProcess Information:\n\tProcess ID:\t\t688\n\tProcess Creation Time:\t2025-03-19 05:33:45.9196243 +0000 UTC\n\nCryptographic Parameters:\n\tProvider Name:\tMicrosoft Software Key Storage Provider\n\tAlgorithm Name:\tECDSA_P256\n\tKey Name:\tMicrosoft Connected Devices Platform device certificate\n\tKey Type:\tUser key.\n\nAdditional Information:\n\tOperation:\tExport of persistent cryptographic key.\n\tReturn Code:\t0x0",
+ "related": {
+ "user": [
+ "LOCAL SERVICE"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "NT AUTHORITY",
+ "id": "S-1-5-19",
+ "name": "LOCAL SERVICE"
+ },
+ "winlog": {
+ "activity_id": "{1FFBCAAB-9890-0000-CACB-FB1F9098DB01}",
+ "channel": "Security",
+ "computer_name": "WIN-E9MOU404H15",
+ "event_data": {
+ "AlgorithmName": "ECDSA_P256",
+ "ClientCreationTime": "2025-03-19 05:33:45.9196243 +0000 UTC",
+ "ClientProcessId": "688",
+ "KeyName": "Microsoft Connected Devices Platform device certificate",
+ "KeyType": "User key.",
+ "Operation": "Export of persistent cryptographic key.",
+ "ProviderName": "Microsoft Software Key Storage Provider",
+ "ReturnCode": "0x0",
+ "ReturnCodeOutcome": "Success",
+ "SubjectDomainName": "NT AUTHORITY",
+ "SubjectLogonId": "0x3e5",
+ "SubjectUserName": "LOCAL SERVICE",
+ "SubjectUserSid": "S-1-5-19"
+ },
+ "event_id": "5059",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x3e5"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 680,
+ "thread": {
+ "id": 808
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "13902",
+ "task": "Other System Events",
+ "version": 1
+ }
+ }
+ ]
+}
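Review bot: `winlog.event_data.ClientProcessId` (`"688"`) is not surfaced in any ECS field in this expected document, although the 5446 fixture added in the same commit maps `event_data.ProcessId` to `process.pid`; the `winlog.process.pid` here is `680`, the logging process, not the client that exported the key. Unless the omission is deliberate, the expected output should carry `"process": { "pid": 688 }` so the exporting process is queryable the same way as for 5446, since for a key-export audit the client process is the field an analyst pivots on. The pipeline that performs this mapping is outside the diff, so this may require a pipeline change rather than only a fixture edit.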
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5061.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5061.json
new file mode 100644
index 00000000000..e23e188377b
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5061.json
@@ -0,0 +1,67 @@
+{
+ "events": [
+ {
+ "@timestamp": "2025-03-19T05:33:46.125Z",
+ "message": "Cryptographic operation.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tLOCAL SERVICE\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3e5\n\nCryptographic Parameters:\n\tProvider Name:\tMicrosoft Software Key Storage Provider\n\tAlgorithm Name:\tECDSA_P256\n\tKey Name:\tMicrosoft Connected Devices Platform device certificate\n\tKey Type:\tUser key.\n\nCryptographic Operation:\n\tOperation:\tOpen Key.\n\tReturn Code:\t0x0",
+ "host": {
+ "name": "WIN-E9MOU404H15"
+ },
+ "input": {
+ "type": "winlog"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "agent": {
+ "version": "9.1.0",
+ "ephemeral_id": "fabdc554-d1ae-4d01-a90e-ec9df838baa0",
+ "id": "3893c188-c4fc-4d97-8a55-e11a368dc5a9",
+ "name": "WIN2K19-50-13-53",
+ "type": "filebeat"
+ },
+ "winlog": {
+ "event_id": "5061",
+ "event_data": {
+ "KeyType": "User key.",
+ "ReturnCode": "0x1",
+ "SubjectUserSid": "S-1-5-19",
+ "SubjectDomainName": "NT AUTHORITY",
+ "AlgorithmName": "ECDSA_P256",
+ "KeyName": "Microsoft Connected Devices Platform device certificate",
+ "Operation": "Open Key.",
+ "SubjectUserName": "LOCAL SERVICE",
+ "SubjectLogonId": "0x3e5",
+ "ProviderName": "Microsoft Software Key Storage Provider"
+ },
+ "activity_id": "{1FFBCAAB-9890-0000-CACB-FB1F9098DB01}",
+ "task": "System Integrity",
+ "opcode": "Info",
+ "process": {
+ "pid": 680,
+ "thread": {
+ "id": 808
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "channel": "Security",
+ "computer_name": "WIN-E9MOU404H15",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 13893,
+ "keywords": [
+ "Audit Success"
+ ]
+ },
+ "event": {
+ "created": "2025-04-29T08:57:28.307Z",
+ "code": "5061",
+ "kind": "event",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success",
+ "action": "System Integrity"
+ },
+ "log": {
+ "level": "information"
+ }
+ }
+ ]
+}
\ No newline at end of file
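Review bot: The fixture's `winlog.event_data.ReturnCode` is `"0x1"` while the `message` it is meant to match reports `Return Code:\t0x0`, so the input contradicts itself, and the expected file (test-5061.json-expected.json) ends up asserting `event.outcome: success` alongside `ReturnCodeOutcome: Failure`. If the intent is to exercise the failure path, the message should also say 0x1 and the expected `event.outcome` should be reviewed against it, because a 5061 whose key operation failed but which is classed as a success outcome is exactly the discrepancy a detection keyed on `event.outcome` would miss; if not, change the line to `"ReturnCode": "0x0"`. I cannot see the pipeline that derives `event.outcome`, so whether it keys off `keywords` or `ReturnCode` should be confirmed rather than assumed.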
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5061.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5061.json-expected.json
new file mode 100644
index 00000000000..9394058f36a
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5061.json-expected.json
@@ -0,0 +1,90 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2025-03-19T05:33:46.125Z",
+ "agent": {
+ "ephemeral_id": "fabdc554-d1ae-4d01-a90e-ec9df838baa0",
+ "id": "3893c188-c4fc-4d97-8a55-e11a368dc5a9",
+ "name": "WIN2K19-50-13-53",
+ "type": "filebeat",
+ "version": "9.1.0"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "cryptographic-operation",
+ "category": [
+ "file"
+ ],
+ "code": "5061",
+ "created": "2025-04-29T08:57:28.307Z",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft Software Key Storage Provider",
+ "type": [
+ "access"
+ ]
+ },
+ "host": {
+ "name": "WIN-E9MOU404H15"
+ },
+ "input": {
+ "type": "winlog"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Cryptographic operation.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tLOCAL SERVICE\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3e5\n\nCryptographic Parameters:\n\tProvider Name:\tMicrosoft Software Key Storage Provider\n\tAlgorithm Name:\tECDSA_P256\n\tKey Name:\tMicrosoft Connected Devices Platform device certificate\n\tKey Type:\tUser key.\n\nCryptographic Operation:\n\tOperation:\tOpen Key.\n\tReturn Code:\t0x0",
+ "related": {
+ "user": [
+ "LOCAL SERVICE"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "NT AUTHORITY",
+ "id": "S-1-5-19",
+ "name": "LOCAL SERVICE"
+ },
+ "winlog": {
+ "activity_id": "{1FFBCAAB-9890-0000-CACB-FB1F9098DB01}",
+ "channel": "Security",
+ "computer_name": "WIN-E9MOU404H15",
+ "event_data": {
+ "AlgorithmName": "ECDSA_P256",
+ "KeyName": "Microsoft Connected Devices Platform device certificate",
+ "KeyType": "User key.",
+ "Operation": "Open Key.",
+ "ProviderName": "Microsoft Software Key Storage Provider",
+ "ReturnCode": "0x1",
+ "ReturnCodeOutcome": "Failure",
+ "SubjectDomainName": "NT AUTHORITY",
+ "SubjectLogonId": "0x3e5",
+ "SubjectUserName": "LOCAL SERVICE",
+ "SubjectUserSid": "S-1-5-19"
+ },
+ "event_id": "5061",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x3e5"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 680,
+ "thread": {
+ "id": 808
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "13893",
+ "task": "System Integrity"
+ }
+ }
+ ]
+}
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5136.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5136.json-expected.json
index 6c01789e0f9..6be53ad892f 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-5136.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5136.json-expected.json
@@ -31,6 +31,9 @@
"dadmin"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-21-3457937927-2839227994-823803824-1104",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5142.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5142.json
new file mode 100644
index 00000000000..ea06705ff4c
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5142.json
@@ -0,0 +1,69 @@
+{
+ "events": [
+ {
+ "@timestamp": "2022-11-30T09:57:14.833Z",
+ "agent": {
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1",
+ "type": "winlogbeat",
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87"
+ },
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "os": {
+ "family": "windows",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "kernel": "10.0.14393.693 (rs1_release.161220-1747)",
+ "build": "14393.693",
+ "platform": "windows",
+ "version": "10.0"
+ },
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "hostname": "Server2",
+ "name": "Server2",
+ "architecture": "x86_64"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "opcode": "Info",
+ "task": "File Share",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "ShareLocalPath": "C:\\Users\\Administrator\\Downloads\\F2",
+ "SubjectUserSid": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "SubjectUserName": "Administrator",
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x16b304a",
+ "ShareName": "\\\\*\\F2"
+ },
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 39845139,
+ "channel": "Security",
+ "keywords": [
+ "Audit Success"
+ ],
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 1056
+ }
+ },
+ "event_id": 5142,
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}"
+ },
+ "event": {
+ "action": "File Share",
+ "created": "2022-11-30T09:58:09.118Z",
+ "kind": "event",
+ "code": 5142
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A network share object was added.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1280187532-2219128962-763009249-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x16B304A\n\nShare Information:\t\n\tShare Name:\t\t\\\\*\\F2\n\tShare Path:\t\tC:\\Users\\Administrator\\Downloads\\F2"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5142.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5142.json-expected.json
new file mode 100644
index 00000000000..206e75cce7f
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5142.json-expected.json
@@ -0,0 +1,96 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-11-30T09:57:14.833Z",
+ "agent": {
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "network-share-object-added",
+ "category": [
+ "network",
+ "file"
+ ],
+ "code": "5142",
+ "created": "2022-11-30T09:58:09.118Z",
+ "kind": "event",
+ "type": [
+ "info",
+ "creation"
+ ]
+ },
+ "file": {
+ "directory": "C:\\Users\\Administrator\\Downloads\\F2"
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "Server2",
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "name": "Server2",
+ "os": {
+ "build": "14393.693",
+ "family": "windows",
+ "kernel": "10.0.14393.693 (rs1_release.161220-1747)",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "platform": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A network share object was added.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1280187532-2219128962-763009249-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x16B304A\n\nShare Information:\t\n\tShare Name:\t\t\\\\*\\F2\n\tShare Path:\t\tC:\\Users\\Administrator\\Downloads\\F2",
+ "related": {
+ "user": [
+ "Administrator"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "TEST1",
+ "id": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "name": "Administrator"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "ShareLocalPath": "C:\\Users\\Administrator\\Downloads\\F2",
+ "ShareName": "\\\\*\\F2",
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x16b304a",
+ "SubjectUserName": "Administrator",
+ "SubjectUserSid": "S-1-5-21-1280187532-2219128962-763009249-500"
+ },
+ "event_id": "5142",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x16b304a"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 1056
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "39845139",
+ "task": "File Share"
+ }
+ }
+ ]
+}
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5152.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5152.json-expected.json
index 9db37fa760c..761ae64099f 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-5152.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5152.json-expected.json
@@ -47,6 +47,9 @@
"ip": "10.47.0.122",
"port": 58231
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"winlog": {
"activity_id": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"channel": "Security",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5156.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5156.json-expected.json
index 62936ba432a..223c97269d5 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-5156.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5156.json-expected.json
@@ -50,6 +50,9 @@
"ip": "10.47.0.151",
"port": 49691
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"winlog": {
"activity_id": "{1cd3afa7-265d-0001-54b0-d31c5d26d901}",
"channel": "Security",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5157.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5157.json-expected.json
index e65ab4e2ee6..3cadda0a528 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-5157.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5157.json-expected.json
@@ -50,6 +50,9 @@
"ip": "10.47.0.110",
"port": 137
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"winlog": {
"activity_id": "{1cd3afa7-265d-0001-54b0-d31c5d26d901}",
"channel": "Security",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5158.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5158.json-expected.json
index 9bb3b83ce8b..bc62d47ed0e 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-5158.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5158.json-expected.json
@@ -41,6 +41,9 @@
"ip": "0.0.0.0",
"port": 50431
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"winlog": {
"activity_id": "{1cd3afa7-265d-0001-54b0-d31c5d26d901}",
"channel": "Security",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5379.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5379.json-expected.json
index de768401775..79e8e1ad6c3 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-5379.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5379.json-expected.json
@@ -30,6 +30,9 @@
"user1"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-21-000000000-000000000-000000000-00000",
@@ -102,6 +105,9 @@
"user1"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-21-000000000-000000000-000000000-00000",
@@ -174,6 +180,9 @@
"user1"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-21-000000000-000000000-000000000-00000",
@@ -246,6 +255,9 @@
"user1"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-21-000000000-000000000-000000000-00000",
@@ -318,6 +330,9 @@
"user1"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-21-000000000-000000000-000000000-00000",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5380.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5380.json-expected.json
index 2b2c7726ea9..58401fc88a1 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-5380.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5380.json-expected.json
@@ -30,6 +30,9 @@
"USER1"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-21-000000000-000000000-000000000-00000",
@@ -100,6 +103,9 @@
"USER1"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-21-000000000-000000000-000000000-00000",
@@ -170,6 +176,9 @@
"USER1"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-21-000000000-000000000-000000000-00000",
@@ -240,6 +249,9 @@
"USER1"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-21-000000000-000000000-000000000-00000",
@@ -310,6 +322,9 @@
"USER1"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-21-000000000-000000000-000000000-00000",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5381.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5381.json-expected.json
index cf0bac3f5ca..1f422d5895b 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-5381.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5381.json-expected.json
@@ -30,6 +30,9 @@
"COMPUTER1$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-18",
@@ -98,6 +101,9 @@
"COMPUTER1$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-18",
@@ -166,6 +172,9 @@
"COMPUTER1$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-18",
@@ -234,6 +243,9 @@
"COMPUTER1$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-18",
@@ -302,6 +314,9 @@
"COMPUTER1$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-18",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5382.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5382.json-expected.json
index 438fca4ae75..ef6e937b167 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-5382.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5382.json-expected.json
@@ -30,6 +30,9 @@
"COMPUTER1$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-18",
@@ -102,6 +105,9 @@
"user1"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-21-000000000-000000000-000000000-00000",
@@ -174,6 +180,9 @@
"user1"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-21-000000000-000000000-000000000-00000",
@@ -246,6 +255,9 @@
"user1"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-21-000000000-000000000-000000000-00000",
@@ -318,6 +330,9 @@
"user1"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-21-000000000-000000000-000000000-00000",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5441.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5441.json
new file mode 100644
index 00000000000..96f1a4ac268
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5441.json
@@ -0,0 +1,78 @@
+{
+ "events": [
+ {
+ "@timestamp": "2022-11-29T12:19:39.877Z",
+ "event": {
+ "kind": "event",
+ "code": 5441,
+ "action": "Filtering Platform Policy Change",
+ "created": "2022-11-29T12:22:30.766Z"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "The following filter was present when the Windows Filtering Platform Base Filtering Engine started.\n\nProvider Information:\t\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\tMicrosoft Corporation\n\nFilter Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\tBoot Time Filter\n\tType:\t\tPersistent\n\tRun-Time ID:\t1170552\n\nLayer Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\tALE Receive/Accept v6 Layer\n\tRun-Time ID:\t46\n\tWeight:\t\t8791261184\n\t\nAdditional Information:\n\tConditions:\t\n\tCondition ID:\t{00000000-0000-0000-0000-000000000000}\n\tMatch value:\tEqual to\n\tCondition value:\t0x00000083\n\n\tCondition ID:\t{511166dc-7a8c-4aa7-b533-95ab59fb0340}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0000000e\n\n\tCondition ID:\t{632ce23b-5167-435c-86d7-e903684aa80c}\n\tMatch value:\tNo flags set\n\tCondition value:\t0x00000001\n\n\tFilter Action:\tBlock\n\tCallout ID:\t{00000000-0000-0000-0000-000000000000}\n\tCallout Name:\t-",
+ "winlog": {
+ "keywords": [
+ "Audit Success"
+ ],
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "record_id": 23634754,
+ "opcode": "Info",
+ "activity_id": "{D5C4EEEF-03EC-0001-01EF-C4D5EC03D901}",
+ "process": {
+ "pid": 648,
+ "thread": {
+ "id": 260
+ }
+ },
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "Weight": "8791261184",
+ "CalloutName": "-",
+ "ProviderName": "Microsoft Corporation",
+ "CalloutKey": "{00000000-XX00-0000-0000-000000000000}",
+ "Action": "%%16389",
+ "FilterKey": "{00000000-XX00-0000-0000-000000000000}",
+ "LayerId": "46",
+ "FilterName": "Boot Time Filter",
+ "ProviderKey": "{00000000-XX00-0000-0000-000000000000}",
+ "LayerKey": "{00000000-XX00-0000-0000-000000000000}",
+ "Conditions": "\n\tCondition ID:\t{00000000-0000-0000-0000-000000000000}\n\tMatch value:\tEqual to\n\tCondition value:\t0x00000083\n\n\tCondition ID:\t{511166dc-7a8c-4aa7-b533-95ab59fb0340}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0000000e\n\n\tCondition ID:\t{632ce23b-5167-435c-86d7-e903684aa80c}\n\tMatch value:\tNo flags set\n\tCondition value:\t0x00000001",
+ "FilterId": "1170552",
+ "FilterType": "%%16387",
+ "LayerName": "ALE Receive/Accept v6 Layer"
+ },
+ "task": "Filtering Platform Policy Change",
+ "api": "wineventlog",
+ "channel": "Security",
+ "event_id": 5441
+ },
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "hostname": "Server2",
+ "architecture": "x86_64",
+ "os": {
+ "platform": "windows",
+ "version": "10.0",
+ "family": "windows",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "kernel": "10.0.0.0 (rs1_release.161220-1747)",
+ "build": "14393.693"
+ },
+ "name": "Server2"
+ },
+ "agent": {
+ "type": "winlogbeat",
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5441.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5441.json-expected.json
new file mode 100644
index 00000000000..ccc5f6ab9dc
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5441.json-expected.json
@@ -0,0 +1,87 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-11-29T12:19:39.877Z",
+ "agent": {
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "%%16389",
+ "category": [
+ "configuration"
+ ],
+ "code": "5441",
+ "created": "2022-11-29T12:22:30.766Z",
+ "kind": "event",
+ "provider": "Microsoft Corporation",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "Server2",
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "name": "Server2",
+ "os": {
+ "build": "14393.693",
+ "family": "windows",
+ "kernel": "10.0.0.0 (rs1_release.161220-1747)",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "platform": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "The following filter was present when the Windows Filtering Platform Base Filtering Engine started.\n\nProvider Information:\t\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\tMicrosoft Corporation\n\nFilter Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\tBoot Time Filter\n\tType:\t\tPersistent\n\tRun-Time ID:\t1170552\n\nLayer Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\tALE Receive/Accept v6 Layer\n\tRun-Time ID:\t46\n\tWeight:\t\t8791261184\n\t\nAdditional Information:\n\tConditions:\t\n\tCondition ID:\t{00000000-0000-0000-0000-000000000000}\n\tMatch value:\tEqual to\n\tCondition value:\t0x00000083\n\n\tCondition ID:\t{511166dc-7a8c-4aa7-b533-95ab59fb0340}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0000000e\n\n\tCondition ID:\t{632ce23b-5167-435c-86d7-e903684aa80c}\n\tMatch value:\tNo flags set\n\tCondition value:\t0x00000001\n\n\tFilter Action:\tBlock\n\tCallout ID:\t{00000000-0000-0000-0000-000000000000}\n\tCallout Name:\t-",
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "winlog": {
+ "activity_id": "{D5C4EEEF-03EC-0001-01EF-C4D5EC03D901}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "Action": "%%16389",
+ "CalloutKey": "{00000000-XX00-0000-0000-000000000000}",
+ "Conditions": "\n\tCondition ID:\t{00000000-0000-0000-0000-000000000000}\n\tMatch value:\tEqual to\n\tCondition value:\t0x00000083\n\n\tCondition ID:\t{511166dc-7a8c-4aa7-b533-95ab59fb0340}\n\tMatch value:\tEqual to\n\tCondition value:\t0x0000000e\n\n\tCondition ID:\t{632ce23b-5167-435c-86d7-e903684aa80c}\n\tMatch value:\tNo flags set\n\tCondition value:\t0x00000001",
+ "FilterId": "1170552",
+ "FilterKey": "{00000000-XX00-0000-0000-000000000000}",
+ "FilterName": "Boot Time Filter",
+ "FilterType": "%%16387",
+ "LayerId": "46",
+ "LayerKey": "{00000000-XX00-0000-0000-000000000000}",
+ "LayerName": "ALE Receive/Accept v6 Layer",
+ "ProviderKey": "{00000000-XX00-0000-0000-000000000000}",
+ "ProviderName": "Microsoft Corporation",
+ "Weight": "8791261184"
+ },
+ "event_id": "5441",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 648,
+ "thread": {
+ "id": 260
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "23634754",
+ "task": "Filtering Platform Policy Change"
+ }
+ }
+ ]
+}
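Review bot: The expected `event.action` for 5441 is the unresolved message-table placeholder `%%16389` (copied from `event_data.Action`), and `event_data.FilterType` is likewise left as `%%16387`, whereas the sibling fixtures in this commit get descriptive actions (`network-share-object-added`, `windows-filtering-platform-callout-changed`). The `message` in the same event renders these values as `Filter Action:\tBlock` and `Type:\t\tPersistent`, so committing `%%16389` as the expected `event.action` pins a value no rule author can match on. Either the 5441 handling in the pipeline should derive the action from the description like the other event ids and resolve the `%%` codes, or at minimum this expected file should not be committed with the placeholder as `event.action`; the pipeline is not in this diff, so I can only infer where that mapping lives.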
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5446.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5446.json
new file mode 100644
index 00000000000..5b8d059d500
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5446.json
@@ -0,0 +1,77 @@
+{
+ "events": [
+ {
+ "@timestamp": "2022-11-30T12:20:18.739Z",
+ "agent": {
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1",
+ "type": "winlogbeat",
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87"
+ },
+ "winlog": {
+ "task": "Filtering Platform Policy Change",
+ "api": "wineventlog",
+ "activity_id": "{D5C4EEEF-03EC-0001-01EF-C4D5EC03D901}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "computer_name": "Server2.test1.local",
+ "opcode": "Info",
+ "event_data": {
+ "ProcessId": "1328",
+ "ProviderName": "Microsoft Corporation",
+ "CalloutKey": "{X0000000-XX00-0000-0000-000000000000}",
+ "CalloutName": "Interface Binding Callout",
+ "CalloutId": "258",
+ "LayerName": "ALE Bind Redirect v4 Layer",
+ "LayerId": "68",
+ "UserName": "NT AUTHORITY\\LOCAL SERVICE",
+ "ChangeType": "%%16384",
+ "CalloutType": "%%16388",
+ "UserSid": "S-1-5-19",
+ "ProviderKey": "{X0000000-XX00-0000-0000-000000000000}",
+ "LayerKey": "{X0000000-XX00-0000-0000-000000000000}"
+ },
+ "channel": "Security",
+ "keywords": [
+ "Audit Success"
+ ],
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "process": {
+ "thread": {
+ "id": 952
+ },
+ "pid": 648
+ },
+ "event_id": 5446,
+ "record_id": 42039357
+ },
+ "event": {
+ "kind": "event",
+ "code": 5446,
+ "action": "Filtering Platform Policy Change",
+ "created": "2022-11-30T12:20:19.782Z"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A Windows Filtering Platform callout has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1328\n\nProvider Information:\n\tID:\t\t{X0000000-XX00-0000-0000-000000000000}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tAdd\n\nCallout Information:\n\tID:\t\t{X0000000-XX00-0000-0000-000000000000}\n\tName:\t\tInterface Binding Callout\n\tType:\t\tNot persistent\n\tRun-Time ID:\t258\n\nLayer Information:\n\tID:\t\t{X0000000-XX00-0000-0000-000000000000}\n\tName:\t\tALE Bind Redirect v4 Layer\n\tRun-Time ID:\t68",
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "architecture": "x86_64",
+ "os": {
+ "kernel": "10.0.0.0 (rs1_release.161220-1747)",
+ "build": "14393.693",
+ "platform": "windows",
+ "version": "10.0",
+ "family": "windows",
+ "name": "Windows Server 2016 Standard Evaluation"
+ },
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "hostname": "Server2",
+ "name": "Server2"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5446.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5446.json-expected.json
new file mode 100644
index 00000000000..1839c9759f1
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5446.json-expected.json
@@ -0,0 +1,99 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-11-30T12:20:18.739Z",
+ "agent": {
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "windows-filtering-platform-callout-changed",
+ "category": [
+ "configuration"
+ ],
+ "code": "5446",
+ "created": "2022-11-30T12:20:19.782Z",
+ "kind": "event",
+ "provider": "Microsoft Corporation",
+ "type": [
+ "change"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "Server2",
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "name": "Server2",
+ "os": {
+ "build": "14393.693",
+ "family": "windows",
+ "kernel": "10.0.0.0 (rs1_release.161220-1747)",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "platform": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A Windows Filtering Platform callout has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1328\n\nProvider Information:\n\tID:\t\t{X0000000-XX00-0000-0000-000000000000}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tAdd\n\nCallout Information:\n\tID:\t\t{X0000000-XX00-0000-0000-000000000000}\n\tName:\t\tInterface Binding Callout\n\tType:\t\tNot persistent\n\tRun-Time ID:\t258\n\nLayer Information:\n\tID:\t\t{X0000000-XX00-0000-0000-000000000000}\n\tName:\t\tALE Bind Redirect v4 Layer\n\tRun-Time ID:\t68",
+ "process": {
+ "pid": 1328
+ },
+ "related": {
+ "user": [
+ "S-1-5-19",
+ "NT AUTHORITY\\LOCAL SERVICE"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "id": "S-1-5-19",
+ "name": "NT AUTHORITY\\LOCAL SERVICE"
+ },
+ "winlog": {
+ "activity_id": "{D5C4EEEF-03EC-0001-01EF-C4D5EC03D901}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "CalloutId": "258",
+ "CalloutKey": "{X0000000-XX00-0000-0000-000000000000}",
+ "CalloutName": "Interface Binding Callout",
+ "CalloutType": "%%16388",
+ "ChangeType": "%%16384",
+ "LayerId": "68",
+ "LayerKey": "{X0000000-XX00-0000-0000-000000000000}",
+ "LayerName": "ALE Bind Redirect v4 Layer",
+ "ProviderKey": "{X0000000-XX00-0000-0000-000000000000}",
+ "ProviderName": "Microsoft Corporation",
+ "UserName": "NT AUTHORITY\\LOCAL SERVICE",
+ "UserSid": "S-1-5-19"
+ },
+ "event_id": "5446",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 648,
+ "thread": {
+ "id": 952
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "42039357",
+ "task": "Filtering Platform Policy Change"
+ }
+ }
+ ]
+}
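Review bot: `event.provider` is pinned to `"Microsoft Corporation"` (the WFP `ProviderName` from `event_data`) in the `event` object of this expected file, while `winlog.provider_name` stays `Microsoft-Windows-Security-Auditing`; ECS defines `event.provider` as the source of the event (for Windows, the log provider name), so this looks like the WFP provider being mis-mapped into it. The same mapping appears in test-5447.json-expected.json and test-5449.json-expected.json. Since `winlog.event_data.ProviderName` is already retained, the fixture should more likely expect `"provider": "Microsoft-Windows-Security-Auditing"` or no `event.provider` at all. The value is produced by the pipeline rather than the fixture, so the change belongs in the ingest pipeline with this file regenerated afterwards.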
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5447.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5447.json
new file mode 100644
index 00000000000..2b80b7df75d
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5447.json
@@ -0,0 +1,82 @@
+{
+ "events": [
+ {
+ "@timestamp": "2022-12-01T07:14:15.240Z",
+ "message": "A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1328\n\nProvider Information:\n\tID:\t\t{X0000000-XX00-0000-0000-000000000000}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{X0000000-XX00-0000-0000-000000000000}\n\tName:\t\tInternetClientServer Inbound Default Rule\n\tType:\t\tNot persistent\n\tRun-Time ID:\t1487992\n\nLayer Information:\n\tID:\t\t{X0000000-XX00-0000-0000-000000000000}\n\tName:\t\tALE Receive/Accept v4 Layer\n\tRun-Time ID:\t44\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t72058418671649276\t\n\tConditions:\t\n\tCondition ID:\t{X0000000-XX00-0000-0000-000000000000}\n\tMatch value:\tNot equal to\n\tCondition value:\t-\n\n\tCondition ID:\t{b235ae9a-1d64-49b8-a44c-5ff3d9095045}\n\tMatch value:\tIn range\n\tCondition value:\t0xefffffff - 0xffffffff\n\n\tCondition ID:\t{46ea1551-2255-492b-8019-aabeee349f40}\n\tMatch value:\tEqual to\n\tCondition value:\t0x00000003\n\n\tCondition ID:\t{ab3033c9-c0e3-4759-937d-5758c65d4ae3}\n\tMatch value:\tEqual to\n\tCondition value:\t0x00000003\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:LSD:(A;;CC;;;S-1-15-3-2)(A;;CC;;;WD)(A;;CC;;;AN)\n\n\n\tFilter Action:\tPermit",
+ "agent": {
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1",
+ "type": "winlogbeat",
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2"
+ },
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "name": "Server2",
+ "hostname": "Server2",
+ "architecture": "x86_64",
+ "os": {
+ "kernel": "1Kernel",
+ "build": "14393.693",
+ "platform": "windows",
+ "version": "10.0",
+ "family": "windows",
+ "name": "Windows Server 2016 Standard Evaluation"
+ },
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106"
+ },
+ "winlog": {
+ "event_data": {
+ "ChangeType": "%%16385",
+ "CalloutKey": "{00000000-0000-0000-0000-000000000000}",
+ "FilterName": "InternetClientServer Inbound Default Rule",
+ "Action": "%%16390",
+ "Conditions": "\n\tCondition ID:\t{X0000000-XX00-0000-0000-000000000000}\n\tMatch value:\tNot equal to\n\tCondition value:\t-\n\n\tCondition ID:\t{b235ae9a-1d64-49b8-a44c-5ff3d9095045}\n\tMatch value:\tIn range\n\tCondition value:\t0xefffffff - 0xffffffff\n\n\tCondition ID:\t{46ea1551-2255-492b-8019-aabeee349f40}\n\tMatch value:\tEqual to\n\tCondition value:\t0x00000003\n\n\tCondition ID:\t{ab3033c9-c0e3-4759-937d-5758c65d4ae3}\n\tMatch value:\tEqual to\n\tCondition value:\t0x00000003\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:LSD:(A;;CC;;;S-1-15-3-2)(A;;CC;;;WD)(A;;CC;;;AN)",
+ "LayerName": "ALE Receive/Accept v4 Layer",
+ "FilterKey": "{X0000000-XX00-0000-0000-000000000000}",
+ "Weight": "72058418671649276",
+ "ProcessId": "1328",
+ "ProviderName": "Microsoft Corporation",
+ "FilterId": "1487992",
+ "UserSid": "S-1-5-19",
+ "LayerKey": "{X0000000-XX00-0000-0000-000000000000}",
+ "ProviderKey": "{X0000000-XX00-0000-0000-000000000000}",
+ "LayerId": "44",
+ "CalloutName": "-",
+ "FilterType": "%%16388",
+ "UserName": "NT AUTHORITY\\LOCAL SERVICE"
+ },
+ "record_id": 58037978,
+ "opcode": "Info",
+ "task": "Other Policy Change Events",
+ "api": "wineventlog",
+ "computer_name": "Server2.test1.local",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "channel": "Security",
+ "event_id": 5447,
+ "keywords": [
+ "Audit Success"
+ ],
+ "activity_id": "{D5C4EEEF-03EC-0001-01EF-C4D5EC03D901}",
+ "process": {
+ "pid": 648,
+ "thread": {
+ "id": 668
+ }
+ },
+ "provider_name": "Microsoft-Windows-Security-Auditing"
+ },
+ "event": {
+ "code": 5447,
+ "action": "Other Policy Change Events",
+ "created": "2022-12-01T07:14:47.189Z",
+ "kind": "event"
+ },
+ "log": {
+ "level": "information"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5447.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5447.json-expected.json
new file mode 100644
index 00000000000..b89716c903f
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5447.json-expected.json
@@ -0,0 +1,102 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-12-01T07:14:15.240Z",
+ "agent": {
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "%%16390",
+ "category": [
+ "configuration"
+ ],
+ "code": "5447",
+ "created": "2022-12-01T07:14:47.189Z",
+ "kind": "event",
+ "provider": "Microsoft Corporation",
+ "type": [
+ "change"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "Server2",
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "name": "Server2",
+ "os": {
+ "build": "14393.693",
+ "family": "windows",
+ "kernel": "1Kernel",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "platform": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A Windows Filtering Platform filter has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1328\n\nProvider Information:\n\tID:\t\t{X0000000-XX00-0000-0000-000000000000}\n\tName:\t\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tDelete\n\nFilter Information:\n\tID:\t\t{X0000000-XX00-0000-0000-000000000000}\n\tName:\t\tInternetClientServer Inbound Default Rule\n\tType:\t\tNot persistent\n\tRun-Time ID:\t1487992\n\nLayer Information:\n\tID:\t\t{X0000000-XX00-0000-0000-000000000000}\n\tName:\t\tALE Receive/Accept v4 Layer\n\tRun-Time ID:\t44\n\nCallout Information:\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\n\tName:\t\t-\n\nAdditional Information:\n\tWeight:\t72058418671649276\t\n\tConditions:\t\n\tCondition ID:\t{X0000000-XX00-0000-0000-000000000000}\n\tMatch value:\tNot equal to\n\tCondition value:\t-\n\n\tCondition ID:\t{b235ae9a-1d64-49b8-a44c-5ff3d9095045}\n\tMatch value:\tIn range\n\tCondition value:\t0xefffffff - 0xffffffff\n\n\tCondition ID:\t{46ea1551-2255-492b-8019-aabeee349f40}\n\tMatch value:\tEqual to\n\tCondition value:\t0x00000003\n\n\tCondition ID:\t{ab3033c9-c0e3-4759-937d-5758c65d4ae3}\n\tMatch value:\tEqual to\n\tCondition value:\t0x00000003\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:LSD:(A;;CC;;;S-1-15-3-2)(A;;CC;;;WD)(A;;CC;;;AN)\n\n\n\tFilter Action:\tPermit",
+ "process": {
+ "pid": 1328
+ },
+ "related": {
+ "user": [
+ "S-1-5-19",
+ "NT AUTHORITY\\LOCAL SERVICE"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "id": "S-1-5-19",
+ "name": "NT AUTHORITY\\LOCAL SERVICE"
+ },
+ "winlog": {
+ "activity_id": "{D5C4EEEF-03EC-0001-01EF-C4D5EC03D901}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "Action": "%%16390",
+ "ChangeType": "%%16385",
+ "Conditions": "\n\tCondition ID:\t{X0000000-XX00-0000-0000-000000000000}\n\tMatch value:\tNot equal to\n\tCondition value:\t-\n\n\tCondition ID:\t{b235ae9a-1d64-49b8-a44c-5ff3d9095045}\n\tMatch value:\tIn range\n\tCondition value:\t0xefffffff - 0xffffffff\n\n\tCondition ID:\t{46ea1551-2255-492b-8019-aabeee349f40}\n\tMatch value:\tEqual to\n\tCondition value:\t0x00000003\n\n\tCondition ID:\t{ab3033c9-c0e3-4759-937d-5758c65d4ae3}\n\tMatch value:\tEqual to\n\tCondition value:\t0x00000003\n\n\tCondition ID:\t{af043a0a-b34d-4f86-979c-c90371af6e66}\n\tMatch value:\tEqual to\n\tCondition value:\t\nO:LSD:(A;;CC;;;S-1-15-3-2)(A;;CC;;;WD)(A;;CC;;;AN)",
+ "FilterId": "1487992",
+ "FilterKey": "{X0000000-XX00-0000-0000-000000000000}",
+ "FilterName": "InternetClientServer Inbound Default Rule",
+ "FilterType": "%%16388",
+ "LayerId": "44",
+ "LayerKey": "{X0000000-XX00-0000-0000-000000000000}",
+ "LayerName": "ALE Receive/Accept v4 Layer",
+ "ProviderKey": "{X0000000-XX00-0000-0000-000000000000}",
+ "ProviderName": "Microsoft Corporation",
+ "UserName": "NT AUTHORITY\\LOCAL SERVICE",
+ "UserSid": "S-1-5-19",
+ "Weight": "72058418671649276"
+ },
+ "event_id": "5447",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 648,
+ "thread": {
+ "id": 668
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "58037978",
+ "task": "Other Policy Change Events"
+ }
+ }
+ ]
+}
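Review bot: `event.action` in this expected output is the unresolved message-table token `"%%16390"`, whereas the sibling fixtures resolve 5446 and 5449 to descriptive `windows-filtering-platform-*-changed` actions and this event's own `message` spells the same value out as `Filter Action:\tPermit`. Detection content keyed on `event.action` will not match a `%%`-prefixed placeholder, so the 5447 branch of the pipeline appears to copy `winlog.event_data.Action` verbatim instead of assigning a fixed value such as `"action": "windows-filtering-platform-filter-changed"`. The `%%16385`/`%%16388` tokens in `ChangeType`/`FilterType` are left unresolved in the 5446 and 5449 fixtures as well, so that part is at least consistent; only the `event.action` value stands out.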
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5449.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5449.json
new file mode 100644
index 00000000000..95a92252299
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5449.json
@@ -0,0 +1,73 @@
+{
+ "events": [
+ {
+ "@timestamp": "2022-11-30T12:20:18.739Z",
+ "message": "A Windows Filtering Platform provider context has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1328\n\nProvider Information:\n\tProvider ID:\t{X0000000-XX00-0000-0000-000000000000}\n\tProvider Name:\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tAdd\n\nProvider Context:\n\tID:\t{X0000000-XX00-0000-0000-000000000000}\n\tName:\tState Management Provider Context\n\tType:\tNot persistent",
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "name": "Server2",
+ "hostname": "Server2",
+ "architecture": "x86_64",
+ "os": {
+ "name": "Windows Server 2016 Standard Evaluation",
+ "kernel": "1Kernel",
+ "build": "14393.693",
+ "platform": "windows",
+ "version": "10.0",
+ "family": "windows"
+ },
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106"
+ },
+ "agent": {
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1",
+ "type": "winlogbeat",
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2"
+ },
+ "winlog": {
+ "process": {
+ "thread": {
+ "id": 952
+ },
+ "pid": 648
+ },
+ "channel": "Security",
+ "event_id": 5449,
+ "opcode": "Info",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "api": "wineventlog",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "task": "Filtering Platform Policy Change",
+ "keywords": [
+ "Audit Success"
+ ],
+ "activity_id": "{D5C4EEEF-03EC-0001-01EF-C4D5EC03D901}",
+ "event_data": {
+ "UserSid": "S-1-5-19",
+ "ProviderContextKey": "{X0000000-XX00-0000-0000-000000000000}",
+ "UserName": "NT AUTHORITY\\LOCAL SERVICE",
+ "ProviderKey": "{X0000000-XX00-0000-0000-000000000000}",
+ "ProviderContextType": "%%16388",
+ "ProcessId": "1328",
+ "ProviderContextName": "State Management Provider Context",
+ "ProviderName": "Microsoft Corporation",
+ "ChangeType": "%%16384"
+ },
+ "record_id": 42039355,
+ "computer_name": "Server2.test1.local"
+ },
+ "event": {
+ "kind": "event",
+ "code": 5449,
+ "action": "Filtering Platform Policy Change",
+ "created": "2022-11-30T12:20:19.782Z"
+ },
+ "log": {
+ "level": "information"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5449.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5449.json-expected.json
new file mode 100644
index 00000000000..9f8356a5698
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5449.json-expected.json
@@ -0,0 +1,95 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-11-30T12:20:18.739Z",
+ "agent": {
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "windows-filtering-platform-provider-context-changed",
+ "category": [
+ "configuration"
+ ],
+ "code": "5449",
+ "created": "2022-11-30T12:20:19.782Z",
+ "kind": "event",
+ "provider": "Microsoft Corporation",
+ "type": [
+ "change"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "Server2",
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "name": "Server2",
+ "os": {
+ "build": "14393.693",
+ "family": "windows",
+ "kernel": "1Kernel",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "platform": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A Windows Filtering Platform provider context has been changed.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\n\nProcess Information:\n\tProcess ID:\t1328\n\nProvider Information:\n\tProvider ID:\t{X0000000-XX00-0000-0000-000000000000}\n\tProvider Name:\tMicrosoft Corporation\n\nChange Information:\n\tChange Type:\tAdd\n\nProvider Context:\n\tID:\t{X0000000-XX00-0000-0000-000000000000}\n\tName:\tState Management Provider Context\n\tType:\tNot persistent",
+ "process": {
+ "pid": 1328
+ },
+ "related": {
+ "user": [
+ "S-1-5-19",
+ "NT AUTHORITY\\LOCAL SERVICE"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "id": "S-1-5-19",
+ "name": "NT AUTHORITY\\LOCAL SERVICE"
+ },
+ "winlog": {
+ "activity_id": "{D5C4EEEF-03EC-0001-01EF-C4D5EC03D901}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "ChangeType": "%%16384",
+ "ProviderContextKey": "{X0000000-XX00-0000-0000-000000000000}",
+ "ProviderContextName": "State Management Provider Context",
+ "ProviderContextType": "%%16388",
+ "ProviderKey": "{X0000000-XX00-0000-0000-000000000000}",
+ "ProviderName": "Microsoft Corporation",
+ "UserName": "NT AUTHORITY\\LOCAL SERVICE",
+ "UserSid": "S-1-5-19"
+ },
+ "event_id": "5449",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 648,
+ "thread": {
+ "id": 952
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "42039355",
+ "task": "Filtering Platform Policy Change"
+ }
+ }
+ ]
+}
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-6144.json b/packages/system/data_stream/security/_dev/test/pipeline/test-6144.json
new file mode 100644
index 00000000000..728990f171f
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-6144.json
@@ -0,0 +1,66 @@
+{
+ "events": [
+ {
+ "@timestamp": "2022-12-01T06:54:30.830Z",
+ "event": {
+ "code": 6144,
+ "action": "Other Policy Change Events",
+ "created": "2022-12-01T06:54:33.114Z",
+ "kind": "event"
+ },
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "name": "Server1",
+ "hostname": "Server1",
+ "architecture": "x86_64",
+ "os": {
+ "family": "windows",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "kernel": "1Kernel",
+ "build": "14393.693",
+ "platform": "windows",
+ "version": "10.0"
+ },
+ "id": "76330334-9e18-4aad-9113-1f1ce3fd0ff0"
+ },
+ "agent": {
+ "type": "winlogbeat",
+ "ephemeral_id": "e82715b6-e60b-4870-a2ee-373516f6f032",
+ "hostname": "Server1",
+ "id": "27d0bac7-4de4-4ca5-97f7-1d1b7105b25a",
+ "version": "7.3.1"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Security policy in the group policy objects has been applied successfully. \n\nReturn Code:\t0\n\nGPO List:\n{00000000-0000-0000-0000-000000000000}\tDefault Domain Policy\n{00000000-0000-0000-0000-000000000000}\tGPO1\n{00000000-0000-0000-0000-000000000000}\tDefault Domain Controllers Policy",
+ "winlog": {
+ "record_id": 67036624,
+ "process": {
+ "pid": 648,
+ "thread": {
+ "id": 6708
+ }
+ },
+ "event_data": {
+ "ErrorCode": "0",
+ "GPOList": "{00000000-0000-0000-0000-000000000000}\tDefault Domain Policy\n{00000000-0000-0000-0000-000000000000}\tGPO1\n{00000000-0000-0000-0000-000000000000}\tDefault Domain Controllers Policy"
+ },
+ "channel": "Security",
+ "event_id": 6144,
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "api": "wineventlog",
+ "task": "Other Policy Change Events",
+ "computer_name": "Server1.it.local",
+ "activity_id": "{495DB8C8-FA7B-0001-D6B8-5D497BFAD801}",
+ "keywords": [
+ "Audit Success"
+ ],
+ "provider_name": "Microsoft-Windows-Security-Auditing"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-6144.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-6144.json-expected.json
new file mode 100644
index 00000000000..5b0eec9609e
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-6144.json-expected.json
@@ -0,0 +1,78 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-12-01T06:54:30.830Z",
+ "agent": {
+ "ephemeral_id": "e82715b6-e60b-4870-a2ee-373516f6f032",
+ "hostname": "Server1",
+ "id": "27d0bac7-4de4-4ca5-97f7-1d1b7105b25a",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "error": {
+ "code": "0"
+ },
+ "event": {
+ "action": "security-policy-in-group-policy-objects-applied-successfully",
+ "category": [
+ "configuration"
+ ],
+ "code": "6144",
+ "created": "2022-12-01T06:54:33.114Z",
+ "kind": "event",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "Server1",
+ "id": "76330334-9e18-4aad-9113-1f1ce3fd0ff0",
+ "name": "Server1",
+ "os": {
+ "build": "14393.693",
+ "family": "windows",
+ "kernel": "1Kernel",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "platform": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "Security policy in the group policy objects has been applied successfully. \n\nReturn Code:\t0\n\nGPO List:\n{00000000-0000-0000-0000-000000000000}\tDefault Domain Policy\n{00000000-0000-0000-0000-000000000000}\tGPO1\n{00000000-0000-0000-0000-000000000000}\tDefault Domain Controllers Policy",
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "winlog": {
+ "activity_id": "{495DB8C8-FA7B-0001-D6B8-5D497BFAD801}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server1.it.local",
+ "event_data": {
+ "ErrorCode": "0",
+ "GPOList": "{00000000-0000-0000-0000-000000000000}\tDefault Domain Policy\n{00000000-0000-0000-0000-000000000000}\tGPO1\n{00000000-0000-0000-0000-000000000000}\tDefault Domain Controllers Policy"
+ },
+ "event_id": "6144",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 648,
+ "thread": {
+ "id": 6708
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "67036624",
+ "task": "Other Policy Change Events"
+ }
+ }
+ ]
+}
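Review bot: `error.code` is set to `"0"` on this success event (6144, keywords `Audit Success`), which in ECS reads as an error where none occurred and will surface in any dashboard or rule that filters on `error.code: *`. It would be cleaner for the pipeline to populate `error.code` only when `ErrorCode` is non-zero, leaving this fixture without an `error` object while the 6145 fixture (test-6145.json-expected.json, `error.code: "1332"`) keeps it. Separately, `event.type` is `["info"]` here but `["change"]` in the 6145 expected file for the failed application of the same policy; the two should agree (both `info`, or `change` for the applied case and `error` for the failed one).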
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-6145.json b/packages/system/data_stream/security/_dev/test/pipeline/test-6145.json
new file mode 100644
index 00000000000..78d23bb4596
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-6145.json
@@ -0,0 +1,66 @@
+{
+ "events": [
+ {
+ "@timestamp": "2022-12-01T07:14:14.840Z",
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "process": {
+ "pid": 648,
+ "thread": {
+ "id": 4076
+ }
+ },
+ "event_data": {
+ "ErrorCode": "1332",
+ "GPOList": "{00000000-0000-0000-0000-000000000000}\tDefault Domain Policy\n{00000000-0000-0000-0000-000000000000}\tGPO2\n{00000000-0000-0000-0000-000000000000}\tDefault Domain Controllers Policy"
+ },
+ "record_id": 57985005,
+ "task": "Other Policy Change Events",
+ "api": "wineventlog",
+ "event_id": 6145,
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "keywords": [
+ "Audit Failure"
+ ],
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "activity_id": "{D5C4EEEF-03EC-0001-01EF-C4D5EC03D901}"
+ },
+ "event": {
+ "action": "Other Policy Change Events",
+ "created": "2022-12-01T07:14:15.416Z",
+ "kind": "event",
+ "code": 6145
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "One or more errors occured while processing security policy in the group policy objects.\n\nError Code:\t1332\nGPO List:\n{00000000-0000-0000-0000-000000000000}\tDefault Domain Policy\n{00000000-0000-0000-0000-000000000000}\tGPO2\n{00000000-0000-0000-0000-000000000000}\tDefault Domain Controllers Policy",
+ "agent": {
+ "type": "winlogbeat",
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "os": {
+ "kernel": "1Kernel",
+ "build": "14393.693",
+ "platform": "windows",
+ "version": "10.0",
+ "family": "windows",
+ "name": "Windows Server 2016 Standard Evaluation"
+ },
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "name": "Server2",
+ "hostname": "Server2",
+ "architecture": "x86_64"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-6145.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-6145.json-expected.json
new file mode 100644
index 00000000000..f5afbae2036
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-6145.json-expected.json
@@ -0,0 +1,78 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-12-01T07:14:14.840Z",
+ "agent": {
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "error": {
+ "code": "1332"
+ },
+ "event": {
+ "action": "one-or-more-errors-occured-while-processing-security-policy-in-group-policy-objects",
+ "category": [
+ "configuration"
+ ],
+ "code": "6145",
+ "created": "2022-12-01T07:14:15.416Z",
+ "kind": "event",
+ "type": [
+ "change"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "Server2",
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "name": "Server2",
+ "os": {
+ "build": "14393.693",
+ "family": "windows",
+ "kernel": "1Kernel",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "platform": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "One or more errors occured while processing security policy in the group policy objects.\n\nError Code:\t1332\nGPO List:\n{00000000-0000-0000-0000-000000000000}\tDefault Domain Policy\n{00000000-0000-0000-0000-000000000000}\tGPO2\n{00000000-0000-0000-0000-000000000000}\tDefault Domain Controllers Policy",
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "winlog": {
+ "activity_id": "{D5C4EEEF-03EC-0001-01EF-C4D5EC03D901}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "ErrorCode": "1332",
+ "GPOList": "{00000000-0000-0000-0000-000000000000}\tDefault Domain Policy\n{00000000-0000-0000-0000-000000000000}\tGPO2\n{00000000-0000-0000-0000-000000000000}\tDefault Domain Controllers Policy"
+ },
+ "event_id": "6145",
+ "keywords": [
+ "Audit Failure"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 648,
+ "thread": {
+ "id": 4076
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "57985005",
+ "task": "Other Policy Change Events"
+ }
+ }
+ ]
+}
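Review bot: none of the new expected outputs, including this `Audit Failure` one, carry `event.outcome`; if the pipeline derives `event.outcome` from `winlog.keywords` for other event codes (not visible from the fixtures alone), these files would pin its absence for 5446–5449, 6144–6145 and 6416, and `"outcome": "failure"` here is exactly what rules on policy-application failures would key on. The `event.action` value also carries the `occured` misspelling from the Windows message text; because consumers will copy this literal into queries, consider spelling it `one-or-more-errors-occurred-while-processing-security-policy-in-group-policy-objects` before it ships.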
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-6416.json b/packages/system/data_stream/security/_dev/test/pipeline/test-6416.json
new file mode 100644
index 00000000000..ec3e62af971
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-6416.json
@@ -0,0 +1,64 @@
+{
+ "events": [
+ {
+ "@timestamp": "2023-01-09T07:04:28.811Z",
+ "winlog": {
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "task": "Plug and Play Events",
+ "api": "wineventlog",
+ "event_data": {
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x3e7",
+ "ClassId": "{00000000-0000-0000-0000-000000000000}",
+ "DeviceDescription": "Fax (redirected 2)",
+ "CompatibleIds": "\n\t\tGenPrintQueue\n\t\tSWD\\GenericRaw\n\t\tSWD\\Generic\n\t\t\n\t\t",
+ "VendorIds": "\n\t\tPRINTENUM\\microsoftmicrosoft_s7d14\n\t\tPRINTENUM\\LocalPrintQueue\n\t\tmicrosoftmicrosoft_s7d14\n\t\t\n\t\t",
+ "LocationInformation": "-",
+ "SubjectUserName": "SERVER2$",
+ "DeviceId": "SWD\\PRINTENUM\\{00000000-0000-0000-0000-000000000000}",
+ "ClassName": "PrintQueue",
+ "SubjectUserSid": "S-1-5-18"
+ },
+ "channel": "Security",
+ "event_id": 6416,
+ "computer_name": "Server2.test1.local",
+ "opcode": "Info",
+ "process": {
+ "thread": {
+ "id": 6988
+ },
+ "pid": 4
+ },
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 650005840,
+ "keywords": [
+ "Audit Success"
+ ],
+ "version": 1
+ },
+ "event": {
+ "kind": "event",
+ "code": 6416,
+ "action": "Plug and Play Events",
+ "created": "2023-01-09T07:04:42.013Z"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A new external device was recognized by the system.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSERVER2$\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x3E7\n\nDevice ID:\tSWD\\PRINTENUM\\{00000000-0000-0000-0000-000000000000}\n\nDevice Name:\tFax (redirected 2)\n\nClass ID:\t\t{00000000-0000-0000-0000-000000000000}\n\nClass Name:\tPrintQueue\n\nVendor IDs:\t\n\t\tPRINTENUM\\microsoftmicrosoft_s7d14\n\t\tPRINTENUM\\LocalPrintQueue\n\t\tmicrosoftmicrosoft_s7d14\n\t\t\n\t\t\n\nCompatible IDs:\t\n\t\tGenPrintQueue\n\t\tSWD\\GenericRaw\n\t\tSWD\\Generic\n\t\t\n\t\t\n\nLocation Information:\t-",
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "agent": {
+ "version": "7.3.1",
+ "type": "winlogbeat",
+ "ephemeral_id": "7af11293-39b6-4555-82f1-2653ee510182",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-6416.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-6416.json-expected.json
new file mode 100644
index 00000000000..e5768d14b1f
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-6416.json-expected.json
@@ -0,0 +1,90 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-01-09T07:04:28.811Z",
+ "agent": {
+ "ephemeral_id": "7af11293-39b6-4555-82f1-2653ee510182",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "device": {
+ "id": "SWD\\PRINTENUM\\{00000000-0000-0000-0000-000000000000}",
+ "model": {
+ "name": "Fax (redirected 2)"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "new-external-device-recognized-by-system",
+ "category": [
+ "process"
+ ],
+ "code": "6416",
+ "created": "2023-01-09T07:04:42.013Z",
+ "kind": "event",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "name": "Server2"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A new external device was recognized by the system.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSERVER2$\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x3E7\n\nDevice ID:\tSWD\\PRINTENUM\\{00000000-0000-0000-0000-000000000000}\n\nDevice Name:\tFax (redirected 2)\n\nClass ID:\t\t{00000000-0000-0000-0000-000000000000}\n\nClass Name:\tPrintQueue\n\nVendor IDs:\t\n\t\tPRINTENUM\\microsoftmicrosoft_s7d14\n\t\tPRINTENUM\\LocalPrintQueue\n\t\tmicrosoftmicrosoft_s7d14\n\t\t\n\t\t\n\nCompatible IDs:\t\n\t\tGenPrintQueue\n\t\tSWD\\GenericRaw\n\t\tSWD\\Generic\n\t\t\n\t\t\n\nLocation Information:\t-",
+ "related": {
+ "user": [
+ "SERVER2$"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "TEST1",
+ "id": "S-1-5-18",
+ "name": "SERVER2$"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "ClassName": "PrintQueue",
+ "CompatibleIds": "\n\t\tGenPrintQueue\n\t\tSWD\\GenericRaw\n\t\tSWD\\Generic\n\t\t\n\t\t",
+ "DeviceDescription": "Fax (redirected 2)",
+ "DeviceId": "SWD\\PRINTENUM\\{00000000-0000-0000-0000-000000000000}",
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x3e7",
+ "SubjectUserName": "SERVER2$",
+ "SubjectUserSid": "S-1-5-18",
+ "VendorIds": "\n\t\tPRINTENUM\\microsoftmicrosoft_s7d14\n\t\tPRINTENUM\\LocalPrintQueue\n\t\tmicrosoftmicrosoft_s7d14\n\t\t\n\t\t"
+ },
+ "event_id": "6416",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x3e7"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 6988
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "650005840",
+ "task": "Plug and Play Events",
+ "version": 1
+ }
+ }
+ ]
+}
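Review bot: `event.category` is `["process"]` for 6416 ("A new external device was recognized by the system"), which is a Plug and Play device event rather than a process event; ECS has no `device` category, but `["host"]` (or `["configuration"]`, as the policy-change fixtures above use) with `type: ["info"]` would describe it better and keep it out of process-centric views. If `process` was chosen deliberately for parity with an existing mapping, a comment in the pipeline saying so would save the next reviewer the same question. The `device.id`/`device.model.name` mapping and the `user.domain`/`user.name` split look right.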
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-6419.json b/packages/system/data_stream/security/_dev/test/pipeline/test-6419.json
new file mode 100644
index 00000000000..84dc96caa8b
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-6419.json
@@ -0,0 +1,74 @@
+{
+ "events": [
+ {
+ "@timestamp": "2022-11-29T12:51:31.286Z",
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "architecture": "x86_64",
+ "os": {
+ "version": "10.0",
+ "family": "windows",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "kernel": "10.0.14393.693 (rs1_release.161220-1747)",
+ "build": "14393.693",
+ "platform": "windows"
+ },
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "hostname": "Server2",
+ "name": "Server2"
+ },
+ "winlog": {
+ "channel": "Security",
+ "process": {
+ "pid": 5016,
+ "thread": {
+ "id": 5392
+ }
+ },
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 24515072,
+ "keywords": [
+ "Audit Success"
+ ],
+ "event_data": {
+ "CompatibleIds": "SCSI\\Disk",
+ "ClassName": "Mouse",
+ "SubjectUserSid": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "SubjectUserName": "Administrator",
+ "DeviceId": "HID\\VID_0E0F&PID_0003&MI_01\\8&95BC71C&0&0000",
+ "SubjectLogonId": "0x4f88a",
+ "HardwareIds": "\n\t\tHID\\VID_0E0F&PID_0003&REV_0102&MI_01\n\t\tHID\\VID_0E0F&PID_0003&MI_01\n\t\tHID\\VID_0E0F&UP:0001_U:0002\n\t\tHID_DEVICE_SYSTEM_MOUSE\n\t\tHID_DEVICE_UP:0001_U:0002\n\t\tHID_DEVICE\n\t\t\n\t\t",
+ "DeviceDescription": "VMware USB Pointing Device",
+ "LocationInformation": "-",
+ "SubjectDomainName": "TEST1",
+ "ClassId": "{0000000X-0000-0000-0000-000000000000}"
+ },
+ "event_id": 6419,
+ "task": "Plug and Play Events",
+ "computer_name": "Server2.test1.local",
+ "opcode": "Info",
+ "api": "wineventlog",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}"
+ },
+ "event": {
+ "kind": "event",
+ "code": 6419,
+ "action": "Plug and Play Events",
+ "created": "2022-11-29T12:51:32.624Z"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A request was made to disable a device.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1280187532-2219128962-763009249-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x4F88A\n\nDevice ID:\tHID\\VID_0E0F&PID_0003&MI_01\\8&95BC71C&0&0000\n\nDevice Name:\tVMware USB Pointing Device\n\nClass ID:\t\t{00000000-0000-0000-0000-000000000000}\n\nClass Name:\tMouse\n\nHardware IDs:\t\n\t\tHID\\VID_0E0F&PID_0003&REV_0102&MI_01\n\t\tHID\\VID_0E0F&PID_0003&MI_01\n\t\tHID\\VID_0E0F&UP:0001_U:0002\n\t\tHID_DEVICE_SYSTEM_MOUSE\n\t\tHID_DEVICE_UP:0001_U:0002\n\t\tHID_DEVICE\n\t\t\n\t\t\n\nCompatible IDs:\t\n\t\t\n\t\t\n\nLocation Information:\t-",
+ "agent": {
+ "type": "winlogbeat",
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1"
+ }
+ }
+ ]
+}
\ No newline at end of file
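Review bot: The `ClassId` in this fixture (`{0000000X-0000-0000-0000-000000000000}`) is not a valid GUID, and it disagrees with the all-zero `Class ID` inside the same event's `message`; the 6420, 6421 and 6422 inputs carry the same kind of `X` placeholder. The expected outputs pass the value through untouched, so nothing breaks today, but the fixtures then cannot be trusted as evidence that the pipeline copes with real class GUIDs, and the mismatch with the message text looks like an anonymisation slip rather than intent. Either use the all-zero GUID from the message in `ClassId` as well, or add a short note in the fixture's sibling documentation explaining that the value is deliberately malformed.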
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-6419.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-6419.json-expected.json
new file mode 100644
index 00000000000..f40b1667506
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-6419.json-expected.json
@@ -0,0 +1,108 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-11-29T12:51:31.286Z",
+ "agent": {
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "device": {
+ "id": "HID\\VID_0E0F&PID_0003&MI_01\\8&95BC71C&0&0000",
+ "model": {
+ "name": "VMware USB Pointing Device"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "request-was-made-to-disable-device",
+ "category": [
+ "configuration"
+ ],
+ "code": "6419",
+ "created": "2022-11-29T12:51:32.624Z",
+ "kind": "event",
+ "type": [
+ "change"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "Server2",
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "name": "Server2",
+ "os": {
+ "build": "14393.693",
+ "family": "windows",
+ "kernel": "10.0.14393.693 (rs1_release.161220-1747)",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "platform": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A request was made to disable a device.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1280187532-2219128962-763009249-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x4F88A\n\nDevice ID:\tHID\\VID_0E0F&PID_0003&MI_01\\8&95BC71C&0&0000\n\nDevice Name:\tVMware USB Pointing Device\n\nClass ID:\t\t{00000000-0000-0000-0000-000000000000}\n\nClass Name:\tMouse\n\nHardware IDs:\t\n\t\tHID\\VID_0E0F&PID_0003&REV_0102&MI_01\n\t\tHID\\VID_0E0F&PID_0003&MI_01\n\t\tHID\\VID_0E0F&UP:0001_U:0002\n\t\tHID_DEVICE_SYSTEM_MOUSE\n\t\tHID_DEVICE_UP:0001_U:0002\n\t\tHID_DEVICE\n\t\t\n\t\t\n\nCompatible IDs:\t\n\t\t\n\t\t\n\nLocation Information:\t-",
+ "related": {
+ "user": [
+ "Administrator"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "TEST1",
+ "id": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "name": "Administrator"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "ClassId": "{0000000X-0000-0000-0000-000000000000}",
+ "ClassName": "Mouse",
+ "CompatibleIds": "SCSI\\Disk",
+ "DeviceDescription": "VMware USB Pointing Device",
+ "DeviceId": "HID\\VID_0E0F&PID_0003&MI_01\\8&95BC71C&0&0000",
+ "HardwareIds": [
+ "HID\\VID_0E0F&PID_0003&REV_0102&MI_01",
+ "HID\\VID_0E0F&PID_0003&MI_01",
+ "HID\\VID_0E0F&UP:0001_U:0002",
+ "HID_DEVICE_SYSTEM_MOUSE",
+ "HID_DEVICE_UP:0001_U:0002",
+ "HID_DEVICE"
+ ],
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x4f88a",
+ "SubjectUserName": "Administrator",
+ "SubjectUserSid": "S-1-5-21-1280187532-2219128962-763009249-500"
+ },
+ "event_id": "6419",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x4f88a"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 5016,
+ "thread": {
+ "id": 5392
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "24515072",
+ "task": "Plug and Play Events"
+ }
+ }
+ ]
+}
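Review bot: `HardwareIds` is normalised from the tab/newline-delimited string in the input into a proper array here, but the other multi-valued PnP fields are not given the same treatment: the 6416 expected output earlier in this diff leaves `CompatibleIds` and `VendorIds` as raw `"\n\t\t..."` strings, and in this fixture `CompatibleIds` only has a single value so the split path is never exercised for it. For detection content that wants to match on an individual compatible or vendor ID, a string with embedded tabs and trailing empty entries is much harder to query than the array form used for `HardwareIds`. If the pipeline's split step is scoped to `HardwareIds` only (it is outside this diff), extending it to `CompatibleIds` and `VendorIds` and regenerating these expected files would make the three fields consistent; the same applies to the 6420, 6421 and 6422 expected outputs.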
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-6420.json b/packages/system/data_stream/security/_dev/test/pipeline/test-6420.json
new file mode 100644
index 00000000000..2e4f90b8d1c
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-6420.json
@@ -0,0 +1,74 @@
+{
+ "events": [
+ {
+ "@timestamp": "2022-11-29T12:51:31.287Z",
+ "winlog": {
+ "event_id": 6420,
+ "computer_name": "Server2.test1.local",
+ "channel": "Security",
+ "process": {
+ "thread": {
+ "id": 3480
+ },
+ "pid": 4
+ },
+ "event_data": {
+ "HardwareIds": "\n\t\tHID\\VID_0E0F&PID_0003&REV_0102&MI_01\n\t\tHID\\VID_0E0F&PID_0003&MI_01\n\t\tHID\\VID_0E0F&UP:0001_U:0002\n\t\tHID_DEVICE_SYSTEM_MOUSE\n\t\tHID_DEVICE_UP:0001_U:0002\n\t\tHID_DEVICE\n\t\t\n\t\t",
+ "SubjectUserSid": "S-1-5-18",
+ "SubjectUserName": "SERVER2$",
+ "SubjectDomainName": "TEST1",
+ "LocationInformation": "-",
+ "SubjectLogonId": "0x3e7",
+ "DeviceId": "HID\\VID_0E0F&PID_0003&MI_01\\8&95bc71c&0&0000",
+ "ClassId": "{0000000X-0000-000X-0000-000000000000}",
+ "CompatibleIds": "SCSI\\Disk",
+ "DeviceDescription": "VMware USB Pointing Device",
+ "ClassName": "Mouse"
+ },
+ "api": "wineventlog",
+ "opcode": "Info",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "task": "Plug and Play Events",
+ "keywords": [
+ "Audit Success"
+ ],
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "record_id": 24515074
+ },
+ "event": {
+ "kind": "event",
+ "code": 6420,
+ "action": "Plug and Play Events",
+ "created": "2022-11-29T12:51:32.624Z"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A device was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSERVER2$\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x3E7\n\nDevice ID:\tHID\\VID_0E0F&PID_0003&MI_01\\8&95bc71c&0&0000\n\nDevice Name:\tVMware USB Pointing Device\n\nClass ID:\t\t{00000000-0000-0000-0000-000000000000}\n\nClass Name:\tMouse\n\nHardware IDs:\t\n\t\tHID\\VID_0E0F&PID_0003&REV_0102&MI_01\n\t\tHID\\VID_0E0F&PID_0003&MI_01\n\t\tHID\\VID_0E0F&UP:0001_U:0002\n\t\tHID_DEVICE_SYSTEM_MOUSE\n\t\tHID_DEVICE_UP:0001_U:0002\n\t\tHID_DEVICE\n\t\t\n\t\t\n\nCompatible IDs:\t\n\t\t\n\t\t\n\nLocation Information:\t-",
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "name": "Server2",
+ "hostname": "Server2",
+ "architecture": "x86_64",
+ "os": {
+ "build": "14393.693",
+ "platform": "windows",
+ "version": "10.0",
+ "family": "windows",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "kernel": "10.0.14393.693 (rs1_release.161220-1747)"
+ },
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106"
+ },
+ "agent": {
+ "version": "7.3.1",
+ "type": "winlogbeat",
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-6420.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-6420.json-expected.json
new file mode 100644
index 00000000000..519fbafecd2
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-6420.json-expected.json
@@ -0,0 +1,109 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-11-29T12:51:31.287Z",
+ "agent": {
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "device": {
+ "id": "HID\\VID_0E0F&PID_0003&MI_01\\8&95bc71c&0&0000",
+ "model": {
+ "name": "VMware USB Pointing Device"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "device-was-disabled",
+ "category": [
+ "process"
+ ],
+ "code": "6420",
+ "created": "2022-11-29T12:51:32.624Z",
+ "kind": "event",
+ "type": [
+ "change",
+ "end"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "Server2",
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "name": "Server2",
+ "os": {
+ "build": "14393.693",
+ "family": "windows",
+ "kernel": "10.0.14393.693 (rs1_release.161220-1747)",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "platform": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A device was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSERVER2$\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x3E7\n\nDevice ID:\tHID\\VID_0E0F&PID_0003&MI_01\\8&95bc71c&0&0000\n\nDevice Name:\tVMware USB Pointing Device\n\nClass ID:\t\t{00000000-0000-0000-0000-000000000000}\n\nClass Name:\tMouse\n\nHardware IDs:\t\n\t\tHID\\VID_0E0F&PID_0003&REV_0102&MI_01\n\t\tHID\\VID_0E0F&PID_0003&MI_01\n\t\tHID\\VID_0E0F&UP:0001_U:0002\n\t\tHID_DEVICE_SYSTEM_MOUSE\n\t\tHID_DEVICE_UP:0001_U:0002\n\t\tHID_DEVICE\n\t\t\n\t\t\n\nCompatible IDs:\t\n\t\t\n\t\t\n\nLocation Information:\t-",
+ "related": {
+ "user": [
+ "SERVER2$"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "TEST1",
+ "id": "S-1-5-18",
+ "name": "SERVER2$"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "ClassId": "{0000000X-0000-000X-0000-000000000000}",
+ "ClassName": "Mouse",
+ "CompatibleIds": "SCSI\\Disk",
+ "DeviceDescription": "VMware USB Pointing Device",
+ "DeviceId": "HID\\VID_0E0F&PID_0003&MI_01\\8&95bc71c&0&0000",
+ "HardwareIds": [
+ "HID\\VID_0E0F&PID_0003&REV_0102&MI_01",
+ "HID\\VID_0E0F&PID_0003&MI_01",
+ "HID\\VID_0E0F&UP:0001_U:0002",
+ "HID_DEVICE_SYSTEM_MOUSE",
+ "HID_DEVICE_UP:0001_U:0002",
+ "HID_DEVICE"
+ ],
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x3e7",
+ "SubjectUserName": "SERVER2$",
+ "SubjectUserSid": "S-1-5-18"
+ },
+ "event_id": "6420",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x3e7"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 3480
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "24515074",
+ "task": "Plug and Play Events"
+ }
+ }
+ ]
+}
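Review bot: `event.category: ["process"]` with `event.type: ["change", "end"]` is a doubtful ECS mapping for event 6420 ("A device was disabled"): nothing in the event concerns a process, and the companion request event 6419 is categorised as `configuration`/`change`. The 6422 expected output ("A device was enabled") is given the identical `process`/`["change", "end"]` pair, so the `end` type does not even distinguish disabling from enabling. The mapping itself lives in the pipeline, which is outside this diff, but the fixtures fix it in place; `"category": ["configuration"]` and `"type": ["change"]` (matching 6419/6421) would be the safer expectation, so that rules filtering on `event.category: process` are not flooded with PnP audit records.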
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-6421.json b/packages/system/data_stream/security/_dev/test/pipeline/test-6421.json
new file mode 100644
index 00000000000..543276ae08d
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-6421.json
@@ -0,0 +1,74 @@
+{
+ "events": [
+ {
+ "@timestamp": "2022-11-29T12:51:35.820Z",
+ "event": {
+ "action": "Plug and Play Events",
+ "created": "2022-11-29T12:51:36.810Z",
+ "kind": "event",
+ "code": 6421
+ },
+ "log": {
+ "level": "information"
+ },
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "host": {
+ "name": "Server2",
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "hostname": "Server2",
+ "architecture": "x86_64",
+ "os": {
+ "build": "14393.693",
+ "platform": "windows",
+ "version": "10.0",
+ "family": "windows",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "kernel": "10.0.14393.693 (rs1_release.161220-1747)"
+ }
+ },
+ "agent": {
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1",
+ "type": "winlogbeat",
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2"
+ },
+ "message": "A request was made to enable a device.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1280187532-2219128962-763009249-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x4F88A\n\nDevice ID:\tHID\\VID_0E0F&PID_0003&MI_01\\8&95BC71C&0&0000\n\nDevice Name:\tVMware USB Pointing Device\n\nClass ID:\t\t{00000000-0000-0000-0000-000000000000}\n\nClass Name:\tMouse\n\nHardware IDs:\t\n\t\tHID\\VID_0E0F&PID_0003&REV_0102&MI_01\n\t\tHID\\VID_0E0F&PID_0003&MI_01\n\t\tHID\\VID_0E0F&UP:0001_U:0002\n\t\tHID_DEVICE_SYSTEM_MOUSE\n\t\tHID_DEVICE_UP:0001_U:0002\n\t\tHID_DEVICE\n\t\t\n\t\t\n\nCompatible IDs:\t\n\t\t\n\t\t\n\nLocation Information:\t-",
+ "winlog": {
+ "event_id": 6421,
+ "opcode": "Info",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "SubjectUserName": "Administrator",
+ "SubjectDomainName": "TEST1",
+ "ClassName": "Mouse",
+ "LocationInformation": "-",
+ "DeviceId": "HID\\VID_0E0F&PID_0003&MI_01\\8&95BC71C&0&0000",
+ "ClassId": "{0000000X-0000-X000-0000-000000000000}",
+ "HardwareIds": "\n\t\tHID\\VID_0E0F&PID_0003&REV_0102&MI_01\n\t\tHID\\VID_0E0F&PID_0003&MI_01\n\t\tHID\\VID_0E0F&UP:0001_U:0002\n\t\tHID_DEVICE_SYSTEM_MOUSE\n\t\tHID_DEVICE_UP:0001_U:0002\n\t\tHID_DEVICE\n\t\t\n\t\t",
+ "CompatibleIds": "SCSI\\Disk",
+ "SubjectUserSid": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "SubjectLogonId": "0x4f88a",
+ "DeviceDescription": "VMware USB Pointing Device"
+ },
+ "record_id": 24518238,
+ "task": "Plug and Play Events",
+ "api": "wineventlog",
+ "keywords": [
+ "Audit Success"
+ ],
+ "process": {
+ "thread": {
+ "id": 5392
+ },
+ "pid": 5016
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-6421.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-6421.json-expected.json
new file mode 100644
index 00000000000..a1850e63cf6
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-6421.json-expected.json
@@ -0,0 +1,108 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-11-29T12:51:35.820Z",
+ "agent": {
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "device": {
+ "id": "HID\\VID_0E0F&PID_0003&MI_01\\8&95BC71C&0&0000",
+ "model": {
+ "name": "VMware USB Pointing Device"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "request-was-made-to-enable-device",
+ "category": [
+ "configuration"
+ ],
+ "code": "6421",
+ "created": "2022-11-29T12:51:36.810Z",
+ "kind": "event",
+ "type": [
+ "change"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "Server2",
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "name": "Server2",
+ "os": {
+ "build": "14393.693",
+ "family": "windows",
+ "kernel": "10.0.14393.693 (rs1_release.161220-1747)",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "platform": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A request was made to enable a device.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1280187532-2219128962-763009249-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x4F88A\n\nDevice ID:\tHID\\VID_0E0F&PID_0003&MI_01\\8&95BC71C&0&0000\n\nDevice Name:\tVMware USB Pointing Device\n\nClass ID:\t\t{00000000-0000-0000-0000-000000000000}\n\nClass Name:\tMouse\n\nHardware IDs:\t\n\t\tHID\\VID_0E0F&PID_0003&REV_0102&MI_01\n\t\tHID\\VID_0E0F&PID_0003&MI_01\n\t\tHID\\VID_0E0F&UP:0001_U:0002\n\t\tHID_DEVICE_SYSTEM_MOUSE\n\t\tHID_DEVICE_UP:0001_U:0002\n\t\tHID_DEVICE\n\t\t\n\t\t\n\nCompatible IDs:\t\n\t\t\n\t\t\n\nLocation Information:\t-",
+ "related": {
+ "user": [
+ "Administrator"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "TEST1",
+ "id": "S-1-5-21-1280187532-2219128962-763009249-500",
+ "name": "Administrator"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "ClassId": "{0000000X-0000-X000-0000-000000000000}",
+ "ClassName": "Mouse",
+ "CompatibleIds": "SCSI\\Disk",
+ "DeviceDescription": "VMware USB Pointing Device",
+ "DeviceId": "HID\\VID_0E0F&PID_0003&MI_01\\8&95BC71C&0&0000",
+ "HardwareIds": [
+ "HID\\VID_0E0F&PID_0003&REV_0102&MI_01",
+ "HID\\VID_0E0F&PID_0003&MI_01",
+ "HID\\VID_0E0F&UP:0001_U:0002",
+ "HID_DEVICE_SYSTEM_MOUSE",
+ "HID_DEVICE_UP:0001_U:0002",
+ "HID_DEVICE"
+ ],
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x4f88a",
+ "SubjectUserName": "Administrator",
+ "SubjectUserSid": "S-1-5-21-1280187532-2219128962-763009249-500"
+ },
+ "event_id": "6421",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x4f88a"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 5016,
+ "thread": {
+ "id": 5392
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "24518238",
+ "task": "Plug and Play Events"
+ }
+ }
+ ]
+}
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-6422.json b/packages/system/data_stream/security/_dev/test/pipeline/test-6422.json
new file mode 100644
index 00000000000..dc7369cc6ad
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-6422.json
@@ -0,0 +1,74 @@
+{
+ "events": [
+ {
+ "@timestamp": "2022-11-29T12:51:35.820Z",
+ "host": {
+ "os": {
+ "platform": "windows",
+ "version": "10.0",
+ "family": "windows",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "kernel": "10.0.14393.693 (rs1_release.161220-1747)",
+ "build": "14393.693"
+ },
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "name": "Server2",
+ "hostname": "Server2",
+ "architecture": "x86_64"
+ },
+ "agent": {
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "version": "7.3.1",
+ "type": "winlogbeat"
+ },
+ "ecs": {
+ "version": "1.0.1"
+ },
+ "winlog": {
+ "event_id": 6422,
+ "channel": "Security",
+ "api": "wineventlog",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 312
+ }
+ },
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "computer_name": "Server2.test1.local",
+ "keywords": [
+ "Audit Success"
+ ],
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "task": "Plug and Play Events",
+ "opcode": "Info",
+ "event_data": {
+ "CompatibleIds": "SCSI\\Disk",
+ "LocationInformation": "-",
+ "SubjectUserSid": "S-1-5-18",
+ "DeviceId": "HID\\VID_0E0F&PID_0003&MI_01\\8&95bc71c&0&0000",
+ "SubjectLogonId": "0x3e7",
+ "DeviceDescription": "VMware USB Pointing Device",
+ "HardwareIds": "\n\t\tHID\\VID_0E0F&PID_0003&REV_0102&MI_01\n\t\tHID\\VID_0E0F&PID_0003&MI_01\n\t\tHID\\VID_0E0F&UP:0001_U:0002\n\t\tHID_DEVICE_SYSTEM_MOUSE\n\t\tHID_DEVICE_UP:0001_U:0002\n\t\tHID_DEVICE\n\t\t\n\t\t",
+ "SubjectUserName": "SERVER2$",
+ "SubjectDomainName": "TEST1",
+ "ClassId": "{0000000X-0000-X000-0000-000000000000}",
+ "ClassName": "Mouse"
+ },
+ "record_id": 24518240
+ },
+ "event": {
+ "action": "Plug and Play Events",
+ "created": "2022-11-29T12:51:36.810Z",
+ "kind": "event",
+ "code": 6422
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A device was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSERVER2$\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x3E7\n\nDevice ID:\tHID\\VID_0E0F&PID_0003&MI_01\\8&95bc71c&0&0000\n\nDevice Name:\tVMware USB Pointing Device\n\nClass ID:\t\t{00000000-0000-0000-0000-000000000000}\n\nClass Name:\tMouse\n\nHardware IDs:\t\n\t\tHID\\VID_0E0F&PID_0003&REV_0102&MI_01\n\t\tHID\\VID_0E0F&PID_0003&MI_01\n\t\tHID\\VID_0E0F&UP:0001_U:0002\n\t\tHID_DEVICE_SYSTEM_MOUSE\n\t\tHID_DEVICE_UP:0001_U:0002\n\t\tHID_DEVICE\n\t\t\n\t\t\n\nCompatible IDs:\t\n\t\t\n\t\t\n\nLocation Information:\t-"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-6422.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-6422.json-expected.json
new file mode 100644
index 00000000000..9f5fb5465e5
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-6422.json-expected.json
@@ -0,0 +1,109 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2022-11-29T12:51:35.820Z",
+ "agent": {
+ "ephemeral_id": "8c3cefcf-c4db-469b-96eb-94772dc04d87",
+ "hostname": "Server2",
+ "id": "e01362f3-fc45-4ba1-ac8a-52501b2c3abb",
+ "type": "winlogbeat",
+ "version": "7.3.1"
+ },
+ "device": {
+ "id": "HID\\VID_0E0F&PID_0003&MI_01\\8&95bc71c&0&0000",
+ "model": {
+ "name": "VMware USB Pointing Device"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "device-was-enabled",
+ "category": [
+ "process"
+ ],
+ "code": "6422",
+ "created": "2022-11-29T12:51:36.810Z",
+ "kind": "event",
+ "type": [
+ "change",
+ "end"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "Server2",
+ "id": "8dd6afca-a113-4b43-900f-46b24b7de106",
+ "name": "Server2",
+ "os": {
+ "build": "14393.693",
+ "family": "windows",
+ "kernel": "10.0.14393.693 (rs1_release.161220-1747)",
+ "name": "Windows Server 2016 Standard Evaluation",
+ "platform": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A device was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSERVER2$\n\tAccount Domain:\t\tTEST1\n\tLogon ID:\t\t0x3E7\n\nDevice ID:\tHID\\VID_0E0F&PID_0003&MI_01\\8&95bc71c&0&0000\n\nDevice Name:\tVMware USB Pointing Device\n\nClass ID:\t\t{00000000-0000-0000-0000-000000000000}\n\nClass Name:\tMouse\n\nHardware IDs:\t\n\t\tHID\\VID_0E0F&PID_0003&REV_0102&MI_01\n\t\tHID\\VID_0E0F&PID_0003&MI_01\n\t\tHID\\VID_0E0F&UP:0001_U:0002\n\t\tHID_DEVICE_SYSTEM_MOUSE\n\t\tHID_DEVICE_UP:0001_U:0002\n\t\tHID_DEVICE\n\t\t\n\t\t\n\nCompatible IDs:\t\n\t\t\n\t\t\n\nLocation Information:\t-",
+ "related": {
+ "user": [
+ "SERVER2$"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "TEST1",
+ "id": "S-1-5-18",
+ "name": "SERVER2$"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "Server2.test1.local",
+ "event_data": {
+ "ClassId": "{0000000X-0000-X000-0000-000000000000}",
+ "ClassName": "Mouse",
+ "CompatibleIds": "SCSI\\Disk",
+ "DeviceDescription": "VMware USB Pointing Device",
+ "DeviceId": "HID\\VID_0E0F&PID_0003&MI_01\\8&95bc71c&0&0000",
+ "HardwareIds": [
+ "HID\\VID_0E0F&PID_0003&REV_0102&MI_01",
+ "HID\\VID_0E0F&PID_0003&MI_01",
+ "HID\\VID_0E0F&UP:0001_U:0002",
+ "HID_DEVICE_SYSTEM_MOUSE",
+ "HID_DEVICE_UP:0001_U:0002",
+ "HID_DEVICE"
+ ],
+ "SubjectDomainName": "TEST1",
+ "SubjectLogonId": "0x3e7",
+ "SubjectUserName": "SERVER2$",
+ "SubjectUserSid": "S-1-5-18"
+ },
+ "event_id": "6422",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x3e7"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 312
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "24518240",
+ "task": "Plug and Play Events"
+ }
+ }
+ ]
+}
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-common-config.yml b/packages/system/data_stream/security/_dev/test/pipeline/test-common-config.yml
index e071d397ddf..02574821640 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-common-config.yml
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-common-config.yml
@@ -1,2 +1,5 @@
dynamic_fields:
"event.ingested": ".*"
+fields:
+ tags:
+ - preserve_duplicate_custom_fields
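Review bot: Adding `fields.tags: [preserve_duplicate_custom_fields]` to the common config applies the tag to every pipeline test in this data stream, so the untagged path — presumably the default in production, where the duplicated `winlog.event_data` copies are dropped — is no longer exercised by any of these fixtures. The rest of this diff confirms the effect: every expected file had to gain the `tags` block, and none keeps the pruned shape. Keep at least one fixture on the default path, for example by overriding `fields` in a per-test config for one of the existing events, and add a comment above these lines such as `# Applied to every pipeline test in this directory; tests for the default (pruned) output must override fields in their own config.`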
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-log-5136.json b/packages/system/data_stream/security/_dev/test/pipeline/test-log-5136.json
new file mode 100644
index 00000000000..f6306cfbd5b
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-log-5136.json
@@ -0,0 +1,54 @@
+{
+ "events": [
+ {
+ "event": {
+ "code": "5136",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing"
+ },
+ "host": {
+ "name": "DC01.contoso.local"
+ },
+ "log": {
+ "level": "information"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "DC01.contoso.local",
+ "event_data": {
+ "SubjectDomainName": "CONTOSO",
+ "SubjectLogonId": "0x32004",
+ "SubjectUserName": "dadmin",
+ "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104",
+ "DSName": "sample.com",
+ "DSType": "Active Directory Domain Services",
+ "ObjectDN": "cn={0AB54C97-8836-43BB-9B53- 87556DD51F30},cn=policies,cn=system,DC=sample,DC=com",
+ "ObjectGUID": "CN={0AB54C97-8836-43BB-9B53- 87556DD51F30},CN=Policies,CN=System,DC=acme,DC=com",
+ "ObjectClass": "groupPolicyContainer",
+ "AttributeLDAPDisplayName": "versionNumber",
+ "AttributeSyntaxOID": "2.5.5.9",
+ "AttributeValue": "4",
+ "OperationType": "Value Added",
+ "OpCorrelationID": "{ff320a1e-447a-4bb1-9196-bb3469a00b55}",
+ "AppCorrelationID": "{ff320a1e-447a}"
+ },
+ "event_id": "5136",
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 516,
+ "thread": {
+ "id": 4020
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 410204,
+ "time_created": "2015-08-28T17:36:04.1294726Z"
+ }
+ }
+ ]
+}
\ No newline at end of file
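Review bot: The 5136 fixture's `ObjectGUID` holds a distinguished name (`CN={...},CN=Policies,CN=System,DC=acme,DC=com`) rather than a GUID, `ObjectDN` names the domain `sample` while `ObjectGUID` names `acme`, and both carry a stray space inside the GUID (`9B53- 87556DD51F30`); this looks like it was pasted from a documentation sample rather than captured from a host. The expected output reproduces all three quirks verbatim, so the test passes, but it means the fixture never shows what a real 5136 record looks like for anyone writing a detection on `ObjectGUID` or `ObjectDN`. Replacing `ObjectGUID` with a bare GUID and removing the space would make the sample representative without changing what the pipeline is being tested for.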
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-log-5136.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-log-5136.json-expected.json
new file mode 100644
index 00000000000..00d8ccced14
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-log-5136.json-expected.json
@@ -0,0 +1,83 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2015-08-28T17:36:04.129Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "directory-service-object-modified",
+ "category": [
+ "iam",
+ "configuration"
+ ],
+ "code": "5136",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "admin",
+ "change"
+ ]
+ },
+ "host": {
+ "name": "DC01.contoso.local"
+ },
+ "log": {
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "dadmin"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "CONTOSO",
+ "id": "S-1-5-21-3457937927-2839227994-823803824-1104",
+ "name": "dadmin"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "DC01.contoso.local",
+ "event_data": {
+ "AppCorrelationID": "{ff320a1e-447a}",
+ "AttributeLDAPDisplayName": "versionNumber",
+ "AttributeSyntaxOID": "2.5.5.9",
+ "AttributeValue": "4",
+ "DSName": "sample.com",
+ "DSType": "Active Directory Domain Services",
+ "ObjectClass": "groupPolicyContainer",
+ "ObjectDN": "cn={0AB54C97-8836-43BB-9B53- 87556DD51F30},cn=policies,cn=system,DC=sample,DC=com",
+ "ObjectGUID": "CN={0AB54C97-8836-43BB-9B53- 87556DD51F30},CN=Policies,CN=System,DC=acme,DC=com",
+ "OpCorrelationID": "{ff320a1e-447a-4bb1-9196-bb3469a00b55}",
+ "OperationType": "Value Added",
+ "SubjectDomainName": "CONTOSO",
+ "SubjectLogonId": "0x32004",
+ "SubjectUserName": "dadmin",
+ "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104"
+ },
+ "event_id": "5136",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x32004"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 516,
+ "thread": {
+ "id": 4020
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "410204",
+ "time_created": "2015-08-28T17:36:04.1294726Z"
+ }
+ }
+ ]
+}
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json-expected.json
index ac1572d23a1..b66bac4af98 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json-expected.json
@@ -42,6 +42,9 @@
"ip": "10.0.0.100",
"port": 49212
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-21-3457937927-2839227994-823803824-1104",
@@ -140,6 +143,9 @@
"ip": "fe80::31ea:6c3c:f40d:1973",
"port": 49212
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "CONTOSO",
"id": "S-1-5-21-3457937927-2839227994-823803824-1104",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json
index b99c7c4369c..f7ab0e0649d 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json
@@ -44,6 +44,9 @@
"DC_TEST2K12$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"id": "S-1-5-18",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json
index f8bed44ed23..85d23491324 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json
@@ -45,6 +45,9 @@
"name": "winlogbeat",
"type": "Win32 Own Process"
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WLBEAT",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json
index b641ad08251..79563e42c4a 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json
@@ -49,6 +49,9 @@
"ip": "::1",
"port": 0
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST.SAAS",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json
index bbf1e0caf84..08930ae5cb7 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json
@@ -49,6 +49,9 @@
"ip": "::1",
"port": 0
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST.SAAS",
"name": "at_adm"
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json
index 427452bca85..763fcd04aab 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json
@@ -49,6 +49,9 @@
"ip": "::1",
"port": 0
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST.SAAS",
"name": "DC_TEST2K12$"
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json
index 2e1dd01712e..cd776469e75 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json
@@ -49,6 +49,9 @@
"ip": "192.168.5.44",
"port": 53366
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"id": "S-1-5-21-1717121054-434620538-60925301-3057",
"name": "MPUIG"
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json
index ddce5ba2696..99c7765923e 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json
@@ -39,6 +39,9 @@
"at_adm"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"name": "at_adm"
},
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json
index b9d5e0fa252..c8ec8d65c1d 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json
@@ -62,6 +62,9 @@
},
"ip": "216.160.83.57"
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"name": "at_adm"
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json
index 6f2fc0c7ed1..13902f6ded3 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json
@@ -47,6 +47,9 @@
"domain": "EQP01777",
"ip": "127.0.0.1"
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"name": "at_adm"
@@ -127,6 +130,9 @@
"source": {
"domain": "EQP01777"
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "TEST",
"name": "at_adm"
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json
index a618d3b898f..09eac3124ef 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json
@@ -45,6 +45,9 @@
"VAGRANT-2012-R2$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "NT AUTHORITY",
"id": "S-1-5-18",
@@ -137,6 +140,9 @@
"VAGRANT-2012-R2$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "NT AUTHORITY",
"id": "S-1-5-18",
@@ -237,6 +243,9 @@
"ip": "127.0.0.1",
"port": 0
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "VAGRANT-2012-R2",
"id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
@@ -329,6 +338,9 @@
"VAGRANT-2012-R2$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "NT AUTHORITY",
"id": "S-1-5-18",
@@ -418,6 +430,9 @@
"ANONYMOUS LOGON"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "NT AUTHORITY",
"id": "S-1-5-7",
@@ -506,6 +521,9 @@
"vagrant"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "VAGRANT-2012-R2",
"id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
@@ -594,6 +612,9 @@
"vagrant"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "VAGRANT-2012-R2",
"id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
@@ -682,6 +703,9 @@
"vagrant"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "VAGRANT-2012-R2",
"id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
@@ -773,6 +797,9 @@
"source": {
"domain": "127.0.0.1"
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "VAGRANT-2012-R2",
"id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
@@ -864,6 +891,9 @@
"VAGRANT-2012-R2$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "Window Manager",
"id": "S-1-5-90-2",
@@ -964,6 +994,9 @@
"ip": "10.0.2.2",
"port": 0
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "VAGRANT-2012-R2",
"id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
@@ -1056,6 +1089,9 @@
"VAGRANT-2012-R2$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "Window Manager",
"id": "S-1-5-90-3",
@@ -1148,6 +1184,9 @@
"VAGRANT-2012-R2$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "NT AUTHORITY",
"id": "S-1-5-18",
@@ -1240,6 +1279,9 @@
"VAGRANT-2012-R2$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "NT AUTHORITY",
"id": "S-1-5-18",
@@ -1332,6 +1374,9 @@
"VAGRANT-2012-R2$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "NT AUTHORITY",
"id": "S-1-5-18",
@@ -1424,6 +1469,9 @@
"VAGRANT-2012-R2$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "NT AUTHORITY",
"id": "S-1-5-18",
@@ -1516,6 +1564,9 @@
"VAGRANT-2012-R2$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "NT AUTHORITY",
"id": "S-1-5-18",
@@ -1615,6 +1666,9 @@
"ip": "::1",
"port": 0
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "VAGRANT-2012-R2",
"id": "S-1-0-0",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json
index 88b3471ddf5..c40cd4ae824 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json
@@ -41,6 +41,9 @@
"audittest"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
@@ -127,6 +130,9 @@
"audittest0609"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json
index aacdf05811b..11eb6aa8acc 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json
@@ -40,6 +40,9 @@
"Administrator"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
@@ -125,6 +128,9 @@
"Administrator"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json
index 12a879901b8..d8bb60ccf73 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json
@@ -41,6 +41,9 @@
"elastictest1"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
@@ -127,6 +130,9 @@
"audittest0609"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json
index 922fffa1c0e..5c7fadeb49e 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json
@@ -41,6 +41,9 @@
"audittest"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
@@ -127,6 +130,9 @@
"audittest0609"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json
index 6cf094afdea..8622e552d2c 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json
@@ -41,6 +41,9 @@
"audittest23"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
@@ -127,6 +130,9 @@
"audittest"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json
index 90ee02d21e5..103ea1e7567 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json
@@ -45,6 +45,9 @@
"WIN-41OB2LO92CR$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WLBEAT",
"id": "S-1-5-18",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json
index 17aa87cbc7e..665c5855388 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json
@@ -45,6 +45,9 @@
"Administrator"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WLBEAT",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json
index 0a16a592164..bf2781a632e 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json
@@ -45,6 +45,9 @@
"Administrator"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WLBEAT",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json
index 85f61688a60..6a77e73a6c7 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json
@@ -45,6 +45,9 @@
"Administrator"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WLBEAT",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json
index 5bae61ab9e3..7ffb44a3533 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json
@@ -45,6 +45,9 @@
"Administrator"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WLBEAT",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json
index 9c853cd5f5c..8a1cbf44a1d 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json
@@ -45,6 +45,9 @@
"Administrator"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WLBEAT",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json
index e24c7ef55ac..27485568350 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json
@@ -45,6 +45,9 @@
"Administrator"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WLBEAT",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json
index f60b6f7cdc3..850b46a73f6 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json
@@ -45,6 +45,9 @@
"Administrator"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WLBEAT",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json
index 91c8e46c385..2ead9842ad8 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json
@@ -45,6 +45,9 @@
"Administrator"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WLBEAT",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json
index 8d64962560e..fe382467766 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json
@@ -45,6 +45,9 @@
"Administrator"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WLBEAT",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json
index c7c493ef182..73ca8052145 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json
@@ -41,6 +41,9 @@
"elastictest1"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json
index 2623b01f123..fa609900438 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json
@@ -41,6 +41,9 @@
"elastictest1"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WORKGROUP",
"id": "S-1-5-18",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json
index 5069c45ce7d..f5cff7d831a 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json
@@ -45,6 +45,9 @@
"Administrator"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WLBEAT",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json
index 227e3ce2655..320233440b7 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json
@@ -45,6 +45,9 @@
"Administrator"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WLBEAT",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json
index ad171debfa0..e43109aaaf2 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json
@@ -45,6 +45,9 @@
"Administrator"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WLBEAT",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json
index d52e2227066..497b0b44f71 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json
@@ -45,6 +45,9 @@
"Administrator"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WLBEAT",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json
index 7a46e2cebcb..0678dd5f2bf 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json
@@ -45,6 +45,9 @@
"Administrator"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WLBEAT",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json
index 9ba105712ed..1bcfd580df0 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json
@@ -45,6 +45,9 @@
"Administrator"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WLBEAT",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json
index 23533ee58ec..9a138836226 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json
@@ -41,6 +41,9 @@
"elastictest1"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json
index 373f23cb0d4..3c7fd9ba138 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json
@@ -42,6 +42,9 @@
"audittest0609"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"changes": {
"name": "audittest06"
@@ -131,6 +134,9 @@
"audittest06"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"changes": {
"name": "audittest0609"
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json
index f69456fe105..8583defaeed 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json
@@ -41,6 +41,9 @@
"elastictest1"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WORKGROUP",
"id": "S-1-5-18",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json
index f7946dfb388..5a2bf6ae435 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json
@@ -45,6 +45,9 @@
"WIN-41OB2LO92CR$"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WORKGROUP",
"id": "S-1-5-18",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json
index 6fa72025ae3..1a17a1fe77b 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json
@@ -39,6 +39,9 @@
"audittest"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-1000",
@@ -116,6 +119,9 @@
"Administrator"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json
index 5871f217502..8b8454dbb9f 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json
@@ -55,6 +55,9 @@
"vagrant"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "VAGRANT",
"effective": {
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json
index c7e8abbec9a..9aaef71810f 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json
@@ -44,6 +44,9 @@
"vagrant"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "VAGRANT",
"id": "S-1-5-21-1610636575-2290000098-1654242922-1000",
@@ -125,6 +128,9 @@
"vagrant"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "VAGRANT",
"id": "S-1-5-21-1610636575-2290000098-1654242922-1000",
@@ -206,6 +212,9 @@
"vagrant"
]
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"user": {
"domain": "VAGRANT",
"id": "S-1-5-21-1610636575-2290000098-1654242922-1000",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-unknown.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-unknown.json-expected.json
index d322689be4f..a91a5a8af99 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-unknown.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-unknown.json-expected.json
@@ -14,6 +14,9 @@
"log": {
"level": "information"
},
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ],
"winlog": {
"channel": "Security",
"computer_name": "WIN-41OB2LO92CR.wlbeat.local",
diff --git a/packages/system/data_stream/security/agent/stream/winlog.yml.hbs b/packages/system/data_stream/security/agent/stream/winlog.yml.hbs
index 88aec1d7400..cfe1ba2177d 100644
--- a/packages/system/data_stream/security/agent/stream/winlog.yml.hbs
+++ b/packages/system/data_stream/security/agent/stream/winlog.yml.hbs
@@ -9,21 +9,19 @@ ignore_older: {{ignore_older}}
{{#if language}}
language: {{language}}
{{/if}}
-{{#if tags.length}}
tags:
-{{#each tags as |tag|}}
+{{#each tags as |tag i|}}
- {{tag}}
{{/each}}
{{#if preserve_original_event}}
- preserve_original_event
{{/if}}
-{{else}}
-{{#if preserve_original_event}}
-tags:
- - preserve_original_event
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
{{/if}}
-{{/if}}
-{{#if preserve_original_event}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
include_xml: true
{{/if}}
{{#if processors.length}}
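Review bot: The `{{/if}}` that follows `include_xml: true` has no visible opener on the new side, because the hunk removes `{{#if preserve_original_event}}` in front of it and adds the `{{#contains "forwarded" tags}}` block instead; unless an `{{#if}}` above the hunk is meant to close there, the template will fail to render or `include_xml: true` becomes unconditional, so the guard should be restored as `{{#if preserve_original_event}}` directly before `include_xml: true`. Dropping `{{#if tags.length}}` also makes `tags:` unconditional, and when `tags` is empty and neither `preserve_*` flag is set the rendered YAML is a bare `tags:` key, which parses as null rather than an empty list; keep a guard or confirm the winlog input tolerates that. The index variable `i` in `{{#each tags as |tag i|}}` is never used and can be dropped.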
diff --git a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml
index 640e6423172..e5aacd09fc1 100644
--- a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml
@@ -6,10 +6,11 @@ processors:
type: string
ignore_missing: true
- script:
+ tag: remove_empty_values_from_event_data
description: Remove all empty values from event_data.
lang: painless
source: ctx.winlog?.event_data?.entrySet().removeIf(entry -> [null, "", "-", "{00000000-0000-0000-0000-000000000000}"].contains(entry.getValue()))
- if: ctx.winlog?.event_data != null
+ if: ctx.winlog?.event_data instanceof Map
- pipeline:
name: '{{ IngestPipeline "standard" }}'
if: 'ctx.winlog?.provider_name != null && ["Microsoft-Windows-Eventlog", "Microsoft-Windows-Security-Auditing"].contains(ctx.winlog.provider_name)'
@@ -87,10 +88,79 @@ processors:
ignore_missing: true
ignore_failure: true
if: ctx.winlog?.event_data != null && ctx.winlog.event_data.size() == 0
-on_failure:
+ - remove:
+ field:
+ - winlog.event_data.SubjectUserSid
+ - winlog.event_data.SubjectUserName
+ - winlog.event_data.SubjectDomainName
+ - winlog.event_data.ProviderName
+ - winlog.event_data.ProcessName
+ - winlog.event_data.RemoteAddress_ip
+ - winlog.event_data.RemoteAddress_name
+ - winlog.event_data.UserSid
+ - winlog.event_data.UserName
+ - winlog.event_data.RuleId
+ - winlog.event_data.RuleName
+ - winlog.event_data.ErrorCode
+ - winlog.event_data.DeviceId
+ - winlog.event_data.DeviceDescription
+ - winlog.event_data.ShareName
+ - winlog.event_data.ShareLocalPath
+ - winlog.event_data.TargetUserSid
+ - winlog.event_data.TargetUserName
+ - winlog.event_data.TargetDomainName
+ - winlog.event_data.Param1
+ - winlog.event_data.FileName
+ ignore_missing: true
+ if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields')
+ - script:
+ description: This script processor iterates over the whole document to remove fields with null values.
+ tag: script_to_drop_null_values
+ lang: painless
+ source: |
+ void handleMap(Map map) {
+ map.values().removeIf(v -> {
+ if (v instanceof Map) {
+ handleMap(v);
+ } else if (v instanceof List) {
+ handleList(v);
+ }
+ return v == null || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) || (v instanceof String && ((String) v).trim() == '')
+ });
+ }
+ void handleList(List list) {
+ list.removeIf(v -> {
+ if (v instanceof Map) {
+ handleMap(v);
+ } else if (v instanceof List) {
+ handleList(v);
+ }
+ return v == null || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) || (v instanceof String && ((String) v).trim() == '')
+ });
+ }
+ handleMap(ctx);
- set:
field: event.kind
+ tag: set_pipeline_error_into_event_kind
value: pipeline_error
+ if: ctx.error?.message != null
+ - append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
+ if: ctx.error?.message != null
+on_failure:
- append:
field: error.message
- value: "{{ _ingest.on_failure_message }}"
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_to_event_kind
+ value: pipeline_error
+ - append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
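Review bot: The new `remove` processor runs for every event, but the ECS copies of SubjectUser*/TargetUser*/ProcessName in the standard pipeline are gated on enumerated event codes, so for any code outside those lists the values are dropped without ever reaching `user.*`/`process.*` unless the user opts into `preserve_duplicate_custom_fields` (as far as can be seen here; the copy scripts live in the other file). Either gate the remove on the same codes or document in the data stream README that detections on those raw fields need the flag. Separately, the list removes `winlog.event_data.Param1` while the standard pipeline copies `file.path` from `winlog.event_data.param1`; winlogbeat names unnamed event data `param1`, so the removal probably needs the lower-case key — confirm against a 5038 sample.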
diff --git a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml
index 081cebe11e5..1b385942cf9 100644
--- a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml
+++ b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml
@@ -80,6 +80,12 @@ processors:
type:
- start
action: logon-failed
+ "4627":
+ category:
+ - iam
+ type:
+ - info
+ action: group-membership-info
"4634":
category:
- authentication
@@ -105,6 +111,33 @@ processors:
type:
- change
action: registry-value-modified
+ "4658":
+ category:
+ - iam
+ - configuration
+ type:
+ - change
+ action: handle-closed-object
+ "4659":
+ category:
+ - iam
+ - configuration
+ type:
+ - change
+ action: object-was-requested-with-intent-to-delete
+ "4660":
+ category:
+ - file
+ - registry
+ type:
+ - deletion
+ action: object-deleted
+ "4664":
+ category:
+ - file
+ type:
+ - creation
+ action: create-hard-link
"4662":
category:
- iam
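Review bot: 4658 and 4659 are object-access audit events (the same family as 4660 just below, which this hunk correctly files under `file`/`registry`), yet they are categorized `iam`/`configuration` with type `change`; a closed handle changes nothing, and an open with delete intent is an access attempt. Suggest aligning them with 4660: `category: [file, registry]`, with `type: [end]` for 4658 and `type: [access]` for 4659. The action string `handle-closed-object` also reads oddly next to `object-deleted`; `object-handle-closed` would match the naming of its neighbours.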
@@ -113,6 +146,12 @@ processors:
- admin
- change
action: object-operation-performed
+ "4663":
+ category:
+ - authentication
+ type:
+ - info
+ action: attempt-made-to-access-object
"4670":
category:
- iam
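Review bot: 4663 ("An attempt was made to access an object") is object-access auditing, not authentication, so `category: [authentication]` / `type: [info]` will route every audited file and registry access into authentication dashboards and detection rules. Consistent with the 4660 entry in this file, use `category: [file, registry]` and `type: [access]`. If a per-object-type category is wanted it has to come from a later processor keyed on `ObjectType`, since this table is keyed on the event code alone.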
@@ -139,6 +178,12 @@ processors:
type:
- admin
action: privileged-operation
+ "4675":
+ category:
+ - authentication
+ type:
+ - info
+ action: sids-filtered
"4688":
category:
- process
@@ -151,6 +196,30 @@ processors:
type:
- end
action: exited-process
+ "4690":
+ category:
+ - process
+ type:
+ - access
+ action: duplicate-handle-attempt
+ "4691":
+ category:
+ - process
+ type:
+ - access
+ action: indirect-object-access-requested
+ "4692":
+ category:
+ - configuration
+ type:
+ - access
+ action: dpapi-master-key-backup-attempted
+ "4695":
+ category:
+ - configuration
+ type:
+ - access
+ action: auditable-data-unprotection-attempted
"4697":
category:
- iam
@@ -199,6 +268,20 @@ processors:
- change
- admin
action: scheduled-task-updated
+ "4704":
+ category:
+ - iam
+ type:
+ - change
+ - user
+ action: user-right-assigned
+ "4705":
+ category:
+ - iam
+ type:
+ - change
+ - user
+ action: user-right-removed
"4706":
category:
- configuration
@@ -617,6 +700,12 @@ processors:
- user
- change
action: renamed-user-account
+ "4793":
+ category:
+ - api
+ type:
+ - info
+ action: password-policy-checking-api-called
"4797":
category:
- iam
@@ -638,6 +727,32 @@ processors:
- group
- info
action: user-member-enumerated
+ "4800":
+ category:
+ - authentication
+ type:
+ - info
+ action: workstation-locked
+ "4801":
+ category:
+ - authentication
+ type:
+ - info
+ action: workstation-unlocked
+ "4802":
+ category:
+ - process
+ - session
+ type:
+ - info
+ action: screen-saver-invoked
+ "4803":
+ category:
+ - process
+ - session
+ type:
+ - info
+ action: screen-saver-dismissed
"4817":
category:
- iam
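Review bot: The four session-state events are categorized inconsistently: 4800/4801 (workstation lock/unlock) go to `authentication`, while 4802/4803 (screen saver) go to `process` and `session`, and a screen saver firing is not a process event. ECS `session` fits all four; 4801 (unlock) is the only one that also involves an authentication. Suggest `category: [session]` for 4800/4802/4803 and `category: [session, authentication]` for 4801, keeping `type: [info]` unless the start/end lifecycle is wanted.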
@@ -646,6 +761,24 @@ processors:
- admin
- change
action: object-audit-changed
+ "4868":
+ category:
+ - configuration
+ type:
+ - change
+ action: certificate-manager-denied-pending-certificate-request
+ "4869":
+ category:
+ - configuration
+ type:
+ - info
+ action: certificate-services-received-resubmitted-certificate-request
+ "4876":
+ category:
+ - session
+ type:
+ - start
+ action: certificate-services-backup-started
"4902":
category:
- iam
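Review bot: 4876 (Certificate Services backup started) is mapped to `category: [session]`, which does not describe a CA database backup; ECS `session` implies a logon session, whereas `configuration` (as used for 4868/4869) is the closer fit. The category matters operationally because a full CA backup exports the CA private key, so rules hunting for CA key exfiltration need to find this event where they expect it (the `BackupType` decoding added later in this diff is useful for exactly that). Suggest `category: [configuration]`, `type: [start]`.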
@@ -702,18 +835,78 @@ processors:
- admin
- change
action: per-user-audit-policy-changed
+ "4931":
+ category:
+ - configuration
+ type:
+ - change
+ action: active-directory-replica-destination-naming-context-modified
+ "4932":
+ category:
+ - iam
+ type:
+ - info
+ action: synchronization-of-replica-of-active-directory-naming-context-begun
+ "4933":
+ category:
+ - iam
+ type:
+ - info
+ action: synchronization-of-replica-of-active-directory-naming-context-ended
+ "4945":
+ category:
+ - configuration
+ type:
+ - info
+ action: rule-listed-when-windows-firewall-started
+ "4946":
+ category:
+ - configuration
+ type:
+ - creation
+ action: added-rule-to-windows-firewall-exception-list
+ "4948":
+ category:
+ - configuration
+ type:
+ - deletion
+ action: deleted-rule-from-windows-firewall-exception-list
"4950":
category:
- configuration
type:
- change
action: windows-firewall-setting-changed
+ "4953":
+ category:
+ - configuration
+ type:
+ - info
+ action: ignored-rule-by-windows-firewall-because-it-could-not-parse-rule
"4954":
category:
- configuration
type:
- change
action: windows-firewall-group-policy-changed
+ "4957":
+ category:
+ - configuration
+ type:
+ - info
+ action: windows-firewall-did-not-apply-following-rule
+ "4962":
+ category:
+ - network
+ type:
+ - end
+ action: ipsec-dropped-inbound-packet-that-failed-replay-check
+ "4963":
+ category:
+ - network
+ type:
+ - end
+ action: ipsec-dropped-inbound-clear-text-packet-that-should-have-been-secured
"4964":
category:
- iam
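Review bot: 4962 and 4963 describe IPsec dropping an inbound packet, but they are typed `end`; ECS `denied` is the type that conveys a blocked packet, and `end` will make them look like connection closures in any network view. Likewise 4953 (rule could not be parsed) and 4957 (rule not applied) are failures, so `type: [error]` fits better than `info`. Suggest `type: [denied]` for 4962/4963 and `type: [error]` for 4953/4957.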
@@ -721,6 +914,18 @@ processors:
- admin
- group
action: logged-in-special
+ "4965":
+ category:
+ - network
+ type:
+ - end
+ action: ipsec-received-packet-from-remote-computer-wth-incorrect-spi
+ "4985":
+ category:
+ - configuration
+ type:
+ - change
+ action: state-of-transaction-has-changed
"5024":
category:
- process
@@ -751,6 +956,30 @@ processors:
type:
- end
action: windows-firewall-driver-error
+ "5038":
+ category:
+ - file
+ type:
+ - access
+ action: code-integrity-determined-that-image-hash-of-file-is-not-valid
+ "5058":
+ category:
+ - file
+ type:
+ - change
+ action: key-file-operation
+ "5059":
+ category:
+ - file
+ type:
+ - change
+ action: key-migration-operation
+ "5061":
+ category:
+ - file
+ type:
+ - access
+ action: cryptographic-operation
"5136":
category:
- iam
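Review bot: 5038 (Code Integrity determined the image hash is not valid) is a validation failure, so `type: [access]` understates it; `type: [error]` (or `denied` where the load was actually blocked) is what a rule author will look for, and the `file` category is fine. 5061 (cryptographic operation) under `file` is a stretch since the object is a key rather than a file, but ECS offers no better category, so leaving it is acceptable if the README field docs say so. Suggest `type: [error]` for 5038.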
@@ -767,6 +996,14 @@ processors:
- info
- access
action: network-share-object-accessed
+ "5142":
+ category:
+ - network
+ - file
+ type:
+ - info
+ - creation
+ action: network-share-object-added
"5145":
category:
- network
@@ -833,6 +1070,74 @@ processors:
- user
- info
action: vault-credentials-were-read
+ "5441":
+ category:
+ - configuration
+ type:
+ - info
+ action: following-filter-present-when-windows-filtering-platform-base-filtering-engine-started
+ "5446":
+ category:
+ - configuration
+ type:
+ - change
+ action: windows-filtering-platform-callout-changed
+ "5447":
+ category:
+ - configuration
+ type:
+ - change
+ action: windows-filtering-platform-filter-changed
+ "5449":
+ category:
+ - configuration
+ type:
+ - change
+ action: windows-filtering-platform-provider-context-changed
+ "6144":
+ category:
+ - configuration
+ type:
+ - info
+ action: security-policy-in-group-policy-objects-applied-successfully
+ "6145":
+ category:
+ - configuration
+ type:
+ - change
+ action: one-or-more-errors-occured-while-processing-security-policy-in-group-policy-objects
+ "6416":
+ category:
+ - process
+ type:
+ - info
+ action: new-external-device-recognized-by-system
+ "6419":
+ category:
+ - configuration
+ type:
+ - change
+ action: request-was-made-to-disable-device
+ "6420":
+ category:
+ - process
+ type:
+ - change
+ - end
+ action: device-was-disabled
+ "6421":
+ category:
+ - configuration
+ type:
+ - change
+ action: request-was-made-to-enable-device
+ "6422":
+ category:
+ - process
+ type:
+ - change
+ - end
+ action: device-was-enabled
source: |-
if (ctx.event?.code == null || params.get(ctx.event.code) == null) {
return;
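Review bot: The device lifecycle events are split between `process` (6416, 6420, 6422) and `configuration` (6419, 6421) although they describe the same device, and neither category fits a plug-and-play device; ECS `host` (or `driver`) describes it better. Suggest `category: [host]` for all five, with `type: [info]` for 6416, `[change]` for the two requests, and `[change, end]` / `[change, start]` for disabled/enabled as already written. 6145 (errors while applying Group Policy security settings) is a failure, so `type: [error]` rather than `change`.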
@@ -1071,10 +1376,65 @@ processors:
source: |-
if (ctx.winlog?.event_data?.Status == null ||
ctx.event?.code == null ||
- !["4768", "4769", "4770", "4771"].contains(ctx.event.code)) {
+ !["4768", "4769", "4770", "4771", "4793"].contains(ctx.event.code)) {
return;
}
ctx.winlog.event_data.put("StatusDescription", params[ctx.winlog.event_data.Status]);
+ - date:
+ field: winlog.event_data.ClientCreationTime
+ tag: date_clientcreationtime
+ formats:
+ - yyyy-MM-dd HH:mm:ss.n Z z
+ if: ctx.winlog?.event_data?.ClientCreationTime != null && ctx.winlog.event_data.ClientCreationTime != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: source.address
+ tag: set_source_address
+ copy_from: winlog.event_data.RemoteAddress
+ if: ctx.event?.code != null && ["4962", "4963", "4965"].contains(ctx.event.code)
+ ignore_empty_value: true
+ - convert:
+ field: winlog.event_data.RemoteAddress
+ tag: convert_remoteaddress
+ type: ip
+ target_field: winlog.event_data.RemoteAddress_ip
+ ignore_missing: true
+ if: ctx.winlog?.event_data?.RemoteAddress != '' && ctx.event?.code != null && ["4962", "4963", "4965"].contains(ctx.event.code)
+ on_failure:
+ - rename:
+ field: winlog.event_data.RemoteAddress
+ tag: rename_remoteaddress
+ target_field: winlog.event_data.RemoteAddress_name
+ ignore_missing: true
+ - set:
+ field: source.ip
+ tag: set_source_ip
+ copy_from: winlog.event_data.RemoteAddress_ip
+ if: ctx.winlog?.event_data?.RemoteAddress_ip != null
+ ignore_empty_value: true
+ - append:
+ field: related.ip
+ tag: append_related_ip
+ value: '{{{winlog.event_data.RemoteAddress_ip}}}'
+ allow_duplicates: false
+ if: ctx.winlog?.event_data?.RemoteAddress_ip != null
+ - remove:
+ field: winlog.event_data.RemoteAddress
+ tag: remove_remoteaddress
+ ignore_missing: true
+ - set:
+ field: rule.id
+ tag: set_rule_id
+ copy_from: winlog.event_data.RuleId
+ ignore_empty_value: true
+ - set:
+ field: rule.name
+ tag: set_rule_name
+ copy_from: winlog.event_data.RuleName
+ ignore_empty_value: true
- script:
lang: painless
ignore_failure: false
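Review bot: `date_clientcreationtime` writes the parsed value back into `winlog.event_data.ClientCreationTime`, which this diff maps as `date`, but its `on_failure` only appends to `error.message` and leaves the unparsed string in place; a value that does not match `yyyy-MM-dd HH:mm:ss.n Z z` will then be rejected by the index mapping and the whole document dropped. Mirror the HardwareIds/EventIdx handlers in this file and add `- remove: { field: winlog.event_data.ClientCreationTime, ignore_missing: true }` before the append. Separately, 4793 is added to the Kerberos KDC result-code lookup at the top of the hunk, but its `Status` is an NTSTATUS (it is also added to the 4625/4776 lookup later in this diff), so a 4793 can first receive a Kerberos label; dropping 4793 from this list avoids the double mapping.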
@@ -1179,6 +1539,25 @@ processors:
}
ctx.winlog.event_data.put("Category", params[subCatGuid][1]);
ctx.winlog.event_data.put("SubCategory", params[subCatGuid][0]);
+ - rename:
+ field: winlog.event_data.FailureReason
+ tag: rename_failurereason
+ target_field: winlog.event_data.FailureReasons
+ ignore_missing: true
+ if: (ctx.event?.code != null && (ctx.event.code == '4695' || ctx.event.code == '4692') && ctx.winlog?.event_data?.FailureReason.contains("x"))
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set_failurereason_outcome
+ description: Set FailureReason Outcome
+ source: |-
+ if (ctx.winlog?.event_data?.FailureReasons != null) {
+ if (ctx.winlog.event_data.FailureReasons == "0x0") {
+ ctx.winlog.event_data.put("FailureReasonsOutcome", "Success");
+ } else {
+ ctx.winlog.event_data.put("FailureReasonsOutcome", "Failure");
+ }
+ }
- script:
lang: painless
ignore_failure: false
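Review bot: The `if` on `rename_failurereason` evaluates `ctx.winlog?.event_data?.FailureReason.contains("x")`; the null-safe chain stops at `FailureReason`, so a 4692/4695 without that field throws a NullPointerException and the event falls into `on_failure` — `ignore_missing` does not cover the condition. Guard it: `ctx.winlog?.event_data?.FailureReason instanceof String && ctx.winlog.event_data.FailureReason.contains("x")`. The outcome script compares against the literal `"0x0"`; if the code can be rendered zero-padded (e.g. `0x00000000`) it would be tagged Failure, so normalising or parsing the hex value before the comparison is safer.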
@@ -3015,7 +3394,7 @@ processors:
source: |-
if (ctx.winlog?.event_data?.Status == null ||
ctx.event?.code == null ||
- !["4625", "4776"].contains(ctx.event.code)) {
+ !["4625", "4776", "4793"].contains(ctx.event.code)) {
return;
}
if (params.containsKey(ctx.winlog.event_data.Status)) {
@@ -3198,8 +3577,9 @@ processors:
description: Copy Target User
source: |-
if (ctx.event?.code == null ||
- !["4624", "4625", "4634", "4647", "4648", "4768", "4769", "4770",
- "4771", "4776", "4964"].contains(ctx.event.code)) {
+ !["4624", "4625", "4627", "4634", "4647", "4648", "4675", "4704",
+ "4705", "4768", "4769", "4770", "4771", "4776", "4793", "4800",
+ "4801", "4802", "4803", "4964"].contains(ctx.event.code)) {
return;
}
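Review bot: 4704 and 4705 are added to the TargetUserName/TargetDomainName copy, but on Windows these events identify the target account as `TargetSid` only, with no TargetUserName, so as far as can be seen here the addition is a no-op for them; if `user.target.id` is the goal, the script body (outside this hunk) needs a `TargetSid` branch. The `related.user` append later in this diff that keys on TargetUserName for 4704/4705 has the same issue. Please confirm against a 4704 sample before merging.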
@@ -3269,6 +3649,45 @@ processors:
ctx.user.target.put("domain", ctx.winlog.event_data.TargetDomainName);
}
}
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: copy_user_sid_and_user_name
+ description: Copy UserSid and UserName
+ source: |-
+ if (ctx.event?.code == null || !["5446", "5447", "5449"].contains(ctx.event.code)) {
+ return;
+ }
+
+ //UserSid to user.id
+ def userId = ctx.winlog?.event_data?.UserSid;
+ if (userId != null) {
+ ctx.user = ctx.user ?: [:];
+ if (ctx.user?.id == null) {
+ ctx.user.put("id", userId);
+ }
+ }
+
+ //UserName to user.name
+ def userName = ctx.winlog?.event_data?.UserName;
+ if (userName != null) {
+ ctx.user = ctx.user ?: [:];
+ if (ctx.user?.name == null) {
+ ctx.user.put("name", userName);
+ }
+ }
+
+ ctx.related = ctx.related ?: [:];
+ if (ctx.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (userId != null && !ctx.related.user.contains(userId)) {
+ ctx.related.user.add(userId);
+ }
+ if (userName != null && !ctx.related.user.contains(userName)) {
+ ctx.related.user.add(userName);
+ }
# split member name into parts based on comma ignoring escaped commas
# https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/distinguished-names
- split:
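Review bot: The new script appends both the SID and the name to `related.user`, while the rest of the pipeline fills `related.user` with account names only (see the SubjectUserName/TargetUserName appends later in this diff, which also skip the `-` placeholder); mixing SIDs and names in one field makes `related.user` matching unreliable. Suggest appending only `userName`, and guarding both values with `!= "-"` as the other appends do. `ctx.related.user.add(...)` also assumes `related.user` is already a list; if an earlier processor set it as a scalar, `add` throws — cheap to guard with `instanceof List`.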
@@ -3284,10 +3703,10 @@ processors:
description: Copy MemberName to User and User to Group
source: |-
if (ctx.event?.code == null ||
- !["4727", "4728", "4729", "4730", "4731", "4732", "4733", "4734", "4735",
- "4737", "4744", "4745", "4746", "4747", "4748", "4749", "4750", "4751",
- "4752", "4753", "4754", "4755", "4756", "4757", "4758", "4759", "4760",
- "4761", "4762", "4763", "4764", "4799"].contains(ctx.event.code)) {
+ !["4627", "4727", "4728", "4729", "4730", "4731", "4732", "4733", "4734",
+ "4735", "4737", "4744", "4745", "4746", "4747", "4748", "4749", "4750",
+ "4751", "4752", "4753", "4754", "4755", "4756", "4757", "4758", "4759",
+ "4760", "4761", "4762", "4763", "4764", "4799"].contains(ctx.event.code)) {
return;
}
if (ctx._temp?.MemberNameParts != null) {
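Review bot: 4627 is added to the MemberName copy, but 4627 (group membership information) reports its groups in `GroupMembership`, not `MemberName`, so the branch guarded by `_temp.MemberNameParts` will not fire for it unless a split on `GroupMembership` was also added outside this hunk. If group enrichment for 4627 is intended, a dedicated split of `GroupMembership` feeding `group.id` / `user.target.group` is needed; otherwise the code can be dropped from this list to avoid implying coverage that is not there.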
@@ -3354,10 +3773,10 @@ processors:
}
if (ctx.group?.id != null) {
ctx.user.target.group.put("id", ctx.group.id);
- }
+ }
if (ctx.group?.name != null) {
ctx.user.target.group.put("name", ctx.group.name);
- }
+ }
if (ctx.group?.domain != null) {
ctx.user.target.group.put("domain", ctx.group.domain);
}
@@ -3399,7 +3818,7 @@ processors:
field: winlog.logon.id
copy_from: winlog.event_data.TargetLogonId
ignore_failure: false
- if: ctx.event?.code != null && ["4634", "4647", "4964"].contains(ctx.event.code)
+ if: ctx.event?.code != null && ["4627", "4634", "4647", "4800", "4801", "4802", "4803", "4964"].contains(ctx.event.code)
- script:
lang: painless
@@ -3408,15 +3827,17 @@ processors:
description: Copy Subject User from Event Data
source: |-
if (ctx.event?.code == null ||
- !["4648", "4657", "4662", "4670", "4672", "4673", "4674", "4688", "4689", "4697",
- "4698", "4699", "4700", "4701", "4702", "4706", "4707", "4713", "4716", "4717",
- "4718", "4719", "4720", "4722", "4723", "4724", "4725", "4726", "4727", "4728",
- "4729", "4730", "4731", "4732", "4733", "4734", "4735", "4737", "4738", "4739",
- "4740", "4741", "4742", "4743", "4744", "4745", "4746", "4747", "4748", "4749",
- "4750", "4751", "4752", "4753", "4754", "4755", "4756", "4757", "4758", "4759",
- "4760", "4761", "4762", "4763", "4764", "4767", "4781", "4797", "4798", "4799",
- "4817", "4904", "4905", "4907", "4912", "5136", "5140", "5145", "5379", "5380",
- "5381", "5382"].contains(ctx.event.code)) {
+ !["4627", "4648", "4657", "4658", "4659", "4660", "4662", "4663", "4664", "4670",
+ "4672", "4673", "4674", "4688", "4689", "4690", "4691", "4692", "4695", "4697",
+ "4698", "4699", "4700", "4701", "4702", "4704", "4705", "4706", "4707", "4713",
+ "4716", "4717", "4718", "4719", "4720", "4722", "4723", "4724", "4725", "4726",
+ "4727", "4728", "4729", "4730", "4731", "4732", "4733", "4734", "4735", "4737",
+ "4738", "4739", "4740", "4741", "4742", "4743", "4744", "4745", "4746", "4747",
+ "4748", "4749", "4750", "4751", "4752", "4753", "4754", "4755", "4756", "4757",
+ "4758", "4759", "4760", "4761", "4762", "4763", "4764", "4767", "4781", "4793",
+ "4797", "4798", "4799", "4817", "4868", "4869", "4876", "4904", "4905", "4907",
+ "4912", "4985", "5058", "5059", "5061", "5136", "5140", "5142", "5145", "5379",
+ "5380", "5381", "5382", "6416", "6419", "6420", "6421", "6422"].contains(ctx.event.code)) {
return;
}
if (ctx.winlog?.event_data?.SubjectUserSid != null) {
@@ -3459,9 +3880,10 @@ processors:
description: Copy Target User to Target
source: |-
if (ctx.event?.code == null ||
- !["4670", "4720", "4722", "4723", "4724", "4725",
- "4726", "4738", "4740", "4767", "4798", "4817",
- "4907", "4797"].contains(ctx.event.code)) {
+ !["4627", "4670", "4675", "4704", "4705", "4720",
+ "4722", "4723", "4724", "4725", "4726", "4738",
+ "4740", "4767", "4793", "4797", "4798", "4800",
+ "4817", "4907", "4801", "4802", "4803"].contains(ctx.event.code)) {
return;
}
if (ctx.user == null) {
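Review bot: The code list is kept in numeric order elsewhere in this hunk, but `4801`, `4802`, `4803` are appended after `4907`; move them to follow `4800` so a reader can tell at a glance whether a code is covered. Style only; behaviour is unaffected.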
@@ -3500,7 +3922,7 @@ processors:
description: Copy Target User to Effective
source: |-
if (ctx.event?.code == null ||
- !["4648", "4688"].contains(ctx.event.code)) {
+ !["4627", "4648", "4675", "4688", "4793", "4800", "4801", "4802", "4803"].contains(ctx.event.code)) {
return;
}
if (ctx.user == null) {
@@ -3575,10 +3997,60 @@ processors:
ctx.user.put("domain", ctx.winlog.user_data.SubjectDomainName);
}
+ - split:
+ field: winlog.event_data.HardwareIds
+ separator: "\\s+"
+ ignore_missing: true
+ if: |-
+ ctx.event?.code != null &&
+ ["6419", "6420", "6421", "6422"].contains(ctx.event.code) &&
+ ctx.winlog?.event_data?.HardwareIds != null
+ on_failure:
+ - remove:
+ field: winlog.event_data.HardwareIds
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
- set:
field: winlog.logon.id
copy_from: winlog.event_data.SubjectLogonId
ignore_failure: true
+ - set:
+ field: error.code
+ tag: set_error_code
+ copy_from: winlog.event_data.ErrorCode
+ ignore_failure: true
+ - set:
+ field: device.id
+ tag: set_device_id
+ copy_from: winlog.event_data.DeviceId
+ ignore_failure: true
+ - set:
+ field: device.model.name
+ tag: set_device_model_name
+ copy_from: winlog.event_data.DeviceDescription
+ ignore_failure: true
+ - set:
+ field: file.path
+ tag: set_file_path
+ copy_from: winlog.event_data.param1
+ ignore_failure: true
+ - set:
+ field: file.path
+ tag: set_file_path
+ copy_from: winlog.event_data.FileName
+ if: |-
+ ctx.event?.code != null &&
+ ["4664"].contains(ctx.event.code)
+ ignore_failure: true
+ - set:
+ field: file.path
+ tag: set_file_path_from_object_name
+ copy_from: winlog.event_data.ObjectName
+ if: ctx.winlog?.event_data?.ObjectType != null && ctx.winlog.event_data.ObjectType == "File"
+ ignore_failure: true
- set:
field: winlog.logon.id
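Review bot: `set_file_path` copies `winlog.event_data.param1` into `file.path` for every event code, unlike the 4664 and ObjectType-gated variants that follow it; `param1` is winlogbeat's generic slot for unnamed event data, so any event that uses it for something other than a path (only the 5038 image path is a file as far as this diff shows) gets a bogus `file.path`. Gate it on the codes it is meant for, e.g. `if: ctx.event?.code != null && ["5038"].contains(ctx.event.code)`, and give it a unique tag — `set_file_path` is reused on the FileName processor, which makes the `on_failure` message ambiguous. `ignore_failure: true` also hides type errors; `ignore_empty_value: true` is what is wanted for a missing source field.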
@@ -3588,6 +4060,24 @@ processors:
ctx.event?.code != null &&
["1102"].contains(ctx.event.code)
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set_returncode_outcome
+ description: Set ReturnCode Outcome
+ source: |-
+ if (ctx.event?.code == null ||
+ !["5058", "5059", "5061"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx.winlog?.event_data?.ReturnCode != null) {
+ if (ctx.winlog.event_data.ReturnCode == "0x0") {
+ ctx.winlog.event_data.put("ReturnCodeOutcome", "Success");
+ } else {
+ ctx.winlog.event_data.put("ReturnCodeOutcome", "Failure");
+ }
+ }
+
- script:
lang: painless
ignore_failure: false
@@ -3595,15 +4085,16 @@ processors:
description: Rename Common Auth Fields
source: |-
if (ctx.event?.code == null ||
- !["1100", "1102", "1104", "1105", "1108", "4624", "4648", "4625",
- "4670", "4673", "4674", "4689", "4697", "4719", "4720", "4722",
- "4723", "4724", "4725", "4726", "4727", "4728", "4729", "4730",
- "4731", "4732", "4733", "4734", "4735", "4737", "4738", "4740",
- "4741", "4742", "4743", "4744", "4745", "4746", "4747", "4748",
- "4749", "4750", "4751", "4752", "4753", "4754", "4755", "4756",
- "4757", "4758", "4759", "4760", "4761", "4762", "4763", "4764",
- "4767", "4768", "4769", "4770", "4771", "4798", "4799", "4817",
- "4904", "4905", "4907", "4912", "5140", "5145"].contains(ctx.event.code)) {
+ !["1100", "1102", "1104", "1105", "1108", "4624", "4625", "4648",
+ "4658", "4659", "4660", "4663", "4670", "4673", "4674", "4689",
+ "4691", "4697", "4719", "4720", "4722", "4723", "4724", "4725",
+ "4726", "4727", "4728", "4729", "4730", "4731", "4732", "4733",
+ "4734", "4735", "4737", "4738", "4740", "4741", "4742", "4743",
+ "4744", "4745", "4746", "4747", "4748", "4749", "4750", "4751",
+ "4752", "4753", "4754", "4755", "4756", "4757", "4758", "4759",
+ "4760", "4761", "4762", "4763", "4764", "4767", "4768", "4769",
+ "4770", "4771", "4798", "4799", "4817", "4904", "4905", "4907",
+ "4912", "4985", "5059", "5140", "5145", "5446", "5447", "5449"].contains(ctx.event.code)) {
return;
}
if (ctx.winlog?.event_data?.ProcessId != null) {
@@ -3681,7 +4172,7 @@ processors:
!["5152", "5156", "5157", "5158"].contains(ctx.event.code)) {
return;
}
-
+
// DestAddress to destination.ip and related.ip
if (ctx.winlog?.event_data?.DestAddress != null &&
ctx.winlog.event_data.DestAddress != "-") {
@@ -3882,7 +4373,7 @@ processors:
allow_duplicates: false
if: |-
ctx.event?.code != null &&
- ["4624", "4648", "4797", "5379", "5380", "5381", "5382"].contains(ctx.event.code) &&
+ ["4624", "4627", "4648", "4662", "4663", "4793", "4797", "5379", "5380", "5381", "5382"].contains(ctx.event.code) &&
ctx.winlog?.event_data?.SubjectUserName != null &&
ctx.winlog.event_data.SubjectUserName != "-"
@@ -3892,19 +4383,28 @@ processors:
allow_duplicates: false
if: |-
ctx.event?.code != null &&
- ["4688", "4720", "4722", "4723", "4724", "4725", "4726", "4738",
- "4740", "4767", "4797", "4798"].contains(ctx.event.code) &&
+ ["4627", "4675", "4688", "4720", "4722", "4723", "4724", "4725",
+ "4726", "4738", "4740", "4767", "4793", "4797", "4798", "4800",
+ "4801", "4802", "4803"].contains(ctx.event.code) &&
ctx.winlog?.event_data?.TargetUserName != null &&
ctx.winlog.event_data.TargetUserName != "-"
- split:
field: winlog.event_data.PrivilegeList
separator: "\\s+"
+ ignore_missing: true
if: |-
ctx.event?.code != null &&
- ["4672", "4673", "4674", "4741", "4742", "4743"].contains(ctx.event.code) &&
+ ["4672", "4673", "4674", "4704", "4705", "4741", "4742", "4743", "4659"].contains(ctx.event.code) &&
ctx.winlog?.event_data?.PrivilegeList != null
-
+ on_failure:
+ - remove:
+ field: winlog.event_data.PrivilegeList
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
- set:
field: user.target.name
copy_from: winlog.event_data.OldTargetUserName
@@ -4260,21 +4760,22 @@ processors:
void splitSidList(def sids, def params, def ctx) {
ArrayList al = new ArrayList();
- def sidList = sids.splitOnToken(" ");
+ def sidsArray = sids.splitOnToken(" ");
+ ArrayList sidList = new ArrayList(Arrays.asList(sidsArray));
ctx.winlog.event_data.put("SidList", sidList);
for (def i = 0; i < sidList.length; i++ ) {
al.add(translateSID(sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""), params));
}
ctx.winlog.event_data.put("SidListDesc", al);
}
- if (ctx.winlog?.event_data?.RemoteMachineID != null) {
+ if (ctx.winlog?.event_data?.RemoteMachineID != null) {
ctx.winlog.event_data.put("RemoteMachineDescription", params.AccountSIDDescription[ctx.winlog.event_data.RemoteMachineID]);
}
- if (ctx.winlog?.event_data?.RemoteUserID != null) {
+ if (ctx.winlog?.event_data?.RemoteUserID != null) {
ctx.winlog.event_data.put("RemoteUserDescription", params.AccountSIDDescription[ctx.winlog.event_data.RemoteUserID]);
}
if (ctx.event?.code == null ||
- !["4670", "4817", "4907", "4908"].contains(ctx.event.code)) {
+ !["4670", "4817", "4907", "4908", "4675"].contains(ctx.event.code)) {
return;
}
if (ctx.winlog?.event_data?.OldSd != null) {
@@ -4286,9 +4787,82 @@ processors:
if (ctx.winlog?.event_data?.SidList != null) {
splitSidList(ctx.winlog.event_data.SidList, params, ctx);
}
-
+ - set:
+ field: event.provider
+ tag: set_event_provider
+ copy_from: winlog.event_data.ProviderName
+ ignore_empty_value: true
+ - set:
+ field: event.action
+ tag: set_event_provider
+ copy_from: winlog.event_data.Action
+ ignore_empty_value: true
+ - lowercase:
+ field: event.action
+ tag: lowercase_event_action
+ ignore_missing: true
+ - convert:
+ field: winlog.event_data.EventIdx
+ tag: convert_event_idx
+ type: long
+ ignore_missing: true
+ if: ctx.winlog?.event_data?.EventIdx != ''
+ on_failure:
+ - remove:
+ field: winlog.event_data.EventIdx
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: winlog.event_data.EventCountTotal
+ tag: convert_event_count_total
+ type: long
+ ignore_missing: true
+ if: ctx.winlog?.event_data?.EventCountTotal != ''
+ on_failure:
+ - remove:
+ field: winlog.event_data.EventCountTotal
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: winlog.event_data.Options
+ tag: convert_options
+ type: long
+ ignore_missing: true
+ if: ctx.winlog?.event_data?.Options != ''
+ on_failure:
+ - remove:
+ field: winlog.event_data.Options
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: winlog.event_data.StatusCode
+ tag: convert_status_code
+ type: long
+ ignore_missing: true
+ if: ctx.winlog?.event_data?.StatusCode != ''
+ on_failure:
+ - remove:
+ field: winlog.event_data.StatusCode
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: winlog.event_data.StartUSN
+ tag: convert_start_usn
+ type: long
+ ignore_missing: true
+ if: ctx.winlog?.event_data?.StartUSN != ''
+ on_failure:
+ - remove:
+ field: winlog.event_data.StartUSN
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
#
- # Populate network.transport from network.iana_number.
+ # Populate network.transport from network.iana_number.
#
- script:
if: "ctx.network?.iana_number != null && ctx.network?.transport == null"
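Review bot: `set_event_provider` copies `winlog.event_data.ProviderName` into `event.provider` and the next processor copies `winlog.event_data.Action` into `event.action`, both unconditionally; for any event that carries those keys (e.g. the WFP 544x events) this overwrites the curated `event.action` assigned from the code table earlier in this file and replaces the channel provider (`Microsoft-Windows-Security-Auditing`), breaking rules keyed on the existing `event.action` strings. Restrict both to the codes that need them, or write the raw value to a `winlog.event_data.*Description` field instead, and give the second processor its own tag — it reuses `set_event_provider`, so failures from the two are indistinguishable.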
@@ -4324,7 +4898,6 @@ processors:
return;
}
ctx.network.put("transport", t)
-
- set:
field: file.name
copy_from: winlog.event_data.RelativeTargetName
@@ -4338,21 +4911,13 @@ processors:
copy_from: winlog.event_data.ShareLocalPath
if: |-
ctx.event?.code != null &&
- ["5140", "5145"].contains(ctx.event.code) &&
+ ["5140", "5142", "5145"].contains(ctx.event.code) &&
ctx.winlog?.event_data?.ShareLocalPath != null &&
ctx.winlog.event_data.ShareLocalPath != ""
- set:
field: file.path
value: "{{file.directory}}\\{{file.name}}"
if: ctx.file?.name != null && ctx.file?.directory != null
- - set:
- field: file.directory
- copy_from: winlog.event_data.ShareLocalPath
- if: |-
- ctx.event?.code != null &&
- ["5140", "5145"].contains(ctx.event.code) &&
- ctx.winlog?.event_data?.ShareLocalPath != null &&
- ctx.winlog.event_data.ShareLocalPath != ""
- set:
field: file.target_path
value: "{{winlog.event_data.ShareName}}\\{{file.name}}"
@@ -4378,6 +4943,18 @@ processors:
- lowercase:
field: network.direction
ignore_missing: true
+ - set:
+ field: winlog.event_data.BackupTypeDescription
+ tag: set_backup_type_description_full_backup
+ value: full backup
+ if: ctx.winlog?.event_data?.BackupType == "1"
+ ignore_failure: true
+ - set:
+ field: winlog.event_data.BackupTypeDescription
+ tag: set_backup_type_description_logs_only
+ value: logs only
+ if: ctx.winlog?.event_data?.BackupType == "0"
+ ignore_failure: true
- community_id:
ignore_missing: true
ignore_failure: true
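Review bot: The two `BackupTypeDescription` setters key only on `BackupType == "1"`/`"0"` without an event code, so any other event carrying a `BackupType` field would inherit the 4876 semantics; gate them on `ctx.event?.code == "4876"`. The `0` = logs only / `1` = full backup mapping matches the Microsoft description for 4876 as far as I recall, but verify against a sample, since a full backup is the case that exports the CA private key and is what detections will key on. `ignore_failure: true` on a constant `set` is a no-op and can be dropped.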
@@ -4385,7 +4962,7 @@ processors:
field:
- _temp
ignore_missing: true
-
+
on_failure:
- set:
field: error.message
diff --git a/packages/system/data_stream/security/fields/winlog.yml b/packages/system/data_stream/security/fields/winlog.yml
index 204d5841564..63e5351c164 100644
--- a/packages/system/data_stream/security/fields/winlog.yml
+++ b/packages/system/data_stream/security/fields/winlog.yml
@@ -67,14 +67,30 @@
type: keyword
- name: AccountName
type: keyword
+ - name: Action
+ type: keyword
+ - name: AdditionalInfo
+ type: keyword
+ - name: AdditionalInfo2
+ type: keyword
+ - name: AlgorithmName
+ type: keyword
- name: AllowedToDelegateTo
type: keyword
+ - name: AppCorrelationID
+ type: keyword
+ - name: Application
+ type: keyword
+ - name: AttributeLDAPDisplayName
+ type: keyword
+ - name: AttributeSyntaxOID
+ type: keyword
- name: AttributeValue
type: keyword
ignore_above: 5120
multi_fields:
- - name: wildcard
- type: wildcard
+ - name: wildcard
+ type: wildcard
- name: AuditPolicyChanges
type: keyword
- name: AuditPolicyChangesDescription
@@ -83,7 +99,9 @@
type: keyword
- name: AuthenticationPackageName
type: keyword
- - name: Application
+ - name: BackupType
+ type: keyword
+ - name: BackupTypeDescription
type: keyword
- name: Binary
type: keyword
@@ -99,24 +117,42 @@
type: keyword
- name: CallerProcessName
type: keyword
+ - name: CalloutId
+ type: keyword
+ - name: CalloutKey
+ type: keyword
+ - name: CalloutName
+ type: keyword
+ - name: CalloutType
+ type: keyword
- name: Category
type: keyword
- name: CategoryId
type: keyword
+ - name: ChangeType
+ type: keyword
+ - name: ClassId
+ type: keyword
+ - name: ClassName
+ type: keyword
- name: ClientAddress
type: keyword
+ - name: ClientCreationTime
+ type: date
- name: ClientName
type: keyword
- name: ClientProcessId
type: keyword
- - name: CurrentProfile
- type: keyword
- name: CommandLine
type: keyword
- name: Company
type: keyword
+ - name: CompatibleIds
+ type: keyword
- name: ComputerAccountChange
type: keyword
+ - name: Conditions
+ type: keyword
- name: CorruptionActionState
type: keyword
- name: CountOfCredentialsReturned
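Review bot: `ClientCreationTime` is mapped as `date`, but `winlog.event_data` values arrive as raw strings, so unless the ingest pipeline normalizes this field with a `date` processor any value outside the mapping's default formats will fail to index and the whole event is rejected. The same strict-typing concern applies to the `long` fields added later in this file (`EventCountTotal` and `EventIdx` in the `@@ -171,6 +221,12 @@` hunk, `Options` in the `@@ -331,39 +433,47 @@` hunk, `StartUSN` and `StatusCode` in the `@@ -449,18 +603,28 @@` hunk) and to `RemoteAddress_ip` typed `ip` in the `@@ -385,22 +515,46 @@` hunk: Elasticsearch coerces decimal strings into `long`, but a hex-formatted status code or a non-IP placeholder raises a mapping error for the document. If the pipeline does not already `convert` these with an `on_failure` fallback, mapping them as `keyword` is the safer default for event data that a detection rule may still need to see; I cannot see the pipeline hunks that would populate them, so please confirm.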
@@ -125,16 +161,28 @@
type: keyword
- name: CreationUtcTime
type: keyword
+ - name: CurrentProfile
+ type: keyword
+ - name: CryptoAlgorithms
+ type: keyword
+ - name: DataDescription
+ type: keyword
+ - name: DSName
+ type: keyword
+ - name: DSType
+ type: keyword
- name: Description
type: keyword
- name: DestAddress
type: keyword
- name: DestPort
type: keyword
- - name: Direction
- type: keyword
- name: Detail
type: keyword
+ - name: DeviceDescription
+ type: keyword
+ - name: DeviceId
+ type: keyword
- name: DeviceName
type: keyword
- name: DeviceNameLength
@@ -145,6 +193,8 @@
type: keyword
- name: DeviceVersionMinor
type: keyword
+ - name: Direction
+ type: keyword
- name: DisplayName
type: keyword
- name: DnsHostName
@@ -171,6 +221,12 @@
type: keyword
- name: EntryCount
type: keyword
+ - name: ErrorCode
+ type: keyword
+ - name: EventCountTotal
+ type: long
+ - name: EventIdx
+ type: long
- name: EventSourceId
type: keyword
- name: ExtraInfo
@@ -181,31 +237,49 @@
type: keyword
- name: FailureReason
type: keyword
+ - name: FailureReasons
+ type: keyword
+ - name: FailureReasonsOutcome
+ type: keyword
+ - name: FileName
+ type: keyword
- name: FileVersion
type: keyword
+ - name: FilterId
+ type: keyword
+ - name: FilterKey
+ type: keyword
+ - name: FilterName
+ type: keyword
- name: FilterOrigin
type: keyword
- name: FilterRTID
type: keyword
+ - name: FilterType
+ type: keyword
- name: FinalStatus
type: keyword
- name: Flags
type: keyword
+ - name: GPOList
+ type: keyword
- name: Group
type: keyword
- - name: GroupTypeChange
+ - name: GroupMembership
type: keyword
- - name: HasRemoteDynamicKeywordAddress
+ - name: GroupTypeChange
type: keyword
- name: HandleId
type: keyword
+ - name: HasRemoteDynamicKeywordAddress
+ type: keyword
- name: HomeDirectory
type: keyword
- name: HomePath
type: keyword
- - name: Identity
+ - name: HardwareIds
type: keyword
- - name: InterfaceIndex
+ - name: Identity
type: keyword
- name: IdleImplementation
type: keyword
@@ -215,40 +289,58 @@
type: keyword
- name: IntegrityLevel
type: keyword
- - name: IsLoopback
+ - name: InterfaceIndex
type: keyword
- name: IpAddress
type: keyword
- name: IpPort
type: keyword
+ - name: IsLoopback
+ type: keyword
- name: KerberosPolicyChange
type: keyword
+ - name: KeyFilePath
+ type: keyword
- name: KeyLength
type: keyword
+ - name: KeyName
+ type: keyword
+ - name: KeyType
+ type: keyword
+ - name: LastBootGood
+ type: keyword
+ - name: LastShutdownGood
+ type: keyword
+ - name: LayerId
+ type: keyword
+ - name: LayerKey
+ type: keyword
- name: LayerName
type: keyword
- name: LayerNameDescription
type: keyword
- name: LayerRTID
type: keyword
- - name: LastBootGood
- type: keyword
- - name: LastShutdownGood
+ - name: LinkName
type: keyword
- name: LmPackageName
type: keyword
+ - name: LocationInformation
+ type: keyword
- name: LogonGuid
type: keyword
- name: LogonHours
type: keyword
- - name: LogonId
- type: keyword
- name: LogonID
type: keyword
+ - name: LogonId
+ type: keyword
- name: LogonProcessName
type: keyword
- name: LogonType
type: keyword
+ - name: MasterKeyId
+ type: keyword
- name: MachineAccountQuota
type: keyword
- name: MajorVersion
@@ -269,6 +361,8 @@
type: keyword
- name: MixedDomainMode
type: keyword
+ - name: NamingContext
+ type: keyword
- name: NewProcessId
type: keyword
- name: NewProcessName
@@ -289,6 +383,8 @@
type: keyword
- name: NewSdSacl2
type: keyword
+ - name: NewState
+ type: keyword
- name: NewTargetUserName
type: keyword
- name: NewTime
@@ -301,6 +397,12 @@
type: keyword
- name: Number
type: keyword
+ - name: ObjectClass
+ type: keyword
+ - name: ObjectDN
+ type: keyword
+ - name: ObjectGUID
+ type: keyword
- name: ObjectName
type: keyword
- name: ObjectServer
@@ -331,39 +433,47 @@
type: keyword
- name: OldUacValue
type: keyword
+ - name: OpCorrelationID
+ type: keyword
+ - name: Operation
+ type: keyword
+ - name: OperationType
+ type: keyword
+ - name: Options
+ type: long
- name: OriginalFileName
type: keyword
- name: OriginalProfile
type: keyword
- name: PackageName
type: keyword
- - name: PasswordLastSet
+ - name: ParentProcessName
type: keyword
- name: PasswordHistoryLength
type: keyword
- - name: Path
+ - name: PasswordLastSet
type: keyword
- - name: ParentProcessName
+ - name: Path
type: keyword
- name: PerformanceImplementation
type: keyword
- - name: PreviousCreationUtcTime
- type: keyword
- name: PreAuthType
type: keyword
+ - name: PreviousCreationUtcTime
+ type: keyword
- name: PreviousTime
type: keyword
- name: PrimaryGroupId
type: keyword
- name: PrivilegeList
type: keyword
- - name: ProcessCreationTime
+ - name: ProtectedDataFlags
type: keyword
- - name: ProcessId
+ - name: ProcessCreationTime
type: keyword
- name: ProcessID
type: keyword
- - name: Protocol
+ - name: ProcessId
type: keyword
- name: ProcessName
type: keyword
@@ -373,8 +483,28 @@
type: keyword
- name: Product
type: keyword
+ - name: Profile
+ type: keyword
+ - name: ProfileChanged
+ type: keyword
- name: ProfilePath
type: keyword
+ - name: ProfileUsed
+ type: keyword
+ - name: Properties
+ type: keyword
+ - name: Protocol
+ type: keyword
+ - name: ProviderContextKey
+ type: keyword
+ - name: ProviderContextName
+ type: keyword
+ - name: ProviderContextType
+ type: keyword
+ - name: ProviderKey
+ type: keyword
+ - name: ProviderName
+ type: keyword
- name: PuaCount
type: keyword
- name: PuaPolicyId
@@ -385,22 +515,46 @@
type: keyword
- name: Reason
type: keyword
+ - name: ReasonForRejection
+ type: keyword
- name: RelativeTargetName
type: keyword
- - name: Resource
+ - name: RecoveryServer
type: keyword
- - name: ResourceAttributes
+ - name: RecoveryKeyId
type: keyword
- - name: RemoteMachineID
+ - name: RemoteAddress_ip
+ type: ip
+ - name: RemoteAddress_name
type: keyword
- name: RemoteMachineDescription
type: keyword
- - name: RemoteUserID
+ - name: RemoteMachineID
type: keyword
- name: RemoteUserDescription
type: keyword
+ - name: RemoteUserID
+ type: keyword
+ - name: RequestId
+ type: keyword
+ - name: Resource
+ type: keyword
+ - name: ResourceAttributes
+ type: keyword
+ - name: ResourceManager
+ type: keyword
+ - name: ReturnCodeOutcome
+ type: keyword
- name: ReturnCode
type: keyword
+ - name: RuleAttr
+ type: keyword
+ - name: RuleId
+ type: keyword
+ - name: RuleName
+ type: keyword
+ - name: SPI
+ type: keyword
- name: SamAccountName
type: keyword
- name: Schema
@@ -409,14 +563,12 @@
type: keyword
- name: SchemaVersion
type: keyword
+ - name: ScriptBlockText
+ type: keyword
- name: ScriptPath
type: keyword
- name: SearchString
type: keyword
- - name: SidHistory
- type: keyword
- - name: ScriptBlockText
- type: keyword
- name: Service
type: keyword
- name: ServiceAccount
@@ -435,6 +587,8 @@
type: keyword
- name: ServiceVersion
type: keyword
+ - name: SessionId
+ type: keyword
- name: SessionName
type: keyword
- name: ShareLocalPath
@@ -449,18 +603,28 @@
type: keyword
- name: SidFilteringEnabled
type: keyword
+ - name: SidHistory
+ type: keyword
- name: Signature
type: keyword
- name: SignatureStatus
type: keyword
- name: Signed
type: keyword
+ - name: SourceAddress
+ type: keyword
+ - name: SourcePort
+ type: keyword
- name: StartTime
type: keyword
+ - name: StartUSN
+ type: long
- name: State
type: keyword
- name: Status
type: keyword
+ - name: StatusCode
+ type: long
- name: StatusDescription
type: keyword
- name: StopTime
@@ -469,10 +633,12 @@
type: keyword
- name: SubCategoryGuid
type: keyword
- - name: SubcategoryGuid
- type: keyword
- name: SubCategoryId
type: keyword
+ - name: SubStatus
+ type: keyword
+ - name: SubcategoryGuid
+ type: keyword
- name: SubcategoryId
type: keyword
- name: SubjectDomainName
@@ -483,12 +649,6 @@
type: keyword
- name: SubjectUserSid
type: keyword
- - name: SubStatus
- type: keyword
- - name: SourceAddress
- type: keyword
- - name: SourcePort
- type: keyword
- name: TSId
type: keyword
- name: TargetDomainName
@@ -513,6 +673,8 @@
type: keyword
- name: TdoDirection
type: keyword
+ - name: TdoSid
+ type: keyword
- name: TdoType
type: keyword
- name: TerminalSessionId
@@ -527,12 +689,16 @@
type: keyword
- name: TokenElevationType
type: keyword
+ - name: TransactionId
+ type: keyword
- name: TransmittedServices
type: keyword
- name: Type
type: keyword
- name: UserAccountControl
type: keyword
+ - name: UserName
+ type: keyword
- name: UserParameters
type: keyword
- name: UserPrincipalName
@@ -541,8 +707,12 @@
type: keyword
- name: UserWorkstations
type: keyword
+ - name: VendorIds
+ type: keyword
- name: Version
type: keyword
+ - name: Weight
+ type: keyword
- name: Workstation
type: keyword
- name: WorkstationName
@@ -563,6 +733,7 @@
type: keyword
- name: param8
type: keyword
+
- name: event_id
type: keyword
description: >
diff --git a/packages/system/data_stream/security/manifest.yml b/packages/system/data_stream/security/manifest.yml
index ff3af176a9d..967e133634a 100644
--- a/packages/system/data_stream/security/manifest.yml
+++ b/packages/system/data_stream/security/manifest.yml
@@ -44,6 +44,13 @@ streams:
title: Tags
multi: true
show_user: false
+ - name: preserve_duplicate_custom_fields
+ required: false
+ show_user: false
+ title: Preserve duplicate custom fields
+ description: Preserve winlog.event_data fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
- name: processors
type: yaml
title: Processors
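Review bot: The new `preserve_duplicate_custom_fields` variable declares `type: bool` but no `default`, so a policy that never sets it leaves the value unset rather than `false`, and the stream template has to cope with an undefined variable; adding `default: false` after `multi: false` gives the pipeline a definite value and documents the intended behaviour. The description could also state the consequence of the default, e.g. `description: Preserve winlog.event_data fields that were copied to Elastic Common Schema (ECS) fields. When false (the default), the duplicated event_data fields are removed to reduce index size.` — only if that matches what the pipeline does, which is outside this hunk.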
diff --git a/packages/system/docs/README.md b/packages/system/docs/README.md
index d2d0ec50f84..ba80509240d 100644
--- a/packages/system/docs/README.md
+++ b/packages/system/docs/README.md
@@ -555,14 +555,23 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
| winlog.event_data.AccountDomain | | keyword |
| winlog.event_data.AccountExpires | | keyword |
| winlog.event_data.AccountName | | keyword |
+| winlog.event_data.Action | | keyword |
+| winlog.event_data.AdditionalInfo | | keyword |
+| winlog.event_data.AdditionalInfo2 | | keyword |
+| winlog.event_data.AlgorithmName | | keyword |
| winlog.event_data.AllowedToDelegateTo | | keyword |
+| winlog.event_data.AppCorrelationID | | keyword |
| winlog.event_data.Application | | keyword |
+| winlog.event_data.AttributeLDAPDisplayName | | keyword |
+| winlog.event_data.AttributeSyntaxOID | | keyword |
| winlog.event_data.AttributeValue | | keyword |
| winlog.event_data.AttributeValue.wildcard | Multi-field of `winlog.event_data.AttributeValue`. | wildcard |
| winlog.event_data.AuditPolicyChanges | | keyword |
| winlog.event_data.AuditPolicyChangesDescription | | keyword |
| winlog.event_data.AuditSourceName | | keyword |
| winlog.event_data.AuthenticationPackageName | | keyword |
+| winlog.event_data.BackupType | | keyword |
+| winlog.event_data.BackupTypeDescription | | keyword |
| winlog.event_data.Binary | | keyword |
| winlog.event_data.BitlockerUserInputTime | | keyword |
| winlog.event_data.BootMode | | keyword |
@@ -570,23 +579,39 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
| winlog.event_data.BuildVersion | | keyword |
| winlog.event_data.CallerProcessId | | keyword |
| winlog.event_data.CallerProcessName | | keyword |
+| winlog.event_data.CalloutId | | keyword |
+| winlog.event_data.CalloutKey | | keyword |
+| winlog.event_data.CalloutName | | keyword |
+| winlog.event_data.CalloutType | | keyword |
| winlog.event_data.Category | | keyword |
| winlog.event_data.CategoryId | | keyword |
+| winlog.event_data.ChangeType | | keyword |
+| winlog.event_data.ClassId | | keyword |
+| winlog.event_data.ClassName | | keyword |
| winlog.event_data.ClientAddress | | keyword |
+| winlog.event_data.ClientCreationTime | | date |
| winlog.event_data.ClientName | | keyword |
| winlog.event_data.ClientProcessId | | keyword |
| winlog.event_data.CommandLine | | keyword |
| winlog.event_data.Company | | keyword |
+| winlog.event_data.CompatibleIds | | keyword |
| winlog.event_data.ComputerAccountChange | | keyword |
+| winlog.event_data.Conditions | | keyword |
| winlog.event_data.CorruptionActionState | | keyword |
| winlog.event_data.CountOfCredentialsReturned | | keyword |
| winlog.event_data.CrashOnAuditFailValue | | keyword |
| winlog.event_data.CreationUtcTime | | keyword |
+| winlog.event_data.CryptoAlgorithms | | keyword |
| winlog.event_data.CurrentProfile | | keyword |
+| winlog.event_data.DSName | | keyword |
+| winlog.event_data.DSType | | keyword |
+| winlog.event_data.DataDescription | | keyword |
| winlog.event_data.Description | | keyword |
| winlog.event_data.DestAddress | | keyword |
| winlog.event_data.DestPort | | keyword |
| winlog.event_data.Detail | | keyword |
+| winlog.event_data.DeviceDescription | | keyword |
+| winlog.event_data.DeviceId | | keyword |
| winlog.event_data.DeviceName | | keyword |
| winlog.event_data.DeviceNameLength | | keyword |
| winlog.event_data.DeviceTime | | keyword |
@@ -606,19 +631,32 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
| winlog.event_data.DwordVal | | keyword |
| winlog.event_data.EnabledPrivilegeList | | keyword |
| winlog.event_data.EntryCount | | keyword |
+| winlog.event_data.ErrorCode | | keyword |
+| winlog.event_data.EventCountTotal | | long |
+| winlog.event_data.EventIdx | | long |
| winlog.event_data.EventSourceId | | keyword |
| winlog.event_data.ExtraInfo | | keyword |
| winlog.event_data.FailureName | | keyword |
| winlog.event_data.FailureNameLength | | keyword |
| winlog.event_data.FailureReason | | keyword |
+| winlog.event_data.FailureReasons | | keyword |
+| winlog.event_data.FailureReasonsOutcome | | keyword |
+| winlog.event_data.FileName | | keyword |
| winlog.event_data.FileVersion | | keyword |
+| winlog.event_data.FilterId | | keyword |
+| winlog.event_data.FilterKey | | keyword |
+| winlog.event_data.FilterName | | keyword |
| winlog.event_data.FilterOrigin | | keyword |
| winlog.event_data.FilterRTID | | keyword |
+| winlog.event_data.FilterType | | keyword |
| winlog.event_data.FinalStatus | | keyword |
| winlog.event_data.Flags | | keyword |
+| winlog.event_data.GPOList | | keyword |
| winlog.event_data.Group | | keyword |
+| winlog.event_data.GroupMembership | | keyword |
| winlog.event_data.GroupTypeChange | | keyword |
| winlog.event_data.HandleId | | keyword |
+| winlog.event_data.HardwareIds | | keyword |
| winlog.event_data.HasRemoteDynamicKeywordAddress | | keyword |
| winlog.event_data.HomeDirectory | | keyword |
| winlog.event_data.HomePath | | keyword |
@@ -632,13 +670,20 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
| winlog.event_data.IpPort | | keyword |
| winlog.event_data.IsLoopback | | keyword |
| winlog.event_data.KerberosPolicyChange | | keyword |
+| winlog.event_data.KeyFilePath | | keyword |
| winlog.event_data.KeyLength | | keyword |
+| winlog.event_data.KeyName | | keyword |
+| winlog.event_data.KeyType | | keyword |
| winlog.event_data.LastBootGood | | keyword |
| winlog.event_data.LastShutdownGood | | keyword |
+| winlog.event_data.LayerId | | keyword |
+| winlog.event_data.LayerKey | | keyword |
| winlog.event_data.LayerName | | keyword |
| winlog.event_data.LayerNameDescription | | keyword |
| winlog.event_data.LayerRTID | | keyword |
+| winlog.event_data.LinkName | | keyword |
| winlog.event_data.LmPackageName | | keyword |
+| winlog.event_data.LocationInformation | | keyword |
| winlog.event_data.LogonGuid | | keyword |
| winlog.event_data.LogonHours | | keyword |
| winlog.event_data.LogonID | | keyword |
@@ -648,6 +693,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
| winlog.event_data.MachineAccountQuota | | keyword |
| winlog.event_data.MajorVersion | | keyword |
| winlog.event_data.MandatoryLabel | | keyword |
+| winlog.event_data.MasterKeyId | | keyword |
| winlog.event_data.MaximumPerformancePercent | | keyword |
| winlog.event_data.MemberName | | keyword |
| winlog.event_data.MemberSid | | keyword |
@@ -655,6 +701,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
| winlog.event_data.MinimumThrottlePercent | | keyword |
| winlog.event_data.MinorVersion | | keyword |
| winlog.event_data.MixedDomainMode | | keyword |
+| winlog.event_data.NamingContext | | keyword |
| winlog.event_data.NewProcessId | | keyword |
| winlog.event_data.NewProcessName | | keyword |
| winlog.event_data.NewSchemeGuid | | keyword |
@@ -665,12 +712,16 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
| winlog.event_data.NewSdSacl0 | | keyword |
| winlog.event_data.NewSdSacl1 | | keyword |
| winlog.event_data.NewSdSacl2 | | keyword |
+| winlog.event_data.NewState | | keyword |
| winlog.event_data.NewTargetUserName | | keyword |
| winlog.event_data.NewTime | | keyword |
| winlog.event_data.NewUACList | | keyword |
| winlog.event_data.NewUacValue | | keyword |
| winlog.event_data.NominalFrequency | | keyword |
| winlog.event_data.Number | | keyword |
+| winlog.event_data.ObjectClass | | keyword |
+| winlog.event_data.ObjectDN | | keyword |
+| winlog.event_data.ObjectGUID | | keyword |
| winlog.event_data.ObjectName | | keyword |
| winlog.event_data.ObjectServer | | keyword |
| winlog.event_data.ObjectType | | keyword |
@@ -686,6 +737,10 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
| winlog.event_data.OldTargetUserName | | keyword |
| winlog.event_data.OldTime | | keyword |
| winlog.event_data.OldUacValue | | keyword |
+| winlog.event_data.OpCorrelationID | | keyword |
+| winlog.event_data.Operation | | keyword |
+| winlog.event_data.OperationType | | keyword |
+| winlog.event_data.Options | | long |
| winlog.event_data.OriginalFileName | | keyword |
| winlog.event_data.OriginalProfile | | keyword |
| winlog.event_data.PackageName | | keyword |
@@ -706,21 +761,43 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
| winlog.event_data.ProcessPath | | keyword |
| winlog.event_data.ProcessPid | | keyword |
| winlog.event_data.Product | | keyword |
+| winlog.event_data.Profile | | keyword |
+| winlog.event_data.ProfileChanged | | keyword |
| winlog.event_data.ProfilePath | | keyword |
+| winlog.event_data.ProfileUsed | | keyword |
+| winlog.event_data.Properties | | keyword |
+| winlog.event_data.ProtectedDataFlags | | keyword |
| winlog.event_data.Protocol | | keyword |
+| winlog.event_data.ProviderContextKey | | keyword |
+| winlog.event_data.ProviderContextName | | keyword |
+| winlog.event_data.ProviderContextType | | keyword |
+| winlog.event_data.ProviderKey | | keyword |
+| winlog.event_data.ProviderName | | keyword |
| winlog.event_data.PuaCount | | keyword |
| winlog.event_data.PuaPolicyId | | keyword |
| winlog.event_data.QfeVersion | | keyword |
| winlog.event_data.ReadOperation | | keyword |
| winlog.event_data.Reason | | keyword |
+| winlog.event_data.ReasonForRejection | | keyword |
+| winlog.event_data.RecoveryKeyId | | keyword |
+| winlog.event_data.RecoveryServer | | keyword |
| winlog.event_data.RelativeTargetName | | keyword |
+| winlog.event_data.RemoteAddress_ip | | ip |
+| winlog.event_data.RemoteAddress_name | | keyword |
| winlog.event_data.RemoteMachineDescription | | keyword |
| winlog.event_data.RemoteMachineID | | keyword |
| winlog.event_data.RemoteUserDescription | | keyword |
| winlog.event_data.RemoteUserID | | keyword |
+| winlog.event_data.RequestId | | keyword |
| winlog.event_data.Resource | | keyword |
| winlog.event_data.ResourceAttributes | | keyword |
+| winlog.event_data.ResourceManager | | keyword |
| winlog.event_data.ReturnCode | | keyword |
+| winlog.event_data.ReturnCodeOutcome | | keyword |
+| winlog.event_data.RuleAttr | | keyword |
+| winlog.event_data.RuleId | | keyword |
+| winlog.event_data.RuleName | | keyword |
+| winlog.event_data.SPI | | keyword |
| winlog.event_data.SamAccountName | | keyword |
| winlog.event_data.Schema | | keyword |
| winlog.event_data.SchemaFriendlyName | | keyword |
@@ -737,6 +814,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
| winlog.event_data.ServiceStartType | | keyword |
| winlog.event_data.ServiceType | | keyword |
| winlog.event_data.ServiceVersion | | keyword |
+| winlog.event_data.SessionId | | keyword |
| winlog.event_data.SessionName | | keyword |
| winlog.event_data.ShareLocalPath | | keyword |
| winlog.event_data.ShareName | | keyword |
@@ -751,8 +829,10 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
| winlog.event_data.SourceAddress | | keyword |
| winlog.event_data.SourcePort | | keyword |
| winlog.event_data.StartTime | | keyword |
+| winlog.event_data.StartUSN | | long |
| winlog.event_data.State | | keyword |
| winlog.event_data.Status | | keyword |
+| winlog.event_data.StatusCode | | long |
| winlog.event_data.StatusDescription | | keyword |
| winlog.event_data.StopTime | | keyword |
| winlog.event_data.SubCategory | | keyword |
@@ -777,6 +857,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
| winlog.event_data.TargetUserSid | | keyword |
| winlog.event_data.TdoAttributes | | keyword |
| winlog.event_data.TdoDirection | | keyword |
+| winlog.event_data.TdoSid | | keyword |
| winlog.event_data.TdoType | | keyword |
| winlog.event_data.TerminalSessionId | | keyword |
| winlog.event_data.TicketEncryptionType | | keyword |
@@ -784,14 +865,18 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
| winlog.event_data.TicketOptions | | keyword |
| winlog.event_data.TicketOptionsDescription | | keyword |
| winlog.event_data.TokenElevationType | | keyword |
+| winlog.event_data.TransactionId | | keyword |
| winlog.event_data.TransmittedServices | | keyword |
| winlog.event_data.Type | | keyword |
| winlog.event_data.UserAccountControl | | keyword |
+| winlog.event_data.UserName | | keyword |
| winlog.event_data.UserParameters | | keyword |
| winlog.event_data.UserPrincipalName | | keyword |
| winlog.event_data.UserSid | | keyword |
| winlog.event_data.UserWorkstations | | keyword |
+| winlog.event_data.VendorIds | | keyword |
| winlog.event_data.Version | | keyword |
+| winlog.event_data.Weight | | keyword |
| winlog.event_data.Workstation | | keyword |
| winlog.event_data.WorkstationName | | keyword |
| winlog.event_data.param1 | | keyword |
diff --git a/packages/system/img/directory-and-account-monitoring-dashboard.png b/packages/system/img/directory-and-account-monitoring-dashboard.png
new file mode 100644
index 00000000000..ae616a54f29
Binary files /dev/null and b/packages/system/img/directory-and-account-monitoring-dashboard.png differ
diff --git a/packages/system/img/logon-activity-dashboard.png b/packages/system/img/logon-activity-dashboard.png
new file mode 100644
index 00000000000..3ffd63fd544
Binary files /dev/null and b/packages/system/img/logon-activity-dashboard.png differ
diff --git a/packages/system/img/policy-and-object-monitoring-dashboard.png b/packages/system/img/policy-and-object-monitoring-dashboard.png
new file mode 100644
index 00000000000..4fbc3acac50
Binary files /dev/null and b/packages/system/img/policy-and-object-monitoring-dashboard.png differ
diff --git a/packages/system/img/system-and-process-activity-dashboard.png b/packages/system/img/system-and-process-activity-dashboard.png
new file mode 100644
index 00000000000..f8d53a2c01c
Binary files /dev/null and b/packages/system/img/system-and-process-activity-dashboard.png differ
diff --git a/packages/system/kibana/dashboard/system-0e70e1bd-9a57-4f17-9d96-cc97e3d3a4f9.json b/packages/system/kibana/dashboard/system-0e70e1bd-9a57-4f17-9d96-cc97e3d3a4f9.json
new file mode 100644
index 00000000000..85316d878c9
--- /dev/null
+++ b/packages/system/kibana/dashboard/system-0e70e1bd-9a57-4f17-9d96-cc97e3d3a4f9.json
@@ -0,0 +1,2442 @@
+{
+ "attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": {
+ "ignoreFilters": false,
+ "ignoreQuery": false,
+ "ignoreTimerange": false,
+ "ignoreValidations": false
+ },
+ "panelsJSON": {},
+ "showApplySelections": false
+ },
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.security"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.security"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "hidePanelTitles": false,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "### Navigation\n\n#### System\n\n[Logon Activity](#/dashboard/system-2c4debf0-ef4f-4379-99a1-c57c307f23af) \n[Directory \u0026 Account Monitoring](#/dashboard/system-3c46ecdb-0a41-4be3-907e-722de8edac12) \n**System \u0026 Process Activity** \n[Policy \u0026 Object Monitoring](#/dashboard/system-db94459a-7232-4d1b-aa0c-b80dece8bc3a)\n\n#### Description\n\nThis dashboard offers visibility into critical system and process activities, with a focus on file and cryptographic operations.\n\nIt highlights key and file operations by provider, top affected file paths, and device connection trends over time. Saved searches provide detailed insights into cryptographic events, key migrations, and file operations, supporting analysis of system behavior and potential security impacts.\n\n\n**[Integration Page](/app/integrations/detail/system/overview)**",
+ "openLinksInNewTab": false
+ },
+ "title": "Table of Contents",
+ "type": "markdown",
+ "uiState": {}
+ }
+ },
+ "gridData": {
+ "h": 29,
+ "i": "f77c89df-b8b3-49b0-a5f8-ae4002252df4",
+ "w": 12,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "f77c89df-b8b3-49b0-a5f8-ae4002252df4",
+ "title": "Table of Contents",
+ "type": "visualization"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-0aa841d9-0915-4abc-b0f2-ec3ad7937720",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "0aa841d9-0915-4abc-b0f2-ec3ad7937720": {
+ "columnOrder": [
+ "5c3c6230-0626-4073-836a-991fa760a4dd",
+ "9039a45e-e99b-4635-a788-3821c0dccd2f"
+ ],
+ "columns": {
+ "5c3c6230-0626-4073-836a-991fa760a4dd": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Cryptographic Operation",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "9039a45e-e99b-4635-a788-3821c0dccd2f",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.Operation"
+ },
+ "9039a45e-e99b-4635-a788-3821c0dccd2f": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5061"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5061"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "0aa841d9-0915-4abc-b0f2-ec3ad7937720",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "9039a45e-e99b-4635-a788-3821c0dccd2f"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "5c3c6230-0626-4073-836a-991fa760a4dd"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5061"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5061"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 14,
+ "i": "19ee2033-aac0-4a03-a367-e29a4f32161d",
+ "w": 19,
+ "x": 29,
+ "y": 0
+ },
+ "panelIndex": "19ee2033-aac0-4a03-a367-e29a4f32161d",
+ "title": "Cryptographic Operation by Provider [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-a68af72a-5407-49b5-8abd-76b2d05f8dad",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "a68af72a-5407-49b5-8abd-76b2d05f8dad": {
+ "columnOrder": [
+ "a1e65f8c-5fdf-42cf-9a68-5140e6949545",
+ "7691562c-dc56-4ede-a150-c7e3e59da833",
+ "6128fb79-0ca8-48ef-ad09-fa874fd5059b"
+ ],
+ "columns": {
+ "6128fb79-0ca8-48ef-ad09-fa874fd5059b": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "7691562c-dc56-4ede-a150-c7e3e59da833": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "a1e65f8c-5fdf-42cf-9a68-5140e6949545": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Class Name",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "6128fb79-0ca8-48ef-ad09-fa874fd5059b",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.ClassName"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "6416"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "6416"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "accessors": [
+ "6128fb79-0ca8-48ef-ad09-fa874fd5059b"
+ ],
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "a68af72a-5407-49b5-8abd-76b2d05f8dad",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "splitAccessor": "a1e65f8c-5fdf-42cf-9a68-5140e6949545",
+ "xAccessor": "7691562c-dc56-4ede-a150-c7e3e59da833"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right",
+ "shouldTruncate": false,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "line",
+ "title": "Empty XY chart",
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "6416"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "6416"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "f4a9fdc2-646a-4ae5-a57c-1a939c4801b9",
+ "w": 19,
+ "x": 29,
+ "y": 14
+ },
+ "panelIndex": "f4a9fdc2-646a-4ae5-a57c-1a939c4801b9",
+ "title": "Device Connection Events Over Time [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-4c2798b0-bada-477c-8edd-0c9a18546375",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "4c2798b0-bada-477c-8edd-0c9a18546375": {
+ "columnOrder": [
+ "d0bc11cc-fcfb-4fd0-88c8-a656ce00c744",
+ "9131fb27-a5a6-44d1-80d0-f2d19cb941a2"
+ ],
+ "columns": {
+ "9131fb27-a5a6-44d1-80d0-f2d19cb941a2": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count ",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "d0bc11cc-fcfb-4fd0-88c8-a656ce00c744": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Key Operation",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "9131fb27-a5a6-44d1-80d0-f2d19cb941a2",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.Operation"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5058"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5058"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "4c2798b0-bada-477c-8edd-0c9a18546375",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "legendSize": "large",
+ "metrics": [
+ "9131fb27-a5a6-44d1-80d0-f2d19cb941a2"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "d0bc11cc-fcfb-4fd0-88c8-a656ce00c744"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5058"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5058"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 14,
+ "i": "ba8ed409-bfde-4988-8479-18944b30fd2c",
+ "w": 17,
+ "x": 12,
+ "y": 0
+ },
+ "panelIndex": "ba8ed409-bfde-4988-8479-18944b30fd2c",
+ "title": "Key File Operation by Provider [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-4c2798b0-bada-477c-8edd-0c9a18546375",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "4c2798b0-bada-477c-8edd-0c9a18546375": {
+ "columnOrder": [
+ "d0bc11cc-fcfb-4fd0-88c8-a656ce00c744",
+ "9131fb27-a5a6-44d1-80d0-f2d19cb941a2"
+ ],
+ "columns": {
+ "9131fb27-a5a6-44d1-80d0-f2d19cb941a2": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count ",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "d0bc11cc-fcfb-4fd0-88c8-a656ce00c744": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Key Operation",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "9131fb27-a5a6-44d1-80d0-f2d19cb941a2",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.Operation"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5059"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5059"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "4c2798b0-bada-477c-8edd-0c9a18546375",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "legendSize": "large",
+ "metrics": [
+ "9131fb27-a5a6-44d1-80d0-f2d19cb941a2"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "d0bc11cc-fcfb-4fd0-88c8-a656ce00c744"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5059"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5059"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "9c2cf9cd-e1de-4edc-a402-bd90d8b80aeb",
+ "w": 17,
+ "x": 12,
+ "y": 14
+ },
+ "panelIndex": "9c2cf9cd-e1de-4edc-a402-bd90d8b80aeb",
+ "title": "Key Migration Operation by Provider [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 14,
+ "i": "c9b8b334-9830-4880-8577-716dc69bdae2",
+ "w": 48,
+ "x": 0,
+ "y": 71
+ },
+ "panelIndex": "c9b8b334-9830-4880-8577-716dc69bdae2",
+ "panelRefName": "panel_c9b8b334-9830-4880-8577-716dc69bdae2",
+ "title": "Cryptographic Key File Operation Essential Details [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 13,
+ "i": "4262d294-d2b9-4567-8960-736f958f97f3",
+ "w": 48,
+ "x": 0,
+ "y": 85
+ },
+ "panelIndex": "4262d294-d2b9-4567-8960-736f958f97f3",
+ "panelRefName": "panel_4262d294-d2b9-4567-8960-736f958f97f3",
+ "title": "Key Migration Operation Essential Details [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 12,
+ "i": "a9197bd3-3d4e-4b91-82eb-54b1fe4731be",
+ "w": 48,
+ "x": 0,
+ "y": 98
+ },
+ "panelIndex": "a9197bd3-3d4e-4b91-82eb-54b1fe4731be",
+ "panelRefName": "panel_a9197bd3-3d4e-4b91-82eb-54b1fe4731be",
+ "title": "Cryptographic Operation Essential Details [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 13,
+ "i": "79dc3341-186f-4660-b774-2d53b777ee5b",
+ "w": 48,
+ "x": 0,
+ "y": 58
+ },
+ "panelIndex": "79dc3341-186f-4660-b774-2d53b777ee5b",
+ "panelRefName": "panel_79dc3341-186f-4660-b774-2d53b777ee5b",
+ "title": "Key File Operation Essential Details [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-23e9d6ca-2cd8-4dbf-b9a6-809b067d893b",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "23e9d6ca-2cd8-4dbf-b9a6-809b067d893b": {
+ "columnOrder": [
+ "6f63e043-745c-420b-8bab-a9e5f501584e",
+ "07b549c0-663a-4b8a-a95f-6f400ecaeed3"
+ ],
+ "columns": {
+ "07b549c0-663a-4b8a-a95f-6f400ecaeed3": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "6f63e043-745c-420b-8bab-a9e5f501584e": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "File Path",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "07b549c0-663a-4b8a-a95f-6f400ecaeed3",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "file.path"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5038"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5038"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "Linear",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "07b549c0-663a-4b8a-a95f-6f400ecaeed3"
+ ],
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "23e9d6ca-2cd8-4dbf-b9a6-809b067d893b",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_stacked",
+ "showGridlines": false,
+ "xAccessor": "6f63e043-745c-420b-8bab-a9e5f501584e"
+ }
+ ],
+ "legend": {
+ "isVisible": false,
+ "position": "right",
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5038"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5038"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 14,
+ "i": "1a9a9643-b8ed-4ec1-ab4a-0fe4be7dbfb8",
+ "w": 48,
+ "x": 0,
+ "y": 29
+ },
+ "panelIndex": "1a9a9643-b8ed-4ec1-ab4a-0fe4be7dbfb8",
+ "title": "Top Affected File Paths [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-c0a15892-6491-449a-b551-792b22510953",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "c0a15892-6491-449a-b551-792b22510953": {
+ "columnOrder": [
+ "aac02e82-5806-48c0-8173-aa02450e97f8",
+ "3c3bb4ad-259c-4cf2-9e63-2418b0be3c8c"
+ ],
+ "columns": {
+ "3c3bb4ad-259c-4cf2-9e63-2418b0be3c8c": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "aac02e82-5806-48c0-8173-aa02450e97f8": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Location Information",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "3c3bb4ad-259c-4cf2-9e63-2418b0be3c8c",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.LocationInformation"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "6416"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "6416"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "Linear",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "3c3bb4ad-259c-4cf2-9e63-2418b0be3c8c"
+ ],
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "c0a15892-6491-449a-b551-792b22510953",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_stacked",
+ "showGridlines": false,
+ "xAccessor": "aac02e82-5806-48c0-8173-aa02450e97f8"
+ }
+ ],
+ "legend": {
+ "isVisible": false,
+ "position": "right",
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "6416"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "6416"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "e8629942-0785-4a86-8dc4-4053b0a38c03",
+ "w": 48,
+ "x": 0,
+ "y": 43
+ },
+ "panelIndex": "e8629942-0785-4a86-8dc4-4053b0a38c03",
+ "title": "Device Connection Events by Location [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 18,
+ "i": "ac99a443-7466-4b70-b0c9-6dd20a33486c",
+ "w": 48,
+ "x": 0,
+ "y": 148
+ },
+ "panelIndex": "ac99a443-7466-4b70-b0c9-6dd20a33486c",
+ "panelRefName": "panel_ac99a443-7466-4b70-b0c9-6dd20a33486c",
+ "title": "Device Operation Essential Details [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-6f6f2f47-b7f4-4f1f-864e-d931283d668f",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "6f6f2f47-b7f4-4f1f-864e-d931283d668f": {
+ "columnOrder": [
+ "dfe93474-20c0-4482-aac1-aa4807f84ca8",
+ "1931d3c1-ba5e-4df9-804f-02bb838170a7",
+ "caffaf3f-321d-4ff6-af4d-2d24f6b05790"
+ ],
+ "columns": {
+ "1931d3c1-ba5e-4df9-804f-02bb838170a7": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Class Name",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "caffaf3f-321d-4ff6-af4d-2d24f6b05790",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.ClassName"
+ },
+ "caffaf3f-321d-4ff6-af4d-2d24f6b05790": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "dfe93474-20c0-4482-aac1-aa4807f84ca8": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Event Action",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "caffaf3f-321d-4ff6-af4d-2d24f6b05790",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "event.action"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "6419",
+ "6420",
+ "6421",
+ "6422"
+ ],
+ "type": "phrases",
+ "value": [
+ "6419",
+ "6420",
+ "6421",
+ "6422"
+ ]
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "6419"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "6420"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "6421"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "6422"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "accessors": [
+ "caffaf3f-321d-4ff6-af4d-2d24f6b05790"
+ ],
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "6f6f2f47-b7f4-4f1f-864e-d931283d668f",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_horizontal_stacked",
+ "showGridlines": false,
+ "splitAccessor": "dfe93474-20c0-4482-aac1-aa4807f84ca8",
+ "xAccessor": "1931d3c1-ba5e-4df9-804f-02bb838170a7"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right",
+ "shouldTruncate": false,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "title": "Empty XY chart",
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "6419",
+ "6420",
+ "6421",
+ "6422"
+ ],
+ "type": "phrases",
+ "value": [
+ "6419",
+ "6420",
+ "6421",
+ "6422"
+ ]
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "6419"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "6420"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "6421"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "6422"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 14,
+ "i": "d0123eba-a44f-499c-a307-644bee2b0e33",
+ "w": 48,
+ "x": 0,
+ "y": 110
+ },
+ "panelIndex": "d0123eba-a44f-499c-a307-644bee2b0e33",
+ "title": "Device Operation by Class Name [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-f1ae93a9-2d4e-4c18-bb13-c51908770774",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "f1ae93a9-2d4e-4c18-bb13-c51908770774": {
+ "columnOrder": [
+ "88115a6b-7edc-4948-8170-939a47415ef7",
+ "c313d898-238f-4375-b680-92f8355a5ce6",
+ "9993177d-6742-4f1a-964e-1e48803b1ec8"
+ ],
+ "columns": {
+ "88115a6b-7edc-4948-8170-939a47415ef7": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Event Action",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "9993177d-6742-4f1a-964e-1e48803b1ec8",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "event.action"
+ },
+ "9993177d-6742-4f1a-964e-1e48803b1ec8": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "c313d898-238f-4375-b680-92f8355a5ce6": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Subject Username",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "9993177d-6742-4f1a-964e-1e48803b1ec8",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "user.name"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "6419",
+ "6420",
+ "6421",
+ "6422"
+ ],
+ "type": "phrases",
+ "value": [
+ "6419",
+ "6420",
+ "6421",
+ "6422"
+ ]
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "6419"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "6420"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "6421"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "6422"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "accessors": [
+ "9993177d-6742-4f1a-964e-1e48803b1ec8"
+ ],
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "f1ae93a9-2d4e-4c18-bb13-c51908770774",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_horizontal_stacked",
+ "showGridlines": false,
+ "splitAccessor": "88115a6b-7edc-4948-8170-939a47415ef7",
+ "xAccessor": "c313d898-238f-4375-b680-92f8355a5ce6"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right",
+ "shouldTruncate": false,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "title": "Empty XY chart",
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "6419",
+ "6420",
+ "6421",
+ "6422"
+ ],
+ "type": "phrases",
+ "value": [
+ "6419",
+ "6420",
+ "6421",
+ "6422"
+ ]
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "6419"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "6420"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "6421"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "6422"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 14,
+ "i": "19c02f00-67ac-4230-b734-1b68a6743888",
+ "w": 48,
+ "x": 0,
+ "y": 124
+ },
+ "panelIndex": "19c02f00-67ac-4230-b734-1b68a6743888",
+ "title": "Device Operation by User Name [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 16,
+ "i": "6cfcf0d7-4127-4b49-aefd-b13175c6abab",
+ "w": 48,
+ "x": 0,
+ "y": 166
+ },
+ "panelIndex": "6cfcf0d7-4127-4b49-aefd-b13175c6abab",
+ "panelRefName": "panel_6cfcf0d7-4127-4b49-aefd-b13175c6abab",
+ "title": "Protected Data Decryption Attempt Essential Details",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-ca5140a6-4384-4be1-93a4-a824a789fa71",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "ca5140a6-4384-4be1-93a4-a824a789fa71": {
+ "columnOrder": [
+ "ccf0ac76-976c-47f5-845b-1865e85e256f",
+ "ffbcab7b-c4ad-4f57-b4d9-732945106a5e"
+ ],
+ "columns": {
+ "ccf0ac76-976c-47f5-845b-1865e85e256f": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Subject Username",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "ffbcab7b-c4ad-4f57-b4d9-732945106a5e",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "user.name"
+ },
+ "ffbcab7b-c4ad-4f57-b4d9-732945106a5e": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4695"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4695"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "ccf0ac76-976c-47f5-845b-1865e85e256f",
+ "isMetric": false,
+ "isTransposed": false
+ },
+ {
+ "columnId": "ffbcab7b-c4ad-4f57-b4d9-732945106a5e",
+ "isMetric": true,
+ "isTransposed": false
+ }
+ ],
+ "layerId": "ca5140a6-4384-4be1-93a4-a824a789fa71",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4695"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4695"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 10,
+ "i": "d396dbfa-6e20-42e3-87c0-b8295161cabc",
+ "w": 48,
+ "x": 0,
+ "y": 138
+ },
+ "panelIndex": "d396dbfa-6e20-42e3-87c0-b8295161cabc",
+ "title": "Top 10 Accounts With Decryption of Protected Data [Logs System Windows Security]",
+ "type": "lens"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Logs System Windows Security] System \u0026 Process Activity",
+ "version": 3
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T09:32:20.579Z",
+ "id": "system-0e70e1bd-9a57-4f17-9d96-cc97e3d3a4f9",
+ "managed": false,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-7af1e82c-155c-4f5b-813e-a2b6c3e5bc75",
+ "name": "c9b8b334-9830-4880-8577-716dc69bdae2:panel_c9b8b334-9830-4880-8577-716dc69bdae2",
+ "type": "search"
+ },
+ {
+ "id": "system-3f35f4fe-f01a-44a7-8892-cd64f88d0a61",
+ "name": "4262d294-d2b9-4567-8960-736f958f97f3:panel_4262d294-d2b9-4567-8960-736f958f97f3",
+ "type": "search"
+ },
+ {
+ "id": "system-94378112-04db-4813-a95f-2b157d6d4bb7",
+ "name": "a9197bd3-3d4e-4b91-82eb-54b1fe4731be:panel_a9197bd3-3d4e-4b91-82eb-54b1fe4731be",
+ "type": "search"
+ },
+ {
+ "id": "system-906dc8d0-0330-46c1-831c-beda2868b383",
+ "name": "79dc3341-186f-4660-b774-2d53b777ee5b:panel_79dc3341-186f-4660-b774-2d53b777ee5b",
+ "type": "search"
+ },
+ {
+ "id": "system-71c28785-7ab7-4210-833b-6d65de60940a",
+ "name": "ac99a443-7466-4b70-b0c9-6dd20a33486c:panel_ac99a443-7466-4b70-b0c9-6dd20a33486c",
+ "type": "search"
+ },
+ {
+ "id": "system-99f8b490-4f75-418e-bd91-4ef4bb7851de",
+ "name": "6cfcf0d7-4127-4b49-aefd-b13175c6abab:panel_6cfcf0d7-4127-4b49-aefd-b13175c6abab",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "19ee2033-aac0-4a03-a367-e29a4f32161d:indexpattern-datasource-layer-0aa841d9-0915-4abc-b0f2-ec3ad7937720",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f4a9fdc2-646a-4ae5-a57c-1a939c4801b9:indexpattern-datasource-layer-a68af72a-5407-49b5-8abd-76b2d05f8dad",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "ba8ed409-bfde-4988-8479-18944b30fd2c:indexpattern-datasource-layer-4c2798b0-bada-477c-8edd-0c9a18546375",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "9c2cf9cd-e1de-4edc-a402-bd90d8b80aeb:indexpattern-datasource-layer-4c2798b0-bada-477c-8edd-0c9a18546375",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "1a9a9643-b8ed-4ec1-ab4a-0fe4be7dbfb8:indexpattern-datasource-layer-23e9d6ca-2cd8-4dbf-b9a6-809b067d893b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "e8629942-0785-4a86-8dc4-4053b0a38c03:indexpattern-datasource-layer-c0a15892-6491-449a-b551-792b22510953",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "d0123eba-a44f-499c-a307-644bee2b0e33:indexpattern-datasource-layer-6f6f2f47-b7f4-4f1f-864e-d931283d668f",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "19c02f00-67ac-4230-b734-1b68a6743888:indexpattern-datasource-layer-f1ae93a9-2d4e-4c18-bb13-c51908770774",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "d396dbfa-6e20-42e3-87c0-b8295161cabc:indexpattern-datasource-layer-ca5140a6-4384-4be1-93a4-a824a789fa71",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard",
+ "typeMigrationVersion": "10.2.0",
+ "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
+}
\ No newline at end of file
diff --git a/packages/system/kibana/dashboard/system-2c4debf0-ef4f-4379-99a1-c57c307f23af.json b/packages/system/kibana/dashboard/system-2c4debf0-ef4f-4379-99a1-c57c307f23af.json
new file mode 100644
index 00000000000..fe19b7a04ca
--- /dev/null
+++ b/packages/system/kibana/dashboard/system-2c4debf0-ef4f-4379-99a1-c57c307f23af.json
@@ -0,0 +1,1781 @@
+{
+ "attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": {
+ "ignoreFilters": false,
+ "ignoreQuery": false,
+ "ignoreTimerange": false,
+ "ignoreValidations": false
+ },
+ "panelsJSON": {},
+ "showApplySelections": false
+ },
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.security"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.security"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-fb590394-eec8-414a-8bf3-85f3977cf5eb",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "fb590394-eec8-414a-8bf3-85f3977cf5eb": {
+ "columnOrder": [
+ "70902a62-0711-44bd-a9f7-16ce6a766626",
+ "453a5350-cca3-408d-843d-6cb3ae154f40"
+ ],
+ "columns": {
+ "453a5350-cca3-408d-843d-6cb3ae154f40": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "70902a62-0711-44bd-a9f7-16ce6a766626": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Account Name",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "453a5350-cca3-408d-843d-6cb3ae154f40",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "user.target.name"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4627"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4627"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "70902a62-0711-44bd-a9f7-16ce6a766626",
+ "isMetric": false,
+ "isTransposed": false
+ },
+ {
+ "alignment": "right",
+ "columnId": "453a5350-cca3-408d-843d-6cb3ae154f40",
+ "isMetric": true,
+ "isTransposed": false
+ }
+ ],
+ "layerId": "fb590394-eec8-414a-8bf3-85f3977cf5eb",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4627"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4627"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "5b47ff7f-3f29-4f6c-b7bb-99dddbb2115a",
+ "w": 18,
+ "x": 12,
+ "y": 0
+ },
+ "panelIndex": "5b47ff7f-3f29-4f6c-b7bb-99dddbb2115a",
+ "title": "Top 10 Account Name by Logons of Group Membership [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-e362d233-594a-4d68-bcff-8209b864486b",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "e362d233-594a-4d68-bcff-8209b864486b": {
+ "columnOrder": [
+ "3d734f80-0b33-47a7-bcf8-e78b045a1613",
+ "0993ac01-4e14-4a7a-a662-68ac51249eeb"
+ ],
+ "columns": {
+ "0993ac01-4e14-4a7a-a662-68ac51249eeb": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "3d734f80-0b33-47a7-bcf8-e78b045a1613": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Account Name",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "0993ac01-4e14-4a7a-a662-68ac51249eeb",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "user.target.name"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4800"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4800"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "3d734f80-0b33-47a7-bcf8-e78b045a1613",
+ "isTransposed": false
+ },
+ {
+ "columnId": "0993ac01-4e14-4a7a-a662-68ac51249eeb",
+ "isTransposed": false
+ }
+ ],
+ "layerId": "e362d233-594a-4d68-bcff-8209b864486b",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4800"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4800"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "112f7518-2660-4ae0-ab75-8d3ef80c87fb",
+ "w": 18,
+ "x": 30,
+ "y": 0
+ },
+ "panelIndex": "112f7518-2660-4ae0-ab75-8d3ef80c87fb",
+ "title": "Top 10 Users With Locked Workstation [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "id": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "### Navigation\n\n#### System\n\n**Logon Activity** \n[Directory \u0026 Account Monitoring](#/dashboard/system-3c46ecdb-0a41-4be3-907e-722de8edac12) \n[System \u0026 Process Activity](#/dashboard/system-0e70e1bd-9a57-4f17-9d96-cc97e3d3a4f9) \n[Policy \u0026 Object Monitoring](#/dashboard/system-db94459a-7232-4d1b-aa0c-b80dece8bc3a) \n\n#### Description\n\nThis dashboard is designed to provide focused visibility into logon and logoff activities using the Security data stream.\n\nIt highlights the top 10 group membership logons by account name, visualizes group membership events by logon type and user, and presents detailed insights into trust direction filtering. The dashboard also tracks workstation lock events across users, security IDs, and account domains to support monitoring of authentication patterns and identification of unusual behavior.\n\n**[Integration Page](/app/integrations/detail/system/overview)**",
+ "openLinksInNewTab": false
+ },
+ "title": "",
+ "type": "markdown",
+ "uiState": {}
+ }
+ },
+ "gridData": {
+ "h": 37,
+ "i": "2cc86ba4-b15f-46a8-b426-a82ed3c7a3e0",
+ "w": 12,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "2cc86ba4-b15f-46a8-b426-a82ed3c7a3e0",
+ "title": "Table of Contents",
+ "type": "visualization"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-4f83992d-172a-4a5f-ab81-88607946e7cf",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "4f83992d-172a-4a5f-ab81-88607946e7cf": {
+ "columnOrder": [
+ "0d3b7625-54a0-469d-a840-2e1c131931ba",
+ "8cb1c40d-201f-49c4-b237-0c27b7dd53bc"
+ ],
+ "columns": {
+ "0d3b7625-54a0-469d-a840-2e1c131931ba": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Target User Domain",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "8cb1c40d-201f-49c4-b237-0c27b7dd53bc",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "user.target.domain"
+ },
+ "8cb1c40d-201f-49c4-b237-0c27b7dd53bc": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4800"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4800"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "0d3b7625-54a0-469d-a840-2e1c131931ba",
+ "isMetric": false,
+ "isTransposed": false
+ },
+ {
+ "columnId": "8cb1c40d-201f-49c4-b237-0c27b7dd53bc",
+ "isMetric": true,
+ "isTransposed": false
+ }
+ ],
+ "layerId": "4f83992d-172a-4a5f-ab81-88607946e7cf",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4800"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4800"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "3d09d29b-9b1d-4a6f-a2c3-2f4f1fc049d1",
+ "w": 24,
+ "x": 0,
+ "y": 37
+ },
+ "panelIndex": "3d09d29b-9b1d-4a6f-a2c3-2f4f1fc049d1",
+ "title": "Top 10 Account Domain With Locked Workstation [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-5edac639-4c1d-431a-bfd5-0f10592a5079",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "5edac639-4c1d-431a-bfd5-0f10592a5079": {
+ "columnOrder": [
+ "54f91bc8-1257-435d-99e0-50ec043c58e9",
+ "45d1e1b2-99fa-4417-9ab7-f937320cdc63"
+ ],
+ "columns": {
+ "45d1e1b2-99fa-4417-9ab7-f937320cdc63": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "54f91bc8-1257-435d-99e0-50ec043c58e9": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Target User SID",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "45d1e1b2-99fa-4417-9ab7-f937320cdc63",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "user.id"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4800"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4800"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "54f91bc8-1257-435d-99e0-50ec043c58e9",
+ "isMetric": false,
+ "isTransposed": false
+ },
+ {
+ "columnId": "45d1e1b2-99fa-4417-9ab7-f937320cdc63",
+ "isMetric": true,
+ "isTransposed": false
+ }
+ ],
+ "layerId": "5edac639-4c1d-431a-bfd5-0f10592a5079",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4800"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4800"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "38371138-d5ca-4507-8a52-ecd722a5a064",
+ "w": 24,
+ "x": 24,
+ "y": 37
+ },
+ "panelIndex": "38371138-d5ca-4507-8a52-ecd722a5a064",
+ "title": "Top 10 Security ID With Locked Workstation [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-19b4caf4-f8c5-4051-a48a-99445ff7c4bd",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "19b4caf4-f8c5-4051-a48a-99445ff7c4bd": {
+ "columnOrder": [
+ "0226a1c0-dabe-48f8-9d4d-61ea32b389d7",
+ "cb54f07b-6914-4b88-93d4-d8c1fffa1c40"
+ ],
+ "columns": {
+ "0226a1c0-dabe-48f8-9d4d-61ea32b389d7": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "LogonType",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "cb54f07b-6914-4b88-93d4-d8c1fffa1c40",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.logon.type"
+ },
+ "cb54f07b-6914-4b88-93d4-d8c1fffa1c40": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4627"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4627"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "19b4caf4-f8c5-4051-a48a-99445ff7c4bd",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "cb54f07b-6914-4b88-93d4-d8c1fffa1c40"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "0226a1c0-dabe-48f8-9d4d-61ea32b389d7"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4627"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4627"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "5be93de3-49dd-4bca-9481-1b0ab45836eb",
+ "w": 24,
+ "x": 0,
+ "y": 52
+ },
+ "panelIndex": "5be93de3-49dd-4bca-9481-1b0ab45836eb",
+ "title": "Group Membership Information Events by Logon Type [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-c5ea7b91-22a1-48b6-a196-2f9511eec402",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "c5ea7b91-22a1-48b6-a196-2f9511eec402": {
+ "columnOrder": [
+ "2c25cdc5-9381-422f-8540-e3c089fdb90c",
+ "8f1a4f61-5bf1-4123-9b46-531a54c96318"
+ ],
+ "columns": {
+ "2c25cdc5-9381-422f-8540-e3c089fdb90c": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Trust Direction",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": false,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "8f1a4f61-5bf1-4123-9b46-531a54c96318",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.trustDirection"
+ },
+ "8f1a4f61-5bf1-4123-9b46-531a54c96318": {
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count of records",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4675"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4675"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "c5ea7b91-22a1-48b6-a196-2f9511eec402",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "legendSize": "large",
+ "metrics": [
+ "8f1a4f61-5bf1-4123-9b46-531a54c96318"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "2c25cdc5-9381-422f-8540-e3c089fdb90c"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4675"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4675"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "5c1d2d20-1946-40cb-8078-4f3c1a25ad9c",
+ "w": 24,
+ "x": 24,
+ "y": 52
+ },
+ "panelIndex": "5c1d2d20-1946-40cb-8078-4f3c1a25ad9c",
+ "title": "Filtered Events by Trust Direction [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 22,
+ "i": "d6c77d99-7454-499d-a5d3-561e601351e8",
+ "w": 36,
+ "x": 12,
+ "y": 15
+ },
+ "panelIndex": "d6c77d99-7454-499d-a5d3-561e601351e8",
+ "panelRefName": "panel_d6c77d99-7454-499d-a5d3-561e601351e8",
+ "title": "Group Membership by User [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-1e34fcd3-d821-4752-b4ab-899b17539967",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "1e34fcd3-d821-4752-b4ab-899b17539967": {
+ "columnOrder": [
+ "1db28ec5-5ea4-49bb-98f7-fe778921a743",
+ "33c0de3b-a0b0-4c8b-a5a9-bd9bb0cbb39b"
+ ],
+ "columns": {
+ "1db28ec5-5ea4-49bb-98f7-fe778921a743": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Target User Domains",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "33c0de3b-a0b0-4c8b-a5a9-bd9bb0cbb39b",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "user.domain"
+ },
+ "33c0de3b-a0b0-4c8b-a5a9-bd9bb0cbb39b": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4801"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4801"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "1db28ec5-5ea4-49bb-98f7-fe778921a743",
+ "isMetric": false,
+ "isTransposed": false
+ },
+ {
+ "alignment": "right",
+ "columnId": "33c0de3b-a0b0-4c8b-a5a9-bd9bb0cbb39b",
+ "isMetric": true,
+ "isTransposed": false
+ }
+ ],
+ "layerId": "1e34fcd3-d821-4752-b4ab-899b17539967",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4801"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4801"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "ba59dfe7-0a83-4fd7-9016-f8fb1941fd74",
+ "w": 24,
+ "x": 0,
+ "y": 67
+ },
+ "panelIndex": "ba59dfe7-0a83-4fd7-9016-f8fb1941fd74",
+ "title": "Top 10 Account Domains With Unlocked Workstations [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-2e524cd5-669f-4879-9d8c-9a80a1f3e37b",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "2e524cd5-669f-4879-9d8c-9a80a1f3e37b": {
+ "columnOrder": [
+ "a0522b2d-98d8-4834-8698-64c60c358705",
+ "50223c10-a345-4521-b5a1-ac6ec1b3ccad"
+ ],
+ "columns": {
+ "50223c10-a345-4521-b5a1-ac6ec1b3ccad": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "a0522b2d-98d8-4834-8698-64c60c358705": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Target Usernames",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "50223c10-a345-4521-b5a1-ac6ec1b3ccad",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "user.name"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4801"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4801"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "a0522b2d-98d8-4834-8698-64c60c358705",
+ "isMetric": false,
+ "isTransposed": false
+ },
+ {
+ "alignment": "right",
+ "columnId": "50223c10-a345-4521-b5a1-ac6ec1b3ccad",
+ "isMetric": true,
+ "isTransposed": false
+ }
+ ],
+ "layerId": "2e524cd5-669f-4879-9d8c-9a80a1f3e37b",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4801"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4801"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "297fec75-5e9a-4657-b281-e830ca40d82c",
+ "w": 24,
+ "x": 24,
+ "y": 67
+ },
+ "panelIndex": "297fec75-5e9a-4657-b281-e830ca40d82c",
+ "title": "Top 10 Users With Unlocked Workstations [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 15,
+ "i": "9d6d15a6-abc0-4108-8f7c-c579578023c6",
+ "w": 48,
+ "x": 0,
+ "y": 82
+ },
+ "panelIndex": "9d6d15a6-abc0-4108-8f7c-c579578023c6",
+ "panelRefName": "panel_9d6d15a6-abc0-4108-8f7c-c579578023c6",
+ "title": "Essential Trust Filtering Details [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 15,
+ "i": "2a8cdd2e-5bd3-4346-808a-2af212decb1b",
+ "w": 48,
+ "x": 0,
+ "y": 97
+ },
+ "panelIndex": "2a8cdd2e-5bd3-4346-808a-2af212decb1b",
+ "panelRefName": "panel_2a8cdd2e-5bd3-4346-808a-2af212decb1b",
+ "title": "Workstation Unlock Essential Details [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 15,
+ "i": "f4f9dbf2-7ed5-440a-8661-a85b3f00a16b",
+ "w": 48,
+ "x": 0,
+ "y": 112
+ },
+ "panelIndex": "f4f9dbf2-7ed5-440a-8661-a85b3f00a16b",
+ "panelRefName": "panel_f4f9dbf2-7ed5-440a-8661-a85b3f00a16b",
+ "title": "Screen Saver Essential Details [Logs System Windows Security]",
+ "type": "search"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Logs System Windows Security] Logon Activity",
+ "version": 3
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T09:32:44.695Z",
+ "id": "system-2c4debf0-ef4f-4379-99a1-c57c307f23af",
+ "managed": false,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-f6dbb7a7-25a5-4d42-9e64-8cb6cd9e173c",
+ "name": "d6c77d99-7454-499d-a5d3-561e601351e8:panel_d6c77d99-7454-499d-a5d3-561e601351e8",
+ "type": "search"
+ },
+ {
+ "id": "system-f6a50ac5-d9cd-469c-8169-0d4fc5c0bef5",
+ "name": "9d6d15a6-abc0-4108-8f7c-c579578023c6:panel_9d6d15a6-abc0-4108-8f7c-c579578023c6",
+ "type": "search"
+ },
+ {
+ "id": "system-e629186d-6a2a-4469-a060-bac42926f5d3",
+ "name": "2a8cdd2e-5bd3-4346-808a-2af212decb1b:panel_2a8cdd2e-5bd3-4346-808a-2af212decb1b",
+ "type": "search"
+ },
+ {
+ "id": "system-ac59de7d-ca7d-4182-a3ec-d9a4ab69713d",
+ "name": "f4f9dbf2-7ed5-440a-8661-a85b3f00a16b:panel_f4f9dbf2-7ed5-440a-8661-a85b3f00a16b",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "5b47ff7f-3f29-4f6c-b7bb-99dddbb2115a:indexpattern-datasource-layer-fb590394-eec8-414a-8bf3-85f3977cf5eb",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "112f7518-2660-4ae0-ab75-8d3ef80c87fb:indexpattern-datasource-layer-e362d233-594a-4d68-bcff-8209b864486b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "3d09d29b-9b1d-4a6f-a2c3-2f4f1fc049d1:indexpattern-datasource-layer-4f83992d-172a-4a5f-ab81-88607946e7cf",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "38371138-d5ca-4507-8a52-ecd722a5a064:indexpattern-datasource-layer-5edac639-4c1d-431a-bfd5-0f10592a5079",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "5be93de3-49dd-4bca-9481-1b0ab45836eb:indexpattern-datasource-layer-19b4caf4-f8c5-4051-a48a-99445ff7c4bd",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "5c1d2d20-1946-40cb-8078-4f3c1a25ad9c:indexpattern-datasource-layer-c5ea7b91-22a1-48b6-a196-2f9511eec402",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "ba59dfe7-0a83-4fd7-9016-f8fb1941fd74:indexpattern-datasource-layer-1e34fcd3-d821-4752-b4ab-899b17539967",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "297fec75-5e9a-4657-b281-e830ca40d82c:indexpattern-datasource-layer-2e524cd5-669f-4879-9d8c-9a80a1f3e37b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard",
+ "typeMigrationVersion": "10.2.0",
+ "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
+}
\ No newline at end of file
diff --git a/packages/system/kibana/dashboard/system-3c46ecdb-0a41-4be3-907e-722de8edac12.json b/packages/system/kibana/dashboard/system-3c46ecdb-0a41-4be3-907e-722de8edac12.json
new file mode 100644
index 00000000000..3215ffcea69
--- /dev/null
+++ b/packages/system/kibana/dashboard/system-3c46ecdb-0a41-4be3-907e-722de8edac12.json
@@ -0,0 +1,2787 @@
+{
+ "attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": {
+ "ignoreFilters": false,
+ "ignoreQuery": false,
+ "ignoreTimerange": false,
+ "ignoreValidations": false
+ },
+ "panelsJSON": {},
+ "showApplySelections": false
+ },
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.security"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.security"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-47a6c4b0-49d9-4b22-b155-d7584b8cbe6c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "2af706fb-3c16-4c3f-8e96-b881469a63c0",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "47a6c4b0-49d9-4b22-b155-d7584b8cbe6c": {
+ "columnOrder": [
+ "23a9a025-8ae4-4980-9dd4-62c8900896ab",
+ "7bab71f5-4b33-4549-8488-4dfbe70c5721"
+ ],
+ "columns": {
+ "23a9a025-8ae4-4980-9dd4-62c8900896ab": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "User Name",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "7bab71f5-4b33-4549-8488-4dfbe70c5721",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "user.name"
+ },
+ "7bab71f5-4b33-4549-8488-4dfbe70c5721": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "2af706fb-3c16-4c3f-8e96-b881469a63c0",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4662"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4662"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "23a9a025-8ae4-4980-9dd4-62c8900896ab",
+ "isMetric": false,
+ "isTransposed": false
+ },
+ {
+ "columnId": "7bab71f5-4b33-4549-8488-4dfbe70c5721",
+ "isMetric": true,
+ "isTransposed": false
+ }
+ ],
+ "layerId": "47a6c4b0-49d9-4b22-b155-d7584b8cbe6c",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4662"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4662"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "0ed51e99-f244-49cf-880c-4ba083703093",
+ "w": 24,
+ "x": 0,
+ "y": 59
+ },
+ "panelIndex": "0ed51e99-f244-49cf-880c-4ba083703093",
+ "title": "Top 10 Users Attempting to Access Objects [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-af13b238-e9e7-431f-8b5e-ed280ae32ffd",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "74b24cfd-3287-4f8b-a4b8-acab5e7e326c",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "af13b238-e9e7-431f-8b5e-ed280ae32ffd": {
+ "columnOrder": [
+ "deb3677c-da0b-4463-98d9-3374a2c01155",
+ "af4b7cd5-33b6-4eba-b141-fe6a88fea4af"
+ ],
+ "columns": {
+ "af4b7cd5-33b6-4eba-b141-fe6a88fea4af": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "deb3677c-da0b-4463-98d9-3374a2c01155": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "User Domain",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "af4b7cd5-33b6-4eba-b141-fe6a88fea4af",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "user.domain"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "74b24cfd-3287-4f8b-a4b8-acab5e7e326c",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4662"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4662"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "deb3677c-da0b-4463-98d9-3374a2c01155",
+ "isMetric": false,
+ "isTransposed": false
+ },
+ {
+ "columnId": "af4b7cd5-33b6-4eba-b141-fe6a88fea4af",
+ "isMetric": true,
+ "isTransposed": false
+ }
+ ],
+ "layerId": "af13b238-e9e7-431f-8b5e-ed280ae32ffd",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4662"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4662"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "8d9fdac3-cb16-4cb0-a039-d04786167f96",
+ "w": 24,
+ "x": 24,
+ "y": 59
+ },
+ "panelIndex": "8d9fdac3-cb16-4cb0-a039-d04786167f96",
+ "title": "Top 10 Domains Involved in Object Access Attempts [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-0b0a83a7-0821-4e26-8d2a-4ee54b598b76",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "8e059cc5-6c8a-425e-9394-00db36d4a219",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "0b0a83a7-0821-4e26-8d2a-4ee54b598b76": {
+ "columnOrder": [
+ "6deae5a5-fbea-482b-826b-f949730ceee8",
+ "00fbb547-6f65-468e-b967-7d0abb38c950"
+ ],
+ "columns": {
+ "00fbb547-6f65-468e-b967-7d0abb38c950": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "6deae5a5-fbea-482b-826b-f949730ceee8": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Directory Object Name",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "00fbb547-6f65-468e-b967-7d0abb38c950",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.ObjectName"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "8e059cc5-6c8a-425e-9394-00db36d4a219",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4662"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4662"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "6deae5a5-fbea-482b-826b-f949730ceee8",
+ "isMetric": false,
+ "isTransposed": false
+ },
+ {
+ "columnId": "00fbb547-6f65-468e-b967-7d0abb38c950",
+ "isMetric": true,
+ "isTransposed": false
+ }
+ ],
+ "layerId": "0b0a83a7-0821-4e26-8d2a-4ee54b598b76",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4662"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4662"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "90e2bcd3-d15d-4f30-88ed-e21120c55ad7",
+ "w": 24,
+ "x": 0,
+ "y": 74
+ },
+ "panelIndex": "90e2bcd3-d15d-4f30-88ed-e21120c55ad7",
+ "title": "Top 10 Active Directory Objects with Changes [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-79e4cb5e-6c04-4ab8-b2f0-56a1fb65b442",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "79e4cb5e-6c04-4ab8-b2f0-56a1fb65b442": {
+ "columnOrder": [
+ "15a2e6ca-a4eb-48f3-88e8-f46722639353",
+ "d65a0b37-0076-40fa-b95b-d2b3abb64f13",
+ "ff176a8a-d132-4455-b11f-e8ca2e74cfc7"
+ ],
+ "columns": {
+ "15a2e6ca-a4eb-48f3-88e8-f46722639353": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "User Name",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "ff176a8a-d132-4455-b11f-e8ca2e74cfc7",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "user.name"
+ },
+ "d65a0b37-0076-40fa-b95b-d2b3abb64f13": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "User ID",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "ff176a8a-d132-4455-b11f-e8ca2e74cfc7",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "user.id"
+ },
+ "ff176a8a-d132-4455-b11f-e8ca2e74cfc7": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4793"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4793"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "15a2e6ca-a4eb-48f3-88e8-f46722639353"
+ },
+ {
+ "columnId": "ff176a8a-d132-4455-b11f-e8ca2e74cfc7"
+ },
+ {
+ "columnId": "d65a0b37-0076-40fa-b95b-d2b3abb64f13",
+ "isMetric": false,
+ "isTransposed": false
+ }
+ ],
+ "layerId": "79e4cb5e-6c04-4ab8-b2f0-56a1fb65b442",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4793"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4793"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "6a412b43-1e7c-48e3-8897-1b114451f419",
+ "w": 24,
+ "x": 24,
+ "y": 74
+ },
+ "panelIndex": "6a412b43-1e7c-48e3-8897-1b114451f419",
+ "title": "Top 10 Accounts that Triggered Password Policy Checks [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-85b46e94-2f84-478a-9953-fa8e1f16ac92",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "85b46e94-2f84-478a-9953-fa8e1f16ac92": {
+ "columnOrder": [
+ "9f36fa22-f36d-4401-b8a8-2beb91215702",
+ "88b88c5d-9250-4b15-adca-8b9aaaabdda8"
+ ],
+ "columns": {
+ "88b88c5d-9250-4b15-adca-8b9aaaabdda8": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "9f36fa22-f36d-4401-b8a8-2beb91215702": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Workstation",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "88b88c5d-9250-4b15-adca-8b9aaaabdda8",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.Workstation"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4793"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4793"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "9f36fa22-f36d-4401-b8a8-2beb91215702"
+ },
+ {
+ "columnId": "88b88c5d-9250-4b15-adca-8b9aaaabdda8"
+ }
+ ],
+ "layerId": "85b46e94-2f84-478a-9953-fa8e1f16ac92",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4793"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4793"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "b1184349-e64d-453d-8d35-50ff67f79e62",
+ "w": 24,
+ "x": 0,
+ "y": 89
+ },
+ "panelIndex": "b1184349-e64d-453d-8d35-50ff67f79e62",
+ "title": "Top 10 Caller Workstations for Password Policy Checks [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-85b46e94-2f84-478a-9953-fa8e1f16ac92",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "85b46e94-2f84-478a-9953-fa8e1f16ac92": {
+ "columnOrder": [
+ "9f36fa22-f36d-4401-b8a8-2beb91215702",
+ "88b88c5d-9250-4b15-adca-8b9aaaabdda8"
+ ],
+ "columns": {
+ "88b88c5d-9250-4b15-adca-8b9aaaabdda8": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "9f36fa22-f36d-4401-b8a8-2beb91215702": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "User Domain",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "88b88c5d-9250-4b15-adca-8b9aaaabdda8",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "user.domain"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4793"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4793"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "9f36fa22-f36d-4401-b8a8-2beb91215702"
+ },
+ {
+ "columnId": "88b88c5d-9250-4b15-adca-8b9aaaabdda8"
+ }
+ ],
+ "layerId": "85b46e94-2f84-478a-9953-fa8e1f16ac92",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4793"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4793"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "33b6e159-87c5-4d2b-a2d7-0b1e19977397",
+ "w": 24,
+ "x": 24,
+ "y": 89
+ },
+ "panelIndex": "33b6e159-87c5-4d2b-a2d7-0b1e19977397",
+ "title": "Top 10 Domains That Triggered Password Policy Checks [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 14,
+ "i": "f993ba0e-f273-4c9b-8eca-ff024b7e2254",
+ "w": 48,
+ "x": 0,
+ "y": 119
+ },
+ "panelIndex": "f993ba0e-f273-4c9b-8eca-ff024b7e2254",
+ "panelRefName": "panel_f993ba0e-f273-4c9b-8eca-ff024b7e2254",
+ "title": "AD Replica Destination Modification Essential Details [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 15,
+ "i": "7ec13244-dc07-4571-b8e4-25b0485b334d",
+ "w": 48,
+ "x": 0,
+ "y": 133
+ },
+ "panelIndex": "7ec13244-dc07-4571-b8e4-25b0485b334d",
+ "panelRefName": "panel_7ec13244-dc07-4571-b8e4-25b0485b334d",
+ "title": "AD Replication Sync Start Essential Details [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 16,
+ "i": "925b3d77-d000-49c8-8b0c-5a43d991cdec",
+ "w": 48,
+ "x": 0,
+ "y": 148
+ },
+ "panelIndex": "925b3d77-d000-49c8-8b0c-5a43d991cdec",
+ "panelRefName": "panel_925b3d77-d000-49c8-8b0c-5a43d991cdec",
+ "title": "AD Replication Sync End Essential Details [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 15,
+ "i": "59c9bf2f-4936-4c92-a2bc-350698269380",
+ "w": 48,
+ "x": 0,
+ "y": 104
+ },
+ "panelIndex": "59c9bf2f-4936-4c92-a2bc-350698269380",
+ "panelRefName": "panel_59c9bf2f-4936-4c92-a2bc-350698269380",
+ "title": "Detailed Password Policy Check Essential Details [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "hidePanelTitles": false,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "### Navigation\n\n#### System\n\n[Logon Activity](#/dashboard/system-2c4debf0-ef4f-4379-99a1-c57c307f23af) \n**Directory \u0026 Account Monitoring** \n[System \u0026 Process Activity](#/dashboard/system-0e70e1bd-9a57-4f17-9d96-cc97e3d3a4f9) \n[Policy \u0026 Object Monitoring](#/dashboard/system-db94459a-7232-4d1b-aa0c-b80dece8bc3a) \n\n#### Description\nThis dashboard focuses on monitoring directory changes and account activities.\n\nIt highlights top users, domains, and Active Directory objects involved in modifications, along with trends in attribute changes and replication events. Password policy checks are tracked by user, workstation, and domain, with detailed logs providing insight into replication syncs and policy enforcement, helping ensure directory integrity and account security.\n\n\n**[Integration Page](/app/integrations/detail/system/overview)**",
+ "openLinksInNewTab": false
+ },
+ "title": "Table of Contents",
+ "type": "markdown",
+ "uiState": {}
+ }
+ },
+ "gridData": {
+ "h": 31,
+ "i": "651b21c2-2498-45c7-96ae-4a273b91c1d5",
+ "w": 12,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "651b21c2-2498-45c7-96ae-4a273b91c1d5",
+ "title": "Table of Contents",
+ "type": "visualization"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-7ba00b82-c7c9-4058-9742-4f00be5afaf5",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "db631bd8-63a9-4798-8984-a824629d5345",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "7ba00b82-c7c9-4058-9742-4f00be5afaf5": {
+ "columnOrder": [
+ "507fe337-f982-4793-8b94-2aed9e941c3f",
+ "0da4d082-f5fe-4fa0-9949-c59609c3d09e"
+ ],
+ "columns": {
+ "0da4d082-f5fe-4fa0-9949-c59609c3d09e": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "507fe337-f982-4793-8b94-2aed9e941c3f": {
+ "dataType": "number",
+ "isBucketed": true,
+ "label": "winlog.event_data.Options",
+ "operationType": "range",
+ "params": {
+ "includeEmptyRows": false,
+ "maxBars": "auto",
+ "ranges": [
+ {
+ "from": 0,
+ "label": "",
+ "to": 1000
+ }
+ ],
+ "type": "histogram"
+ },
+ "scale": "interval",
+ "sourceField": "winlog.event_data.Options"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "db631bd8-63a9-4798-8984-a824629d5345",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4931"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4931"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4932"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4932"
+ }
+ }
+ },
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4933"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4933"
+ }
+ }
+ }
+ ],
+ "relation": "OR",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "7ba00b82-c7c9-4058-9742-4f00be5afaf5",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "0da4d082-f5fe-4fa0-9949-c59609c3d09e"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "507fe337-f982-4793-8b94-2aed9e941c3f"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "logs-*",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4931"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4931"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4932"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4932"
+ }
+ }
+ },
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4933"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4933"
+ }
+ }
+ }
+ ],
+ "relation": "OR",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "76286f8b-59d9-4b3b-9e75-bed427074dda",
+ "w": 18,
+ "x": 12,
+ "y": 0
+ },
+ "panelIndex": "76286f8b-59d9-4b3b-9e75-bed427074dda",
+ "title": "Events by Replication Options [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-7ba00b82-c7c9-4058-9742-4f00be5afaf5",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "7ba00b82-c7c9-4058-9742-4f00be5afaf5": {
+ "columnOrder": [
+ "507fe337-f982-4793-8b94-2aed9e941c3f",
+ "0da4d082-f5fe-4fa0-9949-c59609c3d09e"
+ ],
+ "columns": {
+ "0da4d082-f5fe-4fa0-9949-c59609c3d09e": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "507fe337-f982-4793-8b94-2aed9e941c3f": {
+ "dataType": "number",
+ "isBucketed": true,
+ "label": "winlog.event_data.StatusCode",
+ "operationType": "range",
+ "params": {
+ "includeEmptyRows": false,
+ "maxBars": "auto",
+ "ranges": [
+ {
+ "from": 0,
+ "label": "",
+ "to": 1000
+ }
+ ],
+ "type": "histogram"
+ },
+ "scale": "interval",
+ "sourceField": "winlog.event_data.StatusCode"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "logs-*",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4931"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4931"
+ }
+ }
+ },
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4933"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4933"
+ }
+ }
+ }
+ ],
+ "relation": "OR",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "7ba00b82-c7c9-4058-9742-4f00be5afaf5",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "0da4d082-f5fe-4fa0-9949-c59609c3d09e"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "507fe337-f982-4793-8b94-2aed9e941c3f"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "logs-*",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4931"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4931"
+ }
+ }
+ },
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4933"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4933"
+ }
+ }
+ }
+ ],
+ "relation": "OR",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "ae2babb0-a43f-413e-8f9c-19268c9e4197",
+ "w": 18,
+ "x": 30,
+ "y": 0
+ },
+ "panelIndex": "ae2babb0-a43f-413e-8f9c-19268c9e4197",
+ "title": "Events by Replication Status [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-fe07973b-5127-4520-87d6-d32fcd19902f",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "fe07973b-5127-4520-87d6-d32fcd19902f": {
+ "columnOrder": [
+ "0dbc6a64-c5be-4495-9d5b-8f931dd810d2",
+ "ef8c49f2-1bd0-4ec8-aa80-db05224a7fef"
+ ],
+ "columns": {
+ "0dbc6a64-c5be-4495-9d5b-8f931dd810d2": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Status Description",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "ef8c49f2-1bd0-4ec8-aa80-db05224a7fef",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.StatusDescription"
+ },
+ "ef8c49f2-1bd0-4ec8-aa80-db05224a7fef": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4793"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4793"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "fe07973b-5127-4520-87d6-d32fcd19902f",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "ef8c49f2-1bd0-4ec8-aa80-db05224a7fef"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "0dbc6a64-c5be-4495-9d5b-8f931dd810d2"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4793"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4793"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "7cb0e143-adc2-46ad-8caa-95bd878adf75",
+ "w": 18,
+ "x": 30,
+ "y": 15
+ },
+ "panelIndex": "7cb0e143-adc2-46ad-8caa-95bd878adf75",
+ "title": "Status Distribution for Password Policy Checks [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-130a6a67-b7c4-48bc-87cb-eba8e133cde5",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "130a6a67-b7c4-48bc-87cb-eba8e133cde5": {
+ "columnOrder": [
+ "a7f0cd9c-7106-4aa7-a92c-c699ab8fd63d",
+ "47ffe3ac-fd97-4895-b79b-094e19e1803f"
+ ],
+ "columns": {
+ "47ffe3ac-fd97-4895-b79b-094e19e1803f": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "a7f0cd9c-7106-4aa7-a92c-c699ab8fd63d": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Object Class",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "47ffe3ac-fd97-4895-b79b-094e19e1803f",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.ObjectClass"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5136"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5136"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "130a6a67-b7c4-48bc-87cb-eba8e133cde5",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "47ffe3ac-fd97-4895-b79b-094e19e1803f"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "a7f0cd9c-7106-4aa7-a92c-c699ab8fd63d"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5136"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5136"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "a4b62aa5-7d81-4407-8ec8-7cf2b9d150fc",
+ "w": 18,
+ "x": 12,
+ "y": 15
+ },
+ "panelIndex": "a4b62aa5-7d81-4407-8ec8-7cf2b9d150fc",
+ "title": "Modifications by Object Class [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-aad42305-1fd1-4cee-aeba-4e0b7a07d781",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "aad42305-1fd1-4cee-aeba-4e0b7a07d781": {
+ "columnOrder": [
+ "8ba6c37b-d094-4301-9cb0-674932cb24b8",
+ "3882efc4-5b85-4b0f-b9a8-adeac03d6edb"
+ ],
+ "columns": {
+ "3882efc4-5b85-4b0f-b9a8-adeac03d6edb": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "8ba6c37b-d094-4301-9cb0-674932cb24b8": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "LDAP Display Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "3882efc4-5b85-4b0f-b9a8-adeac03d6edb",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.AttributeLDAPDisplayName"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "faf9d9da-d64c-4c73-9287-4e4779579fef",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5136"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5136"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "accessors": [
+ "3882efc4-5b85-4b0f-b9a8-adeac03d6edb"
+ ],
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "aad42305-1fd1-4cee-aeba-4e0b7a07d781",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_stacked",
+ "showGridlines": false,
+ "xAccessor": "8ba6c37b-d094-4301-9cb0-674932cb24b8"
+ }
+ ],
+ "legend": {
+ "isVisible": false,
+ "position": "right",
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "bar_stacked",
+ "title": "Empty XY chart",
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "faf9d9da-d64c-4c73-9287-4e4779579fef",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5136"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5136"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 14,
+ "i": "e6666505-ca54-44cf-9940-669c1433e538",
+ "w": 48,
+ "x": 0,
+ "y": 31
+ },
+ "panelIndex": "e6666505-ca54-44cf-9940-669c1433e538",
+ "title": "Attribute Modifications [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-00a6873e-b1b6-4219-80dc-ba50405641f7",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "00a6873e-b1b6-4219-80dc-ba50405641f7": {
+ "columnOrder": [
+ "f66aef54-0c79-4114-aa61-2af29f631801",
+ "b132285f-1bac-467a-8c3f-61de1c2aa880",
+ "dcccf956-aa16-4ad4-a803-7d2a9b3ec332"
+ ],
+ "columns": {
+ "b132285f-1bac-467a-8c3f-61de1c2aa880": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": false,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "dcccf956-aa16-4ad4-a803-7d2a9b3ec332": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "f66aef54-0c79-4114-aa61-2af29f631801": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Operation Type",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "dcccf956-aa16-4ad4-a803-7d2a9b3ec332",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.OperationType"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "accessors": [
+ "dcccf956-aa16-4ad4-a803-7d2a9b3ec332"
+ ],
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "00a6873e-b1b6-4219-80dc-ba50405641f7",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "line",
+ "showGridlines": false,
+ "splitAccessor": "f66aef54-0c79-4114-aa61-2af29f631801",
+ "xAccessor": "b132285f-1bac-467a-8c3f-61de1c2aa880"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right",
+ "shouldTruncate": false,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "line",
+ "title": "Empty XY chart",
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 14,
+ "i": "238c1269-d339-49ff-8987-58c7e388822a",
+ "w": 48,
+ "x": 0,
+ "y": 45
+ },
+ "panelIndex": "238c1269-d339-49ff-8987-58c7e388822a",
+ "title": "Modifications Over Time [Logs System Windows Security]",
+ "type": "lens"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Logs System Windows Security] Directory \u0026 Account Monitoring",
+ "version": 3
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-07T09:14:39.231Z",
+ "id": "system-3c46ecdb-0a41-4be3-907e-722de8edac12",
+ "managed": false,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-67574c86-e986-4efa-bd94-e052e7510475",
+ "name": "f993ba0e-f273-4c9b-8eca-ff024b7e2254:panel_f993ba0e-f273-4c9b-8eca-ff024b7e2254",
+ "type": "search"
+ },
+ {
+ "id": "system-b624ecd1-b43d-4ab1-829c-b22f2fcb5662",
+ "name": "7ec13244-dc07-4571-b8e4-25b0485b334d:panel_7ec13244-dc07-4571-b8e4-25b0485b334d",
+ "type": "search"
+ },
+ {
+ "id": "system-2b944fd9-7be6-4128-951b-a023df492fa6",
+ "name": "925b3d77-d000-49c8-8b0c-5a43d991cdec:panel_925b3d77-d000-49c8-8b0c-5a43d991cdec",
+ "type": "search"
+ },
+ {
+ "id": "system-5dd71405-86d2-4eab-a3d5-088f71889e94",
+ "name": "59c9bf2f-4936-4c92-a2bc-350698269380:panel_59c9bf2f-4936-4c92-a2bc-350698269380",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "0ed51e99-f244-49cf-880c-4ba083703093:indexpattern-datasource-layer-47a6c4b0-49d9-4b22-b155-d7584b8cbe6c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "0ed51e99-f244-49cf-880c-4ba083703093:2af706fb-3c16-4c3f-8e96-b881469a63c0",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "8d9fdac3-cb16-4cb0-a039-d04786167f96:indexpattern-datasource-layer-af13b238-e9e7-431f-8b5e-ed280ae32ffd",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "8d9fdac3-cb16-4cb0-a039-d04786167f96:74b24cfd-3287-4f8b-a4b8-acab5e7e326c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "90e2bcd3-d15d-4f30-88ed-e21120c55ad7:indexpattern-datasource-layer-0b0a83a7-0821-4e26-8d2a-4ee54b598b76",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "90e2bcd3-d15d-4f30-88ed-e21120c55ad7:8e059cc5-6c8a-425e-9394-00db36d4a219",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6a412b43-1e7c-48e3-8897-1b114451f419:indexpattern-datasource-layer-79e4cb5e-6c04-4ab8-b2f0-56a1fb65b442",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b1184349-e64d-453d-8d35-50ff67f79e62:indexpattern-datasource-layer-85b46e94-2f84-478a-9953-fa8e1f16ac92",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "33b6e159-87c5-4d2b-a2d7-0b1e19977397:indexpattern-datasource-layer-85b46e94-2f84-478a-9953-fa8e1f16ac92",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "76286f8b-59d9-4b3b-9e75-bed427074dda:indexpattern-datasource-layer-7ba00b82-c7c9-4058-9742-4f00be5afaf5",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "76286f8b-59d9-4b3b-9e75-bed427074dda:db631bd8-63a9-4798-8984-a824629d5345",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "ae2babb0-a43f-413e-8f9c-19268c9e4197:indexpattern-datasource-layer-7ba00b82-c7c9-4058-9742-4f00be5afaf5",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "7cb0e143-adc2-46ad-8caa-95bd878adf75:indexpattern-datasource-layer-fe07973b-5127-4520-87d6-d32fcd19902f",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "a4b62aa5-7d81-4407-8ec8-7cf2b9d150fc:indexpattern-datasource-layer-130a6a67-b7c4-48bc-87cb-eba8e133cde5",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "e6666505-ca54-44cf-9940-669c1433e538:indexpattern-datasource-layer-aad42305-1fd1-4cee-aeba-4e0b7a07d781",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "238c1269-d339-49ff-8987-58c7e388822a:indexpattern-datasource-layer-00a6873e-b1b6-4219-80dc-ba50405641f7",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard",
+ "typeMigrationVersion": "10.2.0",
+ "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
+}
\ No newline at end of file
diff --git a/packages/system/kibana/dashboard/system-db94459a-7232-4d1b-aa0c-b80dece8bc3a.json b/packages/system/kibana/dashboard/system-db94459a-7232-4d1b-aa0c-b80dece8bc3a.json
new file mode 100644
index 00000000000..9336127a938
--- /dev/null
+++ b/packages/system/kibana/dashboard/system-db94459a-7232-4d1b-aa0c-b80dece8bc3a.json
@@ -0,0 +1,6857 @@
+{
+ "attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": {
+ "ignoreFilters": false,
+ "ignoreQuery": false,
+ "ignoreTimerange": false,
+ "ignoreValidations": false
+ },
+ "panelsJSON": {},
+ "showApplySelections": false
+ },
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.security"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.security"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-e91e304b-3576-4201-9d95-d0f97f7e2816",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "e91e304b-3576-4201-9d95-d0f97f7e2816": {
+ "columnOrder": [
+ "28955331-fbd7-4f91-81c4-d8c8a1f74035",
+ "c8507a5c-d6aa-4279-b4f6-82bb0a3ec9b1"
+ ],
+ "columns": {
+ "28955331-fbd7-4f91-81c4-d8c8a1f74035": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Filter Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "c8507a5c-d6aa-4279-b4f6-82bb0a3ec9b1",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.FilterName"
+ },
+ "c8507a5c-d6aa-4279-b4f6-82bb0a3ec9b1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5447"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5447"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "28955331-fbd7-4f91-81c4-d8c8a1f74035"
+ },
+ {
+ "columnId": "c8507a5c-d6aa-4279-b4f6-82bb0a3ec9b1"
+ }
+ ],
+ "layerId": "e91e304b-3576-4201-9d95-d0f97f7e2816",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5447"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5447"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "5e584419-1eec-4a7a-9263-6d29610da8d9",
+ "w": 24,
+ "x": 0,
+ "y": 159
+ },
+ "panelIndex": "5e584419-1eec-4a7a-9263-6d29610da8d9",
+ "title": "Top 10 Frequently Changed Filters [Logs System Windows Security] ",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 13,
+ "i": "fbdc97dc-b140-4594-878c-f66ebf1e0da9",
+ "w": 48,
+ "x": 0,
+ "y": 392
+ },
+ "panelIndex": "fbdc97dc-b140-4594-878c-f66ebf1e0da9",
+ "panelRefName": "panel_fbdc97dc-b140-4594-878c-f66ebf1e0da9",
+ "title": "Detailed Object Access Logs [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-682333cf-f496-444c-b8eb-b0ca1d606276",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "682333cf-f496-444c-b8eb-b0ca1d606276": {
+ "columnOrder": [
+ "c7e96598-7f0a-4672-9470-215b1dc44a7e",
+ "335974a6-9fed-4834-bce2-04597b017a47",
+ "cb4444f3-742d-4037-9ffd-9720b6e1fb6f"
+ ],
+ "columns": {
+ "335974a6-9fed-4834-bce2-04597b017a47": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Change Type",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "cb4444f3-742d-4037-9ffd-9720b6e1fb6f",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.ChangeType"
+ },
+ "c7e96598-7f0a-4672-9470-215b1dc44a7e": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Event Provider",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "cb4444f3-742d-4037-9ffd-9720b6e1fb6f",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "event.provider"
+ },
+ "cb4444f3-742d-4037-9ffd-9720b6e1fb6f": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5449"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5449"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "Linear",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "cb4444f3-742d-4037-9ffd-9720b6e1fb6f"
+ ],
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "682333cf-f496-444c-b8eb-b0ca1d606276",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_stacked",
+ "showGridlines": false,
+ "splitAccessor": "335974a6-9fed-4834-bce2-04597b017a47",
+ "xAccessor": "c7e96598-7f0a-4672-9470-215b1dc44a7e"
+ }
+ ],
+ "legend": {
+ "isInside": false,
+ "isVisible": true,
+ "position": "right",
+ "shouldTruncate": false,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5449"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5449"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 17,
+ "i": "4e569ff3-c9b0-4989-81b4-6a4f976c3d6d",
+ "w": 24,
+ "x": 0,
+ "y": 26
+ },
+ "panelIndex": "4e569ff3-c9b0-4989-81b4-6a4f976c3d6d",
+ "title": "Windows Filtered Platforms Provider Context by Change Type [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-5261ea64-ae47-418f-9fc3-4a38efc18785",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "5261ea64-ae47-418f-9fc3-4a38efc18785": {
+ "columnOrder": [
+ "1df6c287-de25-4763-bccc-13d6b3e62a6a",
+ "b3ab6047-2823-4f2c-a270-debd52fdd87f"
+ ],
+ "columns": {
+ "1df6c287-de25-4763-bccc-13d6b3e62a6a": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "User Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "b3ab6047-2823-4f2c-a270-debd52fdd87f",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "user.name"
+ },
+ "b3ab6047-2823-4f2c-a270-debd52fdd87f": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4663"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4663"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "1df6c287-de25-4763-bccc-13d6b3e62a6a"
+ },
+ {
+ "columnId": "b3ab6047-2823-4f2c-a270-debd52fdd87f"
+ }
+ ],
+ "layerId": "5261ea64-ae47-418f-9fc3-4a38efc18785",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4663"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4663"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "54fc7f8b-34ff-44aa-a7f4-be6f57d896c3",
+ "w": 24,
+ "x": 24,
+ "y": 175
+ },
+ "panelIndex": "54fc7f8b-34ff-44aa-a7f4-be6f57d896c3",
+ "title": "Top 10 Users Attempting to Access Objects [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-5261ea64-ae47-418f-9fc3-4a38efc18785",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "5261ea64-ae47-418f-9fc3-4a38efc18785": {
+ "columnOrder": [
+ "1df6c287-de25-4763-bccc-13d6b3e62a6a",
+ "b3ab6047-2823-4f2c-a270-debd52fdd87f"
+ ],
+ "columns": {
+ "1df6c287-de25-4763-bccc-13d6b3e62a6a": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Process Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "b3ab6047-2823-4f2c-a270-debd52fdd87f",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "process.executable"
+ },
+ "b3ab6047-2823-4f2c-a270-debd52fdd87f": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4663"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4663"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "1df6c287-de25-4763-bccc-13d6b3e62a6a"
+ },
+ {
+ "columnId": "b3ab6047-2823-4f2c-a270-debd52fdd87f"
+ }
+ ],
+ "layerId": "5261ea64-ae47-418f-9fc3-4a38efc18785",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4663"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4663"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "c8a04880-9e26-4b15-a7bb-2e53997b6745",
+ "w": 24,
+ "x": 0,
+ "y": 175
+ },
+ "panelIndex": "c8a04880-9e26-4b15-a7bb-2e53997b6745",
+ "title": "Top 10 Processes Accessing Objects [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "hidePanelTitles": false,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "### Navigation\n\n#### System\n\n[Logon Activity](#/dashboard/system-2c4debf0-ef4f-4379-99a1-c57c307f23af) \n[Directory \u0026 Account Monitoring](#/dashboard/system-3c46ecdb-0a41-4be3-907e-722de8edac12) \n[System \u0026 Process Activity](#/dashboard/system-0e70e1bd-9a57-4f17-9d96-cc97e3d3a4f9) \n**Policy \u0026 Object Monitoring**\n\n#### Description\n\nThis dashboard provides focused visibility into policy enforcement and object access activities.\n\nIt showcases the top users, domains, and processes involved in object access attempts, along with access permissions and firewall rule usage. Key visualizations highlight rule modifications, failures, and filtering behaviors. Detailed logs and saved searches offer insights into share access, transaction state changes, and firewall filter changes, helping identify policy violations and strengthen host-level security.\n\n**[Integration Page](/app/integrations/detail/system/overview)**",
+ "openLinksInNewTab": false
+ },
+ "title": "Table of Contents",
+ "type": "markdown",
+ "uiState": {}
+ }
+ },
+ "gridData": {
+ "h": 26,
+ "i": "d6c44e03-0ade-400d-9463-c7c035a20e7b",
+ "w": 11,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "d6c44e03-0ade-400d-9463-c7c035a20e7b",
+ "title": "Table of Contents",
+ "type": "visualization"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-b67d75dd-ac3e-4a9f-92e6-8293b693eaeb",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "b67d75dd-ac3e-4a9f-92e6-8293b693eaeb": {
+ "columnOrder": [
+ "16553711-c2b5-46f1-a965-b27181381737",
+ "73786aa6-51be-462b-9361-d23badbb0043"
+ ],
+ "columns": {
+ "16553711-c2b5-46f1-a965-b27181381737": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Profile Used",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "73786aa6-51be-462b-9361-d23badbb0043",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.ProfileUsed"
+ },
+ "73786aa6-51be-462b-9361-d23badbb0043": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4945"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4945"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "b67d75dd-ac3e-4a9f-92e6-8293b693eaeb",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "73786aa6-51be-462b-9361-d23badbb0043"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "16553711-c2b5-46f1-a965-b27181381737"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4945"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4945"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 13,
+ "i": "904519b9-68f9-4add-bb9f-260b3599b9e3",
+ "w": 18,
+ "x": 11,
+ "y": 0
+ },
+ "panelIndex": "904519b9-68f9-4add-bb9f-260b3599b9e3",
+ "title": "Events by Firewall Profile Usage [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-b8060bf6-9181-4b5f-86c2-44000c32e8c3",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "cf1a883f-b8f8-4747-a825-ee8488ddb447",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "b8060bf6-9181-4b5f-86c2-44000c32e8c3": {
+ "columnOrder": [
+ "e9d21331-3c7a-498c-aff3-5316edbf1cc9",
+ "0445b0c2-85fd-4d76-a4c4-c30cb7b12603"
+ ],
+ "columns": {
+ "0445b0c2-85fd-4d76-a4c4-c30cb7b12603": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "e9d21331-3c7a-498c-aff3-5316edbf1cc9": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Change Type",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "0445b0c2-85fd-4d76-a4c4-c30cb7b12603",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.ChangeType"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "cf1a883f-b8f8-4747-a825-ee8488ddb447",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5446"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5446"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "b8060bf6-9181-4b5f-86c2-44000c32e8c3",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "0445b0c2-85fd-4d76-a4c4-c30cb7b12603"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "e9d21331-3c7a-498c-aff3-5316edbf1cc9"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5446"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5446"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 13,
+ "i": "76bbbc70-ddba-4679-90df-96e4915419a5",
+ "w": 19,
+ "x": 29,
+ "y": 0
+ },
+ "panelIndex": "76bbbc70-ddba-4679-90df-96e4915419a5",
+ "title": "Windows Filtering Callout by Change Type [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-b8060bf6-9181-4b5f-86c2-44000c32e8c3",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "b8060bf6-9181-4b5f-86c2-44000c32e8c3": {
+ "columnOrder": [
+ "e9d21331-3c7a-498c-aff3-5316edbf1cc9",
+ "0445b0c2-85fd-4d76-a4c4-c30cb7b12603"
+ ],
+ "columns": {
+ "0445b0c2-85fd-4d76-a4c4-c30cb7b12603": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "e9d21331-3c7a-498c-aff3-5316edbf1cc9": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Filter Type",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "0445b0c2-85fd-4d76-a4c4-c30cb7b12603",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.FilterType"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5441"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5441"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "b8060bf6-9181-4b5f-86c2-44000c32e8c3",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "0445b0c2-85fd-4d76-a4c4-c30cb7b12603"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "e9d21331-3c7a-498c-aff3-5316edbf1cc9"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5441"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5441"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 13,
+ "i": "a8911fa8-e178-4087-8786-5af3aa2f4a91",
+ "w": 18,
+ "x": 11,
+ "y": 13
+ },
+ "panelIndex": "a8911fa8-e178-4087-8786-5af3aa2f4a91",
+ "title": "Windows Filter by Type [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-38d1ad0f-19f1-443f-8399-e9f345153400",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "38d1ad0f-19f1-443f-8399-e9f345153400": {
+ "columnOrder": [
+ "5986efaa-798e-4f96-8745-a936b3e51469",
+ "8080399e-153e-4f86-adcd-92d50993f007"
+ ],
+ "columns": {
+ "5986efaa-798e-4f96-8745-a936b3e51469": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Event Provider",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "8080399e-153e-4f86-adcd-92d50993f007",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "event.provider"
+ },
+ "8080399e-153e-4f86-adcd-92d50993f007": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5447"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5447"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "38d1ad0f-19f1-443f-8399-e9f345153400",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "8080399e-153e-4f86-adcd-92d50993f007"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "5986efaa-798e-4f96-8745-a936b3e51469"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5447"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5447"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 13,
+ "i": "a2fbbc1c-7348-443d-9c2d-b231b945e150",
+ "w": 19,
+ "x": 29,
+ "y": 13
+ },
+ "panelIndex": "a2fbbc1c-7348-443d-9c2d-b231b945e150",
+ "title": "Windows Filtered Platforms by Provider Name [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-df21f88f-c1ce-407e-8cc3-8a29e5fb498a",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "df21f88f-c1ce-407e-8cc3-8a29e5fb498a": {
+ "columnOrder": [
+ "b8341f06-a758-48a5-bfac-8fd4ede1fcd9",
+ "ba21ad1e-6942-40fc-b9c9-25ecc725d013"
+ ],
+ "columns": {
+ "b8341f06-a758-48a5-bfac-8fd4ede1fcd9": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Rule Name",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "ba21ad1e-6942-40fc-b9c9-25ecc725d013",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "rule.name"
+ },
+ "ba21ad1e-6942-40fc-b9c9-25ecc725d013": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "initialContext": null,
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "logs-*",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4953"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4953"
+ }
+ }
+ },
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4957"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4957"
+ }
+ }
+ }
+ ],
+ "relation": "OR",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "df21f88f-c1ce-407e-8cc3-8a29e5fb498a",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "legendSize": "large",
+ "metrics": [
+ "ba21ad1e-6942-40fc-b9c9-25ecc725d013"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "b8341f06-a758-48a5-bfac-8fd4ede1fcd9"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "logs-*",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4953"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4953"
+ }
+ }
+ },
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4957"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4957"
+ }
+ }
+ }
+ ],
+ "relation": "OR",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 17,
+ "i": "a519d3dd-432b-45dc-9c00-74ccfb685000",
+ "w": 24,
+ "x": 24,
+ "y": 26
+ },
+ "panelIndex": "a519d3dd-432b-45dc-9c00-74ccfb685000",
+ "title": "Firewall Failure by Rule Name [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-0006a94e-6410-43ec-98a7-cceb2c1ed815",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "0006a94e-6410-43ec-98a7-cceb2c1ed815": {
+ "columnOrder": [
+ "3a8e6bf3-9b2d-4cc4-9f9e-1c1292463318",
+ "88e5c4b3-6184-473d-874f-b0630223fccc"
+ ],
+ "columns": {
+ "3a8e6bf3-9b2d-4cc4-9f9e-1c1292463318": {
+ "customLabel": true,
+ "dataType": "ip",
+ "isBucketed": true,
+ "label": "Source IP",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "88e5c4b3-6184-473d-874f-b0630223fccc",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "source.ip"
+ },
+ "88e5c4b3-6184-473d-874f-b0630223fccc": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "logs-*",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4962"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4962"
+ }
+ }
+ },
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4963"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4963"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4965"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4965"
+ }
+ }
+ }
+ ],
+ "relation": "OR",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "3a8e6bf3-9b2d-4cc4-9f9e-1c1292463318"
+ },
+ {
+ "columnId": "88e5c4b3-6184-473d-874f-b0630223fccc"
+ }
+ ],
+ "layerId": "0006a94e-6410-43ec-98a7-cceb2c1ed815",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "logs-*",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4962"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4962"
+ }
+ }
+ },
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4963"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4963"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4965"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4965"
+ }
+ }
+ }
+ ],
+ "relation": "OR",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "2eccb3d2-f274-4c3c-a7c4-03746c21cfdb",
+ "w": 24,
+ "x": 24,
+ "y": 159
+ },
+ "panelIndex": "2eccb3d2-f274-4c3c-a7c4-03746c21cfdb",
+ "title": "Top 10 Source IP with Failed IPsec Packet Validation [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 14,
+ "i": "a35e2a32-1534-4068-bf18-b7a794d675a5",
+ "w": 48,
+ "x": 0,
+ "y": 365
+ },
+ "panelIndex": "a35e2a32-1534-4068-bf18-b7a794d675a5",
+ "panelRefName": "panel_a35e2a32-1534-4068-bf18-b7a794d675a5",
+ "title": "Host-Level Firewall Filter Changes [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 15,
+ "i": "edaae5a6-e5be-48d5-96b0-2f3d3bd0a59d",
+ "w": 48,
+ "x": 0,
+ "y": 350
+ },
+ "panelIndex": "edaae5a6-e5be-48d5-96b0-2f3d3bd0a59d",
+ "panelRefName": "panel_edaae5a6-e5be-48d5-96b0-2f3d3bd0a59d",
+ "title": "Windows Filtered Platforms Provider Essential Details [Logs System Windows Security] ",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 14,
+ "i": "d13b3203-d072-4aeb-990f-0db5495c21c2",
+ "w": 48,
+ "x": 0,
+ "y": 321
+ },
+ "panelIndex": "d13b3203-d072-4aeb-990f-0db5495c21c2",
+ "panelRefName": "panel_d13b3203-d072-4aeb-990f-0db5495c21c2",
+ "title": "Share Object Essential Details [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 15,
+ "i": "f37207f9-8299-4e06-9be7-b1cfdd51f00e",
+ "w": 48,
+ "x": 0,
+ "y": 335
+ },
+ "panelIndex": "f37207f9-8299-4e06-9be7-b1cfdd51f00e",
+ "panelRefName": "panel_f37207f9-8299-4e06-9be7-b1cfdd51f00e",
+ "title": "Windows Firewall Exception List Addition Details [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 13,
+ "i": "88c8d7d9-2b37-401f-9014-a0332e06b5e6",
+ "w": 48,
+ "x": 0,
+ "y": 308
+ },
+ "panelIndex": "88c8d7d9-2b37-401f-9014-a0332e06b5e6",
+ "panelRefName": "panel_88c8d7d9-2b37-401f-9014-a0332e06b5e6",
+ "title": "Windows Filtering Callout Details [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 13,
+ "i": "75978348-9527-46ce-9e42-cefb04b24f3f",
+ "w": 48,
+ "x": 0,
+ "y": 295
+ },
+ "panelIndex": "75978348-9527-46ce-9e42-cefb04b24f3f",
+ "panelRefName": "panel_75978348-9527-46ce-9e42-cefb04b24f3f",
+ "title": "Windows Filtering Essential Details [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 13,
+ "i": "1240d84a-78d8-4a07-b266-84791a333ee4",
+ "w": 48,
+ "x": 0,
+ "y": 282
+ },
+ "panelIndex": "1240d84a-78d8-4a07-b266-84791a333ee4",
+ "panelRefName": "panel_1240d84a-78d8-4a07-b266-84791a333ee4",
+ "title": "Firewall Failure Essential Details [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 13,
+ "i": "b26a471f-7624-4abb-9f57-18f8ae7c0e97",
+ "w": 48,
+ "x": 0,
+ "y": 379
+ },
+ "panelIndex": "b26a471f-7624-4abb-9f57-18f8ae7c0e97",
+ "panelRefName": "panel_b26a471f-7624-4abb-9f57-18f8ae7c0e97",
+ "title": "Transaction State Changes Essential Details [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-5261ea64-ae47-418f-9fc3-4a38efc18785",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "5261ea64-ae47-418f-9fc3-4a38efc18785": {
+ "columnOrder": [
+ "1df6c287-de25-4763-bccc-13d6b3e62a6a",
+ "b3ab6047-2823-4f2c-a270-debd52fdd87f"
+ ],
+ "columns": {
+ "1df6c287-de25-4763-bccc-13d6b3e62a6a": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "User Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "b3ab6047-2823-4f2c-a270-debd52fdd87f",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "user.domain"
+ },
+ "b3ab6047-2823-4f2c-a270-debd52fdd87f": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4663"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4663"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "1df6c287-de25-4763-bccc-13d6b3e62a6a"
+ },
+ {
+ "columnId": "b3ab6047-2823-4f2c-a270-debd52fdd87f"
+ }
+ ],
+ "layerId": "5261ea64-ae47-418f-9fc3-4a38efc18785",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4663"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4663"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "4560b69e-c515-48e8-8146-7bc803d88f7d",
+ "w": 24,
+ "x": 0,
+ "y": 191
+ },
+ "panelIndex": "4560b69e-c515-48e8-8146-7bc803d88f7d",
+ "title": "Top 10 Domains Involved in Object Access Attempts [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-927baa9c-0982-4ed7-8687-4d0a9aad2746",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "927baa9c-0982-4ed7-8687-4d0a9aad2746": {
+ "columnOrder": [
+ "c62abe11-4e55-47ef-a9c0-5af2ec65c2e1",
+ "e6df09e5-7f4d-409f-a06b-0dd300274e62",
+ "aa75d4da-0db3-4763-86ee-72ce0e44e709"
+ ],
+ "columns": {
+ "aa75d4da-0db3-4763-86ee-72ce0e44e709": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "c62abe11-4e55-47ef-a9c0-5af2ec65c2e1": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Rule Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "aa75d4da-0db3-4763-86ee-72ce0e44e709",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "rule.name"
+ },
+ "e6df09e5-7f4d-409f-a06b-0dd300274e62": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Rule ID",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "aa75d4da-0db3-4763-86ee-72ce0e44e709",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "rule.id"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4945"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4945"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "c62abe11-4e55-47ef-a9c0-5af2ec65c2e1"
+ },
+ {
+ "alignment": "right",
+ "columnId": "aa75d4da-0db3-4763-86ee-72ce0e44e709"
+ },
+ {
+ "columnId": "e6df09e5-7f4d-409f-a06b-0dd300274e62",
+ "isMetric": false,
+ "isTransposed": false
+ }
+ ],
+ "layerId": "927baa9c-0982-4ed7-8687-4d0a9aad2746",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4945"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4945"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "1747b7b2-251f-4c0f-a24a-108598e9afaf",
+ "w": 24,
+ "x": 0,
+ "y": 143
+ },
+ "panelIndex": "1747b7b2-251f-4c0f-a24a-108598e9afaf",
+ "title": "Top 10 Rules Listed by Firewall Events [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-b714e70d-ce94-44d3-83e0-f36c917c29e7",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "b714e70d-ce94-44d3-83e0-f36c917c29e7": {
+ "columnOrder": [
+ "814b4824-92d6-448d-9429-22992cf0ebb3",
+ "98c525a8-28ec-442f-bf1b-97aa177a99ba",
+ "2dea0f5c-e0b5-49e3-a055-a1e1762b2f5b"
+ ],
+ "columns": {
+ "2dea0f5c-e0b5-49e3-a055-a1e1762b2f5b": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "814b4824-92d6-448d-9429-22992cf0ebb3": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Rule Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "2dea0f5c-e0b5-49e3-a055-a1e1762b2f5b",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "rule.name"
+ },
+ "98c525a8-28ec-442f-bf1b-97aa177a99ba": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Rule ID",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "2dea0f5c-e0b5-49e3-a055-a1e1762b2f5b",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "rule.id"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "logs-*",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4953"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4953"
+ }
+ }
+ },
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4957"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4957"
+ }
+ }
+ }
+ ],
+ "relation": "OR",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "814b4824-92d6-448d-9429-22992cf0ebb3",
+ "isTransposed": false
+ },
+ {
+ "columnId": "98c525a8-28ec-442f-bf1b-97aa177a99ba",
+ "isTransposed": false
+ },
+ {
+ "columnId": "2dea0f5c-e0b5-49e3-a055-a1e1762b2f5b",
+ "isTransposed": false
+ }
+ ],
+ "layerId": "b714e70d-ce94-44d3-83e0-f36c917c29e7",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "logs-*",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4953"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4953"
+ }
+ }
+ },
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4957"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4957"
+ }
+ }
+ }
+ ],
+ "relation": "OR",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "ecc77943-5989-41c2-be09-9716319a4635",
+ "w": 24,
+ "x": 24,
+ "y": 143
+ },
+ "panelIndex": "ecc77943-5989-41c2-be09-9716319a4635",
+ "title": "Top 10 Failed Firewall Rules [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-efaf7aba-6dc5-492e-b5f1-50a7f995a7f3",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "efaf7aba-6dc5-492e-b5f1-50a7f995a7f3": {
+ "columnOrder": [
+ "7e836e01-1847-46e6-af75-503d34b59463",
+ "69e7de58-c47a-4ebe-b0f0-930723a1cfd5"
+ ],
+ "columns": {
+ "69e7de58-c47a-4ebe-b0f0-930723a1cfd5": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "7e836e01-1847-46e6-af75-503d34b59463": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Rule ID",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "69e7de58-c47a-4ebe-b0f0-930723a1cfd5",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "rule.id"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4945"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4945"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "Linear",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "69e7de58-c47a-4ebe-b0f0-930723a1cfd5"
+ ],
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "efaf7aba-6dc5-492e-b5f1-50a7f995a7f3",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_stacked",
+ "showGridlines": false,
+ "xAccessor": "7e836e01-1847-46e6-af75-503d34b59463"
+ }
+ ],
+ "legend": {
+ "isVisible": false,
+ "position": "right",
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4945"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4945"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "4c809eea-d798-47ee-ace3-e8c5ae4e866f",
+ "w": 48,
+ "x": 0,
+ "y": 76
+ },
+ "panelIndex": "4c809eea-d798-47ee-ace3-e8c5ae4e866f",
+ "title": "Firewall Rules by Rule ID [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-7f27aa91-44e6-4281-832d-d48b169f4a66",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "7f27aa91-44e6-4281-832d-d48b169f4a66": {
+ "columnOrder": [
+ "6909aa33-a9aa-445b-9529-713e5bf25f87",
+ "79399fb0-9164-4d25-9dea-4079af3f93e4"
+ ],
+ "columns": {
+ "6909aa33-a9aa-445b-9529-713e5bf25f87": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Profile Used",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "79399fb0-9164-4d25-9dea-4079af3f93e4",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.ProfileUsed"
+ },
+ "79399fb0-9164-4d25-9dea-4079af3f93e4": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4945"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4945"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "Linear",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "79399fb0-9164-4d25-9dea-4079af3f93e4"
+ ],
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "7f27aa91-44e6-4281-832d-d48b169f4a66",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_stacked",
+ "showGridlines": false,
+ "xAccessor": "6909aa33-a9aa-445b-9529-713e5bf25f87"
+ }
+ ],
+ "legend": {
+ "isVisible": false,
+ "position": "right",
+ "showSingleSeries": false
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4945"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4945"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "97eb3a5d-d803-432b-a15d-cca8cebc446b",
+ "w": 48,
+ "x": 0,
+ "y": 92
+ },
+ "panelIndex": "97eb3a5d-d803-432b-a15d-cca8cebc446b",
+ "title": "Firewall Rules by Profile Used [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 17,
+ "i": "4919f104-fe5c-461b-bd36-9dc1b7a51ada",
+ "w": 48,
+ "x": 0,
+ "y": 419
+ },
+ "panelIndex": "4919f104-fe5c-461b-bd36-9dc1b7a51ada",
+ "panelRefName": "panel_4919f104-fe5c-461b-bd36-9dc1b7a51ada",
+ "title": "Data Protection Key Backup Essential Detail [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 15,
+ "i": "b5dba375-b147-4a65-ad8e-bf076836dea1",
+ "w": 48,
+ "x": 0,
+ "y": 451
+ },
+ "panelIndex": "b5dba375-b147-4a65-ad8e-bf076836dea1",
+ "panelRefName": "panel_b5dba375-b147-4a65-ad8e-bf076836dea1",
+ "title": "Certificate Backup Essential Details [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-c3206b8a-5351-4565-8b85-2e57dc150b02",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "e5361003-e91f-4027-ab46-ecae00ad0eb3",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "c3206b8a-5351-4565-8b85-2e57dc150b02": {
+ "columnOrder": [
+ "fd11fd44-6456-424c-9971-9fca8cb42cbb",
+ "2349a1e4-fa45-4d42-8665-73f71a17964c",
+ "4f18693d-0baa-4e58-92b7-ce1765ba1bf9"
+ ],
+ "columns": {
+ "2349a1e4-fa45-4d42-8665-73f71a17964c": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Event Action",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "4f18693d-0baa-4e58-92b7-ce1765ba1bf9",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "event.action"
+ },
+ "4f18693d-0baa-4e58-92b7-ce1765ba1bf9": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "fd11fd44-6456-424c-9971-9fca8cb42cbb": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Privilege List",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "4f18693d-0baa-4e58-92b7-ce1765ba1bf9",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.PrivilegeList"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "e5361003-e91f-4027-ab46-ecae00ad0eb3",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4704",
+ "4705"
+ ],
+ "type": "phrases",
+ "value": [
+ "4704",
+ "4705"
+ ]
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4704"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4705"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "Linear",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "4f18693d-0baa-4e58-92b7-ce1765ba1bf9"
+ ],
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "c3206b8a-5351-4565-8b85-2e57dc150b02",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_horizontal_stacked",
+ "showGridlines": false,
+ "splitAccessor": "2349a1e4-fa45-4d42-8665-73f71a17964c",
+ "xAccessor": "fd11fd44-6456-424c-9971-9fca8cb42cbb"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendSize": "large",
+ "position": "right",
+ "shouldTruncate": false,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4704",
+ "4705"
+ ],
+ "type": "phrases",
+ "value": [
+ "4704",
+ "4705"
+ ]
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4704"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4705"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 19,
+ "i": "bd192628-caf6-4329-a136-42e2219551ab",
+ "w": 48,
+ "x": 0,
+ "y": 124
+ },
+ "panelIndex": "bd192628-caf6-4329-a136-42e2219551ab",
+ "title": "Privilege Changes by Privilege Name [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-fa421420-8e4c-4fee-9504-c8eddd74fb1d",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "fa421420-8e4c-4fee-9504-c8eddd74fb1d": {
+ "columnOrder": [
+ "09f1e7f5-dc00-48df-b98e-2991d8f105f4",
+ "a3178ae8-fd60-4f1b-b283-cff240d3125d"
+ ],
+ "columns": {
+ "09f1e7f5-dc00-48df-b98e-2991d8f105f4": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Failure Reasons Outcome",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "a3178ae8-fd60-4f1b-b283-cff240d3125d",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.FailureReasonsOutcome"
+ },
+ "a3178ae8-fd60-4f1b-b283-cff240d3125d": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4692"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4692"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "fa421420-8e4c-4fee-9504-c8eddd74fb1d",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "a3178ae8-fd60-4f1b-b283-cff240d3125d"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "09f1e7f5-dc00-48df-b98e-2991d8f105f4"
+ ],
+ "truncateLegend": false
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4692"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4692"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "20517fed-37c8-49a7-abce-9954b8676707",
+ "w": 24,
+ "x": 0,
+ "y": 43
+ },
+ "panelIndex": "20517fed-37c8-49a7-abce-9954b8676707",
+ "title": "Data Protection Key Backup Attempts by Failure Reason [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-56024671-eef3-40b9-82ad-6472b842fe48",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b8f5ff7a-0e76-4fa4-bf44-32d4e1fcec9a",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "56024671-eef3-40b9-82ad-6472b842fe48": {
+ "columnOrder": [
+ "56b13506-a19b-4e09-86f9-61e27ede4717",
+ "317123d0-bb74-40c4-9775-282dfbba2dfc",
+ "87c2b826-b8f8-4c3f-a4a0-b454e210af7e"
+ ],
+ "columns": {
+ "317123d0-bb74-40c4-9775-282dfbba2dfc": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Event Action",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "87c2b826-b8f8-4c3f-a4a0-b454e210af7e",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "event.action"
+ },
+ "56b13506-a19b-4e09-86f9-61e27ede4717": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "User Name",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "87c2b826-b8f8-4c3f-a4a0-b454e210af7e",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "user.name"
+ },
+ "87c2b826-b8f8-4c3f-a4a0-b454e210af7e": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "b8f5ff7a-0e76-4fa4-bf44-32d4e1fcec9a",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4868",
+ "4869"
+ ],
+ "type": "phrases",
+ "value": [
+ "4868",
+ "4869"
+ ]
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4868"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4869"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "Linear",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "87c2b826-b8f8-4c3f-a4a0-b454e210af7e"
+ ],
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "56024671-eef3-40b9-82ad-6472b842fe48",
+ "layerType": "data",
+ "seriesType": "bar_stacked",
+ "splitAccessor": "317123d0-bb74-40c4-9775-282dfbba2dfc",
+ "xAccessor": "56b13506-a19b-4e09-86f9-61e27ede4717"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendSize": "xlarge",
+ "position": "right",
+ "shouldTruncate": false,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_percentage_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4868",
+ "4869"
+ ],
+ "type": "phrases",
+ "value": [
+ "4868",
+ "4869"
+ ]
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4868"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4869"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 17,
+ "i": "898dddb5-9d55-4120-ad9a-4a131a9aa7a4",
+ "w": 48,
+ "x": 0,
+ "y": 59
+ },
+ "panelIndex": "898dddb5-9d55-4120-ad9a-4a131a9aa7a4",
+ "title": "Certificate Request Activities by User Name [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-41c53ffa-a9a1-4229-ab83-717aaec28e9f",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "cf3a313d-e6c2-415e-9282-61453c206895",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "41c53ffa-a9a1-4229-ab83-717aaec28e9f": {
+ "columnOrder": [
+ "44c64a05-c791-4686-ab9b-38c9b05c2f27",
+ "ed63e55f-c522-4f0f-ae8c-489d3ebf3df8"
+ ],
+ "columns": {
+ "44c64a05-c791-4686-ab9b-38c9b05c2f27": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "User ID",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "ed63e55f-c522-4f0f-ae8c-489d3ebf3df8",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "user.id"
+ },
+ "ed63e55f-c522-4f0f-ae8c-489d3ebf3df8": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "cf3a313d-e6c2-415e-9282-61453c206895",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4692"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4692"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "44c64a05-c791-4686-ab9b-38c9b05c2f27"
+ },
+ {
+ "columnId": "ed63e55f-c522-4f0f-ae8c-489d3ebf3df8"
+ }
+ ],
+ "layerId": "41c53ffa-a9a1-4229-ab83-717aaec28e9f",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4692"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4692"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "d3eacf1a-c0cd-4705-a1d6-c7e3f9588d8e",
+ "w": 24,
+ "x": 24,
+ "y": 191
+ },
+ "panelIndex": "d3eacf1a-c0cd-4705-a1d6-c7e3f9588d8e",
+ "title": "Top 10 Accounts Triggering Backup of Master Key [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-fb4e0d17-a6d6-443e-8ce4-5ec465619969",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6403d8be-3680-40cb-9dfa-cd383693f138",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "fb4e0d17-a6d6-443e-8ce4-5ec465619969": {
+ "columnOrder": [
+ "52e659a3-8591-4d0f-9ba4-3740d8ec92a8",
+ "be3b0612-4acd-4ed4-8c9a-c6e747e31599",
+ "9dea4286-85f4-47a2-8ab9-00418e0df2c0"
+ ],
+ "columns": {
+ "52e659a3-8591-4d0f-9ba4-3740d8ec92a8": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Object Name",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "9dea4286-85f4-47a2-8ab9-00418e0df2c0",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.ObjectName"
+ },
+ "9dea4286-85f4-47a2-8ab9-00418e0df2c0": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "be3b0612-4acd-4ed4-8c9a-c6e747e31599": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Object Type",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "9dea4286-85f4-47a2-8ab9-00418e0df2c0",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.ObjectType"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "6403d8be-3680-40cb-9dfa-cd383693f138",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4691"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4691"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "be3b0612-4acd-4ed4-8c9a-c6e747e31599",
+ "isMetric": false,
+ "isTransposed": false
+ },
+ {
+ "columnId": "9dea4286-85f4-47a2-8ab9-00418e0df2c0"
+ },
+ {
+ "columnId": "52e659a3-8591-4d0f-9ba4-3740d8ec92a8",
+ "isMetric": false,
+ "isTransposed": false
+ }
+ ],
+ "layerId": "fb4e0d17-a6d6-443e-8ce4-5ec465619969",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4691"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4691"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "20676349-8467-4be7-8032-10aaf19ab79f",
+ "w": 24,
+ "x": 0,
+ "y": 207
+ },
+ "panelIndex": "20676349-8467-4be7-8032-10aaf19ab79f",
+ "title": "Top 10 Object With Indirect Object Access [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 14,
+ "i": "88140a37-58bb-42bf-8676-35b96cfed70e",
+ "w": 48,
+ "x": 0,
+ "y": 268
+ },
+ "panelIndex": "88140a37-58bb-42bf-8676-35b96cfed70e",
+ "panelRefName": "panel_88140a37-58bb-42bf-8676-35b96cfed70e",
+ "title": "Hard Link Essential Detail [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 14,
+ "i": "fc113b0f-034e-426f-a1c5-4151af5864ba",
+ "w": 48,
+ "x": 0,
+ "y": 481
+ },
+ "panelIndex": "fc113b0f-034e-426f-a1c5-4151af5864ba",
+ "panelRefName": "panel_fc113b0f-034e-426f-a1c5-4151af5864ba",
+ "title": "Object Deletion Activities Essential Detail [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-03a838fc-3fb2-483e-9942-0c716424ffec",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f622fb49-4a25-41a1-bd60-8779663f83f1",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "03a838fc-3fb2-483e-9942-0c716424ffec": {
+ "columnOrder": [
+ "a13e8f2e-69c5-450f-8bb7-2dde89cf16f5",
+ "2961a114-2496-4892-9cb4-baf0406acfb3"
+ ],
+ "columns": {
+ "2961a114-2496-4892-9cb4-baf0406acfb3": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "a13e8f2e-69c5-450f-8bb7-2dde89cf16f5": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "File Path",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "2961a114-2496-4892-9cb4-baf0406acfb3",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "file.path"
+ }
+ },
+ "ignoreGlobalFilters": false,
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "f622fb49-4a25-41a1-bd60-8779663f83f1",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4664"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4664"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "a13e8f2e-69c5-450f-8bb7-2dde89cf16f5",
+ "isMetric": false,
+ "isTransposed": false
+ },
+ {
+ "columnId": "2961a114-2496-4892-9cb4-baf0406acfb3",
+ "isMetric": true,
+ "isTransposed": false
+ }
+ ],
+ "layerId": "03a838fc-3fb2-483e-9942-0c716424ffec",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4664"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4664"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 16,
+ "i": "6c484ae2-2e8e-4171-8009-c04a4cbea851",
+ "w": 24,
+ "x": 24,
+ "y": 207
+ },
+ "panelIndex": "6c484ae2-2e8e-4171-8009-c04a4cbea851",
+ "title": "Top 10 Linked File Targets With Hard Link [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-3711f614-66ec-4102-b1ec-4a5428105595",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "3711f614-66ec-4102-b1ec-4a5428105595": {
+ "columnOrder": [
+ "f500d2bd-ceec-4c6b-bf36-e226640d5bc6",
+ "22318d6e-d333-4642-b3cd-e9914432be4c"
+ ],
+ "columns": {
+ "22318d6e-d333-4642-b3cd-e9914432be4c": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "f500d2bd-ceec-4c6b-bf36-e226640d5bc6": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": true,
+ "label": "Process ID",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "22318d6e-d333-4642-b3cd-e9914432be4c",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "process.pid"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4659",
+ "4660"
+ ],
+ "type": "phrases",
+ "value": [
+ "4659",
+ "4660"
+ ]
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4659"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4660"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "alignment": "left",
+ "columnId": "f500d2bd-ceec-4c6b-bf36-e226640d5bc6"
+ },
+ {
+ "columnId": "22318d6e-d333-4642-b3cd-e9914432be4c"
+ }
+ ],
+ "layerId": "3711f614-66ec-4102-b1ec-4a5428105595",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4659",
+ "4660"
+ ],
+ "type": "phrases",
+ "value": [
+ "4659",
+ "4660"
+ ]
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4659"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4660"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "16a7fe5c-4712-42d6-b92b-afd80a5ec644",
+ "w": 24,
+ "x": 0,
+ "y": 223
+ },
+ "panelIndex": "16a7fe5c-4712-42d6-b92b-afd80a5ec644",
+ "title": "Top 10 Processes Involved in Object Deletion Activities [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-725c1598-488b-4317-9e6b-aca53e8b6d59",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {
+ "725c1598-488b-4317-9e6b-aca53e8b6d59": {
+ "columnOrder": [
+ "a6973863-23b6-4ee2-816d-ff3de3daf480",
+ "7bb371cb-5659-452d-b2d0-1c2982005a3d",
+ "a11d847b-68c8-4624-911f-99d2ab075082"
+ ],
+ "columns": {
+ "7bb371cb-5659-452d-b2d0-1c2982005a3d": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Event Action",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "a11d847b-68c8-4624-911f-99d2ab075082",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "event.action"
+ },
+ "a11d847b-68c8-4624-911f-99d2ab075082": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "a6973863-23b6-4ee2-816d-ff3de3daf480": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Object Server",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "a11d847b-68c8-4624-911f-99d2ab075082",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.ObjectServer"
+ }
+ },
+ "incompleteColumns": {},
+ "indexPatternId": "logs-*",
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "currentIndexPatternId": "logs-*",
+ "layers": {}
+ },
+ "textBased": {
+ "indexPatternRefs": [
+ {
+ "id": "logs-*",
+ "timeField": "@timestamp",
+ "title": "logs-*"
+ }
+ ],
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4659",
+ "4660"
+ ],
+ "type": "phrases",
+ "value": [
+ "4659",
+ "4660"
+ ]
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4659"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4660"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "Linear",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "a11d847b-68c8-4624-911f-99d2ab075082"
+ ],
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "725c1598-488b-4317-9e6b-aca53e8b6d59",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_stacked",
+ "showGridlines": false,
+ "splitAccessor": "7bb371cb-5659-452d-b2d0-1c2982005a3d",
+ "xAccessor": "a6973863-23b6-4ee2-816d-ff3de3daf480"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "legendSize": "large",
+ "position": "right",
+ "shouldTruncate": false,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4659",
+ "4660"
+ ],
+ "type": "phrases",
+ "value": [
+ "4659",
+ "4660"
+ ]
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4659"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4660"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 17,
+ "i": "67599e09-fd1d-4147-b45d-82eac0b9f274",
+ "w": 48,
+ "x": 0,
+ "y": 107
+ },
+ "panelIndex": "67599e09-fd1d-4147-b45d-82eac0b9f274",
+ "title": "Object Deletion Activities by Object Server [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 15,
+ "i": "96ecc043-4ef9-4d63-b445-224a009dca75",
+ "w": 48,
+ "x": 0,
+ "y": 436
+ },
+ "panelIndex": "96ecc043-4ef9-4d63-b445-224a009dca75",
+ "panelRefName": "panel_96ecc043-4ef9-4d63-b445-224a009dca75",
+ "title": "Indirect Object Access Essential Details [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-02cf2a37-a04f-4705-9821-0652840c7380",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "8385f88a-0f80-4e1d-8077-a2425700f474",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "02cf2a37-a04f-4705-9821-0652840c7380": {
+ "columnOrder": [
+ "2815f07f-757a-4aa7-99cc-bc9779c9fb33",
+ "bef7ce3d-a3f9-4347-bb5c-3d8d68d699d5"
+ ],
+ "columns": {
+ "2815f07f-757a-4aa7-99cc-bc9779c9fb33": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "User ID",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "bef7ce3d-a3f9-4347-bb5c-3d8d68d699d5",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "user.id"
+ },
+ "bef7ce3d-a3f9-4347-bb5c-3d8d68d699d5": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "8385f88a-0f80-4e1d-8077-a2425700f474",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4876"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4876"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "2815f07f-757a-4aa7-99cc-bc9779c9fb33"
+ },
+ {
+ "columnId": "bef7ce3d-a3f9-4347-bb5c-3d8d68d699d5"
+ }
+ ],
+ "layerId": "02cf2a37-a04f-4705-9821-0652840c7380",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4876"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4876"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "0c0d53a7-1edb-4e37-9fc9-f145ee5aaee9",
+ "w": 24,
+ "x": 0,
+ "y": 238
+ },
+ "panelIndex": "0c0d53a7-1edb-4e37-9fc9-f145ee5aaee9",
+ "title": "Top 10 Users With Initiating Backups [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-a7423e91-d629-41af-a331-a7902b0172a1",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "510fd988-8851-4ec6-94b6-5eb601fedfc5",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "a7423e91-d629-41af-a331-a7902b0172a1": {
+ "columnOrder": [
+ "0ca8f7aa-9a79-442e-98f4-e64b4794ab73",
+ "8f036e48-5508-43a3-ba81-c045a0449116"
+ ],
+ "columns": {
+ "0ca8f7aa-9a79-442e-98f4-e64b4794ab73": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Target Process ID",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "8f036e48-5508-43a3-ba81-c045a0449116",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.TargetProcessId"
+ },
+ "8f036e48-5508-43a3-ba81-c045a0449116": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "510fd988-8851-4ec6-94b6-5eb601fedfc5",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4690"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4690"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "0ca8f7aa-9a79-442e-98f4-e64b4794ab73"
+ },
+ {
+ "columnId": "8f036e48-5508-43a3-ba81-c045a0449116"
+ }
+ ],
+ "layerId": "a7423e91-d629-41af-a331-a7902b0172a1",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4690"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4690"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "b3ff0a89-d96f-4afe-83b1-ac6784c891de",
+ "w": 24,
+ "x": 24,
+ "y": 223
+ },
+ "panelIndex": "b3ff0a89-d96f-4afe-83b1-ac6784c891de",
+ "title": "Top 10 Target Processes Involved in Duplication Handle [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-6e9a853e-d2e2-42bd-b8f8-6e6eb28c5f1c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "4d3837cc-c5b9-4517-a42e-075045e80f11",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "6e9a853e-d2e2-42bd-b8f8-6e6eb28c5f1c": {
+ "columnOrder": [
+ "1575678a-1a7f-4e4e-8f34-b08d0cca1ee2",
+ "472cc244-dc04-4207-a0be-d4fda6b4f4e9"
+ ],
+ "columns": {
+ "1575678a-1a7f-4e4e-8f34-b08d0cca1ee2": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Source Process Id",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "472cc244-dc04-4207-a0be-d4fda6b4f4e9",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "winlog.event_data.SourceProcessId"
+ },
+ "472cc244-dc04-4207-a0be-d4fda6b4f4e9": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "4d3837cc-c5b9-4517-a42e-075045e80f11",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4690"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4690"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "1575678a-1a7f-4e4e-8f34-b08d0cca1ee2"
+ },
+ {
+ "columnId": "472cc244-dc04-4207-a0be-d4fda6b4f4e9"
+ }
+ ],
+ "layerId": "6e9a853e-d2e2-42bd-b8f8-6e6eb28c5f1c",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4690"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4690"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "d5207953-6865-4cf4-8fc9-db4c8586d6bd",
+ "w": 24,
+ "x": 24,
+ "y": 238
+ },
+ "panelIndex": "d5207953-6865-4cf4-8fc9-db4c8586d6bd",
+ "title": "Top 10 Source Processes Involved in Duplication Handle [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 16,
+ "i": "46333519-36c7-45f2-b7a5-fa339dff7e4a",
+ "w": 24,
+ "x": 24,
+ "y": 43
+ },
+ "panelIndex": "46333519-36c7-45f2-b7a5-fa339dff7e4a",
+ "panelRefName": "panel_46333519-36c7-45f2-b7a5-fa339dff7e4a",
+ "title": "Windows Firewall Exception List Deletion Details [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 14,
+ "i": "605472ae-96b3-4047-a00f-56207acedbdc",
+ "w": 48,
+ "x": 0,
+ "y": 405
+ },
+ "panelIndex": "605472ae-96b3-4047-a00f-56207acedbdc",
+ "panelRefName": "panel_605472ae-96b3-4047-a00f-56207acedbdc",
+ "title": "Privilege Changes Essential Detail [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 15,
+ "i": "489bda95-dee2-4a57-b9e3-2f819e454fa2",
+ "w": 48,
+ "x": 0,
+ "y": 466
+ },
+ "panelIndex": "489bda95-dee2-4a57-b9e3-2f819e454fa2",
+ "panelRefName": "panel_489bda95-dee2-4a57-b9e3-2f819e454fa2",
+ "title": "Certificate Request Activities Essential Details [Logs System Windows Security]",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-6aa0c6dc-23e5-4b66-b128-5759285cd8dd",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "43544cd5-d53e-4707-a608-b9de1266dbc7",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "6aa0c6dc-23e5-4b66-b128-5759285cd8dd": {
+ "columnOrder": [
+ "740b76a9-5fcc-4f85-9c82-128a2e50e605",
+ "eec4edba-e1da-49f8-9f7b-44b67c26b682"
+ ],
+ "columns": {
+ "740b76a9-5fcc-4f85-9c82-128a2e50e605": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Process Name",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "eec4edba-e1da-49f8-9f7b-44b67c26b682",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "process.executable"
+ },
+ "eec4edba-e1da-49f8-9f7b-44b67c26b682": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "43544cd5-d53e-4707-a608-b9de1266dbc7",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4658"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4658"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "740b76a9-5fcc-4f85-9c82-128a2e50e605"
+ },
+ {
+ "columnId": "eec4edba-e1da-49f8-9f7b-44b67c26b682"
+ }
+ ],
+ "layerId": "6aa0c6dc-23e5-4b66-b128-5759285cd8dd",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4658"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4658"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "411c90f5-cc57-45d9-8516-de0e6469cadd",
+ "w": 24,
+ "x": 0,
+ "y": 253
+ },
+ "panelIndex": "411c90f5-cc57-45d9-8516-de0e6469cadd",
+ "title": "Top 10 Processes that Closed Object Handles [Logs System Windows Security]",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-b706fb49-0fdd-4811-92da-c75e6f05972a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "8667527a-f0bf-4dcb-981a-0c048409c8f8",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "b706fb49-0fdd-4811-92da-c75e6f05972a": {
+ "columnOrder": [
+ "fce96f3c-36fd-4dcf-b881-2deb73adc59c",
+ "a8008827-d6b6-4fcd-a5d6-4f87afa55ce1"
+ ],
+ "columns": {
+ "a8008827-d6b6-4fcd-a5d6-4f87afa55ce1": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "___records___"
+ },
+ "fce96f3c-36fd-4dcf-b881-2deb73adc59c": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "User Name",
+ "operationType": "terms",
+ "params": {
+ "accuracyMode": true,
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "a8008827-d6b6-4fcd-a5d6-4f87afa55ce1",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "user.name"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "8667527a-f0bf-4dcb-981a-0c048409c8f8",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4658"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4658"
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "fce96f3c-36fd-4dcf-b881-2deb73adc59c"
+ },
+ {
+ "alignment": "right",
+ "columnId": "a8008827-d6b6-4fcd-a5d6-4f87afa55ce1"
+ }
+ ],
+ "layerId": "b706fb49-0fdd-4811-92da-c75e6f05972a",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4658"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4658"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "a02b6845-214c-43a8-a9bc-39c739ab01d1",
+ "w": 24,
+ "x": 24,
+ "y": 253
+ },
+ "panelIndex": "a02b6845-214c-43a8-a9bc-39c739ab01d1",
+ "title": "Top 10 Users that Closed Object Handles [Logs System Windows Security]",
+ "type": "lens"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Logs System Windows Security] Policy \u0026 Object Monitoring",
+ "version": 3
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T10:14:40.603Z",
+ "id": "system-db94459a-7232-4d1b-aa0c-b80dece8bc3a",
+ "managed": false,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-72966c9a-d594-48f4-9838-aac38d5d4bee",
+ "name": "fbdc97dc-b140-4594-878c-f66ebf1e0da9:panel_fbdc97dc-b140-4594-878c-f66ebf1e0da9",
+ "type": "search"
+ },
+ {
+ "id": "system-1e5f6375-b6ac-4bab-a495-4c97c316bbfc",
+ "name": "a35e2a32-1534-4068-bf18-b7a794d675a5:panel_a35e2a32-1534-4068-bf18-b7a794d675a5",
+ "type": "search"
+ },
+ {
+ "id": "system-b856c615-5136-4e02-9c3b-14c6576e16e1",
+ "name": "edaae5a6-e5be-48d5-96b0-2f3d3bd0a59d:panel_edaae5a6-e5be-48d5-96b0-2f3d3bd0a59d",
+ "type": "search"
+ },
+ {
+ "id": "system-4c34518b-de35-4ffb-a11f-2da89fb028d7",
+ "name": "d13b3203-d072-4aeb-990f-0db5495c21c2:panel_d13b3203-d072-4aeb-990f-0db5495c21c2",
+ "type": "search"
+ },
+ {
+ "id": "system-5d27d5fd-8fd3-4954-83ee-9c89862bcadf",
+ "name": "f37207f9-8299-4e06-9be7-b1cfdd51f00e:panel_f37207f9-8299-4e06-9be7-b1cfdd51f00e",
+ "type": "search"
+ },
+ {
+ "id": "system-9efb946b-528d-4cd9-b3ef-4040859570ba",
+ "name": "88c8d7d9-2b37-401f-9014-a0332e06b5e6:panel_88c8d7d9-2b37-401f-9014-a0332e06b5e6",
+ "type": "search"
+ },
+ {
+ "id": "system-a9c32a08-b008-463a-800a-f46730fed42b",
+ "name": "75978348-9527-46ce-9e42-cefb04b24f3f:panel_75978348-9527-46ce-9e42-cefb04b24f3f",
+ "type": "search"
+ },
+ {
+ "id": "system-00757d92-6a5f-48d9-b9a9-37dcee0389e2",
+ "name": "1240d84a-78d8-4a07-b266-84791a333ee4:panel_1240d84a-78d8-4a07-b266-84791a333ee4",
+ "type": "search"
+ },
+ {
+ "id": "system-cc7c88b4-22c4-4f42-8b5b-3466000a3b32",
+ "name": "b26a471f-7624-4abb-9f57-18f8ae7c0e97:panel_b26a471f-7624-4abb-9f57-18f8ae7c0e97",
+ "type": "search"
+ },
+ {
+ "id": "system-dd3e3d90-8f72-4f04-ba7d-de0051bc1749",
+ "name": "4919f104-fe5c-461b-bd36-9dc1b7a51ada:panel_4919f104-fe5c-461b-bd36-9dc1b7a51ada",
+ "type": "search"
+ },
+ {
+ "id": "system-2d98c0f5-b501-4581-bc34-e90e82ef6295",
+ "name": "b5dba375-b147-4a65-ad8e-bf076836dea1:panel_b5dba375-b147-4a65-ad8e-bf076836dea1",
+ "type": "search"
+ },
+ {
+ "id": "system-ba83542b-5838-41ce-a569-bc7b9c8c0a87",
+ "name": "88140a37-58bb-42bf-8676-35b96cfed70e:panel_88140a37-58bb-42bf-8676-35b96cfed70e",
+ "type": "search"
+ },
+ {
+ "id": "system-1b9117c8-e5a6-44ec-a237-2dbbdde131ea",
+ "name": "fc113b0f-034e-426f-a1c5-4151af5864ba:panel_fc113b0f-034e-426f-a1c5-4151af5864ba",
+ "type": "search"
+ },
+ {
+ "id": "system-00025874-1cfb-47f8-a766-6af263f47fab",
+ "name": "96ecc043-4ef9-4d63-b445-224a009dca75:panel_96ecc043-4ef9-4d63-b445-224a009dca75",
+ "type": "search"
+ },
+ {
+ "id": "system-b6ff5e31-6c94-479a-b567-729def3b6b5b",
+ "name": "46333519-36c7-45f2-b7a5-fa339dff7e4a:panel_46333519-36c7-45f2-b7a5-fa339dff7e4a",
+ "type": "search"
+ },
+ {
+ "id": "system-135250ac-861d-43cf-9bfb-ce04a39c2ed9",
+ "name": "605472ae-96b3-4047-a00f-56207acedbdc:panel_605472ae-96b3-4047-a00f-56207acedbdc",
+ "type": "search"
+ },
+ {
+ "id": "system-31950df9-7171-4672-87e4-36cd20decb6d",
+ "name": "489bda95-dee2-4a57-b9e3-2f819e454fa2:panel_489bda95-dee2-4a57-b9e3-2f819e454fa2",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "5e584419-1eec-4a7a-9263-6d29610da8d9:indexpattern-datasource-layer-e91e304b-3576-4201-9d95-d0f97f7e2816",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "4e569ff3-c9b0-4989-81b4-6a4f976c3d6d:indexpattern-datasource-layer-682333cf-f496-444c-b8eb-b0ca1d606276",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "54fc7f8b-34ff-44aa-a7f4-be6f57d896c3:indexpattern-datasource-layer-5261ea64-ae47-418f-9fc3-4a38efc18785",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c8a04880-9e26-4b15-a7bb-2e53997b6745:indexpattern-datasource-layer-5261ea64-ae47-418f-9fc3-4a38efc18785",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "904519b9-68f9-4add-bb9f-260b3599b9e3:indexpattern-datasource-layer-b67d75dd-ac3e-4a9f-92e6-8293b693eaeb",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "76bbbc70-ddba-4679-90df-96e4915419a5:indexpattern-datasource-layer-b8060bf6-9181-4b5f-86c2-44000c32e8c3",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "76bbbc70-ddba-4679-90df-96e4915419a5:cf1a883f-b8f8-4747-a825-ee8488ddb447",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "a8911fa8-e178-4087-8786-5af3aa2f4a91:indexpattern-datasource-layer-b8060bf6-9181-4b5f-86c2-44000c32e8c3",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "a2fbbc1c-7348-443d-9c2d-b231b945e150:indexpattern-datasource-layer-38d1ad0f-19f1-443f-8399-e9f345153400",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "a519d3dd-432b-45dc-9c00-74ccfb685000:indexpattern-datasource-layer-df21f88f-c1ce-407e-8cc3-8a29e5fb498a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "2eccb3d2-f274-4c3c-a7c4-03746c21cfdb:indexpattern-datasource-layer-0006a94e-6410-43ec-98a7-cceb2c1ed815",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "4560b69e-c515-48e8-8146-7bc803d88f7d:indexpattern-datasource-layer-5261ea64-ae47-418f-9fc3-4a38efc18785",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "1747b7b2-251f-4c0f-a24a-108598e9afaf:indexpattern-datasource-layer-927baa9c-0982-4ed7-8687-4d0a9aad2746",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "ecc77943-5989-41c2-be09-9716319a4635:indexpattern-datasource-layer-b714e70d-ce94-44d3-83e0-f36c917c29e7",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "4c809eea-d798-47ee-ace3-e8c5ae4e866f:indexpattern-datasource-layer-efaf7aba-6dc5-492e-b5f1-50a7f995a7f3",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "97eb3a5d-d803-432b-a15d-cca8cebc446b:indexpattern-datasource-layer-7f27aa91-44e6-4281-832d-d48b169f4a66",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "bd192628-caf6-4329-a136-42e2219551ab:indexpattern-datasource-layer-c3206b8a-5351-4565-8b85-2e57dc150b02",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "bd192628-caf6-4329-a136-42e2219551ab:e5361003-e91f-4027-ab46-ecae00ad0eb3",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "20517fed-37c8-49a7-abce-9954b8676707:indexpattern-datasource-layer-fa421420-8e4c-4fee-9504-c8eddd74fb1d",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "898dddb5-9d55-4120-ad9a-4a131a9aa7a4:indexpattern-datasource-layer-56024671-eef3-40b9-82ad-6472b842fe48",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "898dddb5-9d55-4120-ad9a-4a131a9aa7a4:b8f5ff7a-0e76-4fa4-bf44-32d4e1fcec9a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "d3eacf1a-c0cd-4705-a1d6-c7e3f9588d8e:indexpattern-datasource-layer-41c53ffa-a9a1-4229-ab83-717aaec28e9f",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "d3eacf1a-c0cd-4705-a1d6-c7e3f9588d8e:cf3a313d-e6c2-415e-9282-61453c206895",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "20676349-8467-4be7-8032-10aaf19ab79f:indexpattern-datasource-layer-fb4e0d17-a6d6-443e-8ce4-5ec465619969",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "20676349-8467-4be7-8032-10aaf19ab79f:6403d8be-3680-40cb-9dfa-cd383693f138",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6c484ae2-2e8e-4171-8009-c04a4cbea851:indexpattern-datasource-layer-03a838fc-3fb2-483e-9942-0c716424ffec",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6c484ae2-2e8e-4171-8009-c04a4cbea851:f622fb49-4a25-41a1-bd60-8779663f83f1",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "16a7fe5c-4712-42d6-b92b-afd80a5ec644:indexpattern-datasource-layer-3711f614-66ec-4102-b1ec-4a5428105595",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "67599e09-fd1d-4147-b45d-82eac0b9f274:indexpattern-datasource-layer-725c1598-488b-4317-9e6b-aca53e8b6d59",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "0c0d53a7-1edb-4e37-9fc9-f145ee5aaee9:indexpattern-datasource-layer-02cf2a37-a04f-4705-9821-0652840c7380",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "0c0d53a7-1edb-4e37-9fc9-f145ee5aaee9:8385f88a-0f80-4e1d-8077-a2425700f474",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b3ff0a89-d96f-4afe-83b1-ac6784c891de:indexpattern-datasource-layer-a7423e91-d629-41af-a331-a7902b0172a1",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b3ff0a89-d96f-4afe-83b1-ac6784c891de:510fd988-8851-4ec6-94b6-5eb601fedfc5",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "d5207953-6865-4cf4-8fc9-db4c8586d6bd:indexpattern-datasource-layer-6e9a853e-d2e2-42bd-b8f8-6e6eb28c5f1c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "d5207953-6865-4cf4-8fc9-db4c8586d6bd:4d3837cc-c5b9-4517-a42e-075045e80f11",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "411c90f5-cc57-45d9-8516-de0e6469cadd:indexpattern-datasource-layer-6aa0c6dc-23e5-4b66-b128-5759285cd8dd",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "411c90f5-cc57-45d9-8516-de0e6469cadd:43544cd5-d53e-4707-a608-b9de1266dbc7",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "a02b6845-214c-43a8-a9bc-39c739ab01d1:indexpattern-datasource-layer-b706fb49-0fdd-4811-92da-c75e6f05972a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "a02b6845-214c-43a8-a9bc-39c739ab01d1:8667527a-f0bf-4dcb-981a-0c048409c8f8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard",
+ "typeMigrationVersion": "10.2.0",
+ "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
+}
\ No newline at end of file
diff --git a/packages/system/kibana/search/system-00025874-1cfb-47f8-a766-6af263f47fab.json b/packages/system/kibana/search/system-00025874-1cfb-47f8-a766-6af263f47fab.json
new file mode 100644
index 00000000000..04a1e166ebd
--- /dev/null
+++ b/packages/system/kibana/search/system-00025874-1cfb-47f8-a766-6af263f47fab.json
@@ -0,0 +1,86 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "event.action",
+ "user.id",
+ "user.name",
+ "user.domain",
+ "winlog.event_data.ObjectType",
+ "winlog.event_data.ObjectName",
+ "process.pid",
+ "winlog.event_data.AccessList",
+ "winlog.event_data.AccessListDescription",
+ "winlog.event_data.AccessMask",
+ "winlog.event_data.AccessMaskDescription"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4691"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4691"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Indirect Object Access Essential Details [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T10:12:22.275Z",
+ "id": "system-00025874-1cfb-47f8-a766-6af263f47fab",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
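Review bot: The only constraint on this search is the `event.code: 4691` filter pill over the `logs-*` index pattern, so any other data stream under `logs-*` that populates `event.code` with the same value would be listed alongside the Windows Security events. Sibling searches in this change, for example the 5059 and 4663 ones, carry a first filter pinning `data_stream.dataset` to `system.security`; adding the same `match_phrase` filter here would keep the view scoped to the Security channel. If pulling in events from other sources is intentional, a one-line `description` saying so would stop a later reader from "fixing" it.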
diff --git a/packages/system/kibana/search/system-00757d92-6a5f-48d9-b9a9-37dcee0389e2.json b/packages/system/kibana/search/system-00757d92-6a5f-48d9-b9a9-37dcee0389e2.json
new file mode 100644
index 00000000000..e3d36d23791
--- /dev/null
+++ b/packages/system/kibana/search/system-00757d92-6a5f-48d9-b9a9-37dcee0389e2.json
@@ -0,0 +1,113 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "rule.id",
+ "rule.name",
+ "winlog.event_data.ReasonForRejection"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4953"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4953"
+ }
+ }
+ },
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4957"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4957"
+ }
+ }
+ }
+ ],
+ "relation": "OR",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Firewall Failure Essential Details [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T10:12:22.275Z",
+ "id": "system-00757d92-6a5f-48d9-b9a9-37dcee0389e2",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-system-security-solution-default",
+ "type": "tag"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
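Review bot: The `references` list carries the same tag id `system-security-solution-default` twice under two different names, `tag-ref-system-security-solution-default` and `tag-ref-security-solution-default`, while the 4691 search in this change carries only the latter. The duplicate looks like a leftover from an earlier export rather than intent; dropping the `tag-ref-system-security-solution-default` entry would make the tag references consistent across the new searches. Which of the two names the package build expects is not visible here, so confirm against the tooling before choosing.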
diff --git a/packages/system/kibana/search/system-135250ac-861d-43cf-9bfb-ce04a39c2ed9.json b/packages/system/kibana/search/system-135250ac-861d-43cf-9bfb-ce04a39c2ed9.json
new file mode 100644
index 00000000000..fc89522f061
--- /dev/null
+++ b/packages/system/kibana/search/system-135250ac-861d-43cf-9bfb-ce04a39c2ed9.json
@@ -0,0 +1,101 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "event.action",
+ "user.id",
+ "user.name",
+ "user.domain",
+ "user.target.id",
+ "winlog.logon.id",
+ "winlog.event_data.PrivilegeList"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4704",
+ "4705"
+ ],
+ "type": "phrases",
+ "value": [
+ "4704",
+ "4705"
+ ]
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4704"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4705"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Privilege Changes Essential Detail [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T11:31:34.639Z",
+ "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0",
+ "id": "system-135250ac-861d-43cf-9bfb-ce04a39c2ed9",
+ "managed": false,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0",
+ "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
+}
\ No newline at end of file
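Review bot: This export keeps `created_by` and `updated_by` set to a concrete Kibana user profile id and `managed` set to `false`, whereas most sibling searches in this change are `managed: true` and carry neither field. The profile id is environment-specific metadata with no meaning once the object is installed from a package, and it discloses which account authored the export. Dropping the two fields and aligning `managed` with the other objects would keep the exports uniform; whether the package build normalizes these on its own is not visible here.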
diff --git a/packages/system/kibana/search/system-1b9117c8-e5a6-44ec-a237-2dbbdde131ea.json b/packages/system/kibana/search/system-1b9117c8-e5a6-44ec-a237-2dbbdde131ea.json
new file mode 100644
index 00000000000..fe463530683
--- /dev/null
+++ b/packages/system/kibana/search/system-1b9117c8-e5a6-44ec-a237-2dbbdde131ea.json
@@ -0,0 +1,98 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "event.action",
+ "user.id",
+ "user.name",
+ "user.domain",
+ "winlog.logon.id",
+ "winlog.event_data.HandleId",
+ "process.pid",
+ "winlog.event_data.ObjectServer",
+ "file.path"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4659",
+ "4660"
+ ],
+ "type": "phrases",
+ "value": [
+ "4659",
+ "4660"
+ ]
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4659"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4660"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Object Deletion Activities Essential Detail [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T10:41:34.347Z",
+ "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0",
+ "id": "system-1b9117c8-e5a6-44ec-a237-2dbbdde131ea",
+ "managed": false,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0",
+ "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
+}
\ No newline at end of file
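Review bot: This search has no `tag` reference at all, its `references` hold only the two `logs-*` index-pattern entries, while every other new search in this change is tagged with `system-security-solution-default`. Without the tag it will not be grouped with the rest of the Windows Security content wherever that tag is used for discovery. Add `{ "id": "system-security-solution-default", "name": "tag-ref-security-solution-default", "type": "tag" }` to `references`.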
diff --git a/packages/system/kibana/search/system-1e5f6375-b6ac-4bab-a495-4c97c316bbfc.json b/packages/system/kibana/search/system-1e5f6375-b6ac-4bab-a495-4c97c316bbfc.json
new file mode 100644
index 00000000000..815c7000cd7
--- /dev/null
+++ b/packages/system/kibana/search/system-1e5f6375-b6ac-4bab-a495-4c97c316bbfc.json
@@ -0,0 +1,84 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "event.provider",
+ "user.name",
+ "winlog.event_data.ChangeType",
+ "winlog.event_data.FilterType"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5447"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5447"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "event.code : 5447"
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Host-Level Firewall Filter Changes [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T10:12:22.275Z",
+ "id": "system-1e5f6375-b6ac-4bab-a495-4c97c316bbfc",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-system-security-solution-default",
+ "type": "tag"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
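Review bot: The saved search constrains `event.code` twice: once as the filter pill `event.code: 5447` and again as the KQL text `event.code : 5447` in `searchSourceJSON.query`. The duplicate is harmless for results, but it differs from every sibling search, which leaves `query` empty and relies on the filter alone, and a user who removes the pill to widen the view will still be pinned by the query bar. Set `"query": ""` to match the others.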
diff --git a/packages/system/kibana/search/system-2b944fd9-7be6-4128-951b-a023df492fa6.json b/packages/system/kibana/search/system-2b944fd9-7be6-4128-951b-a023df492fa6.json
new file mode 100644
index 00000000000..e607a0a5380
--- /dev/null
+++ b/packages/system/kibana/search/system-2b944fd9-7be6-4128-951b-a023df492fa6.json
@@ -0,0 +1,87 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "winlog.event_data.DestinationDRA",
+ "winlog.event_data.SourceDRA",
+ "winlog.event_data.NamingContext",
+ "winlog.event_data.Options",
+ "winlog.event_data.SessionID",
+ "winlog.event_data.StatusCode",
+ "winlog.event_data.StartUSN"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4933"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4933"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "AD Replication Sync End Essential Details [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-07T09:14:17.833Z",
+ "id": "system-2b944fd9-7be6-4128-951b-a023df492fa6",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-system-security-solution-default",
+ "type": "tag"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
diff --git a/packages/system/kibana/search/system-2d98c0f5-b501-4581-bc34-e90e82ef6295.json b/packages/system/kibana/search/system-2d98c0f5-b501-4581-bc34-e90e82ef6295.json
new file mode 100644
index 00000000000..46eb51866d8
--- /dev/null
+++ b/packages/system/kibana/search/system-2d98c0f5-b501-4581-bc34-e90e82ef6295.json
@@ -0,0 +1,82 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "event.action",
+ "user.id",
+ "user.name",
+ "user.domain",
+ "winlog.logon.id",
+ "winlog.event_data.BackupType",
+ "winlog.event_data.BackupTypeDescription"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4876"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4876"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Certificate Backup Essential Details [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T10:12:22.275Z",
+ "id": "system-2d98c0f5-b501-4581-bc34-e90e82ef6295",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
diff --git a/packages/system/kibana/search/system-31950df9-7171-4672-87e4-36cd20decb6d.json b/packages/system/kibana/search/system-31950df9-7171-4672-87e4-36cd20decb6d.json
new file mode 100644
index 00000000000..a077dd9fe18
--- /dev/null
+++ b/packages/system/kibana/search/system-31950df9-7171-4672-87e4-36cd20decb6d.json
@@ -0,0 +1,100 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "event.action",
+ "user.id",
+ "user.name",
+ "user.domain",
+ "winlog.logon.id",
+ "winlog.event_data.RequestId"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4868",
+ "4869"
+ ],
+ "type": "phrases",
+ "value": [
+ "4868",
+ "4869"
+ ]
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4868"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4869"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Certificate Request Activities Essential Details [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T11:43:22.287Z",
+ "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0",
+ "id": "system-31950df9-7171-4672-87e4-36cd20decb6d",
+ "managed": false,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0",
+ "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
+}
\ No newline at end of file
diff --git a/packages/system/kibana/search/system-3f35f4fe-f01a-44a7-8892-cd64f88d0a61.json b/packages/system/kibana/search/system-3f35f4fe-f01a-44a7-8892-cd64f88d0a61.json
new file mode 100644
index 00000000000..054cd39e3db
--- /dev/null
+++ b/packages/system/kibana/search/system-3f35f4fe-f01a-44a7-8892-cd64f88d0a61.json
@@ -0,0 +1,111 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "event.provider",
+ "winlog.event_data.AlgorithmName",
+ "winlog.event_data.KeyName",
+ "winlog.event_data.KeyType"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.security"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.security"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5059"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5059"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Key Migration Operation Essential Details [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T09:20:42.346Z",
+ "id": "system-3f35f4fe-f01a-44a7-8892-cd64f88d0a61",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-system-security-solution-default",
+ "type": "tag"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
diff --git a/packages/system/kibana/search/system-4c34518b-de35-4ffb-a11f-2da89fb028d7.json b/packages/system/kibana/search/system-4c34518b-de35-4ffb-a11f-2da89fb028d7.json
new file mode 100644
index 00000000000..dfa46121208
--- /dev/null
+++ b/packages/system/kibana/search/system-4c34518b-de35-4ffb-a11f-2da89fb028d7.json
@@ -0,0 +1,86 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "user.id",
+ "user.name",
+ "user.domain",
+ "winlog.logon.id",
+ "winlog.event_data.ShareName",
+ "winlog.event_data.ShareLocalPath"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5142"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5142"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Share Object Essential Details [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T10:12:22.275Z",
+ "id": "system-4c34518b-de35-4ffb-a11f-2da89fb028d7",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-system-security-solution-default",
+ "type": "tag"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
diff --git a/packages/system/kibana/search/system-5d27d5fd-8fd3-4954-83ee-9c89862bcadf.json b/packages/system/kibana/search/system-5d27d5fd-8fd3-4954-83ee-9c89862bcadf.json
new file mode 100644
index 00000000000..a04b17b8617
--- /dev/null
+++ b/packages/system/kibana/search/system-5d27d5fd-8fd3-4954-83ee-9c89862bcadf.json
@@ -0,0 +1,83 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "rule.id",
+ "rule.name",
+ "winlog.event_data.ProfileChanged"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4946"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4946"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Detailed Rule Addition to Windows Firewall exception list Log [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T10:12:22.275Z",
+ "id": "system-5d27d5fd-8fd3-4954-83ee-9c89862bcadf",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-system-security-solution-default",
+ "type": "tag"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
diff --git a/packages/system/kibana/search/system-5dd71405-86d2-4eab-a3d5-088f71889e94.json b/packages/system/kibana/search/system-5dd71405-86d2-4eab-a3d5-088f71889e94.json
new file mode 100644
index 00000000000..45436245408
--- /dev/null
+++ b/packages/system/kibana/search/system-5dd71405-86d2-4eab-a3d5-088f71889e94.json
@@ -0,0 +1,87 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "user.id",
+ "user.name",
+ "user.domain",
+ "winlog.logon.id",
+ "winlog.event_data.Workstation",
+ "user.target.name",
+ "winlog.event_data.StatusDescription"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4793"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4793"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Detailed Password Policy Check Essential Details [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-07T09:14:17.833Z",
+ "id": "system-5dd71405-86d2-4eab-a3d5-088f71889e94",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-system-security-solution-default",
+ "type": "tag"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
diff --git a/packages/system/kibana/search/system-67574c86-e986-4efa-bd94-e052e7510475.json b/packages/system/kibana/search/system-67574c86-e986-4efa-bd94-e052e7510475.json
new file mode 100644
index 00000000000..2bbbf500c11
--- /dev/null
+++ b/packages/system/kibana/search/system-67574c86-e986-4efa-bd94-e052e7510475.json
@@ -0,0 +1,85 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "winlog.event_data.DestinationDRA",
+ "winlog.event_data.SourceDRA",
+ "winlog.event_data.NamingContext",
+ "winlog.event_data.Options",
+ "winlog.event_data.StatusCode"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4931"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4931"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "AD Replica Destination Modification Essential Details [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-07T09:14:17.833Z",
+ "id": "system-67574c86-e986-4efa-bd94-e052e7510475",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-system-security-solution-default",
+ "type": "tag"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
diff --git a/packages/system/kibana/search/system-71c28785-7ab7-4210-833b-6d65de60940a.json b/packages/system/kibana/search/system-71c28785-7ab7-4210-833b-6d65de60940a.json
new file mode 100644
index 00000000000..deec0928d62
--- /dev/null
+++ b/packages/system/kibana/search/system-71c28785-7ab7-4210-833b-6d65de60940a.json
@@ -0,0 +1,144 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "event.action",
+ "user.id",
+ "user.name",
+ "user.domain",
+ "device.id",
+ "device.model.name",
+ "winlog.event_data.ClassName",
+ "winlog.event_data.ClassId",
+ "winlog.event_data.HardwareIds",
+ "winlog.event_data.CompatibleIds",
+ "winlog.event_data.LocationInformation"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.security"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.security"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "6419",
+ "6420",
+ "6421",
+ "6422"
+ ],
+ "type": "phrases",
+ "value": [
+ "6419",
+ "6420",
+ "6421",
+ "6422"
+ ]
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "6419"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "6420"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "6421"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "6422"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Device Operation Essential Details"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T09:20:42.346Z",
+ "id": "system-71c28785-7ab7-4210-833b-6d65de60940a",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
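Review bot: The `title` is `Device Operation Essential Details` without the `[Logs System Windows Security]` suffix that every other search in this change carries. The suffix is what groups these saved objects together in the Kibana saved-object list, so this one will sort away from its siblings and is harder to attribute to the integration. Change it to `"title": "Device Operation Essential Details [Logs System Windows Security]"`.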
diff --git a/packages/system/kibana/search/system-72966c9a-d594-48f4-9838-aac38d5d4bee.json b/packages/system/kibana/search/system-72966c9a-d594-48f4-9838-aac38d5d4bee.json
new file mode 100644
index 00000000000..13fc4c91817
--- /dev/null
+++ b/packages/system/kibana/search/system-72966c9a-d594-48f4-9838-aac38d5d4bee.json
@@ -0,0 +1,118 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "user.id",
+ "user.name",
+ "user.domain",
+ "winlog.logon.id",
+ "process.executable",
+ "process.pid",
+ "winlog.event_data.ObjectType",
+ "winlog.event_data.ObjectName",
+ "winlog.event_data.AccessList",
+ "winlog.event_data.AccessMaskDescription",
+ "winlog.event_data.HandleId"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.security"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.security"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4663"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4663"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Detailed Object Access Logs [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T10:12:22.275Z",
+ "id": "system-72966c9a-d594-48f4-9838-aac38d5d4bee",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-system-security-solution-default",
+ "type": "tag"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
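Review bot: The references array lists the same tag id `system-security-solution-default` twice under two names, `tag-ref-system-security-solution-default` and `tag-ref-security-solution-default` (the last two entries), while the sibling search system-8947d1c6 carries only the second name. One reference per tag id is enough; I would keep the `tag-ref-security-solution-default` entry and drop the duplicate here and in the other new searches that carry both (system-7af1e82c, system-906dc8d0, system-94378112, system-9efb946b, system-a9c32a08, system-ac59de7d, system-b624ecd1, system-b6ff5e31, system-b856c615, system-cc7c88b4). Kibana presumably resolves both names to the same tag, so this is a consistency point rather than a functional one. Every new file in this batch is also written without a trailing newline; running the package formatter before merge would normalize that.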
diff --git a/packages/system/kibana/search/system-7af1e82c-155c-4f5b-813e-a2b6c3e5bc75.json b/packages/system/kibana/search/system-7af1e82c-155c-4f5b-813e-a2b6c3e5bc75.json
new file mode 100644
index 00000000000..f2a76449669
--- /dev/null
+++ b/packages/system/kibana/search/system-7af1e82c-155c-4f5b-813e-a2b6c3e5bc75.json
@@ -0,0 +1,84 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "event.provider",
+ "winlog.event_data.AlgorithmName",
+ "winlog.event_data.KeyName",
+ "winlog.event_data.KeyType"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5058"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5058"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Cryptographic Key File Operation Essential Details [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T09:20:42.346Z",
+ "id": "system-7af1e82c-155c-4f5b-813e-a2b6c3e5bc75",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-system-security-solution-default",
+ "type": "tag"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
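Review bot: The only filter in this search is `event.code: 5058` over the `logs-*` index pattern, with no `data_stream.dataset: system.security` filter like the one system-72966c9a and system-94378112 carry as filter[0], so any other integration that writes a numeric `event.code` into `logs-*` can leak into the result set. Adding the same dataset phrase filter as filter[0] (with the matching `filter[0].meta.index` reference) would scope it; the same applies to system-906dc8d0, system-9efb946b, system-a9c32a08, system-b624ecd1, system-b6ff5e31, system-b856c615, system-ba83542b, system-cc7c88b4 and system-cd3d5a1b. Separately, system-906dc8d0 also filters on 5058 with a different column set, and this search's columns (`AlgorithmName`, `KeyName`, `KeyType`) are identical to those of the 5061 search system-94378112 — please confirm 5058 is the intended code here rather than a copy of that search.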
diff --git a/packages/system/kibana/search/system-8947d1c6-6a3a-4b5d-890e-6f59d3d8f1e9.json b/packages/system/kibana/search/system-8947d1c6-6a3a-4b5d-890e-6f59d3d8f1e9.json
new file mode 100644
index 00000000000..caa081051e5
--- /dev/null
+++ b/packages/system/kibana/search/system-8947d1c6-6a3a-4b5d-890e-6f59d3d8f1e9.json
@@ -0,0 +1,139 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "event.action",
+ "user.id",
+ "user.name",
+ "user.domain",
+ "user.target.id",
+ "winlog.logon.id",
+ "winlog.event_data.PrivilegeList"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.security"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.security"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4704"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4704"
+ }
+ }
+ },
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4705"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4705"
+ }
+ }
+ }
+ ],
+ "relation": "OR",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Privilege Changes Essential Detail [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T10:12:22.275Z",
+ "id": "system-8947d1c6-6a3a-4b5d-890e-6f59d3d8f1e9",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
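Review bot: The OR over 4704/4705 is expressed as a `combined` filter whose inner entries carry a literal `"index": "logs-*"` and whose outer `"query"` is `{}`, while system-ac59de7d expresses the same kind of OR (4802/4803) as a `phrases` filter with an explicit `bool.should` query that resolves its index through `indexRefName`. The `phrases` form is the older serialization and keeps the index pattern in the references array where the package installer can rewrite it; `combined` filters, as far as I know, need a recent Kibana and embed the index pattern outside the references. Using the `phrases` shape here (and in system-cd3d5a1b, which uses the same `combined` construction for 4868/4869) would make all the new searches consistent.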
diff --git a/packages/system/kibana/search/system-906dc8d0-0330-46c1-831c-beda2868b383.json b/packages/system/kibana/search/system-906dc8d0-0330-46c1-831c-beda2868b383.json
new file mode 100644
index 00000000000..10a55c3daf6
--- /dev/null
+++ b/packages/system/kibana/search/system-906dc8d0-0330-46c1-831c-beda2868b383.json
@@ -0,0 +1,83 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "winlog.event_data.KeyFilePath",
+ "winlog.event_data.Operation",
+ "winlog.event_data.ReturnCodeOutcome"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5058"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5058"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "File Operation Essential Details [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T09:20:42.346Z",
+ "id": "system-906dc8d0-0330-46c1-831c-beda2868b383",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-system-security-solution-default",
+ "type": "tag"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
diff --git a/packages/system/kibana/search/system-94378112-04db-4813-a95f-2b157d6d4bb7.json b/packages/system/kibana/search/system-94378112-04db-4813-a95f-2b157d6d4bb7.json
new file mode 100644
index 00000000000..b33d39b9e59
--- /dev/null
+++ b/packages/system/kibana/search/system-94378112-04db-4813-a95f-2b157d6d4bb7.json
@@ -0,0 +1,111 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "event.provider",
+ "winlog.event_data.AlgorithmName",
+ "winlog.event_data.KeyName",
+ "winlog.event_data.KeyType"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.security"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.security"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5061"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5061"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Cryptographic Operation Essential Details [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T09:20:42.346Z",
+ "id": "system-94378112-04db-4813-a95f-2b157d6d4bb7",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-system-security-solution-default",
+ "type": "tag"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
diff --git a/packages/system/kibana/search/system-99f8b490-4f75-418e-bd91-4ef4bb7851de.json b/packages/system/kibana/search/system-99f8b490-4f75-418e-bd91-4ef4bb7851de.json
new file mode 100644
index 00000000000..6e0f8abb190
--- /dev/null
+++ b/packages/system/kibana/search/system-99f8b490-4f75-418e-bd91-4ef4bb7851de.json
@@ -0,0 +1,107 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "event.action",
+ "user.name",
+ "user.domain",
+ "winlog.event_data.DataDescription",
+ "winlog.event_data.MasterKeyId",
+ "winlog.event_data.CryptoAlgorithms",
+ "winlog.event_data.FailureReasons",
+ "winlog.event_data.FailureReasonsOutcome"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.security"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.security"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4695"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4695"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Protected Data Decryption Attempt Essential Details"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T09:48:48.360Z",
+ "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0",
+ "id": "system-99f8b490-4f75-418e-bd91-4ef4bb7851de",
+ "managed": false,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0",
+ "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
+}
\ No newline at end of file
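Review bot: This search is exported with `"managed": false` and carries `created_by`/`updated_by` user ids (`u_mGBROF_…`), where every other new search in the batch is `"managed": true` with no user attribution, and it has no `system-security-solution-default` tag reference, so it will not appear under the Security Solution tag. Its title `Protected Data Decryption Attempt Essential Details` also lacks the `[Logs System Windows Security]` suffix the other titles use. system-ba83542b (the 4664 search) shows the same three differences; both look like raw exports rather than package-prepared assets. I would set `"managed": true`, drop the two `*_by` fields, and add the tag reference in both files.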
diff --git a/packages/system/kibana/search/system-9efb946b-528d-4cd9-b3ef-4040859570ba.json b/packages/system/kibana/search/system-9efb946b-528d-4cd9-b3ef-4040859570ba.json
new file mode 100644
index 00000000000..7bb6685744d
--- /dev/null
+++ b/packages/system/kibana/search/system-9efb946b-528d-4cd9-b3ef-4040859570ba.json
@@ -0,0 +1,84 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "winlog.event_data.CalloutKey",
+ "winlog.event_data.CalloutId",
+ "winlog.event_data.CalloutName",
+ "winlog.event_data.CalloutType"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5446"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5446"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Windows Filtering Callout Details [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T10:12:22.275Z",
+ "id": "system-9efb946b-528d-4cd9-b3ef-4040859570ba",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-system-security-solution-default",
+ "type": "tag"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
diff --git a/packages/system/kibana/search/system-a9c32a08-b008-463a-800a-f46730fed42b.json b/packages/system/kibana/search/system-a9c32a08-b008-463a-800a-f46730fed42b.json
new file mode 100644
index 00000000000..33b3250f9e5
--- /dev/null
+++ b/packages/system/kibana/search/system-a9c32a08-b008-463a-800a-f46730fed42b.json
@@ -0,0 +1,84 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "winlog.event_data.FilterId",
+ "winlog.event_data.FilterName",
+ "winlog.event_data.FilterType",
+ "winlog.event_data.FilterKey"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5441"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5441"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Windows Filtering Essential Details [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T10:12:22.275Z",
+ "id": "system-a9c32a08-b008-463a-800a-f46730fed42b",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-system-security-solution-default",
+ "type": "tag"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
diff --git a/packages/system/kibana/search/system-ac59de7d-ca7d-4182-a3ec-d9a4ab69713d.json b/packages/system/kibana/search/system-ac59de7d-ca7d-4182-a3ec-d9a4ab69713d.json
new file mode 100644
index 00000000000..f9b0efa9bec
--- /dev/null
+++ b/packages/system/kibana/search/system-ac59de7d-ca7d-4182-a3ec-d9a4ab69713d.json
@@ -0,0 +1,130 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "event.action",
+ "user.id",
+ "user.name",
+ "user.domain",
+ "winlog.logon.id",
+ "winlog.event_data.SessionId"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.security"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.security"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": [
+ "4802",
+ "4803"
+ ],
+ "type": "phrases",
+ "value": [
+ "4802",
+ "4803"
+ ]
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "event.code": "4802"
+ }
+ },
+ {
+ "match_phrase": {
+ "event.code": "4803"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Screen Saver Essential Details [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T09:20:42.346Z",
+ "id": "system-ac59de7d-ca7d-4182-a3ec-d9a4ab69713d",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-system-security-solution-default",
+ "type": "tag"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
diff --git a/packages/system/kibana/search/system-b624ecd1-b43d-4ab1-829c-b22f2fcb5662.json b/packages/system/kibana/search/system-b624ecd1-b43d-4ab1-829c-b22f2fcb5662.json
new file mode 100644
index 00000000000..28d22306e12
--- /dev/null
+++ b/packages/system/kibana/search/system-b624ecd1-b43d-4ab1-829c-b22f2fcb5662.json
@@ -0,0 +1,85 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "winlog.event_data.DestinationDRA",
+ "winlog.event_data.SourceDRA",
+ "winlog.event_data.NamingContext",
+ "winlog.event_data.Options",
+ "winlog.event_data.StartUSN"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4932"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4932"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "AD Replication Sync Start Essential Details [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-07T09:14:17.833Z",
+ "id": "system-b624ecd1-b43d-4ab1-829c-b22f2fcb5662",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-system-security-solution-default",
+ "type": "tag"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
diff --git a/packages/system/kibana/search/system-b6ff5e31-6c94-479a-b567-729def3b6b5b.json b/packages/system/kibana/search/system-b6ff5e31-6c94-479a-b567-729def3b6b5b.json
new file mode 100644
index 00000000000..09b690f8ceb
--- /dev/null
+++ b/packages/system/kibana/search/system-b6ff5e31-6c94-479a-b567-729def3b6b5b.json
@@ -0,0 +1,83 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "rule.id",
+ "rule.name",
+ "winlog.event_data.ProfileChanged"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4948"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4948"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Detailed Rule Deletion to Windows Firewall exception list Log [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T10:12:22.275Z",
+ "id": "system-b6ff5e31-6c94-479a-b567-729def3b6b5b",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-system-security-solution-default",
+ "type": "tag"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
diff --git a/packages/system/kibana/search/system-b856c615-5136-4e02-9c3b-14c6576e16e1.json b/packages/system/kibana/search/system-b856c615-5136-4e02-9c3b-14c6576e16e1.json
new file mode 100644
index 00000000000..633f973e4a0
--- /dev/null
+++ b/packages/system/kibana/search/system-b856c615-5136-4e02-9c3b-14c6576e16e1.json
@@ -0,0 +1,83 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "winlog.event_data.ProviderContextKey",
+ "winlog.event_data.ProviderContextName",
+ "winlog.event_data.ProviderContextType"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "5449"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "5449"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Windows Filtered Platforms Provider Essential Details [ Logs System Windows Security ] "
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T10:12:22.275Z",
+ "id": "system-b856c615-5136-4e02-9c3b-14c6576e16e1",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-system-security-solution-default",
+ "type": "tag"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
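Review bot: The title `Windows Filtered Platforms Provider Essential Details [ Logs System Windows Security ] ` has spaces inside the brackets and a trailing space, unlike the `[Logs System Windows Security]` suffix every other search uses, so it displays and sorts differently in the saved-objects list. I would make it `"title": "Windows Filtering Platform Provider Essential Details [Logs System Windows Security]"`; the feature that event 5449 belongs to is normally called the Windows Filtering Platform, so "Filtered Platforms" reads like a typo — worth checking against the wording of the other WFP searches (system-9efb946b, system-a9c32a08).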
diff --git a/packages/system/kibana/search/system-ba83542b-5838-41ce-a569-bc7b9c8c0a87.json b/packages/system/kibana/search/system-ba83542b-5838-41ce-a569-bc7b9c8c0a87.json
new file mode 100644
index 00000000000..24dac832fa5
--- /dev/null
+++ b/packages/system/kibana/search/system-ba83542b-5838-41ce-a569-bc7b9c8c0a87.json
@@ -0,0 +1,80 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "event.action",
+ "user.id",
+ "user.name",
+ "user.domain",
+ "winlog.logon.id",
+ "file.path",
+ "winlog.event_data.LinkName",
+ "winlog.event_data.TransactionId"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4664"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4664"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Hard Link Essential Detail [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T10:24:59.380Z",
+ "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0",
+ "id": "system-ba83542b-5838-41ce-a569-bc7b9c8c0a87",
+ "managed": false,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0",
+ "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
+}
\ No newline at end of file
diff --git a/packages/system/kibana/search/system-cc7c88b4-22c4-4f42-8b5b-3466000a3b32.json b/packages/system/kibana/search/system-cc7c88b4-22c4-4f42-8b5b-3466000a3b32.json
new file mode 100644
index 00000000000..fd999e56a5a
--- /dev/null
+++ b/packages/system/kibana/search/system-cc7c88b4-22c4-4f42-8b5b-3466000a3b32.json
@@ -0,0 +1,84 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "winlog.event_data.TransactionId",
+ "winlog.event_data.NewState",
+ "process.name",
+ "process.pid"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4985"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4985"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Top Transaction State Changes [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T10:12:22.275Z",
+ "id": "system-cc7c88b4-22c4-4f42-8b5b-3466000a3b32",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-system-security-solution-default",
+ "type": "tag"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
diff --git a/packages/system/kibana/search/system-cd3d5a1b-aeb6-4bf0-b45e-adf7837b3fa1.json b/packages/system/kibana/search/system-cd3d5a1b-aeb6-4bf0-b45e-adf7837b3fa1.json
new file mode 100644
index 00000000000..4a57e7ac002
--- /dev/null
+++ b/packages/system/kibana/search/system-cd3d5a1b-aeb6-4bf0-b45e-adf7837b3fa1.json
@@ -0,0 +1,111 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "event.action",
+ "user.id",
+ "user.name",
+ "user.domain",
+ "winlog.logon.id",
+ "winlog.event_data.RequestId"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4868"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4868"
+ }
+ }
+ },
+ {
+ "meta": {
+ "disabled": false,
+ "field": "event.code",
+ "index": "logs-*",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4869"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4869"
+ }
+ }
+ }
+ ],
+ "relation": "OR",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Certificate Request Activities Essential Details [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T10:12:22.275Z",
+ "id": "system-cd3d5a1b-aeb6-4bf0-b45e-adf7837b3fa1",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
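Review bot: The only filter in this saved search is the combined `event.code` phrase filter (4868 OR 4869) against the `logs-*` index pattern; unlike the later searches in this commit (e.g. system-e629186d, system-f21d4873) it carries no `data_stream.dataset: system.security` phrase filter. `event.code` values are not unique to the Windows Security channel, so any document in `logs-*` whose `event.code` happens to be 4868 or 4869 would show up in this view, which weakens it as a triage aid. The same gap is present in system-dd3e3d90 (the next hunk, filtering on 4692 alone). Adding a first filter entry identical to the `data_stream.dataset` phrase filter used in the later searches — with this filter moved to `filter[1]` and a matching `references` entry — would make the scope explicit; if the wider scope is intentional, a sentence in the empty `"description": ""` saying so would help.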
diff --git a/packages/system/kibana/search/system-dd3e3d90-8f72-4f04-ba7d-de0051bc1749.json b/packages/system/kibana/search/system-dd3e3d90-8f72-4f04-ba7d-de0051bc1749.json
new file mode 100644
index 00000000000..a97c6cadd0b
--- /dev/null
+++ b/packages/system/kibana/search/system-dd3e3d90-8f72-4f04-ba7d-de0051bc1749.json
@@ -0,0 +1,84 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "event.action",
+ "user.id",
+ "user.name",
+ "user.domain",
+ "winlog.logon.id",
+ "winlog.event_data.MasterKeyId",
+ "winlog.event_data.RecoveryKeyId",
+ "winlog.event_data.FailureReasons",
+ "winlog.event_data.FailureReasonsOutcome"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4692"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4692"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Data Protection Key Backup Essential Detail [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T10:12:22.275Z",
+ "id": "system-dd3e3d90-8f72-4f04-ba7d-de0051bc1749",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
diff --git a/packages/system/kibana/search/system-e629186d-6a2a-4469-a060-bac42926f5d3.json b/packages/system/kibana/search/system-e629186d-6a2a-4469-a060-bac42926f5d3.json
new file mode 100644
index 00000000000..0caa6f0d7b3
--- /dev/null
+++ b/packages/system/kibana/search/system-e629186d-6a2a-4469-a060-bac42926f5d3.json
@@ -0,0 +1,109 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "event.action",
+ "user.id",
+ "user.name",
+ "user.domain",
+ "winlog.logon.id",
+ "winlog.event_data.SessionId"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.security"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.security"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4801"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4801"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Workstation Unlock Essential Details",
+ "viewMode": "documents"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T09:20:42.346Z",
+ "id": "system-e629186d-6a2a-4469-a060-bac42926f5d3",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
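Review bot: The `title` of this saved search, `"Workstation Unlock Essential Details"`, is the only one in this batch without the `[Logs System Windows Security]` suffix that every other new search uses, so it will sort and display apart from its siblings in the Discover "open search" list. Suggested change: `"title": "Workstation Unlock Essential Details [Logs System Windows Security]"`. This file also carries a `"viewMode": "documents"` attribute and a different `created_at` than the rest, which suggests it was exported from a different Kibana session — worth confirming it was re-exported against the same version as the others.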
diff --git a/packages/system/kibana/search/system-f21d4873-7987-480e-8110-1fda397c3e0d.json b/packages/system/kibana/search/system-f21d4873-7987-480e-8110-1fda397c3e0d.json
new file mode 100644
index 00000000000..3ddcd3ba09f
--- /dev/null
+++ b/packages/system/kibana/search/system-f21d4873-7987-480e-8110-1fda397c3e0d.json
@@ -0,0 +1,112 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "user.target.name",
+ "user.target.domain",
+ "winlog.event_data.TdoType",
+ "winlog.event_data.TdoDirection",
+ "winlog.event_data.TdoSid"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.security"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.security"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4675"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4675"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Essential Trust Filtering Details [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-06T08:28:18.104Z",
+ "id": "system-f21d4873-7987-480e-8110-1fda397c3e0d",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-system-security-solution-default",
+ "type": "tag"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
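Review bot: This saved search and system-f6a50ac5 (the next hunk) both have the title `"Essential Trust Filtering Details [Logs System Windows Security]"` and both filter on `event.code: 4675`, differing only in the columns shown (`winlog.event_data.Tdo*` here, trust attribute fields there), so a user opening the search from Discover cannot tell them apart. Giving each a title that names what it shows (the TDO fields here, the trust attributes there) would resolve the ambiguity. Separately, the `references` array lists the same tag id `system-security-solution-default` twice under two names (`tag-ref-system-security-solution-default` and `tag-ref-security-solution-default`); one reference is enough, and the same duplication appears in system-f6a50ac5 and system-f6dbb7a7, whereas system-cd3d5a1b, system-dd3e3d90 and system-e629186d reference it once.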
diff --git a/packages/system/kibana/search/system-f6a50ac5-d9cd-469c-8169-0d4fc5c0bef5.json b/packages/system/kibana/search/system-f6a50ac5-d9cd-469c-8169-0d4fc5c0bef5.json
new file mode 100644
index 00000000000..de6d9123f1c
--- /dev/null
+++ b/packages/system/kibana/search/system-f6a50ac5-d9cd-469c-8169-0d4fc5c0bef5.json
@@ -0,0 +1,113 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "user.target.name",
+ "user.target.domain",
+ "winlog.trustDirection",
+ "winlog.trustAttribute",
+ "winlog.trustType",
+ "winlog.event_data.SidListDesc"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.security"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.security"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4675"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4675"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Essential Trust Filtering Details [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T09:20:42.346Z",
+ "id": "system-f6a50ac5-d9cd-469c-8169-0d4fc5c0bef5",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-system-security-solution-default",
+ "type": "tag"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
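Review bot: The `columns` list uses `winlog.trustDirection`, `winlog.trustAttribute` and `winlog.trustType`, which do not follow the `winlog.event_data.*` naming every other column in these searches uses (for example `winlog.event_data.TdoDirection` in system-f21d4873). If these three names are not mapped fields in the `system.security` data stream the columns will simply render empty in Discover; please confirm them against the data stream's field definitions or the pipeline that sets them, and rename to the `winlog.event_data.*` form if that is where the values actually live.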
diff --git a/packages/system/kibana/search/system-f6dbb7a7-25a5-4d42-9e64-8cb6cd9e173c.json b/packages/system/kibana/search/system-f6dbb7a7-25a5-4d42-9e64-8cb6cd9e173c.json
new file mode 100644
index 00000000000..c7b3d6df362
--- /dev/null
+++ b/packages/system/kibana/search/system-f6dbb7a7-25a5-4d42-9e64-8cb6cd9e173c.json
@@ -0,0 +1,109 @@
+{
+ "attributes": {
+ "columns": [
+ "event.code",
+ "user.target.name",
+ "winlog.event_data.GroupMembership"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "system.security"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "system.security"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.code",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "key": "event.code",
+ "negate": false,
+ "params": {
+ "query": "4627"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.code": "4627"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Group Membership by User [Logs System Windows Security]"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T09:20:42.346Z",
+ "id": "system-f6dbb7a7-25a5-4d42-9e64-8cb6cd9e173c",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-system-security-solution-default",
+ "type": "tag"
+ },
+ {
+ "id": "system-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
diff --git a/packages/system/kibana/tag/system-security-solution-default.json b/packages/system/kibana/tag/system-security-solution-default.json
new file mode 100644
index 00000000000..7b26cd3a0ae
--- /dev/null
+++ b/packages/system/kibana/tag/system-security-solution-default.json
@@ -0,0 +1,14 @@
+{
+ "attributes": {
+ "color": "#00BFB3",
+ "description": "Tag defined in package-spec",
+ "name": "Security Solution"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-05-12T09:20:46.115Z",
+ "id": "system-security-solution-default",
+ "managed": true,
+ "references": [],
+ "type": "tag",
+ "typeMigrationVersion": "8.0.0"
+}
\ No newline at end of file
diff --git a/packages/system/manifest.yml b/packages/system/manifest.yml
index 11f936d09ba..2a3c9b26aa0 100644
--- a/packages/system/manifest.yml
+++ b/packages/system/manifest.yml
@@ -1,15 +1,31 @@
format_version: 3.0.2
name: system
title: System
-version: "2.4.0"
+version: "2.5.0"
description: Collect system logs and metrics from your servers with Elastic Agent.
type: integration
categories:
- os_system
conditions:
kibana:
- version: "^8.17.0 || ^9.0.0"
+ version: "^8.18.0 || ^9.0.0"
screenshots:
+ - src: /img/policy-and-object-monitoring-dashboard.png
+ title: policy and object monitoring
+ size: 600x600
+ type: image/png
+ - src: /img/system-and-process-activity-dashboard.png
+ title: system and process activity
+ size: 600x600
+ type: image/png
+ - src: /img/logon-activity-dashboard.png
+ title: Logon Activity
+ size: 600x600
+ type: image/png
+ - src: /img/directory-and-account-monitoring-dashboard.png
+ title: directory and account monitoring dashboard
+ size: 600x600
+ type: image/png
- src: /img/system-overview.png
title: system overview
size: 3226x1956
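Review bot: The four added `screenshots` entries use inconsistent `title` casing — `policy and object monitoring`, `system and process activity`, `Logon Activity`, `directory and account monitoring dashboard` — and these titles are shown verbatim in the integration's gallery, so a single convention (matching the existing `system overview`) would read better, e.g. `title: logon activity`. All four also declare `size: 600x600` while the existing entry carries the real pixel dimensions `3226x1956`; if the PNGs are not actually 600x600 the declared size should be corrected to the real dimensions. The `kibana.version` bump to `^8.18.0` is presumably driven by the new saved-object `typeMigrationVersion: 10.5.0` values; a changelog line mentioning the raised minimum would help users on 8.17.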