From 5a2f00f81a4440a045fec3a366e55aae294e9c61 Mon Sep 17 00:00:00 2001 From: Andrew Kroh Date: Wed, 29 Oct 2025 13:12:47 -0400 Subject: [PATCH 1/2] fix(x-pack/winlogbeat): run ingest pipeline tests on CI At some point the CI tests for the ingest pipeline in Winlogbeat stopped running on CI because there was no Linux host running the unit tests. The unit tests for the pipelines require Docker for running Elasticsearch. This adds a new Buildkite step for x-pack/winlogbeat. It fixes the tests that were broken there. It removes the request body from an eslegclient debug statement that was very noisy, and in some cases extremely lengthy. It removes the deprecated 'version' from the docker-compose.yaml file used to run ES. The pipelines were mostly fine because they have been copied from elastic/integrations where they are independently tested. --- .../x-pack/pipeline.xpack.winlogbeat.yml | 32 +++++++++++++++++-- .../winlogbeat/exported-fields-powershell.md | 6 ++++ libbeat/esleg/eslegclient/connection.go | 2 +- x-pack/winlogbeat/module/.gitignore | 1 + .../module/powershell/_meta/fields.yml | 4 +++ x-pack/winlogbeat/module/powershell/fields.go | 2 +- .../module/security/ingest/security.yml | 5 ++- .../security/ingest/security_standard.yml | 24 +++++++++----- x-pack/winlogbeat/module/testing.go | 1 + x-pack/winlogbeat/module/wintest/docker.go | 4 +-- .../winlogbeat/module/wintest/docker_test.go | 1 + x-pack/winlogbeat/module/wintest/simulate.go | 7 +++- .../module/wintest/simulate_test.go | 3 +- 13 files changed, 75 insertions(+), 17 deletions(-) diff --git a/.buildkite/x-pack/pipeline.xpack.winlogbeat.yml b/.buildkite/x-pack/pipeline.xpack.winlogbeat.yml index a3bbb76b14a2..1eb72069e226 100644 --- a/.buildkite/x-pack/pipeline.xpack.winlogbeat.yml +++ b/.buildkite/x-pack/pipeline.xpack.winlogbeat.yml
@@ -5,6 +5,10 @@ env: AWS_ARM_INSTANCE_TYPE: "m6g.xlarge" AWS_IMAGE_UBUNTU_ARM_64: "platform-ingest-beats-ubuntu-2204-aarch64" + GCP_DEFAULT_MACHINE_TYPE: "c2d-highcpu-8" + GCP_HI_PERF_MACHINE_TYPE: "c2d-highcpu-16" + GCP_WIN_MACHINE_TYPE: "n2-standard-8" + IMAGE_UBUNTU_X86_64: "family/platform-ingest-beats-ubuntu-2204" IMAGE_WIN_10: "family/platform-ingest-beats-windows-10" IMAGE_WIN_11: "family/platform-ingest-beats-windows-11" @@ -12,8 +16,6 @@ env: IMAGE_WIN_2019: "family/platform-ingest-beats-windows-2019" IMAGE_WIN_2022: "family/platform-ingest-beats-windows-2022" IMAGE_WIN_2025: "family/platform-ingest-beats-windows-2025" - GCP_WIN_MACHINE_TYPE: "n2-standard-8" - GCP_HI_PERF_MACHINE_TYPE: "c2d-highcpu-16" IMAGE_BEATS_WITH_HOOKS_LATEST: "docker.elastic.co/ci-agent-images/platform-ingest/buildkite-agent-beats-ci-with-hooks:latest" @@ -66,6 +68,32 @@ steps: key: "x-pack-winlogbeat-mandatory-tests" steps: + # Linux is required to execute ingest pipeline tests with dockerized Elasticsearch. + - label: ":ubuntu: x-pack/winlogbeat: Ubuntu x86_64 Unit Tests" + key: "mandatory-linux-unit-tests" + command: | + cd x-pack/winlogbeat + mage build unitTest + retry: + automatic: + - limit: 1 + agents: + provider: "gcp" + image: "${IMAGE_UBUNTU_X86_64}" + machineType: "${GCP_DEFAULT_MACHINE_TYPE}" + artifact_paths: + - "x-pack/winlogbeat/build/*.xml" + - "x-pack/winlogbeat/build/*.json" + plugins: + - test-collector#v1.10.2: + files: "x-pack/winlogbeat/build/TEST-*.xml" + format: "junit" + branches: "main" + debug: true + notify: + - github.amrom.workers.devmit_status: + context: "x-pack/winlogbeat: Ubuntu x86_64 Unit Tests" + - label: ":windows: x-pack/winlogbeat Win 2019 Unit Tests" key: "mandatory-win-2019-unit-tests" command: | diff --git a/docs/reference/winlogbeat/exported-fields-powershell.md b/docs/reference/winlogbeat/exported-fields-powershell.md index 59443c07924d..5f33025c3dd5 100644 --- a/docs/reference/winlogbeat/exported-fields-powershell.md 
+++ b/docs/reference/winlogbeat/exported-fields-powershell.md @@ -177,6 +177,12 @@ Data related to the PowerShell engine. Data related to the executed script file. +**`powershell.file.script_block_hash`** +: A hash of the script to be used in rules. + + type: keyword + + **`powershell.file.script_block_id`** : Id of the executed script block. diff --git a/libbeat/esleg/eslegclient/connection.go b/libbeat/esleg/eslegclient/connection.go index d2c9db06140a..5dbb15266113 100644 --- a/libbeat/esleg/eslegclient/connection.go +++ b/libbeat/esleg/eslegclient/connection.go @@ -378,7 +378,7 @@ func (conn *Connection) Request( ) (int, []byte, error) { url := addToURL(conn.URL, path, pipeline, params) - conn.log.Debugf("%s %s %s %v", method, url, pipeline, body) + conn.log.Debugf("%s %s %s", method, url, pipeline) return conn.RequestURL(method, url, body) } diff --git a/x-pack/winlogbeat/module/.gitignore b/x-pack/winlogbeat/module/.gitignore index 378eac25d311..2a3ce48c7b95 100644 --- a/x-pack/winlogbeat/module/.gitignore +++ b/x-pack/winlogbeat/module/.gitignore @@ -1 +1,2 @@ build +docker-compose.yaml diff --git a/x-pack/winlogbeat/module/powershell/_meta/fields.yml b/x-pack/winlogbeat/module/powershell/_meta/fields.yml index 093ac17761c0..a3cdb1dd15c8 100644 --- a/x-pack/winlogbeat/module/powershell/_meta/fields.yml +++ b/x-pack/winlogbeat/module/powershell/_meta/fields.yml @@ -120,6 +120,10 @@ type: group description: Data related to the executed script file. fields: + - name: script_block_hash + type: keyword + description: A hash of the script to be used in rules. + - name: script_block_id type: keyword description: Id of the executed script block. diff --git a/x-pack/winlogbeat/module/powershell/fields.go b/x-pack/winlogbeat/module/powershell/fields.go index 8ca3a28ece40..c96de1059a16 100644 --- a/x-pack/winlogbeat/module/powershell/fields.go +++ b/x-pack/winlogbeat/module/powershell/fields.go 
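Review bot: The new Debugf line in Request drops the body but leaves no trace of why, so the next reader chasing a request problem will be tempted to put `body` back; a one-line comment above it would prevent that, e.g. `// The body is intentionally not logged: it can be very large and may carry document contents or credentials.` The `url` argument is still logged in full, so if addToURL ever places credentials or API keys in query parameters they will reach debug logs; I cannot tell from this hunk whether any caller does that, but it is worth confirming. Request's signature starts outside the hunk.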
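Review bot: The description of the new script_block_hash field does not say which hash algorithm or encoding it holds, which rule authors need in order to compute a matching value from a script block. The updated 4104 golden file later in this series shows a value of the form `64TcviMSSJ/OdhiN8lVcBQeKWDU=`, which looks like a base64-encoded 20-byte digest, but the algorithm should be stated rather than inferred, and the pipeline that computes it is not in this diff. Suggested wording: `description: Hash of the script block text (<ALGORITHM>, <ENCODING>), intended for use in detection rules.` with the placeholders filled in from the pipeline.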
@@ -19,5 +19,5 @@ func init() { // AssetPowershell returns asset data. // This is the base64 encoded zlib format compressed contents of module/powershell. func AssetPowershell() string { - return "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" + return "eJzEV01v4zYQvftXDHLYSyE1TpxN7cMC7hYtDLS7wW6aPay3xkgcW2woUiUpO95fX5CiEiuSEtsJ2hwCmB/z3gwf31AR3NJ2AoXakDYZCTEAsNwKmsCVG/vsxiBXrBQ0AGBkUs0Ly5WcwLsBAMB1RoYANYHNCGhN0sKSk2AGTEEpX/IUrPKTVRhYKu1//sFTrYxa2ugLl0xtTPQA+ePHgjQ6HBSAkkFYsstKqJWJBwCaBKGhCSRkcQABfTLw9CKQmNNuhjFnfgbAbguauAJslK7HGhlWODMWh0m6w7xwtbmnXvGpKteHV/CCBJe02B/4KmwB3sY+GZ70QulSmgLTQ6A+hS2dUKMljk8vRywaXWASjejiPBoPxxcRjYfjn4aYniVJ0s/G0D8lyZQaVISSq85ah8UgyzwhDWrpRfIQDuiO0tItbvEc9lKwyqLYC//ardwBz8kYXJEBLj2ROpk2+GkveqryHGXzKFZalUUXgV/QotMyWmL1jalSJgYhUg1eSxzC3z022ux+sPvw21pDm9XV7sNrquL9ZD4P93E+N1tjKT8/m8/TnMV0R0EPu7Tc/0NpfcCcDqPVj+8AD8W/3haH4U+LQvDUe1abwRpF2aZg6c724mcEXK7V7TOws7xQ2ka/qxQF/07MywiaP6MlF+SIwFSnGV/TJzKq1CmZNlOHWWWxYGSRC9OijVrjto/3u50JgKmsVrtKquRvSq2BVEmLXHK5ggqBGHC5VDr3sP1F34NrfNRRZ+QXOuQqTmel31c8ZvegexEKN3rR9IKDuIWtzhQ2GU8zX54qPnCz4xndumQscmLei+0xN7V54h+l2EJpiPk+f4Uac7Kkf+aSPZy4DxzDTDJ3Y8hUVl+v9fS6czGG8kRsnTnslc/h966ZjSu/j1GrMujDT+SEXsVqCdzChgsBjAqSDJTcPSOfbFc6n713xrOP8XuVF5qMcd3tVy6omnmisUhJqZNVaUgf31/u47gT03WHlaswuVfPYSpHLg8VzZ8Or9raWZqb6W+fph+uX6eXeLBeUa1xpVHa3mKTXHFJxxd558lahXquomvSTgiHZnlTbauV2oKt41a306raYbsOu1Ggk4t4GA8vL9+ex8PT08uOBltoWnNVmoWxaF9oIFchFvhYvdl0+8MaucBEdJiDpM1rsPtAm2OIfbaqKIj1asw16Fd4JlbrwEV7TmTV0kUiVHq7yNAc/G6cgttVlyEgWwUJVQLjEnQpyOzW42kW/ODuOGOt10Ig4iP2qPmUnbGEYXR5/nYYjcZnbyMcj1jExoRsyZLR+RI7NN6g+qiDdLYVlCi230lPGgLacCnUKiG0i4fzX4Tg3Vvq+AVaS1o+mgujEzj5Op9/efPm61/Rt28/nOysMoQ6zXqC/w98nuq3dGePONJ4PsfAOS7MEx/IhVYpGRNXsZ1TLJpu++z38iOXDdaaKeP7ZogPD/HbH9WdbtrNdc3ZS9p7uwU4ns85w3/glHVq3SaeWr7ucvAXv02vAmz/W+AGNff9498AAAD///D8uG8=" } diff --git a/x-pack/winlogbeat/module/security/ingest/security.yml b/x-pack/winlogbeat/module/security/ingest/security.yml index ccbb522879ef..69aab14f3056 100644 
--- a/x-pack/winlogbeat/module/security/ingest/security.yml +++ b/x-pack/winlogbeat/module/security/ingest/security.yml @@ -85,4 +85,7 @@ on_failure: value: pipeline_error - append: field: error.message - value: "{{ _ingest.on_failure_message }}" + value: >- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{#_ingest.on_failure_processor_tag}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{/_ingest.on_failure_processor_tag}}failed with message '{{{ _ingest.on_failure_message }}}' diff --git a/x-pack/winlogbeat/module/security/ingest/security_standard.yml b/x-pack/winlogbeat/module/security/ingest/security_standard.yml index 68e74d61f1e1..d71971c9f492 100644 --- a/x-pack/winlogbeat/module/security/ingest/security_standard.yml +++ b/x-pack/winlogbeat/module/security/ingest/security_standard.yml @@ -942,14 +942,14 @@ processors: return; } Long tOpts = Long.decode(ctx.winlog.event_data.TicketOptions); - ArrayList tDescs = new ArrayList(); + TreeSet tDescs = new TreeSet(); for (entry in params.entrySet()) { Long flag = Long.decode(entry.getKey()); if ((tOpts.longValue() & flag.longValue()) == flag.longValue()) { tDescs.add(entry.getValue()); } } - if (tDescs.length == 0) { + if (tDescs.size() == 0) { return; } ctx.winlog.event_data.put("TicketOptionsDescription", tDescs); @@ -3308,10 +3308,10 @@ processors: } if (ctx.group?.id != null) { ctx.user.target.group.put("id", ctx.group.id); - } + } if (ctx.group?.name != null) { ctx.user.target.group.put("name", ctx.group.name); - } + } if (ctx.group?.domain != null) { ctx.user.target.group.put("domain", ctx.group.domain); } @@ -3799,7 +3799,11 @@ processors: if: |- ctx.source?.ip != null && ctx.source.ip != "-" - + - gsub: + field: winlog.event_data.SidList + pattern: '\s+' + replacement: ' ' + ignore_missing: true - script: lang: painless ignore_failure: false 
@@ -4128,14 +4132,15 @@ processors: void splitSidList(def sids, def params, def ctx) { ArrayList al = new ArrayList(); - def sidList = sids.splitOnToken(" "); + def sidsArray = sids.splitOnToken(" "); + ArrayList sidList = new ArrayList(Arrays.asList(sidsArray)); ctx.winlog.event_data.put("SidList", sidList); for (def i = 0; i < sidList.length; i++ ) { al.add(translateSID(sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""), params)); } ctx.winlog.event_data.put("SidListDesc", al); } - + if (ctx.event?.code == null || !["4670", "4817", "4907", "4908"].contains(ctx.event.code)) { return; @@ -4245,4 +4250,7 @@ on_failure: value: pipeline_error - append: field: error.message - value: "{{{ _ingest.on_failure_message }}}" + value: >- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{#_ingest.on_failure_processor_tag}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{/_ingest.on_failure_processor_tag}}failed with message '{{{ _ingest.on_failure_message }}}' diff --git a/x-pack/winlogbeat/module/testing.go b/x-pack/winlogbeat/module/testing.go index 0758f9b95c93..0a8010ac679c 100644 --- a/x-pack/winlogbeat/module/testing.go +++ b/x-pack/winlogbeat/module/testing.go @@ -127,6 +127,7 @@ func testIngestPipeline(t *testing.T, pipeline, pattern string, p *params) { "powershell_operational", "routing", "security", + "security_standard", "sysmon", } if len(loaded) != len(wantPipelines) { diff --git a/x-pack/winlogbeat/module/wintest/docker.go b/x-pack/winlogbeat/module/wintest/docker.go index 36552aecb79d..795f0bae99fa 100644 --- a/x-pack/winlogbeat/module/wintest/docker.go +++ b/x-pack/winlogbeat/module/wintest/docker.go @@ -91,7 +91,7 @@ func saveLogs(env map[string]string, root, target string) error { const ( composeFile = "docker-compose.yaml" - compose = `version: '2.3' + compose = `--- services: # This is a proxy used to block beats until all services are healthy. # See: https://github.com/docker/compose/issues/4369 
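Review bot: In splitSidList the gsub added at `@@ -3799` collapses runs of whitespace to a single space but does not trim, so a SidList value with a leading or trailing space yields an empty token from `splitOnToken(" ")`, which is then stored in SidList and handed to translateSID; if that helper does not tolerate an empty string, the script would now fail where it previously did not. `def sidsArray = sids.trim().splitOnToken(" ");` would avoid it. The rest of the script, including translateSID, is outside the hunk. Note also that `sidList.length` is kept on what is now an ArrayList, which Painless's list augmentation accepts, whereas the `@@ -942` hunk had to switch to `size()` for the TreeSet; `sidList.size()` would read consistently.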
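Review bot: The expected pipeline list that `"security_standard"` is appended to here is now maintained in three places — this hunk, wintest/docker_test.go at `@@ -103` and wintest/simulate_test.go at `@@ -94` — and the next pipeline will need the same edit in all three, which is easy to miss. Exporting one slice from the wintest package (for example `var WantPipelines = []string{...}`) and comparing against it from the three callers would keep them in step. testIngestPipeline begins outside the hunk, so I cannot see how the list is consumed beyond the length check.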
@@ -109,7 +109,7 @@ services: retries: 300 interval: 1s ports: - - 9200:9200 + - 127.0.0.1:9200:9200 ` ) diff --git a/x-pack/winlogbeat/module/wintest/docker_test.go b/x-pack/winlogbeat/module/wintest/docker_test.go index 46687a6d1d36..0a3f8f5e054f 100644 --- a/x-pack/winlogbeat/module/wintest/docker_test.go +++ b/x-pack/winlogbeat/module/wintest/docker_test.go @@ -103,6 +103,7 @@ func TestDocker(t *testing.T) { "powershell_operational", "routing", "security", + "security_standard", "sysmon", } if len(loaded) != len(wantPipelines) { diff --git a/x-pack/winlogbeat/module/wintest/simulate.go b/x-pack/winlogbeat/module/wintest/simulate.go index 8212cbf8e0ec..5bebafcf7014 100644 --- a/x-pack/winlogbeat/module/wintest/simulate.go +++ b/x-pack/winlogbeat/module/wintest/simulate.go @@ -135,6 +135,10 @@ func simulatePipeline(api *esapi.API, pipeline string, docs []json.RawMessage) ( } var events []json.RawMessage for _, doc := range response.Docs { + if doc.Error != nil { + events = append(events, doc.Error) + continue + } events = append(events, doc.Doc.Source) } return events, nil @@ -149,7 +153,8 @@ type simulatePipelineResponse struct { } type pipelineIngestedDocument struct { - Doc pipelineDocument `json:"doc"` + Doc pipelineDocument `json:"doc"` + Error json.RawMessage `json:"error"` } type pipelineDocument struct { diff --git a/x-pack/winlogbeat/module/wintest/simulate_test.go b/x-pack/winlogbeat/module/wintest/simulate_test.go index 7e3870270852..d2d49b8aace5 100644 --- a/x-pack/winlogbeat/module/wintest/simulate_test.go +++ b/x-pack/winlogbeat/module/wintest/simulate_test.go @@ -33,7 +33,7 @@ import ( // ecsVersion is the expected ECS version for testing purposes. // Change this when ECS version is bumped. -const ecsVersion = "1.12.0" +const ecsVersion = "8.17.0" func TestSimulate(t *testing.T) { const ( 
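Review bot: Binding the Elasticsearch port to 127.0.0.1 is the right call for a throwaway test cluster on a shared CI host (its service definition, and whether it runs without authentication, is outside the hunk), but the compose text gives no hint that the loopback address is deliberate, and a later edit could widen it back to `9200:9200` while chasing a connectivity problem. A comment on the line, e.g. `# Loopback only: the test cluster must not be reachable from other hosts on the CI network.`, would record the intent.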
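Review bot: When a simulated document carries an `error`, the new branch appends the raw error object to `events` and the function still returns `nil`, so callers receive a slice in which error objects and `_source` documents are indistinguishable and positionally interleaved; a caller that only checks the returned error will treat the failure as a successfully processed event. If the intent is to let the golden-file comparison surface the failure, that should be stated on the function, e.g. `// Documents the pipeline failed on are returned as the raw simulate error object in place of their _source.`; otherwise collecting the errors and returning them joined with `errors.Join` would be safer. simulatePipeline starts outside the hunk, and the `Error json.RawMessage` field added at `@@ -149` is what this branch relies on.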
@@ -94,6 +94,7 @@ func TestSimulate(t *testing.T) { "powershell_operational", "routing", "security", + "security_standard", "sysmon", } if len(loaded) != len(wantPipelines) { From d4c71ca266e0215d68c1074f178ac9c2357a2147 Mon Sep 17 00:00:00 2001 
From: Andrew Kroh Date: Wed, 29 Oct 2025 14:51:49 -0400 Subject: [PATCH 2/2] update golden files [git-generate] go -C ./x-pack/winlogbeat/module/security test ./... -v -update go -C ./x-pack/winlogbeat/module/sysmon test ./... -v -update go -C ./x-pack/winlogbeat/module/powershell test ./... -v -update --- .../test/testdata/ingest/400.golden.json | 48 +- .../test/testdata/ingest/403.golden.json | 48 +- .../test/testdata/ingest/4103.golden.json | 24 +- .../test/testdata/ingest/4104.golden.json | 25 +- .../test/testdata/ingest/4105.golden.json | 12 +- .../test/testdata/ingest/4106.golden.json | 12 +- .../test/testdata/ingest/600.golden.json | 36 +- .../test/testdata/ingest/800.golden.json | 48 +- .../test/testdata/ingest/1100.golden.json | 2 +- .../test/testdata/ingest/1102.golden.json | 2 +- .../test/testdata/ingest/1104.golden.json | 2 +- .../test/testdata/ingest/1105.golden.json | 2 +- .../ingest/4670_WindowsSrv2016.golden.json | 2 +- .../ingest/4706_WindowsSrv2016.golden.json | 2 +- .../ingest/4707_WindowsSrv2016.golden.json | 2 +- .../ingest/4713_WindowsSrv2016.golden.json | 2 +- .../ingest/4716_WindowsSrv2016.golden.json | 2 +- .../ingest/4717_WindowsSrv2016.golden.json | 2 +- .../ingest/4718_WindowsSrv2016.golden.json | 2 +- .../test/testdata/ingest/4719.golden.json | 2 +- .../ingest/4719_WindowsSrv2016.golden.json | 2 +- .../ingest/4739_WindowsSrv2016.golden.json | 2 +- .../test/testdata/ingest/4741.golden.json | 6 +- .../test/testdata/ingest/4742.golden.json | 6 +- .../test/testdata/ingest/4743.golden.json | 2 +- .../test/testdata/ingest/4744.golden.json | 2 +- .../test/testdata/ingest/4745.golden.json | 2 +- .../test/testdata/ingest/4746.golden.json | 2 +- .../test/testdata/ingest/4747.golden.json | 2 +- .../test/testdata/ingest/4748.golden.json | 2 +- .../test/testdata/ingest/4749.golden.json | 2 +- .../test/testdata/ingest/4750.golden.json | 2 +- .../test/testdata/ingest/4751.golden.json | 2 +- .../test/testdata/ingest/4752.golden.json | 2 +- 
.../test/testdata/ingest/4753.golden.json | 2 +- .../test/testdata/ingest/4759.golden.json | 2 +- .../test/testdata/ingest/4760.golden.json | 2 +- .../test/testdata/ingest/4761.golden.json | 2 +- .../test/testdata/ingest/4762.golden.json | 2 +- .../test/testdata/ingest/4763.golden.json | 2 +- .../test/testdata/ingest/4778.golden.json | 10 +- .../test/testdata/ingest/4779.golden.json | 10 +- .../test/testdata/ingest/4797.golden.json | 10 +- .../ingest/4817_WindowsSrv2016.golden.json | 2 +- .../ingest/4902_WindowsSrv2016.golden.json | 2 +- .../ingest/4904_WindowsSrv2016.golden.json | 2 +- .../ingest/4905_WindowsSrv2016.golden.json | 2 +- .../ingest/4906_WindowsSrv2016.golden.json | 2 +- .../ingest/4907_WindowsSrv2016.golden.json | 2 +- .../ingest/4908_WindowsSrv2016.golden.json | 4 +- .../test/testdata/ingest/5379.golden.json | 10 +- .../test/testdata/ingest/5380.golden.json | 10 +- .../test/testdata/ingest/5381.golden.json | 10 +- .../test/testdata/ingest/5382.golden.json | 10 +- .../security-windows2012_4673.golden.json | 2 +- .../security-windows2012_4674.golden.json | 2 +- .../security-windows2012_4697.golden.json | 2 +- .../security-windows2012_4698.golden.json | 2 +- .../security-windows2012_4699.golden.json | 2 +- .../security-windows2012_4700.golden.json | 2 +- .../security-windows2012_4701.golden.json | 2 +- .../security-windows2012_4702.golden.json | 2 +- .../security-windows2012_4768.golden.json | 4 +- .../security-windows2012_4769.golden.json | 2 +- .../security-windows2012_4770.golden.json | 6 +- .../security-windows2012_4771.golden.json | 4 +- .../security-windows2012_4776.golden.json | 2 +- .../security-windows2012_4778.golden.json | 2 +- .../security-windows2012_4779.golden.json | 2 +- .../security-windows2012r2-logon.golden.json | 36 +- .../security-windows2016-4672.golden.json | 2 +- .../security-windows2016-logoff.golden.json | 4 +- ...ndows2016_4720_Account_Created.golden.json | 12 +- ...ndows2016_4722_Account_Enabled.golden.json | 4 +- 
...ndows2016_4723_Password_Change.golden.json | 4 +- ...indows2016_4724_Password_Reset.golden.json | 4 +- ...dows2016_4725_Account_Disabled.golden.json | 4 +- ...ndows2016_4726_Account_Deleted.golden.json | 4 +- .../security-windows2016_4727.golden.json | 2 +- .../security-windows2016_4728.golden.json | 2 +- .../security-windows2016_4729.golden.json | 2 +- .../security-windows2016_4730.golden.json | 2 +- .../security-windows2016_4731.golden.json | 2 +- .../security-windows2016_4732.golden.json | 2 +- .../security-windows2016_4733.golden.json | 2 +- .../security-windows2016_4734.golden.json | 2 +- .../security-windows2016_4735.golden.json | 2 +- .../security-windows2016_4737.golden.json | 2 +- ...ndows2016_4738_Account_Changed.golden.json | 8 +- ...ws2016_4740_Account_Locked_Out.golden.json | 2 +- .../security-windows2016_4754.golden.json | 2 +- .../security-windows2016_4755.golden.json | 2 +- .../security-windows2016_4756.golden.json | 2 +- .../security-windows2016_4757.golden.json | 2 +- .../security-windows2016_4758.golden.json | 2 +- .../security-windows2016_4764.golden.json | 2 +- ...dows2016_4767_Account_Unlocked.golden.json | 2 +- ...ndows2016_4781_Account_Renamed.golden.json | 4 +- .../security-windows2016_4798.golden.json | 2 +- .../security-windows2016_4799.golden.json | 2 +- .../security-windows2016_4964.golden.json | 8 +- ...ndows2019_4688_Process_Created.golden.json | 2 +- ...indows2019_4689_Process_Exited.golden.json | 6 +- .../ingest/sysmon-10.2-dns.golden.json | 624 +++++++++--------- .../ingest/sysmon-11-filedelete.golden.json | 12 +- .../sysmon-11-filedeletedetected.golden.json | 8 +- .../ingest/sysmon-11-registry.golden.json | 20 +- .../ingest/sysmon-12-loadimage.golden.json | 4 +- .../sysmon-12-processcreate.golden.json | 4 +- .../sysmon-13-clipboardchange.golden.json | 4 +- .../sysmon-13-processtampering.golden.json | 4 +- .../testdata/ingest/sysmon-9.01.golden.json | 126 ++-- .../ingest/sysmon-no-evtx.golden.json | 3 +- 113 files changed, 743 
insertions(+), 657 deletions(-) diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/400.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/400.golden.json index 67d0989f4a11..675ffb797b75 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/400.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/400.golden.json @@ -2,18 +2,22 @@ { "@timestamp": "2020-05-14T07:00:30.8914235Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "Engine Lifecycle", - "category": "process", + "category": [ + "process" + ], "code": "400", - "ingested": "2025-01-15T10:02:22.041691914Z", + "ingested": "2025-10-29T18:18:28.904269377Z", "kind": "event", "module": "powershell", "provider": "PowerShell", "sequence": 13, - "type": "start" + "type": [ + "start" + ] }, "host": { "name": "vagrant", @@ -62,18 +66,22 @@ { "@timestamp": "2020-05-14T07:01:14.3715076Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "Engine Lifecycle", - "category": "process", + "category": [ + "process" + ], "code": "400", - "ingested": "2025-01-15T10:02:22.042381068Z", + "ingested": "2025-10-29T18:18:28.904567044Z", "kind": "event", "module": "powershell", "provider": "PowerShell", "sequence": 13, - "type": "start" + "type": [ + "start" + ] }, "host": { "name": "vagrant", @@ -124,18 +132,22 @@ { "@timestamp": "2020-05-14T11:32:51.9892568Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "Engine Lifecycle", - "category": "process", + "category": [ + "process" + ], "code": "400", - "ingested": "2025-01-15T10:02:22.042395560Z", + "ingested": "2025-10-29T18:18:28.904575669Z", "kind": "event", "module": "powershell", "provider": "PowerShell", "sequence": 13, - "type": "start" + "type": [ + "start" + ] }, "host": { "name": "vagrant", 
@@ -184,18 +196,22 @@ { "@timestamp": "2020-06-04T07:20:27.7472275Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "Engine Lifecycle", - "category": "process", + "category": [ + "process" + ], "code": "400", - "ingested": "2025-01-15T10:02:22.042402302Z", + "ingested": "2025-10-29T18:18:28.904580210Z", "kind": "event", "module": "powershell", "provider": "PowerShell", "sequence": 9, - "type": "start" + "type": [ + "start" + ] }, "host": { "name": "vagrant", diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/403.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/403.golden.json index e23c6b81a3f8..b2374df1a2fe 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/403.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/403.golden.json @@ -2,18 +2,22 @@ { "@timestamp": "2020-05-14T15:31:22.4269238Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "Engine Lifecycle", - "category": "process", + "category": [ + "process" + ], "code": "403", - "ingested": "2025-01-15T10:02:22.075700098Z", + "ingested": "2025-10-29T18:18:28.942849919Z", "kind": "event", "module": "powershell", "provider": "PowerShell", "sequence": 33, - "type": "end" + "type": [ + "end" + ] }, "host": { "name": "vagrant", @@ -61,18 +65,22 @@ { "@timestamp": "2020-05-15T08:11:47.932007Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "Engine Lifecycle", - "category": "process", + "category": [ + "process" + ], "code": "403", - "ingested": "2025-01-15T10:02:22.075721610Z", + "ingested": "2025-10-29T18:18:28.942869960Z", "kind": "event", "module": "powershell", "provider": "PowerShell", "sequence": 37, - "type": "end" + "type": [ + "end" + ] }, "host": { "name": "vagrant", 
@@ -121,18 +129,22 @@ { "@timestamp": "2020-05-15T08:28:53.6266982Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "Engine Lifecycle", - "category": "process", + "category": [ + "process" + ], "code": "403", - "ingested": "2025-01-15T10:02:22.075728323Z", + "ingested": "2025-10-29T18:18:28.942874294Z", "kind": "event", "module": "powershell", "provider": "PowerShell", "sequence": 37, - "type": "end" + "type": [ + "end" + ] }, "host": { "name": "vagrant", @@ -188,18 +200,22 @@ { "@timestamp": "2020-06-04T07:20:28.6861939Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "Engine Lifecycle", - "category": "process", + "category": [ + "process" + ], "code": "403", - "ingested": "2025-01-15T10:02:22.075733622Z", + "ingested": "2025-10-29T18:18:28.942877752Z", "kind": "event", "module": "powershell", "provider": "PowerShell", "sequence": 10, - "type": "end" + "type": [ + "end" + ] }, "host": { "name": "vagrant", diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4103.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4103.golden.json index 1e270875d3a6..e563a9090c1c 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4103.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4103.golden.json @@ -8,18 +8,22 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "Executing Pipeline", - "category": "process", + "category": [ + "process" + ], "code": "4103", - "ingested": "2025-01-15T10:02:22.083664757Z", + "ingested": "2025-10-29T18:18:28.958489585Z", "kind": "event", "module": "powershell", "provider": "Microsoft-Windows-PowerShell", "sequence": 34, - "type": "info" + "type": [ + "info" + ] }, "host": { "name": "vagrant", 
@@ -117,18 +121,22 @@ { "@timestamp": "2020-05-15T08:13:06.7032939Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "Executing Pipeline", - "category": "process", + "category": [ + "process" + ], "code": "4103", - "ingested": "2025-01-15T10:02:22.083688734Z", + "ingested": "2025-10-29T18:18:28.958508877Z", "kind": "event", "module": "powershell", "provider": "Microsoft-Windows-PowerShell", "sequence": 22, - "type": "info" + "type": [ + "info" + ] }, "host": { "name": "vagrant", diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4104.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4104.golden.json index 874b034919c2..650cb6e3f33e 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4104.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4104.golden.json @@ -2,17 +2,21 @@ { "@timestamp": "2020-05-14T11:33:51.3892662Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "Execute a Remote Command", - "category": "process", + "category": [ + "process" + ], "code": "4104", - "ingested": "2025-01-15T10:02:22.104487839Z", + "ingested": "2025-10-29T18:18:28.968386210Z", "kind": "event", "module": "powershell", "provider": "Microsoft-Windows-PowerShell", - "type": "info" + "type": [ + "info" + ] }, "host": { "name": "vagrant", @@ -27,6 +31,7 @@ "message": "Creating Scriptblock text (1 of 1):\n.\\patata.ps1\n\nScriptBlock ID: 50d2dbda-7361-4926-a94d-d9eadfdb43fa\nPath: ", "powershell": { "file": { + "script_block_hash": "64TcviMSSJ/OdhiN8lVcBQeKWDU=", "script_block_id": "50d2dbda-7361-4926-a94d-d9eadfdb43fa", "script_block_text": ".\\patata.ps1" }, 
@@ -61,17 +66,21 @@ { "@timestamp": "2020-05-14T11:33:51.3938848Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "Execute a Remote Command", - "category": "process", + "category": [ + "process" + ], "code": "4104", - "ingested": "2025-01-15T10:02:22.104615177Z", + "ingested": "2025-10-29T18:18:28.968402377Z", "kind": "event", "module": "powershell", "provider": "Microsoft-Windows-PowerShell", - "type": "info" + "type": [ + "info" + ] }, "file": { "directory": "C:\\Users\\vagrant\\Desktop", diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4105.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4105.golden.json index 79f97e6e9e5d..62c928198f5f 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4105.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4105.golden.json @@ -2,17 +2,21 @@ { "@timestamp": "2020-05-13T09:04:04.7552325Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "Starting Command", - "category": "process", + "category": [ + "process" + ], "code": "4105", - "ingested": "2025-01-15T10:02:22.112704225Z", + "ingested": "2025-10-29T18:18:28.973112544Z", "kind": "event", "module": "powershell", "provider": "Microsoft-Windows-PowerShell", - "type": "start" + "type": [ + "start" + ] }, "host": { "name": "vagrant", diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4106.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4106.golden.json index e69df74ff289..4cc7bc2f8ba4 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4106.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4106.golden.json 
@@ -2,17 +2,21 @@ { "@timestamp": "2020-05-13T10:40:32.5957152Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "Stopping Command", - "category": "process", + "category": [ + "process" + ], "code": "4106", - "ingested": "2025-01-15T10:02:22.116886398Z", + "ingested": "2025-10-29T18:18:28.975185960Z", "kind": "event", "module": "powershell", "provider": "Microsoft-Windows-PowerShell", - "type": "end" + "type": [ + "end" + ] }, "host": { "name": "vagrant", diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/600.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/600.golden.json index 7df9047f6051..61487aabbee8 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/600.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/600.golden.json @@ -2,18 +2,22 @@ { "@timestamp": "2020-05-13T13:21:43.1831809Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "Provider Lifecycle", - "category": "process", + "category": [ + "process" + ], "code": "600", - "ingested": "2025-01-15T10:02:22.120659443Z", + "ingested": "2025-10-29T18:18:28.977234460Z", "kind": "event", "module": "powershell", "provider": "PowerShell", "sequence": 35, - "type": "info" + "type": [ + "info" + ] }, "host": { "name": "vagrant", @@ -65,18 +69,22 @@ { "@timestamp": "2020-05-13T13:25:04.6564269Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "Provider Lifecycle", - "category": "process", + "category": [ + "process" + ], "code": "600", - "ingested": "2025-01-15T10:02:22.120717968Z", + "ingested": "2025-10-29T18:18:28.977256919Z", "kind": "event", "module": "powershell", "provider": "PowerShell", "sequence": 1, - "type": "info" + "type": [ + "info" + ] }, "host": { "name": "vagrant", 
@@ -125,18 +133,22 @@ { "@timestamp": "2020-06-04T07:25:04.8574302Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "Provider Lifecycle", - "category": "process", + "category": [ + "process" + ], "code": "600", - "ingested": "2025-01-15T10:02:22.120732760Z", + "ingested": "2025-10-29T18:18:28.977261627Z", "kind": "event", "module": "powershell", "provider": "PowerShell", "sequence": 8, - "type": "info" + "type": [ + "info" + ] }, "host": { "name": "vagrant", diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/800.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/800.golden.json index 9c7e27e1d946..51ec9e70e423 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/800.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/800.golden.json @@ -2,18 +2,22 @@ { "@timestamp": "2020-02-26T09:37:40.4872415Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "Pipeline Execution Details", - "category": "process", + "category": [ + "process" + ], "code": "800", - "ingested": "2025-01-15T10:02:22.127700838Z", + "ingested": "2025-10-29T18:18:28.980990835Z", "kind": "event", "module": "powershell", "provider": "PowerShell", "sequence": 17, - "type": "info" + "type": [ + "info" + ] }, "file": { "directory": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", @@ -109,18 +113,22 @@ { "@timestamp": "2020-05-15T08:33:26.3769931Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "Pipeline Execution Details", - "category": "process", + "category": [ + "process" + ], "code": "800", - "ingested": "2025-01-15T10:02:22.127748302Z", + "ingested": "2025-10-29T18:18:28.981003502Z", "kind": "event", "module": "powershell", "provider": "PowerShell", "sequence": 135, - "type": "info" + "type": [ + "info" + ] }, "host": { "name": "vagrant", 
@@ -197,18 +205,22 @@ { "@timestamp": "2020-05-15T08:33:26.393089Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "Pipeline Execution Details", - "category": "process", + "category": [ + "process" + ], "code": "800", - "ingested": "2025-01-15T10:02:22.127760188Z", + "ingested": "2025-10-29T18:18:28.981007419Z", "kind": "event", "module": "powershell", "provider": "PowerShell", "sequence": 141, - "type": "info" + "type": [ + "info" + ] }, "host": { "name": "vagrant", @@ -296,18 +308,22 @@ { "@timestamp": "2020-05-15T08:33:26.393089Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "Pipeline Execution Details", - "category": "process", + "category": [ + "process" + ], "code": "800", - "ingested": "2025-01-15T10:02:22.127766919Z", + "ingested": "2025-10-29T18:18:28.981010544Z", "kind": "event", "module": "powershell", "provider": "PowerShell", "sequence": 143, - "type": "info" + "type": [ + "info" + ] }, "host": { "name": "vagrant", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/1100.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/1100.golden.json index 547964c9fbff..d6b0a72228b0 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/1100.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/1100.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-11-07T10:37:04.2260925Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "logging-service-shutdown", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/1102.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/1102.golden.json index 5da9e28c4fb1..a99ffd496fce 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/1102.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/1102.golden.json 
@@ -2,7 +2,7 @@ { "@timestamp": "2019-11-07T10:34:29.0559196Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "audit-log-cleared", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/1104.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/1104.golden.json index baf58e5e7d16..fe706e4f7f24 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/1104.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/1104.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-11-08T07:56:17.3217049Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "logging-full", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/1105.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/1105.golden.json index 1982c1a45360..1ae172e424ee 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/1105.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/1105.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-11-07T16:22:14.8425353Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "auditlog-archieved", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4670_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4670_WindowsSrv2016.golden.json index 0708534f99a1..815993c8831c 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4670_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4670_WindowsSrv2016.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2020-07-28T13:22:18.7993488Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "permissions-changed", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4706_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4706_WindowsSrv2016.golden.json index 64b1d176053b..a8761a8cfb0f 100644 
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4706_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4706_WindowsSrv2016.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2020-07-27T09:42:48.3690009Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "domain-trust-added", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4707_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4707_WindowsSrv2016.golden.json index 86b4169c1c90..4077b4fd3c8b 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4707_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4707_WindowsSrv2016.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2020-07-28T06:18:04.600444Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "domain-trust-removed", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4713_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4713_WindowsSrv2016.golden.json index 05971082abeb..c780f5b686ae 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4713_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4713_WindowsSrv2016.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2020-07-28T10:15:43.4951882Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "kerberos-policy-changed", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4716_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4716_WindowsSrv2016.golden.json index 91ca0e97c698..2337e4a086ba 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4716_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4716_WindowsSrv2016.golden.json 
@@ -2,7 +2,7 @@ { "@timestamp": "2020-07-28T08:17:00.4706442Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "trusted-domain-information-changed", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4717_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4717_WindowsSrv2016.golden.json index fa1d95cf168c..b09dfa7194f2 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4717_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4717_WindowsSrv2016.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2020-07-27T09:30:41.9034803Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "system-security-access-granted", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4718_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4718_WindowsSrv2016.golden.json index 46fdd4dcb2be..0a7df8069b8a 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4718_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4718_WindowsSrv2016.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2020-07-27T09:30:41.8778082Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "system-security-access-removed", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4719.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4719.golden.json index d547ce768a87..076f4e023d9d 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4719.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4719.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-11-07T15:22:57.6553291Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "changed-audit-config", 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4719_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4719_WindowsSrv2016.golden.json
index 5e6c920747f9..4b1c48b38ea1 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4719_WindowsSrv2016.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4719_WindowsSrv2016.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2020-08-18T13:45:57.4803543Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "changed-audit-config",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4739_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4739_WindowsSrv2016.golden.json
index 79a92a9cb7e7..399e6aba6cfc 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4739_WindowsSrv2016.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4739_WindowsSrv2016.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2020-07-27T09:34:50.1578005Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "domain-policy-changed",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4741.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4741.golden.json
index 9a7abec68a1a..f54a8ffdf9a8 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4741.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4741.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2019-12-18T16:22:12.3112534Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "added-computer-account",
@@ -53,9 +53,9 @@
 "HomePath": "-",
 "LogonHours": "\u003cvalue not set\u003e",
 "NewUACList": [
+ "USER_WORKSTATION_TRUST_ACCOUNT",
 "USER_ACCOUNT_DISABLED",
- "USER_PASSWORD_NOT_REQUIRED",
- "USER_WORKSTATION_TRUST_ACCOUNT"
+ "USER_PASSWORD_NOT_REQUIRED"
 ],
 "NewUacValue": "0x85",
 "OldUacValue": "0x0",
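Review bot: The NewUACList order in the regenerated 4741 golden file (and likewise 4742 on the next line) changed from alphabetical to WORKSTATION_TRUST, ACCOUNT_DISABLED, PASSWORD_NOT_REQUIRED while NewUacValue is unchanged, so only the element order moved, not the content. If the pipeline derives this list from a map or set, that order may not be stable across Elasticsearch versions or runs, and a byte-for-byte golden comparison would then flake rather than catch a real change. It would be safer to sort the list in the pipeline step that builds it, or to compare this field order-insensitively in the test, so the fixture does not depend on iteration order; this is inferred from the visible reorder and should be confirmed against the pipeline definition.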
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4742.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4742.golden.json
index 48c266b8774f..558321391657 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4742.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4742.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2019-12-18T16:22:12.3425087Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "changed-computer-account",
@@ -54,8 +54,8 @@
 "HomePath": "-",
 "LogonHours": "-",
 "NewUACList": [
- "USER_PASSWORD_NOT_REQUIRED",
- "USER_WORKSTATION_TRUST_ACCOUNT"
+ "USER_WORKSTATION_TRUST_ACCOUNT",
+ "USER_PASSWORD_NOT_REQUIRED"
 ],
 "NewUacValue": "0x84",
 "OldUacValue": "0x85",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4743.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4743.golden.json
index 5e31341a0a68..7d6818e8656e 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4743.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4743.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2019-12-18T16:25:21.5781833Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "deleted-computer-account",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4744.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4744.golden.json
index 10b19723cc18..fb8d878776e8 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4744.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4744.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2019-12-18T16:26:46.8744233Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "added-distribution-group-account",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4745.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4745.golden.json index 581a68898a63..48f43fda57ad 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4745.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4745.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-12-18T16:29:05.0175739Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "changed-distribution-group-account", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4746.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4746.golden.json index dcc3e2c9525d..132ca10276ae 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4746.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4746.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-12-18T16:31:01.6117458Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "added-member-to-distribution-group", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4747.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4747.golden.json index b98e5c3aa901..078124cedf04 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4747.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4747.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-12-18T16:35:16.6816525Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "removed-member-from-distribution-group", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4748.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4748.golden.json index 5710e63ea776..b4fda07d670d 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4748.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4748.golden.json 
@@ -2,7 +2,7 @@ { "@timestamp": "2019-12-19T08:01:45.9824133Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "deleted-distribution-group-account", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4749.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4749.golden.json index 3fa551ed906a..c9474e47afe1 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4749.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4749.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-12-19T08:03:42.7234679Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "added-distribution-group-account", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4750.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4750.golden.json index de5da8db2413..60013d4cae23 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4750.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4750.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-12-19T08:10:57.4737631Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "changed-distribution-group-account", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4751.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4751.golden.json index e08c6d69cd43..ca68ddb6123d 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4751.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4751.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-12-19T08:20:29.0889568Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "added-member-to-distribution-group", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4752.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4752.golden.json index 7f761d861f7e..913e920b3e68 100644 
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4752.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4752.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-12-19T08:21:23.6444225Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "removed-member-from-distribution-group", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4753.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4753.golden.json index 990644b55d19..12834a559c9a 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4753.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4753.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-12-19T08:24:36.5952761Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "deleted-distribution-group-account", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4759.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4759.golden.json index 7cc773fd0f0a..2b2a5a5221c7 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4759.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4759.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-12-19T08:26:26.1432582Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "added-distribution-group-account", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4760.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4760.golden.json index 6b1558b8fb9b..0c810f816a08 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4760.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4760.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-12-19T08:28:21.0305977Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "changed-distribution-group-account", 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4761.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4761.golden.json index 109f5487a23b..d936799d3d39 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4761.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4761.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-12-19T08:29:38.4487328Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "added-member-to-distribution-group", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4762.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4762.golden.json index ffbeb8b1c15e..f30f7382c5b8 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4762.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4762.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-12-19T08:33:25.9678735Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "removed-member-from-distribution-group", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4763.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4763.golden.json index 2165a06fda9e..607f86c3b02f 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4763.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4763.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-12-19T08:34:23.1623432Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "deleted-distribution-group-account", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4778.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4778.golden.json index 2c7901156834..def5b0554bb6 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4778.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4778.golden.json 
@@ -2,7 +2,7 @@ { "@timestamp": "2023-01-17T21:35:22.347Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "session-reconnected", @@ -76,7 +76,7 @@ { "@timestamp": "2023-01-17T14:30:22.209Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "session-reconnected", @@ -150,7 +150,7 @@ { "@timestamp": "2023-01-17T12:16:32.656Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "session-reconnected", @@ -224,7 +224,7 @@ { "@timestamp": "2023-01-17T11:38:09.038Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "session-reconnected", @@ -298,7 +298,7 @@ { "@timestamp": "2023-01-17T05:15:18.808Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "session-reconnected", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4779.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4779.golden.json index f3579ec77c58..16517e849414 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4779.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4779.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2023-01-17T22:37:25.192Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "session-disconnected", @@ -72,7 +72,7 @@ { "@timestamp": "2023-01-17T22:09:56.356Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "session-disconnected", @@ -142,7 +142,7 @@ { "@timestamp": "2023-01-17T21:55:25.393Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "session-disconnected", @@ -212,7 +212,7 @@ { "@timestamp": "2023-01-17T21:54:30.313Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "session-disconnected", @@ -282,7 +282,7 @@ { "@timestamp": "2023-01-17T21:53:19.623Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "session-disconnected", 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4797.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4797.golden.json index d1acbe53943a..87abc5da289d 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4797.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4797.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2023-01-17T22:10:41.555Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "query-existence-of-blank-password", @@ -76,7 +76,7 @@ { "@timestamp": "2023-01-17T22:10:41.532Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "query-existence-of-blank-password", @@ -150,7 +150,7 @@ { "@timestamp": "2023-01-17T22:10:41.512Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "query-existence-of-blank-password", @@ -224,7 +224,7 @@ { "@timestamp": "2023-01-17T22:10:41.490Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "query-existence-of-blank-password", @@ -298,7 +298,7 @@ { "@timestamp": "2023-01-17T22:10:41.468Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "query-existence-of-blank-password", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4817_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4817_WindowsSrv2016.golden.json index 9f3dfc9f046f..09e0d0338ff3 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4817_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4817_WindowsSrv2016.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2020-08-17T12:49:09.4942066Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "object-audit-changed", 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4902_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4902_WindowsSrv2016.golden.json index cc5b83bb59e5..753c4dc59a16 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4902_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4902_WindowsSrv2016.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2020-08-19T06:07:08.801981Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "user-audit-policy-created", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4904_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4904_WindowsSrv2016.golden.json index ec1af11057ff..a66a5b95f352 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4904_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4904_WindowsSrv2016.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2020-08-19T07:56:52.019802Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "security-event-source-added", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4905_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4905_WindowsSrv2016.golden.json index 5d6c75b55031..cff21265d803 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4905_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4905_WindowsSrv2016.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2020-08-19T07:56:51.5792901Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "security-event-source-removed", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4906_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4906_WindowsSrv2016.golden.json index 861be0f18576..b694c3fc77c7 100644 
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4906_WindowsSrv2016.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4906_WindowsSrv2016.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2020-08-18T09:19:00.2372249Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "crash-on-audit-changed",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4907_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4907_WindowsSrv2016.golden.json
index 1596c1a5d029..8c1bcda8ae46 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4907_WindowsSrv2016.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4907_WindowsSrv2016.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2020-08-19T07:56:17.1121901Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "audit-setting-changed",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4908_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4908_WindowsSrv2016.golden.json
index 28ad27ec5a67..c4389cc41be9 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4908_WindowsSrv2016.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4908_WindowsSrv2016.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2020-08-19T06:07:25.0461779Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "special-group-table-changed",
@@ -32,10 +32,12 @@
 "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
 "event_data": {
 "SidList": [
+ "",
 "%{S-1-5-32-544}",
 "%{S-1-5-32-123-54-65}"
 ],
 "SidListDesc": [
+ "",
 "Administrators",
 "S-1-5-32-123-54-65"
 ]
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/5379.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/5379.golden.json
index b7958910a049..fac50d93b551 100644
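Review bot: The regenerated 4908 expected output now carries an empty-string element at the head of both SidList and SidListDesc, which looks like the artifact of splitting a delimiter-led string rather than a real entry; if so, regenerating the golden file bakes a pipeline regression into the test instead of catching it. The two real SIDs visible here are `%{S-1-5-32-544}` and `%{S-1-5-32-123-54-65}`, so it would be worth confirming against the raw event that the table holds exactly two entries and, if it does, trimming the leading delimiter or dropping empty elements in the split step of the security pipeline before regenerating this fixture. An empty SID in a special-group table event is also a confusing value for any detection rule keyed on SidList. This is inferred from the visible lines and should be verified against the pipeline definition.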
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/5379.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/5379.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2023-01-17T22:18:03.557Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "credential-manager-credentials-were-read", @@ -75,7 +75,7 @@ { "@timestamp": "2023-01-17T22:18:03.553Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "credential-manager-credentials-were-read", @@ -148,7 +148,7 @@ { "@timestamp": "2023-01-17T22:18:03.548Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "credential-manager-credentials-were-read", @@ -221,7 +221,7 @@ { "@timestamp": "2023-01-17T22:18:03.543Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "credential-manager-credentials-were-read", @@ -294,7 +294,7 @@ { "@timestamp": "2023-01-17T22:18:03.539Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "credential-manager-credentials-were-read", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/5380.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/5380.golden.json index 81527ef1a5f4..9225abe2d9ad 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/5380.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/5380.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2023-01-17T10:11:25.557Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "vault-credential-find", @@ -73,7 +73,7 @@ { "@timestamp": "2023-01-17T10:11:25.532Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "vault-credential-find", @@ -144,7 +144,7 @@ { "@timestamp": "2023-01-17T10:11:25.498Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "vault-credential-find", 
@@ -215,7 +215,7 @@ { "@timestamp": "2023-01-17T10:11:24.775Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "vault-credential-find", @@ -286,7 +286,7 @@ { "@timestamp": "2023-01-17T10:11:24.542Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "vault-credential-find", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/5381.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/5381.golden.json index 2ba518e4db19..3e7cee352ed1 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/5381.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/5381.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2023-01-17T21:15:02.549Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "vault-credentials-were-read", @@ -71,7 +71,7 @@ { "@timestamp": "2023-01-17T17:52:51.488Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "vault-credentials-were-read", @@ -140,7 +140,7 @@ { "@timestamp": "2023-01-17T15:35:00.493Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "vault-credentials-were-read", @@ -209,7 +209,7 @@ { "@timestamp": "2023-01-17T15:06:28.132Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "vault-credentials-were-read", @@ -278,7 +278,7 @@ { "@timestamp": "2023-01-17T14:55:56.297Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "vault-credentials-were-read", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/5382.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/5382.golden.json index c74840d4deb9..f27c875e0d85 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/5382.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/5382.golden.json 
@@ -2,7 +2,7 @@ { "@timestamp": "2023-01-17T22:25:53.163Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "vault-credentials-were-read", @@ -75,7 +75,7 @@ { "@timestamp": "2023-01-17T21:53:44.417Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "vault-credentials-were-read", @@ -148,7 +148,7 @@ { "@timestamp": "2023-01-17T21:53:44.412Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "vault-credentials-were-read", @@ -221,7 +221,7 @@ { "@timestamp": "2023-01-17T21:53:44.411Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "vault-credentials-were-read", @@ -294,7 +294,7 @@ { "@timestamp": "2023-01-17T21:53:44.411Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "vault-credentials-were-read", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4673.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4673.golden.json index 79b51a441b8d..ddf6a58efee2 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4673.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4673.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2020-04-06T06:39:04.5491199Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "privileged-service-called", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4674.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4674.golden.json index e0454071eab9..885ba9c7b867 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4674.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4674.golden.json 
@@ -2,7 +2,7 @@ { "@timestamp": "2020-04-06T06:38:31.1087891Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "privileged-operation", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4697.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4697.golden.json index f17d808210d8..b1d84da61ef7 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4697.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4697.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2020-04-02T14:34:08.8896056Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "service-installed", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4698.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4698.golden.json index ed052f5494cc..5515e1e00842 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4698.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4698.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2020-04-01T14:34:34.6061085Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "scheduled-task-created", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4699.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4699.golden.json index f25ce8345f4e..5b588017d666 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4699.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4699.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2020-04-01T14:35:47.822282Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "scheduled-task-deleted", 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4700.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4700.golden.json index 6df4512e1f59..4bb4acaf1e46 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4700.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4700.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2020-04-01T14:35:14.8732455Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "scheduled-task-enabled", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4701.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4701.golden.json index a1a43298ad25..bd842c512cb7 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4701.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4701.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2020-04-01T14:35:04.7030004Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "scheduled-task-disabled", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4702.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4702.golden.json index a848d565d18a..2e82babd2fcd 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4702.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4702.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2020-04-01T14:35:36.2637108Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "scheduled-task-updated", 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4768.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4768.golden.json
index edfcfdafd31a..7e060d0e3292 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4768.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4768.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2020-04-01T08:45:44.1717416Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "kerberos-authentication-ticket-requested",
@@ -61,8 +61,8 @@
 "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96",
 "TicketOptions": "0x40810010",
 "TicketOptionsDescription": [
- "Renewable-ok",
 "Name-canonicalize",
+ "Renewable-ok",
 "Renewable",
 "Forwardable"
 ]
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4769.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4769.golden.json
index 581aa06da469..518d12a51791 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4769.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4769.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2020-04-01T08:45:44.1717416Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "kerberos-service-ticket-requested",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4770.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4770.golden.json
index 1feb88ec7d35..d61692e5d913 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4770.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4770.golden.json
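Review bot: The `@@ -61,8 +61,8 @@` hunk of the 4768 golden changes only the order of `TicketOptionsDescription` ("Renewable-ok" moves below "Name-canonicalize"), and the new order is neither alphabetical nor the ascending-bit order the old list appears to have followed, which suggests the pipeline's flag expansion now emits elements in an implementation-dependent order. An order-sensitive golden comparison on such a field will break again on the next pipeline or Elasticsearch change while saying nothing about whether the flags themselves are decoded correctly. If the pipeline cannot sort the list, the simulate test could compare array-valued fields as sets, or the pipeline could apply a sort so the goldens encode a defined order; the pipeline change itself is outside this chunk, so I cannot tell which is easier. The same reorder-only change appears in the 4770 and 4771 hunks and in both `NewUACList` hunks of the 4720 golden.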
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2020-04-01T07:32:55.0104462Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "kerberos-service-ticket-renewed",
@@ -56,8 +56,8 @@
 "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96",
 "TicketOptions": "0x10002",
 "TicketOptionsDescription": [
- "Renew",
- "Name-canonicalize"
+ "Name-canonicalize",
+ "Renew"
 ]
 },
 "event_id": "4770",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4771.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4771.golden.json
index 47530545d71f..88b462c89774 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4771.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4771.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2020-03-31T07:50:27.1681182Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "kerberos-preauth-failed",
@@ -56,8 +56,8 @@
 "TargetUserName": "MPUIG",
 "TicketOptions": "0x40810010",
 "TicketOptionsDescription": [
- "Renewable-ok",
 "Name-canonicalize",
+ "Renewable-ok",
 "Renewable",
 "Forwardable"
 ]
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4776.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4776.golden.json
index 35a91707f7e3..ddf37a286ed7 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4776.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4776.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2020-04-01T08:45:42.1873153Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "credential-validated",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4778.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4778.golden.json index 702e036b24ee..f560812a5365 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4778.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4778.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2020-04-05T16:33:32.3888253Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "session-reconnected", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4779.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4779.golden.json index b87c03adc539..c46dc464dd2c 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4779.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4779.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2020-04-03T10:18:01.8822336Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "session-disconnected", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012r2-logon.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012r2-logon.golden.json index a77484fb36a1..68f74cfd4823 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012r2-logon.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012r2-logon.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-03-29T21:10:39.7868321Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "logged-in", @@ -89,7 +89,7 @@ { "@timestamp": "2019-03-29T21:10:40.2555609Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "logged-in", 
@@ -176,7 +176,7 @@ { "@timestamp": "2019-03-29T21:10:40.3805426Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "logged-in", @@ -269,7 +269,7 @@ { "@timestamp": "2019-03-29T21:10:40.5055514Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "logged-in", @@ -356,7 +356,7 @@ { "@timestamp": "2019-03-29T21:10:40.6305447Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "logged-in", @@ -442,7 +442,7 @@ { "@timestamp": "2019-03-29T21:10:53.6617957Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "logged-in", @@ -528,7 +528,7 @@ { "@timestamp": "2019-03-29T21:10:54.6618303Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "logged-in", @@ -614,7 +614,7 @@ { "@timestamp": "2019-03-29T21:10:55.4587259Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "logged-in", @@ -700,7 +700,7 @@ { "@timestamp": "2019-03-29T21:13:17.3025591Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "logged-in", @@ -789,7 +789,7 @@ { "@timestamp": "2019-03-29T21:13:17.5213056Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "logged-in", @@ -876,7 +876,7 @@ { "@timestamp": "2019-03-29T21:13:17.6149946Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "logged-in", @@ -969,7 +969,7 @@ { "@timestamp": "2019-03-29T21:13:18.7869259Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "logged-in", @@ -1056,7 +1056,7 @@ { "@timestamp": "2019-03-29T21:20:48.7402309Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "logged-in", @@ -1143,7 +1143,7 @@ { "@timestamp": "2019-03-29T21:20:48.7402309Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "logged-in", 
@@ -1230,7 +1230,7 @@ { "@timestamp": "2019-03-29T21:20:50.5840151Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "logged-in", @@ -1317,7 +1317,7 @@ { "@timestamp": "2019-03-29T21:23:42.5201798Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "logged-in", @@ -1404,7 +1404,7 @@ { "@timestamp": "2019-03-29T21:26:24.1764267Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "logged-in", @@ -1491,7 +1491,7 @@ { "@timestamp": "2019-03-29T21:45:35.177054Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "logon-failed", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-4672.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-4672.golden.json index b7eecb441394..e0baf5c9c79a 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-4672.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-4672.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2018-05-18T23:09:03.2086661Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "logged-in-special", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-logoff.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-logoff.golden.json index 83e4a7c656c1..2e879b5af037 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-logoff.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-logoff.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-05-17T11:06:58.210768Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "logged-out", @@ -69,7 +69,7 @@ { "@timestamp": "2019-05-19T16:15:38.542273Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "logged-out", 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4720_Account_Created.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4720_Account_Created.golden.json
index 4c9c4c3f8a07..d37a6ae5df0e 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4720_Account_Created.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4720_Account_Created.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2019-09-06T13:24:39.2933111Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "added-user-account",
@@ -54,9 +54,9 @@
 "HomePath": "\u003cvalue not set\u003e",
 "LogonHours": "All",
 "NewUACList": [
+ "USER_NORMAL_ACCOUNT",
 "USER_ACCOUNT_DISABLED",
- "USER_PASSWORD_NOT_REQUIRED",
- "USER_NORMAL_ACCOUNT"
+ "USER_PASSWORD_NOT_REQUIRED"
 ],
 "NewUacValue": "0x15",
 "OldUacValue": "0x0",
@@ -106,7 +106,7 @@
 {
 "@timestamp": "2019-09-06T13:25:21.8672707Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "added-user-account",
@@ -158,9 +158,9 @@
 "HomePath": "\u003cvalue not set\u003e",
 "LogonHours": "All",
 "NewUACList": [
+ "USER_NORMAL_ACCOUNT",
 "USER_ACCOUNT_DISABLED",
- "USER_PASSWORD_NOT_REQUIRED",
- "USER_NORMAL_ACCOUNT"
+ "USER_PASSWORD_NOT_REQUIRED"
 ],
 "NewUacValue": "0x15",
 "OldUacValue": "0x0",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4722_Account_Enabled.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4722_Account_Enabled.golden.json
index 07721d174a84..a19a533175f1 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4722_Account_Enabled.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4722_Account_Enabled.golden.json
@@ -2,7 +2,7 @@ { "@timestamp": "2019-09-06T13:28:46.1631928Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "enabled-user-account", @@ -78,7 +78,7 @@ { "@timestamp": "2019-09-06T13:29:08.5737904Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "enabled-user-account", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4723_Password_Change.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4723_Password_Change.golden.json index 3f487e030972..38e083e4cb76 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4723_Password_Change.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4723_Password_Change.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-09-06T13:32:13.8554125Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "changed-password", @@ -78,7 +78,7 @@ { "@timestamp": "2019-09-06T13:32:23.8855201Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "changed-password", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4724_Password_Reset.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4724_Password_Reset.golden.json index 1833927d02c2..f5c6528034a8 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4724_Password_Reset.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4724_Password_Reset.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-09-06T13:24:39.339071Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "reset-password", @@ -78,7 +78,7 @@ { "@timestamp": "2019-09-06T13:25:21.9005914Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "reset-password", 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4725_Account_Disabled.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4725_Account_Disabled.golden.json index 79790a16dee5..5da84db19c96 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4725_Account_Disabled.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4725_Account_Disabled.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-09-06T13:28:40.0015275Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "disabled-user-account", @@ -78,7 +78,7 @@ { "@timestamp": "2019-09-06T13:28:55.2644212Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "disabled-user-account", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4726_Account_Deleted.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4726_Account_Deleted.golden.json index 0bda306500cd..9cad989e7796 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4726_Account_Deleted.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4726_Account_Deleted.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-09-06T13:35:25.5153959Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "deleted-user-account", @@ -79,7 +79,7 @@ { "@timestamp": "2019-09-06T13:35:29.6900555Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "deleted-user-account", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4727.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4727.golden.json index 7c0daddda1eb..2793819869f6 100644 
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4727.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4727.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-10-22T11:26:12.4955445Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "added-group-account", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4728.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4728.golden.json index 8003cd0b0192..5e6830e23416 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4728.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4728.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-10-22T11:33:26.8613751Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "added-member-to-group", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4729.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4729.golden.json index 4192234cfafa..dcbaf4c9a98f 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4729.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4729.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-10-22T11:33:45.5433159Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "removed-member-from-group", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4730.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4730.golden.json index 9e1569a960de..159d5e83a083 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4730.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4730.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-10-22T11:34:01.6107262Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "deleted-group-account", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4731.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4731.golden.json index 04208917be62..c3259e0c4c83 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4731.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4731.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-10-22T11:29:49.3586766Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "added-group-account", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4732.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4732.golden.json index 676eb809a242..0f0daa2aa74b 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4732.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4732.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-10-22T11:31:58.0398598Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "added-member-to-group", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4733.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4733.golden.json index 039f194b6ea2..858f531d7abc 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4733.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4733.golden.json 
@@ -2,7 +2,7 @@ { "@timestamp": "2019-10-22T11:32:14.8941288Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "removed-member-from-group", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4734.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4734.golden.json index f787de71d20a..49734d7cc13c 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4734.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4734.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-10-22T11:32:35.1274042Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "deleted-group-account", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4735.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4735.golden.json index f714031bc222..b3d326a04ca3 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4735.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4735.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-10-22T11:32:30.425487Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "modified-group-account", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4737.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4737.golden.json index a975fff3e55d..7ed262536edb 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4737.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4737.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-10-22T11:33:57.2710608Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "modified-group-account", 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4738_Account_Changed.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4738_Account_Changed.golden.json
index 6b698d60b78c..5c94dd069e68 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4738_Account_Changed.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4738_Account_Changed.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2019-09-06T13:36:17.5667652Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "modified-user-account",
@@ -74,9 +74,7 @@
 "TargetDomainName": "WIN-41OB2LO92CR",
 "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005",
 "TargetUserName": "elastictest1",
- "UserAccountControl": [
- "-"
- ],
+ "UserAccountControl": "-",
 "UserParameters": "\u003cvalue not set\u003e",
 "UserPrincipalName": "-",
 "UserWorkstations": "\u003cvalue not set\u003e"
@@ -104,7 +102,7 @@
 {
 "@timestamp": "2019-09-06T13:36:36.3634107Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "modified-user-account",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4740_Account_Locked_Out.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4740_Account_Locked_Out.golden.json
index 117bc6ecfc3c..58c75c678d89 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4740_Account_Locked_Out.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4740_Account_Locked_Out.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2019-09-06T13:39:43.0856521Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "locked-out-user-account",
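Review bot: The `@@ -74,9 +74,7 @@` hunk of the 4738 golden turns `UserAccountControl` from the one-element array `["-"]` into the scalar string `"-"`, so the field's JSON shape now depends on the event's content; the second event in this file (its `@@ -104,7 +102,7 @@` hunk only shows the `ecs.version` line) does not reveal which form a populated value takes. A field that is sometimes a list and sometimes a string is awkward for consumers that iterate it or build detection logic on it, and `"-"` appears to be the Windows placeholder for "attribute not changed" rather than a control flag. If that reading is right, it would be cleaner for the pipeline to drop the field (or emit an empty list) for the placeholder and keep the array form for real flag values; at minimum the processor that yields this shape deserves a comment such as `# "-" means no UAC flags changed; value is left unparsed`. The pipeline change itself is outside this chunk, so the exact processor is inferred.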
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4754.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4754.golden.json index 75e8b17da109..244128b2b8c9 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4754.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4754.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-10-22T11:34:33.783048Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "added-group-account", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4755.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4755.golden.json index 45aa9656b2b5..c01d24087e7e 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4755.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4755.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-10-22T11:35:09.0701134Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "modified-group-account", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4756.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4756.golden.json index d96febf2d1f9..8ced27e81777 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4756.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4756.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-10-22T11:34:58.4130288Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "added-member-to-group", 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4757.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4757.golden.json index 64018b473626..242520f67ae9 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4757.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4757.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-10-22T11:35:09.0701919Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "removed-member-from-group", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4758.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4758.golden.json index 2c506ec72bbc..c909ce887454 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4758.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4758.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-10-22T11:35:13.5502867Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "deleted-group-account", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4764.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4764.golden.json index 91d5ffba175a..958996c37001 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4764.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4764.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-10-22T11:33:57.271141Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "type-changed-group-account", 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4767_Account_Unlocked.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4767_Account_Unlocked.golden.json index 344e1c791536..b5e001c7e725 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4767_Account_Unlocked.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4767_Account_Unlocked.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-09-06T13:40:52.3149485Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "unlocked-user-account", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4781_Account_Renamed.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4781_Account_Renamed.golden.json index 81ed745b2eee..1e9d74d6d60a 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4781_Account_Renamed.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4781_Account_Renamed.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-09-06T13:38:17.5566269Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "renamed-user-account", @@ -82,7 +82,7 @@ { "@timestamp": "2019-09-06T13:38:23.5161066Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "renamed-user-account", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4798.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4798.golden.json index 95744e328f82..ee4900477329 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4798.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4798.golden.json 
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2019-10-08T10:20:34.0535453Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "group-membership-enumerated",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4799.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4799.golden.json
index 3ea261e3f824..79652e9d33ba 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4799.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4799.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2019-10-08T10:20:44.4724208Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "user-member-enumerated",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4964.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4964.golden.json
index 0105f55f0c77..25340be8537e 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4964.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4964.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2020-03-21T23:50:34.347458Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "logged-in-special",
@@ -42,7 +42,7 @@
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "event_data": {
 "LogonGuid": "{00000000-0000-0000-0000-000000000000}",
- "SidList": "\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-519}",
+ "SidList": " %{S-1-5-21-101361758-2486510592-3018839910-519}",
 "SubjectDomainName": "WLBEAT",
 "SubjectLogonId": "0x3e7",
 "SubjectUserName": "WIN-41OB2LO92CR$",
@@ -76,7 +76,7 @@
 {
 "@timestamp": "2020-03-24T16:36:59.5703294Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "logged-in-special",
@@ -116,7 +116,7 @@
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "event_data": {
 "LogonGuid": "{00000000-0000-0000-0000-000000000000}",
- "SidList": "\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-512}\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-519}\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-1007}",
+ "SidList": " %{S-1-5-21-101361758-2486510592-3018839910-512} %{S-1-5-21-101361758-2486510592-3018839910-519} %{S-1-5-21-101361758-2486510592-3018839910-1007}",
 "SubjectDomainName": "WLBEAT",
 "SubjectLogonId": "0x3e7",
 "SubjectUserName": "WIN-41OB2LO92CR$",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4688_Process_Created.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4688_Process_Created.golden.json
index ad67510f4801..8e4026fe7737 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4688_Process_Created.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4688_Process_Created.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2019-11-14T17:10:15.1515514Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "created-process",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4689_Process_Exited.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4689_Process_Exited.golden.json
index fe343e8a273a..fe2cd1d5967e 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4689_Process_Exited.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4689_Process_Exited.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2019-11-14T21:26:49.4961966Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "exited-process",
@@ -73,7 +73,7 @@
 {
 "@timestamp": "2019-11-14T21:27:46.9609089Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "exited-process",
@@ -144,7 +144,7 @@
 {
 "@timestamp": "2019-11-14T21:28:18.4605129Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
 "action": "exited-process",
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-10.2-dns.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-10.2-dns.golden.json
index f641be5635c3..e5e1a64db0cb 100644
--- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-10.2-dns.golden.json
+++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-10.2-dns.golden.json
@@ -27,10 +27,10 @@
 ]
 },
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
- "action": "Dns query (rule: DnsQuery)",
+ "action": "DNSEvent (DNS query)",
 "category": [
 "network"
 ],
@@ -130,10 +130,10 @@
 ]
 },
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
- "action": "Dns query (rule: DnsQuery)",
+ "action": "DNSEvent (DNS query)",
 "category": [
 "network"
 ],
@@ -234,10 +234,10 @@
 ]
 },
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
- "action": "Dns query (rule: DnsQuery)",
+ "action": "DNSEvent (DNS query)",
 "category": [
 "network"
 ],
@@ -342,10 +342,10 @@
 ]
 },
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
- "action": "Dns query (rule: DnsQuery)",
+ "action": "DNSEvent (DNS query)",
 "category": [
 "network"
 ],
@@ -446,10 +446,10 @@
 ]
 },
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
- "action": "Dns query (rule: DnsQuery)",
+ "action": "DNSEvent (DNS query)",
 "category": [
 "network"
 ],
@@ -556,10 +556,10 @@
 ]
 },
 "ecs": {
- "version": "1.12.0"
+ "version": "8.17.0"
 },
 "event": {
- "action": "Dns query (rule: DnsQuery)",
+ "action": "DNSEvent (DNS query)",
 "category": [
 "network"
 ],
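Review bot: The new expected `event.action` value `DNSEvent (DNS query)` replacing `Dns query (rule: DnsQuery)` in sysmon-10.2-dns.golden.json (first at the `@@ -27,10 +27,10 @@` hunk, then in every later hunk of that file, and the parallel `FileDelete (File Delete archived)` rename in sysmon-11-filedelete.golden.json) records a user-visible change in the sysmon pipeline's output rather than a plain fixture refresh. Any detection rule, saved search or alert keyed on the old `event.action` string silently stops matching once this pipeline ships, and the commit message only describes fixing broken tests and running them on CI. If the rename is intended (the description says the pipelines were copied from elastic/integrations), it deserves a changelog entry and a short migration note listing the old and new `event.action` strings; if it is not intended, regenerating the golden files masks a regression. The `SidList` expectation in security-windows2016_4964.golden.json (`@@ -42,7 +42,7 @@` and `@@ -116,7 +116,7 @@` on the preceding lines) likewise changes from a `\n\t\t`-separated value to a space-joined one with a leading space, which presumably comes from a whitespace-normalization step in the pipeline; worth confirming that consumers splitting that field on whitespace do not now receive an empty first element.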
@@ -656,10 +656,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -763,10 +763,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -859,10 +859,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -968,10 +968,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -1113,10 +1113,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -1220,10 +1220,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -1322,10 +1322,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -1430,10 +1430,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -1526,10 +1526,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], 
@@ -1633,10 +1633,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -1737,10 +1737,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -1840,10 +1840,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -1970,10 +1970,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -2085,10 +2085,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -2241,10 +2241,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -2394,10 +2394,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -2550,10 +2550,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -2672,10 +2672,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], 
@@ -2824,10 +2824,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -2986,10 +2986,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -3095,10 +3095,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -3238,10 +3238,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -3349,10 +3349,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -3493,10 +3493,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -3600,10 +3600,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -3698,10 +3698,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -3835,10 +3835,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], 
@@ -3969,10 +3969,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -4073,10 +4073,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -4206,10 +4206,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -4361,10 +4361,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -4520,10 +4520,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -4628,10 +4628,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -4776,10 +4776,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -4928,10 +4928,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -5035,10 +5035,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], 
@@ -5129,10 +5129,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -5239,10 +5239,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -5380,10 +5380,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -5530,10 +5530,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -5645,10 +5645,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -5796,10 +5796,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -5913,10 +5913,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -6042,10 +6042,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -6150,10 +6150,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], 
@@ -6249,10 +6249,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -6334,10 +6334,10 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -6415,10 +6415,10 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -6554,10 +6554,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -6670,10 +6670,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -6770,10 +6770,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -6913,10 +6913,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -7029,10 +7029,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -7174,10 +7174,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], 
@@ -7281,10 +7281,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -7394,10 +7394,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -7510,10 +7510,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -7612,10 +7612,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -7755,10 +7755,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -7912,10 +7912,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -8071,10 +8071,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -8224,10 +8224,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -8340,10 +8340,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], 
@@ -8455,10 +8455,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -8556,10 +8556,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -8699,10 +8699,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -8861,10 +8861,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -9014,10 +9014,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -9125,10 +9125,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -9274,10 +9274,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -9386,10 +9386,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -9535,10 +9535,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], 
@@ -9688,10 +9688,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -9818,10 +9818,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -9972,10 +9972,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -10105,10 +10105,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -10204,10 +10204,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -10346,10 +10346,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -10468,10 +10468,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -10564,10 +10564,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -10706,10 +10706,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], 
@@ -10859,10 +10859,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -10991,10 +10991,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -11139,10 +11139,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -11280,10 +11280,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -11419,10 +11419,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -11579,10 +11579,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -11734,10 +11734,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -11880,10 +11880,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -12031,10 +12031,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], 
@@ -12183,10 +12183,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -12294,10 +12294,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -12436,10 +12436,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -12547,10 +12547,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -12661,10 +12661,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -12767,10 +12767,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -12871,10 +12871,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -12974,10 +12974,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -13078,10 +13078,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], 
@@ -13177,10 +13177,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -13284,10 +13284,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -13388,10 +13388,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -13495,10 +13495,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -13599,10 +13599,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -13702,10 +13702,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -13805,10 +13805,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -13955,10 +13955,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -14078,10 +14078,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], 
@@ -14185,10 +14185,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -14330,10 +14330,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -14433,10 +14433,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -14534,10 +14534,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -14683,10 +14683,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -14791,10 +14791,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -14893,10 +14893,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -15040,10 +15040,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -15202,10 +15202,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], 
@@ -15315,10 +15315,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -15464,10 +15464,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -15623,10 +15623,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -15777,10 +15777,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -15925,10 +15925,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -16082,10 +16082,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -16445,10 +16445,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -16659,10 +16659,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -16770,10 +16770,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], 
@@ -16876,10 +16876,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -16963,10 +16963,10 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -17061,10 +17061,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -17211,10 +17211,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -17370,10 +17370,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -17482,10 +17482,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -17626,10 +17626,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -17778,10 +17778,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -17929,10 +17929,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], 
@@ -18069,10 +18069,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -18178,10 +18178,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -18281,10 +18281,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -18425,10 +18425,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -18548,10 +18548,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -18701,10 +18701,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -18809,10 +18809,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -18911,10 +18911,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -19010,10 +19010,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], 
@@ -19095,10 +19095,10 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -19173,10 +19173,10 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -19251,10 +19251,10 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -19353,10 +19353,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -19453,10 +19453,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], @@ -19585,10 +19585,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Dns query (rule: DnsQuery)", + "action": "DNSEvent (DNS query)", "category": [ "network" ], diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedelete.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedelete.golden.json index f718c8506c2c..7339c2c56c40 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedelete.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedelete.golden.json @@ -2,10 +2,10 @@ { "@timestamp": "2020-05-07T08:14:44.489Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "File Delete archived (rule: FileDelete)", + "action": "FileDelete (File Delete archived)", "category": [ "file" ], 
@@ -89,10 +89,10 @@ { "@timestamp": "2020-05-07T07:27:18.722Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "File Delete archived (rule: FileDelete)", + "action": "FileDelete (File Delete archived)", "category": [ "file" ], @@ -172,10 +172,10 @@ { "@timestamp": "2020-05-12T06:48:27.084Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "File Delete archived (rule: FileDelete)", + "action": "FileDelete (File Delete archived)", "category": [ "file" ], diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedeletedetected.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedeletedetected.golden.json index a508af011f9d..a5a552f01093 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedeletedetected.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedeletedetected.golden.json @@ -2,10 +2,10 @@ { "@timestamp": "2022-01-24T05:12:34.328Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "File Delete logged (rule: FileDeleteDetected)", + "action": "FileDeleteDetected (File Delete logged)", "category": [ "file" ], @@ -84,10 +84,10 @@ { "@timestamp": "2022-01-24T05:12:51.031Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "File Delete logged (rule: FileDeleteDetected)", + "action": "FileDeleteDetected (File Delete logged)", "category": [ "file" ], diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-registry.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-registry.golden.json index 506618a3fe76..23f83e48179a 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-registry.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-registry.golden.json 
@@ -2,10 +2,10 @@ { "@timestamp": "2020-05-05T14:57:40.589Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Registry value set (rule: RegistryEvent)", + "action": "RegistryEvent (Value Set)", "category": [ "configuration", "registry" @@ -76,10 +76,10 @@ { "@timestamp": "2020-05-05T14:57:44.714Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Registry value set (rule: RegistryEvent)", + "action": "RegistryEvent (Value Set)", "category": [ "configuration", "registry" @@ -150,10 +150,10 @@ { "@timestamp": "2020-05-05T14:57:44.714Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Registry value set (rule: RegistryEvent)", + "action": "RegistryEvent (Value Set)", "category": [ "configuration", "registry" @@ -224,10 +224,10 @@ { "@timestamp": "2020-05-05T14:57:46.808Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Registry value set (rule: RegistryEvent)", + "action": "RegistryEvent (Value Set)", "category": [ "configuration", "registry" @@ -298,10 +298,10 @@ { "@timestamp": "2020-05-05T14:57:46.808Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Registry value set (rule: RegistryEvent)", + "action": "RegistryEvent (Value Set)", "category": [ "configuration", "registry" diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-loadimage.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-loadimage.golden.json index 7f7531daa3fd..89d8526d49f1 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-loadimage.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-loadimage.golden.json @@ -2,10 +2,10 @@ { "@timestamp": "2020-10-28T02:39:26.374Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Image loaded (rule: ImageLoad)", + "action": "Image loaded", "category": [ "process" ], 
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-processcreate.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-processcreate.golden.json index 02aa528e2297..6ae8f82f82c4 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-processcreate.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-processcreate.golden.json @@ -2,10 +2,10 @@ { "@timestamp": "2020-10-27T20:00:14.320Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Process Create (rule: ProcessCreate)", + "action": "Process creation", "category": [ "process" ], diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-clipboardchange.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-clipboardchange.golden.json index fc4ca383715e..f6d22520e224 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-clipboardchange.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-clipboardchange.golden.json @@ -2,10 +2,10 @@ { "@timestamp": "2021-02-25T15:04:48.592Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Clipboard changed (rule: ClipboardChange)", + "action": "ClipboardChange (New content in the clipboard)", "code": "24", "kind": "event", "module": "sysmon", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-processtampering.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-processtampering.golden.json index 6f410bb65c78..2fa3577bbeba 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-processtampering.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-processtampering.golden.json 
@@ -2,10 +2,10 @@ { "@timestamp": "2021-02-25T14:43:23.550Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Process Tampering (rule: ProcessTampering)", + "action": "ProcessTampering (Process image change)", "category": [ "process" ], diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-9.01.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-9.01.golden.json index 25ad7dde8578..85a33cd6065b 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-9.01.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-9.01.golden.json @@ -2,10 +2,10 @@ { "@timestamp": "2019-03-18T16:57:37.933Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Sysmon config state changed", + "action": "ServiceConfigurationChange", "category": [ "configuration" ], @@ -54,7 +54,7 @@ { "@timestamp": "2019-03-18T16:57:38.011Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { "action": "Sysmon service state changed", @@ -111,10 +111,10 @@ { "@timestamp": "2019-03-18T16:57:37.949Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Process Create (rule: ProcessCreate)", + "action": "Process creation", "category": [ "process" ], @@ -215,10 +215,10 @@ { "@timestamp": "2019-03-18T16:57:37.964Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Process Create (rule: ProcessCreate)", + "action": "Process creation", "category": [ "process" ], @@ -322,10 +322,10 @@ { "@timestamp": "2019-03-18T16:57:38.981Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Process terminated (rule: ProcessTerminate)", + "action": "Process terminated", "category": [ "process" ], 
@@ -380,10 +380,10 @@ { "@timestamp": "2019-03-18T16:57:38.981Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Process terminated (rule: ProcessTerminate)", + "action": "Process terminated", "category": [ "process" ], @@ -438,10 +438,10 @@ { "@timestamp": "2019-03-18T16:57:39.012Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Process Create (rule: ProcessCreate)", + "action": "Process creation", "category": [ "process" ], @@ -549,10 +549,10 @@ "port": 53 }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Network connection detected (rule: NetworkConnect)", + "action": "Network connection", "category": [ "network" ], @@ -635,10 +635,10 @@ "port": 53 }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Network connection detected (rule: NetworkConnect)", + "action": "Network connection", "category": [ "network" ], @@ -722,10 +722,10 @@ "port": 443 }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Network connection detected (rule: NetworkConnect)", + "action": "Network connection", "category": [ "network" ], @@ -809,10 +809,10 @@ "port": 443 }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Network connection detected (rule: NetworkConnect)", + "action": "Network connection", "category": [ "network" ], @@ -896,10 +896,10 @@ "port": 137 }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Network connection detected (rule: NetworkConnect)", + "action": "Network connection", "category": [ "network" ], @@ -983,10 +983,10 @@ "port": 137 }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Network connection detected (rule: NetworkConnect)", + "action": "Network connection", "category": [ "network" ], 
@@ -1068,10 +1068,10 @@ "port": 5355 }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Network connection detected (rule: NetworkConnect)", + "action": "Network connection", "category": [ "network" ], @@ -1155,10 +1155,10 @@ "port": 5355 }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Network connection detected (rule: NetworkConnect)", + "action": "Network connection", "category": [ "network" ], @@ -1241,10 +1241,10 @@ "port": 137 }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Network connection detected (rule: NetworkConnect)", + "action": "Network connection", "category": [ "network" ], @@ -1326,10 +1326,10 @@ "port": 137 }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Network connection detected (rule: NetworkConnect)", + "action": "Network connection", "category": [ "network" ], @@ -1411,10 +1411,10 @@ "port": 5355 }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Network connection detected (rule: NetworkConnect)", + "action": "Network connection", "category": [ "network" ], @@ -1497,10 +1497,10 @@ "port": 5355 }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Network connection detected (rule: NetworkConnect)", + "action": "Network connection", "category": [ "network" ], @@ -1583,10 +1583,10 @@ "port": 137 }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Network connection detected (rule: NetworkConnect)", + "action": "Network connection", "category": [ "network" ], @@ -1669,10 +1669,10 @@ "port": 137 }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Network connection detected (rule: NetworkConnect)", + "action": "Network connection", "category": [ "network" ], 
@@ -1755,10 +1755,10 @@ "port": 137 }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Network connection detected (rule: NetworkConnect)", + "action": "Network connection", "category": [ "network" ], @@ -1841,10 +1841,10 @@ "port": 137 }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Network connection detected (rule: NetworkConnect)", + "action": "Network connection", "category": [ "network" ], @@ -1923,10 +1923,10 @@ { "@timestamp": "2019-03-18T16:57:52.350Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Process terminated (rule: ProcessTerminate)", + "action": "Process terminated", "category": [ "process" ], @@ -1981,10 +1981,10 @@ { "@timestamp": "2019-03-18T16:57:52.364Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Process terminated (rule: ProcessTerminate)", + "action": "Process terminated", "category": [ "process" ], @@ -2039,10 +2039,10 @@ { "@timestamp": "2019-03-18T16:57:52.387Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "File creation time changed (rule: FileCreateTime)", + "action": "A process changed a file creation time", "category": [ "file" ], @@ -2107,10 +2107,10 @@ { "@timestamp": "2019-03-18T16:57:52.417Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "File creation time changed (rule: FileCreateTime)", + "action": "A process changed a file creation time", "category": [ "file" ], @@ -2175,10 +2175,10 @@ { "@timestamp": "2019-03-18T16:57:52.417Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "File creation time changed (rule: FileCreateTime)", + "action": "A process changed a file creation time", "category": [ "file" ], 
@@ -2243,10 +2243,10 @@ { "@timestamp": "2019-03-18T16:57:52.417Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "File creation time changed (rule: FileCreateTime)", + "action": "A process changed a file creation time", "category": [ "file" ], @@ -2311,10 +2311,10 @@ { "@timestamp": "2019-03-18T16:57:52.433Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "Process terminated (rule: ProcessTerminate)", + "action": "Process terminated", "category": [ "process" ], @@ -2369,10 +2369,10 @@ { "@timestamp": "2019-03-18T16:57:52.433Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "File creation time changed (rule: FileCreateTime)", + "action": "A process changed a file creation time", "category": [ "file" ], @@ -2437,10 +2437,10 @@ { "@timestamp": "2019-03-18T16:57:52.433Z", "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { - "action": "File creation time changed (rule: FileCreateTime)", + "action": "A process changed a file creation time", "category": [ "file" ], diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-no-evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-no-evtx.golden.json index 93a011fed42b..04c526c5f34d 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-no-evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-no-evtx.golden.json @@ -29,9 +29,10 @@ ] }, "ecs": { - "version": "1.12.0" + "version": "8.17.0" }, "event": { + "action": "DNSEvent (DNS query)", "category": [ "network" ],