
[Winlogbeat] Event ID reuse in the Security channel causes wrong enrichment #27288

@andrewkroh

Description

The Active Directory Federation Service (AD FS) can publish events to the Windows Security log. Some of the event IDs that it uses overlap with event IDs used by other publishers to the Security channel. This causes a problem with the Security module for Winlogbeat because it assumes the content of an event based on its event ID.

In most systems there are two publishers to the Security channel - Microsoft-Windows-Eventlog and Microsoft-Windows-Security-Auditing - and their event IDs do not collide. Because there can be collisions, the Security module should also check the winlog.provider_name field before making assumptions about the winlog.event_id value.

As an example event ID 1102 from Microsoft-Windows-Eventlog collides with 1102 from the AD FS log. So when the module processes 1102 from AD FS it gets marked event.action: audit-log-cleared.
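The collision described above, worked through as an added example (this is not Winlogbeat's own module code). It puts the ID-only lookup that produces the wrong `event.action` next to a lookup keyed on `winlog.provider_name` first, and runs both over constructed events. The provider name `AD FS Auditing` used for the AD FS publisher and the action strings for 4624/4625 are assumptions for illustration.

```javascript
// Added example, not Winlogbeat code: enrich Security-channel events by
// (provider_name, event_id) rather than event_id alone, so that an AD FS
// event that reuses ID 1102 is not labelled as an audit-log clear.

// Buggy approach from the issue: event_id alone decides the action.
const ACTIONS_BY_ID_ONLY = {
  "1102": "audit-log-cleared",
  "4624": "logged-in",
  "4625": "logon-failed",
};

// Corrected approach: the provider is consulted first, then the event ID.
// Only the two well-known Security publishers are mapped; an event from any
// other provider (such as AD FS) falls through untouched.
const ACTIONS_BY_PROVIDER = {
  "Microsoft-Windows-Eventlog": {
    "1102": "audit-log-cleared",
  },
  "Microsoft-Windows-Security-Auditing": {
    "4624": "logged-in",
    "4625": "logon-failed",
  },
};

// Return a copy of the event with event.action set, or the event unchanged.
function withAction(evt, action) {
  if (!action) return evt;
  return { ...evt, event: { ...evt.event, action } };
}

function enrichByIdOnly(evt) {
  return withAction(evt, ACTIONS_BY_ID_ONLY[String(evt.winlog.event_id)]);
}

function enrichByProvider(evt) {
  const byId = ACTIONS_BY_PROVIDER[evt.winlog.provider_name];
  const action = byId ? byId[String(evt.winlog.event_id)] : undefined;
  return withAction(evt, action);
}

// Constructed sample events (not real captures). The AD FS provider name is
// an assumption; the point is only that it is not one of the two mapped ones.
const SAMPLES = [
  { winlog: { channel: "Security", provider_name: "Microsoft-Windows-Eventlog", event_id: "1102" }, event: {} },
  { winlog: { channel: "Security", provider_name: "AD FS Auditing", event_id: "1102" }, event: {} },
  { winlog: { channel: "Security", provider_name: "Microsoft-Windows-Security-Auditing", event_id: "4624" }, event: {} },
];

// Run an enrichment function over the samples and collect event.action per event.
function actionsFor(enrich) {
  return SAMPLES.map((evt) => enrich(evt).event.action);
}

// ID-only: the AD FS 1102 is wrongly marked audit-log-cleared.
console.log("id-only  :", actionsFor(enrichByIdOnly));
// Provider-aware: only the Microsoft-Windows-Eventlog 1102 gets that action.
console.log("provider :", actionsFor(enrichByProvider));
```

With the ID-only lookup the second sample (AD FS, 1102) comes back as `audit-log-cleared`; with the provider-aware lookup it is left without an action, while the genuine Microsoft-Windows-Eventlog 1102 and the 4624 logon are still enriched.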
