22 "events": [
33 {
44 "@timestamp": "2021-09-14T09:20:46.257Z",
5- "agent":{
6- "ephemeral_id":"b512edb8-9998-42bd-8941-e1e53d750cc9",
7- "hostname":"logcollector2",
8- "id":"ef67a54e-002d-4c31-a1c8-931a1a56bea4",
9- "name":"logcollector2",
10- "type":"filebeat",
11- "version":"7.14.1"
12- },
13- "data_stream":{
14- "dataset":"windows.forwarded",
15- "namespace":"default",
16- "type":"logs"
17- },
18- "ecs":{
19- "version":"1.10.0"
20- },
21- "elastic_agent":{
22- "id":"ef67a54e-002d-4c31-a1c8-931a1a56bea4",
23- "snapshot":false,
24- "version":"7.14.1"
25- },
26- "event":{
27- "code":"22",
28- "created":"2021-09-14T09:20:46.257Z",
29- "dataset":"windows.forwarded",
30- "kind":"event",
31- "provider":"Microsoft-Windows-Sysmon"
32- },
33- "host":{
34- "name": "Win2018Eval"
35- },
36- "input":{
37- "type":"winlog"
38- },
39- "log":{
40- "level":"information"
41- },
42- "tags":["forwarded"],
43- "winlog":{
44- "api":"wineventlog",
45- "channel":"Microsoft-Windows-Sysmon/Operational",
46- "computer_name":"Win2018Eval",
47- "event_data":{
48- "Image":"\u003cunknown process\u003e","ProcessGuid":"{00000000-0000-0000-0000-000000000000}",
49- "ProcessId":"6968",
50- "QueryName":"enterpriseregistration.windows.net",
51- "QueryResults":"type: 5 adrs.privatelink.msidentity.com;type: 5 www.tm.prd.adrs.akadns.net;::ffff:20.190.129.168;",
52- "QueryStatus":"0",
53- "RuleName":"-",
54- "UtcTime":"2021-09-14 09:01:34.006"
55- },
56- "event_id":"22",
57- "process":{
58- "pid":2412,
59- "thread":{
60- "id":3596
61- }
62- },
63- "provider_guid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
64- "provider_name":"Microsoft-Windows-Sysmon",
65- "record_id":12337,
66- "user":{
67- "domain":"NT AUTHORITY",
68- "identifier":"S-1-5-18",
69- "name":"SYSTEM",
70- "type":"User"
71- },
72- "version":5
5+ "agent": {
6+ "ephemeral_id": "b512edb8-9998-42bd-8941-e1e53d750cc9",
7+ "hostname": "logcollector2",
8+ "id": "ef67a54e-002d-4c31-a1c8-931a1a56bea4",
9+ "name": "logcollector2",
10+ "type": "filebeat",
11+ "version": "7.14.1"
12+ },
13+ "data_stream": {
14+ "dataset": "windows.forwarded",
15+ "namespace": "default",
16+ "type": "logs"
17+ },
18+ "ecs": {
19+ "version": "1.10.0"
20+ },
21+ "elastic_agent": {
22+ "id": "ef67a54e-002d-4c31-a1c8-931a1a56bea4",
23+ "snapshot": false,
24+ "version": "7.14.1"
25+ },
26+ "event": {
27+ "code": "22",
28+ "created": "2021-09-14T09:20:46.257Z",
29+ "dataset": "windows.forwarded",
30+ "kind": "event",
31+ "provider": "Microsoft-Windows-Sysmon"
32+ },
33+ "host": {
34+ "name": "Win2018Eval"
35+ },
36+ "input": {
37+ "type": "winlog"
38+ },
39+ "log": {
40+ "level": "information"
41+ },
42+ "tags": [
43+ "forwarded"
44+ ],
45+ "winlog": {
46+ "api": "wineventlog",
47+ "channel": "Microsoft-Windows-Sysmon/Operational",
48+ "computer_name": "Win2018Eval",
49+ "event_data": {
50+ "Image": "\u003cunknown process\u003e",
51+ "ProcessGuid": "{00000000-0000-0000-0000-000000000000}",
52+ "ProcessId": "6968",
53+ "QueryName": "enterpriseregistration.windows.net",
54+ "QueryResults": "type: 5 adrs.privatelink.msidentity.com;type: 5 www.tm.prd.adrs.akadns.net;::ffff:20.190.129.168;",
55+ "QueryStatus": "0",
56+ "RuleName": "-",
57+ "UtcTime": "2021-09-14 09:01:34.006"
58+ },
59+ "event_id": "22",
60+ "process": {
61+ "pid": 2412,
62+ "thread": {
63+ "id": 3596
64+ }
65+ },
66+ "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
67+ "provider_name": "Microsoft-Windows-Sysmon",
68+ "record_id": 12337,
69+ "user": {
70+ "domain": "NT AUTHORITY",
71+ "identifier": "S-1-5-18",
72+ "name": "SYSTEM",
73+ "type": "User"
74+ },
75+ "version": 5
7376 }
7477 },
7578 {
86428645 }
86438646 }
86448647 ]
8645- }
8648+ }