IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Security Module
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.
This functionality is in beta and is subject to change. The design and code are less mature than official GA features and are being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
The security module processes event log records from the Security log.
The module has transformations for the following event IDs:
- 4624 - An account was successfully logged on.
- 4625 - An account failed to log on.
- 4648 - A logon was attempted using explicit credentials.
More event IDs will be added.
Configuration
```yaml
winlogbeat.event_logs:
  - name: Security
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
```
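The following added example sketches how a JavaScript script processor can dispatch on the three event IDs listed above; it is not the contents of `winlogbeat-security.js`. The function name `enrichLogon`, the `FakeEvent` stand-in, the action labels and the target field `winlog.logon.type` are assumptions made for illustration, and the sample record is constructed.

```javascript
// Added example: NOT the contents of winlogbeat-security.js.
// Assumes the Beats script-processor contract: the script defines a function
// (named process(event) in a real script file) that is called once per record,
// and event.Get(path) / event.Put(path, value) take dotted field paths.
var ACTIONS = { // labels chosen for this example
  4624: { action: "logged-in", outcome: "success" },
  4625: { action: "logon-failed", outcome: "failure" },
  4648: { action: "logon-explicit-credentials", outcome: "unknown" },
};
var LOGON_TYPES = { // Windows LogonType values
  2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
  8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
  11: "CachedInteractive",
};

function enrichLogon(event) {
  // event_id may arrive as a number or a string; normalise before lookup.
  var id = Number(event.Get("winlog.event_id"));
  var rule = ACTIONS[id];
  if (!rule) return; // leave other Security events untouched
  event.Put("event.action", rule.action);
  event.Put("event.outcome", rule.outcome);
  var user = event.Get("winlog.event_data.TargetUserName");
  if (user) event.Put("user.name", user);
  var type = LOGON_TYPES[Number(event.Get("winlog.event_data.LogonType"))];
  if (type) event.Put("winlog.logon.type", type);
}

// Minimal stand-in for the Beats event object so the logic runs under Node.
function FakeEvent(fields) { this.fields = fields; }
FakeEvent.prototype.Get = function (path) {
  return path.split(".").reduce(function (o, k) {
    return o == null ? undefined : o[k];
  }, this.fields);
};
FakeEvent.prototype.Put = function (path, value) {
  var keys = path.split("."), last = keys.pop(), o = this.fields;
  keys.forEach(function (k) { o = o[k] = o[k] || {}; });
  o[last] = value;
};

// Constructed sample record: failed network logon (4625, LogonType 3).
function demo() {
  var ev = new FakeEvent({ winlog: { event_id: 4625,
    event_data: { TargetUserName: "alice", LogonType: "3" } } });
  enrichLogon(ev);
  return ev.fields;
}
```

Normalised action and outcome fields let a detection rule count failed logons per user without matching on raw event IDs.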