Is there a new Mapping for Windows Logs in v2.9 breaking ECS?

When I created a “Windows Logs” detector with v2.7 there were about 2-3 fields I had to map manually. Now there are 56 unmapped fields (only one got mapped automatically).

I have been trying to find the ECS definition for the fields in question but couldn’t find them.
For example (this is only the first mapping page):

  • winlog.event_data.Accesses
  • winlog.event_data.Action
  • winlog.event_data.ApplicationPath
  • winlog.event_data.AuditPolicyChanges
  • winlog.event_data.CertThumbprint
  • winlog.event_data.Commandline
  • winlog.event_data.CurrentDirectory
  • winlog.event_data.Destination
  • winlog.event_data.DestinationHostname
  • winlog.event_data.DestinationIsIpv6

My log sources are from Winlogbeat 8.x.

Same here.
There is a lack of documentation regarding this.
I’ll look into this in a couple of weeks. If I find something useful, I’ll let you know.


Is this maybe something to do with a wrong .sap-alias-mappings-* component template from previous releases?
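One way to check the suggestion above without clicking through the detector's mapping pages is to compare the raw `winlog.event_data.*` keys in an actual Winlogbeat 8.x document against the alias fields declared in the component template. The script below is an added example, not code from the thread or from the plugin. It assumes that the template maps ECS names as `alias` fields whose `path` points at the raw `winlog.event_data.*` field (the layout the `.sap-alias-mappings-*` template is believed to carry), and both the event and the template are constructed samples; in practice you would paste in the output of `GET _component_template/<name>` and one document from the Winlogbeat index.

```python
"""Added example: list winlog.event_data.* fields that no alias mapping covers."""
import json

# Constructed sample Winlogbeat 8.x document (not real telemetry); only the
# fields needed for the check are included.
SAMPLE_EVENT = {
    "@timestamp": "2023-09-01T10:00:00.000Z",
    "event": {"code": "3", "provider": "Microsoft-Windows-Sysmon"},
    "winlog": {
        "event_id": 3,
        "channel": "Microsoft-Windows-Sysmon/Operational",
        "event_data": {
            "CommandLine": "C:\\Windows\\System32\\cmd.exe /c whoami",
            "CurrentDirectory": "C:\\Users\\user\\",
            "DestinationHostname": "example.internal",
            "DestinationIsIpv6": "false",
        },
    },
}

# Constructed component template in the shape OpenSearch returns for
# GET _component_template/<name>. The alias layout (ECS field -> alias ->
# raw winlog path) is an assumption about what the alias template carries.
SAMPLE_COMPONENT_TEMPLATE = {
    "template": {
        "mappings": {
            "properties": {
                "process": {
                    "properties": {
                        "command_line": {
                            "type": "alias",
                            "path": "winlog.event_data.CommandLine",
                        }
                    }
                },
                "destination": {
                    "properties": {
                        "domain": {
                            "type": "alias",
                            "path": "winlog.event_data.DestinationHostname",
                        }
                    }
                },
                "winlog": {
                    "properties": {
                        "event_id": {"type": "long"},
                        "event_data": {"type": "object"},
                    }
                },
            }
        }
    }
}


def flatten(obj, prefix=""):
    """Flatten nested dicts into dotted keys, the way OpenSearch addresses fields."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def alias_paths(properties, prefix=""):
    """Return {raw_path: ecs_field} for every alias field in a mappings block."""
    found = {}
    for name, spec in properties.items():
        path = f"{prefix}.{name}" if prefix else name
        if spec.get("type") == "alias":
            found[spec["path"]] = path
        elif "properties" in spec:
            found.update(alias_paths(spec["properties"], path))
    return found


def unmapped_event_data_fields(event, component_template):
    """Raw winlog.event_data.* fields present in the event that no alias points at."""
    aliases = alias_paths(component_template["template"]["mappings"]["properties"])
    raw_fields = [k for k in flatten(event) if k.startswith("winlog.event_data.")]
    return sorted(f for f in raw_fields if f not in aliases)


if __name__ == "__main__":
    missing = unmapped_event_data_fields(SAMPLE_EVENT, SAMPLE_COMPONENT_TEMPLATE)
    print(json.dumps(missing, indent=2))
```

If the list that comes back matches the fields the detector wizard shows as unmapped, the gap is in the alias template rather than in the event shape; if the raw keys in your documents are spelled differently from the alias `path` values (for example `CommandLine` versus `Commandline`), the alias cannot resolve and the field will show as unmapped even though a template entry exists.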
