When I created a “Windows Logs” detector with v2.7 there were about 2-3 fields I had to map manually. Now there are 56 unmapped fields (only one got mapped automatically).
I have been trying to find the ECS definition for the fields in question but couldn’t find them.
For example (this is only the first mapping page):
- winlog.event_data.Accesses
- winlog.event_data.Action
- winlog.event_data.ApplicationPath
- winlog.event_data.AuditPolicyChanges
- winlog.event_data.CertThumbprint
- winlog.event_data.Commandline
- winlog.event_data.CurrentDirectory
- winlog.event_data.Destination
- winlog.event_data.DestinationHostname
- winlog.event_data.DestinationIsIpv6
My log sources are from Winlogbeat 8.x.
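As an added illustration (not part of the original post), the following script moves the three listed fields that do have an ECS counterpart (CommandLine, CurrentDirectory, DestinationHostname) into their ECS locations, derives network.type from DestinationIsIpv6 (my assumption, not an ECS-defined rename), and reports which winlog.event_data fields remain unmapped. The sample event is constructed for the example.

```python
"""Normalise selected Winlogbeat 8.x winlog.event_data fields to ECS and list leftovers."""
import copy

# Fields from the post that have an ECS equivalent. Assumption: the target names
# follow the ECS field reference; fields with no ECS counterpart are left in place.
ECS_MAP = {
    "CommandLine": "process.command_line",
    "CurrentDirectory": "process.working_directory",
    "DestinationHostname": "destination.domain",
}

# Constructed sample document in Winlogbeat's winlog.event_data layout.
SAMPLE_EVENT = {
    "winlog": {
        "event_data": {
            "CommandLine": "C:\\Windows\\System32\\cmd.exe /c whoami",
            "CurrentDirectory": "C:\\Users\\alice\\",
            "DestinationHostname": "fileserver.corp.example",
            "DestinationIsIpv6": "false",
            "Accesses": "ReadData (or ListDirectory)",
        }
    }
}


def _set_path(doc: dict, dotted: str, value) -> None:
    """Create nested dicts for 'a.b.c' and store value at the leaf."""
    *parents, leaf = dotted.split(".")
    for part in parents:
        doc = doc.setdefault(part, {})
    doc[leaf] = value


def to_ecs(event: dict) -> tuple[dict, list[str]]:
    """Return a copy with ECS renames applied plus the still-unmapped field paths."""
    out = copy.deepcopy(event)  # never mutate the caller's document
    event_data = out.get("winlog", {}).get("event_data", {})
    for src, dst in ECS_MAP.items():
        if src in event_data:
            _set_path(out, dst, event_data.pop(src))
    # Assumption: DestinationIsIpv6 carries no value of its own in ECS, but it
    # tells us the address family, which ECS expresses as network.type.
    if "DestinationIsIpv6" in event_data:
        is_v6 = str(event_data.pop("DestinationIsIpv6")).lower() == "true"
        _set_path(out, "network.type", "ipv6" if is_v6 else "ipv4")
    unmapped = sorted(f"winlog.event_data.{k}" for k in event_data)
    return out, unmapped


if __name__ == "__main__":
    ecs_doc, leftovers = to_ecs(SAMPLE_EVENT)
    print(ecs_doc)
    print("still unmapped:", leftovers)
```

Run it against a real exported event to see which of the 56 fields are genuinely without an ECS home versus merely renamed.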