From 952239867e8b7f0c6f303cfafb19c3b15db52486 Mon Sep 17 00:00:00 2001 
From: Anabella Cristaldi Date: Wed, 19 Aug 2020 12:00:37 +0200 Subject: [PATCH 1/5] Audit and Authentication Policy Change Events --- .../security/config/winlogbeat-security.js | 519 +++++++++++++++++- .../test/testdata/4670_WindowsSrv2016.evtx | Bin 0 -> 69632 bytes .../test/testdata/4706_WindowsSrv2016.evtx | Bin 0 -> 69632 bytes .../test/testdata/4707_WindowsSrv2016.evtx | Bin 0 -> 69632 bytes .../test/testdata/4713_WindowsSrv2016.evtx | Bin 0 -> 69632 bytes .../test/testdata/4716_WindowsSrv2016.evtx | Bin 0 -> 69632 bytes .../test/testdata/4717_WindowsSrv2016.evtx | Bin 0 -> 69632 bytes .../test/testdata/4718_WindowsSrv2016.evtx | Bin 0 -> 69632 bytes .../test/testdata/4719_WindowsSrv2016.evtx | Bin 0 -> 69632 bytes .../test/testdata/4739_WindowsSrv2016.evtx | Bin 0 -> 69632 bytes .../test/testdata/4817_WindowsSrv2016.evtx | Bin 0 -> 69632 bytes .../test/testdata/4902_WindowsSrv2016.evtx | Bin 0 -> 69632 bytes .../test/testdata/4904_WindowsSrv2016.evtx | Bin 0 -> 69632 bytes .../test/testdata/4905_WindowsSrv2016.evtx | Bin 0 -> 69632 bytes .../test/testdata/4906_WindowsSrv2016.evtx | Bin 0 -> 69632 bytes .../test/testdata/4907_WindowsSrv2016.evtx | Bin 0 -> 69632 bytes .../test/testdata/4908_WindowsSrv2016.evtx | Bin 0 -> 69632 bytes .../test/testdata/4912_WindowsSrv2016.evtx | Bin 0 -> 69632 bytes 18 files changed, 506 insertions(+), 13 deletions(-) create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.evtx create mode 100644 
x-pack/winlogbeat/module/security/test/testdata/4718_WindowsSrv2016.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4719_WindowsSrv2016.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4739_WindowsSrv2016.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4817_WindowsSrv2016.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4902_WindowsSrv2016.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4906_WindowsSrv2016.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4908_WindowsSrv2016.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4912_WindowsSrv2016.evtx diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index 56cdced6b51..4895ba807e6 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js @@ -180,6 +180,7 @@ var security = (function () { "4647": [["authentication"], ["end"], "logged-out"], "4648": [["authentication"], ["start"], "logged-in-explicit"], "4657": [["configuration"], ["change"], "registry-value-modified"], + "4670": [["iam", "configuration"],["admin", "change"],"permissions-changed"], "4672": [["iam"], ["admin"], "logged-in-special"], "4673": [["iam"], ["admin"], "privileged-service-called"], "4674": [["iam"], ["admin"], "privileged-operation"], 
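Review bot: The new row `"4670": [["iam", "configuration"],["admin", "change"],"permissions-changed"],` drops the space after the commas separating the three elements, while the neighbouring rows are written `[[...], [...], "..."]`; the same applies to the 4717/4718 rows and the 4817–4912 rows added further down. Writing it as `"4670": [["iam", "configuration"], ["admin", "change"], "permissions-changed"],` keeps the table uniform and greppable. The eventActionTypes table continues outside this hunk.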
@@ -197,6 +198,8 @@ var security = (function () { "4714": [["configuration"], ["change"], "encrypted-data-recovery-policy-changed"], "4715": [["configuration"], ["change"], "object-audit-policy-changed"], "4716": [["configuration"], ["change"], "trusted-domain-information-changed"], + "4717": [["iam", "configuration"],["admin", "change"],"system-security-access-granted"], + "4718": [["iam", "configuration"],["admin", "deletion"],"system-security-access-removed"], "4719": [["iam", "configuration"], ["admin", "change"], "changed-audit-config"], // remove iam and admin "4720": [["iam"], ["user", "creation"], "added-user-account"], "4722": [["iam"], ["user", "change"], "enabled-user-account"], 
@@ -252,7 +255,14 @@ var security = (function () { "4781": [["iam"], ["user", "change"], "renamed-user-account"], "4798": [["iam"], ["user", "info"], "group-membership-enumerated"], // process enumerates the local groups to which the specified user belongs "4799": [["iam"], ["group", "info"], "user-member-enumerated"], // a process enumerates the members of the specified local group - "4912": [["configuration"], ["change"], "per-user-audit-policy-changed"], + "4817": [["iam", "configuration"], ["admin", "change"],"object-audit-changed"], + "4902": [["iam", "configuration"], ["admin", "creation"],"user-audit-policy-created"], + "4904": [["iam", "configuration"], ["admin", "change"],"security-event-source-added"], + "4905": [["iam", "configuration"], ["admin", "deletion"], "security-event-source-removed"], + "4906": [["iam", "configuration"], ["admin", "change"], "crash-on-audit-changed"], + "4907": [["iam", "configuration"], ["admin", "change"], "audit-setting-changed"], + "4908": [["iam", "configuration"], ["admin", "change"], "special-group-table-changed"], + "4912": [["iam", "configuration"], ["admin", "change"], "per-user-audit-policy-changed"], "4950": [["configuration"], ["change"], "windows-firewall-setting-changed"], "4954": [["configuration"], ["change"], "windows-firewall-group-policy-changed"], "4964": [["iam"], ["admin", "group"], "logged-in-special"], @@ -263,16 +273,6 @@ var security = (function () { "5037": [["driver"], ["end"], "windows-firewall-driver-error"], }; - - // Audit Policy Changes Table - // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719 - var auditActions = { - "8448": "Success Removed", - "8450": "Failure Removed", - "8449": "Success Added", - "8451": "Failure Added", - }; - // Services Types // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697 var serviceTypes = { 
@@ -1351,6 +1351,250 @@ var security = (function () { "16903": "Publish", }; + // Trust Types + // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 + var trustTypes = { + "1": "TRUST_TYPE_DOWNLEVEL", + "2": "TRUST_TYPE_UPLEVEL", + "3": "TRUST_TYPE_MIT", + "4": "TRUST_TYPE_DCE" + } + + // Trust Direction + // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 + var trustDirection = { + "0": "TRUST_DIRECTION_DISABLED", + "1": "TRUST_DIRECTION_INBOUND", + "2": "TRUST_DIRECTION_OUTBOUND", + "3": "TRUST_DIRECTION_BIDIRECTIONAL" + } + + // Trust Attributes + // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 + var trustAttributes = { + "0": "UNDEFINED", + "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE", + "2": "TRUST_ATTRIBUTE_UPLEVEL_ONLY", + "4": "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN", + "8": "TRUST_ATTRIBUTE_FOREST_TRANSITIVE", + "16": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION", + "32": "TRUST_ATTRIBUTE_WITHIN_FOREST", + "64": "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL", + "128": "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION", + "512": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION", + "1024": "TRUST_ATTRIBUTE_PIM_TRUST" + } + + // SDDL Ace Types + // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 + // https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings + // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 + var aceTypes = { + "A": "Access Allowed", + "D": "Access Denied", + "OA": "Object Access Allowed", + "OD": "Object Access Denied", + "AU": "System Audit", + "AL": "System Alarm", + "OU": "System Object Audit", + "OL": "System Object Alarm", + "ML": "System Mandatory Label", + "SP": "Central Policy ID" + } + + // SDDL Permissions + // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 + // 
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 + var permissionDescription = { + "GA": "Generic All", + "GR": "Generic Read", + "GW": "Generic Write", + "GX": "Generic Execute", + "RC": "Read Permissions", + "SD": "Delete", + "WD": "Modify Permissions", + "WO": "Modify Owner", + "RP": "Read All Properties", + "WP": "Write All Properties", + "CC": "Create All Child Objects", + "DC": "Delete All Child Objects", + "LC": "List Contents", + "SW": "All Validated", + "LO": "List Object", + "DT": "Delete Subtree", + "CR": "All Extended Rights", + "FA": "File All Access", + "FR": "File Generic Read", + "FX": "FILE GENERIC EXECUTE", + "FW": "FILE GENERIC WRITE", + "KA": "KEY ALL ACCESS", + "KR": "KEY READ", + "KW": "KEY WRITE", + "KX": "KEY EXECUTE" + } + + // Known SIDs + // https://support.microsoft.com/en-au/help/243330/well-known-security-identifier"S-in-window"S-operating-systems + // https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings + var accountSIDDescription = { + "AO": "Account operators", + "RU": "Alias to allow previous Windows 2000", + "AN": "Anonymous logon", + "AU": "Authenticated users", + "BA": "Built-in administrators", + "BG": "Built-in guests", + "BO": "Backup operators", + "BU": "Built-in users", + "CA": "Certificate server administrators", + "CG": "Creator group", + "CO": "Creator owner", + "DA": "Domain administrators", + "DC": "Domain computers", + "DD": "Domain controllers", + "DG": "Domain guests", + "DU": "Domain users", + "EA": "Enterprise administrators", + "ED": "Enterprise domain controllers", + "WD": "Everyone", + "PA": "Group Policy administrators", + "IU": "Interactively logged-on user", + "LA": "Local administrator", + "LG": "Local guest", + "LS": "Local service account", + "SY": "Local system", + "NU": "Network logon user", + "NO": "Network configuration operators", + "NS": "Network service account", + "PO": "Printer operators", + "PS": "Personal self", + "PU": 
"Power users", + "RS": "RAS servers group", + "RD": "Terminal server users", + "RE": "Replicator", + "RC": "Restricted code", + "SA": "Schema administrators", + "SO": "Server operators", + "SU": "Service logon user", + "S-1-0": "Null Authority", + "S-1-0-0": "Nobody", + "S-1-1": "World Authority", + "S-1-1-0": "Everyone", + "S-1-16-0": "Untrusted Mandatory Level", + "S-1-16-12288": "High Mandatory Level", + "S-1-16-16384": "System Mandatory Level", + "S-1-16-20480": "Protected Process Mandatory Level", + "S-1-16-28672": "Secure Process Mandatory Level", + "S-1-16-4096": "Low Mandatory Level", + "S-1-16-8192": "Medium Mandatory Level", + "S-1-16-8448": "Medium Plus Mandatory Level", + "S-1-2": "Local Authority", + "S-1-2-0": "Local", + "S-1-2-1": "Console Logon", + "S-1-3": "Creator Authority", + "S-1-3-0": "Creator Owner", + "S-1-3-1": "Creator Group", + "S-1-3-2": "Creator Owner Server", + "S-1-3-3": "Creator Group Server", + "S-1-3-4": "Owner Rights", + "S-1-4": "Non-unique Authority", + "S-1-5": "NT Authority", + "S-1-5-1": "Dialup", + "S-1-5-10": "Principal Self", + "S-1-5-11": "Authenticated Users", + "S-1-5-12": "Restricted Code", + "S-1-5-13": "Terminal Server Users", + "S-1-5-14": "Remote Interactive Logon", + "S-1-5-15": "This Organization", + "S-1-5-17": "This Organization", + "S-1-5-18": "Local System", + "S-1-5-19": "NT Authority", + "S-1-5-2": "Network", + "S-1-5-20": "NT Authority", + "S-1-5-3": "Batch", + "S-1-5-32-544": "Administrators", + "S-1-5-32-545": "Users", + "S-1-5-32-546": "Guests", + "S-1-5-32-547": "Power Users", + "S-1-5-32-548": "Account Operators", + "S-1-5-32-549": "Server Operators", + "S-1-5-32-550": "Print Operators", + "S-1-5-32-551": "Backup Operators", + "S-1-5-32-552": "Replicators", + "S-1-5-32-554": "Builtin\Pre-Windows 2000 Compatible Access", + "S-1-5-32-555": "Builtin\Remote Desktop Users", + "S-1-5-32-556": "Builtin\Network Configuration Operators", + "S-1-5-32-557": "Builtin\Incoming Forest Trust Builders", + 
"S-1-5-32-558": "Builtin\Performance Monitor Users", + "S-1-5-32-559": "Builtin\Performance Log Users", + "S-1-5-32-560": "Builtin\Windows Authorization Access Group", + "S-1-5-32-561": "Builtin\Terminal Server License Servers", + "S-1-5-32-562": "Builtin\Distributed COM Users", + "S-1-5-32-569": "Builtin\Cryptographic Operators", + "S-1-5-32-573": "Builtin\Event Log Readers", + "S-1-5-32-574": "Builtin\Certificate Service DCOM Access", + "S-1-5-32-575": "Builtin\RDS Remote Access Servers", + "S-1-5-32-576": "Builtin\RDS Endpoint Servers", + "S-1-5-32-577": "Builtin\RDS Management Servers", + "S-1-5-32-578": "Builtin\Hyper-V Administrators", + "S-1-5-32-579": "Builtin\Access Control Assistance Operators", + "S-1-5-32-580": "Builtin\Remote Management Users", + "S-1-5-32-582": "Storage Replica Administrators", + "S-1-5-4": "Interactive", + "S-1-5-5-X-Y": "Logon Session", + "S-1-5-6": "Service", + "S-1-5-64-10": "NTLM Authentication", + "S-1-5-64-14": "SChannel Authentication", + "S-1-5-64-21": "Digest Authentication", + "S-1-5-7": "Anonymous", + "S-1-5-8": "Proxy", + "S-1-5-80": "NT Service", + "S-1-5-80-0": "All Services", + "S-1-5-83-0": "NT Virtual Machine\Virtual Machines", + "S-1-5-9": "Enterprise Domain Controllers", + "S-1-5-90-0": "Windows Manager\Windows Manager Group" + } + + // Domain-specific SIDs + // https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems + var domainSpecificSID = { + "498": "Enterprise Read-only Domain Controllers", + "500": "Administrator", + "501": "Guest", + "502": "KRBTGT", + "512": "Domain Admins", + "513": "Domain Users", + "514": "Domain Guests", + "515": "Domain Computers", + "516": "Domain Controllers", + "517": "Cert Publishers", + "518": "Schema Admins", + "519": "Enterprise Admins", + "520": "Group Policy Creator Owners", + "521": "Read-only Domain Controllers", + "522": "Cloneable Domain Controllers", + "526": "Key Admins", + "527": "Enterprise Key Admins", + "553": "RAS 
and IAS Servers", + "571": "Allowed RODC Password Replication Group", + "572": "Denied RODC Password Replication Group" + } + + // Object Permission Flags + // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b + var permsFlags = [ + [0x80000000, 'Generic Read'], + [0x4000000, 'Generic Write'], + [0x20000000, 'Generic Execute'], + [0x10000000, 'Generic All'], + [0x02000000, 'Maximun Allowed'], + [0x01000000, 'Access System Security'], + [0x00100000, 'Syncronize'], + [0x00080000, 'Write Owner'], + [0x00040000, 'Write DACL'], + [0x00020000, 'Read Control'], + [0x00010000, 'Delete'] + ]; + // lookupMessageCode returns the string associated with the code. key should // be the name of the field in evt containing the code (e.g. %%2313). var lookupMessageCode = function (evt, key) { @@ -1455,7 +1699,7 @@ var security = (function () { var actionResults = []; for (var j = 0; j < codedActions.length; j++) { var actionCode = codedActions[j].replace("%%", '').replace(' ', ''); - actionResults.push(auditActions[actionCode]); + actionResults.push(msobjsMessageTable[actionCode]); } evt.Put("winlog.event_data.AuditPolicyChangesDescription", actionResults); }; 
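Review bot: The `accountSIDDescription` values written as `"Builtin\Pre-Windows 2000 Compatible Access"`, `"Builtin\Remote Desktop Users"` and the other `Builtin\…`, `NT Virtual Machine\…` and `Windows Manager\…` entries lose their backslash, because `\P`, `\R`, `\V` and `\W` are unknown escapes in a JavaScript string literal and evaluate to the bare letter, so events will carry `BuiltinPre-Windows 2000 Compatible Access`; they need `"Builtin\\Pre-Windows 2000 Compatible Access"` and so on. In `permsFlags`, `[0x4000000, 'Generic Write']` is one hex digit short — GENERIC_WRITE is bit 30, `0x40000000`, so the mask test currently checks an unrelated bit — and the labels `'Maximun Allowed'` and `'Syncronize'` are emitted into events and should read `'Maximum Allowed'` and `'Synchronize'`. The new `trustTypes`, `trustDirection`, `trustAttributes`, `aceTypes`, `permissionDescription`, `accountSIDDescription` and `domainSpecificSID` literals close with a bare `}` while the other tables visible here end with `};`; relying on ASI is a style inconsistency worth fixing. The first URL above `accountSIDDescription` is garbled (`well-known-security-identifier"S-in-window"S-operating-systems`) and should match the intact one above `domainSpecificSID`.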
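Review bot: `actionResults.push(msobjsMessageTable[actionCode]);` now depends on `msobjsMessageTable` containing the audit-policy codes `8448`–`8451` that the deleted `auditActions` table held, and that table is not visible in this patch; if a code is missing, the array field `AuditPolicyChangesDescription` silently receives `undefined` entries. Since 4912 is also routed to this handler by the new mapping, the same holds for whatever codes those events carry. A guard such as `var desc = msobjsMessageTable[actionCode]; if (desc) { actionResults.push(desc); }` keeps the field clean; the enclosing function starts outside the hunk.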
@@ -1495,12 +1739,118 @@ var security = (function () { evt.Put("winlog.event_data.StatusDescription", kerberosTktStatusCodes[code]); }; + var translateSID = function(sid){ + var translatedSID = accountSIDDescription[sid]; + if (translatedSID == undefined) { + if (/^S\-1\-5\-21/.test(sid)) { + var uid = sid.match(/[0-9]{1,5}$/g); + if (uid) { + translatedSID = domainSpecificSID[uid]; + } + } + } + if (translatedSID == undefined) { + translatedSID = sid; + } + return translatedSID; + } + + var translatePermissionMask = function(mask) { + if (!mask) { + return; + } + var permCode = parseInt(mask); + var permResult = []; + for (var i = 0; i < permsFlags.length; i++) { + if ((permCode | permsFlags[i][0]) === permCode) { + permResult.push(permsFlags[i][1]); + } + } + if (permResult) { + return permResult; + } else { + return mask; + } + }; + + var translateACL = function(dacl) { + var aceArray = dacl.split(";"); + var aceResult = []; + var aceType = aceArray[0]; + var acePerm = aceArray[2]; + var aceTrustedSid = aceArray[5]; + if (aceTrustedSid) { + aceResult['grantee'] = translateSID(aceTrustedSid); + } + if (aceType) { + aceResult['type'] = aceTypes[aceType]; + } + if (acePerm) { + if (/^0x/.test(acePerm)) { + var perms = translatePermissionMask(acePerm); + } + else { + var perms = [] + var permPairs = acePerm.match(/.{1,2}/g); + for ( var i = 0; i < permPairs.length; i ++) { + perms.push(permissionDescription[permPairs[i]]) + } + } + aceResult['perms'] = perms; + } + return aceResult; + }; + + var enrichSDDL = function(evt, sddl) { + var sddlStr = evt.Get(sddl); + if (!sddlStr) { + return; + } + var sdOwner = sddlStr.match(/^O\:[A-Z]{2}/g); + var sdGroup = sddlStr.match(/^G\:[A-Z]{2}/g); + var sdDacl = sddlStr.match(/(D:([A-Z]*(\(.*\))*))/g); + var sdSacl = sddlStr.match(/(S:([A-Z]*(\(.*\))*))?$/g); + if (sdOwner) { + evt.Put(sddl+"Owner", translateSID(sdOwner)); + } + if (sdGroup) { + evt.Put(sddl+"Group", translateSID(sdGroup)); + } + if (sdDacl) { + // Split each 
entry of the DACL + var daclList = (sdDacl[0]).match(/\([^*\)]*\)/g); + if (daclList) { + for (var i = 0; i < daclList.length; i++) { + var newDacl = translateACL(daclList[i].replace("(", '').replace(")", '')); + evt.Put(sddl+"Dacl"+i, newDacl['grantee']+" :"+newDacl['type']+" ("+newDacl['perms']+")"); + if ( newDacl['grantee'] === "Administrator" || newDacl['grantee'] === "Guest" || newDacl['grantee'] === "KRBTGT" ) { + evt.AppendTo('related.user', newDacl['grantee']); + } + } + } + } + if (sdSacl) { + // Split each entry of the SACL + var saclList = (sdSacl[0]).match(/\([^*\)]*\)/g); + if (saclList) { + for (var i = 0; i < saclList.length; i++) { + var newSacl = translateACL(saclList[i].replace("(", '').replace(")", '')); + evt.Put(sddl+"Sacl"+i, newSacl['grantee']+" :"+newSacl['type']+" ("+newSacl['perms']+")"); + if ( newSacl['grantee'] === "Administrator" || newSacl['grantee'] === "Guest" || newSacl['grantee'] === "KRBTGT" ) { + evt.AppendTo('related.user', newSacl['grantee']); + } + } + } + } + }; + var addSessionData = new processor.Chain() .Convert({ fields: [ {from: "winlog.event_data.AccountName", to: "user.name"}, {from: "winlog.event_data.AccountDomain", to: "user.domain"}, {from: "winlog.event_data.ClientAddress", to: "source.ip", type: "ip"}, + {from: "winlog.event_data.ClientAddress", to: "related.ip"}, {from: "winlog.event_data.ClientName", to: "source.domain"}, {from: "winlog.event_data.LogonID", to: "winlog.logon.id"}, ], 
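Review bot: In `enrichSDDL` the owner and group are never translated: `sdOwner` is the `match()` result array, still carrying the `O:` prefix, when it reaches `translateSID`, and `/^G\:[A-Z]{2}/` is anchored to the start of the string where `O:` always sits, so `sdGroup` is always null. Capturing the principal instead, `var sdOwner = sddlStr.match(/O:([A-Z]{2}|S-[0-9-]+)/);` and `var sdGroup = sddlStr.match(/G:([A-Z]{2}|S-[0-9-]+)/);`, then passing `sdOwner[1]` / `sdGroup[1]` to `translateSID`, also covers SDDL strings whose owner is a full SID rather than a two-letter alias. In `translatePermissionMask`, `if (permResult)` is always true for an array so the `return mask` fallback is dead (`permResult.length > 0` was meant), and `(permCode | permsFlags[i][0]) === permCode` fails for every flag on any mask with the top bit set because `|` yields a signed 32-bit result; `((permCode & permsFlags[i][0]) >>> 0) === permsFlags[i][0]` tests each bit correctly. The DACL regex `/(D:([A-Z]*(\(.*\))*))/g` is greedy across the rest of the string, so when an `S:` section follows, its ACEs are also parsed and emitted as DACL entries, and `aceResult` in `translateACL` is declared as an array but used with string keys and should be `{}`. Emitting one field per ACE (`sddl+"Dacl"+i`) creates an unbounded set of `winlog.event_data.*Dacl<N>` keys, which is hard to map and query; an array field holding the rendered ACE strings would be safer for the index.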
@@ -1529,6 +1879,26 @@ var security = (function () { }) .Build(); + var addTrustInformation = new processor.Chain() + .Add(function(evt) { + var code = evt.Get("winlog.event_data.TdoType"); + if (!code) { + return; + } + evt.Put("winlog.trustType", trustTypes[code]); + code = evt.Get("winlog.event_data.TdoDirection"); + if (!code) { + return; + } + evt.Put("winlog.trustDirection", trustDirection[code]); + code = evt.Get("winlog.event_data.TdoAttributes"); + if (!code) { + return; + } + evt.Put("winlog.trustAttribute", trustAttributes[code]); + + }) + .Build(); var copyTargetUser = new processor.Chain() .Convert({ fields: [ @@ -1635,6 +2005,7 @@ var security = (function () { {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, {from: "winlog.event_data.ProcessName", to: "process.executable"}, {from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"}, + {from: "winlog.event_data.ClientAddress", to: "related.ip"}, {from: "winlog.event_data.IpPort", to: "source.port", type: "long"}, {from: "winlog.event_data.WorkstationName", to: "source.domain"}, ], @@ -1831,7 +2202,6 @@ var security = (function () { } evt.AppendTo("related.user", member.split(',')[0].replace('CN=', '').replace('cn=', '')); }) - .Build(); var auditLogCleared = new processor.Chain() @@ -1892,6 +2262,7 @@ var security = (function () { var ip = evt.Get("source.ip"); if (/::ffff:/.test(ip)) { evt.Put("source.ip", ip.replace("::ffff:", "")); + evt.Put("related.ip", ip.replace("::ffff:", "")); } }) .Build(); 
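Review bot: `addTrustInformation` returns as soon as `TdoDirection` is absent, so `TdoAttributes` is never translated in that case even though the three lookups are independent; write each as its own `if (code) { evt.Put(...); }` block without `return`, which also removes the stray blank line before `})`. The `trustAttributes` table is made of powers of two, which suggests a flag set, so a combined value would hit no key and the event would get `undefined`; a bit-wise decode like the one used for `permsFlags` would be more robust — please confirm against the TdoAttributes values in the new test data. The field names `winlog.trustType`, `winlog.trustDirection` and `winlog.trustAttribute` use camelCase directly under `winlog`, unlike the `winlog.event_data.*Description` convention the rest of this file follows.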
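Review bot: The added `{from: "winlog.event_data.ClientAddress", to: "related.ip"}` sits in a Convert block whose neighbours read `winlog.event_data.IpAddress` for `source.ip`, so it looks like a copy of the `addSessionData` line rather than the field these events carry; if so it should be `{from: "winlog.event_data.IpAddress", to: "related.ip"}`. The line also lacks the `type: "ip"` the `source.ip` conversion above it has, so placeholder values such as `-` may be written to `related.ip` unconverted. The enclosing Convert starts before the hunk.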
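Review bot: `evt.Put("related.ip", ip.replace("::ffff:", ""))` overwrites `related.ip` with a single string, whereas ECS `related.ip` is an array and this file already uses `evt.AppendTo("related.user", ...)` for the sibling field; it also runs only when the address carried the `::ffff:` prefix, so plain IPv4 and IPv6 addresses never reach `related.ip` from this processor. Moving it out of the `if` as `evt.AppendTo("related.ip", evt.Get("source.ip"));` (guarded by a null check) covers both cases. The enclosing function starts outside the hunk.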
@@ -1939,6 +2310,81 @@ var security = (function () { }) .Build(); + var trustDomainMgmtEvts = new processor.Chain() + .Add(copySubjectUser) + .Add(copySubjectUserLogonId) + .Add(addEventFields) + .Add(addTrustInformation) + .Add(function(evt) { + evt.AppendTo("event.type", "change"); + }) + .Build(); + + var policyChange = new processor.Chain() + .Add(copySubjectUser) + .Add(copySubjectUserLogonId) + .Add(addEventFields) + .Add(function(evt) { + evt.AppendTo("event.type", "change"); + }) + .Build(); + + var objectPolicyChange = new processor.Chain() + .Add(copySubjectUser) + .Add(copySubjectUserLogonId) + .Add(renameCommonAuthFields) + .Add(addEventFields) + .Add(function(evt) { + evt.AppendTo("event.type", "change"); + var oldSd = evt.Get("winlog.event_data.OldSd"); + var newSd = evt.Get("winlog.event_data.NewSd"); + if (oldSd) { + enrichSDDL(evt, "winlog.event_data.OldSd"); + } + if (newSd) { + enrichSDDL(evt, "winlog.event_data.NewSd"); + } + }) + .Build(); + + var genericAuditChange = new processor.Chain() + .Add(addEventFields) + .Add(function(evt) { + evt.AppendTo("event.type", "change"); + }) + .Build(); + + var event4908 = new processor.Chain() + .Add(addEventFields) + .Add(function(evt) { + evt.AppendTo("event.type", "change"); + var sids = evt.Get("winlog.event_data.SidList"); + if (!sids) { + return; + } + var sidList = sids.split(/\s+/); + evt.Put("winlog.event_data.SidList", sids.split(/\s+/)); + var sidListDesc = []; + for (var i = 0; i < sidList.length; i++) { + var sidTemp = sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""); + if (sidTemp) { + sidListDesc.push(translateSID(sidTemp)); + } + } + evt.Put("winlog.event_data.SidListDesc", sidListDesc); + }) + .Build(); + + var securityEventSource = new processor.Chain() + .Add(copySubjectUser) + .Add(copySubjectUserLogonId) + .Add(renameCommonAuthFields) + .Add(addEventFields) + .Add(function(evt) { + evt.AppendTo("event.type", "change"); + }) + .Build(); + return { // 1100 - 
The event logging service has shut down. @@ -1971,6 +2417,9 @@ var security = (function () { // 4648 - A logon was attempted using explicit credentials. 4648: event4648.Run, + // 4670 - Permissions on an object were changed. + 4670: objectPolicyChange.Run, + // 4672 - Special privileges assigned to new logon. 4672: event4672.Run, @@ -2004,6 +2453,24 @@ var security = (function () { // 4702 - A scheduled task was updated. 4702: scheduledTask.Run, + // 4706 - A new trust was created to a domain. + 4706: trustDomainMgmtEvts.Run, + + // 4707 - A trust to a domain was removed. + 4707: trustDomainMgmtEvts.Run, + + // 4713 - Kerberos policy was changed. + 4713: policyChange.Run, + + // 4716 - Trusted domain information was modified. + 4716: trustDomainMgmtEvts.Run, + + // 4717 - System security access was granted to an account. + 4717: policyChange.Run, + + // 4718 - System security access was removed from an account. + 4718: policyChange.Run, + // 4719 - System audit policy was changed. 4719: auditChanged.Run, @@ -2055,6 +2522,8 @@ var security = (function () { // 4737 - A security-enabled global group was changed. 4737: groupMgmtEvts.Run, + // 4739 - A security-enabled global group was changed. + 4739: policyChange.Run, // 4738 - An user account was changed. 4738: userMgmtEvts.Run, 
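Review bot: `event4908` overwrites `winlog.event_data.SidList` with `sids.split(/\s+/)`, turning a field other events index as a string into an array of strings, which can conflict with the existing mapping; keep the raw value and put the split list only into a new field, and reuse `sidList` instead of computing the split twice in `var sidList = sids.split(/\s+/);` and the `evt.Put` argument. `objectPolicyChange` reads `OldSd`/`NewSd` only to guard calls to `enrichSDDL`, which already returns on an empty field, so the two `if` blocks reduce to `enrichSDDL(evt, "winlog.event_data.OldSd"); enrichSDDL(evt, "winlog.event_data.NewSd");`. Every new chain appends `"change"` to `event.type`, including the ones serving 4707 (trust removed), 4718 and 4905, whose rows in the action table say `deletion`; if `addEventFields` already sets `event.type` from that table this yields a mixed `["deletion", "change"]` — please confirm against the expected-output fixtures.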
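Review bot: The comment `// 4739 - A security-enabled global group was changed.` is copied from the 4737 entry above it; event 4739 is "Domain Policy was changed", so it should read `// 4739 - Domain Policy was changed.`. The entry is also inserted between 4737 and 4738, breaking the numeric ordering the rest of the map keeps; move it after the 4738 entry.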
@@ -2166,6 +2635,30 @@ var security = (function () { // 4799 - A security-enabled local group membership was enumerated. 4799: groupMgmtEvts.Run, + // 4817 - Auditing settings on object were changed. + 4817: objectPolicyChange.Run, + + // 4902 - The Per-user audit policy table was created. + 4902: genericAuditChange.Run, + + // 4904 - An attempt was made to register a security event source. + 4904: securityEventSource.Run, + + // 4905 - An attempt was made to unregister a security event source. + 4905: securityEventSource.Run, + + // 4906 - The CrashOnAuditFail value has changed. + 4906: genericAuditChange.Run, + + // 4907 - Auditing settings on object were changed. + 4907: objectPolicyChange.Run, + + // 4908 - Special Groups Logon table modified. + 4908: event4908.Run, + + // 4912 - Per User Audit Policy was changed. + 4912: auditChanged.Run, + // 4964 - Special groups have been assigned to a new logon. 4964: event4964.Run, 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.evtx b/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.evtx new file mode 100644 index 0000000000000000000000000000000000000000..30c2adc84263bcfff0b595fa11920631f55738d8 GIT binary patch literal 69632 zcmeI5du$xV9mjunzPnufHX$SpN$NBKV!-h$eql)BIB|&bjtxmjT54kF=|_m2R}(1@ zKt=fjfp|!${UfaswH1g~sw$xn5G}Mop_B-fwt(8Itw^P|q5-u~6!rT3&g}Xgdv?x; zy;$(u)86gQ&dkov&dz-9J2Sss+P$rHXLpyREJok_|%bT z1eyby1DXSx1DXSx1DXSx1DXSx1DXSx1DXSx1DDN#rQO?FcJ%JXe|)bb0+UVb0*3TxQ^$ zTt0IAzwEfv?OSl$mXe-@*#FoONv5ToqsNJhVSnIkuY%uJ#CbL)9{R~CN%*R%xG~l~y@bvvjd%-{~ z_AlHk_rCSDN2E;-A?5*dMilVoSZov0<=)YYhoiFAoP9se)d^pFakLI=t6LaXJQ|YK zNNf)diWC+~AhOXZ4`q`>vP|}wkT_H%MLEqmvI^e5;rRG>$ApB;S}sd)>^iIw7CA;! z_I9qULlhmzvYoj6ohAv)y26k|f`vH}2?g@xD{yd2`qYUNF#j$Qs;0 z-WFyNPZwZJVVQ#+_sQAy>!_^2;X}A@eaOd7gB;oPJ<=mtXeM5H7qkc-k1uS;5U3KDXAJtAb1nG&1x!NOe0 zWm@h-Ah$yJ?gx3&V!SaO-6kb&wr+vH)>h{U&%Kx{&4_UT31?{;z?Ir~3nxfXgp~qs zd+pClgr~MK@tTGRRKVgAi}m0fZYA>cPbT654w{7TGbggQ_g1C@cT<>_+}}=g%IsEn z?8nDRMO2~@R;|3X_ccb5!#kY3bu*xFqC|57#ils1GUjp*if9XbcAy~jnsoD~6-yu# zh{ZO-18X(jxTfBy$*3L_1t!iuE5UGJnruK4R!g}oM!{T#2X!U(tMFZgvR#K;)Q+oa z!}mPoN*}V2rJeU-F`{=X=u`8e@WWfS52?1=jE9)_{C3Gz%`l+69ad zOX;x(A75+gOk{#wLPY0|m;qZ*_gqss%ELY!=M~cDcDd%U zd)p7TKeGJH*#%8Gb6+S(%>`Rk*Uf(WHMddV_VEb|Hy?TPO4OOTgrE|^>K@If2C z#tA=6s#hZXcC5W9G)#4lt&l35ki6T@_2#3Vi(f78!(Nkpdl3o+i|J)LnQt@Vp>mT# zwWC_tgOI_3aE2k`*A%fKn2$Wim*VG$%B{!&maA^WZLed36f;FkKYdS%`wk;T-SFFH zt~Y99P3vzpVmsjYn`r%&Iq_W`kI!4-FduX6`O6*u=25kGKQE<%ieF(K&JhwYCe}$( zDgi<2uue9Q9v@2FSF=AKzb`u5i|~u$%_YpIa`^gY&R~6W0i~Er>J!zD(y$v>-izn6 z8xH`NB><}0OXI#8N6In^vmTWu<7~n`*^oA_Hl(5oYc19WAP)Dc zrN*q>szM!Fj^A2o#CHQeHE^jlVQQovzqN4ZFWu|mm#($=<`IVGRypeBD&yXWbJXF( zxXR=bDhw_yxc)6EwbvG0WgMTFqAgDK%LdRkKl6}}Y_YJAGlyvX7vb=5t-dKdmv8N_ zMKl?=@@!d$Yu#5evdgsUBW=xZL!3jk;tl3}!?oVSx7yPXe%RKUh&2YSbTy()-#Smh zk%&L7^7b(6uf$e)>iM4@`R~@Z0&JBZMCI`8RoLL-W2-EwE%6D|I8IBvADhFqz{`-- z0-;cU0&shkFC5Xbt7u4v%KOV+V2)m3JpV~=3fSF`a(}k 
zhGbG>x=cHtRV?wA(P{geJZYJoF5idY0p6$Na%EU0^=i^GLdId!aKkO0^BN{gJ@2qA z(d>zXG~y|Bqs15J9KKjEhI}!d|F*G=7rr1%)EP2p1Wz=A3P=KUBSTagmS{8-QH`Tj z_)vbShre3mN(!Mb5=gxXN$RKrOVna*G;~rAu6Wwvs?51!KZs%n$c%DL0#zXIO0iDG zidx<*{N=t|<;M#0Fn|dTT>l9Q`3+X{w@Fe}t#_RYy17K&z-FqNbrcaqK6@3b5=l$1 zUhxS@uUZ*4N`BgmT9sa<;?tT=oiZSnp(;fn8CH#Ai#((XbtMiCp+5264x>8piMov1 zv~R#H;lbaW%-O%#}LKzY+@ zW63R17@Y-aG^sBTZ{7@gSql-1TGv?WS*J&!XHlD4CL6J?cQmTSP`<`e*CKC{E~_1$ zq~=Afs{wB0O1hIL$)nV+s8o?SYv5u@ltfCci_FQ;H8@Jus|J1>u*HtTbc&rT+}CP$5pT3aoGErasreW%;T*-)}NUE%sa;c({HrYc< zA|_Ybo?mh=>6ffbzuf0H37Rx&dwDHMSHhQH?0MX&{+As}V9!n1ZdUeG_EaTSmDsGu zi!$HA!o=TphNS^fz?{9X=lVbp8DtRh-DtVe2Ksx4h+{|ey zwlm){QazPChn>>`hA73Fjy&DUf6dVZ&GSxdFH_A^HBTi^CC{wM^MFV5Ja%N-qD1nX zq2#ILspP5Tnb~Y=_P77chyM1t<9hTd=P0qSoIU8A(Zq3_9IeSc_N%i8p8e|d!K0i3 zW&7yav(8bS+-Dpdv&vDQ9H&}|U&g@^pOyIatIyqS0(z7`RryS^wX+ESSd>4NKSz;2 zi^`r^n8=^gl|Pj~l|Pj~#}|LzJdVeEa&FP*i9ZLM0PT5K{#5=nmJ4aq&)RHk0E6r7 z`z&oRddGbJ`1-2``IBZjuU7t4{#5={{>+R&{jw(c*AeKSe)YU_X1r@R(rTQIM&l%p zQn73_R5~A;XSvxXqf!aAX1A>xN?p^=i?|sI{5y*eq{GnN1$AI%al8+4KGjA9~(jw3SjuV?O27DKTgy(gjKuzT zawVCQtZ8jH%?FR#UiNxy(T)>o)y|41U)pe->CT>cJ6E1opcszUm`J1kG3a13a6ExQ zJFvZ68B`fm8B`fGYX&{!VbF(muZ?}|*t-8d81y-1P*p#@)U7k#b;f(T8Si9JKi;J? ze+25M-waApIF zo64KYo8yZ&@1LZ+xkWZ$-fgdRV(#q$ygz=6w8 zk2k#*VI6`zneUv{-iTwIokU*^*rNqcy3pOP8SI0NfGVC! 
zph}=hprc2iUd8j1Lv`;bDxP0g0#yQ40#yRdj6nTTJfC-7t)?^BM}J0BHyh*F^cPeixZz^vpZ)V1uR6PB7bJ6s1Ji?P!IBB<&x+XPD zZqw!_-<-*BdxUm9t&T}Qv?kw()xPD3V?=42lfLcyj%eYNcH*gqQthOU%5T3kPq!JU zJDgy(b2GME)M}?%?NqCsYPBg{Ld~;K`G8XKy>-_s%_QG2Xu4oqg(j z3q0SNNsIC1R`#~D=bpCY{bEnI`mfg!pQ?YV{;B%s=;@!{5uXoNx4)Ojo?lh=RQ6Q% zRQAk_J^dQ-`MYsE;?uqpvjL%=pRjQAkvC6HX?tqjq!Vawcq9;u?Z@Vl6BA`Aj3aj; z$^pE#qyyg_NM^7(7F&kjlS#~20hh>%M?ZsT zkj_pC0=p-L5ZiK3Y*p!ED;gp;_l&^;q@D4t^2Ar0F20hK_?95YdysnOVLZ;DjWf$D zUWqujW9^mY=8AJ;%N#PCYQmF53*Y~y$_1<+fh_AOEAbaE{slcZnjmZvF%dGnPWgdQ0o1l5{!K$$WM)X-ZRv;U# zlw5(|2JCkYwiEqHd%-{~R*9tbwMS6d#!c_rR-_r}xp+7#YfXc<-!uwr9+W?oKMmoK zXV`WM3Yqr4XWjcgd%`SaU$Az8W3r_5*uw8r{?X;n)98JFSNSuEW|cotV8Q|APvy^{ z__H?{5FT5Eo_PFe^tnt7KV*WlulVRq`;;Nw(#gNyTK}dPBq< zTWZ~SobEO7$9U@ROFkV$H+&dW0}HCFqzEY7oV{6Zb# zWh&^(E1+NIhs_7_Jaf^8<{tgg7u9BRJX4lwT6j0e^bBLI4=^^SgySLT&e0Lnuw9Ls s{{tF~8*`ZdFzA=}l=;A%sdl ziS1ml5Ft<@RZyr(kqR#nQq`*}A#qbwp-NRHo(g>_ZN*DpfG5;)QLDTR|G&>ZGh<_` zKqbV(zejs!U)J7h?QgBU&WSTsU6@|1R%~NQ_<>9K4J>Ka7i<*y$o;^4<#^FUD$u3b_)N-kIGiRmpF|-3f$IZc6s3|Pe#)J z{WtZzb>z*__8qoo%)-#@Z)vkXr`l)ChB3Yme}?!^%WEI9<|*i8*$$m7?|b>*_;HT? 
z7-I_??D+!vANW6#Y}=q?$?wIr&-(Tu$WCL=s~h&A%>S}{+S~k2N2K-k+u_qr{*5Op zFFZQ@{I&Tvg5Dso?%+>{Z+$sl!S*A2KYQPqk^b=Y?DIQcz)2`I(QjAK^2a zN3U)RkSw5I$M`NgkGUFt@33KfcB3_Hd+=Rps$X8$O9YL^yYN-)xB6_xj@U))yy7$> zz$Y4wFT<|bqwlSSc8}A34!X*aI*Zvc)af`F4?dBy!!ULUlV-V`1(^qZJnS4y*%xiq zt;AHX^(H5hb_il$^%DP>>u7^@z$P(wD{6)z$8C1Lowa+h#T<|=;`ocs1ft8OER)D3 zEt3km>}Cwak$!z=hdtoM7D1|pxkRqZQYrZOMs(s3FTa+y83@u>RVQQ=O4tqP+~DJM zYAt26&KIYgNP-Fj%cH|9!1Cga8M_+}q+5uH>H_YRwp-ANZ_dfzhISCs7vZ-$IF`Yk zqG=mU0sB4ZJmz=Y`)C)GE;^?BAzFa}bWs^H4i9e;W9oBj*>xU_7XeSk`jbHx(bCE# z)5)GT+V^2YnoLU~@`+s5vb5!4EQ%AtPyX6v`<)o=s5(nxtj8cXJ?(FJ_Pwl4V8<00 z&S+V|Nuzyp9oCy+QlQ(5ul5^NM?3LMTP*5fxHK9|&=Dt*U;Vrj2e{x2Uv-Ki_kM|X zz?()}vcK>2F*^^zWqiC9p@kWyR=W1#@eqVhc(yTsT&IP}pwER9lQGLT5u*DcIfp>1 zIlJk!J_}MoqwydFnAPaGy|vJRT0$t$xah7V(!n-63KI_7kllsAJcNrngZ>DH; zrH?=Niv!G=XP&t3*B{KAJ?(zq2tv5~T|6(p@v%q}XWy92hQNkNtc-J?hv`HAa>gOV z$13J|VoE+_JAU}B*$cBjIPlcf&+kp%_Dau2DpBgbcK^@bf5#_zw(ouMM@RQvtEQ5F z_+H^Ot`4Q(!7`eB=CVv)W_ZP^d(wsa9LAXy_u-e%U`E*^^%OD{uOw%;qh^>5)3|Pv zI0sWVEse8cq6fI>&YgabPqbEau3K>g>&lks32cD!d^w=b9WD7B_^jG-JLw`}rRnZ? 
zWg=Qx^ebJmh-~ZKVr9$9WMt*IU;CMs*8UA^H$Npp>)*6`29zE`tszW#UY`PaPM(+H z;)!2plqNgKTHR4x&s7w|Yg2p-csERS3t`l5RxKMoh;HAO_ z@PHYxZD@zC4mPhHuU|LDMr<4p^#Xp!@IWu1J&H#=`$e=6xXprR3`=?tUyuLtrx%Wm ztzEezIsBc!LuLZn`T9^po5J~kGabe$Z}JbcZo5|pY%!| z`|if~4EDU}$PGgS%kZTDq&mHPeCz4Myh~|!Vr~uRDnVxjc2@9PLe|&=Yj@)_gi8C0 zXpN&i>SoKBA4Z=sQNdfpJlZ9!{+iQu$Z_Fo7wuy1U4;}iP1zZ=Ig*Ff^(`%1zbXsq z=)>2t_76vk(4Kdrd1rI0U2Kk*FcXarp*7wdC+*GT+xN`dF+@rkwSsyMbrE&m_c^z@ zeIu}m_A%mGI!2o95~8p*PVez#v@dRRZOhiuI$Mu7*XF^w0Hy^*Q)DM?rHy>uJ%zft zeSFEKeJwWBx6s^otc`04lw0%;2-+KGb!w&MQp^_bK z`eOOfHvf*c#YW!Qanakuf3A=n8IGbdt8MPzqPMU8tYn}f0wN#+A|L`HAOa#F0wN#+ zA|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`H zAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F z0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+ zA|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`H zAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F z0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+ jA|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L|)2L%2Jdqw{L literal 0 HcmV?d00001 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.evtx b/x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.evtx new file mode 100644 index 0000000000000000000000000000000000000000..3f9f51c4f98aac5aed5e44b3716a7c4460ec1922 GIT binary patch literal 69632 zcmeI%TWl2983*uh_U841*LH~|M7V6KQc8+%nDt^PZ5(5_D29;W79#OtylZT{-UYli z5UVYsrIn&2N^g0|3qqn7HL6rq6&1=uB~+t;KQptt-r9l) z9`f)XYj$VOd~?ose&@^?V@8Y9W3$DAHE)ri;4;2Fi<)(K%^?qc-m$Uz=ZCID6-Yn= z5|DrdBp?9^NI(J-kbndva9@GZ;`GQ&X%7F!_qVmaFY_|~DA18I`_`_jPx16&Hn#J@ zmQ=E_jx7nZdo5-k#m(M}HC{2xAo2kI4Dm^~x9@Y$4YbK^3)NsK9M!*T!3 z^^gDc)BIn&cF(i*-n&P3{64&c$1m;Q_58X1&g7lcFL%C)o-k^-)2`u=9prXvecVQE z$qH7o3eLZeJ#i+u_*Q$|F50{mad80`;$GHf5LU6Xw$FO;vtUywDIjJN$36I-Mag+9 zj<~-IEx6k1ud~(kGDQVB(@+FL0 z8IF0lGc;~pF|Z%S$q#}W_rJOhjm|pL5rh_y0EZ}#7{|k>h;!;o%c&J37~TY)gmp%} z6lP0(Eg6fpHE2JN3Yju9@#Q1wl%<%O9&A7m?rnwiO+?=n`La z4f(_SHRgfQH0F}}YilrPrx3V+pCF5*B@)mp2Ek!@QVRt)4&tS2YgY{!-FG&0{JsIsaLS#Jx>+94Q>JZhION^DrLN zah&(#vmbMN5JNP9ULC_{4^+w^+B&TPuup_zdLbp;>U+>-1_qV=ofCcH7oc_^_!h@bKy&X$N#vw?YTny{oa3`t@Qp7 zPd=kCV&B6d-?7{dUg2~Km+FIVYEPn^tKb2AXYgL&ta_;&!^*@*kXN^0PjK~%+xy$EZQkM<3_$x8{Y8F zh<_)+nXOwK{M_2txU-&R)X#D#xc7_oRy&*SUA>o>N)MRzIFwFfFJW4;zg+ULe51jw zm{6FbSaLVmCLAZ--i0S)2(Pssd=KK4)`Q~#yxe%6#Swp3~ zYrCU;FMo`fVYJ2)yyxS5{^k2zv1{5=4Xr-H|K0h!`aU>`Xf`f#-u z-@({#fDuP;44=i|arfuzDB7DuEk%qOd)o@97#=9BJWaif1icR*JASk5(e$Z%g%c($ z{~HUn8=g8tj(Kav_XrltOkgwZ-mp_RpT=mN$M=%+^M56oL`enx^4~_=ZMz$t0gTUH zOSQ0GvpdIMx&5>F!1!y=e*3NW-$`E?#ws_8diVzM*H6A6SnnQuj>GAaTdw-t-9WzV zL8>)~4_5)+n{i9pK3rQy<~g)kK>G!J=g^Z5>8@1!XfXFRs0dh+<2lb`HlZp-_3v%$8hCcvlM1{ttgGYy4qp7A<95 zX~yMTKhD<5bGYJ{cjIWNRz8UStQOx`XU0zAImu%$U|+&Mi+w6M=e5=I>qkz^kI!4Z zjsDtk4$ok{oTJB{F~9Jb_ttaGt;qFM?cNNWd*IcB+2rTRT$v+(-JQd}dVc&Rm-*Fg z*xq!l-oXaf9F*(%E+7wjm9W!}xw4FYYv;G8mS24i<<=OlTy0D_zIC%fv=`<#&@jFO z4Ra&o^0*Y_!+);Oj)nu+xu&l^zS$tZ#=g=(n*<~v0SQPz0uqpb1SB8<2}nQ!5|Drd zBp?9^NI(J-kbndvAOQ(TKmrnwfCMBU0SQPz0uqpb1SB8<2}nQ!5|DrdBp?9^NI(J- 
zkbndvAOQ(TKmrnwfCMBU0SQPz0uqpb1SB8<2}nQ!5|DrdBp?9^NI(J-kbndvAOQ(T zKmrnwfCMBU0SQPz0uqpb1SB8<2}nQ!5|DrdBp?9^NI(J-kbndvAOQ(TKmrnwfCMBU z0SQPz0uqpb1SB8<2}nQ!5|DrdBp?9^NI(J-kbndvAOQ(TKmrnwfCMBU0SQPz0uqpb z1SB8<2}nQ!5|DrdBp?9^NI(J-kbndvAOQ(TKmrnwfCMBU0SQPz0uqpb1SB8<2}nQ! y5|DrdBp?9^NI(J-kbndvAOQ(TKmrnwfCMBU0SQPz0uqpb1SB8<2}s~mAn-pd!uHbu literal 0 HcmV?d00001 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.evtx b/x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.evtx new file mode 100644 index 0000000000000000000000000000000000000000..5d4bb4d159ae89680ba533a7704a81149e9dcd6d GIT binary patch literal 69632 zcmeI$No-Yh6vy#%-^A^MzP2Cgcu`nXF`Zk5@SMKpl&c4HmqPN8X~TqzjKGS)Bq}R_r1*g+F)YHeV^CPsQhr>jnDuB2q1s}0tg_000IagfB*sr z+*6>nw|nEh{sa0yetg{N^SBr5M}c!ivny>2&c@OI{oVUny>P?L@h!|Qn1!L)?|HN9 zx$z}tjk^AXeuntB$EADJIio)Pn5{nj_#=tGm|XX3AL?57gz>D?`K{zfl9?0w=u6u2 zx}PTBw<)$wZJwXdj>p{Zadpx^Z{d;jhn=L#k|kPG*{19MSbcBx#q#B#CJ1awaBcg- z3uz7iezN7!od=uh!XJyDEk3K6c+~njJFTxiK|jt<$y=)(wl3?pA)UXiS7Cor_+?Gr zj#{7fs_>8s@A;L*EsDlg&IfdTnH^DC zzdn~+qyARvTcfSkd)H|9hi*H|1eMCKTB~&32HFd@%Z{n#p{PeC`1(raMU5+6(HkS7 z?TC6mtiH;M8dT{jz1q@b+;S>s+cnre6`GYw78G_T`LK9;&YrU2sHTc)tR}lYYugm| zS`u-yW70UR&9+Hp3-u~^%6T)3e<|9tYNA7AJ(_+`Gz6zB<*bk?Wv!44Cfh^0kY@Uf zs!8^I64oQBewAfPlP#Ci8qd*5n&Rb4dE2T$U#s3I$UG=xvve{m$Ofyv^51dgtu_KC~?=KBjdWkYicy9-6o5IkE51 z$-7C5E$>WLr#+GBMum210KPz4Ly6QM zjoTNk)`DD6sq9vO?`pnqE&X8x)u&YO!NvDVCLheS7c_+JR&N`WnA>!tZq<2{-kX%$ ztF%Pzn$<47H%Mhbgr4ob4ja^bxW?Hmp&{yk-w7qLA*@-CGOxoaXC2Cv%=+ z)3Uizoz2VHRD~)nqnEN+53_iNp-s2Y>a5mkR2oLF(27x*JTb*W~M4y*~P|JNqdvo2cI8t+;xS7?<#y7FD=6ys%um9T| z>y;nFD)$+CJW4CLUtj&1>&K=yJiXGbdsCF^9lGwjVyiy=8SGhhav-Oj%5O<8U7%ON zcf)*8(&&e6kL{1vX=rpYc4_2g%T$|9^JQ&L+KO)FxMs~AYNk7Drdp%*x@(fUOUHVx zn^1R?EdBA}T4VJyas3rZ{kx2MtLpF7t6xdvqt3<~)Vic*(^$_BL>t^H-CE9>{V%|T8Wp-ne*lGVf31A*Y&Bz@FVXzb@#hv{^;FuP3C_1raBnq zR=>*Ds_jPY5zV$jqi>Q!r{4Vm*{G65qh%c`?b74Y?=~-6Y%MCEJK9=@+SobT+A7_( zYoaz+s#e_E`1V%o+H$qlrMQ(z`Ry&nkI|!YNk>@Ly}w4I>_}>)quZmF%4(xI=_zd| zo~_>f-zyvlAbDVvE$gA3kA8h7os|8(imE#2+8rTYbR@O zQm>r^tHLT&ND&|^C?NHL2q`Lv3W*0)6cwmcA;C+aAQcJm(ih+bL<^{WKw7@<%$c3F zv8hmm#KSkM*_}CaF8}j8m)$s1wfXX5t!i73luy{eXJBcw-e7B%+rIC;v-zvru0$0` zKmrnwfCMBU0SQPz0uqpb1SIf|0#mj5iG}40_&0uZ?DV<8$NZx}m)YPq51i%g?Hp|9 zgmAYO|N8y?@gH`4L-*g0i%$NH zCpv!r=ZVudE3XATL14RrKc2kr<+uc|uO0i)BbSEz!dLU(+y4T3!d&Bhb{&`OAdj27 
zvNmOFR<&ho;Qk9ZbLaiTmwK{x#g?pwhbwrH4MuGN*&24yj@kjdR%{L_Rpgn)^&mbM zk@AGqaaXr_pJ)X7`$o3hZ;~%pfZCJ-`63_0#nd6jWHT!>;x6`O%7G#U){-O(k zbcKxNQiZhTGC`NU7YXr9zq7N$KIyY9LTVY$QiU$dWH82e<0hWsm0MYxMn;ZR&1EuX zO4(hwxy#Sfsr8J_xUsn4vZUBxU`5<;3Gn#--8p+01IS?^5t|EGQ`X*xn|S4%|7B>h=>)P?5dep%f;^6gtB7;z!|VA?BN!I~ zPtN+%K_0Uu*-Ogl?l$d5P$5HRB$0fokheTzc^ZY{4dL5wcG-l>#yDy&l9-jdV7cs9 zc>ayNjibf}0_SXLpr=v2g%0bYH%SRDfnB&&Up?&&D2;l{98v_(NEldZ!ZaQ%@ z=J7d9(Fx?7#Y9?madXgmEyx7T=3~gfU5x{GY&mpLOPC4_E?O(8Y_P{3MF=Ntz#hcJ zJb{Hejr(D|4`XhRVTfkXt21~Xgi0NRob4Qk2T^^zL0=yXk%vRJil`%Av-coJF5au> zr*rlR^p`FBKJT*K=}e)|?#b94$cky{PRwF_nMFMet=~fHvtH}L)6kuv7 z>;6lH*H6Cn&rjd@={IIJetl}sMJyfW!U$Gy$?seqlTUGa#as8Jo9eSj=dL(~Pksk; zmR+l7uv2kK^65UDIqrtppn&LC?VO!=1cyuixk+Kw44XS zc5PvjG1mRQ#JiIcotsL;F4@S1F|mbrCHXtBDmXW0u$f$hYN|VDA?rTi^KveF{arrq zBzn%hD%y(Jk5qR@RBG6lx;H7+?MsbgI2&$do%73g1?8}3u(bz#IkxIs+YNP&Y8me} zl;om|=I0bzoW(4tA&q{W(8ypxVdt^kwg*cnbZ0-7Abw;ZEnar~WE#FXcx3zW_SF}E zaOLdS`t^h9p)dYDFsz0OMwcxuV!be8PDF0w@h-CPooHbX7^ZmZzy#%gW1)7#Dl?R? z@OKZktW#F>^~}3(*g4$KyBdpF4ABn|{v?@28x8a;`Zn5!i9d|pYXmYUrcfWhL8ASWqr!R*;e8r)UUhOqh=j+`MgXZ!pFdvp zEL(J2+EF}PN8}~6Sw;I*e3sCk!-(V%UIRE8-zct*;CjS8t>F0(?l~u_=-V8wODO%M zYwHB^H;}gA;^N-Bid<}I$}ZuWDHN*j7}=W36PL;(cl6@Vvi28KN6}Kzr50Vx$@OR} zy@V%G`T(wuw9=`)UH@BNd!goNG82anAXBKHEONVZ_Av#$c7SG2FT?;b&%& z&e3Df7+-wNvPrC^O|hP9l`X<~5MG0rO;MbTl`-f7_U-mOgX-Z*%;c3;~Qxk-;uVtQFL)!_3`kZ zE3~8G2+o5zw;$h8A76W4X`n*_5|DrdBp?9^NI(J-kbndvAOQ(TKmrnwfCMBU0SQPz z0uqpb1SB8<2}nQ!5|DrdBp?9^NI(J-kbndvAOQ(TKmrnwfCMBU0SQPz0uqpb1SB8< z2}nQ!5|DrdBp?9^NI(J-kbndvAOQ(TKmrnwfCMBU0SQPz0uqpb1SB8<2}nQ!5|Drd zBp?9^NI(J-kbndvAOQ(TKmrnwfCMBU0SQPz0uqpb1SB8<2}nQ!5|DrdBp?9^NI(J- zkbndvAOQ(TKmrnwfCMBU0SQPz0uqpb1SB8<2}nQ!5|DrdBp?9^NI(J-kbndvAOQ(T zKmrnwfCMBU0SQPz0uqpb1SB8<2}nQ!5|DrdBp?9^NI(J-kbndvAOQ(TKmrnwfCMBU o0SQPz0uqpb1SB8<2}nQ!5|DrdBp?9^NI(J-kbndv@P8oiFYAl~8~^|S literal 0 HcmV?d00001 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.evtx b/x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.evtx new file mode 100644 index 0000000000000000000000000000000000000000..f27db52c5362e79c6a22584388e2f2ae14f7543c GIT binary patch literal 69632 zcmeI$U2Ggz83y2YW@k6+O?KB#l@dZ*9GbRCi_?TAg%D_Q{gYab-6VFPK_D>R^-sJ% zk$0WOq!&>jLW(Nd0xgwN35rxzl~9E!MIqt}gaiT=#6^*UxGEC8;DWSN^ahsqJ2MmS zt~W6yx9>#bojLQJzvnx1*6~njW_Z3-MEl`K1!wr_ApvxI?IAaO-@Uo+ zxgWmuRC5crrhvEC0q-P%w}R#;z?L-dY5p1F{T{EcQRhkaX~(VX(~f^d@js5rt?UBJ zX4=N{An)Ic{z$T=t&eilmeqYZx*lWfFx$M;){ezo@Axe}ZsfQ#{zJ|+8oB#!=9IQ^ z-ea47>Pm53hFN6Z~1c+I_9%&i5LP%gj}rx9VgH6If=; zb=M;ocz>gDjN^(kdgXK)hg|O`*;j#4i+p-N&*6A6jy@A$oP#a%A&|?#OFbH`haH;& z9Ke#R$wztQ6a5K{G3={R#Jf}Lny^MN$Y*!)OxcpNW_Dc8;4qt*BH28rKktTMbh!X2 zKbJr%@YdraEQnY7=B{=4Y!o(6sS2O@x%CJF=J+<=#7n&JdJ+d2Xt^r6AXt!(TX=Iz zv`&Xk2bgrZSa2b}b?Bj&H}(qH@ycx}Ji-K8T8zlL^Q@&Lw(%x@bB_N$jZr>cX5OlF zEYRITlh_oH{Sa@Sj#}LR&Gqbb-kAR4vmEsNI2XC*(fD5y6l-x*S)-Nz_csP2)GgmU` zXNz?X+*V7SGY#9#twTO#n}Vf%@2`4bU572%oUTzRYs;n4D6@}v6S??W7bkGa4SdOU z6sGrK8waxq8%yR-UD2AIW?+r~qEV!gPTAIKsXezZP2su7HU`LbA)WBL-Ey+c*p9Dp zi4HJwiVLaY#%)RKh8K8^#zPFSUCk1=zmj%PWiAC9T==f|NiUDjaR}q+!$Vw{V|-B$ z@_sje?&jLQA0}=M#ar?Bccz(COU@F<7eWFbW<)C9m1hp7aFjE%KBC!ez)guD*MqGA zHZqh8(4Abb{MriVlEx;a(SvT}`84g$G%_xZRopSmJA2LvV#43bGH-9$8syP?=G8y` zhy_wc+uLgOskx2--Z*mhOmT6&B_?^`v;KCXl%KDQZL z(G^VNWRlD&NP^bVdW+xL=Qj-y|~ zS8&|rseUyX6C8N~eipdN(z-Wl%e}N=&HOcL#(SurnAd!adB-COJZG-wfxfMK71yMxM4j?fy<)Gi7!pZRK76?b*iXk8npBvRM}P-VPmuHxa`V`YmUzPZI53)x^R5$ah*nJb8U}n z9bx+%`ngmK)Cl)>R&VnPzhlQZp8}oj`^|n0>*d+pPkSrv^Xl9RzdYEEWpKb{&VEx{ zq;!ePCme@88;O?sET4tjcO1bW9TJd$1SB8<2}nQ!5|DrdBp?9^NI(J-kbndvAOQ(T zKmrnwfCMBU0SQPz0uqpb1SB8<2}nQ!5|DrdBp?9^NI(J-kbndvAOQ(TKmrnwfCMBU z0SQPz0uqpb1SB8<2}nQ!5|DrdBp?9^NI(J-kbndvAOQ(TKmrnwfCMBU0SQPz0uqpb z1SB8<2}nQ!5|DrdBp?9^NI(J-kbndvAOQ(TKmrnwfCMBU0SQPz0uqpb1SB8<2}nQ! 
z5|DrdBp?9^NI(J-kbndvAOQ(TKmrnwfCMBU0SQPz0uqpb1SB8<2}nQ!5|DrdBp?9^ zNI(J-kbndvAOQ(TKmrnwfCMBU0SQPz0uqpb1SB8<2}nQ!5|DrdBp?9^NI(J-kbndv zAOQ(TKmrnwfCMBU0SQPz0uqpb1SB8<2}nQ!5|DrdBp`wRL0}wHD5J>8q?gASuclDL z5*9I!3T82ZI!o#-slm_sNC*9m#xaJUuLc-&kEVFn&oedpOn~P0KET@6UMXs;pDh+J zz>;aqb!Q}1*B#3K&a&;S9rs#vBdFp8mRsg#9ekAM z2%j(D0LNY7x#%W1k1Fq)C4g;=y}lN(hcWL@0GJ#aJ2aQ%{8`t|N4*3*elG9X_t(Sc z|MU5ae|hTh@vT>~dC!B_Xaosh@N5@`aMBIA-joxcnHpu))=b^Ul2w`NUem|Vay*v% zFRp5Fs8fp{#8H~nTJpbE4*aYa_VJ}veH`f2#}qq*YLmQ3r_C< literal 0 HcmV?d00001 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4718_WindowsSrv2016.evtx b/x-pack/winlogbeat/module/security/test/testdata/4718_WindowsSrv2016.evtx new file mode 100644 index 0000000000000000000000000000000000000000..43ef6f5a7877fefaf1892f54bc1fd04ba7c6f87b GIT binary patch literal 69632 zcmeI$S!`5Q90u_Jovkwiowg8+!EI1c!L+n=84#D$(kh{VKoL!dN$E_XbUM{8EH*}h z8WZ9gmzeOPCT=fAO;l`rGd@XBUo_D-P1FZtT%$gi@%zrbcV=2!*B2kYJ2^9VIm`e2 z&bjB_wzoLkH&QIv{4ElkIF4V>qGpZW{4D?ZxbfWb2miSeRUiQgNI(J-kbndvAOQ(T zKmrnwz+VdV7KeKdmPYY6zP~N@dz_c?Pl0UO?8I-+obhx2`){`MZEEkK+8QoMn0;So z_Cwt4t61$7vz1A+Yw&M~f4ZIhi!u+RO>P&UO>RF2`Ckjp^V}(%8=e=>bvXVd_$SHA zd2NgZb+PPA!TvVn?L(cj^Xg%qf4aQ~qrbad7XBk=kpgSiVoYHhj{EH7t55wh^pV%# zdA8L1_Q#!{hBa{i^;5Z>r++y8*p|<)J@X`b!d%@=b`rbnAh+42aqG3iR@80b_CZ-_+4+U_;g^e)i&U}P-%X0&QZiGmp{Q+h2u6pkg(l$3^h-=7BRuQ%jH`U zS2&{I%_Qw6*ZN_!l}D}#TY3n$~&Ct|i8!H(ggStes%;+9}OtXUDW8*JK@#H9vn zh;~P98?xOQF1{E?B*cb2&7857RfBJSPWx)Ar8VRo~11sF%iUsjek` z(fS(gU8s;DGZJ4ul1W>dvD}A3;ezn&_e-qDWn&yg7fHyv5Bd7~f;&9@UD~=);}int zY?(q&{dzNX){x+$z+vxvx5?PFUlaSZNTGU8mvVUwZG?-+>DN=}z)=_Yv}?#8-WwSQ zM$;He`r}kEXNQn+5}zQ7q$LwvS~;}$ZA?P=U|<^pWKx!ldW~*6aWUq052k1jat>l5 zm0a8$v_|t{Ub%cdGH_Mnz-=le9n=`60)zAKl}Oxcu)PRjyEWVOn3&seqxR#t4c~2; z+g(O+RunG9Pq!p7s2rSW#OFhrU4$Hoa8(}ePuL#xjBNzHTWZUru}qV#irF$`#RPN- z^A(RRzb{E!VM%MUMr**;q)SOlyL>3(wmuy3Iyz{3Bdc)E>nyQCY}w zdgG@d4CX9FmoVZ#?HI-1E$Zv3dZze7bVm ze1a1xT%pCU%cm{p)5-A|)+FA1yt*1G!F4b0Wf1+e?YBd2oTe&+u^W-+ zEmCi`oWt4~)a7nkzhuKACBro|Qjcg^c4JWX%4(}k^U7|9B_9;js+N!V<=cbue-d>+ z${#=~VG=RwsJ|4g2}+(QsJWZdGMd4GQQT#D;Eu%c|mqh=TO_Tc9K5@W;-YdN=g z7GJBd&-t_6^}t_(M{y5^0=uAiz&(sDxP2%2USLU%#WmPz#nC$a1~XuJpwNeM#o%`L zXKgP$2QfE_L2py8w|H;FgJrp`bUpQZi;;2y;mycjp2L%aTYLq+9((iEqx-sMo?ahq zec(r^bVHCY1tlatxF_87#nWFOS99}c4=Q(=p8RHB0S+*K$ZceQG zD`m5AZh>hFM%|B-u`))!?v5fY93NkD8DG_g?G0Dz?W%FjLAe@Vz9vt2K8xt8eVgk? 
zvvH&%(lpW-5-r=17WZqf#FwjSuj%ufU>TO?lF7R^N`b1|T(t-sQMD0%yGX&#rVq*->7Hg7RITn(D2!r_Ac!1%xe^T7{g?#f~sd~Vg zqPoQXS!sQC69mWcvs!rKMK!dlX?L&mKzNH~8vsaDiWhcL#+@`6Yq+#5h82ZZYFYKJQ@eGs7cH+YaylTAQtAFs$ckcbAcdT3o#uE&0LWxMCN%nG}S zv@CGt42Z%l%>^$;GV^!nNsV}tmXsvX>zT`wn32N}Q#w%7er#L*6I!5cEjgVKW&W-W zHfFAz+c9|Agvhvge&EDm?sqg_{?|s=PUu}4%<92LgV+G}y#uP(AGgPP_{RkLb;l~X zS!(y*+dJ9&_}ZrrUD_Hx@2%=`Dt_pGB>qtNBb!w8{hOo9Hq3jzD|LAH9huoUIw}PV z#__5-SIe5a)xCnyy#{8;`FWKg5s*_vaxHxQqzahDvl5NvlnIoX@i0oP-HMl+Y%8QeI%cu4)3pd{XE&RL<%rt3dacN>5Gdoo}!70C^ z6VU>t7QYop-WMSv=zA01SC~Y;UrLEn9zZ@ne%eeTOzZD`5L6Uc0e&3ER^A z6r@W3qag^udVti~pTOWV@wCT9L$H433{P`Y#3(hR#x<2r7o}Z9b#cMBj&3H~CG3XcGu!-C^BetmPY%?ixC$y+Vt@xFuk~wgwmA;bpW*AZR zn?P%qk?=p5{3GM1>;|l$=~HBW9JkAHLAzTJy!1Obh3CcdwN2#izbvTv{d}r3{@4s*u zTCJ)oY9??-EfH1bcyk<|Q35CHv4$7`q7j4ov&B>YK0ID|)xMiL6AO6GX&9>Bh z1#0qD)BC_RlgFJ~y6=2tG-0$BeZO(hzKyFM{`RH!7C!U$chPLm*IRhi^Hma?i`wTg z?-*t-rl?An3Mx8{k=`Q2XBFnuOI2| zN7x&nz@kE;Up8xDJ@oW{`8%iI?%fklVTqUM-CUw~JVbA}<9&#NKB9GiA*OnqpCryB z_$D7q@J&Ac#|Zy|@t)s3gm=BR^n3)*?;0SDihc-0$zPJ%Cvwn9{upX_0-D$?S4rs(ljd2UT%N~%1<8!i3nJ>2if1FlEADhbd%Rrm_uH-mQNqR3$vy#%FCr2j9`1fsX_R;3iHYB zMj0=~gIUFU&U>g00lBRDRUqO(F1ivAR~q%S<)E9oR9W1jg1GpD8U^vdO@NQbmU^iJ z1<1w1EaJ~;OvytZ#Dm##ZvL5%w!r%U%54aI>;d07sE113VEZ;ae955La8Euyx<~P} z2|=Ss02fgY!YKA|E8;r!;e-B!5;P-$Jzgrw(fp__mMm$_3B+-GI|y=;IVC#hU4?$~ zb6Soek|_}W_U(LXQo%SK{VF9UTW>fm1``_|YBPfm{;aporkyD*+VJ;PUStxL^ z*Z#PK_|rNi&QqF50j@3+69f2$DMX%rG7lNpuM$3{KBO1#CQb)RlQ=E@m-CD|+l_!D zIE_^J$meCz%0+vu-UklvHh60?pfHboIa;x*PArW1IEpITgpd(bq(PN#F0^9O+}gy% z#}I&}8W&u{piePs09An#r?(ZCM_Wugkc4&$(FRn^t!Suic&@^473y{vMbw2{b>epw zxH1G5a&6~w*Z}gTfIhLxhcH}ZV@S2mUZVFSgx8eSy=`8)9{J@j8+k6E`8n>w5-M}k zJOo9xR2OP7Ix{_oJ}M<2mB1I(A1=OpFrshEmzY1H8@!yB#kC=F3er<28%oh)U@;xLHbdqvD%2rVoYD zLoP5x;{yGVL3N2m!=FIIl%%czQp+(aj2Kr~G4c{(bmEKr1sBcd@YP26aw~ixcsxeC z=w?-WMq^dPjG3dytTkdP0i)-yC{0W&m8eeq)p{c?=g;6xi7jqCr>yuMJ$?qMZUcAw za1EkrbAG+L*sLeLv+v8iQD^Q?QOIbrW)mB=Xm2~2! 
zqSJ8&0(#sABPGlOBPH{a_@xguZUrxf6$KXGt^kG>QZwpnGl05RR@E_fWJp_9;P5zQy`F%&eOxifLW4SDByaTxn$Z#_YjjwMmeK2k$h zi^IdIxbN@2yZ@%}!4qq8D*p=NUA^aC$+^G%V64A=9a5Z+P~1s0#`*wqG>WhLDNl9k z++*oI5=)>Uc*}kC7`Sx}LR6yMcnEHt)rgrcE_clw>mX?CqH4sd#@S8vNJTfEqIe2n zlu$>t>Rmma>+t;$p84HcgbL%{gD?>l`gZj#u7jhh7TVL-LVJ-`PVuG5RWEW;gH%Uw zk09Ng%Nmt~8q}+`NPP%7tHad|7w4RLP>1nQ1pZ;=sgai1dlP1^(|JF$~z^Q6}*Mnv{jc={`o|C5Mtl@F-I%;;?5MT~8 zx-}r1T9aD{AMeaGIM&cI(cr4`%kVKz?MCiHaRiU7UG~b-*Lq&k_C7H0d+&A=omBUi zG}h?ckT(}hVRQ*KI{NN#`7IZq(cV7x{0shz&-MK$dVWKTdlgP6?TsZsqSmJLp+pJd z(UO4zU03s&1L3BFITi+us&es$*bonRYZtFFjiJG>a5M^UnU&{9|<59mC| zxGWfrOdOBLX^9!9!9*RIR!m2nLK=89&1fBK;AY)~0G?92Z9-{URIKt~El~&TSe&zd zRfBOMi}$N>hd!*_VZ+T}9s8}ovkBha3$WV^$9mRj2uxE$nvY^?hYl3P*!OzeH(^A) z9XekZ?WCJ9GVVa@ZNxo@v2Y7~Zh&7CT(xzjTQ(OTX+Cv&{F&#^)DEUeSAt3i7wg=dlK3+dox28k@Ky=El7eO38|3;bMWr| zK1TBRQ`d1g?!+ZXg8n~iK@uR}?Eh<4!#6<^9RFARXN@GBOhOWFD04;6L} zF6?~O2}xk9p<(F#{2K(u!MM#Xh2Joilqt^eV*_Vss2{%Wc-3>wcbt8;>y;;-I-MS8 z2!pnTGcf-D2aSN~2+ojQID_@S`{}rJOd=kOn2uZU3$cXAW=n`QDJ>r6+7cqBGW5ma z7aQSTE%*iZ|H|fG@C(5&_@BTjY~IBZLj7Y5Ekzv(w(Lpx#q#$%;}iS3kJ0_ZVH#bkAzrc-;e(@u*lK>u*Xk#FD z66Oq#AS`{%xd~z?Au}%QEoFK(EmNOyad~hCb7(*KlQ^8=+i>3}ID_B}GUI}0c*u+k zg&~-8<};mf@kA2Nux^Pn&hXEIGYHOrxf@fkNY~e>VB1=2hJwtvux60Rj0>4@F*7@f z?KV3Jo`GS`xX5NZi6^hV+a*j ztxtdY{D1uDX!&8&N#N$r90>q!v>JgU*%ZRBDBXL+pC)^E!WeAobScYI3N$dY* zie=oGgk`*Og)^4%Pl9C#mLXV%KF8g{X2fPfY$h(B&4d${k*wx8 z&IrZ0AQXa7hz*6

2l$bAWfXjo+_RcKsZ}Ty0*lVe(x+YiQJSVYKJ>|Gn|?v$u`c z;657&MUR0{%zW3+BZ5$56+*EeRuqYr5<2Q2yM89Fl_0x*%C4WOcm0eF-UUezBteh_ zY>dJGRnpg+5hOvO2rlwMza?xjUy7?lZ6eRhnVCzP@#1FY5x;9jGLlfU&>2a1QIG^M zQfwW>)Z-uy1HKkc948 zLlQnINJ5q&3Ei+Zh~R%mQ3@+e!9o(EwpkitlOQ$;Vv}IENr(;J1xXMjL68JN65KQo z+AO03d@+hJdq_fesWX!BGeHsrNf4U^u}Kh{1hGjtb$Wb8NW#(Rp}f})U%c+AvNz8y zJ^IH}vwWpUoJ?9F(!0PJNjNV^f*=WkBnXlqNJ91?30;7c3vv0N`|^fFD-^_x zwTJMW%_~H92G{i+8gjLrdho%#g@GqN>Vzb8;y=;DYUj&g%$?{^c8OEpV>2>qt24;@ zk=e8pg{&WG-~XV6_M(mO%&QF|@90C=Uq4ew%eiHDXS_e{2N%-3oru zP4x=H;oWq3N6xUao(a?Kii2D6ZZ`Mrc(3em5mOlizYt3Zv4jvyh}pA*NX9RAlsMxT zKNb8!@C(5&1iujcLhy^3T0*?Gyx`ZXuR4G2Jry@rUHtj_6LXJWd~(+C3t3$>rqh%}=R>LJ6eQ8HQiSP4Oi9*+0C#2o3)%l78&;Qe zvcI_3t=nd>T?V8HoyO`wnub;nku@Jb?Wn~;YJ}|RqD`=C*iM__+DSKI_tg%p5!r}) zkUFUaJ~zOx39j0@(k+{dk2KE|zu3Oy_jUiUu6e`bo8Kw_M(OT}xyLU)F>CWYWbMi9 z!Y^d)NwJd~+vZshCv zs81@FG&SC$A^U7zzI`^|t2o0a+PdoA_ej}wk3P~i?te9SZtii0kIx#;AS+X58_p2F zY6S0gVXY@2D^oVBSsVw^6U%%Iv1dq)GsK4Wf-?xtAUK2I40DMy{A<7&XZT0K8K8ru b(Yj1~1hHo@Z9D{LNQImD5^$4CfHV9*Hi+ZS literal 0 HcmV?d00001 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4817_WindowsSrv2016.evtx b/x-pack/winlogbeat/module/security/test/testdata/4817_WindowsSrv2016.evtx new file mode 100644 index 0000000000000000000000000000000000000000..7dda9113651d5fa4f43e4274230708bf48f58be2 GIT binary patch literal 69632 zcmeI0U2I&%701ury}Q0%+q-rn^AQnn(j+7SJF$ZU!QsRBqog>F8=E8*L13^=oUFZJ zZIeJG6aokdiHb^qka$6r5TdOrs)8s{)uKkN@<4$gK`V;d(mteWK_Yx8h?nL6pL=iC zUX!G0B*epiR(J2t%sDe>e&@`Yv3v4kz2o^&t1OAA;Q-#ACC%!+N|AG}*I!V2>zoJC z03sj)A|L`HAOa#F0wN#+A|L`HAOdG3(32nQ+Bvx!f8&ScRPO`q#yb?;D-UQiRjCrVH9Lk(c`Jn1-r02^nk8F;6R;_|h ztNA~ku=M=%FP}a!{jQhuJgfDN^wMm;s{SiFrT~X(6aw*$q6P8Ek6gpB~yX}P7wC%C0Z8bhqb|+d!Av28M zEqITkrDz4z3N{AG7Ss!9Uu}EQH;H$ft-v1O%S^;lK6bMY8I@G){VYP@uV4Y9A@Qv8T$c-7zVO&EPvdY zKy+E((ur)+(!N(?OVAKU`UTZhwlxwP2dPQ)C9*Z<`|$C_sKg;Y@3osdx| zVHcrtQ52^=`+Xa7zS!+V5}eSpCRDfuSblMF+BU<1bPEx2I*%izY$+=7&e`>5U^k)r zUihs5jw9es(Udj%z&?P=kE0PgepG`=#~sryh>pSlx@ZJ44i9$`V`{_x%p4EKO2Cu0 zhNPE4w3Ks6Z?bL{?JXFPCexCTd?K5%3~hNBN^wH?$tN||<-}-5-dPf3-2u7Y-e`ws zj%TbBBTmC`M$0r-8jhQ-vRs-;fo^aALxXYZa3rqj6iRgrmr`j0bHqvH*DqIN0sEZc zGj5{Ly*JVhc++T0=Finp%-#vXDSRR;0t?bit#s|f>jMzp8L^E4WUDPmdi5@xn2cE- zM2L1lau|U$>FlP{>do`LQfWH`nAPaGj>*7*nm{PfxNxr|Qr<$_1{3t%&V)aM2J}HHhyPP$>W*qn&=Z0mH`$`q`EMGIZGttPb&-T>^=8oU6zB(snb} z%bBA!*V=-lpKY+kzI_Lx2ut@MigB2QD-5jB0&B2(%b_=LPhc4*2NhR(QDZ-rZRh)o z+17rP1EMq?D8BmF*O@a{UH+%PKY*OK)4kvI0=WA_oR?$2jk4<|*gZFyHG>V4*a+6W z7p6DQTVpfgV+Q?PF(vP^Wludcv~TE%jn5srwj;UXa9t&pFm?Zg|2lYL z>-!C#FMIj5OZLNm^+i8@$I-Sv^~W#w5L zDs;QSlE(*WmGu*${@O_YG*Sy$L5QN*g4^F?sm!90=#}FqheVDNmha>m<9q?5i zv$3TMJ-zT;9##$FO0WWLH(Q76>p*W80*^9XXxWB5I)Lv1v<;zcGg`Nxy&K&i z2Q$nR-tjGsk_C*l3}ei0Ukf+Uz8SRkJBjeZ#N&jilN-7PGw}E{YpTW9^>|?2?FdTV zgX{6Wx`}OO2Y%!82#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y z2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0P zh=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%) zfCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y 
z2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0P zh=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%) zfCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph`^Z%j9bAb gZP@Zw>pk|u^1Zj#nE6n9$UM6dPrc<(58{Eo0{#d_LjV8( literal 0 HcmV?d00001 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4902_WindowsSrv2016.evtx b/x-pack/winlogbeat/module/security/test/testdata/4902_WindowsSrv2016.evtx new file mode 100644 index 0000000000000000000000000000000000000000..695eae2bb3bd58c67f3612dcb789524337ef1370 GIT binary patch literal 69632 zcmeI0X>3$g6vxk-c{80(+nE-uB7&BkqAi;cSyZ-`y;fQQV~tj(h0=BgX$w^nQ&BWA zQE?+Ags2!q#06uFgqTPqCVU_u#3d49;wSe7l|V3Y{Ga>YW!j;LNHj6|-^qLLF6Z5Q z?(Z!3wG}Oml}#-Tl3fCRM;D%s1Vsv+Y>`WD7xqhkbjg!&0umqr5+DH*AOR8}0TLhq z5+DH*Ab|@KsAy@Nxgyz&zwy0tzGs&X7CD_G z@@q)sYq$G|ND0=x5&wp`*mCFs?`+4KS_WcGEvJ0>1Af2uZ9!jSmOeM5ecJygN&l=h zTK&27-JO1YA!I8t=iaP&RK}Jg*!#a-hTDJa_zR611)D-IYxkO^)q$TnK6T=bBl*r( zRU`Jb5R!mV3WKGz9lTks@#asyoVnGSJPM!=#hxPP+xjC}f z7i$8kB*p@ss{IRP)Pxy zdb`?T2Bx)=j^Er{?LJO-Jwb@mtmV8uI;RScJB7QH%$qS z++UDQ!AsT0b3U1G4-l;%oc&_W(aY9sefrJ)-*1DaDg}#eLRHULEwk3EJK0n{%eZzu z`ZWtq!m|Wtu6osDDHoYZLr_Pr#1+=;7jiT?YHrf_=zy;65-1RfsOif5_ltR*oZK;EEW*e+7%V2eI(kf7^MGCBhpLvPj%V^D*;jczZ@aAm1TZMPmAPmZJ zUX{yu+{Ysnlz5HYZUUhKnrP8VlqLuD zCohLPp8g-ZS)>&fia>Ph$s;^$n`ka4hw0KLYx|_q(4@ zb}!yXgH6C1P`!Gk70-C3@5354>cg6r{H0ukk1D>x1dQ?YQeWz-j8t#AKTr_xg0fc~ zR8@sxlWL$K2x%Ag7kH@yPuHyJ<;A}jA-CZKNElrkfPA%YR{hHI(Cb=t$ka6$y$jDy z91Qw}*KCY_7jjJ#QsXL^rXDFmWEfhRuQZiRVXk4AqkI2&dTRk8@H#ILmM^#*+Xy9qvoGRbz)t}`1^g87 zQ@~FFKLz|0@KeA~0Y3%&6!25PPXRv#E|>xX@^kx7Ex3j5@k5Jgy@YpDqrkCvrHaQ~ z{&48%i~rAdk{|owYx@-%#wisHDs?7Ssgp7GJxaBw&wEod#7|ugU*McAWRsVMWRsWg z@V=iVnUgcuWQtB!+ z?8xb@S`kx9TX1i1@6sFoG5eiB^*}%+1WpWVaS&(l_VQk>N8Z|@M)2+Ur(15PZ^B3Q zt)Vv3CVxR*_9n!t0cwuQQ3a}q-rqy7xM{NU#p-mY3D535gX{DrqW?WYKH2m z+R@)EHJLuip<^b}c3WEK(I+!iA-yY9xpZV(dS6JNw^MUzUjeN* zip)446R4`1(g(=tbuX);M$2J& zlu`w>FDkLBiish{$@B(UJo|908cGK;t9m3 zKOH%dGE#x1o1rDCKun;dWGo%PQH{a%DhOH$HJ!2oiwpTmRBWK08bcC>sWz$~Wy~~k z)S>jg1O4wndAlni%AjwRPXF6dsuWTZa&Bi1{pj)t&>PzZ=@>>fn^cFASE)vHL>yvu z?$9_jioP#fmhYUPYDLE+)=*7iR82aRvZeK+Tug;o=oaCfKIkG&=Q zrIGIP!K@9X4F|Do`rdO%dYkjUV;jmJvuQtnV?J_5T(-P0h9VWaB=2obuQ-l|v4KQVKU+;w(=1L!r7+S-dA5qGrc^D)+C{Eq 
zxpL^t>V`8BS);0vT0XajoO?}~)fyGfO`){p;)7GG?EI+E`JLqaf1-LQoj-+M1(b6EY2C~IXRJtVQj|Abs%Q-9@E;$_g>|Dlj za?z4}Zu5kjT;&3bN@aa?mb7PCIznHKxj^a(6i2Q(8VoSJh*zlvragK}5Ka#~_sbk0nxImewxtRQeZw2Pq{UcL2 ze9&OY=gx7^`3EeTI6#@FIfUyUR=vYsevB6`cYLwpv~yf^{sD`oxCLdN=3?>>i-X-i zZWazt_FC~mrmOWUSTu2fGEZ{|*FUUw0=s`q5H8;w-n8F2E;|2!MH3e&^E8*R{Ub{_ zM4wvpk#ih$n6C$0TxZ=2b5J#4&28B4(t~> z!r|4yx!auMpo>$mXyO26p5_p4oU+Cj*yB{LaM>Bt>g_C7{R0;FjoWwKfTPX(zF1@Y zm~IEMQxT`2%+p*mO58V>QC=A5(?P zk-NLTIK@@}fJIaN3d%gq#pEB{nHdHD;B}sGSTbqWU-De#0E;FLP*y29SpAORzwzwh*P}2Mf~Hy;^9|KbId<fBqhTpLvW-WQ zO{49Gw3cyf@uefUczi66xhtX(kUV}Zjz?MX=qf&=M%fuBV(UJC|=dY4Qy$>in68H$RK5wH1dZ23J%rbV!ePweM`rDH%zt$pU{UA4 zduVVSlvP>|xpodSgu|qQ`{ujL0Ty-sa5d!+D2ogZw+e^iBlDNP=&C=!qK*Um1C&Ju zhnd3R*6r(7yUPIimH@Kv`sPm@ORsyCl@GX@OP!<^+<_L#QtNVQEu0Oz{i35~H28X%Ap~sg8 zUjD+>@&Oig9EUX4zOtA0A-QE zVS#YC>CBsNxa$wFh`2O^+R=F7{&NEuuDg{$+9s+2Cm%c%)1w^$&2Xd_Vdn-UND0rYR5d=rutt zq?Y;~G{ZqRl}fJ;^lC$|{&aRn+UiU{{%ucZ@o)P3(RLTw>O|X}X@6%rBedOx_H1)dTE1d7p-oIG#-|QVu=09CKGc20&AC!3_|Dm5K{PzBov>u29yuM91#Q)K44zOtA z0A-bwgY{cZbE$`L2OKHBSPa$1htyXXaFp5)L> zdLnC5T$?3Reat8~KMT)Tf>}0V>FZL5ANsR-%`uCYK}BwJfkhJ+D2qHU9JlTeE{n!w zH*wBibma#u>bPvDoC0N@M> zGWf&js%@O(Fj-T6EE0<*4p8Pv4*jJ3XhOAPuA%chXN9UUy_-!VT0--Pg=Vv&@y*th zT|CECA=QU@bWCXSuv{v4ta0gFj?lij%!|u?Uf(I)PGq{x4Hiw@pv>o{<93&Ddw$U$ zT=2J>=9P_egGCcJDD%1LxZN$>niadj%|1R67ERos%;%=#c8_pdz0z%NuxR22Wj;3@ zw_@QoaK#Z9;-uZ*V9~@4%6x7*ZubheItx#@%ncTG+_-%h%6x7*Zp($+{7ENW<_3!< zZcyfP({Z~`xb zr{TQ$kRK2ZYwC2I?;Ho+@6cgUlK(soQ08e4;m!|Waak+v_v|0P5-z!`A7A^OWB!4D zNPE2<7Hbn27Lg@@*gsCvI9n+51ec#aj-^PoLqFs(;_#qwXsI?k$YG`Qe~q74)*cUw zIu7e?$~?gViBZ~0m?kVx1yi@tno4I ze`|zGqq^NUpL0C^+3R(%hU!c@Fmb7+5rMfU?TUA*z%E`^5&~aC%uwddzLb=R`aC zTtrv|hvGArUyu71Zr6k|PjE1`YlhpNruN*K(Uy6H9`=gobYH6U*Nsc)nlx9lc^DXLut0x%}qmQsVbtmwvo5rOO^lC5%^&lhmo7Kgvo) z_qf5Li5ryp+$a;%QpSz_tBP>Td~M+Z&i&4C)Ab*~qK?~#qzcMB!HwhHyEG{z2aAh& z4(xf)Qw$21YVTk1*Y%EZ(eGpcrWy0aXn3LbT z%K;Wm{sCo`p99CKc;WEXu-Z3naLgZcaS9eq9H7k89Kx=bRebJiRpGKfX6F6QanZ#o 
zSTu2gGEZ|c#wq52IK}>vARIO~*|_63uKEWo);V(JjDdgsX!zEL-+1?U`n^q1UO<_r zIfU&Witg)~2iJ?456ysWE$MG=+U*<{oqxch$v>dX(_D=Hv4GMZ{=w@+;jlILlXH(d z<{vr^uvn8i&RIlOC_`9PMXpalS>@!g(8huNqPlQcQ*YSfO^$KUmE*8D`1XVz=}){e zWMB5DKdgM>+bW1tQ08e4;l?TJJ`Zt<*Gan;~qG{q?>i%c#xgv)_vm#y0D zs=vUZi3^lP9v3c8Y6_QaH#cv8$T2P$-)HYr@U~#$;|TO zTWSdhwPVn5cR9eK&Oew#sj>iN7g}Pu@jA_#VQnVO_Fz3xie`eK=j705{KOQR0fIiI zaU*n8Kbli5pFX#qZ=_xsXFU&kz?M-7lUfvXTpZq2rmIQiuF{U)70T=s)_7HGzBih; zMI{7&ItS8guV4K_I2`JEBEOld=`4Ej!sYrQnz;$eDycuvxO_W@+QQ*T zx4pNz%K;X3{=gidtdepdF9rv$Pt_3)FZ6rnp%#w$gRY(ni?zuESVR`RctJfE$~?j0 z=eDa`anoMUyXFFHq)bF2?pN71Q( z5H2e|?OCh4t6X5wRGvUtL~t3_;^0+L;KJjy8w!_K$F+{{?HCu`_Ff6YgTe*3 z1Mqy*Q07Svmwr4ev0`2r&)P(|1zWq#4Hiw@pv>n+nOO1DMZk^g8BK-Tj>YR5I_Gb? z-+#d(J*md>w=7Fu$lrK=LMZbjw~P5bcxkh@v(b8OM1Nvmrv|3Q07T4m%enMDgc7z>J?WBw>2Z(<_3!?joUk*%;%=#c8zd*X0O}aV9~@4%6x7*Zmoq|tpjdwv)4;t(ZmhPd~P~! zZG_vtqi%D9MH4qD^SSA`wH0nlHoWaZ`DXVwSk!Uj{!1wHxmD!G{gds4+m3|c_g&{| zzcVaOQECbe3qP;l8Ol7t?ccWFxxMh6ndl^6UB5Fdn)pJQC-`1OzjN(!{mvbP!?^lx zbAUw?2Pmto9Nt=l{(o*C?kF5SioSW1bMa2sUImLhFEY2~lMqV_+V!E#lN>I6yMCUU zY;V`^B-~cka+@10nz%uk&n;BH$ST*a-&weg8q;Zu^ZsUU_kcwcHz@PDS={J%cXog4 zBHRW|a)X<_J`al~ZcyfPv$!>gf8Nfmt8m+v<2E-~G;xD6pPR+a_PnRHR4?f!+#daE zl!I|nH$DdzP28Z&liV(5d`=$oz;iUZ3zvRsw98yz(ZmJHB8JQJ;KK2)hj2MGaFK&t zboF>xq!x>h&XSTW%bi1YdTwumGEZ{3^!4}(kESk7Mna@qf?ONe>ZQGJ3-M#;U#e?hTS#k2c zQ%}9QlO(dgah!xQpPPMHzQa$B-`DXVwSk!Ujar#i^bF0XW`(yeFx9RPsKHAr@ zerMhM8L+71_93Z)GEZ!hbKf{_|4gFz!Kiy9_B>y=3b>}$f=4pV%+A5&pD2vRn zvPr0Z$Q+=|(;R-n{29*%(7wUz{=(&%R;QYzIOZQZF0dG{qOA_ftO{J9EJC=%{NHvv zmlWah>($lj40M$XESlmLltl;^+k7(|&jtvWt*f>sJI6&=p1`8GN$HC3b2*MdnWwp! 
z$`kAPEcWt*W;d{w1x@}V-8l}rxCM))0AvFkpv==8!Y)sCkWV0PF`t3L<^AO^k9CfV z&Ocx=@mGHunUVQ;+OnA=KHh&vg8;ZdnWwoJ{bMJkJ^X{$gM>r9p)DSAmjf)C$`2^3 zoE&!9IIv#~77pE7FMG^64!Sr6izW_G=4lRL$EoLt1>zL1e<@s+Tyf;pL9W)XU{Tkv z$K^PbMFyAWD{vViTpsDPbmL%Gxxk{yU!W`^xa26BN6GFlLxs!oN0uJ=rK?X-?sORa~yQ_VpueB zfHF^W2)ABbZhn5|bAxahT)6vt=eX$n0~Sr?36y!7i^)IA^_MV*k%&|OtCkIOto+b% zNE3@D4p3GpIZ&z>e~UQ9>vZ9;_w}NE!(HV7i=RK%{@4%6i&7phtbbtLvYeJ^&w{c_ s$$^4%*V6VZE-x~KL&^ABe{_z6uDpOn69*{sG>34@3#-s%9^o$k4JT{->m~mnBee+zorTFer|+kx;iB&MuD~QN^M&7 z)q&8_m;aybwC=W{x&0gJ$0`*Ur_|XPrA`Iydz5NVpZBI_h)Z3LUgVsuWRsWrWRsU4 z5a)O}5kM*i`z?{pG%gkGY)XM5W6)OR45) z*pbs)wIZgJw%~qm@v_1HnDuU;Y9OEz0w;&GID#{HdwH+c!|&`+E$*H8=UVQdU&2TA zsirp4CjUTQ_9w)s6g69At9(^R?;oI7>{Qu#plXbotEQO`=b->6i($-Imt5^vMiWK<^4v4jtK+-WSm4?bICFmrv`Csy+R6rmgm>JN?ft zF+a1+yQn~M@fl(TZUq^!DqYQ^Z!WYfQU>o+Ts($!f#|mj;?yw9`fRe5MMuq`y* zip)4@O;8OXvD0X$Qi+Kw5Ib7(L(7^$)nCoB&ZJ#cRn_P|(JGA&n=eP4n^4J?SOZlu z?Q21=Sk7|%H7$?Dt6S(RCQy>)($CMeByiFt232fSVzi141}dv2^Z{~u?W-!Ok#blr zrBpuci%P7lf3fZiaBXB~}EgXutKm1iBK_@F3NkKWXie44T#s4^@TcUXr+vB7|9 zL~qyyczK~gtQtxH84D*7n+xza#i*wA2A(tZ4{>S`?Vd;63Md`3DBbzc7*#V!$v%wU zJR;xNYgJ`3nro$LKRPs<1Tdm3I>t&K_9D(xH!O%RLl7rX^2DlY(Sdl%Ev2y}HM)u| zwTIIevSd~gO8Kb7coolD?xT|s5H^2TS@p9HV;y;x5+v(bIxaO;JUsr}c-4o#v5Hwd1d+WjUPV7(t|feyWhjJq z0P7%{inYYQca`MXNp#>$`V$p#DlV2oE2F)yM;xW_6iHhoK;l&@E;^88WhV~Cyey?G z+K-N$Kp83D(#_D4R3I2AE*?z>a8zS(z4GI%gqlWKfyISN~iyADOCz62|2ejhraan2+$kb#?dj1Y!;~wC9hHq>4;dw z>YTx`Y6SgWwk*FnLDh&3CRS68gQ_|mO4-tSQ7)#!Ec6TGR81A9s;MMZmG;J2uQ(NN z9Y?2FODetN{q(cdzNp6hS(lbILi-vmjwwp9V&;7XyN{iorPM3d`rSYh;qFeazxI~! 
zmqxnF2D3JlHXOvV=y%T{>1{6fjcq7@%%c7Li}}dOs@dcBX3WiaY~a@YH};CY?v*O# zQzaC-qkc1J!U-uPc>BR$``mcU3SHNv`%BM`k zs-r^zN~^k*O*);yIg_2P)GB2+R^36YUR$c#9*XSehHOeuY$@l}Ej{l-=VpzuDv9m1 zk>f452&HW0a>1ZfTP4!Q8D1&!64i*ZcAWL9scOrbU4zn1QC8t4hF$2N`*PC~Up`4W zf|r5xmrnUQjj~n-<>kKgN~i563ph(Dl_hS((!~$BK0?P#qny-_A_13qT$gBPg_lqi zDjQ}K0@*h{^Ics!jp9&=6SIT!FJbY`qSTQD;*vqXvk&FV3^jnttl^|BLvevmOHi$) zBdz)ntw)K=cC4|Yary=IAzdut6G~%AsSLytPGnxXk|2&H!)V<{HRejS8a6keZswhI z8Z0h*zrm6%TRyyb*_M{~cKd3`-Tc!&qJyEV43+RAOB$uVJw;y~vtn(%_?J?)j!2l; zBERFJ@V>=OF4-LW>|923a?#S@{Fd>zxyl6=mCF3&9OaNqO9yifae=Z3;X)-AxGba8 z7$aP=$J{#EIW8SE{sN1FqhtjxQ08ea9GNMVtvJRN@=$$AQE5Z90#1L#ty_gdqn$-B zILAR3w_x$e`ni^Wynp)Hw|0?aaDXyTa|pXUp~`kidBS{dL)`lA&wHKYqVtaiVzImOFV!(M)j6E63Bwc?C( zTy*{ci>9~*WuE3@@(+uH-9K&@4$t&jv2U!a^($C3aey*Ua|qWztabvse~cF{-yPk2 z$T==L|A0jk7bx>Im$3aKQ#eGQUigV~9CYOeESfk#nWs5~>mL`C9}|SjnU~j|a*m76 zKVZ>xT?l2K=3?>>t6RoieoPb&QR5DscaDS3KVZ?s0m?khAzc3;3U37L<;Nu9(xu7E zQR5sd*LD5@iz(MGZ`$md-=}TfxG8zue~r8o*B?;kX)Y%Jp!SNOf`9NjOE_$PGJ4&3 zS2@6DhJ*5^RAaih8&&Pqj`f-+BYF~uqFwF=t(W3q6V`QpG2o#UYM4_GvD zfHF^W2-iO*t43;=-9M%Xmt*&LJuul-|A0kP{R+xF&Bf#&+?g2#|KN45a9BKX<{xui zg(nd5BZIzC--u@S>s3 zr#j{zIxetis$W4_L~yZ2PT0BR373I~-l;#$RW7h-;sRw6!KIK!#Eb%$?!;u8a9Mq3 z>G9=`aXDdKk1BQR+|uzTu&9e;*O4bfnJ2jH-S*7f_jt@FExg@x*o;xH57_hIq8c&3 zd7M6zQE$s>vo8%7;*o7Ul58q%*Qd3NV~Z~t!NucadCXlQjez9wYq31aibq%R8P!V9 zC>;Y_GE$94nDJ3pmmXD##vA3(i^n--(>TtkDp4wq#$Z{s3mUCdo%;BBL>3RjV~gB- z$zv`HX<&0Ge^}!lIlpj!KbM2~l5d_{RO^g$`KFU5-@u~IpJ{kgi84>+oA61{cumwp zcwHbIMjd@(=6=WgSH}Ssb^g0Iu~b=w<&b0NFkLuI%ztQ}yBuIq=MUFW4uP`B;BcpK zSaxjQ@&m5=11#z|us=XqWN?@v9PZq)Zne7{V9~?@$|8fqOyQ6oO#Ji%SN#DNb>%|_ z4M~Qw$ly>Y9HvYf^trnnU{U7}%mKzEO`tU1XxmrHJqON@4N#CF>GC0f?4qvv)C~}trEb9D$%Lgcn z3=Z>zLzfP_UFHCbCJs;*864&dhuhA+^`^W20E>uA)2SVe7w(VexCCX9!C`@Lxc}2v z?)%!+@&Oig{=gidtb%f&yI#@0w3rwy6b`3;U8UMLj&W!a;BjM0jkUGY!{W;Ub%c_= z%>9RZ={=Nrg2Nx4eerL1r;=(~c)Mud7h^u&H|kc35KkjVSw%Kc2`E_T9+V6u_dpqAjTu5#5J=Ivc;hks7;Booc^lk|K zFQmI^Gt_u`O`<6ea_Kc*EufbA9yG&2Hzi 
zwmQ*vXWHMH&IoOHp*>yIBKny!{|e_jwD&KP{5NZ-llf2A&J2sD{0C*8$baZ33ctNS zIjslc0I%;74)MQpn*%JGI6zqi!;j(a4R%7Sk9?c`Xu zxxu1|8%Zcd3vtr!Z?I_M24y}s9k&OCTdf5rUFHUhI&R!P z3}rqy9k=DeZQjIFE^~uL6E`UHx#_q)B;0zm-r3Ii>oo{vJi+DC$Fb0J6wnX(F>!cQ zIJ8t-9OST4`oG4_Ep3m7MIDFrHf5gRfbndcn*ZuiV^Pc%<6|BZzBSftbC55_$JqT0 z7Il2N{s3j3;9K6$e$x0D_P;g4rD5&vTh2Qk|LpZTSVX;U^!JBv#JDAne^BO0E*Bq% zK@X8b{NwfG!r@%+>QB4N0Tw?TzkTzM=X(uawP8nA(*CoIRRTuy@v$HgZR z54W%0>Tdm@NG$5O+(4?J%#&O$UQeT2U{EgcdcAPC>yg4|oabP_j)6rJ2Pmtk9HL4% zuwQHt4ri9Oq{rNre@?WM&qahqa9DQs>YH)h!tI(+<_Qj_cFl0x)70L3Gukqb(8FHw zobD@?{<`tXY;j59yMc!rHA#PjET1~P=Z^7o9naS*zou7=+t^ zQ@ZS>RKj@WSV^6_c_XY;bdMV>nz%uk&y6xMEv4MpzbXm0v9B+f&$-_jZo2*hSk!U* zh*UwDC%AFEdygiC{t;|CIGG&8*8gqd% zPjfN#uUXGZx7W+A5)O|BPyOgF2Us-u2b5KO4jiZAg~K;PYTmlRF@Mm-DOfadfHF^W z2)kZZK2B8@E{B3M9(In4E>6Lsi3^l@nu{?`F$csc_KyVNu%+?Fo&Vvgf52j`W7kga z|EEueZhQRA_fDig*cjynlzEy%*#4pDx}JG(y_osX4A|C^{?_I_&T-NC2P~TW1Ij$j z#poaNDed7OyiODj+j2fTzsWKG&~bpp>eO-0A~Hi6!m28AeG1AdCWi$!4(u0Ig~OUU zLl$jzjDxNmhsA++C-g{v`qe=Pvp)aJ%BR1tgg6Cdp5_p4oU*R-5T|&ZBwQZ){GM~} za)CutoPx5*xoh{69hdchd$#crqB!!^eK%Sp`-fJoN9UWx%GS__39YwdC)0aM7Dqc;7Nj zO)T>*?dV;B%uZpASGDGQqj_6YLg3OlkY0QJ>Sw~CsOQPNrml|ng2gzhQE^IV(u)@^ z*NbT8CMc_*{y^jM?Hphk_WJeOnUKxdM=cCg2PX3SGVG(y`FouaCzWt+cDR>$^{lfG%n-`H4mkTWF;uc?@Ls>*{q0AXmGH#3G*)_uD>c5Zb*UmA2(Y2evqRC&N%+p+q z?N=(;4KoN`%t(U5;OMh086)@Bh84WB#Gz z0*ktOFUKt?iwrI`sXxSCp41aAD?aa8qr0nIV9`{bKv_g^8PeiN^C)oPaoY8T%WGp= z$M<%Oi*EcqET%@OWD-)QUd;DvL76AG@c8@j)S$qr`LDhoPhtE$msbsh@BZ7I%RwmRJc->Gq%+Gb311y?2Kv@OlU~8Y;OB@;rhu>a1xsG%3PB)$v z7L%54A32g#OgVGYp?^@g;C29>j~dE6$>GY6XC+q53*%WE3%9t|ZgYc06E`UHxltxo z{B#j;<9bFD;kI+py86!fo9_NESfnS_SpJr2$qV@#&rb+tp5%5p_k)+z`vXa|;y!ab@Zi&4t^V;cjz-MH4qD z^SSA`wGeJkcT8&FT)hHu((Z4tXyOKCJ~th=>x5g|M}OurH&`@rgEF6+j$2FN*6eAw zxxu1|8A1BOZi_d(<3jmn_cvJ7apV3= zDD%0M=f?e$?S$LTgrN`JGc20; zLYXJ{UPixj%`*MY9fZS}x^8oTMH2@otEe2_UWopGZXfO_96pJ@eY11%PS;)qi##tf zx8;)%OAFfdq0EyUu6(czig=hjuYZO?X_8!Vc* zL7C6Z;%0l^(^{&RbQ5k*elxeK_`Tpr=-`YhI+21%$LYdD^$E~+;o73HGZm?+L24y}s9k&~W 
z+gp9y;AX#WhD8%MDD%1LxZNb&cBQ(_4Hiw@pv>o{<94%fTeDI<>wNiU_cvJ7apQ6N zQ08+h&yD+I`Utma?WR20$FY8A-TWD_sN?n#se&?3a5K#VWST$2nqLk5VSGK^S2#5I z+pIU76(L&T-NC2P`K3;`hTd#%@YmI%C+UhwiBt02e6pG#8_P?4qMX%1n>sTYX_ z;uNocE?gF0bL_PNuGX($QP;1><3Lxrz@o`tpe!P|WGk9S z$?h+Mh0F3MmK^@Mt6X5w#0APCgbU3|Z|9OGTs~aa{LMkGa)Ct?7buGeF4lMkJC`BC z<@xo$dLzwMF0g1SU!W`^xLD6w02i(o4;3zHjb{JRIWD^E6Ie7|H$s`GxtOj`tfy?? z`hC4f$~?`* z35t-McAq0YMBBH<|5+K1Qw3`%l+XXBs6{1k6`Obas#rDK? zTOwF}cXZ#of6l$<+}}C(yu<^g$$YU?Kz&I>1B-lnNCK^1y~thnTemE|cGsI|0}&7b z5fA|p5CIVo0TB=Z5fA|p5P=URFi@K8J6oRS|MA1}LGMMI<{t%~4uGD0Ki?Qi|MySR zb89;Do0U6kPXq660NzOffA&|-06FUYJpT;wam&pQS@Q~YTG>vWR{kEz|1KK0u@^Wt zS!d6~?7tiRk>uVw9W&8hw)V$S`zU4e-1BajI-U%cab9%%(6F&NlJFJ zKg;pGxX8IO-=D&R{OxD!L41bK!fo|)t9l7DhLb=x3om^liibVzJ|0EQt>jb-T9Um< z9HrQkk;LD|H>`kl82y~v&6>85vu*agnZXyi#W;}_dHkX?!O&%Wq!ZaB(!SS-9UO=w zeM`dzJRXS^Nvh1bM79yWPaogMP8{MBH&Zx5LGx9~3BiOC*v8JbC{711`51G)n06uw zQ|KYbj$HvOKf5oDV|1Xo#Sob~&vr`T0e0e>bM6lT9^>=^{WeRE6Xb59DYW~ahS;)L+>UmMZq#LSM8vn0lPigNjUbi*@mXVA+Xt2ErArOK0r`(`(w zC2dK;+An0JQPoTAXZgJuW439}{hMne>{ zXDB$wUt~pqAZ@ADTzmPm0STXt*v0^|4G5B6s|zPf##X+@5bdMnI0LEd>^7&h!t=eQ zr4tmetY(huDF+VJ3`4<;3-3xI<=u-XXu=S>@CXC*C@<;}_V@9*kFkA_E*j&hM)~X} zm02RRXg5DR!tLV({Ze;88FN{UR)=_j`zeu*bM@qrG>-GUra3xu6E-FNY#Ta!*e8o& z=_;d`AG7d;0ooCujk64YwyXxoI5{`SN1nY_w6J>kB|2>QKH3lGX&zd6A}e-EpQa#zT$sc0!Y!!p`q~eQbX0JBMGn{)L|8 zCw|>rPa#az^H)#ru;gy(+S<=->o~dh7vJ*#{oeSAr)jB4(PK}sY2R2Y{a>|kic@vJ z3+-`^TNWJUJI8OXMb(vApP9+7pv``oHEr21<+an{6%NiZK914WWy|v%Ez*mR^IhV3 z3P>~qfp7Rj%poFYlzo5j43$|~&!~qvf0c4S;)2yixi|=oYIH~|?he`wh?BD!;8|4d ziFVn_cXW^j#*2M%rYJwmca;Z9G!vM~cSZ8+=osT&Kkp8iSVzaGBUs^cSw6Xr4oeJ{ zp=v~1U2zUVBuF|2gTz^8-NCwr^&snVIw>GWzZKmjx4dMzZh>QYS{i=K?4)5b%hgev z!_Mg1_LI#Bd#AW_Ki7`3b!T9AQ_A)v{cIofud??Hy)2rU`INm@C?71ii#GhL?_{5+rm zuz&yj(F6XqnK)T~u&W{e{_TJNJU3PBvI}(&XXs1DLY|&clH6{WgAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+ zA|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`H zAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F 
z0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+ zA|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`H zAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F z0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+ zA|L`HAOa#F0&5Xy_d4Kn;__A;3g;IW&)xsSf%j{-JU?E8CqQCtj$%~uJCz;@^+FEH7~evlLOm(u^)KN13Ei_8+`vWqPOv_kZK6- zxv65;t^{xo7kTu6)dbSFYk+nHXyYt66Sx{65BiY|12)*@8eDHomKboy^nSu2Wju^@)Ykk_w8lW+U>jG xV!fZO3R^a2JnRYnN^_YjRC#l6ASM=`^Eexi@Lj zn|ot^w3!v{+{U1YD5wl3SO@z0?lC=>ZdSme*44(H^l#Xy?&WFFJMo-HegS^{%PgU z+J5bO4t?V#`aFR41^Z8ubtQXD+qHD=4{g04vPrCYreqzJxsvNmaJrJ~cK;tcc5-7Q zd|ILZ(`ZKhCqVul7FSaJ!H>0N-PQwzF>PpB-RMkMe z&Qyk_M~+BFax#zhGboWMJNQaGEQ>NNSq#o$AndfuA&AY(jNB_N_|3@}dNPn1MZFo% zN%YK09<98LL$Vp|Jo;PYD8_Pl-Ywhk+m6~c*@1gzY5Tbqt$DR;32SN2!)(D9T1!O%M z>usF&91F>i@x@^y63`7DsYgSPfL2{8;6qe0s_$O!Tx328P@Z<1X z9vsu)uA*V74FUT;G`?k5?EFRrHk~v~cSAG-1=K}p$QV3&iZrHn9gD8;pg#$CB9aI? zQAA5Imn4H#%V-Z`K~-5b@yG{aQHiQ9Ph*mw5T1X(LUtQ5)gx;(@v)9TE}66^Jo;W# zy0GFr6xV2(ho#=Su`-EAG%2Xt+kc%9-P&78ZCYbem4-{9FpWL@B=XYF%3;8wQGCH{ za=QcLQbJ@00NrT)N!3T*MOQvD5!GYSqX%lbutVU2Bb+IL}2#gp!T8N zihCkNpn?WTHgc|MYhX=8|pP)}RyO2?rEkJ7zugGnXi1@jBye}gAVXy9N zZLXA>U?`T5O(D4nq6kY<5XE?zc^0}-E3PCkittBGiz`thXF739qE#(%6i4=kH)(hK zoi*NQ{qes&b><$;nSdbA;*g!c&!)S6=(#d^HGzdDtu*XB3RRmfvZ)F2uz+#3P$eg1 z%Xgm|S{(ZJo)^yC-x<8)S5>7Hyj0!ssdrxUUkX}(qU?dsfBCHwH>X~FxaKtUQ7L%r zB&zz3)vNn!8cu$y?lz%4ihj+4J$TmRovTrGA|FC#(j%y&TTmjJ{lZQR+AqjsGG+WS zzXU%8&C?RVr$UXovE8m^j;=Q|zQ#;HlLo4wtHH5S< zgPDP<@JF0cv?=1vP>#CCEyX=t=>-9et1Q;`>?o6J)kyVMX$@CvM;IDqA)7Mxy56d* z$_-$(qgJlmlWVZ+-CA7l;)J6dqu%~aR^A*{&-)c6394ve1@;I@C8pryO1(G&?NDmX z(bM|#wylR*kEM=Xz!TxES6GkvrSr|^rF?S^QLI<#iAo}tl;duEl#G;|*bzwUC&Mrp z4kLSQzer-AIolc=Df20l#abhXlUC%nZK(BQJdJasJItZ2Z-Z&{Y0A`hfuFY59%)7d z&0&pJ*;Vdaa4+T#qU@17aNjST*u4vcx=`zeC4DG^;I8)+dWKDT2&4MbR)f4&?X9-D z-CpKO;r)|>*80VhHufJx?czM=eVi5ZoR^mM#W-e8>I5v%gfb?F<)E~|mdEgY(}oYY zcC0#zwcE_<89dt|(F%6TuNk%N=-Y{+^&R-NVLWF}a0az|z%h;9?O0KtcjKqCJ5Y9@ 
zHUj@o!eV{(ABOBK*2$Q+s%O3V9=26JNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-L zfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@ z1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14c zNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-L zfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@ z1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14c zNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-L z;D#X(kpOIQr4}V2)u@M1)8a~09MmeM##q~nR<*=s2+z1|k|272gSx#w{pi5>#t#KUbm5$;Ki9B_S<^GF`36rfqzC7jcxE6O`vm1}Q#{D|WeX-$Ma$hY^ z`8%$~-Pi0o=Kj(1)EAzudZqP^za)PC*WaKVc8SJACdDulLUQiLs%S^EQ8+Ix|< zP$fppY#6sJnwn$ZPyO1ha^zzO%A!_^V->^w=TI7 zRUiQgNI(J-kbndvAOQ(TKmrnwz>ETGhx*s-DD33l_~mW7&;3@+e+rxkfmL0DXUfr^ z{oUGmJ!dMxHjY;V)mw#DurJLOX}G%%;^ zm&^NaUV9|*_px`ptmmQH`=E2l33rDbA820oz@v@1@a^=G`lB3)MYZH`h=(>n+m2VK zuoipJhXO`<{tWkEFfM#Go5DDTF~q_V7Noo;>|od^cHthZ;A;duywb;*ZXPe^=K!zl zMv-Sl^fPif&x^di0()6j;OA|)m9N`*bSv)Sd*AuyM=m%^c%{-mm@AjJVpo7oc#JiV zMlEuJx0Fg>W4~NRKiU^!W7PT{w$;n1-7LL>dz+h#8-C!Ulbs!AA&|+y3%17dp}x+? 
z{TPexWKkB`WJ?kq40}9|__(`b0@ix8vTO7u-yrU0Hz#6MF<~due`vuP}j@79+CeJgX^%MLcm&&fp(HY+&(Y%v+I; zy>z$G6zY7kZ{*4M;u@R3Q^iIHBGWYt?PCWlMZJuPc%IkjqE`hpC)o5&L&m-Nz{ zE&o|d+LARBv>#xF)@AESSw4|TBW-9p-z!n8dd(-PVSkvX2Y)sSKRAbYnR2pU*ZV@^5i%Je)JnHyZ z)KEFS>#QHlCaf>%KUKzawugZue8s&85eBxjT56xZJEZWA*wz7LDiJ2V+Gsl2Vr<(t zIYrknvYQjB5cS)VRtwMfN~Ns~uvN_x*IWoAs9{b8>sqmj z+j-u|_eRd`JD8#_j%pL%ms6!kLYwWDht;g!EzpOShm5h5jj`8dUf?E11a7VFZx67U z2O|mg!x}{q)W8a@WCrUbuMWX<>_2FUPr;UCsa3nDU$tV=T83 zTI6=z^22X+jdy*2{o&*HH7A$;wq~+Id8zKX_v}2k$lGz%-GAIN^3v}X)jvPWx2M~p zn6Za>Xy386wLWFj$t~5b(bVqdbz24RXIG*Lrh--x+-@x6wOm3-ZTeT>XA-+44~U&$rgj&A4ci5a3A8M`u$&U3aj@s4=2 z?=5W-kbndvAOQ(TKmrnwfCMBU0SQPz0uqpb1SB8<2}nQ!5|DrdBp?9^NI(J-kbndv zAOQ(TKmrnwfCMBU0SQPz0uqpb1SB8<2}nQ!5|DrdBp?9^NI(J-kbndvAOQ(TKmrnw zfCMBU0SQPz0uqpb1SB8<2}nQ!5|DrdBp?9^NI(J-kbndvAOQ(TKmrnwfCMBU0SQPz z0uqpb1SB8<2}nQ!5|DrdBp?9^NI(J-kbndvAOQ(TKmrnwfCMBU0SQPz0uqpb1SB8< z2}nQ!5|DrdBp?9^NI(J-kbndvAOQ(TKmrnwfCMBU0SQPz0uqpb1SB8<2}nQ!5|Drd zBp?9^NI(J-kbndvAOQ(TKmrnwfCMBU0SQPz0uqpb1SB8<2}nQ!5|DrdBp?9^NI(J- zkbndvAOQ(TKmr#R2#{bvh&t{$)biNpk?kSU@OV^>Sy2`1cvg!ny7-yJLL_o}T@y>2Wbz?iP?8Ym>E9V*p-)}qe;-aCS|0Vp{ z=T+|tw6G_`QID#<;MY~{jbS_t6vsJ`h6cbsua8H!?Hgr+)qw)k6WD1-SrIDocl4l-w?ace)4j2Ta5S8e}X0-DKoIALxv~uvht>6CFPnVr)%C9It;w(77@j17Ax#wke zoVS)wFK6DSTBlr#Q{}Cd531|gRh+krtW#fz-G5cJJzA}=+&bl2oX*|#?Amj;c|Rw1 zAFsch?o+K(uEpuxUC*v!_y2vJdiX~*uQtB**W54vw!cs;4D`&nPTd&it^3E9GjCI^ zQ?A9S^7e8La6P+<^LF7n<=O8j_x&(8c5gUxCEO?eo^mZt=k9uT&A3OuUoZZ9|NOW3 Hj0gV)w~Z5L literal 0 HcmV?d00001 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4912_WindowsSrv2016.evtx b/x-pack/winlogbeat/module/security/test/testdata/4912_WindowsSrv2016.evtx new file mode 100644 index 0000000000000000000000000000000000000000..15a93a947a21e60b5c5de31a57cd5c14625ff795 GIT binary patch literal 69632 zcmeI1X>3$g6vxk-c{99DXX((?1w{d=QnaN7i(ql7v{jVCXe(kYN~JB7PG@QtC^j0R z7!$YP8WQ|KOpL)T8e<^DsF9fP!Qd7l7-M2$;zCRmF&H%&|L4B zIrrXkf9KqDZ>P=ao|fKpw-l#y(-QrS$4&P{#-f># z16IPaBx?Pz?6MF29-4ow;fmYtt4lhcM_#LX9V=0(#-!{(Ru`ygPc$UWvO&5fBf}^^ ziYL6@YkV&el2PfGG#ZD{5VGoJ9mIxZK(3ZK_zcM!)O16p6Zsmvdr>neS(LKU1IZec zv#6gV8_|}*d#=>tb0u=MvH;)R$EP1ECmv*6-cjQ~Mol&XtzEn#7egZK$LgM?VYwaa)tS9DN2NSy$CEPM zmdOx>Tbc)6jKj=bp(7RINK(oqfmX*njzo+cx|r00lD1>na#e7;*45XRyKU1pKYHZg zKWW6wg;QI)uNx5=GVcRc6z2XuDiZtNi>|HEyD*qlgN+8UF06YaRIi?}#%lP-2-}^6<~CyAB`uC55e{ zQm|kXvU=ufYI;cB%Maa6#??DfuTilXZ#{$6%O1hYnp^8EvD z|9M{jQ)s;u{nz5jz=>4rpc|m-yq=fjXO6*VJK=0=vEGTRwcXXKrb=#VzF!0z#f@k> z&!7nuI#bBi@q{zEWOZ-o)++25cKe-zYjHpSSPH}to0MyVr)70s%gN(BF9kjI1X=@K z{b-=89)i{mX14`*2pk;cG6h=%HFzpaIf^_EMYDZ0k5fTYr~+Tl?s|K)WB%BVxxv~e zj$)5Ag0~*{89aI@51Q2~AwNPq(27WdbgEG*;gSn*DYy!;Me}ts51%@eZ+>Qf^v&Kw z$@jlZrP@=qwXWoqQV(e)y$8v>LqmN#XMEUEHFw4Cna_^?{RirFuYl1{$fjV)0!D@B zlYdmYmj*uo>jqM1-;U1b;||ID~Z+g|H56`vDlzb=2h; z*S*md8dRm)aBa8;?@=5Kdc*63Lk*&)$(Vn@9Fd!#MI{*JZ)qx-1&2!MD5#$YBdUHQ zs9k0x+zXTI`tFfkgBkSr6q$y&EZ5_KcB>J*%sm+ItEXw5$V0DAuQ)d09(^kQI2pWla~`>H;NL(zMEEf5tmL`s?jq_RLuF%HhN(ZeM2QTZ(DWO*WdiL_1v=?ZH~DG zstMKfE^s}`qt@!wgS-0UMr+ahU6*WIxoGRrcRru-$`_xa+S^}yk=6ZG5S#Pb4`bXx zjGRBB{`d|^F(rxY@6#)cO zTmM^bcFru=RxSR2?ix(ZL;@s00wh2JBtQZrKmsH{0wh2JBtQZrKmsH{0wh2JBtQZr zKmsH{0wh2JBtQZrKmsH{0wh2JBtQZrKmsH{0wh2JBtQZrKmsH{0wh2JBtQZrKmsH{ z0wh2JBtQZrKmsH{0wh2JBtQZrKmsH{0wh2JBtQZrKmsH{0wh2JBtQZrKmsH{0wh2J zBtQZrKmsH{0wh2JBtQZrKmsH{0wh2JBtQZrKmsH{0wh2JBtQZrKmsH{0wh2JBtQZr zKmsH{0wh2JBtQZrKmsH{0wh2JBtQZrKmsH{0wh2JBtQZrKmsH{0wh2JBtQZrKmsH{ z0wh2JBtQZrKmsH{0wh2JBtQZrKmsH{0wh2JBtQZrKmsH{0wh2JBtQZrKmsH{0wh2J 
zBtQZrKmsH{0wh2JBtQZrKmsH{0wh2JBtQZrKmsH{0wh2JBtQZrKmsH{0wh2JBtQZr uKmsH{0wh2Jrzg-WS;q^BKV2OF literal 0 HcmV?d00001 From 4b6813efc78c30ab43fc04219a7bd0e49da77687 Mon Sep 17 00:00:00 2001 From: Anabella Cristaldi Date: Wed, 19 Aug 2020 12:37:01 +0200 Subject: [PATCH 2/5] Audit and Authentication Policy Change Events - CHANGELOG --- CHANGELOG.next.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 1d9bacfa6bb..a203f6990fc 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -973,6 +973,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add additional event categorization for security and sysmon modules. {pull}22988[22988] - Add dns.question.subdomain fields for sysmon DNS events. {pull}22999[22999] - Add dns.question.top_level_domain fields for sysmon DNS events. {pull}23046[23046] +- Add Audit and Authentication Polixy Change Events and related.ip information {pull}20684[20684] *Elastic Log Driver* From 35a2effb11dbfab2cf9d8fbb7580ea4918e2e986 Mon Sep 17 00:00:00 2001 From: Anabella Cristaldi Date: Wed, 18 Nov 2020 17:25:22 +0100 Subject: [PATCH 3/5] new ECS 1.7.0 event.category configuration for audit changes --- .../module/security/config/winlogbeat-security.js | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index 4895ba807e6..62ce461b1b6 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js @@ -2316,7 +2316,7 @@ var security = (function () { .Add(addEventFields) .Add(addTrustInformation) .Add(function(evt) { - evt.AppendTo("event.type", "change"); + evt.AppendTo("event.type", "admin"); }) .Build(); 
@@ -2325,7 +2325,7 @@ var security = (function () { .Add(copySubjectUserLogonId) .Add(addEventFields) .Add(function(evt) { - evt.AppendTo("event.type", "change"); + evt.AppendTo("event.type", "admin"); }) .Build(); @@ -2335,7 +2335,7 @@ var security = (function () { .Add(renameCommonAuthFields) .Add(addEventFields) .Add(function(evt) { - evt.AppendTo("event.type", "change"); + evt.AppendTo("event.type", "admin"); var oldSd = evt.Get("winlog.event_data.OldSd"); var newSd = evt.Get("winlog.event_data.NewSd"); if (oldSd) { @@ -2350,14 +2350,14 @@ var security = (function () { var genericAuditChange = new processor.Chain() .Add(addEventFields) .Add(function(evt) { - evt.AppendTo("event.type", "change"); + evt.AppendTo("event.type", "admin"); }) .Build(); var event4908 = new processor.Chain() .Add(addEventFields) .Add(function(evt) { - evt.AppendTo("event.type", "change"); + evt.AppendTo("event.type", "admin"); var sids = evt.Get("winlog.event_data.SidList"); if (!sids) { return; @@ -2381,7 +2381,7 @@ var security = (function () { .Add(renameCommonAuthFields) .Add(addEventFields) .Add(function(evt) { - evt.AppendTo("event.type", "change"); + evt.AppendTo("event.type", "admin"); }) .Build(); @@ -2524,6 +2524,7 @@ var security = (function () { // 4739 - A security-enabled global group was changed. 4739: policyChange.Run, + // 4738 - An user account was changed. 4738: userMgmtEvts.Run, From e2fbcc5361535823376146add9ec16f9530ea685 Mon Sep 17 00:00:00 2001 
From: "Lee E. Hinman" Date: Wed, 20 Jan 2021 15:07:46 -0600 Subject: [PATCH 4/5] Merge fixes and updated golden files --- .../security/config/winlogbeat-security.js | 16 +--- .../4670_WindowsSrv2016.evtx.golden.json | 80 +++++++++++++++++++ .../4706_WindowsSrv2016.evtx.golden.json | 72 +++++++++++++++++ .../4707_WindowsSrv2016.evtx.golden.json | 64 +++++++++++++++ .../4713_WindowsSrv2016.evtx.golden.json | 64 +++++++++++++++ .../4716_WindowsSrv2016.evtx.golden.json | 72 +++++++++++++++++ .../4717_WindowsSrv2016.evtx.golden.json | 67 ++++++++++++++++ .../4718_WindowsSrv2016.evtx.golden.json | 67 ++++++++++++++++ .../4719_WindowsSrv2016.evtx.golden.json | 74 +++++++++++++++++ .../4739_WindowsSrv2016.evtx.golden.json | 71 ++++++++++++++++ .../4817_WindowsSrv2016.evtx.golden.json | 74 +++++++++++++++++ .../4902_WindowsSrv2016.evtx.golden.json | 51 ++++++++++++ .../4904_WindowsSrv2016.evtx.golden.json | 72 +++++++++++++++++ .../4905_WindowsSrv2016.evtx.golden.json | 72 +++++++++++++++++ .../4906_WindowsSrv2016.evtx.golden.json | 50 ++++++++++++ .../4907_WindowsSrv2016.evtx.golden.json | 75 +++++++++++++++++ .../4908_WindowsSrv2016.evtx.golden.json | 58 ++++++++++++++ .../4912_WindowsSrv2016.evtx.golden.json | 70 ++++++++++++++++ ...security-windows2012_4771.evtx.golden.json | 1 + ...security-windows2012_4778.evtx.golden.json | 1 + ...security-windows2012_4779.evtx.golden.json | 1 + 21 files changed, 1157 insertions(+), 15 deletions(-) create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.evtx.golden.json create mode 100644 
x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4718_WindowsSrv2016.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4719_WindowsSrv2016.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4739_WindowsSrv2016.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4817_WindowsSrv2016.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4902_WindowsSrv2016.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4906_WindowsSrv2016.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4908_WindowsSrv2016.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4912_WindowsSrv2016.evtx.golden.json diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index 62ce461b1b6..bee92e1e975 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js @@ -1209,7 +1209,7 @@ var security = (function () { "8448": "Success removed", "8449": "Success Added", "8450": "Failure removed", - "8451": "Failure added", + "8451": "Failure Added", "8452": "Success include removed", "8453": "Success include added", "8454": "Success exclude removed", 
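Review bot: The uneven capitalization this hunk settles on (`"Success Added"`, `"Failure Added"` beside `"Success removed"`) is exactly what a later maintainer will "normalize", so the table should say why it is deliberate. These strings are surfaced to users as `winlog.event_data.AuditPolicyChangesDescription` (see the 4719 golden file in this patch) and appear to mirror the Windows message-table text for %%8448–%%8455 verbatim, which is presumably the reason for the fix. A one-line comment above the table such as `// Mirrors the Windows audit-policy message strings (%%8448-%%8455) verbatim, capitalization included; do not normalize.` would prevent a well-meant regression. The table's declaration starts before this hunk.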
@@ -2315,18 +2315,12 @@ var security = (function () { .Add(copySubjectUserLogonId) .Add(addEventFields) .Add(addTrustInformation) - .Add(function(evt) { - evt.AppendTo("event.type", "admin"); - }) .Build(); var policyChange = new processor.Chain() .Add(copySubjectUser) .Add(copySubjectUserLogonId) .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "admin"); - }) .Build(); var objectPolicyChange = new processor.Chain() @@ -2335,7 +2329,6 @@ var security = (function () { .Add(renameCommonAuthFields) .Add(addEventFields) .Add(function(evt) { - evt.AppendTo("event.type", "admin"); var oldSd = evt.Get("winlog.event_data.OldSd"); var newSd = evt.Get("winlog.event_data.NewSd"); if (oldSd) { @@ -2349,15 +2342,11 @@ var security = (function () { var genericAuditChange = new processor.Chain() .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "admin"); - }) .Build(); var event4908 = new processor.Chain() .Add(addEventFields) .Add(function(evt) { - evt.AppendTo("event.type", "admin"); var sids = evt.Get("winlog.event_data.SidList"); if (!sids) { return; @@ -2380,9 +2369,6 @@ var security = (function () { .Add(copySubjectUserLogonId) .Add(renameCommonAuthFields) .Add(addEventFields) - .Add(function(evt) { - evt.AppendTo("event.type", "admin"); - }) .Build(); return { diff --git a/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..0666a8b5ac8 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.evtx.golden.json 
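Review bot: In the `objectPolicyChange` chain (the hunk at new line 2329), `if (oldSd)` tests only truthiness, so a Windows placeholder value would be handed straight to the SDDL expansion that follows outside this hunk. The golden files in this series show that absent fields arrive as the literal string `"-"` (`ObjectName: "-"` in 4670, `DomainName: "-"` in 4716); whether `OldSd`/`NewSd` can carry that placeholder for some object types is not established here, but if they can the guards should read `if (oldSd && oldSd !== "-") {` and likewise for `newSd`. Dropping the inline `event.type` appends also means each event's `event.category`/`event.type` now comes solely from the table behind `addEventFields`, which this hunk does not show; the 4670 and 4719 golden outputs (`["admin","change"]`) suggest that table already supplies both values, so a short comment on the chains pointing to it would help. The anonymous function's body continues past the hunk.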
@@ -0,0 +1,80 @@ +[ + { + "@timestamp": "2020-07-28T13:22:18.7993488Z", + "event": { + "action": "permissions-changed", + "category": [ + "iam", + "configuration" + ], + "code": 4670, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 764 + }, + "related": { + "user": "WIN-BVM4LI1L1Q6$" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "HandleId": "0x56c", + "NewSd": "D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)", + "NewSdDacl0": "Local system :Access Allowed (Generic All)", + "NewSdDacl1": "OW :Access Allowed (Read Permissions)", + "NewSdDacl2": "S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628 :Access Allowed (Generic All)", + "ObjectName": "-", + "ObjectServer": "Security", + "ObjectType": "Token", + "OldSd": "D:(A;;GA;;;SY)(A;;GA;;;NS)", + "OldSdDacl0": "Local system :Access Allowed (Generic All)", + "OldSdDacl1": "Network service account :Access Allowed (Generic All)", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": 4670, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 4, + "thread": { + "id": 4604 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 31932, + "task": "Authorization Policy Change" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..7cdf639ce48 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.evtx.golden.json @@ -0,0 +1,72 @@ +[ + { + "@timestamp": "2020-07-27T09:42:48.3690009Z", + "event": { + "action": "domain-trust-added", + "category": [ + "configuration" + ], + "code": 4706, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "creation" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "related": { + "user": "Administrator" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-2024912787-2692429404-2351956786-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "DomainName": "192.168.230.153", + "DomainSid": "S-1-0-0", + "SidFilteringEnabled": "%%1796", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x6a868", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500", + "TdoAttributes": "1", + "TdoDirection": "3", + "TdoType": "3" + }, + "event_id": 4706, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x6a868" + }, + "opcode": "Info", + "process": { + "pid": 776, + "thread": { + "id": 3056 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 6017, + "task": "Authentication Policy Change", + "trustAttribute": "TRUST_ATTRIBUTE_NON_TRANSITIVE", + "trustDirection": "TRUST_DIRECTION_BIDIRECTIONAL", + "trustType": "TRUST_TYPE_MIT" + } + } +] \ No newline at end of file 
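Review bot: This fixture exercises only `TdoAttributes: "1"`, which maps cleanly to `TRUST_ATTRIBUTE_NON_TRANSITIVE`, but the attribute value on trust events is a flag bitmask, and the combinations defenders care about most on a newly created trust (forest-transitive, quarantined/SID-filtered, within-forest) set other bits, possibly several at once. If `addTrustInformation` (not visible in this series) resolves the value with a single lookup, such events would be left without a readable `winlog.trustAttribute`; a second fixture with a multi-bit value would settle that. Note also that `SidFilteringEnabled` is emitted as the raw parameter reference `"%%1796"`, unlike the `%%8448` table this series adds for 4719, so the one field that says whether SID filtering protects the new trust is not human-readable.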
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..d16ff334435 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.evtx.golden.json @@ -0,0 +1,64 @@ +[ + { + "@timestamp": "2020-07-28T06:18:04.600444Z", + "event": { + "action": "domain-trust-removed", + "category": [ + "configuration" + ], + "code": 4707, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "deletion" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "related": { + "user": "Administrator" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-2024912787-2692429404-2351956786-500", + "name": "Administrator" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "DomainName": "192.168.230.153", + "DomainSid": "S-1-0-0", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x6a868", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500" + }, + "event_id": 4707, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x6a868" + }, + "opcode": "Info", + "process": { + "pid": 776, + "thread": { + "id": 2012 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 13679, + "task": "Authentication Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..9dcfe4ddb59 --- /dev/null 
+++ b/x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.evtx.golden.json @@ -0,0 +1,64 @@ +[ + { + "@timestamp": "2020-07-28T10:15:43.4951882Z", + "event": { + "action": "kerberos-policy-changed", + "category": [ + "configuration" + ], + "code": 4713, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "related": { + "user": "WIN-BVM4LI1L1Q6$" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "KerberosPolicyChange": "KerMinT: 0x53d1ac1000 (0x53ade8ca00); KerMaxR: 0x649534e0000 (0x58028e44000); KerProxy: 0xd693a400 (0xb2d05e00); ", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": 4713, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 776, + "thread": { + "id": 2012 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 21265, + "task": "Authentication Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..6e43b04c6f3 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.evtx.golden.json 
@@ -0,0 +1,72 @@ +[ + { + "@timestamp": "2020-07-28T08:17:00.4706442Z", + "event": { + "action": "trusted-domain-information-changed", + "category": [ + "configuration" + ], + "code": 4716, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "related": { + "user": "Administrator" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-2024912787-2692429404-2351956786-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "DomainName": "-", + "DomainSid": "S-1-0-0", + "SidFilteringEnabled": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x6a868", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500", + "TdoAttributes": "1", + "TdoDirection": "3", + "TdoType": "3" + }, + "event_id": 4716, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x6a868" + }, + "opcode": "Info", + "process": { + "pid": 776, + "thread": { + "id": 3776 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 14929, + "task": "Authentication Policy Change", + "trustAttribute": "TRUST_ATTRIBUTE_NON_TRANSITIVE", + "trustDirection": "TRUST_DIRECTION_BIDIRECTIONAL", + "trustType": "TRUST_TYPE_MIT" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..fe3d49133e0 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.evtx.golden.json 
@@ -0,0 +1,67 @@ +[ + { + "@timestamp": "2020-07-27T09:30:41.9034803Z", + "event": { + "action": "system-security-access-granted", + "category": [ + "iam", + "configuration" + ], + "code": 4717, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6" + }, + "log": { + "level": "information" + }, + "related": { + "user": "WIN-BVM4LI1L1Q6$" + }, + "user": { + "domain": "WORKGROUP", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6", + "event_data": { + "AccessGranted": "SeNetworkLogonRight", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18", + "TargetSid": "S-1-5-9" + }, + "event_id": 4717, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 776, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1571, + "task": "Authentication Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4718_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4718_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..6e5fc0f6d54 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4718_WindowsSrv2016.evtx.golden.json 
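Review bot: The principal that actually received `SeNetworkLogonRight` here, `TargetSid: "S-1-5-9"`, is left only in raw `winlog.event_data`; `user.*` and `related.user` carry just the subject (the machine account), so a search for rights granted to a given SID has to hit the unnormalized field, and the same holds for 4718's `TargetSid: "S-1-5-32-545"`. If the module's ECS version provides `user.target.id`, copying `TargetSid` there (and `AccessGranted`/`AccessRemoved` into a documented field) would make these events as searchable as the account-management ones. Failing that, the 4717/4718 handler deserves a comment explaining why the target is not normalized. The handler producing this output is outside the visible hunks.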
@@ -0,0 +1,67 @@ +[ + { + "@timestamp": "2020-07-27T09:30:41.8778082Z", + "event": { + "action": "system-security-access-removed", + "category": [ + "iam", + "configuration" + ], + "code": 4718, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "deletion" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6" + }, + "log": { + "level": "information" + }, + "related": { + "user": "WIN-BVM4LI1L1Q6$" + }, + "user": { + "domain": "WORKGROUP", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6", + "event_data": { + "AccessRemoved": "SeNetworkLogonRight", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18", + "TargetSid": "S-1-5-32-545" + }, + "event_id": 4718, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 776, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1565, + "task": "Authentication Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4719_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4719_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..4bc9323ce3f --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4719_WindowsSrv2016.evtx.golden.json 
@@ -0,0 +1,74 @@ +[ + { + "@timestamp": "2020-08-18T13:45:57.4803543Z", + "event": { + "action": "changed-audit-config", + "category": [ + "iam", + "configuration" + ], + "code": 4719, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "related": { + "user": "Administrator" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-2024912787-2692429404-2351956786-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{65461d39-753f-0000-731d-46653f75d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "AuditPolicyChanges": "%%8448", + "AuditPolicyChangesDescription": [ + "Success removed" + ], + "Category": "Object Access", + "CategoryId": "%%8274", + "SubCategory": "Other Object Access Events", + "SubcategoryGuid": "{0cce9227-69ae-11d9-bed3-505054503030}", + "SubcategoryId": "%%12804", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x44d7d", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500" + }, + "event_id": 4719, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x44d7d" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 2764 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 123879, + "task": "Audit Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4739_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4739_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..4035618ea1d --- /dev/null 
+++ b/x-pack/winlogbeat/module/security/test/testdata/4739_WindowsSrv2016.evtx.golden.json @@ -0,0 +1,71 @@ +[ + { + "@timestamp": "2020-07-27T09:34:50.1578005Z", + "event": { + "action": "domain-policy-changed", + "category": [ + "configuration" + ], + "code": 4739, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "related": { + "user": "WIN-BVM4LI1L1Q6$" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "DomainBehaviorVersion": "-", + "DomainName": "TEST", + "DomainPolicyChanged": "Password Policy", + "DomainSid": "S-1-5-21-2024912787-2692429404-2351956786", + "MachineAccountQuota": "-", + "MixedDomainMode": "-", + "OemInformation": "-", + "PasswordHistoryLength": "-", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": 4739, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 776, + "thread": { + "id": 812 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3532, + "task": "Authentication Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4817_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4817_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..71607b7242c --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4817_WindowsSrv2016.evtx.golden.json 
@@ -0,0 +1,74 @@ +[ + { + "@timestamp": "2020-08-17T12:49:09.4942066Z", + "event": { + "action": "object-audit-changed", + "category": [ + "iam", + "configuration" + ], + "code": 4817, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$", + "Administrator" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{dfcd2c2a-7481-0000-682c-cddf8174d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "NewSd": "S:(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-500)(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-1000)", + "NewSdSacl0": "Administrator :System Audit (Create All Child Objects,Delete All Child Objects,List Contents,All Validated,Read All Properties,Write All Properties,Delete Subtree,List Object,All Extended Rights,Delete,Read Permissions,Modify Permissions,Modify Owner)", + "NewSdSacl1": "S-1-5-21-2024912787-2692429404-2351956786-1000 :System Audit (Create All Child Objects,Delete All Child Objects,List Contents,All Validated,Read All Properties,Write All Properties,Delete Subtree,List Object,All Extended Rights,Delete,Read Permissions,Modify Permissions,Modify Owner)", + "ObjectName": "File", + "ObjectServer": "LSA", + "ObjectType": "Global SACL", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": 4817, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 776, + "thread": { + "id": 3052 + } + }, + "provider_guid": 
"{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 114278, + "task": "Audit Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4902_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4902_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..0c21de310ab --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4902_WindowsSrv2016.evtx.golden.json @@ -0,0 +1,51 @@ +[ + { + "@timestamp": "2020-08-19T06:07:08.801981Z", + "event": { + "action": "user-audit-policy-created", + "category": [ + "iam", + "configuration" + ], + "code": 4902, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "creation" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "PuaCount": "0", + "PuaPolicyId": "0x9fd2" + }, + "event_id": 4902, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 784, + "thread": { + "id": 832 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 140273, + "task": "Audit Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..cb92cffa1b2 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.evtx.golden.json 
@@ -0,0 +1,72 @@ +[ + { + "@timestamp": "2020-08-19T07:56:52.019802Z", + "event": { + "action": "security-event-source-added", + "category": [ + "iam", + "configuration" + ], + "code": 4904, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\inetsrv\\inetinfo.exe", + "name": "inetinfo.exe", + "pid": 3608 + }, + "related": { + "user": "WIN-BVM4LI1L1Q6$" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "AuditSourceName": "IIS-METABASE", + "EventSourceId": "0x460422", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": 4904, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 784, + "thread": { + "id": 824 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 146939, + "task": "Audit Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..7b5c2e7c0c7 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.evtx.golden.json 
@@ -0,0 +1,72 @@ +[ + { + "@timestamp": "2020-08-19T07:56:51.5792901Z", + "event": { + "action": "security-event-source-removed", + "category": [ + "iam", + "configuration" + ], + "code": 4905, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "deletion" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "process": { + "executable": "-", + "name": "-", + "pid": 4964 + }, + "related": { + "user": "WIN-BVM4LI1L1Q6$" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "AuditSourceName": "IIS-METABASE", + "EventSourceId": "0x457b22", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": 4905, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 784, + "thread": { + "id": 824 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 146938, + "task": "Audit Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4906_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4906_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..9711989c89e --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4906_WindowsSrv2016.evtx.golden.json 
@@ -0,0 +1,50 @@ +[ + { + "@timestamp": "2020-08-18T09:19:00.2372249Z", + "event": { + "action": "crash-on-audit-changed", + "category": [ + "iam", + "configuration" + ], + "code": 4906, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "CrashOnAuditFailValue": "1" + }, + "event_id": 4906, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 804 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 123786, + "task": "Audit Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..32dd648fc2a --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.evtx.golden.json 
@@ -0,0 +1,75 @@ +[ + { + "@timestamp": "2020-08-19T07:56:17.1121901Z", + "event": { + "action": "audit-setting-changed", + "category": [ + "iam", + "configuration" + ], + "code": 4907, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\\TiWorker.exe", + "name": "TiWorker.exe", + "pid": 4300 + }, + "related": { + "user": "WIN-BVM4LI1L1Q6$" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "HandleId": "0x93c", + "NewSd": "S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)", + "NewSdSacl0": "Everyone :System Audit (Delete All Child Objects,List Contents,Read All Properties,All Extended Rights,Delete,Modify Permissions,Modify Owner)", + "ObjectName": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\RemoteAccess\\RemoteAccess.psd1", + "ObjectServer": "Security", + "ObjectType": "File", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": 4907, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 4, + "thread": { + "id": 408 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 146933, + "task": "Audit Policy Change" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4908_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4908_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..fcbdbce1d3d --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4908_WindowsSrv2016.evtx.golden.json @@ -0,0 +1,58 @@ +[ + { + "@timestamp": "2020-08-19T06:07:25.0461779Z", + "event": { + "action": "special-group-table-changed", + "category": [ + "iam", + "configuration" + ], + "code": 4908, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "SidList": [ + "", + "%{S-1-5-32-544}", + "%{S-1-5-32-123-54-65}" + ], + "SidListDesc": [ + "Administrators", + "S-1-5-32-123-54-65" + ] + }, + "event_id": 4908, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 784, + "thread": { + "id": 808 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 140274, + "task": "Audit Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4912_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4912_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..5e9a933c7bb --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4912_WindowsSrv2016.evtx.golden.json 
@@ -0,0 +1,70 @@ +[ + { + "@timestamp": "2020-08-18T14:36:41.2936839Z", + "event": { + "action": "per-user-audit-policy-changed", + "category": [ + "iam", + "configuration" + ], + "code": 4912, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "related": { + "user": "Administrator" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-2024912787-2692429404-2351956786-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{65461d39-753f-0000-731d-46653f75d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "AuditPolicyChanges": "%%8452", + "CategoryId": "%%8276", + "SubcategoryGuid": "{0cce924a-69ae-11d9-bed3-505054503030}", + "SubcategoryId": "%%13317", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x44d7d", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500", + "TargetUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500" + }, + "event_id": 4912, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x44d7d" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 3300 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 123917, + "task": "Audit Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json index 6519408002c..977ea0fe116 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json @@ -22,6 +22,7 @@ "level": "information" }, "related": { + "ip": "192.168.5.44", "user": "MPUIG" }, "source": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json index 649db8b0e23..f7944a0c686 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json @@ -22,6 +22,7 @@ "level": "information" }, "related": { + "ip": "10.100.150.9", "user": "at_adm" }, "source": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json index 12c23f0a09d..93f89a592a6 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json @@ -22,6 +22,7 @@ "level": "information" }, "related": { + "ip": "10.100.150.17", "user": "at_adm" }, "source": { From f820bed3443996ccf31690e212579d831a78d5fb Mon Sep 17 00:00:00 2001 From: Anabella Cristaldi Date: Sat, 23 Jan 2021 18:01:53 +0100 Subject: [PATCH 5/5] Added related.ip type - Added checks --- .../security/config/winlogbeat-security.js | 22 +++++++++++-------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index bee92e1e975..44d0e8eb34d 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js 
@@ -1850,7 +1850,7 @@ var security = (function () {
 {from: "winlog.event_data.AccountName", to: "user.name"},
 {from: "winlog.event_data.AccountDomain", to: "user.domain"},
 {from: "winlog.event_data.ClientAddress", to: "source.ip", type: "ip"},
- {from: "winlog.event_data.ClientAddress", to: "related.ip"},
+ {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"},
 {from: "winlog.event_data.ClientName", to: "source.domain"},
 {from: "winlog.event_data.LogonID", to: "winlog.logon.id"},
 ],
@@ -2005,7 +2005,7 @@ var security = (function () {
 {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"},
 {from: "winlog.event_data.ProcessName", to: "process.executable"},
 {from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"},
- {from: "winlog.event_data.ClientAddress", to: "related.ip"},
+ {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"},
 {from: "winlog.event_data.IpPort", to: "source.port", type: "long"},
 {from: "winlog.event_data.WorkstationName", to: "source.domain"},
 ],
@@ -2143,10 +2143,12 @@ var security = (function () {
 .Add(addEventFields)
 .Add(function(evt) {
 var user = evt.Get("winlog.event_data.TargetUserName");
- var res = /^-$/.test(user);
- if (!res) {
- evt.AppendTo('related.user', user);
- }
+ if (user) {
+ var res = /^-$/.test(user);
+ if (!res) {
+ evt.AppendTo('related.user', user);
+ }
+ }
 })
 .Build();
@@ -2260,9 +2262,11 @@ var security = (function () {
 .Add(addEventFields)
 .Add(function(evt) {
 var ip = evt.Get("source.ip");
- if (/::ffff:/.test(ip)) {
- evt.Put("source.ip", ip.replace("::ffff:", ""));
- evt.Put("related.ip", ip.replace("::ffff:", ""));
+ if (ip) {
+ if (/::ffff:/.test(ip)) {
+ evt.Put("source.ip", ip.replace("::ffff:", ""));
+ evt.Put("related.ip", ip.replace("::ffff:", ""));
+ }
 }
 })
 .Build();
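Review bot: In the @@ -2005 hunk `related.ip` is still populated from `winlog.event_data.ClientAddress` while `source.ip` two lines above is taken from `winlog.event_data.IpAddress`, so unless this event actually carries both fields the converted `related.ip` will be empty and the address is lost for `related.ip` pivoting in detections; the @@ -1850 hunk maps both targets from the same field, which suggests this line should read `{from: "winlog.event_data.IpAddress", to: "related.ip", type: "ip"},`. The @@ -2260 hunk then only back-fills `related.ip` for the IPv4-mapped `::ffff:` case, and does so with `evt.Put`, which replaces the field rather than extending it; `evt.AppendTo("related.ip", ip.replace("::ffff:", ""))` would match how `related.user` is built in the @@ -2143 hunk and keep any address already mapped. The `if (ip)` / `if (user)` guards are a sound addition, but Windows commonly writes `-` for an absent address, and whether the `type: "ip"` conversion tolerates that placeholder is not visible here — worth confirming against the converter's failure mode. The enclosing `var security = (function () {` scope starts and ends outside these hunks.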