diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json
index 0c6fa5ca7686..2516dfa1ab6c 100644
--- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json
+++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json
@@ -27,7 +27,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -94,7 +95,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -162,7 +164,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -234,7 +237,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -301,7 +305,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -375,7 +380,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -438,7 +444,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -510,7 +517,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -569,7 +577,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -644,7 +653,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -751,7 +761,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -814,7 +825,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -881,7 +893,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -953,7 +966,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -1012,7 +1026,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -1085,7 +1100,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -1152,7 +1168,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -1219,7 +1236,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -1313,7 +1331,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -1387,7 +1406,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -1506,7 +1526,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -1613,7 +1634,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -1725,7 +1747,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -1802,7 +1825,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -1916,7 +1940,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -2033,7 +2058,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -2096,7 +2122,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -2204,7 +2231,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -2271,7 +2299,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -2379,7 +2408,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -2442,7 +2472,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -2505,7 +2536,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -2607,7 +2639,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -2698,7 +2731,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -2761,7 +2795,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -2859,7 +2894,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -2972,7 +3008,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -3086,7 +3123,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -3149,7 +3187,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -3262,7 +3301,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -3369,7 +3409,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -3432,7 +3473,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -3491,7 +3533,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -3567,7 +3610,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -3670,7 +3714,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -3777,7 +3822,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -3848,7 +3894,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -3962,7 +4009,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -4034,7 +4082,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -4126,7 +4175,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -4193,7 +4243,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -4256,7 +4307,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -4306,7 +4358,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -4356,7 +4409,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -4464,7 +4518,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -4536,7 +4591,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -4599,7 +4655,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -4707,7 +4764,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -4779,7 +4837,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -4887,7 +4946,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -4950,7 +5010,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -5028,7 +5089,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -5106,7 +5168,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -5170,7 +5233,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -5278,7 +5342,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -5392,7 +5457,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -5506,7 +5572,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -5614,7 +5681,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -5686,7 +5754,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -5764,7 +5833,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -5827,7 +5897,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -5935,7 +6006,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -6053,7 +6125,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -6160,7 +6233,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -6227,7 +6301,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -6340,7 +6415,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -6407,7 +6483,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -6520,7 +6597,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -6628,7 +6706,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -6714,7 +6793,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -6828,7 +6908,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -6916,7 +6997,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -6975,7 +7057,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -7083,7 +7166,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -7161,7 +7245,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -7220,7 +7305,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -7328,7 +7414,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -7437,7 +7524,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -7525,7 +7613,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -7633,7 +7722,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -7730,7 +7820,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -7827,7 +7918,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -7945,7 +8037,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -8054,7 +8147,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -8156,7 +8250,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -8264,7 +8359,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -8372,7 +8468,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -8439,7 +8536,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -8545,7 +8643,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -8612,7 +8711,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -8690,7 +8790,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -8758,7 +8859,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -8826,7 +8928,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -8893,7 +8996,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -8961,7 +9065,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -9024,7 +9129,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -9096,7 +9202,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -9163,7 +9270,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -9234,7 +9342,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -9301,7 +9410,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -9368,7 +9478,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -9435,7 +9546,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -9549,7 +9661,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -9627,7 +9740,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -9696,7 +9810,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -9805,7 +9920,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -9864,7 +9980,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -9931,7 +10048,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -10044,7 +10162,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -10107,7 +10226,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -10174,7 +10294,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -10285,7 +10406,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -10402,7 +10524,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -10469,7 +10592,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -10582,7 +10706,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -10696,7 +10821,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -10805,7 +10931,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -10909,7 +11036,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -11023,7 +11151,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -11346,7 +11475,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -11474,7 +11604,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -11537,7 +11668,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -11608,7 +11740,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -11658,7 +11791,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -11725,7 +11859,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -11839,7 +11974,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -11953,7 +12089,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -12020,7 +12157,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -12128,7 +12266,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -12236,7 +12375,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -12343,7 +12483,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -12439,7 +12580,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -12506,7 +12648,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -12573,7 +12716,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -12681,7 +12825,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -12760,7 +12905,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -12874,7 +13020,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -12937,7 +13084,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -13004,7 +13152,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -13067,7 +13216,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -13117,7 +13267,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -13166,7 +13317,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -13215,7 +13367,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -13286,7 +13439,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -13349,7 +13503,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
@@ -13446,7 +13601,8 @@
 "event": {
 "code": 22,
 "kind": "event",
- "module": "sysmon"
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "log": {
 "level": "information"
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json
index c5a697179ae9..1717f1d687d3 100644
--- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json
+++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json
@@ -1764,4 +1764,4 @@
 "version": 4
 }
 }
-]
+]
\ No newline at end of file