[System]: Improve field mappings Windows Event 5136 #16965

@jvalente-salemstate

Description

Integration Name

System [system]

Dataset Name

system.security

Integration Version

2.9.1

Agent Version

9.2.3

OS Version and Architecture

Windows Server 2019 Datacenter (x86_64)

User Goal

This event captures changes to directory objects, but more granular mappings could be made.

When winlog.event_data.ObjectClass is user, computer, or group, there are additional ECS fields that can be captured for IAM events.

winlog.event_data.ObjectDN contains the name (user.target.name, group.name, host.name, etc.) of the object being modified. For users I have a custom pipeline with a grok pattern CN=%{WORD:user.target.name}, and there may be better nested fields for these.

The value in winlog.event_data.AttributeValue may also be useful. In group changes, it contains the user being added/removed. Certain attributes like mail for user could also be captured under user.target.email. These may be a lot more granular than just capturing the ObjectDN, though.

The ObjectClass being user or group also gives info for setting event.type to include it as well.

Existing Features

Searching for user.target.name or related.user currently does not return these events.

What did you see?

{
  "@timestamp": "2026-01-14T12:00:08.656Z",
  "agent.ephemeral_id": "l",
  "agent.id": "l",
  "agent.name": "WMSC15P",
  "agent.type": "filebeat",
  "agent.version": "9.2.3",
  "data_stream.dataset": "system.security",
  "data_stream.namespace": "default",
  "data_stream.type": "logs",
  "ecs.version": "8.11.0",
  "elastic_agent.id": "l",
  "elastic_agent.snapshot": false,
  "elastic_agent.version": "9.2.3",
  "error.message": null,
  "event.action": "directory-service-object-modified",
  "event.agent_id_status": "verified",
  "event.category": [
    "configuration",
    "iam"
  ],
  "event.code": "5136",
  "event.created": "2026-01-14T12:00:21.116Z",
  "event.dataset": "system.security",
  "event.ingested": "2026-01-14T12:00:31.000Z",
  "event.kind": "event",
  "event.module": "system",
  "event.original": null,
  "event.outcome": "success",
  "event.provider": "Microsoft-Windows-Security-Auditing",
  "event.type": [
    "admin",
    "change"
  ],
  "host.architecture": "x86_64",
  "host.hostname": "host",
  "host.id": "boom",
  "host.ip": "127.10.10.10",
  "host.mac": "00-00-00-00-00-00",
  "host.name": "host",
  "host.os.build": "17763.8146",
  "host.os.family": "windows",
  "host.os.kernel": "10.0.17763.8146 (WinBuild.160101.0800)",
  "host.os.name": "Windows Server 2019 Standard",
  "host.os.platform": "windows",
  "host.os.type": "windows",
  "host.os.version": "10.0",
  "input.type": "winlog",
  "log.level": "information",
  "message": "A directory service object was modified. snipped for redaction and relevant info in other fields",
  "related.user": "username",
  "tags": null,
  "user.domain": "SSCAdomainD",
  "user.id": "S-1-5-21-snippy",
  "user.name": "username",
  "winlog.channel": "Security",
  "winlog.computer_name": "myhost",
  "winlog.event_data.AttributeLDAPDisplayName": "employeeNumber",
  "winlog.event_data.AttributeSyntaxOID": "2.5.5.12",
  "winlog.event_data.AttributeValue": "x",
  "winlog.event_data.DSName": "domain",
  "winlog.event_data.DSType": "Active Directory Domain Services",
  "winlog.event_data.ObjectClass": "user",
  "winlog.event_data.ObjectDN": "CN=userg,OU=myou,DC=consoso,DC=com",
  "winlog.event_data.ObjectGUID": "{foo}",
  "winlog.event_data.OpCorrelationID": "{bar}",
  "winlog.event_data.OperationType": "Value Added",
  "winlog.event_data.SubjectDomainName": "domain",
  "winlog.event_data.SubjectLogonId": "0xBEEFBEEF",
  "winlog.event_data.SubjectUserName": "user",
  "winlog.event_data.SubjectUserSid": "S-1-5-21-x",
  "winlog.event_id": "5136",
  "winlog.keywords": "Audit Success",
  "winlog.logon.id": "0xBEEFBEEF",
  "winlog.opcode": "Info",
  "winlog.process.pid": 696,
  "winlog.process.thread.id": 824,
  "winlog.provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
  "winlog.provider_name": "Microsoft-Windows-Security-Auditing",
  "winlog.record_id": "707177777",
  "winlog.task": "Directory Service Changes"
}

Anything else?

No response
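The mapping the issue proposes, worked through as an added example (this is not the reporter's pipeline and not the elastic/integrations system.security pipeline). It takes a flattened 5136 document like the one above, parses ObjectDN as an RFC 4514 distinguished name instead of the CN=%{WORD:...} grok pattern (so common names with spaces, hyphens or escaped commas such as "Domain Admins" or "Doe\, John" survive), and sets user.target.name, group.name, user.target.email, related.user and event.type from ObjectClass, AttributeLDAPDisplayName and AttributeValue. The ObjectClass-to-field mapping, the choice to put a target computer in related.hosts rather than overwrite host.name, and the helper names are assumptions made for this illustration; the sample documents are constructed from the redacted event shown.

```python
# Added example (not the issue author's code and not the elastic/integrations
# system.security pipeline): enrich a flattened Windows Event 5136 document
# with the ECS fields the issue asks for. The ObjectClass-to-field mapping
# and the helper names are assumptions made for this illustration.
from __future__ import annotations
import string


def split_dn(dn: str) -> list[str]:
    """Split a DN on unescaped commas: 'CN=Doe\\, J,OU=x' -> ['CN=Doe\\, J', 'OU=x']."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            buf.append(dn[i:i + 2])
            i += 2
        elif dn[i] == ",":
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(dn[i])
            i += 1
    parts.append("".join(buf))
    return parts


def unescape(value: str) -> str:
    """Undo RFC 4514 escaping: '\\,' -> ',' and the hex form '\\2C' -> ','."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def rdn_value(dn: str, attr: str = "CN") -> str | None:
    """Value of the first RDN of type `attr` (case-insensitive), or None.
    Unlike the grok pattern CN=%{WORD:...}, spaces, hyphens and escaped
    commas inside the common name are preserved."""
    for rdn in split_dn(dn):
        typ, sep, val = rdn.partition("=")
        if sep and typ.strip().upper() == attr.upper():
            return unescape(val.strip())
    return None


def _as_list(v) -> list:
    return [] if v is None else (list(v) if isinstance(v, list) else [v])


def _dedupe(items: list) -> list:
    return list(dict.fromkeys(items))


def enrich_5136(event: dict) -> dict:
    """Return a copy of the flattened event with IAM fields derived from
    ObjectClass, ObjectDN and AttributeValue (the mapping is an assumption)."""
    out = dict(event)
    obj_class = (event.get("winlog.event_data.ObjectClass") or "").lower()
    attr = (event.get("winlog.event_data.AttributeLDAPDisplayName") or "").lower()
    attr_value = event.get("winlog.event_data.AttributeValue") or ""
    cn = rdn_value(event.get("winlog.event_data.ObjectDN") or "", "CN")
    related_users = _as_list(event.get("related.user"))
    event_types = _as_list(event.get("event.type"))

    if obj_class == "user" and cn:
        out["user.target.name"] = cn
        related_users.append(cn)
        event_types.append("user")
        if attr == "mail" and attr_value:
            out["user.target.email"] = attr_value
    elif obj_class == "group" and cn:
        out["group.name"] = cn
        event_types.append("group")
        if attr == "member":            # AttributeValue is the member's DN
            member = rdn_value(attr_value, "CN")
            if member:
                out["user.target.name"] = member
                related_users.append(member)
    elif obj_class == "computer" and cn:
        # host.name already names the collecting host, so record the target
        # computer in related.hosts instead of overwriting it.
        out["related.hosts"] = _dedupe(_as_list(event.get("related.hosts")) + [cn])

    out["related.user"] = _dedupe(related_users)
    out["event.type"] = _dedupe(event_types)
    return out


# Constructed sample documents modelled on the (redacted) event in the issue.
USER_MAIL_CHANGE = {
    "event.type": ["admin", "change"],
    "related.user": "admin.user",
    "winlog.event_data.ObjectClass": "user",
    "winlog.event_data.ObjectDN": "CN=Doe\\, John,OU=Staff,DC=contoso,DC=com",
    "winlog.event_data.AttributeLDAPDisplayName": "mail",
    "winlog.event_data.AttributeValue": "jdoe@contoso.example",
    "winlog.event_data.OperationType": "Value Added",
}
GROUP_MEMBER_ADDED = {
    "event.type": ["admin", "change"],
    "related.user": "admin.user",
    "winlog.event_data.ObjectClass": "group",
    "winlog.event_data.ObjectDN": "CN=Domain Admins,CN=Users,DC=contoso,DC=com",
    "winlog.event_data.AttributeLDAPDisplayName": "member",
    "winlog.event_data.AttributeValue": "CN=Doe\\, John,OU=Staff,DC=contoso,DC=com",
    "winlog.event_data.OperationType": "Value Added",
}

if __name__ == "__main__":
    for doc in (USER_MAIL_CHANGE, GROUP_MEMBER_ADDED):
        e = enrich_5136(doc)
        print({k: v for k, v in e.items() if not k.startswith("winlog.")})
```

Running the block on the two samples yields user.target.name "Doe, John" with user.target.email for the user document, and group.name "Domain Admins" plus the added member as user.target.name for the group document; in both cases the member or target lands in related.user, so the search the issue describes would match. In an ingest pipeline the same logic would need a painless or dissect step rather than grok, because grok's WORD pattern stops at the first space.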
