From 781598351d39f09d08bf24a1948202481cf0969f Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Wed, 27 Oct 2021 17:13:34 +0200
Subject: [PATCH] Add SourceUser and TargetUser
---
 tools/config/winlogbeat-modules-enabled.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index 8bf9155f..dfc0ca9e 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -186,6 +186,8 @@ fieldmappings:
 ParentImage: process.parent.executable
 ParentCommandLine: process.parent.command_line
 ParentUser: winlog.event_data.ParentUser #Sysmon 13.30
+ SourceUser: winlog.event_data.SourceUser #Sysmon 13.30
+ TargetUser: winlog.event_data.TargetUser #Sysmon 13.30
 TargetFilename: file.path
 CreationUtcTime: winlog.event_data.CreationUtcTime
 PreviousCreationUtcTime: winlog.event_data.PreviousCreationUtcTime
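Review bot: The added `SourceUser` and `TargetUser` mappings carry only the terse `#Sysmon 13.30` marker, which does not tell a rule author that these fields are missing from events produced by older Sysmon agents. A converted rule that filters on them would then match nothing on such hosts, with no error to signal the coverage gap. I would spell that out in the inline comment, for example `SourceUser: winlog.event_data.SourceUser  # Sysmon >= 13.30 only; absent on older agents`, and likewise for `TargetUser`. It is also worth confirming that the deployed Winlogbeat Sysmon module leaves both fields under `winlog.event_data` rather than renaming them, since nothing in the hunk shows this. The `fieldmappings` block starts and ends outside the hunk.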