From 8e31628955f89ab550e33a1ae1cc750b850a29ab Mon Sep 17 00:00:00 2001
From: Anabella Cristaldi <33020901+janniten@users.noreply.github.com>
Date: Tue, 17 Dec 2019 17:15:24 +0100
Subject: [PATCH] [Winlogbeat] Add Group Management Events - Add NewUAC
 Description for User Management Events (#14299)

* Added Group Management Events
* Added User and Group Enumeration
* Added New UAC Description
---
 .../security/config/winlogbeat-security.js    | 142 ++++++++++++++++++
 ...2016_4720_Account_Created.evtx.golden.json |  20 ++-
 .../testdata/security-windows2016_4727.evtx   | Bin 0 -> 69632 bytes
 ...security-windows2016_4727.evtx.golden.json |  63 ++++++++
 .../testdata/security-windows2016_4728.evtx   | Bin 0 -> 69632 bytes
 ...security-windows2016_4728.evtx.golden.json |  63 ++++++++
 .../testdata/security-windows2016_4729.evtx   | Bin 0 -> 69632 bytes
 ...security-windows2016_4729.evtx.golden.json |  63 ++++++++
 .../testdata/security-windows2016_4730.evtx   | Bin 0 -> 69632 bytes
 ...security-windows2016_4730.evtx.golden.json |  61 ++++++++
 .../testdata/security-windows2016_4731.evtx   | Bin 0 -> 69632 bytes
 ...security-windows2016_4731.evtx.golden.json |  63 ++++++++
 .../testdata/security-windows2016_4732.evtx   | Bin 0 -> 69632 bytes
 ...security-windows2016_4732.evtx.golden.json |  63 ++++++++
 .../testdata/security-windows2016_4733.evtx   | Bin 0 -> 69632 bytes
 ...security-windows2016_4733.evtx.golden.json |  63 ++++++++
 .../testdata/security-windows2016_4734.evtx   | Bin 0 -> 69632 bytes
 ...security-windows2016_4734.evtx.golden.json |  61 ++++++++
 .../testdata/security-windows2016_4735.evtx   | Bin 0 -> 69632 bytes
 ...security-windows2016_4735.evtx.golden.json |  63 ++++++++
 .../testdata/security-windows2016_4737.evtx   | Bin 0 -> 69632 bytes
 ...security-windows2016_4737.evtx.golden.json |  63 ++++++++
 ...2016_4738_Account_Changed.evtx.golden.json |  16 +-
 .../testdata/security-windows2016_4754.evtx   | Bin 0 -> 69632 bytes
 ...security-windows2016_4754.evtx.golden.json |  63 ++++++++
 .../testdata/security-windows2016_4755.evtx   | Bin 0 -> 69632 bytes
 ...security-windows2016_4755.evtx.golden.json |  63 ++++++++
 .../testdata/security-windows2016_4756.evtx   | Bin 0 -> 69632 bytes
 ...security-windows2016_4756.evtx.golden.json |  63 ++++++++
 .../testdata/security-windows2016_4757.evtx   | Bin 0 -> 69632 bytes
 ...security-windows2016_4757.evtx.golden.json |  63 ++++++++
 .../testdata/security-windows2016_4758.evtx   | Bin 0 -> 69632 bytes
 ...security-windows2016_4758.evtx.golden.json |  61 ++++++++
 .../testdata/security-windows2016_4764.evtx   | Bin 0 -> 69632 bytes
 ...security-windows2016_4764.evtx.golden.json |  62 ++++++++
 .../testdata/security-windows2016_4798.evtx   | Bin 0 -> 69632 bytes
 ...security-windows2016_4798.evtx.golden.json |  58 +++++++
 .../testdata/security-windows2016_4799.evtx   | Bin 0 -> 69632 bytes
 ...security-windows2016_4799.evtx.golden.json |  63 ++++++++
 39 files changed, 1296 insertions(+), 4 deletions(-)
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx
 create mode 100644 x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json

diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
index 6a8dda197de..13ef413f9e5 100644
--- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
+++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
@@ -19,6 +19,34 @@ var security = (function () {
         "11": "CachedInteractive",
     };
 
+    // User Account Control Attributes Table
+    // https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties
+    var uac_flags = [
+        [0x0001, 'SCRIPT'],
+        [0x0002, 'ACCOUNTDISABLE'],
+        [0x0008, 'HOMEDIR_REQUIRED'],
+        [0x0010, 'LOCKOUT'],
+        [0x0020, 'PASSWD_NOTREQD'],
+        [0x0040, 'PASSWD_CANT_CHANGE'],
+        [0x0080, 'ENCRYPTED_TEXT_PWD_ALLOWED'],
+        [0x0100, 'TEMP_DUPLICATE_ACCOUNT'],
+        [0x0200, 'NORMAL_ACCOUNT'],
+        [0x0800, 'INTERDOMAIN_TRUST_ACCOUNT'],
+        [0x1000, 'WORKSTATION_TRUST_ACCOUNT'],
+        [0x2000, 'SERVER_TRUST_ACCOUNT'],
+        [0x10000, 'DONT_EXPIRE_PASSWORD'],
+        [0x20000, 'MNS_LOGON_ACCOUNT'],
+        [0x40000, 'SMARTCARD_REQUIRED'],
+        [0x80000, 'TRUSTED_FOR_DELEGATION'],
+        [0x100000, 'NOT_DELEGATED'],
+        [0x200000, 'USE_DES_KEY_ONLY'],
+        [0x400000, 'DONT_REQ_PREAUTH'],
+        [0x800000, 'PASSWORD_EXPIRED'],
+        [0x1000000, 'TRUSTED_TO_AUTH_FOR_DELEGATION'],
+        [0x04000000, 'PARTIAL_SECRETS_ACCOUNT'],
+    ];
+
+    // event.action Description Table
     var eventActionTypes = {
         "4624": "logged-in",
         "4625": "logon-failed",
@@ -32,10 +60,28 @@ var security = (function () {
         "4724": "reset-password",
         "4725": "disabled-user-account",
         "4726": "deleted-user-account",
+        "4727": "added-group-account",
+        "4728": "added-group-account-to",
+        "4729": "deleted-group-account-from",
+        "4730": "deleted-group-account",
+        "4731": "added-group-account",
+        "4732": "added-group-account-to",
+        "4733": "deleted-group-account-from",
+        "4734": "deleted-group-account",
+        "4735": "modified-group-account",
+        "4737": "modified-group-account",
         "4738": "modified-user-account",
         "4740": "locked-out-user-account",
+        "4754": "added-group-account",
+        "4755": "modified-group-account",
+        "4756": "added-group-account-to",
+        "4757": "deleted-group-account-from",
+        "4758": "deleted-group-account",
+        "4764": "type-changed-group-account",
         "4767": "unlocked-user-account",
         "4781": "renamed-user-account",
+        "4798": "group-membership-enumerated",
+        "4799": "user-member-enumerated",
     };
 
     // Descriptions of failure status codes.
@@ -1104,6 +1150,28 @@ var security = (function () {
         evt.Put("winlog.logon.failure.sub_status", descriptiveFailureStatus);
     };
 
+    var addUACDescription = function(evt) {
+        var code = evt.Get("winlog.event_data.NewUacValue");
+        if (!code) {
+            return;
+        }
+        var uac_code=parseInt(code);
+        var uac_result = [];
+        for (var i=0; i<uac_flags.length; i++) {
+            if ((uac_code | uac_flags[i][0]) === uac_code) {
+                uac_result.push(uac_flags[i][1]);
+            }
+        }
+        if (uac_result) {
+            evt.Put("winlog.event_data.NewUACList",uac_result);
+        }
+        var uac_list=evt.Get("winlog.event_data.UserAccountControl").replace(/\s/g,'').split("%%").filter(String);
+        if (! uac_list) {
+            return;
+        }
+        evt.Put("winlog.event_data.UserAccountControl",uac_list);
+      };
+
     var copyTargetUser = new processor.Chain()
         .Convert({
             fields: [
@@ -1115,6 +1183,17 @@ var security = (function () {
         })
         .Build();
 
+    var copyTargetUserToGroup = new processor.Chain()
+        .Convert({
+            fields: [
+                {from: "winlog.event_data.TargetUserSid", to: "group.id"},
+                {from: "winlog.event_data.TargetUserName", to: "group.name"},
+                {from: "winlog.event_data.TargetDomainName", to: "group.domain"},
+            ],
+            ignore_missing: true,
+        })
+        .Build();
+
     var copyTargetUserLogonId  = new processor.Chain()
         .Convert({
             fields: [
@@ -1304,6 +1383,7 @@ var security = (function () {
         .Add(copyTargetUser)
         .Add(copySubjectUserLogonId)
         .Add(renameCommonAuthFields)
+        .Add(addUACDescription)
         .Add(addActionDesc)
         .Build();
 
@@ -1313,6 +1393,14 @@ var security = (function () {
         .Add(addActionDesc)
         .Build();
 
+    var groupMgmtEvts = new processor.Chain()
+        .Add(copySubjectUser)
+        .Add(copySubjectUserLogonId)
+        .Add(copyTargetUserToGroup)
+        .Add(renameCommonAuthFields)
+        .Add(addActionDesc)
+        .Build();
+
     return {
         // 4624 - An account was successfully logged on.
         4624: logonSuccess.Run,
@@ -1356,18 +1444,72 @@ var security = (function () {
         // 4726 - An user account was deleted.
         4726: userMgmtEvts.Run,
 
+        // 4727 - A security-enabled global group was created.
+        4727: groupMgmtEvts.Run,
+
+        // 4728 - A member was added to a security-enabled global group.
+        4728: groupMgmtEvts.Run,
+
+        // 4729 - A member was removed from a security-enabled global group.
+        4729: groupMgmtEvts.Run,
+
+        // 4730 - A security-enabled global group was deleted.
+        4730: groupMgmtEvts.Run,
+
+        // 4731 - A security-enabled local group was created.
+        4731: groupMgmtEvts.Run,
+
+        // 4732 - A member was added to a security-enabled local group.
+        4732: groupMgmtEvts.Run,
+
+        // 4733 - A member was removed from a security-enabled local group.
+        4733: groupMgmtEvts.Run,
+
+        // 4734 - A security-enabled local group was deleted.
+        4734: groupMgmtEvts.Run,
+
+        // 4735 - A security-enabled local group was changed.
+        4735: groupMgmtEvts.Run,
+
+        // 4737 - A security-enabled global group was changed.
+        4737: groupMgmtEvts.Run,
+
         // 4738 - An user account was changed.
         4738: userMgmtEvts.Run,
 
         // 4740 - An account was locked out
         4740: userMgmtEvts.Run,
 
+        // 4754 -  A security-enabled universal group was created.
+        4754: groupMgmtEvts.Run,
+
+        // 4755 - A security-enabled universal group was changed.
+        4755: groupMgmtEvts.Run,
+
+        // 4756 - A member was added to a security-enabled universal group.
+        4756: groupMgmtEvts.Run,
+
+        // 4757 - A member was removed from a security-enabled universal group.
+        4757: groupMgmtEvts.Run,
+
+        // 4758 - A security-enabled universal group was deleted.
+        4758: groupMgmtEvts.Run,
+
+        // 4764 - A group\'s type was changed.
+        4764: groupMgmtEvts.Run,
+
         // 4767 - A user account was unlocked.
         4767: userMgmtEvts.Run,
 
         // 4781 - The name of an account was changed.
         4781: userRenamed.Run,
 
+        // 4798 - A user's local group membership was enumerated.
+        4798: userMgmtEvts.Run,
+
+        // 4799 - A security-enabled local group membership was enumerated.
+        4799: groupMgmtEvts.Run,
+
         process: function(evt) {
             var event_id = evt.Get("winlog.event_id");
             var processor = this[event_id];
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json
index 2f1c605a18c..ccd07ec3870 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json
@@ -34,6 +34,10 @@
         "HomeDirectory": "%%1793",
         "HomePath": "%%1793",
         "LogonHours": "%%1797",
+        "NewUACList": [
+          "SCRIPT",
+          "LOCKOUT"
+        ],
         "NewUacValue": "0x15",
         "OldUacValue": "0x0",
         "PasswordLastSet": "%%1794",
@@ -50,7 +54,11 @@
         "TargetDomainName": "WIN-41OB2LO92CR",
         "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005",
         "TargetUserName": "elastictest1",
-        "UserAccountControl": "\n\t\t%%2080\n\t\t%%2082\n\t\t%%2084",
+        "UserAccountControl": [
+          "2080",
+          "2082",
+          "2084"
+        ],
         "UserParameters": "%%1793",
         "UserPrincipalName": "-",
         "UserWorkstations": "%%1793"
@@ -110,6 +118,10 @@
         "HomeDirectory": "%%1793",
         "HomePath": "%%1793",
         "LogonHours": "%%1797",
+        "NewUACList": [
+          "SCRIPT",
+          "LOCKOUT"
+        ],
         "NewUacValue": "0x15",
         "OldUacValue": "0x0",
         "PasswordLastSet": "%%1794",
@@ -126,7 +138,11 @@
         "TargetDomainName": "WIN-41OB2LO92CR",
         "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006",
         "TargetUserName": "audittest0609",
-        "UserAccountControl": "\n\t\t%%2080\n\t\t%%2082\n\t\t%%2084",
+        "UserAccountControl": [
+          "2080",
+          "2082",
+          "2084"
+        ],
         "UserParameters": "%%1793",
         "UserPrincipalName": "-",
         "UserWorkstations": "%%1793"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..de81fec15c4620ef04518ded947a135011182a07
GIT binary patch
literal 69632
zcmeHQ3wRXO+5Tp;S(1=!!Zlt1p`r*9E(!=Dmv9LeLqLN_ZM8%aN+h=?L4r^k6a}l5
zi>O!>k;*R$Dk>-n1u1e71O$z!P!+2d>jhh|+UoP?f4|xD?aYQj<Fq?}W}aQ1<;>3Q
zd(V5`^PTUUIcGAoXi`>TQ32Kc_|%SSq#DH$rD=6f`Hz36ol*PRe|(eJ4Pp$$7>F?t
zV<5&rjDZ*fF$Q7`#2AP%5Mv<5K#YMOWMF8~q`{L*rl5}>`kXGU=EE2i7}%I-QR1p|
zLTB6mpY4p@KVyaY4y^-3-!&pS5l?i?Z$3iQK7ptoh9Q3JXWtK8^B8RMr!{Qy=WBKT
zt7<>*TZ(;?>fjlG-`}V~lC$dAC|394YadhFqi}8(?)hS!`|vqVe9l)`&9-X5b*D}!
z(?lNQQJ<aVH}9EOqoryZC2O~jTjrN5dHaJmZ_V8_>2TkEuS{sW7CGUwGMmsN*yIfI
z=f&iB8cH`(0hLfCe$T}>aDzIyDK(y|sF;dyumT6-wVpH?r&UrJT}oZ?uYx9GPXW%!
z!*&;>h1gS0rTA4!lW=Ai{4T}*t~3qDN|0Ve-SDpmwz^So{9h0@UlH-kr`6V;L|I9>
zm5vQiE=|XsD|L$ycxG+wPk~EH^zSngXpC<CM%c>7S>-s|3*Rge<K_4GDF<MSagZn&
zBrPyr>7io_KMkX)`jt48N~v*~aWo32-K5U=DzA}=tPwN>$2#B}V9D`qI=+)cSKt<T
zpsWztFVrD0bwNJ`e8D&h__fCL6YLPBpOM&z#;MZ^!Bh#3`GSqf??)N8!4Hvm{=Rt1
z#)({3Mfyp^C;6xqeza0L9Xi8LWA(C_qMzbpgBrEP53U0Id9qD_Mxy|^SePO<r}3TQ
zsXcy3&ADNJ0$q;7(@}1v;4vS(^QrOF!VlWV;KxFB$G&$phS5Tu)4@2k006j%@^Ow%
z57#2r)MYc0B1%v$0zCn05~n3WEru`2ic2xEeI;(lkQqscd0#Mzk{HXaxJVqrihnew
z!TM>8qew?0wEi6DWo4-vp7i%5%ETQj0i4xRiJXS+8*D_W0d@*p>^-+PAvPVl6X)qP
z7p1UVYHN#OL!8Kl^@+$pl@5HWZYWf|!x;xklNd|Vp+u$Gi8!$W{}hS@N(iuP<)Xc{
zPXZX8thf~df{Bz6r={s~VrR^sTOiTFI5Q7ID$#Lsp{0@L*J^8Z0&pT1T;Gxeov30+
zfx(69iZ5PkMOOnt4rQQ<c85|1p~7Y(?SphMxaa~w6w&p#fJ?axwo5@HE1t_@5HN_7
zUfv}E#m&Vw705#r6LDJ<5Pv->J3v<<&um@gJDHlr`GZZUou8WGR7g|*Ldj^*Lb*(!
z7L-6ua1>PlTl`I+B>g;nC;rRAuQW=<SEGu!cG%<VHH~kGPuuFAwUc$f=|>S)<EDve
zp(Cj7bsbm+_+ZDCk9<x8)QnT|lmSgl#c|FdpZQBV@7_6MtHv%KvGT?Ked8|JmQt66
zkh@NNuzd|Xb^h>n&l7iCJM^y$J59gr?AK?ay6{;jwK8mSJIkLTH?yR~T@TTVAP@W5
z6Anen?Jg_px21k~CoUj9dLF(3_JHwPP<IdIz*vBTLcMrIUkV84V!TA%tD|vcTEvw@
zzy>>g&aZJb@bcAs6(c#@xH>W7>ReoxPrei%HRJOyR_90H%mt^{(+#?Q45V^pT<FT4
z>Pp?sgmRdQ^0B(oKnX#y)jsOl3k{S_>RfA`%lOds^+25smVSwE3B=9$4TPL$cV+op
z!*Yu51VXN;2zlo6$p%Z@*!fZ#eXm7s&Dblkdz=bem8KF&2wll}<PvFZSY%hsr7&Ds
zVb?kxwi0oLAC(E72URB--&WKNX*0AUq2FBneENP(Plv!}1+-L#yM;V|s1dHh{jNqX
z20^l!D1Wpt{E2UY|E^n=6rlD!7f(8L{Mm7EN07RHjBDuk`=9m^_v~GX+JR37<bHY-
z8GH)IP5e2<{z=%*1a=NyN)#LAdQO-Va}GK@3aI$-{W2Ede$}fgzFvYfRH6G!Pg~FN
zmzCdQnBuqC+0^x0Ofr84fmrri!;z*_I}kh~ePnuw9ULCW78mE&gm>r{;lJ^S^e;p8
zy+d}Kj&06ueZ1TV@WD}1Im(uGS)hA94)%)huYBG$-TN<Ek+bCXi}wy2yCuIqcN_~Y
znc=HY8@lQ-2;ZF*6KbKk4N2Cj?#y4*44L5^`l%7+`Z`n-)%K!l?BV!#IH<f+<#P7I
z!#W#3mjBdx@&9M=@2CFh{Z0If#q}F<+AYi{T6dh&8cp~YWT#boL+5|uL!J7a4OhW}
zU4>F;gKsEwmlm)K%B!w6*!QsK;n2Sbo`B;IR?08nm8MZo{OXRV<RYBGUZDW{rh{Cr
zado>3_HD7}V0{@lvw?#>B6m{wqyJ|8u#Q+yzteXUO&FY%cn?bP$Lh#_Jr;{rI!Z=8
z7G$o~k##*ry_R~s9Q@y<_@7&t_kQ&F@1xh_$q)xS75y_%EH<SSUFs9mf#%?TAijdk
zwfqORHqO3S1-!hSGjaCV)vveRczjQ=HSbo@B}deQxVnd0HvHmp;rfw=dNN<J(sRm1
zU)d?2`uW+F7JgPNO8r=!GFtbu-2iwounIEQmXF!bmO+^8XHRWKyPV?Fa^cHDZ7}yO
z%dpLTD;~e$4&-q7Uyd2S-|uGPx-t~)5BW>oAF>Wa4-1qYK3_P*VLgaN(Zdpx9_And
z6J#+xL{Sf1`kLs0-R452hjA0`i=rOxx9|^QQS?v}jPwtJ%oBRZ{}KKnH2TFI{}Oz^
z-w#Bd%W?S+`-BWGcZr`Csq%kj%a`BSX&>yzPh#<Gy)%kvP9fp;AsOw1AaiZ`TgOk@
zz;OIjg?9RGmFq84cE;TowfHsFB7PE!)&ID^-&81K-dE3${~T!25Ie1dKNe)J<=-4X
zLGVP(x3q(c74OfD^bdK?2JiOcBC*(VA2oe0pJ>S;PHVKvB%+tWyC8Ed?{0{TXh!;m
zYt8N8JxUK#cHEm4Jv~^pgJMziFyO67JqR*S=%FFCgZc=G_=9^@`QNpENfgW9s-Gkl
zrTp)B$0+|*$wY$86XoAf`$_r(Z}A7!XeaJddiXZ+&<H#Jz<yjL7OnJ9jW$A%xmFL>
zaS?jG%)7*;OBDYT`fVKTEdOFr0SG7DK68B(WFF(6?ta+J|NSc83(Jo!a+ZIw=u4*H
z6;Q+kg@pNEhp!;>82_C@<JqGB->Y1ox3uFPXZaV4;(u;A9@!oVGLP|(=}u<-FID{a
z$r|vPv;2!i1t6S={so!G_{W&2ng0h=zQ;|R`Kt{!`e*jrU$Gb_UTrY{+&>d!-sb;7
zmFwdNN@h9BzgV>5-;efJka?GX9;aBQvVZp<j=lCm)bwvPE+iJk|F5`E)5j;?$1|q3
z;9rormjB3cA<T;~j|)8{wS8)*GynAKAOAer{<u)3ve@df+HG5ZO|*3wr#0GTsTdOi
z?}E&=yt`psi04CIE&V`Fmn%IqJ^t<4&gwxdiXJwNH1tr0F<L<u(?b-WmqqA-pPM|a
z^ss7v=T_0vgVi{pSQI^!3^(+^{y~s=LJtjToN%J~dD#k8{yTrSwT+$fw;z{^MFk+7
zaQndiK#;k%{H@1@&_0{{1%FWaK6GH@InMGg7PBxl9RXT+zJl;C$UMeB#4r5wyt_vf
z|L?pOUuB2?`o%{_E#?b|Me%>BV-5fJ7W!p^%(eWR<0GE8`4fEY&!znSc>~d&w;7s0
zUWvI(Jg>A!7fpeA-sVcBqufbtzO|zx`+ig`Dgfbx>+uA91(|DgR4+gJKPul(+_n4M
z?Kb*3_W2i!FZtUI3BaRl_~N0jJ^>o$KObK~<}v<Few6zak1GC~zTIovvRO{{GsR-{
zGkfPQn}r!*n>ek}=3&Y{kFN_d*Ya=nqYd?WBd?k{Y3^sPQhGRg>6%^6>Om}u9(HUo
z^w1fa5M(huM6sV4p$G17Jf`$;@J8*G=;^_#pD7ka4|#ty^uYc>ka<E64XK}5V(w=?
zuFC)9C!KfODS!LzvsgS``3o}FmcMm;RA>IdYQ=w_VMq5k%fDFcizVLXex|g~g3M$5
z(~+m8pULSO#s7h0Gix8R5g*ytzgQIgkJxGWzqS}>5o8|Yzf<J=gC`XK)hAkaSneqQ
zVo?DIC#-*tM+BM2_&3cz;C}LxD&M8wTr$uO|MeSZv05K17DfLp-Zu2l{0lPI@^9`R
zcx`<wRO8pzSMxj~*3nZ+M>n_G?XZr-qUdPx;Yb|`vY3wa)qwxM<8^h{S?liwknuWB
z*D4*wHCyz+BR1ND`uQWPabK}0I(qlhNF50>&*;c&<Gy90BaZ8yRyulO;#;?@w4o#W
zah+Ifg12};(E9RO2E%d1hUNw`*Xqc+UxW8^nB(ea6#u&it-Qxs{>7pKa0>r|%wzmx
zoX^bvvnu=D-aYFJXZaV4!oQ>vR|_(a@sHYW=6{{a_NdY4G=0=j|05QKcS)sRFUY*j
z|9X|}rK^^H;w=ASQFxb>`JV~@FUY*j|8pwa2L?Xnd(2V&hb<CbPzDqe6cX`2g3M$5
zBd$05pXXJsyJhaqc9ws!r~riLuZaEynaB9Y+oa6=Z&2C4XUB%k&hjr7g?~v!|ANe8
z{NqJ&X8vDL*?!~shv{)g{f}4_-X#_O1)0bA$NLP;{J*HO-7h$2${I)c7mG<iVCDY>
znaB7?Ud{Y(RQy-A9KHP+NBI|vE%9nl?*C3uNLc@E(}@I`$N0zlwaol)Qn`NozMO}j
zb(DXxr~rf$=6_BLB0=Uc{_#dMGyi{7`CfL>x_!>_FBZeZs}12_ka>)Mt?7I-|C?2=
ztNwZS*Us`U7Ei~&AoCdi$gY|HEh_ux5A8R3oumFoEL!out0j>j^BDg}Z(At*^E$tm
zRQ9+0C2>LY__tbDDHiMUpNzFTynaWJxt9OPb(L60XI@viRb{(&*d1Eq@ZUSB|NFM<
z_x#A}{W@ZC>VUF4lI9WZAIWKrmJQAy!B>#EmUr{>?1nnuHDVnd*T+98Jv>^mE6$D{
z>^}z*i$i@h3`?5BPc~T(<M9<_uGNF}b0E_?DxP<|P4PeX$fvgWw_hK{qSVI=#~Af-
zJm&ukGS~9&hWe<#|6k^xb9eA%rH4M9Qv7!6WBv4CHQ!h)iXMuy4Lz`b7G$2#Lq662
zJ<*ZxcK!bOA(7|S?>(@k=K03kRrwEDoY}}u`P=u$Vo?DIC(=F(GS`;BwLdn!?}q0`
z>`?jk_w3rj4*&J5e^&GT#G=%{jn^9WZ%EKU=34&E{@82t{q(<QCG%@I-KlhR=CvKq
zh@OtD=4pvV(NXU_Lq|V{9~Wev(UI5YX@%#Fa(uo^>1gZnoHllJWWPNSi{XYqZE$<Q
z{z#CyR!7$D0dgth6r8@Iay@?PpfzbW`pfqD7mIB$lNb&q{G34gM}o{_{J;OR6ycxa
z;@yh>y$5EjZDND}`nAVa;}v2tWyeSPO)y?@{2-?_+Hz?BW%Q2(nQQqsx5o{2yn+S~
zcso`4N1X0adN}xg>vhiRK`e?M-m5Y6um+kCWHCKNaeXfJzBG^~dSJKss?x)f%u!L)
zgH?Z7EQ%g}`?{eA_78&06MAS!{pDun{_<W`{&#Gj`@9{0V84A9i&o{o3Ca{?t}TD-
z_-N#o+0s69x=-={`v*7Q(9}lzY@dIzcrZvu&H$2b3JJH*?2iSR$N1MG=dtWpxt_Iu
z%FJet@-G$@fN;Y6v;GB{$N29;xuSn=hh9_pp0nk|r*`<aAD@av@jvtb71{m>GS~9&
zhWNAs?<vidc!bjfN)L-~pZU47dJv1EhjX-#!~K<Gh(`ojOb=0vPgxIx&3ZVf^sr#Y
za)<RG7DW#;;v)4R$YOekq8?EC_$%b_3-b4kURQc(IivauXZ?d%6g_;DVCZ2j+H64<
z(?b;XaNVk;Kv)m_oZt<mhYKIt_ht0-VD+3pEQ%ifkQAv0LFNfPc=0`+rSiOq{Y#C~
zQCZT-&dqJ~1MJ74Vo`K-FlgwA`(c926FO?B<D~qzs!Pr7%$rINk1pGh;jA9SqUhmh
zs-Xw&7YeeN9-`RJoT7(AN)Oj<yQzz_dJv1Ehr?-+dJtqWJw#Ct5r2Q4+l{xB9(o<y
z)HQl~u!=jxqUfP%Q$r8jUI;Qz=)sF|M|ge$&ntgh>FB&yH&)ouQT@h$t>*EI#WcKG
z!VeT<6q4^S*3lV@8wHtbbrd;|zl6G*=kdRzayzqa#hZ3`w;%6`#inJC+}|9}#e2=<
zv_^X%1%C?%^;eL&mUlOdJL>aHCEnxbVTY9-in>4gZuInE^&C_ziXQ%1M-PI`6MAS!
z&q2d~H=CbF98u+eWcE!*?UaB0{BSz{9*B=dq>oI8$<Sw@ShOmCehx0kTwDIu&q1fr
zbn|ndKPx&uD7x7e|MvZ{SQP%d%{Kh;2KZz_=34&U;E(Zk6Qlplx_DRV;dl92pS7?t
z9%H{gibVw=oJjjD$Xu%j>-uP#$Itw~r}DjX^NP#U9pzsvhKW}j%s<yhLFO_35rd0A
z<n(=&>tP)}UGFUaV$q8Kb>Lr+d5r%O<Na3LPdKWw-?I5_Uq+9AtA3eStjqr<^bL9=
z9uQ=%<v+4th6jA+e%S{q+ZCG+UcS?Y-?1MDh{bW+FG$~sep&fGPHVJ*=nH>`9)ciq
zE$?oK1B&qu>2h<w>@P|W&wRTzCwh9Y>X(T{(L;~@k$Mnhp3p;s?3b|)K2+tu<==mb
zV)<LGUl5B@{!bn-%0EBRK<0_^Z>Z1ZD1iR5_ydlMK2mzvd*#V7cKm_;et}q20Ky5k
z4`0R^$Xu%j>wdv-DmBNYAFF(~Eh@OuS^mZ1{Y3Xe2;ujB3jc!4WBgZAhVakz;IE4R
zNpm({vCGl;NGys!eDi}ye<;XY%fB1qBYmB;_(M*QDLq_z^5a}*^&l2S57&GcsRuz8
z(?b-WOJ78lR3&=g=hB}jJ-kz~Zd~;AVD(&DEQ%i1e-x<)LFNfPc>1|C>*;SwM;(Ue
zmPSuUR&lpj6desZ7O5ja<_R4&*tmNF%3u5n#~+_6J@k3t&g|Vb;tu<9w^&pF!U@NH
zcj8?Ng3Psgu#UTtPl@|D{Y>Ti?ho6??QxWUu_*QN{Bt{o$HllGEXX{@e=!vc|2#hV
zx#GWSdQt!A@ozOAEEa|T$sI!cH%Fhd8}u*8T+4stcrfPo%Xn~aOiTJg@&0+=cefh6
z-#%`c|2Flab>9Bq&0BLfO*-7S-zyW^ve!z*D$mR&<j3YHd@FF1zzx`l*Lu=qgiMwA
zt4){Ujs9J6Xd?C$P%-6Uy9?4n>?tRG0w_(wnO*R^6#Ki<G#o2IdJ)#jcB3BH>PEfs
ze*xj8gg8=(JD7j@wA$L4(9Soo?8~gJJsU92La8-Hn$-^*!60dY@w|~rsd1Tcgx8nT
zP56y!MS-P!z)t~RFpdI#tuevj(LU_-1sjv!j~nxjuk{^puYS#^?`Q?qd_f;yqUk#Z
z=sPq%BVOMzN#7AqE&Kq*U>0JBZt_KJ1OwD0PD|3yJf@$CZ9bFXw~klvv#=3tM5%#d
z-bi8ip)($nGxqU;1WE{;;EhB|h||*ao3;)xz%<hQT5ath+%$`K#A~hSY8pW~lmTkH
z(`Xt5qO+0qK{}YOL_tiWBDx+_=jp{#gkqV9?IMzV%*T!Nd_04VU@|p}^9P$yJHO62
z2q6A~8TBR1d~1Pk6G|id&kaPG{a#4S*@Nc>19ov*qb*J#nhgF#!LF^JZs->mQL;9X
z{ROWRL-EpaB>Wlo(A<|#^&2eu|Aro{o*Rfo(ZgTs=s}QqLJtk;xj`P6yQ~xZQZId?
z*%SX2#qzi6zlcRC|EfKa{y>m<qWl|b|AqZQcwB_zxW6ksG{1GvPCNd<e*Z-*o=y*f
z%(Z&3?!SP4iJv+BhvI)g%UXx|7mEqh2tMC<Zoutx5$00}GH>&LLh;}JjQNSLhWn2a
zNB?kpXkY(gaYL8iKGEux6T_a`dELK$F@M@t;a`w>lYey3Sag1fFW1+h8k>dTem#%Z
z-XP_&ve8RL!)o+(M#<WL`|k-@jn}qU7CZc`d0x>lz?{x$jkXTGiVckoWUeh2j$6+}
zB?rso#qruaS-;Hwb&AqaqbJXaE4HB{`}JEaDgfbxb+ijQ5@fE`5w~xLPp!v!;d;#D
z6-6rF&!+Vn6+Ql~#)rhB)Z?KyhU)PVa6cSnAjn+HKaUR$9u(FUg~x|@q^DTz-@mq^
zdx;I*+wb>_#T8G^`e`xzXQvl9t<kE$d$&dgGS~8M_MZ(k&et1Pc}~G;iPA%>xjlL~
zs|T?tdbshAh8|i$6M`(JhbTS|AJZAWSoFXxf2q<#o4;HVMLk%J1Bpe^!`?dnL6CVu
z4-IJ?h=+IeaUhP1%2fGxc)s-|cKm_;xJWE20O5q&2lfYo%(dlznz*PS92YVFzf$?u
z3QHa4Uo7?@>d_1+7APdbzaaA(|HgA;j!Vl`uD8Aa$*}0@-zqK@i=*Qx8_%d{xk8eR
z$3Yihq+XD@mj60&X+cC>%8wlR^I+SFcdm9cE)|RKO`Uq>YQ&{`W^r1h4dK23{Ei@V
zE$?oKOZ_y2@+1!7v@#?IT6sa*d}s9_7DW#`XB&EW1ey?JF+D^vF3m&n`$P{MpG;MH
z_-?`_QPhJ~Tq+ht4^_W0^uYc>ka<E64Jj@SKcD2d=tfokFKn(^WXB)ak4wcO-e`Qq
zI4Du#P-!0onQP1cG;wKZL|i&e@&9pE-+P_qUo0vB;Y9csWM1Rnh)Y@jRVv?i{%`dO
zXZaV4bIzlOS^pCh66T-h)Cn@L@m~?4|LH2%ub01(v&KezYTy5eMQML7SQgp-2r`fH
zfA8|2v+iYn%1w&@#}BMo{FDv;?T=fF#kDP7N`DglgW|TF)@Ylc|IX-_2{PC6?}q*X
zE%?Y7r{uVBhSI~o+Xa_6s|T?tdKiALp@(eDrW9l`Jw&m8fN8A75#!b~l^%NT91ul4
zSoIIYqUa&DouLQz4}#1SdT2=f1AV3fw-4M-{92WNw=1t%YR4bgZ=c1Y0uWB5eGp`>
zE&tQ>4~*ye%>OKv?|0r^bYQKG_SruFVo~bfn9fH1V}C5jJjOqkP)K~l>2DPONA@Od
zf7((0#p3F{8!!EA+|whMFUbGtS94eXg!TU+zJknS{DW^Z|J92Br?kJl@T{Z!i^XPG
zwSmAW+&>fk1(|pG=XqVT75}w!I&QYZfBpIgf5!Vr{nS6bzv+FXVp06h_L~g<!}=Fw
zuI1m{Kj3+RZSV~(?ZP`KvBk^43K5R!@1nx5LVbA`F9PEwUc5A{2!m#M_*H<dUtkT=
zH0p_8-La5NUyo1IaRl!-1-Vws$?V%AtdQa*Xa>$~;FyX%yogQz<dZMOJTLHOrK2~_
z%z4|6j_kK%V)1l35@fE`k#!uANJGVs^7GeQ6#ozOzv9E_@o)9~RV>zR$5tVRXp3=v
zLFQWiBcH$GiJPn&<^J>>#rx`QH#c9DAFX-SR_lMn;`$9a?H1+}t=Pe7jW!;fC*%E@
zg3PtNoBd})ofpU}L?fQR-m3KQ;KuXPoz;U_6g?bz#n8iWtUnQCF+D_ce5C?SvibSz
zZAuT<V>NyB^k6l<A{Ipt!*&{aVE-V<JfVjMJH9ekmH+u|^3SqU{`TV{v8Vuq6K)^g
zLVPXATwDIuaS`gD#6_IWQ~5rAd4a?Hi^VYUYJ>S_e=Nwn#(%NSf4ml?Omtt$=qhw=
z@UmSRg$_-={>BVv)}1A#^nPM7;vw;WRqsXmzuTo?@U{y6#J9kI`rrL*-*fS#L&u*z
z3HgjdKPd7w9T|1{Mj3dQMBP4I2IcB6`zS)ct$f}!-TN<Ek+bCXi}wy2yCuIqcO0v1
hT!njg#hWS0bOJfnDAaq0{4NT-hrr|O&h)=u^?#}KdGr7P

literal 0
HcmV?d00001

diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json
new file mode 100644
index 00000000000..1a769e759c5
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:26:12.4955445Z",
+    "event": {
+      "action": "added-group-account",
+      "code": 4727,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "DnsUpdateProxy"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A security-enabled global group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x27438\n\nNew Group:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1110\n\tGroup Name:\t\tDnsUpdateProxy\n\tGroup Domain:\t\tWLBEAT\n\nAttributes:\n\tSAM Account Name:\tDnsUpdateProxy\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-18",
+      "name": "WIN-41OB2LO92CR$"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "PrivilegeList": "-",
+        "SamAccountName": "DnsUpdateProxy",
+        "SidHistory": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x27438",
+        "SubjectUserName": "WIN-41OB2LO92CR$",
+        "SubjectUserSid": "S-1-5-18",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1110",
+        "TargetUserName": "DnsUpdateProxy"
+      },
+      "event_id": 4727,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x27438"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4105,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..b9beb8033299a7f85aacf392c20c19641998db47
GIT binary patch
literal 69632
zcmeHQ3w#vS^**!NEJ;W<;Ta!*P*DVV3kV`_2oFO*f|S~-M3NLF51IrCLTOMCtX3YP
zVo^jYe^F3TK~X43k%u5CXhemgShZLmXu+!0-#`7%>^(cPVZb<br<wWf@>}lg?ChNH
ze&@UAo_pucWKcnV#>9d=s{Zn+9Tg}wiX%$Xsvq)Se@;8A>b3v+B(W337>F?tV<5&r
zjDZ*fF$Q7`#2AP%5Mv<5K#YMH13$>Xpo07X6N)Bbj30WPuB_m%F)6U1E>W9i7j_OE
zZU29^GwPO{E6itT8X)?<4$+BtqGNvZH$*KHh<aff;>W)B{lIS?g-w1ng-w2at&V?1
z?dN?<u`j<Go<8{ejhZAmr<#pIbuRwxqiTCNj?KV1U#NB-KIW%-Rf4<Iy)KjqooWZP
zX#<}o@*Gd-b#adG_E+XrYN?t=$=YpWmigtEy#4;0bFw$(AL`lb<#El|q9%M)zk2jA
zHo1cQdLcQU2GNa_M@3YI&vWq(+@QYPlp0UvR7eH*vJ_v$Yh7sq4lAR{bQyKPzfu~H
zJ$X1L2ixsYPQ;!PD#oW`%EyuI@wpiLJJ3{oSA?=Nb;Q3e*y>2#@qb>}d}+idpH@|M
z6220@6^{;3Hci8s%XEtnc)zNuUjUbQ^vmf9G*Y*IBW&g3s1khJ4etyQ;}v)NDGOi=
z@g-3(NLpa5(nIS;ei}?u^k3quR7#EO7e~W!*iGt)uX5^`$Qnum@m(vt11vc{P3w1(
z=t`U-2b4`j^(X2On7W{!0={4z1^ilF`WbeJ($7k)Lu1ro6TwswzVij^lHU&>H^T>!
zc<#P<%EW=}s{;KX;)8tD1Rt6xoerArr_s7ECh3Rx*q}zu@qwEFzn*9opb>B&yM-xY
za~hv1o?7CAw457WO`t3A^)&dc7(C{JcRn<p8u>x{NPJkR&e-$Lx-dFX=X3xL%>w{-
zQ7(?r>ETwyn!0>?QiKQPN1!J__2RT7sKtmS8F48lwnyQF44ILHnD+&fD2cJm!H*;$
ztoUbL8lWG>I0|$mLhG+^Tt<d!;YnX6Q9qoq48U0}WvFTByumt@8sMP7ZtuFi9<k}r
znYd1;`B4hXrK+kBHYA8_Sf7Xrl<UB!=!Qb>9l|)^O=2ub2NRWM$K$|K{8K0rC?UY1
zm0dfhM*<k0ptuzRf{Bz6r={s~;$Y0LTOiQ^I5G!9D$;SY)6z)uYgJV`0XUEy*Rv==
zC#n!qU~r+f;)~as(9Z!Oi`t=yc7js+qrqmP?16FsxM&YS6wvkf0eiVUwu?a{E1rGP
z9~dM^FK?d!ceC530C|XFqVsS>K;m_NW`M3jo!PpocQQ4I^9Sou3qRGzp^&EjhLX{t
zg=(2VjVOWY;afBTZ1FpRlJw*Bo%k;UpVBB5Z;iIawZI-<w{kuqUd=0}{%gb>j+=hC
zxB@5bq`pCOuO7hKfe#K`xv1w<Ky7zQo!UVYQ}8|4kdOQ|U2xCr(dDBT4_)~}@1AiN
zZA+=nLMUAK9MvFRIsx8(@{`JIGQT|B<l8Mr{!xPF!bibt`Pk%smR|#JW=To79;mw@
z2m3h^_Cm@1E-UNz#ePI5b`XEt6z>2>z<4yV;UK$E_g_gk68cg=G`p|0I>))jFA^hu
zk&PPWk}pN027LS_>i7$c<AZttDgg_5FfY!PnCnaNg)CjFe#sUUwzP;}4g}xatuUj;
zuj9^ulLMdF6`cMv;LL{CuBRJxg&IiZm+_%rc2zj_Ko;UK6$-HWrGYXKLfJ$8_F|)s
z^{V~Wx|Vf9zqe#J(sm|T`ZeA~Xg=&0G!6DkCuRA3!*YrqW<tTP0Ci^nWP)ApPJJnf
zu;@n<LO+HE(}WsOW0c8in?IkUK6B%P4-pHps27x<3oo&cLT4(`MaN;ftvW&!P>MYR
zv9DJ|{E&S{6hS}4ulPpz@7h&K0czQGasI*M&z#f<NI687(RD!2NyZceug++nnTS$@
zfMqnD?$=`x@=o_1pZWClFrU5EBRCCS?fA`kSjDQ+ua}?<HRvAG($;hSWfixu8!;*r
zx6-g(J#I0@{OS*CIc^O>nNBT0_0aTT=|C8I^<|5Tb1TC;<cqP$^e;y<zFl^lskSwV
zazo))&XP*NIIAX4k9?f$72sdVysJC)UbG@>$!(YH9XxtVZcWZOT1C>Upw$j~4#H>W
zAQkGNxerO!%J0Zs)Bu&?8v3aYW&2uH5LI=f3hd$hcL=DwL)CKD!b3V6KbHU08u9;E
z@b9PI>Ag+-i^cUDvRW+6C0ci!%Sui77i4EtTTR&dU-3Ww!8X0lMK{8NT?H>R!#k9^
zOApu{{;IAGPR)1(!L70Yt&;N(R?2ng{ijk_eCmX(q%)2vN1~O7ebYcLM~>>l1^c$B
zT2I{`aUlmWq6ju7=z`Hdvwm1dtfxOH9gQ21lz2D1_+xcsza5K3D;*`H9Sbto>d3ks
zqg_ioUJm~6RQ%7KnDbur`0t^&;|UNO2NnI*S1i`26kY1$)E5oGeP6r<nQQqEY^|Gl
ziArmEJ8S%`(W_r?zVY~;U{l_$vP;gW`*U*-^=$aWe&P0!hITSvvC?%?=dbMer)F_>
zrA3?-i_$(;r;O0!Y)1fI46K68wf-^3*~t(l$JtZ+h4!b!v~0w(P#?@=%gNa0u@%qX
z@BnfM;%_KJI#b;3hu=+xYa>TCr^ZV?9<mNZ4-1qYK3h1@VLgaN(Zdpx9%ds06J#+x
zL{SgyeNFVhVRNC<!<cdRMo|y<S;PmiD0(OgM#cw0<_SII{)qSxn*HK|e-Yki&c7m$
z<-GidV?sOjyW~%cl>eXJ^2IlH`Um^@lUO`gAC4lMQ%JafNJjr4$Xx4x>-<UU8_u7~
z(NEu{YW+pZ&bWJ{mcOQ2<WFL;;-B~RngT`4`|7!|p8-u8a;J5O$AZkY{G0P92%d=f
zmVR)t;{DlS{(;Zh;N5;+Bo-U*qx#S05-mB%Wu;b@MD!AP7i6yG-3@sWO;6u&jkzDZ
zTj^oaj(akqrw6NkP%Mfb`n(mX2SMfuJ=CUtP@f@@cyN#M|DEfXMA83N<0P>t{=fYl
z!~d(2i3FJ^{9jwgN%{qEi3b(vC+<~x_%89_P&@I!eqJONt@KcVK0=VWRu9&B5k|et
zyX2)y6#wITZ5-h&|6)-A2p8Nxb9)qI9^;?xddSTGeX8CIOO7pamVdG6OQztJP{cTe
zg!x~Gw;=Nv|7}9^*`ohHs#;&LwDlfm`4@{4e{MM**&hiqkMWP?PG<ctRs8qJ=<}(w
z{EI~eAY6$41)0bA$DF8{|NB+F$Bduxn+-O`XZHJFu^1*^Z7}~lJ`-f#=Kldz>*M>2
zW;)BiShV8bkN#JXd6$2lr&y+{f7hRmz4m<6^lvpUBo-z9ueey#=O^C7HKyj^Uy!+$
z|HyeEtcx(u3q2^UeM+0N|MJ@(e?8g$yil34*yQr6ZCig!v~@6-mD=U0m=gl;g3PtN
zyJ234*F*kX#(`WeS9+*_{JV3V)q_|RJ!~3g=wUMEXa!kJ4^g~c7NG~eZt{@Q!>ajh
zn?z3!R`Y~nQS?wW#LxrB2SMfuJ=CUo!tv(oWh<2bcm82(GdupbpO=b71t45-|G@D;
zkh#|X*7HK>pUvZfKdE{j+&}C*XZaV48CaT*1TDN?LHHMB9^)V47yfzO-NTCicV3Gx
zx5IzU@}r{`>jlK3#J|+hM*MpV<1#_!TK>)X5wF|)8Q%8SQl5F;K(yCwhHm02!&)X@
zS6ZNpCeOTXbEVQzc7C((?C8jT92JWSK)B#`JPvO`=2{)qD31Q0s`uk}?mmCJjd6~B
z{>9>p{uToRh$tIAfAFi1frk0d#aobhjDJ%c<#EL$ivRj=ciXmXrjz4Lu~_l+-nq+W
zVg=YHE-STpShCOa>w?U+{F~!wZN1*8-w$IRXRcCuIC|NdUC!!3EQ%g>Y%%oE7Mc)b
zF+D_aoEf199&bFV^l;!t?d9m{!D^f-7DW#^e>U{M@j;MzLJzfRoLOWZXFjI<fAZtD
zyY2Yje*Y{MPv?I@=34(-=SS7nAFNjV_ZWP1kF)%X#h$pu+dR&c{#lTDjDI@(l#DaE
zT%-8ke{4q8gEsOb`}!A)qW_^gjri9b^DKhQWBj*?Tz~Mm;=kfV(^ktJ<zFl+0O5l5
z&-sWT^BDi8^#?poenQo|_?t`n+Tp)u^DI{P$BISKf1|ez{WJf9%(eWR#|K`!KNhO-
z>-SglIwIE5lS)T7H{0#7j>MwqXz`&)9SO3Sj`X_$|F`pX)$g;`p9>)KbzH7hI*Mzs
z=>CUo^anMIM^^K`Vo`K-<daAp2{O;<$ZPYylSN0I*FB|l^!WI<ZdqwVNA~kNu~-jJ
z@qnQ9+h-XJ=M@_o8pvF$BkOSup3h;<tDjc<@9w|yZfE%yiweLg{0lOV@sH=;nE8K3
zRlnnrb3S*Lf3Yb1ODTD^AoCdiXzgbH*Qsg`A8}s&M;whmVo`XPQpWXy%-j60SJhs+
zYU#($@-G&JcPW|w8HoRa%-j4wtE#=f?~}eq9o2u>BH>YGKrv1sk@zFXJjOrrdUO1F
zPSv_&zulS6@-G$@fbjYi(Z3+`82@<gqnZB=s`_{D*s$4I{>7s3FQw>Tka>)MJSfi0
z|MRNaZ#?%9J?3cq5sSjRl)}Ft^BDhlo}rol7gV)-1!qrM<0$`PF$oB);=dsC82_lN
zng5N7|FXs-wm<DC|6;K*9umsq-*E~F>%VzAks$LJ|9HNZng30y){otr_0Thp@-G$@
zfN;V5&u&B{$UMeBo``1V|Ie!4%Q~;y=PdtXF-*ML5dH<3$N1Ok&o}eGS=GAyUw3`&
zEdOHhbo>i4kMWP{n)%<Ns(<02UK7?i8h^y175}>$6A3bp@qhHzg~C7I=l7zj{+7Qb
zE{GogR`*qk#p?Vg<K7*<e@BqHmjB56Dsdm3`M%1ns@he9Z`bOE|K3T>pSNAJ>ql14
z*Aa_T`b@q(X&%w5!?>)}GQs)7cndPu@@~GKU0c_?M%+io?eQ;4508}YinF5!``3ZQ
z;vgRl#x2d^E1Rr`v3LtI*XqIgI*{o;DqeTIP4PeX@F%wTx8EMcqO`}0M;h&MEY|-E
zGS~9&hW4mG|6kUh^KkGbrH3AEQv7z>W6ktnwcc1PiXI9x4Lxvt7G$2#LoU_)Inj~N
zc0Kd@kjP_e_8iz^^Lpd$%Krlw_p4*a|MugtSX2PQh4jyY%(ecvj>o3w-SGN|9je~`
zt{ocL;lF0>&uYD&Sd{j+@fxH34GbE{T+6>X9(!%QpZ@o(WPJ^nJC%;kzNYnA(bJLD
zIxVp%I_jQd=;&97<ATgHI`Y~&t?;^0&d+x#9c^8n)y$5L?Dq#^G29WT4ek#(9tkqn
z>d3l3KrLmSg3Fgxt;bI3zb4Jbc-cPxVzC)k5+k65uM^1lNRWAq|Mz~GBK&h+yj$_V
zcmMRY^=$B8v;Np>zCtXf?D#OZ9_A~KAK<c5TMq5Ngz=Feb1nbo{<yZzSI~eyZ>P%m
zh|4`n4+q|By3ScWh(*!EyOo9>)<6@2ET)Gj-k(d|FAJoJ9ylz%qV%w&-|#5v!D_rL
z7DW%gf8Edn#|J^?2|d)N@p1$6czLh#|Lxo7K4&K$*zcdkqLu$QL79Tgwf?uxkA`iT
zCH*s(`xO6wd|>kp^=<Ue_W2i!2ZD6?EFkHqkZ}LZ@mP>~jDIb19m}h#)-zw7G^2r|
z{EI~eAY3s2tbak~G5*_Aw&<Vxq1RNsXKy+2i5>p!=ci&(;?MkVBl{mg=34&Uke`;~
zIi=Z>k8rtP>0$A0Gd^=x4`NaDaGv&2c)W59`G_Ek=^={wDeGZ?Sq}%49u`br?yw%j
zqUd3IT%;ZZSxgU6)C0Vaze0|<Ab;QJb)|>K(<?rAHa>_&(Zh!ch91_U&lY4cJw#Ct
z*RDzmg!RDJ3Eoh8xcI?+Uqnw2R@Vu{qUhmINs)RGWS-E27oX!<EZ3VjzEmn5O-?%5
zwxNx2fc-pFEQ*c}1PvYWI82avLPxcAo|OMqb+Nghc~j}(k!3sDIjaY;D0(=WYUqK-
zg@P=mhbZ<lr|99J(!;geZfftW9>k*P;ZRzn9t2rT4^h-Z#NVIie&a2rhi=C<b%>rG
ztnv=AD0--0-_Qg17lO<adhlZ25ni9b>&o9&I=bMMjiq*URI~YCt9AThF%3_a@B_t2
zh2(q8b+pCJje^XzI*MG!UqqeE>-gVMwVlzt^i4aw+t2sJV*SYv-`5b=#k<YmvQoQ0
z1%C?%?N^YwmUlPIJL>C9CEw%gVTY6+3OYS<Bzk(Vx(+H9MGya~rUyah2|d)N>!9Jk
zo6XlF4lDm3o^{hvJN~a(98SmI1M$(&^kL~R8G7{<i&p;U>)?XSwf?uh4my>lnXd!=
zRnhT&!Ogb#w;zwiqVV5wmJyFPASMek*YfX%c#Nl;7~^l&#Sx{4Kjdb7+Q`OyjQ#c~
z78QVSA^o!;bFCh%+oNe6KlA^ts`t*#E3Qa)lz*`pCSGkY|J)u0naB7?4lePK%lA~R
z2e<lUy|es_MJxW-fqy~fG5(8;=UeeO;i#&9<A%3>5k3B`#${r$I{%w6Ht3FgK#;kX
z|HyF}F7TPhW$&wMmu^0A#ZDV>$9^6l7RPMAD19f!WhMK#tkn8qEc`u22!hPDyt^R}
zD8w_QOU&c4zbQRD{oU5A=;^^~TqYJp4_#i3)Po@NgdS?;xQuo1f%5;BfBz+l{<pe+
zK`e^@pV)8sKR3}p<_Z7T*6VT<z<62W0p~>@Dn0BSb#kPgcwm2AAQlyXaKZh<7jXtM
z*XqG~Trh-+&3WlZs@}~D@<ut!zgWDF=spM`{M=9BUyyl>|1xSP{Bt|_yW&58_QorB
zIhr4dMTv)Rz8@J61(|F4cSC-p-zP2ckjrCA50{<%DBD>*h(*!E)gMIaL6F7t5XI}#
zovDn<MGt&k`eUVscS_fdiJl&;u1kwW(Zl)=BlRH2JfR0qUzcV*{X^-f)sXDs=;_ER
z?-q-qqyEPtbtK3<p`%)xcaMYrC9ZJ(@rlwykNfY)+-)Q8u%CB}MFk*SaNc(Zo~0nj
zT&oA`yc_kDypPLIRlV=}pk>@1NBI|v(jG57zjb(CjK{%(%wzl)QlaqA^OK(`{>!Ho
z^o}0?R`bDPQTU(GD#U+7j5#|(|ANf5{723QV|~BO2Y1J^q|X)apY=Sl)!_ZMG0Xh7
zst2v}_WN(n$=;NIsAsR2$2I4um5RGO`_&^qHizR~ijxFxz(%~*l_nr%D#KrGx(rYB
z?|`qyV^1CxQVzD;qnwC6C8RF^rF<OO9-oV`zXMIhcSR^W<6ha0)CF4|sXPA9BRrH4
z-<07D=1)GYs%i$b^9?Nf`c+k(3mE6XYxPlP^uk6kNLpYlZ=_OcT)#NN<ICwLd`7dP
zz*7FgPXS*rjskwIE+OF2KJ4@b>yqD(6Z4L*^&JSWe$A)vXad%JK_CA_(|7dIcW8V>
zyuKq}-w{uZ`~byZ7Gj5P@&#-J15__gOVW=#rXPuIK9b=#jaTq9uo0|7sewY?NMZP)
zBOa9__VE`9ln^+<8;O(<r={s9Z5m*JX{7nJs;d4tX$J3z*P77JX((k;J5bw+Mo@nc
zor$ss$^kSAj+jaXbUmof(cMx2w~WVj0ZBdP<3xHrp2kKnnHt3TgY~F|UuPTy5Wm5U
zdJ|T@HNv|drIG#X2BOSf&nIT>!F7W^ySS{>7AFu*0Dq!j*S1eLjEf5>SsTysg6|W9
zd+9g|evNr>?n|e}4Ho@Rp$Dt$24Ye4@b_wZ5M-XvLv6Zlki&kL`vkwxy-zf2{I^l`
zzt#9fEQ<fj_e916LFNhn*Vge1$Aj>^2<LHMDm^ruvuCHBcwm40A{I}l2SMgqJy?%l
zz`x|rT>ew>-=}ev!~BcI1ge9WZ(KLv{<#3_DFm6f`9GofZ+X`I#8<-ON6DjqxIeV7
zf3dis{qG-d^74tnPwu?-+w0~}-75SGGH>#a0UC?W5AkLDT2)|kVt8E7^R+jKUsl$6
zv0!keexFgY_EY~o0jv4imdawQUpCAs7z~)xxUAIHVN|i9u7S+8e&M|JY&3GPOkSL?
z&5`?;IlfL(I;!);d2xj{bY#DMi$w(>T(FLIK}UkjwL0Sd?a-<1I49hWdA_1R)%%&W
zZo{L;zt#MZSd?}==*CbxJ`C=Mzz2fNwfyt^(18A7T~T;`h-Z2V)&5u4mUb$#p?mw|
zezCaXiJ8ABMEq>?JeQSPIe70_$3W&<-p%o|w&wYI=PK7JxGYk7Xfn4;7iaY#7DW#?
z{@Kt&6KFz^#q<!x>)|8YA{L7txaTicdT92yOQWa<t9c-?D0<jiEj|b`Pw1gG%>(iD
zu09XMdC_F$|5nd6z0^)Tu%8!+MFk*SaR0#ZK#;lC|EI}|^1^u$^Zy%FZ*5|+!~BcI
zE<{}#0L21@MEDnEUgO`mZp?XUiK_Ls_dXsRJ^fqdrDAbJ9A)Af6)jgtl5sicBFxka
zGS~87EicWB$V>T>BflPKKK_o?j^?Fe@!cs?My*C(x@RVrmD)fa3n1<YGS~9%hP>2I
z11U%H5H8C?a-fwLrOkI%4`NaDuydB7hlimFK^D_P6!X#?xZfvw;QVBY(!=-TE{&od
ztnyN^D0(RWouLPg4}#1SdZ<l#Y54ji=S4Rv|3AOEa*>^QU_UPvi+G~(m1Cep$wQ@o
z5M-|P|7r5l;)uL-s^b5n@}BoN%fDDu0K$dvFUY*czmb=+{>xRp@A&_U6VCE47H3~T
z53&BoDJ0B4uc;GcUgN(sLjTiLtzR#BBWsO~{M3H@5sT9QT(m5*{}E&!<Nu!Jzhd3X
z`jnd#|Bvlov-n9H{M(<m7K>{ey_o(4#s`JXxvbPSLH}(rE)!&~<=+kC16uH*F;B^P
z;dG^kf42xOaaIpvQS>n6d_xbJSWPL&VtR<;_yEgT3nS*OXDB^%-PtFKdaxQFh(*yu
zY70XT93KRkC-hL8#s~UJ1@0fXpZKlvf5%Z*FSQd7?Dx-NQ2_`S(mx0?*ZTi7;{)S*
zKJ!0Q)%%?zi}tUz(LdYgUo1-d8`;)qe;khmnaB9YEfkU;arryN|KYt!+n;ijf3diF
z@5akM9rM(%<qL9u@zvawKV$uWfVUv?82{kg%zuUA|4Hp1&p+cR|6;KL?%F_N6ds=m
z|ANfB{PVi5S&ILv*{wI*;lF0%gTLZ=q<-q1-rMv%Qn4uUXZuY?{9*kIGS~8N9v|?!
zz-D-dZtcP|D6z%2flWj@ray}cpC;<JckxYNe2W*~8diWwvmAWN!`5}U2WcvG#ivfV
zkxaiIpQhm(Jl_=LTHQ`&-xlExDZT~Gz?lggQ?Q3`V$)x_<V!KH3%ptB=#8_p-nOG7
z`~8?$Je`gNnQL`qokt|nAc>=V{q+{b|NXtM{2+S#TU~z@i`DzFRmdTlW1e4-xt9OP
z>#w-tCiji<czU+tef74R8!pO?*1Bq|`+vmZ`VCnv7UmMI*uiC`HWr*G<N29_%(c9m
z<7aJM7sz*rMqGcLqxA5=#tYJ&)q_|RJsf=5(8Cbie<H|YdWh!yN-4Tz^YzzTl^(9g
z-SpAZgVp?sSQI@B-f8H8<AWgcgdS?`{K{PA{|lSto@2-V_VXgKr~rfu?jPPlel5sc
z>woLK2<=buA};5tdLO?c&td+>VwiZf!TfVP7Gz%Izfk8tUJFt`3|}VGRT$dfVY@UO
z1Dag@i5bq^cb1gW{qe=fha~=$zZ)6<ZWG7gX%+m6Z-oE!zx&y;>*D-_$DcU~`3%Q6
zDDp8K?W&E9+TmFe)yHt{C|iHnM*+rdCG)QC)O*p2tR=TyvUl+4Ex9#0<7j2$DxA9m
do=h=WCy;ZEiTdb}pGAS^5P1B)GyU&Z{Rhslf5-p;

literal 0
HcmV?d00001

diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json
new file mode 100644
index 00000000000..15df9e67183
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:33:26.8613751Z",
+    "event": {
+      "action": "added-group-account-to",
+      "code": 4728,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "test_group2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A member was added to a security-enabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local",
+        "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "PrivilegeList": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112",
+        "TargetUserName": "test_group2"
+      },
+      "event_id": 4728,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4657,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..49da30221a502888bf42297ba20b7a2ee3aba32b
GIT binary patch
literal 69632
zcmeHQ3w#vS^**!NEJ;W<;Ta!*P*DUSJOl)hH-v{FAVErPRU%1BBoCSd2|{U56s%Sr
zqC!zbDt}Q>Q9(f{ND+b{C}>25qFA+9RJ35#>hGU^XZD`m*)U+7y3@@3cKI!Lc6N5o
zcfa%9bI-kVXEL}TFFn5?mukK|YDWc1jbeyWw3>(f*Pm0)seb*xK1uWhQ3j$6L>Y)O
z5M?0BK$L+f15pN|3`7}-G7x1T%D@jYFt{LZ;KZUy7~=<CXDTcBYfK6(u20ml=%I~)
zqpknXcGf4(?qxhfb05+7^@vW!5*_mzzaeTJN7NhB5I^>{?+1SKIBfE(Ic)OlYjymq
zYCrE=ihX%C@bty!Z`35oc{OYls&nygA6MHWaBMox`C^Up@G(Ets|wtm>2<M8=+ro%
zT|4+Rp67T1uj9w}-23X>DlJ*lC{ep}>@u(XlD9v2>-Mb8d53!Ser0^iwWtXn)xQBf
zicPK{zg|p?rNMMF<x&xq;qx54eK)BuHz&tZITca?zAVKTv068ph{MWgGF?F(@voF7
zU{5ZN$;NgX%6#l8p<;Y0raT;(hR?;=-;t)`yCRfbs1yEm#a1Wkf&X)Z=1apqd9>>4
zQ}C7et$2)&vS=F4T&7!u!24HM{{pzgqhC&sqfxr`n_(*lN0s2)?s%t*7_Yj|OPK&$
zh%br!e$ss7lpfkP@zM~QqW=<KB~x-t{}>v9!){SWe3f0#K-MrCgzwtm?PJODY1+P<
zKv&}w*`O>R)z8-<Fm-+}`8@s@@_DuT^fT-brJoaDkH)IQ^1)OQzVrC&lh+F$x4;LH
zc+S39%D{o_s{;KX;)6WY3?G^)oerMvr7^lMCh3QG*q}x&@qwEFzn*I0qmghRyM-xY
za~hv1mRjS3w49q>i=(UX^)&dc7(C{HcRn<hns`C`D12C;&e-do`Y@WWb2<=*<^lk_
zC<n*r^l&R;O<g%XA<TpFBhcfc1~FO!)Dns%=`l$LwnyWH44IJxnD_V-D1ouujvq-t
zSn<#LG*CZ`aTMrCgw|i-xb$?@!V|tsp#C^x8Gy4|%23n5dHwY$*~dYF-QI0S17g#G
zGjW~H@S`M_OLcW2Y)BB<us$9YDA$2c(G3OMJCt$2o5WZW4#q3ZPQZbs_@_|BQJjxM
zE4%jgo^fD!qT*Hv@W)eJjFzIyiGwk}Zi7Sz;>c_WsYu7oPD>%pt5sL)1mHk+T(6=y
zov1=cfx!jZiYHcUMn4CHOzMCp+8Ih2fCig^vM0)c;35rzD4-kh1NL$nwu?a{E1rEZ
z02m}lFHehuyV-41fIL7k(FHidC-FKj!$;Sk&TL)PJCPd2c>N8im6sagP)JjML&@mS
z0=0~zCKN{v@GY7Ew)h=K3HovRPW+dSPbrj)w?>sQt+2<_eHxz-ua*^+OG@T*-1Nf5
z6*y^6^$nVP%>dQ`d~o2(K|QAeYKPP6)B&29g73M8eB`g`qWfo$DIc?F*vc3C^oqG;
zds0mn0^z#X=ti;93GnvQ$E&W(`0{YGZ?_)#M+uq>9|f=FVUzn=ehs>nB_-i{knVzP
z?B__>8zuL<tgPP`dl8-3LHuoVynP%2W6{J$fb2rue<i_4=t%<6?7p_@9Os9A5g+!8
zEYvWEJV_cg;^Qw<$6pjW-meFs60nd9^Wt2Ixt=6Xz|!UFmuyjCO9}hsAn?uI3Nsq|
zb<A0Ca^MrYg425zoLTVNjdYW)&=6AjWo+P=-4sqekOeqQh62of8A9m`pzNuBdugbS
z4Ql+>yq5I>zc*z!+;#?7`ZeA~Xg=&0G!6DkXJz@qkmV#j%mjj60qV^D$pE|DoqCeu
zVbO~wgnkSSrWrM&^H3(LZR2NdeDEP+K_>Nv@^j!N_EF$WCA#Q1Ot)7@hyqHnXAt)F
z4vQbMFBC=45AiFu3I4l&Rf3ONcUzQq@WgYcGy+l%k!5rP&~uV81;MKennM?~(F{bY
z!N4<y&UA)x2zzJxj?aGPx){&i<}sWGuMYfQ#j4V;IUfr&=$_M3)^q-47Pqh)F)9$Z
zQm|b!ZZXCD8USiJZVg45O07Wku+-tHKo@xRV~dM&s)9S@i*d;GuS7GxOLm;CrnQN3
z!{ArWl1jiht0q^Ee4OkR;9tqyYdiN@xFU1$otNz$GG=Q|ZO%AGMbc}a)sA`&!e{3o
z73iV44@uO@@6K7+2$kU)dZ`{|dD>JERd=Tf?BV=(D5$(!)pFK?LpmEjmjC2h@&8xw
z@1;JeeGL4I#q}F9TP?^TT6coWDoywoWM@@cZP@x>@jv0=cD>I>H^PEl1uwL~JCM3d
z510mj)zk*3W;}x6R#|{n$@vE><p%WrQ>hz1bw*aw1xJ)4(aOcXX&{#)N6q1abz4-U
zr%ppm$VQAPf{lr~VD!(dAJ!4;=?_Xr;|C_h-v=-LSRGk!$70b;M~P_1g3PfxGH=Id
z*V2xcga3OJ|8w%Q-;W&sJ@s}x5n|(@qQCly#fFrmOMSfhqA|GdhqoYeEdRc3^)oJ0
zX)SMOPM9@j^&2fWo!H}V&bw81$r<$kZtj6z4WHOA+&)s!PUb0Ax=rfxl@<TgF3zqr
ziL+u++Q;gok$Rl%1i*`cRggK>KgKva8N%c^dwRc+c3Mo!LM#jP!92E{jBOrU@%#-B
zAcrFU1~R0x#ohk+-DJ2nd}MQaywu|%>p=7{U+Lkq1%qtXgIE+jEH>z2HZm|l7S%%p
z^}ycOL=PM`7brc99sfWC^{~VwK8QupLy<o`J_s^b=ppAv#D~D_7Z3c4@IHI~6@Dz|
z<v$z~I<Vg*e_E*g|LoQ;zOm9jSkIrt;`#b;6xp0Y!u>-c`UgSgSpS>nPg=iV{#1^B
z`d(G*FOn)_9*9`}nrxCkiN%V4F6li5ikSP=3*$ZmniS+t>ky9xnPd4k=1&kj5%Vqm
z;3CEQ^TWM^p0~ie^}I+dHr+=JpU=V7po3giX=MpSFN1eM=2+gHkQdSP)D71e`@#E^
z9wzO)KRt4KFzW}!qUfRT+u?c;WUkOdUFrw*84`&H_bdP3vwm>|{cko-5{u&hyWS1?
ze^nxpAajNP>*_d3zu+zLpaT8G14<9y#UC7IB_3GMi^QUt9xBjB2r|d&!8|X*sF!({
zymYbRe|+yvBkkp1EGhuOg8OG~kAlo){L{UU82MkK>b;=k*g|{x7mJ=m@?Q-_j8{mQ
z|8;l^GMDk+E-;@h`v0S<^+ikD?y;ADu_*E9wiDs~ksxy!|5)y1)c;b&f6w&3pW4g6
zSX2Olh3H?9xr~3zi5mHTP}O_vgc-ltU}1b_z5f-9LE_a0^UvcmLFR7$A5yhGvA<}h
zz5I(sGyc8ke+8L)`R93xWvcr3{^{838zZKFvw0!0DDi*ArJ6oJ@jk9GwFLiy%(483
z&kJE)gmGTzVQKAC+MWBC-~RaP$=2tE%9O=sS5|M|_FJNDL%6Kcu1v<95O^14j^*76
z^Fq8H^5-%R<Z`*vL&Fo_oo}xm#G>e7^YD-!CS#6PkVW+n!RuvVdf@9Ok0?E?n%BNr
z<n&-RPbd~e4@E;mdf@mV$Xua^x-?HX!FauFh4O#pAGWoy;(zOTsaRA1f(7>v91jGU
zWBqSFFNFTtI4<~;s`tVD!!NLxf3cX3rRhk}g6kE8e?jIl{vm$hpV!?zs`!8R_1JPN
z{MRl&I%=|BKrBl9OCA%7e{W-4CdeGizcD}Jb(=rK+xl9{v#%S7^t#Q!O<ZMI%f#zS
z3v|)s8rN;ER65GaYw?{G9a)c~Vo?DI7Tk`<<1NS>tD{=Q(f?ERe)68(7w)hy&auwF
zSbWLbYLE{RWy9wWfAtB_F#kDt3o@7SZ-}Eju6RuG-|(I8+n3F>bDSv_E1umuXW2}w
z0Nc!El{Obk_IZ9?kU5rrV;rrk*BkZwVT|L<RZ0&>uUNCoUOk9K(ZkNIAw9H*CInej
z4-p(^hUtOF8;>hJ9JpC~C31Q&8)u3|(L?s1Lwex&Ajn*yhq^S*EHaKWpHTik^-25P
zR{U?he-?{p^1mQ+tpCmPqZ;cERxAE{4mrBVUjD@*9@WvyIL?&*S&+Gme>(h(j5E1h
zqxj!{Y)19N7V;zO`WK6$|6!G(_}3EiEP~8s{I?5VfAFN@zv5)`Hp^}0Uo0vB!GiVA
z`G_EM8UKd$2Ru%GO4Ymgo6GxI;lFnCEN1t|ibc_XlXpV;XZ{75WBE6Z58QTtEL7vw
z@2}={M69Eym5y$0vD;=HiAB-TqC??25@b;w>30MEZ|Cc3-e;{p7eMCgxLm7r6w_$o
zgO6J14{8^W%;tT?qUh+z@o*gpGS}$HZS%g9MMs?1J)?B=<b=0xTWLW@*7G{C*Z@!Q
zfS~o;XBiCV6&o6dkU3UI=HnVXpTn3}KdboPJz(X1_VO<l6@b(D7i2EuAJ4rp^8cKw
zey1bneQq!RVo~^)Qu1m+<}&`#+Kv3LQ`H_Z@`8qs*&2VuqVO)IjOzuNyZK+Qs=aj8
z(ogK=Un~mmQZoND5dQ_4yZL`!ReOKGr#+9`s{f!x!lTN7V!T2k@kfxkjDO_y#`yDs
zs&%LSyEE+NUo0vB!SySme?jIl{_)&LBmWyz_3zucVT--|i$&pIO3}X{a~c15P@Iwf
zjjGyjzVHY=VQc&mi^98<!oMJM8UJ{mp^^U=RkeHjXHQyVEB|6K0SL_EzaVoN|EQ~x
z|4oYjvZf<<JZmfeVzDV663XM>@d^p+zhx?sAafc2c)pgA|IMn_Pdt$M$aA*xFBTPm
zV8Q&)ZbBr;T*g11h-T#f&#K<bx~$u0FaKgONW9t*{so!K_}3cFGxEPh)w=v&_kL|J
z|6=h>{0lOd@sH{n`QNIlfAQen6W7@qf5f60|GSzJ2{M=QfAo$8!av{V_mZmq*1yHi
zj~xGI_f?9;n*1l?-W|SwN02#||M2@NaUY%WzRGQ?+SNnu(&`8Q-bwABw_UsIM`q90
z5sOp$PQEK)F41elxvbJM!1<$i3o^&@ZoHmdSJ%6S-ABjm@h?gbkCpC<v7!g-*MY?1
zU=Iz!EzQ9zo2-X%cndPe>cRXvkl{WmUU$4*@jvJAaZCJLZ;xV8+T*38LhW%J*8dAK
z$MWxl_NYJqU)G=VaPVcNho0?{yjI#{?et)_-dHS(9ttx;df@mh$Xua^9IE|uqQjr<
zdiM1p;m6kQIk3gX^~O7t{|7DVU(bsFt;b`rr~m{D>7NCeWBqR)j}6be;q?(aRlU94
zIySMwf9=|z*?K>*DD7|4b)oh*$R9%HSpJRi*lp|m^uK2%>ub2IR608My0+&;PDf_z
zw8Wz5s7H24N54WG7i6x{k=xd31=o#oe!ffTXxsA47FKj*y+06(!Hz&}aDTw@NRT;J
zN9O$jYAN#+T)v`eJ#NZ?H7ORx%hvf9i!HE{7y%`Coj}G%g3M+7zyHf5;h*#3-HQLc
z`=_sMV1fVI^~YxO6=E@I=SMjWFkf-v0GCzTa%lf$jE@AFWBE7s$8~kSf(G_|Ct1cv
zT<%eNIPiY+b@u8(EQ%i9s|x914KyLhqI!tn{khcR3SWxofy3gfN)L<skBFci%*M-N
zQS|WpH$r;g_#nt!p@+IOUT$O@FYi_UziY>w7p%ks>;1D>H1q#vC{vI**8k@D(eSOa
zq<`jepW^?I4{f=rp@sh0I{#wvfS(SZ10<ak67HWl9t$#;@vnuiV|h*0dgg1BW;C*u
zf3c_l1PkV$^)JX=#(x@RiT=4CdR^6f_STcft?+L>KNX7-f98D~-v0<P$MWxl{InF$
zDb136gv<R(4~y=c@tM7P5R0OR3$%}e<CSB`M+8|^4-w2ySq}q^dN`o;Fn{`ToAn?T
zMGw<s!u24?qI!s+9^ifa6>`J{`TIt1C_OZtUh%oT@j)z#9zKc->0vGUY(W;)Lj?73
z{i+0CP!D{a;7z56OCR3%Mdb8gcAY>hiXQ%y5UvM7<_bNy@j0Hwa=nS;OO?{m<b+f0
z8(SC$SkFVnqUh*=KcpibhY2!Q=%}vFlk(rHE;jZvZz(-Iwrpnyd-Wg|MGr@lLwewG
zp&*OuA%gwPX?i%Q^l<(5Thi>+gIE+j97+k-gCL9QA%c1c`}_0UZ@jJa(EZrvj*-)Y
zS>7QQMGp-dhV;Pwg&=c<9^9CB1lK3<y7G6FjxKt2Q>hgl)o%XRY#qN?Ou>^Syg)HZ
zA^9G29qn;*qabsvj>6aR7g1;9I{tT6ZD+JBeai~(*7H5F*l_ZrOB&<4c=s7xR%s6=
z;cwxf{R%S2^6rFrM}3{C<a>NQ?2yt!LFdPgL{1N8*FnXi=;2>A^dQJwp@+J39W?lN
zv-x_&VdekBvu-(R#s9U7!>RatARZc)Iy@C71FwE!(aisR9bAw(*8k?$L8sC*<8`3F
zDmp$WxYZK>*5k2Q6#hHS3dQ3Mh{=M?vHUwB9^>gIq478C;)v42A9B(^ZDL_Q#(H}c
ziwZ!nkp5YaIaUwm?a{D~pZR}J)w^=bimOs><zFlYiB}uUKetCg<}&_~gG)T*@_kk7
zA#IMYx0iphXvY6K@Gr<*#(z=h`BpqmII61OwDBEZM2>&6ahX`G$^T}I4SFCS5M++!
zKYUz<3w*|L*$1lHrCSbMRcRsaSkD8*;@BORq*h{FR<e)FDy<*J!rx<rAjllcyA$$&
zLOesd#5gYdo6^Ix-)+l`oF2@^WnxkE(Dk)&JqR*a=%G%I%UA~=D*tc&_g^CDf3y1+
z#G?5Bsr@1U=fsDQxx)W-^|~DSFkY5;z<JR}N)LNSpBiN)9#|h2h(!e;SaARFMN9~p
zWA$J@E*MJ1#=P`nRqvJsxufmnUo0*mS^^;ipZh8N3o@7SUq&5-e{KhVSN!MA-gNaY
zTk|8aDDm*E55nW2AagALPRNh+`=liva(PVY;fhlqXW6R<u_$`D_QP;J2(qXiB6wZ8
z3zbp1=z*_Gf1>p8Zt1$Qk<)|Ob!o9EdRYHaxE=(VEA-&%>(Z>Je<&Tb8JblbIUSkh
z-C|L6G~igcjs%%2bW~^a?(y)y#1+mzjw?O%eDLm!-4^l=>v^|WQ~-hn=Y4nMSqg&8
zv3fAiyHQWc`?&m6)%)HLTgU9Nm4C4)?eXFZ+Xm;wcpNOqT*iMP6$<}6Klz#BzkFIj
zpUClVHXke&h5w0d0{l0|n6ne~FUTCrfB1Yb*7wVNa1Sg?`dsn;S+678LcHHOcA57M
z^`Ld${@|_Kvo_})>ec&|@hv%OCF3s7{td{B%@KH);v~MCuo0_uqlrkF%J5g4uD}!h
zJL0Pe*po|zl#T5)l=;|GLiz$w%EOUq_*{(r9ce1QD?-@?_sVvnuGs2CJ@9`n;h}{1
zrVM8=e)4G5)ia=-Z(!Nezq<N-z&H<HYlt$vH#Yo!(tP81Bbkz8`o|C+Urx8+Gny6o
zmhu-~@_GC*<nwCv2?3AxVW-DmpS)h2n0I`w??8C<Y94(@GqC3Id-x}szN4?cL*pZ2
z^&NToj#z5q1t<oy06TP(FJi;*qXscrf_~&N{YY%{kqp0itb(784SzjK_7(C*62lK1
z@wgnZkH3hcINwR$h^M$1Ek!?Ra~}gtA<e5*R}a8R(|Jd%){K5m!zhzFfZEP9k_Le2
z43s@l4y4g=#8fJv8$orp?v?_$WdgPfNa`^UC(`TjEH?a!)F{U5Z$PcQI^!UK_zh;%
zo3Qe&3EmATg{)sU5M}n>7@xTZ*A4pa;<8Fx6h|}>{E31c+diEzE-s)%Z34#&zE2G9
zr4uOlHTK~-FP|PaSoA-I9?Y&Ah(*!E-)rbWkhww+b?Lf6Hv3)f6Z}H=KGCcR-$u~?
zX5$yJDE=?s6CMu)nJfHXSH~|L4}$X|oX35s^w9YBJ(X7Cf%Wl=SUi&+1es&?U_O2U
z|B^p*`A@}v-=@_z^Dh?Ts2*Z|=(+*-&jnadA;{d#|4GGv>vQJCzZx7rN*?{g{h@XJ
zi^UCTzkjmXD<_9MU3vYtH_V&5P52jN?&Kc>G!~r~;>+^1slaA_a9q#xwKs`hR@Qr|
zU`UmIpHZUrQ~x~yv-#TA%3_;eHqI^>0+`ddtkTwDRI#Cc2$^I3!g=etXyjm-+&EvG
zE%z^Te4V6pRPU(^VhSzj$a?!0iwZ!nU>)s(js%%wb;SMKq0`%OcCa1ud_{q(_j4)T
zM?{W)v-u&hDD8Og&4G4&7~Btq4+NQG`RDnefdhiNqTu`x&-4_k{jaSp?ObF*_twY#
zVsXV&Gk;Nt_}OkFmsMIhc<)p%gv_zL8{=nP&GYrnRjyNTS)}yPY);p%_Ub__iXLwM
zb4U-(pb0@1)k6fYhmUHHSS)(rp1)Y>p~c@WkDwmR=7Geb=wWY-_#nt!p@+IO55&{E
z`aBTlMU$2P+q}^Hax3w`dR`<J6@XyD{R77XLFQQhpCK>G4dzA6|8G>iwfth6`4@{_
ziMlodiunqO@Gr>R#((I#G3TWvs@B`z|71wy^lz4zip7yJl!0qhv|J%c#O0t%FjFtc
z9Ls-=yfil~FXc;){CcS6gu7SUnwN^j_ohr4y&8Gxo|#-$X@htyfVd;b9Lu{C@=`Ai
zqHM`SxGW3EfmU9UGS6N;h(*yu<*bk%9)%_ZSyT@Z%uBQ3evjyZ^OGq`58sc!Jc4>K
z%S*+g=%M^~Aw6(>5M-{<LtV;CgV!fHFS=Rzf8&;_g;wH$^}JLp;)%vrkA)H?50(Bw
zkU7@>XUI#7!}8LpivN$xd);p@|6)-A2o}P>Aafi4p}ds!U#{wX_y1R%w3mOeIQt@c
zg!MmOAz}V`O`RZf8~>$Y`k$t1{YJ@~nQJWMr`F?-Sd{+fl4arjk05gy|MxHd73*Hs
zr`)3We`5cdMNeDc-}=0@SX|rWrPQY|J}7L-WtFxW`frbMnILm4|4tYm(EN`=^OT$y
zPFH&PcPsy5d-Wg|MGr$S4Cx^Qt0@IpR1XmxA7B}4Vc5L&45f!|m3<?q2ea{kSQI@Z
zw+iWj<AWe`g&ykC_&{H&!2JXF6Temd?=<?_rB>pB_5N8bDgePk`UgSgSpT14d=R>x
z&-~9+^?vur!u@M4^v~A$7mL#VMzs&MKaR(O%w_!J77EFaxcr^s|M1>~9naXxzgS$o
zcheQ0j(ukM^7%Qx_-f9|pRxWw#9NTLjDPTL<iA4k|FrgxjnCQ2zgTR9yEc#*1;=N?
zzaVoj|Gchimg2v9cH1ph_^;jg;IDWdsh9es_Axw<R4hvT*>OuK{;>W9nPd4kjt_WU
zU<<qhw|3zfl-T0i!19rf>Cd9Vr+oePF1`tjZ}H+=!wN8ImW@xj*t!AtAWfxi_|zFU
zlIi#3(=>d8=bM6Dv)jq6+alZ{#kZh^aAp9<6zt)f*z{Kpd6JCl0&i71dh^`OcdY2h
zdOs!>&!i(k=2#t>=MnKVSmG#Of4xod|6rf1Ka3pzX4hZEV$FVR6>^A{nCBN{j^#i6
z`YW!u$$g_do}R6EU%ma-#tU;IwXWLi{vWZpenV!f1vx}3c5+#zjRWV2cz&iJb1d)1
z_*qxi1@axDVb@=8S9*A8(?zNF>Om}u9uB?|(!)^Pe<H}DdWhuwN-4Tz<Mr1&lpb!x
z-Sm;ugW3FwSQI@BsSN3X<AWe`g&ykc{K_2V|BGAXoM*-V*7G8<r~m{D?jPPpel5rx
z>wojS2<=buA};5udY`x|*Jl33Vvu;X!TfVP7G!SYzfk8tR`XMT3|}VGH5l69VY@T}
z1DYKDi5d3Xcb1UU<H<$Hha~=$zZV|=?i9!1X%+m6ZG!*wzx&y`+oHUKC!RY6`Ha9g
zDEu)U9cqk?I^bCnHOFurC`*6XM*+rdC3COs+-Kp6%*A(Jws**wtvR(h;}~V*8l1Z$
do=h=WCy;ZEe0_At&!WI{2wZ;Onf~{y{sSxZgINFo

literal 0
HcmV?d00001

diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json
new file mode 100644
index 00000000000..02fa62e43a9
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:33:45.5433159Z",
+    "event": {
+      "action": "deleted-group-account-from",
+      "code": 4729,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "test_group2v2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A member was removed from a security-enabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local",
+        "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "PrivilegeList": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112",
+        "TargetUserName": "test_group2v2"
+      },
+      "event_id": 4729,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4665,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..c166533f080c746d68c32056c672f4879911cd31
GIT binary patch
literal 69632
zcmeHQ349gR^*;0R@<>AR64tl?LPZf|7Z9ZE5Eer~gNW88k%Y2jp(K&8lm<nCYGn}>
ziy~6_i-L*@ib6q(EP|k*5f!Rp)nZ++1*@(8n*Vp^-ScK%7%)zK)6D$d<M+7pW;@^g
z?sv~U_s+eOK?UP7CKTjT^^Z^Os6eVw98sE9{gnUuciLH1um9IKiQOQ^K#YMH12G0-
z48$0SF%V-Q#z2gL7y~f|VhqF>_(28+6^t7&zGxEq_@U3~(h5F|L4l1)M12=tm%~5*
zn-AMLI;{I)^F5jdh`z5wbRwSUnBRPasAU3CFAPKc*w6kSxaKj~<WE!B<j*(i{8!a}
z-nR_<##O`92fx2ngCyrvvr(w-#n(Qjwuj@~4BYd@YWLxDocL6NSF2B(HYihYE9L&&
zbBVuybzY^Gs%ez0%^$tof1%1HZ-4mKZP}a09q!rdm7M15kP|+uUp;yRo18)ZyqFwM
zgXm_;ry?rF@45H}CaQy*Q{$<e3aJ1GOK>1w>q_HsS}9GY%cukXmC#u1$;Ual*lv$>
z0`^RyV*DzmaX7O*eivhZ2bzjwMMyhSNBrx8t&Y?k|L2Fzmqh&XX;oDxQC3oJ#iIh0
zP1A7aQr#j1-mj|a8sL%={rijr8mU{q8Mg9p))XA=hHr+5@$!58lm)PbI7k!>k`@@F
z^w7GIp9WKzekBg2QfgekI2w-ArmHi)&aGo2YbXuGu~zs7SaN)u*6$|K6}Uw%D4T%n
zPtYMSbwNJ`e8D&h__ez9GwcwhpOsjLMyt~%fT<!J^9AdY-;XkGh94sFy#4W%i4(c3
z3iOkRPx4U{{Ai+dI%tNUM(JfSNk7HM1~qDqA6y0a^JKFCjX(i%u`oq!PUAbpQ%n4i
znltgW1iBoDr=i@6!DAkH=TqaUksq{=#E(Vljy><H3!@WsP6y!Bd;s7g%ELK2JzR@e
zQ$L@P6j6e55$Fj}y*MoiYB79CMqG-C?JIFZhRjGp%=>~#l*CwW!$sl{R{o<d4bV?x
z90fWOq4hePmyw}rc+%gKs2}cF3gE1kQsgvr-(Vd|4X{(-V(+@69<k}roj6aYxhRF@
zQdLz58{$MZZb(E1%5~snx}i|<4q+T9O=2ubhZ2=$$Ku2i{8K0rC?UYEm5cVa9tmK0
zyy8{}2qscOoR+4`iJdWjZiPe#;LKbIsYu7og_cH|U#qIp3BZY5a6O9>bfO9&1qK(Y
zE53NG30(~cS=0_yv=fxl9~CweX%D0Wz(soqqJVC~1zgJQv0V%rS@B#J{eeN8^osTg
zC~hvcG9V98OmrU32#CKPml>d|kY~28@|{c#;{3sS)WT2oaVn&#f1zYFXrWvtP$Np9
zdN_(IfGz$eP?CP0z7zjt;8z-@;;Yf8z82Wy>o%Qlh)?s1{|pQ0e$$U4uE0%ut0SoH
z)g4$n@WGBN5BZ!5sO?V4Q#)v)497W#eC99df_vwTDj&6E=&Bcc_l&z}drEZ{LhgF>
zx90`e(X-3u?YVDuzF~gZ_}$w|hfGYvK0XVj=Eo+tv-}x&3rkAe^+3G{a<QL1;UJ{k
z?y|CeTkMB-;sWBM7vLLU4;Zfnb@wm@81r#Zs27juO9A0rjF+l=wKlFyi@0(i*kGs6
z`8BQvUcQ>IVkGApS0_eXosH}A$d}@y27LY{>ih_t+2HghnyBl?Kq^<pg|6(XuGHO3
zD2J&iAFC@3ln@kK?V+x{*g#pY+O^iXj1OI31Js#d>6iExLEN0*K*)J^QkKs*ET`yB
zAmoY)kY_HROt8d_oiC*hEV9Va)IrY4_%@*i`d5B)mGEIdS7g5CM%;m$;WAY3&Javz
zs5ldKc@VTZis0+{6W<8`-LN_-KrOp28F%RTvt!^GPIv62Mz}T)rOss@LN-O07&~S2
z-CI41+u+j<-(GYT$16CagxW%q1F*;JKV+ZbMb2b@ltu0?sd4VE`N?xf6{}0WS(+HC
zs>xc9X=xj{GF$mA>_!2G{8k#atNSf3Q2z8sA+p~Zf;634piqaV4@(F4p-*47xFoMK
zyh9F*sf+d%)%OnBaV8#X;^l^-q&Z6Bl4D)w>z<E;y#oB3GVj_>y%(>{S~~xdeS=4B
z&8x{BM=4Kw6>38VJqF>svy%$7(A<V3Yvp(5EpC9!a1Q-chq8UGDu}AOQ3dvJ{5u3x
z-l=jqd(mN?jgUjFIsd6O;{VU!-%q{Mdz<(diyJm(wOEu#wEj4!m74G`$j(@gYQon4
zivO_>wdr*(sw@k3HA<lwzM;@vTEO-wuj<<1(2RQ!>~jj>b2$EBrQC?te=2pwuTF?c
zI^&FT1X}snHx1;nFR9*Luy2d1wbbq5@p9n-i(q5CE*Skc>xXs3ditHxQO<y*#CuSR
zKUPQf>#<n0(or(%u^@A;j;!l3>b2D472y9a#sAz1xgSK2{~mfh9uKjxQ_(+t#bSL*
z(WRcF4m1S!eeo4!uH`?lt#0NeDy-%0tg*94t$CyQrsI2qO?kJ9E;*v^&(%HDX5$x^
z3)c@0K^G`ix=!l+wVm>*nV(%{;b+C7)Q>eOBXmF85rCHfs~~f2`I!CeWC)Y}?5XWS
z`%`>cHhfvA4d%Y(WNdTaipOub133i#Hx&P!$?x{Vb(2xFkv*GJ{iW^?SqGwrg-Q=!
zEE?#r9>k*PVW~+Ea}a?EvX~yCs0S{6P4vKSbCJ@+=$!kasE7M4{DW8&Jro5a{evL$
zgdXyKgntN)esRaY2;VcuUy<i>T>is8p&ggI#7~P=`9HJut8eYJ5BB3Hv3RcD@kKPJ
zkZ}8ujP^m0xwibR<0q|eIDRTeJAJpx^;apo;_i!D{F-VJKZ(VPf85`z42qcd_48xC
z0Gc$!PV3>11(|F4H^)y9JQ4FP?cfr{`*Xwm1D~_OyZyLGEH>Ux^`FZlT6&1nO06`B
z=w<LO$Xv_28{#6Gk-qVIb31sC(!->k_hv*-4_57<SQI_<c{@@Mg3J?os7>vlK0+e?
z;9gb!cWqc2#qzi6Cy7NV|2y6_%71k-ks$L#`PbHdlK#M3{6PiUiTjiuzDqnb)Q&%}
z9~X&5D?L=8jSyt6)q{0hgkCT6E^+Bn#eYt(O(UG;Uo0vB;e^{~u8)GuWBk+I51aYF
zU*&tzlw*sX<zFoNk|}rv6p^ElF#qfE6=WXczfEX7TlD{XmFo+ZwchJ2|6)=6&#lKJ
z+ap2dG5#^#$*linivJ!NeLi=Vf3c_lgcH%fAoCdi7!x(~|A5N(=&>_@wb4fZ%zpbT
z7Q@7=4d$QwXM)Vz{6DC2ef&VtENA%_i&p&m(f$fD@AA*%6w6ii@BYKF*I$U5{;kG^
z#G?5Bl^1LJ_{0Zz#?&1A3o_U8A2}|Bc@gGup@*clm$f<jPrv^0&y($s3zaI1O@3ar
zecP{zwhiXAQu}!-#)QDTAagD6ZWtHh`H)vjKakTEN)Ppqe|N64dJv1Eht0zbJxs<J
ztssl(A&Sq-BJ{w|O&(TySiPWalj!NeYMf9kiXMuF7<yp;AjmwShuSnwIM)2UY^5sy
zUBBDb%ue~+k4wd(0uWBPePDke$Xr|g*5g8GpUwS(Kd5{kIxy@!XZaV48JL=m04+RU
zLHHMB9^)V47yfzP-6M+scVCY$x5IzU;-jM$^997B_`lRqhW~pT{W3x3TK>)P5zpKF
z8NT-CQl5F<K(yy=h8A&^VlETUD=pAPlW(54xk~9Mdt9^c?C8k89~FxVKse!goP)0*
zbFGeQ<VXKc<@<@d_ME@NMnA_s|6=hae~W<uc$AG_KJ@jcK*Rj!;VZ~I#=psra=+qH
z#ee;Gx@})R%gKJGSgd$v-`wT1FavBer<K|~Oxfr0bwTD@{>^^0wmxs<wK^xw{mj)$
z4@WOsyW3ekh(*!E&aH+X+Cme8ET)Gj_A?{&!2ONKlpYS=ti2LFJy`WK#iHmT_m74i
z*gps|Pw1gG^)rji{mjQz`Jeo>?H)VjZ@+yOi>E7pLFU@>w~mjh%|BS9`0p|J=w4^}
z7mGcy#M|7@l=fMWd5nKL^0f3bIbEyxKX7bj)k8MoBm4Rni=zLbyA1!=9OEp4%wznw
ziJX7%gyO&AMAKF)9OYjuDgfbx_0RE$AoCdiruhflPkvJ6yZGBn``Y2ZX5%bY>tn^D
z=)ciBhW?p<LFQWi&HV$ft&fFj{QCN8o=3zwdP?c&mS%e#){$5g9W6N=sUtxa(~-U!
z@P9jASACte{$2nXuj6!`(otN4#Sc7UqdlmZKe8J46^o*y_dbi%ks$Moj=VPRJ6UwZ
zaoy8OM^B7>`_@%9bYwrS6N~lm77qwoUp~uVIIh^(&_L!|9a;Bl@O}<+T>XsVe^38a
z_c+VHSX2N`;a`w>jDL*tnfZTKWxwNl=X~ib|6)=2msH|vLFO_3QQOV@uUFX~KH|Lk
zk2>mq#G>#nsr2gwnYa1hpt8Me^|DW$<zFlc?~*eAGvWUQnYa0WPG$Q*-=}<!IjaA#
zMM@+d*UC{y#Qz8~kMWPV-t2##SGn%kZ%?MP{EI~eAUuCX^e@Of#y{TsXy$*T%Kkk&
zH*Rs3f3Yb1ODg&oWFF%mFN!ns|ANZ)o6kQ?k2~sr#G>#nsqinzJjOrXXK3dCMV0Md
z!8w!GI?BITOacNc|1Zcq#y|3E=6{pozqIj)9nUz*zgTRH_v~{2H%B31{Wni15@a6Z
zAMe*P^S@c;`tkd+9)8wQ{>7pK5Kfr?IgN+}naB9Y8_~@C|54?8dFS=}o#kIFhKW}j
z!oMK%82?)R1!n%Ys9cx-^X_k)<zFnGj(<VsG5(QVGyhvv_AeaNYy5gg{f}6*;(vEz
zB0=Uc{*T_iNciV<elMx)Z~aT+!szjDwXRYuR_8w%Yj=44jv#X_|B>q|v5wBXu5z2o
zcGciJw7TKHck)xe@7e18I%2V`&*VFj<`KO%jMGXj6P!PSuOM?R@8;*(wROI0#5y{z
zkAG5nc(i19oE<&be-0!T2l;3)mNbW-Y_cB4;48>ns|V}nK&Ew6JnwkB;(zXu&usBu
zv*)>1^-(NJeY|+2Q6I-({=Xn|E&pz)kNW%nW&SyL2VYit=+P#{Z>K)iOb=G`jm4tq
zp)k|X1N&z|<_SIIQO(~I9r<q8GtUo+Jhx`=fh{)AH{PMjf8dgSb?lVCeSa(#6@YLe
z?Xw_rZTVaKW7GR?cz(oAm2ZF74vp;aU$gpWHQ!GxO8wh(y;1)L1`TAc<=^a&y*A%Z
z|9e(4zlPIYN=Ij3-}<cR>BwrHmRJ-Wb<Z_)bRGP-AoGllyf#lOJa3fa^W92E+g4;X
zv!f&X?SWVfHw0>f+XMDTg3Pr#vThHMOBtu&^c9usF=hSNrrGE(+vi^_Hp5I}IF#^n
z0_h(KGLP~9!7oyTe~ydyDE{{yn6a*&4gPD^9$WQ~#A3?MkMrtbyyEylPAjz)(EiKl
z9|<zo@^5aBYwLIg4e0Yus`QUI-K+F)@Pnr7oz;U_6g|9OY3N}sG$F`hdWhosT<U&V
zAWihZZt+#6ho$|7M^O(}{bjKzdid=dh91~I2r^ITp*HoG8<_jc`&9Ygv19J@cKm_;
z_E{`imH%caQ;@l~{H^1oVOwWQ`^@Qn#sBXg+%mDgjrQ3-|6=iAkdB-MBpnqJZlBp7
z3o?)KuSL#dc}?Yd)@zeyHgJ@Gv8Vuq6Xu`wFUUN`e|yRn{c}6?y2|&QttURS!@vFb
zR4j`BS@5sO_D7JpmVY<IrzLn#X|}{8oE}hmSTcX+7tZQIEQ%h^(>@9JSB@bb5o9qv
zL@_>PJq$4G;h@sP!Wk<Z)`M6SJ<N!U)Po?4=^=`GK<VSJki##?-#2<g>7ntAiZ7k@
z4`NaD@Nt5nhjnPP1zAiFQPjf?tCIp@J@9jaH<cbPerW$!(bI#~a{{p_diX<9q#gvB
zC-mUO_jne|^CtE$l}bmGlTNm6XrmusKMoa(qN9UBLr2^X6J(yyQEeS3<-b*3Y;I@X
zQhIoF`ObFE>Om}u9*(9Odf<McAdBfCitWrPdN`!?aKrZL?VZ(wSQI@RPK(roAdBfC
zih79n`}5pxysh-m?bzlH(bI!f+#wc45B2LCdf@g#ka<E6UW_}!^AmVp`8!HS7reTu
z#Ey<?HvVfhk6$dN;ms0$pctu;e2=k?wpiRK$Xu(V$a(xl)X6-L|6P^anaxYyvctRm
zcuy?WpZv)E4e?yO+e}U?wFgr0w{TE@1(|Dkcf+`&KF?I*J$@c`Sm~jl)1&W2PY+hl
zLB*oz;h)v?AjmwShuZWUH2in7`FX?<RsKh2Pd{p>{A=ci)A9E}d^9wDSUOCGK7GZa
zRr&LCa6#tU^0$5tI+doGp9B3_(eYuyEw=c#?~lcz@ZWK^;g2`MCkryy^6v(JjJKN@
z{cqOAdrA+#%ggw@k&W>f`}I*QDgfa`+Gj!LT0L0TN7Foh=Kp<_?_FC~UY_nK|6(yr
zyxL&?xjqUqkMWNfT>K%YAE;apZuQv)XZaV4R{XCA|ANe8{1+MTx8i=nQI-A14R8M{
zdi-1U%fw=J{x_p<&>iuBAagDMk^M3};4}BjK2+H**>dpmT{irV{Ww4@j^1%m`Y!a#
zrtIgmQtOMp@b~B;2r}35?uIy^5buzlV(ypyMd{(0@3v({PY+i8GO;Ln=<-^m9t4>u
z^iV7NWvqjbRQYfH_n)Fz{#NT3#G;h{lLw6Q&r39rd7}Jl>vK5@pua5sfa9W%l^*t8
zd2*y3e_+2~AQlyXaKi1wS8)b1*XqH#UoeD<&2i}`D&Nfu@~?E3f3bK!(ftrY_`RRP
zzaaA%|E1JU_~&}?SH=IhIh(H7?Pz=?7R4XF^<ktx6lAXD-wpARzD`>FA*aWb9xgli
zNw%|k5R0ORYd?zAgCL9PA&SqXJ5wo@iyrv7^ruP>@0P3|9X&l*J(m`XqK6G1N9sY4
zc|s4KelE>=`kT^Gt0CFN(bJJt+$|PGNBxgQ>PV1zLPxbW?#@B^i(ldR<1?j)9uM4^
zxyMG_VL$E`iwZzE;kfTkyh}llxmFL>aX0cQaUZ9jt9;-6QOmf!j`A-Sr9NJGe(UhK
z825t(naB7qq(b4J$0xr~{FhHF=p8-&t;U1JqVPYyRfzwF=yP_2{soz9`HvhA#{7O6
z5AKd>Nna}7zv%hiHiP&1qnG<{S1(%U?GN9&Eqn90!##VwlGB{MRw`C`_NzyJY!1h_
z1UCsx#74Z<mBu4vD#c%Ix(sjh?|?&Nu_vDjDHq%Akxsy#DWp#TrExg3J$@Hse+Qb1
zV?{_iW36mQ>VmC~)E)ol6JAP)Bc-^5`Ik?ts+tMyd<)CIepOZH0>(KgwfaaidSN3N
zBrPz8H&Q7zu3sGC_2o1jzfr9yu#6A*Dc}pnQNXX&B{)3VkDb0?UGn>JW8U$Nz60*n
zule*HO~9Hj=;KQ?eMcXChsI~b>pRBjJL0L4AD|e_BJ9vjzKD%rfa=9*N&1<`^fR%|
zXEOYz@d|zhHiC61HBiVKDGWb!#$$5Eem;;u34s&5kw^(~TAF^-rU3?+Mw(x%s_KuM
zX7G-9tqEOCLn({ef!a<qg8GB#Or$-K4xlSh5L2muZUWW0da)FsSjJ+zfFvIaa3eh*
z&tM~%Obz1v!FtrfuQLt;h`(S)eF-z)8sS@y(#ZaE15swL7ZS7f;<-Ve-JDixOA?62
zgFjKQYwM>Q`o#s5tc_)V!Ry3OymTB1e?~tv_vKUl28;fu(1X=;1F<N2_-i#i2r^IT
zp*B4?$mMdEb%I~%rB5__?7yN|{#N}Lu_)zVzBkez2r^HUe{Jo*us;Zoi*OwGccq7h
zx9#0!#~;}5zlg=t=|PaWRu9(w7w|9fGpGMh{P$^G<uLzZF@fs9=Nr!rxP30bd<sG4
zZT?Rv{#%~4Ao103|54)TA8rrr>t8HxZ2#LQn!Ivi@Kd{P_}7gKrfw7d1(`SbM+c2X
z=ZE;ReXT06IU(Gy=keN!QZB3Nyi_o_QeS73to_t~Prz!twxzPz>K6@j3kCz`G)^nE
z_2^Y>tZN{1ZMksVdNwLKSSBxy*XGLlW%jR=l#c2=d0t$h4ISC9-(pb#2q&zg-O!OB
zbFGfJeLH+=J<bi+V;-+4Q2Bl~t=sVE@ozOgBo?I}54t&2kB@-+At(bu=34%Fd}u)b
zu&yXPKExwEg=+t6>q<Hm+0ecHe!o~;`Q)r?3gJK7yufLtRu0}f)-jN|mUpxNtgUgr
z-nhzh3QmiZ9-7SU(#2Ulh(*!E&3`oX&;*(gWHCKN@p<^jw(!NG2X6U`l^&Y?<<cnX
z!D<{xEQ%iXRr3#m%oBR3P2)g3ysM7`aa=T6m4B<}n_g<iAJ~tJ#G(QaPPlzwe;~+Q
zTmGksi}J&95%d2mm2YiAvBUg}#V$l$8UV#Yg+%xlWM1Rncy7#b=@gag?H_zPIC}cG
zic7`fh&al`Gb&o4kR;=A&_x)j7i6yGzgk?H9}$=GBS-!`*nI4rYaESB#p3&AWmm32
zT)KA_r<K}3?hC;02r}35?uNM3PXj4e;t)<tLvo;17o{z5Ru5uP^ssBTp@&DH2|*Uq
zLlooETok`g^uX~+nbO1eIhRIJ4_0xhSQI^!|HjY*`v*bh2|d)NxHSBHlH;PARr$ZL
zrE;+ye_%f@6^nSI@fD+?M2SPCeGp`>E&tQRrNt3(=~Tu4C*?iwb(Vjzr~rf$;a`w>
zjejF9W&M|{eBb$>iWAQAFBa!qKo7J2a}*NhpXbyGGOzJp5~2TTD%WpJc{6LRjri2Q
z{}GGQ{#>*?vi%Wc9^?Ps71y!uWq!(Z#sA|6)-HL<2LJZQt;OQHMlYp5iT*)hb51L@
z&Cq{a^veX9Yx#FW|9}>LY>ZQKTsTAN;omKSOP$q&SQI@BIp5GjCT3F#vX~yC*gwED
z*20K!>zPUqU3c|~q8_aJ2Vzn5klMn~1N#R-<_SI2rv8CGQ-RwDZYO@N%D>~4*DkZ;
z5A3(kVo?DIC(=F$GS`;>Y5E7o^L*ximdf|L?=3#C&PMxepMS9^^>1WbqyDi!7Gxgd
zA4@1CKH~H@ivJ_~l6E}pDF0${&Av^SeLni>VJjBqUGw$aRX=0>e}u0f^BDi&+suE3
z;{Pe_Z!bLSDF0%y0ak4wFben2gnvQiUH*Aq*KEaq)tuH_?C@W+{=uK|K2ksRPVa4c
zAE{Ur|FdJd;eS~Fg3Pu2oBIbmFR&TDp`~4T2PL+68Q27bWBR+O@N0s;yo(os@e(gy
z8diWovt0bj$JUKlgEW=8;#VguB-7X9(=;5x`%OWv)p9cXwg@YvcnO+;GZQ$<u!k41
z>7P9ErI_ah-lBB$=Gj^A*wK;wc1$duPDg^wwK}qnBNAzl_)&iTdaL69f!<eq6g~c}
zp1+F4>h0KS#1PFf&M(MZ%YWqaS3Gf(b)(#$o}+kQv;CHai}Rv2ui9$;k67HWF{{O*
zJff95Ijz*jfb(R$KU0vomUpxNtgZ6`d4*`i^Vi#y9v<9uLAtYg5R0ORL$4Tm7=raD
zf-I(oXpXOxph-4Af4yDl;U=u6kDeZ^##h9m=wa|KLl5j91equFP;19m=Bo0)uvy+Y
zcFNy=TqG71fN;X?!`q0j1(|Eh-#RWr{gb$e(|Ic2$1l%!n18VtCSGkY|Ll(inb-I)
z)cKFsg47S)m&tS$x;A*(E)7SACQpB3hBNEVl2W=qu>|pu_`mY^BmLieDHy!1f<N(%
z@Spy7KU;QPGVajvXHP;t!_g0ld`(BYYJH=2c$Y-=K3qG>)?fBffPUMQdDnL8y?ABT
w()pL{8$4=jUQO;eO4+yy_wIl<Q%u$g<XB^Z-aF)XQQ$oU9$$B+|NW}}2P;K|(EtDd

literal 0
HcmV?d00001

diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json
new file mode 100644
index 00000000000..c08bd704ccb
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json
@@ -0,0 +1,61 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:34:01.6107262Z",
+    "event": {
+      "action": "deleted-group-account",
+      "code": 4730,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "test_group2v2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A security-enabled global group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nDeleted Group:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "PrivilegeList": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112",
+        "TargetUserName": "test_group2v2"
+      },
+      "event_id": 4730,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4670,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..7d89753f06a87bd182ca4744ea607c598bd288bc
GIT binary patch
literal 69632
zcmeI$S!i5U9LMqhoh_3|GD$3vQrntpY8OegYSfxqjah6l)+KQRm&PWssaZ6OHpYjb
zEp8wbsxP95C|U#+M3CZ}_#o6ONEP+X7kv<1swh+#fB(BUNwn7e>3hPRyPWNRKIhys
z?R1R{bq|jW+TxUoAI#|-SlX;ESX|^E-`6cIeejPPp#cOCKmY**5I_I{1Q0*~0R#{@
zp+MKjP{+=(JN1A3C>`%S=h^yE;L<9y7kkd=i%S3fPw(g0nqjq8PAhU|KUbI?&6<6g
zDL?nCro7q3`WfP{ro$(wb3lE1TA@BY{TP=&6hHT8PwCmvqIfRR{ZH|aB+C}{F&ek!
zbq~bXSE_8c+B~?Z9WV2Lq%)Eqbmnz-MAqxqYfdZuH=Zc1y>Czc(8EW9+90s%;F0T}
z$s{%X`ty(W_P#arS=+_$Zf|@|Bk@x0_4d3jeSn@0R%flt?y*4|vnky_q$9U0&U~vj
zYrAdKMwB_JjBL<qJ5_AT?y`&QEd5Q|4m}xEnSNcj=sc_^6E?29aT`*}7Tu5Q`B`?a
z^2T&N$IjN@dAd5=F4X7XuiZ~BxJw14()XIHWZuU6a@K1zYI!Q`Q474iRJuuVB{TZ%
zY~HR8d%s704XD(Fa?jV%oh-&Hp2*lX1v{!tvtrSL+>P;iSl5uT%WXQWsjOP7O}D4*
zN)@{=F7ZQu#XPL7)~UQTI&!|`yqR^M7VH`|(J!)L4SzTc!Rd+_%cY8G%VmNpJ53Lg
zmA<sH!mf{t4NGcFd8uNRWip!MmAXlm_`u<;^{AlF)ks*#yim%P>t=bpPP=9^))&sj
zoneubcNkcsZu}MS^vcSdU8M>1X>lU&F7TGJ)})){&Dr&S-mXygjOJ}zjstS{qFHOm
zi2Z8a?2B7$d%Q}W4u_^4DmthDe2NBCCgkzA$k)`S*}{SuOe%>dXZ7izpw&{|OS;oF
z^R%y3gC4R+63M5E1uJ+gdsQjf5T5(4$~wYg9>+)+Ny2)w%5`_gZ+PL`g0-u~DFyDU
zWlAHB+AUUCZO%6ZpZ3;w>dm{3TJkX+r&5hCmr`j|eI%R6n{QNV0K3D$r^Ak->D}US
zXg1AbDSTWRuh|_cIH|ulioE4>zP0+)?%kM|@Xpva0Vq~lJ{{DB%gHxmPY-H|cBo{(
z7SdQ4w@+G~1(~2!3ISBmC$4QQA3}|4DR^+vyOPQV%k2h*u+5tFif+(KxlAu?kIox)
z?vO=`7Q~3%t_nWOExH~Tqpx_Mi^~*4vPnPNlGk+mv`s7Wh}i5@mB=Og^-xdFuG5&k
z_jugZwj`Y?*4wI#our~#n&F|9tS_`^lzD5gywxjLuYj)n$Xg*S7e3TSx9;k!R!3lW
zr&sAo>ik)6P^ocl+p909ec#Mzis#hmCsAYC7ZvBi4XjxnzHtp`ocAi!=HHB|S!-fi
z`94A~d55ija!=pxzWrNYIJmhjz4q;z#R}1OUHNp=5#Q83`E~2j$8PERV&D3iO{aW#
zzg`zFrCGa6m;OELsq+C}QptAR8BRgJp8HPNrL%wU`pSBAJfq#oC&+VG>&W>Im<@{I
z_AsFs2bG!7Cp%)QM&Le;7sPF?E7z=BP_t7SzUljT%e57+*Y;W-$tmU9l?!V3s@{O5
zYErhu%by#UUl3=nOmDYc;rb~@n$%23HCyAF;WiVEuvYW)do{~ZYC(Cg8{@iXmZPj+
zRQLBsnT_iIiKu&|bcc>HEp8ugF4{ad#66#0?ztx11fs2IL}T{(>5-Cu*`;bK{;)^?
zHuGJ{x5sJqH8pQW@=;A6qtD2Sa*w_h`z&mUd-1JxMtxPPMn*4_*~xl!s&y>4CE>9w
zzW3KJrEAakvu_?A=WUAGzxt=OrEJh!)1$qkOOf@NzFRzH8}xDOONE>@weBDK`0Lki
z&_;B;yzc{3-2siw*H|Pm5iV(ubbjk=UQ{zm&BuwPIm`|J-4tE%i2wo!An<Pq_y+v>
zu?G9bHXr&*|6WPX+pXq3zfaEAxGKE25BwX6ga85vAb<b@2q1s}0tg_000IagfB*sr
zAb<b@2q1s}0tg_000IagfB*srAb<b@2q1s}0tg_000IagfB*srAb<b@2q1s}0tg_0
z00IagfB*srAb<b@2q1s}0tg_000IagfB*srAb<b@2q1s}0tg_000IagfB*srAb<b@
z2q1s}0tg_000IagfB*srAb<b@2q1s}0tg_000IagfB*srAb<b@2q1s}0tg_000Iag
zfB*srAb<b@2q1s}0tg_000IagfB*srAb<b@2q1s}0tg_000IagfB*srAb<b@2q1s}
z0tg_000IagfB*srAb<b@2q1s}0tg_000IagfB*srAb<b@2q1s}0tg_000IagfB*sr
TAb<b@2q1s}0tg`RUkUsIpLUPI

literal 0
HcmV?d00001

diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json
new file mode 100644
index 00000000000..6a960e13377
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:29:49.3586766Z",
+    "event": {
+      "action": "added-group-account",
+      "code": 4731,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "test_group1"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A security-enabled local group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nNew Group:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1\n\tGroup Domain:\t\tWLBEAT\n\nAttributes:\n\tSAM Account Name:\ttest_group1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "PrivilegeList": "-",
+        "SamAccountName": "test_group1",
+        "SidHistory": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111",
+        "TargetUserName": "test_group1"
+      },
+      "event_id": 4731,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4569,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..46444d89b396fb36016ff4d864e7774bfd04293f
GIT binary patch
literal 69632
zcmeHQ3w#vS^**!NEJ;W<39tA7go+{v;UOT1ydgXc0SO|tRTD{49(m9tNDxYcqTr+Q
z5EY9eQu&L5iVBKCL5e&CK|v!b6v3*+`ala-t^WS$cV_R|oecxVsXNWgZ<pV4XJ=>U
zeD^!wJ@?!@cP4`h3o<4Y=2Oj=NA0LYsZk73idOTG|N3*vS=Dd+*C&adAj&|LfhYq}
z2BHi^8Hh3vWgyBxlz}J%Q3j$6L>c%|1_l)t3>aTL31j@g>vUx$e~n3j`SpnkQ_sIP
zaJ2RR+0LlP@91niLo*-I5A}#n#1b9z8owcG6-U$y(-1%Pwf9GU^Ehnss~K$a>l=0a
zYid95TY`NBHSqMo=Wo>{$vHJ_6sdFZZy#6N!*Of|&iPV}^YAf0*Q*NLo$hs^Oz6}&
zplw_DG@j>p0<Vi6nRv}>bE~vuO`}BZ_AyJn@=M<S;O$$pHx?Z1+3VGu7Hd!wKB`|T
zJ&H}PAirKpjHN+zBjr;umE-dqynPeZmm8B~se+2A5MP$zi&(8IjmKf-G?^}=4)|9_
z<FF?m$K+x=9pwb<DWwv8Dxm@#nU2pT*x!Ms;=5v$ov9=Kb-`9g>W=^OgXYV^K6$k2
z>XY!5_^o8LkFseR&Rnirguwe%SN{^Y#G_wLkE4;g^&4R;4@Z^a+irMgh#0T9*GpLd
zTZAu({C?7WW0fA-H1^V9nxg*_UnNs=OurZ!j>B$JM|_=I&p_5t8i?;&<LzU~@oCz;
zmq1tI6uF>m0;)ejhrrbNz2x)wW60;#>eDZ<LzI42d_5YY4x0d`it(MtU!S~Q__#Sf
zh{W^u#!@B@WM38P2N56Sp{DrIROxikbT5t8eKAQt#KQ(PYJm^j1o-t-b03X>1KBN1
z5u4NaOtI7oAEf0>d_9h?z}M5@w-WG}2j2P6SZeGA?IZDFfjVQ)yX(W~1fA0XI5Zys
z*hP6bMyH2c5o_x5=?P&Tlplc}AEm}<2~bNYmSn^v8Q30$6Eb8*5@6orPoM<Gaw~o$
z0b%(+>(c=JFvd}+BN1AEjpH&hR0~h|DuMdpjO75%YAHue1LyVEqhuck1$KMaZK=ej
z183qoo#sbLESKu)BG`~1vVL7WDo~*VpQ0NIxOWKSfH#S;BpirWnjMD&%kWR3h@&_k
zhgNp&tv%wv@OZ_o5a5rexEL)(mlFqLe%%6z4#1JQ5K^&@o1K<Inpdl?)(OCY?6{uA
zaXL{&kOG4Xv=vXR)|9RWge+>0CfW%~>5m4RiLwXE0pKDXf+(aL@B{X8I<`wdBP*VL
z(H|HjNH0r|gS**nQ-C}`G0}NA!YA>%Ak#-zq0Vew)jN?I#(4dy)Y3~0a44jyzoBGw
zXn|VBQDcguRD6pjfGvK<QG$M)z7zjt;8O}E<E_!wn3mY%={AE;h*yhB-;wJ^a@_R7
z#g#Z|s`>`ay=DMw4?Z|><)NNa0k!=pb!rbyOu_eDLq761bisYIM^}tqG<3yFy?e%7
zv^A+F3xROmb5z4v=>&ND=})V!&HU<6)9*GP{zoaA3m*lq6=0M5S$++?nI$FRdZ6xt
zT<qsa*b621yR57`O1y|p>>&QO8QwmQfU#&|!$EeD?!VGtB=jVKXm(#4b&hjGzlaa}
zMK)@fN1h~&8uIa%sN*jP9q-ozP$^i*hk0?X#9U93Ct&GP^-H#>u%(3kav=ETZiN{Q
z{W|6hI63f%UBT%+1I}!C?FO2tD>Q^uei<A1Wmkn$4`cxjlc4~!UxrZn0w{Z^-(DQ5
zV``1xn%A;k;P<BNhTF~rOTWRp7|n<Mf~LWK>7*>5AF`aJhnYaID@2{yKbc^cyHih6
zJS=+AgwT(n!8E0Y)C6Us+UC#asL$N^;6ucMEb0a2=fO+tqrjO;b<uH{Zl{hA1(adW
zK<w)k7C&TPD2kvT;#X{A{CC~T1Ru5Px~Sm5@#juz1f(1y%jtTc=Okkaf>$TB&rC$A
zLBKMaPWS7p5%Ny=9iRF1^)Q~j^<y{<UhVnKd06GjvTqin3^eE-(^A%P{$&=oup2Qd
z5VumWT{CVm#r*0IYB_EVL77G^LG{qIVQD}Zc=ctAi}I?1JLHS8$n-BqGrm)HoT;|8
ziE=~XSI&}3!8ofXUypp8>=oi)>D+5N^<KC<Yw_)u>=`_Ib6#!EI9f&0tDw~mdJe*8
z=O7j6p}7x9)GF@ETi6hl;Tn3W9%Xx4R}xisqe|@I{C5bbyi3(`)`EjN8$Xr*<XZ9n
zSMcwp-f6uJ{ENkP>$6%e$Rk>NoXaXr_!nenR9kJ>`d{%s?%}q*&P6xEf?WwOG{-xT
zx=Rn34u93u2B&5`g5XwJh*rt@2P@@z^!`(+D?W8XR?-<qR3OpH$G&MGmm^2b;evHr
zRHLU(M_kB7j3|bU@w#C2&#WKT5$ov>N=G>Z65{WL7k{dbthZyaXr`k?v|~Z$SRI+S
zW3+2&$IHO~-HQJ?6LOD4j{hEdJ01_QaZu4;eZ^t}O46mCqrPYa?)%~`$Q;YRZ%h5m
zOH^9R+gamgjb8O;iw(zj`<wA@m0fa1-JhF#pl8D;_6xU<6tt6hij}UDI)81&Kedaq
zD@@|7Sd{j$DrtlsXFCG$B48C{j`fc*&Q69fInJKiFQlIm)3OoE0(~%#Ehl4}$5uRl
z!vn}6h`)gh=}d9AAAUC(t_>gAoEk6nc*r^sJ<L~n_<X@YoAn?TMGuP&dYFw2OprzO
z5J5e#_chT2hs^~_4`XufkDwkNFo_RhQS?yk504Lm%oTdb`w8(OF#E*=|6;t)oPUKM
z%X#^a$AtFmcgdd?D*r#b`O9yu^bgkaC$V_0J{(0hr;u>}kcj?4kU7@>=J}J>H<&+F
zpr5`+)%we%9WnPuEPqWl$)Chx<v$<jH3f>8`}GTBKL?r=<W6f5j|G`y`8VcI5Ihm{
zE&bpk#ryNayaS)Nz`OOlNGvwlOAVgSBU*fb%POrrf#?<RF323qyA$#vnx3})T4O(W
zuhPS$?e}FwP7h}NpjZ?=^m!*-4}#1UdZ<hNpguz)@!&q?|GU>Mj-da|#z|sP{D0?r
zA^)#TBobt<@PAz$C+QcwB_33wpSWM?;rsXlL#@OE>v@q_G}A*R`UpYhSUs5MMHuxm
z?~<1;R{ZDm+AzXi{>7pK5G=TV=JqJaT*g1$^N5lE2UNWmlpb4XFaKiElSuw6p@<xX
zg!x~Kw;*#F|7`>F*`ohHs#;&Lq|I)7`4@{4e{MM*-X94vm+_C~PDcGNQT+GF=<}Jq
z{EI~eAXte01)0nE$DF8<{|8mQ$Bdit+w~U4XV&{)u^1#?Z7}~lJ`-f_=Kmp8>*M>1
zXWGlZSTy6`i~d)TxtD*Qr&y}0f6t$ez42ni^lvsVBo-z9FTYsR=O>Qf8dD4KFUTCr
zfB3u*)<qcSg&vmHKBev1fBD@{zn*M;UZ`AIY<hY1)-Asy+A^5SD(&)Q%n5;aLFQQA
zoiH!N>mjd}aUhq=lpY!!|NdNi^&l2S4;zPt^e`E7w1O<EhX`IT3)2H%H+e+qVdcDb
zO(UlVvw1?XD0(O!64C?52SMfvJ=CRn!g0pyWy_WScl=>Xb1VM0o|lS61t3^(|G@D;
zkU7@>=JP`6pN->!KdE{j*f;Dvd-)fO8CaT*1TDB;LHHMBF5@5K7yfzO-J^>C_uh!D
zu)=@s@}r|B>jlK3#J}Xxq4@U>#$|%cvHTnJBVM=p3%sqbr9AVxfk?004BW(3j<rm@
zuC!1WO}=s6<_e{w?1JXsThWpAI4TwufMCJxI0tV*=2#uoDvti2s`rz3?>c{*g>jB`
z{>9?U-j)M>h$!p7c=+p2fQI?c!&{KKjDJHM<#EMhivI@hcH6pirk&$Vu~_-+o;gcr
zVg=YnE~~V;ShCOa>w?U&{2SwFUA^9@-w$IPXRcIwIC|OYo%ZTMEQ%hsZw~399W)`x
zqI!tnI5SKSJl=R*>0$qk+N+V%gV{J!EQ%g-{~Xc-#|J^?3O&@Nab~e`ocV<E|H)6<
z?Xu#3>;1D>Je~gqnPdHLo*&g%f3QmN-(&F6-S+Y?7JK3rZ{s*q`e#ArGXCk%GcwNP
za<$@r-?16h4_nBOtm|JaivEZ02*tk^m}e1WF5|y#`1*q<75|kdnzdeLEB|6q0SFeX
zf6hk)nalV$tUus!@>8nbCEs4!*9!l&n`be*KUOS?{u{p=(m(Sr$Q;YRaeUym`(vRR
zuYP|uuOng|J*{+fbMsv`>qsn$jussZ*O4HL>PWvE@P9jBSMxq={kZ@#U&rMdrK6aJ
z3m<&cLVr-Zcw{#3D;7mZhd&M1ksx!8j@&lyJ6UwZdEGNgM^BD>=av-~bYwlR6N{;M
ziU$O(-#*J=IImdWD1^+hIx-*E;Q1WJy!u(i|E~Tk?zNYHv8Vu?!oMJM8UJ|hjgkN7
zRP{R^KIaR2`4@}Azm$?!3o@7SkJfJFf32$a@Db-Vc+A%LBNl~sDP>$Q$lT5UI#ul@
zE0=s?FaKguc$bp-pMm%<$lT5U^QzkW`abP>+*bVuEfOA81{668iNqg4<}&_~*Bj%{
z3#!%~`|ZlKmw&OS00h^si2enc%lOB0AC3I4SJl6F`}$4x@-G&Je<?-(g3M+7<3Vvo
z{$Etpe(Qxt=m}fnk60Amr4;@JnalXc^9+srzoe?&%RhV4YFqgiiwQtr7XJmA%lJoK
zjr?y={FgTwvF%w~`4@{#@Q_d*|K=zptp65iM1ss^{NwprM*cUdT0e1r)+5i^%D-4t
z0D=YcKf5uJAafc2cp{pS|39mGFYUZ`uf6<>#USx&L--eDF5_QoFwe;UCROW-f8Fzq
zz5I*C)A29JT*g1DYvg~ks{Vz8dW~OeYy1(5X8iALLL|ss#{bdV76|`*pWn->`kVh2
zKR<H(o84C_7HjgKh<kVV{vAQ)SpLKBtHgbD#``L_sA^XazEi6o{Cg+0f8KWOt{<5_
zUq>uX=`;Dxgt<ho596{*%LM0-;w{J=%e(P<c3oZX8g?HYx5vLIJv>&nGscP@tX~Hb
zi-SBg7`HSBuWYg&#^No=9IFTO>p+J4sCeD+R>l9EL!VmW-+Fr#i_#u19vNznW3m2U
zkU5rrC$vZX`Tw&1oQH$2C_VIOo8-099&4uuv-QSeQS?xh8PWsCXF=u)J>*gCpA#Ma
zY}Yfd4+%fEcF%z=F|Ie>ru;u}QNMat{BJ!Ti$w(>SV;dY$Q<i`^LT7{-VLvh*skjB
z?b@NS75;12{>;|<iA8CD8?Fttzk&V`GRN|7jK^+U@2CGgD_LK|<qoBzv#)J)R^)VK
zwoXedijKPHhII66#Bo998XdW9omOz&DCg%pm5#P7%W7^#N7nlTu^8+K)CTtl9FGK<
zV|8TSAE1^pPr>D@s@7wt^k1D~VZ3aef3escD~S<Mg4YRTd?d(R#{ZFDB?<qW7w=O1
z@7XtfO{xX{Yu6u}%~y!Ur0pN&rDDF~_<k;{v}Mr#D;OUMGRN|7?2qf}d<6~Y^KP<?
zkGR~e^sxU(v$gi>K`e?M-mePjVKp=%$fA0P;QhJO{W4#Q=z+uHYf2A``wfqv9?Zte
zVo~&P$D1KNaC{JCuFykW8ZS3Aj+gf+|KGW7&I?xJf%X1bESmX$Ba|t~9P5Ac{Ak$b
zS<*jqxmWT3$A>meY+#{(w$8s;-0!DDX8}n^g@pTOj>m$`W&CU5>sVe_wVwI<q!|ru
z<zFl+0KtO!XZ;H@m+_xY*`j~$hu%>2p1t|Rr&jp4o}Y?Ei9hqc3-5mfnPd5PLVj9?
z=agnkKEmZbrH4hg&-mP4J%~lo!+F}r!STv5<RgMCs)q>Xr>utoMm_9TdYC_bnaz3-
zi=v0=G2wa;WKlgtP!I4v{t7wbg8Y4>H<ccmOt1XH-uNIEMGqgvh4ioneYPNr>LG%9
zxNc>FFQ^B;PVkn}!^IEp{W5ZTFuP757DW$#N(k43AajKt-1r>N61m>Q@uf=XXmY~I
zc8x5I1FYwvVo`Lo-yhNukHZ9+D|A#>=Slf*RhJn1nYWc59$UJ-y}f!6i=v04$ss-P
zxKNNq^$@{+<`g{~P<ps->rLtQ>Om}u9uB62>p_r3^$<Zlg#G<_?l<01dgyj+V~5D;
z!7T3(i=u}H4MKY0{z8zsLJw}tJA&&IcwPCsN=FyGwxP_5j%qjmYqpMGET-Ve5?-Jf
zsgV4DxsG<YxlxcgR!8CM_=~BNaUK7As<ty)l)Y_*ckB6{SZpx)(FYpgx_Gx4Tvllh
zCgE@4p#2Im$MWukc}IPnspNZnJ?x;;Lt&@K4o6N8X4gT*qUhmYHS{3JT%m`$bR9JK
zceD9=#3AMXL$hu=YQ_Jxi^FO7dmtVfnl>yACIhd&V$sb1d>venIoAK?*FmS!G~;!k
zzbZODD7@Jc|JLKNSQP#{&I-lj^@z!W%(47CAs*xDCZX{+>*BD|!yoc8K5J}YKE`@`
z6pIQ#u#o;)kU3Tl=Izn2j-UB|U)6iZrsY?p*~-6I3=*$4n161Mg3M+7BL|mw$mJ1L
z>%px*U1u-<V$qEMwcuZnxs3nf(DSW$oN!cCze%IpzKk6IX5%ukSd;&a7#nm)J|M^(
z%YXQ|3>Wx}<FXG_waYf`zhZ}lxMMvJ5Q}5BU6i&1<FeAdTvlm)F&6#-BLqR_Sl*qG
z2NdBM(xt|6+252Np8bAHR^;?xHZBv3qK7W8hwDL*xk3+ha$Lqb_)z(O^S}QRLI0cG
zzaSRH|4;1;`9Ci{gv=HGudCPP$cOQ=!~@QYK2mzvGwS3>EAhbkxIio_0KtO$hc9D7
z$Q-K&^KrotDlz7zAFFz|D9j&aFaKik0ip*Wgy3^Og?~ZjGXBe{z3|WN;O~n6g4r9c
z+-YlmBo-wezWqUXJQQS(<=+YUk$#`F#6vERDLq_v^5blK^&l2S57&Gct_MLD)k6fY
zOLwMnst`T!b?Hx(9^NZkJ0@~^FuN`-7DW&1J_^@^AajKtTzy@d_4E&=qt-*ROCqNu
zv%Fg@ijMjp3)hh#bA^uTY~Gy%|4Urq{Nq!lhaL~!mAT78-eEoO7K;i%u;9G!E<8&?
zkU3Tl=6N^jDS024pQ(D^^I@x)-L~>C7NtF2cz&DUycmyz1)0nEFQOvhpXVn(SNvB@
zE9@OP{>|ot#iH;(zIA~AMi_H;g#HDYWBCuC561d_nGf!cWl3Ks-aqeocuR=)+s7>R
z-liV3&f6cneQWl{f`dJKy_(a4qgFER^6ZyNUThA>y9_7sO~gj5)|JL1Wh%#CZMqCk
z^zVSL#$iuB6;Up>(@{>qo>I~mfKmaDOvmRE?C(HR@m(>>&bU{$BXz-6N9vCM^9c_n
z#5d(QgYlC`tFE2_?R*Q%o_^KU=K{t#@LB_u8NIOK_mk!u%Nxm*9Mdm`@c44N37^rd
z$hU;Q@RHBtk0GB|t4|1cv==)){`%zg;>5h;8+`}Dt5@^rJDP$ukKe;T(exdC^c@->
z5v%Vg(09aAV=q84m<8COn|uiyejlaAXbJj}$Mhqy%||l)X0Zx>1~&ZlDA`xU8%Yd5
zaKz(s#9sa)j^cbLcq5+TVzd<fq|JN`FoiU)R$bj6C(Ym;v078QnubyqwFkAGXaw~K
z(U~ZFpd3J>;E1VINH>7$T-_~&aLYJs7n0Ot9!{j!<5_I@6RBa0*Plu)y*lF{fcOn&
z)SIyKtufxIltR|88;CM{y%?Xh8`ll`?BudaTNFn$9{h=d9os&gFfJ~nL~R_$3%*Yb
z?xo`>_%-I?Ij@`=H(2yPhaSwX8;C{G!{2M@L6EsZ4|VCfK`#4U?i2h{_de0Aao<JI
z|7PPCu_*qp*c~1Z1eq)RUsuO391nu?BAmy4rS#C~*4;a-!~^T&7qNIcJqR+#>cM>c
z0{$g`=JKD4|2|EsZRTGr#!)@Q{Lpm+?w<>>o<fkhoBtDv|5j(si+?RRev~}=$NNL;
z`WK7q)9-k)>8mFOKfU9+@2;OWb&K#X$lS?4252lgFT|JaX<doU3Bhqa&(}^AzpSYD
za^c`A{XU~a?dSe`0%r5It(3*qziO0QI2bUeaapCU#i(L^{SY$8`i1k>v(d=GGP!ZS
zHdpRn=J+~E>8RdQ=fxCR(2@1_Efy7kV8J@t2^|SC$Lfgtw}Yp)<J@37=J|?3Rqy9g
zx($yU|7P<;Vo}=hpc@12_z<`s0v`x6$MVnfLj(E;bw$DXA)e_eQu|+DQ`V{2g6^%4
z`^Dn&r)K`L2=TM+i(FP|72v&Ny$~|T@@|Zubv4h|J6E|*!DX@1L(@53y4b4+u_$`D
z@y{VWG=(MvSyT@ZydFNX9b&QQfqVWErHAH!yEKA&Fq;Pwi=u};HR6LHbA=x2(mW7P
z@9OhFoEJ@2{%`$4vrDbS1M7K_SX2Ol1@{je4+NQG{ePOgC_k7NG5^0+_0}eo*v!9J
z>_XI~AyCX$NQ8eu<~IIA*Nr(ZEmgJNdgPPAk<-6fUMdzx#84)#QPDDmBoUW`F2YQ`
zAagALHS*H@u)LHnIr8hF7US+(Wouq47T=#TWz;I<rMqWxS)~o+u>j(ZAagA5PRL8W
zG>~#758<*rAO~7;QOZ1f^&l2S4?AXs^zbM&A;_Y7h+tlt3-^0O51gM&QF{0x=h6u3
z!7MKoi=u~$--q<T@j;NeLJxH*FAZLw<h<xc<^LBqRV}m<53J{<Vi8X?zH$tdD0!&#
z4}#3G{y$A#S`wC*PF4JWT+#DBd-)fO3P7+B{so!a_z&f!tp5sC@4NoL@`Szoi^bU&
z&?Bt>9EF7W=QVYL%x(Oah3S8qs`Z<tZ)L5vke^zQKVnh(pNp1;_dkNnW&Gc_?ANS&
zS)X!~;{S<#s~0_Ofq(1s)?#r@<CoK(!uX)51(#LYM(DpC#$|%cvHUw>d_eO*3e8h;
zUN~Lp;omL&i|y5eSQI@BIX|R_Osu99WKlgtaD0GetVLn-)-#kIy6)%`K|Pp_55%JA
zA-QEp4;&u^nJe^Am&OPBN(Js8xS#l)@_)xs*DSFT53KjkVo?DI7ScZmGROM=G~<KN
z^?c@krmFXQhZpW!W1)Yx&c9fc_BXO!sQqy~7Gy5tAGc6Qe#GVP75|6!By4-eR{q7}
zsy!Pn`)tfJ!<Nm@`{mbjR{VnX{~_Lj%w_z8ZzKPeivOpzf4umdt^A9{hPZ13iBWKT
zCj1LB_wvu{x@IZ<t7o^_WQG6QjSv2c=aG7;cUo`5^GL;_#Gh?9h2jtEUywPLf8+Ro
z*9A7mJ8)|ko<WH%z71>w(lPy6RQNPOzrBlZ0^?h}_|~vOOq%85Q$Dt?$2~|>sVhEp
z!i{A5{rEHu-{ASCAlK}6GV8VocS!LqXd#@Lz%d1T_$D^}l}DZ=<GR3`m5$yzJL_F5
zI<nr6iN(|DNRT;JN9K7%JPndK%GY0SQT#vH`^pa^$G_S2SFu>LA6tnWq6Oyp1({>{
z55NA3D{gY%D37OSE8bUay}8lCyhyF9HoN~vEUsIh)p9`|(emwFR%v6wc_N;lDaahl
zyD@&&)pdb<hiKUK*IShy9@=n0n!S1ui=u}EuZHw61oxi^vZx*+IloedF4=hf^){u4
z8*n#$<n&-Rzakbz4}*7v^uX~!khww+b#{Jbj`IJ7&GXK&;(zOTkyum!f(7>v?;yVx
zWRCT}d0vF}CwUQ<b5*^MUy*M!|6(ynyxL&?IUWl#xA9-3^B=4EsUL<flj$l9ZSb&N
z8jb-?p8muPd+s|+Nb3INBIH97|0>=OkAJs|WAL;Je#JJ%fBN73Y}Iv9!GYt?orHXb
zV;mIzn2z=}#zyV&EQy+9xb~E-KkTCr<F?Yd*L3Q=aCz3^+b`KOc=YDH+MIE;vT+s8
f-2qRgn5+}XxyA&2bjZ)5z;g&(e&3n?_pAN`g|2`E

literal 0
HcmV?d00001

diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json
new file mode 100644
index 00000000000..0423fc5379e
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:31:58.0398598Z",
+    "event": {
+      "action": "added-group-account-to",
+      "code": 4732,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "test_group1"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A member was added to a security-enabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local",
+        "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "PrivilegeList": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111",
+        "TargetUserName": "test_group1"
+      },
+      "event_id": 4732,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4625,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..97ffa2a63ba2fe0e8e60bc2442a34b7a90712508
GIT binary patch
literal 69632
zcmeHQ3w#vS^**!NEJ;W<;Ta!*P*DVVDj<lwAv_EL2_m&si6kkHJZKUm2-2V^Sgkxn
z#iEE*{-U6wf}&86A`d}O(1;46ShZLmXu+!0-#`7%>^(cPVZb=;PBZh{<+t3~+1WYY
z{mysKJ@?L?$-sjAj0pvKRQ=^sJ1S6W6i1Y%RX^lE{+xD3)$9N9Nn$66F%V-Q#z2gL
z7y~f|VhqF>h%pdjAjUw9ffxfZ27Z!(fd%>f#}`e)7(etnRawDbV^Uy#U848sk`bY!
z?f=hqZd-l$6Z09G28e#FLv%cz=&0ZP4N=PkqMn$B__?pWKk=K#V3S`>VUu6qs^ec(
z`+46I?8~o)r#C)-rzT0xs%E25or{0_nA#qOV>58h7pt9zkNI!CD#6{UUgyh%PPGHt
zw1H0(d5$Oax_8d%aj(v;)KWE#lC|4MFZIhWdHch+Zq449f3Qc-SH?D9gPQPBee2O9
z*yIZG>&4`F8b~)#9u-j;KF`5BFj0NEF*TmbsgMfrWhuUh*SgSn99Bk?=~C)|f2A}I
zd-8Bh4z}B)oPa$gRE$r>l#e6Z<8v|gcc7{Gt_bBt)DizWW2+-|!~c0<^Q94=d|Fl2
z3HVC<Ry-;|*)$DjF4HYS;C-vAehFOS(XXc`&<Nf74X~Aqqe}2?SG+SsjF;czr!0Ui
z#Fs?DAZdXyN)N3Y`DqYM(SM1rQYkgAZyXK7VK=HHzR9U$B5Mc@z;~_i4zT3-G_BuF
zqAPHU98fj^)t{h4VCsT?3iyI?6!2?x=@-}`N<Sm94vkiaO#o9x_|6xsOMX9m+zcN?
z;<<a{DH8{>uL|^oh!65n6MSf*bUJXlpGN7vn4}-#V}lws#|Lf#{CcukfQG|?>=veo
z&1rn5cxs6c(sCxgmOz)|>uK;?F?h@c?|f)HHS&XYjwlP%8GGDS7e*)Ooc70|c>usJ
z%Ed7{J=}^|Q<qIoitwQP2=oM~UYwQ$wHUD^BQC|n_DGzNAv2N?^S)pbB{7y;@goTc
z%l}cA`s;@=jshKt(E4i}myw}bc+%HN)E8$g18`PL8EP6jZ?F!f1~@3N+q-P5M{GKD
zCa%*dew4y;sj4c34GALa*CnC?<vQ>wx}lJJ2Qv<MlNd|VfkdU*aX7FP{}hS@N(gXh
zW!K)?Jpl}lSKJB#!9+@k)6#S~aWLlBEs$t`9GL?l73sLyX=$YSwW=ze0367U>rs@T
z6IBQ)Ft|`#@x^OR=qf<SqIPJaouHI{Xt0?myQAz6F4{v71#~@rz+P^T?PAc#if3Q+
z0|p7w%i1Tv-R!n0Kpvu)=o}moka(S+8K5gsXSS~DolFhl{K0zE!cX;aD5R;sp=5Mu
zp;{(TBTArp_!dn7Tl`L-B>gyjC;rR8r!-2%TcfRUEwIPe^(H<cUd=0xK0NVij+=hC
zxB@3_puRzKuO7hKfe#K`xv1w<Ky7zYo!UVYQ}8|4kdOQgop<l-QRSl+4O#JGuO4w1
zY)z@oLMUAK7}+3RIsx8(>a)sgGQU35<onHs|6YRT!bibt`Pk%smR|#IW=To79-zA*
z2m3h^_C(43E-UNz#ePI5b`XEt6z>2>z<4yVVIaFu_g_gk68cg=G`p|0I>*_@FA^hu
zk&PPWk}pN027LU*>iF}F<AZttDgg_5FfY!PnCnaNg)Cj7e#sUUwzP;}4glZWtuUj;
zuj5XGlLMdF6`cOl;LL{CuBVB*LJg$y%lObQyC|G`APaGr3I$mG(m)vqq3o`Hd!bRs
zdewewUCTP5-&?X9X*&}v{RZzMG#~a0ng;u&ld^oSVL3$)GofHtfI72(GQlo)r@oX#
zSoEU_p&vtoX+jOCG0J4M&7aRwpSkhDhlmAP)Dz0jg_qbzp)-}}qT?{#RvjS<D8-%u
z*w-^6e#kx}il86jS9~M<ckRlg0JZG0DF48*XHRGZq#Pp4=sKY1Bx4GKS0}X3Ohl=H
zz%q(X_3Nt;@=o;~pZV1FFrU5Eqc{y-?fA`kSjEcHZx^EsHR$fs($;bQWfixu8!;*r
zx6-g(J#I0@{OSj4Ic^O`nNBT0^^o+T=|C8I^<j&Pax23-<cl%L^e;m*zC(7LuC_Ia
zazo%(&XP*NIIAX4k9?f$72sdV+^akFTDUxG@$DDy88m8hZcWZON=4Euq16t04#H>W
zAQkGNxerO!%J0lw*Z`H`8v3aYW&2uH5LI=h3hd$hcQB~DQ`K_Tf`d96KbQa18u9-g
z`1ez<^j;?Z#p1g4SuGai60JSPWu+$k3$oLyttM>!ulOJLP@A4-qZ?ttu7nqw;T=ld
zr3Y*ee^u88r)E5Y;8t0HR>}DXE9E-${!^(7K6OG?auJRwN1~O7ebYcLM~>>l1^c$B
zT2I{`aUlmWq6jv|>w?igvwm1dtfxOH9gXdulz0!k_;Yn+za5K3D;*`H9Sbto>d3ks
zqg_ioUIzZ}QvA=Ekn=(G`0uW_<M9w12NnI*M=aK-6kY0L)fWxHeIL99nQQqEY^j@h
zu}W)sJ8RsmQLEl)zTw#JU{l_$vP;gW`*Cv*^=$aWe&P0!hITSfvC?JIMc>%*PtD@&
z3X3=^7NvcxN*S)l*^U6b2v`M~YyD%6vy&lAj<YBC3++#eY1xQnp+1<$mXoo~V=JD&
z;Q{1e#NSYcbh^0P7r&bf*G7(PPL7v)JY*e+9_A}Oe6e7F!+H>lqKCyMJ<LW1CdguX
zh@u|Y`<m#1!{!2|htXs2i=rOxw}=m7QS?w0jEoP0%oBRZ{TcBgH2cK^|029kpMOOj
z%X#@v$Aot5cgdd?D*r#T`K#~j^bhv)C$V_8J{(0hr;u>}kc|F8kh#|X*7=jxC!9Z(
zqo2N8)%vTH9dY+XEq_h5$e+Yw#Xs)vIR%QC`_1!Xz5tpu<W6f5j|G`)`8VfJ5Ihm{
zE&bpk#rtzZ{R5t}!MpvuNGvwqOZA`2C0cxd%Sx>*iRfkUF34QVyBqQ%nx4M?8goB*
zkJ7`W?e}IxPY+i8pjZ?=^nN>14}#1SdZ<nPpguz)@!($N|GU;Lj-vmq#z|sP{C~&0
zhW}S46A3a;_`kM}lk^MT5)UfSPu!>U@I&H(A$H<{{k%vlTIrzzeS{!$tsboNB8+;O
zcgaf^EB?p!+%Vi({>7pK5H7fX=JqJaJjOrW{jiz;`&GRclpI~?EdOHBmrTJcpop;w
z3G=@eZ$aiU{@aA+vqk@ZRJA^DN$cIt@-G%8{@ijbvOf}J9^)U&oy_`QqWJHg(fe~}
z`4@`{K)4Y73o?)Kk2z5@{|~5oj~+MUx9e?;&+PZVVlhm-+F<^9d?v`e&Hsa{*2nf0
z&2*N3v1rA=AN{W&^Dh59Pq9>0|L#8>ef@=~>ECKzNGwYHUw)yc&rf`SYfR0-zaVoh
z|B>@TSQlZQ7kWrq`;<0k{^h2he?8g$yil34*yOURty^v)+A@gCO6{^#%n5;aLFQWC
z-7qi2>mjd_aUhq=lpg9I`{8V7^&l2S4;zOXdYFtkT0s`mLlm!<Md*RAn>?)auyS78
zCehP_)jXkC6g?CTHuS*pL6CVu54CBYaGd#i*>dIo9e>!;%#Q!<=cQs%0SFh|KX5z{
zWUlqU^}G=JXY;t=PpaMr_6<G9S^mXh29~BHK?|=}5dH<3$M}c%g@0am_lV;E-PhyG
z?eJf-{OE|qdI7O0@h^3h5&z!CxJ;0_mVa}8#OpSHfw%p&l&4=e5bbrFp_{nMu$GC}
zl@{ot$uqCpT%mN7o!{&SJ36u-N5!H75H7eKkHuS%xmHItilhIh>ixuByUyKaW1M53
zf3f(Izr}z6BFg$NANuA~pke-V@fKtr<KGlVd0g?R;=leoUAHcs>Et+5ELJ?TXU@`@
zSOK<?%Svr7mhAKVx*&5c|K>PaTdz0j_rsXSnJbkZj$FEWr?Ywxi=v0^n+-j*g(d`9
zOb<~UXGZ9O#~Y6+J?y_hdnI~$uo`EIMbSgfpA9{5d=O-w&_it+XBL^qnU5>~pZK)x
zE<66W-#?4RQ~6(zxz_*I`BAm?2dfnS-3J}n?JWOdu?KGPHjgu<e->mO<DU*aE#pis
zS1bPa9i372kd6GvzW&9c=zqu#BmOnVJc}Un82@b|*B?Bg_^&wLwAC_4`4@`{K)7K2
zb3P)-JjTCi{Q-}YpH%fO{_c`KcKEN^Jd4%+v0_p5-{>7f|IEK2b1nbo@qyRwkA-Ud
z`u)|sj)-;il+w}7&2~AgBe5ttT68c{M}jP-BmHi`|LuHT_4};#=K{!l9hYmAj^Y|D
zeBcoq{Xxy*k=4AfSQH%{{wz{Qg3L2I^4h%bWYH1lbx$iDJu&X>TUOZ6k^Q_*EY`zQ
zJRoTO_E`qQdBysM1~S*`$a-9Z=X03z>Sq-HyZWuT$65Zxq5^Od|ANe8{NuSdX8xa5
z)$e%ttS_DAUn~m$Qc7Me$UMeBTDzJ5wW`{~hM!aaQAgvCSQOr+lySWv^EUtMRJE6^
zT=J>2{EJ25T}tME2I9XU^EUs_scP@*^OWx~NA(}JNO)8kP>fYbB>o68kMWPZ-W-3P
zSGDfgcUPvf{EI~eAiRD>^e@Of#y_6>Xy$*ts{TFO*Kcx`f3Yb1ODXynWFF%m4~jGM
z|AMOao6kQ?k2@NF#G>#nrSLDvJjOqsXK3dCMOE#d!P%2mJIcRUOacO{_%Fyj#y{$6
z=6{3YzpU}_ZO=H$zgTRHhlKL@cdSCf`fr|2B*;9*Kc25;=6|EA_2c(tJ^ZYr{EI~e
zAY3s2vl|f!GLP|(C!(48|Ff$1(u>yab(Vjz7$#nA2>*i2WBhCN=b8E6q-tIM&%3{M
zmVdE$D*gqT$M{Ee&HQgx)jxk=&+%&=jXz@1ivOLBi3FL)_&;*n0^y(U^Lt5EfAe1x
z=SPo!tNSX&Vs-wLaqkY_zaz+8%YWp3mAH@2d|%}jRqd)lcW8CPfA6H`&)crq^&_k2
z>xjiEy(iz1G?(bLp<GsKnc(~pyakzSc{g9ruC41`BkrT)_V^d2heu0y#@W$>{p&zt
zaiEU|;g;s`l}*;e7`z3UYxQ7#9msSa6|Xzqs`#IC=rddV+i#CzQQG5$BaHSq2J8O?
znQQrXLwnSp|1ay$c{up8(nI$)DSkWcv1WR(T5l{CMGu9Uh8{RR3o=jWA(v|Yoao4B
zyPkf1NaV3Kdk$=|dA;#A<^KVT`qr`IfBW%REGhuuLi%Sx=34(-$79p;Zg_pfc2#eG
zmky2W@L#j`XSLo>EK2*^aE;Oa1_TXcuI1kxkG;0uPyc&Xvc87P9ZE-MUeo%F=;_F6
zot9V>9d*kwbo6V)aY5!89eHh?R(Rbg=jS_>j<zhzYGy}A_WJ{|814wv2KNUXj|7=(
zb!6Qipq4UE!R0He)?=phTb*WOylkI;vDgeNi4jo3*9l~NB*;9*{|CQH5&k(Z-lh28
zvv2yEdN%m4S$}LbUm+G#wtt*k5Azkr_H$XOEra%7#`s8(xt4!(e_UJVE2w|(cT#11
z#N}?Khy5QkUF)nK#G>fo{Ypa*tDy-&7Slr%@6V-fmj=>A4;&U>ReD(5cUTnlU^QMA
zi=v0$zhUTs<AWgcgdS?sc)5Xjyu3&G|Bh{Qp0^VZ?Dx-N(aQfDp-e&MTK`+;M?*Ky
zlKz>?y^8-oKDcROeH;C=eg4Jb{vaJX14ue5B-}r9JQidg<6nzh$MTx0^~~2M&1m2#
z|6)-A2p7yh>tB$0jQ{qOE&Atv=yg@^*_)4lW`}?K`Kefx_%rYO$o@x=xt4!7<fo;0
zPHDE}BV6uNdRTP(j4zzkgIE+joTGgb9<LllJ|f6sdWd3v%6jN;*28|KhxyZ&Ijje<
zD0-M47pVt97Slr%^#JeVuaF}y$lo`5L+PRM^olQ?jSpf`^zd<lp@%i-vjtg94^h;^
zwJVbXVLkA5f;W{OE_`V3SJBgh)pY`~D0=u)QluUPnJ4t%#piey%k?IXFO^D1lao%g
zZD?a0U_TEPi=w0bK|@D84ijXa&{1ujC*{9YU2N`W-covabm{hX&gwxdiXM)n8hYSy
zp&*OtA&ULXNqRV-^l<Ig8{0dp2eBx6IG7fx2SFCoLlpH8@%QJs-*{W;q3h9&9ipcP
ztGq)jiXQ6MH}t^$g&^~U9=w=$gx4qVy7G6Fj?Q~^L#Z7d)olLPY8}5=Ov95U{6H~6
zA^8z=9c^)Qqabswjw09b7f~nkI{tT6ZD%wueajB-_VYclSby>(_cz3K@vbwttkfPz
z!Qa9``xRua<=qYQj`})N$@lnr*g>U-f=-Vfj-DQ@u7iq2(ZfHh=|PZrLJzg+I%xRs
zX7lxkL(2b$X5Dzij{j>Ghtu)*KzuYLeP}vNhF*QdqLu&oI=CQnt^cjBgHEMs=IcQ3
zDLOtZxY-u}_T#Zw6#hHTGUD-i#AHF{TK?S-kMVR9WBkp!IIQ&Whun<M8`+qTvELrW
zq5=>uq<<D<uGNEedo-=%Xa3(;_1>{*`Q_=3@-G&{#H$VFpWCA#^BDig!6hDY`GKnS
zpjMx)bC!RxXvP0p@Gr<b#($CVd@CL&98uM8-0-%qqQ}40xJ)co=YJ!{2HlVk2r}35
zA2}|=1wQk*>_b)U(oOp>-(e%}*v|vR;^=J`r0>AEtYj~jm0BN+g@42dL6EtYcQ@n#
zg?NT^iFsW1SEYw%e%O)~Jv~^B%fzDSq4R5zdJtru&_k^pm$42$QvTokufIgm|5o=e
zh(+=Lllu(+=O!A+JmLS^dR>kJ7%xja;JoN#rH4HuPmHh=5A2T%#G(QaF1UaAD$YRW
zT0K~g3kFlMIWPT0)w_8?-biQp7mN23-47vzpZh8N3o?)KUq<bOe{KhVQ~c-8-f+cE
zNAn}GDDm*E4<qBDAagDMZpe@H`=liva(Ptg;nEYIWIL+|u_$`D`lCoa2(p+SqIg~U
zA}XVD(F0$X{#5DV-O{zAqo)U}>(XLT^sw&ZNIeKLPw2tZ*QHrce^)wcH8{ICdOEVo
zyTzjDsNc~@9SJf|=&07_-DBZ@i7T9ce5Ul!{ee3(ciG50?C0HLQ2_`SocG;{XDJ9W
z*XqGK??yc(@8j}wRqwk$Y8kiNQU1lEw8!($Z5^H$<8iPc^BDhyR4DxO{Nxvk|MF=C
zy`smz)qJp66#mDz3i00%W6qAyzaVoh|B>^-Sl=)6!QHSd=}X1?7d;MdF?hdy^iuzA
z>Ot$g{oz};W^c?t*rVqwW1Dl-O2u8Cee01Qo5S!f#YqAau@SFzq47wW%J5g4F2xi5
zJK(Ev*po+vl!NW|C?{Y~3F!+!DIZ6+$LC_~??6-WT@lKQaIb7f>Wr<9)D8dV5gtm2
zZ_026^CzEHRW$?J`3{zSeXFX@28^@dwfZPCdSW9OBrPz8H&Q7zu5TRS@#S<QKBHMt
zU<rTWr+_aQM*+W9mk{u1FLwHZb;<9?iFwDj`VNFwzvk0-Gy!YAppSo|={tJsJ2XBb
zUf+?g?}(>Het=>y3$Q~s`64!g0jd|LCFw^V)sMtBAIb2W#w++4*a+64)IcF`q%i!@
z5s%3cd-;n5N(db1jYLX_)6(>lHVrVqG}8Q9RaHNnG=q1<Yfb1X8bVpr4%Bv{;nWXA
zXQJ$mvOkT4Bc@UTT@R{rbhi}1E#t6VKvIu+IFVkDXRr}WrUr5TU_EN#*BJ)^#BVU8
z-h`EJjqt8VX=MMpfhe=*3yE2~aowQzPA)68MF~XX!JjDDwe8al<KhBJ*2ZzX;QPej
zUOI+?U!xzI^YY1YgGK+}(1X==1F<N2_**qS2r^ITp*CGN$YH<BeS%-<-Y1$h?)xbE
z-)j6K7RCSNyCdU)AoGO(YwP%h<3V^{g!8zsl^z=2x_gJ6cwm40A{I}j2SMgqJy?%l
zz`x|rT>eAx-@9>@!~BcI1ge9WZ(KLv{<#3_DFm6f`9H4sZ+XVN#8<=PN6Djqx<9n9
zf3di}{qLV>^2+f+Pwlw&`|IXS-6H%8GH>#a0UC?W5AkLDT2)|kLU>%y^R*MjFDvT2
zR4}Mgzt1RH`)~g}0jv4imdawQUp34r7zCKpxUAIHVpOrdu7S+8e&M|JOf+(^OkSL?
z&5`?;IlfL(I;!*JIdO$HbY#DMi$w(>T(FLILPvtkwL0Sd?cmAnI49hWdA_1R)%)4B
zuEV0ozt#MZSd?}=@P<%3J_POu!v})Qwfyt^Q2%~mT~T;`h-Z2V)&AGkly)kzp?mw|
zezCax$(g?_MEq>?0+*FqIe70_$3W&<-p%o|w&wYI=PK7JxGYk7XfmgBXJ_>w7DW#?
z{Mpb$6KFz^#q<!x>)|8XA{L7txaTicdT937OQNU;t9c-?D0<jaEj|b`Pw1gG%>(iD
zu09XMdC_F$|5nd8y~IvDu%8!+MFk*SaR0#ZK#;lC|EI`{^1^u$^Z#2_Z*4-c!~BcI
z&P1IX0L6TTMEDnEUgO`mZp?XUiK_M14?Z0fJ^fqdrDAb-9A)Af6)jUpl5sic0?gD4
zGS~87EicWB$V>T>BflPOKJLy{j^?Fe@%<@NMy^6$x_c&<mD&Iv3n1<YGS~9%hP>2I
z11LxG5H8C?a-bC#q|I|y4`NaDuw#~?hex0ZK^D_P6!X#?xZfvw;QVBY(!-BqFNvZa
ztnyN^D0(RWouLPg4}#1SdZ<l#Y54ji=S4Rt|G%)Qa-p4gU_UPvi+G~(6{Dd<$wQ@o
z5M-|P|0(j);)uL-s^b5X@*ej(%fDDu0K$dvFUY*czmb=+{>xRp@BIIY<IeIg7H6MF
z53~NqDkRK5uc;GcUgN(sLjTiLt=}klGi$Yt{M3H@5sT9QT(C5<{}E&!<Nw}ezh>Rb
z`ji_L|Bvrmz33?${M(<m7K>{dy_EhW#s`JXxvbPSLjP?sE)!&~<=+kC1DgM_F;B^P
z;dG^kf3*lMc2*B!QS>nQTtg3;SWPL&VtR<;_yEgT3nS*OXDB^%+0i?SdaxQFh(*yu
zY70XT93KRkC-hL8#s~UJ1@0fXpSVf+zvIZOm)MC1_WNhCr~rfu=^q4{YyE$U@quwY
zpZTAu>izEFh5Odn=%4NLFBYZ!jc9AMKaR(O%wzoH77EFaxcr^s|InVKZBIMOzgS$g
zXTznRkA8aSviZ5c{ASLIU$Fi^!dsAejDPTL=D$Mm|CILk7oK&Lf3esAcWods3Xji(
ze?jJ5{&`*3EX9A-?ADv?@L#j>!FzZfsh@hK_cA??R4hvT*><B5e^~#5%(eWR#|OMF
zuo>Q=Tf6WKN^J3MU=xsz>Cd9VrwRJ)U3?Q5-{Qr$h81AaEC-+Ruyq~oL7GZk@Tn7S
zB-8K5r)l^G&o>3RR=1Pcw?()^if=(PaApF>6zt)f*z{K}`BKd50&iA2dh^VzckJlM
zem^D_Po*P4=2{(D=MjlCP~s?Gf4xQV|3I%RK8hayR@Yy}V)cG(C31-7nCBN{uH`@S
z`YW!u$$g_do}R6EU$yn-h6{6}wXWLg{vWZpZhcmZ1-V4aw{uykjREJ$cz&iJb1m=Y
z_*q-m1@axD5!YXDReE@E!+Gh>>Om}u9uB->=wUGKKM`axJw$VUr4(JV`TFZ^N)OlL
zZu;oy!D@a*EQ%fm?J)Gf@j;MzLJzfeer1mG|M|^w&$8ox`+1RAQ~<&S_YZF)zZPV!
z^}lsqg!U(S5tnmSy^md<=P>_bF-*MLVE#EC3o@_qU#RmRuLY?uhA)%pN(^oAuw5F4
z0Zp#{#0+QdJ4;IG_QWFOLlXbW-;a!cw~J%&v<iO3H^P7V-~DXaWl{ctW6z#|e1>5h
z6#1BrcGbp4?eHv#>SMTel&wGPqX6T!lDSuR>a}or*5cbQ-ZN;_=G>Z`ag?%gCC=Re
dPo|ix6Ue#71buYK&!WI{2t0n@nf~{y{taHsg9QKp

literal 0
HcmV?d00001

diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json
new file mode 100644
index 00000000000..ca75b7d5c50
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:32:14.8941288Z",
+    "event": {
+      "action": "deleted-group-account-from",
+      "code": 4733,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "test_group1"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A member was removed from a security-enabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local",
+        "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "PrivilegeList": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111",
+        "TargetUserName": "test_group1"
+      },
+      "event_id": 4733,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4627,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..d3d06502c30aada232419ed99b89bf4a137bbc27
GIT binary patch
literal 69632
zcmeHQ349gR^*;0R@<>AR64tl?LPZf|7m%gw5Eer~gGg<wi6kjY7D^HcLTOMGs0)jz
zSQL@UUldeSP!tMMWET`PqC!>Nigm$OthW05r{9@(&zpH+&^YazX6E-EzsH?7+xhNy
zzkBYvckZ1GEiA~GRG3dSKR&gi5~)UUL}^;hQ~u-MX=hcx@*m$Mc7qrLF$Q7`#2AP%
z5Mv<5K#YMH12G0-48$0SF%V<m2N@VzSTJ~E@f7s&L!UFHm3$b30-KVEX79b`wb0r2
z|7SbzzkbIr%y(!WAo{Kz(U<W=C;a9kM6DBu`eGR3$9@j}z%`G+CV!g4CV#$G=f9-(
z^S<TSS5N~_fBgPN4U(Kw!$y(17hn5`+8%{-GjPx6Yuty=apF@2Uadau+M!Irt(5!i
zQ*(ax()=ndRnsV0TQF{g|3Z~Z-hS`(o3pnR9PQJ0Z%)hg$O)e{umL@UP0k>Ho==Xa
zp>#dvQ!$m{_dI+9lhwg3sqs`nMO27`r8p3;b*G6qt&FBpZ|a19r8EJ1@^MZswmTx7
zggw)!1iwnC0B3f@?-K0qMALDs7-?7PjDOv*)tP$Y|NOA|(uiL^t-AUY%1X+uWNd)4
zX$J0Grdx!-2Ub`A47j93|28v$#^~0shpjxEH4R65;F}?0yzDMNWdUpv4iW`}qy@$+
zJ+y7&r(smCUx`Dhlo~fMjz;0M8`K$J<<>KiHG+oVSQ~r;EIGbS+qaVFa@-;plubhR
zC+QHFx}cu|zF-^${91kb33iCm&q}OE<J4)Bz*I4g`GWPy??)N8zz>ml-obdv#ED#1
zh5AXvC;6xuel$}$9XiubWA(C_qMzbpgBrEO53U0IdAvn{Mxy|^SePO<r}3TQsWpB`
z&6)gi0$ql~Gf-|N;4u%p^QrOF#1GoX;KyQh$3Az|htWwor-N~7J^*kL<>4Hi9<D{K
zsh`eFiYP(32=oM~L7bKZwHUr6BQC|n_7%7xLuMo)=6%5=N@6TG<05egtNvb}2J5FW
zjzS%Y(8}H`BSY2jq`xK6K-{qmz*#M2$Z6=l!FrS$V5h*v-hF2SV$-2Jah}d_Q3}hY
zy1EE9#EER$n1~Ei=)lW$L!sgw&Nxt-#8{G!Br45Lz=@^!r%)tNLV#T>7wyfx62S08
z#jOw!Or(T3ElrmbJ7fOb1c?sDnYj>Bv5uPyEsZq4R$Z+VfD^gk`V=SVL=`~_3@%hx
zeDPW{x(X1or~|5K7bs;ADr_dwUPuRni;fUPAzg<HxRg6$y96|{;<+pa0fRW{l^qjM
z++1wsKpvu)=scVe5Pw~e8K5hXXSS~LolK45{J{p)%1;e(Dx|4@p=2~@p<E_V6H1^4
zIEpHOE&e7@l761P6aQu4R~n__tI@~4R@md~F`I9QPs_^Q-_0mszv)L2SK_8k)e%(p
znhvZ3_+ZDChkQ;4)DEZRsRJ}oj^ms|KJ!;}!QFGmR*YRbV)gU=`ovwdBc&z_A$L9Q
zoAUzf=-FlS_Pp1+UbCQl;-2kg!zZU<AD@L%^JA0SS^f;UktHSWdWc>Gx!BL1a41r4
zcUf7#EAhiSaRKqs3-ArF2aMN(x_g)gjQKby)Qd;-rGRiQ#!J<`+8S4;MO--qY_QYk
z{2EsSFJH}9F_LqQs}m!x&c=0l<V*2UBR>BUb$$fSY;bxVP1f~eAeAfQLRWTISL$vi
zl*3e%kJXh1N(hRr_EOhgY@lpV<67%n#)q!21?o(&^ecReA#ToZAmlu|D9h&?mQ!>m
z5OPI@$TOEuCRpOe&X-aT7FpzI>LBN2e49}t{VTt@O8Bs!D>7emE$+b0a5<`X7YL>c
zRGf*rJQP|TOYrsliEo1cu33{5pw``&792VG^i^;SXF7IDBV3z@Qs*)cA)BU4jGeOi
z?rk2%ZSd)UZ(q8S;}x7yO6?)Z!PsN=AF|KzBHw4<DtBEYY@g}s@&EOlby$=L-?66j
z>t#qo6}s1qw2fSut^5{tqX0vGD-GK<{T3G}e+Hot*>4R;nog}ys3X!xri1&?X8>DV
znpYLxAqU3SNBfHEd#mg?6BAsHwefNzP|_SFamleR^L5Y1!CoQ$O`CspmwroDWi4B9
z$$?>Gx8>F5j$@T4y%M#dlOBWc-PuWnT4-)VlC_H4@|HA0W;lm_sz=$rHkCxxJ*X0U
zIQ|_DDsNM{oU{0-&c=`BKebl;{~7%Isb6|O6aQjy<EE@ui}Q#!oaD4h6aEF+_tvA@
zu=T&<f5HRp`ksp_%Yt2lQfPs1D0G(=up`Q=rZzY<;~oV2oI>~<jz3r_*P`{GPTldV
z3!;*)IHLlARzCL40J-c-YIYaw+ajee17{|1l*2Z6Quw3)X8o{^SWma>yNPlJCnes6
zQv9(xvR{wIqLq%4QI7?gYjtE@k5R9s9<K!dcPRenP0D>Ydi?j&>+wX0jh%}A86XxL
zQi?A19Ce^ExF3M8AagDMf$jA(FHvDFZ)Z)IGj{E(EjORsA8gLMRdmS_^&qb9p*9=8
zxLmk?a0t3kvC@4?*RSl9Pwo8dY70Lr7NvfyO&P8G+0FpG6j%kBYs<&%XQx7#>}OAJ
z7doEi)3V{qLTxbjEvI6e`&K-D!yU-s@V}w>@B94jKwLK!MH|_(=@{~lCV#2>L)L-l
zVUg0qXN!k8tOv0udRS)C!(2pQf-I(oDC&VrUlTpB+gz;lFfQkwDC*%}3;!S%MGwWn
zNdF+nJfVlYAK@QDqhH+dFUI%#<FCkbIWGTUpU{EJUE-%Ds{EhY_Qf}L+6VjblUO`g
z@Ax8`Q%JadNJjf0$Xr|g*71`zARIqcpq;)`<@$@1-EsFsEq+b4h@Zq_<=^k^TMk9c
z|LWQCp8-u8Vy6x8$AZkY{F~z^2%d=fmUeKd;{BPC{vprU;N5;)Bo><<q=wJr5iL8y
zX_Z!%MD!wf7i6yG-3@UO%}n3)OLIGTm(s(OU3X_hPY+h@pjZ?=^nW8#4}#1SdZ<h7
zpguw({@`v^{&#F#7RB<n>L-asDgRsFGRl8VGLazjMETd%ev<ycTl_&K+KGFV9==UH
zGQy5OupbwRMJqj2qKyz_uGNEeT!daP^Dc4eGR1#R-_4_)<zFl+0O5q&XReQe%wzo1
zoe!G%zgOjZ@w5|5oaJ9E`jRPlITVqjkTCxn@D*ep<G)>KJX`etdzI@8mbcySEdOFr
z{Lf7%BikcE<}v;;-N~%~<%<7a8T~(XmVdFR0E83KzaaA%{}>ZB^M9Yp_qYkOe!a;?
z|IB{-D;C4Vs}1I#`)7j8+x*|Ja((hp@oZ=L7mHT>`_cXiGVk)w;}k1Y_V4_|iC3PB
zn*OcEg~X!x|5X=j`uN1Vc*fKc{0lPI@*g=agn1F>aiIsKwwJd%`%l05@z0a(j|-J4
zi_Lyoy<_`th_(;ov`YJFD#nDsyC8Ed?`{|u;`xwQNk5R&l}Zl{Pkwu@vw9GVqK7Rb
z4LwZ77_A_S=^={G%Odo^&rKdwdRViteY5E4!D^gPEQ%hAhZ}le{~*Xbp@+IOPB_8*
zylj;!|J}E5Z(*nW?Z>5JQ2_`i+&-{B5M-_`f9r7}w9n>#!5>t<j~p6#p0oUm#SBbM
zM}QWduOR#jGLP{O@eBVv@9rVR|68xbSJ>gdcJa}1i}?a#QT$)(Si}Flfqt1Fb1nbo
z_=x9i{sdq9b1A=n-axeHZH5+cm0>Ou&nqp|MU!uyx4ByBD7&D=w{~=7-;at#1t6So
zJ<h>bkhxYzweq9?r}F*S9sADTX``QGpMSCVg1^;}06fa3&mZ{eW1wOF^Y9g99^>ES
zN4a0|u;Rbrn>}`{nC)agQ!G|Kbzt6#*_Z*gh0`i+KBnyR__`o-E&paeT34Sp@>-o!
z=6>cHrHA9a*X?mu4`NaDuxp#4hxX8fAdBfCiv7$8J#c^H5v7O2*K2#Drw6NkrdSj`
z<o?mn1N#R-<_SI2rG93yxu5x{D*sa-x8G-{{Oz~TV)0DnFUVY5{?_qPjrj*_75}}4
z9pCRP|6;KZmUx@{nbJNBGLP|3$DWjaCa3EZ|A$V@s(!#md}Lq$Vo~%zVz=S{T4J0<
zka>*%c9HWB9#i~Re%ZXuN=Nw@iwZzEVf}MFBFH?(ziIvf_mdx2`7Zh9(gAk(uiZF{
z)%sYmDEe>mrlEi4Uy!+$e{=u9YwKg78o$22n&%O*j-F6Dy0OJRhjk<tMMq1IM(RkA
z#dM^v2K?WS*VSBSt-lvQ#_Kp;uXGgGXvuvK*=P@H=Z~z$eZ`{a=<QD;btK3<qa&}4
z`%V=daa{ML($QlR-nePC4ISB!>%?LMyu|~8)|byR7>+A8H8zmBR!7$T8oZyw99KW3
z_}@2Z^<B>LFBTPm)A$!;9^)V5d}jWiR@v|T_Bo$B%fDC@{w0;TT9A2+f7Es}{~J`c
zM~yzO;lqylAF(LBODg?(LFR4#H>zweU$gvUXZaV4!n>r*|19`_LFR4#pHbO9G~fx}
zBaZ4nY>^U)$F*`467fHR%wzl`t~dLiXH~8{58RjOEdOFr0SM1u5&a7?kMWQ9KAQR8
zq_Th4u1#B=<zFlc|B{OS1)0bA$BW|3{6D9%{o1n+(xZ<0AF(LBODg;eGLP|(_Zgb`
ze_my~Z*cCEb&m2c7L$O$%Kr;8kMWPZn)%<X_%CZZdgoJ)@-G&f;yt_E|IJZISpO~4
zi3FL)_{aOT%=~XrxqkGXtOuWVlz*|P0E83fe{K^ZLFO_3@kTT=|9@2ZUeR^KL1+0F
zi(%r`hVU=QJjTD)aG{z1tt!_Q|G4vOXZaV4XX0Owd5nK#*UbMmmHi8c_MN!FQU4<r
zt@z*5lt_?yjQ``eEEfKGo!<*8``g}6TogV2t=3hF#hUylW9<&F-w|Z4<v(&=CDzfI
z*Hvy;*{&XTt5!e!_fBg6zU|sQKeBqij#w=3KlRq6`9v>|<g`l51m_RoE67~SyZL!`
zU7hb5v5t=G<DZls9xmMzXGahAp96`-p*|XhCC%X{o2-ZN_zE)D>cRRskZBzi&pY0s
z_@8&|6I=Y-ua9C;>f^;@jQThp^Zx~zYx#FWebnFoFZ0j2JNTl~L$7uzemnKCc6zXy
zZ!8u?4@H@V9@sw%GEe9sk81y(=*V}we*gTC$a8D=9@rA|eB+&}{D&+ZSkF%R+xN#}
zQ2_`i(mo3^*OtGvKQ_JZhUZ7@Qu+3G@6^N&|Fx@sR`dPDqSU|5zclLKkf4Fgwfvj?
zvDfDN>3`2k=GSn#Tj}WRU$#9fdOEV2rzI9eM?G^59sL4+T#$K2M_!w!6`nWB@%bL5
zqwOoRTG-K%{q{gCh8qI4!R-P2BSGd`9a*;r$fb-^aJpCJdVKkyb!j&G%l7#fi!Csd
z7!D=;oIv_Vg3M$5zx(qP;h*E;eTx4Bhi0yCV1xhKwZ~TD6=E@E*N1rxFkW%;FsD`8
zN@)K@^p6CYYxy^~$8~kQf(G}0GgbOWobFe8IQ(w&4bJL8EQ%i9sWSAi4w?{TF+D_a
zeJ=Iv9Y_;Buv>gd>0#NxQBl-`RexD5iXMLVs-Xw=4}#1SdZ<hN<woZI@&Q%;x9*(x
ztQ~(~zkL>qR^`71$`oX-Er09yXympz(mr!~Q1So!`?pSRXrq0$&%ana9He7s0ZC_t
zgxhEK$AZjb{A-c(SYB4Sp8fKaS&ba!Uo0vB;e`2T{R=XW@!yfMMgQCmy`u6xciWer
z*x}!Pd@2^j|1A7xWcwq?T+6>3;?q*Rr!-sQ5l#;&JuF=?>oaHdAQnXr=V>2>`zt39
zj|j4u9-<hZvK|JT^>A3}VbRQ$4(mZIiXLXhMe0G2#q<zGJ)rdQSIFTP<nJ53s`Suw
zX65J3`UkNndiXHG(8GGP*@7&lhbZddnl(v*upan1!D~tn7e8?Di|FaW>N$Z}6g~VQ
zDN+xD%oBR>;(I(x<arbOmnx;BsY$2WH@49aupfttMbXjWprIq~hY2!I=%}ualk(rH
zE-|+=uPZ$~ykb`eXZ0W!MGwbQ4LxwbP>{v+5XE-pG(8+qdbnoC4IQ1;gIE+j98HVV
zgCL9PA&Pp4`1|wRZoHxN(Bs6GPSMkYRoo#KMGp-d8hYUNLXdev4_=Hr!t)b&Uiq6!
zM;E-bxzvu1YB&CCHIH8`rs2&JexMkmkbH-+j`mpGD9Bu^qsV#u#ni<-kN+)|+gUA3
zU$?`%{di9-Hk|s<y^Zl)yvHm~tF-%4@V9VKe+8Lqd3VFOqdw16;yr#Ic2w!1u*<`5
zM^6t{&q2ka=;0qV^dQJQp@+Kk95noQv-x?%F;)J@=G<`HPWji)52xerf%s@d`p9&c
z41ETOMXU1X=iq|OwdHU99CSL(Fh2+Sv!dg@!W(VzZ{Ht_Md82m9K#=Pf=?D?uI1ki
z{upmJG5X)Ei?@{?ZqLj3w26)J82j~6EGhuuMA~OT=2|^i*GJPle&+ujmG9kKS6!Cw
zDF0$HOuX7){<%I1GLP|(7+m}zr|+s<4{P(uMrZjKi&p$^0RMu_WBeBz@3-Q9!f}=T
zrj2j;B6|E=^~=O!P5!r_Z_pF*fFN@%|B?MNJm53;%idGjF5P<gvfVcPj{P`5ERNfG
zQTlH5%cdRVv`QO*zVLVGAqX<p^6rK>pa}1fo@VZsy|47})VJHSqNfL|ewkPlJ#>3H
zQV)X66MCqV{W8|U2dezH{p(LrEPt!@3t~~q|M5dc`R64X$UIU0b@jO%1<+p>f536k
zhe{6zt~fQujz6&9FA$3gKse#{;fpu}nQQf6-7gqUCFZ#FBbD!#h51)F%fDE>m*`#y
zA^hG?;a`w>jQ=v~ApCPZ_>1DdVD9G2_c$6KiAC{;ufG@R4+WWP`FBHnq_2|}f5_<x
zrH9_9KFW4h4`NaDaP<d~dJtqWJw)-jbXO{)3ef{Um;PAk;jPjQ<D#brtLM^UQS`9!
z!$>^{GEeBi)6b<@Pk&W9YBM~$Bziisio3<4=xET1NF50>Pw1%5#@#t6fAK3Ee|)0!
z(Cfb2GWXetJM72ZVo?DICmi?PhIc6lGS}+CI_^e3CGO+&Q<d*KKWH7d-%<X>qSVI=
z&u<$Z7vp}gAoCdiMN}mG^Z4XvivNlkh5e$(ztwoKSQP#zwh8gy7=6yp(7zyaE&q|@
z!I<AK<H0>KE$MT``)7UL-fr-|VB8A-E$T(<y#3zmH)n4tINGQ0-kg@~wNkOlb6^AV
zV{;U~rMO98GB)D1?lci0QyKnhQ*XS{zY`8kz@B_6qFiiuL^=t3rjb4YlnQWWNBl0q
z{!TO<$BL15#ah|U)D2smsVDx=C%lvpN6K&q^Dm!PT|Eoh`39DK1FNgg1&ni0Y7LQQ
z^u<OnNLpY#Z=_Oc+`u@(>&xi|{6@8+z;Zs|r+_aQM*+W9pWyK5Aa?qK^~vwYjd{n{
z`VP2Pzvk0-Gy`kCppP%n^d0^69U7kzukR?(cf?Z@KR_{<#n_>nd>$LY05yoylJqlA
z=x1V^&t&+`;}!f2Yy|63YM_WWQW$>dj7Q{*gM1)?5&~cHMj|D|X=(aRn+F(R8fkv5
zx_S_9n!!8bwPth`ji4;*0BXC?Xc`2fGm-W}I+(6NK}@GYx(-z5>cvusVwr&LLXvze
z#EtZPJcW&5GBt|x2OCf;zs@)aApU|G^(D-FYl3eBN+bKv4MdrJpG(ZzkLL#c_i$RJ
zElnVr2>wLDuC1SL=oc4KvNnPJ1+NoB@zO~o{2BMaycbXR8!Y<&h90b*8;C{G!(VFX
zL6CVu4|VCeK`xiOtP}h~FMXmp6aE>+^0(^0h(#&?iv5xPK#+N&{OfA}h5bQzT!iDe
zzbQR5zIp#{JO03a|3xgGNe_a|wR*7bzkq*<pE>=z;=g~>YKQq3iwRT@KHqq5!0mG(
z=2HkVZ}b19;=lD-3lm=o_a7yW{^9n}zW&AHrjEaRtl8c#hdr_TntxuqaQb%PUyyl|
ze{|4Tbbg30+t;QNo0G!*dLFNxEakGg-V24ps`Pb6$=ZMW?+I9q*S1y`+x)z7Zs9P%
zoWW_8wgJ70P4x|At}PdiThB%%2g~He@!DKjzs&x1iqcWN$Ipu^vY{jU^;;||0O5pn
zv<Es8WUkc_w{J&JugAIJdd%Y$g(}}qr}Y>WJ^ro6hs2`P<Du7w>hUpfKOAKs$Xv@m
zj}HwV6xJ1m$A@^Nr%3I8d3|Y@VjH@*-|rWTs~(^Ivm*G<cF%EIrB#6U&h-pruI1hA
zKkI6ouQ#spoPyJ0rH5wox^;6_4`NaDaQz<*Jv4(R1X)ZEQG6agragSI=z&}Q5~YV0
z?_U~4Jy?wciAB-Ffg1inka<E6b!i-khj;aHAdZWss`791Z1YR)_yhZKkyum!!U?wz
z><<K)Ys>!(aZ!FaE@J+Ft@5o+Dsh;9vDl5MTO*)Yq>u>zg3N3D8_$h7E}f=wz2n`F
zhec2SR&l9V934lQct%Al6_R8;4!Q^<^@7Z`{MU#}^CRL?e&ooX`&&-9ZLOnmsaSlc
zy!?u_h)eg+=Cn#1!hHew9YN+=-rW$F`e_K|N*uyzSx64F`l7Uj&gwxdiXL{)G4${d
zG$F`hdWd3Nnv3H1i5@sUDOY;<F6YuH>cJ{56^o*Wir*S~VE-V<JfVlW6qkmdPjXyz
zy(<6bwpJ~%;}7h|rD73pG`@Tslqhkiv=4&JwdH??xU?i9E}gFU|EQwR-Olna78QVS
zBK!+7ukmlhrL6x7mG9gBzw%3G`4@|GFQ5lm|2YZ?^UrhY1ew?PFOAUu43+Cwr@fZ7
z&PIG{-~Wh3X@4$S5!wC-GLP|p_sU<e?qz<;4T}Fq53O7Jgbn`fk6Vky^-W$#e;oaT
zqL!RiX<MNG_UM-hGS~9&hW-I9`p_7s<hXFA(!;-61(!Li2eBx67=FH?hfK_-6l5_y
zM6rK>X{<#N<JPm39=h-DA4NS_^$*0N=pnV0p$GO4g3J?os7w6=eWn7p58O`tMwNf(
zE3RH{#~;{lpT(jA5Kg3h5M-_`|1<OtjOY2x|7?}-x87cIXuXa0**^bbQR?5A_D20<
ze=Nv6#y^%&NPNWUZx#Q?4kYb-(oz1!;@Sh7dw)9a$&o7;<^Aldd8>cI`u_l5LFO_3
z!MB<JO2z*Z+Fzf0+EM<+Vk4~DKwuQ^p9%kh%)9*ayskNl|LVDIx7y*qcKw4t<9(!l
z>X+Wn^gdFtDE?>X4Tk?={R=YJ@^9`R@Vvkl_=c8t;T@FN;$>iy5RU2ZqQb99`tmMb
z1jb9ecxhN62F-HuD<50eVhz%C>W*Jsu#ik&k54mj1n)NmxmL@`?As!&km4n12F^_2
zD90XN#HN4p$d_WC7kH!6(Q9XCy=g~B_S-SBcqSbQGS}+JI*v%Bq2fpR`Rh%J|NHt~
z{z3Hkw|f367HhU+YY;=U#5lhob1nao&tLJxP1cQae|oOseeI4L8!yR=*1T$~^*>^9
z<EE@ui}Q$9?c%gb8xPKt@%~If=33s({<E&m3*;4|5zk+5R(iO9^9AY7>Om}u9**oa
z^e`OjPXt*^578W7DMgcPe*Suk(!+IFO&>iySdFiUMbX2s-G(06KL|2U=%LPzugp{B
ze_@NfbL^DA{kTXhDgfbx+lMz0UkftVmcMmeg!(6O5vTK2zE573?=b&jF-*MLVE)-3
z3o@_qU!?ONuLWr!x-V1dN_1`TvRxX54o#l^#tdiHoh7C8d~7M=A@P3|??n2)1yV40
zTLpjOo8UkF?|!!KzO>-T$)`_2KBLeNihNB+hZ=pO4tSSD%|2WQ%GO`@QHXxqwE0(e
z>9=H6*0Kec92hosTV8GMI9A!X68G+eH&aa23FKH~lHNPycTwOy1Rh^^rvLq_e*?J@
BhZ+C?

literal 0
HcmV?d00001

diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json
new file mode 100644
index 00000000000..237347ad76d
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json
@@ -0,0 +1,61 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:32:35.1274042Z",
+    "event": {
+      "action": "deleted-group-account",
+      "code": 4734,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "test_group1v1"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A security-enabled local group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1v1\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "PrivilegeList": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111",
+        "TargetUserName": "test_group1v1"
+      },
+      "event_id": 4734,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4630,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..47e2d9b3f4128741b39539624d5b799515a88bb4
GIT binary patch
literal 69632
zcmeHQ3w#vS^**!NEJ;W<39tA7go+}_QvpHb4dG!3Xb`Ebnn*%H@}MM<Ae070!D8hh
zDi%eg@&^SK6%>Vn6nO}Of<{y*idBpCfh|~V_4iM|Gked@Y#1<3yVK14cKI!Lc3$VZ
z-~H~n=RRgKsBm27gu()<`SGb8l}I&;BTCb1p7J06PCKjmjsN&2u^Yq~h%pdjAjUw9
zffxfZ24W1v7>F?tV<5&rjDZ*fKghtK!f^w}7f(bVKlC|WTFHkoC@`cx(UFzurJ=L!
z|Ic=`eocFr@6aqj^nE>|6Y)gH{N^J>trCcOVHo1ae)j#qHIKt4f11H2f4))Yzoz!{
zz9rZ<t_Gey`2DRKBsr&sjUsg~zV>moJsjs|;+`+nxDTJ>#OFd8&@maS0@rQZqD&Kc
zj3@Nb=B^q0+MFsaRnsV0yKD4Pzg)@NAHID@&ZcpPdiHuXx5ZlIgwN`iPLE-eGsvHp
zlH+L*-9iOaOl9~z8{fdq>fol-c&eZxD#SsSP`uWa#^baynnagVNBk?LvDj09bMmm=
z0qF$nnM@`4RYK!%W(WK(!Tydk1;>h!UP7JluM4(1QFr`b5H?>L@yn-GSD!>#Nx7Ab
z3Q!JB#huG^ix7Cf>gt~Ymz3z=rX|ow-TE!Cm5;L~<7hX0GewM7-sh)mfGxs7qF|7;
zz!;^6HjVu>n9B7laVV8i<NC$XaGZ9lI^*lSdM2`l(m)(*jc<S@$G2(oUJ_k}TjYVV
z3CR8g9RgDq^i#kWjH7^Gt4}|{4pI79iS=l-I&A`&D#kHius-?yDC6e%ArjBu7f)F@
zk;|%3KZ*DxA2r2~rb?%Sruk`<UKSJeQ+#YtqZatVRe(QFH4o4T6d)H1Q^e*pzEeE4
z!VjrAH@}`hSK{zglv@dS%m?p$YCJXegZ7d5u|VCi=RNgdbb`+50GwI?09-`*I7g?4
zYY}VeifKs^B`6nxo&crCX-QCv;Y%{(QcP@LjT<s#MiOG)7fhlg#&QQP5{Iz-@AYYb
zej4K_)R73SKgW5QnW}~-{Vj?5;f`eh&T1(`PDA$%)}zz_I|VNGuG`azO^5Epc{<HS
zDJ+-j>LS<>C$eFEA~H~+125MNg^G6w<3MQ=V@W!gs5CnkCzj%$LXkiT0d}oiw0HDK
z0K?-Iw?aTLkrLvxG+j>YjQMjrBsu_R=0QlsI&LnsG}8Q9b+t|aPUM2?S)8B~RRk$8
zxKLg3#cNIJT0qFA_Nbzrp_KlpuvtiZARPcMIzSMGbQ3P%Qtp85641zs=d$Pz4C17h
zbx1&QbFq~Jd5B`7^KeE${Pno309}JTvvrm4WNH}a52jN~KQ+Lqkf#2HlF^`ra+yGl
zDS^^)6jcCQ{7s-F{XBgq{>#L#G)l!+qp5K%vB%f#*L*{KT2$UYJLEV0DB?=ow2?Z3
z>R!`<wFe*Uxbl(DDS+DklsvVECdzS~bI51@f-bm!)~Je6i-xXvsdvw~i?*fIWFh3P
z6CZ9>#ZH|+yxsN0-0KJZWkK7iSDgFibW|5U3#B#*o7~RwXW(rtDRI{W^&-f_e)fce
zkaD}r%KA--AKr-zh>u=?Z-6~uycX2m!(?DAz(Jv2JfbfJgmW=orta0oxH2u`%7I{m
zoj&K+xEgr*YQBn*oNHX27;$wDuFEH1ijNxd`IoBmBXH(`)0^mKT|Wj=xiT(vWmk2j
z?q)(cOhx%vU1^|%px7!0GmP?L17&)RYprt`AG*F4sI$P*FYqmfxH-Rpkn`-UET3;!
zPSKq}$Q2bL&s;uPV2K+$UrN0*TIAM@y%M{}a@Z;}l}JM9O3owawV7d&T``x!5M_m3
z>r~iE#1(#2CN!(4I?4DprH1-feslHnVL$)ol${6Tyb-9m=`V*%=?sx}M$O5B{}=>x
zqX_K_f8rbCzZ+I11*lcmMdJ=0f9_g1qthKbsS&QtNB&r6AvPxKvSzgAySHA6+u+mw
z3~1WxXXx=$1Ohu&U}-+$u*y}X-z-KNs?a^Armg4r%gS$IH+)pcZ>3?orr%<c`O_bS
zvfmnlG=o}#;Gr4AGQdOV)0ZtS%C8FVkON~7>0g2BJ6Cp`iPPG6xuIa4qom0wTh?WP
z?)f;_E5yIabFS;$d*Slz#dlr0ckrk!`L(&@DCJ47L2c-$#~^%nc2c1hn%j_Mt>W(d
zg$<Dz&Y_>`QI4;5B~f)Zs>B{W{sonHt6a`pa7bt4$MT<AEB^lk{{7TDqqm8FvABLi
zcFP6%MC*=oTBQm9g6xc%t_@rNEB?nm(ze&Ra1|`rRVan#_=ZAvX#qQ+ylQHLeGhvc
zuK$Io{~Uj?Qf`D-nnGRit23gKOK?U7yi5W1O$E7JuWNP}?AxLmEp-QYpFG_oawmm9
z`tKpg8S9Ak^jm#5QSN}G#QRW+KUPQf>#<n0(or(%u^@A;j;!l3>b2D4W#IoF#sBOH
zc^^cN{~mfh9uKjxQ_(+t#bN_W(WRcN4m1Myeeo4!uH`?lwSLy6Dy-%0?6EUPt$wq`
z#^ZZ}&3LzpE;*v^&(%HDe&QFG3)hb{)RTFNm97&n`PxqT)XvYYu<)~DQR>I)lo7h0
z?F7J!fK`yWwtUQfb`pfie)iOMp~ERYEeF0V)CP0kauT+=Z^h#`+<_bd{~L<M&g6Id
z;krpE+Q^>Gss2*;hpYq9!+fQOFBS}RSPx=R^sv~Zhgpcg1X)ZEQPcyMz9xELx4A&+
zVRY^TQPjhO7XCpjiXMuCk^VuDc|s5QKf*tRM!&e@UySdW<FCkbIWGTUpU|GmUE-&O
zs{Ehb^3}I?+6VjblUO`g?~EdvQ%JadNJjf0$Xr|g*71|pHyl4zpq;)~<@&3XopBFD
zEq+b4h@Zq_<=-FdRSreW`TB)1UjR)SVyAWR$AZkY{F~z^2%d=fmUeKF;{Ewy{(;Zi
z;N5;)Bo>?OqXy6C6D>Z-X_Z!n5t~=QyC8Ed?{0{TXj;aG>&@-peM%1#cif*DJv~^p
zgJMzi(C3{<JqR*S=%FsPgZc=G_=EdZ`QNjCaTLqns-GklrTpi<XO#b{WFkT4iSn<j
z{Um+DTl_&K+KC609==OFIMj|mupbwRMJqj2qKyz_uGNEeT!daP^Dc4eV#R-MuZ<&|
z<zFl+0O5q&XReQe%wzo1y^oste^BLn!Q^8Lo#kIF`jRPl6%>)HkTC!2@D*ep<G*ca
zJX`etJC*ATmbBU9EdOFr{Lk&jBikcE<}v=U+{vu}C5rzZnSDNYmVdFR0E83KzaaA%
z{}>ZB^Z$^__vo?Hf4RX%|IB{-D;C4Vs}1I#`)7j8+x$PQa(#S%@eF7A7mHT>`_cXi
zGVk)w;}lC(_V4}uu{U0fn*OcEg~X!x|K%5J`uM~Lm}6=I{soz9`HvhI!nz3axX>d~
z+soUY{l{PZ`1xe}<3eT1V$&<Cw{86u(bmD7R%utHVoV6U3o_U8?uKz8UJrS#^aD9v
zru5L@_;=?zs|T?tde}6~(8DB*(F(Gd9-=s37NG~8H+fX)Vb#2LO{1p=t8qfHD0(O!
zV(5YWgCO&S9_rFK;aKy0*>Y9>JAb>ixt;R2AD4<n1t6So`@sG{kh!+}t;dDXKAZam
zzgPJ_xPRDr&hjr7GqE%s0a|#yg77cMJjOr7FZ}bmyT=s&@4XRUVTb?P#Yaai)(eP5
z@qekK4FC5I`elO5wfvjoBVM=p6MXHjr9AVxfoQMW3_ZkEhP6z*uC!1WO@Vpc<_e{w
zoN>*+v!f&XepD<f0O5q|aW1}s%(XhIl^^{-mG39-*?s<Y8~q&n{ENkx{VfLu;88Yw
z`N-Fw0uA$@kFOx}82=_e%KeI!ivI@hcH6dehLinFu~_-+-q}lMU<KGFPOG#zShCOK
z>w?U+{G0t~U7c^_=Vnft`<bhh9*$nVW|y;i5R0OR9a{`Nw1XxDSxgU6>}N*kf%_Ye
zD?J>zMSC@Rda&weibc^w-X9D-uzwI_p3p;G>Sq?4`<YLu@;~`$yWMum-+ucn7Ef3H
zg3Pt$Zyg`iSbwlu@!w<c(LK)cFBW^^5pQ!pQ`%=i<}v>1@H5iS<aCYVfB&)R)sNVS
zkL>GTEQ<bz?lk;g3yiY}GLP}!Hgf&JlZyY!6U|yLbCiFvr~rf$)<4H1g3M$5o7Nw2
zKlv$@?~-pX>uZPq+KsbVJs&F;MgNW8HT2K?3o_U8Z|)y>?fF=!#!oWN!s*jWN4GWK
z?XZr-qUdPRp-3GGvY3warvd-B<8?Kkv)11WVAj!ErK7lp3m<ySMte{@e`Gc8D;7mZ
zM?Q<xks$Moj=VPRJ4tlJaosaYM^BD@=k^sgbYwrS6N~A1iw7K|{`f3|;kaT$BLkUh
zb!6SI!TUMParLu`|K0sp+~+L+Vo?D&g?~ZjG5#^mXXgJomHkdf&iT?={>7s3FR8@U
zg3M$5qqdv*U#GG?e8hPTRyyi`#G>#nsr2gwnYa00ud=;l)sj!0<zFlc?~*eA)8YRG
znYa0WUS)fK-=}?#JF5S%MZycpfFf5R5&t8|JjOrbdb9s|LFKwrzuj5R@-G$@fbjYi
z(Z3+`82@<hqnZB=D*N~C*s$4I{>7s3FRAEXka>)MyeQ7h|BEWyZ@us+J>jVT5sSjR
zq{6=-^BDhlpP`xmmsGZU1!qlM<0$`P5mSg{<^Khl$M{EH&HQgv{FgNuvHe*``4@{#
z@M=)*|K=(rtp64nM1ss?{Nw#vX8t#+TtD$Z_M^`^%D-4t0Ky6LKdUj3AoCdicq5vb
z|39dFFTG^lK4<wCi(%r`hVU=QJjTD)V4j)(%_`Rw|G4)XXZaV4r{iCcd5nK#*UbMG
zmHi6`^%}p<QU4<rt@z*7gh-HijQ^u|E)f3tIlq@x_P6{waenmpw|cHpEY{>d8PD$U
z^E-mfwfsjuSBdB7%+FPBRoSi{JXfn9{(C32f8TcP=8vr2uOk-A`%IdfG>7Q*VVqWJ
zS>XIJd<B_nc{k5z*VXl|5zo<aef*=+!^+ZKadz}ze;!CI4)W1pJkm@uf5>_mgRdZS
ztsboBflSX)@w($}ivQV%KeNTZ{rV^tr9NIf(x{JPu>N0=xt4!7)JOgO|FZs^yMwPN
zJ@jas;<r;DYo`aR^~PdR^iY&#=z;ySAoGMC@~QUkiH>}?>zUVwM4nr__rR8z*BftF
z<v(yyzj}7c-@ZQ<iwZzEk@i`TxwibR{juqNH@rS#hsw9VYsbcR_^)04vs&*b7N!1e
zyxypP1A_)K*Ya=n$6j0Sr~f@GSzp8HPNk!>uWxf!^mJskPD?C`j=JX=I{G>MxFGY4
zj=Z)`E4*%$<MUlgM_ZR=H@BlB`|W{P3^xR7gWCi4M}o|?I<jsLkV_e-;Ph3M>oMj1
z*QD9#FWcu|EH=kVVmOrWJc0C&1ewS9|KMjS!av8wyA}U?_fK1!ZiD~YwZ~TD6=E@E
z$H)2U7_T^ffYT~%8MOZj`bUDywfvjg<GMOtK?C}{n=1VyPWLE19QdHwI%oAD7DW&5
zR~dR(15F6Bm>#0|d@gmrJdh@OV7K_1(!=6@!=tDNtNyZB6g~XrO+ydt9|V~v^iY@j
z%MH!_<-Mx>=Wd_<f*pTgzkL>qR^`75$`oX-Er09yXxNsS(mr##Px1e|hd1Bcz()IQ
zpMSA<AV`PL0+LP&3AfMej|G{>_}3!WvAnKwJ>&I>(;GU<zgScN!U^-w`WIv#<G%yt
zi2k`9dPC)V)|L~W+2P-Qd@2^j|IGVmWcwq?T+6>3;?q*Rr!+_65l;6jJuJFw`WMdX
zK`e?M&eJ{#_g9V~9uZ_QJw!1+Wjzcq>*0XX!~AK>9M*$a6g^Cfi`0W4i|HYXdO+#p
zuaLtp$lo`5Q|Y0}w8}4?^$%iE^zd<lp@+3-vjtg94^h;^4Xcs@VLk9X!COiX7eBJ^
ztLW*$YMwwWiXMKS6sZS6<_SG`@jad;GT+4hrAp~&QqswGjcoJ-?8l*EQFL@5Xy}Oh
zVS>yPI;yMVr2Mz4OU&)e+e!~Bm+olqtRBRo=;3Ipp$G043bL3UqS(%yqKAV@4>xSP
zwS%*I5R0ORLurwE5M(huL{SeBe}A6ajdzqDx*glpF?xEiiaW%j=%GOaLl4|u2r^IT
z!HaQ6czpt|D}Pt%=z`ZamfF!#?Z$tt*71wQG`v~D4-_L6lJ7Cr(GCwc3NqK~C~_Tt
zF?BYt<9|=(c6y7_x9#w5Ki(6I4JJMIU?a?ncbm>>mG)2y{uU1EuOM?R?`{}()Yq9x
zyvOrlhm;-)JFh$vJv~^>gNjAb!#`^1L6CVu4|QoCH2in7c|PK>D*wYXZ#`<K{A=fj
zGw}C7d^9v;SO!dnK7GZaRr&KgxFB<F`CHF}PNAvhd7wWjIzBAC%@+Um{jpdS{yWVy
z{P70(WI^Uy{@vh@@pcoV|INBMqV(|F{LIfA+Zd0rUmwMy0uWB5eHLV{)q{0?G_B)j
z{@+*m-nn`Cl^KrmFBZeZs}1I#>!Tp^82^aD#UFC|fy(vZ)}O6+mVdEm#s50+FUUN`
zf3fj?EAA&8RoQRS=+3XA$G=s-Of1&qe-ru!-4PE6GS~7S*)PKcpSfT5p~`mY<^xym
zwBdK`#{pt-^!AG~cA{T4c^{`$T3_^qzef*2khzw3H^c!&c!%_4bHD7*N)OL|w>3L@
zda&x3iAB*vm)9fpAjmwShdS9WV;y{?%74qh{ussbw|ag-EK2!5wcjZJ{6qtpC(6IB
z&dX5%{blh792b48^sx8plOyf;1N;2~v8Vuq6K)^AiZhV8Ru9(wf+195j!QpL`EF5I
zaJ94ii^T_t9)u9W@BI}11)0bAFQfLtKi7l5DE`OI+IZD2N8=;0DE{#64<r4dAagDM
zZitWc=cL6Sa(YbZ;qsH8<T$Gbu_$`D?xRRO2(p+SqBt*o36)WW=z-^@KUI2ouXNq$
z=;^^~URo@Q9@c*xsRu#k2|ajvUYhmvSEZxYLvl)@rz5MlTP%u>`X7tbks$Mgj_PdO
zos04pzryjyXG#w}9=bbgw~e^Ne%vh<6@YNUao^o|mx3U3tsbo7Zsb$qK2ASZ`M&p~
zR&jeA<zFmHeZ27eHsNtG?gtApkMUnbMZ!OiPky2Jub5icJ9_+EjR%WG;eUMV5dV$P
z=j;Ui3o_U8A2}Y3_5Cs)+#So3zEr$_(eubwgZH~eFZJK4UbN2JAHID@&ZcpPdiHuX
zw*`BxR6OO`FP;3@9FA`(ZW6c|8}V9K8jp~v41cxha=g*MBMyzlo&qYOJZyJBIstno
zlfD3y#^KBk_+5hi9cc=V6(hX_&&qb9F4*cs-SK|`;iZH)QieO2fBCfP>gmwVx3KK%
zS6zKBV4Q<eYk)Mf7dC=H(gI_6Bb8F)`o$4mUrx8;H>wo{mhb^T1$@Cc3i!491cyia
zu+tZ;Pkujc%sal(cfh^+HJ`qtDOmFbeSC?g@93lN(D;maeaAR`M?5w50~CW<fE~KY
zm#`5GP<ot}q@Q_AKNH)0Cc|$Qui$55BUq1814X=%!tg_9JT7PK;{yql5IDgbiIfnh
zrRg_q7GQvBr1`b#>i)QCChv&Xn$op2l(MNksO?N6s6U9#LfQlA0J<6lF@*~0CQzNH
z7fT_EWh}M}N%AodH`4R*EH;A4)G*E;OsAH9opBIA`~@@WOIZ2V7~gbCBm46PqRd_|
zCT8!!yg{E`oK|Uz5{SlwKT)u2>!%y~#f6ltjb(qq&xxUU={OSpjDBSHE2sJm7X5!i
z4_5OAVo~()ml}EyWS-DNU79z@<8qhh1i#WtpJ?XTe@3zVt@<xwQOdt!PozH(WS%Jh
zy4rtXe-IuQ;W+MZN)L_h*t64)Kd|3_5sRnOgCKLQ9<2K>;9ufrPXDg>@6)8(VgAKp
z0@Z`hH|7nveJ;d$3PI*={!b|WTb(s8@wIUOQR3(yZV&D2Uo39u@S7)_zItNt(>rhY
z=Z*8GY!&_mnK$`I2aQGNhxl@Qtt+uPA>6O$@!FfETvpV3xo~im{+v;=_TT<{0#@U-
zt(3*qKWmg%I2bUea$2RWL$6{(eFK?m%Z20Cvr);xGI?>lHcy^kX8$@->8RdQ=fxG-
z(2@Q6Efy7kaKbv;1sw@8*XoGdw?n7a<GgS^=JAR`mG9@$x($yW|5oEeVo~bxpj$%q
z_%OI1f-(?fuH~P{hX(Wy>x#nTLp;(`r1rnQwzPAx4c*)C_lw2lPtEvg5&UP{7dfrc
zD!_ZEdImDr@^1E@bv4e{8&{d9;Ivrjq3P@{U7Xc}SQI_n@&`i?O`!=v7Slr%=fg*~
zgD)06aLZq!^w9jzmqk$zR^vcoQS`94hJO%bp3p;G8VBOxU40yg<DyBb{9C`!>@qw4
zz<yjL78QVS!tDe513~86@;^;nR1l7fnEzj@d}|X*9Ohpvb|LE05Gdv=B*MQS^BVug
zyfMe6lU1&_eemhv=;_}oE)|O-;wTGqRJ2SXNyc>0MHs0UWUl4EMqFAD5ts6mBYz%l
zG4}4&j>e^8@%{4ht5+i~-7|yJDs3S51>koCnQM7>LtN^ofs`k42&ZKsInauW(&jm<
z2eBx6*g4bC!(-5dAdBfCig9Tkir*)C;P|9m>EZj_%c7_UtGHAwiXJL{ZRmmhgCO&S
z9_mtD8lIozxabyD{x5E>T4=`~*pExaBHn0x)o3VD;!tTH1et5g|1@!FNkm*aMe+Yh
zMbG=4<zFl+0O3UV7i3=J--t_D{}n3VcmIFo31|5ii?c4EM_K>53JLSiYw84<*Z41u
z(En7G>o+IAmA%GBd}`nSh(&3CE?OGd{s=OU@qhoapR?{|eafwh|0njZS@g6G{_T%j
zi^a8#U(R?6{ez+woK|U@p#OI0mkBc0^6!TJ0nPu|7^md8aGKJ?zgh+tJF5q=D0&!j
zzM+RKtfmxXF+D`Fe}HAIMG@oH)0G~&?(7pqJy`V*#G>dSwWXm4_78&06MCpi{R4fa
z0=Ey`PW(!hf2XUjTVlr_*l(Z3q5=?3q<s)%t}Xx5^bd^reCB_K%J+Lm7VckbqkXo|
zzgU#|H?o~k|JWZ3GLP|(M<^sd;`G;w|HFHewm;)2|6+0V-i?=kKKhwq%jW0*^y}Fx
ze!}|y2wy?wG5*1~ng2?~|I^xEUwqC{{>5TLJhg$qDBM32{sozL`R8?AGZp{Uv)XL7
z!+-7i2Y<r*Nd441qqpgOq+(J0&-Pml|HJwhWUl4k+&|!Tfz9y^J=%qLP-2T81Dk+w
zOn(;@eofFH@8XBR_z^FDG^`MVW_kEkfUO(x4AK<pieH`aAesI=K260Dyx$b$T0Kr?
z-xlEsDSiaaz?lUc<=DdyvFV?D@}-#91>UA~^w!zg@7mFk{dP<&o=!)C%(XhQjw2Fj
zkoZxaf4yDt|4{F%K8hayR`ai7v1U8A3Nb_rjPnaJ*YY1Z|B4wmd2W>Z)3X%stGC_O
zXkmV|)>T_Q|05RHZ^&-BAfIUY4o<7IG2lEI@6QxuuI1hAKkMqcKz>3rV*d3GrH6+%
zUXbCe9>k*P;oz%=9){rg6G0Z!Lo~-%O3@^n=U?wsdbkNs(??GaR^uyTQS>l)r=bV-
z4}#1SdZ@GGE3;MkU)VhV96RN2KQ0oB3P3pF_Te4G*MiKo<!>Dqq5er+#OWNB@8ee%
zILyCT3=^+5n1A-ig3N3D7wP=RYeDLV?#m>)23;GxY?p?kLzAz+F~gbX&XQ8PKe-6;
zkodof_apt^T~aW3TLpjO8{<Fy?|!!Gx@g?N<IkOhe1@YR6#1Ht_BHxO?eQ*&ntizT
zl%v1wqY(YJ$#bsj+<W2j?8SFox_9uXE%~*%<0xh08r-`h-b^t`Cy--}33~64-$jA<
N5P1B#GyU&Z{Tq(Ne^&qi

literal 0
HcmV?d00001

diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json
new file mode 100644
index 00000000000..30109fcd090
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:32:30.425487Z",
+    "event": {
+      "action": "modified-group-account",
+      "code": 4735,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "test_group1v1"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A security-enabled local group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1v1\n\tGroup Domain:\t\tWLBEAT\n\nChanged Attributes:\n\tSAM Account Name:\ttest_group1v1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "PrivilegeList": "-",
+        "SamAccountName": "test_group1v1",
+        "SidHistory": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111",
+        "TargetUserName": "test_group1v1"
+      },
+      "event_id": 4735,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4628,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..376d98e16d84eb65823499b2c55f7f3315cbab7d
GIT binary patch
literal 69632
zcmeHQ3w#vS^**!NEJ;W<;Ta!*P*DVV3kV`_NB~1XgNU{&k%WTeRgy>$N`s<cwenQ4
zC?b`=D5$8QC={f~Ll6`+qC!=yTC5MOV71lXKmE?^Jv*~uz&PzrGxOW!x7^uzo$r44
zyXT&J=ibSXf(aRu3i7Gu$ES8wBGo94C{3$*%76Sj?TqTz|Kpp)ZV+Q2#z2gL7y~f|
zVhqF>h%pdjAjUw9ffxfZ24W2SC<8+ZCJdTbG#P#T(C1WXB_GD1K<D~Iy}tc=QRr;@
z|FfM%Ju?f;cW53U`k@}t@pz)6e)AEc)(J#?FbwfiKl^^<n#W+1Kh0s2Ki{hJUsd~g
z-%{+GPy<gt{Qgc2lAKk;MxnYFU;CKa9)WW+aL*TO+=tI`;&Z+X=$MREf$MhdP^O7I
z#uNH{eNM@Jug<N~QZ<c|wL8Wv^UIaI{oz};<!qX8sCS=N#<g6FobXu#8qg!y<P7rX
z#pHMzLN`%96;T;}&%rlvqdK@LHJ&P{kP2|H6bIt9?lcjnl~D;@LY?rhl*VIEKF-O-
zc1NU>uxAPt<5w|Fz?mKKyBPaB(Nr8OLfVx&<6k#yb*7&9KR;}~G~$;}tFAtQvXXKu
z9vz?@nua@<=@udI0oB!41DBNO-=`<gDBb!^u$70irr>A~d^1Fhm)+y1Y=AAqL84%g
zw7^)Uhqg`plu70Kl{l12sc{41Xar8XS)K7sZaouO!)P#$wZS*QlH=R7eK(0N$1QR}
z*(79tk`95X3;HSG3&v5vuhplYVTUOFjKq30Mx8bZOcmjnFIb=aew1+w{1A!f?Te=@
zoXBOx_0Sh2KFLST@S~a1>5%Du8m*VbWc?H$8`P*JesC4w&yy_zG!g~K#ljTvoix5v
zJhjFTsW~^kmOz)`@HCWLF?h@a?|f=JHSvS?QTVYy-Ld!G^<i|9&gmeWnhyY6M0q$z
zr-y41YwFVJNf9L|7lEDtHHg!apcccIWW=SI*uDZcWXOyp#Jn$<L`jV0He4hQVa3<=
zX^?&z<0#OP2(7=sc^Mh1h9~_!i3Z?~WdP1<DML;}_YKyg)BrmLF81!*8xWfg-HG#b
zii=WMF4fhAupv%l!}>&Iph5>;t{Vy!?@-2p(j>-`bTCnAc05ij#Xp52ff54jTDfR%
z>y-e8Cn|1*fM6me#A#`|oY)!j=T=B`5YEhnkcxENTxe;e`L*h5odBH31=qVMK_{vZ
zQebeQy5fu1n$cB&kWC#>MY}*L15shKkoH142wZf8APVRPT)?H=5!=O}krmHnF%THU
zNiXl1fa2z2D+lrr#YE@ejDYy-30VQU5_x9pD&NV}D9#^jK&|}L5T`<#`WH$@gBHqV
z0yUuoYJj7t0@&hj0ww9^={xaX27aYcD!v-!#<jv8UyoUQLws6RzTPb4H~lE$O5F5P
zbp+MDrUUB$KG<>PA)iwLwZlny>HtlY<2dJ#&-^8wckk@c6{8mqTlr$&-f<UfOR331
z$XzEs*t&|HI)8Y(`|&%k9rD)&?WSFN_8T)$UHB}NS_w9}o#oHqTUb)!t_SNykc<87
z35Ou%c9)g)+hRYw6BiI4JrCaid%$=tsJn+Lz?hGNLcMrIUkV84V!T-0tF3WmTEvxu
z!3H~h&aZJb@bcAs6(c#@xH>W7>Kt5`N4^vvHRAIxQs+nD%mJr2(2cr&45V^pT<FT~
z>Pp?sgmRdQ^0B(oKnX#y)n4k_3k{SFYFulb%lOdswLqN(mVSwE5yZ{;4TPL$7iIZe
z!*Yu51VXN;0D0!}$pTB<*!fcGoz^0^X6%*NJ(j~(nW;n)LRWGgxkQ>97TFbZDGXIs
z*tJfBtwdbmM`c2@imH>0Z!>D7f8{q<KOgqXmz@XWydJ2z=`V*%=?al{Ma{{A{}=*v
zqY3Q`f8v|qzw1^d1*moR#S;!5dv+|G(W#D|&<NM&A%Cp15F1l;Su<Mm-P=5h+u+kd
z{|C1k(Bq^i+@D>JZfQQ^u*y}X-!4HKs?fcrrLE`q%gS$IH+)pcZ>3?orr%<c`7;p2
zvfmntG@V+3<YDQ<)4@aN)1NIa&Z`RVkON~8>0gTKd#CI;9jCSNa>KwnM@dsqwyev1
z-Scs<SAc(0=3djK@4^+?OYXR6Z|3MNd9}IYXyr+-L~ZD##~^%nc2c1hn%j_Mt>Uh{
zg^iFI&Y_>`QI4-oB~f(`s>B|Se}{s~yHqY`EjXmJ@l*Lvtrh=&2LFEQo8H&NzgS$q
zA-mOrJfd~SIIYrze?fLyP1lC4{}un^A8Oa<Y`6**>?)K(3w%SNyR?8EQC>B*!M=w*
z57++!)PIgYSSi=TD@~>D_|*kbNmrav0WXt}ebYcL*Xx?y1^c$BMoZlh-X~Z0h}=ox
zkN%tW!#ZL;{Z8LaG;UB*;yozEpQ<DK^;j%g=_ncXSdh6^N7nTi^;+uja`1n*;(yMh
z+z+D1e=ofrPlVXmspy~nVzD8m=u#i24m1Y${qYrKuH`?lwSLw`Dy-%0?D4ZkuYRND
z#$$Ve&3U(qE;*te$kjd6s^J%x3)hb{)RTFNmF|<feq*P6YUgKHTKHM9DD`7?%1GVM
zb_U?Zz$(aGTRvt#TLNLSpFO!<=y;M(%YiQowZYuCEWtMSt$6%~JCH-+e?zg@>HO{h
zTvvjkjqKT+>@RhH$T|=`%vXB&V!>dC^&l2S4@*pXn2iWbkj3;6MLlroYoZ5sn+ud4
z#*Di!ih8);!as;b(L+%%(mx0?Pv{}<C-{fZ=ofeVi|{>t{1tgF$K^ln6FP9YOZ>D@
zmH#tazWUBi`(QtQ5{qZ+ol!({3JJFl$!H%0nQP16I)2jnhvTOTw9|`JuD?pz8FydQ
z;@4D*_(?2QetmzRawuZ%H_wm#0%+0@JFSC17G$pF-yA<d@I=hFw1bNk@6QeQ4}Q)D
z@Al&&vDkDUHGD3QXvslNtF*EtqL;zDAagD6ZitI$disWI&F$blN)MBF+?x?SJy^Aa
zVo~(a@9juE2r^ITp)R$9`Ur{mgL_r^-@SfG6wBYLpClHg{O^3%DF0Q-M1sr{<zH9(
zN%{kC@duS?C+<^v_&)LAFgyOheq1CLt@KcdHbRiORu9&35qiDMyTqkS6#wJ;Y#iw<
z|6)-A2q)Y=bA1$K9^;=DJ#6OxewFV9Q;sflmVdG6OQzuEP{cTeg!x~GuORan|LsEK
z*`oj7t6ZPAwCx^e`4@}ge{MY%*&YcpkMWP`PG<ctRs8qL==Zs^{EI~eAe@N)1)0bA
z$C#*@{|8jQ$Bduxs|_~#XZG7)u^1*^Z7~1bKNDo$=Kn#J>tp+iW;)BiShV8bkM>uP
zd6$14r&y-4zvvG~Uw<KL`nMVv5{u&hS6ry+;}aj?8B<H}FUVZWf8@9j=0%vtg&vaH
zUf%A^KmGcrKTozlE>xy0HoLTX+tyzbZO!DgO1m@_V?y9vkhzw3H;fDMe8{V$AIRx)
zrH6*czCYVpJ%~lo!=~Ye9!fAqE68Gch~o3I2tDv~lZTZaR?TbQEP8sd8YdKsqKBfP
zh91~I2r^ITp)QRRjyFFqTcOH-=kK<*uv7l_<5IDx0E826AJ`uVGS`;B^|%n)XLG;c
z4=UdW_YXhES^mXh2BxMXKnu@T5dH<3$M}c%g@2xR_lV;E-PhwQ?C@W^_~?kmd;zg2
z{x5a3;s4%7zf6$1mVa}6#Pc?PhOhm(l&7CJ5bb%Jp+#I}n9IcTN(*$+<eTShu2ee8
znb6{UJ36xON5!H75Kg!rkHc4xxmHKD@}vK!^8Li!yU*Qjqn~4+f3f(Izt!LXJj#YI
zANuA~pke;=@D*ep<KN^*xnJ?9;=kcLJ+>{I>101sELJ|Vch0hzm;ttl(<*H)rtI_h
zx*&5c|7Jg0SD!cXx|tK^e&#Brha;D)+2yPr#G>e7#}-2m?V$-l7Slr%`<W4X;Qq#A
zN)HEa(q4(49<2JAVo~&v`$t0$>>mV~C-hL4`k6)Me&*w<{7-z^ez%?Sx8FXC#Z#5P
zAaiZ`TgOK=<{zw9{P)T{vd3Be#bR$P@izA}rF|A;9^;=5KP~-CPS+^@_aB{6{g93L
z$iDu?qUe9vPQ(AT#5ju}^BDi_BIh4Gq4=*n-n`9nNBI|v3P3nv{c}7b$UMfsY5oEC
zlb=-iF8=P~{&x7U-8hTY`dG0j`fu`%p?~IIkhzwBbN|3=>tmrBzrMbj=Mk}vo>Drx
zrNwTCbtD!=M~e?d>PV2qbfm8a{NIk()m&$-zZXEp>o{GjbQITU;RBD@Xb)=VkF3Uh
z#iHowz0V?bB*;9YBd?A7mWYlxu6tVP=!x-f-@4L<j_k*EVzB|<;sHVH%V!x3#}ykI
z8^~O%BkO(*-p^r<tDjN)?;g1F9%uO%iweL={0lOV@sDvnGyl)3?00_etS_DAUn~m$
zl1f}H$UMeBYP*^Lbt>B<MxN8~QAhocSQOqRm43Y-^EUtMRkoL|TKcK8{EJ25T~g+M
z2K>Ju^EUs_sci4>|CH}BNA(}JNO(aRP>fSZ#Qz8~kMWPV-t2##SGn#yV0V_Y{EI~e
zAUuCX^e@Of#y{TsXy$)|%Kkk&Hf(m5f3Yb1ODg&oWFF%mFN!ns|ANZ)o6kQ?k2~sr
z#G>#nsqinzJjOrXXK3dCMV0M7!P%47ILg0ROacNc|1Zcq#y|3E=6|E&zpUxV?aw&M
zzgTRFSA%l@cbr1P`fr&|B*;9*Ki;op=6{pQ_2c(tKm4qt{EI~eAe=D&vzrhJGLP|(
zH=>#O|D($Hvaaj)Im^FT3=^+5gnvQiG5)oN^UVBjR=KYD$D(hY<zFnGihn`oG5(QV
zGyhvu_Rk;EXW}|X{f}6*;(u3DB0=Uc{*T<gK=|i%elMx)Z~05&{OIv-wXRYu*5p4K
zYj=44jv#X_|B>q|v5wBXu5zo&c6H{RTK(|fJE{HqwrltN$m;z%VzInm$(>1aiC!Dd
zX_b}*&L6>7khzw3^YiSwI^Q*79Ua%lKPf#tTDmLFjvnkk2NH`ze3XeL&EY4TtcS7q
z3NqK~!TLFnX&n{MJKm=FpL6&#Tm0Lvk77~k<AtM)`ZyNz{{@+A`FBHo)ZhOv^Ut|E
z__ESNuXZVZJN2=4da#;rEEYu%g;|Ck*gp$0Pv{|!YX6?-$alM*ett;gxwU%_Y_WO1
z@pe`IgBK5|XQ%w_`(v@F0E821p9Ps~%ir1`o8EWB^CNbseEYk1YGQ}~+SNa+`F>(i
z>fgp|jrun@XdrVf|7L&ewfTPf-?NhWHJt8LIy&>(wr507M^^K+#G>e^XRe{6U%-zG
zGSBG9YxA_i^F}#7-=%c4b$NCRJ36x89*D(oL!dUeJz#$%$Xu%<>-GS-lyM49Us1Up
zTRw12nvMRleg4H_3(O>jLkT}8kp7V%^BDgh{5(bY=eT&c;(zb{>1!L<;J<e5vDJ8m
zSWMaRab5$AR~$RQX_dAd+J71SBSGd`{>|-iT^+BWLH*uImHrW@dz2mye9(NIvw9GV
zqKEgZ3_YxYCIneb4^dp7OFb_Mq=_EbExxMsuw=l9DC)tgzbqC-55IlG&;$DiLFNfP
z)TRD%BXfUwuPXmLx6gUrjz6&9K8r=G^4|ny3NqK0zjb^xe9J6ppE=#9`2YQbn{RAr
zqkXo|zgRpFq{C+bNoR$G+h_L2g3M$5YmxI<UQ@ZA`P$?ejU44)EGhuug!yOv3o?)K
z-;r`e|J)9}uJS#5%kj_b@NYjp6^r73=KV9W{SjoY<=+kQX(`@Qnj`TDr~8#27T+=B
z3upBp7DW%|XrF}pD@PHJ2(p+Sq8OjD9tN59a6su{{`BPz>p?7v9;U}d>Oqjj^bkco
zp!D%q$l({{?;E|L^w4yA<(JO-2eBx6_&CAP!&<c2f-I(oDC*(5RY`%c9{4%In@SHC
zKD6(v=;^`gIe}OdJ^UdlQV)X66MFFCdpwKfc@z7WDy5^6q!aBM+vo?_k3+?x=;%Pu
z&=L2;1eqsvR9DAI`EOMho7<VUlpY>kwxffydJv1Eha;(m9=Km9$YOekVmot^9u6u!
zT(|A!j?U^qEQ%furA6vNkj3;6MLk6P{dsOT-d1|(adcCs=;^^K?huQjhlULeJ#c#=
z$ULD3FUB3=`3XF){2isE^IqLpYDY)48~?SM$1fJs@MZ}=P>fPYe!y5qdn|4gWUkdw
z<UIZ&>SCV9|E|jIjFzQu+2P%OyeAeLmOOHQV>}n{F@w`8?ST~hEgaNeLFQWC-7xN`
z&oh;HkDrGfQhF%p^5}cf(}UG>P_Za__(u&r2r^ITp)NfK4gcM2ejagHmH**cHy^Q6
z{<ZVN>G*pfJ{p!jJRK%OpZ;Res{HvmxFB<F`CC5+ol4Wp&w>7|==iYU7F+z=_s3#U
z`0qT+@W&hAlLeV;`FDdq#@kJd{x|F5J*9`=<z;-{#Kw4x{rV^t6@YLe?Xw_rtsboF
zqiG&L^Z&le_s-2LE=zZmf3X-QUTrY{TptCQ$M{DKF8+|y4^*x*+kCd(S^mYM760qN
zzaaA%|3$|8t+=0XL}kBe<J-TA9{*PTGO<{b|4rx{^h7)$$Xv^RWWNj#_{{yX4^_5H
zHy^lcrwzYjKMoL!W42$Az7zejDf>9B()yz>`~!Ljg3PtNyCDuJ#5<&?nEPdaQF?gh
z`>om0(}PvNOe~5Xy1f>u2SMfuJ=Dp58SCI9RsLK4^`|J7zt#E$u_)#L<bI?4^AZhY
zo+$si`dp3z=r4;u;JD~xrH8#&oET-tAK32~h(!e;oN)W_Rh)s$wR*7b7YwChb6om~
z%6H3x{41R0Uo75FbU%a;e($I7FUUN`e;IWU{<$9fRq;Pz_QuP1IT{~{Me&DkeHiHv
z1(|F4cSC%nuag#k$mvm~hf7X;lH;r%#G>fonvWv&Ajo2Rh~jhUu2e=9q6dC1{i)K!
zyQS;KL{AS^&!xqp=wbcGk$Mnhp3sA*pG&iz{-$))W@t`v^mJqucZ)^Q(ZHjTIuc}_
z&{3U@yT_sY#jkMu@tM*?uLthR+HE85upf7eMFk+7aNKtn-lZVOT&oA`xEuMDxR2A%
zRlXN})H-gDqx_3SsgLKM+crEd#{FPH<}v;YsZjXm@yRa~{}s~;`bLj`tMOp5DEv=s
z6XL%y`kbAie?jJ2{v*eOF~48NgL`6H(wB<&FM7YX)!_Y(G0Xh7s~4^F_J?oXma}QX
zq27I78P}4%Rw`C`4roArY>vRU6gLUnh>duyJ55B$REEFWbP3+*-wB7tV^2O6QZBYT
zBAtXiQ%IixN)vEqNBl0v{!TO%$BK}4#ah|U)D2smsVDx=C%lvpN6K&q^Dm!PT|EQZ
z`3{zS1FEaf28^>%Y7LQQ^ub0jNLpYlZ=_Oc+<-X3>&xk8{6@8+z*0Wor+_aQM*+W9
zpWyIlA9nhJ^~vwYjd{nn`VP2Pzvk0-Gy`kCppP%n^d0^59U7kzukV<k?}(=+et=>y
z3$Q~s`64!g0csGZCFy4#)z8E>pULo>$1C_5*a+66)IcF`q%i!@8IQ>s`}jZtB?ON1
zMj|D|X=(aRn+F(R8fkv5x_TgPn!!8bwPth`4Wn%80BXC?NE!&Dvyk>eI*6`7K}@9r
zx&c(@>cvukVi}L^0+M{p!;SQOJcEs3GBt|x2OCf;zs@)aApU|G^(D-FYl3eBN+bKv
z4MdrJUP#Q|gXaeQc5zyzElwbs2>wLDuC1SL=oc4IvNoRm1+NoB@zOCQ{2BAmoR?4b
z8!Y<&h90b*8;C{G!(VIYL6CVu4|VCeK`xiOtP}i7FMXm}<Nq1O^0(^0h(#&?ianA3
zK#+N&{OfA}h5bQzT!iDezbid7zHQG=JO03a|3xgGN)Lj}wR*7bzkq*<pE><n@!zj$
zwZr_2#RRGcpKm-j;P$xy^C<+GxA{M=_-}p2yu??-{YQzTf4n`kuYa+)q2q6#X!gqS
z%%^r<_s{F+P2DQ|3o>u=j}97(&JXeB_}Wxrb5gip&*QZ>O1Z48_fkP-mA=j>S^IDQ
zJprrn+SbZqo1Zt%Eyx7SX`EJR>(Hy%P~Sl2+H&Ez^-NT9uuNVYug#V9%j{n#D;?E)
z@|?Ir8#=OIzr~^g5KdS}yPzXM=2{(b`*!H$dYl`s$2?w9pz{4}T8|OY<KJq0NGwV{
z9&%Ht9v=qxLs15T%(eXU_|Tw%VO>#pe27PS3f2DC)|PfDvY~tX{eH2y;>np;7s7wG
zdx6s`tpdDvu4f=~E$?RkSy$tHy>XT26r2_*Jv5ust(&uY5R0ORoBn9%p&2wG$YOek
z;`8uP?cs|>58Uz>D?POM%f(UDgVi{YSQI_%t>GU8nJ4s6m&Sp3cvl|>;<%_pm4BP(
zn_q0lAJ~tJ#G(QaPPlzwe;~+QTmGkri}J&95%d2mm2YiQvBUg}#co918Ue+8g+%xl
zWM1Rncy7#b=@gagZ6AD^89n`5#ie3#WE^GT85J#8NRsh5=mLz?3o_U8Un4HfkBCe8
zkt2T|Y&rg})sDucV)6a*@+(#&F5NSe(<*H+_XXg01et4jcSBt2r@@pfaR{enAvw^>
z3)1E}s|T?tde}M3(8D9pgdmIQA&PNnE{fkLdf@n^T<PJ5aTiBX4_0xhSQI@}{Kn7&
z`v*bh2|d)MxHSBHlH;PARQbQKxoV*ue_%f@6^nSI@#SNnM2SPCeGp`>E&o%*rNt3(
z=~Tu4Cl$T#b(Vjzr~rf$;a`w>jejF9W&KyEeBbr|mB*dsUo6f(j~-_Ik5fpPf1Xn(
z$h^jXX@vf#sa(G?<<0ChHsVwJ{zoiI`*Xpv$o5B&d5r&im;ZuwFY{AwR{TG{f6d~j
zZ18V?+*&NIZSqq3ljt85w&b)*+XVf$N54#vxt4!7^bctM$Hq7%$A#0C9{$xTxWrjK
zh(*!E&~ptvWMMX?AdBfCiv0sjV=asrx1OQ&(0ymWDC)tge;^h`52>vTJ+OZeWS-DN
zUFsj`GZnaf;CABIs{A`&am`XY{=k0wEEW}ja3bx4AaiZ`pQ3+YJkMwTXR3U^``*I+
zYi+d8_W2i!QvXJ^H|ihzV?pLI{;`BY;v-Ifqxe6(H);FRj`A-SSMS|;$>(F99=?2j
z-qqjCS@|>8|3~-=GLP{OzRmnsD*m6+{`SJNj`A-S8)4N30;6#MO!yaM-sPX?b<I-z
zSI=&{*$)4;>mU3X?<4h7-}Jtw_mPT4@ju&dHvA9kUy!+$e{=tU=LNRFH?*`1@1VpM
zF9Vx|a7=#}6@E?9mv`|ZFka%tOT!8<XqJm#`PjN1YmlZ=cl_#tg=G4Ae42(Mc)uyg
zwOUSQ-xgto6fZ$DaApBVIri`(HvN-Fz7+Gkz+04#-aIq=9XmR*-;RmJQ|U;MxmHKk
zaYP~w5kJb$UvE|XKhXE`kD|xF)$>=eShF2lg&3kG#`y)AYx$3S{)#7VvTl_7)3X)t
ztGC_Kcwt_&=2cs*{}GGpH)OY3kVmv)2d7oqSa6<<_h$++*Ya-mpLKO!Ag>UOc>a2u
z(!+xr&r5e!4`NaDaPSpF4@0s3M3BYw5Y6$GQZ&it=dZUbJ=}oR^wHCU)%c276g_0_
zH1xp!L6CVu4|R5YWsWNU^IPPdWvBe@$3<dM0SG7DKD>?iT9CQ6{H^06)IW)fIGwBV
zeeAM)hxr$aVdB*W^UwZRka>;&LY@D3El2~<eJP<U(Y3+Lc4-7UG<o_PGn`p>mXy--
ziN%PA#Q#;iAL;+@kb=S6D)<xM1pn!O_p^2P#S;!5d-eq6GXnjf$k%jqsL?m-fOkpM
z?89}S9Q|b<1?aa;nR`u_z6)1mFS+BQy_uu8<kjYmqm_*-aqmueGewC`AjcY$^xh%A
QivsT<@c6nj{qI-(8xjP5^#A|>

literal 0
HcmV?d00001

diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json
new file mode 100644
index 00000000000..dab1408d799
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:33:57.2710608Z",
+    "event": {
+      "action": "modified-group-account",
+      "code": 4737,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "test_group2v2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A security-enabled global group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "PrivilegeList": "-",
+        "SamAccountName": "-",
+        "SidHistory": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112",
+        "TargetUserName": "test_group2v2"
+      },
+      "event_id": 4737,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4668,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json
index 2bc9cd7b28e..e3d1af0b744 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json
@@ -35,6 +35,10 @@
         "HomeDirectory": "%%1793",
         "HomePath": "%%1793",
         "LogonHours": "%%1797",
+        "NewUACList": [
+          "LOCKOUT",
+          "NORMAL_ACCOUNT"
+        ],
         "NewUacValue": "0x210",
         "OldUacValue": "0x210",
         "PasswordLastSet": "6/9/2019 10:30:28",
@@ -51,7 +55,9 @@
         "TargetDomainName": "WIN-41OB2LO92CR",
         "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005",
         "TargetUserName": "elastictest1",
-        "UserAccountControl": "-",
+        "UserAccountControl": [
+          "-"
+        ],
         "UserParameters": "%%1793",
         "UserPrincipalName": "-",
         "UserWorkstations": "%%1793"
@@ -112,6 +118,10 @@
         "HomeDirectory": "%%1793",
         "HomePath": "%%1793",
         "LogonHours": "%%1797",
+        "NewUACList": [
+          "LOCKOUT",
+          "NORMAL_ACCOUNT"
+        ],
         "NewUacValue": "0x210",
         "OldUacValue": "0x10",
         "PasswordLastSet": "6/9/2019 10:25:21",
@@ -128,7 +138,9 @@
         "TargetDomainName": "WIN-41OB2LO92CR",
         "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006",
         "TargetUserName": "audittest0609",
-        "UserAccountControl": "\n\t\t%%2089",
+        "UserAccountControl": [
+          "2089"
+        ],
         "UserParameters": "%%1793",
         "UserPrincipalName": "-",
         "UserWorkstations": "%%1793"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..db249481555e46bf54078ca741cf72b2fd8a8615
GIT binary patch
literal 69632
zcmeI$YiQMV9LMqR|J-(V=FYanh*Gn(Ok-2iSvI@aE*UMewyfyp^lUmk+f27|*#oJh
z8w5s05Jg2%J}8O^!uBAD9t37WSWrFcNj)pOkPm{>=lj2Owv}BW5Z?dsKmW_`_Wiwn
zm!qe%JkT{*?zibjDt@t7*TB+djluLR|M|J`w91kHTnQB*fB*srAb<b@2q1s}0tg_0
zz+Vb<mIvCm4sX~0@uTBJ*S(&s9|bP2Gdq4;|CdqjfB)(2eDqZ7)01nMlQa9J#_Wfz
z**BTVDP{}uW|!z^h<|z<{);jP)TSSE)TSRl$N3M%@BQ5~dN(jFp3C%nJpPg7^l5Dj
z#dUev1M&Se%G;$n4^FGc^ZXyjxycVYlNviJ>&1&TrnUYXPjt+Gcg35B9y%H{1cA*6
z9^UX=CMoInUwyi-XJX)swo5+TIPVSh#B;4_vX^x09rWYijI4FqUDj{IHmc_bb>_Ck
zi4zT3+igQuR^l!tWP?`Qs%)dS!!EWZ`rBoj^`>8W`gGr->!9B3v=Kdx*no1j=y^o%
zm)PA(8`kv#TdKbmx?5@&>9ha0=66kbN(Gh5j~c6F+(vqH)??$Uc{FTM6MRjja<k$}
zM)cU8ysZygze{bElxwF_SL*CaCgaslW^A2;9a5rMv1mc=rg%Oqnw7CDZ7eLQqy}q9
zuSwfA%63nj<EOrwNmy4|htd}6%=wh_Y8HK7u<KMspU4K){lPE<rz>VGmnx<$mkH|Z
zY`sWk`f0T_wjs_oD5+tkrHXZy$!Lt{>LHoprNde4Rz@GIa+t|HQ_5!RVRk%EJNIO)
zHyn%YVV0CP7}z{L_!98r^|?8_Rs-n6;zZtD;5B7!fgX~Tv+d)&U9IGCjoXMEOLF(D
zS(}v+`+7a>k85mutWJ#%hNkVx+OGh7h)T*6^7tz9IkkFEVaf<5g~XGyrgTuyY^m-g
zUFrHs+SjW>57{G$<Wt3h6+D)GDwJ#pFMeNV?O`^LqZ~$(u->YCU0v}CFB~h_8r3+e
zz<suis;5!C#TskK`KI8*-ugk4dDBr%-lr23s`u$qsSK%&WD|Mk?OJtUcNq9s*ibaQ
zYdsE)rg<!d&uZg2yIC1`=`W5VZ~2^Wtv<B-R^=tUHMUIvinW$c2aVx$^3B+f`!z+|
zm9tM1X*i7A2d&Y9Oi-zW0LthC*EXCFp@uXSJh*7Bq_V+myHO#mvt}*PWtu5hXu)>t
zx=Pn}S+r<Elx>p=_$asNengBu<9#fyPz=c?{d`Ma!|lU1rpO~=von<=m+aRA-8s8K
zefHMle$TL(=}fW7&dS&+%Brauo|?(}LW_Etw^^3ACZ%c#=+4i)6~cVsOMP_dsnHsA
z26kuqEWJsseB3M4F>mksf#t9HzM0Vw?^UH8af+7v^bM?89=>sv)X%#WYV+^<)T}u%
zrgZP2=iFlFJoP~D?%pS^dimg`ZRzvgub-|EZP&HWE;#C&x*vYu`op8Qb$-2n@%ZX9
zKDk%R#dB%YcIei>XZ`57&!<$fU3Y{-(5Lsl6L#wA-@87u9vR7Kck%)9)N^#^d<V=1
z#c+GrsTli}n9wIXVya%?K8zQ}buFrvY@AZELmIy6dw;8?6|a}}QXa_})zY<7O82N-
z$x`(xo9X$N$N8tk*(1|Uwk@1L)ku?)>8NCDTr%8dq8>JAeEz6pHA+n=Z*^5%_WWv;
zP1DN$aWAt``M(i$x0JT%9M<Ia{^p|1b6MQ-{A$bf;U*AmMP>Eb$ERCL{$-b{ulds!
z{oBlUCEp&$)Yj;v5y?j-y^lU3bE+-+R_vp&Hg3hY)^W8}s}dP4CbLtubY|$BZ8O93
z^!VAAUrP6$?$=($>T%wosQs&dOk2uwt(tD_9i57-*Yw@uM|PGzZhy6qvjweB41D(O
zTQ_SXI#Jq>fvIdsee*dMN$d=#v`0F*_Jyyg8Xe6ih@?484gcK~-SLS40w=S8FZhYY
z3++3*<%J1t6v=g?UHYCsCs#XC3ZHG>rzdlFi5&q15I_I{1Q0*~0R#|0009ILKmY**
z5I_I{1Q0*~0R#|0009ILKmY**5I_I{1Q0*~0R#|0009ILKmY**5I_I{1Q0*~0R#|0
z009ILKmY**5I_I{1Q0*~0R#|0009ILKmY**5I_I{1Q0*~0R#|0009ILKmY**5I_I{
z1Q0*~0R#|0009ILKmY**5I_I{1Q0*~0R#|0009ILKmY**5I_I{1Q0*~0R#|0009IL
zKmY**5I_I{1Q0*~0R#|0009ILKmY**5I_I{1Q0*~0R#|0009ILKmY**5I_I{1Q0*~
z0R#|0009ILKmY**5I_I{1Q0*~0R#|0009ILKmY**5I_I{1Q0*~0R#|0009ILKmY**
V5I_I{1Q0*~0R#|00D*rb@GBIUkbnRH

literal 0
HcmV?d00001

diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json
new file mode 100644
index 00000000000..daa5826eccd
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:34:33.783048Z",
+    "event": {
+      "action": "added-group-account",
+      "code": 4754,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "Test_group3"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A security-enabled universal group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3\n\tGroup Domain:\t\tWLBEAT\n\nAttributes:\n\tSAM Account Name:\tTest_group3\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "PrivilegeList": "-",
+        "SamAccountName": "Test_group3",
+        "SidHistory": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113",
+        "TargetUserName": "Test_group3"
+      },
+      "event_id": 4754,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4676,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..4efe97cbf151c8bec09d965bf670c625892c6301
GIT binary patch
literal 69632
zcmeHQ3w#vS^**!NEJ;W<39tA7go+}_TR;$bLwFbh8l-5eCX!H)JSa&d2&F+$uv!sB
z#iEEPe^F3TK~X4(2tg1OG@?RPtXixOY{6=)zkm9j*?V?o!+>$xoo42@%Wt`}^E%)C
z?sv~U_s+eOp@kDOCl?k_?T=6Gs6?t!98sE9`;`CqciL$+Z~VtMiQOQ^K#YMH12G0-
z48$0SF%V-Q#z2gL7y~f|VhqF>_)!Li7ET;Isdx(d_@U3q(n>yzL4hs}iKc9=*%mt6
z{{L(z>*0GAoA1yfK=eZcqGRzyNBrg^L~Rm?`eGR3r+)VS$Tg3_CVyJMCV#$F=f9@*
z^S-6nH?bC;{`mc!8YDTRmW?8HFTVCMwLJ>wX5yYN*18X$<HYA&8PG8qs|MHY+oMbq
zd5kCYxn@_NmtUJ-t)*%jC2O~iTjrN5dHbWcZ_e2?@nE06ujaN|i=6OT1JmgdY;p$q
z^I~#54W;X;fQqRMzvtl_xK171lp0SJR78b1Sc(JjS`V6p)5>TnT|}MnuaqWWPXW%!
z!*(a6ld)$SmEcziO~jd<@Vf;2JJWO=D@NLly5L`TY;~bt_`e`*zBJ;OPphdpj<S++
zD;XQ09GZbUm+2NE@PRcoR{)ok=-*~0&=}qN^{|zXv!>x_Pkb{)jF;T)r)+>N!a<^7
zkhH*frH6J+{WOfq^(%2Gl~Usd#?dI8c7r<Oo4f`lvPRGl9BYejfF;MbY4=_dU5Z=e
zfwIZS{$w2jQy278z!!|8fM07!Kf?}D`e}&`Xq-B2GMFmHF<-DD`TZ#4miQqO&)*wQ
zSvZl)s!%_P_#_`S$B*Vpr$cA@X{=rrQ}k1OY*3?C_`y|xKToy{&}bAO7YkFw<}|)j
zJhj0OsX5oZo<Nu2@C=k&33$v0?|f=JHT8q`G5E1i-LcOd4PkV$&go#BS^xlCMEN*J
zr-y41YwF^eNf9L|7lEDtrN?PWP>bP9GUHNAY+r^OGGs;)V%`@_q9n$0GcFQ`u;T9x
zX|R48<0#aT2(7=wd6}82h9~_ki3Z}1WdP1<DML;}_YF3n)BrmLF7_VV(}_)o?!<XI
z$wetFmztU)*bpbOVSOSpP@w}a*A0b=cR1rfX%b^eI*_O|I{_z_;-5m1KnVeMtz5J>
z_f7!AlN7f?KroRK;<PkfPV9{Na}y*w7-!}|NX0sCF0?e#{8~+oP5@5ig6mV9pc7RD
zDKNNDUGc?h&FSZWkWC#?MY}>NgHU0!koHD87+iFMAPVVPT)?H=3EL&0krmHnF$fsM
zNiXk|fa2z2D+lrr#YAV}jDYy-iCF=<9C>EzD&NV}IL;qTr`CRIgi|3+{R<_dK?~(F
zftpeRrQ;~70Jiv>KuP*}`cC|piC<}yimyg_ajmh(*YhsEAwI1tv#UaW(~lyq#7#%3
zBdG4R9au;3!Hz2*`J4`@9Z$$pM`)rP$2o_5=CA0Sd*+U<7`u4H$`||fi92swN^KTG
z?mF>-Hr4FZ`NP{ij@@?E(7!BfKjY#v-<*Z&!e^n>rec%ZS^f;UktHSWdWc>GdDzdM
za41r4cUf7#EAhiSaRKqsbMOtY2aMN(x_g)gj0HF-)Qd;-rGRiQ#tYTG+8I}-MO--q
zY_QYk{2EsSFJH}9F_JTls}m!x&cSv0<V*2UV?O@^b$$fS9B_IqU8n2EKq^<pg|6(O
zuGHO3D2J&iAFC@3ln@kK?X9jo-$0pO>ssqv#)q!21L`cW^ecReA#ToZAmlu|D$8dZ
zmQ!>m5OPI@$TOEu7FgoO&X>~Qloq))W3R;Su^hI_OeK;Kx{~wACDOvM$gY@6VYsrw
zu5|`%CE^M{DifMjRGnmen^R-`E5Et=`LJKUV}X@%UIWzJ^q0e>TmX@FL(R#8{}>8%
zV+rjGf8v|szpGaz1*lDr#S;%4efA1Cqmvywt`V-yNB&r6AvUJzvSzgAySIH5x51~Q
z{!icJI4P=@aQn(trQa@rolu4DJtJ*B$6r={3%lW?LVha^+qL}`lgyt%AeQ~saHJX3
z8YGX%7?}YcLZ1O_adCcic!wMqk4XPwRNvcV$Ei52i<cV#);UU=hO%W{7U-UjgS|rh
zn>PQ-uKgCR$X;^m1$%~#-I8CIJC0SJ^m5dO&Uy^OcV{ORYN5FeN!BWE&tKFSnc*Dz
zsR8Bq+Ex<P^rTAc;rMqrsJva}a?ZkoIvYQg|I|A1|0nS8r+yjzO#F+*^&7HVFU%)e
zca+m=P52jNr_^*^*!o}bKjFdleb0oeV8O0JDYV2l6uL_b*a_uTTN~_q*z<7xFGT(4
z_=A;l4ZPBH>VaQf5tVeq85Qs{1=u$O<Z`{P-CeM6i)yvho#1`)bdSiL6#nSHSwE~J
z*3<9x-9)*AlM?SnDgIO)*{{c9(Mm_jsK<iLwK}q{$Eep*kC%i0I~4!(Cg*(^J^p*^
z^>`A*#!f~53=oTrC`Ffgt~$^J+z-H4khzxsz}ALY7pSn7x3eeA8N2$;RvVA*4z}Rk
zD!Sx|dJtFlQ2U8rTrONc(ojzpC{}t*>GqAC@~NAjU1{NG#iG=Y)hVNOKidU>7Xzyx
zb8Y#U{p?f-ll|<8?Lwy$d|D2CS*Q)>zU5SGbKi=`Z@2?F9R4>Hi=E2v4#ag+QM8dg
zn-l$|?hjc9qK7+`9==>S#9=*%MbX0&lOE<G0uy90Jw#CtT>6^mf!*dprH663_eN0<
z_gVM{u_$^d4o3P1LFNfP<o^W!5E}jBj(;(}r;fiO&*ixM$9+OaE_aEa7OC=oX3N*#
z*=Zl_$4_GMOuaLTXig#F_8}SVgCKKl`CG?N+JJEURDpK-E|u%AQ>x<bjavMgY7sw)
z#mc|m*S8#snE%c5<G%!&G{jEp;Ex5FYxy_FPY^s2^DXV5JP3Pkq<_eBHh8xm7m3AY
zd#TZL`9w<&a9XXEB@w*>-UXR!d3QrxL^CrsTxD(t?^gA2%8q+7qo)U}c2F#e9{Rr%
zsRu#k2|d)Oc2FN75r1%xD*rpyFNtFLTlJH~qLlw_?-}L4Dw#--d7}L5Yd=YU;4S{3
z679sjN)O*B9vETAAJ~tJ#G;iRD$zy=GS}+CIxa%5mwA`Cbcy0Wx9`T$&hjr76@YNU
z?K9U$LFO_3>8^*&{NJbYy>Qx*Mb7ds7JbPSycCMaRY;isb@&Q0kMZ9=G@dQ`|AWf)
zIZNB^c9ws!DE{ZBqmk{AAoCdinC@iO|5C+&@67&RILp6SQ~<(>=wFa|jDL)Yn)$z9
z<$K(OS-;+3qkm?<{S}L0;?)N8&;2t&=578TP`N(3uXwhz{EI~^{{3iw1(|pG=W&W<
zD*JameB_N6qNabVaUroN{(r^!nm#`9A)Ya{0{?={wfskp3t?V_d0gm0sqN+MPk;G0
zKmB>K{c)i(WwH6iHQToShG^?BPOG(xQ!yq4-UXR!d3VFO5YLDFx%2}$U9R-d=;-%n
zI;#h<D0<j5($K?HjL{0Rm>#0|yevWw{M_UrrH54uIy8@-9<0U*#iHn;c(|bl_78&0
z6MCpm<Af8;&&yV*@~`^+)|Ph4-+o*w78QVS!tDe513~86^0yurLi=p)7d));ePG|n
zvz+B$EM{VAIs&xtd<EfOka>)Mh+p{Ud3TQ}{@;5ezQPXwb&HP<Tg(>_i{k%M#~S|c
z9rVitnQQqs$45MG^Jn<lpG$e_c>~d&w;5W*Rff4tJg>A+7fpeA-sVcBqnwE?zqg|!
z`+ig`Dgfbx>v1l=g3Pr#s*@l6Kb7w%?$~wqb{qX1`}~W=m;9}V1mICNeD&Zrp8*Z?
zpO3E~^BDgoKg#`zM-~5#-tD<<*=#5KnPRc>nLYEC&BhF{O`KM1^D$+g$JYg!Yxy_(
z(fazlk=M-}H}^AFDLov%Xw6P%^&l2S4?DIPdguU62(p+SqS()j&;$239#eYQf4%l<
z^z>lW&lHQIhrB-;dSL$`$ULEk`qa-XHup0hSLJ{FvktrLl)wG<SuCEc`~{h7%ilUa
zsx|*$wc@|`u*18Z<zFoJ!4hwCKU3OgLFO_3>Cn^C&*XHC;(y<fSv3#Zh>z^+Uo49L
zM^qX9uNB5w1ewS9Zy!1T;0eWl<*^oRmpjV8SX2PQ3G1KZ5kclL{!Q}_xS#x_%6G|k
z7Y?w)f8EAetk%bhMbUrLcMbhB|ANf5{G0m+URxgv)%f-G)jW@gb@Y_d(Ty#4IjkeG
zC^}kvFj7Z?ET$uUHQ@htysq{-YyG_dGG52&TBW17#*6NM#728iH-BU`?kg5WNAG_g
zsUtz=86A0T+;^(zh~v7am5!d6@Xk#uZRp5;TqhRO@fHsVT3<fPU^uSW(8NIIS{+&U
zYw&&!b6ow5;(ynmm3KSKzgScNPT*gVd5nLI^O^a7R%O4-`)7RREdOFr_?J}TYC+~P
z{!!b_{I65l9yR)`Mvpq`f5f8jE~)hE1(~<`U$3&gbk)+&oaJ9E3h$CK|Fhu#1(~<`
ze@<n4-+-rlk2$LUutmZP%77wQArb#0$UMeB;(D|Hd0yqZ%fMY(&hjr76@c*k716&S
z^BDhl@1vRj4J!M0@7S=}S^mYM@Gq(8Uyyl>f4nHp%>N52+iyMp5Iydw{}GGAyQIRu
zAoCdic%Pw}{})xZ`v&JuS>q`GVlfE_to*+q^BDigtC|0eivO}^qqjffDF0%y8D0&_
z{oh=Lg!SJlgGi8hjDNge%gp~KmFvgv&3@=vNBI|v3P3nv{^vF&5@a6ZA8$l6^Z!Sc
z?`7TA?RA!au^1*^Z3zE@%wzm(jTV^s->h<7@sGQ{b(VjzcryM4naB7?cFp{6QQ1Ft
zXx~Ze9Q8k9(Te|_&4>h<$M`>d%R=Fw*ZIAqvcKieiFZbif2(zsVzD;=$ymF?>vsg1
zYx$2{SBZ6W=5>`@Rkmw}-KI4R|GksCzi+#4&yTF$uOk-A`%k?sX+F{GBRQ?svcUNx
z_zE)D@@{^fU0>(BMy#Xb`uMWa!=t4;<Lv0c{&OI)IMheOu%tQsWRvwU9$!J`T0K}l
z2Qsar;(5p06#w%MeQt|?`}I*QN_{+kj8PxQWB$J&b1naFsE_*l|7HF;cL!fldg$Fg
z#c!uR)=dvq^Nq!#=%Faf&;$EtLFNfP<Wt?>6CL?(*Hh0Ai9EM%?}05b&o|z#%74h>
zfeq}GzkPo!78QVSBJHyvb8Y!s`(xAlZg_sg4wY|zkIqf)@L#w3XEonXEK2>`c$HEA
zh6D{{uI1nCkG(eEPyc&XGQWn?Dy5^-uWEN%^mJr3PfIL{j(X)8I{GF2xFGY4j=VNc
zD?D$M<MW+LM_ZR?x3r@p`|W{P3^xR7gWCi4M}o|?I<jsLkV_e-;Ph3M>+$7-)}-0!
zFWcu|EVjf<VmOrWa{}of2{MoI|KTrEgny2UcPak&?3=kZ-3I@4YmcqQE5u^Tj!*K_
zF<x<WKd05&a%le*^p6CYYxy^~$Mto*f(G}0H&yyaobFb7*#BXRb<XNREQ%gJs5bPl
z2AU9LF+D_aeJ=I7D3B(4V7K_1(!-L0qoSw>tNyZB6g~XzO+ydt9|V~v^iZGr%Z<(b
z<vptWZ`(fac{~2Ve)}vIt;&BBlqtwuTmIJZ(a0@xq<!Xeuj2m?4{W}!k&X7*KL28I
ze~=EH1|(e+5^kT_9}6;%@vlYBV|iWWdiLv6W;J${f3c_lgcIhU^)JXg#(yWu5&d&J
z^oGj!+%3mGx5K~v_*5*4|5@<Q$o5B&xt4!7#HXcrPic<CBb@G2dRTnxtS_C_gIE+j
zoTYsl?ynp{JR-<qdWd3t%6b@V*28|KhdXC3cUTW%QS>k~E>aJIET)Gj>H(#Xzd{bb
zAb;QJO{IrsGb_Jx)<1|v(ZeSRh91_U%@$-aJw#CtSFcJ6g!RDB3EonAIRC-DUq??5
zR?i8<qUhn_q)0soGEeBii|_F)k>^e9U#gXkrY0Tl(8NYRz<wMm7DY$<gNBZ{A125=
zp`-dbPRf6)y2RYhysh-`=&~Ihoz;U_6g?bHHT1y!LO~YOLloPY6ZCLE>EY^aH*|7V
z4`NaDa4;=W4}vVFhbZbH;_uIMyYY_FL(e0dI!8|rR&j?|6g@O*Waxq03qj@yJ$Nzh
z2+vR8dFAga9i8*q#!@>vs@wRl)jWQ&n1(k?_<>@KLh=K~Iyzu+qabswjw0vr7gJaB
zJpT7oZfCVBecKN2_TxRV*l6k__cg(D@t(6dt=8^O!Qa9`{S{=c<=qYAj`}=PiTC(<
z*g>U-!mf|LA3Z%-JqHzwqKALf(t{xLgdXbCbI|bL&F1G3hgA6=nsdWpJLO+DKb(QT
z2jZg<86z`bGV~cB7Ol#kpMwiB*OtHabI|ED!~7iRPl}F@3U9Q<zkPo!7KQ&Va}0mH
z0X|ufxt4!7_+z}?#OQysF5Xvq_<ern7fo%9$JnorVo?DIC(=F(GS}+Cx;~ob@iYG)
zsC-v#UU5l=qx_4-F!5@G`RDp5$UMeBVsP<?oPMZsJ*@5L>z(CaEL!ou4*Ux;kMUn@
zyx)rZ35Qkon>D%R>*(=s)h`o^wfWzKzCka<1A@%8{73f7@PN<UFZ)PkyL9vZOR8-6
z9s6;BSRA+gyo@UJ%ckw+v|1a0zVHv|AqX<p^6rK>pa}1fo@VZs{aNYZneVq|M^6t{
z{W7sAdg%Uoq#gvBC-hJ+`(><yk5&0^`Pa))EPt!@3t~~q|H*wu`R6AZ$UIU0_4T<N
z1<+p>f536kCrS@{E;~NPjz6&9FA$3gKse#{;p;d9nQQf6-7gqUCFZ#FQ<d*lg$0*6
z%fDE>kLW%KA^hG?;a`w>jQ=v~DExCh_>1Cy;@pjw?sPOh5{u#w-~K4l9||(p^6!TD
zNM9!{{*conN)Hzu|1`&0J%~lo!<8RL>Oqjj^bp18(%q<xDnt+bT>3Mmhxba?jf<Wh
zte#7YMbX3hPa^do$ULD3Pd}GtJ^fYbsO|8alIZEkD()7GqN71aB6TFlJfWj{8+YfT
z{Kc<u{PDTcL+|@<&)Q`p?yw(si$w(>oN(NCJKm)r$Xu%j>$n^Fl(>)6FI2wo`nXNp
zZb$hSi&7uYJ-c0aT#Wm{g3M$57g3S$&*PI{D*h{G6!wcA|5oF{Vo~^?)HcL_6ZAQ|
zK>vcwwfskp2V;J}j0g9^w4|>T?_c(Lf2+a!t>c#YZ&5E==k1T)zBy;p#DjhMzM9*L
zy;dq#c@9h`KQ>3<TZ)?muER#W)`KP?WGcg7ZMq0=^zV#A6R@X%iYO1;osdq(o@t~{
z0HujIvlD)oV1H+tj$_40yJ4+t7wV3!F4PPE7Z6@bh$CgVgZY<FtErg<?R*EzzJWD0
zX9C6<D78jNGy7sA7$hw)o;Ok{HEv)W;q~Qo1Ae1gQD7+_@KeASjH7^GYe;Z-v==*l
z!G`4b<Ho$>TYU%It6%f!JDP(vU(m;wX!?%+`VNiHh}U;a)OW;FQ$Ij4n1$G(n|u))
z!2qSlX-WE-NAxqX&1W+F7V!#xCN_c%C^b;T8z~GwbjD+H#$G;<Kna0kypc!=aax*w
z(-r{+m`0jktEm};n`ZKkc&$18oJLSKbp*9tX*3N2(OF1)BOOeap&+JHAzcfq^YmgV
zM6pc3b|FbV7T`vDKAyowFqs<1`Ge`y+OIPX0*Jq0Mtuo0-<sl^PHANSxq&FN?+c09
zyYbwh|4vS;wZ#cUlfa)S*tPZ34gKOmO4cT@zu<LZC|){>gg@gRocGF!euG8--_V2A
za|5v`diYB%JqR*S=%GG6H^}31mvw?)>!nXLXTm?DSpHW17qKYiU$HyV9|$r}lz)Bg
zzpy_DkBe{|_cx`7CO7Y{vf~fz_g}=~$@Cz|T&oA`{tNh*_?gqcEB^a8t8tirv6w&&
z;PZ{=2HZXuVm^f+^EUs-6#s2bTafr#xc?||^pCfP_Vq6oH+1^l6U|>eHteaYtN(e;
zg6Ug@e?jI={?S2W(fJ|19ADc?Y)%gM>v_EPIw_Zx4PGi7R;{lyO4k0{e^0<_yta+9
z*!CAq@(PCm<_u1&wRPxKY-ng8b8WeB+<H1HIanqyj@RbN`epX7Q<RPxJb6}JkqsT$
zuis)(0SG6oqn*%^AakvbxP3c#Vm;0a*JB>9C{+1=Hm&EV=<#ngJ|q^U9uK`fRF4mV
z`{5`9LFQWid3<Q_ps=neJU+xDJw<B&>uXE97TeIh{eHh#T=C@WD~jMh+rPkRwN?S%
zyEHJ6xt4dc|E#ZZzTUXXa|%w2l^&YU>)zd2J%~lo!}WhO^w1od5M(huMDcm}m=5s8
zq6cpIOOzg3{`tZv>cMIpNGysT_SEtZg3J?os88cSJiM!q194n5Rh56+=UZH8#~;{_
zi^QS=5Kg##V1FRUTwDGpiHi!taS`+XYn5+pa*4zIi^c9l-5UeNoeGKYFUY*czwz9d
z<I-s=*V{h)Y*_U4Zxxq{#nEw;g=bW>Tp>xu<Dl~}QZL9{%YUu7v>+lb<wuVEd7#yV
z+gCdpmx{#?%F8cXjkt98Y)-4SA>0>$-w|Z4<=qW&sh@^Wp2Q)XmWAX%E6+<?;H)0R
zqUfP&j-iJ~pb0@1(?b;F(mWKuPxQd?Nx9O)54jgcQ4dyesaO;}RQ%S^1N#R-<_SI2
zr?@oye3Ij$>s9%`u(^7X9e-dyE)|P-qw%HVphSs7rF{@&t}XwQ#HA$>ap`o$|ECpw
z?s1lXv8Vuq6X9Qwd5wP~E@k~!sC?i4|CPs_<zFn$J%=7*{pTtq%s<bm6J%cFzcfPs
zGgPkMoc31s8XNJceg7jCrTsZ?S!DYo$UMgXJ<ET|x|jJWHz@ue-?wJ*Q#SawKW;4+
z*EW4A<4N=nidu16t!;w-JD^`C$Xv_68~O)y=O@NECC7y`l^*`pI=IAHJ%~lo!|<~W
zJ!D}vr67yxA&UJ2Ok*vI7`L9K^w6WKe-!m#)jtr6qKDMhh91~I2r^ITp+5Bw^qC6W
zK5#qn8&&>YF1vE69e-fIeHM!fKsb^1L6Et&{7=$9FrMc#|Fc!T-+O=2zO^>mXZ!q%
zMX7&dIvDkj{jnhP82?y8A@LEXzg7Gn+LN^XX-D}Ni>vo+yy%N@Pmf%FXZ{u6%v<?0
z*8j)&3NnxJ55CR(S1SIW(*F9wvySpF78_&L1_GmS|4jH7WZvbU=XK3d{MXEFx7iN=
zb?YDe3GXBIQ@@OUruUJGMe#q|Z!r81>tB$$mVa~qfae9a#5c6G3-6%B7B2&vjBreU
z7ZrX@)|YqjA~0U!#Y@8qF=&>DUj^8@25XR}QxE*=iiKqQdVHFJBY3|l$hBHdX5SWJ
zg%mGAGjL`BM>+QJA~yY#PrelMyucfkj@~*w`&~Oavfqx0#gpkskhxYz)^S844HZAi
z&tGp+{NLa2(vPFZzt!_su~@quTZI^+6~_4mnQQrveEy0jZnAEa`_pq3@2j`n*kn<D
zwB}V?t^W~=>o;V#UYJj`Vh5+y+IVoDjQ3{>GS~8M_Mi22ULda!jd=cgv(m!@8_&sb
zRu5uP^l;!+Ll48T{zQ<)^bpPQl~Odx=I5`sC_P+@)%4NRgVp$oSQI@Bt1|S!{y~s=
zLJ#$Jd}W?0|8raBpJAu`?Z-u8Q2_`i+&;X6_*#&;w*0N*BGf;Li#VOH@_qD@0*Cn*
zi(%r`2J_GUSde**|013Lcr8c+(S4apm!oTgm+jIhbZGMRH)c4q?kp*#*At5o4~hS)
z_#o2%-6{oxw^i^bzA66G|L$j-9*ZX)IQr~y$Y&J#L6NWN=vb?7)DiEJsNIL_NICk;
zJ_^xqn>PQ-uKgCR$X;^m1$%~#-I8CIJC0R0F2}t)<INOPbpkoon5_2>`CSxv4}r(m
Jo#}tS>fbarfr|hD

literal 0
HcmV?d00001

diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json
new file mode 100644
index 00000000000..02cc1f19bfa
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:35:09.0701134Z",
+    "event": {
+      "action": "modified-group-account",
+      "code": 4755,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "Test_group3v2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A security-enabled universal group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3v2\n\tGroup Domain:\t\tWLBEAT\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "PrivilegeList": "-",
+        "SamAccountName": "-",
+        "SidHistory": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113",
+        "TargetUserName": "Test_group3v2"
+      },
+      "event_id": 4755,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4685,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..eb53aad92c81cd2722ab1e4f4e45ffe27a52997c
GIT binary patch
literal 69632
zcmeHQ3wRXO+5Tp;S(1=!!Zlt1p`r+K7Z6155H5y*1S#68M3NLF7n+L%p)@E8Rw{x~
zu_z*yUldeSP!tLxLJ$N6ji^u*s}}18ELio|=g<Fsv*+8H4HJyh?lv>eZl2AVotd5Q
zJ@0wXcfNDxoY`S{xoK1La;WCZqjr=d)hLE2MXPzrzx_Gotm-%a?TbV&5M?0BK$L+f
z15pN|3`7}-G7x1T%0QHXC<9Rjq73{b1H<xihfFD$hCY7aRa;ulhcPIyv>{Q~lPj+Y
zoNfO<+gW(B*+=FpwDb}E*nsF{EYUHq`3O<lIHG<ShWNR!eLwM?$6=FSEn$;i->UOp
zSNnP2GVIH(foA|df2RgX&Z%J|UtNp8`?%U3jdRm*&6jFihtK&>y{f=nZLbRz)|$sV
zbU>NL^B7Oyl~LLEmDd+kX~~*KiP{|#mV4!!y#3KTw`Fe5J=C|~Ym-{9Lr(atL5=89
zY;p$q^-^Li4WpYVhYF|!pXcN4yHOq7oE%GKluvm$Sd0U)T2GpS(@JPMT}EB-S4@+!
zCkN+bVY@TZsn}CQh4@rRxj3^kJ{Mwt7n*@%1xUM7SN!$BR#)nc|2aYP#UY<OT6Og)
zl$DfQ;dmcq(o9^rM7Icm52~)d8n~oHzn&FGV|D8{!B#fTD#FoTc&CXNuejGs833D)
zgG7EmX}*a{5AB<IX*iYY-^8J0N{$&6L!)up&FYMAvKpAk8c9QOtR3DymK<NE{rd@Y
zB`%Q#%BCXwQ*{VTo!?77k3WWdUacYh0y{+MXT>+53F@?|V5$JeJpP8{^`eYh;e$v#
zdtWT2<3uj2JpCl%lRVS{A6h7#4x8nr@p@TI(@*iRL5*7D16KilJ=MxbV^DxxEKCub
z)A&lU)D|D4=G^#399@CKGf{4Z;4vG#^Qp1a%nRDb;=^Kf#lCkngwd%wr$caR4ghcw
zW#b&39<D{Ksmo_2gp{Cs3H11=QH+)VwHUr6Ehfpt_BdRSAv2Ny^B#W!B`}uT@Fj5w
zEC1P$hUlj;jyxTS(E4kfmzJh#c*55SGzeEL0dQ7J333{^uD<~#``9UPvG?53h}d-C
zN}Q)!zLdmrsjkk44RInHH^d_YWjgRu-B6%-M=%bQCNY+TgYinUlW}4({uGKhiu18+
z<)Xc<PaGJYqPP_T{P7eQqowF_VrR^+TOrXQI5P`ED$sFrp{0=K)vBv?0&pT1T;GB?
zov3_Bfx!jpiYHcULB9lq4C;g`+6_t>j0&5Mv=7oD;G#1Gkw-V+3tY;bv0VrnS@B#J
zgMmSu^oq`LC~hvcQXmgdOmrU3@QJ_9P504N$TM44`A(!JF<yToYU8EGI2F>=-%v6d
zv_LN7s2RmkBOFB)z!tybC_z6@--&-|_>@A)cxzM{(*}Dyy(;*Ec(pD+vGV99_M2W5
zaXBuUu8yF(*K}Z=zy~|7Y~*tWpmsVfPo1ENQXJ<T@|nM(3+|gYzHEHO$W<@(?;CT`
z_N1CD1l)DsaZO^S5#a5oKd-tr{p-UmzTbM}A4RAxd=^SA7n|J9@@wcVEGco<L-iua
z!hZII{g86I%gXvgp%>nX3y6=l#M{RnFcwv8G|0}^%daTt2|Y<5nv1W!y2iQ2H{wIS
zk%=5;lP5`|CVc)S>ii3g^ZmL5Dgp~RFfWBGKG&1v30S&ReUmLJY$+k%916a<Sz$(v
zZ^xVgCp$i|D>%Jpz?q3syMb=h6>1=rZ^j0`*;C=v9a(_GWGKMun+8f>0A(Nb-HVMp
zHmdPm>s&SneBYAYP}}KX={I;6p!#sRplWcrbW@hkH!LUVZYJRD@{ngPpLDRx&8a6T
z9u~c*LTJZOVOmfVItOW@+BSdY%7-$9FUX*NP<}Q_iOVQ(r6OH)?4~=aGeiN!*fSLS
z`i1xp*=KkWv_t%gZH9l>txoV!+nyD<2ai8@N+allU1SMe5A+;ll)`ykg6hy6bu=BG
zY8dd0r`oP?HQZip$N1{C=f!;Wc8}pQcy;1`<*SRo<#;Smq5I5C*}(CamEXc{_^5#2
zO2Kwbzr_^uYcQx~zcm7BDzyRCBU4AE0$t!WkS$hZR|R*-fr*IpFGn@LQ+Avwr*-ji
zBT=p#B^7~jR!xrX`8e3i!(Y*YYr6GcvNB`o9hdAKK7MO<U9LD@dD5$()h>Dr!dGV}
z6=<Qk4N26>7G^JLg3NFZz0`m*J?+Ygs(Vp6_Hg_=0#q(kxtzQBkj}=><v+Pj{QnjF
zd#QhFe-r;=al^)pHjA@~)*t7zN)!GC*%_5q7q<Re{7-(kL%(y;jIdx=qZC@<9SGf}
z1?-ISs;LbQ&A11_wK5O2lH(6n%JpddXHZXk>V~MKJI*LWpp}DtGeItUj+)&C`?jb?
zOWhehAqzgD05+!Rg3&*-eppAWr#~tkO&XFAe=kb$=jzCQJr;{rI!Z)67G#dqk##*r
zy_R~s0{q{l_@6&D>%;Kz-$$><Qy?~WD*9`nSZqv5y3{AB15LsGK)eN+WBK=OYnXnC
z3Tt^gWAfbbYu;+T>G&RhOWv)bOOB`qb9E22YWT$E!u2Bs^<<G^rRTKn-`FXiy7}2v
z7JgPNO8r=qG)DKcT>-cPSOuA5%g5|zr$d<RXHRbzI-lm#GU3YtZ7}yOr(>J@Ry=;g
z9mo;zzkvwpOn!F|zBe638``ru-CyedkaZw>xLfJr%f&+@tOv0udRS`G!#qS_f-I_s
zFzSIzUlTpB+gz;lFk#aDVbsF|7XCpjiXIC5q5eUTxk3-wKf^x+M!&e@Ux4?S<FC+j
zIWGTcpU{cRUE-%Ds{Ehbdg41f?SuXJNi3eLcSjM;DJ0xJB%*x~WR5L=>-b3<7>u9F
z&`#f@a(yDHGUooU#jnX0@sn6A|K|h!N}-4a-@GvKOQ1<X?6e;KSdclEe{=i<!4omx
z(hgQA-k%@k9s0Zt-tEUlVzK!?YW#dQ?gky?v`Q;UAbJ(N3o^&@?u59AW~FYt*4z%>
ztMo8!=Y476(}PtzC>BKz1KthQgCKK-9_mv&sE?3{Ke$ho|6LoFhOzvu`blC@%Ky&y
zjq+ceNF>NyQU3L{pQPXL7JpEVcH(}ehach(j<n+s?8il7(Mk{HXd?ufWA$Ji7ope7
zyh~iVRPjHl-=;B<<zFl+0KtUYXReQe%w_!3J&&0Ae?aAXanZ3Qk>y`3dJ@ThB@{79
zAz}X4<1NTs#(#&vc(&;OPb$|JENj0fviyrh@jtg74{eVGnalXcbSJa^mnr`Hqz(8Y
zviyrh1t6G+{so!K_{W&2ng0h>z9&qc{o9Q;`e*jrU$Gb@UTrY{+&>d!?&kj?mFwgC
z3+6<Yf3axAzZdPVAagJOJWjD(W&fT(AA9q~u<74wTu3a6|6h5rrjJj2h<i+}!M`AL
zEdQb7LYNm}9v6C8YI|vivtRk$&%d8+e_W_US!{86_4aMQBic5c(<<%qWQ+-ccR}V@
z-kmTm#PcD4Dg8iBS13I+KK{eGk=27(6g_MnW$0l##%KjuR1aaiUlyVVzHjn~(!=US
z9b1G?4_4!ZVo~%^Fv8FS`v*bh3O&@Pal*;w`(-Ot`B(mNTPr)|Z$B;-iwZz6;r4<3
zfgp2i`CE?*p?x;@3;wL~eQ^J%^CHW?SWLszbOdO@`3l0nAafc25Wn!x^X?v1{J;NZ
zY?&SY>lPm!wU{p;7RCQ1k2n0^yXcn*GRN|7j*ocW<}dKJKbP{%^9I5_Z!@rns|0hI
zcwT9qE}9(kyv<cgN13^;ez2n>`+ig`DgeQR>+vMK1({=YR3|_BKPul(-nIMu9X9$o
z_W2i!FMHbz^}(ZT{OaLvJ_8!&KO1jB<}&_Gew6zak175ezt?N~@;Q<0XNtx0XZOxu
zJ_j?vHgj5~Ex?q09$yz^j^*F%N9*hTMtwbuxu3aO>EY;QYj;If4`NaDuyd=ShmO#M
zAdBiDjQz|IJ#c^Haixa?H)*ehPY+i8OtC0>$oh++2lfww%oTd5PyNgSb3gM5RsN?w
z>$uxa`P*-w#bRycFUTBQ{?_qPjrj*_6#spOAKepK{>5TnEb%t?Go^hNWG>^M4nHIP
zOitG-{`Vi7UH!0)_{hHg#iHncWToN%T4S6=khzTi4x#f8o>csopKRG~MMU`*iwZz6
zVf}MFBFJ3EziIvf_miJe`7ZqK(t&pPuiH3_)%sYmDEe>qo}qu{UywPLe{=u9ZR=y9
z8n3>-n&%O*j-FOJx~0|b2<u2JijFD{h3ZI<MRlaF2K?`i*VSBStv?q)#_Kp;r*st4
zWXXe%+Gr2z=8vq#eZ`{a=*Z`xIuc~A(UIH6eW#0#IIep}>FCMH@7}t~hK}sVbz-p*
zp5g&P>&s^u49684n;OU*t0U`v4W7?oj;o(l{O=yT>fXrmFBTPm)A$!;F5@51y)pCu
zoXURJBj<b-S^mYM@Gq&v)q>1r{G+y;`CqTHJ$lS}jUS7s{}GGAyQI>u7i8|{e}l^Q
zvenBzi!A?QQFxb>`JWB{FUZ`@|MM!_`v*Slc|4-}4_YKVsthP5DJ0^51eweDM_h0A
zKQE|UcOA4lJ+l0ZMFk)@e?{~!$Xv!hp8II#f1}F&y*oE<i7fwOQTUfs^e@O<#y=hu
zXXgJ!mF>4*c!ZvasQ(d*!n>rxzaVoN|9GCEng5qmw)^?#O<NmL{>5Sf5Lo$tLFO|4
zkykVSn-u>g&ByF`HlqBC#pZZODEEISDI~1_)~Q5-%w_!J`C4ZFH>+Gfaeu}m&qb7f
zv8Vt96Xt(jGa^CeGXC*IG&BEyQTblpef_@3@-G&H#H$VAUy!+sf35K%GyhvuuFL*)
z&$p4~Uo6(fzaVoN|H!VH|E((f7Y^$;Wqm~bk65(ge^+xNLFO|4kKVpm_~&(gFRSct
z{agIq;p5+GU8Pv8$$ui&?(q5@LFQQgL)TSe9i4ey<u;Y=>fv{44THaTQupU=*X{n1
z)$?`4V(EbCcP1<#dSeu)Ra!bYe-v*)=2+g%_p|HkeAke5bX*@_QF?f+cvp-aJ=nhw
zBo>ExXgHQM2k&gM9wy=~$Q-K&>-#{abyPg>c)Q|%{^8GU@o&FAibbi97mqdS<3!B=
z7i5m*-wE|mfBwJBKj-e?t4a@jIwX1R)W^E%!D_y-SQI_vryF`;|18K{p@(d$`*Wg0
zpY3|)`5~d_*6lg4h35IjJ5>1(tr*n6PWjvS$6`?d2qw}#3o^%+zqLO$J@1C+N9<Jj
z_V(=3%ntu`tAAGW{lucwzfIQ~^>3)(K;~Hf&HmVJ^ZoSSvy%BWoK`9woqcWlv%;q%
zt9e>tQFPQh%h1uU;l~A;Yjotcd0N4Fqa2^_QaakUBBPZZ9ocUW#A2`^P#fGHus;%H
zj@6NMdw^WZI0dJ#sa#Ji9lSQhMt|8p|6;KfW)j1p1n(0_|45LzjQ<aRl_dOgT)bQH
zzjyzvb&YKBU$^$yYP>=$ChhzryAj4KjvwH(N?QT#zl#2mAagAL=JvS0j#to-0q-SC
z|A^B)N)HD<Y`H$NdJv1EhYzX@J*<T$1X)xMVO*a}y)W~nh#uH2zOMAJbkOK9>cOhN
zEEYu%e|XE#1N#R-<_bO3r~YyibANfSD*roo%zwd-Kd|3Ei$$yQ-wb66GRKy`b$m2x
z>s)D{Io+rD|I<TTZftC$eYVfPSUljT!)F0WSA~SzXZFW}%w_y*q4QYYP`RG-#<bZ@
zBFev5Q~-hr^UwMhWG>^sGi8eYxgB~_<$K=Nlb_q+-+p{57RCQ8`aZP%5oC_#-wE+)
zF`iSJDe(xW`;{Il?wI{$Wc45xMGxm`p9cFY#}JPQvZx-y7@x8phM4tmK<VM`St}x}
z2eBx6m=zPM2SFCqLm2gd(#Nlm!!OA18@;9U(0o?;SCRD(Vo~()Nt~gFb!f8%SyT^U
z)WdbF6MR8E@O^@}l^!mBc;AWe>A~tgfmjqh{5c_14}#1UdT`@&JPYN16Z@AcrK9Ny
zr#d#Z(GRd6hl)kf(E-1qBkqR@GFRxRzK)afZ&eqX+nINi9v)l1vr}aCAQnXrN0SXb
zaKBKHMfDKIcIGra98`L^Zu`xhBdZ6oD0(=Q5~>G57S%%-^$_y=^W1K{tMt(8*yb+b
z(}PvqAr?gsjT;+!;Pyh0xk3+aj5~t!6L?<vdrC(ayuPW}j*jX!{%bXlUo58J$r4_m
z7^{%{h_Q~2SllSc9IK<ydHe;`%{-6)eU;nUt&88W!@K=>Pb@Z`{^$cuabLXGY)-4R
z2b1tyIH<pZ%(1*XVcb!lXDaa?-w!*a^pMx>u_NKrgVlXdu_$`@R}DP~GFRxKKHUcm
z{%$tkk2tK#|M1+KkJ>5!y7}Q${2qvhMy8HRg~`Bcpjfmjf4&bc$Q)b#*7reY&`k4v
zpuZ|QKFYhr7XSABu~-!TyUsQI@kaP$LFQQgo#2o0bQ7ch&AK?E^zg^*v@e?37>}`E
zAH|{q5KN?f7G#dqgLQp0&EseOKT!Fu+_LhD)QIvg7K6mA4d$Qgqabq`|A@iGA9DJk
z%JuMepKpjP|6<XK|MlQskhzTi0^|8s+)p^FvfsSv?I*&=zg53XEY{?IGx`R-5f2D5
z$MPTAFT)K!bHD5(mF?m!2d=2J;dkuE0b+5&j*C(&(Jw37$7z)|5Pjhv(L)eqj^*76
zaX>zvAzftdm;FuY;n^RyWrR-;R{b)uD0=AeMyMVHnJe^AFZ*SzgO64DZ~fm_!dU)R
z>lehLl>bxvjq=ZqH;}oa{Ojv|Ir5>uEdGGwqED0__KrI>){Z~0-!Bl03P3R7_TfZ~
zfy}Xbu<jR(ph9z8`l-ry>%5$Ck>y`3K0x#Ugb;l0r|>VxT*iM1brSx$9{gSLpF3~U
zmAfJuABjcrhwpq8>JJ5(WBGSNe59|F7Jta;F{OvgPJNmgSv`nF(Ze+#hw4F)MfDKI
z`_kR1gvvw@d|&!ArHA*6*G~wa9<1(5i$&4HhEGEEAjn*y2Up*hW<C8w>8Ra^%);>L
z$SUp@i=v~!$3k@^$XubLdK-67Livkd;rQcorH4KbE==ETBkr&tcZ)>@AeeC6w-C=#
z5M++kgLT}Ed`jHM=@%;B_k7$oW=}-<7mHFKFFe0}a9oW0!Gg?X{O41?@XzCuUn>5~
zX6E$|AOBY4!D3PPpVBVCe^c~1yF&kh%(483jt66Yzl;a>#<Zlb6z^a5J+jT<{f-IC
zy|=3et@HLr@7$KTIrmWCey>ex&0Z@Rt2_raA}=;a<6Vr4_-@2Ttk#pJAY>}RuQpwV
zC;E56p~={jL-~}2?aoN2Vowq26F?~!XLiQtLhSECGjOZ`X?LuZ?Mgkc)s=eVe-7cH
zgg8=yE0{ldwCd{F(9U<T>={&DeJ)^}gHmgZG_4;t{C?7W6L}+<l4AzN5FTGnH{&y^
z75SF&0WbMH{uuIkwT1+TNBgkT<8Me_FD}eGzSVcYy?Ql|zM}<L^Y}gd6;0nUK;NP9
z8L|3~Tzy9@HS+=#gISCny2+QY;rCIa7%f3R^O$}nw)sqk-!fLgPs4`40VVtLc_WG8
z2hMn0&e+EX;wa8{k~iWhE=EhyFWS<_08>cwYSq<)anUs15v#SJU(!g*piZE+8;zmC
zAUYjsAEZNQ913Cv<<SkGI!iB>JQT}hZ0C{WV-YT-=i^yy_!Fr~jMv|Y+IV%wK>+a^
z%&0eE=36to8&L|`zi%MQ?Dt}P#va@^7_f`eDy<@pXbSif1v|EWI-y^jM~T{G_7}WP
z48=>wk??E6!}DJ~-EXky{}Xz!x^EyBMGt?kp$9?c3O&@P`vzHD?y^qsgkJhYb0>cv
z#`3r7zlcRC|FS)y{y>nqqWtS?|AqZQa9o7rxUZESn%=gj(vCl{-+vK{wdp~SIaUwW
z{TJ{r@iV9YRQwNUUL9fn#bO*afX_GX8*uxahxrtO%-#H-RQ$I+Yf=2`!TzJf(LdcD
z+Sk8W+}QaKPqujN<nX5}ulxS`MKiVu|ANe&{G)@$qVqz0nVxp#*qj>d*YkMojZ!YF
z8oZo0yh>kZl&Jlue^0<_ytb{f*zQ+Nv+{-m=1fkjwDss!Y;0&Cb8NYA+<G=DIanq)
zj@M?%`epX7)0B=HJat}7z6~AOuis)(0SG3nqg~LEAaksaxP3cxdOgkx)?*&8$W!@#
zE~VG#@bPaoJ|q^U9uK=IP>&CT`w=JuLFQQgd3<Qd;GnK3I6lN9J^5<?8|#X@71+?d
z{eHh#T=~?TtMlPMJG{tgl~xAcyEZV8IhJ>`|E#ZZzTUXXeF{zslpb2l@6jW&dJv1E
zhnxOl=%EEPA;_Y72;=?mu^r)yMGxHa7b-op`rD;p)PvPHkXRHw?5*J+1eq)JP@l$u
zcz9PI2jaMBx+?#6FSNYWjz6#;7l}m$AeeCb!2UpxIkx<3iHmZAaS`+XTa|BZYGH)=
z7mGcJdNcuwyA=}QUy!+tf8)L}$E8Io*V{k*Y<T$eZxxq{#W69Ij(b$JLLo`S?VyV=
zQZL9H%YTiyG$$l3<y(&YdZ_i}g=-=jmx{#?N=wJBL0r0L4yRSxQ0@!B?+7x-^6rGV
z)JsDtOX3htO9FDBRTrf!imV>QqUfP=uAzrVp$S12)k7HL(kv9eNA$q)NvYDqkCQG9
zqaLi{Qn4s{DEqyk2lfww%oTd5PjPAR{v^jmH>vV}aZA+_JO03aTq+jvMB^(bK#3BE
zO8X$l99#ai#HEEHap?@j|EFbr?~5$|Vo?DICc?iUa~uCgT*~?{Q~6%_f8{45%fDEh
zcL6=Z`k$nbF#kNKPLR2c|Kbq+&s4d7tLW{FwKn2Y`~F8PO8axs^3e82khzTi`&Rs#
zbuaT%ZdUw1v43sF(>D0GKW;4+*EM@N^(piZ@>_FSrEP}(JEC7E$Q;YR6Z!{q_b0|U
zCC7!clpg-Kjelum^&l2S4<pVu^pK9(l!7d(hcNaJFpV`oWZZhT(nHV60b$gGRsTRN
ziXM{N7<yp;Ajn*yhx*h%&}S-e`@rqQ?^OAB9e2$#JO03a`z#g}fM6o+gCKKk`Pb4v
zFz)9w|8rEn-#@Zs|2iA(vwi->qSU{!9gX_O{#cN?jDIYlkobtx-z)wP?@ie8Ohow?
zi);37y6lSy&x~4eclOoa%wP2j*8j(N3o@7S55CR(mn;6C*8cJ0a}niVEH=Ta4FpEP
z{+aME$lS|6&+D42_^+PVev2Lc>()Q`E1pN{rT(e?P0u40i{gKF+-&$C*1sTgEdS>I
z0nZC;g?C_S7oI_hEnWsT72%lvEGm4OsxR;2MPR(di<gGwVbClKpK`EuJ=P%2pq}{D
z4GYQi_4qUsNAP@8kZZM^%)Twc3MpQKX5dT*j#BL5MQr*jn><P8d4abm9ld>a#(Q>j
zWWOB~i?!)UkU3UI)^S8U4HG}g_g`;S{6E<L%8$dxzt#O$u~@SmTa6f^HOBb`nPd46
zz5j|kZnAEa`_uCj?`yW-(sW67xaL(`t^W~=8#ZRNS)5I@awn%%+C*@ki05YtGRN|6
z_Mi22ULda!4Y~h%o6^HWn=VL=tRBRo=;7dNh8{*>{fQup>LHxtE5&G%&G%n#S9-Vs
ztLek12dnWFu_$^NUTNro{evKLg&ykd_{w}${uj2&KF3b^+mDOHq5=?1xP5pR@wFgx
zZ24QqMW}xg7je2k<@@**IT7YxECz{J8_YlZV?pLN{_}PIV>LewLic4lU4^a<9=1!P
z(V@xKpO_Jub!Q1ly`QW=JS6_F?1NDMcZU=Vo>sxH*k<^r|L$koo)x(Vk3V+`@)?bO
zQ0QYiI@RbKb;7eGYWCqeQKtT|k396-iWXect^bmh8B6cDWbg3tTeItO#qr9<Rk(H+
dJegv;P9Vn`Q}x~<KZ^p-A#nM+GyV6g{vSD_gf##F

literal 0
HcmV?d00001

diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json
new file mode 100644
index 00000000000..f6fbfb1cc13
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:34:58.4130288Z",
+    "event": {
+      "action": "added-group-account-to",
+      "code": 4756,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "Test_group3v2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A member was added to a security-enabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tAccount Name:\t\tTest_group3v2\n\tAccount Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local",
+        "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "PrivilegeList": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113",
+        "TargetUserName": "Test_group3v2"
+      },
+      "event_id": 4756,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4684,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..36d7f2ec261c501724c5c294316dfa5b7c308081
GIT binary patch
literal 69632
zcmeHQ3w#vS^**!NEJ;W<;Ta!*peTa81q6{dgohy@K}73=NRoo&L6aasC=H5&)ruf0
z7Dc4;7X=j+6orC_JOn{OBPtZds>S+13s$ZE{^@sS@7b9R1IB50nwj4&zva%(&d&Mn
zcfWh?xv$Bfg8Yn$1$k8c<x?jrkZKf1l%`d`<UjtLc3Rb&|M5*?H;6G1V<5&rjDZ*f
zF$Q7`#2AP%5Mv<5K#YMH12G1EmVrS9`2!{tO+p_(^g3Bu!CzxgU{PJ7v+EC89J<>6
z|7_=#woMAncW4?Q`l$}lv3Q~*e)Bg(Efa`(VHo0<zV`ggZytwDel>+netoB|e_fsD
zbBl2<zZ#xC`24*ZBsrs+jY4%V{_W%HcsQ=jz&&58b|1dxzxApFcPD$DCj&awE@;yR
zWtzxiJfT;E{J*{W`rJw_RnsV0yM4?Ozx<MqKYHiZ><#$`diHv4T=Uh)318K(9zBXf
z&LF>DN{**NbR*?a5tZTd9J~WJs4q99##1>JQUSg!#TW5fSDJv!%4jlOOdasAl*Z#s
z9<Is3aeJf_ai)Zd@u`^dab<gaF2?x|G!@?!A?-{Z@vjSxI#PH1pBFY?8u7`eRaG5F
zSxLDSj}A~aO~akbbc+ypzpAP$flEsCo9PKOQn!91Y~|vr5`5bY?+g*+rT6+N3t$WJ
zB~dU)T41cwL+eI<8cb94U*fA&N{#CmN5gU1P3nqobLyDL8cGB4T`Rl;EIGbS>-UrB
zGTb5ulubnTC+ZNGx}cu|zF-^${90W)8z)5RrzO^*G3v63V5$h;`GR%H??)Lo!v~Rg
z?w)wc#D!c|1^PwA7x}0OJ~UA}9W>ofqxG_wq+jA=gBmr*2d)DAda7A~MxX$>SePO<
zr}3TQsU<#0&AH)?1iBPoPeZvCgU4L(&X>khBR^;#i4XJD9edtY7e*)QoDRUHc>usg
zl#6S0dbk#`rY@PD6j6fmBhV9|dU0A3)MEIOjJOmN+oNzphRjGp%=>~#l*CwW#gD`x
zEc-`Y8lYdsI0|$mLhIGIE+a$L@T6~&s2}cF2H>ogGUPOL-(Vd|4X{(-V(+@O9<k}r
zoj6Y?`B4hXrK*ZOq&SgvYZH-yavk^--B74_hcFJ5CNY+z{fSDm<8fgr{wWj*ln`Lo
z%0+u?j|4D0L2)Yt1QRJCPD|6}#Lk#sw?Lu;aAgjJRHWnPLQ5mfuT@p)1mHq0xSmA`
zI#Gp?0)q?H6<@s8gsuRDENX`;+6hYOj|!WKv<K1w;G#VQQ9#$@2VBbSaa;@<S@B#J
z{eeN8^wRbTC~hvcDL@{gnCL8A5fFc!pBbRbk!QB9@|{c#;{3sS)WT2oaVey!zoBF_
zXrWvtP$Np9diWMq07v{zpd|e|{UrX&z^61y#apB8aV>Dh*X>@uAzsZZuG`u3751Bc
z6mbP^nx(!$b+7Kg+JO&tT)D{SR6uQaLY~?|6I1X#=a8@bHJy9k?9t_;7Y<$iQtzH|
z=Wj`=&O*pt_Z-zAUK#;De){vuYcjt%*yM*zhyGrI>cUr{)ber2?JU0r-prB`cRf%q
zf*hP@PuL47x4W#Y-xvGgow$Jb+opI2*aOC+iVX+Zg?jmwggv1z1w?c4wO02y)A&VV
z#4oau!(8&EXw-nOzffI&u5o=(cR(dzArI!IaK-2PQhXsx7pY&eMTIRb;+F%#H#aNH
zsPXH#Q{ZIBCw2v={}ed0QEJ!I4Z1=Nr1H!7&@a0xoVp_mahM7PSpCvK83>{5p?-UT
zk;i(~eruh}I-%cNvKwhT6D<82?;=zmE*De{E|*Tq@;Qd(6y42)oLvF(%;l2_cDXtA
zr6j_lA5{qL7%EH?YCvZoO;*R|&s_OXhVTVh)C<bbMJaI^h3-_Mi;mrNTXlsfpcH2Y
z;#{u?{~_lLFM@W6U-6Cb-?b}}0@SkW!u<V5pF6G*^uaE&jIINE4l<^|d0mL=&>3|!
z6P{`i@QkLD-Qh~Oy_0>%cRzVv%y)0~7;b}CJN~a?Md^1OkA*69k7;RZIsUTpTR06L
z74lnYIIixum|}kQ2es_Ch9FI+7NB})`ml7M3%&ZX#f7<*;S=)3SVa1lpc>yHCr*{q
zns~XPC|8b>O29a)CQtW#9PAa~U&-97I`v+#ENjv27w#TBdQ)yq?l@X`(#xUM4tfm2
zcV{ORYN5FeN!H5m%w5m`nc*DzsSaiPT2&BLb)yQL;rMq5sJv6<a@PC<Ivc-~|I`}s
z{}=G@r{3wkP5g_+wd=B4%+DoSbClCcP52jNr&L-^*!o}bKmOr1z0O24!h&6aQfP*E
zD0G(=uszDFx;8j8;~oUp$^z6%jz3r_*P->FN?q}(6QYvNxS||^Rvykx1G(%us&^Oc
z+oEbMb$j@P9QcSL*qERTM*qzEVI8ra{-AU;Za`Avy(q<Bsw4aLSS(uUC>ixwkhxYz
z*7X?mTI%sq@PC)$f6m0552MF_54|2wfY{in=&!zFu|B2fQXi+jXbA56;w{Kr%YR^V
z-OLMBSj)#*<7bUt`BwAwM|TCA@@W-aazx#qt9z(b!zV5mt{-WrC-W35T_<(^)=v4<
z%+D^j@Uvo3>c`5I5xSr42*3-0Rgk&1e9V4!GK9%~_QZCf{RuuT8@?>m26NwXGLE@#
z#p5^JfgA$=8;X!l<#+qxcau@Hkv*Fe{iW^?SqGwryOkckoIlWEJ%~lo!y=O&W+MU<
zWHCKNQ4d`Dn&^Su=6t1xG2`x!q8=Ww@DE~9^iULx^bdl}6MD$~1^yv4`o$gpBD_x>
ze??x)arw{tgmzr+5<e|a<^SxaufMm`KG=_+#NwHHcNEc_Lc;AsGTH}0=GyYNj-Rx?
z;rOW>?esk=*I%b>kGnr=@oTC@{3I4D{_#MsDNw}RZ(kVuCD5cHc3J~}EXZ8Tzd3$_
z;E9-TX$Kc7-k%@lANaft-tEUlVzKcas{ed0W`p)~TB(&K5xolD1(|DkcSBr6)6>^o
zV{QlUReG4T?Y@lY>A|WU6pNyVKJP~AL6CVu54EWs)JI6fAKa(P|E{%*qFDY`{Uos{
z<$uTfM)|KuCK6<xDF52pPtqs6#UE6low#4=;m5@NL+$tj`*D$2w9-Qb+6Y1BT0L0D
zMd<Z1?-G|TQv8qWwSI)N{EI~eAe?af%=J-_d5nL$=Mgji52$?4FFCTnS^mYMFPVau
zK@sB=66Svm-h#|y{I>~>XN&&-sB(So;?}#I<zFm{|GDL8WP2pYJjOqkJDK$_3+{Sk
z^!dVB{>7paKsXWo3o?)Kk1<g*{|~Bsj~PGXH|uQl&+NCqVlhm-I$-{}e<sMh&HqCx
z*GKmj&2*N3v1rA=AMLLo^Dh59PO(H~|DHb`dGp1n>ECKxNGyu~Uv`0}k57DvIi}{|
zUy!+$|HyG6tcx&@3q35geM+0tU-|7XpHH?wE>xy0Ho2r~%jVw_Z63^NrFKaw#)QDT
zAagD6ZWtHh^^jLcKakU<N)Ppq{&=RddJv1EhYiCFJxs<Jtssl(A&T>55qjWxlSh;u
zR?KVLBzk(V8YdKsqKBd(h91~I2r^ITp*D>ZjyKPjEmP&c{STX)*(rbfaj95T0Ky5k
z59|*FnQP16dRz$Yv$<dJCzbF0dxxFnEdOFL1548ppoP~f2>*i2WBfz>!auLOdsOlN
z{+sdTcKEMZe011iy?|I0|Cc)2@PF^3Una<0%fC53;&q#6<86N}<*C;VM0?$4XcJc%
z)-v(B(gIyHdFFMS%ax9@^PBx>M@RPks9010!U@;oad-<d*XpQ7e)RuTzMs5n=Q&$#
z^mFX<FBV_+w-^|JM_KpP!{2@eG|Yc4-h#|y{G0qJ_bVP#{MUc4+m<CWo$P0d#foQl
z&sj1PE5J5zTB*&&l6@Xu7i6yG-|R<g>wKfWAI99zT%q)E_~KPNoYjL^6g_O)WayzS
zG$F`hdWd2_GeQsC-*{Z<Vc(6~Ythq#RX<ZKiXL+QZ0LdggCO&S9%@rRv&h`fd_tA~
z@z2`sv{U}}+h?(Ovho*Xt}TD-_^8_YgO!T^9)l0>a+ZIw*b`g4&HYSip9Pu6_@{%<
zNI#R)Rf_+;M`lz#Y$HChuYa*9`X9R8@PExQ&LYS>#($g0^#@NX{wt0(ZMD=<{>7pK
z5KdVC9FGVxkMVC>f583Zr&PX+zrU!j9sX-J&SJGcRxFDC8@*@fpZOPLuI1m{Kk(ZA
zSg6LY@2}={M69Eym5y$1w$ou9iAB-T!UK^y5@azQ>AL~{x8rry_gU-D1(5MNPFE`(
z#Wh&);G;I$gPQpxt8rhkC^|ayd8Cd6nP+t5wQ=9cq9cy$o>4k_a{RluEVrQ}`*EFE
ztcRy~K+yX3Sq8&##kz(DGS}+Jx?h9mbC~1mXBGcD`!B!OS^mYM0&oKVg3M$5<GD9x
z{-0CX?|A5pubkyyEDHaUN?a|-JjOq2yP5wrD%-<HoK^oZNBxgj6y7D3e!U>`Hvel?
zwimBh{F$@-i$&pGQs#dK{J$XcHviA7Z13&+wC{08^&hrKcvKlsj8jO&{|GXV@sGIP
z?0;TRx$f9+XQs3Ki$w(>ynaRWFUUN`Kc4$&=6{{a{=M7QZFH7@u_*jYD*6{>9^)Sm
ziZk>7qRRH$FFZm|IO>1IqVO)M@Gr<b#y_5CXy*SVmF-@^*^^c|%D-4l0s<@lFUUN`
zKk{nkf4$<rtnrAg&pOJ#SZs`kgmV9PoI=9-Z=Oyh$UMeBp08!*e}l^P6ZdC5@|>gm
zi$w(>oG|~h8xaXIkMWNuqM7;sv&#39&TIBK%fDC*6R!@0e?jIk{<Zq^%=~Xuxi0_b
zJ>NOYzgRpO|ANe8{3E+&{x_-YpEs!2gf))(AF*h~|Bl8)g3M$5AHHqA@X!1FURK%P
z^w-3@qsPD1zDluJo&RL)-QoQ^g3Pu2NA9b{K05Qh%FQa<RfF%)>W2T`NzI?PU9<Tk
ztLN*8#VLIz-;p$z=#62VR%)5x{879GnQM7B&u7=x^{x^7=(s+<qV(`s>5e!%dayqa
zBo+txXfU=khi5if4`cBbWUkeN^*oSi9~G}V-lF)QbMSLp{M)aOVo~bj1tX36I2P;w
z1(|F4cSC*DpZ_oG&$&DJs?tM`HYt8P^|5Apuv%{{7DW$*nT8(NKMOKX=pmPC{+#H@
zXS<$yeMscBHG2+hv3b4mR#pB37xt@Tr~K{vW3i|JgcE6>1(|Eh-`XFWo_E9RBeto0
z`@42%WQYHn)jzBCeqvGT-}-Be`Zq9WAagDMW`FFp^?v%_vy$~SoNiY-I{li~r$tXk
zR_nCHqUfl5j-jKg;l~A;XLRJXbz0$dqa2^_P&(SYG^?2%9ocUW#A3K1PzT%|us;%H
zuGNusdw^WZI0dJ#sa%hp(tlN&jsCKI{>5T5tR#j*3C|Nq|45K|jQ<aRl_LCeT)b29
zzkBcW)%9%fU$geuYP>=$rfmBpw;skTj_%{MQd<h`zl#2mAagDM=JvR@j#totKJTSU
z|A^CFN)P)!Y`Vr-J%~lo!v~dy9#%mUf-I(oDDKat?iUBrL=Ws1Usrlq)Ngnc^<dRs
z7K@^X-@j$(f&GIZ^MoF1Q-8UExxc(ymH!=E=e%IYAJ}i7#iCXDZ-6odnQP16IzAe<
zX_mClobFNl|M8)XH`KS$KHKMCEba@^!P9`Gqe8;%Gy7vf<}v=Y$aO4ls9eu{W73QU
zj`A-S6@YNU{ImWAnaB8VPuZe>Zin7f`JTP$*yncmw;!L1Me#rLeu!*;1et63cSC$y
ziszJOOFY8qUZsbHx6k;}Sv`nF(ZgBVr{Vs}5yT^cET)Gj#;2@@0cJhyQ+l|2`cjAW
zAQnXr)8iubAjo2Rh@u`)`uHp4@C)+yjowmvXgs~*D`)+KSQI^cl3?gzHQH=J7Slr%
z^>FQqq(E2?JWuep(!&K0@A*1<da#-&5R0ORKP5%#L6CVu4_<tZXR*vTv45#lI+~nx
zylq1p{Q&!Ms8|#o?F$+@;(nMQ^MsCS>o_U@t?FWPJM)gx!(&UfwR2VvVo~&PIMvVt
z_X`DCOb=0PXHL+=ex-+Nx7^g;Sv`nF(ZhkXNIeL$m>#02hlsyF&+W#$N)O$RZ0Ha@
zJy^vZVo~%^zrLXdZZ8CxC-mUOxFftif!CG4r*w4g>+4JH=%{AnzgFw`#bO$sEa3-=
zkqXIA80%<@&5eT0wK|Gi$6rL9%<K5ySGk?hy!0JAyxWiW#A5x)k3P^4^WxoRa9XK7
zn1a8BgZeATT+6!~#vS!_rV{V*eAoe{hk{Oz9g3bFtmZ+*qUhnD)$}09JfVl$G!Gj7
zyV*P+aZr{2!C5yQwp0E!^TX-*dmug<nm#NYCPS~jV$rJnc^+JlxwibR=Rv2^H1j;r
zUlbi572Ir#fBXJeEDHY}XBqx@9elDNb1naF@W*(%iP8UNT^v$+_(N{S7maL;$Jnor
zVo?DIC(=F(GS}+Cx;~oL@iYG)sC;kVxa`t&NBI|vVdB*R^Uw8Bka>)M#Ngr&IsH)O
zdT^`H*E-9;ShV7Q4fq#i9^=2rc)k_)6Ar8FH*R>_*U{tOs$V7+tMk7BeS_|Z2LzdG
z`H$?EVS>-xFZ)PkyL98eOSjwbJNDxMu{dVy`RUuyFDu!@X{FW|ec_+bLl9)H<=qW&
zKp~zXU1IK+{Z;AV*&jD&MNbb_{W7sAdg$^-q#gvBC-hJ&`(><yk5&0^`qwK_EPt#0
z3t~~q|Eax3`R67Y$UIU0wRK*O0_ZP`Kj66N6QzgUqmGZX;}7ij3&f%V5Kg##_&Ux&
z=2|^i_X~zlu{kdNROP#QLEb25`4@{15Iq1PgrEB<{0lOV@n1&mgnzCFe^dPD&t8Ao
z4oBl7u_*rVosS~@p&)ZD|89tn^nKFe4>>)e^l<U<PqUrXgIE+jT=j9J9t2rT4^f<#
z?o4G=E_&d3>CcoN-Y;D<CVG0XnwJ)fqKCDgMCw71c|s4Ko|k4l{axv()sXDs=;_ER
z?iP!pqy9%CbtK3<p`%(GcaKB)i(ldR<8!5l9uMA`xzk46VL$E`iwZzE;kfTkJWD~4
zxmFL>aX0cQaUZ8&sC?h^am%<}j`A-Sr9Pf_PV4Zv825t(naB7qq(b4J$0xs3{FhHF
z=p8-&t;U1JqVPYVRfzwF=yP_2{soz9`HvhA#`=C45AKd-Nna`6zwCKvv%&lAW0v@D
zQx96_<B#6CHG4z;fu6ly8`qq@Rw{OR_NzyJ91h336gLUnfP;9gD@{PiREEFWbTOXj
z-vM8Z$C*4Tq#PW#M>-K_N=RP-O8L05Jw6xXd<U9}?~0Ii#$MTu)CET!sXPA9BRrH4
z-<07F=1)GYs%i$b^F1v4`c+k(2^eRf)aoP6=!Jt|khH*9K1ik1xPEbj$CuMh_>5{r
zfyMlVp8~#M90mMZU4p}-JviwL)+N6mH|7)H=_lY`{hCid(FCmdf<FF<rl07epV0V<
zc>P4aej=V4`2mW-%*P4c<V!dR2B=<~mZV>KM86Wpd?mwg8n57I;2>CsQUis2kizgo
zS3E9P?BOpGC?Rl+4-zRMPD|5o+BCob(@67cRaO0Q(+oZluQj17Xeeb-J5bw+Mo@nc
zor$yu(g8FI1u>Nh=z36{qZdm7ie)^G3rO-Y4>!{D@hlF4$<!duAFM|${5s<xfcOn&
z)SIyKtr6b!D2?pT8;CM{y_lG_3-bnjc5qs$ElePq0RBY5uC1SL=oc4IvNoRm1@99>
z@zPNw{2KG{oL5iu8!Y<&h90cu4aB18;cwOSAjmwShuSo6ki+FJ`vkw%OP^@g_#dKJ
z{#N}Lu_)zVzAMrn2r^HUe{Jo*us;Zoi*OwGjnYHITX$`@;}7ijU&P|c^dQJws|V};
z3;37#nbUtL{`)kpa+rUym_T*l^No1}Zl4RVo<fj$oBv~q|CXoCOME@tf0Q`-=i5X3
z`WK7q+W-E^Ca)bE{Pgx~f4FYm)Xl=bAoC{w=%BIa{19KZuT=#OCx-j=JYIW)l*{ru
zFBc51)b|-BYya)PCtx*R+frF<^{a+C1%m-|8mE=o8uTjG)isd0wp=)FJsp)CERz?<
zYjb4(GW*v_N=J2`IxDWwhK}slZ?UKVgcH`$4(LdbxmHKqz8yHR9_NJXF^^XisC++{
z)@^w7__rD#5{pug2i+K|#|Odv5R`!+b1nZoJ~W_zSXUGtAL5aoLUsO))uo+^Z0O#8
zzh5jaduryDh47zkUgWe=D+li#>lnyf%e&cs*48**Z(L=bg3}_UhbD8nba7S>Vo~&P
z<DU&ZG=U}rSxgU6oDUz_7QR^Yz%75V(nGVqUKB+=Sd9aTMbX3VYW_ixc|s4hX&i`$
zclB`~j*BL%@^AG*(~Io*1N(82SX2PQ3AYdI4+NQO%l{;CQC>JMV*Y=l@~urQc9?&$
z*oCM|1E9EDArbxsnb-I?=8ZWnEm67N^5JKLqo;qXxKu2Th@(u*QPEO`BpK5|=VPQ^
zkhzxsYH?{^L|n>Kj{JJ4`S?3mIvSUX#Sf-T8MP8|>8_caR%!#eF95$I$Xv_28{$$w
z4Wt~2LpUu9$$^%ipEl1~J%~lo!}eK*9v+1z1X)ZEQH)D-Q2aj81IH&*lpcN>cTp7e
zU=^2&MbSg~?+iV#e-LDz&_ivCOT+V%92ecF%KycUl?&|n1N(8QSi}>JFB=0TN*pTf
zgCKKl`JW^%Eslswrz-wGE$?}sv;2!i1t6RV|ANeG{2Os8>%Uy(`_BKbIOZ(>VsZAl
z^a$&JoI=9<^O`zA<~9CHBlJH_<@&9Xx3gB+h)?bNAF(Ly&-qIt+aE#ZG5+scdNu1_
z)~DR0_<v&Ws)bM6;NSkZwOCx;=;idM&_5__&S|B#0s3!?ewiS1E&p!lAJE;O7~_;2
z7fx4t_*aYIB4_m=7DW$3&N1|miPe;XET)Gj_7AX(wJ>7bdWO<N*X@0xs0XY5fmjqh
zq_!~h!2Usyc|s4hsehoaRN(f3+lk+*^6xn6s>OEvf&KPbEGhuuMA`>I=GyW<N&mo@
z&u9K;s(inHXu;mqHri+V{EJ1Ye<Rx(^^g6rAoCdi*g_%k5vRXX{2$z%wDlQB`4@{T
zcdx(ri!sj(TY7iymEX=;em3j>W4r~K$M^@|X8tP_|4(awfAKj-`4@`~uxkT>QMi95
z{0lPg^3UtKW-0!wX1CsGhyR-O5B`GZk@~53dT-P7NX4S~pRG3;{)hE1$Xv_6xqrax
z0-NC-+S-L@P~wQUflWj>ray}cpC;<tyLb~AZ}H--VFeg8%fY8S99@S!NK>gRK6S!I
zGJQWjO~W^MzA4DH+D>NQ7GZ}JZ$UF~W&+0)oZ(Gu`YV@wDdu&7H!B^zeR|e=c64OF
z9TSTu(~%%^t&XhYh(sDBew625Z&Ca|*!!}NqsPD1{Hs{3-j1z64AC6p{DRE2{725e
zV#ZDOjdFi_w&H!|mYW+c$c@&zYODP}VsY)dtQPZgiI#2Sv{D-j&Xe){OhM*a-p&5A
zwyq209ikEQueT~aJhcAYbZ7M-7DW&HUo-SD1p7|}SxgVn9A7C#lWd-Uy-n%idhDi;
zo*t~mSHz;|VeocC59}WVnJ4s6YsXjSsPaFrS?(Ej%HMumBo-BbaKi1wyNIs^nQP16
zIxa%}lemb}xhmgBFU@n9f3X-QUL7$1?2iSR*Z42g`H$Cv)DPX4$#gloHh9=B4M&G2
zSASxLGyBexQo2965b==szw!?v{on0UFnC%8zv3I=KmG51w(PnvfB(_vjzd1f(GQAz
zOh>zFeWP}GmPGYFTsz9vANEmzep|`ht2*^wuq<oQ?HBGIJbF`ZP3|~a*|;3{?tmv#
bOx6kHSYx8zJLG3k;5h^y-*=|}{i=Th2*!as

literal 0
HcmV?d00001

diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json
new file mode 100644
index 00000000000..bf000399f21
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:35:09.0701919Z",
+    "event": {
+      "action": "deleted-group-account-from",
+      "code": 4757,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "Test_group3v2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A member was removed from a security-enabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local",
+        "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "PrivilegeList": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113",
+        "TargetUserName": "Test_group3v2"
+      },
+      "event_id": 4757,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4686,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..e937545b684857234b3b751307a1d66acf3bb8fa
GIT binary patch
literal 69632
zcmeHQ3wTu3wO(g38Iq7p!ZSVqLj@7!Eg*=zApr~l4N|mL6G>7YdC)v02&F+$pjr_`
z#iEE*t|+LepiwADk+-0r5f!Rp)k1w>3s!se-rRqk*=y!ZIB0s>IXCBgGkn87b6)G;
z|Ni&dYwxr7$%w*&^eKh;RQKaiJF1Xs6hoAv)jj3k{+)78?Hm90O`<o5G7x1T%0QHX
zC<9Rjq6|bCh%yjmAj&|LfhYq}27Z)*5rqZACKpdbA3yLpTUy13F(^=-K(wd*zGnkx
zTmPT!Z2EM>eB&Kj`-r}8M06^a=(yK-gs5E{(EtoX{Hvb>KXT0zu*sj+u*siq)cLQe
z{k(5E_7&8@GYG%GRf8nw)v-~e?#0(Wp|;21+;rUY<vRD_bL{xkfLF6mr%otSa4Y40
z{fWQ6`r3jTEm_kjQCm1+h4&(rOWywI?c1|A7aZw7U{6lkdgO%98q$Ow!zO2tKQAZ7
z(g?bl@~N20@taH7H&q?noE%G)R78b1ScU_!T5p<+)5>W&T~6KbuZ$*PPd?7c#dcSu
zQ?RF$O7N?M3UFpu{4T-%ZZreOijnrD?)cXWTivNI{?8AZFAMwS(Q0c?qpYOdO2+#r
zn`Yw9<+?=(d`NBWwZJ7M`nOqeG)}jEGi>GItWq59gKxTs@yh$Wlm)OwI7sC8ljfVK
z^w6<|molhAzY>R%DLH0H42{8Qx2Q9|&TV8MYZMK~u@3n9SaN)uj_)PVRk%eiD4T-p
zPthSTb$&1TJpLH+d9}v$6YLPBpA+ARCaBY<fT>~}^Y|N+*NZZ4gC8RCyaTb6i4(c3
z3iXqSPx4SJ{Ai_gI%1ZW#_MG<O+UrM1~p2<53U0IdAf~{#-aeZSePO<r}3R)sU3bu
z&6)ao99@aSGf{3O;4u%p^Qp1a!VB8R;m2Zi$NqOWhS4cHr^9e+J^*kL<>4Hi9<D{K
zsVinBgq5IN1bTebBt}bsT0*`gJtoP(_SLu{LuMoa<~{xdN?<Iv<05egtNz}YhUup<
zjzS%Y(0V=2OHWrdJmGH%Gz51n2XIzPIdU4fufGu```9UPvG?B5gxGZ8PMoK+T$IFe
zsjV%74RIpX8{?6IN*#EGZYWT^BN+!ulNd|F;drIlNjR|#{}hTiiu18+<)Xd4UmO^o
zthf~d{P7eQqowF_VrR^s+aS?lI5QVQD%Npxp{0=K)oN>X0&pT1T>s)Yov0#6fx!jp
ziYHcUMLz|EEb4+P+5<`%iVB;Fv>(!8;G!!8QAju80xspQ*e(H$tavVqp}-(cdS%x*
z6gL-J1&{|QCb|G;_{3iqWcuhD<e9Cjd?!+~7_Ywxwe?a{oC;~`Unm(3S|FEk)Pmxu
z367!)V2i(Tl%Sud@5F!U_?1G*_-b^*(-wO?eeUNQ;*(a@tl%%Y-}Iu0t8mk?>IkZP
zT?f_$e6ZunLq2B!YL_$e)CHQTz;VtYpZN=FfB(GkmE)I=TK)3C{xKJCPpZp8z+F%H
z_5vR}dUn~oJ^!tqH!Q4}yn9>u$f+sV$7i9`yx8P+mOsO9Wl4#<9<CQbF7~r09D$VE
zT~^j_O1$t+TtIxZJ-$BnfU%licMqk&n2&=(y?8`V5(wvFyiDDzW9Z71uq%gy4R-pR
z-_X^-%UAPNjO6^#)$w6hXXCm&@+5hv8J~ZtIzJ3&HaNYBrt10$A(bm*0$27{SL$vi
zki%q@kJ*(Wln@kK?WeB2B!sd_oomf=85_919;h?H(l78WhPXMuzJT-Wp)6k*vYezl
zfq*M2M4q{PGQkozcAlh0u*f1uQwKRG;@gUv>0kNHRl<Y)<8d8db0hA+&2R;(_oWa_
zPpCK(b$JA|I-cO``4ig$|J|@A!AI?SFD*EH^7(7w7|wR=v_`l#52em!9za&AON^be
z@$MZS$8GTGf^X@9>o{J?TDI`g{Tbu8=GCWujaN198nD()Z>!inu$Tj$oPABAR(V(6
zl4gx{L&V$Lwq#xV#FdLO{->tTTJ}P!_HgSz6bQJ6ur8<8)#V7>o0%%r-66M#Tnie3
zZ)6y*r4eO&I#glv9sK6_s|x9z_|2cHHD%u{&6D`6-^`SaT$#=M7Ivcm1AZ$7+jadG
z7bt&*!Yuo(kw{aiEeds1>gZI4qJIX9McE<gL{M=BfD5u8EXVqk!YGt9M@gm76YDZx
z_k0}e72+Stwa36Et0Gvg;q2G;(RpY7M}o?`RJP|XK4OXg<a+V{C-Cp3fvE!x{ENkn
z)md#9=Mil<$!U!y{0lP2@;~X3P6N*83ImGQK!k1Z4TSE}0(ONS>S}{SGwwlfO)7-X
z;rN4<awA&*8PprUdLSz4i8Cq@Xys$yOpwdIq;7Y?x-F{HQg?;N%Y_FlhK<R(VD#Ut
zAF0Q`RXWNUmJolRt@T(en&~JJ^;nQOR!8EW!|O5Hmn!UG{#PQsTk$`CO74e|<G-I?
zk0(QH3`YM97K=?ONtb$#I?x>455`xJIhKFlw#J#4s<4)~vnI_QzxK_vO(*yHTk~$!
zK5|5@w~v7~8^5?*xO_MSU8Gp)J+0^0R?4S-es;BqpB0NzKh`FV)%|RD0A32Lg3Phy
zWAwArAx!qOXST~-&+uv4@MVEEnERH~vCVxe9>3uZ<Vg76K>YVZes>72n~tIl@7bK`
zFZFRH)`95Z9;Jsb77w>s4`NaDu*{%`dGSPoEUJeH>VZpN6FsooT&(mkA?JYz>fu2X
z{~#7c55@j){~*X*p@+PG!9N5>zqsRHjPDP}U*YF+f9uD6LKiM~iJz9J@_%mYSKnG`
zAFTI-#NzpS#}_>@g@oIOM6?fr%(3Nf9zSV=gYi=(+Ua{$uD?p!74tyE;@4!8_(?2Q
z{r$lK6;Q;2uV0+_1<<4*cG>`cEXW+ozcGG-;E9-TX$O}o-d`B)9sYs^-mS+)VzK1`
zYWhMR(Xzvw)@bDkM6ZH(LFQQAoe&q%tkmkC8{5JAlpdz-ygxm1dN6AT#iHn8&^zIJ
z5M-{<Lqlo@^$`;B2luP;zkB1d2$sKDKS?Y~`QQ0osQlL?5(zR_lz&6*C+QEo#UE6m
zop?a$;k)?5qpbJ?>v54-G}A*B+6Y1BSUs4>Md<Z1?-G|TQ~c))*fiE&{>7pK5KOpz
z=K3heT*g1$`>2us2UWfommXhYFaKiElSuxnpokoWg!$iquOM?7|DDhSGU)$zD%b6o
zcid+$|6)=6&uu5e+ap2dGX62$$;kh5#ecu_L7&^pzgScNf{Ex~khzS1jENfge@Nwf
z!lc>1thUfUv)=xS#USx&gZbzFnILmF{|~ENpFCJR$6o%$q8a~Qw7-JPz5Mey#R`@E
zdw+lYjh7;(f3tBRu_*q3)g_ufKJg(QDW`#dLFQQg!^ed%FTyx3^oZ2<icaVL@mK%)
zyb$Z-LgmV0t1D`^Z~GO|whT^dv@4P^CIsFEnPYi(!nhF6hy1DZ136u(^w9L=cjw!y
z2eBx6*gQI<hv^uj6=YF8MDTf8m>&4K$)idSYZi5G6*)bajT4GR(L?dbkRI4S2r^gb
zp&^YEPBK0(Tcyf>*KfDAu~Pol<5IDx00a|mAJ`uVGRKy``M40;XJfzM_bT6q501XT
zUjD^mI;N&0Knu=S5dH<3%lL=*g@2xR_n6}Uy*FYjt?*yJ_~@9)d;zg2{x5la$p5{A
zewiS1EdR#%i05to1YhfODSvq0K&0nw1{QIZV=fcVD=pMTlW&~2xmxKcyP(Z?R&-?D
zkBUVFAeeAH&cRoZIaWvY@}vKy^8M7^doSE!p`T-&f3f(Ax9xBrJWBPKk9>UsXqf*z
zd<B`y_&4}b?pHjn_;31dpY1E=*xAn%i&f9<pTA-bW`J$xv_@Ni^#?q@F323qztN92
z)aQ-7R_C;_pSecq;n?NtcH655u_$`jxizGR&d`J)i|QeQ{md{uaDU?orH4Z|YkMN6
z2eW>rSQI_v{vo6X_78&06?$k${mf!xKl4dd{-;lL-fN}&t+&r&@oeQU$Q)b#=J8RT
z`3Gwi|NSzK?X#DEvDhC=yp8=#X`cm|%lN0G&q_a&({+mfgU4srK4Kw0vaWxzDEc3@
zE9C#uFwP>#T*iN=@c9Q%DgLWYweGOeR{q7J0uW4C{~V79GMDjhn18_i<fm1>OTN8q
zuoeF6H_l?VK2|J>{#(2o(m(Sr$Q;YRv47yU^|4TmS6^Sv^XOPd&nO+;+GelKIueVb
zqoqf}btK55I?`7I{{N2G)m>+;zZXEp>o{GnbQIHU$wQA>Xb<Y=kIcq>#iHow{m;U6
zB*<K&Be#wFP8S_<T=%Tf(NmM&xox!t9a)d-#9|Y?#RG!Ym(Ma7jw`C0hmbi|N9O$+
zym!SIS3jrt-#c{mefIJ%78QUq_!nd@;~(REM*g2y+3)`Td0*PgzgQIhC6%~ZkhzS1
z)OI8P8&tN(jJ=@g<F@)Au_(MtD*bvv=5GEss%$S`v;2g;{EJ25T~g+MHvGRJb2tAl
zsB9k`{EX)bTlF8bNb$tuS~&`d_#Z*$GX4?Q8~x9VD%ahI?9H^7f3c_l1m~}a{so!K
z_{V!6jr>=u?BBPudW*gMi$&pIQqjL4a~c150icopmsGajdht<u(pLW?7KL|7g?~Zj
zGXC*CLnHq$t85SO&zrW+R{q6e0uY$_e?jIl{*hNB|C<#5<t@kVc+OV-#bQgmXP5iG
zISL8uKP?q+hgZK{#y{S#W#oUe%H@*}WIg)4t^A8cp;=Pqe_jhBLFO|4@kTTw|9?=~
zUeR;I0ekrui^994!oMJM8UI?-MMnO&sBBmM<KA!V<zFlc?~)4tg3M+7Bb!G4x2kMk
zG-ANy4Yv9pu_(Mt%KYzcNhHWz#{aQ977PEp&hHhK?X7=~zbA71o2{!9i^994iCDYC
z>vsg1WBCtXSBZ6W#&wn3RCa4K?$jCw|K3Uc-?v@A=SODm*Aa^qgQnk^uz=|G(VW(3
znc(~}d<B_fc{e`KZm9EJ!`9Jpef*=+!{cSUW31@G`g0($IKo32SkfGPvdMawh_4`X
ztRBpt0~yv)@x0^hivRgXKeNQY_4+6lr9NIVE>s^UV*bA%b1eT(sE_*l|7HF;cL!fp
zdg#|F$!n!P)=v*+^Nq!#=%FYxqzCrTg3J|q$fNqdCp!Gyu0K3KB>dd^y$80$INx}O
zD*xe2hcvQM{?`4mSX2OliL}px%(3Nf?vD-cyW#l}J5|2Dy}Pxr!hikhpV@pru_*O#
z)6YZoZ@52%%(46%{juBT`{{qrO6J#ax=ZQk+@E(mCvrM6o2MlfMMr&eLpr)1eq4~b
zMn`U&rxlzx%JKPbrK4>tv)WkEk@faKECw3_wZZKH`y)Z-SRI+S2gs$2Q*gRR<$7Yp
z&~+&m`pee&7mIB$lNb&q_?$rcM}o{{{D1hfB;lXq;=PLh{Rd~QZ(@P}`nAVq;}v2t
zY3C<-O)y?@@(`yr+Dd5uRrHSpnPd4kw#N;1yn==edN*16N1X0cdN}l9>kanmK`e?M
zKBx)lVI4Ff$fA0P;QCzZd$}(~^uTWMHKm7TL&ii<4`%&ku_$`@&6^=TuzwI_uFyk6
z>Mu7l_Lujo^1pM({1>hG1MBUxSTrmD%}}Nwb8PvW$48^L&Xx9=(*uhC-#xr#YEujC
zvvvN(;vqjBJqJj-D<s@Lvp*JOF5_PdpU3jL%JrPrr_F9=EB|6q0SG3{KkHwRxs3m=
zlr8$_cIXY2?|EBKeP)G!>+z{r6#uj6pW*F~AagALPKZy-@Sf6aiAOj+sPwRO;p{K$
z)q_|RJzSuD8tkteM?50PqI!s6e9C$lX4JzWrH6ZFt+ZJWVo~%kD<)hIf-I_s2<ic)
zkH10=zaW3#=uM@Emb0q9wAVj~MbX12aUngdN1H9kqI!s+9&T8Z;0x-3pA)>L^l-@|
z2fm7&9?YH-h(*!E?-RoHAjn*y2RFXQvqYXZv45#iI+~tvx^r_2{Q&E6s8|#o9rA~C
z#QiWq<_aA()NxY&Th%4TcIIuRhsRg!>|(DT#G>foSaL`Y+%FVlQ9VSkojF4fhm{^~
z*nUe_d-Wg|MGr?(!u24?qI!s+9>V_qJhvO~C_VH!zPVfE^k5cuh(*yu)21OkaC;%h
zT%iXy#vQ@=2|Ta-U8SS;uWc%`qNDna|C-I?7mF!)vxFBY#wjG<W2~by7B>nq$Lc72
z9)B_QFwWzDPvv%YTG`uHc()$!iN&VVAA7Jlo{RUH&1sGHP!j$Y4(hKUb1d&p7<bg?
znM%CJ&%=%=JrwqM{Qb!3!R$GxSQI_{qmCW~nJe_rke-7E|86!vk2tEz|LELXj#(-H
z`uX8h{5=p4jY=Jz3X_4)V6kXc{`?$VkU6&e&7XtLpqa+!Kz~wnd{lU=CH}4ZW3edw
zcb^;b$JOx3g3Ph}JHa30?IxlAH|yekrH9|<rGMVS!g!4J`Y09^fM6o+vmkS<9?a{b
zVIDv8|AET)t}UysOtqDNu^1#?Z7}~_9|f7q_(u#b{*coTRjxBSe74bE{>7ph{~N%+
zAafc2#i93GaX;ah%6`k{cYGB&{>}PjVzDm&o6$Gui+DhgIhOzMei<I{8T(})sce^R
zIdtVN3x3CX93U1a?6^2}7y4zT2RN<K2BR<hJ$eX&%(1*XAr2_QJETjE{jxtRJv{f_
zwyenM!K_~<7DW%eUJuuUAajKt8f3qWb?~t&|E>T1#|W0c+4=>sDCPh3!BF|<#fOl&
zqWl}`b2;*%zbyWM<DyTL9`;{-dYl!1V7*@;78QVC!tKLXF(G7*)q{DzU?i0o<I+!6
zzS9cxueO(evG^d-gAhXSy`RFrAafc2<<v#^=X&rL#ec!PO;_!<H9iuH;t${cDBK?k
zGRN}og!o8bCoTSv)8k4Hm!JML+g?40MbX1`ABXEfkVW+n!ROLFshlcB5ByyEgwn%%
zWg8|$P7h|!rNyG?VdE#^dJtr;(1WX=OS7K-s&v$0WOhm9bYvEHi$&4V(Bt7c5@fE>
zQG<=Ub5Q=`S2+IoOzENDLw9BFwGek$kGsX90uW3%?z;=`QV?X0)q{E5jeJVn$LZ%P
z-}ippE@q#t{EJ1Yj~89oF*q*9{a``nGX9IGNciXR$uAWDl`{(mMvi~8@nEqi{7>!>
z;J-QgoZX>+LFQQg!^eX$zhB0K`(j$smx}i<`oF&|#QVYtE4+887p?R5M{nPry}95>
z{{ee)(%5SyW0mKSCgjED7<|ic6W>&9#A>~1GD4<u{MDw*@kak{I5Y`+@~Mb&vE3Ev
z6znM_eF7*I;LNW0U4s4HXa<fIBkhT`vfZf{wz^Ya{GU&FDIt!O;||7O9<8=^Hnj6C
zEPIC3)}9X-=b_Y^B26EF4Zoi>-$dR>rsS9*F@)Eb(=GUoYDK=~e85XSk3WWdUac{~
z;n4x?^!OW-*NYqTj&JlGaIap?qwi=1);xX>U!v(d2I)IAJ|kA&QK0XLr50X*Vla!b
zLpS*{HvB$n5~C&PXCBwj#5SMF@LR_!`03d2H=<-;5pN_h{J<Gc$QcLtKpe&SPVq)O
z#l>hT`b}H=7+?x%UahuvC~lh0J7Tp~^ivu|S=0s8_Move6hvnt?T2(2U5$d6L4|Y^
zsLs`kr4Yq33EPDv`B;P->G^mL8~#LU7UT6dp|)O~aS%ZK1vBbPnEBQM-zJno)}I@Q
zG6%dApS2Iq4F>Jzv_@MRM>HAyiGm$lKb_DoE~G?l68j5YCx+sslSue8;gR{Tp6NGO
z^#2Jxm_0WTi=v0W)X{?=bA=un(sP4cE_Ycc_?2GzL~|$oGlJ!B)_)O;QvQ|u!u^3D
zb4B?#)cy<mgW$Lb$8mpCdT4(8zFk)Qf%X22SUj5^1es&?VBUWL{}MlQ`gg_upq8~Z
z^Dh?Ts1baA=(z#6&xM#zA;{d#|0%_PyK@%BzZUF2N*w*;?V)x3i^b}$zj><Fo>Ljm
z?7HEfH!hm7P52jN?&KdGG!~r~;>-4QsKVxyV85QnYo|)NtZwv5VMdL<&L~m)Pyamu
zv+>$?%3_C~HP0=~0L+=3)@U2htEg@qLgv_V;kfl&RC2IPZXB=8mG#T)U#BS@HG2Aj
zm?8^0vR=Q%q5=?1SVy~|BSGd^9dY}1<ji`U8?47XUQwv>{d`KFF_GinY<x&8N<AKN
zbD$m{1@|LS27=77{PXzGu%SU+QE+^SM|z6X{@2%+^(eNWd+YsvvAF8#IoB4!e|CC_
z(;BT3ymxODLgrZBjsCNt#`${VD$gl6EmnGHHNRIcd-Wg|MGrUsA*6>^(1ak1>LG&9
z!^d@oFBUy;%U`1O(B{vVMNkiB<3M6j^sv8<e-LD@&_hES2jbyfeH@76qUoyqJG|KX
zGAsVTdR!zH6@XyE?F0J*LFU-<KTBMcAB>Bb|6i(nYg0;W=3gxKBI?x)DDF{6gnvQi
zHvU7;jX5qYRk_~&;fajM>EA3a6^mnIC=<`9Xr)4uh{r(}W29b?IhOxAacO>7T*{9e
z`SWnvq`TJI8kdU24=O6IUW>SN-yBYBwBg(rfZq{hj^*76ajBPvQ?A4zoR$aVK&vlK
zS!Ays#G>e7*W8dE9)l(XSyT@Zj7xJ-{2tK*$0rp^58vlp7C}9j#ie3V^icWhkRI4S
z2r^gbp&`Yk!RM147u~GN|D`Q8ORV?<>v5@A#2byTngAtA94hUDAaiW_pCv9W35!c-
zDE>dK?0>(#{EI~eAeadMg3N9FhvHJ!f2GRzUH@Bk%3l7(;=K0sDC<8*Az}V`PMsig
z8~<ft`k$$C{buP~S?essr`G+CSd{kX;uYcTk05gy|M#!Fo^>ztQ*KfGKY4K7(q}C2
zZ++ZaEUs_yO6t?-9~7l=TBB`-{yU>zCdeGizZ3cgbk8TDaY~L0XDL1WcU%85d-Wg|
zMGqq{4Cx^gvnd5xR1XpCA7C15QP{ZkY^8_Zy9Py24`%%Xu_$^-ZX41A`v*bh3OzKW
z{((MIf!haeCw`^Mzx&nKEw|zithdi%Q2_`h(mn_>$Cm$D`Uj!s`ON<umGAf7UvhB0
zh4$Gx|6)<<-?+}9`p5oQkhzS1ETNG2h|^yy{*UfY*zv5b{ENl4`!`+w`GjXjue>Mk
z+OOxY{t4^<V|)df%lHT1M*gc5|IcWDed&2y`4@}LuxbN=QLuj|{0lPo^3U_S<|_Vc
z=XKm-h5!2X5B`Mrk$P!h>OjN$NX4S~pB=Y^{15A2kU5rrWB-8X1-8LAu(S*Bpu`q0
z1Dk?yOn(;@eofJrckv=HUgE_|!wNBImWyBc*t!vGkY-SC{OW;)Wcqr1nu#NLzbVKy
zTTW)(7GZ@HFF_08%mj`K?BPXh`X`S(Nyd4Bw<;aIb#B(XR&->&9TSUZ(~%%^td7j%
zh<F+yew3fT-lq6}Xy8>JM~;89=dWV1ZacOHF+>{1`30F{`44~oiYIQeZj}4e^AzuE
zx8K@)NnWJpRhzB<5sMqEv)V4sBU-hS(;96eI8Vg;GX<Grc{lpchB_~hSBQo^f4yDl
z;o(i~Q|;A*SQI@R-V@TpNUT2*WKlgta(tx>O|tR%>m5oDH(@n><n&-Rz9JSy4;i~c
zdSL$`$Xua^20OkoUzPtwZSu~uQvTNCBC)6d1QTu_-a&jV$Q)b#=5Z0~pTtF+E>QVC
zd1b!M{ENjP@oIzlXMZfn+{S;A&VQ`try=OROs8wmwZY4FX$(3vdHNeO>{)k~kkt37
zrHF^b|5bhv?*A4_!QgEb{E2OW|Mb86*{=7}g2N}DKMnbeK|d(`H62~*^o_dUT@rQs
za9t={f7wSN`fa5PuIn*y$*Qbn3oqTDF@9@aeeO73*|-Mx?uIv0OxFqISYwLbJLGp!
P;5`H`Uw5Ye{i^>1E!~VX

literal 0
HcmV?d00001

diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json
new file mode 100644
index 00000000000..e199f55ad76
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json
@@ -0,0 +1,61 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:35:13.5502867Z",
+    "event": {
+      "action": "deleted-group-account",
+      "code": 4758,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "Test_group3v2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A security-enabled universal group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "PrivilegeList": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113",
+        "TargetUserName": "Test_group3v2"
+      },
+      "event_id": 4758,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4687,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..f261d5310b41c72bff6a2fd9d99b944997dec9e7
GIT binary patch
literal 69632
zcmeHQ3w#vS^**!NEJ;W<;Ta!*p`r*vcnAn0Z%6<`K!Zqat3(nCl2`MPAe070!D{7U
zR4j^!@)rda6%++QiaZ2CK_e<u!K%gjfC^Sy{Wbm0>^-})VbD13&ObB1U4F}*o!9y9
zcfWh?xp(fJ3@ezFF{L1%>V7<GM-@_yVu(_-x~Kftzf;bredE8rN%RI$2BHi^8Hh3v
zWgyBxlz}J%Q3j$6L>Y)O5M?0Bz>hL8tYFfR$wgDq#}9l?msas%3<@l0OqBiDs^fvP
zt^dz<N@sNV$asg=KBDg%5uJ!7I_fnZA!-*#)DOcDKlQWsN3MAcHu=*UHu>|7I{!7b
zpZ6`nzDafP48ZSi)gZ}Pb!-%>d-1i8sqIlXHv{*4vCe(?96LVe%YcqDRs){-)3GDU
zG@i$J0-t}6^!@R*c{N(Hrct7H+qk7(xsta(eEXK1jgt=c?f2@0v^B^HpEalnJ%UZn
zAb(y=jHO|81Lac@mE-qZe0|regBz1$sgeq*00+x(AXe*1lW|%(mCz;B1^>!uBKG9t
zoLp?DBb|ahrBsYx#WV?LrsH=p_IIIaI97zTJ9Wjs9@y$iz43p3(0p0gFOODRdlF?O
z<yJh_M>#YdcP`g0Lg0gHYkv-0QlfvK5l3Tm>o>qw9?mMo(O&pwh!`)s+e_I1TZn^1
zem`lx@k$RJT6igwD)cLHD4CLD2F1`QoOYu+<Llf;2C_!bP#kNIua70ix9RX+0$q+<
z<btv($o>=^0#oPrlF#FhA)i-kOh3a8QTiG2jcA-YZ3>tw!ZDA(F?qcx<2Lvq63^Qk
zOIbLP%c?*>iTETBwZe~9N~gnScxkL&7E|?8JZw;-H2mNyz@I1E_-Hf=kc)*WVsjeb
zDVEydht!<wUyq~9aCkb(tr$G!fp<PNmRfj0`xyLKsP5SJ&c-l0Mdx$~PR$1ZE}}e~
zqtnB+h&6TTjD)Zfl#4)*kDA122~bPOmt@2w8Q8u8H)P0+B*47KpFjzW<rZ8d4q^FM
zjcJH}8sjL?kqE87#CaJRs)i^0J%I+{j^zN(YAHuf1NZeeqGTUC1upiU+nNxY4%~_J
zbefBjST41-g|Hz`Wc|8$WS~+9UZEQb6z_1xfzl+#l5ikiX?7w`EW<yAB97vG>{_{K
zZ|M^Uh9@g-g#dp%#l>hTx}4Y<^XFzrbO_GOg^-GL++1iWq<OX4TAcu#$OYH8C{8D;
z5K>@pfx6;})mqV2fRIg{QAN8!DT7gAvyk>dIs{y#Ll6aY9WLNfPRDjJXk^86SqugS
zanj4u<51jOY!yHrpqS_!oZ%CHJt@maS0c}BUFAEGn#FkiO{lGxn&MPQQ~yHAXwU+=
zjH4D5M@?`PRRCN3jiUtpJbfqr%fPP`O2${CmtxvtkEhrDd_#QFs=hj><X-lhUKDW^
zZrV>BL3OX|z&e8uc3gSL=QKd=d`g}=LlYG^&N<{We@*AzGiPk&*y<50UhLmD=7OzB
zby*0w>vQ`Y%NNJa+s|Fr`0`gO_R_b9SN$Rj)rHSOsSU&?x3l~idJ{`Z-1Shs2y(HX
zJz*wNZg*K(zc2Q}J8=Q=QN0qf2aMH{;o{gmSD@I(Lh>b`Ui9*7Y<rSGITz$b>Tc&D
z^#!i=>#n5~`OC+RrP#!qdXj*aue?}Y*&%dgO4yY{VV@fe<|=fxCvY`i#kn{;bai~#
z)j7B>4>)6}*=cd+Ab;1<^}xv$T#(9@-oTYTm8CFt%&!cgj18ddqprO$gt7^AVYF(V
zOJCr6Q+C6z&jL%o#<vI+gY(-c;CQ<!%jbqHC+Q9(;KmA&XD**Cu*40eCn*jVy@Z&7
zs!<ir!Z#7$R@6-Y%5SbxD1lS7od&rTp{%Y${bui%1~!XuZ<b&wEO5O~GiWL;Oig@#
zIr5NJkNalop5(ey?wF1{uwyKzYmqb2Zg(K)j+&VT|1=EsZ!Dqx;!kV~{CCaD1Ru5Q
zSv~2%v1iA_*`4m#NsVxA9@NNM3@}y-1dO>f?C$L!#clBEjIY|_IIL=A**A-k1}b!)
z=_%_t{xb7h*bN^Q@LMVRO~U;a7YKg_qY&6{4M&<vZBZyAQb(o&XW%oCEmr5%1b4`R
z@rd*<MdiI+cKlGD>*M7{fEA9CxRe9s&7O~gy#o9zop*J&{)?7pFTU-fJ(*)S=hf$q
zW0fbp5{mAk#~^%nW;@VAvz8LI$~*EFHA7}NhhAz#IiB`aM76!B3VS&I9S$n*P`RAF
z@Sx7dPvt)uxBhYd{|x@U)IYVqfq${MZhdy!g?U74k8xU~3IBrZ2Q^n8w*J5PpZH+M
zerLl0vtU=E6x!e$2;HRxOh<Xu)dq)V+=JlyS%6lB;}2HKweY~xs3(4PgLb;(j7qdR
z`Perd<Z`{M+g-43i|Vx0>F^G@@X1B6F<BRk{+so~I$}NjLFs71kc9ZVQHnoRN2kUg
z^{vNZ(M(5)sK<iLu{tuZ$Eep*kC%b}I~D(Pr{o@v9RGdvdOR6oW2d5j28zX|l%z|2
zf;!L~+z-T8kU5rr-<HN%7pbt8x3eeC9=qzzv<=60`&;vF6<u;fJ(#O|pjE>!E*GvJ
zDX1s&6)QcbcK_N+`P9$Pt}yYlVo~bHs-)4npY003)xavq99up{KU)G}vY$P*T}VI0
zr-j;J?pt#F&V4H$zu^w#aQNRqtn@>EcMz^CLD7cyY)<u;x<6zch#nRwJ$$insLgs1
zi=v0c20hF{1SZI$dWfJNxb!vA1G~+IN)O{E+#5kX+-Kq+#G>e-$RF+>1eq)JkoOb(
zLtylaJO12n`{DR2{9KO9f7~Z@=5m+#X^|@bXEq=I)=K+eJ$@34XX_nTL~{xWw-1SE
z9|W0W%ilbH(gp_Or%JTbcd1+-PudZ4Z^Yu)WRv(wELMGWU%v_{V&2!!kN*N_QV=_>
zg+CT#j^*DNKSA(B%(t|I)r$A$MtX-nXMuO?agkVTxtE$gmq)bt0H-xtc>>WZ;9Zb8
zmUkz_MKmLI{jZGe;N40OQ@7uf5jj1WwS!_&^f2I^a6JezSLmT3wS)QyiTHziRQcbz
zZgB+5->jb`7Nz`ee=k)2D-($XnJdb_q4tyX2j1cjs?bi{tMu?){DBcx{DJkjNGzJ^
zp$ct;Aakr9%;O^TdYN~LOBXBtC-mDe+Ft&}q5=?1xP9jOD9BvKKi&0^k^lQtz897r
zU1Tr+V$qXG{>!0=2?`1GzZPFX<}&^}2F9~R|9@1uK5t2f-S+Y?7RCSEd@Q^@5@asp
zAJd(T`d^~>?~^g$b9?z0iwZz65&a7?m+_D1l1BdTSNR?{aprH<Tj-xzZ-2#Nka)Gh
z{B!?Ikhz=x2UM<)?JJsPFaKiEjDIiMUqR+x{&}2YsmlIc4<CKwg^20jY+OhzivM4J
zp{9>d9L6)IH1IFT9Ls<BxDe*S7{`Skl-gd=@ytK{_NPBjwmvRYt}M2?w07&3-x6)f
z<g`Y+G#O(;;9Zb8mUkzN3-Nr&tE3;u=`y8<rpLZJ+g?40MbX2?ks&>lV2oCfMfDKD
z=Vf7f;O8a}DLt&5->FsP^k6nlC>BKzMZ-gSVE-V<T%m`CG)_3t_`GbnD*qjS*wV&I
z`CE@m#i9ZbOt^hue;~*lTmI(bLTI0j{ep*8z7Omhd5*pOi^U8~O-FzhoUb7K3o@7S
z5Ah5CJn!xi#s7P6#8z72zkc!25tI1>Vp05G^4O67dk6h8LFQQgjqwrB+x!{6*5^|G
z@VtRY&)W<v;^JA@Jg>As7frr#-sTFWqnt@?zO$ku>wZ)$DgeQR>+uA91({=YR4+gJ
ze=6Tk+_~%AZ5H}D*7+BUFMHb#^}(a8|MJ1FKLr}*KM!9)<}&^bew6zak1GC~zT0c-
z(ph%)GsR-nGkfMPorM`-8#%4f=3&Y{kFN_d$MSFVqYd?WBd=>YY3ygNRC+ja$?Bc<
z>Om}u9=2}|>7f%eA;_Y7h+sc6Ob^`OcueVG{|(x!k<)`&KT|A<9&%p_>4E)&AajKt
z8d5*A$k@+(T$TUHPdn|hQvTN4XR&y?@)u-|Er0X)sLuR@Rf_*UnMZcp%fDFcizVL1
zex|g~g3M+7)1jxOpULTJ#s9veGix8T5Fc6BzgQIgkJu6Ne`y$J5o9jozhn6PgC`XK
zRVP}vUuG-+Vo?DICaiysM+BM6_&3Zy;C}LxD&NK5UOdnW|MeSZF<T!i7DfLp-VN!W
z`4?o4<=@ypaNGJ=sK%?WujY9~tfQxtj&5qR%Vr&kMbT09!EhZ3vZ#)*>aU@#v)11W
zAmeqMu2DLQX}0M8M=Z1l_47w&<Gx~1boBmb;W`pzuF;X(#(hgfM;zBZt#tIn#CL99
zVL?aM<2td}1n-T2p!Mam42I*1_02=b9IGSqehuEwVT`MvQT*>3yy9+q`4@`{z$yF-
zGMDj>aXuse&#LTqegCX4?d4xA3jdNyTrJ34#y@Jik^i+S+oMLG)AUhW{f}4_-X)cO
zy&!Wp|Lat?m#kd!slEJ*Md4ji=6@#qzaVor|Ievx?;H4(=P_ILAGC;9nen*R1cgNW
zk05gy|9B2>^gqw5Tz4I`E6ZN~#i9ZboWCOa7i2EuAMbrM^1ohX|L*PUH`&X-SQP#x
z75xh`m+_Am#Tog3L1p``=O3cSZS_B5QFxbB_!nd@;~(!cH1hwV%632hoT;mA<zFl&
z0D+nR7i2EuA9*$Mzd`X|-g5M|XKdwPEVjgZcDesMK_OxNr==1JGMDj>_iGvX->7o^
z_`TT=J!>ofVo?DICd~hw7DR%~W&GofXh!~DQu$umeeGU*`4@{p;?;)mFUVZRzt(iV
zk^fC9*OmXc>l=Id7mKIkUy!+se`MFl|7Ml_^N01Dyw+C#BNom0-`SE#khzTiBeyOT
z{&}6>%PRYu{}R6-a{QaEs}zfM`A@{!9bUg9$Q;Xm__|80qcg6n+@i8wn|Zs|IQaKY
z>i@p&`aM4~d%uoYtQb&od%`@T*GF<%qh*2fNAMM7j^*9>JiDRJcMV%d$Mx|~N)L~g
z?ToRa2kXy)#NsdyWnxKl@X03YVLZNq%&~efe-30=N5%7ww<`YU9{S7@|JLiHSd{vB
z;h0c;9FO_`g3Ph}JE1=6@Bf$i=iD89Md_hW$0V<n`dB|bn9Vm9i=v0ZtdJhqKMOKf
z=pm2l|DNdZcf0=Zdam$u>-QemV&i<{ZL0i-Ru5`qrTne?W3i|J1QThW1({>Z-`pP?
z-gm?EBetu2dwX_iVTJ$t)jzZOeqvGT--cg>>fca*2$^H~H~M3@&G*y)o|Vk6;dF=6
z(V4&Ma7N^GWHwJrEQ*eL=Z19jOZag?<{BNjZJt(e-YCcCJC%;MEX!_VMMu`#1F;xv
z2-F6*2kegonPYWi-X0*AGETwit18#yD+aGlvCv<(&c9e}gPFu|D8c6h(mxVpF6003
zFOr0Rj*E9G{`c&gv8IUy{_EEsn~hh9#iZ>Y=QY82#j*XI)@aM1{a4UG5@e3$-`E~E
z)bR=$GT_~0=^t^rTj^o{;nr*I)q_|RJ$z6T(!*+KLXbuE5W)4i)cX=&is*se;%iC|
ziwBL0pdQTn%VJUV@cTDIdSL$`$Xua^hSXnfX6!HTQRRR8wz<z+@dwu1XR&Bj{u`l8
zLFU-<H;<1-Zk{deGpBnM|9^a7)Ada)w9nT07mNG-bm$Bq>8g-$`^^4WkhzS1Eqor!
z>nhi?UY|O%nXUYbMFk+3F#oK7LFO|4(<w*v&+X6~D&KQ9pZLrQ|JLJEu_*p${y)Rp
zA3^3={+$q?mf=06ITDX>x=-n$`nH*0*sBMzD0(<Y`y|+3If{5hkVW+n!T6N*FvO^b
z{YnoDW-PN=4`NaDFe4^h4}vVJhY0EcrH{Wt4!<CO-{?)Hhn6#{zO>grh(*!E$8jM&
ztU;SC$fA0PpdPMSncxfRfu9q+rSx#&gL{uhP7h|!3B;o4;o*dEJqR*a=)sNe@hq0-
zP3&K4l#WUgPIhW;p&wv94i$@{qy7Gnj<_Et$XubLhB{8lf2+FK*v`DI^zi7??Vat_
zgIE+j97zu8f%}DmEUJeHwlk;b;egV^HCt~?w^t8hQS@*yC0q}JEUJeH>LKj!&vU!+
zj?zP~qZ_+KP7h{rhgcLnG;JEv1Gg7~%oTcYW84v(pTP6V-&Hy~@3jqOR&-Rq@n5rf
z{9-W$Z<g=^#TbR;dyI8-!s13j=2#tt&*LwmZpL~1@2T9*Oe=fa3h&nAJ+aud<dOTD
z<GFaRnVi;W_b1_R;h_EsGRN}ngmFiGo~gup{5<TS(nCSFN8gW}9?YJDibc`GKkDc~
zkhww+4e2>(@b6~x^N2&L{145(@raf3ub&@I#oq(*(1_HLsW2J%3>1rI<<HN-1({>Z
z-~2h~G@5RF4)kY5$A<+sS>oTiKNgF^f7jU|f4m+(S&%uFe<%23yxk<!|7Kmhuk`ST
zyo}FVSQwA7ULVDx0uW53eHLVn)q{C`G|b~?{y$Lp-mz)<WvRCEFBXHus}1I#>!ToZ
z8UKjE#UFBdSmipi{b%d!<zFnC@xK=Q3o@7SUle-3755X4sO-0Fe(Ukb@o&~I6N`2E
z--y0JZ^Q$F%(483_sj5r&)6^fP-VMp)BekLSnxa6;{dTZZrcT^JJ2sH-OFi>HV}Q`
z@6kgLWRB(C32{In-XUFT?3evT>EW60wq!?64`%%`u_$`z@p`x(1eq)J&>;I|tb>nK
z`EUN$pCVZPX6qNkqLlxW`$FZP7av0Ait=x$&*jL6{<8Q3j*C84df0Qt$uU;^f%SfY
zSX2Ol3AYc&V?xLrs|WLb!Eh=z#-*RAe5V!UUtur*V(~tr`yhnidq0JLLFO|4%c-;Q
z&-LK1ivLM-He9~b*7!&)ia&h&!*G8n$Q;YR6XGL%owWEvPLC=*TypZ09DDU37DW$N
ze-y3<K^E0R1fNTHr*f(kJ@9ksPn90tD_c7*a(Xa(E-e;C59>Y-*MlH)g&th}T$=Ut
zH>IQY!*hxwrz5ktTP%u>1|JRAksx!0jv8#-Jptt}eud+Y&y*he+<!;bE(>vo^|)Is
zDgeQR<GwraE(Jm6SUs4>-N>iJeVl%-@_pAw?P7M@%D-5Y`gs1i9fIRx+z%FHF5|zD
z3Wa|jpZr4cUpc*?f8_W#8xIzX!vEy<0sfn#&)F6F7i5m*KYTnG^ZR8yxHqOHeW`f=
zqVM}#LcHHLZmIWH^`dp&{_yQvayCvn*tg%S6VljgC1aK6peE$S<|us2a1-D4*of77
z(qx28<@l>jm*9>5U2te3_T*C`<zhP>=@jfKC4B-YO~RS!_+5<sU1%DP6(Q}8wX$8Q
z2e!IWZ~UK6cqt){l;aM@UmmTtb|$p*Ei8Km)z+R37-yl>nj+2UhYi1<G~amMNT%eN
zK{15am(z{-jcP@{C49h3K94_!d|s_F!Qs(f?DY5>lh=zI^Nw%y9dNH+&7<#V1=c)%
z4_~6`I|k@GG(IC%-!Vzw5lbz+0L5SyVux<>MQr$e)Fehr(9b-opNVZgli|0HRq!*g
z;crCAzCzweV)%hG9+NZn@_{&t^PS+0c#4bBQuLd)_A$T|(!5%2?O@zAgLlMgt>`Km
zLD|$9)OMrMG#Er@A?<^72wj1Kn1;VEcpa$D)r+M7#WE4w1tj^Hj~nUvcm^B(L~0h}
z^*5omUY&6eK>P(W>PwjU)&k!qltR{@8;COdy%3+h8_x{}?BujYtBxa@4E{vHj;)_g
z=oc4IqBfEJ1+NoB@zOCQ{2BM)+*eNZ8!Y<&g&xeF8;C{G!(Z#@L6EsZ4-M(LK`xiO
ztP?!0mp;+#iT{jX`J44$#G;gc<?e8QAjn)%{tdPN!u}vQF2Zr#-<2Mk-?Dp$6@Os8
z{~{Jorw2jiSUs5cU%<b_&zydx_#e=+)@J_2VjMMs&ksE};P$xy^C<+GyZJw%_-}W{
z{P@>`{YQzTf4n`ku79z(KK=Jkw0iYK=2JVa`RBFsr)?4b1(`efM+c2X=Y{xkJngHn
zIVISy=keO>rCe4tdbuF8Mqg)?sQs`1o`BhSZ98SL{V$s57GwhEbWUruwdhr>ZyZAA
z*mB{x^-NT9uuN_oug#V9%j{pLDjhX?@|>7L3p%o1zr~^g5KLG{JE0>%=2#tZ`*!fu
zdYl`q$2?w9pz{4}O0Q9o<KJw2NGwV{9(F^Z9v=et!%+r;%(49Q_|TBSL0wUBe27PS
z3f2DC*OYZDvY>nG{eH2y{K;8AFNFW>_yVUjS|xbz+9-s~vAi4oXG4wi^~P16Q*c_O
z^w4T<j~@2wK`e?MZg?rAhgQ&pAdBiDg3rUpbb>DyJ#foktn|?4FBeBp4`$;)Vo~(4
zr;dLRWUkOdLmCI-;az<kh~uIXRsQXtZ+)>9e_%Z>5{n8zFyZ!r{ed8JZ26xiF3Jza
zMa=(iRKB$-#WwRV7JCr&Xa*Du6cXWIkhzWj&~sysOG{O*w;uj9GjjSji%Z4g=orev
zGb&o9kR;-9&;=N&7i5m*zfN459~PJLBS-!`kT&s-Rkp^ZV)28DiYrzjF5Nwg(;96k
z_XXg01es%bcS2n1rJ<B7aR{g70Xfi$3sUCWs|T?tde|{Lq=!eK2|*UsLj>c}Tok`Y
z^uX~+h0??K6E2RR9?arWu_$_|{9Q;7>>mV~EA-Hi;?m&rNsfzdQ04!^rkX`o{DJkj
zR4n3+#+Q$S5+x3m_Cb(2w){^MmllV`rPCDupH%j}$6o%$q5=?1gnvQiHvU6#DeJ#d
z<@=6*SDmnzf3Y~{JbH-rKS3d3{&`NFAafi4WnucCu5$fm>08;WEySnR{f}6b_UD47
z;q8wga~c2lEc+$vUgoFVsQ7<;-|Fh8EbwoA+*&NIY4LLEljt85rg2)MZG`?ip<gD*
z9Lv8G`UkY&<Ip%I$AvSL9{$zVzt~<qh(*!E@N+|Y$ii$&K^E0R1p5b=##$IQZaq`!
zq34bP5!8cO|3EB?9+KOJ^uYc>khww+4XJ;i&s5;{f!m4Ss`Br8#nnr!_yg<hvshFB
zf{C;bg3Phyf13V5=y^W#KTGBNz4sUGTVtVpw$8s;l=?TOQ>gy2KNe&z;~z^XBtGKw
zcZ&Z*dlI%iZ7cs`an+s;mwZ0%>5<D8<o*2XxhsCg`u_-DLFO|4!MBnBD#ia(+TUJy
z)>i(-Vl%ATKwuQ?p9%kh%)R{cysp`b|JpenHd*1ne*J?#<9(!F>Yv)*@IF$pDE?>L
zjUoTT`WIx5<=@yp;CX><@C_{O!aFFj#mm5^ARN=*MTK8e^yOW=2#l9_@zSsY44UQQ
zS3b6`#Tuk()DyqDVIi5m9-pS;2;OfBa?O^LS+_-4A;nA3LO8R4qXK()5u5(WBTtfX
zUf@kiM{k{({jL=qS#QV0;^}lG$Q-L9^Ee`&hKV2L=dU*_{_pR9`A3oC-|YFTSghNQ
ztwaowhH-vD=2-s2pTFXXo2(n<{`4Hh`>L%sHD8n$sd?3A>wm=Jy7k#@7v>Qy-_B``
zHXfWO;{BO|%(1*1{bxg+7sx9_!=At1qV({<hVxSG)q_|RJsfy7q=(^He<H}DdWhus
zN*S7D<MY>Bl^(9cYWm3O!EAg*EQ%g7cZBr7{y~trLJtjgd}XdG|MT1Aon@u`t;a=T
zQ2_`h+&;X6_*#%Tw*1ZGBGf;Li#VO9@_p>Ge4F_fi$UVm2J_GUSdh7m|3aPrSj|s^
z(0wVPE77&V%XVoLIy8Cu8#C-#cb1UU`-y7AL*oA`KM41Kw@Ja^Z58~9ZGr#vzx&y)
zXZ555$DTb2`HVt8DEu`Yo$K_CI^$gub^CCgDMx?VM*;e6rSq=t)_>9R?8UcTv?p`y
p=Dhmcajdd&CGOn?Z>A{G3FKH~irzcqcTwOy1TJ59rvLq_{{U9!ggpQN

literal 0
HcmV?d00001

diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json
new file mode 100644
index 00000000000..a36c3a620ad
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json
@@ -0,0 +1,62 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:33:57.271141Z",
+    "event": {
+      "action": "type-changed-group-account",
+      "code": 4764,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "test_group2v2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A group’s type was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nChange Type:\t\t\tSecurity Enabled Universal Group Changed to Security Enabled Global Group.\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "GroupTypeChange": "Security Enabled Universal Group Changed to Security Enabled Global Group.",
+        "PrivilegeList": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112",
+        "TargetUserName": "test_group2v2"
+      },
+      "event_id": 4764,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4669,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..58e6e280a71b6f8a8dd41b5f8f0046aa89baa8eb
GIT binary patch
literal 69632
zcmeI43v?9a702)FE1M;35@~8gf<#b=3Iru0iYVkEYIw*icn&IP5)uf(l0*WQii&Ly
z^(YiYv}#*U#i|^w#RpKNTD3l^NUhY0+DfYhtq%yGmICSj&U|;XiJ4+6&N;KaU(RM;
z-^~5b@4Mf<cV{;#t*b7pt*fGrEns#m!qTE3QI^%Q%U9mc%5B~9l`o<fPy$Lo2`B+2
zpahhF5>Nt4KnW-TC7=WjOQ5u_y11r(7T)7K&271e596W0s4hew-CpsG)BAt_&32aT
z+qxt93V9KtmNcS0VWOR(<Re7gqeN%pF~on{HXr7kn_-h%9&B>^%=G`I+0XlagniW=
z^qhn3&&@-U?j3B*HrL{F?=$P8(YFlO+|c1V+~-KN6Xk);VJ`MN@J((forEz>=Vv@l
zyQUyJ`kRGYtxU_J3~T88tViX_yuNDtkEd?#dB?Ti8d==50(Zi_Mr6|xtnv+V+mI2a
zQo4$&sGb_J{XM)QGtI$`nPF<C*;I#v4LA_Cil_$N8tF<plLq3afv&)wD)gC-^#NGc
zV$WQfgRMDKjh+LrJqP;-(mWii$MRGv#Lr-?719~_U6nB3&~7VWwYF}<Sjo7}nHZr7
zG#^)Pv@OEHN3^zH3|%s!yRVMYINSPFuvLj(b8+-^yvoEGFT6EGV<2`m4id%VWJRVJ
ze<;Wa(RtKlpNT`6lo=cmq|xZM!1UNRJuL~=`BZ{qeesI0%kgCjw#DcoTw*$q)#CPR
zZ3&Dn9->Gf9;8Uf>O#k3hj@B!dKyhO-D*Lq9>)UlE))u3jC*23T)c8~n99+S$Ewcm
zMBFJrJ+RTk_-X0YA)089#Vor^fDKyI3mZHIxINf2LSr$2JS>ce%~^b<F!jNP%$%98
zMCn2to{w>x1CEv8&RxTl69V>e*jQ$+c-Bo_V6@g|T8yq$5WquJi9R+So<;0a!>*3C
z8$me<cp{V?v|{j<wpdaY?3zS-JTAzRS&2hF5RXxewcLP{Bp|G6=|aVJH`Y;SD-o<y
z(XXt`%<$Om7>&Rc8zG#%r4e`PTsNLZnGp^OJnTi!W)qusuEh7`a#B}zm)6$VupvQY
z-J|Kafo5BHlWoWu-chUrqe-kK_IkSU*(=bo0Y64Xl%f$1tvs|h42^<tjbSSQ;^`C(
zT3NO`aWLj~JzTUHJ*UHw>TTUTXjx>1tk%|%=)h5p2kxx;s10g1T!F<ob0rYAGN}R*
z#!!Du(LwN(k(jXMSPsRq7%Z4LUr0jnPX<IWs604L(C2_8Iu1P|5|yjVBQyzj#x~5|
zWl*<ZD4tFEAvy|O;ehrF{))8a+)I>lC`#FsMVUAnwO>(++5K>e-O8}V$8m#nZ7`qr
zoxX`Lh}LV-UAywb936WMYkm5ug+#rF^Kz?|fq{JqMjk<SwA*OtZXdS#g93-EO8C+|
zNbmoJd+ZNSXu@&6W9~VFPFS&cV)MjX&cA2F@Uw#bp6=R_iW8)Z@|G@?u+HmChYuJZ
zKDYRlrEld#CSsCsFO1bFta5hcR&pIXk_71z+o`8xKgYjPEIHe<KP{OPLQLYx$45`V
zE5dOvY{l)MFc%uDa8QOq;$WaF27rfkh`Cll+nHJI&MW~94)uJ$ZD&I-pUr2nl4IM>
zPH%Vi1e{k%fvy4S#{Ew-{oCoB0H&AIOxvH@l**Yw=gcB=rX5_IJIuuRbarN&N;nu>
z9cs=!xlLtuhjTl>%dm6)mrz{}N;B}PhqLqjMx2n@sp?|Ttiuma4JUQAg#kV{jj~)-
zyPw;3*HNer5h@1C#T4m@R}bn&n0?3z7N(wsiN(__hlXR_iF2G_c|LGZ;PpX=i3rFX
z+`>8db?MJz5$aQPOZDrYto;bS2WPgA@tpk6aitHAk41dB5J`AE)+T|+4qSoTF0(8~
z*)g@l%$$nRYby#)LzJ3|cqJn+31ct-_rXz^uooo>*H5+wx6SSLbG;WPQ5AY}P2?02
z17UL%qF;u!e`(G2nQ(HxEe=XCEKO_1KCaKc53vZab{p{C$_xJ3@>)`T_FEHkI@V{O
z;%uJ!sLwvYD%WS6aP3;m`?~9LNZ`7QBMi@HuCRCr?K&z^HA#(hG>&kxWUzKE)UMiL
zL|pA8sv6$GRZSpnDj43uX)X{q^$PFcdL>br@D8p_67>g*;WTEO<oZG?2=2-6MiSKl
z%jfFAmd_bCk>BGcXLAqE*>(?(qjAZ-l41FxoM980v>$eGCjFB6lCRA9(pJk^F@Bi*
z2lQrQa{hB%jonT1A5UOzC2&N}f8|&nP5Jh|D%&~j)pN!FF6sSXUh6f4T<^4v&@dQo
z3{Xx>o~K_X8y;@PEV=dN?6hb1j9J@q*&Ba(;*{niaZUGG$hZ=X=O52Qo{tzzyX}7?
zr}>NXkcXvX<#D9Qi$x=V$E({CZ0tl%&jNW-)-FOG2}<6Q=b2%e#6Mobz3g`AyuU5>
zmb+Lq0ul@1F3M7qyD1pyuD{+k>gJ5(=K`E}zD|D^i`95L!Vya%%`iwhfR`vsP41Y`
zcH1=arZL`f7mHc%R@}b;Gq2yrJ8mt37U3?+Qj<F;RBpSMANAN$PyJmix^Wj}KIfj8
zwoX2kyeeUT<GAh5E%%hWSj@t=+&EV!$C=NeR+RaiJ8Bqd$$3>CSOn{~?Z3rS?qabs
ze`oHZ%;(%){5``A#<nxw^q9L??2LO260IonIrqf0Z69awWXf)v<_~&jwWt0r7W46F
zgeRlKnb+VU-$qguWvR&>@67FX+nbN>^p?9=EIiow_&EshHTx<`W<m>dUj*)=EH$}j
z8t&t_&b#hjPyJmi=HvNoa$XhgqRi*q`PNKJ&Z`Kdc3U)f!3J-+i^al2FTPz4bt`xE
zUB4e%o`k<ofxn9~pL2JK@7ad?`Ul?rwYS{Gq8oQnmYUr8NdUJ)V@IrcsJoZX3B=+h
zy$>}UN_rys2>iVS{w~T=le_cOmgt(&yVrWlT`W%f^dBz_;W)GVxRv+A1BAOMOHJ<I
zu)UpV`PLzs4}0qGVzD#sOA!@Cna{bqykF&y1i5wD(Quu&+{NO&4~A{u-+R;8#}`b#
zVqM*|S?uo{!CjR3oV!b2{icJR7LToX!CUTP@fiE#(YE(Z5@$r2&$+wQk^D(0w`Ezc
zt{Q!&mw8nz(w~Q1upQ5Vr|i3J?xj%jGknB140%<Q`JB6pzvtT2iPrw~z{ts-au<tk
z+(lVxazDm!e`d|S_f>exT`YFS{S-Wm6lFf=j%+0@`Tc5lv-9PfUre9kDR;3b+`r#4
zuR-EWCEl!xGM{sIsb~1BBHV`DU2$#Qd0xhMvG_0RA-iUj=aD_|f%c7v@1o4-++E^3
zf5(~I!>{kS(Od3faoj=cvRTObxh-jX)<cPK7iFo*J<q02wCbM|#?AKB-^F4+>PRlO
zlKp)!KJ*Y}KIiUINAef{xy6F7Hh9ZjEaswOWO3722HHeqqDs6(na{bq#2NnDI=78y
z#J=M#cd@wZ!($JA!u5O0jBQO&BHTq;YI5(z(9zb6cyCm_r*TFs^5@sUo`^HTy%+Y`
zEoHtTnOsNao11%o#h+>)@RYk)EZo2AqRDn%{j6Xo)HEW-e2AAQOHF@2-f-ViS~=HS
z?qbo6yC_Rd?!687Wt)DmZH=e?E*3B8J$&;4eC{#LC}DrU6JHh+Wj^N~G`EFCa-8X7
zc0cw^U+Y0nxr@cBJJU0sdhz)SzPqXGsnvPuZ!z~PQ3Z%HpL56ENK58^g4y}*jpszX
z<t`R8@J;vRyeiy9na{a%iELUj_Y=*&10`wwz2z<zpN#+go`q1?Z_kiLTcBnoJmg$F
zClF;m=k8L!_ch!n-L-D8x7@{|8+TEbn%w&t?)UBe)g2Fc8sEjD5s+B0zdw(nUX=Nq
zJMKnWa-1nJJDbjY;^JkMUOtZ$i$~!b*Bk`p`OF$9t-<URWj^Qb5@${_+#iS*)p*NY
zEMEEP?PoUu{FJ>jrhEi7!d;Z5CijyK_uGp%Z~mdD{w@}Ud+wg+65Kap97LJVxx2)f
zQw;Z)Cuc;Kd&*rbcE<fB)H9;Y=iFW1H}yB%$6vZ+%?eMsi^X*O<z90A&T-~R_`4|c
zId_-%&i{vo+v&p>7d+-Ecd-~nR!!#Kj6WDI$8!QvmYUoLI@syp<-Z^7EqAf_&WSmz
zF9P^=ANM^LU!5W0F3M7qd!gZ;w`KJo)_dyjV)2*`f6vF<$HCu4na{a%iELVO{XWR-
zyJ~ggoBW@NoPQC-{~P4%{(Eh)_zNq)Bm#Ax?|o(O`%uGwCtnEeqRi*qUE=$xhI`ST
z^mo1GE*9Omi?Y<>ZgA^D2`B+2pahhF5>Nt4KnW-TC7=Y9fD%vwN<axH0VSXWlz<XY
z0!ly$C;=s)1eAahPy$Lo2`B+2pahhF5>Nt4KnW-TC7=Y9fD%vwN<axH0VSXWlz<XY
z0!ly$C;=s)1eAahPy$Lo2`B+2pahhF5>Nt4KnW-TC7=Y9fD%vwN<axH0VSXWlz<XY
z0!ly$C;=s)1eAahPy$Lo2`B+2pahhF5>Nt4KnW-TC7=Y9fD%vwN<axH0VSXWlz<XY
z0!ly$C;=s)1eAahPy$Lo2`B+2pahhF5>Nt4KnW-TC7=Y9fD%vwN<axH0VSXWlz<XY
o0!ly$C;=s)1eAahPy$Lo2`B+2pahhF5>Nt4KnW;;|04qb1`AwzJOBUy

literal 0
HcmV?d00001

diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json
new file mode 100644
index 00000000000..bb021b9d8a3
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json
@@ -0,0 +1,58 @@
+[
+  {
+    "@timestamp": "2019-10-08T10:20:34.0535453Z",
+    "event": {
+      "action": "group-membership-enumerated",
+      "code": 4798,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A user's local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nUser:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nProcess Information:\n\tProcess ID:\t\t0x3f0\n\tProcess Name:\t\tC:\\Windows\\System32\\LogonUI.exe",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WIN-41OB2LO92CR",
+      "name": "elastictest1"
+    },
+    "winlog": {
+      "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}",
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR",
+      "event_data": {
+        "CallerProcessId": "0x3f0",
+        "CallerProcessName": "C:\\Windows\\System32\\LogonUI.exe",
+        "SubjectDomainName": "WORKGROUP",
+        "SubjectLogonId": "0x3e7",
+        "SubjectUserName": "WIN-41OB2LO92CR$",
+        "SubjectUserSid": "S-1-5-18",
+        "TargetDomainName": "WIN-41OB2LO92CR",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005",
+        "TargetUserName": "elastictest1"
+      },
+      "event_id": 4798,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x3e7"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 780,
+        "thread": {
+          "id": 1740
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 2996,
+      "task": "User Account Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..a1bfce52dcc60fbbde46e3b0b08b70e83cce1e3d
GIT binary patch
literal 69632
zcmeI44RjRM702)FS2iDPHexCw(L_{01p)>TMKt6?#PA&no`VXSgakscB!PgXM#a`c
zJpu(0t=g7T@u(cFS``pctJaTJq*iK0ZKc(M)>;VoQ3|C0JNxct6EnqDoO5P-U(RNB
zXWq>Hzu&v>-n+A#l+;z1*49-~=jJmzTClaqPZYH}clp|{qdnTTeeH|r1(bjiPy$Lo
z2`B+2pahhF5>Nt4KnW;;BN8a7t1hakpN;qUvF5aG;lsEoke^QUNK5t5SnvP+H`|#%
zv7kKh3OOO7))b<BL89G(#3MvK!$jxdHpGA1wjSY}Ww6OD2R6BVZu&oB_Vd0UVPAD8
zJ?G=~7v?5O&rUYxm}~L5_nGHo(YF-W+|=nh+~;Vt)8vND5ia&?@J(!|pN=_A<$FA)
zJ#y@rUoPHmWm*<xSi=`aACoKd^R+vFJZ<ZVcU<@FQAJIwF%s@om_<wRln2OdQ$~<V
zXg*a@JvHL>_wfkLG6y$j2C13mP#q37;6TtCLN(~tNLSN2G!Q=xbQShgq0bCFAAoHw
z_ROQXcr}-*(Q^P^&&B?Mv;fEIu^mkL_$k1%d^#JytK#MxI=u2(ZEZU+S2AyN%R@Ao
z7UIf{wnaF2VO!g!&?Pgv_nI(Gu&vLBtxEKohokKLrQ(bi-x{EC5IYA4i6RlQLQ{=D
z^ve#=h16u9i9?x`=`ZxtSae%tdVD$~B>~n&RE%SN@CdQX@n!n$NTZ3k#0(&-#qeuw
z35+fhppY-(r%=F3r<1WmJiSM13QaNHYC)<V$9$1=3Is66C*p;;c;(h0m7ycgRh`|5
zxRZ~1;YBawrzO_}sN9~5*>)En8?-1FFL()Xd+@{%jmHG?v@jwzXYrMSbP8U`%9-_A
zm@dZQg_yUw;8+Rn+%-tq0brki7c0ya&%GrbMr&=RMd(@u0X#*O=wsvIRm46u;+nJ$
zGbkqkPl&SoRvNseJ(iUEyCu+`gbT7{RuUuci=<H+Yq=38NkCZJnodP_H`Y;SD-o>I
z(66-AtnjqGX;g?SHbOXiOCv@ayKW?fGD92`c-n`&kVR}db|oH@!%5xPUE12_z=i~o
z4UeT_0L`}WCfiVKdPlPk%qFpxv^P_Y&t8R&4fruC!W0g1XyvKBad;SnYYbZf5J{!5
z--_Dq#KD-`4RFyS^qc`ls<(CXq(#XJSZ!^i(1D{GPu#inVH?yOxB`odtrcI;%A^WN
z7)SlFL<hlBMq$C0VLKe#BCufMd?5+NKN%3lr1Io6L0=3c(MjkLlBir=7NScqGPYqx
zmqFeAfk+nR1?U)bg#+3T_$$&@Y%F2QrZ8nulrnKNY(K)3X7|G>b}PjzK8^uWtv?U@
zd_$k+3!>$=?0K>xougx~5pB;syO^l=NZxL@GBB|Pcx*y;wA)zd?ijZEg93-EO8C+O
zNbmopG4_WiG~qapn0wBoQ&%r3Z!TYT(LI|+p6l=XT({0tVnKRH&ho_)*7^DJkpm_L
zFDQC#`8(O6ax4<=g}EAyr<`566<^PeBtg2^cIp|}&+)GWTh6xZPfO<p5R-WE@zGQ9
z2yxsCS`j-a%!9@%9F(b$IOyw!3E*iRX0Fw*{mf{GGmAlkLp_hT{cPyvv-vDmazgvr
zsU6OqjPokV*Ud-Wx&K+Fe+QkD!SqU+W&2aRQaRHfJ9CIR(+)1N5oTh3x;nF6B^->c
z4manX(XKM9)45%bG8jAmE2u65rI~ot!`XSfp;*Z5Qgsn%*5QYjMl5x;hXFn}g`$qC
zozHC_br`Axgo*)a!Xl(QES2tr)rXv5Vd+^|SiH=#X(XN(LNBNAdOSGI&a<6~gKh)j
z0H?+}<L$^h+=99Im5b+aT5dsJd;d9poPy)y5l1dYvYmuymtfqx;HBJFAuw?(LU}Q*
z(+Zr1S!z%IXCWF*gR1#hw>4nRY6pNKM_Zzl7xs;Nl<TCY&TRfFYrErG&&49DLiXmG
zC{{!agqG1zm0=xNUUNexoScWtK`D*p##%G>aea0Z24luS13p+Y=J%~{B-CfWGBKxf
zefAm7=B1DN>?1to`iv8<U5mM2cU=hyTz7GV;q}ZF7Ei5RN5!iqsgaJu5l)uuW_B&q
zq1s_YT<yfG8s5QGjW1#<7~a8Y&KEKD3h&^0C0?2E4z5h%^#_aLG-jLR`a&uQ?#b^)
z;?)7m=jy<g&lxwK-y<exa}Unhb`OrD5y`!hVfmt*VdI&!FLrPy{fhaLugv+<R?As2
za)kWHtE)Z##axZuP4XWvU~a{5M9zO@*d9lD_P#3HIqjzxi2q&I`@x*HYYDkN);2>!
z0o)j%Vl8p~9*q^V^ww9i>{Zx$#an;+##bTZiZ@<=ybgIiVlwS^;H~WDFRw$Mmd=&O
z(IPJvjR2mn?o07vH*$Iu<V9JB$mu=uyfRFa_{Uqgm)#Cu_?IQ_au<t6Kzt+IMOkuk
zHw7cz_2=70FUv^0FTi={oAh_FSdF(MQBapiGXjzh;vveClRFl)-L{OnWt_X*#bWgR
ziu)H~<@Nn!*R93SBHTq;a&qT{%5Cq;V;*1bs=tdxC+?!m<J{xRHkMB%uS(e8JYnaH
zD_!L-7Nhu<8|Ui8IP(S6iZYLLM-3w_F|W!E3xC~?1FKx+E*87;cjhk2JkH(0-!sf)
z>^S>vm${3@uDI7A(TXyUbB{0Ej&TNertG$5;h^`{x$5s?F%P#!cri+xc>^Bu9VAsz
zmYm%2&fIRdz5Up3ce#tj{6mdToR0us^Jzu#ENEfwE#NN7l9PL;;XY~mg6r>f)!)Tp
z9`4^J=2hV?$~?}Uhh|!0UPU0aTT8*BP403Ri}{CNdAAJe*6iuC@c^_u1Am_ie-~vQ
z=k5^Svkdo*54`)dyWGX16L(RToZR_N0Jp>A3)er?)6M$?V)3%xhZ_zj+>!hR{Jj|d
zF3OUVd+e?)(X}OaKk6=bu{iy+zr8$+<ILWZ*4z&d5bmNZIk_Kedpps}?ZYx3cGcg-
zVprUkBPxnAk8^i;znX2hr|)XG-d*lualuC;b{^=xW&9J1rd+k5Zu)HY_s!rg$~?~9
zA+LVRa9=XM;$?Tai^b#Zk4M|zH%XikWgh45P)G77q1;wPUtc@+95?f-SfoD=8?zJl
zfv0|Y+q}!6<Y)MZZv^tHDDyaX2Y>HjQzv@#rw2z(ah1DRbmA_`l9T)KhWqpD@4c_W
zRqkT3EAD6FW~3<dICo?#X^HPwdzziEE_)?)s;k_^qHw>dbwPu~nM%A_6=fdh?oiM0
zS4FrDySw7Lx(nTm?_%*^)<bs9DEA|K;REfP5#L3b$GJPicm9quw};={b+fzN#o~lR
z))ljn^?S6Y?Ar(>!d;XlC-)qiI?>vHPM$EwReu+Yd8i|~*h=*G0(|Hp$~?~9p^oG)
z{&P$7zuw?3cd^(56(ftA&N9%-k%=nt5M>_c?ht4AYwO%LpPlwyce#tjJs+QN=pS6a
zx6a(r1SP^<lqDzkT!xOezVL(5^{&PlvB;la1A9Eq2=`p<vs==9Lo%_B%rk@gaP=Q*
zA8?hsSj<1LXW|q)uYTTdH`FvD#(a#2C`(R%KiP2KR#G|7UG8GhiMuFEPVT)8_Z3@y
zuw%We{w@|T>pgPoL458p-6&yyzY|{;6J;Lf?l;52CNa*OVs=0Nd>`vUSGkMDsykCN
zo_*z|G2h$LZE$r?>O0K+YE%KD%;VfK8fl5#Pc=K=zxn)-yWGWM2EOT@m{*0nDDyaX
zE|E=3<bImjcd$66zq{PU;xm!I-m@6$`tBRnvJGn1z(X#;eF9PDaqbTFdmqF7lDjq(
zxXWEEI&l|e$;rL1;eOx#C+~R3)%Y$Jjez)u{rx2r^`gw<+%XzyiE*Z%+1Yf?Q<tu&
zbn||sSUd*bxaJ@z_h;5aX$@AVDDyaXhd6V(;r>8)NR7MP#p2bU-F{vZz)#&jbL!ur
zM!1Wz<m7&a;eLD3)~!Eu)!)UUaPP72#W?rPm<LhjaqbRr=1jx=)hQXFm9BCZi(PU5
z4eA+D=5g*0@0<D??vpNGx_-5*+{I!l{&Fv|e&;yz4E$Y`d7QgLeCPi|!)@ruCH)?E
zmAhCBBdaEIZ^j=Cm*GBvC`(T617q0f(3QU}aF@GSeDAdEbrS)8!zX=Cz*lETxQnvn
z<eqQ1=WJW|yN#~;yI4HF)8F$k_X+TKQRZ>(Tq2v6SicW4`{u7}e4GC>QS4s?@&5+-
zrvF}BEdJceD-J>37yDn^{~^@y-^ufTP7!4u=k5^S2OI7~_NBh>E_bo$#9fpn7k7hO
zH%dSWC;=s)1eAahPy$Lo2`B+2pahhF5>Nt4KnW-TC7=Y9fD%vwN<axH0VSXWlz<XY
z0!ly$C;=s)1eAahPy$Lo2`B+2pahhF5>Nt4KnW-TC7=Y9fD%vwN<axH0VSXWlz<XY
z0!ly$C;=s)1eAahPy$Lo2`B+2pahhF5>Nt4KnW-TC7=Y9fD%vwN<axH0VSXWlz<XY
z0!ly$C;=s)1eAahPy$Lo2`B+2pahhF5>Nt4KnW-TC7=Y9fD%vwN<axH0VSXWlz<XY
z0!ly$C;=s)1eAahPy$Lo2`B+2pahhF5>Nt4KnW-TC7=Y9fD%vwN<axH0VSXWlz<XY
Z0!ly$C;=s)1eAahPy$Lo3H%=s_&1zEc#i-8

literal 0
HcmV?d00001

diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json
new file mode 100644
index 00000000000..036cfebb5ef
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-08T10:20:44.4724208Z",
+    "event": {
+      "action": "user-member-enumerated",
+      "code": 4799,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "Builtin",
+      "name": "Administrators"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A security-enabled local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nGroup:\n\tSecurity ID:\t\tS-1-5-32-544\n\tGroup Name:\t\tAdministrators\n\tGroup Domain:\t\tBuiltin\n\nProcess Information:\n\tProcess ID:\t\t0x494\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WORKGROUP",
+      "id": "S-1-5-18",
+      "name": "WIN-41OB2LO92CR$"
+    },
+    "winlog": {
+      "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}",
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR",
+      "event_data": {
+        "CallerProcessId": "0x494",
+        "CallerProcessName": "C:\\Windows\\System32\\svchost.exe",
+        "SubjectDomainName": "WORKGROUP",
+        "SubjectLogonId": "0x3e7",
+        "SubjectUserName": "WIN-41OB2LO92CR$",
+        "SubjectUserSid": "S-1-5-18",
+        "TargetDomainName": "Builtin",
+        "TargetSid": "S-1-5-32-544",
+        "TargetUserName": "Administrators"
+      },
+      "event_id": 4799,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x3e7"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 780,
+        "thread": {
+          "id": 820
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 3002,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file