We made several improvements to the Windows intake format to ease the analyst's investigation:
The process.parent.pid field was added to allow analysts to read the whole process tree.
The TargetLogonId field was added to allow analysts to get the user session ID. With this ID, analysts can easily search for all actions made by an attacker.
The MessageNumber and MessageTotal fields were added to allow analysts to reconstitute a PowerShell script that was split across several events.
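The following is an added example, not part of the original changelog or the intake's own code, showing how an analyst can use the three fields just described: process.pid / process.parent.pid to rebuild a process tree, TargetLogonId to pull every event of one session, and MessageNumber / MessageTotal to stitch a split PowerShell script block back together (and to flag a block whose fragments are incomplete). The events are constructed, flat dotted keys are assumed for convenience, and ScriptBlockId, ScriptBlockText and the event codes are assumptions, not field names taken from the page.

```python
from collections import defaultdict

# Constructed sample events in a flat, ECS-style dotted form (not real telemetry).
# process.pid, process.parent.pid, TargetLogonId, MessageNumber and MessageTotal are
# the fields named in the changelog; ScriptBlockId / ScriptBlockText / event.code are
# assumed here for the example.
EVENTS = [
    {"event.code": "1", "process.pid": 100, "process.name": "explorer.exe",
     "process.parent.pid": 1, "TargetLogonId": "0x3e7"},
    {"event.code": "1", "process.pid": 200, "process.name": "powershell.exe",
     "process.parent.pid": 100, "TargetLogonId": "0x3e7"},
    {"event.code": "1", "process.pid": 300, "process.name": "whoami.exe",
     "process.parent.pid": 200, "TargetLogonId": "0x3e7"},
    # One script block split into 3 fragments, delivered out of order.
    {"event.code": "4104", "ScriptBlockId": "blk-1", "MessageNumber": 2, "MessageTotal": 3,
     "ScriptBlockText": "$b = 2\n"},
    {"event.code": "4104", "ScriptBlockId": "blk-1", "MessageNumber": 1, "MessageTotal": 3,
     "ScriptBlockText": "$a = 1\n"},
    {"event.code": "4104", "ScriptBlockId": "blk-1", "MessageNumber": 3, "MessageTotal": 3,
     "ScriptBlockText": "Write-Output ($a + $b)\n"},
    # A second block with a missing fragment (2 of 2 never arrived).
    {"event.code": "4104", "ScriptBlockId": "blk-2", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "Get-Date\n"},
]


def ancestry(events, pid):
    """Walk from pid up to the root via process.parent.pid.
    Returns [pid, parent, grandparent, ...]; stops on a cycle or an unknown parent."""
    parent_of = {e["process.pid"]: e["process.parent.pid"]
                 for e in events if "process.pid" in e}
    chain, seen = [pid], {pid}
    while chain[-1] in parent_of and parent_of[chain[-1]] not in seen:
        chain.append(parent_of[chain[-1]])
        seen.add(chain[-1])
    return chain


def render_tree(events, root):
    """Indented process tree (pid + name) rooted at `root`, built from parent pids."""
    children, names = defaultdict(list), {}
    for e in events:
        if "process.pid" in e:
            children[e["process.parent.pid"]].append(e["process.pid"])
            names[e["process.pid"]] = e.get("process.name", "?")
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {names.get(pid, '?')}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


def events_for_session(events, logon_id):
    """All events carrying the given TargetLogonId (one user session)."""
    return [e for e in events if e.get("TargetLogonId") == logon_id]


def reassemble_script_blocks(events):
    """Rebuild split script blocks ordered by MessageNumber.
    Returns {ScriptBlockId: {"text": str, "complete": bool, "missing": [numbers]}}."""
    fragments, totals = defaultdict(dict), {}
    for e in events:
        if "MessageNumber" not in e:
            continue
        sid = e["ScriptBlockId"]
        fragments[sid][e["MessageNumber"]] = e["ScriptBlockText"]  # duplicates collapse
        totals[sid] = e["MessageTotal"]
    result = {}
    for sid, parts in fragments.items():
        missing = [n for n in range(1, totals[sid] + 1) if n not in parts]
        result[sid] = {
            "text": "".join(parts[n] for n in sorted(parts)),
            "complete": not missing,
            "missing": missing,
        }
    return result


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS, 100)))
    print(ancestry(EVENTS, 300))
    for sid, block in reassemble_script_blocks(EVENTS).items():
        print(sid, "complete" if block["complete"] else f"missing {block['missing']}")
        print(block["text"])
```

A block with missing fragments is deliberately reported rather than silently joined, since an analyst reading a partially reassembled script could miss the part that matters.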
The parsing of the registry.key field was fixed.
Before: registry.key = PATH\VALUE
Now: registry.key = PATH
This field is now ECS compliant and aligned with other integrations such as SentinelOne. It will ease investigation and the creation of universal detection rules.
Finally, the detection patterns of the related detection rules were updated accordingly (see the changelog of June 21st 2024).
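As an added illustration (not code from the changelog or the intake itself) of why the registry.key change matters for universal rules: a rule written against the ECS form, with an exact match on the key path, does not fire on an event in the old PATH\VALUE form. The paths are placeholders, the registry.value field name is an ECS assumption about where the value name now lands, and normalize_legacy is an assumed split on the last backslash for old-format events, not a description of how the intake's parser actually works.

```python
# Constructed events: the same registry modification in the old and the new format.
# Paths are placeholders; registry.value is assumed as the ECS home of the value name.
OLD_EVENT = {"registry.key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"}
NEW_EVENT = {"registry.key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
             "registry.value": "Updater"}

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def rule_run_key_persistence(event):
    """Universal-style rule: exact, case-insensitive match on the ECS registry.key path."""
    return event.get("registry.key", "").lower() == RUN_KEY.lower()


def normalize_legacy(event):
    """Assumed normalization for old-format events (PATH\VALUE in registry.key):
    split on the last backslash. Caveat: value names may themselves contain a
    backslash, so this heuristic is only safe when the source is known to be
    in the old format; events that already carry registry.value are left alone."""
    key = event.get("registry.key", "")
    if "registry.value" in event or "\\" not in key:
        return event
    path, value = key.rsplit("\\", 1)
    out = dict(event)
    out["registry.key"], out["registry.value"] = path, value
    return out


if __name__ == "__main__":
    print("old format matches:", rule_run_key_persistence(OLD_EVENT))
    print("new format matches:", rule_run_key_persistence(NEW_EVENT))
    print("normalized old format matches:", rule_run_key_persistence(normalize_legacy(OLD_EVENT)))
```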