diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
index d5305e7f3f2..2dabf06d753 100644
--- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
+++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
@@ -19,6 +19,34 @@ var security = (function () {
         "11": "CachedInteractive",
     };
 
+    // User Account Control Attributes Table
+    // https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties
+    var uac_flags = [
+        [0x0001, 'SCRIPT'],
+        [0x0002, 'ACCOUNTDISABLE'],
+        [0x0008, 'HOMEDIR_REQUIRED'],
+        [0x0010, 'LOCKOUT'],
+        [0x0020, 'PASSWD_NOTREQD'],
+        [0x0040, 'PASSWD_CANT_CHANGE'],
+        [0x0080, 'ENCRYPTED_TEXT_PWD_ALLOWED'],
+        [0x0100, 'TEMP_DUPLICATE_ACCOUNT'],
+        [0x0200, 'NORMAL_ACCOUNT'],
+        [0x0800, 'INTERDOMAIN_TRUST_ACCOUNT'],
+        [0x1000, 'WORKSTATION_TRUST_ACCOUNT'],
+        [0x2000, 'SERVER_TRUST_ACCOUNT'],
+        [0x10000, 'DONT_EXPIRE_PASSWORD'],
+        [0x20000, 'MNS_LOGON_ACCOUNT'],
+        [0x40000, 'SMARTCARD_REQUIRED'],
+        [0x80000, 'TRUSTED_FOR_DELEGATION'],
+        [0x100000, 'NOT_DELEGATED'],
+        [0x200000, 'USE_DES_KEY_ONLY'],
+        [0x400000, 'DONT_REQ_PREAUTH'],
+        [0x800000, 'PASSWORD_EXPIRED'],
+        [0x1000000, 'TRUSTED_TO_AUTH_FOR_DELEGATION'],
+        [0x04000000, 'PARTIAL_SECRETS_ACCOUNT'],
+    ];
+
+    // event.action Description Table
     var eventActionTypes = {
         "4624": "logged-in",
         "4625": "logon-failed",
@@ -30,10 +58,28 @@ var security = (function () {
         "4724": "reset-password",
         "4725": "disabled-user-account",
         "4726": "deleted-user-account",
+        "4727": "added-group-account",
+        "4728": "added-group-account-to",
+        "4729": "deleted-group-account-from",
+        "4730": "deleted-group-account",
+        "4731": "added-group-account",
+        "4732": "added-group-account-to",
+        "4733": "deleted-group-account-from",
+        "4734": "deleted-group-account",
+        "4735": "modified-group-account",
+        "4737": "modified-group-account",
         "4738": "modified-user-account",
         "4740": "locked-out-user-account",
+        "4754": "added-group-account",
+        "4755": "modified-group-account",
+        "4756": "added-group-account-to",
+        "4757": "deleted-group-account-from",
+        "4758": "deleted-group-account",
+        "4764": "type-changed-group-account",
         "4767": "unlocked-user-account",
         "4781": "renamed-user-account",
+        "4798": "group-membership-enumerated",
+        "4799": "user-member-enumerated",
     };
 
     // Descriptions of failure status codes.
@@ -1102,6 +1148,28 @@ var security = (function () {
         evt.Put("winlog.logon.failure.sub_status", descriptiveFailureStatus);
     };
 
+    var addUACDescription = function(evt) {
+        var code = evt.Get("winlog.event_data.NewUacValue");
+        if (!code) {
+            return;
+        }
+        var uac_code=parseInt(code);
+        var uac_result = [];
+        for (var i=0; i<uac_flags.length; i++) {
+            if ((uac_code | uac_flags[i][0]) === uac_code) {
+                uac_result.push(uac_flags[i][1]);
+            }
+        }
+        if (uac_result) {
+            evt.Put("winlog.event_data.NewUACList",uac_result);
+        }
+        var uac_list=evt.Get("winlog.event_data.UserAccountControl").replace(/\s/g,'').split("%%").filter(String);
+        if (! uac_list) {
+            return;
+        }
+        evt.Put("winlog.event_data.UserAccountControl",uac_list);
+      };
+
     var copyTargetUser = new processor.Chain()
         .Convert({
             fields: [
@@ -1113,6 +1181,17 @@ var security = (function () {
         })
         .Build();
 
+    var copyTargetUserToGroup = new processor.Chain()
+        .Convert({
+            fields: [
+                {from: "winlog.event_data.TargetUserSid", to: "group.id"},
+                {from: "winlog.event_data.TargetUserName", to: "group.name"},
+                {from: "winlog.event_data.TargetDomainName", to: "group.domain"},
+            ],
+            ignore_missing: true,
+        })
+        .Build();
+
     var copyTargetUserLogonId  = new processor.Chain()
         .Convert({
             fields: [
@@ -1239,6 +1318,7 @@ var security = (function () {
         .Add(copyTargetUser)
         .Add(copySubjectUserLogonId)
         .Add(renameCommonAuthFields)
+        .Add(addUACDescription)
         .Add(addActionDesc)
         .Build();
 
@@ -1248,6 +1328,14 @@ var security = (function () {
         .Add(addActionDesc)
         .Build();
 
+    var groupMgmtEvts = new processor.Chain()
+        .Add(copySubjectUser)
+        .Add(copySubjectUserLogonId)
+        .Add(copyTargetUserToGroup)
+        .Add(renameCommonAuthFields)
+        .Add(addActionDesc)
+        .Build();
+
     return {
         // 4624 - An account was successfully logged on.
         4624: logonSuccess.Run,
@@ -1285,18 +1373,72 @@ var security = (function () {
         // 4726 - An user account was deleted.
         4726: userMgmtEvts.Run,
 
+        // 4727 - A security-enabled global group was created.
+        4727: groupMgmtEvts.Run,
+
+        // 4728 - A member was added to a security-enabled global group.
+        4728: groupMgmtEvts.Run,
+
+        // 4729 - A member was removed from a security-enabled global group.
+        4729: groupMgmtEvts.Run,
+
+        // 4730 - A security-enabled global group was deleted.
+        4730: groupMgmtEvts.Run,
+
+        // 4731 - A security-enabled local group was created.
+        4731: groupMgmtEvts.Run,
+
+        // 4732 - A member was added to a security-enabled local group.
+        4732: groupMgmtEvts.Run,
+
+        // 4733 - A member was removed from a security-enabled local group.
+        4733: groupMgmtEvts.Run,
+
+        // 4734 - A security-enabled local group was deleted.
+        4734: groupMgmtEvts.Run,
+
+        // 4735 - A security-enabled local group was changed.
+        4735: groupMgmtEvts.Run,
+
+        // 4737 - A security-enabled global group was changed.
+        4737: groupMgmtEvts.Run,
+
         // 4738 - An user account was changed.
         4738: userMgmtEvts.Run,
 
         // 4740 - An account was locked out
         4740: userMgmtEvts.Run,
 
+        // 4754 -  A security-enabled universal group was created.
+        4754: groupMgmtEvts.Run,
+
+        // 4755 - A security-enabled universal group was changed.
+        4755: groupMgmtEvts.Run,
+
+        // 4756 - A member was added to a security-enabled universal group.
+        4756: groupMgmtEvts.Run,
+
+        // 4757 - A member was removed from a security-enabled universal group.
+        4757: groupMgmtEvts.Run,
+
+        // 4758 - A security-enabled universal group was deleted.
+        4758: groupMgmtEvts.Run,
+
+        // 4764 - A group\'s type was changed.
+        4764: groupMgmtEvts.Run,
+
         // 4767 - A user account was unlocked.
         4767: userMgmtEvts.Run,
 
         // 4781 - The name of an account was changed.
         4781: userRenamed.Run,
 
+        // 4798 - A user's local group membership was enumerated.
+        4798: userMgmtEvts.Run,
+
+        // 4799 - A security-enabled local group membership was enumerated.
+        4799: groupMgmtEvts.Run,
+
         process: function(evt) {
             var event_id = evt.Get("winlog.event_id");
             var processor = this[event_id];
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json
index eb5794a01e1..0e3fd3f3a15 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json
@@ -31,6 +31,10 @@
         "HomeDirectory": "%%1793",
         "HomePath": "%%1793",
         "LogonHours": "%%1797",
+        "NewUACList": [
+          "SCRIPT",
+          "LOCKOUT"
+        ],
         "NewUacValue": "0x15",
         "OldUacValue": "0x0",
         "PasswordLastSet": "%%1794",
@@ -47,7 +51,11 @@
         "TargetDomainName": "WIN-41OB2LO92CR",
         "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005",
         "TargetUserName": "elastictest1",
-        "UserAccountControl": "\n\t\t%%2080\n\t\t%%2082\n\t\t%%2084",
+        "UserAccountControl": [
+          "2080",
+          "2082",
+          "2084"
+        ],
         "UserParameters": "%%1793",
         "UserPrincipalName": "-",
         "UserWorkstations": "%%1793"
@@ -104,6 +112,10 @@
         "HomeDirectory": "%%1793",
         "HomePath": "%%1793",
         "LogonHours": "%%1797",
+        "NewUACList": [
+          "SCRIPT",
+          "LOCKOUT"
+        ],
         "NewUacValue": "0x15",
         "OldUacValue": "0x0",
         "PasswordLastSet": "%%1794",
@@ -120,7 +132,11 @@
         "TargetDomainName": "WIN-41OB2LO92CR",
         "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006",
         "TargetUserName": "audittest0609",
-        "UserAccountControl": "\n\t\t%%2080\n\t\t%%2082\n\t\t%%2084",
+        "UserAccountControl": [
+          "2080",
+          "2082",
+          "2084"
+        ],
         "UserParameters": "%%1793",
         "UserPrincipalName": "-",
         "UserWorkstations": "%%1793"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx
new file mode 100644
index 00000000000..de81fec15c4
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json
new file mode 100644
index 00000000000..1a769e759c5
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:26:12.4955445Z",
+    "event": {
+      "action": "added-group-account",
+      "code": 4727,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "DnsUpdateProxy"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A security-enabled global group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x27438\n\nNew Group:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1110\n\tGroup Name:\t\tDnsUpdateProxy\n\tGroup Domain:\t\tWLBEAT\n\nAttributes:\n\tSAM Account Name:\tDnsUpdateProxy\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-18",
+      "name": "WIN-41OB2LO92CR$"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "PrivilegeList": "-",
+        "SamAccountName": "DnsUpdateProxy",
+        "SidHistory": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x27438",
+        "SubjectUserName": "WIN-41OB2LO92CR$",
+        "SubjectUserSid": "S-1-5-18",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1110",
+        "TargetUserName": "DnsUpdateProxy"
+      },
+      "event_id": 4727,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x27438"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4105,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx
new file mode 100644
index 00000000000..b9beb803329
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json
new file mode 100644
index 00000000000..15df9e67183
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:33:26.8613751Z",
+    "event": {
+      "action": "added-group-account-to",
+      "code": 4728,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "test_group2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A member was added to a security-enabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local",
+        "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "PrivilegeList": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112",
+        "TargetUserName": "test_group2"
+      },
+      "event_id": 4728,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4657,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx
new file mode 100644
index 00000000000..49da30221a5
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json
new file mode 100644
index 00000000000..02fa62e43a9
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:33:45.5433159Z",
+    "event": {
+      "action": "deleted-group-account-from",
+      "code": 4729,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "test_group2v2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A member was removed from a security-enabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local",
+        "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "PrivilegeList": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112",
+        "TargetUserName": "test_group2v2"
+      },
+      "event_id": 4729,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4665,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx
new file mode 100644
index 00000000000..c166533f080
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json
new file mode 100644
index 00000000000..c08bd704ccb
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json
@@ -0,0 +1,61 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:34:01.6107262Z",
+    "event": {
+      "action": "deleted-group-account",
+      "code": 4730,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "test_group2v2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A security-enabled global group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nDeleted Group:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "PrivilegeList": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112",
+        "TargetUserName": "test_group2v2"
+      },
+      "event_id": 4730,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4670,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx
new file mode 100644
index 00000000000..7d89753f06a
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json
new file mode 100644
index 00000000000..6a960e13377
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:29:49.3586766Z",
+    "event": {
+      "action": "added-group-account",
+      "code": 4731,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "test_group1"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A security-enabled local group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nNew Group:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1\n\tGroup Domain:\t\tWLBEAT\n\nAttributes:\n\tSAM Account Name:\ttest_group1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "PrivilegeList": "-",
+        "SamAccountName": "test_group1",
+        "SidHistory": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111",
+        "TargetUserName": "test_group1"
+      },
+      "event_id": 4731,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4569,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx
new file mode 100644
index 00000000000..46444d89b39
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json
new file mode 100644
index 00000000000..0423fc5379e
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:31:58.0398598Z",
+    "event": {
+      "action": "added-group-account-to",
+      "code": 4732,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "test_group1"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A member was added to a security-enabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local",
+        "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "PrivilegeList": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111",
+        "TargetUserName": "test_group1"
+      },
+      "event_id": 4732,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4625,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx
new file mode 100644
index 00000000000..97ffa2a63ba
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json
new file mode 100644
index 00000000000..ca75b7d5c50
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:32:14.8941288Z",
+    "event": {
+      "action": "deleted-group-account-from",
+      "code": 4733,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "test_group1"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A member was removed from a security-enabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local",
+        "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "PrivilegeList": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111",
+        "TargetUserName": "test_group1"
+      },
+      "event_id": 4733,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4627,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx
new file mode 100644
index 00000000000..d3d06502c30
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json
new file mode 100644
index 00000000000..237347ad76d
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json
@@ -0,0 +1,61 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:32:35.1274042Z",
+    "event": {
+      "action": "deleted-group-account",
+      "code": 4734,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "test_group1v1"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A security-enabled local group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1v1\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "PrivilegeList": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111",
+        "TargetUserName": "test_group1v1"
+      },
+      "event_id": 4734,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4630,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx
new file mode 100644
index 00000000000..47e2d9b3f41
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json
new file mode 100644
index 00000000000..30109fcd090
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:32:30.425487Z",
+    "event": {
+      "action": "modified-group-account",
+      "code": 4735,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "test_group1v1"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A security-enabled local group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1v1\n\tGroup Domain:\t\tWLBEAT\n\nChanged Attributes:\n\tSAM Account Name:\ttest_group1v1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "PrivilegeList": "-",
+        "SamAccountName": "test_group1v1",
+        "SidHistory": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111",
+        "TargetUserName": "test_group1v1"
+      },
+      "event_id": 4735,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4628,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx
new file mode 100644
index 00000000000..376d98e16d8
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json
new file mode 100644
index 00000000000..dab1408d799
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:33:57.2710608Z",
+    "event": {
+      "action": "modified-group-account",
+      "code": 4737,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "test_group2v2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A security-enabled global group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "PrivilegeList": "-",
+        "SamAccountName": "-",
+        "SidHistory": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112",
+        "TargetUserName": "test_group2v2"
+      },
+      "event_id": 4737,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4668,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json
index 536370d050b..bb3567f8ccb 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json
@@ -32,6 +32,10 @@
         "HomeDirectory": "%%1793",
         "HomePath": "%%1793",
         "LogonHours": "%%1797",
+        "NewUACList": [
+          "LOCKOUT",
+          "NORMAL_ACCOUNT"
+        ],
         "NewUacValue": "0x210",
         "OldUacValue": "0x210",
         "PasswordLastSet": "6/9/2019 10:30:28",
@@ -48,7 +52,9 @@
         "TargetDomainName": "WIN-41OB2LO92CR",
         "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005",
         "TargetUserName": "elastictest1",
-        "UserAccountControl": "-",
+        "UserAccountControl": [
+          "-"
+        ],
         "UserParameters": "%%1793",
         "UserPrincipalName": "-",
         "UserWorkstations": "%%1793"
@@ -106,6 +112,10 @@
         "HomeDirectory": "%%1793",
         "HomePath": "%%1793",
         "LogonHours": "%%1797",
+        "NewUACList": [
+          "LOCKOUT",
+          "NORMAL_ACCOUNT"
+        ],
         "NewUacValue": "0x210",
         "OldUacValue": "0x10",
         "PasswordLastSet": "6/9/2019 10:25:21",
@@ -122,7 +132,9 @@
         "TargetDomainName": "WIN-41OB2LO92CR",
         "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006",
         "TargetUserName": "audittest0609",
-        "UserAccountControl": "\n\t\t%%2089",
+        "UserAccountControl": [
+          "2089"
+        ],
         "UserParameters": "%%1793",
         "UserPrincipalName": "-",
         "UserWorkstations": "%%1793"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx
new file mode 100644
index 00000000000..db249481555
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json
new file mode 100644
index 00000000000..daa5826eccd
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:34:33.783048Z",
+    "event": {
+      "action": "added-group-account",
+      "code": 4754,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "Test_group3"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A security-enabled universal group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3\n\tGroup Domain:\t\tWLBEAT\n\nAttributes:\n\tSAM Account Name:\tTest_group3\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "PrivilegeList": "-",
+        "SamAccountName": "Test_group3",
+        "SidHistory": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113",
+        "TargetUserName": "Test_group3"
+      },
+      "event_id": 4754,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4676,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx
new file mode 100644
index 00000000000..4efe97cbf15
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json
new file mode 100644
index 00000000000..02cc1f19bfa
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:35:09.0701134Z",
+    "event": {
+      "action": "modified-group-account",
+      "code": 4755,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "Test_group3v2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A security-enabled universal group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3v2\n\tGroup Domain:\t\tWLBEAT\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "PrivilegeList": "-",
+        "SamAccountName": "-",
+        "SidHistory": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113",
+        "TargetUserName": "Test_group3v2"
+      },
+      "event_id": 4755,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4685,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx
new file mode 100644
index 00000000000..eb53aad92c8
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json
new file mode 100644
index 00000000000..f6fbfb1cc13
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:34:58.4130288Z",
+    "event": {
+      "action": "added-group-account-to",
+      "code": 4756,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "Test_group3v2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A member was added to a security-enabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tAccount Name:\t\tTest_group3v2\n\tAccount Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local",
+        "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "PrivilegeList": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113",
+        "TargetUserName": "Test_group3v2"
+      },
+      "event_id": 4756,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4684,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx
new file mode 100644
index 00000000000..36d7f2ec261
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json
new file mode 100644
index 00000000000..bf000399f21
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:35:09.0701919Z",
+    "event": {
+      "action": "deleted-group-account-from",
+      "code": 4757,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "Test_group3v2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A member was removed from a security-enabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local",
+        "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "PrivilegeList": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113",
+        "TargetUserName": "Test_group3v2"
+      },
+      "event_id": 4757,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4686,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx
new file mode 100644
index 00000000000..e937545b684
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json
new file mode 100644
index 00000000000..e199f55ad76
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json
@@ -0,0 +1,61 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:35:13.5502867Z",
+    "event": {
+      "action": "deleted-group-account",
+      "code": 4758,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "Test_group3v2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A security-enabled universal group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "PrivilegeList": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113",
+        "TargetUserName": "Test_group3v2"
+      },
+      "event_id": 4758,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4687,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx
new file mode 100644
index 00000000000..f261d5310b4
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json
new file mode 100644
index 00000000000..a36c3a620ad
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json
@@ -0,0 +1,62 @@
+[
+  {
+    "@timestamp": "2019-10-22T11:33:57.271141Z",
+    "event": {
+      "action": "type-changed-group-account",
+      "code": 4764,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "WLBEAT",
+      "name": "test_group2v2"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A group’s type was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nChange Type:\t\t\tSecurity Enabled Universal Group Changed to Security Enabled Global Group.\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+      "event_data": {
+        "GroupTypeChange": "Security Enabled Universal Group Changed to Security Enabled Global Group.",
+        "PrivilegeList": "-",
+        "SubjectDomainName": "WLBEAT",
+        "SubjectLogonId": "0x4a727",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
+        "TargetDomainName": "WLBEAT",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112",
+        "TargetUserName": "test_group2v2"
+      },
+      "event_id": 4764,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x4a727"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 772,
+        "thread": {
+          "id": 1664
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 4669,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx
new file mode 100644
index 00000000000..58e6e280a71
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json
new file mode 100644
index 00000000000..bb021b9d8a3
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json
@@ -0,0 +1,58 @@
+[
+  {
+    "@timestamp": "2019-10-08T10:20:34.0535453Z",
+    "event": {
+      "action": "group-membership-enumerated",
+      "code": 4798,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A user's local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nUser:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nProcess Information:\n\tProcess ID:\t\t0x3f0\n\tProcess Name:\t\tC:\\Windows\\System32\\LogonUI.exe",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WIN-41OB2LO92CR",
+      "name": "elastictest1"
+    },
+    "winlog": {
+      "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}",
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR",
+      "event_data": {
+        "CallerProcessId": "0x3f0",
+        "CallerProcessName": "C:\\Windows\\System32\\LogonUI.exe",
+        "SubjectDomainName": "WORKGROUP",
+        "SubjectLogonId": "0x3e7",
+        "SubjectUserName": "WIN-41OB2LO92CR$",
+        "SubjectUserSid": "S-1-5-18",
+        "TargetDomainName": "WIN-41OB2LO92CR",
+        "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005",
+        "TargetUserName": "elastictest1"
+      },
+      "event_id": 4798,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x3e7"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 780,
+        "thread": {
+          "id": 1740
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 2996,
+      "task": "User Account Management"
+    }
+  }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx
new file mode 100644
index 00000000000..a1bfce52dcc
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json
new file mode 100644
index 00000000000..036cfebb5ef
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+  {
+    "@timestamp": "2019-10-08T10:20:44.4724208Z",
+    "event": {
+      "action": "user-member-enumerated",
+      "code": 4799,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing"
+    },
+    "group": {
+      "domain": "Builtin",
+      "name": "Administrators"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A security-enabled local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nGroup:\n\tSecurity ID:\t\tS-1-5-32-544\n\tGroup Name:\t\tAdministrators\n\tGroup Domain:\t\tBuiltin\n\nProcess Information:\n\tProcess ID:\t\t0x494\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe",
+    "process": {
+      "name": "null"
+    },
+    "user": {
+      "domain": "WORKGROUP",
+      "id": "S-1-5-18",
+      "name": "WIN-41OB2LO92CR$"
+    },
+    "winlog": {
+      "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}",
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR",
+      "event_data": {
+        "CallerProcessId": "0x494",
+        "CallerProcessName": "C:\\Windows\\System32\\svchost.exe",
+        "SubjectDomainName": "WORKGROUP",
+        "SubjectLogonId": "0x3e7",
+        "SubjectUserName": "WIN-41OB2LO92CR$",
+        "SubjectUserSid": "S-1-5-18",
+        "TargetDomainName": "Builtin",
+        "TargetSid": "S-1-5-32-544",
+        "TargetUserName": "Administrators"
+      },
+      "event_id": 4799,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x3e7"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 780,
+        "thread": {
+          "id": 820
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 3002,
+      "task": "Security Group Management"
+    }
+  }
+]
\ No newline at end of file