

Update sysmon and security modules (#13047)
- Add event.module for both modules.
- Add event.outcome to Security log authentication events.
- Add event.category=process and event.type=process_start/process_end to Sysmon process events (event ID 1 and 5).
- Normalize GUIDs to lowercase in golden file tests
- Improve the diff output when a test fails.
andrewkroh committed Jul 26, 2019
1 parent 6629242 commit cca42cf
Showing 7 changed files with 279 additions and 124 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -308,6 +308,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add support for reading from .evtx files. {issue}4450[4450]
- Add support for event ID 4634 and 4647 to the Security module. {pull}12906[12906]
- Add `network.community_id` to Sysmon network events (event ID 3). {pull}13034[13034]
- Add `event.module` to Winlogbeat modules. {pull}13047[13047]
- Add `event.category: process` and `event.type: process_start/process_end` to Sysmon process events (event ID 1 and 5). {pull}13047[13047]

==== Deprecated

Expand Up @@ -35,6 +35,7 @@ var security = (function () {
fields: {
"event.category": "authentication",
"event.type": "authentication_success",
"event.outcome": "success",
},
target: "",
});
Expand All @@ -43,6 +44,7 @@ var security = (function () {
fields: {
"event.category": "authentication",
"event.type": "authentication_failure",
"event.outcome": "failure",
},
target: "",
});
Expand Down Expand Up @@ -113,6 +115,7 @@ var security = (function () {
if (processor === undefined) {
return;
}
evt.Put("event.module", "security");
processor(evt);
},
};
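Review bot: The new `evt.Put("event.module", "security");` runs only after the processor lookup, so a Security event with no registered processor hits the `return` two lines above it and leaves the module without event.module, while the golden files in this commit suggest every Security event is expected to carry it. If that is the intent, move the call ahead of the guard: `evt.Put("event.module", "security");` before `if (processor === undefined) {`. The enclosing process function starts before this hunk, so the lookup that assigns `processor` is not visible here.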
Expand Up @@ -6,6 +6,8 @@
"category": "authentication",
"code": 4624,
"kind": "event",
"module": "security",
"outcome": "success",
"type": "authentication_success"
},
"log": {
Expand Down Expand Up @@ -57,7 +59,7 @@
"id": 536
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 1535,
"task": "Logon",
Expand All @@ -71,6 +73,8 @@
"category": "authentication",
"code": 4624,
"kind": "event",
"module": "security",
"outcome": "success",
"type": "authentication_success"
},
"log": {
Expand Down Expand Up @@ -122,7 +126,7 @@
"id": 556
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 1538,
"task": "Logon",
Expand All @@ -136,6 +140,8 @@
"category": "authentication",
"code": 4624,
"kind": "event",
"module": "security",
"outcome": "success",
"type": "authentication_success"
},
"log": {
Expand Down Expand Up @@ -190,7 +196,7 @@
"id": 556
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 1542,
"task": "Logon",
Expand All @@ -204,6 +210,8 @@
"category": "authentication",
"code": 4624,
"kind": "event",
"module": "security",
"outcome": "success",
"type": "authentication_success"
},
"log": {
Expand Down Expand Up @@ -255,7 +263,7 @@
"id": 556
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 1545,
"task": "Logon",
Expand All @@ -269,6 +277,8 @@
"category": "authentication",
"code": 4624,
"kind": "event",
"module": "security",
"outcome": "success",
"type": "authentication_success"
},
"log": {
Expand Down Expand Up @@ -320,7 +330,7 @@
"id": 556
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 1547,
"task": "Logon",
Expand All @@ -334,6 +344,8 @@
"category": "authentication",
"code": 4624,
"kind": "event",
"module": "security",
"outcome": "success",
"type": "authentication_success"
},
"log": {
Expand Down Expand Up @@ -385,7 +397,7 @@
"id": 556
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 1550,
"task": "Logon",
Expand All @@ -399,6 +411,8 @@
"category": "authentication",
"code": 4624,
"kind": "event",
"module": "security",
"outcome": "success",
"type": "authentication_success"
},
"log": {
Expand Down Expand Up @@ -450,7 +464,7 @@
"id": 548
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 1553,
"task": "Logon",
Expand All @@ -464,6 +478,8 @@
"category": "authentication",
"code": 4624,
"kind": "event",
"module": "security",
"outcome": "success",
"type": "authentication_success"
},
"log": {
Expand Down Expand Up @@ -515,7 +531,7 @@
"id": 548
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 1556,
"task": "Logon",
Expand All @@ -529,6 +545,8 @@
"category": "authentication",
"code": 4624,
"kind": "event",
"module": "security",
"outcome": "success",
"type": "authentication_success"
},
"log": {
Expand Down Expand Up @@ -583,7 +601,7 @@
"id": 808
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 1561,
"task": "Logon",
Expand All @@ -597,6 +615,8 @@
"category": "authentication",
"code": 4624,
"kind": "event",
"module": "security",
"outcome": "success",
"type": "authentication_success"
},
"log": {
Expand Down Expand Up @@ -648,7 +668,7 @@
"id": 548
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 1563,
"task": "Logon",
Expand All @@ -662,6 +682,8 @@
"category": "authentication",
"code": 4624,
"kind": "event",
"module": "security",
"outcome": "success",
"type": "authentication_success"
},
"log": {
Expand Down Expand Up @@ -716,7 +738,7 @@
"id": 808
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 1567,
"task": "Logon",
Expand All @@ -730,6 +752,8 @@
"category": "authentication",
"code": 4624,
"kind": "event",
"module": "security",
"outcome": "success",
"type": "authentication_success"
},
"log": {
Expand Down Expand Up @@ -781,7 +805,7 @@
"id": 556
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 1570,
"task": "Logon",
Expand All @@ -795,6 +819,8 @@
"category": "authentication",
"code": 4624,
"kind": "event",
"module": "security",
"outcome": "success",
"type": "authentication_success"
},
"log": {
Expand Down Expand Up @@ -846,7 +872,7 @@
"id": 1132
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 1574,
"task": "Logon",
Expand All @@ -860,6 +886,8 @@
"category": "authentication",
"code": 4624,
"kind": "event",
"module": "security",
"outcome": "success",
"type": "authentication_success"
},
"log": {
Expand Down Expand Up @@ -911,7 +939,7 @@
"id": 1132
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 1576,
"task": "Logon",
Expand All @@ -925,6 +953,8 @@
"category": "authentication",
"code": 4624,
"kind": "event",
"module": "security",
"outcome": "success",
"type": "authentication_success"
},
"log": {
Expand Down Expand Up @@ -976,7 +1006,7 @@
"id": 504
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 1578,
"task": "Logon",
Expand All @@ -990,6 +1020,8 @@
"category": "authentication",
"code": 4624,
"kind": "event",
"module": "security",
"outcome": "success",
"type": "authentication_success"
},
"log": {
Expand Down Expand Up @@ -1041,7 +1073,7 @@
"id": 1132
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 1581,
"task": "Logon",
Expand All @@ -1055,6 +1087,8 @@
"category": "authentication",
"code": 4624,
"kind": "event",
"module": "security",
"outcome": "success",
"type": "authentication_success"
},
"log": {
Expand Down Expand Up @@ -1106,7 +1140,7 @@
"id": 344
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 1583,
"task": "Logon",
Expand All @@ -1120,6 +1154,8 @@
"category": "authentication",
"code": 4625,
"kind": "event",
"module": "security",
"outcome": "failure",
"type": "authentication_failure"
},
"log": {
Expand Down Expand Up @@ -1174,7 +1210,7 @@
"id": 2756
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 1585,
"task": "Logon"
Expand Up @@ -4,7 +4,8 @@
"event": {
"action": "Logoff",
"code": 4634,
"kind": "event"
"kind": "event",
"module": "security"
},
"log": {
"level": "information"
Expand Down Expand Up @@ -37,7 +38,7 @@
"id": 540
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 485,
"task": "Logoff"
Expand All @@ -48,7 +49,8 @@
"event": {
"action": "Logoff",
"code": 4634,
"kind": "event"
"kind": "event",
"module": "security"
},
"log": {
"level": "information"
Expand Down Expand Up @@ -81,7 +83,7 @@
"id": 820
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 747,
"task": "Logoff"
