Add 4634 and 4647 (logoff events) to Security module #12906

Merged
merged 2 commits into from Jul 18, 2019

Conversation

janniten
Contributor

Modified winlogbeat-security.js in order to add Evt 4634 support

@elasticmachine
Collaborator

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

@andrewkroh
Member

Thanks for opening the PR. I'll try to take a look at this tomorrow.

janniten and others added 2 commits July 17, 2019 23:01
This adds event ID 4634 and 4647 (logoff events) to the Security module. It also adds winlog.logon.type which is a descriptive version of the winlog.event_data.LogonType field.
@andrewkroh
Member

@janniten I pushed an update to build the .golden file based on your .evtx. I added 4647 since it looks very similar. And I added another field called winlog.logon.type that is a more descriptive version of the winlog.event_data.LogonType value, like RemoteInteractive or Service.

Please review.
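The LogonType-to-name mapping described in the comment above, written out as an added example (plain JavaScript, not the winlogbeat-security.js processor from this PR): a 4634 event carries winlog.event_data.LogonType and gets a descriptive winlog.logon.type, while 4647 carries no LogonType and only gets the logoff action. The event object shape, the `event_code` field name and the `logged-out` action string are assumptions.

```javascript
// Added example, not code from the PR. Stands in for the enrichment that
// winlogbeat-security.js performs on logoff events. Well-known Windows
// LogonType codes and their descriptive names.
const LOGON_TYPES = {
  '2': 'Interactive',
  '3': 'Network',
  '4': 'Batch',
  '5': 'Service',
  '7': 'Unlock',
  '8': 'NetworkCleartext',
  '9': 'NewCredentials',
  '10': 'RemoteInteractive',
  '11': 'CachedInteractive',
};

// Descriptive name for a LogonType code. Unknown codes are returned as the
// original string so an unexpected value stays visible in the index instead
// of being silently dropped.
function logonTypeName(code) {
  if (code === undefined || code === null) return undefined;
  const key = String(code).trim();
  return LOGON_TYPES[key] || key;
}

// Enrich a parsed Security event. `evt` is a plain object modelled on the
// winlog.* fields (assumed shape: event_code, event_data, logon). Events
// other than 4634 and 4647 are returned untouched; the input is not mutated.
function enrichLogoff(evt) {
  const code = String(evt.event_code);
  if (code !== '4634' && code !== '4647') return evt;
  const out = { ...evt, logon: { ...(evt.logon || {}) } };
  out.action = 'logged-out'; // assumed action label for both logoff events
  // 4634 has LogonType; 4647 (user-initiated logoff) does not, so logon.type
  // is only set when the field is actually present.
  const name = logonTypeName((evt.event_data || {}).LogonType);
  if (name !== undefined) out.logon.type = name;
  return out;
}

// Constructed sample events modelled on the fields of 4634 and 4647.
const SAMPLE_4634 = {
  event_code: 4634,
  event_data: { TargetUserName: 'alice', LogonType: '10' },
};
const SAMPLE_4647 = {
  event_code: 4647,
  event_data: { SubjectUserName: 'bob' },
};
```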

Contributor Author

@janniten janniten left a comment

@andrewkroh everything seems OK.

@cachedout cachedout removed the request for review from a team July 18, 2019 11:07
@andrewkroh andrewkroh merged commit 192f523 into elastic:master Jul 18, 2019
@andrewkroh andrewkroh changed the title Add event 4634 support Add 4634 and 4647 (logoff events) to Security module Jul 18, 2019
@janniten janniten deleted the evt-4634-add branch July 18, 2019 17:12
andrewkroh added a commit that referenced this pull request Jun 4, 2020
…18775)

This PR adds two new dashboards related to events added in PRs (#12906, #14299, #15217, #17517) and implements some improvements to the existing winlogbeat security module's dashboard

New Dashboards

    User Logon Dashboard shows all the logon information. It allows us to keep track of logon and admin logon events between RDP connections and disconnections.
    Failed and Blocked Accounts allows us to keep track of failed logons and locked out accounts

Existing Dashboards

    Added Distribution groups Events (#15217)
    Found that Event 4625 can be generated by two different providers: Microsoft-Windows-Security-Auditing and Microsoft-Windows-EventSystem. Filters to use only the event.code=4625 from Microsoft-Windows-Security-Auditing were added

All Dashboards

    Markdown with links to all the winlogbeat security dashboards was added (following the idea of the Filebeat and Auditbeat dashboards)

    Visualizations that use many events (like group management related visualizations)
    were modified in order to use a saved search with the relevant events for that visualization as a source (instead of using individual filters for each visualization)

    Removed the margin between panels to look the same way as other beats dashboards

    TSVB metrics were modified to use the Entire Time Range and to use eye-friendlier colors

Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this pull request Oct 14, 2020
…lastic#18775)
andrewkroh pushed a commit to andrewkroh/beats that referenced this pull request Nov 16, 2020
…lastic#18775)
(cherry picked from commit 7b9c535)
andrewkroh added a commit that referenced this pull request Nov 30, 2020
…18775) (#22598)
(cherry picked from commit 7b9c535)

Co-authored-by: Anabella Cristaldi <33020901+janniten@users.noreply.github.com>