Add 4634 and 4647 (logoff events) to Security module #12906

Merged
merged 2 commits into from Jul 18, 2019
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -292,6 +292,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
*Winlogbeat*

- Add support for reading from .evtx files. {issue}4450[4450]
- Add support for event ID 4634 and 4647 to the Security module. {pull}12906[12906]

==== Deprecated

Expand Down
7 changes: 7 additions & 0 deletions winlogbeat/_meta/fields.common.yml
Expand Up @@ -193,6 +193,13 @@
required: false
description: The version number of the event's definition.

- name: logon.type
type: keyword
description: >
Logon type name. This is the descriptive version of the
`winlog.event_data.LogonType` ordinal. This is an enrichment added
by the Security module.

# Aliases for the old fields
- key: eventlog
title: Event log record
Expand Down
10 changes: 10 additions & 0 deletions winlogbeat/docs/fields.asciidoc
Expand Up @@ -4157,3 +4157,13 @@ required: False

--

*`winlog.logon.type`*::
+
--
Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module.


type: keyword

--

2 changes: 2 additions & 0 deletions winlogbeat/docs/modules/security.asciidoc
Expand Up @@ -10,6 +10,8 @@ The module has transformations for the following event IDs:

* 4624 - An account was successfully logged on.
* 4625 - An account failed to log on.
* 4634 - An account was logged off.
* 4647 - User initiated logoff (interactive logon types).
* 4648 - A logon was attempted using explicit credentials.

More event IDs will be added.
Expand Down
2 changes: 1 addition & 1 deletion winlogbeat/include/fields.go

Large diffs are not rendered by default.

2 changes: 2 additions & 0 deletions x-pack/winlogbeat/module/security/_meta/docs.asciidoc
Expand Up @@ -10,6 +10,8 @@ The module has transformations for the following event IDs:

* 4624 - An account was successfully logged on.
* 4625 - An account failed to log on.
* 4634 - An account was logged off.
* 4647 - User initiated logoff (interactive logon types).
* 4648 - A logon was attempted using explicit credentials.

More event IDs will be added.
Expand Down
37 changes: 37 additions & 0 deletions x-pack/winlogbeat/module/security/config/winlogbeat-security.js
Expand Up @@ -7,6 +7,30 @@ var security = (function () {
var processor = require("processor");
var winlogbeat = require("winlogbeat");

var logonTypes = {
"2": "Interactive",
"3": "Network",
"4": "Batch",
"5": "Service",
"7": "Unlock",
"8": "NetworkCleartext",
"9": "NewCredentials",
"10": "RemoteInteractive",
"11": "CachedInteractive",
};

var addLogonType = function(evt) {
var lt = evt.Get("winlog.event_data.LogonType");
if (!lt) {
return;
}
var descriptiveLogonType = logonTypes[lt];
if (descriptiveLogonType === undefined) {
return;
}
evt.Put("winlog.logon.type", descriptiveLogonType);
};

var addAuthSuccess = new processor.AddFields({
fields: {
"event.category": "authentication",
Expand Down Expand Up @@ -48,15 +72,22 @@ var security = (function () {
evt.Put("process.name", path.basename(exe));
};

var logoff = new processor.Chain()
.Add(convertAuthentication)
.Add(addLogonType)
.Build();

var logonSuccess = new processor.Chain()
.Add(addAuthSuccess)
.Add(convertAuthentication)
.Add(addLogonType)
.Add(setProcessNameUsingExe)
.Build();

var logonFailed = new processor.Chain()
.Add(addAuthFailed)
.Add(convertAuthentication)
.Add(addLogonType)
.Add(setProcessNameUsingExe)
.Build();

Expand All @@ -66,6 +97,12 @@ var security = (function () {

// 4625 - An account failed to log on.
4625: logonFailed.Run,

// 4634 - An account was logged off.
4634: logoff.Run,

// 4647 - User initiated logoff.
4647: logoff.Run,

// 4648 - A logon was attempted using explicit credentials.
4648: logonSuccess.Run,
Expand Down
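Review bot: The `logonTypes` table maps only ordinals 2–11, so any other `winlog.event_data.LogonType` value makes `addLogonType` return early and the event ships with no `winlog.logon.type` at all; as far as I recall Microsoft's 4624 reference also lists 0 (System, used by the system account at boot), 12 (CachedRemoteInteractive) and 13 (CachedUnlock), and a detection keyed on the descriptive field would silently miss those sessions rather than fail loudly. Adding `"0": "System",`, `"12": "CachedRemoteInteractive",` and `"13": "CachedUnlock",` to the map closes the gap without changing anything for the values already covered. Separately, the new `logoff` chain sets no `event.category`, whereas `logonSuccess` goes through `addAuthSuccess` with `event.category: authentication`; if 4634/4647 are meant to be correlated with 4624 via that field, a parallel `AddFields` step on the logoff chain is worth considering. The enclosing `security` IIFE and `convertAuthentication` start outside this hunk.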
Expand Up @@ -47,6 +47,9 @@
"keywords": [
"Audit Success"
],
"logon": {
"type": "Service"
},
"opcode": "Info",
"process": {
"pid": 516,
Expand Down Expand Up @@ -109,6 +112,9 @@
"keywords": [
"Audit Success"
],
"logon": {
"type": "Service"
},
"opcode": "Info",
"process": {
"pid": 516,
Expand Down Expand Up @@ -174,6 +180,9 @@
"keywords": [
"Audit Success"
],
"logon": {
"type": "Interactive"
},
"opcode": "Info",
"process": {
"pid": 516,
Expand Down Expand Up @@ -236,6 +245,9 @@
"keywords": [
"Audit Success"
],
"logon": {
"type": "Service"
},
"opcode": "Info",
"process": {
"pid": 516,
Expand Down Expand Up @@ -298,6 +310,9 @@
"keywords": [
"Audit Success"
],
"logon": {
"type": "Network"
},
"opcode": "Info",
"process": {
"pid": 516,
Expand Down Expand Up @@ -360,6 +375,9 @@
"keywords": [
"Audit Success"
],
"logon": {
"type": "Network"
},
"opcode": "Info",
"process": {
"pid": 516,
Expand Down Expand Up @@ -422,6 +440,9 @@
"keywords": [
"Audit Success"
],
"logon": {
"type": "Network"
},
"opcode": "Info",
"process": {
"pid": 516,
Expand Down Expand Up @@ -484,6 +505,9 @@
"keywords": [
"Audit Success"
],
"logon": {
"type": "Network"
},
"opcode": "Info",
"process": {
"pid": 516,
Expand Down Expand Up @@ -549,6 +573,9 @@
"keywords": [
"Audit Success"
],
"logon": {
"type": "Network"
},
"opcode": "Info",
"process": {
"pid": 516,
Expand Down Expand Up @@ -611,6 +638,9 @@
"keywords": [
"Audit Success"
],
"logon": {
"type": "Interactive"
},
"opcode": "Info",
"process": {
"pid": 516,
Expand Down Expand Up @@ -676,6 +706,9 @@
"keywords": [
"Audit Success"
],
"logon": {
"type": "RemoteInteractive"
},
"opcode": "Info",
"process": {
"pid": 516,
Expand Down Expand Up @@ -738,6 +771,9 @@
"keywords": [
"Audit Success"
],
"logon": {
"type": "Interactive"
},
"opcode": "Info",
"process": {
"pid": 516,
Expand Down Expand Up @@ -800,6 +836,9 @@
"keywords": [
"Audit Success"
],
"logon": {
"type": "Service"
},
"opcode": "Info",
"process": {
"pid": 516,
Expand Down Expand Up @@ -862,6 +901,9 @@
"keywords": [
"Audit Success"
],
"logon": {
"type": "Service"
},
"opcode": "Info",
"process": {
"pid": 516,
Expand Down Expand Up @@ -924,6 +966,9 @@
"keywords": [
"Audit Success"
],
"logon": {
"type": "Service"
},
"opcode": "Info",
"process": {
"pid": 516,
Expand Down Expand Up @@ -986,6 +1031,9 @@
"keywords": [
"Audit Success"
],
"logon": {
"type": "Service"
},
"opcode": "Info",
"process": {
"pid": 516,
Expand Down Expand Up @@ -1048,6 +1096,9 @@
"keywords": [
"Audit Success"
],
"logon": {
"type": "Service"
},
"opcode": "Info",
"process": {
"pid": 516,
Expand Down Expand Up @@ -1113,6 +1164,9 @@
"keywords": [
"Audit Failure"
],
"logon": {
"type": "Interactive"
},
"opcode": "Info",
"process": {
"pid": 516,
Expand Down
Binary file not shown.
@@ -0,0 +1,90 @@
[
{
"@timestamp": "2019-05-17T11:06:58.210768Z",
"event": {
"action": "Logoff",
"code": 4634,
"kind": "event"
},
"log": {
"level": "information"
},
"message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x767A77\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
"user": {
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-1000",
"name": "audittest"
},
"winlog": {
"api": "wineventlog",
"channel": "Security",
"computer_name": "WIN-41OB2LO92CR",
"event_data": {
"LogonType": "3",
"TargetLogonId": "0x767a77"
},
"event_id": 4634,
"keywords": [
"Audit Success"
],
"logon": {
"type": "Network"
},
"opcode": "Info",
"process": {
"pid": 776,
"thread": {
"id": 540
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 485,
"task": "Logoff"
}
},
{
"@timestamp": "2019-05-19T16:15:38.542273Z",
"event": {
"action": "Logoff",
"code": 4634,
"kind": "event"
},
"log": {
"level": "information"
},
"message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x104A4A6\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
"user": {
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
"name": "Administrator"
},
"winlog": {
"api": "wineventlog",
"channel": "Security",
"computer_name": "WIN-41OB2LO92CR",
"event_data": {
"LogonType": "3",
"TargetLogonId": "0x104a4a6"
},
"event_id": 4634,
"keywords": [
"Audit Success"
],
"logon": {
"type": "Network"
},
"opcode": "Info",
"process": {
"pid": 780,
"thread": {
"id": 820
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 747,
"task": "Logoff"
}
}
]