
Add Security event ID 4672 #12975

Merged

Conversation

andrewkroh
Member

@andrewkroh andrewkroh commented Jul 18, 2019

  • Add `winlog.logon.id` field containing all the logon IDs from the event. This makes it possible to find all events related to a logon ID, including when a user changes to a new user.
  • Copy, rather than move, the TargetUser and SubjectUser fields. This leaves the original fields in `event_data`.
  • For failure events decode the status codes to `winlog.logon.failure.status` and `winlog.logon.failure.sub_status`, and decode the FailureReason to `winlog.logon.failure.reason` (e.g. make `%%2313` into a string).
  • Make the processor chain builder accept other processor chains via the `Add()` method such that one built chain can be re-used by another.

```javascript
var logoff = new processor.Chain()
    .Add(convertAuthentication)
    .Add(copyTargetUser)
```
Member Author


If anyone tries to run this pipeline on the existing 7.2.0 release, you will need to change this line to add `.Run`, like

`.Add(copyTargetUser.Run)`

and do the same for `.Add(copySubjectUser)` and `.Add(renameCommonAuthFields)`.
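The two builder spellings discussed here (the new `.Add(chain)` form and the `.Add(chain.Run)` form the 7.2.0 release needs) and the three behaviours listed in the PR description can be shown together in a small stand-alone script. The following is an added example, not code from elastic/beats or from this PR: it runs on plain JavaScript objects rather than the Beats event API, the destination fields `winlog.logon.target` and `winlog.logon.subject` are assumed, the `event_data` keys (`SubjectLogonId`, `TargetLogonId`, `Status`, `SubStatus`, `FailureReason`) are assumptions about the event layout, and the decode tables are illustrative subsets constructed for the example, not the module's own tables.

```javascript
"use strict";

// Chain keeps its processors in a closure so Run never depends on `this`.
// That is what lets both .Add(chain) and the older .Add(chain.Run) work.
function Chain() {
  var steps = [];
  this.Add = function (p) {
    if (typeof p === "function") {
      steps.push(p);                       // plain processor function
    } else if (p && typeof p.Run === "function") {
      steps.push(p.Run);                   // another built Chain, reused whole
    } else {
      throw new TypeError("Chain.Add expects a processor function or a Chain");
    }
    return this;                           // allow .Add(...).Add(...) chaining
  };
  this.Run = function (evt) {
    for (var i = 0; i < steps.length; i++) {
      steps[i](evt);
    }
    return evt;
  };
}

function eventData(evt) {
  return (evt.winlog && evt.winlog.event_data) || {};
}

function logonNS(evt) {
  evt.winlog = evt.winlog || {};
  evt.winlog.logon = evt.winlog.logon || {};
  return evt.winlog.logon;
}

// Copy, rather than move: event_data keeps the original user fields.
// Destination paths are assumed for this example.
function copyUsers(evt) {
  var ed = eventData(evt);
  var logon = logonNS(evt);
  if (ed.TargetUserName !== undefined) {
    logon.target = { user: { name: ed.TargetUserName, domain: ed.TargetDomainName } };
  }
  if (ed.SubjectUserName !== undefined) {
    logon.subject = { user: { name: ed.SubjectUserName, domain: ed.SubjectDomainName } };
  }
}

// Gather every logon ID in the event into winlog.logon.id, so a search on one
// ID also returns the event where the subject switched to a new target user.
function collectLogonIds(evt) {
  var ed = eventData(evt);
  var ids = [];
  ["SubjectLogonId", "TargetLogonId"].forEach(function (key) {
    var v = ed[key];
    if (v !== undefined && v !== "" && ids.indexOf(v) === -1) {
      ids.push(v);
    }
  });
  if (ids.length > 0) {
    logonNS(evt).id = ids;
  }
}

// Illustrative decode tables constructed for this example (the real module
// carries the full Windows lists).
var statusText = {
  "0xc000006d": "STATUS_LOGON_FAILURE",
  "0xc000006a": "STATUS_WRONG_PASSWORD"
};
var failureReasonText = {
  "%%2313": "Unknown user name or bad password."
};

// Decode Status / SubStatus / FailureReason on failure events; unknown codes
// are kept verbatim rather than dropped.
function decodeFailure(evt) {
  var ed = eventData(evt);
  if (ed.Status === undefined && ed.FailureReason === undefined) {
    return; // not a failure event, nothing to decode
  }
  var failure = {};
  if (ed.Status !== undefined) {
    failure.status = statusText[ed.Status.toLowerCase()] || ed.Status;
  }
  if (ed.SubStatus !== undefined) {
    failure.sub_status = statusText[ed.SubStatus.toLowerCase()] || ed.SubStatus;
  }
  if (ed.FailureReason !== undefined) {
    failure.reason = failureReasonText[ed.FailureReason] || ed.FailureReason;
  }
  logonNS(evt).failure = failure;
}

// One built chain reused inside another, in both spellings.
var commonAuth = new Chain().Add(copyUsers).Add(collectLogonIds);
var logonFailure = new Chain().Add(commonAuth).Add(decodeFailure);        // new builder
var logonFailureLegacy = new Chain().Add(commonAuth.Run).Add(decodeFailure); // 7.2.0 form

// Constructed sample resembling a 4625 logon failure; not a real capture.
var sampleFailure = {
  winlog: {
    event_id: 4625,
    event_data: {
      SubjectUserName: "WORKSTATION$", SubjectDomainName: "CORP", SubjectLogonId: "0x3e7",
      TargetUserName: "jdoe", TargetDomainName: "CORP", TargetLogonId: "0x0",
      Status: "0xC000006D", SubStatus: "0xC000006A", FailureReason: "%%2313"
    }
  }
};

// Runs a chain over a deep copy so the sample itself stays untouched.
function processFailure(evt, chain) {
  var copy = JSON.parse(JSON.stringify(evt));
  return (chain || logonFailure).Run(copy);
}

console.log(JSON.stringify(processFailure(sampleFailure).winlog.logon, null, 2));
```

Because `Run` closes over its own step list instead of reading `this`, passing `commonAuth.Run` unbound produces the same output as passing `commonAuth` itself; that is the property a builder needs for the `.Add(chain)` shorthand to be a safe drop-in for the older `.Add(chain.Run)` call sites.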

@andrewkroh andrewkroh force-pushed the feature/wlb-security-event-id-4672 branch from b0de866 to 7fe48ff on July 23, 2019 20:49
@andrewkroh andrewkroh marked this pull request as ready for review July 23, 2019 20:49
@andrewkroh andrewkroh requested a review from a team as a code owner July 23, 2019 20:49
@elasticmachine
Collaborator

Pinging @elastic/secops

Contributor

@adriansr adriansr left a comment


LGTM

@andrewkroh andrewkroh force-pushed the feature/wlb-security-event-id-4672 branch from 7fe48ff to cc798b3 on July 24, 2019 17:52
@andrewkroh andrewkroh force-pushed the feature/wlb-security-event-id-4672 branch from cc798b3 to f16df9e on July 30, 2019 18:02
@andrewkroh andrewkroh merged commit 6d7e653 into elastic:master Jul 30, 2019
3 participants