diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index c0d9010422d..efdfb0f67e3 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -335,6 +335,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add more DNS error codes to the Sysmon module. {issue}15685[15685] - Add experimental event log reader implementation that should be faster in most cases. {issue}6585[6585] {pull}16849[16849] +- Add support for event IDs 4673,4674,4697,4698,4699,4700,4701,4702,4768,4769,4770,4771,4776,4778,4779,4964 to the Security module {pull}17517[17517] ==== Deprecated diff --git a/winlogbeat/docs/modules/security.asciidoc b/winlogbeat/docs/modules/security.asciidoc index c7e7415244e..30d2d04fe3a 100644 --- a/winlogbeat/docs/modules/security.asciidoc +++ b/winlogbeat/docs/modules/security.asciidoc @@ -19,8 +19,16 @@ The module has transformations for the following event IDs: * 4647 - User initiated logoff (interactive logon types). * 4648 - A logon was attempted using explicit credentials. * 4672 - Special privileges assigned to new logon. +* 4673 - A privileged service was called. +* 4674 - An operation was attempted on a privileged object. * 4688 - A new process has been created. * 4689 - A process has exited. +* 4697 - A service was installed in the system. +* 4698 - A scheduled task was created. +* 4699 - A scheduled task was deleted. +* 4700 - A scheduled task was enabled. +* 4701 - A scheduled task was disabled. +* 4702 - A scheduled task was updated. * 4719 - System audit policy was changed. * 4720 - A user account was created. * 4722 - A user account was enabled. 
@@ -32,7 +40,7 @@ The module has transformations for the following event IDs: * 4728 - A member was added to a security-enabled global group. * 4729 - A member was removed from a security-enabled global group. * 4730 - A security-enabled global group was deleted. -* 4731 - A security-enabled local group was created +* 4731 - A security-enabled local group was created. * 4732 - A member was added to a security-enabled local group. * 4733 - A member was removed from a security-enabled local group. * 4734 - A security-enabled local group was deleted. 
@@ -65,9 +73,41 @@ The module has transformations for the following event IDs: * 4763 - A security-disabled global group was deleted. * 4764 - A group's type was changed. * 4767 - An account was unlocked. +* 4741 - A computer account was created. +* 4742 - A computer account was changed. +* 4743 - A computer account was deleted. +* 4744 - A security-disabled local group was created. +* 4745 - A security-disabled local group was changed. +* 4746 - A member was added to a security-disabled local group. +* 4747 - A member was removed from a security-disabled local group. +* 4748 - A security-disabled local group was deleted. +* 4749 - A security-disabled global group was created. +* 4750 - A security-disabled global group was changed. +* 4751 - A member was added to a security-disabled global group. +* 4752 - A member was removed from a security-disabled global group. +* 4753 - A security-disabled global group was deleted. +* 4754 - A security-enabled universal group was created. +* 4755 - A security-enabled universal group was changed. +* 4756 - A member was added to a security-enabled universal group. +* 4757 - A member was removed from a security-enabled universal group. +* 4758 - A security-enabled universal group was deleted. +* 4759 - A security-disabled universal group was created. +* 4760 - A security-disabled universal group was changed. +* 4761 - A member was added to a security-disabled universal group. +* 4762 - A member was removed from a security-disabled universal group. +* 4763 - A security-disabled global group was deleted. +* 4764 - A group's type was changed. +* 4768 - A Kerberos authentication ticket TGT was requested. +* 4769 - A Kerberos service ticket was requested. +* 4770 - A Kerberos service ticket was renewed. +* 4771 - Kerberos pre-authentication failed. +* 4776 - The computer attempted to validate the credentials for an account. +* 4778 - A session was reconnected to a Window Station. 
+* 4779 - A session was disconnected from a Window Station. * 4781 - The name of an account was changed. * 4798 - A user's local group membership was enumerated. * 4799 - A security-enabled local group membership was enumerated. +* 4964 - Special groups have been assigned to a new logon. More event IDs will be added. diff --git a/x-pack/winlogbeat/module/security/_meta/docs.asciidoc b/x-pack/winlogbeat/module/security/_meta/docs.asciidoc index c7e7415244e..30d2d04fe3a 100644 --- a/x-pack/winlogbeat/module/security/_meta/docs.asciidoc +++ b/x-pack/winlogbeat/module/security/_meta/docs.asciidoc @@ -19,8 +19,16 @@ The module has transformations for the following event IDs: * 4647 - User initiated logoff (interactive logon types). * 4648 - A logon was attempted using explicit credentials. * 4672 - Special privileges assigned to new logon. +* 4673 - A privileged service was called. +* 4674 - An operation was attempted on a privileged object. * 4688 - A new process has been created. * 4689 - A process has exited. +* 4697 - A service was installed in the system. +* 4698 - A scheduled task was created. +* 4699 - A scheduled task was deleted. +* 4700 - A scheduled task was enabled. +* 4701 - A scheduled task was disabled. +* 4702 - A scheduled task was updated. * 4719 - System audit policy was changed. * 4720 - A user account was created. * 4722 - A user account was enabled. @@ -32,7 +40,7 @@ The module has transformations for the following event IDs: * 4728 - A member was added to a security-enabled global group. * 4729 - A member was removed from a security-enabled global group. * 4730 - A security-enabled global group was deleted. -* 4731 - A security-enabled local group was created +* 4731 - A security-enabled local group was created. * 4732 - A member was added to a security-enabled local group. * 4733 - A member was removed from a security-enabled local group. * 4734 - A security-enabled local group was deleted. 
@@ -65,9 +73,41 @@ The module has transformations for the following event IDs: * 4763 - A security-disabled global group was deleted. * 4764 - A group's type was changed. * 4767 - An account was unlocked. +* 4741 - A computer account was created. +* 4742 - A computer account was changed. +* 4743 - A computer account was deleted. +* 4744 - A security-disabled local group was created. +* 4745 - A security-disabled local group was changed. +* 4746 - A member was added to a security-disabled local group. +* 4747 - A member was removed from a security-disabled local group. +* 4748 - A security-disabled local group was deleted. +* 4749 - A security-disabled global group was created. +* 4750 - A security-disabled global group was changed. +* 4751 - A member was added to a security-disabled global group. +* 4752 - A member was removed from a security-disabled global group. +* 4753 - A security-disabled global group was deleted. +* 4754 - A security-enabled universal group was created. +* 4755 - A security-enabled universal group was changed. +* 4756 - A member was added to a security-enabled universal group. +* 4757 - A member was removed from a security-enabled universal group. +* 4758 - A security-enabled universal group was deleted. +* 4759 - A security-disabled universal group was created. +* 4760 - A security-disabled universal group was changed. +* 4761 - A member was added to a security-disabled universal group. +* 4762 - A member was removed from a security-disabled universal group. +* 4763 - A security-disabled global group was deleted. +* 4764 - A group's type was changed. +* 4768 - A Kerberos authentication ticket TGT was requested. +* 4769 - A Kerberos service ticket was requested. +* 4770 - A Kerberos service ticket was renewed. +* 4771 - Kerberos pre-authentication failed. +* 4776 - The computer attempted to validate the credentials for an account. +* 4778 - A session was reconnected to a Window Station. 
+* 4779 - A session was disconnected from a Window Station. * 4781 - The name of an account was changed. * 4798 - A user's local group membership was enumerated. * 4799 - A security-enabled local group membership was enumerated. +* 4964 - Special groups have been assigned to a new logon. More event IDs will be added. diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index b6cac040b74..f223b8f0b8d 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js @@ -7,6 +7,8 @@ var security = (function () { var processor = require("processor"); var winlogbeat = require("winlogbeat"); + // Logon Types + // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events var logonTypes = { "2": "Interactive", "3": "Network", 
@@ -19,96 +21,237 @@ var security = (function () { "11": "CachedInteractive", }; + // ECS Allowed Event Outcome + // https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-outcome.html + var eventOutcomes = { + "Audit Success": "success", + "Audit Failure": "failure", + }; + // User Account Control Attributes Table // https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties var uacFlags = [ - [0x0001, "SCRIPT"], - [0x0002, "ACCOUNTDISABLE"], - [0x0008, "HOMEDIR_REQUIRED"], - [0x0010, "LOCKOUT"], - [0x0020, "PASSWD_NOTREQD"], - [0x0040, "PASSWD_CANT_CHANGE"], - [0x0080, "ENCRYPTED_TEXT_PWD_ALLOWED"], - [0x0100, "TEMP_DUPLICATE_ACCOUNT"], - [0x0200, "NORMAL_ACCOUNT"], - [0x0800, "INTERDOMAIN_TRUST_ACCOUNT"], - [0x1000, "WORKSTATION_TRUST_ACCOUNT"], - [0x2000, "SERVER_TRUST_ACCOUNT"], - [0x10000, "DONT_EXPIRE_PASSWORD"], - [0x20000, "MNS_LOGON_ACCOUNT"], - [0x40000, "SMARTCARD_REQUIRED"], - [0x80000, "TRUSTED_FOR_DELEGATION"], - [0x100000, "NOT_DELEGATED"], - [0x200000, "USE_DES_KEY_ONLY"], - [0x400000, "DONT_REQ_PREAUTH"], - [0x800000, "PASSWORD_EXPIRED"], - [0x1000000, "TRUSTED_TO_AUTH_FOR_DELEGATION"], - [0x4000000, "PARTIAL_SECRETS_ACCOUNT"], + [0x0001, 'SCRIPT'], + [0x0002, 'ACCOUNTDISABLE'], + [0x0008, 'HOMEDIR_REQUIRED'], + [0x0010, 'LOCKOUT'], + [0x0020, 'PASSWD_NOTREQD'], + [0x0040, 'PASSWD_CANT_CHANGE'], + [0x0080, 'ENCRYPTED_TEXT_PWD_ALLOWED'], + [0x0100, 'TEMP_DUPLICATE_ACCOUNT'], + [0x0200, 'NORMAL_ACCOUNT'], + [0x0800, 'INTERDOMAIN_TRUST_ACCOUNT'], + [0x1000, 'WORKSTATION_TRUST_ACCOUNT'], + [0x2000, 'SERVER_TRUST_ACCOUNT'], + [0x10000, 'DONT_EXPIRE_PASSWORD'], + [0x20000, 'MNS_LOGON_ACCOUNT'], + [0x40000, 'SMARTCARD_REQUIRED'], + [0x80000, 'TRUSTED_FOR_DELEGATION'], + [0x100000, 'NOT_DELEGATED'], + [0x200000, 'USE_DES_KEY_ONLY'], + [0x400000, 'DONT_REQ_PREAUTH'], + [0x800000, 'PASSWORD_EXPIRED'], + [0x1000000, 'TRUSTED_TO_AUTH_FOR_DELEGATION'], + [0x04000000, 
'PARTIAL_SECRETS_ACCOUNT'], ]; - // event.action Description Table - // event.action Description Table + // Kerberos TGT and TGS Ticket Options + // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 + // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769 + var ticketOptions = [ + "Reserved", + "Forwardable", + "Forwarded", + "Proxiable", + "Proxy", + "Allow-postdate", + "Postdated", + "Invalid", + "Renewable", + "Initial", + "Pre-authent", + "Opt-hardware-auth", + "Transited-policy-checked", + "Ok-as-delegate", + "Request-anonymous", + "Name-canonicalize", + "Unused", + "Unused", + "Unused", + "Unused", + "Unused", + "Unused", + "Unused", + "Unused", + "Unused", + "Unused", + "Disable-transited-check", + "Renewable-ok", + "Enc-tkt-in-skey", + "Unused", + "Renew", + "Validate"]; + + // Kerberos Encryption Types + // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 + // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 + var ticketEncryptionTypes = { + "0x1": "DES-CBC-CRC", + "0x3": "DES-CBC-MD5", + "0x11": "AES128-CTS-HMAC-SHA1-96", + "0x12": "AES256-CTS-HMAC-SHA1-96", + "0x17": "RC4-HMAC", + "0x18": "RC4-HMAC-EXP", + "0xffffffff": "FAIL", + }; + + // Kerberos Result Status Codes + // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 + // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 + var kerberosTktStatusCodes = { + "0x0": "KDC_ERR_NONE", + "0x1": "KDC_ERR_NAME_EXP", + "0x2": "KDC_ERR_SERVICE_EXP", + "0x3": "KDC_ERR_BAD_PVNO", + "0x4": "KDC_ERR_C_OLD_MAST_KVNO", + "0x5": "KDC_ERR_S_OLD_MAST_KVNO", + "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN", + "0x7": "KDC_ERR_S_PRINCIPAL_UNKNOWN", + "0x8": "KDC_ERR_PRINCIPAL_NOT_UNIQUE", + "0x9": "KDC_ERR_NULL_KEY", + "0xA": "KDC_ERR_CANNOT_POSTDATE", + "0xB": "KDC_ERR_NEVER_VALID", + "0xC": 
"KDC_ERR_POLICY", + "0xD": "KDC_ERR_BADOPTION", + "0xE": "KDC_ERR_ETYPE_NOTSUPP", + "0xF": "KDC_ERR_SUMTYPE_NOSUPP", + "0x10": "KDC_ERR_PADATA_TYPE_NOSUPP", + "0x11": "KDC_ERR_TRTYPE_NO_SUPP", + "0x12": "KDC_ERR_CLIENT_REVOKED", + "0x13": "KDC_ERR_SERVICE_REVOKED", + "0x14": "KDC_ERR_TGT_REVOKED", + "0x15": "KDC_ERR_CLIENT_NOTYET", + "0x16": "KDC_ERR_SERVICE_NOTYET", + "0x17": "KDC_ERR_KEY_EXPIRED", + "0x18": "KDC_ERR_PREAUTH_FAILED", + "0x19": "KDC_ERR_PREAUTH_REQUIRED", + "0x1A": "KDC_ERR_SERVER_NOMATCH", + "0x1B": "KDC_ERR_MUST_USE_USER2USER", + "0x1F": "KRB_AP_ERR_BAD_INTEGRITY", + "0x20": "KRB_AP_ERR_TKT_EXPIRED", + "0x21": "KRB_AP_ERR_TKT_NYV", + "0x22": "KRB_AP_ERR_REPEAT", + "0x23": "KRB_AP_ERR_NOT_US", + "0x24": "KRB_AP_ERR_BADMATCH", + "0x25": "KRB_AP_ERR_SKEW", + "0x26": "KRB_AP_ERR_BADADDR", + "0x27": "KRB_AP_ERR_BADVERSION", + "0x28": "KRB_AP_ERR_MSG_TYPE", + "0x29": "KRB_AP_ERR_MODIFIED", + "0x2A": "KRB_AP_ERR_BADORDER", + "0x2C": "KRB_AP_ERR_BADKEYVER", + "0x2D": "KRB_AP_ERR_NOKEY", + "0x2E": "KRB_AP_ERR_MUT_FAIL", + "0x2F": "KRB_AP_ERR_BADDIRECTION", + "0x30": "KRB_AP_ERR_METHOD", + "0x31": "KRB_AP_ERR_BADSEQ", + "0x32": "KRB_AP_ERR_INAPP_CKSUM", + "0x33": "KRB_AP_PATH_NOT_ACCEPTED", + "0x34": "KRB_ERR_RESPONSE_TOO_BIG", + "0x3C": "KRB_ERR_GENERIC", + "0x3D": "KRB_ERR_FIELD_TOOLONG", + "0x3E": "KDC_ERR_CLIENT_NOT_TRUSTED", + "0x3F": "KDC_ERR_KDC_NOT_TRUSTED", + "0x40": "KDC_ERR_INVALID_SIG", + "0x41": "KDC_ERR_KEY_TOO_WEAK", + "0x42": "KRB_AP_ERR_USER_TO_USER_REQUIRED", + "0x43": "KRB_AP_ERR_NO_TGT", + "0x44": "KDC_ERR_WRONG_REALM", + }; + + // event.category, event.type, event.action var eventActionTypes = { - "1100": "logging-service-shutdown", - "1102": "changed-audit-config", - "1104": "logging-full", - "1105": "auditlog-archieved", - "1108": "logging-processing-error", - "4624": "logged-in", - "4625": "logon-failed", - "4634": "logged-out", - "4672": "logged-in-special", - "4688": "created-process", - "4689": "exited-process", - "4719": 
"changed-audit-config", - "4720": "added-user-account", - "4722": "enabled-user-account", - "4723": "changed-password", - "4724": "reset-password", - "4725": "disabled-user-account", - "4726": "deleted-user-account", - "4727": "added-group-account", - "4728": "added-member-to-group", - "4729": "removed-member-from-group", - "4730": "deleted-group-account", - "4731": "added-member-to-group", - "4732": "added-member-to-group", - "4733": "removed-member-from-group", - "4734": "deleted-group-account", - "4735": "modified-group-account", - "4737": "modified-group-account", - "4738": "modified-user-account", - "4740": "locked-out-user-account", - "4741": "added-computer-account", - "4742": "changed-computer-account", - "4743": "deleted-computer-account", - "4744": "added-distribution-group-account", - "4745": "changed-distribution-group-account", - "4746": "added-member-to-distribution-group", - "4747": "removed-member-from-distribution-group", - "4748": "deleted-distribution-group-account", - "4749": "added-distribution-group-account", - "4750": "changed-distribution-group-account", - "4751": "added-member-to-distribution-group", - "4752": "removed-member-from-distribution-group", - "4753": "deleted-distribution-group-account", - "4754": "added-group-account", - "4755": "modified-group-account", - "4756": "added-member-to-group", - "4757": "removed-member-from-group", - "4758": "deleted-group-account", - "4759": "added-distribution-group-account", - "4760": "changed-distribution-group-account", - "4761": "added-member-to-distribution-group", - "4762": "removed-member-from-distribution-group", - "4763": "deleted-distribution-group-account", - "4764": "type-changed-group-account", - "4767": "unlocked-user-account", - "4781": "renamed-user-account", - "4798": "group-membership-enumerated", - "4799": "user-member-enumerated", + "1100": ["process","end","logging-service-shutdown"], + "1102": ["iam", "admin", "audit-log-cleared"], + "1104": ["iam","admin","logging-full"], + 
"1105": ["iam","admin","auditlog-archieved"], + "1108": ["iam","admin","logging-processing-error"], + "4624": ["authentication","start","logged-in"], + "4625": ["authentication","start","logon-failed"], + "4634": ["authentication","end","logged-out"], + "4647": ["authentication","end","logged-out"], + "4648": ["authentication","start","logged-in-explicit"], + "4672": ["iam","admin","logged-in-special"], + "4673": ["iam","admin","privileged-service-called"], + "4674": ["iam","admin","privileged-operation"], + "4688": ["process","start","created-process"], + "4689": ["process", "end", "exited-process"], + "4697": ["iam","admin","service-installed"], + "4698": ["iam","creation","scheduled-task-created"], + "4699": ["iam","deletion","scheduled-task-deleted"], + "4700": ["iam","change","scheduled-task-enabled"], + "4701": ["iam","change","scheduled-task-disabled"], + "4702": ["iam","change","scheduled-task-updated"], + "4719": ["iam","admin","changed-audit-config"], + "4720": ["iam","creation","added-user-account"], + "4722": ["iam","creation","enabled-user-account"], + "4723": ["iam","change","changed-password"], + "4724": ["iam","change","reset-password"], + "4725": ["iam","deletion","disabled-user-account"], + "4726": ["iam","deletion","deleted-user-account"], + "4727": ["iam","creation","added-group-account"], + "4728": ["iam","change","added-member-to-group"], + "4729": ["iam","change","removed-member-from-group"], + "4730": ["iam","deletion","deleted-group-account"], + "4731": ["iam","creation","added-group-account"], + "4732": ["iam","change","added-member-to-group"], + "4733": ["iam","change","removed-member-from-group"], + "4734": ["iam","deletion","deleted-group-account"], + "4735": ["iam","change","modified-group-account"], + "4737": ["iam","change","modified-group-account"], + "4738": ["iam","change","modified-user-account"], + "4740": ["iam","change","locked-out-user-account"], + "4741": ["iam","creation","added-computer-account"], + "4742": 
["iam","change","changed-computer-account"], + "4743": ["iam","deletion","deleted-computer-account"], + "4744": ["iam","creation","added-distribution-group-account"], + "4745": ["iam","change","changed-distribution-group-account"], + "4746": ["iam","change","added-member-to-distribution-group"], + "4747": ["iam","change","removed-member-from-distribution-group"], + "4748": ["iam","deletion","deleted-distribution-group-account"], + "4749": ["iam","creation","added-distribution-group-account"], + "4750": ["iam","change","changed-distribution-group-account"], + "4751": ["iam","change","added-member-to-distribution-group"], + "4752": ["iam","change","removed-member-from-distribution-group"], + "4753": ["iam","deletion","deleted-distribution-group-account"], + "4754": ["iam","creation","added-group-account"], + "4755": ["iam","change","modified-group-account"], + "4756": ["iam","change","added-member-to-group"], + "4757": ["iam","change","removed-member-from-group"], + "4758": ["iam","deletion","deleted-group-account"], + "4759": ["iam","creation","added-distribution-group-account"], + "4760": ["iam","change","changed-distribution-group-account"], + "4761": ["iam","change","added-member-to-distribution-group"], + "4762": ["iam","change","removed-member-from-distribution-group"], + "4763": ["iam","deletion","deleted-distribution-group-account"], + "4764": ["iam","change","type-changed-group-account"], + "4767": ["iam","change","unlocked-user-account"], + "4768": ["authentication","start","kerberos-authentication-ticket-requested"], + "4769": ["authentication","start","kerberos-service-ticket-requested"], + "4770": ["authentication","start","kerberos-service-ticket-renewed"], + "4771": ["authentication","start","kerberos-preauth-failed"], + "4776": ["authentication","start","credential-validated"], + "4778": ["authentication","start","session-reconnected"], + "4779": ["authentication","end","session-disconnected"], + "4781": 
["iam","change","renamed-user-account","dummy"], + "4798": ["iam","info","group-membership-enumerated"], + "4799": ["iam","info","user-member-enumerated","dummy"], + "4964": ["iam","admin","logged-in-special"], }; + + // Audit Policy Changes Table + // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719 var auditActions = { "8448": "Success Removed", "8450": "Failure Removed", 
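Review bot: The 4781 and 4799 rows of eventActionTypes carry a fourth element, "dummy", that no other row has; it reads as leftover debugging and should be dropped so every row is the same [category, type, action] triple: `"4781": ["iam","change","renamed-user-account"],` and `"4799": ["iam","info","user-member-enumerated"],`. The kerberosTktStatusCodes keys mix cases (0xA–0xF, 0x1A, 0x1B, 0x1F, 0x2A, 0x2C–0x2F, 0x3C–0x3F) whereas logonFailureStatus in this same file keys lowercase hex such as 0xc000005e; if Windows renders the 4768/4769/4771 Status and FailureCode fields in lowercase, those entries will never match, so either lowercase the keys or normalize the looked-up value with `toLowerCase()` (the lookup itself is outside this hunk). The reference comments above ticketEncryptionTypes and kerberosTktStatusCodes repeat the event-4768 URL twice; the second link was presumably meant to be event-4769 or event-4771, and the table's single-quote change to uacFlags diverges from the double-quote style used everywhere else in the file.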
@@ -116,68 +259,85 @@ var security = (function () { "8451": "Failure Added", }; + // Services Types + // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697 + var serviceTypes = { + "0x1": "Kernel Driver", + "0x2": "File System Driver", + "0x8": "Recognizer Driver", + "0x10": "Win32 Own Process", + "0x20": "Win32 Share Process", + "0x110": "Interactive Own Process", + "0x120": "Interactive Share Process", + }; + + + // Audit Categories Description + // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d var auditDescription = { - "0CCE9210-69AE-11D9-BED3-505054503030": ["Security State Change", "System"], - "0CCE9211-69AE-11D9-BED3-505054503030": ["Security System Extension", "System"], - "0CCE9212-69AE-11D9-BED3-505054503030": ["System Integrity", "System"], - "0CCE9213-69AE-11D9-BED3-505054503030": ["IPsec Driver", "System"], - "0CCE9214-69AE-11D9-BED3-505054503030": ["Other System Events", "System"], - "0CCE9215-69AE-11D9-BED3-505054503030": ["Logon", "Logon/Logoff"], - "0CCE9216-69AE-11D9-BED3-505054503030": ["Logoff", "Logon/Logoff"], - "0CCE9217-69AE-11D9-BED3-505054503030": ["Account Lockout", "Logon/Logoff"], - "0CCE9218-69AE-11D9-BED3-505054503030": ["IPsec Main Mode", "Logon/Logoff"], - "0CCE9219-69AE-11D9-BED3-505054503030": ["IPsec Quick Mode", "Logon/Logoff"], - "0CCE921A-69AE-11D9-BED3-505054503030": ["IPsec Extended Mode", "Logon/Logoff"], - "0CCE921B-69AE-11D9-BED3-505054503030": ["Special Logon", "Logon/Logoff"], - "0CCE921C-69AE-11D9-BED3-505054503030": ["Other Logon/Logoff Events", "Logon/Logoff"], - "0CCE9243-69AE-11D9-BED3-505054503030": ["Network Policy Server", "Logon/Logoff"], - "0CCE9247-69AE-11D9-BED3-505054503030": ["User / Device Claims", "Logon/Logoff"], - "0CCE921D-69AE-11D9-BED3-505054503030": ["File System", "Object Access"], - "0CCE921E-69AE-11D9-BED3-505054503030": ["Registry", "Object Access"], - "0CCE921F-69AE-11D9-BED3-505054503030": 
["Kernel Object", "Object Access"], - "0CCE9220-69AE-11D9-BED3-505054503030": ["SAM", "Object Access"], - "0CCE9221-69AE-11D9-BED3-505054503030": ["Certification Services", "Object Access"], - "0CCE9222-69AE-11D9-BED3-505054503030": ["Application Generated", "Object Access"], - "0CCE9223-69AE-11D9-BED3-505054503030": ["Handle Manipulation", "Object Access"], - "0CCE9224-69AE-11D9-BED3-505054503030": ["File Share", "Object Access"], - "0CCE9225-69AE-11D9-BED3-505054503030": ["Filtering Platform Packet Drop", "Object Access"], - "0CCE9226-69AE-11D9-BED3-505054503030": ["Filtering Platform Connection ", "Object Access"], - "0CCE9227-69AE-11D9-BED3-505054503030": ["Other Object Access Events", "Object Access"], - "0CCE9244-69AE-11D9-BED3-505054503030": ["Detailed File Share", "Object Access"], - "0CCE9245-69AE-11D9-BED3-505054503030": ["Removable Storage", "Object Access"], - "0CCE9246-69AE-11D9-BED3-505054503030": ["Central Policy Staging", "Object Access"], - "0CCE9228-69AE-11D9-BED3-505054503030": ["Sensitive Privilege Use", "Privilege Use"], - "0CCE9229-69AE-11D9-BED3-505054503030": ["Non Sensitive Privilege Use", "Privilege Use"], - "0CCE922A-69AE-11D9-BED3-505054503030": ["Other Privilege Use Events", "Privilege Use"], - "0CCE922B-69AE-11D9-BED3-505054503030": ["Process Creation", "Detailed Tracking"], - "0CCE922C-69AE-11D9-BED3-505054503030": ["Process Termination", "Detailed Tracking"], - "0CCE922D-69AE-11D9-BED3-505054503030": ["DPAPI Activity", "Detailed Tracking"], - "0CCE922E-69AE-11D9-BED3-505054503030": ["RPC Events", "Detailed Tracking"], - "0CCE9248-69AE-11D9-BED3-505054503030": ["Plug and Play Events", "Detailed Tracking"], - "0CCE922F-69AE-11D9-BED3-505054503030": ["Audit Policy Change", "Policy Change"], - "0CCE9230-69AE-11D9-BED3-505054503030": ["Authentication Policy Change", "Policy Change"], - "0CCE9231-69AE-11D9-BED3-505054503030": ["Authorization Policy Change", "Policy Change"], - "0CCE9232-69AE-11D9-BED3-505054503030": ["MPSSVC Rule-Level 
Policy Change", "Policy Change"], - "0CCE9233-69AE-11D9-BED3-505054503030": ["Filtering Platform Policy Change", "Policy Change"], - "0CCE9234-69AE-11D9-BED3-505054503030": ["Other Policy Change Events", "Policy Change"], - "0CCE9235-69AE-11D9-BED3-505054503030": ["User Account Management", "Account Management"], - "0CCE9236-69AE-11D9-BED3-505054503030": ["Computer Account Management", "Account Management"], - "0CCE9237-69AE-11D9-BED3-505054503030": ["Security Group Management", "Account Management"], - "0CCE9238-69AE-11D9-BED3-505054503030": ["Distribution Group Management", "Account Management"], - "0CCE9239-69AE-11D9-BED3-505054503030": ["Application Group Management", "Account Management"], - "0CCE923A-69AE-11D9-BED3-505054503030": ["Other Account Management Events", "Account Management"], - "0CCE923B-69AE-11D9-BED3-505054503030": ["Directory Service Access", "Account Management"], - "0CCE923C-69AE-11D9-BED3-505054503030": ["Directory Service Changes", "Account Management"], - "0CCE923D-69AE-11D9-BED3-505054503030": ["Directory Service Replication", "Account Management"], - "0CCE923E-69AE-11D9-BED3-505054503030": ["Detailed Directory Service Replication", "Account Management"], - "0CCE923F-69AE-11D9-BED3-505054503030": ["Credential Validation", "Account Logon"], - "0CCE9240-69AE-11D9-BED3-505054503030": ["Kerberos Service Ticket Operations", "Account Logon"], - "0CCE9241-69AE-11D9-BED3-505054503030": ["Other Account Logon Events", "Account Logon"], - "0CCE9242-69AE-11D9-BED3-505054503030": ["Kerberos Authentication Service", "Account Logon"], + "0CCE9210-69AE-11D9-BED3-505054503030":["Security State Change", "System"], + "0CCE9211-69AE-11D9-BED3-505054503030":["Security System Extension", "System"], + "0CCE9212-69AE-11D9-BED3-505054503030":["System Integrity", "System"], + "0CCE9213-69AE-11D9-BED3-505054503030":["IPsec Driver", "System"], + "0CCE9214-69AE-11D9-BED3-505054503030":["Other System Events", "System"], + 
"0CCE9215-69AE-11D9-BED3-505054503030":["Logon", "Logon/Logoff"], + "0CCE9216-69AE-11D9-BED3-505054503030":["Logoff","Logon/Logoff"], + "0CCE9217-69AE-11D9-BED3-505054503030":["Account Lockout","Logon/Logoff"], + "0CCE9218-69AE-11D9-BED3-505054503030":["IPsec Main Mode","Logon/Logoff"], + "0CCE9219-69AE-11D9-BED3-505054503030":["IPsec Quick Mode","Logon/Logoff"], + "0CCE921A-69AE-11D9-BED3-505054503030":["IPsec Extended Mode","Logon/Logoff"], + "0CCE921B-69AE-11D9-BED3-505054503030":["Special Logon","Logon/Logoff"], + "0CCE921C-69AE-11D9-BED3-505054503030":["Other Logon/Logoff Events","Logon/Logoff"], + "0CCE9243-69AE-11D9-BED3-505054503030":["Network Policy Server","Logon/Logoff"], + "0CCE9247-69AE-11D9-BED3-505054503030":["User / Device Claims","Logon/Logoff"], + "0CCE921D-69AE-11D9-BED3-505054503030":["File System","Object Access"], + "0CCE921E-69AE-11D9-BED3-505054503030":["Registry","Object Access"], + "0CCE921F-69AE-11D9-BED3-505054503030":["Kernel Object","Object Access"], + "0CCE9220-69AE-11D9-BED3-505054503030":["SAM","Object Access"], + "0CCE9221-69AE-11D9-BED3-505054503030":["Certification Services","Object Access"], + "0CCE9222-69AE-11D9-BED3-505054503030":["Application Generated","Object Access"], + "0CCE9223-69AE-11D9-BED3-505054503030":["Handle Manipulation","Object Access"], + "0CCE9224-69AE-11D9-BED3-505054503030":["File Share","Object Access"], + "0CCE9225-69AE-11D9-BED3-505054503030":["Filtering Platform Packet Drop","Object Access"], + "0CCE9226-69AE-11D9-BED3-505054503030":["Filtering Platform Connection ","Object Access"], + "0CCE9227-69AE-11D9-BED3-505054503030":["Other Object Access Events","Object Access"], + "0CCE9244-69AE-11D9-BED3-505054503030":["Detailed File Share","Object Access"], + "0CCE9245-69AE-11D9-BED3-505054503030":["Removable Storage","Object Access"], + "0CCE9246-69AE-11D9-BED3-505054503030":["Central Policy Staging","Object Access"], + "0CCE9228-69AE-11D9-BED3-505054503030":["Sensitive Privilege Use","Privilege Use"], + 
"0CCE9229-69AE-11D9-BED3-505054503030":["Non Sensitive Privilege Use","Privilege Use"], + "0CCE922A-69AE-11D9-BED3-505054503030":["Other Privilege Use Events","Privilege Use"], + "0CCE922B-69AE-11D9-BED3-505054503030":["Process Creation","Detailed Tracking"], + "0CCE922C-69AE-11D9-BED3-505054503030":["Process Termination","Detailed Tracking"], + "0CCE922D-69AE-11D9-BED3-505054503030":["DPAPI Activity","Detailed Tracking"], + "0CCE922E-69AE-11D9-BED3-505054503030":["RPC Events","Detailed Tracking"], + "0CCE9248-69AE-11D9-BED3-505054503030":["Plug and Play Events","Detailed Tracking"], + "0CCE922F-69AE-11D9-BED3-505054503030":["Audit Policy Change","Policy Change"], + "0CCE9230-69AE-11D9-BED3-505054503030":["Authentication Policy Change","Policy Change"], + "0CCE9231-69AE-11D9-BED3-505054503030":["Authorization Policy Change","Policy Change"], + "0CCE9232-69AE-11D9-BED3-505054503030":["MPSSVC Rule-Level Policy Change","Policy Change"], + "0CCE9233-69AE-11D9-BED3-505054503030":["Filtering Platform Policy Change","Policy Change"], + "0CCE9234-69AE-11D9-BED3-505054503030":["Other Policy Change Events","Policy Change"], + "0CCE9235-69AE-11D9-BED3-505054503030":["User Account Management","Account Management"], + "0CCE9236-69AE-11D9-BED3-505054503030":["Computer Account Management","Account Management"], + "0CCE9237-69AE-11D9-BED3-505054503030":["Security Group Management","Account Management"], + "0CCE9238-69AE-11D9-BED3-505054503030":["Distribution Group Management","Account Management"], + "0CCE9239-69AE-11D9-BED3-505054503030":["Application Group Management","Account Management"], + "0CCE923A-69AE-11D9-BED3-505054503030":["Other Account Management Events","Account Management"], + "0CCE923B-69AE-11D9-BED3-505054503030":["Directory Service Access","Account Management"], + "0CCE923C-69AE-11D9-BED3-505054503030":["Directory Service Changes","Account Management"], + "0CCE923D-69AE-11D9-BED3-505054503030":["Directory Service Replication","Account Management"], + 
"0CCE923E-69AE-11D9-BED3-505054503030":["Detailed Directory Service Replication","Account Management"], + "0CCE923F-69AE-11D9-BED3-505054503030":["Credential Validation","Account Logon"], + "0CCE9240-69AE-11D9-BED3-505054503030":["Kerberos Service Ticket Operations","Account Logon"], + "0CCE9241-69AE-11D9-BED3-505054503030":["Other Account Logon Events","Account Logon"], + "0CCE9242-69AE-11D9-BED3-505054503030":["Kerberos Authentication Service","Account Logon"], }; + // Descriptions of failure status codes. // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 + // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 var logonFailureStatus = { "0xc000005e": "There are currently no logon servers available to service the logon request.", "0xc0000064": "User logon with misspelled or bad user account", @@ -199,6 +359,7 @@ var security = (function () { "0xc0000234": "User logon with account locked", "0xc00002ee": "Failure Reason: An Error occurred during Logon", "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.", + "0xc0000371": "The local account store does not contain secret material for the specified account", "0x0": "Status OK.", }; 
@@ -1187,17 +1348,31 @@ var security = (function () {
 return msobjsMessageTable[code];
 };
 
- var addActionDesc = function(evt){
+ var addEventFields = function(evt){
 var code = evt.Get("event.code");
 if (!code) {
 return;
 }
- var eventActionDescription = eventActionTypes[code];
+ var eventActionDescription = eventActionTypes[code][2];
 if (eventActionDescription) {
- evt.Put("event.action", eventActionDescription);
+ evt.AppendTo("event.category", eventActionTypes[code][0]);
+ evt.AppendTo("event.type", eventActionTypes[code][1]);
+ evt.Put("event.action", eventActionTypes[code][2]);
 }
 };
 
+ var addEventOutcome = function(evt) {
+ var auditResult = evt.Get("winlog.keywords");
+ if (!auditResult) {
+ return;
+ }
+ var eventOutcome = eventOutcomes[auditResult];
+ if (eventOutcome === undefined) {
+ return;
+ }
+ evt.Put("event.outcome", eventOutcome);
+ };
+
 var addLogonType = function(evt) {
 var code = evt.Get("winlog.event_data.LogonType");
 if (!code) {
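Review bot: `var eventActionDescription = eventActionTypes[code][2];` indexes the table row before checking that it exists, so an event code with no `eventActionTypes` entry now throws a TypeError inside the processor instead of leaving `event.action` unset as the old `addActionDesc` did; this surfaces as soon as the dispatch table and the description table drift apart. Look the row up once and guard it: `var eventActionType = eventActionTypes[code]; if (!eventActionType) { return; }` and then read `eventActionType[0]`, `[1]` and `[2]` from that local. In `addEventOutcome`, `eventOutcomes[auditResult]` uses `winlog.keywords` directly as an object key; if that field is an array (as the plural name suggests — confirm against the winlogbeat event schema), the lookup only succeeds when it holds exactly one keyword and `event.outcome` is silently skipped otherwise, so iterating the array and matching the first known audit keyword would be more robust.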
@@ -1242,38 +1417,30 @@ var security = (function () {
 evt.Put("winlog.logon.failure.sub_status", descriptiveFailureStatus);
 };
 
- var addUACDescription = function (evt) {
+ var addUACDescription = function(evt) {
 var code = evt.Get("winlog.event_data.NewUacValue");
 if (!code) {
 return;
 }
 var uacCode = parseInt(code);
- if (isNaN(uacCode)) {
- return;
- }
 var uacResult = [];
 for (var i = 0; i < uacFlags.length; i++) {
 if ((uacCode | uacFlags[i][0]) === uacCode) {
 uacResult.push(uacFlags[i][1]);
 }
 }
- if (uacResult.length > 0) {
- evt.Put("winlog.event_data.NewUacList", uacResult);
+ if (uacResult) {
+ evt.Put("winlog.event_data.NewUACList", uacResult);
 }
-
- // Parse list of values like "%%2080 %%2082 %%2084".
- var uacList = evt.Get("winlog.event_data.UserAccountControl");
+ var uacList = evt.Get("winlog.event_data.UserAccountControl").replace(/\s/g, '').split("%%").filter(String);
 if (!uacList) {
 return;
 }
- uacList = uacList.replace(/\s/g, "").split("%%").filter(String);
- if (uacList.length > 0) {
- evt.Put("winlog.event_data.UserAccountControl", uacList);
- }
- };
+ evt.Put("winlog.event_data.UserAccountControl", uacList);
+ };
 
- var addAuditInfo = function (evt) {
- var subcategoryGuid = evt.Get("winlog.event_data.SubcategoryGuid").replace("{", "").replace("}", "").toUpperCase();
+ var addAuditInfo = function(evt) {
+ var subcategoryGuid = evt.Get("winlog.event_data.SubcategoryGuid").replace("{", '').replace("}", '').toUpperCase();
 if (!subcategoryGuid) {
 return;
 }
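Review bot: The rewrite of `addUACDescription` drops two guards the old code had and adds a crash path. Without the `isNaN(uacCode)` check a non-numeric `NewUacValue` reaches the flag loop, and because an empty array is truthy `if (uacResult)` is always true, so an empty `NewUACList` is written for every event; `evt.Get("winlog.event_data.UserAccountControl").replace(...)` also throws when that field is absent, where the old code null-checked before parsing. Renaming `NewUacList` to `NewUACList` is a breaking change for saved searches and dashboards that should at least be called out in the changelog. `addAuditInfo` starts at the end of this hunk and continues past it; its `.replace(` on a possibly missing `SubcategoryGuid` is pre-existing but has the same shape.
```javascript
var uacCode = parseInt(code);
if (isNaN(uacCode)) {
    return;
}
// … unchanged: uacFlags loop filling uacResult …
if (uacResult.length > 0) {
    evt.Put("winlog.event_data.NewUACList", uacResult);
}
// Parse list of values like "%%2080 %%2082 %%2084".
var uacList = evt.Get("winlog.event_data.UserAccountControl");
if (!uacList) {
    return;
}
uacList = uacList.replace(/\s/g, '').split("%%").filter(String);
if (uacList.length > 0) {
    evt.Put("winlog.event_data.UserAccountControl", uacList);
}
```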
@@ -1282,15 +1449,83 @@ var security = (function () { } evt.Put("winlog.event_data.Category", auditDescription[subcategoryGuid][1]); evt.Put("winlog.event_data.SubCategory", auditDescription[subcategoryGuid][0]); - var coded_actions = evt.Get("winlog.event_data.AuditPolicyChanges").split(","); - var action_results = []; - for (var j = 0; j < coded_actions.length; j++) { - var action_code = coded_actions[j].replace("%%", "").replace(" ", ""); - action_results.push(auditActions[action_code]); + var codedActions = evt.Get("winlog.event_data.AuditPolicyChanges").split(","); + var actionResults = []; + for (var j = 0; j < codedActions.length; j++) { + var actionCode = codedActions[j].replace("%%", '').replace(' ', ''); + actionResults.push(auditActions[actionCode]); } - evt.Put("winlog.event_data.AuditPolicyChangesDescription", action_results); + evt.Put("winlog.event_data.AuditPolicyChangesDescription", actionResults); }; + var addTicketOptionsDescription = function(evt) { + var code = evt.Get("winlog.event_data.TicketOptions"); + if (!code) { + return; + } + var tktCode = parseInt(code, 16).toString(2); + var tktResult = []; + var tktCodeLen = tktCode.length; + for (var i = tktCodeLen; i >= 0; i--) { + if (tktCode[i] == 1) { + tktResult.push(ticketOptions[(32-tktCodeLen)+i]); + } + } + if (tktResult) { + evt.Put("winlog.event_data.TicketOptionsDescription", tktResult); + } + }; + + var addTicketEncryptionType = function(evt) { + var code = evt.Get("winlog.event_data.TicketEncryptionType"); + if (!code) { + return; + } + var encTypeCode = code.toLowerCase(); + evt.Put("winlog.event_data.TicketEncryptionTypeDescription", ticketEncryptionTypes[encTypeCode]); + }; + + var addTicketStatus = function(evt) { + var code = evt.Get("winlog.event_data.Status"); + if (!code) { + return; + } + evt.Put("winlog.event_data.StatusDescription", kerberosTktStatusCodes[code]); + }; + + var addSessionData = new processor.Chain() + .Convert({ + fields: [ + {from: 
"winlog.event_data.AccountName", to: "user.name"}, + {from: "winlog.event_data.AccountDomain", to: "user.domain"}, + {from: "winlog.event_data.ClientAddress", to: "source.ip"}, + {from: "winlog.event_data.ClientName", to: "source.domain"}, + {from: "winlog.event_data.LogonID", to: "winlog.logon.id"}, + ], + ignore_missing: true, + }) + .Add(function(evt) { + var user = evt.Get("winlog.event_data.AccountName"); + evt.AppendTo('related.user', user); + }) + .Build(); + + var addServiceFields = new processor.Chain() + .Convert({ + fields: [ + {from: "winlog.event_data.ServiceName", to: "service.name"}, + ], + ignore_missing: true, + }) + .Add(function(evt) { + var code = evt.Get("winlog.event_data.ServiceType"); + if (!code) { + return; + } + evt.Put("service.type", serviceTypes[code]); + }) + .Build(); + var copyTargetUser = new processor.Chain() .Convert({ fields: [ @@ -1300,9 +1535,13 @@ var security = (function () { ], ignore_missing: true, }) - .Add(function (evt) { + .Add(function(evt) { var user = evt.Get("winlog.event_data.TargetUserName"); - evt.AppendTo("related.user", user); + if (/.@*/.test(user)) { + user = user.split('@')[0]; + evt.Put('user.name', user); + } + evt.AppendTo('related.user', user); }) .Build(); @@ -1348,7 +1587,7 @@ var security = (function () { }) .Add(function(evt) { var user = evt.Get("winlog.event_data.SubjectUserName"); - evt.AppendTo("related.user", user); + evt.AppendTo('related.user', user); }) .Build(); @@ -1361,9 +1600,9 @@ var security = (function () { ], ignore_missing: true, }) - .Add(function (evt) { + .Add(function(evt) { var user = evt.Get("winlog.user_data.SubjectUserName"); - evt.AppendTo("related.user", user); + evt.AppendTo('related.user', user); }) .Build(); @@ -1398,7 +1637,7 @@ var security = (function () { ignore_missing: true, fail_on_error: false, }) - .Add(function (evt) { + .Add(function(evt) { var name = evt.Get("process.name"); if (name) { return; 
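Review bot: `addSessionData` copies `winlog.event_data.ClientAddress` straight into `source.ip` with no validation; the 4778/4779 session events this chain serves can carry a non-IP value such as `LOCAL` for console sessions (confirm against a sample 4778), and a non-address string in an ECS `ip` field fails indexing and loses the whole document — a blind spot on exactly the RDP reconnects this change is meant to cover. Validate in the trailing `.Add(function(evt) {...})`: `var ip = evt.Get("source.ip"); if (ip && !/^[0-9a-f.:]+$/i.test(ip)) { evt.Delete("source.ip"); }`. In `addTicketOptionsDescription` the loop `for (var i = tktCodeLen; i >= 0; i--)` starts one past the last bit (harmless only because `tktCode[tktCodeLen]` is undefined) and `if (tktResult)` is always true for an array; `i = tktCodeLen - 1` and `tktResult.length > 0` say what is meant. `addAuditInfo`'s body at the top of this hunk begins outside it.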
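Review bot: In `copyTargetUser`, `/.@*/.test(user)` is not a UPN check: it matches any single character followed by zero or more `@`, i.e. every non-empty string, so the `split('@')[0]` branch runs for every event and the condition documents nothing. It also coerces an undefined `user` to the string `"undefined"` and then calls `undefined.split`, which throws whenever `TargetUserName` is absent — the old step only did an `AppendTo`. Write the intent directly: `if (user && user.indexOf('@') !== -1) {`. The chain's Convert step starts outside this hunk.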
@@ -1411,24 +1650,6 @@ var security = (function () { }) .Build(); - var addAuthSuccess = new processor.AddFields({ - fields: { - "event.category": "authentication", - "event.type": "authentication_success", - "event.outcome": "success", - }, - target: "", - }); - - var addAuthFailed = new processor.AddFields({ - fields: { - "event.category": "authentication", - "event.type": "authentication_failure", - "event.outcome": "failure", - }, - target: "", - }); - var renameNewProcessFields = new processor.Chain() .Convert({ fields: [ @@ -1440,7 +1661,7 @@ var security = (function () { ignore_missing: true, fail_on_error: false, }) - .Add(function (evt) { + .Add(function(evt) { var name = evt.Get("process.name"); if (name) { return; @@ -1451,7 +1672,7 @@ var security = (function () { } evt.Put("process.name", path.basename(exe)); }) - .Add(function (evt) { + .Add(function(evt) { var name = evt.Get("process.parent.name"); if (name) { return; @@ -1462,7 +1683,7 @@ var security = (function () { } evt.Put("process.parent.name", path.basename(exe)); }) - .Add(function (evt) { + .Add(function(evt) { var cl = evt.Get("winlog.event_data.CommandLine"); if (!cl) { return; 
@@ -1477,65 +1698,105 @@ var security = (function () { .Add(copyTargetUser) .Add(copyTargetUserLogonId) .Add(addLogonType) - .Add(addActionDesc) + .Add(addEventFields) + .Add(addEventOutcome) .Build(); - // Handles both 4624 and 4648. + // Handles both 4624 var logonSuccess = new processor.Chain() - .Add(addAuthSuccess) .Add(copyTargetUser) .Add(copyTargetUserLogonId) .Add(addLogonType) .Add(renameCommonAuthFields) - .Add(addActionDesc) + .Add(addEventFields) + .Add(addEventOutcome) + .Add(function(evt) { + var user = evt.Get("winlog.event_data.SubjectUserName"); + if (user) { + var res = /^-$/.test(user); + if (!res) { + evt.AppendTo('related.user', user); + } + } + }) + .Build(); + + // Handles both 4648 + var event4648 = new processor.Chain() + .Add(copyTargetUser) + .Add(copySubjectUserLogonId) + .Add(renameCommonAuthFields) + .Add(addEventFields) + .Add(addEventOutcome) + .Add(function(evt) { + var user = evt.Get("winlog.event_data.SubjectUserName"); + if (user) { + var res = /^-$/.test(user); + if (!res) { + evt.AppendTo('related.user', user); + } + } + }) .Build(); var event4625 = new processor.Chain() - .Add(addAuthFailed) .Add(copyTargetUser) - .Add(copyTargetUserLogonId) + .Add(copySubjectUserLogonId) .Add(addLogonType) .Add(addFailureCode) .Add(addFailureStatus) .Add(addFailureSubStatus) .Add(renameCommonAuthFields) - .Add(addActionDesc) + .Add(addEventFields) + .Add(addEventOutcome) .Build(); var event4672 = new processor.Chain() .Add(copySubjectUser) .Add(copySubjectUserLogonId) - .Add(function (evt) { + .Add(function(evt) { var privs = evt.Get("winlog.event_data.PrivilegeList"); if (!privs) { return; } evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); }) - .Add(addActionDesc) + .Add(addEventFields) + .Add(addEventOutcome) .Build(); var event4688 = new processor.Chain() .Add(copySubjectUser) + .Add(copySubjectUserLogonId) .Add(renameNewProcessFields) - .Add(addActionDesc) - .Add(function (evt) { - evt.Put("event.category", "process"); - 
evt.Put("event.type", "process_start"); - }) - .Add(function (evt) { + .Add(addEventFields) + .Add(addEventOutcome) + .Add(function(evt) { var user = evt.Get("winlog.event_data.TargetUserName"); - evt.AppendTo("related.user", user); + var res = /^-$/.test(user); + if (!res) { + evt.AppendTo('related.user', user); + } }) .Build(); var event4689 = new processor.Chain() .Add(copySubjectUser) + .Add(copySubjectUserLogonId) + .Add(renameCommonAuthFields) + .Add(addEventFields) + .Add(addEventOutcome) + .Build(); + + var event4697 = new processor.Chain() + .Add(copySubjectUser) + .Add(copySubjectUserLogonId) .Add(renameCommonAuthFields) - .Add(addActionDesc) - .Add(function (evt) { - evt.Put("event.category", "process"); - evt.Put("event.type", "process_end"); + .Add(addServiceFields) + .Add(addEventFields) + .Add(addEventOutcome) + .Add(function(evt) { + evt.AppendTo("event.type", "change"); }) .Build(); 
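Review bot: The comments `// Handles both 4624` and `// Handles both 4648` are leftovers from the old shared chain and now read as broken sentences; since each chain handles one id, `// 4624 - An account was successfully logged on.` and `// 4648 - A logon was attempted using explicit credentials.` (matching the dispatch-table wording) would say it. The `SubjectUserName` "-" filter is copy-pasted into `logonSuccess`, `event4648` and `event4688`, and the 4688 copy differs in that it reads `TargetUserName` and skips the `if (user)` guard, so the three will drift; a small `appendRelatedUser(evt, field)` helper that rejects both a falsy value and `-` would replace all three bodies. The chain at the top of this hunk begins outside it.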
@@ -1544,22 +1805,26 @@ var security = (function () { .Add(copySubjectUserLogonId) .Add(renameCommonAuthFields) .Add(addUACDescription) - .Add(addActionDesc) - .Add(function (evt) { + .Add(addEventFields) + .Add(addEventOutcome) + .Add(function(evt) { var user = evt.Get("winlog.event_data.TargetUserName"); - evt.AppendTo("related.user", user); + evt.AppendTo('related.user', user); + evt.AppendTo("event.type", "user"); }) .Build(); var userRenamed = new processor.Chain() .Add(copySubjectUser) .Add(copySubjectUserLogonId) - .Add(addActionDesc) - .Add(function (evt) { - var user_new = evt.Get("winlog.event_data.NewTargetUserName"); - evt.AppendTo("related.user", user_new); - var user_old = evt.Get("winlog.event_data.OldTargetUserName"); - evt.AppendTo("related.user", user_old); + .Add(addEventFields) + .Add(addEventOutcome) + .Add(function(evt) { + var userNew = evt.Get("winlog.event_data.NewTargetUserName"); + evt.AppendTo('related.user', userNew); + var userOld = evt.Get("winlog.event_data.OldTargetUserName"); + evt.AppendTo('related.user', userOld); + evt.AppendTo("event.type", "user"); }) .Build(); @@ -1568,14 +1833,28 @@ var security = (function () { .Add(copySubjectUserLogonId) .Add(copyTargetUserToGroup) .Add(renameCommonAuthFields) - .Add(addActionDesc) + .Add(addEventFields) + .Add(addEventOutcome) + .Add(function(evt) { + evt.AppendTo("event.type", "group"); + var member = evt.Get("winlog.event_data.MemberName"); + if (!member) { + return; + } + evt.AppendTo("related.user", member.split(',')[0].replace('CN=', '').replace('cn=', '')); + }) + .Build(); var auditLogCleared = new processor.Chain() .Add(copySubjectUserFromUserData) .Add(copySubjectUserLogonIdFromUserData) .Add(renameCommonAuthFields) - .Add(addActionDesc) + .Add(addEventFields) + .Add(addEventOutcome) + .Add(function(evt) { + evt.AppendTo("event.type", "change"); + }) .Build(); var auditChanged = new processor.Chain() 
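Review bot: `member.split(',')[0].replace('CN=', '').replace('cn=', '')` in the new `groupMgmtEvts` step assumes the first RDN of `MemberName` never contains a comma, but LDAP DNs escape commas inside values (`CN=Doe\, John,OU=...`), so such members land in `related.user` as `Doe\`; and if `MemberName` is the `-` placeholder the other chains already filter for `SubjectUserName`, the dash itself is appended. Parsing the leading `CN=` RDN with an escape-aware pattern and unescaping it fixes both, while a value that is not a DN is kept as-is so current behaviour for plain names is unchanged. The `groupMgmtEvts` chain's opening `.Add` lines start outside this hunk.
```javascript
.Add(function(evt) {
    evt.AppendTo("event.type", "group");
    var member = evt.Get("winlog.event_data.MemberName");
    if (!member || member === "-") {
        return;
    }
    // Leading CN RDN; the "\\." alternative keeps LDAP escapes such as "\," inside the value.
    var rdn = /^cn=((?:\\.|[^,\\])*)/i.exec(member);
    evt.AppendTo("related.user", rdn ? rdn[1].replace(/\\(.)/g, '$1') : member);
})
```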
@@ -1583,12 +1862,17 @@ var security = (function () {
 .Add(copySubjectUserLogonId)
 .Add(renameCommonAuthFields)
 .Add(addAuditInfo)
- .Add(addActionDesc)
+ .Add(addEventFields)
+ .Add(addEventOutcome)
+ .Add(function(evt) {
+ evt.AppendTo("event.type", "change");
+ })
 .Build();
 
 var auditLogMgmt = new processor.Chain()
 .Add(renameCommonAuthFields)
- .Add(addActionDesc)
+ .Add(addEventFields)
+ .Add(addEventOutcome)
 .Build();
 
 var computerMgmtEvts = new processor.Chain()
@@ -1596,14 +1880,97 @@ var security = (function () { .Add(copySubjectUserLogonId) .Add(copyTargetUserToComputerObject) .Add(renameCommonAuthFields) - .Add(addActionDesc) .Add(addUACDescription) - .Add(function (evt) { + .Add(addEventFields) + .Add(addEventOutcome) + .Add(function(evt) { var privs = evt.Get("winlog.event_data.PrivilegeList"); if (!privs) { return; } evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); + evt.AppendTo("event.type", "admin"); + }) + .Build(); + + var sessionEvts = new processor.Chain() + .Add(addSessionData) + .Add(addEventFields) + .Add(addEventOutcome) + .Build(); + + var event4964 = new processor.Chain() + .Add(copyTargetUser) + .Add(copyTargetUserLogonId) + .Add(addEventFields) + .Add(addEventOutcome) + .Add(function(evt) { + evt.AppendTo("event.type", "group"); + }) + .Build(); + + var kerberosTktEvts = new processor.Chain() + .Add(copyTargetUser) + .Add(renameCommonAuthFields) + .Add(addTicketOptionsDescription) + .Add(addTicketEncryptionType) + .Add(addTicketStatus) + .Add(addEventFields) + .Add(addEventOutcome) + .Add(function(evt) { + var ip = evt.Get("source.ip"); + if (/::ffff:/.test(ip)) { + evt.Put("source.ip", ip.replace("::ffff:", "")); + } + }) + .Build(); + + var event4776 = new processor.Chain() + .Add(copyTargetUser) + .Add(addFailureStatus) + .Add(addEventFields) + .Add(addEventOutcome) + .Build(); + + var scheduledTask = new processor.Chain() + .Add(copySubjectUser) + .Add(copySubjectUserLogonId) + .Add(addEventFields) + .Add(addEventOutcome) + .Add(function(evt) { + evt.AppendTo("event.type", "admin"); + }) + .Build(); + + var sensitivePrivilege = new processor.Chain() + .Add(copySubjectUser) + .Add(copySubjectUserLogonId) + .Add(renameCommonAuthFields) + .Add(addEventFields) + .Add(addEventOutcome) + .Add(function(evt) { + var privs = evt.Get("winlog.event_data.PrivilegeList"); + if (!privs) { + return; + } + evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); + }) + .Add(function(evt){ + 
var maskCodes = evt.Get("winlog.event_data.AccessMask"); + if (!maskCodes) { + return; + } + var maskList = maskCodes.replace(/\s+/g, '').split("%%").filter(String); + evt.Put("winlog.event_data.AccessMask", maskList); + var maskResults = []; + for (var j = 0; j < maskList.length; j++) { + var description = msobjsMessageTable[maskList[j]]; + if (description === undefined) { + return; + } + maskResults.push(description); + } + evt.Put("winlog.event_data.AccessMaskDescription", maskResults); }) .Build(); @@ -1637,17 +2004,41 @@ var security = (function () { 4647: logoff.Run, // 4648 - A logon was attempted using explicit credentials. - 4648: logonSuccess.Run, + 4648: event4648.Run, // 4672 - Special privileges assigned to new logon. 4672: event4672.Run, + // 4673 - A privileged service was called. + 4673: sensitivePrivilege.Run, + + // 4674 - An operation was attempted on a privileged object. + 4674: sensitivePrivilege.Run, + // 4688 - A new process has been created. 4688: event4688.Run, // 4689 - A process has exited. 4689: event4689.Run, + // 4697 - A service was installed in the system. + 4697: event4697.Run, + + // 4698 - A scheduled task was created. + 4698: scheduledTask.Run, + + // 4699 - A scheduled task was deleted. + 4699: scheduledTask.Run, + + // 4700 - A scheduled task was enabled. + 4700: scheduledTask.Run, + + // 4701 - A scheduled task was disabled. + 4701: scheduledTask.Run, + + // 4702 - A scheduled task was updated. + 4702: scheduledTask.Run, + // 4719 - System audit policy was changed. 4719: auditChanged.Run, 
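Review bot: In the `sensitivePrivilege` access-mask step, `if (description === undefined) { return; }` inside the `for` loop aborts the whole function on the first code missing from `msobjsMessageTable`, so one unknown flag discards the descriptions of every other flag and leaves `AccessMaskDescription` absent — and because `evt.Put("winlog.event_data.AccessMask", maskList)` has already run, the event is left half-transformed. Keep the raw code instead and always write the list: `maskResults.push(description === undefined ? maskList[j] : description);` in place of the early return. For a 4674 on a privileged object the access mask is the field an analyst reads first, so a lossy default here hurts triage. The `sensitivePrivilege` chain and the hunk it belongs to begin on the previous line.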
@@ -1780,6 +2171,27 @@ var security = (function () { // 4767 - A user account was unlocked. 4767: userMgmtEvts.Run, + // 4768 - A Kerberos authentication ticket TGT was requested. + 4768: kerberosTktEvts.Run, + + // 4769 - A Kerberos service ticket was requested. + 4769: kerberosTktEvts.Run, + + // 4770 - A Kerberos service ticket was renewed. + 4770: kerberosTktEvts.Run, + + // 4771 - Kerberos pre-authentication failed. + 4771: kerberosTktEvts.Run, + + // 4776 - The computer attempted to validate the credentials for an account. + 4776: event4776.Run, + + // 4778 - A session was reconnected to a Window Station. + 4778: sessionEvts.Run, + + // 4779 - A session was disconnected from a Window Station. + 4779: sessionEvts.Run, + // 4781 - The name of an account was changed. 4781: userRenamed.Run, @@ -1789,7 +2201,10 @@ var security = (function () { // 4799 - A security-enabled local group membership was enumerated. 4799: groupMgmtEvts.Run, - process: function (evt) { + // 4964 - Special groups have been assigned to a new logon. + 4964: event4964.Run, + + process: function(evt) { var eventId = evt.Get("winlog.event_id"); var processor = this[eventId]; if (processor === undefined) { diff --git a/x-pack/winlogbeat/module/security/test/testdata/1100.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/1100.evtx.golden.json index e981d6042ea..6a2e7aa85ea 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/1100.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/1100.evtx.golden.json @@ -3,10 +3,13 @@ "@timestamp": "2019-11-07T10:37:04.2260925Z", "event": { "action": "logging-service-shutdown", + "category": "process", "code": 1100, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Eventlog" + "outcome": "success", + "provider": "Microsoft-Windows-Eventlog", + "type": "end" }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/1102.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/1102.evtx.golden.json index 16f6e120b8a..d124c8154dd 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/1102.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/1102.evtx.golden.json @@ -2,11 +2,17 @@ { "@timestamp": "2019-11-07T10:34:29.0559196Z", "event": { - "action": "changed-audit-config", + "action": "audit-log-cleared", + "category": "iam", "code": 1102, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Eventlog" + "outcome": "success", + "provider": "Microsoft-Windows-Eventlog", + "type": [ + "admin", + "change" + ] }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" diff --git a/x-pack/winlogbeat/module/security/test/testdata/1104.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/1104.evtx.golden.json index e75caf10328..9e0b25160e0 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/1104.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/1104.evtx.golden.json @@ -3,10 +3,13 @@ "@timestamp": "2019-11-08T07:56:17.3217049Z", "event": { "action": "logging-full", + "category": "iam", "code": 1104, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Eventlog" + "outcome": "success", + "provider": "Microsoft-Windows-Eventlog", + "type": "admin" }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" diff --git a/x-pack/winlogbeat/module/security/test/testdata/1105.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/1105.evtx.golden.json index ca72947620e..ae6ba7ee57c 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/1105.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/1105.evtx.golden.json 
@@ -3,10 +3,13 @@ "@timestamp": "2019-11-07T16:22:14.8425353Z", "event": { "action": "auditlog-archieved", + "category": "iam", "code": 1105, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Eventlog" + "outcome": "success", + "provider": "Microsoft-Windows-Eventlog", + "type": "admin" }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" diff --git a/x-pack/winlogbeat/module/security/test/testdata/4719.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4719.evtx.golden.json index 8780c91d12d..48e9297a3e0 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4719.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4719.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-11-07T15:22:57.6553291Z", "event": { "action": "changed-audit-config", + "category": "iam", "code": 4719, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" diff --git a/x-pack/winlogbeat/module/security/test/testdata/4741.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4741.evtx.golden.json index cd4bd32fb46..ead2058c418 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4741.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4741.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-12-18T16:22:12.3112534Z", "event": { "action": "added-computer-account", + "category": "iam", "code": 4741, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "creation", + "admin" + ] }, "host": { "name": "DC_TEST2k12.TEST.SAAS" 
@@ -39,7 +45,7 @@ "HomeDirectory": "-", "HomePath": "-", "LogonHours": "%%1793", - "NewUacList": [ + "NewUACList": [ "SCRIPT", "ENCRYPTED_TEXT_PWD_ALLOWED" ], diff --git a/x-pack/winlogbeat/module/security/test/testdata/4742.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4742.evtx.golden.json index 423f7e92280..6e6d21d1d9f 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4742.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4742.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-12-18T16:22:12.3425087Z", "event": { "action": "changed-computer-account", + "category": "iam", "code": 4742, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "admin" + ] }, "host": { "name": "DC_TEST2k12.TEST.SAAS" @@ -40,7 +46,7 @@ "HomeDirectory": "-", "HomePath": "-", "LogonHours": "-", - "NewUacList": [ + "NewUACList": [ "ENCRYPTED_TEXT_PWD_ALLOWED" ], "NewUacValue": "0x84", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4743.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4743.evtx.golden.json index a64f1684596..c3dd849dfcf 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4743.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4743.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-12-18T16:25:21.5781833Z", "event": { "action": "deleted-computer-account", + "category": "iam", "code": 4743, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "deletion", + "admin" + ] }, "host": { "name": "DC_TEST2k12.TEST.SAAS" 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json index efad3a186bd..ee173fa174b 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-12-18T16:26:46.8744233Z", "event": { "action": "added-distribution-group-account", + "category": "iam", "code": 4744, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "creation", + "group" + ] }, "group": { "domain": "TEST", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4745.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4745.evtx.golden.json index 115c5ba452f..6763c6e314b 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4745.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4745.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-12-18T16:29:05.0175739Z", "event": { "action": "changed-distribution-group-account", + "category": "iam", "code": 4745, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "group" + ] }, "group": { "domain": "TEST", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json index bb1f2e0fe39..4f6767b86f1 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json 
@@ -3,10 +3,16 @@ "@timestamp": "2019-12-18T16:31:01.6117458Z", "event": { "action": "added-member-to-distribution-group", + "category": "iam", "code": 4746, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "group" + ] }, "group": { "domain": "TEST", @@ -19,7 +25,10 @@ "level": "information" }, "related": { - "user": "at_adm" + "user": [ + "at_adm", + "Administrator" + ] }, "user": { "domain": "TEST", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json index 734c1f25acc..1e49b60bf5a 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-12-18T16:35:16.6816525Z", "event": { "action": "removed-member-from-distribution-group", + "category": "iam", "code": 4747, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "group" + ] }, "group": { "domain": "TEST", @@ -19,7 +25,10 @@ "level": "information" }, "related": { - "user": "at_adm" + "user": [ + "at_adm", + "Administrator" + ] }, "user": { "domain": "TEST", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4748.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4748.evtx.golden.json index 529c63c93fb..7028e3eabcf 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4748.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4748.evtx.golden.json 
@@ -3,10 +3,16 @@ "@timestamp": "2019-12-19T08:01:45.9824133Z", "event": { "action": "deleted-distribution-group-account", + "category": "iam", "code": 4748, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "deletion", + "group" + ] }, "group": { "domain": "TEST", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json index e00d62d4e0f..5d8b63f88fb 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-12-19T08:03:42.7234679Z", "event": { "action": "added-distribution-group-account", + "category": "iam", "code": 4749, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "creation", + "group" + ] }, "group": { "domain": "TEST", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json index 5cc18e986c1..adc07bcf0bb 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-12-19T08:10:57.4737631Z", "event": { "action": "changed-distribution-group-account", + "category": "iam", "code": 4750, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "group" + ] }, "group": { "domain": "TEST", 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json index acad53e1f9d..19365fcd0b0 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-12-19T08:20:29.0889568Z", "event": { "action": "added-member-to-distribution-group", + "category": "iam", "code": 4751, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "group" + ] }, "group": { "domain": "TEST", @@ -19,7 +25,10 @@ "level": "information" }, "related": { - "user": "at_adm" + "user": [ + "at_adm", + "Administrator" + ] }, "user": { "domain": "TEST", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json index 6daa89967bd..0ec7e223ca8 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-12-19T08:21:23.6444225Z", "event": { "action": "removed-member-from-distribution-group", + "category": "iam", "code": 4752, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "group" + ] }, "group": { "domain": "TEST", @@ -19,7 +25,10 @@ "level": "information" }, "related": { - "user": "at_adm" + "user": [ + "at_adm", + "Administrator" + ] }, "user": { "domain": "TEST", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4753.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4753.evtx.golden.json index a202dced9ea..2522fe24547 100644 
--- a/x-pack/winlogbeat/module/security/test/testdata/4753.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4753.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-12-19T08:24:36.5952761Z", "event": { "action": "deleted-distribution-group-account", + "category": "iam", "code": 4753, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "deletion", + "group" + ] }, "group": { "domain": "TEST", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json index f7f1d4e03dd..ca734884d50 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-12-19T08:26:26.1432582Z", "event": { "action": "added-distribution-group-account", + "category": "iam", "code": 4759, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "creation", + "group" + ] }, "group": { "domain": "TEST", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json index dee61d9d371..fd63349af6b 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json 
@@ -3,10 +3,16 @@ "@timestamp": "2019-12-19T08:28:21.0305977Z", "event": { "action": "changed-distribution-group-account", + "category": "iam", "code": 4760, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "group" + ] }, "group": { "domain": "TEST", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json index ded73373373..541326dabdc 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-12-19T08:29:38.4487328Z", "event": { "action": "added-member-to-distribution-group", + "category": "iam", "code": 4761, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "group" + ] }, "group": { "domain": "TEST", @@ -19,7 +25,10 @@ "level": "information" }, "related": { - "user": "at_adm" + "user": [ + "at_adm", + "Administrator" + ] }, "user": { "domain": "TEST", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json index 4b346ef8e59..ff9647a360e 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json 
@@ -3,10 +3,16 @@ "@timestamp": "2019-12-19T08:33:25.9678735Z", "event": { "action": "removed-member-from-distribution-group", + "category": "iam", "code": 4762, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "group" + ] }, "group": { "domain": "TEST", @@ -19,7 +25,10 @@ "level": "information" }, "related": { - "user": "at_adm" + "user": [ + "at_adm", + "Administrator" + ] }, "user": { "domain": "TEST", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4763.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4763.evtx.golden.json index d4069947156..a600ede656d 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4763.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4763.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-12-19T08:34:23.1623432Z", "event": { "action": "deleted-distribution-group-account", + "category": "iam", "code": 4763, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "deletion", + "group" + ] }, "group": { "domain": "TEST", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4673.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4673.evtx new file mode 100644 index 00000000000..643fadac216 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4673.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4673.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4673.evtx.golden.json new file mode 100644 index 00000000000..d0a1cd0e18d --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4673.evtx.golden.json 
@@ -0,0 +1,68 @@ +[ + { + "@timestamp": "2020-04-06T06:39:04.5491199Z", + "event": { + "action": "privileged-service-called", + "category": "iam", + "code": 4673, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": "admin" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\lsass.exe", + "name": "lsass.exe", + "pid": 496 + }, + "related": { + "user": "DC_TEST2K12$" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "DC_TEST2K12$" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "ObjectServer": "NT Local Security Authority / Authentication Service", + "PrivilegeList": [ + "SeTcbPrivilege" + ], + "Service": "LsaRegisterLogonProcess()", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "DC_TEST2K12$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": 4673, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 496, + "thread": { + "id": 504 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 5109160, + "task": "Sensitive Privilege Use" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4674.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4674.evtx new file mode 100644 index 00000000000..b4808dce3f1 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4674.evtx differ 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4674.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4674.evtx.golden.json new file mode 100644 index 00000000000..8e0e6c2a6f5 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4674.evtx.golden.json 
@@ -0,0 +1,78 @@ +[ + { + "@timestamp": "2020-04-06T06:38:31.1087891Z", + "event": { + "action": "privileged-operation", + "category": "iam", + "code": 4674, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": "admin" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 884 + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "AccessMask": [ + "1538", + "1542" + ], + "AccessMaskDescription": [ + "READ_CONTROL", + "ACCESS_SYS_SEC" + ], + "HandleId": "0x1ee0", + "ObjectName": "C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor", + "ObjectServer": "Security", + "ObjectType": "File", + "PrivilegeList": [ + "SeSecurityPrivilege" + ], + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x8aa365b", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" + }, + "event_id": 4674, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x8aa365b" + }, + "opcode": "Info", + "process": { + "pid": 496, + "thread": { + "id": 504 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 5109140, + "task": "Sensitive Privilege Use" + } + } +] \ No newline at end of file 
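Review bot: `AccessMask` in this 4674 golden holds `["1538", "1542"]`, which are the stripped `%%1538`/`%%1542` message-table IDs Windows emits for this event, not an access-mask bit value; `AccessMaskDescription` resolves them to READ_CONTROL and ACCESS_SYS_SEC, neither of which equals 0x1538 or 0x1542 as a mask. A detection author who treats the field like the hex mask in 4656/4663 will write wrong comparisons, so if the pipeline keeps this shape the module docs or a field description should say so, e.g. `AccessMask: %% message IDs from the raw event (not a bitmask); use AccessMaskDescription for the resolved names`. Whether the `%%` stripping happens in the module pipeline or upstream is inferred; the pipeline itself is not in this diff.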
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4697.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4697.evtx new file mode 100644 index 00000000000..b878c3bcd3a Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4697.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4697.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4697.evtx.golden.json new file mode 100644 index 00000000000..4f95860bf30 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4697.evtx.golden.json 
@@ -0,0 +1,71 @@ +[ + { + "@timestamp": "2020-04-02T14:34:08.8896056Z", + "event": { + "action": "service-installed", + "category": "iam", + "code": 4697, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "related": { + "user": "Administrator" + }, + "service": { + "name": "winlogbeat", + "type": "Win32 Own Process" + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{74b64d41-08ce-0000-454f-b674ce08d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "ServiceAccount": "LocalSystem", + "ServiceFileName": "\"C:\\Program Files\\Winlogbeat\\winlogbeat.exe\" -c \"C:\\Program Files\\Winlogbeat\\winlogbeat.yml\" -path.home \"C:\\Program Files\\Winlogbeat\" -path.data \"C:\\ProgramData\\winlogbeat\" -path.logs \"C:\\ProgramData\\winlogbeat\\logs\" -E logging.files.redirect_stderr=true", + "ServiceName": "winlogbeat", + "ServiceStartType": "2", + "ServiceType": "0x10", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4c323", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" + }, + "event_id": 4697, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4c323" + }, + "opcode": "Info", + "process": { + "pid": 792, + "thread": { + "id": 2492 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 90108, + "task": "Security System Extension" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4698.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4698.evtx new file mode 100644 index 00000000000..ec779713044 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4698.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4698.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4698.evtx.golden.json new file mode 100644 index 00000000000..f7a098c73ba --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4698.evtx.golden.json 
@@ -0,0 +1,63 @@ +[ + { + "@timestamp": "2020-04-01T14:34:34.6061085Z", + "event": { + "action": "scheduled-task-created", + "category": "iam", + "code": 4698, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "creation", + "admin" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x60d1ca6", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TaskContent": "\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n 
\u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\mspaint.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e", + "TaskName": "\\test1" + }, + "event_id": 4698, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x60d1ca6" + }, + "opcode": "Info", + "process": { + "pid": 496, + "thread": { + "id": 3684 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 5043782, + "task": "Other Object Access Events" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4699.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4699.evtx new file mode 100644 index 00000000000..877b2a43def Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4699.evtx differ 
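Review bot: The scheduled task's actual payload — the two `<Exec><Command>` entries (`%windir%\system32\calc.exe`, `%windir%\system32\mspaint.exe`) plus the `<Principal>` `UserId`/`RunLevel`/`LogonType` — stays buried inside the `TaskContent` XML string; the only value this golden shows lifted out is `TaskName`. Scheduled-task persistence detections key on the command and the run-as principal, so an analyst has to extract them from `winlog.event_data.TaskContent` at query time, which is fragile. Consider having the pipeline parse at least the `Command`/`Arguments` elements into an ECS field such as `process.command_line` (and the principal into a documented module field), and pin that in this golden. The 4699/4700/4701/4702 goldens below carry the same XML-in-a-string shape and would benefit from the same extraction.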
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4699.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4699.evtx.golden.json new file mode 100644 index 00000000000..924af062c97 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4699.evtx.golden.json 
@@ -0,0 +1,63 @@ +[ + { + "@timestamp": "2020-04-01T14:35:47.822282Z", + "event": { + "action": "scheduled-task-deleted", + "category": "iam", + "code": 4699, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "deletion", + "admin" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x60d1ca6", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TaskContent": "\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n 
\u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e", + "TaskName": "\\test1" + }, + "event_id": 4699, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x60d1ca6" + }, + "opcode": "Info", + "process": { + "pid": 496, + "thread": { + "id": 3684 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 5043801, + "task": "Other Object Access Events" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4700.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4700.evtx new file mode 100644 index 00000000000..e45df8bf238 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4700.evtx differ 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4700.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4700.evtx.golden.json new file mode 100644 index 00000000000..6004373ad7d --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4700.evtx.golden.json 
@@ -0,0 +1,63 @@ +[ + { + "@timestamp": "2020-04-01T14:35:14.8732455Z", + "event": { + "action": "scheduled-task-enabled", + "category": "iam", + "code": 4700, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "admin" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x60d1ca6", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TaskContent": "\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n 
\u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\mspaint.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e", + "TaskName": "\\test1" + }, + "event_id": 4700, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x60d1ca6" + }, + "opcode": "Info", + "process": { + "pid": 496, + "thread": { + "id": 3684 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 5043792, + "task": "Other Object Access Events" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4701.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4701.evtx new file mode 100644 index 00000000000..4ade77eb664 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4701.evtx differ 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4701.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4701.evtx.golden.json new file mode 100644 index 00000000000..229ab491f58 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4701.evtx.golden.json 
@@ -0,0 +1,63 @@ +[ + { + "@timestamp": "2020-04-01T14:35:04.7030004Z", + "event": { + "action": "scheduled-task-disabled", + "category": "iam", + "code": 4701, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "admin" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x60d1ca6", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TaskContent": "\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n 
\u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003efalse\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\mspaint.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e", + "TaskName": "\\test1" + }, + "event_id": 4701, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x60d1ca6" + }, + "opcode": "Info", + "process": { + "pid": 496, + "thread": { + "id": 3684 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 5043789, + "task": "Other Object Access Events" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4702.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4702.evtx new file mode 100644 index 00000000000..0f888825b63 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4702.evtx differ 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4702.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4702.evtx.golden.json new file mode 100644 index 00000000000..bd8fbbfd483 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4702.evtx.golden.json 
@@ -0,0 +1,63 @@ +[ + { + "@timestamp": "2020-04-01T14:35:36.2637108Z", + "event": { + "action": "scheduled-task-updated", + "category": "iam", + "code": 4702, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "admin" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x60d1ca6", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TaskContentNew": "\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n 
\u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e", + "TaskName": "\\test1" + }, + "event_id": 4702, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x60d1ca6" + }, + "opcode": "Info", + "process": { + "pid": 496, + "thread": { + "id": 1284 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 5043795, + "task": "Other Object Access Events" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx new file mode 100644 index 00000000000..1ff236d3db3 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx differ 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json new file mode 100644 index 00000000000..4cddbdcea1f --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json @@ -0,0 +1,71 @@ +[ + { + "@timestamp": "2020-04-01T08:45:44.1717416Z", + "event": { + "action": "kerberos-authentication-ticket-requested", + "category": "authentication", + "code": 4768, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": "start" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "source": { + "ip": "::1", + "port": 0 + }, + "user": { + "domain": "TEST.SAAS", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PreAuthType": "2", + "ServiceName": "krbtgt", + "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-502", + "Status": "0x0", + "StatusDescription": "KDC_ERR_NONE", + "TargetDomainName": "TEST.SAAS", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetUserName": "at_adm", + "TicketEncryptionType": "0x12", + "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96", + "TicketOptions": "0x40810010", + "TicketOptionsDescription": [ + "Renewable-ok", + "Name-canonicalize", + "Renewable", + "Forwardable" + ] + }, + "event_id": 4768, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 496, + "thread": { + "id": 2868 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 5040235, + "task": "Kerberos Authentication Service" + } + } +] \ No newline at end of file 
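Review bot: `PreAuthType` is left as the bare string `"2"` while the neighbouring `Status`, `TicketEncryptionType` and `TicketOptions` each get a `*Description` companion; pre-authentication type is the field AS-REP-roasting detections pivot on (a value of `0` means no pre-authentication was required), so a `PreAuthTypeDescription` lookup (`2` → PA-ENC-TIMESTAMP, `0` → none) would be both consistent and useful. This golden also only covers an `Audit Success` TGT request with `Status: "0x0"`; a failed request (keyword `Audit Failure`, e.g. `0x18` KDC_ERR_PREAUTH_FAILED) would confirm that `event.outcome` becomes `failure` and that the `StatusDescription` mapping resolves non-zero codes. How the pipeline derives `event.outcome` is inferred, since the pipeline is not in this diff.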
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.evtx new file mode 100644 index 00000000000..ddc9436667e Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.evtx.golden.json new file mode 100644 index 00000000000..0e17ff381f6 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.evtx.golden.json 
@@ -0,0 +1,70 @@
+[
+ {
+ "@timestamp": "2020-04-01T08:45:44.1717416Z",
+ "event": {
+ "action": "kerberos-service-ticket-requested",
+ "category": "authentication",
+ "code": 4769,
+ "kind": "event",
+ "module": "security",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": "start"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "log": {
+ "level": "information"
+ },
+ "related": {
+ "user": "at_adm"
+ },
+ "source": {
+ "ip": "::1",
+ "port": 0
+ },
+ "user": {
+ "domain": "TEST.SAAS",
+ "name": "at_adm"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "event_data": {
+ "LogonGuid": "{46f85809-d26e-96f5-fbf2-73bd761a2d68}",
+ "ServiceName": "DC_TEST2K12$",
+ "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-1110",
+ "Status": "0x0",
+ "StatusDescription": "KDC_ERR_NONE",
+ "TargetDomainName": "TEST.SAAS",
+ "TargetUserName": "at_adm@TEST.SAAS",
+ "TicketEncryptionType": "0x12",
+ "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96",
+ "TicketOptions": "0x40810000",
+ "TicketOptionsDescription": [
+ "Name-canonicalize",
+ "Renewable",
+ "Forwardable"
+ ],
+ "TransmittedServices": "-"
+ },
+ "event_id": 4769,
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 2868
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 5040236,
+ "task": "Kerberos Service Ticket Operations"
+ }
+ }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.evtx
new file mode 100644
index 00000000000..8a2f171f64a
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.evtx differ
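Review bot: `related.user` in this 4769 fixture holds only `at_adm`, while `event_data.ServiceName` (`DC_TEST2K12$`), the account whose service ticket was issued, is not reflected in any ECS field; the 4624 hunks later in this diff do extend `related.user` to include the subject account. If `related.user` is meant to list every account an event touches, the 4769 and 4770 fixtures should carry the service principal's account as well, e.g. `"user": [ "at_adm", "DC_TEST2K12$" ]`. This is a point about the pipeline mapping; the fixture merely records its current output.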
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.evtx.golden.json
new file mode 100644
index 00000000000..f41ce8ef476
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.evtx.golden.json
@@ -0,0 +1,65 @@
+[
+ {
+ "@timestamp": "2020-04-01T07:32:55.0104462Z",
+ "event": {
+ "action": "kerberos-service-ticket-renewed",
+ "category": "authentication",
+ "code": 4770,
+ "kind": "event",
+ "module": "security",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": "start"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "log": {
+ "level": "information"
+ },
+ "related": {
+ "user": "DC_TEST2K12$"
+ },
+ "source": {
+ "ip": "::1",
+ "port": 0
+ },
+ "user": {
+ "domain": "TEST.SAAS",
+ "name": "DC_TEST2K12$"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "event_data": {
+ "ServiceName": "krbtgt",
+ "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-502",
+ "TargetDomainName": "TEST.SAAS",
+ "TargetUserName": "DC_TEST2K12$@TEST.SAAS",
+ "TicketEncryptionType": "0x12",
+ "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96",
+ "TicketOptions": "0x10002",
+ "TicketOptionsDescription": [
+ "Renew",
+ "Name-canonicalize"
+ ]
+ },
+ "event_id": 4770,
+ "keywords": [
+ "Audit Success"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 4468
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 5039598,
+ "task": "Kerberos Service Ticket Operations"
+ }
+ }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx
new file mode 100644
index 00000000000..d3e8a80a371
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json
new file mode 100644
index 00000000000..7321a262d93
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json
@@ -0,0 +1,66 @@
+[
+ {
+ "@timestamp": "2020-03-31T07:50:27.1681182Z",
+ "event": {
+ "action": "kerberos-preauth-failed",
+ "category": "authentication",
+ "code": 4771,
+ "kind": "event",
+ "module": "security",
+ "outcome": "failure",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": "start"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "log": {
+ "level": "information"
+ },
+ "related": {
+ "user": "MPUIG"
+ },
+ "source": {
+ "ip": "192.168.5.44",
+ "port": 53366
+ },
+ "user": {
+ "name": "MPUIG"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "event_data": {
+ "PreAuthType": "0",
+ "ServiceName": "krbtgt/test.saas",
+ "Status": "0x12",
+ "StatusDescription": "KDC_ERR_CLIENT_REVOKED",
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-3057",
+ "TargetUserName": "MPUIG",
+ "TicketOptions": "0x40810010",
+ "TicketOptionsDescription": [
+ "Renewable-ok",
+ "Name-canonicalize",
+ "Renewable",
+ "Forwardable"
+ ]
+ },
+ "event_id": 4771,
+ "keywords": [
+ "Audit Failure"
+ ],
+ "opcode": "Info",
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 4552
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 5027836,
+ "task": "Kerberos Authentication Service"
+ }
+ }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4776.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4776.evtx
new file mode 100644
index 00000000000..e9017eff858
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4776.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4776.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4776.evtx.golden.json
new file mode 100644
index 00000000000..23a60fcb72e
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4776.evtx.golden.json
@@ -0,0 +1,58 @@
+[
+ {
+ "@timestamp": "2020-04-01T08:45:42.1873153Z",
+ "event": {
+ "action": "credential-validated",
+ "category": "authentication",
+ "code": 4776,
+ "kind": "event",
+ "module": "security",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": "start"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "log": {
+ "level": "information"
+ },
+ "related": {
+ "user": "at_adm"
+ },
+ "user": {
+ "name": "at_adm"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "event_data": {
+ "PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
+ "Status": "0x0",
+ "TargetUserName": "at_adm",
+ "Workstation": "EQP01777"
+ },
+ "event_id": 4776,
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "failure": {
+ "status": "Status OK."
+ }
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 1864
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 5040222,
+ "task": "Credential Validation"
+ }
+ }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx
new file mode 100644
index 00000000000..5d8653c23ff
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json
new file mode 100644
index 00000000000..f6723e5bada
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json
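Review bot: `winlog.logon.failure.status` is emitted as `"Status OK."` on this 4776 event even though `Status` is `0x0` and `event.outcome` is `success`, so a `logon.failure` object is present on successful validations and cannot serve as a presence test for failed ones. Presumably the pipeline maps the status code unconditionally; it should populate `logon.failure` only when `Status` is non-zero, and this fixture would then carry no `logon` block. Separately, `event_data.Workstation` (`EQP01777`) is not surfaced in any ECS field, while the 4778/4779 fixtures below map `ClientName` to `source.domain`; mapping `Workstation` the same way would make the originating host of an NTLM validation queryable consistently across these events.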
@@ -0,0 +1,63 @@
+[
+ {
+ "@timestamp": "2020-04-05T16:33:32.3888253Z",
+ "event": {
+ "action": "session-reconnected",
+ "category": "authentication",
+ "code": 4778,
+ "kind": "event",
+ "module": "security",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": "start"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "log": {
+ "level": "information"
+ },
+ "related": {
+ "user": "at_adm"
+ },
+ "source": {
+ "domain": "EQP01777",
+ "ip": "10.100.150.9"
+ },
+ "user": {
+ "domain": "TEST",
+ "name": "at_adm"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "event_data": {
+ "AccountDomain": "TEST",
+ "AccountName": "at_adm",
+ "ClientAddress": "10.100.150.9",
+ "ClientName": "EQP01777",
+ "LogonID": "0x76fea87",
+ "SessionName": "RDP-Tcp#127"
+ },
+ "event_id": 4778,
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x76fea87"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 4184
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 5101675,
+ "task": "Other Logon/Logoff Events"
+ }
+ }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx
new file mode 100644
index 00000000000..29bc4f77453
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json
new file mode 100644
index 00000000000..d3efbfe1bb2
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+ {
+ "@timestamp": "2020-04-03T10:18:01.8822336Z",
+ "event": {
+ "action": "session-disconnected",
+ "category": "authentication",
+ "code": 4779,
+ "kind": "event",
+ "module": "security",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": "end"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "log": {
+ "level": "information"
+ },
+ "related": {
+ "user": "at_adm"
+ },
+ "source": {
+ "domain": "EQP01777",
+ "ip": "10.100.150.17"
+ },
+ "user": {
+ "domain": "TEST",
+ "name": "at_adm"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "event_data": {
+ "AccountDomain": "TEST",
+ "AccountName": "at_adm",
+ "ClientAddress": "10.100.150.17",
+ "ClientName": "EQP01777",
+ "LogonID": "0x60d1ccb",
+ "SessionName": "RDP-Tcp#116"
+ },
+ "event_id": 4779,
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x60d1ccb"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 3852
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 5069070,
+ "task": "Other Logon/Logoff Events"
+ }
+ }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json
index 519a58ec959..2fda2af99bb 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json
@@ -9,7 +9,7 @@
 "module": "security",
 "outcome": "success",
 "provider": "Microsoft-Windows-Security-Auditing",
- "type": "authentication_success"
+ "type": "start"
 },
 "host": {
 "name": "vagrant-2012-r2"
@@ -23,7 +23,10 @@
 "pid": 508
 },
 "related": {
- "user": "SYSTEM"
+ "user": [
+ "SYSTEM",
+ "VAGRANT-2012-R2$"
+ ]
 },
 "user": {
 "domain": "NT AUTHORITY",
@@ -86,7 +89,7 @@
 "module": "security",
 "outcome": "success",
 "provider": "Microsoft-Windows-Security-Auditing",
- "type": "authentication_success"
+ "type": "start"
 },
 "host": {
 "name": "vagrant-2012-r2"
@@ -100,7 +103,10 @@
 "pid": 508
 },
 "related": {
- "user": "SYSTEM"
+ "user": [
+ "SYSTEM",
+ "VAGRANT-2012-R2$"
+ ]
 },
 "user": {
 "domain": "NT AUTHORITY",
@@ -163,7 +169,7 @@
 "module": "security",
 "outcome": "success",
 "provider": "Microsoft-Windows-Security-Auditing",
- "type": "authentication_success"
+ "type": "start"
 },
 "host": {
 "name": "vagrant-2012-r2"
@@ -177,7 +183,10 @@
 "pid": 448
 },
 "related": {
- "user": "vagrant"
+ "user": [
+ "vagrant",
+ "VAGRANT-2012-R2$"
+ ]
 },
 "source": {
 "domain": "VAGRANT-2012-R2",
@@ -243,7 +252,7 @@
 "module": "security",
 "outcome": "success",
 "provider": "Microsoft-Windows-Security-Auditing",
- "type": "authentication_success"
+ "type": "start"
 },
 "host": {
 "name": "vagrant-2012-r2"
@@ -257,7 +266,10 @@
 "pid": 508
 },
 "related": {
- "user": "SYSTEM"
+ "user": [
+ "SYSTEM",
+ "VAGRANT-2012-R2$"
+ ]
 },
 "user": {
 "domain": "NT AUTHORITY",
@@ -320,7 +332,7 @@
 "module": "security",
 "outcome": "success",
 "provider": "Microsoft-Windows-Security-Auditing",
- "type": "authentication_success"
+ "type": "start"
 },
 "host": {
 "name": "vagrant-2012-r2"
@@ -397,7 +409,7 @@
 "module": "security",
 "outcome": "success",
 "provider": "Microsoft-Windows-Security-Auditing",
- "type": "authentication_success"
+ "type": "start"
 },
 "host": {
 "name": "vagrant-2012-r2"
@@ -474,7 +486,7 @@
 "module": "security",
 "outcome": "success",
 "provider": "Microsoft-Windows-Security-Auditing",
- "type": "authentication_success"
+ "type": "start"
 },
 "host": {
 "name": "vagrant-2012-r2"
@@ -551,7 +563,7 @@
 "module": "security",
 "outcome": "success",
 "provider": "Microsoft-Windows-Security-Auditing",
- "type": "authentication_success"
+ "type": "start"
 },
 "host": {
 "name": "vagrant-2012-r2"
@@ -628,7 +640,7 @@
 "module": "security",
 "outcome": "success",
 "provider": "Microsoft-Windows-Security-Auditing",
- "type": "authentication_success"
+ "type": "start"
 },
 "host": {
 "name": "vagrant-2012-r2"
@@ -708,7 +720,7 @@
 "module": "security",
 "outcome": "success",
 "provider": "Microsoft-Windows-Security-Auditing",
- "type": "authentication_success"
+ "type": "start"
 },
 "host": {
 "name": "vagrant-2012-r2"
@@ -722,7 +734,10 @@
 "pid": 2812
 },
 "related": {
- "user": "DWM-2"
+ "user": [
+ "DWM-2",
+ "VAGRANT-2012-R2$"
+ ]
 },
 "user": {
 "domain": "Window Manager",
@@ -785,7 +800,7 @@
 "module": "security",
 "outcome": "success",
 "provider": "Microsoft-Windows-Security-Auditing",
- "type": "authentication_success"
+ "type": "start"
 },
 "host": {
 "name": "vagrant-2012-r2"
@@ -799,7 +814,10 @@
 "pid": 2812
 },
 "related": {
- "user": "vagrant"
+ "user": [
+ "vagrant",
+ "VAGRANT-2012-R2$"
+ ]
 },
 "source": {
 "domain": "VAGRANT-2012-R2",
@@ -865,7 +883,7 @@
 "module": "security",
 "outcome": "success",
 "provider": "Microsoft-Windows-Security-Auditing",
- "type": "authentication_success"
+ "type": "start"
 },
 "host": {
 "name": "vagrant-2012-r2"
@@ -879,7 +897,10 @@
 "pid": 2188
 },
 "related": {
- "user": "DWM-3"
+ "user": [
+ "DWM-3",
+ "VAGRANT-2012-R2$"
+ ]
 },
 "user": {
 "domain": "Window Manager",
@@ -942,7 +963,7 @@
 "module": "security",
 "outcome": "success",
 "provider": "Microsoft-Windows-Security-Auditing",
- "type": "authentication_success"
+ "type": "start"
 },
 "host": {
 "name": "vagrant-2012-r2"
@@ -956,7 +977,10 @@
 "pid": 508
 },
 "related": {
- "user": "SYSTEM"
+ "user": [
+ "SYSTEM",
+ "VAGRANT-2012-R2$"
+ ]
 },
 "user": {
 "domain": "NT AUTHORITY",
@@ -1019,7 +1043,7 @@
 "module": "security",
 "outcome": "success",
 "provider": "Microsoft-Windows-Security-Auditing",
- "type": "authentication_success"
+ "type": "start"
 },
 "host": {
 "name": "vagrant-2012-r2"
@@ -1033,7 +1057,10 @@
 "pid": 508
 },
 "related": {
- "user": "SYSTEM"
+ "user": [
+ "SYSTEM",
+ "VAGRANT-2012-R2$"
+ ]
 },
 "user": {
 "domain": "NT AUTHORITY",
@@ -1096,7 +1123,7 @@
 "module": "security",
 "outcome": "success",
 "provider": "Microsoft-Windows-Security-Auditing",
- "type": "authentication_success"
+ "type": "start"
 },
 "host": {
 "name": "vagrant-2012-r2"
@@ -1110,7 +1137,10 @@
 "pid": 508
 },
 "related": {
- "user": "SYSTEM"
+ "user": [
+ "SYSTEM",
+ "VAGRANT-2012-R2$"
+ ]
 },
 "user": {
 "domain": "NT AUTHORITY",
@@ -1173,7 +1203,7 @@
 "module": "security",
 "outcome": "success",
 "provider": "Microsoft-Windows-Security-Auditing",
- "type": "authentication_success"
+ "type": "start"
 },
 "host": {
 "name": "vagrant-2012-r2"
@@ -1187,7 +1217,10 @@
 "pid": 508
 },
 "related": {
- "user": "SYSTEM"
+ "user": [
+ "SYSTEM",
+ "VAGRANT-2012-R2$"
+ ]
 },
 "user": {
 "domain": "NT AUTHORITY",
@@ -1250,7 +1283,7 @@
 "module": "security",
 "outcome": "success",
 "provider": "Microsoft-Windows-Security-Auditing",
- "type": "authentication_success"
+ "type": "start"
 },
 "host": {
 "name": "vagrant-2012-r2"
@@ -1264,7 +1297,10 @@
 "pid": 508
 },
 "related": {
- "user": "SYSTEM"
+ "user": [
+ "SYSTEM",
+ "VAGRANT-2012-R2$"
+ ]
 },
 "user": {
 "domain": "NT AUTHORITY",
@@ -1327,7 +1363,7 @@
 "module": "security",
 "outcome": "failure",
 "provider": "Microsoft-Windows-Security-Auditing",
- "type": "authentication_failure"
+ "type": "start"
 },
 "host": {
 "name": "vagrant-2012-r2"
@@ -1385,6 +1421,7 @@
 "status": "This is either due to a bad username or authentication information",
 "sub_status": "User logon with misspelled or bad user account"
 },
+ "id": "0x1008e",
 "type": "Interactive"
 },
 "opcode": "Info",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-4672.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-4672.evtx.golden.json
index 7aee5aeef9a..5a7f9be75a9 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-4672.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-4672.evtx.golden.json
@@ -3,10 +3,13 @@
 "@timestamp": "2018-05-18T23:09:03.2086661Z",
 "event": {
 "action": "logged-in-special",
+ "category": "iam",
 "code": 4672,
 "kind": "event",
 "module": "security",
- "provider": "Microsoft-Windows-Security-Auditing"
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": "admin"
 },
 "host": {
 "name": "vagrant-2016"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.evtx.golden.json
index c1166103e9b..23c1159d403 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.evtx.golden.json
@@ -3,10 +3,13 @@
 "@timestamp": "2019-05-17T11:06:58.210768Z",
 "event": {
 "action": "logged-out",
+ "category": "authentication",
 "code": 4634,
 "kind": "event",
 "module": "security",
- "provider": "Microsoft-Windows-Security-Auditing"
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": "end"
 },
 "host": {
 "name": "WIN-41OB2LO92CR"
@@ -58,10 +61,13 @@
 "@timestamp": "2019-05-19T16:15:38.542273Z",
 "event": {
 "action": "logged-out",
+ "category": "authentication",
 "code": 4634,
 "kind": "event",
 "module": "security",
- "provider": "Microsoft-Windows-Security-Auditing"
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": "end"
 },
 "host": {
 "name": "WIN-41OB2LO92CR"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json
index f2092d9bb8d..9908eccb830 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json
@@ -3,10 +3,16 @@
 "@timestamp": "2019-09-06T13:24:39.2933111Z",
 "event": {
 "action": "added-user-account",
+ "category": "iam",
 "code": 4720,
 "kind": "event",
 "module": "security",
- "provider": "Microsoft-Windows-Security-Auditing"
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "creation",
+ "user"
+ ]
 },
 "host": {
 "name": "WIN-41OB2LO92CR"
@@ -37,7 +43,7 @@
 "HomeDirectory": "%%1793",
 "HomePath": "%%1793",
 "LogonHours": "%%1797",
- "NewUacList": [
+ "NewUACList": [
 "SCRIPT",
 "LOCKOUT"
 ],
@@ -90,10 +96,16 @@
 "@timestamp": "2019-09-06T13:25:21.8672707Z",
 "event": {
 "action": "added-user-account",
+ "category": "iam",
 "code": 4720,
 "kind": "event",
 "module": "security",
- "provider": "Microsoft-Windows-Security-Auditing"
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "creation",
+ "user"
+ ]
 },
 "host": {
 "name": "WIN-41OB2LO92CR"
@@ -124,7 +136,7 @@
 "HomeDirectory": "%%1793",
 "HomePath": "%%1793",
 "LogonHours": "%%1797",
- "NewUacList": [
+ "NewUACList": [
 "SCRIPT",
 "LOCKOUT"
 ],
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json
index 60548259535..6fa5bb63b42 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json
@@ -3,10 +3,16 @@
 "@timestamp": "2019-09-06T13:28:46.1631928Z",
 "event": {
 "action": "enabled-user-account",
+ "category": "iam",
 "code": 4722,
 "kind": "event",
 "module": "security",
- "provider": "Microsoft-Windows-Security-Auditing"
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "creation",
+ "user"
+ ]
 },
 "host": {
 "name": "WIN-41OB2LO92CR"
@@ -63,10 +69,16 @@
 "@timestamp": "2019-09-06T13:29:08.5737904Z",
 "event": {
 "action": "enabled-user-account",
+ "category": "iam",
 "code": 4722,
 "kind": "event",
 "module": "security",
- "provider": "Microsoft-Windows-Security-Auditing"
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "creation",
+ "user"
+ ]
 },
 "host": {
 "name": "WIN-41OB2LO92CR"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json
index f59261c6a02..270ef50ad1e 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json
@@ -3,10 +3,16 @@
 "@timestamp": "2019-09-06T13:32:13.8554125Z",
 "event": {
 "action": "changed-password",
+ "category": "iam",
 "code": 4723,
 "kind": "event",
 "module": "security",
- "provider": "Microsoft-Windows-Security-Auditing"
+ "outcome": "failure",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "change",
+ "user"
+ ]
 },
 "host": {
 "name": "WIN-41OB2LO92CR"
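Review bot: `event.type` for 4722 (enabled-user-account) is `["creation", "user"]` in both hunks of this file, but enabling an existing account modifies it rather than creates it; `"change"` is the ECS type that fits, and it is what the 4723/4724 fixtures in this same diff use for password operations. The 4725 (disabled-user-account) hunks in the Account_Disabled file carry the mirror-image problem with `["deletion", "user"]`, since the account still exists after being disabled. In each of those four hunks the array would read `"type": [ "change", "user" ]`, and presumably the pipeline rule assigning these types needs the same adjustment so the fixtures regenerate accordingly.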
@@ -61,10 +67,16 @@
 "@timestamp": "2019-09-06T13:32:23.8855201Z",
 "event": {
 "action": "changed-password",
+ "category": "iam",
 "code": 4723,
 "kind": "event",
 "module": "security",
- "provider": "Microsoft-Windows-Security-Auditing"
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "change",
+ "user"
+ ]
 },
 "host": {
 "name": "WIN-41OB2LO92CR"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json
index 83b32607789..7a3c9767ab5 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json
@@ -3,10 +3,16 @@
 "@timestamp": "2019-09-06T13:24:39.339071Z",
 "event": {
 "action": "reset-password",
+ "category": "iam",
 "code": 4724,
 "kind": "event",
 "module": "security",
- "provider": "Microsoft-Windows-Security-Auditing"
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "change",
+ "user"
+ ]
 },
 "host": {
 "name": "WIN-41OB2LO92CR"
@@ -63,10 +69,16 @@
 "@timestamp": "2019-09-06T13:25:21.9005914Z",
 "event": {
 "action": "reset-password",
+ "category": "iam",
 "code": 4724,
 "kind": "event",
 "module": "security",
- "provider": "Microsoft-Windows-Security-Auditing"
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "change",
+ "user"
+ ]
 },
 "host": {
 "name": "WIN-41OB2LO92CR"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json
index 8c8d35b4b73..ccf014d68e3 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json
@@ -3,10 +3,16 @@
 "@timestamp": "2019-09-06T13:28:40.0015275Z",
 "event": {
 "action": "disabled-user-account",
+ "category": "iam",
 "code": 4725,
 "kind": "event",
 "module": "security",
- "provider": "Microsoft-Windows-Security-Auditing"
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "deletion",
+ "user"
+ ]
 },
 "host": {
 "name": "WIN-41OB2LO92CR"
@@ -63,10 +69,16 @@
 "@timestamp": "2019-09-06T13:28:55.2644212Z",
 "event": {
 "action": "disabled-user-account",
+ "category": "iam",
 "code": 4725,
 "kind": "event",
 "module": "security",
- "provider": "Microsoft-Windows-Security-Auditing"
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "deletion",
+ "user"
+ ]
 },
 "host": {
 "name": "WIN-41OB2LO92CR"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json
index dbdbea6bce8..df5544fdafc 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json
@@ -3,10 +3,16 @@
 "@timestamp": "2019-09-06T13:35:25.5153959Z",
 "event": {
 "action": "deleted-user-account",
+ "category": "iam",
 "code": 4726,
 "kind": "event",
 "module": "security",
- "provider": "Microsoft-Windows-Security-Auditing"
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "deletion",
+ "user"
+ ]
 },
 "host": {
 "name": "WIN-41OB2LO92CR"
@@ -64,10 +70,16 @@
 "@timestamp": "2019-09-06T13:35:29.6900555Z",
 "event": {
 "action": "deleted-user-account",
+ "category": "iam",
 "code": 4726,
 "kind": "event",
 "module": "security",
- "provider": "Microsoft-Windows-Security-Auditing"
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "deletion",
+ "user"
+ ]
 },
 "host": {
 "name": "WIN-41OB2LO92CR"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json
index 74625a93246..d85d9a40ea3 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json
@@ -3,10 +3,16 @@
 "@timestamp": "2019-10-22T11:26:12.4955445Z",
 "event": {
 "action": "added-group-account",
+ "category": "iam",
 "code": 4727,
 "kind": "event",
 "module": "security",
- "provider": "Microsoft-Windows-Security-Auditing"
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "creation",
+ "group"
+ ]
 },
 "group": {
 "domain": "WLBEAT",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json
index 7eb4b175035..eff3f51f52d 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json
@@ -3,10 +3,16 @@
 "@timestamp": "2019-10-22T11:33:26.8613751Z",
 "event": {
 "action": "added-member-to-group",
+ "category": "iam",
 "code": 4728,
 "kind": "event",
 "module": "security",
- "provider": "Microsoft-Windows-Security-Auditing"
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "change",
+ "group"
+ ]
 },
 "group": {
 "domain": "WLBEAT",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json
index e932893c283..536d546b58d 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json
@@ -3,10 +3,16 @@
 "@timestamp": "2019-10-22T11:33:45.5433159Z",
 "event": {
 "action": "removed-member-from-group",
+ "category": "iam",
 "code": 4729,
 "kind": "event",
 "module": "security",
- "provider": "Microsoft-Windows-Security-Auditing"
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "change",
+ "group"
+ ]
 },
 "group": {
 "domain": "WLBEAT",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json
index a859249e571..1e0a1fa75cd 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json
@@ -3,10 +3,16 @@
 "@timestamp": "2019-10-22T11:34:01.6107262Z",
 "event": {
 "action": "deleted-group-account",
+ "category": "iam",
 "code": 4730,
 "kind": "event",
 "module": "security",
- "provider": "Microsoft-Windows-Security-Auditing"
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "deletion",
+ "group"
+ ]
 },
 "group": {
 "domain": "WLBEAT",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json
index d9e51ee82c1..fc1866628be 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json
@@ -2,11 +2,17 @@
 {
 "@timestamp": "2019-10-22T11:29:49.3586766Z",
 "event": {
- "action": "added-member-to-group",
+ "action": "added-group-account",
+ "category": "iam",
 "code": 4731,
 "kind": "event",
 "module": "security",
- "provider": "Microsoft-Windows-Security-Auditing"
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "creation",
+ "group"
+ ]
 },
 "group": {
 "domain": "WLBEAT",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json
index f6f929666fb..139ab72e02e 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json
@@ -3,10 +3,16 @@ "@timestamp": "2019-10-22T11:31:58.0398598Z", "event": { "action": "added-member-to-group", + "category": "iam", "code": 4732, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "group" + ] }, "group": { "domain": "WLBEAT", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json index d94dde1207b..1bc815b3730 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-10-22T11:32:14.8941288Z", "event": { "action": "removed-member-from-group", + "category": "iam", "code": 4733, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "group" + ] }, "group": { "domain": "WLBEAT", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json index b25a8a36949..3dc919714de 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json 
@@ -3,10 +3,16 @@ "@timestamp": "2019-10-22T11:32:35.1274042Z", "event": { "action": "deleted-group-account", + "category": "iam", "code": 4734, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "deletion", + "group" + ] }, "group": { "domain": "WLBEAT", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json index b746c834fc4..88c5d7e4c0c 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-10-22T11:32:30.425487Z", "event": { "action": "modified-group-account", + "category": "iam", "code": 4735, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "group" + ] }, "group": { "domain": "WLBEAT", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json index 84dd00dadf3..4cb1c5cc4e3 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json 
@@ -3,10 +3,16 @@ "@timestamp": "2019-10-22T11:33:57.2710608Z", "event": { "action": "modified-group-account", + "category": "iam", "code": 4737, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "group" + ] }, "group": { "domain": "WLBEAT", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json index be1b1ec8aa7..30226b8ad7a 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-09-06T13:36:17.5667652Z", "event": { "action": "modified-user-account", + "category": "iam", "code": 4738, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "user" + ] }, "host": { "name": "WIN-41OB2LO92CR" @@ -38,7 +44,7 @@ "HomeDirectory": "%%1793", "HomePath": "%%1793", "LogonHours": "%%1797", - "NewUacList": [ + "NewUACList": [ "LOCKOUT", "NORMAL_ACCOUNT" ], @@ -89,10 +95,16 @@ "@timestamp": "2019-09-06T13:36:36.3634107Z", "event": { "action": "modified-user-account", + "category": "iam", "code": 4738, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "user" + ] }, "host": { "name": "WIN-41OB2LO92CR" @@ -124,7 +136,7 @@ "HomeDirectory": "%%1793", "HomePath": "%%1793", "LogonHours": "%%1797", - "NewUacList": [ + "NewUACList": [ "LOCKOUT", "NORMAL_ACCOUNT" ], 
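Review bot: The `NewUacList` → `NewUACList` key rename in the two 4738 hunks changes a `winlog.event_data` field name that existing saved searches, visualizations and detection rules may already reference, so it is a breaking change for current users of the module rather than a cosmetic fix. It should be called out explicitly as a breaking change in the changelog (I do not see the rename mentioned alongside the new event IDs), and it would be safer to either keep emitting the old key for one release or ship a migration note listing every event_data key whose casing was normalized. If other golden files outside this view carry the same rename, the same note applies to them.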
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx.golden.json index a9f94e35dea..9e69876dcfd 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-09-06T13:39:43.0856521Z", "event": { "action": "locked-out-user-account", + "category": "iam", "code": 4740, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "user" + ] }, "host": { "name": "WIN-41OB2LO92CR" diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json index fd846c3ba05..c3cc298857f 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-10-22T11:34:33.783048Z", "event": { "action": "added-group-account", + "category": "iam", "code": 4754, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "creation", + "group" + ] }, "group": { "domain": "WLBEAT", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json index e05ef6843a7..08312b06f0a 100644 
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-10-22T11:35:09.0701134Z", "event": { "action": "modified-group-account", + "category": "iam", "code": 4755, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "group" + ] }, "group": { "domain": "WLBEAT", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json index 6d199101b60..1662f9e96ca 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-10-22T11:34:58.4130288Z", "event": { "action": "added-member-to-group", + "category": "iam", "code": 4756, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "group" + ] }, "group": { "domain": "WLBEAT", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json index 65c09c2b92f..ad2dcbf68b2 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json 
@@ -3,10 +3,16 @@ "@timestamp": "2019-10-22T11:35:09.0701919Z", "event": { "action": "removed-member-from-group", + "category": "iam", "code": 4757, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "group" + ] }, "group": { "domain": "WLBEAT", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json index 6b41b468b8d..eb6d7f8873d 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-10-22T11:35:13.5502867Z", "event": { "action": "deleted-group-account", + "category": "iam", "code": 4758, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "deletion", + "group" + ] }, "group": { "domain": "WLBEAT", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json index 6a876e9689d..7651be3f9c7 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json 
@@ -3,10 +3,16 @@ "@timestamp": "2019-10-22T11:33:57.271141Z", "event": { "action": "type-changed-group-account", + "category": "iam", "code": 4764, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "group" + ] }, "group": { "domain": "WLBEAT", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx.golden.json index 4a494e29010..c10208c9792 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-09-06T13:40:52.3149485Z", "event": { "action": "unlocked-user-account", + "category": "iam", "code": 4767, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "user" + ] }, "host": { "name": "WIN-41OB2LO92CR" diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx.golden.json index d66432da5e4..717cb8c8cce 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx.golden.json 
@@ -3,10 +3,16 @@ "@timestamp": "2019-09-06T13:38:17.5566269Z", "event": { "action": "renamed-user-account", + "category": "iam", "code": 4781, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "user" + ] }, "host": { "name": "WIN-41OB2LO92CR" @@ -66,10 +72,16 @@ "@timestamp": "2019-09-06T13:38:23.5161066Z", "event": { "action": "renamed-user-account", + "category": "iam", "code": 4781, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "user" + ] }, "host": { "name": "WIN-41OB2LO92CR" diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json index 470400162f0..cdc5eb60a82 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-10-08T10:20:34.0535453Z", "event": { "action": "group-membership-enumerated", + "category": "iam", "code": 4798, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "info", + "user" + ] }, "host": { "name": "WIN-41OB2LO92CR" diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json index ebcda23bdf1..9048b6b821f 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json @@ -3,10 +3,16 @@ "@timestamp": "2019-10-08T10:20:44.4724208Z", "event": { "action": "user-member-enumerated", + "category": "iam", "code": 4799, "kind": "event", "module": "security", - "provider": "Microsoft-Windows-Security-Auditing" + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "info", + "group" + ] }, "group": { "domain": "Builtin", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4964.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4964.evtx new file mode 100644 index 00000000000..1d14b8cd234 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4964.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4964.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4964.evtx.golden.json new file mode 100644 index 00000000000..930bc35db79 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4964.evtx.golden.json 
@@ -0,0 +1,136 @@ +[ + { + "@timestamp": "2020-03-21T23:50:34.347458Z", + "event": { + "action": "logged-in-special", + "category": "iam", + "code": 4964, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "group" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "related": { + "user": "Administrator" + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{af6b9825-ffd8-0000-2f9a-6bafd8ffd501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "SidList": "\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-519}", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-41OB2LO92CR$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "WLBEAT", + "TargetLogonGuid": "{c25cdf73-2322-651f-f4fb-db862c0e03a8}", + "TargetLogonId": "0x1d22ed", + "TargetUserName": "Administrator", + "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" + }, + "event_id": 4964, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x1d22ed" + }, + "opcode": "Info", + "process": { + "pid": 788, + "thread": { + "id": 828 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 68259, + "task": "Special Logon" + } + }, + { + "@timestamp": "2020-03-24T16:36:59.5703294Z", + "event": { + "action": "logged-in-special", + "category": "iam", + "code": 4964, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "group" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + 
"level": "information" + }, + "related": { + "user": "Administrator" + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{a22b4bf4-ffdc-0000-ee4d-2ba2dcffd501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "SidList": "\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-512}\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-519}\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-1007}", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-41OB2LO92CR$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "WLBEAT", + "TargetLogonGuid": "{38fec9bc-577f-76f6-5d29-e0175ce19797}", + "TargetLogonId": "0x7c0be", + "TargetUserName": "Administrator", + "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" + }, + "event_id": 4964, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x7c0be" + }, + "opcode": "Info", + "process": { + "pid": 784, + "thread": { + "id": 2608 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 68620, + "task": "Special Logon" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json index 9e92d3182a8..dbac75b2935 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json 
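Review bot: `SidList` in the new 4964 golden output is kept as a raw string (`"\n\t\t%{S-1-5-21-...-519}"`, and three whitespace-separated SIDs in the second event), yet those special-group SIDs are the only real payload of a 4964 special-logon event and the value an analyst would query on; the pipeline should split it into an array (e.g. `"SidList": ["S-1-5-21-101361758-2486510592-3018839910-519"]`) and, where resolvable, surface the group names so detections on RIDs such as -512/-519 (typically Domain Admins / Enterprise Admins) do not depend on substring matches across tabs and newlines. `related.user` is emitted as the scalar `"Administrator"` here (and as `"vagrant"` in the 4688 hunk below) while ECS defines `related.user` as an array; Elasticsearch accepts both, but consumers that iterate the field will see an inconsistent shape across events. The subject account `WIN-41OB2LO92CR$` is not added to `related.user` either, which may be intentional for a system-initiated event but is worth confirming.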
@@ -7,8 +7,9 @@ "code": 4688, "kind": "event", "module": "security", + "outcome": "success", "provider": "Microsoft-Windows-Security-Auditing", - "type": "process_start" + "type": "start" }, "host": { "name": "vagrant" @@ -32,10 +33,7 @@ "pid": 4556 }, "related": { - "user": [ - "vagrant", - "-" - ] + "user": "vagrant" }, "user": { "domain": "VAGRANT", @@ -64,6 +62,9 @@ "keywords": [ "Audit Success" ], + "logon": { + "id": "0x274a2" + }, "opcode": "Info", "process": { "pid": 4, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.evtx.golden.json index 16a9d810899..98d0aafb51b 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.evtx.golden.json @@ -7,8 +7,9 @@ "code": 4689, "kind": "event", "module": "security", + "outcome": "success", "provider": "Microsoft-Windows-Security-Auditing", - "type": "process_end" + "type": "end" }, "host": { "name": "vagrant" @@ -44,6 +45,9 @@ "keywords": [ "Audit Success" ], + "logon": { + "id": "0x274a2" + }, "opcode": "Info", "process": { "pid": 4, @@ -65,8 +69,9 @@ "code": 4689, "kind": "event", "module": "security", + "outcome": "success", "provider": "Microsoft-Windows-Security-Auditing", - "type": "process_end" + "type": "end" }, "host": { "name": "vagrant" @@ -102,6 +107,9 @@ "keywords": [ "Audit Success" ], + "logon": { + "id": "0x274f1" + }, "opcode": "Info", "process": { "pid": 4, @@ -123,8 +131,9 @@ "code": 4689, "kind": "event", "module": "security", + "outcome": "success", "provider": "Microsoft-Windows-Security-Auditing", - "type": "process_end" + "type": "end" }, "host": { "name": "vagrant" 
@@ -160,6 +169,9 @@ "keywords": [ "Audit Success" ], + "logon": { + "id": "0x274a2" + }, "opcode": "Info", "process": { "pid": 4,