5 changes: 5 additions & 0 deletions packages/system/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "2.7.1"
changes:
- description: Fixed parsing of SidList field in Windows Security event 4908 (Special Groups Logon table modified) by normalizing whitespace separators.
type: bugfix
link: https://github.com/elastic/integrations/pull/15797
- version: "2.7.0"
changes:
- description: Add NTP data stream.
@@ -0,0 +1,46 @@
{
"events": [
{
"@timestamp": "2020-08-19T06:07:25.0461779Z",
"event": {
"action": "Audit Policy Change",
"code": "4908",
"kind": "event",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing"
},
"host": {
"name": "WIN-BVM4LI1L1Q6.TEST.local"
},
"log": {
"level": "information"
},
"labels": {
"origin": "https://github.com/elastic/beats/commit/dd7a1b3808eb98e77fb49b268cd3764cc17eff5b"
},
"message": "Special Groups Logon table modified.\n\nSpecial Groups:\t\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-32-123-54-65}\n\nThis event is generated when the list of special groups is updated in the registry or through security policy. The updated list of special groups is indicated in the event.",
"winlog": {
"channel": "Security",
"computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
"event_data": {
"SidList": "\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-32-123-54-65}"
},
"event_id": "4908",
"keywords": [
"Audit Success"
],
"opcode": "Info",
"process": {
"pid": 784,
"thread": {
"id": 808
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 140274,
"task": "Audit Policy Change"
}
}
]
}
@@ -0,0 +1,64 @@
{
"expected": [
{
"@timestamp": "2020-08-19T06:07:25.0461779Z",
"ecs": {
"version": "8.11.0"
},
"event": {
"action": "special-group-table-changed",
"category": [
"iam",
"configuration"
],
"code": "4908",
"kind": "event",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"admin",
"change"
]
},
"host": {
"name": "WIN-BVM4LI1L1Q6.TEST.local"
},
"labels": {
"origin": "https://github.com/elastic/beats/commit/dd7a1b3808eb98e77fb49b268cd3764cc17eff5b"
},
"log": {
"level": "information"
},
"message": "Special Groups Logon table modified.\n\nSpecial Groups:\t\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-32-123-54-65}\n\nThis event is generated when the list of special groups is updated in the registry or through security policy. The updated list of special groups is indicated in the event.",
"winlog": {
"channel": "Security",
"computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
"event_data": {
"SidList": [
"%{S-1-5-32-544}",
"%{S-1-5-32-123-54-65}"
],
"SidListDesc": [
"Administrators",
"S-1-5-32-123-54-65"
]
},
"event_id": "4908",
"keywords": [
"Audit Success"
],
"opcode": "Info",
"process": {
"pid": 784,
"thread": {
"id": 808
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": "140274",
"task": "Audit Policy Change"
}
}
]
}
Expand Up @@ -4432,7 +4432,12 @@ processors:
ctx.winlog?.event_data?.OldTargetUserName != null &&
ctx.winlog.event_data.OldTargetUserName != "-"


- gsub:
description: Normalize separators in the SidList value.
field: winlog.event_data.SidList
pattern: '\s+'
replacement: ' '
ignore_missing: true
- script:
lang: painless
ignore_failure: false
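Review bot: The gsub with `pattern: '\s+'` turns the leading `\n\t\t` of the raw SidList value into a single leading space rather than removing it, so the split that follows (in the Painless script starting after this hunk, outside the visible lines) receives a value that begins with its own separator; the windows-package fixture added in this same PR records an empty-string first element for exactly this input. A trim placed between the gsub and the script avoids that without changing the separator normalization: `- trim:` / `field: winlog.event_data.SidList` / `ignore_missing: true`. The system expected fixture here shows no empty element, so the system-side split may already discard blank tokens — worth confirming rather than leaving the two pipelines to differ silently on the same input. Note also that `ignore_missing` only covers an absent field; if SidList ever arrives already as a non-string value, the gsub would presumably fail the whole pipeline, since no `ignore_failure` is set on it.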
2 changes: 1 addition & 1 deletion packages/system/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.0.2
name: system
title: System
version: "2.7.0"
version: "2.7.1"
description: Collect system logs and metrics from your servers with Elastic Agent.
type: integration
categories:
5 changes: 5 additions & 0 deletions packages/windows/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "3.1.3"
changes:
- description: Fixed parsing of SidList field in Windows Security event 4908 (Special Groups Logon table modified) by normalizing whitespace separators.
type: bugfix
link: https://github.com/elastic/integrations/pull/15797
- version: "3.1.2"
changes:
- description: Remove unused agent files.
@@ -0,0 +1,46 @@
{
"events": [
{
"@timestamp": "2020-08-19T06:07:25.0461779Z",
"event": {
"action": "Audit Policy Change",
"code": "4908",
"kind": "event",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing"
},
"host": {
"name": "WIN-BVM4LI1L1Q6.TEST.local"
},
"log": {
"level": "information"
},
"labels": {
"origin": "https://github.com/elastic/beats/commit/dd7a1b3808eb98e77fb49b268cd3764cc17eff5b"
},
"message": "Special Groups Logon table modified.\n\nSpecial Groups:\t\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-32-123-54-65}\n\nThis event is generated when the list of special groups is updated in the registry or through security policy. The updated list of special groups is indicated in the event.",
"winlog": {
"channel": "Security",
"computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
"event_data": {
"SidList": "\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-32-123-54-65}"
},
"event_id": "4908",
"keywords": [
"Audit Success"
],
"opcode": "Info",
"process": {
"pid": 784,
"thread": {
"id": 808
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 140274,
"task": "Audit Policy Change"
}
}
]
}
@@ -0,0 +1,70 @@
{
"expected": [
{
"@timestamp": "2020-08-19T06:07:25.0461779Z",
"ecs": {
"version": "8.17.0"
},
"event": {
"action": "special-group-table-changed",
"category": [
"iam",
"configuration"
],
"code": "4908",
"kind": "event",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"admin",
"change"
]
},
"host": {
"name": "WIN-BVM4LI1L1Q6.TEST.local",
"os": {
"family": "windows",
"type": "windows"
}
},
"labels": {
"origin": "https://github.com/elastic/beats/commit/dd7a1b3808eb98e77fb49b268cd3764cc17eff5b"
},
"log": {
"level": "information"
},
"message": "Special Groups Logon table modified.\n\nSpecial Groups:\t\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-32-123-54-65}\n\nThis event is generated when the list of special groups is updated in the registry or through security policy. The updated list of special groups is indicated in the event.",
"winlog": {
"channel": "Security",
"computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
"event_data": {
"SidList": [
"",
"%{S-1-5-32-544}",
"%{S-1-5-32-123-54-65}"
],
"SidListDesc": [
"",
"Administrators",
"S-1-5-32-123-54-65"
]
},
"event_id": "4908",
"keywords": [
"Audit Success"
],
"opcode": "Info",
"process": {
"pid": 784,
"thread": {
"id": 808
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": "140274",
"task": "Audit Policy Change"
}
}
]
}
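Review bot: The fixture pins `""` as the first element of both `SidList` and `SidListDesc`; that entry is an artifact of the leading newline in the raw `SidList` value being collapsed to a leading space before the split, not a group SID, and committing it as expected output locks the artifact in. If the pipeline strips surrounding whitespace before splitting, these two `""` entries should be dropped so the test asserts exactly the two SIDs, matching the system-package expected output added in this same PR. Consumers that iterate `SidList` (detection rules, SID-to-name enrichment) would otherwise see a bogus empty SID on every 4908 event.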
Expand Up @@ -3931,7 +3931,12 @@ processors:
ctx.winlog?.event_data?.OldTargetUserName != null &&
ctx.winlog.event_data.OldTargetUserName != "-"


- gsub:
description: Normalize separators in the SidList value.
field: winlog.event_data.SidList
pattern: '\s+'
replacement: ' '
ignore_missing: true
- script:
lang: painless
ignore_failure: false
Expand Down Expand Up @@ -4260,7 +4265,8 @@ processors:

void splitSidList(def sids, def params, def ctx) {
ArrayList al = new ArrayList();
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This highlights that the system/security and windows/forwarded pipelines are no longer in sync. We will need to address that separately, hopefully taking advantage of new tooling in elastic-package that avoids duplicating content.

def sidList = sids.splitOnToken(" ");
def sidsArray = sids.splitOnToken(" ");
ArrayList sidList = new ArrayList(Arrays.asList(sidsArray));
ctx.winlog.event_data.put("SidList", sidList);
for (def i = 0; i < sidList.length; i++ ) {
al.add(translateSID(sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""), params));
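Review bot: For the fixture input, the new gsub produces ` %{S-1-5-32-544} %{S-1-5-32-123-54-65}` with a leading space, and `sids.splitOnToken(" ")` in splitSidList then yields an empty first token, which the new expected fixture records as `""` in both SidList and SidListDesc. Adding a trim between the gsub and the script (`- trim:` / `field: winlog.event_data.SidList` / `ignore_missing: true`), or skipping blank tokens in the loop before calling `translateSID`, keeps a non-SID entry out of a field that detection content iterates. The `.replace(" ","")` inside the loop only cleans individual tokens and cannot remove the empty token itself. splitSidList continues past the end of the hunk, so any change inside the loop would need to be checked against the rest of the function.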
2 changes: 1 addition & 1 deletion packages/windows/manifest.yml
@@ -1,6 +1,6 @@
name: windows
title: Windows
version: 3.1.2
version: 3.1.3
description: Collect logs and metrics from Windows OS and services with Elastic Agent.
type: integration
categories: