diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 88154f732478..5aa72b534f1c 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -325,6 +325,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Winlogbeat* - Add more DNS error codes to the Sysmon module. {issue}15685[15685] +- Add Audit and Log Management, Computer Object Management, and Distribution Group related events to the Security module. {pull}15217[15217] ==== Deprecated diff --git a/winlogbeat/docs/modules/security.asciidoc b/winlogbeat/docs/modules/security.asciidoc index a0fc158e2b15..c7e7415244e3 100644 --- a/winlogbeat/docs/modules/security.asciidoc +++ b/winlogbeat/docs/modules/security.asciidoc @@ -8,6 +8,11 @@ The security module processes event log records from the Security log. The module has transformations for the following event IDs: +* 1100 - The event logging service has shut down. +* 1102 - The audit log was cleared. +* 1104 - The security log is now full. +* 1105 - Event log automatic backup. +* 1108 - The event logging service encountered an error while processing an incoming event published from %1 * 4624 - An account was successfully logged on. * 4625 - An account failed to log on. * 4634 - An account was logged off. 
@@ -16,16 +21,53 @@ The module has transformations for the following event IDs: * 4672 - Special privileges assigned to new logon. * 4688 - A new process has been created. * 4689 - A process has exited. +* 4719 - System audit policy was changed. * 4720 - A user account was created. * 4722 - A user account was enabled. * 4723 - An attempt was made to change an account's password. * 4724 - An attempt was made to reset an account's password. * 4725 - An user account was disabled. * 4726 - An user account was deleted. +* 4727 - A security-enabled global group was created. +* 4728 - A member was added to a security-enabled global group. +* 4729 - A member was removed from a security-enabled global group. +* 4730 - A security-enabled global group was deleted. +* 4731 - A security-enabled local group was created +* 4732 - A member was added to a security-enabled local group. +* 4733 - A member was removed from a security-enabled local group. +* 4734 - A security-enabled local group was deleted. +* 4735 - A security-enabled local group was changed. +* 4737 - A security-enabled global group was changed. * 4738 - An user account was changed. * 4740 - An user account was locked out. +* 4741 - A computer account was created. +* 4742 - A computer account was changed. +* 4743 - A computer account was deleted. +* 4744 - A security-disabled local group was created. +* 4745 - A security-disabled local group was changed. +* 4746 - A member was added to a security-disabled local group. +* 4747 - A member was removed from a security-disabled local group. +* 4748 - A security-disabled local group was deleted. +* 4749 - A security-disabled global group was created. +* 4750 - A security-disabled global group was changed. +* 4751 - A member was added to a security-disabled global group. +* 4752 - A member was removed from a security-disabled global group. +* 4753 - A security-disabled global group was deleted. +* 4754 - A security-enabled universal group was created. 
+* 4755 - A security-enabled universal group was changed. +* 4756 - A member was added to a security-enabled universal group. +* 4757 - A member was removed from a security-enabled universal group. +* 4758 - A security-enabled universal group was deleted. +* 4759 - A security-disabled universal group was created. +* 4760 - A security-disabled universal group was changed. +* 4761 - A member was added to a security-disabled universal group. +* 4762 - A member was removed from a security-disabled universal group. +* 4763 - A security-disabled global group was deleted. +* 4764 - A group's type was changed. * 4767 - An account was unlocked. * 4781 - The name of an account was changed. +* 4798 - A user's local group membership was enumerated. +* 4799 - A security-enabled local group membership was enumerated. More event IDs will be added. diff --git a/x-pack/winlogbeat/module/security/_meta/docs.asciidoc b/x-pack/winlogbeat/module/security/_meta/docs.asciidoc index a0fc158e2b15..c7e7415244e3 100644 --- a/x-pack/winlogbeat/module/security/_meta/docs.asciidoc +++ b/x-pack/winlogbeat/module/security/_meta/docs.asciidoc @@ -8,6 +8,11 @@ The security module processes event log records from the Security log. The module has transformations for the following event IDs: +* 1100 - The event logging service has shut down. +* 1102 - The audit log was cleared. +* 1104 - The security log is now full. +* 1105 - Event log automatic backup. +* 1108 - The event logging service encountered an error while processing an incoming event published from %1 * 4624 - An account was successfully logged on. * 4625 - An account failed to log on. * 4634 - An account was logged off. 
@@ -16,16 +21,53 @@ The module has transformations for the following event IDs: * 4672 - Special privileges assigned to new logon. * 4688 - A new process has been created. * 4689 - A process has exited. +* 4719 - System audit policy was changed. * 4720 - A user account was created. * 4722 - A user account was enabled. * 4723 - An attempt was made to change an account's password. * 4724 - An attempt was made to reset an account's password. * 4725 - An user account was disabled. * 4726 - An user account was deleted. +* 4727 - A security-enabled global group was created. +* 4728 - A member was added to a security-enabled global group. +* 4729 - A member was removed from a security-enabled global group. +* 4730 - A security-enabled global group was deleted. +* 4731 - A security-enabled local group was created +* 4732 - A member was added to a security-enabled local group. +* 4733 - A member was removed from a security-enabled local group. +* 4734 - A security-enabled local group was deleted. +* 4735 - A security-enabled local group was changed. +* 4737 - A security-enabled global group was changed. * 4738 - An user account was changed. * 4740 - An user account was locked out. +* 4741 - A computer account was created. +* 4742 - A computer account was changed. +* 4743 - A computer account was deleted. +* 4744 - A security-disabled local group was created. +* 4745 - A security-disabled local group was changed. +* 4746 - A member was added to a security-disabled local group. +* 4747 - A member was removed from a security-disabled local group. +* 4748 - A security-disabled local group was deleted. +* 4749 - A security-disabled global group was created. +* 4750 - A security-disabled global group was changed. +* 4751 - A member was added to a security-disabled global group. +* 4752 - A member was removed from a security-disabled global group. +* 4753 - A security-disabled global group was deleted. +* 4754 - A security-enabled universal group was created. 
+* 4755 - A security-enabled universal group was changed. +* 4756 - A member was added to a security-enabled universal group. +* 4757 - A member was removed from a security-enabled universal group. +* 4758 - A security-enabled universal group was deleted. +* 4759 - A security-disabled universal group was created. +* 4760 - A security-disabled universal group was changed. +* 4761 - A member was added to a security-disabled universal group. +* 4762 - A member was removed from a security-disabled universal group. +* 4763 - A security-disabled global group was deleted. +* 4764 - A group's type was changed. * 4767 - An account was unlocked. * 4781 - The name of an account was changed. +* 4798 - A user's local group membership was enumerated. +* 4799 - A security-enabled local group membership was enumerated. More event IDs will be added. diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index 13ef413f9e50..b6cac040b740 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js 
@@ -21,39 +21,46 @@ var security = (function () { // User Account Control Attributes Table // https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties - var uac_flags = [ - [0x0001, 'SCRIPT'], - [0x0002, 'ACCOUNTDISABLE'], - [0x0008, 'HOMEDIR_REQUIRED'], - [0x0010, 'LOCKOUT'], - [0x0020, 'PASSWD_NOTREQD'], - [0x0040, 'PASSWD_CANT_CHANGE'], - [0x0080, 'ENCRYPTED_TEXT_PWD_ALLOWED'], - [0x0100, 'TEMP_DUPLICATE_ACCOUNT'], - [0x0200, 'NORMAL_ACCOUNT'], - [0x0800, 'INTERDOMAIN_TRUST_ACCOUNT'], - [0x1000, 'WORKSTATION_TRUST_ACCOUNT'], - [0x2000, 'SERVER_TRUST_ACCOUNT'], - [0x10000, 'DONT_EXPIRE_PASSWORD'], - [0x20000, 'MNS_LOGON_ACCOUNT'], - [0x40000, 'SMARTCARD_REQUIRED'], - [0x80000, 'TRUSTED_FOR_DELEGATION'], - [0x100000, 'NOT_DELEGATED'], - [0x200000, 'USE_DES_KEY_ONLY'], - [0x400000, 'DONT_REQ_PREAUTH'], - [0x800000, 'PASSWORD_EXPIRED'], - [0x1000000, 'TRUSTED_TO_AUTH_FOR_DELEGATION'], - [0x04000000, 'PARTIAL_SECRETS_ACCOUNT'], + var uacFlags = [ + [0x0001, "SCRIPT"], + [0x0002, "ACCOUNTDISABLE"], + [0x0008, "HOMEDIR_REQUIRED"], + [0x0010, "LOCKOUT"], + [0x0020, "PASSWD_NOTREQD"], + [0x0040, "PASSWD_CANT_CHANGE"], + [0x0080, "ENCRYPTED_TEXT_PWD_ALLOWED"], + [0x0100, "TEMP_DUPLICATE_ACCOUNT"], + [0x0200, "NORMAL_ACCOUNT"], + [0x0800, "INTERDOMAIN_TRUST_ACCOUNT"], + [0x1000, "WORKSTATION_TRUST_ACCOUNT"], + [0x2000, "SERVER_TRUST_ACCOUNT"], + [0x10000, "DONT_EXPIRE_PASSWORD"], + [0x20000, "MNS_LOGON_ACCOUNT"], + [0x40000, "SMARTCARD_REQUIRED"], + [0x80000, "TRUSTED_FOR_DELEGATION"], + [0x100000, "NOT_DELEGATED"], + [0x200000, "USE_DES_KEY_ONLY"], + [0x400000, "DONT_REQ_PREAUTH"], + [0x800000, "PASSWORD_EXPIRED"], + [0x1000000, "TRUSTED_TO_AUTH_FOR_DELEGATION"], + [0x4000000, "PARTIAL_SECRETS_ACCOUNT"], ]; + // event.action Description Table // event.action Description Table var eventActionTypes = { + "1100": "logging-service-shutdown", + "1102": "changed-audit-config", + "1104": "logging-full", + "1105": 
"auditlog-archieved", + "1108": "logging-processing-error", "4624": "logged-in", "4625": "logon-failed", "4634": "logged-out", "4672": "logged-in-special", "4688": "created-process", "4689": "exited-process", + "4719": "changed-audit-config", "4720": "added-user-account", "4722": "enabled-user-account", "4723": "changed-password", 
@@ -61,22 +68,40 @@ var security = (function () { "4725": "disabled-user-account", "4726": "deleted-user-account", "4727": "added-group-account", - "4728": "added-group-account-to", - "4729": "deleted-group-account-from", + "4728": "added-member-to-group", + "4729": "removed-member-from-group", "4730": "deleted-group-account", - "4731": "added-group-account", - "4732": "added-group-account-to", - "4733": "deleted-group-account-from", + "4731": "added-member-to-group", + "4732": "added-member-to-group", + "4733": "removed-member-from-group", "4734": "deleted-group-account", "4735": "modified-group-account", "4737": "modified-group-account", "4738": "modified-user-account", "4740": "locked-out-user-account", + "4741": "added-computer-account", + "4742": "changed-computer-account", + "4743": "deleted-computer-account", + "4744": "added-distribution-group-account", + "4745": "changed-distribution-group-account", + "4746": "added-member-to-distribution-group", + "4747": "removed-member-from-distribution-group", + "4748": "deleted-distribution-group-account", + "4749": "added-distribution-group-account", + "4750": "changed-distribution-group-account", + "4751": "added-member-to-distribution-group", + "4752": "removed-member-from-distribution-group", + "4753": "deleted-distribution-group-account", "4754": "added-group-account", "4755": "modified-group-account", - "4756": "added-group-account-to", - "4757": "deleted-group-account-from", + "4756": "added-member-to-group", + "4757": "removed-member-from-group", "4758": "deleted-group-account", + "4759": "added-distribution-group-account", + "4760": "changed-distribution-group-account", + "4761": "added-member-to-distribution-group", + "4762": "removed-member-from-distribution-group", + "4763": "deleted-distribution-group-account", "4764": "type-changed-group-account", "4767": "unlocked-user-account", "4781": "renamed-user-account", 
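Review bot: `"4731": "added-member-to-group"` is wrong for 4731, which this same commit documents as "A security-enabled local group was created"; the old mapping `"added-group-account"` was correct and matches how 4727 and 4754 (global/universal group created) are still mapped, so restore `"4731": "added-group-account",`. As written, a group-creation event would be indistinguishable from a membership change in event.action. Separately, the new distribution-group entries use `changed-…` (`"4745": "changed-distribution-group-account"`) while the existing security-group entries use `modified-…` (`"4735": "modified-group-account"`); picking one verb for both families makes the action vocabulary easier to query. The eventActionTypes object is cut at both edges of the hunk.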
@@ -84,6 +109,73 @@ var security = (function () { "4799": "user-member-enumerated", }; + var auditActions = { + "8448": "Success Removed", + "8450": "Failure Removed", + "8449": "Success Added", + "8451": "Failure Added", + }; + + var auditDescription = { + "0CCE9210-69AE-11D9-BED3-505054503030": ["Security State Change", "System"], + "0CCE9211-69AE-11D9-BED3-505054503030": ["Security System Extension", "System"], + "0CCE9212-69AE-11D9-BED3-505054503030": ["System Integrity", "System"], + "0CCE9213-69AE-11D9-BED3-505054503030": ["IPsec Driver", "System"], + "0CCE9214-69AE-11D9-BED3-505054503030": ["Other System Events", "System"], + "0CCE9215-69AE-11D9-BED3-505054503030": ["Logon", "Logon/Logoff"], + "0CCE9216-69AE-11D9-BED3-505054503030": ["Logoff", "Logon/Logoff"], + "0CCE9217-69AE-11D9-BED3-505054503030": ["Account Lockout", "Logon/Logoff"], + "0CCE9218-69AE-11D9-BED3-505054503030": ["IPsec Main Mode", "Logon/Logoff"], + "0CCE9219-69AE-11D9-BED3-505054503030": ["IPsec Quick Mode", "Logon/Logoff"], + "0CCE921A-69AE-11D9-BED3-505054503030": ["IPsec Extended Mode", "Logon/Logoff"], + "0CCE921B-69AE-11D9-BED3-505054503030": ["Special Logon", "Logon/Logoff"], + "0CCE921C-69AE-11D9-BED3-505054503030": ["Other Logon/Logoff Events", "Logon/Logoff"], + "0CCE9243-69AE-11D9-BED3-505054503030": ["Network Policy Server", "Logon/Logoff"], + "0CCE9247-69AE-11D9-BED3-505054503030": ["User / Device Claims", "Logon/Logoff"], + "0CCE921D-69AE-11D9-BED3-505054503030": ["File System", "Object Access"], + "0CCE921E-69AE-11D9-BED3-505054503030": ["Registry", "Object Access"], + "0CCE921F-69AE-11D9-BED3-505054503030": ["Kernel Object", "Object Access"], + "0CCE9220-69AE-11D9-BED3-505054503030": ["SAM", "Object Access"], + "0CCE9221-69AE-11D9-BED3-505054503030": ["Certification Services", "Object Access"], + "0CCE9222-69AE-11D9-BED3-505054503030": ["Application Generated", "Object Access"], + "0CCE9223-69AE-11D9-BED3-505054503030": ["Handle Manipulation", "Object Access"], + 
"0CCE9224-69AE-11D9-BED3-505054503030": ["File Share", "Object Access"], + "0CCE9225-69AE-11D9-BED3-505054503030": ["Filtering Platform Packet Drop", "Object Access"], + "0CCE9226-69AE-11D9-BED3-505054503030": ["Filtering Platform Connection ", "Object Access"], + "0CCE9227-69AE-11D9-BED3-505054503030": ["Other Object Access Events", "Object Access"], + "0CCE9244-69AE-11D9-BED3-505054503030": ["Detailed File Share", "Object Access"], + "0CCE9245-69AE-11D9-BED3-505054503030": ["Removable Storage", "Object Access"], + "0CCE9246-69AE-11D9-BED3-505054503030": ["Central Policy Staging", "Object Access"], + "0CCE9228-69AE-11D9-BED3-505054503030": ["Sensitive Privilege Use", "Privilege Use"], + "0CCE9229-69AE-11D9-BED3-505054503030": ["Non Sensitive Privilege Use", "Privilege Use"], + "0CCE922A-69AE-11D9-BED3-505054503030": ["Other Privilege Use Events", "Privilege Use"], + "0CCE922B-69AE-11D9-BED3-505054503030": ["Process Creation", "Detailed Tracking"], + "0CCE922C-69AE-11D9-BED3-505054503030": ["Process Termination", "Detailed Tracking"], + "0CCE922D-69AE-11D9-BED3-505054503030": ["DPAPI Activity", "Detailed Tracking"], + "0CCE922E-69AE-11D9-BED3-505054503030": ["RPC Events", "Detailed Tracking"], + "0CCE9248-69AE-11D9-BED3-505054503030": ["Plug and Play Events", "Detailed Tracking"], + "0CCE922F-69AE-11D9-BED3-505054503030": ["Audit Policy Change", "Policy Change"], + "0CCE9230-69AE-11D9-BED3-505054503030": ["Authentication Policy Change", "Policy Change"], + "0CCE9231-69AE-11D9-BED3-505054503030": ["Authorization Policy Change", "Policy Change"], + "0CCE9232-69AE-11D9-BED3-505054503030": ["MPSSVC Rule-Level Policy Change", "Policy Change"], + "0CCE9233-69AE-11D9-BED3-505054503030": ["Filtering Platform Policy Change", "Policy Change"], + "0CCE9234-69AE-11D9-BED3-505054503030": ["Other Policy Change Events", "Policy Change"], + "0CCE9235-69AE-11D9-BED3-505054503030": ["User Account Management", "Account Management"], + "0CCE9236-69AE-11D9-BED3-505054503030": 
["Computer Account Management", "Account Management"], + "0CCE9237-69AE-11D9-BED3-505054503030": ["Security Group Management", "Account Management"], + "0CCE9238-69AE-11D9-BED3-505054503030": ["Distribution Group Management", "Account Management"], + "0CCE9239-69AE-11D9-BED3-505054503030": ["Application Group Management", "Account Management"], + "0CCE923A-69AE-11D9-BED3-505054503030": ["Other Account Management Events", "Account Management"], + "0CCE923B-69AE-11D9-BED3-505054503030": ["Directory Service Access", "Account Management"], + "0CCE923C-69AE-11D9-BED3-505054503030": ["Directory Service Changes", "Account Management"], + "0CCE923D-69AE-11D9-BED3-505054503030": ["Directory Service Replication", "Account Management"], + "0CCE923E-69AE-11D9-BED3-505054503030": ["Detailed Directory Service Replication", "Account Management"], + "0CCE923F-69AE-11D9-BED3-505054503030": ["Credential Validation", "Account Logon"], + "0CCE9240-69AE-11D9-BED3-505054503030": ["Kerberos Service Ticket Operations", "Account Logon"], + "0CCE9241-69AE-11D9-BED3-505054503030": ["Other Account Logon Events", "Account Logon"], + "0CCE9242-69AE-11D9-BED3-505054503030": ["Kerberos Authentication Service", "Account Logon"], + }; + // Descriptions of failure status codes. // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 var logonFailureStatus = { 
@@ -1150,27 +1242,54 @@ var security = (function () { evt.Put("winlog.logon.failure.sub_status", descriptiveFailureStatus); }; - var addUACDescription = function(evt) { + var addUACDescription = function (evt) { var code = evt.Get("winlog.event_data.NewUacValue"); if (!code) { return; } - var uac_code=parseInt(code); - var uac_result = []; - for (var i=0; i 0) { + evt.Put("winlog.event_data.NewUacList", uacResult); + } + + // Parse list of values like "%%2080 %%2082 %%2084". + var uacList = evt.Get("winlog.event_data.UserAccountControl"); + if (!uacList) { + return; + } + uacList = uacList.replace(/\s/g, "").split("%%").filter(String); + if (uacList.length > 0) { + evt.Put("winlog.event_data.UserAccountControl", uacList); + } + }; + + var addAuditInfo = function (evt) { + var subcategoryGuid = evt.Get("winlog.event_data.SubcategoryGuid").replace("{", "").replace("}", "").toUpperCase(); + if (!subcategoryGuid) { + return; } - var uac_list=evt.Get("winlog.event_data.UserAccountControl").replace(/\s/g,'').split("%%").filter(String); - if (! uac_list) { + if (!auditDescription[subcategoryGuid]) { return; } - evt.Put("winlog.event_data.UserAccountControl",uac_list); - }; + evt.Put("winlog.event_data.Category", auditDescription[subcategoryGuid][1]); + evt.Put("winlog.event_data.SubCategory", auditDescription[subcategoryGuid][0]); + var coded_actions = evt.Get("winlog.event_data.AuditPolicyChanges").split(","); + var action_results = []; + for (var j = 0; j < coded_actions.length; j++) { + var action_code = coded_actions[j].replace("%%", "").replace(" ", ""); + action_results.push(auditActions[action_code]); + } + evt.Put("winlog.event_data.AuditPolicyChangesDescription", action_results); + }; var copyTargetUser = new processor.Chain() .Convert({ 
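Review bot: In `addAuditInfo`, `.replace(...)` and `.toUpperCase()` are chained onto `evt.Get("winlog.event_data.SubcategoryGuid")` before the `if (!subcategoryGuid)` guard, so an event that lacks the field throws inside the chain instead of being skipped, and `evt.Get("winlog.event_data.AuditPolicyChanges").split(",")` has the same unguarded shape. An unrecognised change code also pushes `undefined` into AuditPolicyChangesDescription, because `auditActions[action_code]` is used without a fallback. The rewrite below fetches each field first and guards it, keeps the raw code when the lookup misses, and uses camelCase locals (`codedActions`, `actionResults`) consistent with the `uac_flags` to `uacFlags` rename this commit makes elsewhere. addUACDescription above it is partly garbled in this rendering and is not reviewed here.
```javascript
var addAuditInfo = function (evt) {
    var subcategoryGuid = evt.Get("winlog.event_data.SubcategoryGuid");
    if (!subcategoryGuid) {
        return;
    }
    subcategoryGuid = subcategoryGuid.replace("{", "").replace("}", "").toUpperCase();
    var description = auditDescription[subcategoryGuid];
    if (!description) {
        return;
    }
    evt.Put("winlog.event_data.Category", description[1]);
    evt.Put("winlog.event_data.SubCategory", description[0]);
    var codedActions = evt.Get("winlog.event_data.AuditPolicyChanges");
    if (!codedActions) {
        return;
    }
    var actionResults = [];
    var codes = codedActions.split(",");
    for (var j = 0; j < codes.length; j++) {
        var actionCode = codes[j].replace("%%", "").replace(" ", "");
        // Keep the raw code when it is not in auditActions rather than emitting undefined.
        actionResults.push(auditActions[actionCode] || actionCode);
    }
    evt.Put("winlog.event_data.AuditPolicyChangesDescription", actionResults);
};
```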
@@ -1181,6 +1300,10 @@ var security = (function () { ], ignore_missing: true, }) + .Add(function (evt) { + var user = evt.Get("winlog.event_data.TargetUserName"); + evt.AppendTo("related.user", user); + }) .Build(); var copyTargetUserToGroup = new processor.Chain() @@ -1194,6 +1317,17 @@ var security = (function () { }) .Build(); + var copyTargetUserToComputerObject = new processor.Chain() + .Convert({ + fields: [ + {from: "winlog.event_data.TargetSid", to: "winlog.computerObject.id"}, + {from: "winlog.event_data.TargetUserName", to: "winlog.computerObject.name"}, + {from: "winlog.event_data.TargetDomainName", to: "winlog.computerObject.domain"}, + ], + ignore_missing: true, + }) + .Build(); + var copyTargetUserLogonId = new processor.Chain() .Convert({ fields: [ @@ -1212,15 +1346,25 @@ var security = (function () { ], ignore_missing: true, }) + .Add(function(evt) { + var user = evt.Get("winlog.event_data.SubjectUserName"); + evt.AppendTo("related.user", user); + }) .Build(); - var copyOldTargetUser = new processor.Chain() + var copySubjectUserFromUserData = new processor.Chain() .Convert({ fields: [ - {from: "winlog.event_data.OldTargetUserName", to: "user.name"}, + {from: "winlog.user_data.SubjectUserSid", to: "user.id"}, + {from: "winlog.user_data.SubjectUserName", to: "user.name"}, + {from: "winlog.user_data.SubjectDomainName", to: "user.domain"}, ], ignore_missing: true, }) + .Add(function (evt) { + var user = evt.Get("winlog.user_data.SubjectUserName"); + evt.AppendTo("related.user", user); + }) .Build(); var copySubjectUserLogonId = new processor.Chain() @@ -1232,6 +1376,15 @@ var security = (function () { }) .Build(); + var copySubjectUserLogonIdFromUserData = new processor.Chain() + .Convert({ + fields: [ + {from: "winlog.user_data.SubjectLogonId", to: "winlog.logon.id"}, + ], + ignore_missing: true, + }) + .Build(); + var renameCommonAuthFields = new processor.Chain() .Convert({ fields: [ 
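Review bot: The callbacks appended to copyTargetUser, copySubjectUser and copySubjectUserFromUserData call `evt.AppendTo("related.user", user)` without checking that `user` was found, although the preceding `Convert` in each chain uses `ignore_missing: true` for the very same fields, so the name can legitimately be absent; whether AppendTo tolerates an undefined value is not visible here, but `if (user) { evt.AppendTo("related.user", user); }` removes the question. The same unguarded pattern is repeated in the hunk at -1363 (the process-creation chain, userMgmtEvts and userRenamed), so a small shared helper such as `var appendRelatedUser = function (evt, field) {...}` would fix all of them in one place. The callback added to copySubjectUser is written `function(evt)` while the rest of this commit normalises to `function (evt)`. The chain definitions are complete in these hunks; the enclosing `security` IIFE is not.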
@@ -1245,12 +1398,15 @@ var security = (function () { ignore_missing: true, fail_on_error: false, }) - .Add(function(evt) { + .Add(function (evt) { var name = evt.Get("process.name"); if (name) { return; } var exe = evt.Get("process.executable"); + if (!exe) { + return; + } evt.Put("process.name", path.basename(exe)); }) .Build(); @@ -1284,7 +1440,7 @@ var security = (function () { ignore_missing: true, fail_on_error: false, }) - .Add(function(evt) { + .Add(function (evt) { var name = evt.Get("process.name"); if (name) { return; @@ -1295,7 +1451,7 @@ var security = (function () { } evt.Put("process.name", path.basename(exe)); }) - .Add(function(evt) { + .Add(function (evt) { var name = evt.Get("process.parent.name"); if (name) { return; @@ -1306,7 +1462,7 @@ var security = (function () { } evt.Put("process.parent.name", path.basename(exe)); }) - .Add(function(evt) { + .Add(function (evt) { var cl = evt.Get("winlog.event_data.CommandLine"); if (!cl) { return; @@ -1349,7 +1505,7 @@ var security = (function () { var event4672 = new processor.Chain() .Add(copySubjectUser) .Add(copySubjectUserLogonId) - .Add(function(evt) { + .Add(function (evt) { var privs = evt.Get("winlog.event_data.PrivilegeList"); if (!privs) { return; 
@@ -1363,34 +1519,48 @@ var security = (function () { .Add(copySubjectUser) .Add(renameNewProcessFields) .Add(addActionDesc) - .Add(function(evt) { + .Add(function (evt) { evt.Put("event.category", "process"); evt.Put("event.type", "process_start"); }) + .Add(function (evt) { + var user = evt.Get("winlog.event_data.TargetUserName"); + evt.AppendTo("related.user", user); + }) .Build(); var event4689 = new processor.Chain() .Add(copySubjectUser) .Add(renameCommonAuthFields) .Add(addActionDesc) - .Add(function(evt) { + .Add(function (evt) { evt.Put("event.category", "process"); evt.Put("event.type", "process_end"); }) .Build(); var userMgmtEvts = new processor.Chain() - .Add(copyTargetUser) + .Add(copySubjectUser) .Add(copySubjectUserLogonId) .Add(renameCommonAuthFields) .Add(addUACDescription) .Add(addActionDesc) + .Add(function (evt) { + var user = evt.Get("winlog.event_data.TargetUserName"); + evt.AppendTo("related.user", user); + }) .Build(); var userRenamed = new processor.Chain() - .Add(copyOldTargetUser) + .Add(copySubjectUser) .Add(copySubjectUserLogonId) .Add(addActionDesc) + .Add(function (evt) { + var user_new = evt.Get("winlog.event_data.NewTargetUserName"); + evt.AppendTo("related.user", user_new); + var user_old = evt.Get("winlog.event_data.OldTargetUserName"); + evt.AppendTo("related.user", user_old); + }) .Build(); var groupMgmtEvts = new processor.Chain() 
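Review bot: `userMgmtEvts` switches from `copyTargetUser` to `copySubjectUser`, so for 4720 through 4740 the `user.*` fields now describe the actor who made the change rather than the account that was changed, with the target demoted to a `related.user` entry; `userRenamed` is changed the same way. That is a meaning change for existing dashboards and rules that read `user.name` on those events, and neither the changelog line nor the module docs in this commit mention it. A comment on the chain, such as `// user.* is the subject (actor); the affected account is only in related.user`, and a changelog note would make the new contract explicit. The first chain in the hunk starts above it, and the enclosing `security` IIFE is outside the hunk.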
@@ -1401,7 +1571,59 @@ var security = (function () { .Add(addActionDesc) .Build(); + var auditLogCleared = new processor.Chain() + .Add(copySubjectUserFromUserData) + .Add(copySubjectUserLogonIdFromUserData) + .Add(renameCommonAuthFields) + .Add(addActionDesc) + .Build(); + + var auditChanged = new processor.Chain() + .Add(copySubjectUser) + .Add(copySubjectUserLogonId) + .Add(renameCommonAuthFields) + .Add(addAuditInfo) + .Add(addActionDesc) + .Build(); + + var auditLogMgmt = new processor.Chain() + .Add(renameCommonAuthFields) + .Add(addActionDesc) + .Build(); + + var computerMgmtEvts = new processor.Chain() + .Add(copySubjectUser) + .Add(copySubjectUserLogonId) + .Add(copyTargetUserToComputerObject) + .Add(renameCommonAuthFields) + .Add(addActionDesc) + .Add(addUACDescription) + .Add(function (evt) { + var privs = evt.Get("winlog.event_data.PrivilegeList"); + if (!privs) { + return; + } + evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); + }) + .Build(); + return { + + // 1100 - The event logging service has shut down. + 1100: auditLogMgmt.Run, + + // 1102 - The audit log was cleared. + 1102: auditLogCleared.Run, + + // 1104 - The security log is now full. + 1104: auditLogMgmt.Run, + + // 1105 - Event log automatic backup. + 1105: auditLogMgmt.Run, + + // 1108 - The event logging service encountered an error while processing an incoming event published from %1 + 1108: auditLogMgmt.Run, + // 4624 - An account was successfully logged on. 4624: logonSuccess.Run, @@ -1426,6 +1648,9 @@ var security = (function () { // 4689 - A process has exited. 4689: event4689.Run, + // 4719 - System audit policy was changed. + 4719: auditChanged.Run, + // 4720 - A user account was created 4720: userMgmtEvts.Run, 
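Review bot: The PrivilegeList-splitting callback added to `computerMgmtEvts` appears to duplicate the one attached to `event4672` (its beginning is visible in the hunk at -1349); pulling it into a named processor, e.g. `var splitPrivilegeList = function (evt) { ... }` registered with `.Add(splitPrivilegeList)` in both chains, keeps the two from drifting apart. `auditLogCleared` and the other audit-log chains set neither `event.category` nor `event.type`, unlike the process chains in this file; if that is intentional for 1100–1108 a one-line comment saying so would help the next reader, since 1102 is the event most likely to be alerted on. The `return {` is followed by an empty line that the rest of the table does not use. The returned object continues past the end of the hunk.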
@@ -1480,6 +1705,45 @@ var security = (function () { // 4740 - An account was locked out 4740: userMgmtEvts.Run, + // 4741 - A computer account was created. + 4741: computerMgmtEvts.Run, + + // 4742 - A computer account was changed. + 4742: computerMgmtEvts.Run, + + // 4743 - A computer account was deleted. + 4743: computerMgmtEvts.Run, + + // 4744 - A security-disabled local group was created. + 4744: groupMgmtEvts.Run, + + // 4745 - A security-disabled local group was changed. + 4745: groupMgmtEvts.Run, + + // 4746 - A member was added to a security-disabled local group. + 4746: groupMgmtEvts.Run, + + // 4747 - A member was removed from a security-disabled local group. + 4747: groupMgmtEvts.Run, + + // 4748 - A security-disabled local group was deleted. + 4748: groupMgmtEvts.Run, + + // 4749 - A security-disabled global group was created. + 4749: groupMgmtEvts.Run, + + // 4750 - A security-disabled global group was changed. + 4750: groupMgmtEvts.Run, + + // 4751 - A member was added to a security-disabled global group. + 4751: groupMgmtEvts.Run, + + // 4752 - A member was removed from a security-disabled global group. + 4752: groupMgmtEvts.Run, + + // 4753 - A security-disabled global group was deleted. + 4753: groupMgmtEvts.Run, + // 4754 - A security-enabled universal group was created. 4754: groupMgmtEvts.Run, 
@@ -1495,6 +1759,21 @@ var security = (function () { // 4758 - A security-enabled universal group was deleted. 4758: groupMgmtEvts.Run, + // 4759 - A security-disabled universal group was created. + 4759: groupMgmtEvts.Run, + + // 4760 - A security-disabled universal group was changed. + 4760: groupMgmtEvts.Run, + + // 4761 - A member was added to a security-disabled universal group. + 4761: groupMgmtEvts.Run, + + // 4762 - A member was removed from a security-disabled universal group. + 4762: groupMgmtEvts.Run, + + // 4763 - A security-disabled global group was deleted. + 4763: groupMgmtEvts.Run, + // 4764 - A group\'s type was changed. 4764: groupMgmtEvts.Run, @@ -1510,9 +1789,9 @@ var security = (function () { // 4799 - A security-enabled local group membership was enumerated. 4799: groupMgmtEvts.Run, - process: function(evt) { - var event_id = evt.Get("winlog.event_id"); - var processor = this[event_id]; + process: function (evt) { + var eventId = evt.Get("winlog.event_id"); + var processor = this[eventId]; if (processor === undefined) { return; } diff --git a/x-pack/winlogbeat/module/security/test/testdata/1100.evtx b/x-pack/winlogbeat/module/security/test/testdata/1100.evtx new file mode 100644 index 000000000000..56ade4fdb857 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/1100.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/1100.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/1100.evtx.golden.json new file mode 100644 index 000000000000..e981d6042eaf --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/1100.evtx.golden.json 
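Review bot: The comment `// 4763 - A security-disabled global group was deleted.` contradicts the sequence it closes — 4759 through 4762 are all security-disabled universal group events — and repeats the text already used for 4753; it should read `// 4763 - A security-disabled universal group was deleted.` The same wording is added to winlogbeat/docs/modules/security.asciidoc and the module's _meta/docs.asciidoc in this commit, so correct all three together. The `eventId` rename in `process` is fine; the returned object it belongs to starts outside the hunk.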
@@ -0,0 +1,38 @@ +[ + { + "@timestamp": "2019-11-07T10:37:04.2260925Z", + "event": { + "action": "logging-service-shutdown", + "code": 1100, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Eventlog" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_id": 1100, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 1144, + "thread": { + "id": 4532 + } + }, + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_name": "Microsoft-Windows-Eventlog", + "record_id": 14257, + "task": "Service shutdown" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/1102.evtx b/x-pack/winlogbeat/module/security/test/testdata/1102.evtx new file mode 100644 index 000000000000..877656221614 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/1102.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/1102.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/1102.evtx.golden.json new file mode 100644 index 000000000000..16f6e120b8a7 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/1102.evtx.golden.json 
@@ -0,0 +1,56 @@ +[ + { + "@timestamp": "2019-11-07T10:34:29.0559196Z", + "event": { + "action": "changed-audit-config", + "code": 1102, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Eventlog" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "related": { + "user": "Administrator" + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_id": 1102, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x50e87" + }, + "opcode": "Info", + "process": { + "pid": 1144, + "thread": { + "id": 1824 + } + }, + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_name": "Microsoft-Windows-Eventlog", + "record_id": 14224, + "task": "Log clear", + "user_data": { + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x50e87", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "xml_name": "LogFileCleared" + } + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/1104.evtx b/x-pack/winlogbeat/module/security/test/testdata/1104.evtx new file mode 100644 index 000000000000..5f9b87b3b81d Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/1104.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/1104.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/1104.evtx.golden.json new file mode 100644 index 000000000000..e75caf10328e --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/1104.evtx.golden.json 
@@ -0,0 +1,38 @@ +[ + { + "@timestamp": "2019-11-08T07:56:17.3217049Z", + "event": { + "action": "logging-full", + "code": 1104, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Eventlog" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "error" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_id": 1104, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 1096, + "thread": { + "id": 1444 + } + }, + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_name": "Microsoft-Windows-Eventlog", + "record_id": 19352, + "task": "Event processing" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/1105.evtx b/x-pack/winlogbeat/module/security/test/testdata/1105.evtx new file mode 100644 index 000000000000..053cf74080d2 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/1105.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/1105.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/1105.evtx.golden.json new file mode 100644 index 000000000000..ca72947620e9 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/1105.evtx.golden.json 
@@ -0,0 +1,43 @@ +[ + { + "@timestamp": "2019-11-07T16:22:14.8425353Z", + "event": { + "action": "auditlog-archieved", + "code": 1105, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Eventlog" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_id": 1105, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 1156, + "thread": { + "id": 1484 + } + }, + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_name": "Microsoft-Windows-Eventlog", + "record_id": 18197, + "task": "Log automatic backup", + "user_data": { + "BackupPath": "C:\\Windows\\System32\\Winevt\\Logs\\Archive-Security-2019-11-07-16-22-14-780.evtx", + "Channel": "Security", + "xml_name": "AutoBackup" + } + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4719.evtx b/x-pack/winlogbeat/module/security/test/testdata/4719.evtx new file mode 100644 index 000000000000..5d93e0eddc5a Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4719.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/4719.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4719.evtx.golden.json new file mode 100644 index 000000000000..8780c91d12dc --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4719.evtx.golden.json 
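Review bot: `"action": "auditlog-archieved"` misspells "archived"; because golden files are regenerated from the module's output, the typo is in the action mapping for event 1105 and should be corrected there (`"auditlog-archived"`) before this fixture is committed, otherwise the misspelling becomes the documented value that queries must match. The value also differs in shape from its neighbours `changed-audit-config` and `logging-full`; a consistent verb-object form would be easier to query across the module.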
@@ -0,0 +1,66 @@ +[ + { + "@timestamp": "2019-11-07T15:22:57.6553291Z", + "event": { + "action": "changed-audit-config", + "code": 4719, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "related": { + "user": "WIN-41OB2LO92CR$" + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-18", + "name": "WIN-41OB2LO92CR$" + }, + "winlog": { + "activity_id": "{3eef0a0d-9551-0000-140c-ef3e5195d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "AuditPolicyChanges": "%%8449, %%8451", + "AuditPolicyChangesDescription": [ + "Success Added", + "Failure Added" + ], + "Category": "Logon/Logoff", + "CategoryId": "%%8273", + "SubCategory": "Network Policy Server", + "SubcategoryGuid": "{0cce9243-69ae-11d9-bed3-505054503030}", + "SubcategoryId": "%%12552", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-41OB2LO92CR$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": 4719, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 772, + "thread": { + "id": 2944 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 17154, + "task": "Audit Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4741.evtx b/x-pack/winlogbeat/module/security/test/testdata/4741.evtx new file mode 100644 index 000000000000..cdeb09704c9d Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4741.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/4741.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4741.evtx.golden.json new file mode 100644 index 000000000000..cd4bd32fb464 
--- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4741.evtx.golden.json 
@@ -0,0 +1,94 @@ +[ + { + "@timestamp": "2019-12-18T16:22:12.3112534Z", + "event": { + "action": "added-computer-account", + "code": 4741, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computerObject": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2902", + "name": "TESTCOMPUTEROBJ$" + }, + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "AccountExpires": "%%1794", + "AllowedToDelegateTo": "-", + "DisplayName": "-", + "DnsHostName": "-", + "HomeDirectory": "-", + "HomePath": "-", + "LogonHours": "%%1793", + "NewUacList": [ + "SCRIPT", + "ENCRYPTED_TEXT_PWD_ALLOWED" + ], + "NewUacValue": "0x85", + "OldUacValue": "0x0", + "PasswordLastSet": "%%1794", + "PrimaryGroupId": "515", + "PrivilegeList": [ + "-" + ], + "ProfilePath": "-", + "SamAccountName": "TESTCOMPUTEROBJ$", + "ScriptPath": "-", + "ServicePrincipalNames": "-", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2902", + "TargetUserName": "TESTCOMPUTEROBJ$", + "UserAccountControl": [ + "2080", + "2082", + "2087" + ], + "UserParameters": "-", + "UserPrincipalName": "-", + "UserWorkstations": "-" + }, + "event_id": 4741, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + 
"record_id": 3699929, + "task": "Computer Account Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4742.evtx b/x-pack/winlogbeat/module/security/test/testdata/4742.evtx new file mode 100644 index 000000000000..8ff13f184050 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4742.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/4742.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4742.evtx.golden.json new file mode 100644 index 000000000000..423f7e92280e --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4742.evtx.golden.json 
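Review bot: `winlog.computerObject` is the only camelCase key under `winlog`; every sibling (`computer_name`, `event_id`, `provider_guid`, `record_id`) is snake_case, so `computer_object` would match the rest of the namespace — the same key appears in the 4742 and 4743 golden files. Separately, `event_data.AccountExpires` and `LogonHours` still hold unresolved message-table placeholders (`"%%1794"`, `"%%1793"`) while `NewUacList` has been decoded into names; resolving these, or noting in the module docs that they are left raw, would keep the fixture from pinning a half-translated state as expected output.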
@@ -0,0 +1,92 @@ +[ + { + "@timestamp": "2019-12-18T16:22:12.3425087Z", + "event": { + "action": "changed-computer-account", + "code": 4742, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computerObject": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2902", + "name": "TESTCOMPUTEROBJ$" + }, + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "AccountExpires": "-", + "AllowedToDelegateTo": "-", + "ComputerAccountChange": "-", + "DisplayName": "-", + "DnsHostName": "-", + "HomeDirectory": "-", + "HomePath": "-", + "LogonHours": "-", + "NewUacList": [ + "ENCRYPTED_TEXT_PWD_ALLOWED" + ], + "NewUacValue": "0x84", + "OldUacValue": "0x85", + "PasswordLastSet": "-", + "PrimaryGroupId": "-", + "PrivilegeList": [ + "-" + ], + "ProfilePath": "-", + "SamAccountName": "-", + "ScriptPath": "-", + "ServicePrincipalNames": "-", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2902", + "TargetUserName": "TESTCOMPUTEROBJ$", + "UserAccountControl": [ + "2048" + ], + "UserParameters": "-", + "UserPrincipalName": "-", + "UserWorkstations": "-" + }, + "event_id": 4742, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3699934, + "task": 
"Computer Account Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4743.evtx b/x-pack/winlogbeat/module/security/test/testdata/4743.evtx new file mode 100644 index 000000000000..64c00c642752 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4743.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/4743.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4743.evtx.golden.json new file mode 100644 index 000000000000..a64f16845964 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4743.evtx.golden.json 
@@ -0,0 +1,66 @@ +[ + { + "@timestamp": "2019-12-18T16:25:21.5781833Z", + "event": { + "action": "deleted-computer-account", + "code": 4743, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computerObject": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2902", + "name": "TESTCOMPUTEROBJ$" + }, + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": [ + "-" + ], + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2902", + "TargetUserName": "TESTCOMPUTEROBJ$" + }, + "event_id": 4743, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3699966, + "task": "Computer Account Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4744.evtx b/x-pack/winlogbeat/module/security/test/testdata/4744.evtx new file mode 100644 index 000000000000..61be7da1a8ad Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4744.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json new file mode 100644 index 000000000000..efad3a186bdb --- /dev/null 
+++ b/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json @@ -0,0 +1,65 @@ +[ + { + "@timestamp": "2019-12-18T16:26:46.8744233Z", + "event": { + "action": "added-distribution-group-account", + "code": 4744, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "group": { + "domain": "TEST", + "name": "testdistlocal" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testdistlocal", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal" + }, + "event_id": 4744, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3699973, + "task": "Distribution Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4745.evtx b/x-pack/winlogbeat/module/security/test/testdata/4745.evtx new file mode 100644 index 000000000000..8dd6395c88c3 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4745.evtx differ 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4745.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4745.evtx.golden.json new file mode 100644 index 000000000000..115c5ba452f1 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4745.evtx.golden.json @@ -0,0 +1,65 @@ +[ + { + "@timestamp": "2019-12-18T16:29:05.0175739Z", + "event": { + "action": "changed-distribution-group-account", + "code": 4745, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "group": { + "domain": "TEST", + "name": "testdistlocal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testdistlocal1", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal1" + }, + "event_id": 4745, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3700000, + "task": "Distribution Group Management" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4746.evtx b/x-pack/winlogbeat/module/security/test/testdata/4746.evtx new file mode 100644 index 000000000000..bf795f569235 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4746.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json new file mode 100644 index 000000000000..bb1f2e0fe393 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json 
@@ -0,0 +1,65 @@ +[ + { + "@timestamp": "2019-12-18T16:31:01.6117458Z", + "event": { + "action": "added-member-to-distribution-group", + "code": 4746, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "group": { + "domain": "TEST", + "name": "testdistlocal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal1" + }, + "event_id": 4746, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3700022, + "task": "Distribution Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4747.evtx b/x-pack/winlogbeat/module/security/test/testdata/4747.evtx new file mode 100644 index 000000000000..600be4fae34a Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4747.evtx differ 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json new file mode 100644 index 000000000000..734c1f25acc5 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json @@ -0,0 +1,65 @@ +[ + { + "@timestamp": "2019-12-18T16:35:16.6816525Z", + "event": { + "action": "removed-member-from-distribution-group", + "code": 4747, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "group": { + "domain": "TEST", + "name": "testdistlocal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal1" + }, + "event_id": 4747, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3700064, + "task": "Distribution Group Management" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4748.evtx b/x-pack/winlogbeat/module/security/test/testdata/4748.evtx new file mode 100644 index 000000000000..7ff600bea926 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4748.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/4748.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4748.evtx.golden.json new file mode 100644 index 000000000000..529c63c93fbb --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4748.evtx.golden.json @@ -0,0 +1,63 @@ +[ + { + "@timestamp": "2019-12-19T08:01:45.9824133Z", + "event": { + "action": "deleted-distribution-group-account", + "code": 4748, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "group": { + "domain": "TEST", + "name": "testdistlocal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal1" + }, + "event_id": 4748, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3707490, + "task": "Distribution Group Management" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4749.evtx b/x-pack/winlogbeat/module/security/test/testdata/4749.evtx new file mode 100644 index 000000000000..3447d534f8c5 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4749.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json new file mode 100644 index 000000000000..e00d62d4e0f9 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json 
@@ -0,0 +1,65 @@ +[ + { + "@timestamp": "2019-12-19T08:03:42.7234679Z", + "event": { + "action": "added-distribution-group-account", + "code": 4749, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "group": { + "domain": "TEST", + "name": "testglobal" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testglobal", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal" + }, + "event_id": 4749, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3707497, + "task": "Distribution Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4750.evtx b/x-pack/winlogbeat/module/security/test/testdata/4750.evtx new file mode 100644 index 000000000000..f0100046be47 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4750.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json new file mode 100644 index 000000000000..5cc18e986c11 --- /dev/null 
+++ b/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json @@ -0,0 +1,65 @@ +[ + { + "@timestamp": "2019-12-19T08:10:57.4737631Z", + "event": { + "action": "changed-distribution-group-account", + "code": 4750, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "group": { + "domain": "TEST", + "name": "testglobal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testglobal1", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal1" + }, + "event_id": 4750, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3707550, + "task": "Distribution Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4751.evtx b/x-pack/winlogbeat/module/security/test/testdata/4751.evtx new file mode 100644 index 000000000000..528c5c98f4b9 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4751.evtx differ 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json new file mode 100644 index 000000000000..acad53e1f9da --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json @@ -0,0 +1,65 @@ +[ + { + "@timestamp": "2019-12-19T08:20:29.0889568Z", + "event": { + "action": "added-member-to-distribution-group", + "code": 4751, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "group": { + "domain": "TEST", + "name": "testglobal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal1" + }, + "event_id": 4751, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3707667, + "task": "Distribution Group Management" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4752.evtx b/x-pack/winlogbeat/module/security/test/testdata/4752.evtx new file mode 100644 index 000000000000..032e261daab1 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4752.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json new file mode 100644 index 000000000000..6daa89967bd9 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json 
@@ -0,0 +1,65 @@ +[ + { + "@timestamp": "2019-12-19T08:21:23.6444225Z", + "event": { + "action": "removed-member-from-distribution-group", + "code": 4752, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "group": { + "domain": "TEST", + "name": "testglobal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal1" + }, + "event_id": 4752, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3707686, + "task": "Distribution Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4753.evtx b/x-pack/winlogbeat/module/security/test/testdata/4753.evtx new file mode 100644 index 000000000000..e1580b7f446f Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4753.evtx differ 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4753.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4753.evtx.golden.json new file mode 100644 index 000000000000..a202dced9ea5 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4753.evtx.golden.json @@ -0,0 +1,63 @@ +[ + { + "@timestamp": "2019-12-19T08:24:36.5952761Z", + "event": { + "action": "deleted-distribution-group-account", + "code": 4753, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "group": { + "domain": "TEST", + "name": "testglobal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal1" + }, + "event_id": 4753, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3707709, + "task": "Distribution Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4759.evtx b/x-pack/winlogbeat/module/security/test/testdata/4759.evtx new file mode 100644 index 000000000000..1ce72b356478 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4759.evtx differ 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json new file mode 100644 index 000000000000..f7f1d4e03dd6 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json @@ -0,0 +1,65 @@ +[ + { + "@timestamp": "2019-12-19T08:26:26.1432582Z", + "event": { + "action": "added-distribution-group-account", + "code": 4759, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "group": { + "domain": "TEST", + "name": "testuni" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testuni", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", + "TargetUserName": "testuni" + }, + "event_id": 4759, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3707737, + "task": "Distribution Group Management" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4760.evtx b/x-pack/winlogbeat/module/security/test/testdata/4760.evtx new file mode 100644 index 000000000000..927202b07120 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4760.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json new file mode 100644 index 000000000000..dee61d9d3716 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json 
@@ -0,0 +1,65 @@
+[
+ {
+ "@timestamp": "2019-12-19T08:28:21.0305977Z",
+ "event": {
+ "action": "changed-distribution-group-account",
+ "code": 4760,
+ "kind": "event",
+ "module": "security",
+ "provider": "Microsoft-Windows-Security-Auditing"
+ },
+ "group": {
+ "domain": "TEST",
+ "name": "testuni2"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "log": {
+ "level": "information"
+ },
+ "related": {
+ "user": "at_adm"
+ },
+ "user": {
+ "domain": "TEST",
+ "id": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "name": "at_adm"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "event_data": {
+ "PrivilegeList": "-",
+ "SamAccountName": "testuni2",
+ "SidHistory": "-",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x2e67800",
+ "SubjectUserName": "at_adm",
+ "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "TargetDomainName": "TEST",
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905",
+ "TargetUserName": "testuni2"
+ },
+ "event_id": 4760,
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x2e67800"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 492,
+ "thread": {
+ "id": 664
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 3707745,
+ "task": "Distribution Group Management"
+ }
+ }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4761.evtx b/x-pack/winlogbeat/module/security/test/testdata/4761.evtx
new file mode 100644
index 000000000000..5928adae29bf
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4761.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json
new file mode 100644
index 000000000000..ded73373373b
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json
@@ -0,0 +1,65 @@
+[
+ {
+ "@timestamp": "2019-12-19T08:29:38.4487328Z",
+ "event": {
+ "action": "added-member-to-distribution-group",
+ "code": 4761,
+ "kind": "event",
+ "module": "security",
+ "provider": "Microsoft-Windows-Security-Auditing"
+ },
+ "group": {
+ "domain": "TEST",
+ "name": "testuni2"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "log": {
+ "level": "information"
+ },
+ "related": {
+ "user": "at_adm"
+ },
+ "user": {
+ "domain": "TEST",
+ "id": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "name": "at_adm"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "event_data": {
+ "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS",
+ "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500",
+ "PrivilegeList": "-",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x2e67800",
+ "SubjectUserName": "at_adm",
+ "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "TargetDomainName": "TEST",
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905",
+ "TargetUserName": "testuni2"
+ },
+ "event_id": 4761,
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x2e67800"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 492,
+ "thread": {
+ "id": 1348
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 3707755,
+ "task": "Distribution Group Management"
+ }
+ }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4762.evtx b/x-pack/winlogbeat/module/security/test/testdata/4762.evtx
new file mode 100644
index 000000000000..ca909040c8f0
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4762.evtx differ
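Review bot: In the 4761 golden, related.user carries only the subject (`"user": "at_adm"`) although the event also names the account being added to the group (`MemberSid` ending in -500, `MemberName` as a DN), so a search on related.user for the member's identity will not surface this membership change. If related.user is meant to list every user identity an event names, the module's enrichment (outside this diff) should append the member as well — at least its SID, since MemberName is a distinguished name rather than a SAM account name — and this golden regenerated accordingly. The 4762 golden in the next file has the same gap for the removed member.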
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json
new file mode 100644
index 000000000000..4b346ef8e596
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json
@@ -0,0 +1,65 @@
+[
+ {
+ "@timestamp": "2019-12-19T08:33:25.9678735Z",
+ "event": {
+ "action": "removed-member-from-distribution-group",
+ "code": 4762,
+ "kind": "event",
+ "module": "security",
+ "provider": "Microsoft-Windows-Security-Auditing"
+ },
+ "group": {
+ "domain": "TEST",
+ "name": "testuni2"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "log": {
+ "level": "information"
+ },
+ "related": {
+ "user": "at_adm"
+ },
+ "user": {
+ "domain": "TEST",
+ "id": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "name": "at_adm"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "event_data": {
+ "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS",
+ "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500",
+ "PrivilegeList": "-",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x2e67800",
+ "SubjectUserName": "at_adm",
+ "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "TargetDomainName": "TEST",
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905",
+ "TargetUserName": "testuni2"
+ },
+ "event_id": 4762,
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x2e67800"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 492,
+ "thread": {
+ "id": 1348
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 3707841,
+ "task": "Distribution Group Management"
+ }
+ }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4763.evtx b/x-pack/winlogbeat/module/security/test/testdata/4763.evtx
new file mode 100644
index 000000000000..1f75bec6aa63
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4763.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4763.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4763.evtx.golden.json
new file mode 100644
index 000000000000..d4069947156f
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/4763.evtx.golden.json
@@ -0,0 +1,63 @@
+[
+ {
+ "@timestamp": "2019-12-19T08:34:23.1623432Z",
+ "event": {
+ "action": "deleted-distribution-group-account",
+ "code": 4763,
+ "kind": "event",
+ "module": "security",
+ "provider": "Microsoft-Windows-Security-Auditing"
+ },
+ "group": {
+ "domain": "TEST",
+ "name": "testuni2"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "log": {
+ "level": "information"
+ },
+ "related": {
+ "user": "at_adm"
+ },
+ "user": {
+ "domain": "TEST",
+ "id": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "name": "at_adm"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "event_data": {
+ "PrivilegeList": "-",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x2e67800",
+ "SubjectUserName": "at_adm",
+ "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "TargetDomainName": "TEST",
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905",
+ "TargetUserName": "testuni2"
+ },
+ "event_id": 4763,
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x2e67800"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 492,
+ "thread": {
+ "id": 1348
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 3707847,
+ "task": "Distribution Group Management"
+ }
+ }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json
index 4d5bec2efd94..519a58ec9596 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json
@@ -22,6 +22,9 @@
 "name": "services.exe",
 "pid": 508
 },
+ "related": {
+ "user": "SYSTEM"
+ },
 "user": {
 "domain": "NT AUTHORITY",
 "id": "S-1-5-18",
@@ -96,6 +99,9 @@
 "name": "services.exe",
 "pid": 508
 },
+ "related": {
+ "user": "SYSTEM"
+ },
 "user": {
 "domain": "NT AUTHORITY",
 "id": "S-1-5-18",
@@ -170,6 +176,9 @@
 "name": "winlogon.exe",
 "pid": 448
 },
+ "related": {
+ "user": "vagrant"
+ },
 "source": {
 "domain": "VAGRANT-2012-R2",
 "ip": "127.0.0.1",
@@ -247,6 +256,9 @@
 "name": "services.exe",
 "pid": 508
 },
+ "related": {
+ "user": "SYSTEM"
+ },
 "user": {
 "domain": "NT AUTHORITY",
 "id": "S-1-5-18",
@@ -321,6 +333,9 @@
 "name": "-",
 "pid": 0
 },
+ "related": {
+ "user": "ANONYMOUS LOGON"
+ },
 "user": {
 "domain": "NT AUTHORITY",
 "id": "S-1-5-7",
@@ -395,6 +410,9 @@
 "name": "-",
 "pid": 0
 },
+ "related": {
+ "user": "vagrant"
+ },
 "user": {
 "domain": "VAGRANT-2012-R2",
 "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
@@ -469,6 +487,9 @@
 "name": "-",
 "pid": 0
 },
+ "related": {
+ "user": "vagrant"
+ },
 "user": {
 "domain": "VAGRANT-2012-R2",
 "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
@@ -543,6 +564,9 @@
 "name": "-",
 "pid": 0
 },
+ "related": {
+ "user": "vagrant"
+ },
 "user": {
 "domain": "VAGRANT-2012-R2",
 "id": "S-1-5-21-3541430928-2051711210-1391384369-1001",
@@ -617,6 +641,9 @@
 "name": "-",
 "pid": 0
 },
+ "related": {
+ "user": "vagrant"
+ },
 "source": {
 "domain": "127.0.0.1"
 },
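Review bot: related.user is emitted as a bare string here (`"user": "SYSTEM"`) but as an array in the 4720, 4722, 4738 and other goldens further down, so the field's JSON type depends on how many names the event happened to carry. Elasticsearch will accept both for a keyword field, but any consumer reading the beat's JSON output directly has to branch on the value type; emitting a one-element array consistently (`"user": ["SYSTEM"]`) would keep the shape stable. This applies to every hunk in this file and to the other modified goldens below, so it is raised once here.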
@@ -694,6 +721,9 @@
 "name": "winlogon.exe",
 "pid": 2812
 },
+ "related": {
+ "user": "DWM-2"
+ },
 "user": {
 "domain": "Window Manager",
 "id": "S-1-5-90-2",
@@ -768,6 +798,9 @@
 "name": "winlogon.exe",
 "pid": 2812
 },
+ "related": {
+ "user": "vagrant"
+ },
 "source": {
 "domain": "VAGRANT-2012-R2",
 "ip": "10.0.2.2",
@@ -845,6 +878,9 @@
 "name": "winlogon.exe",
 "pid": 2188
 },
+ "related": {
+ "user": "DWM-3"
+ },
 "user": {
 "domain": "Window Manager",
 "id": "S-1-5-90-3",
@@ -919,6 +955,9 @@
 "name": "services.exe",
 "pid": 508
 },
+ "related": {
+ "user": "SYSTEM"
+ },
 "user": {
 "domain": "NT AUTHORITY",
 "id": "S-1-5-18",
@@ -993,6 +1032,9 @@
 "name": "services.exe",
 "pid": 508
 },
+ "related": {
+ "user": "SYSTEM"
+ },
 "user": {
 "domain": "NT AUTHORITY",
 "id": "S-1-5-18",
@@ -1067,6 +1109,9 @@
 "name": "services.exe",
 "pid": 508
 },
+ "related": {
+ "user": "SYSTEM"
+ },
 "user": {
 "domain": "NT AUTHORITY",
 "id": "S-1-5-18",
@@ -1141,6 +1186,9 @@
 "name": "services.exe",
 "pid": 508
 },
+ "related": {
+ "user": "SYSTEM"
+ },
 "user": {
 "domain": "NT AUTHORITY",
 "id": "S-1-5-18",
@@ -1215,6 +1263,9 @@
 "name": "services.exe",
 "pid": 508
 },
+ "related": {
+ "user": "SYSTEM"
+ },
 "user": {
 "domain": "NT AUTHORITY",
 "id": "S-1-5-18",
@@ -1289,6 +1340,9 @@
 "name": "svchost.exe",
 "pid": 836
 },
+ "related": {
+ "user": "bosch"
+ },
 "source": {
 "domain": "VAGRANT-2012-R2",
 "ip": "::1",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-4672.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-4672.evtx.golden.json
index 5b3297d7b848..7aee5aeef9a5 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-4672.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-4672.evtx.golden.json
@@ -14,6 +14,9 @@
 "log": {
 "level": "information"
 },
+ "related": {
+ "user": "vagrant"
+ },
 "user": {
 "domain": "VAGRANT-2016",
 "id": "S-1-5-21-1766348727-1038078804-3833492317-1000",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.evtx.golden.json
index 133ebc30241d..c1166103e9b5 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.evtx.golden.json
@@ -14,6 +14,9 @@
 "log": {
 "level": "information"
 },
+ "related": {
+ "user": "audittest"
+ },
 "user": {
 "domain": "WIN-41OB2LO92CR",
 "id": "S-1-5-21-101361758-2486510592-3018839910-1000",
@@ -66,6 +69,9 @@
 "log": {
 "level": "information"
 },
+ "related": {
+ "user": "Administrator"
+ },
 "user": {
 "domain": "WIN-41OB2LO92CR",
 "id": "S-1-5-21-101361758-2486510592-3018839910-500",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json
index ed353a5b134a..f2092d9bb8dc 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json
@@ -14,12 +14,16 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": [
+ "Administrator",
+ "elastictest1"
+ ]
 },
 "user": {
 "domain": "WIN-41OB2LO92CR",
- "name": "elastictest1"
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator"
 },
 "winlog": {
 "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
@@ -33,7 +37,7 @@
 "HomeDirectory": "%%1793",
 "HomePath": "%%1793",
 "LogonHours": "%%1797",
- "NewUACList": [
+ "NewUacList": [
 "SCRIPT",
 "LOCKOUT"
 ],
@@ -97,12 +101,16 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": [
+ "Administrator",
+ "audittest0609"
+ ]
 },
 "user": {
 "domain": "WIN-41OB2LO92CR",
- "name": "audittest0609"
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator"
 },
 "winlog": {
 "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
@@ -116,7 +124,7 @@
 "HomeDirectory": "%%1793",
 "HomePath": "%%1793",
 "LogonHours": "%%1797",
- "NewUACList": [
+ "NewUacList": [
 "SCRIPT",
 "LOCKOUT"
 ],
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json
index ea7df4abb175..605482595355 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json
@@ -14,12 +14,16 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": [
+ "Administrator",
+ "audittest"
+ ]
 },
 "user": {
 "domain": "WIN-41OB2LO92CR",
- "name": "audittest"
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator"
 },
 "winlog": {
 "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
@@ -70,12 +74,16 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": [
+ "Administrator",
+ "audittest0609"
+ ]
 },
 "user": {
 "domain": "WIN-41OB2LO92CR",
- "name": "audittest0609"
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator"
 },
 "winlog": {
 "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json
index cb4427e5f10e..f59261c6a023 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json
@@ -14,11 +14,12 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": "Administrator"
 },
 "user": {
 "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
 "name": "Administrator"
 },
 "winlog": {
@@ -71,11 +72,12 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": "Administrator"
 },
 "user": {
 "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
 "name": "Administrator"
 },
 "winlog": {
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json
index ed7ef8cc039b..83b326077891 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json
@@ -14,12 +14,16 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": [
+ "Administrator",
+ "elastictest1"
+ ]
 },
 "user": {
 "domain": "WIN-41OB2LO92CR",
- "name": "elastictest1"
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator"
 },
 "winlog": {
 "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
@@ -70,12 +74,16 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": [
+ "Administrator",
+ "audittest0609"
+ ]
 },
 "user": {
 "domain": "WIN-41OB2LO92CR",
- "name": "audittest0609"
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator"
 },
 "winlog": {
 "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json
index 713f0627c074..8c8d35b4b731 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json
@@ -14,12 +14,16 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": [
+ "Administrator",
+ "audittest"
+ ]
 },
 "user": {
 "domain": "WIN-41OB2LO92CR",
- "name": "audittest"
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator"
 },
 "winlog": {
 "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
@@ -70,12 +74,16 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": [
+ "Administrator",
+ "audittest0609"
+ ]
 },
 "user": {
 "domain": "WIN-41OB2LO92CR",
- "name": "audittest0609"
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator"
 },
 "winlog": {
 "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json
index 2d3657287840..dbdbea6bce86 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json
@@ -14,12 +14,16 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": [
+ "Administrator",
+ "audittest23"
+ ]
 },
 "user": {
 "domain": "WIN-41OB2LO92CR",
- "name": "audittest23"
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator"
 },
 "winlog": {
 "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
@@ -71,12 +75,16 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": [
+ "Administrator",
+ "audittest"
+ ]
 },
 "user": {
 "domain": "WIN-41OB2LO92CR",
- "name": "audittest"
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator"
 },
 "winlog": {
 "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json
index 6311485f98e6..74625a932467 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json
@@ -18,8 +18,8 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": "WIN-41OB2LO92CR$"
 },
 "user": {
 "domain": "WLBEAT",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json
index 18688f658882..7eb4b1750357 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2019-10-22T11:33:26.8613751Z",
 "event": {
- "action": "added-group-account-to",
+ "action": "added-member-to-group",
 "code": 4728,
 "kind": "event",
 "module": "security",
@@ -18,8 +18,8 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": "Administrator"
 },
 "user": {
 "domain": "WLBEAT",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json
index c21867417b53..e932893c283a 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2019-10-22T11:33:45.5433159Z",
 "event": {
- "action": "deleted-group-account-from",
+ "action": "removed-member-from-group",
 "code": 4729,
 "kind": "event",
 "module": "security",
@@ -18,8 +18,8 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": "Administrator"
 },
 "user": {
 "domain": "WLBEAT",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json
index 79fbb2460b32..a859249e5713 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json
@@ -18,8 +18,8 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": "Administrator"
 },
 "user": {
 "domain": "WLBEAT",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json
index abad2a27cb31..d9e51ee82c1e 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2019-10-22T11:29:49.3586766Z",
 "event": {
- "action": "added-group-account",
+ "action": "added-member-to-group",
 "code": 4731,
 "kind": "event",
 "module": "security",
@@ -18,8 +18,8 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": "Administrator"
 },
 "user": {
 "domain": "WLBEAT",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json
index 639534db0643..f6f929666fbc 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2019-10-22T11:31:58.0398598Z",
 "event": {
- "action": "added-group-account-to",
+ "action": "added-member-to-group",
 "code": 4732,
 "kind": "event",
 "module": "security",
@@ -18,8 +18,8 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": "Administrator"
 },
 "user": {
 "domain": "WLBEAT",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json
index 27d14f380833..d94dde1207b3 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2019-10-22T11:32:14.8941288Z",
 "event": {
- "action": "deleted-group-account-from",
+ "action": "removed-member-from-group",
 "code": 4733,
 "kind": "event",
 "module": "security",
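Review bot: The 4731 golden now expects `"action": "added-member-to-group"`, but 4731 is "A security-enabled local group was created" (so listed in this PR's docs), while the member-add events for local groups are 4732 and 4756; the previous value `"action": "added-group-account"` matched the event's meaning. Since goldens are regenerated from module output, this most likely reflects an event-id-to-action mapping error in the module's processor (outside this diff) rather than a stray edit, and it should be corrected there and the golden regenerated, because detections keyed on event.action would otherwise classify group creations as membership changes. The 4727 and 4754 goldens (global and universal group creation) do not change their action in this diff, which supports reading 4731 as the odd one out.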
@@ -18,8 +18,8 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": "Administrator"
 },
 "user": {
 "domain": "WLBEAT",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json
index 760bbb1be507..b25a8a36949f 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json
@@ -18,8 +18,8 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": "Administrator"
 },
 "user": {
 "domain": "WLBEAT",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json
index 329fcb0ac7b8..b746c834fc4b 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json
@@ -18,8 +18,8 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": "Administrator"
 },
 "user": {
 "domain": "WLBEAT",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json
index 4672aa95fdd5..84dd00dadf34 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json
@@ -18,8 +18,8 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": "Administrator"
 },
 "user": {
 "domain": "WLBEAT",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json
index 9919c7c8b8e1..be1b1ec8aa74 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json
@@ -14,12 +14,16 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": [
+ "Administrator",
+ "elastictest1"
+ ]
 },
 "user": {
 "domain": "WIN-41OB2LO92CR",
- "name": "elastictest1"
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator"
 },
 "winlog": {
 "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
@@ -34,7 +38,7 @@
 "HomeDirectory": "%%1793",
 "HomePath": "%%1793",
 "LogonHours": "%%1797",
- "NewUACList": [
+ "NewUacList": [
 "LOCKOUT",
 "NORMAL_ACCOUNT"
 ],
@@ -96,12 +100,16 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": [
+ "Administrator",
+ "audittest0609"
+ ]
 },
 "user": {
 "domain": "WIN-41OB2LO92CR",
- "name": "audittest0609"
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator"
 },
 "winlog": {
 "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
@@ -116,7 +124,7 @@
 "HomeDirectory": "%%1793",
 "HomePath": "%%1793",
 "LogonHours": "%%1797",
- "NewUACList": [
+ "NewUacList": [
 "LOCKOUT",
 "NORMAL_ACCOUNT"
 ],
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx.golden.json
index 12993e3dc888..a9f94e35dea8 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx.golden.json
@@ -14,12 +14,16 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": [
+ "WIN-41OB2LO92CR$",
+ "elastictest1"
+ ]
 },
 "user": {
- "domain": "WIN-41OB2LO92CR",
- "name": "elastictest1"
+ "domain": "WORKGROUP",
+ "id": "S-1-5-18",
+ "name": "WIN-41OB2LO92CR$"
 },
 "winlog": {
 "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json
index 31e249f3b383..fd846c3ba050 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json
@@ -18,8 +18,8 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": "Administrator"
 },
 "user": {
 "domain": "WLBEAT",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json
index 3da5d675f356..e05ef6843a7e 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json
@@ -18,8 +18,8 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": "Administrator"
 },
 "user": {
 "domain": "WLBEAT",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json
index 031a2963453e..6d199101b602 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2019-10-22T11:34:58.4130288Z",
 "event": {
- "action": "added-group-account-to",
+ "action": "added-member-to-group",
 "code": 4756,
 "kind": "event",
 "module": "security",
@@ -18,8 +18,8 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": "Administrator"
 },
 "user": {
 "domain": "WLBEAT",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json
index 4382e0477591..65c09c2b92f2 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json
@@ -2,7 +2,7 @@
 {
 "@timestamp": "2019-10-22T11:35:09.0701919Z",
 "event": {
- "action": "deleted-group-account-from",
+ "action": "removed-member-from-group",
 "code": 4757,
 "kind": "event",
 "module": "security",
@@ -18,8 +18,8 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": "Administrator"
 },
 "user": {
 "domain": "WLBEAT",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json
index e11763e88c2a..6b41b468b8d9 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json
@@ -18,8 +18,8 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": "Administrator"
 },
 "user": {
 "domain": "WLBEAT",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json
index 63b0fceb1c96..6a876e9689d7 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json
@@ -18,8 +18,8 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": "Administrator"
 },
 "user": {
 "domain": "WLBEAT",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx.golden.json
index 5fb24c952977..4a494e29010f 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx.golden.json
@@ -14,12 +14,16 @@
 "log": {
 "level": "information"
 },
- "process": {
- "name": "null"
+ "related": {
+ "user": [
+ "Administrator",
+ "elastictest1"
+ ]
 },
 "user": {
 "domain": "WIN-41OB2LO92CR",
- "name": "elastictest1"
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator"
 },
 "winlog": {
 "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx.golden.json
index 065859e7cb33..d66432da5e4d 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx.golden.json
@@ -14,8 +14,17 @@ "log": { "level": "information" }, + "related": { + "user": [ + "Administrator", + "audittest06", + "audittest0609" + ] + }, "user": { - "name": "audittest0609" + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", @@ -68,8 +77,17 @@ "log": { "level": "information" }, + "related": { + "user": [ + "Administrator", + "audittest0609", + "audittest06" + ] + }, "user": { - "name": "audittest06" + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json index 36692dbe5916..470400162f02 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json @@ -14,12 +14,16 @@ "log": { "level": "information" }, - "process": { - "name": "null" + "related": { + "user": [ + "WIN-41OB2LO92CR$", + "elastictest1" + ] }, "user": { - "domain": "WIN-41OB2LO92CR", - "name": "elastictest1" + "domain": "WORKGROUP", + "id": "S-1-5-18", + "name": "WIN-41OB2LO92CR$" }, "winlog": { "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json index 13f0f77b9d09..ebcda23bdf1d 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json 
@@ -18,8 +18,8 @@ "log": { "level": "information" }, - "process": { - "name": "null" + "related": { + "user": "WIN-41OB2LO92CR$" }, "user": { "domain": "WORKGROUP", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json index 1582ad5f50ec..9e92d3182a87 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json @@ -31,6 +31,12 @@ }, "pid": 4556 }, + "related": { + "user": [ + "vagrant", + "-" + ] + }, "user": { "domain": "VAGRANT", "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.evtx.golden.json index 7b7f0c4422a1..16a9d810899f 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.evtx.golden.json @@ -21,6 +21,9 @@ "name": "wevtutil.exe", "pid": 5412 }, + "related": { + "user": "vagrant" + }, "user": { "domain": "VAGRANT", "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", @@ -76,6 +79,9 @@ "name": "taskhostw.exe", "pid": 3988 }, + "related": { + "user": "vagrant" + }, "user": { "domain": "VAGRANT", "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", @@ -131,6 +137,9 @@ "name": "wevtutil.exe", "pid": 2760 }, + "related": { + "user": "vagrant" + }, "user": { "domain": "VAGRANT", "id": "S-1-5-21-1610636575-2290000098-1654242922-1000",
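Review bot: In the security-windows2019_4688_Process_Created golden, `related.user` now carries the literal placeholder `"-"` alongside `"vagrant"`; in Security-log event data `-` is the "no value" marker rather than an account name, so indexing it makes a search on `related.user` match a meaningless token in every such event. The helper that populates `related.user` is not in this diff (presumably the module's JavaScript processor), but it should drop `-` before appending, so the expected golden line is the single-element form `"related": { "user": "vagrant" }` as in the 4689 hunks below. The `"-"` also suggests a target-user lookup that did not apply to this event type, so it may be worth confirming which source field is being added for 4688. Separately, the same field is emitted as a string where one user is present and as an array where several are, which Elasticsearch accepts for a keyword field but which gives downstream JSON consumers two shapes for one key.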
