diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index b8b661b48b88..bb7431376262 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -446,6 +446,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add support for event ID 22 (DNS query) to the Sysmon module. {pull}12960[12960] - Add certain winlog.event_data.* fields to the index template. {issue}13700[13700] {pull}13704[13704] - Fill `event.provider`. {pull}13937[13937] +- Add support for user management events to the Security module. {pull}13530[13530] ==== Deprecated diff --git a/winlogbeat/docs/modules/security.asciidoc b/winlogbeat/docs/modules/security.asciidoc index 533bed552edb..295a0aedd23a 100644 --- a/winlogbeat/docs/modules/security.asciidoc +++ b/winlogbeat/docs/modules/security.asciidoc @@ -14,6 +14,16 @@ The module has transformations for the following event IDs: * 4647 - User initiated logoff (interactive logon types). * 4648 - A logon was attempted using explicit credentials. * 4672 - Special privileges assigned to new logon. +* 4720 - A user account was created. +* 4722 - A user account was enabled. +* 4723 - An attempt was made to change an account's password. +* 4724 - An attempt was made to reset an account's password. +* 4725 - An user account was disabled. +* 4726 - An user account was deleted. +* 4738 - An user account was changed. +* 4740 - An user account was locked out. +* 4767 - An account was unlocked. +* 4781 - The name of an account was changed. More event IDs will be added. diff --git a/x-pack/winlogbeat/module/security/_meta/docs.asciidoc b/x-pack/winlogbeat/module/security/_meta/docs.asciidoc index 533bed552edb..295a0aedd23a 100644 --- a/x-pack/winlogbeat/module/security/_meta/docs.asciidoc +++ b/x-pack/winlogbeat/module/security/_meta/docs.asciidoc 
@@ -14,6 +14,16 @@ The module has transformations for the following event IDs: * 4647 - User initiated logoff (interactive logon types). * 4648 - A logon was attempted using explicit credentials. * 4672 - Special privileges assigned to new logon. +* 4720 - A user account was created. +* 4722 - A user account was enabled. +* 4723 - An attempt was made to change an account's password. +* 4724 - An attempt was made to reset an account's password. +* 4725 - An user account was disabled. +* 4726 - An user account was deleted. +* 4738 - An user account was changed. +* 4740 - An user account was locked out. +* 4767 - An account was unlocked. +* 4781 - The name of an account was changed. More event IDs will be added. diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index 5d17f0b9abb2..d5305e7f3f25 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js @@ -19,6 +19,23 @@ var security = (function () { "11": "CachedInteractive", }; + var eventActionTypes = { + "4624": "logged-in", + "4625": "logon-failed", + "4634": "logged-out", + "4672": "logged-in-special", + "4720": "added-user-account", + "4722": "enabled-user-account", + "4723": "changed-password", + "4724": "reset-password", + "4725": "disabled-user-account", + "4726": "deleted-user-account", + "4738": "modified-user-account", + "4740": "locked-out-user-account", + "4767": "unlocked-user-account", + "4781": "renamed-user-account", + }; + // Descriptions of failure status codes. // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 var logonFailureStatus = { 
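Review bot: The `eventActionTypes` table has no entries for 4647 and 4648, yet the `logoff` and `logonSuccess` chains that the later hunk says handle those codes (`// Handles 4634 and 4647`, `// Handles both 4624 and 4648`) now end with `addActionDesc`, so those two events keep whatever `event.action` the core already set while their siblings 4634 and 4624 get the new lower-case names. The documentation hunk above still lists 4647 and 4648 as supported, so the vocabulary is inconsistent within the logon/logoff family a query would typically group together. Adding `"4647": "logged-out",` and `"4648": "logged-in-explicit",` (or whichever names fit the convention) closes the gap. The `security` closure this table sits in starts before the hunk.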
@@ -1030,6 +1047,17 @@ var security = (function () { return msobjsMessageTable[code]; }; + var addActionDesc = function(evt){ + var code = evt.Get("event.code"); + if (!code) { + return; + } + var eventActionDescription = eventActionTypes[code]; + if (eventActionDescription) { + evt.Put("event.action", eventActionDescription); + } + }; + var addLogonType = function(evt) { var code = evt.Get("winlog.event_data.LogonType"); if (!code) { @@ -1074,19 +1102,6 @@ var security = (function () { evt.Put("winlog.logon.failure.sub_status", descriptiveFailureStatus); }; - // Add logon IDs to winlog.logon.id to make it easy to find all activity - // related to a logon ID. - var addLogonIds = function(evt) { - var id = evt.Get("winlog.event_data.SubjectLogonId"); - if (id) { - evt.AppendTo("winlog.logon.id", id); - } - id = evt.Get("winlog.event_data.TargetLogonId"); - if (id) { - evt.AppendTo("winlog.logon.id", id); - } - }; - var copyTargetUser = new processor.Chain() .Convert({ fields: [ @@ -1096,7 +1111,15 @@ var security = (function () { ], ignore_missing: true, }) - .Add(addLogonIds) + .Build(); + + var copyTargetUserLogonId = new processor.Chain() + .Convert({ + fields: [ + {from: "winlog.event_data.TargetLogonId", to: "winlog.logon.id"}, + ], + ignore_missing: true, + }) .Build(); var copySubjectUser = new processor.Chain() @@ -1108,7 +1131,24 @@ var security = (function () { ], ignore_missing: true, }) - .Add(addLogonIds) + .Build(); + + var copyOldTargetUser = new processor.Chain() + .Convert({ + fields: [ + {from: "winlog.event_data.OldTargetUserName", to: "user.name"}, + ], + ignore_missing: true, + }) + .Build(); + + var copySubjectUserLogonId = new processor.Chain() + .Convert({ + fields: [ + {from: "winlog.event_data.SubjectLogonId", to: "winlog.logon.id"}, + ], + ignore_missing: true, + }) .Build(); var renameCommonAuthFields = new processor.Chain() 
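Review bot: `addActionDesc` picks the action from `event.code` alone, so the attempt-style events 4723 and 4724 are labelled `changed-password` / `reset-password` whether or not the attempt succeeded; the new 4723 golden file in this commit contains a record with keywords `Audit Failure` that still carries `changed-password`. A detection keyed on `event.action` for password changes would therefore count failed attempts as completed changes. I would record the outcome next to the action: if `addAuthSuccess` / `addAuthFailed` (used by the 4624/4625 chains) already set `event.outcome`, a keyword-driven variant for the user-management chains, roughly as below, is enough. The enclosing `security` closure starts and ends outside this hunk.
```javascript
    // Derive event.outcome from the audit keywords so that attempt events
    // (4723, 4724) can be told apart from completed changes.
    var addOutcomeFromKeywords = function(evt) {
        var keywords = evt.Get("winlog.keywords");
        if (!keywords) {
            return;
        }
        if (keywords.indexOf("Audit Failure") !== -1) {
            evt.Put("event.outcome", "failure");
        } else if (keywords.indexOf("Audit Success") !== -1) {
            evt.Put("event.outcome", "success");
        }
    };
    // … unchanged: addActionDesc, addLogonType …
```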
@@ -1155,29 +1195,36 @@ var security = (function () { // Handles 4634 and 4647. var logoff = new processor.Chain() .Add(copyTargetUser) + .Add(copyTargetUserLogonId) .Add(addLogonType) + .Add(addActionDesc) .Build(); // Handles both 4624 and 4648. var logonSuccess = new processor.Chain() .Add(addAuthSuccess) .Add(copyTargetUser) + .Add(copyTargetUserLogonId) .Add(addLogonType) .Add(renameCommonAuthFields) + .Add(addActionDesc) .Build(); var event4625 = new processor.Chain() .Add(addAuthFailed) .Add(copyTargetUser) + .Add(copyTargetUserLogonId) .Add(addLogonType) .Add(addFailureCode) .Add(addFailureStatus) .Add(addFailureSubStatus) .Add(renameCommonAuthFields) + .Add(addActionDesc) .Build(); var event4672 = new processor.Chain() .Add(copySubjectUser) + .Add(copySubjectUserLogonId) .Add(function(evt) { var privs = evt.Get("winlog.event_data.PrivilegeList"); if (!privs) { @@ -1185,6 +1232,20 @@ var security = (function () { } evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); }) + .Add(addActionDesc) + .Build(); + + var userMgmtEvts = new processor.Chain() + .Add(copyTargetUser) + .Add(copySubjectUserLogonId) + .Add(renameCommonAuthFields) + .Add(addActionDesc) + .Build(); + + var userRenamed = new processor.Chain() + .Add(copyOldTargetUser) + .Add(copySubjectUserLogonId) + .Add(addActionDesc) .Build(); return { @@ -1193,7 +1254,7 @@ var security = (function () { // 4625 - An account failed to log on. 4625: event4625.Run, - + // 4634 - An account was logged off. 4634: logoff.Run, 
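Review bot: `event4625` now copies only `winlog.event_data.TargetLogonId` into `winlog.logon.id`, and the updated logon golden file shows the effect: the 4625 record loses its `"id": "0x1008e"` entirely, where before this change it was present. Presumably 4625 carries a `SubjectLogonId` but no `TargetLogonId` (the same likely holds for 4648, which `logonSuccess` handles), so the failed-logon event can no longer be correlated with the session that made the attempt — precisely the pivot an investigator needs. Changing the line in `event4625` to `.Add(copySubjectUserLogonId)` restores the field for that code. The `security` closure enclosing these chains starts before the hunk.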
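Review bot: `userRenamed` (4781) only maps `OldTargetUserName` into `user.name` and skips the `copyTargetUser` and `renameCommonAuthFields` steps that every other user-management chain runs, so the renamed account's new name (`NewTargetUserName`, if that is the field the event carries) never reaches a common field and `user.domain` is presumably left unset, unlike the 4720–4767 goldens where it is populated. A rename is exactly the event that account-masquerading detections key on, so both names should be searchable and the domain should be present. Adding `{from: "winlog.event_data.TargetDomainName", to: "user.domain"}` to `copyOldTargetUser` and `.Add(renameCommonAuthFields)` to the chain gives 4781 the same common fields as its siblings; a comment such as `// 4781: user.name is the pre-rename name; the new name remains in winlog.event_data` would make the choice explicit for the next reader. The enclosing `security` closure starts before this hunk.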
@@ -1206,6 +1267,36 @@ var security = (function () { // 4672 - Special privileges assigned to new logon. 4672: event4672.Run, + // 4720 - A user account was created + 4720: userMgmtEvts.Run, + + // 4722 - A user account was enabled + 4722: userMgmtEvts.Run, + + // 4723 - An attempt was made to change an account's password + 4723: userMgmtEvts.Run, + + // 4724 - An attempt was made to reset an account's password + 4724: userMgmtEvts.Run, + + // 4725 - A user account was disabled. + 4725: userMgmtEvts.Run, + + // 4726 - An user account was deleted. + 4726: userMgmtEvts.Run, + + // 4738 - An user account was changed. + 4738: userMgmtEvts.Run, + + // 4740 - An account was locked out + 4740: userMgmtEvts.Run, + + // 4767 - A user account was unlocked. + 4767: userMgmtEvts.Run, + + // 4781 - The name of an account was changed. + 4781: userRenamed.Run, + process: function(evt) { var event_id = evt.Get("winlog.event_id"); var processor = this[event_id]; diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json index 6ce72ffffa1f..6b80148fc45d 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-03-29T21:10:39.7868321Z", "event": { - "action": "Logon", + "action": "logged-in", "category": "authentication", "code": 4624, "kind": "event", @@ -74,7 +74,7 @@ { "@timestamp": "2019-03-29T21:10:40.2555609Z", "event": { - "action": "Logon", + "action": "logged-in", "category": "authentication", "code": 4624, "kind": "event", @@ -146,7 +146,7 @@ { "@timestamp": "2019-03-29T21:10:40.3805426Z", "event": { - "action": "Logon", + "action": "logged-in", "category": "authentication", "code": 4624, "kind": "event", 
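Review bot: Every code from 4720 to 4767 is routed through the same `userMgmtEvts` chain, which copies the Target* fields into `user.*`; for 4740 that is worth checking against a captured event before relying on it, since in Microsoft's 4740 schema the `TargetDomainName` slot carries the caller computer name rather than the locked-out account's domain, which would leave `user.domain` holding a workstation name. No 4740 sample is among the golden files added here, so that mapping is untested by this commit. A dedicated chain for 4740, or at least a comment next to `4740: userMgmtEvts.Run` such as `// 4740: TargetDomainName is the caller computer name — verify user.domain mapping`, would make the caveat explicit. The entry comments also alternate between `A user account` and `An user account` and between trailing periods and none; worth normalising while here. The `return {` object these entries belong to starts before this hunk.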
@@ -201,10 +201,7 @@ "Audit Success" ], "logon": { - "id": [ - "0x3e7", - "0x1008e" - ], + "id": "0x1008e", "type": "Interactive" }, "opcode": "Info", @@ -224,7 +221,7 @@ { "@timestamp": "2019-03-29T21:10:40.5055514Z", "event": { - "action": "Logon", + "action": "logged-in", "category": "authentication", "code": 4624, "kind": "event", @@ -296,7 +293,7 @@ { "@timestamp": "2019-03-29T21:10:40.6305447Z", "event": { - "action": "Logon", + "action": "logged-in", "category": "authentication", "code": 4624, "kind": "event", @@ -348,10 +345,7 @@ "Audit Success" ], "logon": { - "id": [ - "0x0", - "0x129f1" - ], + "id": "0x129f1", "type": "Network" }, "opcode": "Info", @@ -371,7 +365,7 @@ { "@timestamp": "2019-03-29T21:10:53.6617957Z", "event": { - "action": "Logon", + "action": "logged-in", "category": "authentication", "code": 4624, "kind": "event", @@ -423,10 +417,7 @@ "Audit Success" ], "logon": { - "id": [ - "0x0", - "0x28d31" - ], + "id": "0x28d31", "type": "Network" }, "opcode": "Info", @@ -446,7 +437,7 @@ { "@timestamp": "2019-03-29T21:10:54.6618303Z", "event": { - "action": "Logon", + "action": "logged-in", "category": "authentication", "code": 4624, "kind": "event", @@ -498,10 +489,7 @@ "Audit Success" ], "logon": { - "id": [ - "0x0", - "0x29f0f" - ], + "id": "0x29f0f", "type": "Network" }, "opcode": "Info", @@ -521,7 +509,7 @@ { "@timestamp": "2019-03-29T21:10:55.4587259Z", "event": { - "action": "Logon", + "action": "logged-in", "category": "authentication", "code": 4624, "kind": "event", @@ -573,10 +561,7 @@ "Audit Success" ], "logon": { - "id": [ - "0x0", - "0x2a362" - ], + "id": "0x2a362", "type": "Network" }, "opcode": "Info", @@ -596,7 +581,7 @@ { "@timestamp": "2019-03-29T21:13:17.3025591Z", "event": { - "action": "Logon", + "action": "logged-in", "category": "authentication", "code": 4624, "kind": "event", @@ -651,10 +636,7 @@ "Audit Success" ], "logon": { - "id": [ - "0x0", - "0x324f8" - ], + "id": "0x324f8", "type": "Network" }, "opcode": "Info", 
@@ -674,7 +656,7 @@ { "@timestamp": "2019-03-29T21:13:17.5213056Z", "event": { - "action": "Logon", + "action": "logged-in", "category": "authentication", "code": 4624, "kind": "event", @@ -726,10 +708,7 @@ "Audit Success" ], "logon": { - "id": [ - "0x3e7", - "0x33444" - ], + "id": "0x33444", "type": "Interactive" }, "opcode": "Info", @@ -749,7 +728,7 @@ { "@timestamp": "2019-03-29T21:13:17.6149946Z", "event": { - "action": "Logon", + "action": "logged-in", "category": "authentication", "code": 4624, "kind": "event", @@ -804,10 +783,7 @@ "Audit Success" ], "logon": { - "id": [ - "0x3e7", - "0x3444f" - ], + "id": "0x3444f", "type": "RemoteInteractive" }, "opcode": "Info", @@ -827,7 +803,7 @@ { "@timestamp": "2019-03-29T21:13:18.7869259Z", "event": { - "action": "Logon", + "action": "logged-in", "category": "authentication", "code": 4624, "kind": "event", @@ -879,10 +855,7 @@ "Audit Success" ], "logon": { - "id": [ - "0x3e7", - "0x357fd" - ], + "id": "0x357fd", "type": "Interactive" }, "opcode": "Info", @@ -902,7 +875,7 @@ { "@timestamp": "2019-03-29T21:20:48.7402309Z", "event": { - "action": "Logon", + "action": "logged-in", "category": "authentication", "code": 4624, "kind": "event", @@ -974,7 +947,7 @@ { "@timestamp": "2019-03-29T21:20:48.7402309Z", "event": { - "action": "Logon", + "action": "logged-in", "category": "authentication", "code": 4624, "kind": "event", @@ -1046,7 +1019,7 @@ { "@timestamp": "2019-03-29T21:20:50.5840151Z", "event": { - "action": "Logon", + "action": "logged-in", "category": "authentication", "code": 4624, "kind": "event", @@ -1118,7 +1091,7 @@ { "@timestamp": "2019-03-29T21:23:42.5201798Z", "event": { - "action": "Logon", + "action": "logged-in", "category": "authentication", "code": 4624, "kind": "event", @@ -1190,7 +1163,7 @@ { "@timestamp": "2019-03-29T21:26:24.1764267Z", "event": { - "action": "Logon", + "action": "logged-in", "category": "authentication", "code": 4624, "kind": "event", 
@@ -1262,7 +1235,7 @@ { "@timestamp": "2019-03-29T21:45:35.177054Z", "event": { - "action": "Logon", + "action": "logon-failed", "category": "authentication", "code": 4625, "kind": "event", @@ -1322,7 +1295,6 @@ "status": "This is either due to a bad username or authentication information", "sub_status": "User logon with misspelled or bad user account" }, - "id": "0x1008e", "type": "Interactive" }, "opcode": "Info", @@ -1338,4 +1310,4 @@ "task": "Logon" } } -] +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-4672.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-4672.evtx.golden.json index e8d2aa5ede83..7fb416a3f6b3 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-4672.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-4672.evtx.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2018-05-18T23:09:03.2086661Z", "event": { - "action": "Special Logon", + "action": "logged-in-special", "code": 4672, "kind": "event", "module": "security", @@ -59,4 +59,4 @@ "task": "Special Logon" } } -] +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.evtx.golden.json index e443189eee15..5f12c38c432d 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.evtx.golden.json @@ -2,7 +2,7 @@ { "@timestamp": "2019-05-17T11:06:58.210768Z", "event": { - "action": "Logoff", + "action": "logged-out", "code": 4634, "kind": "event", "module": "security", @@ -52,7 +52,7 @@ { "@timestamp": "2019-05-19T16:15:38.542273Z", "event": { - "action": "Logoff", + "action": "logged-out", "code": 4634, "kind": "event", "module": "security", 
@@ -99,4 +99,4 @@ "task": "Logoff" } } -] +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx new file mode 100644 index 000000000000..d49e948afd0c Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json new file mode 100644 index 000000000000..eb5794a01e17 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json 
@@ -0,0 +1,148 @@ +[ + { + "@timestamp": "2019-09-06T13:24:39.2933111Z", + "event": { + "action": "added-user-account", + "code": 4720, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "log": { + "level": "information" + }, + "message": "A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAttributes:\n\tSAM Account Name:\telastictest1\n\tDisplay Name:\t\t\u003cvalue not set\u003e\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t\u003cnever\u003e\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t'Password Not Required' - Enabled\n\t\t'Normal Account' - Enabled\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges\t\t-", + "process": { + "name": "null" + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "name": "elastictest1" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "AccountExpires": "%%1794", + "AllowedToDelegateTo": "-", + "DisplayName": "%%1793", + "HomeDirectory": "%%1793", + "HomePath": "%%1793", + "LogonHours": "%%1797", + "NewUacValue": "0x15", + "OldUacValue": "0x0", + "PasswordLastSet": "%%1794", + "PrimaryGroupId": 
"513", + "PrivilegeList": "-", + "ProfilePath": "%%1793", + "SamAccountName": "elastictest1", + "ScriptPath": "%%1793", + "SidHistory": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "TargetUserName": "elastictest1", + "UserAccountControl": "\n\t\t%%2080\n\t\t%%2082\n\t\t%%2084", + "UserParameters": "%%1793", + "UserPrincipalName": "-", + "UserWorkstations": "%%1793" + }, + "event_id": 4720, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2751, + "task": "User Account Management" + } + }, + { + "@timestamp": "2019-09-06T13:25:21.8672707Z", + "event": { + "action": "added-user-account", + "code": 4720, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "log": { + "level": "information" + }, + "message": "A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAttributes:\n\tSAM Account Name:\taudittest0609\n\tDisplay Name:\t\t\u003cvalue not set\u003e\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last 
Set:\t\u003cnever\u003e\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t'Password Not Required' - Enabled\n\t\t'Normal Account' - Enabled\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges\t\t-", + "process": { + "name": "null" + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "name": "audittest0609" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "AccountExpires": "%%1794", + "AllowedToDelegateTo": "-", + "DisplayName": "%%1793", + "HomeDirectory": "%%1793", + "HomePath": "%%1793", + "LogonHours": "%%1797", + "NewUacValue": "0x15", + "OldUacValue": "0x0", + "PasswordLastSet": "%%1794", + "PrimaryGroupId": "513", + "PrivilegeList": "-", + "ProfilePath": "%%1793", + "SamAccountName": "audittest0609", + "ScriptPath": "%%1793", + "SidHistory": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", + "TargetUserName": "audittest0609", + "UserAccountControl": "\n\t\t%%2080\n\t\t%%2082\n\t\t%%2084", + "UserParameters": "%%1793", + "UserPrincipalName": "-", + "UserWorkstations": "%%1793" + }, + "event_id": 4720, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2775, + "task": "User Account Management" + } + } +] \ No newline at end of 
file diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx new file mode 100644 index 000000000000..5e95fbaf609b Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json new file mode 100644 index 000000000000..5a21729bfd7a --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json 
@@ -0,0 +1,110 @@ +[ + { + "@timestamp": "2019-09-06T13:28:46.1631928Z", + "event": { + "action": "enabled-user-account", + "code": 4722, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "log": { + "level": "information" + }, + "message": "A user account was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "process": { + "name": "null" + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "name": "audittest" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000", + "TargetUserName": "audittest" + }, + "event_id": 4722, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2815, + "task": "User Account Management" + } + }, + { + "@timestamp": "2019-09-06T13:29:08.5737904Z", + "event": { + "action": "enabled-user-account", + "code": 4722, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "log": { + "level": "information" + }, + "message": "A user account was enabled.\n\nSubject:\n\tSecurity 
ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "process": { + "name": "null" + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "name": "audittest0609" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", + "TargetUserName": "audittest0609" + }, + "event_id": 4722, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2826, + "task": "User Account Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx new file mode 100644 index 000000000000..f437fa685abd Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json new file mode 100644 index 000000000000..93192e02b247 
--- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json 
@@ -0,0 +1,112 @@ +[ + { + "@timestamp": "2019-09-06T13:32:13.8554125Z", + "event": { + "action": "changed-password", + "code": 4723, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "log": { + "level": "information" + }, + "message": "An attempt was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t\t-", + "process": { + "name": "null" + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetUserName": "Administrator" + }, + "event_id": 4723, + "keywords": [ + "Audit Failure" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2838, + "task": "User Account Management" + } + }, + { + "@timestamp": "2019-09-06T13:32:23.8855201Z", + "event": { + "action": "changed-password", + "code": 4723, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "log": { + "level": "information" + }, + "message": "An attempt 
was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t\t-", + "process": { + "name": "null" + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetUserName": "Administrator" + }, + "event_id": 4723, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2839, + "task": "User Account Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx new file mode 100644 index 000000000000..75c5a1ec884e Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx differ 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json new file mode 100644 index 000000000000..4de0c677b6db --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json 
@@ -0,0 +1,110 @@ +[ + { + "@timestamp": "2019-09-06T13:24:39.339071Z", + "event": { + "action": "reset-password", + "code": 4724, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "log": { + "level": "information" + }, + "message": "An attempt was made to reset an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "process": { + "name": "null" + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "name": "elastictest1" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "TargetUserName": "elastictest1" + }, + "event_id": 4724, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 816 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2762, + "task": "User Account Management" + } + }, + { + "@timestamp": "2019-09-06T13:25:21.9005914Z", + "event": { + "action": "reset-password", + "code": 4724, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "log": { + "level": "information" + }, + "message": "An attempt was made to reset an account's password.\n\nSubject:\n\tSecurity 
ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "process": { + "name": "null" + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "name": "audittest0609" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", + "TargetUserName": "audittest0609" + }, + "event_id": 4724, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2787, + "task": "User Account Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx new file mode 100644 index 000000000000..640dcd0ce584 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json new file mode 100644 index 000000000000..b4dbc1557a17 
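Review bot: The expected output pins `"process": { "name": "null" }` — the four-character string, not a JSON null — on both events in this file and on every event in the 4725, 4726, 4738, 4740 and 4767 goldens, yet none of those events carries a process-name field in `winlog.event_data`, so this looks like a stringified missing value rather than a real process name that the golden files are now locking in as correct. I cannot see the mapping in winlogbeat-security.js from this chunk, but the fix presumably belongs there: leave `process.name` unset when the source field is absent, then regenerate these files. As written, the literal `"null"` is indexed as a value that searches and detections keyed on `process.name` can match by mistake.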
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json
@@ -0,0 +1,110 @@ +[ + { + "@timestamp": "2019-09-06T13:28:40.0015275Z", + "event": { + "action": "disabled-user-account", + "code": 4725, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "log": { + "level": "information" + }, + "message": "A user account was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "process": { + "name": "null" + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "name": "audittest" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000", + "TargetUserName": "audittest" + }, + "event_id": 4725, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2810, + "task": "User Account Management" + } + }, + { + "@timestamp": "2019-09-06T13:28:55.2644212Z", + "event": { + "action": "disabled-user-account", + "code": 4725, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "log": { + "level": "information" + }, + "message": "A user account was disabled.\n\nSubject:\n\tSecurity 
ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "process": { + "name": "null" + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "name": "audittest0609" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", + "TargetUserName": "audittest0609" + }, + "event_id": 4725, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2820, + "task": "User Account Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx new file mode 100644 index 000000000000..5ebf2e52bdcf Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json new file mode 100644 index 000000000000..a63b5271785b 
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json
@@ -0,0 +1,112 @@ +[ + { + "@timestamp": "2019-09-06T13:35:25.5153959Z", + "event": { + "action": "deleted-user-account", + "code": 4726, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "log": { + "level": "information" + }, + "message": "A user account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1001\n\tAccount Name:\t\taudittest23\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t-", + "process": { + "name": "null" + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "name": "audittest23" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1001", + "TargetUserName": "audittest23" + }, + "event_id": 4726, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 1980 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2851, + "task": "User Account Management" + } + }, + { + "@timestamp": "2019-09-06T13:35:29.6900555Z", + "event": { + "action": "deleted-user-account", + "code": 4726, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "log": { + "level": "information" + }, + "message": "A user account was 
deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t-", + "process": { + "name": "null" + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "name": "audittest" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000", + "TargetUserName": "audittest" + }, + "event_id": 4726, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2857, + "task": "User Account Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx new file mode 100644 index 000000000000..9f521b36a0c7 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx differ 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json
new file mode 100644
index 000000000000..536370d050b1
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json
@@ -0,0 +1,150 @@ +[ + { + "@timestamp": "2019-09-06T13:36:17.5667652Z", + "event": { + "action": "modified-user-account", + "code": 4738, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "log": { + "level": "information" + }, + "message": "A user account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nChanged Attributes:\n\tSAM Account Name:\telastictest1\n\tDisplay Name:\t\telastictest1\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t6/9/2019 10:30:28\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x210\n\tNew UAC Value:\t\t0x210\n\tUser Account Control:\t-\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges:\t\t-", + "process": { + "name": "null" + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "name": "elastictest1" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "AccountExpires": "%%1794", + "AllowedToDelegateTo": "-", + "DisplayName": "elastictest1", + "Dummy": "-", + "HomeDirectory": "%%1793", + "HomePath": "%%1793", + "LogonHours": "%%1797", + "NewUacValue": "0x210", + "OldUacValue": "0x210", + "PasswordLastSet": "6/9/2019 10:30:28", + "PrimaryGroupId": "513", + "PrivilegeList": "-", + "ProfilePath": 
"%%1793", + "SamAccountName": "elastictest1", + "ScriptPath": "%%1793", + "SidHistory": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "TargetUserName": "elastictest1", + "UserAccountControl": "-", + "UserParameters": "%%1793", + "UserPrincipalName": "-", + "UserWorkstations": "%%1793" + }, + "event_id": 4738, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 1980 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2862, + "task": "User Account Management" + } + }, + { + "@timestamp": "2019-09-06T13:36:36.3634107Z", + "event": { + "action": "modified-user-account", + "code": 4738, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "log": { + "level": "information" + }, + "message": "A user account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nChanged Attributes:\n\tSAM Account Name:\taudittest0609\n\tDisplay Name:\t\taudittest0609s\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t6/9/2019 10:25:21\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group 
ID:\t513\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x10\n\tNew UAC Value:\t\t0x210\n\tUser Account Control:\t\n\t\t'Don't Expire Password' - Enabled\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges:\t\t-", + "process": { + "name": "null" + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "name": "audittest0609" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "AccountExpires": "%%1794", + "AllowedToDelegateTo": "-", + "DisplayName": "audittest0609s", + "Dummy": "-", + "HomeDirectory": "%%1793", + "HomePath": "%%1793", + "LogonHours": "%%1797", + "NewUacValue": "0x210", + "OldUacValue": "0x10", + "PasswordLastSet": "6/9/2019 10:25:21", + "PrimaryGroupId": "513", + "PrivilegeList": "-", + "ProfilePath": "%%1793", + "SamAccountName": "audittest0609", + "ScriptPath": "%%1793", + "SidHistory": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", + "TargetUserName": "audittest0609", + "UserAccountControl": "\n\t\t%%2089", + "UserParameters": "%%1793", + "UserPrincipalName": "-", + "UserWorkstations": "%%1793" + }, + "event_id": 4738, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 808 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2866, + "task": "User Account Management" + } + } +] \ No newline at end of file 
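Review bot: `winlog.event_data` in this file keeps the unresolved parameter placeholders `%%1793`, `%%1794`, `%%1797` and `%%2089` while the rendered `message` shows their resolved text (`<value not set>`, `<never>`, `All`, `'Don't Expire Password' - Enabled`), and `UserAccountControl` additionally carries the leading `\n\t\t` whitespace from the template. If `event_data` is meant to stay verbatim that is defensible, but it deserves a sentence in the module docs (outside this chunk) saying that 4738 attribute values are not resolved, because `OldUacValue`/`NewUacValue` and the UAC flag text are exactly what a reviewer of account changes will query on. A trimmed `UserAccountControl` would also be worth considering in the mapping, which I cannot see here.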
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx
new file mode 100644
index 000000000000..642d295d4757
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx.golden.json
new file mode 100644
index 000000000000..773a6bfdbdfa
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx.golden.json
@@ -0,0 +1,56 @@ +[ + { + "@timestamp": "2019-09-06T13:39:43.0856521Z", + "event": { + "action": "locked-out-user-account", + "code": 4740, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "log": { + "level": "information" + }, + "message": "A user account was locked out.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nAccount That Was Locked Out:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\nAdditional Information:\n\tCaller Computer Name:\tWIN-41OB2LO92CR", + "process": { + "name": "null" + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "name": "elastictest1" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-41OB2LO92CR$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "TargetUserName": "elastictest1" + }, + "event_id": 4740, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2883, + "task": "User Account Management" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx
new file mode 100644
index 000000000000..1eb8f2e71ddc
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx.golden.json
new file mode 100644
index 000000000000..ac2b0e821896
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx.golden.json
@@ -0,0 +1,56 @@ +[ + { + "@timestamp": "2019-09-06T13:40:52.3149485Z", + "event": { + "action": "unlocked-user-account", + "code": 4767, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "log": { + "level": "information" + }, + "message": "A user account was unlocked.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "process": { + "name": "null" + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "name": "elastictest1" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "TargetUserName": "elastictest1" + }, + "event_id": 4767, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 808 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2892, + "task": "User Account Management" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx
new file mode 100644
index 000000000000..72d3a5b2fcfb
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx.golden.json
new file mode 100644
index 000000000000..889702c30f35
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx.golden.json
@@ -0,0 +1,106 @@ +[ + { + "@timestamp": "2019-09-06T13:38:17.5566269Z", + "event": { + "action": "renamed-user-account", + "code": 4781, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "log": { + "level": "information" + }, + "message": "The name of an account was changed:\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tOld Account Name:\taudittest0609\n\tNew Account Name:\taudittest06\n\nAdditional Information:\n\tPrivileges:\t\t-", + "user": { + "name": "audittest0609" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "NewTargetUserName": "audittest06", + "OldTargetUserName": "audittest0609", + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006" + }, + "event_id": 4781, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 808 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2873, + "task": "User Account Management" + } + }, + { + "@timestamp": "2019-09-06T13:38:23.5161066Z", + "event": { + "action": "renamed-user-account", + "code": 4781, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "log": { + "level": "information" + }, + "message": "The name 
of an account was changed:\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tOld Account Name:\taudittest06\n\tNew Account Name:\taudittest0609\n\nAdditional Information:\n\tPrivileges:\t\t-", + "user": { + "name": "audittest06" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "NewTargetUserName": "audittest0609", + "OldTargetUserName": "audittest06", + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006" + }, + "event_id": 4781, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 808 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2875, + "task": "User Account Management" + } + } +] \ No newline at end of file
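Review bot: `user.domain` is absent from both 4781 events even though `winlog.event_data.TargetDomainName` is present, whereas every other golden in this change populates it from that field; likewise no `process` object is emitted here at all, so the rename output is shaped differently from its siblings. `user.name` is taken from `OldTargetUserName`, leaving the post-rename identity only in `event_data.NewTargetUserName`, which is worth stating explicitly in the module docs since a rename is the one event where the new name is what an analyst follows. The mapping that produces this lives in winlogbeat-security.js, outside this chunk, so I can only infer the cause from the expected output.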