Add events 4720 4722 4723 4724 4725 4726 4738 4740 4767 4781 - LogonID correlation

CHANGELOG.next.asciidoc

@@ -446,6 +446,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add support for event ID 22 (DNS query) to the Sysmon module. {pull}12960[12960]
 - Add certain winlog.event_data.* fields to the index template. {issue}13700[13700] {pull}13704[13704]
 - Fill `event.provider`. {pull}13937[13937]
+- Add support for user management events to the Security module. {pull}13530[13530]
 
 ==== Deprecated
 

winlogbeat/docs/modules/security.asciidoc

@@ -14,6 +14,16 @@ The module has transformations for the following event IDs:
 * 4647 - User initiated logoff (interactive logon types).
 * 4648 - A logon was attempted using explicit credentials.
 * 4672 - Special privileges assigned to new logon.
+* 4720 - A user account was created.
+* 4722 - A user account was enabled.
+* 4723 - An attempt was made to change an account's password.
+* 4724 - An attempt was made to reset an account's password.
+* 4725 - An user account was disabled.
+* 4726 - An user account was deleted.
+* 4738 - An user account was changed.
+* 4740 - An user account was locked out.
+* 4767 - An account was unlocked.
+* 4781 - The name of an account was changed.
 
 More event IDs will be added.
 

x-pack/winlogbeat/module/security/_meta/docs.asciidoc

@@ -14,6 +14,16 @@ The module has transformations for the following event IDs:
 * 4647 - User initiated logoff (interactive logon types).
 * 4648 - A logon was attempted using explicit credentials.
 * 4672 - Special privileges assigned to new logon.
+* 4720 - A user account was created.
+* 4722 - A user account was enabled.
+* 4723 - An attempt was made to change an account's password.
+* 4724 - An attempt was made to reset an account's password.
+* 4725 - An user account was disabled.
+* 4726 - An user account was deleted.
+* 4738 - An user account was changed.
+* 4740 - An user account was locked out.
+* 4767 - An account was unlocked.
+* 4781 - The name of an account was changed.
 
 More event IDs will be added.
 

x-pack/winlogbeat/module/security/config/winlogbeat-security.js

@@ -19,6 +19,23 @@ var security = (function () {
         "11": "CachedInteractive",
     };
 
+    var eventActionTypes = {
+        "4624": "logged-in",
+        "4625": "logon-failed",
+        "4634": "logged-out",
+        "4672": "logged-in-special",
+        "4720": "added-user-account",
+        "4722": "enabled-user-account",
+        "4723": "changed-password",
+        "4724": "reset-password",
+        "4725": "disabled-user-account",
+        "4726": "deleted-user-account",
+        "4738": "modified-user-account",
+        "4740": "locked-out-user-account",
+        "4767": "unlocked-user-account",
+        "4781": "renamed-user-account",
+    };
+
     // Descriptions of failure status codes.
     // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
     var logonFailureStatus = {
@@ -1030,6 +1047,17 @@ var security = (function () {
         return msobjsMessageTable[code];
     };
 
+    var addActionDesc = function(evt){
+        var code = evt.Get("event.code");
+        if (!code) {
+            return;
+        }
+        var eventActionDescription = eventActionTypes[code];
+        if (eventActionDescription) {
+            evt.Put("event.action", eventActionDescription);
+        }
+    };
+
     var addLogonType = function(evt) {
         var code = evt.Get("winlog.event_data.LogonType");
         if (!code) {
@@ -1074,19 +1102,6 @@ var security = (function () {
         evt.Put("winlog.logon.failure.sub_status", descriptiveFailureStatus);
     };
 
-    // Add logon IDs to winlog.logon.id to make it easy to find all activity
-    // related to a logon ID.
-    var addLogonIds = function(evt) {
-        var id = evt.Get("winlog.event_data.SubjectLogonId");
-        if (id) {
-            evt.AppendTo("winlog.logon.id", id);
-        }
-        id = evt.Get("winlog.event_data.TargetLogonId");
-        if (id) {
-            evt.AppendTo("winlog.logon.id", id);
-        }
-    };
-
     var copyTargetUser = new processor.Chain()
         .Convert({
             fields: [
@@ -1096,7 +1111,15 @@ var security = (function () {
             ],
             ignore_missing: true,
         })
-        .Add(addLogonIds)
+        .Build();
+
+    var copyTargetUserLogonId  = new processor.Chain()
+        .Convert({
+            fields: [
+                {from: "winlog.event_data.TargetLogonId", to: "winlog.logon.id"},
+            ],
+            ignore_missing: true,
+        })
         .Build();
 
     var copySubjectUser  = new processor.Chain()
@@ -1108,7 +1131,24 @@ var security = (function () {
             ],
             ignore_missing: true,
         })
-        .Add(addLogonIds)
+        .Build();
+
+    var copyOldTargetUser  = new processor.Chain()
+        .Convert({
+            fields: [
+                {from: "winlog.event_data.OldTargetUserName", to: "user.name"},
+            ],
+            ignore_missing: true,
+        })
+        .Build();
+
+    var copySubjectUserLogonId  = new processor.Chain()
+        .Convert({
+            fields: [
+                {from: "winlog.event_data.SubjectLogonId", to: "winlog.logon.id"},
+            ],
+            ignore_missing: true,
+        })
         .Build();
 
     var renameCommonAuthFields = new processor.Chain()
@@ -1155,36 +1195,57 @@ var security = (function () {
     // Handles 4634 and 4647.
     var logoff = new processor.Chain()
         .Add(copyTargetUser)
+        .Add(copyTargetUserLogonId)
         .Add(addLogonType)
+        .Add(addActionDesc)
         .Build();
 
     // Handles both 4624 and 4648.
     var logonSuccess = new processor.Chain()
         .Add(addAuthSuccess)
         .Add(copyTargetUser)
+        .Add(copyTargetUserLogonId)
         .Add(addLogonType)
         .Add(renameCommonAuthFields)
+        .Add(addActionDesc)
         .Build();
 
     var event4625 = new processor.Chain()
         .Add(addAuthFailed)
         .Add(copyTargetUser)
+        .Add(copyTargetUserLogonId)
         .Add(addLogonType)
         .Add(addFailureCode)
         .Add(addFailureStatus)
         .Add(addFailureSubStatus)
         .Add(renameCommonAuthFields)
+        .Add(addActionDesc)
         .Build();
 
     var event4672 = new processor.Chain()
         .Add(copySubjectUser)
+        .Add(copySubjectUserLogonId)
         .Add(function(evt) {
             var privs = evt.Get("winlog.event_data.PrivilegeList");
             if (!privs) {
                 return;
             }
             evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
         })
+        .Add(addActionDesc)
+        .Build();
+
+    var userMgmtEvts = new processor.Chain()
+        .Add(copyTargetUser)
+        .Add(copySubjectUserLogonId)
+        .Add(renameCommonAuthFields)
+        .Add(addActionDesc)
+        .Build();
+
+    var userRenamed = new processor.Chain()
+        .Add(copyOldTargetUser)
+        .Add(copySubjectUserLogonId)
+        .Add(addActionDesc)
         .Build();
 
     return {
@@ -1193,7 +1254,7 @@ var security = (function () {
 
         // 4625 - An account failed to log on.
         4625: event4625.Run,
-        
+
         // 4634 - An account was logged off.
         4634: logoff.Run,
 
@@ -1206,6 +1267,36 @@ var security = (function () {
         // 4672 - Special privileges assigned to new logon.
         4672: event4672.Run,
 
+        // 4720 - A user account was created
+        4720: userMgmtEvts.Run,
+
+        // 4722 - A user account was enabled
+        4722: userMgmtEvts.Run,
+
+        // 4723 - An attempt was made to change an account's password
+        4723: userMgmtEvts.Run,
+
+        // 4724 - An attempt was made to reset an account's password
+        4724: userMgmtEvts.Run,
+
+        // 4725 - A user account was disabled.
+        4725: userMgmtEvts.Run,
+
+        // 4726 - An user account was deleted.
+        4726: userMgmtEvts.Run,
+
+        // 4738 - An user account was changed.
+        4738: userMgmtEvts.Run,
+
+        // 4740 - An account was locked out
+        4740: userMgmtEvts.Run,
+
+        // 4767 - A user account was unlocked.
+        4767: userMgmtEvts.Run,
+
+        // 4781 - The name of an account was changed.
+        4781: userRenamed.Run,
+
         process: function(evt) {
             var event_id = evt.Get("winlog.event_id");
             var processor = this[event_id];