Audit/Computer/Distribution Groups Management Events - ECS related.user field mapping #15217

Merged
merged 22 commits into from
Feb 5, 2020
22 commits
649d3fb
Add Audit/Computer/Distribution Groups Management
janniten Dec 19, 2019
95062bb
Add Audit/Computer/Distribution Groups Management Events - related.us…
janniten Dec 19, 2019
98b98fc
Add Audit/Computer/Distribution Groups Management Events - related.us…
janniten Dec 19, 2019
d223e36
Add Audit/Computer/Distribution Groups Management Events - related.us…
janniten Dec 19, 2019
3680c85
Add Audit/Computer/Distribution Groups Management Events - related.us…
janniten Dec 19, 2019
f4cba7f
Add Audit/Computer/Distribution Groups Management Events - related.us…
janniten Dec 19, 2019
4b29b7f
Add Audit/Computer/Distribution Groups Management Events - related.us…
janniten Dec 19, 2019
bdcc76f
Add Audit/Computer/Distribution Groups Management Events - related.us…
janniten Dec 19, 2019
bbff210
Add Audit/Computer/Distribution Groups Management Events - related.us…
janniten Dec 19, 2019
6696124
event action description updated
janniten Dec 20, 2019
05ff097
event action description updated
janniten Dec 20, 2019
a8d7c6f
event action description updated
janniten Dec 20, 2019
9415bfe
event action description updated
janniten Dec 20, 2019
85f334a
Removed Group Type
janniten Dec 24, 2019
ba167ae
Fix: related.users unique elements and null process name check
janniten Jan 5, 2020
2fe69da
Fix: related.users unique elements and null process name check - Houn…
janniten Jan 5, 2020
fff4412
Fix related.user duplicates using AppendTo from Script Processor
janniten Jan 6, 2020
946f8f5
removed addComputerData
janniten Jan 15, 2020
c652a81
Clean up whitespace
leehinman Dec 20, 2019
b89c009
update golden files and fix subcategoryGuid lookup
leehinman Jan 7, 2020
cd2abaf
Events ID added to asciidoc File - addRelatedUser function replaced b…
janniten Jan 27, 2020
cd2716f
Update golden, Format Javascript
andrewkroh Feb 5, 2020
42 changes: 42 additions & 0 deletions winlogbeat/docs/modules/security.asciidoc
Expand Up @@ -8,6 +8,11 @@ The security module processes event log records from the Security log.

The module has transformations for the following event IDs:

* 1100 - The event logging service has shut down.
* 1102 - The audit log was cleared.
* 1104 - The security log is now full.
* 1105 - Event log automatic backup.
* 1108 - The event logging service encountered an error while processing an incoming event published from %1
* 4624 - An account was successfully logged on.
* 4625 - An account failed to log on.
* 4634 - An account was logged off.
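Review bot: the 1108 entry keeps the raw message placeholder `%1` and has no terminal period ("...published from %1"), unlike every other entry in this list; replace the placeholder with resolved wording such as "published from a provider." or drop it ("encountered an error while processing an incoming event."). The 1105 description is also a fragment ("Event log automatic backup.") where the rest of the list uses full sentences.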
Expand All @@ -16,16 +21,53 @@ The module has transformations for the following event IDs:
* 4672 - Special privileges assigned to new logon.
* 4688 - A new process has been created.
* 4689 - A process has exited.
* 4719 - System audit policy was changed.
* 4720 - A user account was created.
* 4722 - A user account was enabled.
* 4723 - An attempt was made to change an account's password.
* 4724 - An attempt was made to reset an account's password.
* 4725 - An user account was disabled.
* 4726 - An user account was deleted.
* 4727 - A security-enabled global group was created.
* 4728 - A member was added to a security-enabled global group.
* 4729 - A member was removed from a security-enabled global group.
* 4730 - A security-enabled global group was deleted.
* 4731 - A security-enabled local group was created
* 4732 - A member was added to a security-enabled local group.
* 4733 - A member was removed from a security-enabled local group.
* 4734 - A security-enabled local group was deleted.
* 4735 - A security-enabled local group was changed.
* 4737 - A security-enabled global group was changed.
* 4738 - An user account was changed.
* 4740 - An user account was locked out.
* 4741 - A computer account was created.
* 4742 - A computer account was changed.
* 4743 - A computer account was deleted.
* 4744 - A security-disabled local group was created.
* 4745 - A security-disabled local group was changed.
* 4746 - A member was added to a security-disabled local group.
* 4747 - A member was removed from a security-disabled local group.
* 4748 - A security-disabled local group was deleted.
* 4749 - A security-disabled global group was created.
* 4750 - A security-disabled global group was changed.
* 4751 - A member was added to a security-disabled global group.
* 4752 - A member was removed from a security-disabled global group.
* 4753 - A security-disabled global group was deleted.
* 4754 - A security-enabled universal group was created.
* 4755 - A security-enabled universal group was changed.
* 4756 - A member was added to a security-enabled universal group.
* 4757 - A member was removed from a security-enabled universal group.
* 4758 - A security-enabled universal group was deleted.
* 4759 - A security-disabled universal group was created.
* 4760 - A security-disabled universal group was changed.
* 4761 - A member was added to a security-disabled universal group.
* 4762 - A member was removed from a security-disabled universal group.
* 4763 - A security-disabled global group was deleted.
* 4764 - A group's type was changed.
* 4767 - An account was unlocked.
* 4781 - The name of an account was changed.
* 4798 - A user's local group membership was enumerated.
* 4799 - A security-enabled local group membership was enumerated.

More event IDs will be added.

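Review bot: the description for 4763 duplicates the one for 4753 ("A security-disabled global group was deleted.") even though 4763 sits in the security-disabled universal group block (4759 to 4762); it should read "A security-disabled universal group was deleted." to match the event's Windows definition. Also in this hunk: four entries use "An user account" (4725, 4726, 4738, 4740) where 4720 and 4722 correctly use "A user account", and 4731 is missing its trailing period.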
42 changes: 42 additions & 0 deletions x-pack/winlogbeat/module/security/_meta/docs.asciidoc
Expand Up @@ -8,6 +8,11 @@ The security module processes event log records from the Security log.

The module has transformations for the following event IDs:

* 1100 - The event logging service has shut down.
* 1102 - The audit log was cleared.
* 1104 - The security log is now full.
* 1105 - Event log automatic backup.
* 1108 - The event logging service encountered an error while processing an incoming event published from %1
* 4624 - An account was successfully logged on.
* 4625 - An account failed to log on.
* 4634 - An account was logged off.
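Review bot: same issue as in the generated winlogbeat/docs/modules/security.asciidoc copy: the 1108 entry carries the unresolved `%1` placeholder and no terminal period, and 1105 is a sentence fragment. Since the two files are identical, fix this _meta source and regenerate the docs copy rather than editing both by hand.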
Expand All @@ -16,16 +21,53 @@ The module has transformations for the following event IDs:
* 4672 - Special privileges assigned to new logon.
* 4688 - A new process has been created.
* 4689 - A process has exited.
* 4719 - System audit policy was changed.
* 4720 - A user account was created.
* 4722 - A user account was enabled.
* 4723 - An attempt was made to change an account's password.
* 4724 - An attempt was made to reset an account's password.
* 4725 - An user account was disabled.
* 4726 - An user account was deleted.
* 4727 - A security-enabled global group was created.
* 4728 - A member was added to a security-enabled global group.
* 4729 - A member was removed from a security-enabled global group.
* 4730 - A security-enabled global group was deleted.
* 4731 - A security-enabled local group was created
* 4732 - A member was added to a security-enabled local group.
* 4733 - A member was removed from a security-enabled local group.
* 4734 - A security-enabled local group was deleted.
* 4735 - A security-enabled local group was changed.
* 4737 - A security-enabled global group was changed.
* 4738 - An user account was changed.
* 4740 - An user account was locked out.
* 4741 - A computer account was created.
* 4742 - A computer account was changed.
* 4743 - A computer account was deleted.
* 4744 - A security-disabled local group was created.
* 4745 - A security-disabled local group was changed.
* 4746 - A member was added to a security-disabled local group.
* 4747 - A member was removed from a security-disabled local group.
* 4748 - A security-disabled local group was deleted.
* 4749 - A security-disabled global group was created.
* 4750 - A security-disabled global group was changed.
* 4751 - A member was added to a security-disabled global group.
* 4752 - A member was removed from a security-disabled global group.
* 4753 - A security-disabled global group was deleted.
* 4754 - A security-enabled universal group was created.
* 4755 - A security-enabled universal group was changed.
* 4756 - A member was added to a security-enabled universal group.
* 4757 - A member was removed from a security-enabled universal group.
* 4758 - A security-enabled universal group was deleted.
* 4759 - A security-disabled universal group was created.
* 4760 - A security-disabled universal group was changed.
* 4761 - A member was added to a security-disabled universal group.
* 4762 - A member was removed from a security-disabled universal group.
* 4763 - A security-disabled global group was deleted.
* 4764 - A group's type was changed.
* 4767 - An account was unlocked.
* 4781 - The name of an account was changed.
* 4798 - A user's local group membership was enumerated.
* 4799 - A security-enabled local group membership was enumerated.

More event IDs will be added.

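Review bot: this _meta source has the same content problems as the generated docs copy: 4763 repeats the 4753 description ("A security-disabled global group was deleted.") while sitting in the universal group block and should be "A security-disabled universal group was deleted."; 4725, 4726, 4738 and 4740 say "An user account" instead of "A user account"; and 4731 lacks its trailing period. Correct them here first so the regenerated docs pick them up.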