Cherry-pick #20684 to 7.x: Audit and Authentication Policy Change Events #23659
Cherry-pick of PR #20684 to 7.x branch. Original message:
What does this PR do?
Note: Although processing of Event 4715 (The audit policy (SACL) on an object was changed) seems to be identical to 4670, event 4715 was not included because I was not able to generate an example event.
For events that carry DACL or SACL information, those ACLs are translated from SDDL (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070) to a human-readable form. For example:
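As an added illustration of that translation (example code, not part of this PR or of Beats), the Go program below splits a security descriptor at its O:, G:, D: and S: markers and expands each DACL and SACL ACE into a readable line. The SID alias, right-code and ACE-type tables are a small constructed subset of the SDDL definitions, and the sample descriptor is constructed rather than taken from a real event.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Subset of the SDDL well-known SID aliases, access-right codes and ACE types; unknown tokens pass through.
var sidNames = map[string]string{"SY": "SYSTEM", "BA": "Administrators", "BU": "Users", "WD": "Everyone", "AU": "Authenticated Users"}
var rightNames = map[string]string{"FA": "FullControl", "FR": "Read", "FW": "Write", "FX": "Execute", "GA": "GenericAll", "GR": "GenericRead", "RC": "ReadControl", "SD": "Delete"}
var aceTypes = map[string]string{"A": "Allow", "D": "Deny", "AU": "Audit"}
var compRe, aceRe = regexp.MustCompile(`[OGDS]:`), regexp.MustCompile(`\(([^)]*)\)`)

func lookup(m map[string]string, k string) string {
	if v, ok := m[k]; ok {
		return v
	}
	return k // raw SID (S-1-...), hex mask or an alias not in the table
}

// rights expands concatenated two-letter right codes ("FRFX" -> "Read|Execute"); a hex mask stays as-is.
func rights(r string) string {
	if strings.HasPrefix(r, "0x") {
		return r
	}
	var names []string
	for ; len(r) >= 2; r = r[2:] {
		names = append(names, lookup(rightNames, r[:2]))
	}
	return strings.Join(names, "|")
}

// Translate splits a descriptor at its O:, G:, D: and S: markers (in non-conditional SDDL a colon only
// marks a component) and renders each "(type;flags;rights;objguid;inhguid;sid)" ACE as one line.
func Translate(sddl string) []string {
	var out []string
	parts := compRe.Split(sddl, -1)[1:] // component values; Split yields "" before the first marker
	for i, mk := range compRe.FindAllString(sddl, -1) {
		for _, a := range aceRe.FindAllStringSubmatch(parts[i], -1) { // O: and G: carry no ACEs
			if f := strings.Split(a[1], ";"); len(f) >= 6 { // skip malformed ACEs (fewer than six fields)
				out = append(out, fmt.Sprintf("%sACL %s %s: %s [%s]", strings.TrimSuffix(mk, ":"), lookup(aceTypes, f[0]), lookup(sidNames, f[5]), rights(f[2]), f[1]))
			}
		}
	}
	return out
}

func main() { // constructed sample descriptor, not taken from a real event
	fmt.Println(strings.Join(Translate("O:BAG:SYD:PAI(A;;FA;;;SY)(A;;0x1200a9;;;BU)S:AI(AU;SAFA;FA;;;WD)"), "\n"))
}
```

The bracketed suffix on each line is the raw ACE flag field, so an audit ACE shows whether it records successes, failures or both.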
Why is it important?
Auditing changes to audit policies and event sources is crucial when we want a strong security monitoring system. Monitoring these kinds of events is also important when we address compliance (SOX, PCI, HIPAA, etc.).
The related.ip information is useful when we want to pivot between different data sources. For example:
Fortinet event 37141 indicates that a user is connected to an SSL VPN, where tunnelip is the assigned address. tunnelip is also copied into the related.ip field.
Windows Event 4624 indicates a Windows logon from a source.ip. If source.ip is also in related.ip, it is easy to match the user connected through the VPN with a Windows logon.
Checklist
CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.