Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added related.user Field #694

Merged
merged 3 commits into from
Dec 17, 2019
Merged

Added related.user Field #694

merged 3 commits into from
Dec 17, 2019

Conversation

janniten
Copy link
Contributor

From discussions #589 and #678 and from working with windows events elastic/beats#13530 in the winlogbeat security module many events has related users.
In spite of what naming convention/schema will be chosen to represent n-ary user relationships it would be useful to have the related.user field in order to facilitate pivoting.

@webmat webmat mentioned this pull request Dec 16, 2019
Closed
webmat
webmat reviewed Dec 16, 2019
View reviewed changes
Copy link
Contributor

@webmat webmat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please fix the changelog, and I think we're good to merge this.

CHANGELOG.next.md Outdated
@@ -1,63 +1,34 @@
<!-- When adding an entry to the Changelog:

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@janniten You're accidentally overwriting the current changelog with an older format.

To fix this, you can run git checkout CHANGELOG.next.md and then introducing your changelog entry after that ;-)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed (I think so : ) )

webmat
webmat approved these changes Dec 17, 2019
View reviewed changes
Copy link
Contributor

@webmat webmat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes it is, thank you @janniten :-)

@webmat webmat merged commit 6d3b2cc into elastic:master Dec 17, 2019
@janniten janniten deleted the related.user branch December 18, 2019 09:09
@janniten janniten mentioned this pull request Dec 19, 2019
Merged
andrewkroh added a commit to elastic/beats that referenced this pull request Feb 5, 2020
@janniten @leehinman @andrewkroh
Add audit/computer/distribution groups management events to Security …
e624aef 
…module (#15217)

Added Audit and Log Management related events, Computer Object Management Events, Distribution Groups Events. Changed user.name field for user management events and related.user mapping.

New Events

Due to that Windows events are the source of information for Winlogbeat the events 1100, 1102, 1104, 1105, 1108 and 4719 has been added in order to monitor changes in the audit policy configuration, log deletion and other failures in the log subsystem.

For event 4719, a human readable description was added in order to know which setting was modified (winlog.event_data.SubCategory) and to which value (winlog.event_data.AuditPolicyChangesDescription).

Distribution Groups (Security-Disabled) Management Events were added. Those events are processed in the same way and with the same function that Security Groups (#14299). In order to add information about the nature of the group being managed the type (Security-Disabled/Security-Enabled) and scope (Local,Global,Universal) where added as winlog.group.type and winlog.group.scope.

ComputerObject Management events were also added.

Changes to ECS mappings

In elastic/ecs#678 and elastic/ecs#589 we have been discussing how n-ary relationship between users in an event should be named and mapping into ECS. In #13530 winlog.event_data.TargetUserName has been mapped to user.name but from the reasons exposed in elastic/ecs#678 and elastic/ecs#589 the mapping winlog.event_data.SubjectUserName -> user.name is more appropriate. This mapping was changed.

Also, with the adding of related fields in ECS 1.3 and specifically the related.user field (elastic/ecs#694) all the user names appearing in one event were mapped to the related user events. Every time a SubjectUserName or TargetUserName is copied also is added to the related.user field, as well as other users appearing in the event.

Event test data were added for all events with the exception of event 1108 which I was not able to reproduce.

Co-authored-by: Lee Hinman <[email protected]>
Co-authored-by: Andrew Kroh <[email protected]>
andrewkroh pushed a commit to andrewkroh/beats that referenced this pull request Mar 18, 2020
@janniten @andrewkroh
Add audit/computer/distribution groups management events to Security …
73c2a96 
…module (elastic#15217)

Added Audit and Log Management related events, Computer Object Management Events, Distribution Groups Events. Changed user.name field for user management events and related.user mapping.

New Events

Due to that Windows events are the source of information for Winlogbeat the events 1100, 1102, 1104, 1105, 1108 and 4719 has been added in order to monitor changes in the audit policy configuration, log deletion and other failures in the log subsystem.

For event 4719, a human readable description was added in order to know which setting was modified (winlog.event_data.SubCategory) and to which value (winlog.event_data.AuditPolicyChangesDescription).

Distribution Groups (Security-Disabled) Management Events were added. Those events are processed in the same way and with the same function that Security Groups (elastic#14299). In order to add information about the nature of the group being managed the type (Security-Disabled/Security-Enabled) and scope (Local,Global,Universal) where added as winlog.group.type and winlog.group.scope.

ComputerObject Management events were also added.

Changes to ECS mappings

In elastic/ecs#678 and elastic/ecs#589 we have been discussing how n-ary relationship between users in an event should be named and mapping into ECS. In elastic#13530 winlog.event_data.TargetUserName has been mapped to user.name but from the reasons exposed in elastic/ecs#678 and elastic/ecs#589 the mapping winlog.event_data.SubjectUserName -> user.name is more appropriate. This mapping was changed.

Also, with the adding of related fields in ECS 1.3 and specifically the related.user field (elastic/ecs#694) all the user names appearing in one event were mapped to the related user events. Every time a SubjectUserName or TargetUserName is copied also is added to the related.user field, as well as other users appearing in the event.

Event test data were added for all events with the exception of event 1108 which I was not able to reproduce.

Co-authored-by: Lee Hinman <[email protected]>
Co-authored-by: Andrew Kroh <[email protected]>
(cherry picked from commit e624aef)
@andrewkroh andrewkroh mentioned this pull request Mar 18, 2020
Merged
andrewkroh added a commit to elastic/beats that referenced this pull request Mar 18, 2020
@andrewkroh
Cherry-pick #15217 to 7.x: Audit/Computer/Distribution Groups Managem…
e818bf8 
…ent Events - ECS related.user field mapping (#17090)

Added Audit and Log Management related events, Computer Object Management Events, Distribution Groups Events. Changed user.name field for user management events and related.user mapping.

New Events

Due to that Windows events are the source of information for Winlogbeat the events 1100, 1102, 1104, 1105, 1108 and 4719 has been added in order to monitor changes in the audit policy configuration, log deletion and other failures in the log subsystem.

For event 4719, a human readable description was added in order to know which setting was modified (winlog.event_data.SubCategory) and to which value (winlog.event_data.AuditPolicyChangesDescription).

Distribution Groups (Security-Disabled) Management Events were added. Those events are processed in the same way and with the same function that Security Groups (#14299). In order to add information about the nature of the group being managed the type (Security-Disabled/Security-Enabled) and scope (Local,Global,Universal) where added as winlog.group.type and winlog.group.scope.

ComputerObject Management events were also added.

Changes to ECS mappings

In elastic/ecs#678 and elastic/ecs#589 we have been discussing how n-ary relationship between users in an event should be named and mapping into ECS. In #13530 winlog.event_data.TargetUserName has been mapped to user.name but from the reasons exposed in elastic/ecs#678 and elastic/ecs#589 the mapping winlog.event_data.SubjectUserName -> user.name is more appropriate. This mapping was changed.

Also, with the adding of related fields in ECS 1.3 and specifically the related.user field (elastic/ecs#694) all the user names appearing in one event were mapped to the related user events. Every time a SubjectUserName or TargetUserName is copied also is added to the related.user field, as well as other users appearing in the event.

Event test data were added for all events with the exception of event 1108 which I was not able to reproduce.

Co-authored-by: Lee Hinman <[email protected]>
Co-authored-by: Andrew Kroh <[email protected]>
Co-authored-by: Anabella Cristaldi <[email protected]>

(cherry picked from commit e624aef)
dcode pushed a commit to dcode/ecs that referenced this pull request Apr 15, 2020
@janniten @dcode
Added related.user field (elastic#694)
43a2e53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@webmat webmat webmat approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@janniten @webmat