Add Winlogbeat Security Module Doc (elastic#23674)
* Add Winlogbeat Security Module Doc

* Update source file used to generate security module docs
janniten authored Jan 26, 2021
1 parent 8281bfa commit ee485bd
Showing 2 changed files with 32 additions and 0 deletions.
16 changes: 16 additions & 0 deletions winlogbeat/docs/modules/security.asciidoc
Expand Up @@ -16,6 +16,7 @@ The module has transformations for the following event IDs:
* 4634 - An account was logged off.
* 4647 - User initiated logoff (interactive logon types).
* 4648 - A logon was attempted using explicit credentials.
* 4670 - Permissions on an object were changed.
* 4672 - Special privileges assigned to new logon.
* 4673 - A privileged service was called.
* 4674 - An operation was attempted on a privileged object.
Expand All @@ -27,6 +28,12 @@ The module has transformations for the following event IDs:
* 4700 - A scheduled task was enabled.
* 4701 - A scheduled task was disabled.
* 4702 - A scheduled task was updated.
* 4706 - A new trust was created to a domain.
* 4707 - A trust to a domain was removed.
* 4713 - Kerberos policy was changed.
* 4716 - Trusted domain information was modified.
* 4717 - System security access was granted to an account.
* 4718 - System security access was removed from an account.
* 4719 - System audit policy was changed.
* 4720 - A user account was created.
* 4722 - A user account was enabled.
Expand All @@ -45,6 +52,7 @@ The module has transformations for the following event IDs:
* 4735 - A security-enabled local group was changed.
* 4737 - A security-enabled global group was changed.
* 4738 - An user account was changed.
* 4739 - Domain Policy was changed.
* 4740 - An user account was locked out.
* 4741 - A computer account was created.
* 4742 - A computer account was changed.
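Review bot: On the added 4739 line, "Domain Policy was changed." capitalizes "Policy", while the other policy entries visible in this commit use lower case ("Kerberos policy was changed.", "System audit policy was changed."). Either lower-case it to match, or state above the list that the descriptions reproduce the Windows event titles verbatim so the mixed casing is understood as intentional. The neighboring context lines 4738 and 4740 read "An user account"; "A user account" could be corrected in the same pass.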
Expand Down Expand Up @@ -105,6 +113,14 @@ The module has transformations for the following event IDs:
* 4781 - The name of an account was changed.
* 4798 - A user's local group membership was enumerated.
* 4799 - A security-enabled local group membership was enumerated.
* 4817 - Auditing settings on object were changed.
* 4902 - The Per-user audit policy table was created.
* 4904 - An attempt was made to register a security event source.
* 4905 - An attempt was made to unregister a security event source.
* 4906 - The CrashOnAuditFail value has changed.
* 4907 - Auditing settings on object were changed.
* 4908 - Special Groups Logon table modified.
* 4912 - Per User Audit Policy was changed.
* 4964 - Special groups have been assigned to a new logon.

More event IDs will be added.
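Review bot: 4817 and 4907 are added with the identical description "Auditing settings on object were changed.", so a reader scanning this list for coverage cannot tell what distinguishes the two IDs. Add a short qualifier to each line saying which kind of auditing setting or object each event covers, or a sentence under the list explaining the difference, so that someone mapping detections to this module knows which one they need.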
16 changes: 16 additions & 0 deletions x-pack/winlogbeat/module/security/_meta/docs.asciidoc
Expand Up @@ -16,6 +16,7 @@ The module has transformations for the following event IDs:
* 4634 - An account was logged off.
* 4647 - User initiated logoff (interactive logon types).
* 4648 - A logon was attempted using explicit credentials.
* 4670 - Permissions on an object were changed.
* 4672 - Special privileges assigned to new logon.
* 4673 - A privileged service was called.
* 4674 - An operation was attempted on a privileged object.
Expand All @@ -27,6 +28,12 @@ The module has transformations for the following event IDs:
* 4700 - A scheduled task was enabled.
* 4701 - A scheduled task was disabled.
* 4702 - A scheduled task was updated.
* 4706 - A new trust was created to a domain.
* 4707 - A trust to a domain was removed.
* 4713 - Kerberos policy was changed.
* 4716 - Trusted domain information was modified.
* 4717 - System security access was granted to an account.
* 4718 - System security access was removed from an account.
* 4719 - System audit policy was changed.
* 4720 - A user account was created.
* 4722 - A user account was enabled.
Expand All @@ -45,6 +52,7 @@ The module has transformations for the following event IDs:
* 4735 - A security-enabled local group was changed.
* 4737 - A security-enabled global group was changed.
* 4738 - An user account was changed.
* 4739 - Domain Policy was changed.
* 4740 - An user account was locked out.
* 4741 - A computer account was created.
* 4742 - A computer account was changed.
Expand Down Expand Up @@ -105,6 +113,14 @@ The module has transformations for the following event IDs:
* 4781 - The name of an account was changed.
* 4798 - A user's local group membership was enumerated.
* 4799 - A security-enabled local group membership was enumerated.
* 4817 - Auditing settings on object were changed.
* 4902 - The Per-user audit policy table was created.
* 4904 - An attempt was made to register a security event source.
* 4905 - An attempt was made to unregister a security event source.
* 4906 - The CrashOnAuditFail value has changed.
* 4907 - Auditing settings on object were changed.
* 4908 - Special Groups Logon table modified.
* 4912 - Per User Audit Policy was changed.
* 4964 - Special groups have been assigned to a new logon.

More event IDs will be added.
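Review bot: The added audit-policy lines are worded inconsistently: 4902 has "Per-user audit policy", 4912 has "Per User Audit Policy", and 4908 "Special Groups Logon table modified." drops the auxiliary verb that the neighboring lines keep ("was created", "was changed"). If this _meta file is the source the commit message refers to, normalize the wording here and regenerate winlogbeat/docs/modules/security.asciidoc from it, rather than hand-editing both copies, so the two lists cannot drift apart.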