Improve user mappings (elastic#1944)
marc-gr committed Oct 19, 2021
1 parent 8f6cb6f commit dcc9f82
Showing 30 changed files with 281 additions and 57 deletions.
5 changes: 5 additions & 0 deletions packages/system/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.5.0"
changes:
- description: Better user mappings for security events
type: enhancement
link: https://github.com/elastic/integrations/pull/1944
- version: "1.4.2"
changes:
- description: Prevent pipeline script error
@@ -64,7 +64,7 @@
"name": "DC_TEST2k12.TEST.SAAS"
},
"event": {
"ingested": "2021-07-30T21:06:04.767568644Z",
"ingested": "2021-10-19T11:55:16.331823600Z",
"code": "4746",
"provider": "Microsoft-Windows-Security-Auditing",
"kind": "event",
@@ -84,6 +84,7 @@
"domain": "TEST",
"target": {
"name": "Administrator",
"domain": "SAAS",
"group": {
"name": "testdistlocal1",
"domain": "TEST",
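Review bot: In the second hunk of the 4746 fixture the new `user.target.domain` is `"SAAS"`, while the `domain` just above `target` (presumably the acting user's) and the group's `domain` are both `"TEST"` and the host is `DC_TEST2k12.TEST.SAAS`, so one directory is named two different ways inside a single event. The pipeline change is not visible on this page; the value looks as if it came from a single `DC=` component of the member's distinguished name, which should be confirmed. For correlation on `user.target.domain` it would be safer to emit the form already used next to it, `"domain": "TEST"`, or the full DNS form the 4768 fixture uses, `"TEST.SAAS"`. The enclosing object starts and ends outside the hunk, and the same value appears in the 4747, 4751, 4752, 4761 and 4762 fixtures.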
@@ -64,7 +64,7 @@
"name": "DC_TEST2k12.TEST.SAAS"
},
"event": {
"ingested": "2021-07-30T21:06:04.888936317Z",
"ingested": "2021-10-19T11:55:16.621125Z",
"code": "4747",
"provider": "Microsoft-Windows-Security-Auditing",
"kind": "event",
@@ -84,6 +84,7 @@
"domain": "TEST",
"target": {
"name": "Administrator",
"domain": "SAAS",
"group": {
"name": "testdistlocal1",
"domain": "TEST",
@@ -64,7 +64,7 @@
"name": "DC_TEST2k12.TEST.SAAS"
},
"event": {
"ingested": "2021-07-30T21:06:05.313669028Z",
"ingested": "2021-10-19T11:55:17.565769200Z",
"code": "4751",
"provider": "Microsoft-Windows-Security-Auditing",
"kind": "event",
@@ -84,6 +84,7 @@
"domain": "TEST",
"target": {
"name": "Administrator",
"domain": "SAAS",
"group": {
"name": "testglobal1",
"domain": "TEST",
@@ -64,7 +64,7 @@
"name": "DC_TEST2k12.TEST.SAAS"
},
"event": {
"ingested": "2021-07-30T21:06:05.414207722Z",
"ingested": "2021-10-19T11:55:17.906691Z",
"code": "4752",
"provider": "Microsoft-Windows-Security-Auditing",
"kind": "event",
@@ -84,6 +84,7 @@
"domain": "TEST",
"target": {
"name": "Administrator",
"domain": "SAAS",
"group": {
"name": "testglobal1",
"domain": "TEST",
@@ -64,7 +64,7 @@
"name": "DC_TEST2k12.TEST.SAAS"
},
"event": {
"ingested": "2021-07-30T21:06:05.791134249Z",
"ingested": "2021-10-19T11:55:18.871413700Z",
"code": "4761",
"provider": "Microsoft-Windows-Security-Auditing",
"kind": "event",
@@ -84,6 +84,7 @@
"domain": "TEST",
"target": {
"name": "Administrator",
"domain": "SAAS",
"group": {
"name": "testuni2",
"domain": "TEST",
@@ -64,7 +64,7 @@
"name": "DC_TEST2k12.TEST.SAAS"
},
"event": {
"ingested": "2021-07-30T21:06:05.889044291Z",
"ingested": "2021-10-19T11:55:19.143941900Z",
"code": "4762",
"provider": "Microsoft-Windows-Security-Auditing",
"kind": "event",
@@ -84,6 +84,7 @@
"domain": "TEST",
"target": {
"name": "Administrator",
"domain": "SAAS",
"group": {
"name": "testuni2",
"domain": "TEST",
@@ -77,7 +77,7 @@
"name": "DC_TEST2k12.TEST.SAAS"
},
"event": {
"ingested": "2021-07-30T21:06:06.837533884Z",
"ingested": "2021-10-19T11:55:21.246497500Z",
"code": "4768",
"provider": "Microsoft-Windows-Security-Auditing",
"kind": "event",
@@ -92,7 +92,8 @@
},
"user": {
"name": "at_adm",
"domain": "TEST.SAAS"
"domain": "TEST.SAAS",
"id": "S-1-5-21-1717121054-434620538-60925301-2794"
}
}
]
@@ -73,7 +73,7 @@
"name": "DC_TEST2k12.TEST.SAAS"
},
"event": {
"ingested": "2021-07-30T21:06:07.159369727Z",
"ingested": "2021-10-19T11:55:22.001023400Z",
"code": "4771",
"provider": "Microsoft-Windows-Security-Auditing",
"kind": "event",
@@ -87,7 +87,8 @@
"outcome": "failure"
},
"user": {
"name": "MPUIG"
"name": "MPUIG",
"id": "S-1-5-21-1717121054-434620538-60925301-3057"
}
}
]
@@ -62,7 +62,7 @@
"name": "WIN-41OB2LO92CR"
},
"event": {
"ingested": "2021-07-30T21:06:09.468417917Z",
"ingested": "2021-10-19T11:55:27.016591Z",
"code": "4722",
"provider": "Microsoft-Windows-Security-Auditing",
"kind": "event",
@@ -78,8 +78,13 @@
},
"user": {
"name": "Administrator",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500"
"target": {
"name": "audittest",
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-1000"
}
}
},
{
@@ -144,7 +149,7 @@
"name": "WIN-41OB2LO92CR"
},
"event": {
"ingested": "2021-07-30T21:06:09.468420621Z",
"ingested": "2021-10-19T11:55:27.016600700Z",
"code": "4722",
"provider": "Microsoft-Windows-Security-Auditing",
"kind": "event",
@@ -160,8 +165,13 @@
},
"user": {
"name": "Administrator",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500"
"target": {
"name": "audittest0609",
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-1006"
}
}
}
]
@@ -62,7 +62,7 @@
"name": "WIN-41OB2LO92CR"
},
"event": {
"ingested": "2021-07-30T21:06:09.676454372Z",
"ingested": "2021-10-19T11:55:27.450128800Z",
"code": "4723",
"provider": "Microsoft-Windows-Security-Auditing",
"kind": "event",
@@ -78,8 +78,13 @@
},
"user": {
"name": "Administrator",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500"
"target": {
"name": "Administrator",
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500"
}
}
},
{
@@ -144,7 +149,7 @@
"name": "WIN-41OB2LO92CR"
},
"event": {
"ingested": "2021-07-30T21:06:09.676457128Z",
"ingested": "2021-10-19T11:55:27.450137Z",
"code": "4723",
"provider": "Microsoft-Windows-Security-Auditing",
"kind": "event",
@@ -160,8 +165,13 @@
},
"user": {
"name": "Administrator",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500"
"target": {
"name": "Administrator",
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500"
}
}
}
]
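Review bot: Both expected events for code 4723 have a `user.target` that is identical to the acting user (`Administrator`, SID ending in `-500`), so this fixture would still match if the pipeline filled `user.target.*` from the subject fields instead of the target fields. The 4722, 4724, 4725 and 4726 fixtures do show a distinct target account, so the gap is specific to this event code. Adding one 4723 sample in which the subject and target accounts differ would pin the mapping here as well. The input events and the pipeline are not visible on this page, so whether such a sample exists elsewhere should be checked.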
@@ -62,7 +62,7 @@
"name": "WIN-41OB2LO92CR"
},
"event": {
"ingested": "2021-07-30T21:06:09.855345755Z",
"ingested": "2021-10-19T11:55:27.912761300Z",
"code": "4724",
"provider": "Microsoft-Windows-Security-Auditing",
"kind": "event",
@@ -78,8 +78,13 @@
},
"user": {
"name": "Administrator",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500"
"target": {
"name": "elastictest1",
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-1005"
}
}
},
{
@@ -144,7 +149,7 @@
"name": "WIN-41OB2LO92CR"
},
"event": {
"ingested": "2021-07-30T21:06:09.855372883Z",
"ingested": "2021-10-19T11:55:27.912770100Z",
"code": "4724",
"provider": "Microsoft-Windows-Security-Auditing",
"kind": "event",
@@ -160,8 +165,13 @@
},
"user": {
"name": "Administrator",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500"
"target": {
"name": "audittest0609",
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-1006"
}
}
}
]
@@ -62,7 +62,7 @@
"name": "WIN-41OB2LO92CR"
},
"event": {
"ingested": "2021-07-30T21:06:10.021979420Z",
"ingested": "2021-10-19T11:55:28.349650400Z",
"code": "4725",
"provider": "Microsoft-Windows-Security-Auditing",
"kind": "event",
@@ -78,8 +78,13 @@
},
"user": {
"name": "Administrator",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500"
"target": {
"name": "audittest",
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-1000"
}
}
},
{
@@ -144,7 +149,7 @@
"name": "WIN-41OB2LO92CR"
},
"event": {
"ingested": "2021-07-30T21:06:10.021981930Z",
"ingested": "2021-10-19T11:55:28.349659100Z",
"code": "4725",
"provider": "Microsoft-Windows-Security-Auditing",
"kind": "event",
@@ -160,8 +165,13 @@
},
"user": {
"name": "Administrator",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500"
"target": {
"name": "audittest0609",
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-1006"
}
}
}
]
@@ -63,7 +63,7 @@
"name": "WIN-41OB2LO92CR"
},
"event": {
"ingested": "2021-07-30T21:06:10.186637182Z",
"ingested": "2021-10-19T11:55:28.808472500Z",
"code": "4726",
"provider": "Microsoft-Windows-Security-Auditing",
"kind": "event",
@@ -79,8 +79,13 @@
},
"user": {
"name": "Administrator",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500"
"target": {
"name": "audittest23",
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-1001"
}
}
},
{
@@ -146,7 +151,7 @@
"name": "WIN-41OB2LO92CR"
},
"event": {
"ingested": "2021-07-30T21:06:10.186639172Z",
"ingested": "2021-10-19T11:55:28.808476700Z",
"code": "4726",
"provider": "Microsoft-Windows-Security-Auditing",
"kind": "event",
@@ -162,8 +167,13 @@
},
"user": {
"name": "Administrator",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-500"
"target": {
"name": "audittest",
"domain": "WIN-41OB2LO92CR",
"id": "S-1-5-21-101361758-2486510592-3018839910-1000"
}
}
}
]