[Winlogbeat] ECS 1.9 user.changes.*, user.effective.*, user.target.* (#…

…26509) * Add Winlogbeat Security Module Doc * ECS 1.9 new user fields * Add Documentation * Update x-pack/winlogbeat/module/security/config/winlogbeat-security.js Co-authored-by: Adrian Serrano <adrisr83@gmail.com> * Update x-pack/winlogbeat/module/security/config/winlogbeat-security.js Co-authored-by: Adrian Serrano <adrisr83@gmail.com> * Suggeted changes by adriansr * Regenerate golden files * Fix changelog and remove ~/go/src/github.com/elastic/integrations/packages/cisco_meraki values * Fix typo * Regenerate test files * Check for empty values on target user Co-authored-by: Adrian Serrano <adrisr83@gmail.com> Co-authored-by: Marc Guasch <marc.guasch@elastic.co>
elastic · Oct 19, 2021 · 04ce8a5 · 04ce8a5
1 parent e6de79f
commit 04ce8a5
Show file tree

Hide file tree

Showing 28 changed files with 217 additions and 35 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -449,6 +449,7 @@ for a few releases. Please use other tools provided by Elastic to fetch data fro
 - Protect against accessing undefined variables in Sysmon module. {issue}22219[22219] {pull}22236[22236]
 - Protect against accessing an undefined variable in Security module. {pull}22937[22937]
 - Tolerate faults when Windows Event Log session is interrupted {issue}27947[27947] {pull}28191[28191]
+- Add ECS 1.9 new users fields {pull}26509[26509]
 
 *Functionbeat*
 

diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
@@ -1907,14 +1907,14 @@ var security = (function () {
 
  var copyTargetUser = function(evt) {
  var targetUserId = evt.Get("winlog.event_data.TargetUserSid");
+ if (!targetUserId) targetUserId = evt.Get("winlog.event_data.TargetSid");
  if (targetUserId) {
  if (evt.Get("user.id")) evt.Put("user.target.id", targetUserId);
  else evt.Put("user.id", targetUserId);
  }
-
  var targetUserName = evt.Get("winlog.event_data.TargetUserName");
  if (targetUserName) {
- if (/.@*/.test(targetUserName)) {
+ if (targetUserName.indexOf('@')>0) {
  targetUserName = targetUserName.split('@')[0];
  }
 
@@ -1930,6 +1930,71 @@ var security = (function () {
  }
  }
 
+ var removeIfEmptyOrHyphen = function(evt, key) {
+ var val = evt.Get(key);
+ if (!val || val === "-") {
+ evt.Delete(key);
+ return true;
+ }
+ return false;
+ }
+
+ var copyTargetUserToEffective = new processor.Chain()
+ .Convert({
+ fields: [
+ {from: "winlog.event_data.TargetUserSid", to: "user.effective.id"},
+ {from: "winlog.event_data.TargetUserName", to: "user.effective.name"},
+ {from: "winlog.event_data.TargetDomainName", to: "user.effective.domain"},
+ ],
+ ignore_missing: true,
+ })
+ .Add(function(evt) {
+ var user = evt.Get("winlog.event_data.TargetUserName");
+ if (user) {
+ if (user.indexOf('@')>0) {
+ user = user.split('@')[0];
+ evt.Put('user.effective.name', user);
+ }
+ }
+ })
+ .Add(function(evt) {
+ if (!removeIfEmptyOrHyphen(evt, "user.effective.name")) {
+ evt.AppendTo("related.user", evt.Get("user.effective.name"));
+ }
+ removeIfEmptyOrHyphen(evt, "user.effective.domain");
+ removeIfEmptyOrHyphen(evt, "user.effective.id");
+ })
+ .Build();
+
+ var copyTargetUserToTarget = new processor.Chain()
+ .Convert({
+ fields: [
+ {from: "winlog.event_data.TargetSid", to: "user.target.id"},
+ {from: "winlog.event_data.TargetUserName", to: "user.target.name"},
+ {from: "winlog.event_data.TargetDomainName", to: "user.target.domain"},
+ ],
+ ignore_missing: true,
+ })
+ .Add(function(evt) {
+ var user = evt.Get("winlog.event_data.TargetUserName");
+ if (user) {
+ if (user.indexOf('@')>0) {
+ user = user.split('@')[0];
+ evt.Put('user.target.name', user);
+ }
+ evt.AppendTo('related.user', user);
+ }
+ })
+ .Add(function(evt) {
+ if (!removeIfEmptyOrHyphen(evt, "user.target.name")) {
+ evt.AppendTo("related.user", evt.Get("user.target.name"));
+ }
+ removeIfEmptyOrHyphen(evt, "user.target.domain");
+ removeIfEmptyOrHyphen(evt, "user.target.id");
+ })
+ .Build();
+
+
  var copyMemberToUser = function(evt) {
  var member = evt.Get("winlog.event_data.MemberName");
  if (!member) {
@@ -1940,6 +2005,11 @@ var security = (function () {
 
  evt.AppendTo("related.user", userName);
  evt.Put("user.target.name", userName);
+
+ var domainName = member.split(',')[3];
+ if (domainName) {
+ evt.Put("user.target.domain", domainName.replace('DC=', '').replace('dc=', ''));
+ }
  }
 
  var copyTargetUserToGroup = new processor.Chain()
@@ -2130,10 +2200,11 @@ var security = (function () {
 
  // Handles both 4648
  var event4648 = new processor.Chain()
- .Add(copyTargetUser)
+ .Add(copySubjectUser)
  .Add(copySubjectUserLogonId)
  .Add(renameCommonAuthFields)
  .Add(addEventFields)
+ .Add(copyTargetUserToEffective)
  .Add(function(evt) {
  var user = evt.Get("winlog.event_data.SubjectUserName");
  if (user) {
@@ -2173,16 +2244,8 @@ var security = (function () {
  .Add(copySubjectUser)
  .Add(copySubjectUserLogonId)
  .Add(renameNewProcessFields)
+ .Add(copyTargetUserToEffective)
  .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.TargetUserName");
- if (user) {
- var res = /^-$/.test(user);
- if (!res) {
- evt.AppendTo('related.user', user);
- }
- }
- })
  .Build();
 
  var event4689 = new processor.Chain()
@@ -2206,10 +2269,7 @@ var security = (function () {
  .Add(renameCommonAuthFields)
  .Add(addUACDescription)
  .Add(addEventFields)
- .Add(function(evt) {
- var user = evt.Get("winlog.event_data.TargetUserName");
- evt.AppendTo('related.user', user);
- })
+ .Add(copyTargetUserToTarget)
  .Build();
 
  var userRenamed = new processor.Chain()
@@ -2221,6 +2281,12 @@ var security = (function () {
  evt.AppendTo('related.user', userNew);
  var userOld = evt.Get("winlog.event_data.OldTargetUserName");
  evt.AppendTo('related.user', userOld);
+ if (userOld) {
+ evt.Put('user.target.name', userOld);
+ }
+ if (userNew) {
+ evt.Put('user.changes.name', userNew);
+ }
  })
  .Build();
 
@@ -2359,6 +2425,7 @@ var security = (function () {
  .Add(copySubjectUserLogonId)
  .Add(renameCommonAuthFields)
  .Add(addEventFields)
+ .Add(copyTargetUserToTarget)
  .Add(function(evt) {
  var oldSd = evt.Get("winlog.event_data.OldSd");
  var newSd = evt.Get("winlog.event_data.NewSd");

diff --git a/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json
@@ -38,6 +38,7 @@
  "id": "S-1-5-21-1717121054-434620538-60925301-2794",
  "name": "at_adm",
  "target": {
+ "domain": "SAAS",
  "group": {
  "domain": "TEST",
  "id": "S-1-5-21-1717121054-434620538-60925301-2903",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json
@@ -38,6 +38,7 @@
  "id": "S-1-5-21-1717121054-434620538-60925301-2794",
  "name": "at_adm",
  "target": {
+ "domain": "SAAS",
  "group": {
  "domain": "TEST",
  "id": "S-1-5-21-1717121054-434620538-60925301-2903",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json
@@ -38,6 +38,7 @@
  "id": "S-1-5-21-1717121054-434620538-60925301-2794",
  "name": "at_adm",
  "target": {
+ "domain": "SAAS",
  "group": {
  "domain": "TEST",
  "id": "S-1-5-21-1717121054-434620538-60925301-2904",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json
@@ -38,6 +38,7 @@
  "id": "S-1-5-21-1717121054-434620538-60925301-2794",
  "name": "at_adm",
  "target": {
+ "domain": "SAAS",
  "group": {
  "domain": "TEST",
  "id": "S-1-5-21-1717121054-434620538-60925301-2904",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json
@@ -38,6 +38,7 @@
  "id": "S-1-5-21-1717121054-434620538-60925301-2794",
  "name": "at_adm",
  "target": {
+ "domain": "SAAS",
  "group": {
  "domain": "TEST",
  "id": "S-1-5-21-1717121054-434620538-60925301-2905",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json
@@ -38,6 +38,7 @@
  "id": "S-1-5-21-1717121054-434620538-60925301-2794",
  "name": "at_adm",
  "target": {
+ "domain": "SAAS",
  "group": {
  "domain": "TEST",
  "id": "S-1-5-21-1717121054-434620538-60925301-2905",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json
@@ -31,6 +31,7 @@
  },
  "user": {
  "domain": "TEST.SAAS",
+ "id": "S-1-5-21-1717121054-434620538-60925301-2794",
  "name": "at_adm"
  },
  "winlog": {

diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json
@@ -30,6 +30,7 @@
  "port": 53366
  },
  "user": {
+ "id": "S-1-5-21-1717121054-434620538-60925301-3057",
  "name": "MPUIG"
  },
  "winlog": {

diff --git a/.../module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json b/.../module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json
@@ -31,7 +31,12 @@
  "user": {
  "domain": "WIN-41OB2LO92CR",
  "id": "S-1-5-21-101361758-2486510592-3018839910-500",
- "name": "Administrator"
+ "name": "Administrator",
+ "target": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1005",
+ "name": "elastictest1"
+ }
  },
  "winlog": {
  "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
@@ -126,7 +131,12 @@
  "user": {
  "domain": "WIN-41OB2LO92CR",
  "id": "S-1-5-21-101361758-2486510592-3018839910-500",
- "name": "Administrator"
+ "name": "Administrator",
+ "target": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1006",
+ "name": "audittest0609"
+ }
  },
  "winlog": {
  "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",

diff --git a/.../module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json b/.../module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json
@@ -31,7 +31,12 @@
  "user": {
  "domain": "WIN-41OB2LO92CR",
  "id": "S-1-5-21-101361758-2486510592-3018839910-500",
- "name": "Administrator"
+ "name": "Administrator",
+ "target": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1000",
+ "name": "audittest"
+ }
  },
  "winlog": {
  "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
@@ -99,7 +104,12 @@
  "user": {
  "domain": "WIN-41OB2LO92CR",
  "id": "S-1-5-21-101361758-2486510592-3018839910-500",
- "name": "Administrator"
+ "name": "Administrator",
+ "target": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1006",
+ "name": "audittest0609"
+ }
  },
  "winlog": {
  "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",

diff --git a/.../module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json b/.../module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json
@@ -28,7 +28,12 @@
  "user": {
  "domain": "WIN-41OB2LO92CR",
  "id": "S-1-5-21-101361758-2486510592-3018839910-500",
- "name": "Administrator"
+ "name": "Administrator",
+ "target": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator"
+ }
  },
  "winlog": {
  "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
@@ -94,7 +99,12 @@
  "user": {
  "domain": "WIN-41OB2LO92CR",
  "id": "S-1-5-21-101361758-2486510592-3018839910-500",
- "name": "Administrator"
+ "name": "Administrator",
+ "target": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator"
+ }
  },
  "winlog": {
  "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",

diff --git a/...t/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json b/...t/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json
@@ -31,7 +31,12 @@
  "user": {
  "domain": "WIN-41OB2LO92CR",
  "id": "S-1-5-21-101361758-2486510592-3018839910-500",
- "name": "Administrator"
+ "name": "Administrator",
+ "target": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1005",
+ "name": "elastictest1"
+ }
  },
  "winlog": {
  "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
@@ -99,7 +104,12 @@
  "user": {
  "domain": "WIN-41OB2LO92CR",
  "id": "S-1-5-21-101361758-2486510592-3018839910-500",
- "name": "Administrator"
+ "name": "Administrator",
+ "target": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1006",
+ "name": "audittest0609"
+ }
  },
  "winlog": {
  "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",

diff --git a/...module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json b/...module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json
@@ -31,7 +31,12 @@
  "user": {
  "domain": "WIN-41OB2LO92CR",
  "id": "S-1-5-21-101361758-2486510592-3018839910-500",
- "name": "Administrator"
+ "name": "Administrator",
+ "target": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1000",
+ "name": "audittest"
+ }
  },
  "winlog": {
  "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
@@ -99,7 +104,12 @@
  "user": {
  "domain": "WIN-41OB2LO92CR",
  "id": "S-1-5-21-101361758-2486510592-3018839910-500",
- "name": "Administrator"
+ "name": "Administrator",
+ "target": {
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1006",
+ "name": "audittest0609"
+ }
  },
  "winlog": {
  "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",