From d031fbf7ba6f7bca6555bb8a4e060ea873414cb4 Mon Sep 17 00:00:00 2001 
From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Tue, 19 Oct 2021 11:41:25 +0200 Subject: [PATCH] [Winlogbeat] ECS 1.9 user.changes.*, user.effective.*, user.target.* (#26509) (#28525) * Add Winlogbeat Security Module Doc * ECS 1.9 new user fields * Add Documentation * Update x-pack/winlogbeat/module/security/config/winlogbeat-security.js Co-authored-by: Adrian Serrano * Update x-pack/winlogbeat/module/security/config/winlogbeat-security.js Co-authored-by: Adrian Serrano * Suggeted changes by adriansr * Regenerate golden files * Fix changelog and remove ~/go/src/github.com/elastic/integrations/packages/cisco_meraki values * Fix typo * Regenerate test files * Check for empty values on target user Co-authored-by: Adrian Serrano Co-authored-by: Marc Guasch (cherry picked from commit 04ce8a5f5d0ddea5703e56a256e47d70b929fd2d) Co-authored-by: Anabella Cristaldi <33020901+janniten@users.noreply.github.com> --- CHANGELOG.next.asciidoc | 1 + .../security/config/winlogbeat-security.js | 99 ++++++++++++++++--- .../test/testdata/4746.evtx.golden.json | 1 + .../test/testdata/4747.evtx.golden.json | 1 + .../test/testdata/4751.evtx.golden.json | 1 + .../test/testdata/4752.evtx.golden.json | 1 + .../test/testdata/4761.evtx.golden.json | 1 + .../test/testdata/4762.evtx.golden.json | 1 + ...security-windows2012_4768.evtx.golden.json | 1 + ...security-windows2012_4771.evtx.golden.json | 1 + ...2016_4720_Account_Created.evtx.golden.json | 14 ++- ...2016_4722_Account_Enabled.evtx.golden.json | 14 ++- ...2016_4723_Password_Change.evtx.golden.json | 14 ++- ...s2016_4724_Password_Reset.evtx.golden.json | 14 ++- ...016_4725_Account_Disabled.evtx.golden.json | 14 ++- ...2016_4726_Account_Deleted.evtx.golden.json | 14 ++- ...security-windows2016_4728.evtx.golden.json | 1 + ...security-windows2016_4729.evtx.golden.json | 1 + ...security-windows2016_4732.evtx.golden.json | 1 + ...security-windows2016_4733.evtx.golden.json | 1 + 
...2016_4738_Account_Changed.evtx.golden.json | 14 ++- ...6_4740_Account_Locked_Out.evtx.golden.json | 7 +- ...security-windows2016_4756.evtx.golden.json | 1 + ...security-windows2016_4757.evtx.golden.json | 1 + ...016_4767_Account_Unlocked.evtx.golden.json | 7 +- ...2016_4781_Account_Renamed.evtx.golden.json | 16 ++- ...security-windows2016_4798.evtx.golden.json | 7 +- ...2019_4688_Process_Created.evtx.golden.json | 3 + 28 files changed, 217 insertions(+), 35 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 139114a9dd0..242170f7ef9 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -280,6 +280,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Winlogbeat* - Tolerate faults when Windows Event Log session is interrupted {issue}27947[27947] {pull}28191[28191] +- Add ECS 1.9 new users fields {pull}26509[26509] *Functionbeat* diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index 181e2612b46..76ef1f0b21e 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js @@ -1907,14 +1907,14 @@ var security = (function () { var copyTargetUser = function(evt) { var targetUserId = evt.Get("winlog.event_data.TargetUserSid"); + if (!targetUserId) targetUserId = evt.Get("winlog.event_data.TargetSid"); if (targetUserId) { if (evt.Get("user.id")) evt.Put("user.target.id", targetUserId); else evt.Put("user.id", targetUserId); } - var targetUserName = evt.Get("winlog.event_data.TargetUserName"); if (targetUserName) { - if (/.@*/.test(targetUserName)) { + if (targetUserName.indexOf('@')>0) { targetUserName = targetUserName.split('@')[0]; } 
@@ -1930,6 +1930,71 @@ var security = (function () { } } + var removeIfEmptyOrHyphen = function(evt, key) { + var val = evt.Get(key); + if (!val || val === "-") { + evt.Delete(key); + return true; + } + return false; + } + + var copyTargetUserToEffective = new processor.Chain() + .Convert({ + fields: [ + {from: "winlog.event_data.TargetUserSid", to: "user.effective.id"}, + {from: "winlog.event_data.TargetUserName", to: "user.effective.name"}, + {from: "winlog.event_data.TargetDomainName", to: "user.effective.domain"}, + ], + ignore_missing: true, + }) + .Add(function(evt) { + var user = evt.Get("winlog.event_data.TargetUserName"); + if (user) { + if (user.indexOf('@')>0) { + user = user.split('@')[0]; + evt.Put('user.effective.name', user); + } + } + }) + .Add(function(evt) { + if (!removeIfEmptyOrHyphen(evt, "user.effective.name")) { + evt.AppendTo("related.user", evt.Get("user.effective.name")); + } + removeIfEmptyOrHyphen(evt, "user.effective.domain"); + removeIfEmptyOrHyphen(evt, "user.effective.id"); + }) + .Build(); + + var copyTargetUserToTarget = new processor.Chain() + .Convert({ + fields: [ + {from: "winlog.event_data.TargetSid", to: "user.target.id"}, + {from: "winlog.event_data.TargetUserName", to: "user.target.name"}, + {from: "winlog.event_data.TargetDomainName", to: "user.target.domain"}, + ], + ignore_missing: true, + }) + .Add(function(evt) { + var user = evt.Get("winlog.event_data.TargetUserName"); + if (user) { + if (user.indexOf('@')>0) { + user = user.split('@')[0]; + evt.Put('user.target.name', user); + } + evt.AppendTo('related.user', user); + } + }) + .Add(function(evt) { + if (!removeIfEmptyOrHyphen(evt, "user.target.name")) { + evt.AppendTo("related.user", evt.Get("user.target.name")); + } + removeIfEmptyOrHyphen(evt, "user.target.domain"); + removeIfEmptyOrHyphen(evt, "user.target.id"); + }) + .Build(); + + var copyMemberToUser = function(evt) { var member = evt.Get("winlog.event_data.MemberName"); if (!member) { 
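Review bot: In copyTargetUserToTarget the first `.Add` calls `evt.AppendTo('related.user', user)` before any hyphen check, so a TargetUserName of "-" is written into related.user even though the second `.Add` then deletes `user.target.name` through removeIfEmptyOrHyphen and skips its own append; the 4688 handler this commit removes explicitly guarded against `-`, so this looks unintended. Dropping the line `evt.AppendTo('related.user', user);` from the first `.Add` fixes it, since the second `.Add` already appends the cleaned name (and copyTargetUserToEffective is built exactly that way), and it also avoids appending the same name twice unless AppendTo de-duplicates. Separately, removeIfEmptyOrHyphen treats only "" and "-" as absent, and the 4688 golden file in this change ends up with `user.effective.id: "S-1-0-0"` (the well-known null SID) with no name beside it; if that is not wanted, the id filter could treat that value as absent too. The `var` on the last line starts copyMemberToUser, whose body continues outside the hunk.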
@@ -1940,6 +2005,11 @@ var security = (function () { evt.AppendTo("related.user", userName); evt.Put("user.target.name", userName); + + var domainName = member.split(',')[3]; + if (domainName) { + evt.Put("user.target.domain", domainName.replace('DC=', '').replace('dc=', '')); + } } var copyTargetUserToGroup = new processor.Chain() @@ -2130,10 +2200,11 @@ var security = (function () { // Handles both 4648 var event4648 = new processor.Chain() - .Add(copyTargetUser) + .Add(copySubjectUser) .Add(copySubjectUserLogonId) .Add(renameCommonAuthFields) .Add(addEventFields) + .Add(copyTargetUserToEffective) .Add(function(evt) { var user = evt.Get("winlog.event_data.SubjectUserName"); if (user) { @@ -2173,16 +2244,8 @@ var security = (function () { .Add(copySubjectUser) .Add(copySubjectUserLogonId) .Add(renameNewProcessFields) + .Add(copyTargetUserToEffective) .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - if (user) { - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } - } - }) .Build(); var event4689 = new processor.Chain() @@ -2206,10 +2269,7 @@ var security = (function () { .Add(renameCommonAuthFields) .Add(addUACDescription) .Add(addEventFields) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - evt.AppendTo('related.user', user); - }) + .Add(copyTargetUserToTarget) .Build(); var userRenamed = new processor.Chain() @@ -2221,6 +2281,12 @@ var security = (function () { evt.AppendTo('related.user', userNew); var userOld = evt.Get("winlog.event_data.OldTargetUserName"); evt.AppendTo('related.user', userOld); + if (userOld) { + evt.Put('user.target.name', userOld); + } + if (userNew) { + evt.Put('user.changes.name', userNew); + } }) .Build(); 
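Review bot: The domain extraction added to copyMemberToUser, `member.split(',')[3]`, relies on the member DN having exactly two RDNs before the first `DC=` component; for a member under nested OUs index 3 is an `OU=` part, which `.replace('DC=', '')` does not strip, so user.target.domain would hold something like `OU=Corp`. Even for the flat DNs in the fixtures it picks the fourth component, which the updated goldens show to be the DNS suffix alone ("SAAS", "local") while the sibling group.domain holds "TEST"/"WLBEAT". Selecting every `DC=` component case-insensitively and joining them gives the DNS domain form ("TEST.SAAS") that the 4768 golden already uses for user.domain; that would also mean regenerating the goldens touched here. copyMemberToUser begins outside this hunk.
```javascript
    // … unchanged: MemberName parsing, related.user append, user.target.name …
    // Build the DNS domain from every DC= component (any case, any depth of OUs).
    var domainName = member.split(',')
        .filter(function (part) { return /^\s*dc=/i.test(part); })
        .map(function (part) { return part.trim().substring(3); })
        .join('.');
    if (domainName) {
        evt.Put("user.target.domain", domainName);
    }
```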
@@ -2359,6 +2425,7 @@ var security = (function () { .Add(copySubjectUserLogonId) .Add(renameCommonAuthFields) .Add(addEventFields) + .Add(copyTargetUserToTarget) .Add(function(evt) { var oldSd = evt.Get("winlog.event_data.OldSd"); var newSd = evt.Get("winlog.event_data.NewSd"); diff --git a/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json index d3dbd3d19b5..b6187500440 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json @@ -38,6 +38,7 @@ "id": "S-1-5-21-1717121054-434620538-60925301-2794", "name": "at_adm", "target": { + "domain": "SAAS", "group": { "domain": "TEST", "id": "S-1-5-21-1717121054-434620538-60925301-2903", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json index 41b67ea75f6..712f63844ee 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json @@ -38,6 +38,7 @@ "id": "S-1-5-21-1717121054-434620538-60925301-2794", "name": "at_adm", "target": { + "domain": "SAAS", "group": { "domain": "TEST", "id": "S-1-5-21-1717121054-434620538-60925301-2903", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json index e838da29e54..f2d158c8ef9 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json @@ -38,6 +38,7 @@ "id": "S-1-5-21-1717121054-434620538-60925301-2794", "name": "at_adm", "target": { + "domain": "SAAS", "group": { "domain": "TEST", "id": "S-1-5-21-1717121054-434620538-60925301-2904", 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json index 37544b89cbe..4da882d11c7 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json @@ -38,6 +38,7 @@ "id": "S-1-5-21-1717121054-434620538-60925301-2794", "name": "at_adm", "target": { + "domain": "SAAS", "group": { "domain": "TEST", "id": "S-1-5-21-1717121054-434620538-60925301-2904", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json index 3c7563a75de..4c79ebb81e2 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json @@ -38,6 +38,7 @@ "id": "S-1-5-21-1717121054-434620538-60925301-2794", "name": "at_adm", "target": { + "domain": "SAAS", "group": { "domain": "TEST", "id": "S-1-5-21-1717121054-434620538-60925301-2905", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json index 5ff88d4e7c6..e473bc5a443 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json @@ -38,6 +38,7 @@ "id": "S-1-5-21-1717121054-434620538-60925301-2794", "name": "at_adm", "target": { + "domain": "SAAS", "group": { "domain": "TEST", "id": "S-1-5-21-1717121054-434620538-60925301-2905", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json index 819570bff67..d91d0349720 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json @@ -31,6 +31,7 @@ }, "user": { "domain": "TEST.SAAS", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", "name": "at_adm" }, "winlog": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json index 37ac84f9b32..ccfaf136948 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json @@ -30,6 +30,7 @@ "port": 53366 }, "user": { + "id": "S-1-5-21-1717121054-434620538-60925301-3057", "name": "MPUIG" }, "winlog": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json index 57911917d9b..5c8382b776e 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json @@ -31,7 +31,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", 
@@ -126,7 +131,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1006", + "name": "audittest0609" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json index c2ae405fbe2..9e50bcb1a04 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json @@ -31,7 +31,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1000", + "name": "audittest" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", @@ -99,7 +104,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1006", + "name": "audittest0609" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json index aec326c4990..73cf17f61eb 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json @@ -28,7 +28,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", @@ -94,7 +99,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json index c77b35a2bce..5c5cbe31da8 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json @@ -31,7 +31,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", 
@@ -99,7 +104,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1006", + "name": "audittest0609" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json index 1acefb2632e..c25e266f83a 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json @@ -31,7 +31,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1000", + "name": "audittest" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", @@ -99,7 +104,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1006", + "name": "audittest0609" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json index 113921ddf11..7e9c82f86f6 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json @@ -31,7 +31,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1001", + "name": "audittest23" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", @@ -100,7 +105,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1000", + "name": "audittest" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json index 56f68012be8..59c58efcf4b 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json @@ -35,6 +35,7 @@ "id": "S-1-5-21-101361758-2486510592-3018839910-500", "name": "Administrator", "target": { + "domain": "local", "group": { "domain": "WLBEAT", "id": "S-1-5-21-101361758-2486510592-3018839910-1112", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json index e8700a9ab47..e3ac9be9101 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json 
@@ -35,6 +35,7 @@ "id": "S-1-5-21-101361758-2486510592-3018839910-500", "name": "Administrator", "target": { + "domain": "local", "group": { "domain": "WLBEAT", "id": "S-1-5-21-101361758-2486510592-3018839910-1112", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json index e25f589d6ab..1d97aa773ea 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json @@ -35,6 +35,7 @@ "id": "S-1-5-21-101361758-2486510592-3018839910-500", "name": "Administrator", "target": { + "domain": "local", "group": { "domain": "WLBEAT", "id": "S-1-5-21-101361758-2486510592-3018839910-1111", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json index 2c2db1bcc5a..9225f75661f 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json @@ -35,6 +35,7 @@ "id": "S-1-5-21-101361758-2486510592-3018839910-500", "name": "Administrator", "target": { + "domain": "local", "group": { "domain": "WLBEAT", "id": "S-1-5-21-101361758-2486510592-3018839910-1111", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json index f32e127117b..786a77df8db 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json 
@@ -31,7 +31,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", @@ -125,7 +130,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1006", + "name": "audittest0609" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx.golden.json index 6dc0514e838..1c91cbf9cee 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx.golden.json @@ -31,7 +31,12 @@ "user": { "domain": "WORKGROUP", "id": "S-1-5-18", - "name": "WIN-41OB2LO92CR$" + "name": "WIN-41OB2LO92CR$", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json index f9ac68771e9..5ffb623eb18 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json @@ -35,6 +35,7 @@ "id": "S-1-5-21-101361758-2486510592-3018839910-500", "name": "Administrator", "target": { + "domain": "local", "group": { "domain": "WLBEAT", "id": "S-1-5-21-101361758-2486510592-3018839910-1113", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json index b4a7d4639c9..40cbe2246a4 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json @@ -35,6 +35,7 @@ "id": "S-1-5-21-101361758-2486510592-3018839910-500", "name": "Administrator", "target": { + "domain": "local", "group": { "domain": "WLBEAT", "id": "S-1-5-21-101361758-2486510592-3018839910-1113", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx.golden.json index c4bfe8b056f..75feedba72a 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx.golden.json @@ -31,7 +31,12 @@ "user": { "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx.golden.json index 91b49e271f6..95d2603832a 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx.golden.json @@ -30,9 +30,15 @@ ] }, "user": { + "changes": { + "name": "audittest06" + }, "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "name": "audittest0609" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", @@ -101,9 +107,15 @@ ] }, "user": { + "changes": { + "name": "audittest0609" + }, "domain": "WIN-41OB2LO92CR", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "name": "audittest06" + } }, "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json index 655861b92d7..385560f46b0 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json @@ -31,7 +31,12 @@ "user": { "domain": "WORKGROUP", "id": "S-1-5-18", - "name": "WIN-41OB2LO92CR$" + "name": "WIN-41OB2LO92CR$", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" + } }, "winlog": { "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}", 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json index 309f889abb5..0b5f968db41 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json @@ -41,6 +41,9 @@ }, "user": { "domain": "VAGRANT", + "effective": { + "id": "S-1-0-0" + }, "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", "name": "vagrant" },