[Winlogbeat] - Security Group Management MemberSid translation

[gwsales]

Need a way to enable sid translation for MemberSid on Security Group Management events.

Example: event_id: 4732

When an object (User or Group) is added to a group, only the SID of object is available in most events. There are two fields, MemberName and MemberSid, MemberName is usually '-' and should trigger a SID lookup based on the event code. Local SID lookup for local Security Group Management events, and domain lookup for every thing else.

According to this link, it's possible that only local group events are impacted by the MemberName always being set to '-':
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4732

[andrewkroh]

It would be helpful to me if you could post the JSON event generated by Winlogbeat to exemplify the problem.

My current thinking is that a processor could be created that can resolve SIDs.

[gwsales]

Sure I could do that, the data would be sanitized but the json could probably help whoever is going to write the code.

…

On Jun 27, 2018, at 3:19 PM, Andrew Kroh ***@***.***> wrote: It would be helpful to me if you could post the JSON event generated by Winlogbeat to exemplify the problem. My current thinking is that a processor could be created that can resolve SIDs. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

[gwsales]

{"@timestamp":"2018-06-28T17:13:53.765Z","@version":"1","activity_id":"{069C6F62-0D8A-0006-656F-9C068A0DD401}","beat":{"hostname":"HOSTNAME","name":"HOSTNAME","version":"6.1.2"},"computer_name":"HOSTNAME.dev.domain.com","event_data":{"MemberName":"-","MemberSid":"S-1-5-21-3724561596-2688610176-3820852040-512","PrivilegeList":"-","SubjectDomainName":"DEV","SubjectLogonId":"0x3e7","SubjectUserName":"HOSTNAME$","SubjectUserSid":"S-1-5-18","TargetDomainName":"Builtin","TargetSid":"S-1-5-32-544","TargetUserName":"Administrators"},"event_id":4732,"host":"HOSTNAME","keywords":["Audit Success"],"level":"Information","log_name":"Security","opcode":"Info","process_id":928,"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_number":"1672376","source_name":"Microsoft-Windows-Security-Auditing","task":"Security Group Management","thread_id":16800,"type":"wineventlog"}

[andrewkroh]

{
  "@timestamp": "2018-06-28T17:13:53.765Z",
  "@version": "1",
  "activity_id": "{069C6F62-0D8A-0006-656F-9C068A0DD401}",
  "beat": {
    "hostname": "HOSTNAME",
    "name": "HOSTNAME",
    "version": "6.1.2"
  },
  "computer_name": "HOSTNAME.dev.domain.com",
  "event_data": {
    "MemberName": "-",
    "MemberSid": "S-1-5-21-3724561596-2688610176-3820852040-512",
    "PrivilegeList": "-",
    "SubjectDomainName": "DEV",
    "SubjectLogonId": "0x3e7",
    "SubjectUserName": "HOSTNAME$",
    "SubjectUserSid": "S-1-5-18",
    "TargetDomainName": "Builtin",
    "TargetSid": "S-1-5-32-544",
    "TargetUserName": "Administrators"
  },
  "event_id": 4732,
  "host": "HOSTNAME",
  "keywords": [
    "Audit Success"
  ],
  "level": "Information",
  "log_name": "Security",
  "opcode": "Info",
  "process_id": 928,
  "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
  "record_number": "1672376",
  "source_name": "Microsoft-Windows-Security-Auditing",
  "task": "Security Group Management",
  "thread_id": 16800,
  "type": "wineventlog"
}

[andrewkroh]

So would a processor like this be usable?

# Replace with the translated values.
processors:
- sid_translate:
    fields: [MemberName, MemberSid]

# Keep the original MemberSid value and write the resolved value to a new field.
processors:
- sid_translate:
    field: MemberSid
    target: user.name # or user.group? (but you get the idea)

[gwsales]

Yes that could work. MemberName isn’t needed for the processor unless you added a when condition that only did the lookup when MemberName == “-“. I like that you allow a custom target field since there could be 2 user accounts for this event, one for the source and one for the object. I’d maybe create a summary object or a user_map like the auditbeat events and still all translations in there to preserve the source fields.

…

On Jun 28, 2018, at 4:11 PM, Andrew Kroh ***@***.***> wrote: So would a processor like this be usable? # Replace with the translated values. processors: - sid_translate: fields: [MemberName, MemberSid] # Keep the original MemberSid value and write the resolved value to a new field. processors: - sid_translate: field: MemberSid target: user.name — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

[andrewkroh]

Here's a secondary source explaining when the value can be dash.

For local groups this field typically has “-“ value, even if new member is a domain account. For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.

https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4732.md

[SpencerLN]

Has there been any work performed towards the creation of the processor discussed above?

[MakoWish]

I would also like to see this implemented. Is there any update?

[adrwh]

Hey guys is there any progress on this one? It would be great to translate SID in winlog.event_id: 4732 (and others similar).

"event_data": {
        "PrivilegeList": "-",
        "SubjectLogonId": "0x3e7",
        "TargetUserName": "Administrators",
        "TargetDomainName": "Builtin",
        "MemberName": "-",
        "SubjectDomainName": "REDACTED",
        "SubjectUserSid": "S-1-5-18",
        "MemberSid": "S-1-5-21-nnnn-nnnn-nnnn-nnnn",
        "TargetSid": "S-1-5-32-544",
        "SubjectUserName": "REDACTED"
      }

[MakoWish]

Pinging @andrewkroh. Any update on this?

[jyipks]

we're also interested in this fix, please keep us posted on the progress

[andrewkroh]

I have opened a pull request to add a translate_sid processor in #16013.

[MakoWish]

Thank you, @andrewkroh!

A few quick questions:

1. Was this implemented in 7.6.1?
2. Is this processor loaded by default? Or does it need to be specified in the winlogbeat.yml file?
3. If this processor must be specified, is "translate_sid" the official processor name?

Thank you!

[andrewkroh]

1. It should be released with the next minor version (pending on the merge of Cherry-pick #16013 to 7.x: Add translate_sid processor to Winlogbeat #16941) (so 7.7).
2. It's not used anywhere by default. It will probably get added to the Security module to enrich particular events, but that's not done right now. So add it to your configs for whatever winlog.event_data.* fields you want converted.
3. Yes, and it will start showing up in the master branch docs soon (pending Fix docs for translate_sid processor #16961). See https://www.elastic.co/guide/en/beats/winlogbeat/master/defining-processors.html

[MakoWish]

Perfect. Thank you, Andrew!

[mgovolt]

Is there any documentation for how this is supposed to work? I can find NOTHING on it. No examples, explanation, etc.
Does it only work on certain event ids?
Let's take an example of a log post adding the translate sid processor. Event code 4732. A member was added to a security-enabled local group.

Event.message is this:
Subject:
Security ID: S-1-5-18
Account Name: KAT-GOLD$
Account Domain: ACME
Logon ID: 0x3E7

Member:
Security ID: S-1-5-21-2506921386-1985662200-1028750493-10571
Account Name: -

Group:
Security ID: S-1-5-21-2258368003-3053585069-3447863528-1013
Group Name: Offer Remote Assistance Helpers
Group Domain: KAT-GOLD

Is translate_sid supposed to be modifying these values in event.message?
And/Or is it supposed to modify the beats created fields winlog.event_data.MemberSid and winlog.event_data.TargetSid? (Note: it does not do that, those are still just the SIDs)
I don't even know what to expect since there is nothing documented about so I can't even begin to tell if it is working as intended.

[andrewkroh]

The docs are in https://www.elastic.co/guide/en/beats/winlogbeat/current/processor-translate-sid.html.

[jamiehynds]

We plan on adding the translate_sid processor to our Windows integrations to ensure MemberSid is automatically resolved. Please see new issue here for updates: elastic/integrations#3309