Add event IDs 4797, 5379, 5380, 5381, and 5382

[MakoWish]

Type of change

• Enhancement

What does this PR do?

This PR adds event parsing to the Security Ingest Pipeline for Winlogbeat for Event ID's 4797, 5379, 5380, 5381, and 5382.

Why is it important?

These Event ID's are quite common in our environment, so ensuring the correct event.action is populated will help identify the nature of the event at a quick glance.

Checklist

• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

• Closes Missing Parsing for Event IDs 4797, 5379, 5380, 5381, and 5382 #34293

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @MakoWish? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-01-19T21:10:56.228+0000

• Duration: 39 min 59 sec

Test stats 🧪

Test	Results
Failed	0
Passed	336
Skipped	0
Total	336

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[efd6]

/test

[efd6]

Are you able to provide events (as individual evtx) for these event types?

[MakoWish]

I was able to grab some of them, but they contain sensitive usernames, hostnames, etc. Do you have a location I can send them to you out of the public eye?

[efd6]

I think we could get around needing the evtx if we start from the XML by exporting this from the event viewer. This would mean that we can include the data in the tree without leaking your secrets if you scrub before letting us have the data. Does that sound reasonable to you?

[MakoWish]

Attaching five scrubbed sample events for each of the Event ID's.
4797_5379_5380_5381_5382.zip

[MakoWish]

Can we back-port this?

[efd6]

This is an enhancement, so we will not back-port.

[efd6]

It looks like there needs to be some additional changes to make sure that things like related.host and related.user are properly updated for these event types. There are hooks in the security.yml file that allow this to be done by adding the appropriate event ID to the filter array.

[efd6]

/test

[MakoWish]

I don't see any processors that would add related.hosts, so I just focused on those that would add to related.user.

[efd6]

/test

[efd6]

/test

[efd6]

Is there a reason not to include the other types here? They also appear to have SubjectUserName fields.

[MakoWish]

There was not. I had added them to the related user appending, but I forgot to add them to "Copy Subject User from Event Data" script. Since event 4797 also has a TargetUserName, I also just added that one to the "Copy Target User to Target" script.

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b add_event_ids upstream/add_event_ids
git merge upstream/main
git push upstream add_event_ids

[efd6]

/test

[efd6]

Thanks

[jamiehynds]

@efd6 could mappings for these events be applied to the system.security pipeline for agent, to ensure alignment between the winlogbeat and agent pipelines?

[MakoWish]

@jamiehynds , please see #5085 that mirrors these changes to the Security Integration for Elastic Agent.

[jamiehynds]

Thanks @MakoWish, I missed that one. Thanks for all your recent contributions and collaboration!

[MakoWish]

Thanks @MakoWish, I missed that one.

Didn't miss it. I created it after your comment. 👍