diff --git a/packages/system/changelog.yml b/packages/system/changelog.yml
index 71a56da3854..beb129f5b10 100644
--- a/packages/system/changelog.yml
+++ b/packages/system/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.5.0"
+ changes:
+ - description: Better user mappings for security events
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1944
 - version: "1.4.2"
 changes:
 - description: Prevent pipeline script error
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json
index c912192199b..53b8272dc4a 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json
@@ -64,7 +64,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-07-30T21:06:04.767568644Z",
+ "ingested": "2021-10-19T11:55:16.331823600Z",
 "code": "4746",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -84,6 +84,7 @@
 "domain": "TEST",
 "target": {
 "name": "Administrator",
+ "domain": "SAAS",
 "group": {
 "name": "testdistlocal1",
 "domain": "TEST",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json
index be1948706b3..cc50850b535 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json
@@ -64,7 +64,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-07-30T21:06:04.888936317Z",
+ "ingested": "2021-10-19T11:55:16.621125Z",
 "code": "4747",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -84,6 +84,7 @@
 "domain": "TEST",
 "target": {
 "name": "Administrator",
+ "domain": "SAAS",
 "group": {
 "name": "testdistlocal1",
 "domain": "TEST",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json
index bf9ec9ad6d8..6a73c84145e 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json
@@ -64,7 +64,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-07-30T21:06:05.313669028Z",
+ "ingested": "2021-10-19T11:55:17.565769200Z",
 "code": "4751",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -84,6 +84,7 @@
 "domain": "TEST",
 "target": {
 "name": "Administrator",
+ "domain": "SAAS",
 "group": {
 "name": "testglobal1",
 "domain": "TEST",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json
index 514027f49e2..d304bdf51ba 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json
@@ -64,7 +64,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-07-30T21:06:05.414207722Z",
+ "ingested": "2021-10-19T11:55:17.906691Z",
 "code": "4752",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -84,6 +84,7 @@
 "domain": "TEST",
 "target": {
 "name": "Administrator",
+ "domain": "SAAS",
 "group": {
 "name": "testglobal1",
 "domain": "TEST",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json
index fbcc9c892e7..ffeefc7e13d 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json
@@ -64,7 +64,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-07-30T21:06:05.791134249Z",
+ "ingested": "2021-10-19T11:55:18.871413700Z",
 "code": "4761",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -84,6 +84,7 @@
 "domain": "TEST",
 "target": {
 "name": "Administrator",
+ "domain": "SAAS",
 "group": {
 "name": "testuni2",
 "domain": "TEST",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json
index c404cb58f04..c89878956f6 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json
@@ -64,7 +64,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-07-30T21:06:05.889044291Z",
+ "ingested": "2021-10-19T11:55:19.143941900Z",
 "code": "4762",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -84,6 +84,7 @@
 "domain": "TEST",
 "target": {
 "name": "Administrator",
+ "domain": "SAAS",
 "group": {
 "name": "testuni2",
 "domain": "TEST",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json
index 2698173f828..5ded5e448a0 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json
@@ -77,7 +77,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-07-30T21:06:06.837533884Z",
+ "ingested": "2021-10-19T11:55:21.246497500Z",
 "code": "4768",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -92,7 +92,8 @@
 },
 "user": {
 "name": "at_adm",
- "domain": "TEST.SAAS"
+ "domain": "TEST.SAAS",
+ "id": "S-1-5-21-1717121054-434620538-60925301-2794"
 }
 }
 ]
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json
index b306bd9ec3f..6ad77df55d1 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json
@@ -73,7 +73,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
- "ingested": "2021-07-30T21:06:07.159369727Z",
+ "ingested": "2021-10-19T11:55:22.001023400Z",
 "code": "4771",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -87,7 +87,8 @@
 "outcome": "failure"
 },
 "user": {
- "name": "MPUIG"
+ "name": "MPUIG",
+ "id": "S-1-5-21-1717121054-434620538-60925301-3057"
 }
 }
 ]
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json
index 1fda4455cd3..6a6e2b63138 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json
@@ -62,7 +62,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-07-30T21:06:09.468417917Z",
+ "ingested": "2021-10-19T11:55:27.016591Z",
 "code": "4722",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -78,8 +78,13 @@
 },
 "user": {
 "name": "Administrator",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
 "domain": "WIN-41OB2LO92CR",
- "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+ "target": {
+ "name": "audittest",
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1000"
+ }
 }
 },
 {
@@ -144,7 +149,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-07-30T21:06:09.468420621Z",
+ "ingested": "2021-10-19T11:55:27.016600700Z",
 "code": "4722",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -160,8 +165,13 @@
 },
 "user": {
 "name": "Administrator",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
 "domain": "WIN-41OB2LO92CR",
- "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+ "target": {
+ "name": "audittest0609",
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1006"
+ }
 }
 }
 ]
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json
index d910919c85d..547487c3a26 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json
@@ -62,7 +62,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-07-30T21:06:09.676454372Z",
+ "ingested": "2021-10-19T11:55:27.450128800Z",
 "code": "4723",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -78,8 +78,13 @@
 },
 "user": {
 "name": "Administrator",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
 "domain": "WIN-41OB2LO92CR",
- "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+ "target": {
+ "name": "Administrator",
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+ }
 }
 },
 {
@@ -144,7 +149,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-07-30T21:06:09.676457128Z",
+ "ingested": "2021-10-19T11:55:27.450137Z",
 "code": "4723",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -160,8 +165,13 @@
 },
 "user": {
 "name": "Administrator",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
 "domain": "WIN-41OB2LO92CR",
- "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+ "target": {
+ "name": "Administrator",
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+ }
 }
 }
 ]
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json
index e92d4e29538..5078f6c3a20 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json
@@ -62,7 +62,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-07-30T21:06:09.855345755Z",
+ "ingested": "2021-10-19T11:55:27.912761300Z",
 "code": "4724",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -78,8 +78,13 @@
 },
 "user": {
 "name": "Administrator",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
 "domain": "WIN-41OB2LO92CR",
- "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+ "target": {
+ "name": "elastictest1",
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1005"
+ }
 }
 },
 {
@@ -144,7 +149,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-07-30T21:06:09.855372883Z",
+ "ingested": "2021-10-19T11:55:27.912770100Z",
 "code": "4724",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -160,8 +165,13 @@
 },
 "user": {
 "name": "Administrator",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
 "domain": "WIN-41OB2LO92CR",
- "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+ "target": {
+ "name": "audittest0609",
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1006"
+ }
 }
 }
 ]
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json
index 1768cb0a68d..df4a98ae603 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json
@@ -62,7 +62,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-07-30T21:06:10.021979420Z",
+ "ingested": "2021-10-19T11:55:28.349650400Z",
 "code": "4725",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -78,8 +78,13 @@
 },
 "user": {
 "name": "Administrator",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
 "domain": "WIN-41OB2LO92CR",
- "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+ "target": {
+ "name": "audittest",
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1000"
+ }
 }
 },
 {
@@ -144,7 +149,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-07-30T21:06:10.021981930Z",
+ "ingested": "2021-10-19T11:55:28.349659100Z",
 "code": "4725",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -160,8 +165,13 @@
 },
 "user": {
 "name": "Administrator",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
 "domain": "WIN-41OB2LO92CR",
- "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+ "target": {
+ "name": "audittest0609",
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1006"
+ }
 }
 }
 ]
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json
index bb56bcd516c..aa0d1f55a04 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-07-30T21:06:10.186637182Z",
+ "ingested": "2021-10-19T11:55:28.808472500Z",
 "code": "4726",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -79,8 +79,13 @@
 },
 "user": {
 "name": "Administrator",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
 "domain": "WIN-41OB2LO92CR",
- "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+ "target": {
+ "name": "audittest23",
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1001"
+ }
 }
 },
 {
@@ -146,7 +151,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-07-30T21:06:10.186639172Z",
+ "ingested": "2021-10-19T11:55:28.808476700Z",
 "code": "4726",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -162,8 +167,13 @@
 },
 "user": {
 "name": "Administrator",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
 "domain": "WIN-41OB2LO92CR",
- "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+ "target": {
+ "name": "audittest",
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1000"
+ }
 }
 }
 ]
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json
index c8977e2fc0c..35a41c63fe4 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:10.484678398Z",
+ "ingested": "2021-10-19T11:55:29.482838600Z",
 "code": "4728",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -83,6 +83,7 @@
 "domain": "WLBEAT",
 "target": {
 "name": "Administrator",
+ "domain": "local",
 "group": {
 "name": "test_group2",
 "domain": "WLBEAT",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json
index 851c0431620..aa28440ea04 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:10.589014334Z",
+ "ingested": "2021-10-19T11:55:29.782306700Z",
 "code": "4729",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -83,6 +83,7 @@
 "domain": "WLBEAT",
 "target": {
 "name": "Administrator",
+ "domain": "local",
 "group": {
 "name": "test_group2v2",
 "domain": "WLBEAT",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json
index 91c2d88d9b2..a77ae6e8509 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:10.947497984Z",
+ "ingested": "2021-10-19T11:55:30.491308800Z",
 "code": "4732",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -83,6 +83,7 @@
 "domain": "WLBEAT",
 "target": {
 "name": "Administrator",
+ "domain": "local",
 "group": {
 "name": "test_group1",
 "domain": "WLBEAT",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json
index d96da4536e4..c0fd8104160 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:11.047118946Z",
+ "ingested": "2021-10-19T11:55:30.760815900Z",
 "code": "4733",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -83,6 +83,7 @@
 "domain": "WLBEAT",
 "target": {
 "name": "Administrator",
+ "domain": "local",
 "group": {
 "name": "test_group1",
 "domain": "WLBEAT",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json
index 1b8fc6a9867..ed72a29d7ba 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json
@@ -88,7 +88,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-07-30T21:06:11.480298112Z",
+ "ingested": "2021-10-19T11:55:31.700998400Z",
 "code": "4738",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -104,8 +104,13 @@
 },
 "user": {
 "name": "Administrator",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
 "domain": "WIN-41OB2LO92CR",
- "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+ "target": {
+ "name": "elastictest1",
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1005"
+ }
 }
 }
 ]
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json
index 914a98492b5..fbf132d5e57 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json
@@ -62,7 +62,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-07-30T21:06:11.616253567Z",
+ "ingested": "2021-10-19T11:55:31.973015500Z",
 "code": "4740",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -78,8 +78,13 @@
 },
 "user": {
 "name": "WIN-41OB2LO92CR$",
+ "id": "S-1-5-18",
 "domain": "WORKGROUP",
- "id": "S-1-5-18"
+ "target": {
+ "name": "elastictest1",
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1005"
+ }
 }
 }
 ]
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json
index e7f7b081710..76ea0c8c6ed 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:11.948372473Z",
+ "ingested": "2021-10-19T11:55:32.637206400Z",
 "code": "4756",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -83,6 +83,7 @@
 "domain": "WLBEAT",
 "target": {
 "name": "Administrator",
+ "domain": "local",
 "group": {
 "name": "Test_group3v2",
 "domain": "WLBEAT",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json
index bad82e95dba..ad78bc1f3a9 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json
@@ -63,7 +63,7 @@
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-07-30T21:06:12.061031902Z",
+ "ingested": "2021-10-19T11:55:32.941287Z",
 "code": "4757",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -83,6 +83,7 @@
 "domain": "WLBEAT",
 "target": {
 "name": "Administrator",
+ "domain": "local",
 "group": {
 "name": "Test_group3v2",
 "domain": "WLBEAT",
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json
index a39389063d9..6842c9bb8df 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json
@@ -62,7 +62,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-07-30T21:06:12.342564547Z",
+ "ingested": "2021-10-19T11:55:33.688576100Z",
 "code": "4767",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -78,8 +78,13 @@
 },
 "user": {
 "name": "Administrator",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
 "domain": "WIN-41OB2LO92CR",
- "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+ "target": {
+ "name": "elastictest1",
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1005"
+ }
 }
 }
 ]
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json
index 2f8b1a588f5..9655c6a469e 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json
@@ -65,7 +65,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-07-30T21:06:12.430348253Z",
+ "ingested": "2021-10-19T11:55:33.918515Z",
 "code": "4781",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -81,8 +81,14 @@
 },
 "user": {
 "name": "Administrator",
+ "changes": {
+ "name": "audittest06"
+ },
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
 "domain": "WIN-41OB2LO92CR",
- "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+ "target": {
+ "name": "audittest0609"
+ }
 }
 },
 {
@@ -150,7 +156,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-07-30T21:06:12.430350746Z",
+ "ingested": "2021-10-19T11:55:33.918523800Z",
 "code": "4781",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -166,8 +172,14 @@
 },
 "user": {
 "name": "Administrator",
+ "changes": {
+ "name": "audittest0609"
+ },
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
 "domain": "WIN-41OB2LO92CR",
- "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+ "target": {
+ "name": "audittest06"
+ }
 }
 }
 ]
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json
index 03c352ed78a..c2fa40482a3 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json
@@ -64,7 +64,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-07-30T21:06:12.614680121Z",
+ "ingested": "2021-10-19T11:55:34.345020800Z",
 "code": "4798",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -80,8 +80,13 @@
 },
 "user": {
 "name": "WIN-41OB2LO92CR$",
+ "id": "S-1-5-18",
 "domain": "WORKGROUP",
- "id": "S-1-5-18"
+ "target": {
+ "name": "elastictest1",
+ "domain": "WIN-41OB2LO92CR",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-1005"
+ }
 }
 }
 ]
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json
index 99d1c0c744b..fcb5bb17d96 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json
@@ -81,7 +81,7 @@ "name": "vagrant" }, "event": { - "ingested": "2021-07-30T21:06:12.992208458Z", + "ingested": "2021-10-19T11:55:35.129471700Z", "code": "4688", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -96,8 +96,11 @@ }, "user": { "name": "vagrant", - "domain": "VAGRANT", - "id": "S-1-5-21-1610636575-2290000098-1654242922-1000" + "effective": { + "id": "S-1-0-0" + }, + "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "domain": "VAGRANT" } } ] diff --git a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml index 3916709c2d8..2c21208254c 100644 --- a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml +++ b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml @@ -2286,22 +2286,28 @@ processors: return; } + def targetUserId = ctx?.winlog?.event_data?.TargetUserSid; + if (targetUserId == null) { + targetUserId = ctx?.winlog?.event_data?.TargetSid; + } + //TargetUserSid to user.id or user.target.id - if (ctx?.winlog?.event_data?.TargetUserSid != null) { + if (targetUserId != null) { if (ctx?.user == null) { HashMap hm = new HashMap(); ctx.put("user", hm); } if (ctx?.user?.id == null) { - ctx.user.put("id", ctx.winlog.event_data.TargetUserSid); + ctx.user.put("id", targetUserId); } else { if (ctx?.user?.target == null) { HashMap hm = new HashMap(); ctx.user.put("target", hm); } - ctx.user.target.put("id", ctx.winlog.event_data.TargetUserSid); + ctx.user.target.put("id", targetUserId); } } + //TargetUserName to related.user and user.name or user.target.name if (ctx?.winlog?.event_data?.TargetUserName != null) { def tun = ctx.winlog.event_data.TargetUserName.splitOnToken("@"); 
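Review bot: The new `targetUserId` value (TargetUserSid, falling back to TargetSid) is guarded only by a null check before it is written to user.id or user.target.id, while the two scripts added later in this same commit reject `""` and `"-"` for the very same event_data fields. An event that carries a placeholder SID therefore gets it stored as an identity by this script but skipped by the later ones, so user.id ends up populated inconsistently across event codes. Suggest `if (targetUserId != null && targetUserId != "" && targetUserId != "-") {` at the replaced condition. The enclosing script starts above the hunk, so its event-code gate is not visible and may already narrow this for some codes.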
@@ -2382,6 +2388,10 @@ processors: if (!ctx.related.user.contains(memberName)) { ctx.related.user.add(memberName); } + if (memberNameParts.length >= 4) { + def domain = memberNameParts[3].replace("DC=", "").replace("dc=", ""); + ctx.user.target.put("domain", domain); + } } if (ctx?.winlog?.event_data?.TargetUserSid != null) { if (ctx?.group == null) { @@ -2409,7 +2419,8 @@ processors: HashMap hm = new HashMap(); ctx.put("group", hm); } - ctx.group.put("domain", ctx.winlog.event_data.TargetDomainName); + def domain = ctx.winlog.event_data.TargetDomainName.replace("DC=", "").replace("dc=", ""); + ctx.group.put("domain", domain); } if (ctx?.user?.target != null) { if (ctx?.user?.target?.group == null) { @@ -2480,7 +2491,8 @@ processors: "4742", "4743", "4744", "4745", "4746", "4747", "4748", "4749", "4750", "4751", "4752", "4753", "4754", "4755", "4756", "4757", "4758", "4759", "4760", "4761", "4762", "4763", "4764", "4767", - "4781", "4798", "4799", "4817", "4904", "4905", "4907", "4912"].contains(ctx.event.code)) { + "4781", "4798", "4799", "4817", "4904", "4905", "4907", "4912", + "4648"].contains(ctx.event.code)) { return; } if (ctx?.winlog?.event_data?.SubjectUserSid != null) { 
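Review bot: `memberNameParts[3]` picks the fourth RDN of the member distinguished name as the domain by position, so the result depends on how deep the object sits in the directory rather than on which components are `DC=` parts; the updated fixtures show it yields the last label (`SAAS`, `local`) while the same documents carry `TEST` / `WLBEAT` in group.domain. For an object under three or more OUs the fourth RDN is an `OU=` part, the `DC=`/`dc=` replace does nothing and an OU name lands in user.target.domain, and a `Dc=` spelling is missed outright. Deriving the domain from the `DC=` RDNs themselves, case-insensitively, avoids both problems; whether to keep only the first DC component (matching group.domain's form) or join all of them into the DNS name is a project choice, and the `.replace("DC=", "").replace("dc=", "")` idiom in the @@ -2409 hunk for group.domain would benefit from the same treatment. memberNameParts is defined above the hunk, so its origin (presumably the comma-split MemberName) is inferred.
```yaml
              // … unchanged: related.user bookkeeping for memberName …
              def dcParts = new ArrayList();
              for (def rdn : memberNameParts) {
                if (rdn.toLowerCase().startsWith("dc=")) {
                  dcParts.add(rdn.substring(3));
                }
              }
              if (dcParts.size() > 0) {
                // first DC component only; use String.join(".", dcParts) for the DNS name instead
                ctx.user.target.put("domain", dcParts[0]);
              }
```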
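Review bot: Adding `"4648"` to this early-return list stops SubjectUserSid/SubjectUserName from populating user.* for explicit-credential logons through this script, and no 4648 fixture is touched in the commit, so nothing verifies that another processor still fills user.name/user.id for that code (the new "Copy Target User to Effective" script only writes user.effective.*). 4648 is the logon-with-explicit-credentials event that lateral-movement detections key on the subject account, so a missing user.name there would be a silent regression. Suggest adding a 4648 sample and expected pair under `_dev/test/pipeline/`, or dropping 4648 from the list if the subject mapping is meant to stay; the rest of the script lies outside the hunk, so the exact effect is inferred.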
@@ -2516,6 +2528,86 @@ processors:
ctx.user.put("domain", ctx.winlog.event_data.SubjectDomainName);
}
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Target User to Target
+ description: Copy Target User to Target
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4670", "4720", "4722", "4723", "4724", "4725",
+ "4726", "4738", "4740", "4767", "4798", "4817",
+ "4907"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.user?.target == null) {
+ HashMap hm = new HashMap();
+ ctx.user.put("target", hm);
+ }
+ def userId = ctx?.winlog?.event_data?.TargetSid;
+ if (userId != null && userId != "" && userId != "-") ctx.user.target.id = userId;
+ def userName = ctx?.winlog?.event_data?.TargetUserName;
+ if (userName != null && userName != "" && userName != "-") {
+ ctx.user.target.name = userName;
+ def parts = userName.splitOnToken("@");
+ if (parts.length > 1) {
+ ctx.user.target.name = parts[0];
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (!ctx.related.user.contains(ctx.user.target.name)) {
+ ctx.related.user.add(ctx.user.target.name);
+ }
+ }
+ def userDomain = ctx?.winlog?.event_data?.TargetDomainName;
+ if (userDomain != null && userDomain != "" && userDomain != "-") ctx.user.target.domain = userDomain;
+ if (ctx.user.target.size() == 0) ctx.user.remove("target");
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Target User to Effective
+ description: Copy Target User to Effective
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4648", "4688"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.user?.effective == null) {
+ HashMap hm = new HashMap();
+ ctx.user.put("effective", hm);
+ }
+ def userId = ctx?.winlog?.event_data?.TargetUserSid;
+ if (userId != null && userId != "" && userId != 
"-") ctx.user.effective.id = userId;
+ def userName = ctx?.winlog?.event_data?.TargetUserName;
+ if (userName != null && userName != "" && userName != "-") {
+ ctx.user.effective.name = userName;
+ def parts = userName.splitOnToken("@");
+ if (parts.length > 1) {
+ ctx.user.effective.name = parts[0];
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (!ctx.related.user.contains(ctx.user.effective.name)) {
+ ctx.related.user.add(ctx.user.effective.name);
+ }
+ }
+ def userDomain = ctx?.winlog?.event_data?.TargetDomainName;
+ if (userDomain != null && userDomain != "" && userDomain != "-") ctx.user.effective.domain = userDomain;
+ if (ctx.user.effective.size() == 0) ctx.user.remove("effective");
+
- script: lang: painless ignore_failure: false
@@ -2774,6 +2866,16 @@ processors:
["4672", "4673", "4674", "4741", "4742", "4743"].contains(ctx.event.code) &&
ctx?.winlog?.event_data?.PrivilegeList != null
+ - set:
+ field: user.target.name
+ copy_from: winlog.event_data.OldTargetUserName
+ ignore_empty_value: true
+
+ - set:
+ field: user.changes.name
+ copy_from: winlog.event_data.NewTargetUserName
+ ignore_empty_value: true
+
- append: field: related.user value: '{{winlog.event_data.NewTargetUserName}}'
diff --git a/packages/system/data_stream/security/fields/ecs.yml b/packages/system/data_stream/security/fields/ecs.yml
index cf2eb514531..cc5cd530a48 100644
--- a/packages/system/data_stream/security/fields/ecs.yml
+++ b/packages/system/data_stream/security/fields/ecs.yml
@@ -78,6 +78,12 @@
name: user.id - external: ecs name: user.name
+- external: ecs
+ name: user.effective.domain
+- external: ecs
+ name: user.effective.id
+- external: ecs
+ name: user.effective.name
- external: ecs name: user.target.group.domain - external: ecs
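Review bot: Both new scripts test `ctx?.related?.user == null` and then call `ctx.related.put("user", al)`, which throws a NullPointerException when `related` itself is absent, and with `ignore_failure: false` that fails the event. Whether an earlier processor always creates `related` is not visible here; `if (ctx?.related == null) { ctx.put("related", new HashMap()); }` ahead of the existing check in each script removes the dependency. The two scripts differ only in the code list, the `target`/`effective` key and the SID source (`TargetSid` versus `TargetUserSid`); a `description` that states that last difference and why it exists would help a reader more than repeating the tag text.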
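Review bot: The two `set` processors for `user.target.name` and `user.changes.name` carry no `if` condition, and `set` overrides an existing value by default, so a `user.target.name` produced by the scripts above is replaced whenever `OldTargetUserName` is present on the event. That is presumably safe because only the account-rename event carries Old/NewTargetUserName, but the assumption is unstated; an `if: ctx?.event?.code == '4781'` on both processors, if 4781 is indeed the only source, or a comment recording the assumption keeps the intent explicit. The `append` below them is shown without its condition, so whether it is guarded cannot be checked here.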
@@ -86,3 +92,9 @@
name: user.target.group.name - external: ecs name: user.target.name
+- external: ecs
+ name: user.target.domain
+- external: ecs
+ name: user.target.id
+- external: ecs
+ name: user.changes.name
diff --git a/packages/system/docs/README.md b/packages/system/docs/README.md
index 1a34428d0bd..ef175772727 100644
--- a/packages/system/docs/README.md
+++ b/packages/system/docs/README.md
@@ -557,12 +557,18 @@ An example event for `security` looks as following:
| source.ip | IP address of the source (IPv4 or IPv6). | ip |
| source.port | Port of the source. | long |
| tags | List of keywords used to tag each event. | keyword |
+| user.changes.name | Short name or login of the user. | keyword |
| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.effective.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.effective.id | Unique identifier of the user. | keyword |
+| user.effective.name | Short name or login of the user. | keyword |
| user.id | Unique identifier of the user. | keyword |
| user.name | Short name or login of the user. | keyword |
+| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
| user.target.group.id | Unique identifier for the group on the system/platform. | keyword |
| user.target.group.name | Name of the group. | keyword |
+| user.target.id | Unique identifier of the user. | keyword |
| user.target.name | Short name or login of the user. | keyword |
| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword |
| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. 
Winlogbeat automatically detects which API to use for reading event logs. | keyword |
diff --git a/packages/system/manifest.yml b/packages/system/manifest.yml
index 46d98f18727..20ea0283612 100644
--- a/packages/system/manifest.yml
+++ b/packages/system/manifest.yml
@@ -1,7 +1,7 @@
format_version: 1.0.0
name: system
title: System
-version: 1.4.2
+version: 1.5.0
license: basic
description: This Elastic integration collects logs and metrics from your servers
type: integration