Skip to content

Commit

Permalink
Audit and Authentication Policy Change Events (#20684)
Browse files Browse the repository at this point in the history 
* [Winlogbeat] Audit and Authentication Policy Change Events

Co-authored-by: Lee E. Hinman <lee.e.hinman@elastic.co>
  • Loading branch information
@janniten @leehinman
janniten and leehinman authored Jan 25, 2021
1 parent 4b7b267 commit dd7a1b3
Show file tree
Hide file tree
Showing 39 changed files with 1,661 additions and 20 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -978,6 +978,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add additional event categorization for security and sysmon modules. {pull}22988[22988]
- Add dns.question.subdomain fields for sysmon DNS events. {pull}22999[22999]
- Add dns.question.top_level_domain fields for sysmon DNS events. {pull}23046[23046]
- Add Audit and Authentication Polixy Change Events and related.ip information {pull}20684[20684]

*Elastic Log Driver*

Expand Down
524 changes: 504 additions & 20 deletions x-pack/winlogbeat/module/security/config/winlogbeat-security.js
View file

Large diffs are not rendered by default.

Binary file added x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.evtx
View file
Binary file not shown.
80 changes: 80 additions & 0 deletions x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.evtx.golden.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
[
{
"@timestamp": "2020-07-28T13:22:18.7993488Z",
"event": {
"action": "permissions-changed",
"category": [
"iam",
"configuration"
],
"code": 4670,
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"admin",
"change"
]
},
"host": {
"name": "WIN-BVM4LI1L1Q6.TEST.local"
},
"log": {
"level": "information"
},
"process": {
"executable": "C:\\Windows\\System32\\services.exe",
"name": "services.exe",
"pid": 764
},
"related": {
"user": "WIN-BVM4LI1L1Q6$"
},
"user": {
"domain": "TEST",
"id": "S-1-5-18",
"name": "WIN-BVM4LI1L1Q6$"
},
"winlog": {
"api": "wineventlog",
"channel": "Security",
"computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
"event_data": {
"HandleId": "0x56c",
"NewSd": "D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)",
"NewSdDacl0": "Local system :Access Allowed (Generic All)",
"NewSdDacl1": "OW :Access Allowed (Read Permissions)",
"NewSdDacl2": "S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628 :Access Allowed (Generic All)",
"ObjectName": "-",
"ObjectServer": "Security",
"ObjectType": "Token",
"OldSd": "D:(A;;GA;;;SY)(A;;GA;;;NS)",
"OldSdDacl0": "Local system :Access Allowed (Generic All)",
"OldSdDacl1": "Network service account :Access Allowed (Generic All)",
"SubjectDomainName": "TEST",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "WIN-BVM4LI1L1Q6$",
"SubjectUserSid": "S-1-5-18"
},
"event_id": 4670,
"keywords": [
"Audit Success"
],
"logon": {
"id": "0x3e7"
},
"opcode": "Info",
"process": {
"pid": 4,
"thread": {
"id": 4604
}
},
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 31932,
"task": "Authorization Policy Change"
}
}
]
Binary file added x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.evtx
View file
Binary file not shown.
72 changes: 72 additions & 0 deletions x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.evtx.golden.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
[
{
"@timestamp": "2020-07-27T09:42:48.3690009Z",
"event": {
"action": "domain-trust-added",
"category": [
"configuration"
],
"code": 4706,
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"creation"
]
},
"host": {
"name": "WIN-BVM4LI1L1Q6.TEST.local"
},
"log": {
"level": "information"
},
"related": {
"user": "Administrator"
},
"user": {
"domain": "TEST",
"id": "S-1-5-21-2024912787-2692429404-2351956786-500",
"name": "Administrator"
},
"winlog": {
"activity_id": "{be129571-63f8-0000-a795-12bef863d601}",
"api": "wineventlog",
"channel": "Security",
"computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
"event_data": {
"DomainName": "192.168.230.153",
"DomainSid": "S-1-0-0",
"SidFilteringEnabled": "%%1796",
"SubjectDomainName": "TEST",
"SubjectLogonId": "0x6a868",
"SubjectUserName": "Administrator",
"SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500",
"TdoAttributes": "1",
"TdoDirection": "3",
"TdoType": "3"
},
"event_id": 4706,
"keywords": [
"Audit Success"
],
"logon": {
"id": "0x6a868"
},
"opcode": "Info",
"process": {
"pid": 776,
"thread": {
"id": 3056
}
},
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 6017,
"task": "Authentication Policy Change",
"trustAttribute": "TRUST_ATTRIBUTE_NON_TRANSITIVE",
"trustDirection": "TRUST_DIRECTION_BIDIRECTIONAL",
"trustType": "TRUST_TYPE_MIT"
}
}
]
Binary file added x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.evtx
View file
Binary file not shown.
64 changes: 64 additions & 0 deletions x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.evtx.golden.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
[
{
"@timestamp": "2020-07-28T06:18:04.600444Z",
"event": {
"action": "domain-trust-removed",
"category": [
"configuration"
],
"code": 4707,
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"deletion"
]
},
"host": {
"name": "WIN-BVM4LI1L1Q6.TEST.local"
},
"log": {
"level": "information"
},
"related": {
"user": "Administrator"
},
"user": {
"domain": "TEST",
"id": "S-1-5-21-2024912787-2692429404-2351956786-500",
"name": "Administrator"
},
"winlog": {
"api": "wineventlog",
"channel": "Security",
"computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
"event_data": {
"DomainName": "192.168.230.153",
"DomainSid": "S-1-0-0",
"SubjectDomainName": "TEST",
"SubjectLogonId": "0x6a868",
"SubjectUserName": "Administrator",
"SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500"
},
"event_id": 4707,
"keywords": [
"Audit Success"
],
"logon": {
"id": "0x6a868"
},
"opcode": "Info",
"process": {
"pid": 776,
"thread": {
"id": 2012
}
},
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 13679,
"task": "Authentication Policy Change"
}
}
]
Binary file added x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.evtx
View file
Binary file not shown.
64 changes: 64 additions & 0 deletions x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.evtx.golden.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
[
{
"@timestamp": "2020-07-28T10:15:43.4951882Z",
"event": {
"action": "kerberos-policy-changed",
"category": [
"configuration"
],
"code": 4713,
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"change"
]
},
"host": {
"name": "WIN-BVM4LI1L1Q6.TEST.local"
},
"log": {
"level": "information"
},
"related": {
"user": "WIN-BVM4LI1L1Q6$"
},
"user": {
"domain": "TEST",
"id": "S-1-5-18",
"name": "WIN-BVM4LI1L1Q6$"
},
"winlog": {
"activity_id": "{be129571-63f8-0000-a795-12bef863d601}",
"api": "wineventlog",
"channel": "Security",
"computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
"event_data": {
"KerberosPolicyChange": "KerMinT: 0x53d1ac1000 (0x53ade8ca00); KerMaxR: 0x649534e0000 (0x58028e44000); KerProxy: 0xd693a400 (0xb2d05e00); ",
"SubjectDomainName": "TEST",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "WIN-BVM4LI1L1Q6$",
"SubjectUserSid": "S-1-5-18"
},
"event_id": 4713,
"keywords": [
"Audit Success"
],
"logon": {
"id": "0x3e7"
},
"opcode": "Info",
"process": {
"pid": 776,
"thread": {
"id": 2012
}
},
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 21265,
"task": "Authentication Policy Change"
}
}
]
Binary file added x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.evtx
View file
Binary file not shown.
72 changes: 72 additions & 0 deletions x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.evtx.golden.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
[
{
"@timestamp": "2020-07-28T08:17:00.4706442Z",
"event": {
"action": "trusted-domain-information-changed",
"category": [
"configuration"
],
"code": 4716,
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"change"
]
},
"host": {
"name": "WIN-BVM4LI1L1Q6.TEST.local"
},
"log": {
"level": "information"
},
"related": {
"user": "Administrator"
},
"user": {
"domain": "TEST",
"id": "S-1-5-21-2024912787-2692429404-2351956786-500",
"name": "Administrator"
},
"winlog": {
"activity_id": "{be129571-63f8-0000-a795-12bef863d601}",
"api": "wineventlog",
"channel": "Security",
"computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
"event_data": {
"DomainName": "-",
"DomainSid": "S-1-0-0",
"SidFilteringEnabled": "-",
"SubjectDomainName": "TEST",
"SubjectLogonId": "0x6a868",
"SubjectUserName": "Administrator",
"SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500",
"TdoAttributes": "1",
"TdoDirection": "3",
"TdoType": "3"
},
"event_id": 4716,
"keywords": [
"Audit Success"
],
"logon": {
"id": "0x6a868"
},
"opcode": "Info",
"process": {
"pid": 776,
"thread": {
"id": 3776
}
},
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 14929,
"task": "Authentication Policy Change",
"trustAttribute": "TRUST_ATTRIBUTE_NON_TRANSITIVE",
"trustDirection": "TRUST_DIRECTION_BIDIRECTIONAL",
"trustType": "TRUST_TYPE_MIT"
}
}
]
Binary file added x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.evtx
View file
Binary file not shown.
Loading

0 comments on commit dd7a1b3

Please sign in to comment.