[Winlogbeat] Add configuration category and more security events (ela…
…stic#22988)

* Add configuration category and more events

* Add pull request reference

* Fix bad event.action

(cherry picked from commit b6d97d9)
Andrew Stucki committed Dec 9, 2020
1 parent 2f49b78 commit 2974e34
Showing 81 changed files with 1,095 additions and 745 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -581,6 +581,7 @@ port. {pull}19209[19209]
- Add support for event IDs 4673,4674,4697,4698,4699,4700,4701,4702,4768,4769,4770,4771,4776,4778,4779,4964 to the Security module {pull}17517[17517]
- Add registry and code signature information and ECS categorization fields for sysmon module {pull}18058[18058]
- Add file.pe and process.pe fields to ProcessCreate & LoadImage events in Sysmon module. {issue}17335[17335] {pull}22217[22217]
- Add additional event categorization for security and sysmon modules. {pull}22988[22988]

*Elastic Log Driver*

196 changes: 99 additions & 97 deletions x-pack/winlogbeat/module/security/config/winlogbeat-security.js


Expand Up @@ -3,13 +3,17 @@
"@timestamp": "2019-11-07T10:37:04.2260925Z",
"event": {
"action": "logging-service-shutdown",
"category": "process",
"category": [
"process"
],
"code": 1100,
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Eventlog",
"type": "end"
"type": [
"end"
]
},
"host": {
"name": "WIN-41OB2LO92CR.wlbeat.local"
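Review bot: `event.category` and `event.type` change shape from a scalar string to an array in this golden file, and the same shape change runs through every other security golden file in this commit. Elasticsearch indexes both as multi-valued keyword fields, so term queries and detection rules that match `event.category: iam` keep working, but any ingest script or downstream consumer that reads the field as a single string will now receive an array. The changelog line added above says only "additional event categorization"; it would help operators to state there that `event.category` and `event.type` are now always emitted as arrays for the security module.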
Expand Up @@ -3,7 +3,9 @@
"@timestamp": "2019-11-07T10:34:29.0559196Z",
"event": {
"action": "audit-log-cleared",
"category": "iam",
"category": [
"iam"
],
"code": 1102,
"kind": "event",
"module": "security",
Expand Up @@ -3,13 +3,17 @@
"@timestamp": "2019-11-08T07:56:17.3217049Z",
"event": {
"action": "logging-full",
"category": "iam",
"category": [
"iam"
],
"code": 1104,
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Eventlog",
"type": "admin"
"type": [
"admin"
]
},
"host": {
"name": "WIN-41OB2LO92CR.wlbeat.local"
Expand Up @@ -3,13 +3,17 @@
"@timestamp": "2019-11-07T16:22:14.8425353Z",
"event": {
"action": "auditlog-archieved",
"category": "iam",
"category": [
"iam"
],
"code": 1105,
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Eventlog",
"type": "admin"
"type": [
"admin"
]
},
"host": {
"name": "WIN-41OB2LO92CR.wlbeat.local"
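Review bot: `"action": "auditlog-archieved"` on the context line is a misspelling of `auditlog-archived`; the line is unchanged here, so the value comes from the action mapping in x-pack/winlogbeat/module/security/config/winlogbeat-security.js rather than from this hunk, but a commit whose description includes "Fix bad event.action" is the natural place to correct it, and this golden file would follow on regeneration. The naming within this family of Eventlog events is also inconsistent: event 1102 above uses the hyphenated `audit-log-cleared` while 1105 uses the unhyphenated `auditlog-` prefix. `event.action` is a value that detection rules and saved searches match on exactly, so renaming it is a breaking change for existing content and belongs in the changelog entry alongside the categorization change.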
Expand Up @@ -3,7 +3,10 @@
"@timestamp": "2019-11-07T15:22:57.6553291Z",
"event": {
"action": "changed-audit-config",
"category": "iam",
"category": [
"iam",
"configuration"
],
"code": 4719,
"kind": "event",
"module": "security",
Expand Up @@ -3,7 +3,9 @@
"@timestamp": "2019-12-18T16:22:12.3112534Z",
"event": {
"action": "added-computer-account",
"category": "iam",
"category": [
"iam"
],
"code": 4741,
"kind": "event",
"module": "security",
Expand Up @@ -3,7 +3,9 @@
"@timestamp": "2019-12-18T16:22:12.3425087Z",
"event": {
"action": "changed-computer-account",
"category": "iam",
"category": [
"iam"
],
"code": 4742,
"kind": "event",
"module": "security",
Expand Up @@ -3,7 +3,9 @@
"@timestamp": "2019-12-18T16:25:21.5781833Z",
"event": {
"action": "deleted-computer-account",
"category": "iam",
"category": [
"iam"
],
"code": 4743,
"kind": "event",
"module": "security",
Expand Up @@ -3,15 +3,17 @@
"@timestamp": "2019-12-18T16:26:46.8744233Z",
"event": {
"action": "added-distribution-group-account",
"category": "iam",
"category": [
"iam"
],
"code": 4744,
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"creation",
"group"
"group",
"creation"
]
},
"group": {
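Review bot: The only change to `event.type` in this hunk is the order of its two elements, `["creation", "group"]` becoming `["group", "creation"]`, and the same reorder appears in the 4745 through 4753 and 4759 through 4761 hunks below. ECS `event.type` is a multi-valued keyword, so element order carries no meaning for queries or rules; the reorder is golden-file churn that will flip again whenever the mapping in winlogbeat-security.js is edited. If the generator does not keep insertion order stable, emitting the array in a fixed order (for example sorted) would keep these fixtures deterministic and make future diffs show only real categorization changes.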
Expand Up @@ -3,15 +3,17 @@
"@timestamp": "2019-12-18T16:29:05.0175739Z",
"event": {
"action": "changed-distribution-group-account",
"category": "iam",
"category": [
"iam"
],
"code": 4745,
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"change",
"group"
"group",
"change"
]
},
"group": {
Expand Up @@ -3,15 +3,17 @@
"@timestamp": "2019-12-18T16:31:01.6117458Z",
"event": {
"action": "added-member-to-distribution-group",
"category": "iam",
"category": [
"iam"
],
"code": 4746,
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"change",
"group"
"group",
"change"
]
},
"group": {
Expand Up @@ -3,15 +3,17 @@
"@timestamp": "2019-12-18T16:35:16.6816525Z",
"event": {
"action": "removed-member-from-distribution-group",
"category": "iam",
"category": [
"iam"
],
"code": 4747,
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"change",
"group"
"group",
"change"
]
},
"group": {
Expand Up @@ -3,15 +3,17 @@
"@timestamp": "2019-12-19T08:01:45.9824133Z",
"event": {
"action": "deleted-distribution-group-account",
"category": "iam",
"category": [
"iam"
],
"code": 4748,
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"deletion",
"group"
"group",
"deletion"
]
},
"group": {
Expand Up @@ -3,15 +3,17 @@
"@timestamp": "2019-12-19T08:03:42.7234679Z",
"event": {
"action": "added-distribution-group-account",
"category": "iam",
"category": [
"iam"
],
"code": 4749,
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"creation",
"group"
"group",
"creation"
]
},
"group": {
Expand Up @@ -3,15 +3,17 @@
"@timestamp": "2019-12-19T08:10:57.4737631Z",
"event": {
"action": "changed-distribution-group-account",
"category": "iam",
"category": [
"iam"
],
"code": 4750,
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"change",
"group"
"group",
"change"
]
},
"group": {
Expand Up @@ -3,15 +3,17 @@
"@timestamp": "2019-12-19T08:20:29.0889568Z",
"event": {
"action": "added-member-to-distribution-group",
"category": "iam",
"category": [
"iam"
],
"code": 4751,
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"change",
"group"
"group",
"change"
]
},
"group": {
Expand Up @@ -3,15 +3,17 @@
"@timestamp": "2019-12-19T08:21:23.6444225Z",
"event": {
"action": "removed-member-from-distribution-group",
"category": "iam",
"category": [
"iam"
],
"code": 4752,
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"change",
"group"
"group",
"change"
]
},
"group": {
Expand Up @@ -3,15 +3,17 @@
"@timestamp": "2019-12-19T08:24:36.5952761Z",
"event": {
"action": "deleted-distribution-group-account",
"category": "iam",
"category": [
"iam"
],
"code": 4753,
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"deletion",
"group"
"group",
"deletion"
]
},
"group": {
Expand Up @@ -3,15 +3,17 @@
"@timestamp": "2019-12-19T08:26:26.1432582Z",
"event": {
"action": "added-distribution-group-account",
"category": "iam",
"category": [
"iam"
],
"code": 4759,
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"creation",
"group"
"group",
"creation"
]
},
"group": {
Expand Up @@ -3,15 +3,17 @@
"@timestamp": "2019-12-19T08:28:21.0305977Z",
"event": {
"action": "changed-distribution-group-account",
"category": "iam",
"category": [
"iam"
],
"code": 4760,
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"change",
"group"
"group",
"change"
]
},
"group": {
Expand Up @@ -3,15 +3,17 @@
"@timestamp": "2019-12-19T08:29:38.4487328Z",
"event": {
"action": "added-member-to-distribution-group",
"category": "iam",
"category": [
"iam"
],
"code": 4761,
"kind": "event",
"module": "security",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"change",
"group"
"group",
"change"
]
},
"group": {