Set target group when possible

x-pack/winlogbeat/module/security/config/winlogbeat-security.js

@@ -1941,10 +1941,16 @@ var security = (function () {
         .Convert({
             fields: [
                 {from: "winlog.event_data.TargetUserSid", to: "group.id"},
+                {from: "winlog.event_data.TargetSid", to: "group.id"},
                 {from: "winlog.event_data.TargetUserName", to: "group.name"},
                 {from: "winlog.event_data.TargetDomainName", to: "group.domain"},
             ],
             ignore_missing: true,
+        }).Add(function(evt) {
+            if (!evt.Get("user.target")) return;
+            evt.Put("user.target.group.id", evt.Get("group.id"));
+            evt.Put("user.target.group.name", evt.Get("group.name"));
+            evt.Put("user.target.group.domain", evt.Get("group.domain"));
         })
         .Build();
 

x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "TEST",
+      "id": "S-1-5-21-1717121054-434620538-60925301-2903",
       "name": "testdistlocal"
     },
     "host": {

x-pack/winlogbeat/module/security/test/testdata/4745.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "TEST",
+      "id": "S-1-5-21-1717121054-434620538-60925301-2903",
       "name": "testdistlocal1"
     },
     "host": {

x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "TEST",
+      "id": "S-1-5-21-1717121054-434620538-60925301-2903",
       "name": "testdistlocal1"
     },
     "host": {
@@ -37,6 +38,11 @@
       "id": "S-1-5-21-1717121054-434620538-60925301-2794",
       "name": "at_adm",
       "target": {
+        "group": {
+          "domain": "TEST",
+          "id": "S-1-5-21-1717121054-434620538-60925301-2903",
+          "name": "testdistlocal1"
+        },
         "name": "Administrator"
       }
     },

x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "TEST",
+      "id": "S-1-5-21-1717121054-434620538-60925301-2903",
       "name": "testdistlocal1"
     },
     "host": {
@@ -37,6 +38,11 @@
       "id": "S-1-5-21-1717121054-434620538-60925301-2794",
       "name": "at_adm",
       "target": {
+        "group": {
+          "domain": "TEST",
+          "id": "S-1-5-21-1717121054-434620538-60925301-2903",
+          "name": "testdistlocal1"
+        },
         "name": "Administrator"
       }
     },

x-pack/winlogbeat/module/security/test/testdata/4748.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "TEST",
+      "id": "S-1-5-21-1717121054-434620538-60925301-2903",
       "name": "testdistlocal1"
     },
     "host": {

x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "TEST",
+      "id": "S-1-5-21-1717121054-434620538-60925301-2904",
       "name": "testglobal"
     },
     "host": {

x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "TEST",
+      "id": "S-1-5-21-1717121054-434620538-60925301-2904",
       "name": "testglobal1"
     },
     "host": {

x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "TEST",
+      "id": "S-1-5-21-1717121054-434620538-60925301-2904",
       "name": "testglobal1"
     },
     "host": {
@@ -37,6 +38,11 @@
       "id": "S-1-5-21-1717121054-434620538-60925301-2794",
       "name": "at_adm",
       "target": {
+        "group": {
+          "domain": "TEST",
+          "id": "S-1-5-21-1717121054-434620538-60925301-2904",
+          "name": "testglobal1"
+        },
         "name": "Administrator"
       }
     },

x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "TEST",
+      "id": "S-1-5-21-1717121054-434620538-60925301-2904",
       "name": "testglobal1"
     },
     "host": {
@@ -37,6 +38,11 @@
       "id": "S-1-5-21-1717121054-434620538-60925301-2794",
       "name": "at_adm",
       "target": {
+        "group": {
+          "domain": "TEST",
+          "id": "S-1-5-21-1717121054-434620538-60925301-2904",
+          "name": "testglobal1"
+        },
         "name": "Administrator"
       }
     },

x-pack/winlogbeat/module/security/test/testdata/4753.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "TEST",
+      "id": "S-1-5-21-1717121054-434620538-60925301-2904",
       "name": "testglobal1"
     },
     "host": {

x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "TEST",
+      "id": "S-1-5-21-1717121054-434620538-60925301-2905",
       "name": "testuni"
     },
     "host": {

x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "TEST",
+      "id": "S-1-5-21-1717121054-434620538-60925301-2905",
       "name": "testuni2"
     },
     "host": {

x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "TEST",
+      "id": "S-1-5-21-1717121054-434620538-60925301-2905",
       "name": "testuni2"
     },
     "host": {
@@ -37,6 +38,11 @@
       "id": "S-1-5-21-1717121054-434620538-60925301-2794",
       "name": "at_adm",
       "target": {
+        "group": {
+          "domain": "TEST",
+          "id": "S-1-5-21-1717121054-434620538-60925301-2905",
+          "name": "testuni2"
+        },
         "name": "Administrator"
       }
     },

x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "TEST",
+      "id": "S-1-5-21-1717121054-434620538-60925301-2905",
       "name": "testuni2"
     },
     "host": {
@@ -37,6 +38,11 @@
       "id": "S-1-5-21-1717121054-434620538-60925301-2794",
       "name": "at_adm",
       "target": {
+        "group": {
+          "domain": "TEST",
+          "id": "S-1-5-21-1717121054-434620538-60925301-2905",
+          "name": "testuni2"
+        },
         "name": "Administrator"
       }
     },

x-pack/winlogbeat/module/security/test/testdata/4763.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "TEST",
+      "id": "S-1-5-21-1717121054-434620538-60925301-2905",
       "name": "testuni2"
     },
     "host": {

x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json

@@ -4,7 +4,8 @@
     "event": {
       "action": "session-reconnected",
       "category": [
-        "authentication"
+        "authentication",
+        "session"
       ],
       "code": 4778,
       "kind": "event",

x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json

@@ -4,7 +4,8 @@
     "event": {
       "action": "session-disconnected",
       "category": [
-        "authentication"
+        "authentication",
+        "session"
       ],
       "code": 4779,
       "kind": "event",

x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-1110",
       "name": "DnsUpdateProxy"
     },
     "host": {

x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-1112",
       "name": "test_group2"
     },
     "host": {
@@ -34,6 +35,11 @@
       "id": "S-1-5-21-101361758-2486510592-3018839910-500",
       "name": "Administrator",
       "target": {
+        "group": {
+          "domain": "WLBEAT",
+          "id": "S-1-5-21-101361758-2486510592-3018839910-1112",
+          "name": "test_group2"
+        },
         "name": "Administrator"
       }
     },

x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-1112",
       "name": "test_group2v2"
     },
     "host": {
@@ -34,6 +35,11 @@
       "id": "S-1-5-21-101361758-2486510592-3018839910-500",
       "name": "Administrator",
       "target": {
+        "group": {
+          "domain": "WLBEAT",
+          "id": "S-1-5-21-101361758-2486510592-3018839910-1112",
+          "name": "test_group2v2"
+        },
         "name": "Administrator"
       }
     },

x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-1112",
       "name": "test_group2v2"
     },
     "host": {

x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-1111",
       "name": "test_group1"
     },
     "host": {

x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-1111",
       "name": "test_group1"
     },
     "host": {
@@ -34,6 +35,11 @@
       "id": "S-1-5-21-101361758-2486510592-3018839910-500",
       "name": "Administrator",
       "target": {
+        "group": {
+          "domain": "WLBEAT",
+          "id": "S-1-5-21-101361758-2486510592-3018839910-1111",
+          "name": "test_group1"
+        },
         "name": "Administrator"
       }
     },

x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-1111",
       "name": "test_group1"
     },
     "host": {
@@ -34,6 +35,11 @@
       "id": "S-1-5-21-101361758-2486510592-3018839910-500",
       "name": "Administrator",
       "target": {
+        "group": {
+          "domain": "WLBEAT",
+          "id": "S-1-5-21-101361758-2486510592-3018839910-1111",
+          "name": "test_group1"
+        },
         "name": "Administrator"
       }
     },

x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-1111",
       "name": "test_group1v1"
     },
     "host": {

x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-1111",
       "name": "test_group1v1"
     },
     "host": {

x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-1112",
       "name": "test_group2v2"
     },
     "host": {

x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-1113",
       "name": "Test_group3"
     },
     "host": {

x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-1113",
       "name": "Test_group3v2"
     },
     "host": {

x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json

@@ -18,6 +18,7 @@
     },
     "group": {
       "domain": "WLBEAT",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-1113",
       "name": "Test_group3v2"
     },
     "host": {
@@ -34,6 +35,11 @@
       "id": "S-1-5-21-101361758-2486510592-3018839910-500",
       "name": "Administrator",
       "target": {
+        "group": {
+          "domain": "WLBEAT",
+          "id": "S-1-5-21-101361758-2486510592-3018839910-1113",
+          "name": "Test_group3v2"
+        },
         "name": "Administrator"
       }
     },