From cc4c4cde4f57f9c7ab37ded80a666e2593953e9d Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Wed, 3 Feb 2021 11:15:02 +0100 Subject: [PATCH] Set target group when possible --- .../module/security/config/winlogbeat-security.js | 6 ++++++ .../module/security/test/testdata/4744.evtx.golden.json | 1 + .../module/security/test/testdata/4745.evtx.golden.json | 1 + .../module/security/test/testdata/4746.evtx.golden.json | 6 ++++++ .../module/security/test/testdata/4747.evtx.golden.json | 6 ++++++ .../module/security/test/testdata/4748.evtx.golden.json | 1 + .../module/security/test/testdata/4749.evtx.golden.json | 1 + .../module/security/test/testdata/4750.evtx.golden.json | 1 + .../module/security/test/testdata/4751.evtx.golden.json | 6 ++++++ .../module/security/test/testdata/4752.evtx.golden.json | 6 ++++++ .../module/security/test/testdata/4753.evtx.golden.json | 1 + .../module/security/test/testdata/4759.evtx.golden.json | 1 + .../module/security/test/testdata/4760.evtx.golden.json | 1 + .../module/security/test/testdata/4761.evtx.golden.json | 6 ++++++ .../module/security/test/testdata/4762.evtx.golden.json | 6 ++++++ .../module/security/test/testdata/4763.evtx.golden.json | 1 + .../testdata/security-windows2012_4778.evtx.golden.json | 3 ++- .../testdata/security-windows2012_4779.evtx.golden.json | 3 ++- .../testdata/security-windows2016_4727.evtx.golden.json | 1 + .../testdata/security-windows2016_4728.evtx.golden.json | 6 ++++++ .../testdata/security-windows2016_4729.evtx.golden.json | 6 ++++++ .../testdata/security-windows2016_4730.evtx.golden.json | 1 + .../testdata/security-windows2016_4731.evtx.golden.json | 1 + .../testdata/security-windows2016_4732.evtx.golden.json | 6 ++++++ .../testdata/security-windows2016_4733.evtx.golden.json | 6 ++++++ .../testdata/security-windows2016_4734.evtx.golden.json | 1 + .../testdata/security-windows2016_4735.evtx.golden.json | 1 + .../testdata/security-windows2016_4737.evtx.golden.json | 1 + .../testdata/security-windows2016_4754.evtx.golden.json | 1 + .../testdata/security-windows2016_4755.evtx.golden.json | 1 + .../testdata/security-windows2016_4756.evtx.golden.json | 6 ++++++ .../testdata/security-windows2016_4757.evtx.golden.json | 6 ++++++ .../testdata/security-windows2016_4758.evtx.golden.json | 1 + .../testdata/security-windows2016_4764.evtx.golden.json | 1 + .../testdata/security-windows2016_4799.evtx.golden.json | 1 + 35 files changed, 102 insertions(+), 2 deletions(-) diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index 586aeea5e17..e624a819beb 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js @@ -1941,10 +1941,16 @@ var security = (function () { .Convert({ fields: [ {from: "winlog.event_data.TargetUserSid", to: "group.id"}, + {from: "winlog.event_data.TargetSid", to: "group.id"}, {from: "winlog.event_data.TargetUserName", to: "group.name"}, {from: "winlog.event_data.TargetDomainName", to: "group.domain"}, ], ignore_missing: true, + }).Add(function(evt) { + if (!evt.Get("user.target")) return; + evt.Put("user.target.group.id", evt.Get("group.id")); + evt.Put("user.target.group.name", evt.Get("group.name")); + evt.Put("user.target.group.domain", evt.Get("group.domain")); }) .Build(); diff --git a/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json index 5500629ef45..1c7d689ef4b 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", "name": "testdistlocal" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/4745.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4745.evtx.golden.json index c34a17a1723..a19ba89ec83 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4745.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4745.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", "name": "testdistlocal1" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json index dbdf4a7ab10..be20ce400a4 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", "name": "testdistlocal1" }, "host": { @@ -37,6 +38,11 @@ "id": "S-1-5-21-1717121054-434620538-60925301-2794", "name": "at_adm", "target": { + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, "name": "Administrator" } }, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json index 94ce89dec10..c903452389d 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", "name": "testdistlocal1" }, "host": { @@ -37,6 +38,11 @@ "id": "S-1-5-21-1717121054-434620538-60925301-2794", "name": "at_adm", "target": { + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, "name": "Administrator" } }, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4748.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4748.evtx.golden.json index 78d9a0146b6..3d620a576f0 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4748.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4748.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", "name": "testdistlocal1" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json index fd968769219..c1409cf7411 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", "name": "testglobal" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json index 4933fc9371a..aabca7b49f0 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", "name": "testglobal1" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json index 50bc0140404..0e9aa901699 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", "name": "testglobal1" }, "host": { @@ -37,6 +38,11 @@ "id": "S-1-5-21-1717121054-434620538-60925301-2794", "name": "at_adm", "target": { + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, "name": "Administrator" } }, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json index c536b386738..76fb4727e1f 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", "name": "testglobal1" }, "host": { @@ -37,6 +38,11 @@ "id": "S-1-5-21-1717121054-434620538-60925301-2794", "name": "at_adm", "target": { + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, "name": "Administrator" } }, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4753.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4753.evtx.golden.json index 401a7005e4c..df5d283bb3c 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4753.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4753.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", "name": "testglobal1" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json index 1519fe28c2c..ed306992f89 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", "name": "testuni" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json index 2e2445dd16c..b3842d0b7c7 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", "name": "testuni2" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json index 8e090753fd9..3c177519316 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", "name": "testuni2" }, "host": { @@ -37,6 +38,11 @@ "id": "S-1-5-21-1717121054-434620538-60925301-2794", "name": "at_adm", "target": { + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" + }, "name": "Administrator" } }, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json index d93b36887a4..b31bf25e3f8 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", "name": "testuni2" }, "host": { @@ -37,6 +38,11 @@ "id": "S-1-5-21-1717121054-434620538-60925301-2794", "name": "at_adm", "target": { + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" + }, "name": "Administrator" } }, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4763.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4763.evtx.golden.json index 431f161b48b..cb288f808ee 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4763.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4763.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", "name": "testuni2" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json index f7944a0c686..8f3d01584d6 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json @@ -4,7 +4,8 @@ "event": { "action": "session-reconnected", "category": [ - "authentication" + "authentication", + "session" ], "code": 4778, "kind": "event", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json index 93f89a592a6..0c8fb8171a0 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json @@ -4,7 +4,8 @@ "event": { "action": "session-disconnected", "category": [ - "authentication" + "authentication", + "session" ], "code": 4779, "kind": "event", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json index c849ac7c402..cdd1450d86c 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1110", "name": "DnsUpdateProxy" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json index 88f4a145bbc..c7e1105ac1c 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", "name": "test_group2" }, "host": { @@ -34,6 +35,11 @@ "id": "S-1-5-21-101361758-2486510592-3018839910-500", "name": "Administrator", "target": { + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2" + }, "name": "Administrator" } }, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json index 070ef52f642..c9bf1f23969 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", "name": "test_group2v2" }, "host": { @@ -34,6 +35,11 @@ "id": "S-1-5-21-101361758-2486510592-3018839910-500", "name": "Administrator", "target": { + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2v2" + }, "name": "Administrator" } }, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json index e538fa47a1a..0c22e3a226d 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", "name": "test_group2v2" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json index a7021cfd3a2..dfd76b52414 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", "name": "test_group1" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json index 7c145be0204..3768dc8e845 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", "name": "test_group1" }, "host": { @@ -34,6 +35,11 @@ "id": "S-1-5-21-101361758-2486510592-3018839910-500", "name": "Administrator", "target": { + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" + }, "name": "Administrator" } }, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json index 00e480e5513..43dafddae90 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", "name": "test_group1" }, "host": { @@ -34,6 +35,11 @@ "id": "S-1-5-21-101361758-2486510592-3018839910-500", "name": "Administrator", "target": { + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" + }, "name": "Administrator" } }, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json index e47e1e32cca..24089b7f65c 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", "name": "test_group1v1" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json index dc4d99b087e..37c7ec70a68 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", "name": "test_group1v1" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json index 7827d002a2c..0eb1d5a9b48 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", "name": "test_group2v2" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json index 2389eb533ea..63dd5670366 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", "name": "Test_group3" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json index 83035c20d46..22a5fd75508 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", "name": "Test_group3v2" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json index 66785bb2cd1..3402221270b 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", "name": "Test_group3v2" }, "host": { @@ -34,6 +35,11 @@ "id": "S-1-5-21-101361758-2486510592-3018839910-500", "name": "Administrator", "target": { + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" + }, "name": "Administrator" } }, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json index 561ecd1f573..76560110630 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", "name": "Test_group3v2" }, "host": { @@ -34,6 +35,11 @@ "id": "S-1-5-21-101361758-2486510592-3018839910-500", "name": "Administrator", "target": { + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" + }, "name": "Administrator" } }, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json index 685292a5c0d..54dd5ddcf7e 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", "name": "Test_group3v2" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json index 17ca0872e47..ff37d528888 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", "name": "test_group2v2" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json index bbac172350c..caca7eca7f2 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "Builtin", + "id": "S-1-5-32-544", "name": "Administrators" }, "host": {