Add audit/computer/distribution groups management events to Security …

…module (#15217)

Added Audit and Log Management related events, Computer Object Management Events, Distribution Groups Events. Changed user.name field for user management events and related.user mapping.

New Events

Due to that Windows events are the source of information for Winlogbeat the events 1100, 1102, 1104, 1105, 1108 and 4719 has been added in order to monitor changes in the audit policy configuration, log deletion and other failures in the log subsystem.

For event 4719, a human readable description was added in order to know which setting was modified (winlog.event_data.SubCategory) and to which value (winlog.event_data.AuditPolicyChangesDescription).

Distribution Groups (Security-Disabled) Management Events were added. Those events are processed in the same way and with the same function that Security Groups (#14299). In order to add information about the nature of the group being managed the type (Security-Disabled/Security-Enabled) and scope (Local,Global,Universal) where added as winlog.group.type and winlog.group.scope.

ComputerObject Management events were also added.

Changes to ECS mappings

In elastic/ecs#678 and elastic/ecs#589 we have been discussing how n-ary relationship between users in an event should be named and mapping into ECS. In #13530 winlog.event_data.TargetUserName has been mapped to user.name but from the reasons exposed in elastic/ecs#678 and elastic/ecs#589 the mapping winlog.event_data.SubjectUserName -> user.name is more appropriate. This mapping was changed.

Also, with the adding of related fields in ECS 1.3 and specifically the related.user field (elastic/ecs#694) all the user names appearing in one event were mapped to the related user events. Every time a SubjectUserName or TargetUserName is copied also is added to the related.user field, as well as other users appearing in the event.

Event test data were added for all events with the exception of event 1108 which I was not able to reproduce.

Co-authored-by: Lee Hinman <57081003+leehinman@users.noreply.github.com>
Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>

winlogbeat/docs/modules/security.asciidoc

@@ -8,6 +8,11 @@ The security module processes event log records from the Security log.
 
 The module has transformations for the following event IDs:
 
+* 1100 - The event logging service has shut down.
+* 1102 - The audit log was cleared.
+* 1104 - The security log is now full.
+* 1105 - Event log automatic backup.
+* 1108 - The event logging service encountered an error while processing an incoming event published from %1
 * 4624 - An account was successfully logged on.
 * 4625 - An account failed to log on.
 * 4634 - An account was logged off.
@@ -16,16 +21,53 @@ The module has transformations for the following event IDs:
 * 4672 - Special privileges assigned to new logon.
 * 4688 - A new process has been created.
 * 4689 - A process has exited.
+* 4719 - System audit policy was changed.
 * 4720 - A user account was created.
 * 4722 - A user account was enabled.
 * 4723 - An attempt was made to change an account's password.
 * 4724 - An attempt was made to reset an account's password.
 * 4725 - An user account was disabled.
 * 4726 - An user account was deleted.
+* 4727 - A security-enabled global group was created.
+* 4728 - A member was added to a security-enabled global group.
+* 4729 - A member was removed from a security-enabled global group.
+* 4730 - A security-enabled global group was deleted.
+* 4731 - A security-enabled local group was created
+* 4732 - A member was added to a security-enabled local group.
+* 4733 - A member was removed from a security-enabled local group.
+* 4734 - A security-enabled local group was deleted.
+* 4735 - A security-enabled local group was changed.
+* 4737 - A security-enabled global group was changed.
 * 4738 - An user account was changed.
 * 4740 - An user account was locked out.
+* 4741 - A computer account was created.
+* 4742 - A computer account was changed.
+* 4743 - A computer account was deleted.
+* 4744 - A security-disabled local group was created.
+* 4745 - A security-disabled local group was changed.
+* 4746 - A member was added to a security-disabled local group.
+* 4747 - A member was removed from a security-disabled local group.
+* 4748 - A security-disabled local group was deleted.
+* 4749 - A security-disabled global group was created.
+* 4750 - A security-disabled global group was changed.
+* 4751 - A member was added to a security-disabled global group.
+* 4752 - A member was removed from a security-disabled global group.
+* 4753 - A security-disabled global group was deleted.
+* 4754 - A security-enabled universal group was created.
+* 4755 - A security-enabled universal group was changed.
+* 4756 - A member was added to a security-enabled universal group.
+* 4757 - A member was removed from a security-enabled universal group.
+* 4758 - A security-enabled universal group was deleted.
+* 4759 - A security-disabled universal group was created.
+* 4760 - A security-disabled universal group was changed.
+* 4761 - A member was added to a security-disabled universal group.
+* 4762 - A member was removed from a security-disabled universal group.
+* 4763 - A security-disabled global group was deleted.
+* 4764 - A group's type was changed.
 * 4767 - An account was unlocked.
 * 4781 - The name of an account was changed.
+* 4798 - A user's local group membership was enumerated.
+* 4799 - A security-enabled local group membership was enumerated.
 
 More event IDs will be added.
 

x-pack/winlogbeat/module/security/_meta/docs.asciidoc

@@ -8,6 +8,11 @@ The security module processes event log records from the Security log.
 
 The module has transformations for the following event IDs:
 
+* 1100 - The event logging service has shut down.
+* 1102 - The audit log was cleared.
+* 1104 - The security log is now full.
+* 1105 - Event log automatic backup.
+* 1108 - The event logging service encountered an error while processing an incoming event published from %1
 * 4624 - An account was successfully logged on.
 * 4625 - An account failed to log on.
 * 4634 - An account was logged off.
@@ -16,16 +21,53 @@ The module has transformations for the following event IDs:
 * 4672 - Special privileges assigned to new logon.
 * 4688 - A new process has been created.
 * 4689 - A process has exited.
+* 4719 - System audit policy was changed.
 * 4720 - A user account was created.
 * 4722 - A user account was enabled.
 * 4723 - An attempt was made to change an account's password.
 * 4724 - An attempt was made to reset an account's password.
 * 4725 - An user account was disabled.
 * 4726 - An user account was deleted.
+* 4727 - A security-enabled global group was created.
+* 4728 - A member was added to a security-enabled global group.
+* 4729 - A member was removed from a security-enabled global group.
+* 4730 - A security-enabled global group was deleted.
+* 4731 - A security-enabled local group was created
+* 4732 - A member was added to a security-enabled local group.
+* 4733 - A member was removed from a security-enabled local group.
+* 4734 - A security-enabled local group was deleted.
+* 4735 - A security-enabled local group was changed.
+* 4737 - A security-enabled global group was changed.
 * 4738 - An user account was changed.
 * 4740 - An user account was locked out.
+* 4741 - A computer account was created.
+* 4742 - A computer account was changed.
+* 4743 - A computer account was deleted.
+* 4744 - A security-disabled local group was created.
+* 4745 - A security-disabled local group was changed.
+* 4746 - A member was added to a security-disabled local group.
+* 4747 - A member was removed from a security-disabled local group.
+* 4748 - A security-disabled local group was deleted.
+* 4749 - A security-disabled global group was created.
+* 4750 - A security-disabled global group was changed.
+* 4751 - A member was added to a security-disabled global group.
+* 4752 - A member was removed from a security-disabled global group.
+* 4753 - A security-disabled global group was deleted.
+* 4754 - A security-enabled universal group was created.
+* 4755 - A security-enabled universal group was changed.
+* 4756 - A member was added to a security-enabled universal group.
+* 4757 - A member was removed from a security-enabled universal group.
+* 4758 - A security-enabled universal group was deleted.
+* 4759 - A security-disabled universal group was created.
+* 4760 - A security-disabled universal group was changed.
+* 4761 - A member was added to a security-disabled universal group.
+* 4762 - A member was removed from a security-disabled universal group.
+* 4763 - A security-disabled global group was deleted.
+* 4764 - A group's type was changed.
 * 4767 - An account was unlocked.
 * 4781 - The name of an account was changed.
+* 4798 - A user's local group membership was enumerated.
+* 4799 - A security-enabled local group membership was enumerated.
 
 More event IDs will be added.