The Active Directory Federation Service (AD FS) can publish events to the Windows Security log. Some of the event IDs that it uses overlap with event IDs used by other publishers to the Security channel. This causes a problem with the Security module for Winlogbeat because it assumes the content of an event based on its event ID.
In most systems there are two publishers to the Security channel - Microsoft-Windows-Eventlog and Microsoft-Windows-Security-Auditing - and their event IDs do not collide. Because there can be collisions, the Security module should also check the winlog.provider_name field before making assumptions about the winlog.event_id value.
As an example, event ID 1102 from Microsoft-Windows-Eventlog collides with 1102 from the AD FS log. So when the module processes 1102 from AD FS it gets marked event.action: audit-log-cleared.
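The following is an added example, not code from the Winlogbeat Security module: it contrasts an event-ID-only lookup with one keyed on winlog.provider_name first, using constructed sample events. The AD FS provider name, the mapping table and the function names are assumptions for illustration.

```javascript
// Added example (not the Winlogbeat module's own code). Shows why the
// Security module should key on winlog.provider_name before winlog.event_id.

// The ID-only lookup the issue describes: every 1102 becomes audit-log-cleared.
var ACTIONS_BY_ID_ONLY = { "1102": "audit-log-cleared" };

function naiveActionFor(evt) {
  var action = ACTIONS_BY_ID_ONLY[String(evt.winlog.event_id)];
  return action === undefined ? null : action;
}

// Provider-aware table (constructed subset): provider first, then event ID.
var ACTIONS_BY_PROVIDER = {
  "Microsoft-Windows-Eventlog": { "1102": "audit-log-cleared" },
  "Microsoft-Windows-Security-Auditing": { "4624": "logged-in" }
};

// Return event.action for an event, or null when the (provider, ID) pair is
// not one the table knows about. Unknown providers such as AD FS fall through.
function actionFor(evt) {
  var byId = ACTIONS_BY_PROVIDER[evt.winlog.provider_name];
  if (!byId) {
    return null;
  }
  var action = byId[String(evt.winlog.event_id)];
  return action === undefined ? null : action;
}

// Enrich the event the way a Winlogbeat JS processor would, but only when the
// provider-aware lookup produced an action.
function process(evt) {
  var action = actionFor(evt);
  if (action !== null) {
    evt.event = evt.event || {};
    evt.event.action = action;
  }
  return evt;
}

// Constructed sample events: a genuine log-clear and an AD FS event that
// reuses ID 1102 ("AD FS Auditing" is an assumed provider name).
var SAMPLES = [
  { winlog: { provider_name: "Microsoft-Windows-Eventlog", event_id: 1102 } },
  { winlog: { provider_name: "AD FS Auditing", event_id: 1102 } }
];
```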
Referenced code: beats/x-pack/winlogbeat/module/security/config/winlogbeat-security.js, line 168 in 75ed47c