Add Group Management Events - Add NewUAC Description for User Management Events #14299
Conversation
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?
x-pack/winlogbeat/module/security/config/winlogbeat-security.js
@andrewkroh
I'm not a reviewer for Beats code, just jumping in to look at the values and field names.
Question for Beats maintainers: Is there a way to have test data for this in the repo? Similar to Filebeat module's test fixtures.
@@ -27,15 +55,34 @@ var security = (function () { | |||
"4720": "added-user-account", | |||
"4722": "enabled-user-account", | |||
"4723": "changed-password", | |||
"4724": "reset-password", | |||
"4724": "reseted-password", |
I actually think the initial value of "reset-password" was better. I don't think "reseted" is an English word :-)
Fixed :)
This dashboard looks great. Would you like to add that to the PR?
(I haven't tried this on Windows, but I think it should work. This assumes Kibana is a
@andrewkroh I have already exported the dashboard in a .json. I'll wait for your response and then I'll update the PR.
Since these dashboards are dependent on the transformations done in the module I think they belong in the module dir at
Done! |
@andrewkroh, it is not clear to me which is the error and if I have to correct something. Thank you,
@janniten, thank you, this is really helpful. I did have a few whitespace changes, can you take a look? Also I generated new golden.json files to go with the new test data you added. Would it be OK if I added those to the PR?
Hi @leehinman
- fix whitespace in winlogbeat-security.js to make diffs cleaner
jenkins, test this
- used libbeat/scripts/unpack_dashboards.py --transform decode
@leehinman, maybe I can remove the dashboards so the PR can be merged and create a separate PR for the dashboards. What do you think?
@janniten Let me see if I can test the dashboard, @andrewkroh gave me some pointers I'd like to try out.
Hi @leehinman, can I help/do something more?
@janniten I haven't (yet) figured out how to get the dashboards working. If you are still willing maybe we should split the PR. I'll keep working on the dashboards.
@leehinman I removed the dashboards. I think it is ok now.
jenkins, test this
@leehinman, shall I modify something? The CI build failed.
… User Management Events (elastic#14299)
* Added Group Management Events
* Added User and Group Enumeration
* Added New UAC Description
(cherry picked from commit 8e31628)
…module (#15217)

Added Audit and Log Management related events, Computer Object Management Events, Distribution Groups Events. Changed the user.name field for user management events and the related.user mapping.

New Events

Because Windows events are the source of information for Winlogbeat, events 1100, 1102, 1104, 1105, 1108 and 4719 have been added in order to monitor changes in the audit policy configuration, log deletion and other failures in the log subsystem. For event 4719, a human readable description was added in order to know which setting was modified (winlog.event_data.SubCategory) and to which value (winlog.event_data.AuditPolicyChangesDescription).

Distribution Groups (Security-Disabled) Management Events were added. Those events are processed in the same way and with the same function as Security Groups (#14299). In order to add information about the nature of the group being managed, the type (Security-Disabled/Security-Enabled) and scope (Local, Global, Universal) were added as winlog.group.type and winlog.group.scope.

ComputerObject Management events were also added.

Changes to ECS mappings

In elastic/ecs#678 and elastic/ecs#589 we have been discussing how the n-ary relationship between users in an event should be named and mapped into ECS. In #13530 winlog.event_data.TargetUserName was mapped to user.name, but for the reasons exposed in elastic/ecs#678 and elastic/ecs#589 the mapping winlog.event_data.SubjectUserName -> user.name is more appropriate. This mapping was changed. Also, with the addition of related fields in ECS 1.3 and specifically the related.user field (elastic/ecs#694), all the user names appearing in one event were mapped to related.user. Every time a SubjectUserName or TargetUserName is copied it is also added to the related.user field, as are other users appearing in the event.

Event test data were added for all events with the exception of event 1108, which I was not able to reproduce.

Co-authored-by: Lee Hinman <57081003+leehinman@users.noreply.github.com>
Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
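The SubjectUserName -> user.name and related.user mapping that the commit message above describes, written out as an added JavaScript example. This is not the winlogbeat security module's own processor code: it assumes winlog.event_data is a flat object, that Windows writes "-" for an empty field, that any key ending in "UserName" names a user, and the helper names isEmptyWinValue and mapUsers; the sample events are constructed.

```javascript
// Added example, not the winlogbeat security module's own code.
// Maps the user fields of a Security event to ECS as the commit describes:
// SubjectUserName (the actor) -> user.name, and every user name present in
// the event -> related.user, with duplicates and empty values removed.
// Assumptions: event_data is a flat object; Windows writes "-" for an empty
// field; any key ending in "UserName" names a user.

function isEmptyWinValue(v) {
  return v === undefined || v === null || v === "" || v === "-";
}

function mapUsers(eventData) {
  var ecs = { user: {}, related: { user: [] } };
  var seen = {};

  function addRelated(name) {
    if (isEmptyWinValue(name) || seen[name]) {
      return;
    }
    seen[name] = true;
    ecs.related.user.push(name);
  }

  // The subject is the account that performed the action: ECS user.name.
  if (!isEmptyWinValue(eventData.SubjectUserName)) {
    ecs.user.name = eventData.SubjectUserName;
  }
  // Subject first, then target, so related.user has a stable order.
  addRelated(eventData.SubjectUserName);
  addRelated(eventData.TargetUserName);
  // Any other *UserName field in the event, in the order the keys appear.
  var keys = Object.keys(eventData);
  for (var i = 0; i < keys.length; i++) {
    if (/UserName$/.test(keys[i])) {
      addRelated(eventData[keys[i]]);
    }
  }
  return ecs;
}

// Constructed sample: a 4724-style password reset performed by Administrator
// on the account jdoe. The *DomainName fields are not users and are ignored.
var SAMPLE_EVENT_DATA = {
  SubjectUserName: "Administrator",
  SubjectDomainName: "CORP",
  TargetUserName: "jdoe",
  TargetDomainName: "CORP",
};

// Constructed sample with an empty target ("-") and the same user twice,
// to show that related.user neither carries "-" nor repeats a name.
var SAMPLE_EVENT_DATA_EMPTY = {
  SubjectUserName: "svc-backup",
  TargetUserName: "-",
  CallerUserName: "svc-backup",
};
```

Keeping related.user free of "-" and of duplicates matters for detection content: a rule that counts distinct accounts touched by one actor, or that pivots on related.user, should not be inflated by the empty marker or by an account that appears in two fields of the same event.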
@leehinman one question. Events added in this PR are not listed in the release notes. Do you know why?
@janniten I'm sorry, this is my fault. I didn't catch that there wasn't a Changelog entry, and the info in the release notes is populated from the Changelog. I did check and the code is in the release.
…module (elastic#15217) (cherry picked from commit e624aef)
…ent Events - ECS related.user field mapping (#17090) (cherry picked from commit e624aef)
Co-authored-by: Anabella Cristaldi <33020901+janniten@users.noreply.github.com>
…18775)

This PR adds two new dashboards related to events added in PRs (#12906, #14299, #15217, #17517) and implements some improvements to the existing winlogbeat security module's dashboard.

New Dashboards
- User Logon Dashboard shows all the logon information. It allows us to keep track of logon and admin logon events between RDP connections and disconnections.
- Failed and Blocked Accounts allows us to keep track of failed logons and locked out accounts.

Existing Dashboards
- Added Distribution groups Events (#15217).
- Found that Event 4625 can be generated by two different providers: Microsoft-Windows-Security-Auditing and Microsoft-Windows-EventSystem. Filters to use only the event.code=4625 from Microsoft-Windows-Security-Auditing were added.

All Dashboards
- Markdown with links to all the winlogbeat security dashboards was added (following the idea of the Filebeat and Auditbeat dashboards).
- Visualizations that use many events (like group management related visualizations) were modified in order to use a saved search with the relevant events for that visualization as a source (instead of using individual filters for each visualization).
- Removed the margin between panels to look the same way as other beats dashboards.
- TSVB metrics were modified to use the Entire Time Range and to use eye-friendlier colors.

Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
…lastic#18775)
…lastic#18775) (cherry picked from commit 7b9c535)
…18775) (#22598) (cherry picked from commit 7b9c535) Co-authored-by: Anabella Cristaldi <33020901+janniten@users.noreply.github.com>
Added Group Management Events and Events 4798 and 4799 (User and Group enumeration)
In order to map this event correctly a new field group.domain was added to the ECS group schema
(elastic/ecs#547)
Added addUACDescription function in order to translate to a human readable form the flags in the winlog.event_data.NewUacValue field. A new field winlog.event_data.NewUACList is created and contains a list of decoded flags from the hex value in winlog.event_data.NewUacValue.
For example
winlog.event_data.NewUacValue -> 0x15 is translated to winlog.event_data.NewUACList -> SCRIPT,LOCKOUT
Also converts winlog.event_data.UserAccountControl to a list of values
Cosmetic change: fix the order of events 4767 and 4781 and some space fixing
Ingesting these events we can have information about the group, who performed group changes and what the changes are.
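The NewUacValue decoding described above, as an added JavaScript example; it is not the PR's addUACDescription nor any winlogbeat code. The flag table uses the LDAP userAccountControl bit names (SCRIPT, LOCKOUT, ...), which is an assumption about the encoding the page refers to; because Windows exposes account-control bits under more than one layout, the decoder takes the table as a parameter and reports bits it cannot name instead of dropping them silently. The %%-token table for UserAccountControl is constructed for the example, and the names decodeUac, parseUacValue and expandUacTokens are mine.

```javascript
// Added example, not the winlogbeat security module's own code.
// Decodes a User Account Control bitmask, as found in
// winlog.event_data.NewUacValue, into a list of flag names, and expands the
// %%NNNN message tokens of winlog.event_data.UserAccountControl into a list
// of descriptions.
//
// Assumption: this table uses the bit names of the LDAP userAccountControl
// attribute (the names the PR uses). Other sources lay the bits out
// differently, so the table is a parameter of decodeUac.
var UAC_FLAGS = [
  [0x00000001, "SCRIPT"],
  [0x00000002, "ACCOUNTDISABLE"],
  [0x00000008, "HOMEDIR_REQUIRED"],
  [0x00000010, "LOCKOUT"],
  [0x00000020, "PASSWD_NOTREQD"],
  [0x00000040, "PASSWD_CANT_CHANGE"],
  [0x00000080, "ENCRYPTED_TEXT_PWD_ALLOWED"],
  [0x00000100, "TEMP_DUPLICATE_ACCOUNT"],
  [0x00000200, "NORMAL_ACCOUNT"],
  [0x00000800, "INTERDOMAIN_TRUST_ACCOUNT"],
  [0x00001000, "WORKSTATION_TRUST_ACCOUNT"],
  [0x00002000, "SERVER_TRUST_ACCOUNT"],
  [0x00010000, "DONT_EXPIRE_PASSWORD"],
  [0x00020000, "MNS_LOGON_ACCOUNT"],
  [0x00040000, "SMARTCARD_REQUIRED"],
  [0x00080000, "TRUSTED_FOR_DELEGATION"],
  [0x00100000, "NOT_DELEGATED"],
  [0x00200000, "USE_DES_KEY_ONLY"],
  [0x00400000, "DONT_REQ_PREAUTH"],
  [0x00800000, "PASSWORD_EXPIRED"],
  [0x01000000, "TRUSTED_TO_AUTH_FOR_DELEGATION"],
  [0x04000000, "PARTIAL_SECRETS_ACCOUNT"],
];

// Parse "0x15", "15" or a number into an unsigned 32-bit integer.
// Returns null for anything that is not a hex value (e.g. "-" or "").
function parseUacValue(raw) {
  if (typeof raw === "number") {
    return raw >>> 0;
  }
  if (typeof raw !== "string") {
    return null;
  }
  var s = raw.trim().toLowerCase();
  if (s.indexOf("0x") === 0) {
    s = s.slice(2);
  }
  if (!/^[0-9a-f]{1,8}$/.test(s)) {
    return null;
  }
  return parseInt(s, 16) >>> 0;
}

// Returns { flags: [names in table order], unknown: bits not in the table },
// or null when the input cannot be parsed.
function decodeUac(raw, table) {
  table = table || UAC_FLAGS;
  var value = parseUacValue(raw);
  if (value === null) {
    return null;
  }
  var flags = [];
  var known = 0;
  for (var i = 0; i < table.length; i++) {
    if ((value & table[i][0]) !== 0) {
      flags.push(table[i][1]);
      known |= table[i][0];
    }
  }
  return { flags: flags, unknown: (value & ~known) >>> 0 };
}

// winlog.event_data.UserAccountControl arrives as whitespace-separated
// "%%NNNN" message tokens. This token table is constructed for the example.
var UAC_MESSAGES = {
  "2080": "Account Disabled",
  "2082": "'Password Not Required' - Enabled",
  "2084": "'Normal Account' - Enabled",
};

// Expand each %%NNNN token to its description; unknown tokens are kept as-is
// so that nothing is lost from the original field.
function expandUacTokens(raw, messages) {
  messages = messages || UAC_MESSAGES;
  if (typeof raw !== "string") {
    return [];
  }
  var out = [];
  var re = /%%(\d+)/g;
  var m;
  while ((m = re.exec(raw)) !== null) {
    out.push(messages[m[1]] || ("%%" + m[1]));
  }
  return out;
}
```

For the page's example value 0x15 the decoder returns the flags SCRIPT and LOCKOUT and reports 0x4 as an unnamed bit. Checking that `unknown` field on a sample of real events is the quickest way to notice a flag table that does not match the event source, which would otherwise show up only as silently missing flags in NewUACList.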