diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 6a758a2959d..2948d612b52 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -1003,6 +1003,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add dns.question.subdomain fields for sysmon DNS events. {pull}22999[22999] - Add dns.question.top_level_domain fields for sysmon DNS events. {pull}23046[23046] - Add Audit and Authentication Polixy Change Events and related.ip information {pull}20684[20684] +- Add new ECS 1.8 improvements. {pull}23563[23563] *Elastic Log Driver* diff --git a/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js b/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js index 4ef1155086b..698b12711bf 100644 --- a/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js +++ b/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js @@ -333,11 +333,9 @@ var powershell = (function () { var userParts = evt.Get("winlog.event_data.UserId").split("\\"); evt.Delete("winlog.event_data.UserId"); if (userParts.length === 2) { - evt.Delete("user"); evt.Put("user.domain", userParts[0]); evt.Put("user.name", userParts[1]); evt.AppendTo("related.user", userParts[1]); - evt.Delete("winlog.event_data.UserId"); } }; @@ -346,7 +344,18 @@ var powershell = (function () { evt.Delete("winlog.event_data.Connected User"); if (userParts.length === 2) { evt.Put("powershell.connected_user.domain", userParts[0]); + if (evt.Get("user.domain")) { + evt.Put("destination.user.domain", evt.Get("user.domain")); + } + evt.Put("source.user.domain", userParts[0]); + evt.Put("user.domain", userParts[0]); + evt.Put("powershell.connected_user.name", userParts[1]); + if (evt.Get("user.name")) { + evt.Put("destination.user.name", evt.Get("user.name")); + } + evt.Put("source.user.name", userParts[1]); + evt.Put("user.name", userParts[1]); evt.AppendTo("related.user", userParts[1]); } }; @@ -541,6 +550,18 @@ var powershell = (function () { ignore_missing: true, fail_on_error: false, }) + .Convert({ + fields: [ + { + from: "winlog.user.identifier", + to: "user.id", + type: "string", + }, + ], + mode: "copy", + ignore_missing: true, + fail_on_error: false, + }) .Add(normalizeCommonFieldNames) .Add(addEngineVersion) .Add(addPipelineID) @@ -583,6 +604,18 @@ var powershell = (function () { ignore_missing: true, fail_on_error: false, }) + .Convert({ + fields: [ + { + from: "winlog.user.identifier", + to: "user.id", + type: "string", + }, + ], + mode: "copy", + ignore_missing: true, + fail_on_error: false, + }) .Add(normalizeCommonFieldNames) .Add(addFileInfo) .Add(addScriptBlockID) @@ -594,6 +627,18 @@ var powershell = (function () { .Add(addRunspaceID) .Add(addScriptBlockID) .Add(removeEmptyEventData) + .Convert({ + fields: [ + { + from: "winlog.user.identifier", + to: "user.id", + type: "string", + }, + ], + mode: "copy", + ignore_missing: true, + fail_on_error: false, + }) .Build(); var event4105 = new processor.Chain() diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/4103.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/4103.evtx.golden.json index e040dd0d8f4..c6c186bd12e 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/4103.evtx.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/4103.evtx.golden.json @@ -1,6 +1,12 @@ [ { "@timestamp": "2020-05-15T08:11:47.8979495Z", + "destination": { + "user": { + "domain": "VAGRANT", + "name": "vagrant" + } + }, "event": { "action": "Executing Pipeline", "category": [ @@ -72,8 +78,15 @@ "related": { "user": "vagrant" }, + "source": { + "user": { + "domain": "VAGRANT", + "name": "vagrant" + } + }, "user": { "domain": "VAGRANT", + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000", "name": "vagrant" }, "winlog": { @@ -196,6 +209,7 @@ }, "user": { "domain": "VAGRANT", + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000", "name": "vagrant" }, "winlog": { diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/4104.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/4104.evtx.golden.json index 5926c0f789e..3c2af006185 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/4104.evtx.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/4104.evtx.golden.json @@ -28,6 +28,9 @@ "sequence": 1, "total": 1 }, + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, "winlog": { "activity_id": "{fb13c9de-29f7-0001-18e0-13fbf729d601}", "api": "wineventlog", @@ -85,6 +88,9 @@ "sequence": 1, "total": 1 }, + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, "winlog": { "activity_id": "{fb13c9de-29f7-0000-79db-13fbf729d601}", "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/4105.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/4105.evtx.golden.json index 2cbd24255ea..f19c03b5abc 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/4105.evtx.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/4105.evtx.golden.json @@ -26,6 +26,9 @@ }, "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623" }, + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, "winlog": { "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}", "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/4106.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/4106.evtx.golden.json index e598bb408ee..117c907387e 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/4106.evtx.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/4106.evtx.golden.json @@ -26,6 +26,9 @@ }, "runspace_id": "3f1a9181-0523-4645-a42c-2c1868c39332" }, + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, "winlog": { "activity_id": "{e3200b8a-290e-0002-332a-20e30e29d601}", "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index 44d0e8eb34d..e624a819beb 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js @@ -179,7 +179,7 @@ var security = (function () { "4634": [["authentication"], ["end"], "logged-out"], "4647": [["authentication"], ["end"], "logged-out"], "4648": [["authentication"], ["start"], "logged-in-explicit"], - "4657": [["configuration"], ["change"], "registry-value-modified"], + "4657": [["registry", "configuration"], ["change"], "registry-value-modified"], "4670": [["iam", "configuration"],["admin", "change"],"permissions-changed"], "4672": [["iam"], ["admin"], "logged-in-special"], "4673": [["iam"], ["admin"], "privileged-service-called"], @@ -250,8 +250,8 @@ var security = (function () { "4770": [["authentication"], ["start"], "kerberos-service-ticket-renewed"], "4771": [["authentication"], ["start"], "kerberos-preauth-failed"], "4776": [["authentication"], ["start"], "credential-validated"], - "4778": [["authentication"], ["start"], "session-reconnected"], - "4779": [["authentication"], ["end"], "session-disconnected"], + "4778": [["authentication", "session"], ["start"], "session-reconnected"], + "4779": [["authentication", "session"], ["end"], "session-disconnected"], "4781": [["iam"], ["user", "change"], "renamed-user-account"], "4798": [["iam"], ["user", "info"], "group-membership-enumerated"], // process enumerates the local groups to which the specified user belongs "4799": [["iam"], ["group", "info"], "user-member-enumerated"], // a process enumerates the members of the specified local group @@ -1351,7 +1351,7 @@ var security = (function () { "16903": "Publish", }; - // Trust Types + // Trust Types // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 var trustTypes = { "1": "TRUST_TYPE_DOWNLEVEL", @@ -1360,7 +1360,7 @@ var security = (function () { "4": "TRUST_TYPE_DCE" } - // Trust Direction + // Trust Direction // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 var trustDirection = { "0": "TRUST_DIRECTION_DISABLED", @@ -1369,7 +1369,7 @@ var security = (function () { "3": "TRUST_DIRECTION_BIDIRECTIONAL" } - // Trust Attributes + // Trust Attributes // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 var trustAttributes = { "0": "UNDEFINED", @@ -1899,35 +1899,58 @@ var security = (function () { }) .Build(); - var copyTargetUser = new processor.Chain() - .Convert({ - fields: [ - {from: "winlog.event_data.TargetUserSid", to: "user.id"}, - {from: "winlog.event_data.TargetUserName", to: "user.name"}, - {from: "winlog.event_data.TargetDomainName", to: "user.domain"}, - ], - ignore_missing: true, - }) - .Add(function(evt) { - var user = evt.Get("winlog.event_data.TargetUserName"); - if (user) { - if (/.@*/.test(user)) { - user = user.split('@')[0]; - evt.Put('user.name', user); - } - evt.AppendTo('related.user', user); + + var copyTargetUser = function(evt) { + var targetUserId = evt.Get("winlog.event_data.TargetUserSid"); + if (targetUserId) { + if (evt.Get("user.id")) evt.Put("user.target.id", targetUserId); + else evt.Put("user.id", targetUserId); + } + + var targetUserName = evt.Get("winlog.event_data.TargetUserName"); + if (targetUserName) { + if (/.@*/.test(targetUserName)) { + targetUserName = targetUserName.split('@')[0]; } - }) - .Build(); + + evt.AppendTo("related.user", targetUserName); + if (evt.Get("user.name")) evt.Put("user.target.name", targetUserName); + else evt.Put("user.name", targetUserName); + } + + var targetUserDomain = evt.Get("winlog.event_data.TargetDomainName"); + if (targetUserDomain) { + if (evt.Get("user.domain")) evt.Put("user.target.domain", targetUserDomain); + else evt.Put("user.domain", targetUserDomain); + } + } + + var copyMemberToUser = function(evt) { + var member = evt.Get("winlog.event_data.MemberName"); + if (!member) { + return; + } + + var userName = member.split(',')[0].replace('CN=', '').replace('cn=', ''); + + evt.AppendTo("related.user", userName); + evt.Put("user.target.name", userName); + } var copyTargetUserToGroup = new processor.Chain() .Convert({ fields: [ {from: "winlog.event_data.TargetUserSid", to: "group.id"}, + {from: "winlog.event_data.TargetSid", to: "group.id"}, {from: "winlog.event_data.TargetUserName", to: "group.name"}, {from: "winlog.event_data.TargetDomainName", to: "group.domain"}, ], ignore_missing: true, + }).Add(function(evt) { + if (!evt.Get("user.target")) return; + evt.Put("user.target.group.id", evt.Get("group.id")); + evt.Put("user.target.group.name", evt.Get("group.name")); + evt.Put("user.target.group.domain", evt.Get("group.domain")); }) .Build(); @@ -2194,16 +2217,10 @@ var security = (function () { var groupMgmtEvts = new processor.Chain() .Add(copySubjectUser) .Add(copySubjectUserLogonId) + .Add(copyMemberToUser) .Add(copyTargetUserToGroup) .Add(renameCommonAuthFields) .Add(addEventFields) - .Add(function(evt) { - var member = evt.Get("winlog.event_data.MemberName"); - if (!member) { - return; - } - evt.AppendTo("related.user", member.split(',')[0].replace('CN=', '').replace('cn=', '')); - }) .Build(); var auditLogCleared = new processor.Chain() diff --git a/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json index 5500629ef45..1c7d689ef4b 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", "name": "testdistlocal" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/4745.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4745.evtx.golden.json index c34a17a1723..a19ba89ec83 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4745.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4745.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", "name": "testdistlocal1" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json index 0280c715784..be20ce400a4 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", "name": "testdistlocal1" }, "host": { @@ -35,7 +36,15 @@ "user": { "domain": "TEST", "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" + "name": "at_adm", + "target": { + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, + "name": "Administrator" + } }, "winlog": { "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json index e5da6a98154..c903452389d 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", "name": "testdistlocal1" }, "host": { @@ -35,7 +36,15 @@ "user": { "domain": "TEST", "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" + "name": "at_adm", + "target": { + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, + "name": "Administrator" + } }, "winlog": { "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4748.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4748.evtx.golden.json index 78d9a0146b6..3d620a576f0 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4748.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4748.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", "name": "testdistlocal1" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json index fd968769219..c1409cf7411 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", "name": "testglobal" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json index 4933fc9371a..aabca7b49f0 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", "name": "testglobal1" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json index 52db79ef538..0e9aa901699 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", "name": "testglobal1" }, "host": { @@ -35,7 +36,15 @@ "user": { "domain": "TEST", "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" + "name": "at_adm", + "target": { + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, + "name": "Administrator" + } }, "winlog": { "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json index c4eaab12820..76fb4727e1f 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", "name": "testglobal1" }, "host": { @@ -35,7 +36,15 @@ "user": { "domain": "TEST", "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" + "name": "at_adm", + "target": { + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, + "name": "Administrator" + } }, "winlog": { "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4753.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4753.evtx.golden.json index 401a7005e4c..df5d283bb3c 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4753.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4753.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", "name": "testglobal1" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json index 1519fe28c2c..ed306992f89 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", "name": "testuni" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json index 2e2445dd16c..b3842d0b7c7 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", "name": "testuni2" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json index 353394a452a..3c177519316 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", "name": "testuni2" }, "host": { @@ -35,7 +36,15 @@ "user": { "domain": "TEST", "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" + "name": "at_adm", + "target": { + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" + }, + "name": "Administrator" + } }, "winlog": { "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json index 688e0f7c5aa..b31bf25e3f8 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", "name": "testuni2" }, "host": { @@ -35,7 +36,15 @@ "user": { "domain": "TEST", "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" + "name": "at_adm", + "target": { + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" + }, + "name": "Administrator" + } }, "winlog": { "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4763.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4763.evtx.golden.json index 431f161b48b..cb288f808ee 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4763.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4763.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", "name": "testuni2" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json index f7944a0c686..8f3d01584d6 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json @@ -4,7 +4,8 @@ "event": { "action": "session-reconnected", "category": [ - "authentication" + "authentication", + "session" ], "code": 4778, "kind": "event", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json index 93f89a592a6..0c8fb8171a0 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json @@ -4,7 +4,8 @@ "event": { "action": "session-disconnected", "category": [ - "authentication" + "authentication", + "session" ], "code": 4779, "kind": "event", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json index c849ac7c402..cdd1450d86c 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1110", "name": "DnsUpdateProxy" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json index 489ea32ae30..c7e1105ac1c 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", "name": "test_group2" }, "host": { @@ -32,7 +33,15 @@ "user": { "domain": "WLBEAT", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2" + }, + "name": "Administrator" + } }, "winlog": { "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json index 971694737da..c9bf1f23969 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", "name": "test_group2v2" }, "host": { @@ -32,7 +33,15 @@ "user": { "domain": "WLBEAT", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2v2" + }, + "name": "Administrator" + } }, "winlog": { "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json index e538fa47a1a..0c22e3a226d 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", "name": "test_group2v2" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json index a7021cfd3a2..dfd76b52414 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", "name": "test_group1" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json index 5cdec92fafb..3768dc8e845 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", "name": "test_group1" }, "host": { @@ -32,7 +33,15 @@ "user": { "domain": "WLBEAT", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" + }, + "name": "Administrator" + } }, "winlog": { "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json index bf4540b62cb..43dafddae90 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", "name": "test_group1" }, "host": { @@ -32,7 +33,15 @@ "user": { "domain": "WLBEAT", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" + }, + "name": "Administrator" + } }, "winlog": { "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json index e47e1e32cca..24089b7f65c 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", "name": "test_group1v1" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json index dc4d99b087e..37c7ec70a68 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", "name": "test_group1v1" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json index 7827d002a2c..0eb1d5a9b48 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", "name": "test_group2v2" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json index 2389eb533ea..63dd5670366 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", "name": "Test_group3" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json index 83035c20d46..22a5fd75508 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", "name": "Test_group3v2" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json index d4ec0369bf8..3402221270b 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", "name": "Test_group3v2" }, "host": { @@ -32,7 +33,15 @@ "user": { "domain": "WLBEAT", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" + }, + "name": "Administrator" + } }, "winlog": { "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json index d54323688b8..76560110630 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", "name": "Test_group3v2" }, "host": { @@ -32,7 +33,15 @@ "user": { "domain": "WLBEAT", "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" + "name": "Administrator", + "target": { + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" + }, + "name": "Administrator" + } }, "winlog": { "api": "wineventlog", diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json index 685292a5c0d..54dd5ddcf7e 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", "name": "Test_group3v2" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json index 17ca0872e47..ff37d528888 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", "name": "test_group2v2" }, "host": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json index bbac172350c..caca7eca7f2 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json @@ -18,6 +18,7 @@ }, "group": { "domain": "Builtin", + "id": "S-1-5-32-544", "name": "Administrators" }, "host": { diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js index 17f1d0a914f..372912027a5 100644 --- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js +++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js @@ -330,13 +330,16 @@ var sysmon = (function () { }; var addUser = function (evt) { + var id = evt.Get("winlog.user.identifier"); + if (id) { + evt.Put("user.id", id); + } var userParts = evt.Get("winlog.event_data.User"); if (!userParts) { return; } userParts = userParts.split("\\"); if (userParts.length === 2) { - evt.Delete("user"); evt.Put("user.domain", userParts[0]); evt.Put("user.name", userParts[1]); evt.AppendTo("related.user", userParts[1]); @@ -1192,7 +1195,7 @@ var sysmon = (function () { .Add(parseUtcTime) .AddFields({ fields: { - category: ["configuration"], + category: ["configuration", "registry"], type: ["change"], }, target: "event", @@ -1231,7 +1234,7 @@ var sysmon = (function () { .Add(parseUtcTime) .AddFields({ fields: { - category: ["configuration"], + category: ["configuration", "registry"], type: ["change"], }, target: "event", @@ -1270,7 +1273,7 @@ var sysmon = (function () { .Add(parseUtcTime) .AddFields({ fields: { - category: ["configuration"], + category: ["configuration", "registry"], type: ["change"], }, target: "event", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json index d5d5c494791..5f333e3aee2 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json @@ -55,6 +55,7 @@ }, "user": { "domain": "VAGRANT-2012-R2", + "id": "S-1-5-18", "name": "vagrant" }, "winlog": { @@ -127,6 +128,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "LOCAL SERVICE" }, "winlog": { @@ -198,6 +200,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "SYSTEM" }, "winlog": { diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json index 5dcbcaab942..5da24c16db5 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json @@ -3,7 +3,8 @@ "@timestamp": "2020-05-05T14:57:40.589Z", "event": { "category": [ - "configuration" + "configuration", + "registry" ], "code": 13, "kind": "event", @@ -67,7 +68,8 @@ "@timestamp": "2020-05-05T14:57:44.714Z", "event": { "category": [ - "configuration" + "configuration", + "registry" ], "code": 13, "kind": "event", @@ -125,7 +127,8 @@ "@timestamp": "2020-05-05T14:57:44.714Z", "event": { "category": [ - "configuration" + "configuration", + "registry" ], "code": 13, "kind": "event", @@ -189,7 +192,8 @@ "@timestamp": "2020-05-05T14:57:46.808Z", "event": { "category": [ - "configuration" + "configuration", + "registry" ], "code": 13, "kind": "event", @@ -247,7 +251,8 @@ "@timestamp": "2020-05-05T14:57:46.808Z", "event": { "category": [ - "configuration" + "configuration", + "registry" ], "code": 13, "kind": "event", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx.golden.json index 7b102704685..678f5fe9fdf 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx.golden.json @@ -57,6 +57,7 @@ }, "user": { "domain": "VAGRANT", + "id": "S-1-5-18", "name": "vagrant" }, "winlog": { diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json index 71e0fcc639d..82df773ae15 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json @@ -144,6 +144,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "SYSTEM" }, "winlog": { @@ -236,6 +237,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "SYSTEM" }, "winlog": { @@ -422,6 +424,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "SYSTEM" }, "winlog": { @@ -506,6 +509,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "NETWORK SERVICE" }, "winlog": { @@ -581,6 +585,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "NETWORK SERVICE" }, "winlog": { @@ -656,6 +661,7 @@ }, "user": { "domain": "VAGRANT-2012-R2", + "id": "S-1-5-18", "name": "vagrant" }, "winlog": { @@ -731,6 +737,7 @@ }, "user": { "domain": "VAGRANT-2012-R2", + "id": "S-1-5-18", "name": "vagrant" }, "winlog": { @@ -806,6 +813,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "SYSTEM" }, "winlog": { @@ -884,6 +892,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "SYSTEM" }, "winlog": { @@ -962,6 +971,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "NETWORK SERVICE" }, "winlog": { @@ -1036,6 +1046,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "NETWORK SERVICE" }, "winlog": { @@ -1110,6 +1121,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "SYSTEM" }, "winlog": { @@ -1187,6 +1199,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "SYSTEM" }, "winlog": { @@ -1264,6 +1277,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "NETWORK SERVICE" }, "winlog": { @@ -1338,6 +1352,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "NETWORK SERVICE" }, "winlog": { @@ -1413,6 +1428,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "SYSTEM" }, "winlog": { @@ -1491,6 +1507,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "SYSTEM" }, "winlog": { @@ -1569,6 +1586,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "SYSTEM" }, "winlog": { @@ -1647,6 +1665,7 @@ }, "user": { "domain": "NT AUTHORITY", + "id": "S-1-5-18", "name": "SYSTEM" }, "winlog": {