Account name not showing in windows event_id 4732

mancharagopan · December 27, 2019, 10:46am

I am trying to track users added to Administrators group. But in the event viewer log shows local username and group, but in the event which i am receiving has only the SID. I check the Friendly View and XML View, both are same. Is there any way to resolve this issue?

I am using ELK Stack and Beats agent to ship the logs. This is the Friendly view,

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          12/27/2019 3:25:02 PM
Event ID:      4732
Task Category: Security Group Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      pms-primary
Description:
A member was added to a security-enabled local group.

Subject:
    Security ID:        PMS-PRIMARY\Administrator
    Account Name:        Administrator
    Account Domain:      PMS-PRIMARY
    Logon ID:        0x1bc355

Member:
    Security ID:        PMS-PRIMARY\test
    Account Name:        -

Group:
    Security ID:        BUILTIN\Administrators
    Group Name:        Administrators
    Group Domain:        Builtin

Additional Information:
    Privileges:        -
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4732</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13826</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2019-12-27T09:55:02.995947100Z" />
    <EventRecordID>480532626</EventRecordID>
    <Correlation />
    <Execution ProcessID="556" ThreadID="5760" />
    <Channel>Security</Channel>
    <Computer>pms-primary</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="MemberName">-</Data>
    <Data Name="MemberSid">S-1-5-21-1340285219-1682968722-2481256013-1046</Data>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1340285219-1682968722-2481256013-500</Data>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">PMS-PRIMARY</Data>
    <Data Name="SubjectLogonId">0x1bc355</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>

andrewkroh · January 3, 2020, 3:25am

What Winlogbeat version? Can you please share the raw JSON from Winlogbeat for this event and specify what field contains the problem (or what data isn't being copied over).

mancharagopan · January 3, 2020, 4:12am

Winlogbeat version 6.6.0

Logstash receiving this,

[2020-01-03T09:34:43,542][DEBUG][logstash.pipeline ] filter received {"event"=>{"provider_guid"=>"{54849625-5478-4994-A5BA-3E3B0328C30D}", "opcode"=>"Info", "keywords"=>["Audit Success"], "type"=>"wineventlog", "process_id"=>512, "event_id"=>4732, "host"=>{"id"=>"54783f49-0ac6-4666-8ac7-eef51a5da86a", "architecture"=>"x86_64", "name"=>"pms-primary", "os"=>{"family"=>"windows", "platform"=>"windows", "build"=>"7601.0", "name"=>"Windows Server 2008 R2 Standard", "version"=>"6.1"}}, "log_name"=>"Security", "tags"=>["beats_input_codec_plain_applied"], "@timestamp"=>2020-01-03T04:03:16.293Z, "level"=>"Information", "@version"=>"1", "beat"=>{"hostname"=>"pms-primary", "name"=>"pms-primary", "version"=>"6.6.0"}, "source_name"=>"Microsoft-Windows-Security-Auditing", "thread_id"=>6768, "event_data"=>{"SubjectUserSid"=>"S-1-5-21-1340285219-1682968722-2481256013-500", "MemberName"=>"-", "SubjectUserName"=>"Administrator", "TargetUserName"=>"Administrators", "SubjectLogonId"=>"0x13ca00", "PrivilegeList"=>"-", "SubjectDomainName"=>"PMS-PRIMARY", "TargetDomainName"=>"Builtin", "TargetSid"=>"S-1-5-32-544", "MemberSid"=>"S-1-5-21-1340285219-1682968722-2481256013-1046"}, "message"=>"A member was added to a security-enabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1340285219-1682968722-2481256013-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tPMS-PRIMARY\n\tLogon ID:\t\t0x13ca00\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1340285219-1682968722-2481256013-1046\n\tAccount Name:\t\t-\n\nGroup:\n\tSecurity ID:\t\tS-1-5-32-544\n\tGroup Name:\t\tAdministrators\n\tGroup Domain:\t\tBuiltin\n\nAdditional Information:\n\tPrivileges:\t\t-", "task"=>"Security Group Management", "record_number"=>"481607351", "computer_name"=>"pms-primary"}}

This is what event viewer shows,

This is Elasticsearch JSON from kibana,

{
  "_index": "winlogbeat-2020.01.03",
  "_type": "doc",
  "_id": "l02TaW8BW6jMFpNRJqGN",
  "_version": 1,
  "_score": null,
  "_source": {
    "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "opcode": "Info",
    "keywords": [
      "Audit Success"
    ],
    "type": "wineventlog",
    "process_id": 512,
    "event_id": 4732,
    "host": {
      "id": "54783f49-0ac6-4666-8ac7-eef51a5da86a",
      "architecture": "x86_64",
      "name": "pms-primary",
      "os": {
        "family": "windows",
        "platform": "windows",
        "build": "7601.0",
        "name": "Windows Server 2008 R2 Standard",
        "version": "6.1"
      }
    },
    "log_name": "Security",
    "tags": [
      "beats_input_codec_plain_applied"
    ],
    "@timestamp": "2020-01-03T04:03:16.293Z",
    "level": "Information",
    "@version": "1",
    "beat": {
      "hostname": "pms-primary",
      "name": "pms-primary",
      "version": "6.6.0"
    },
    "source_name": "Microsoft-Windows-Security-Auditing",
    "thread_id": 6768,
    "event_data": {
      "SubjectUserSid": "S-1-5-21-1340285219-1682968722-2481256013-500",
      "MemberName": "-",
      "SubjectUserName": "Administrator",
      "TargetUserName": "Administrators",
      "SubjectLogonId": "0x13ca00",
      "PrivilegeList": "-",
      "SubjectDomainName": "PMS-PRIMARY",
      "TargetDomainName": "Builtin",
      "TargetSid": "S-1-5-32-544",
      "MemberSid": "S-1-5-21-1340285219-1682968722-2481256013-1046"
    },
    "message": "A member was added to a security-enabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1340285219-1682968722-2481256013-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tPMS-PRIMARY\n\tLogon ID:\t\t0x13ca00\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1340285219-1682968722-2481256013-1046\n\tAccount Name:\t\t-\n\nGroup:\n\tSecurity ID:\t\tS-1-5-32-544\n\tGroup Name:\t\tAdministrators\n\tGroup Domain:\t\tBuiltin\n\nAdditional Information:\n\tPrivileges:\t\t-",
    "task": "Security Group Management",
    "record_number": "481607351",
    "computer_name": "pms-primary"
  },
  "fields": {
    "@timestamp": [
      "2020-01-03T04:03:16.293Z"
    ]
  },
  "sort": [
    1578024196293
  ]
}

andrewkroh · January 13, 2020, 10:11pm

So you are specifically talking about the event_data.MemberSid not being translated anywhere in the event?

andrewkroh · January 13, 2020, 10:12pm

Sounds like it's related to this enhancement request: https://github.com/elastic/beats/issues/7451

mancharagopan · January 16, 2020, 3:56am

I'll try it and update you the result.

system · February 13, 2020, 3:56am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.