Account name not showing in windows event_id 4732

mancharagopan · December 27, 2019, 10:46am

I am trying to track users added to Administrators group. But in the event viewer log shows local username and group, but in the event which i am receiving has only the SID. I check the Friendly View and XML View, both are same. Is there any way to resolve this issue?

I am using ELK Stack and Beats agent to ship the logs. This is the Friendly view,

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          12/27/2019 3:25:02 PM
Event ID:      4732
Task Category: Security Group Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      pms-primary
Description:
A member was added to a security-enabled local group.

Subject:
    Security ID:        PMS-PRIMARY\Administrator
    Account Name:        Administrator
    Account Domain:      PMS-PRIMARY
    Logon ID:        0x1bc355

Member:
    Security ID:        PMS-PRIMARY\test
    Account Name:        -

Group:
    Security ID:        BUILTIN\Administrators
    Group Name:        Administrators
    Group Domain:        Builtin

Additional Information:
    Privileges:        -
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4732</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13826</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2019-12-27T09:55:02.995947100Z" />
    <EventRecordID>480532626</EventRecordID>
    <Correlation />
    <Execution ProcessID="556" ThreadID="5760" />
    <Channel>Security</Channel>
    <Computer>pms-primary</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="MemberName">-</Data>
    <Data Name="MemberSid">S-1-5-21-1340285219-1682968722-2481256013-1046</Data>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1340285219-1682968722-2481256013-500</Data>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">PMS-PRIMARY</Data>
    <Data Name="SubjectLogonId">0x1bc355</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>

andrewkroh · January 3, 2020, 3:25am

What Winlogbeat version? Can you please share the raw JSON from Winlogbeat for this event and specify what field contains the problem (or what data isn't being copied over).

mancharagopan · January 3, 2020, 4:12am

Winlogbeat version 6.6.0

Logstash receiving this,

[2020-01-03T09:34:43,542][DEBUG][logstash.pipeline ] filter received {"event"=>{"provider_guid"=>"{54849625-5478-4994-A5BA-3E3B0328C30D}", "opcode"=>"Info", "keywords"=>["Audit Success"], "type"=>"wineventlog", "process_id"=>512, "event_id"=>4732, "host"=>{"id"=>"54783f49-0ac6-4666-8ac7-eef51a5da86a", "architecture"=>"x86_64", "name"=>"pms-primary", "os"=>{"family"=>"windows", "platform"=>"windows", "build"=>"7601.0", "name"=>"Windows Server 2008 R2 Standard", "version"=>"6.1"}}, "log_name"=>"Security", "tags"=>["beats_input_codec_plain_applied"], "@timestamp"=>2020-01-03T04:03:16.293Z, "level"=>"Information", "@version"=>"1", "beat"=>{"hostname"=>"pms-primary", "name"=>"pms-primary", "version"=>"6.6.0"}, "source_name"=>"Microsoft-Windows-Security-Auditing", "thread_id"=>6768, "event_data"=>{"SubjectUserSid"=>"S-1-5-21-1340285219-1682968722-2481256013-500", "MemberName"=>"-", "SubjectUserName"=>"Administrator", "TargetUserName"=>"Administrators", "SubjectLogonId"=>"0x13ca00", "PrivilegeList"=>"-", "SubjectDomainName"=>"PMS-PRIMARY", "TargetDomainName"=>"Builtin", "TargetSid"=>"S-1-5-32-544", "MemberSid"=>"S-1-5-21-1340285219-1682968722-2481256013-1046"}, "message"=>"A member was added to a security-enabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1340285219-1682968722-2481256013-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tPMS-PRIMARY\n\tLogon ID:\t\t0x13ca00\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1340285219-1682968722-2481256013-1046\n\tAccount Name:\t\t-\n\nGroup:\n\tSecurity ID:\t\tS-1-5-32-544\n\tGroup Name:\t\tAdministrators\n\tGroup Domain:\t\tBuiltin\n\nAdditional Information:\n\tPrivileges:\t\t-", "task"=>"Security Group Management", "record_number"=>"481607351", "computer_name"=>"pms-primary"}}

This is what event viewer shows,

This is Elasticsearch JSON from kibana,

{
  "_index": "winlogbeat-2020.01.03",
  "_type": "doc",
  "_id": "l02TaW8BW6jMFpNRJqGN",
  "_version": 1,
  "_score": null,
  "_source": {
    "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "opcode": "Info",
    "keywords": [
      "Audit Success"
    ],
    "type": "wineventlog",
    "process_id": 512,
    "event_id": 4732,
    "host": {
      "id": "54783f49-0ac6-4666-8ac7-eef51a5da86a",
      "architecture": "x86_64",
      "name": "pms-primary",
      "os": {
        "family": "windows",
        "platform": "windows",
        "build": "7601.0",
        "name": "Windows Server 2008 R2 Standard",
        "version": "6.1"
      }
    },
    "log_name": "Security",
    "tags": [
      "beats_input_codec_plain_applied"
    ],
    "@timestamp": "2020-01-03T04:03:16.293Z",
    "level": "Information",
    "@version": "1",
    "beat": {
      "hostname": "pms-primary",
      "name": "pms-primary",
      "version": "6.6.0"
    },
    "source_name": "Microsoft-Windows-Security-Auditing",
    "thread_id": 6768,
    "event_data": {
      "SubjectUserSid": "S-1-5-21-1340285219-1682968722-2481256013-500",
      "MemberName": "-",
      "SubjectUserName": "Administrator",
      "TargetUserName": "Administrators",
      "SubjectLogonId": "0x13ca00",
      "PrivilegeList": "-",
      "SubjectDomainName": "PMS-PRIMARY",
      "TargetDomainName": "Builtin",
      "TargetSid": "S-1-5-32-544",
      "MemberSid": "S-1-5-21-1340285219-1682968722-2481256013-1046"
    },
    "message": "A member was added to a security-enabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1340285219-1682968722-2481256013-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tPMS-PRIMARY\n\tLogon ID:\t\t0x13ca00\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1340285219-1682968722-2481256013-1046\n\tAccount Name:\t\t-\n\nGroup:\n\tSecurity ID:\t\tS-1-5-32-544\n\tGroup Name:\t\tAdministrators\n\tGroup Domain:\t\tBuiltin\n\nAdditional Information:\n\tPrivileges:\t\t-",
    "task": "Security Group Management",
    "record_number": "481607351",
    "computer_name": "pms-primary"
  },
  "fields": {
    "@timestamp": [
      "2020-01-03T04:03:16.293Z"
    ]
  },
  "sort": [
    1578024196293
  ]
}

andrewkroh · January 13, 2020, 10:11pm

So you are specifically talking about the event_data.MemberSid not being translated anywhere in the event?

andrewkroh · January 13, 2020, 10:12pm

Sounds like it's related to this enhancement request: https://github.com/elastic/beats/issues/7451

mancharagopan · January 16, 2020, 3:56am

I'll try it and update you the result.

system · February 13, 2020, 3:56am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat read Windows Event id 4732 but not Member Security ID? Beats winlogbeat	3	719	March 2, 2023
Winlogbeat user.name is missing in event 4634 (Logoff Event) - ECS Missing Correlation Beats winlogbeat	11	1526	September 3, 2019
Parsing issue with Event ID 4740 Beats winlogbeat	2	599	September 23, 2022
Winlogbeat wrong values Beats windows , winlogbeat	8	660	May 10, 2023
Wrong details parsing - Windows event-log Beats winlogbeat	1	317	September 27, 2021

Account name not showing in windows event_id 4732

Related Topics