Account name not showing in Windows event_id 4732

I am trying to track users added to the Administrators group. The Event Viewer log shows the local username and group, but the event I am receiving has only the SID. I checked the Friendly View and XML View; both are the same. Is there any way to resolve this issue?

I am using ELK Stack and Beats agent to ship the logs. This is the Friendly view,

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          12/27/2019 3:25:02 PM
Event ID:      4732
Task Category: Security Group Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      pms-primary
Description:
A member was added to a security-enabled local group.

Subject:
    Security ID:        PMS-PRIMARY\Administrator
    Account Name:        Administrator
    Account Domain:      PMS-PRIMARY
    Logon ID:        0x1bc355

Member:
    Security ID:        PMS-PRIMARY\test
    Account Name:        -

Group:
    Security ID:        BUILTIN\Administrators
    Group Name:        Administrators
    Group Domain:        Builtin

Additional Information:
    Privileges:        -
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4732</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13826</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2019-12-27T09:55:02.995947100Z" />
    <EventRecordID>480532626</EventRecordID>
    <Correlation />
    <Execution ProcessID="556" ThreadID="5760" />
    <Channel>Security</Channel>
    <Computer>pms-primary</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="MemberName">-</Data>
    <Data Name="MemberSid">S-1-5-21-1340285219-1682968722-2481256013-1046</Data>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1340285219-1682968722-2481256013-500</Data>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">PMS-PRIMARY</Data>
    <Data Name="SubjectLogonId">0x1bc355</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>

What Winlogbeat version? Can you please share the raw JSON from Winlogbeat for this event and specify what field contains the problem (or what data isn't being copied over).

Winlogbeat version 6.6.0

Logstash receiving this,

[2020-01-03T09:34:43,542][DEBUG][logstash.pipeline ] filter received {"event"=>{"provider_guid"=>"{54849625-5478-4994-A5BA-3E3B0328C30D}", "opcode"=>"Info", "keywords"=>["Audit Success"], "type"=>"wineventlog", "process_id"=>512, "event_id"=>4732, "host"=>{"id"=>"54783f49-0ac6-4666-8ac7-eef51a5da86a", "architecture"=>"x86_64", "name"=>"pms-primary", "os"=>{"family"=>"windows", "platform"=>"windows", "build"=>"7601.0", "name"=>"Windows Server 2008 R2 Standard", "version"=>"6.1"}}, "log_name"=>"Security", "tags"=>["beats_input_codec_plain_applied"], "@timestamp"=>2020-01-03T04:03:16.293Z, "level"=>"Information", "@version"=>"1", "beat"=>{"hostname"=>"pms-primary", "name"=>"pms-primary", "version"=>"6.6.0"}, "source_name"=>"Microsoft-Windows-Security-Auditing", "thread_id"=>6768, "event_data"=>{"SubjectUserSid"=>"S-1-5-21-1340285219-1682968722-2481256013-500", "MemberName"=>"-", "SubjectUserName"=>"Administrator", "TargetUserName"=>"Administrators", "SubjectLogonId"=>"0x13ca00", "PrivilegeList"=>"-", "SubjectDomainName"=>"PMS-PRIMARY", "TargetDomainName"=>"Builtin", "TargetSid"=>"S-1-5-32-544", "MemberSid"=>"S-1-5-21-1340285219-1682968722-2481256013-1046"}, "message"=>"A member was added to a security-enabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1340285219-1682968722-2481256013-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tPMS-PRIMARY\n\tLogon ID:\t\t0x13ca00\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1340285219-1682968722-2481256013-1046\n\tAccount Name:\t\t-\n\nGroup:\n\tSecurity ID:\t\tS-1-5-32-544\n\tGroup Name:\t\tAdministrators\n\tGroup Domain:\t\tBuiltin\n\nAdditional Information:\n\tPrivileges:\t\t-", "task"=>"Security Group Management", "record_number"=>"481607351", "computer_name"=>"pms-primary"}}

This is what event viewer shows,
[image: Event Viewer screenshot, not reproduced]

This is Elasticsearch JSON from kibana,

{
  "_index": "winlogbeat-2020.01.03",
  "_type": "doc",
  "_id": "l02TaW8BW6jMFpNRJqGN",
  "_version": 1,
  "_score": null,
  "_source": {
    "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "opcode": "Info",
    "keywords": [
      "Audit Success"
    ],
    "type": "wineventlog",
    "process_id": 512,
    "event_id": 4732,
    "host": {
      "id": "54783f49-0ac6-4666-8ac7-eef51a5da86a",
      "architecture": "x86_64",
      "name": "pms-primary",
      "os": {
        "family": "windows",
        "platform": "windows",
        "build": "7601.0",
        "name": "Windows Server 2008 R2 Standard",
        "version": "6.1"
      }
    },
    "log_name": "Security",
    "tags": [
      "beats_input_codec_plain_applied"
    ],
    "@timestamp": "2020-01-03T04:03:16.293Z",
    "level": "Information",
    "@version": "1",
    "beat": {
      "hostname": "pms-primary",
      "name": "pms-primary",
      "version": "6.6.0"
    },
    "source_name": "Microsoft-Windows-Security-Auditing",
    "thread_id": 6768,
    "event_data": {
      "SubjectUserSid": "S-1-5-21-1340285219-1682968722-2481256013-500",
      "MemberName": "-",
      "SubjectUserName": "Administrator",
      "TargetUserName": "Administrators",
      "SubjectLogonId": "0x13ca00",
      "PrivilegeList": "-",
      "SubjectDomainName": "PMS-PRIMARY",
      "TargetDomainName": "Builtin",
      "TargetSid": "S-1-5-32-544",
      "MemberSid": "S-1-5-21-1340285219-1682968722-2481256013-1046"
    },
    "message": "A member was added to a security-enabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1340285219-1682968722-2481256013-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tPMS-PRIMARY\n\tLogon ID:\t\t0x13ca00\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1340285219-1682968722-2481256013-1046\n\tAccount Name:\t\t-\n\nGroup:\n\tSecurity ID:\t\tS-1-5-32-544\n\tGroup Name:\t\tAdministrators\n\tGroup Domain:\t\tBuiltin\n\nAdditional Information:\n\tPrivileges:\t\t-",
    "task": "Security Group Management",
    "record_number": "481607351",
    "computer_name": "pms-primary"
  },
  "fields": {
    "@timestamp": [
      "2020-01-03T04:03:16.293Z"
    ]
  },
  "sort": [
    1578024196293
  ]
}

So you are specifically talking about the event_data.MemberSid not being translated anywhere in the event?

Sounds like it's related to this enhancement request: https://github.com/elastic/beats/issues/7451
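The thread boils down to this: Windows wrote `MemberName` as `-` and only `MemberSid` in the 4732 event data, and Event Viewer resolves that SID to `PMS-PRIMARY\test` at render time, which Winlogbeat 6.6.0 does not do. Until the shipper resolves it, a defender still wants two things from such an event: a decision on whether the target group is privileged (which never needs name resolution, because `TargetSid` is the well-known `S-1-5-32-544`) and a best-effort name for the added member. The following Python is an added example, not code from the thread, Winlogbeat or Logstash; the sample event is built inline from the JSON posted above, and the `LOCAL_ACCOUNT_SIDS` table is a constructed stand-in for whatever account inventory a real pipeline would feed in.

```python
import json

# Well-known group SIDs (public Microsoft values) that a 4732 detection cares about.
WELL_KNOWN_GROUP_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
}

# Constructed lookup table (assumption: populated from an account inventory).
# Maps the full SID of a local account to its display name.
LOCAL_ACCOUNT_SIDS = {
    "S-1-5-21-1340285219-1682968722-2481256013-1046": "PMS-PRIMARY\\test",
}

# Sample event constructed from the winlogbeat _source document posted in the thread.
SAMPLE_4732 = json.loads("""{
  "event_id": 4732,
  "computer_name": "pms-primary",
  "event_data": {
    "SubjectUserSid": "S-1-5-21-1340285219-1682968722-2481256013-500",
    "MemberName": "-",
    "SubjectUserName": "Administrator",
    "TargetUserName": "Administrators",
    "SubjectLogonId": "0x13ca00",
    "SubjectDomainName": "PMS-PRIMARY",
    "TargetDomainName": "Builtin",
    "TargetSid": "S-1-5-32-544",
    "MemberSid": "S-1-5-21-1340285219-1682968722-2481256013-1046"
  }
}""")


def describe_sid(sid, lookup=LOCAL_ACCOUNT_SIDS):
    """Best-effort display name for a SID.

    Order: well-known group, inventory lookup, RID-500 heuristic
    (the built-in Administrator of the machine/domain named by the prefix),
    otherwise the raw SID so nothing is silently dropped.
    """
    if sid in WELL_KNOWN_GROUP_SIDS:
        return WELL_KNOWN_GROUP_SIDS[sid]
    if sid in lookup:
        return lookup[sid]
    prefix, _, rid = sid.rpartition("-")
    if prefix.startswith("S-1-5-21-") and rid == "500":
        return "<built-in Administrator, RID 500>"
    return sid


def analyze_4732(event, lookup=LOCAL_ACCOUNT_SIDS):
    """Normalise a winlogbeat 4732 document into an alert-friendly record.

    Returns None for other event IDs. The `privileged` flag is decided on
    TargetSid alone, so it works even when no name could be resolved.
    """
    if event.get("event_id") != 4732:
        return None
    data = event.get("event_data", {})
    member_sid = data.get("MemberSid", "")
    member_name = data.get("MemberName", "-")
    if member_name == "-":
        # Windows left the name blank (as in the thread); resolve from the SID.
        member_name = describe_sid(member_sid, lookup)
    target_sid = data.get("TargetSid", "")
    group = WELL_KNOWN_GROUP_SIDS.get(
        target_sid,
        f"{data.get('TargetDomainName', '')}\\{data.get('TargetUserName', '')}",
    )
    return {
        "host": event.get("computer_name"),
        "actor": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
        "actor_sid": data.get("SubjectUserSid", ""),
        "member": member_name,
        "member_sid": member_sid,
        "group": group,
        "group_sid": target_sid,
        "privileged": target_sid in WELL_KNOWN_GROUP_SIDS,
    }


if __name__ == "__main__":
    print(json.dumps(analyze_4732(SAMPLE_4732), indent=2))
```

The record keeps both the resolved name and the raw SID, so a downstream rule can match on `group_sid == "S-1-5-32-544"` regardless of whether the member name resolved, and an analyst can still pivot on `member_sid` if the inventory table was stale.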

I'll try it and update you the result.
