Analysis logs for security events

I recommend following our Getting Started guide and using Winlogbeat 5.0.0-alpha1 because it has some new features over 1.X that are very useful.

When you install Winlogbeat with the default config, it will ship all events from the Security log to Elasticsearch. You can then build some custom searches and dashboards in Kibana to visualize the specific event IDs for logon events. Some of the more important event IDs are:

  • Account Lockouts - 4740
  • User Added to Privileged Group - 4728, 4732, 4756
  • Security-Enabled Group Modification - 4735
  • Successful User Account Login - 4624
  • Failed User Account Login - 4625
  • Account Login with Explicit Credentials - 4648

Remote desktop logins can be searched by looking within the login events for an event_data.LoginType: 10 where 10 is the login type for remote interactive logons.

Visualization/Query example: Reporting Windows Security Events in Kibana

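As an added example (not part of the original post or of Winlogbeat itself), the following script applies the searches described above to a handful of constructed Winlogbeat 5.x-style documents: it tallies events by the event IDs listed, pulls out remote desktop logons (4624 with logon type 10), and flags repeated failed logons. It assumes the 5.x document shape with `event_id` at the top level and the raw Windows fields under `event_data`; Windows itself names the logon type field `LogonType`, and the code accepts both that spelling and the post's `LoginType`.

```python
import json
from collections import Counter

# Constructed sample documents in the Winlogbeat 5.x shape (event_id at the top
# level, raw Windows fields under event_data); not real captured events.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"event_id": 4624, "computer_name": "srv01", "event_data": {"TargetUserName": "alice", "LogonType": "10", "IpAddress": "10.0.0.5"}}
{"event_id": 4624, "computer_name": "srv01", "event_data": {"TargetUserName": "svc-backup", "LogonType": "3", "IpAddress": "10.0.0.9"}}
{"event_id": 4625, "computer_name": "srv01", "event_data": {"TargetUserName": "bob", "LogonType": "10", "IpAddress": "10.0.0.7"}}
{"event_id": 4625, "computer_name": "srv01", "event_data": {"TargetUserName": "bob", "LogonType": "10", "IpAddress": "10.0.0.7"}}
{"event_id": 4740, "computer_name": "dc01", "event_data": {"TargetUserName": "bob"}}
{"event_id": 4732, "computer_name": "dc01", "event_data": {"TargetUserName": "Administrators", "MemberName": "CN=carol,OU=Users"}}
""".strip().splitlines()]

# Event IDs named in the post, grouped by the category the post gives them.
EVENT_CATEGORIES = {
    4740: "Account Lockout",
    4728: "User Added to Privileged Group",
    4732: "User Added to Privileged Group",
    4756: "User Added to Privileged Group",
    4735: "Security-Enabled Group Modification",
    4624: "Successful User Account Logon",
    4625: "Failed User Account Logon",
    4648: "Logon with Explicit Credentials",
}
REMOTE_INTERACTIVE = 10  # logon type 10 = RemoteInteractive (remote desktop)

def logon_type(event):
    """Numeric logon type, or None if absent. Windows names the field
    LogonType; the post writes LoginType, so both spellings are accepted."""
    data = event.get("event_data", {})
    raw = data.get("LogonType", data.get("LoginType"))
    return int(raw) if raw is not None else None

def count_by_category(events):
    """Tally events by category, ignoring IDs the post does not list."""
    return Counter(EVENT_CATEGORIES[e["event_id"]] for e in events
                   if e["event_id"] in EVENT_CATEGORIES)

def remote_desktop_logons(events):
    """Successful logons (4624) with logon type 10, as (user, source ip, host)."""
    return [(e["event_data"]["TargetUserName"], e["event_data"].get("IpAddress"), e["computer_name"])
            for e in events if e["event_id"] == 4624 and logon_type(e) == REMOTE_INTERACTIVE]

def repeated_failures(events, threshold=2):
    """Users with at least `threshold` failed logons (4625), a lockout precursor."""
    fails = Counter(e["event_data"]["TargetUserName"] for e in events if e["event_id"] == 4625)
    return {user: n for user, n in fails.items() if n >= threshold}

if __name__ == "__main__":
    print(count_by_category(SAMPLE_EVENTS))
    print(remote_desktop_logons(SAMPLE_EVENTS))
    print(repeated_failures(SAMPLE_EVENTS))
```

The same filters translate directly into Kibana queries (for example `event_id:4624 AND event_data.LogonType:10`) once Winlogbeat is shipping the Security log.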