Parsing issue with Event ID 4740

LuKaaS · August 26, 2022, 3:26pm

Hello everybody,

We are facing a parsing issue with the Event ID 4740 (A user account was locked) with Winlogbeat.

Winlogbeat version : 8.2.3
Winlogbeat log :

{
    "ecs":
    {
        "version": "8.0.0"
    },
    "event":
    {
        "created": "2022-08-25T08:19:50.520Z",
        "original": "A user account was locked out.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tMy-DC-04$\n\tAccount Domain:\t\tXXX\n\tLogon ID:\t\t0x3E7\n\nAccount That Was Locked Out:\n\tSecurity ID:\t\tS-1-5-21-626379795-1024764227-3542870577-35828\n\tAccount Name:\t\tuser\n\nAdditional Information:\n\tCaller Computer Name:\tMy-DC-04",
        "code": "4740",
        "outcome": "success",
        "action": "User Account Management",
        "provider": "Microsoft-Windows-Security-Auditing",
        "kind": "event"
    },
    "winlog":
    {
        "channel": "Security",
        "process":
        {
            "pid": 684,
            "thread":
            {
                "id": 6068
            }
        },
        "api": "wineventlog",
        "provider_name": "Microsoft-Windows-Security-Auditing",
        "computer_name": "My-DC-04.xxx.domain.fr",
        "opcode": "Info",
        "task": "User Account Management",
        "record_id": 65443187,
        "event_id": "4740",
        "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
        "event_data":
        {
            "SubjectLogonId": "0x3e7",
            "SubjectDomainName": "XXX",
            "TargetUserName": "user",
            "TargetDomainName": "My-DC-04",
            "TargetSid": "S-1-5-21-626379795-1024764227-3542870577-35828",
            "SubjectUserName": "My-DC-04$",
            "SubjectUserSid": "S-1-5-18"
        },
        "keywords":
        [
            "Audit Success"
        ]
    },
    "@version": "1",
    "log":
    {
        "level": "information"
    },
    "host":
    {
        "name": "My-DC-04.xxx.domain.fr"
    },
    "tags":
    [
        "ad",
        "beats_input_codec_plain_applied",
        "beats_input_codec_json_lines_applied"
    ],
    "message": "A user account was locked out.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tMy-DC-04$\n\tAccount Domain:\t\tXXX\n\tLogon ID:\t\t0x3E7\n\nAccount That Was Locked Out:\n\tSecurity ID:\t\tS-1-5-21-626379795-1024764227-3542870577-35828\n\tAccount Name:\t\tuser\n\nAdditional Information:\n\tCaller Computer Name:\tMy-DC-04",
    "@timestamp": "2022-08-25T08:19:49.120Z",
    "agent":
    {
        "type": "winlogbeat",
        "version": "8.2.3",
        "ephemeral_id": "426aff3d-2949-4a0a-9257-b0bf22c83452",
        "name": "My-DC-04",
        "id": "5483cdf2-3445-45b6-a854-22432c0dc795"
    }
}

As you can see the field "TargetDomainName" has the value of the "Call Computer Name".
"TargetDomainName" should be "WorkstationName" if we are following the naming convention of others event ID.

Are aware of this issue ?

Have a good day,
Lucas A.

andrewkroh · August 26, 2022, 5:36pm

Could you please find this exact event with record ID 65443187 in the Windows Event Viewer and post the XML version of the event here for comparison.

Winlogbeat does control the format of the message or the names of the fields. That comes from Windows.

system · September 23, 2022, 7:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat data is not parsing properly Beats winlogbeat	9	1357	June 7, 2020
Winlogbeat winlog.event_data.AccessList process Beats winlogbeat	1	917	August 6, 2021
Winlogbeat user.name is missing in event 4634 (Logoff Event) - ECS Missing Correlation Beats winlogbeat	11	1530	September 3, 2019
Winlogbeat event id missing Beats winlogbeat	5	510	January 17, 2022
Not Logging Account Lockout (4740) Beats winlogbeat	3	1480	July 30, 2018

Parsing issue with Event ID 4740

Related topics