Hello everybody,
We are facing a parsing issue with the Event ID 4740 (A user account was locked) with Winlogbeat.
Winlogbeat version: 8.2.3
Winlogbeat log:
{
  "ecs":
  {
    "version": "8.0.0"
  },
  "event":
  {
    "created": "2022-08-25T08:19:50.520Z",
    "original": "A user account was locked out.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tMy-DC-04$\n\tAccount Domain:\t\tXXX\n\tLogon ID:\t\t0x3E7\n\nAccount That Was Locked Out:\n\tSecurity ID:\t\tS-1-5-21-626379795-1024764227-3542870577-35828\n\tAccount Name:\t\tuser\n\nAdditional Information:\n\tCaller Computer Name:\tMy-DC-04",
    "code": "4740",
    "outcome": "success",
    "action": "User Account Management",
    "provider": "Microsoft-Windows-Security-Auditing",
    "kind": "event"
  },
  "winlog":
  {
    "channel": "Security",
    "process":
    {
      "pid": 684,
      "thread":
      {
        "id": 6068
      }
    },
    "api": "wineventlog",
    "provider_name": "Microsoft-Windows-Security-Auditing",
    "computer_name": "My-DC-04.xxx.domain.fr",
    "opcode": "Info",
    "task": "User Account Management",
    "record_id": 65443187,
    "event_id": "4740",
    "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
    "event_data":
    {
      "SubjectLogonId": "0x3e7",
      "SubjectDomainName": "XXX",
      "TargetUserName": "user",
      "TargetDomainName": "My-DC-04",
      "TargetSid": "S-1-5-21-626379795-1024764227-3542870577-35828",
      "SubjectUserName": "My-DC-04$",
      "SubjectUserSid": "S-1-5-18"
    },
    "keywords":
    [
      "Audit Success"
    ]
  },
  "@version": "1",
  "log":
  {
    "level": "information"
  },
  "host":
  {
    "name": "My-DC-04.xxx.domain.fr"
  },
  "tags":
  [
    "ad",
    "beats_input_codec_plain_applied",
    "beats_input_codec_json_lines_applied"
  ],
  "message": "A user account was locked out.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tMy-DC-04$\n\tAccount Domain:\t\tXXX\n\tLogon ID:\t\t0x3E7\n\nAccount That Was Locked Out:\n\tSecurity ID:\t\tS-1-5-21-626379795-1024764227-3542870577-35828\n\tAccount Name:\t\tuser\n\nAdditional Information:\n\tCaller Computer Name:\tMy-DC-04",
  "@timestamp": "2022-08-25T08:19:49.120Z",
  "agent":
  {
    "type": "winlogbeat",
    "version": "8.2.3",
    "ephemeral_id": "426aff3d-2949-4a0a-9257-b0bf22c83452",
    "name": "My-DC-04",
    "id": "5483cdf2-3445-45b6-a854-22432c0dc795"
  }
}
As you can see, the field "TargetDomainName" has the value of the "Caller Computer Name".
"TargetDomainName" should be "WorkstationName" if we are following the naming convention of other event IDs.
Are you aware of this issue?
Have a good day,
Lucas A.
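The following script is an added example and is not part of the post above nor of Winlogbeat itself. It parses the rendered 4740 message text the post shows into its sections, then checks whether `winlog.event_data.TargetDomainName` carries the "Caller Computer Name" from the message, which is the mismatch the post describes. The sample event is constructed from the post's own log, trimmed to the fields the check needs; the field name `CallerComputerName` used when normalizing is a hypothetical choice, not a Winlogbeat or ECS field.

```python
import copy

# Constructed sample, trimmed from the Winlogbeat 8.2.3 event quoted in the post.
SAMPLE_EVENT = {
    "event": {"code": "4740"},
    "winlog": {
        "event_id": "4740",
        "event_data": {
            "SubjectLogonId": "0x3e7",
            "SubjectDomainName": "XXX",
            "TargetUserName": "user",
            "TargetDomainName": "My-DC-04",
            "TargetSid": "S-1-5-21-626379795-1024764227-3542870577-35828",
            "SubjectUserName": "My-DC-04$",
            "SubjectUserSid": "S-1-5-18",
        },
    },
    "message": (
        "A user account was locked out.\n\nSubject:\n"
        "\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tMy-DC-04$\n"
        "\tAccount Domain:\t\tXXX\n\tLogon ID:\t\t0x3E7\n\n"
        "Account That Was Locked Out:\n"
        "\tSecurity ID:\t\tS-1-5-21-626379795-1024764227-3542870577-35828\n"
        "\tAccount Name:\t\tuser\n\nAdditional Information:\n"
        "\tCaller Computer Name:\tMy-DC-04"
    ),
}


def parse_message(message: str) -> dict:
    """Parse the rendered Security-event text into {section: {label: value}}.

    Section headers are the unindented lines ("Subject:", "Additional
    Information:"); the tab-indented lines below each header are label/value
    pairs separated by the first colon.
    """
    sections = {}
    current = None
    for line in message.splitlines():
        if not line.strip():
            continue
        if not line.startswith("\t"):
            current = line.rstrip(":").strip()
            sections.setdefault(current, {})
            continue
        label, _, value = line.strip().partition(":")
        sections[current][label.strip()] = value.strip()
    return sections


def check_caller_field(event: dict) -> dict:
    """Compare the message's Caller Computer Name with event_data fields."""
    parsed = parse_message(event["message"])
    caller = parsed.get("Additional Information", {}).get("Caller Computer Name")
    data = event["winlog"]["event_data"]
    return {
        "caller_computer_name": caller,
        "target_domain_name": data.get("TargetDomainName"),
        # True when the caller host has been stored under TargetDomainName,
        # the behaviour the post reports for event 4740.
        "caller_stored_in_target_domain_name": caller is not None
        and data.get("TargetDomainName") == caller,
    }


def normalize_4740(event: dict) -> dict:
    """Return a copy with the caller host under a dedicated field.

    The field name CallerComputerName is a hypothetical choice for this
    example; the original TargetDomainName value is left untouched so the
    event still matches what Winlogbeat produced.
    """
    out = copy.deepcopy(event)
    if str(out["winlog"].get("event_id")) != "4740":
        return out
    result = check_caller_field(out)
    if result["caller_computer_name"] is not None:
        out["winlog"]["event_data"]["CallerComputerName"] = result["caller_computer_name"]
    return out


if __name__ == "__main__":
    print(check_caller_field(SAMPLE_EVENT))
    print(normalize_4740(SAMPLE_EVENT)["winlog"]["event_data"]["CallerComputerName"])
```

Running the check over a stream of 4740 events before they reach an alerting rule makes the mismatch visible as data rather than as a surprise in a dashboard: `caller_stored_in_target_domain_name` being true on every event confirms the behaviour, and the normalized copy lets lockout-source searches use one stable field regardless of how the beat version mapped it.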