Parsing issue with Event ID 4740

Hello everybody,

We are facing a parsing issue with the Event ID 4740 (A user account was locked) with Winlogbeat.

Winlogbeat version: 8.2.3
Winlogbeat log:

{
    "ecs":
    {
        "version": "8.0.0"
    },
    "event":
    {
        "created": "2022-08-25T08:19:50.520Z",
        "original": "A user account was locked out.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tMy-DC-04$\n\tAccount Domain:\t\tXXX\n\tLogon ID:\t\t0x3E7\n\nAccount That Was Locked Out:\n\tSecurity ID:\t\tS-1-5-21-626379795-1024764227-3542870577-35828\n\tAccount Name:\t\tuser\n\nAdditional Information:\n\tCaller Computer Name:\tMy-DC-04",
        "code": "4740",
        "outcome": "success",
        "action": "User Account Management",
        "provider": "Microsoft-Windows-Security-Auditing",
        "kind": "event"
    },
    "winlog":
    {
        "channel": "Security",
        "process":
        {
            "pid": 684,
            "thread":
            {
                "id": 6068
            }
        },
        "api": "wineventlog",
        "provider_name": "Microsoft-Windows-Security-Auditing",
        "computer_name": "My-DC-04.xxx.domain.fr",
        "opcode": "Info",
        "task": "User Account Management",
        "record_id": 65443187,
        "event_id": "4740",
        "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
        "event_data":
        {
            "SubjectLogonId": "0x3e7",
            "SubjectDomainName": "XXX",
            "TargetUserName": "user",
            "TargetDomainName": "My-DC-04",
            "TargetSid": "S-1-5-21-626379795-1024764227-3542870577-35828",
            "SubjectUserName": "My-DC-04$",
            "SubjectUserSid": "S-1-5-18"
        },
        "keywords":
        [
            "Audit Success"
        ]
    },
    "@version": "1",
    "log":
    {
        "level": "information"
    },
    "host":
    {
        "name": "My-DC-04.xxx.domain.fr"
    },
    "tags":
    [
        "ad",
        "beats_input_codec_plain_applied",
        "beats_input_codec_json_lines_applied"
    ],
    "message": "A user account was locked out.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tMy-DC-04$\n\tAccount Domain:\t\tXXX\n\tLogon ID:\t\t0x3E7\n\nAccount That Was Locked Out:\n\tSecurity ID:\t\tS-1-5-21-626379795-1024764227-3542870577-35828\n\tAccount Name:\t\tuser\n\nAdditional Information:\n\tCaller Computer Name:\tMy-DC-04",
    "@timestamp": "2022-08-25T08:19:49.120Z",
    "agent":
    {
        "type": "winlogbeat",
        "version": "8.2.3",
        "ephemeral_id": "426aff3d-2949-4a0a-9257-b0bf22c83452",
        "name": "My-DC-04",
        "id": "5483cdf2-3445-45b6-a854-22432c0dc795"
    }
}

As you can see, the field "TargetDomainName" has the value of the "Caller Computer Name".
"TargetDomainName" should be "WorkstationName" if we follow the naming convention of other event IDs.

Are you aware of this issue?

Have a good day,
Lucas A.

Could you please find this exact event with record ID 65443187 in the Windows Event Viewer and post the XML version of the event here for comparison.

Winlogbeat does not control the format of the message or the names of the fields. That comes from Windows.
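Added example, not code from this thread or from Winlogbeat: a small Python normalizer for the 4740 document quoted above. It parses the rendered message text, checks that winlog.event_data.TargetDomainName carries the same value as the rendered "Caller Computer Name", and re-labels it under an assumed field name (caller_computer_name) so that downstream detection rules do not treat that value as a domain. The sample document is constructed from the thread's own event; the same renaming could be done in a Logstash mutate or an ingest pipeline.

```python
# Constructed from the Winlogbeat document quoted in the thread; only the
# fields this example needs are kept.
SAMPLE_4740 = {
    "event": {
        "code": "4740",
        "original": ("A user account was locked out.\n\nSubject:\n"
                     "\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tMy-DC-04$\n"
                     "\tAccount Domain:\t\tXXX\n\tLogon ID:\t\t0x3E7\n\n"
                     "Account That Was Locked Out:\n"
                     "\tSecurity ID:\t\tS-1-5-21-626379795-1024764227-3542870577-35828\n"
                     "\tAccount Name:\t\tuser\n\nAdditional Information:\n"
                     "\tCaller Computer Name:\tMy-DC-04"),
    },
    "winlog": {
        "event_id": "4740",
        "event_data": {
            "SubjectLogonId": "0x3e7", "SubjectDomainName": "XXX",
            "SubjectUserName": "My-DC-04$", "SubjectUserSid": "S-1-5-18",
            "TargetUserName": "user", "TargetDomainName": "My-DC-04",
            "TargetSid": "S-1-5-21-626379795-1024764227-3542870577-35828",
        },
    },
}

def parse_rendered_message(text):
    """Parse the rendered 'Section:' / tab-indented 'Key:<tabs>Value' layout
    into {section: {key: value}}; the leading description line is skipped."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("\t") and current is not None:
            key, _, value = line.strip().partition(":")
            sections.setdefault(current, {})[key.strip()] = value.strip()
        elif line.endswith(":"):
            current = line[:-1]
    return sections

def normalize_4740(doc):
    """Flatten a 4740 event. Windows fills this event's TargetDomainName
    parameter with the caller computer name, so the value is cross-checked
    against the rendered text and re-labelled (assumed name caller_computer_name)."""
    if doc["winlog"]["event_id"] != "4740":
        raise ValueError("not a 4740 event")
    data = doc["winlog"]["event_data"]
    rendered = parse_rendered_message(doc["event"]["original"])
    caller = rendered["Additional Information"]["Caller Computer Name"]
    if data["TargetDomainName"] != caller:
        raise ValueError("TargetDomainName differs from rendered Caller Computer Name")
    return {"event_code": doc["event"]["code"], "target_user_name": data["TargetUserName"],
            "target_sid": data["TargetSid"], "subject_user_name": data["SubjectUserName"],
            "caller_computer_name": caller}  # renamed from TargetDomainName
```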
