Security / Hosts / User Authentications empty

Hi,
I installed Elasticsearch 7.9.3 a few days ago on a server and then Winlogbeat on 4 other servers.

In the User Authentications section, it displays 0 from the beginning, regardless of the chosen time frame.

When I check the request, there is a criterion about an event category:

    "bool": {
      "filter": [
        {
          "term": {
            "event.category": "authentication"
          }
        }
      ]
    }

When I check my Winlogbeat index, this category does not exist.

But for a failed logon, I can see something:

    {
      "_index": "winlogbeat-7.9.3-2020.10.23-000001",
      "_type": "_doc",
      "_id": "P8zzdHUBts8hyrUiJdEJ",
      "_version": 1,
      "_score": null,
      "_source": {
        "agent": {
          "hostname": "S15",
          "name": "S15",
          "id": "c322b040-56eb-4bda-a8ee-ef683d50516c",
          "type": "winlogbeat",
          "ephemeral_id": "fc8a4d86-8c70-4b66-860a-8c7937ee02f0",
          "version": "7.9.3"
        },
        "winlog": {
          "computer_name": "S15",
          "process": {
            "pid": 600,
            "thread": {
              "id": 5108
            }
          },
          "keywords": [
            "Audit Failure"
          ],
          "channel": "Security",
          "event_data": {
            "Status": "0xc000006d",
            "ProcessName": "-",
            "LogonType": "3",
            "IpPort": "0",
            "TransmittedServices": "-",
            "SubjectLogonId": "0x0",
            "LmPackageName": "-",
            "KeyLength": "0",
            "SubjectUserName": "-",
            "WorkstationName": "BDT-10",
            "FailureReason": "%%2313",
            "IpAddress": "10.20.4.120",
            "SubjectDomainName": "-",
            "ProcessId": "0x0",
            "TargetUserName": "BDT",
            "SubStatus": "0xc000006a",
            "TargetDomainName": "domain_name",
            "LogonProcessName": "NtLmSsp ",
            "SubjectUserSid": "S-1-0-0",
            "AuthenticationPackageName": "NTLM",
            "TargetUserSid": "S-1-0-0"
          },
          "opcode": "Info",
          "record_id": 11335712,
          "event_id": 4625,
          "task": "Logon",
          "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
          "activity_id": "{4419FA9B-AC61-0001-B3FA-194461ACD601}",
          "api": "wineventlog",
          "provider_name": "Microsoft-Windows-Security-Auditing"
        },
        "log": {
          "level": "information"
        },
        "message": "An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tBDT\n\tAccount Domain:\t\tdomain_name\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC000006A\n\nProcess Information:\n\tCaller Process ID:\t0x0\n\tCaller Process Name:\t-\n\nNetwork Information:\n\tWorkstation Name:\tBDT-10\n\tSource Network Address:\t10.20.4.120\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
        "@timestamp": "2020-10-29T15:21:30.994Z",
        "ecs": {
          "version": "1.5.0"
        },
        "host": {
          "hostname": "S15",
          "os": {
            "build": "14393.3986",
            "kernel": "10.0.14393.3986 (rs1_release.201002-1707)",
            "name": "Windows Server 2016 Standard",
            "family": "windows",
            "version": "10.0",
            "platform": "windows"
          },
          "ip": [
            "192.168.22.111",
            "fe80::5efe:c0a8:166f"
          ],
          "name": "S15",
          "id": "7057a7ed-154e-44bf-a6dd-05655fae0e4b",
          "mac": [
            "00:50:56:9d:87:2a",
            "00:00:00:00:00:00:00:e0"
          ],
          "architecture": "x86_64"
        },
        "event": {
          "code": 4625,
          "provider": "Microsoft-Windows-Security-Auditing",
          "created": "2020-10-29T15:21:32.195Z",
          "kind": "event",
          "action": "Logon",
          "outcome": "failure"
        }
      },
      "fields": {
        "@timestamp": [
          "2020-10-29T15:21:30.994Z"
        ],
        "event.created": [
          "2020-10-29T15:21:32.195Z"
        ]
      },
      "highlight": {
        "message": [
          "Subject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t@kibana-highlighted-field@BDT@/kibana-highlighted-field@\n\tAccount Domain:\t\tdomain_name\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC000006A\n\nProcess Information:\n\tCaller Process ID:\t0x0\n\tCaller Process Name:\t-\n\nNetwork Information:\n\tWorkstation Name:\t@kibana-highlighted-field@BDT@/kibana-highlighted-field@-10\n\tSource Network Address:\t10.20.4.120\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
        ],
        "agent.hostname": [
          "@kibana-highlighted-field@S15@/kibana-highlighted-field@"
        ]
      },
      "sort": [
        1603984890994
      ]
    }

What did I do wrong?

Thanks for your help.

Hi @BenjaminD. It looks like you are missing a few properties from the event, so the module is probably not configured: https://www.elastic.co/guide/en/beats/winlogbeat/7.x/winlogbeat-module-security.html#_configuration_2

This is part of the default config file that you get when you download winlogbeat (the non-OSS version). Could you please make sure that this is included in your config?

Thanks!

Hi @stephmilovic.
Thanks for your help.
I checked my agents configuration files.
2 out of 4 had the processor part commented out (because I tried to see if things were different).
The comments were removed, the services restarted and the index pattern was refreshed.
I logged off and on many times but still nothing.
On the Hosts page the Authentications tab shows only one user, SYSTEM. No sign of my personal user.

Thanks @BenjaminD. Could you please query your index for event.module: security to verify that you made the requested changes. If you did then event.code: 4625 (An account failed to log on) will have the event.category of authentication in them.
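As an added, self-contained check (not code from the thread or from Elastic), the following Python script applies the diagnostic above to documents exported from the index: for each logon event it reports whether the security module's enrichment (event.module, event.category, event.outcome) is present. The constructed samples are a stripped-down copy of the 4625 document posted earlier and an enriched 4624 as the module would emit it; the 4624/4625 mapping is an assumption limited to those two event IDs.

```python
# Added diagnostic for Winlogbeat security-module enrichment (example code,
# not from the thread). Run it over documents dumped from the winlogbeat-* index.

# Fields the Security app's User Authentications query relies on: the thread
# shows it filters on event.category == "authentication", which is set by the
# security module's processor together with event.module and event.outcome.
REQUIRED = {"event.module": "security", "event.category": "authentication"}

# Assumption: the module classifies these two Windows logon events as
# authentication events (4624 = successful logon, 4625 = failed logon).
LOGON_EVENT_IDS = {4624: "success", 4625: "failure"}


def get_path(doc, dotted):
    """Return the value at a dotted ECS path, or None if any key is absent."""
    cur = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def audit_document(doc):
    """List the problems that would hide this logon event from the Security
    app's authentication views; an empty list means the event is enriched."""
    src = doc.get("_source", doc)
    code = get_path(src, "winlog.event_id")
    if code not in LOGON_EVENT_IDS:
        return []  # not a logon event; nothing to check
    problems = []
    for path, expected in REQUIRED.items():
        value = get_path(src, path)
        # ECS allows event.category to be a single string or an array
        values = value if isinstance(value, list) else [value]
        if expected not in values:
            problems.append(f"{path} is {value!r}, expected {expected!r}")
    if get_path(src, "event.outcome") != LOGON_EVENT_IDS[code]:
        problems.append("event.outcome does not match the event code")
    return problems


def audit_index(docs):
    """Map each document _id (or its position) to its list of problems."""
    return {doc.get("_id", str(i)): audit_document(doc) for i, doc in enumerate(docs)}


# Constructed samples: unenriched 4625 (as posted) and an enriched 4624.
UNENRICHED_4625 = {"_id": "P8zzdHUBts8hyrUiJdEJ", "_source": {
    "winlog": {"event_id": 4625}, "event": {"code": 4625, "outcome": "failure"}}}
ENRICHED_4624 = {"_id": "sample-4624", "_source": {
    "winlog": {"event_id": 4624}, "event": {"code": 4624, "module": "security",
                                             "category": ["authentication"],
                                             "outcome": "success"}}}

if __name__ == "__main__":
    for doc_id, problems in audit_index([UNENRICHED_4625, ENRICHED_4624]).items():
        print(doc_id, problems or "OK")
```

Documents that come back with an empty problem list should appear under Hosts / Authentications; any that report a missing event.module or event.category were ingested without the security module processor.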

Hi,
After restarting the server and hosts, I now can see logon failures. But not successes...

And I am sure there are successes!

I queried my index for the security module and 4625 code.

There are some documents.

From the Hosts page, if I click on the "Authentications" tab, there are some failures.

But if I try to add the "Failures" column to a timeline, this timeline contains nothing, while it shows 20 failures on the selected time range.

Is that normal?

Thanks

Looks interesting. I change my domain too.
