Windows User managment events - Events 4720-4722-4723-4724-4725-4726-4738-4740-4767

Hi,
@andrewkroh I've been working with user management-related events

In order to identify all the operations related to user creation/deletion and other user-account changes, I've made some modification to the winlogbeat-security.js process this events.

Event Description
4720 A user account was created
4722 A user account was enabled
4723 An attempt was made to change an account's password
4724 An attempt was made to reset an account's password
4725 An user account was disabled
4726 An user account was deleted
4738 An user account was changed
4740 An user account was locked out
4767 An account was unlocked
4781 The name of an account was changed

All the events can be managed using a common processor

var userMgmt = new processor.Chain()
    .Add(copyTargetUser)
    .Add(copyLogonIDSubjectUser) (**)
    .Add(setProcessNameUsingExe)
    .Add(renameCommonAuthFields)
    .Add(addActionCode) (***)
    .Build();

....

		// 4720 - A user account was created
		4720: userMgmt.Run,    				
		// 4722 - A user account was created
		4722: userMgmt.Run,    				
		// 4724 - A user account was created
		4723: userMgmt.Run,    				
		// 4724 - A user account was created
		4724: userMgmt.Run,    				
		// 4725 - A user account was disabled.
		4725: userMgmt.Run,    				
		// 4726 - An user account was deleted.
		4726: userMgmt.Run,    				
		// 4738 - An user account was changed.
		4738: userMgmt.Run,
		 // 4740 - An account was locked out
		4740: userMgmt.Run,		
		// 4767 - A user account was unlocked.
		4767: userMgmt.Run,

When will be the code of https://github.com/elastic/beats/pull/12975 available in official release winlogbeat? Once it is available I can put a pull request with this changes

(**) I used a different approach to populate the winlog.logon.id because of Winlogbeat New ECS Fields and security module questions
(cases where both Subject and Target logonID exists )

Also, when building a dashboards with this events I found that It would be useful to have a "short description" of the event and I looked into the event.action. From the ECS documentation

event.action The action captured by the event.

This describes the information in the event. It is more specific than event.category . Examples are group-add , process-started , file-created

event.category

This contains high-level information about the contents of the event. It is more generic than event.action , in the sense that typically a category contains multiple actions

In this case of user management I found event.action quite nonspecific. Same event.action for the diferent events

Where the event.action is populated? Should in this case have the event.action more specific information ?
Temporary I have added the winlog.event.action in order to have more specific information about the event (***)

var eventActionTypes = {
    "4720": "Account Created",
    "4722": "Account Enabled",
    "4723": "Password Change Attempt",
    "4724": "Password Changed",
    "4725": "Account Disabled",
    "4726": "Account Deleted",
    "4738": "Account Changed",
    "4740": "Account Locked Out",
    "4767": "Account Unlocked",
    "4781": "Account Renamed"

};

.....
var addActionCode = function(evt){
var code = evt.Get("event.code");
if (!code) {
return;
}
var eventActionDescription=eventActionTypes[code];
evt.Put("winlog.event.action",eventActionDescription)
}

Any feedback will be appreciated
Regards
Ana

This is great!

It will be released in 7.4 (probably mid to late Sept), but you don't need to wait for a release to open a pull request. The code is all in the master branch so you can make modifications from that branch.

Regarding event.category and event.action for these user management events, I think having detailed action value would be useful (maybe something like user-created, user-enabled, etc). For the category I can get back to you, or just open a PR and we can get feedback from the folks working on ECS. We recently were discussing what the first set of event.category values would be.

And if you want to get a copy of a package built from the master branch you can get it from: https://beats-ci.elastic.co/job/elastic+beats+master+multijob-package-linux/lastSuccessfulBuild/gcsObjects/

Those get built after changes are made to the master branch.

Great. I'll prepare the PR and I'll let you know.
Yes, I agree with you that the event.action is useful... For example to show more in a more descriptive way the operations over one user

Shall I complete the event action in the winlogbeat-security.js?
Thank you
Regards

Perfect! Thank you