Windows User managment events - Events 4720-4722-4723-4724-4725-4726-4738-4740-4767

Anabella_Cristaldi · August 12, 2019, 2:45pm

Hi,
@andrewkroh I've been working with user management-related events

In order to identify all the operations related to user creation/deletion and other user-account changes, I've made some modification to the winlogbeat-security.js process this events.

Event	Description
4720	A user account was created
4722	A user account was enabled
4723	An attempt was made to change an account's password
4724	An attempt was made to reset an account's password
4725	An user account was disabled
4726	An user account was deleted
4738	An user account was changed
4740	An user account was locked out
4767	An account was unlocked
4781	The name of an account was changed

All the events can be managed using a common processor

var userMgmt = new processor.Chain()
    .Add(copyTargetUser)
    .Add(copyLogonIDSubjectUser) (**)
    .Add(setProcessNameUsingExe)
    .Add(renameCommonAuthFields)
    .Add(addActionCode) (***)
    .Build();

....

		// 4720 - A user account was created
		4720: userMgmt.Run,    				
		// 4722 - A user account was created
		4722: userMgmt.Run,    				
		// 4724 - A user account was created
		4723: userMgmt.Run,    				
		// 4724 - A user account was created
		4724: userMgmt.Run,    				
		// 4725 - A user account was disabled.
		4725: userMgmt.Run,    				
		// 4726 - An user account was deleted.
		4726: userMgmt.Run,    				
		// 4738 - An user account was changed.
		4738: userMgmt.Run,
		 // 4740 - An account was locked out
		4740: userMgmt.Run,		
		// 4767 - A user account was unlocked.
		4767: userMgmt.Run,

When will be the code of https://github.com/elastic/beats/pull/12975 available in official release winlogbeat? Once it is available I can put a pull request with this changes

(**) I used a different approach to populate the winlog.logon.id because of Winlogbeat New ECS Fields and security module questions
(cases where both Subject and Target logonID exists )

Also, when building a dashboards with this events I found that It would be useful to have a "short description" of the event and I looked into the event.action. From the ECS documentation

event.action The action captured by the event.

This describes the information in the event. It is more specific than event.category . Examples are group-add , process-started , file-created

event.category

This contains high-level information about the contents of the event. It is more generic than event.action , in the sense that typically a category contains multiple actions

In this case of user management I found event.action quite nonspecific. Same event.action for the diferent events

Where the event.action is populated? Should in this case have the event.action more specific information ?
Temporary I have added the winlog.event.action in order to have more specific information about the event (***)

var eventActionTypes = {
    "4720": "Account Created",
    "4722": "Account Enabled",
    "4723": "Password Change Attempt",
    "4724": "Password Changed",
    "4725": "Account Disabled",
    "4726": "Account Deleted",
    "4738": "Account Changed",
    "4740": "Account Locked Out",
    "4767": "Account Unlocked",
    "4781": "Account Renamed"

};

.....
var addActionCode = function(evt){
var code = evt.Get("event.code");
if (!code) {
return;
}
var eventActionDescription=eventActionTypes[code];
evt.Put("winlog.event.action",eventActionDescription)
}

Any feedback will be appreciated
Regards
Ana

andrewkroh · August 13, 2019, 3:12pm

This is great!

It will be released in 7.4 (probably mid to late Sept), but you don't need to wait for a release to open a pull request. The code is all in the master branch so you can make modifications from that branch.

Regarding event.category and event.action for these user management events, I think having detailed action value would be useful (maybe something like user-created, user-enabled, etc). For the category I can get back to you, or just open a PR and we can get feedback from the folks working on ECS. We recently were discussing what the first set of event.category values would be.

andrewkroh · August 13, 2019, 3:21pm

And if you want to get a copy of a package built from the master branch you can get it from: https://beats-ci.elastic.co/job/elastic+beats+master+multijob-package-linux/lastSuccessfulBuild/gcsObjects/

Those get built after changes are made to the master branch.

Anabella_Cristaldi · August 13, 2019, 3:29pm

Great. I'll prepare the PR and I'll let you know.
Yes, I agree with you that the event.action is useful... For example to show more in a more descriptive way the operations over one user

Shall I complete the event action in the winlogbeat-security.js?
Thank you
Regards

Anabella_Cristaldi · August 13, 2019, 3:30pm

Perfect! Thank you

Anabella_Cristaldi · September 6, 2019, 2:51pm

@andrewkroh

system · October 4, 2019, 2:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Windows User managment events - problem Beats winlogbeat	1	571	October 20, 2019
Winlogbeat user.name is missing in event 4634 (Logoff Event) - ECS Missing Correlation Beats winlogbeat	11	1531	September 3, 2019
Parsing issue with Event ID 4740 Beats winlogbeat	2	602	September 23, 2022
Winlogbeat event.action for 4648 Beats winlogbeat	3	548	May 21, 2020
Account name not showing in windows event_id 4732 Beats winlogbeat	6	3672	February 13, 2020

Windows User managment events - Events 4720-4722-4723-4724-4725-4726-4738-4740-4767

Related topics