Hi,
@andrewkroh I've been working with user management-related events
In order to identify all the operations related to user creation/deletion and other user-account changes, I've made some modification to the winlogbeat-security.js process this events.
| Event | Description |
|---|---|
| 4720 | A user account was created |
| 4722 | A user account was enabled |
| 4723 | An attempt was made to change an account's password |
| 4724 | An attempt was made to reset an account's password |
| 4725 | An user account was disabled |
| 4726 | An user account was deleted |
| 4738 | An user account was changed |
| 4740 | An user account was locked out |
| 4767 | An account was unlocked |
| 4781 | The name of an account was changed |
All the events can be managed using a common processor
var userMgmt = new processor.Chain()
.Add(copyTargetUser)
.Add(copyLogonIDSubjectUser) (**)
.Add(setProcessNameUsingExe)
.Add(renameCommonAuthFields)
.Add(addActionCode) (***)
.Build();
....
// 4720 - A user account was created
4720: userMgmt.Run,
// 4722 - A user account was created
4722: userMgmt.Run,
// 4724 - A user account was created
4723: userMgmt.Run,
// 4724 - A user account was created
4724: userMgmt.Run,
// 4725 - A user account was disabled.
4725: userMgmt.Run,
// 4726 - An user account was deleted.
4726: userMgmt.Run,
// 4738 - An user account was changed.
4738: userMgmt.Run,
// 4740 - An account was locked out
4740: userMgmt.Run,
// 4767 - A user account was unlocked.
4767: userMgmt.Run,
When will be the code of https://github.com/elastic/beats/pull/12975 available in official release winlogbeat? Once it is available I can put a pull request with this changes
(**) I used a different approach to populate the winlog.logon.id because of Winlogbeat New ECS Fields and security module questions
(cases where both Subject and Target logonID exists )
Also, when building a dashboards with this events I found that It would be useful to have a "short description" of the event and I looked into the event.action. From the ECS documentation
event.action The action captured by the event.
This describes the information in the event. It is more specific than event.category . Examples are group-add , process-started , file-created
event.category
This contains high-level information about the contents of the event. It is more generic than event.action , in the sense that typically a category contains multiple actions
In this case of user management I found event.action quite nonspecific. Same event.action for the diferent events
Where the event.action is populated? Should in this case have the event.action more specific information ?
Temporary I have added the winlog.event.action in order to have more specific information about the event (***)
var eventActionTypes = {
"4720": "Account Created",
"4722": "Account Enabled",
"4723": "Password Change Attempt",
"4724": "Password Changed",
"4725": "Account Disabled",
"4726": "Account Deleted",
"4738": "Account Changed",
"4740": "Account Locked Out",
"4767": "Account Unlocked",
"4781": "Account Renamed"
};
.....
var addActionCode = function(evt){
var code = evt.Get("event.code");
if (!code) {
return;
}
var eventActionDescription=eventActionTypes[code];
evt.Put("winlog.event.action",eventActionDescription)
}
Any feedback will be appreciated
Regards
Ana
