Winlogbeat event.action for 4648

willemdh · April 14, 2020, 1:10pm

Hello,

Using the Winlogbeat 'security ' module I noticed event.code 4648 does not (yet) have an event.action defined:

var eventActionTypes = {
    "4624": "logged-in",
    "4625": "logon-failed",
    "4634": "logged-out",
    "4672": "logged-in-special",
    "4688": "created-process",
    "4689": "exited-process",

4624, 4625 and 4648

* 4624 - An account was successfully logged on.
* 4625 - An account failed to log on.
* 4648 - A logon was attempted using explicit credentials.

The result is that the 4648 events have 'Logon' as event.action.
The resulting histogram for event.action for logon events ooks like this:

So what event.action should a 4648 get?

special-logon-attempt ?

Grtz

Willem

MarianaD · April 22, 2020, 2:19pm

hi @willemdh, maybe explicit-logon-attempt?
Also, feel free to add an enhancement issue/PR in the beats repo for a follow up.

willemdh · April 23, 2020, 8:54am

github.com/elastic/beats

[Winlogbeat] event.action missing for event.code 4648

opened 08:54AM - 23 Apr 20 UTC

closed 12:30PM - 02 Apr 22 UTC

willemdh

enhancement Winlogbeat Team:Security-External Integrations

- Version: 7.6.1 - Operating System: Windows 2016 Server - Discuss Forum URL:h…ttps://discuss.elastic.co/t/winlogbeat-event-action-for-4648/227919 Using the Winlogbeat 'security ' module I noticed event.code 4648 does not (yet) have an event.action defined: ``` var eventActionTypes = { "4624": "logged-in", "4625": "logon-failed", "4634": "logged-out", "4672": "logged-in-special", "4688": "created-process", "4689": "exited-process", ``` 4624, 4625 and 4648 ``` * 4624 - An account was successfully logged on. * 4625 - An account failed to log on. * 4648 - A logon was attempted using explicit credentials. ``` The result is that the 4648 events have 'Logon' as event.action. The resulting histogram for `event.action` for logon events ooks like this: ![image](https://user-images.githubusercontent.com/6462991/80079528-b5ab4600-8550-11ea-829c-481fe7e41c00.png) event.action should be something like `explicit-logon-attempt`

system · May 21, 2020, 8:54am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat user.name is missing in event 4634 (Logoff Event) - ECS Missing Correlation Beats winlogbeat	11	1531	September 3, 2019
Adding to security module the parse of event.id equals to 4663 Beats winlogbeat	3	1028	June 5, 2020
Windows User managment events - problem Beats winlogbeat	1	571	October 20, 2019
Parsing issue with Event ID 4740 Beats winlogbeat	2	602	September 23, 2022
Failed Logins SIEM	4	2391	August 14, 2019

Winlogbeat event.action for 4648

Related topics