Skip to content

Commit

Permalink
Add Kerberos Events - Other Logon Events - ECS event Categories and T…
Browse files Browse the repository at this point in the history
…ypes (#17517)

Add support for event IDs 4673, 4674, 4697, 4698, 4699, 4700, 4701, 4702, 4768, 4769, 4770, 4771, 4776, 4778, 4779, 4964 to the Winlogbeat Security module.

Co-authored-by: Lee E. Hinman <lee.e.hinman@elastic.co>
  • Loading branch information
janniten and leehinman authored May 4, 2020
1 parent 2e4c7c3 commit 955bc46
Show file tree
Hide file tree
Showing 92 changed files with 2,386 additions and 344 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -376,6 +376,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d

- Add more DNS error codes to the Sysmon module. {issue}15685[15685]
- Add experimental event log reader implementation that should be faster in most cases. {issue}6585[6585] {pull}16849[16849]
- Add support for event IDs 4673,4674,4697,4698,4699,4700,4701,4702,4768,4769,4770,4771,4776,4778,4779,4964 to the Security module {pull}17517[17517]

==== Deprecated

Expand Down
42 changes: 41 additions & 1 deletion winlogbeat/docs/modules/security.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -19,8 +19,16 @@ The module has transformations for the following event IDs:
* 4647 - User initiated logoff (interactive logon types).
* 4648 - A logon was attempted using explicit credentials.
* 4672 - Special privileges assigned to new logon.
* 4673 - A privileged service was called.
* 4674 - An operation was attempted on a privileged object.
* 4688 - A new process has been created.
* 4689 - A process has exited.
* 4697 - A service was installed in the system.
* 4698 - A scheduled task was created.
* 4699 - A scheduled task was deleted.
* 4700 - A scheduled task was enabled.
* 4701 - A scheduled task was disabled.
* 4702 - A scheduled task was updated.
* 4719 - System audit policy was changed.
* 4720 - A user account was created.
* 4722 - A user account was enabled.
Expand All @@ -32,7 +40,7 @@ The module has transformations for the following event IDs:
* 4728 - A member was added to a security-enabled global group.
* 4729 - A member was removed from a security-enabled global group.
* 4730 - A security-enabled global group was deleted.
* 4731 - A security-enabled local group was created
* 4731 - A security-enabled local group was created.
* 4732 - A member was added to a security-enabled local group.
* 4733 - A member was removed from a security-enabled local group.
* 4734 - A security-enabled local group was deleted.
Expand Down Expand Up @@ -65,9 +73,41 @@ The module has transformations for the following event IDs:
* 4763 - A security-disabled global group was deleted.
* 4764 - A group's type was changed.
* 4767 - An account was unlocked.
* 4741 - A computer account was created.
* 4742 - A computer account was changed.
* 4743 - A computer account was deleted.
* 4744 - A security-disabled local group was created.
* 4745 - A security-disabled local group was changed.
* 4746 - A member was added to a security-disabled local group.
* 4747 - A member was removed from a security-disabled local group.
* 4748 - A security-disabled local group was deleted.
* 4749 - A security-disabled global group was created.
* 4750 - A security-disabled global group was changed.
* 4751 - A member was added to a security-disabled global group.
* 4752 - A member was removed from a security-disabled global group.
* 4753 - A security-disabled global group was deleted.
* 4754 - A security-enabled universal group was created.
* 4755 - A security-enabled universal group was changed.
* 4756 - A member was added to a security-enabled universal group.
* 4757 - A member was removed from a security-enabled universal group.
* 4758 - A security-enabled universal group was deleted.
* 4759 - A security-disabled universal group was created.
* 4760 - A security-disabled universal group was changed.
* 4761 - A member was added to a security-disabled universal group.
* 4762 - A member was removed from a security-disabled universal group.
* 4763 - A security-disabled global group was deleted.
* 4764 - A group's type was changed.
* 4768 - A Kerberos authentication ticket TGT was requested.
* 4769 - A Kerberos service ticket was requested.
* 4770 - A Kerberos service ticket was renewed.
* 4771 - Kerberos pre-authentication failed.
* 4776 - The computer attempted to validate the credentials for an account.
* 4778 - A session was reconnected to a Window Station.
* 4779 - A session was disconnected from a Window Station.
* 4781 - The name of an account was changed.
* 4798 - A user's local group membership was enumerated.
* 4799 - A security-enabled local group membership was enumerated.
* 4964 - Special groups have been assigned to a new logon.

More event IDs will be added.

Expand Down
42 changes: 41 additions & 1 deletion x-pack/winlogbeat/module/security/_meta/docs.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -19,8 +19,16 @@ The module has transformations for the following event IDs:
* 4647 - User initiated logoff (interactive logon types).
* 4648 - A logon was attempted using explicit credentials.
* 4672 - Special privileges assigned to new logon.
* 4673 - A privileged service was called.
* 4674 - An operation was attempted on a privileged object.
* 4688 - A new process has been created.
* 4689 - A process has exited.
* 4697 - A service was installed in the system.
* 4698 - A scheduled task was created.
* 4699 - A scheduled task was deleted.
* 4700 - A scheduled task was enabled.
* 4701 - A scheduled task was disabled.
* 4702 - A scheduled task was updated.
* 4719 - System audit policy was changed.
* 4720 - A user account was created.
* 4722 - A user account was enabled.
Expand All @@ -32,7 +40,7 @@ The module has transformations for the following event IDs:
* 4728 - A member was added to a security-enabled global group.
* 4729 - A member was removed from a security-enabled global group.
* 4730 - A security-enabled global group was deleted.
* 4731 - A security-enabled local group was created
* 4731 - A security-enabled local group was created.
* 4732 - A member was added to a security-enabled local group.
* 4733 - A member was removed from a security-enabled local group.
* 4734 - A security-enabled local group was deleted.
Expand Down Expand Up @@ -65,9 +73,41 @@ The module has transformations for the following event IDs:
* 4763 - A security-disabled global group was deleted.
* 4764 - A group's type was changed.
* 4767 - An account was unlocked.
* 4741 - A computer account was created.
* 4742 - A computer account was changed.
* 4743 - A computer account was deleted.
* 4744 - A security-disabled local group was created.
* 4745 - A security-disabled local group was changed.
* 4746 - A member was added to a security-disabled local group.
* 4747 - A member was removed from a security-disabled local group.
* 4748 - A security-disabled local group was deleted.
* 4749 - A security-disabled global group was created.
* 4750 - A security-disabled global group was changed.
* 4751 - A member was added to a security-disabled global group.
* 4752 - A member was removed from a security-disabled global group.
* 4753 - A security-disabled global group was deleted.
* 4754 - A security-enabled universal group was created.
* 4755 - A security-enabled universal group was changed.
* 4756 - A member was added to a security-enabled universal group.
* 4757 - A member was removed from a security-enabled universal group.
* 4758 - A security-enabled universal group was deleted.
* 4759 - A security-disabled universal group was created.
* 4760 - A security-disabled universal group was changed.
* 4761 - A member was added to a security-disabled universal group.
* 4762 - A member was removed from a security-disabled universal group.
* 4763 - A security-disabled global group was deleted.
* 4764 - A group's type was changed.
* 4768 - A Kerberos authentication ticket TGT was requested.
* 4769 - A Kerberos service ticket was requested.
* 4770 - A Kerberos service ticket was renewed.
* 4771 - Kerberos pre-authentication failed.
* 4776 - The computer attempted to validate the credentials for an account.
* 4778 - A session was reconnected to a Window Station.
* 4779 - A session was disconnected from a Window Station.
* 4781 - The name of an account was changed.
* 4798 - A user's local group membership was enumerated.
* 4799 - A security-enabled local group membership was enumerated.
* 4964 - Special groups have been assigned to a new logon.

More event IDs will be added.

Expand Down
Loading

0 comments on commit 955bc46

Please sign in to comment.