Add Kerberos Events - Other Logon Events - ECS event Categories and Types #17517

Merged
merged 9 commits into from
May 4, 2020
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -335,6 +335,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d

- Add more DNS error codes to the Sysmon module. {issue}15685[15685]
- Add experimental event log reader implementation that should be faster in most cases. {issue}6585[6585] {pull}16849[16849]
- Add support for event IDs 4673,4674,4697,4698,4699,4700,4701,4702,4768,4769,4770,4771,4776,4778,4779,4964 to the Security module {pull}17517[17517]

==== Deprecated

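Review bot: the changelog entry lists only the sixteen IDs 4673 through 4964, but the docs hunks in this same PR also add 4741-4764, 4781, 4798 and 4799 to the module's supported list; if those are new in this change they belong in this entry as well, otherwise confirm in the PR description that they were already supported and the docs are only catching up, so the release notes do not understate or overstate what changed.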
42 changes: 41 additions & 1 deletion winlogbeat/docs/modules/security.asciidoc
Expand Up @@ -19,8 +19,16 @@ The module has transformations for the following event IDs:
* 4647 - User initiated logoff (interactive logon types).
* 4648 - A logon was attempted using explicit credentials.
* 4672 - Special privileges assigned to new logon.
* 4673 - A privileged service was called.
* 4674 - An operation was attempted on a privileged object.
* 4688 - A new process has been created.
* 4689 - A process has exited.
* 4697 - A service was installed in the system.
* 4698 - A scheduled task was created.
* 4699 - A scheduled task was deleted.
* 4700 - A scheduled task was enabled.
* 4701 - A scheduled task was disabled.
* 4702 - A scheduled task was updated.
* 4719 - System audit policy was changed.
* 4720 - A user account was created.
* 4722 - A user account was enabled.
Expand All @@ -32,7 +40,7 @@ The module has transformations for the following event IDs:
* 4728 - A member was added to a security-enabled global group.
* 4729 - A member was removed from a security-enabled global group.
* 4730 - A security-enabled global group was deleted.
* 4731 - A security-enabled local group was created
* 4731 - A security-enabled local group was created.
* 4732 - A member was added to a security-enabled local group.
* 4733 - A member was removed from a security-enabled local group.
* 4734 - A security-enabled local group was deleted.
Expand Down Expand Up @@ -65,9 +73,41 @@ The module has transformations for the following event IDs:
* 4763 - A security-disabled global group was deleted.
* 4764 - A group's type was changed.
* 4767 - An account was unlocked.
* 4741 - A computer account was created.
* 4742 - A computer account was changed.
* 4743 - A computer account was deleted.
* 4744 - A security-disabled local group was created.
* 4745 - A security-disabled local group was changed.
* 4746 - A member was added to a security-disabled local group.
* 4747 - A member was removed from a security-disabled local group.
* 4748 - A security-disabled local group was deleted.
* 4749 - A security-disabled global group was created.
* 4750 - A security-disabled global group was changed.
* 4751 - A member was added to a security-disabled global group.
* 4752 - A member was removed from a security-disabled global group.
* 4753 - A security-disabled global group was deleted.
* 4754 - A security-enabled universal group was created.
* 4755 - A security-enabled universal group was changed.
* 4756 - A member was added to a security-enabled universal group.
* 4757 - A member was removed from a security-enabled universal group.
* 4758 - A security-enabled universal group was deleted.
* 4759 - A security-disabled universal group was created.
* 4760 - A security-disabled universal group was changed.
* 4761 - A member was added to a security-disabled universal group.
* 4762 - A member was removed from a security-disabled universal group.
* 4763 - A security-disabled global group was deleted.
* 4764 - A group's type was changed.
* 4768 - A Kerberos authentication ticket TGT was requested.
* 4769 - A Kerberos service ticket was requested.
* 4770 - A Kerberos service ticket was renewed.
* 4771 - Kerberos pre-authentication failed.
* 4776 - The computer attempted to validate the credentials for an account.
* 4778 - A session was reconnected to a Window Station.
* 4779 - A session was disconnected from a Window Station.
* 4781 - The name of an account was changed.
* 4798 - A user's local group membership was enumerated.
* 4799 - A security-enabled local group membership was enumerated.
* 4964 - Special groups have been assigned to a new logon.

More event IDs will be added.

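Review bot: the added block 4741 through 4764 duplicates two entries that are already in the list: 4763 and 4764 appear in the unchanged context at the top of this hunk and again inside the added block, so the rendered page will show both twice. The block also breaks the numeric ordering the rest of the list follows (4767 now precedes 4741). Suggest moving 4741-4762 up to their numeric position before the existing 4763 entry and dropping the second 4763 and 4764. Minor wording: 4768 reads "A Kerberos authentication ticket TGT was requested"; the Windows event text is "A Kerberos authentication ticket (TGT) was requested", and the other entries in this list mirror the Windows text verbatim.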
42 changes: 41 additions & 1 deletion x-pack/winlogbeat/module/security/_meta/docs.asciidoc
Expand Up @@ -19,8 +19,16 @@ The module has transformations for the following event IDs:
* 4647 - User initiated logoff (interactive logon types).
* 4648 - A logon was attempted using explicit credentials.
* 4672 - Special privileges assigned to new logon.
* 4673 - A privileged service was called.
* 4674 - An operation was attempted on a privileged object.
* 4688 - A new process has been created.
* 4689 - A process has exited.
* 4697 - A service was installed in the system.
* 4698 - A scheduled task was created.
* 4699 - A scheduled task was deleted.
* 4700 - A scheduled task was enabled.
* 4701 - A scheduled task was disabled.
* 4702 - A scheduled task was updated.
* 4719 - System audit policy was changed.
* 4720 - A user account was created.
* 4722 - A user account was enabled.
Expand All @@ -32,7 +40,7 @@ The module has transformations for the following event IDs:
* 4728 - A member was added to a security-enabled global group.
* 4729 - A member was removed from a security-enabled global group.
* 4730 - A security-enabled global group was deleted.
* 4731 - A security-enabled local group was created
* 4731 - A security-enabled local group was created.
* 4732 - A member was added to a security-enabled local group.
* 4733 - A member was removed from a security-enabled local group.
* 4734 - A security-enabled local group was deleted.
Expand Down Expand Up @@ -65,9 +73,41 @@ The module has transformations for the following event IDs:
* 4763 - A security-disabled global group was deleted.
* 4764 - A group's type was changed.
* 4767 - An account was unlocked.
* 4741 - A computer account was created.
* 4742 - A computer account was changed.
* 4743 - A computer account was deleted.
* 4744 - A security-disabled local group was created.
* 4745 - A security-disabled local group was changed.
* 4746 - A member was added to a security-disabled local group.
* 4747 - A member was removed from a security-disabled local group.
* 4748 - A security-disabled local group was deleted.
* 4749 - A security-disabled global group was created.
* 4750 - A security-disabled global group was changed.
* 4751 - A member was added to a security-disabled global group.
* 4752 - A member was removed from a security-disabled global group.
* 4753 - A security-disabled global group was deleted.
* 4754 - A security-enabled universal group was created.
* 4755 - A security-enabled universal group was changed.
* 4756 - A member was added to a security-enabled universal group.
* 4757 - A member was removed from a security-enabled universal group.
* 4758 - A security-enabled universal group was deleted.
* 4759 - A security-disabled universal group was created.
* 4760 - A security-disabled universal group was changed.
* 4761 - A member was added to a security-disabled universal group.
* 4762 - A member was removed from a security-disabled universal group.
* 4763 - A security-disabled global group was deleted.
* 4764 - A group's type was changed.
* 4768 - A Kerberos authentication ticket TGT was requested.
* 4769 - A Kerberos service ticket was requested.
* 4770 - A Kerberos service ticket was renewed.
* 4771 - Kerberos pre-authentication failed.
* 4776 - The computer attempted to validate the credentials for an account.
* 4778 - A session was reconnected to a Window Station.
* 4779 - A session was disconnected from a Window Station.
* 4781 - The name of an account was changed.
* 4798 - A user's local group membership was enumerated.
* 4799 - A security-enabled local group membership was enumerated.
* 4964 - Special groups have been assigned to a new logon.

More event IDs will be added.

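Review bot: this hunk carries the same duplicated 4763 and 4764 entries and the same out-of-order 4741-4762 block as the change to winlogbeat/docs/modules/security.asciidoc above, and the same "TGT" versus "(TGT)" wording on 4768. If the docs page is generated from this _meta file, fix it here and regenerate rather than patching both by hand, so the two copies stay in sync.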