elastic
diff --git a/‎CHANGELOG.next.asciidoc‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.next.asciidoc‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎x-pack/winlogbeat/module/security/config/winlogbeat-security.js‎
Lines changed: 83 additions & 16 deletions b/‎x-pack/winlogbeat/module/security/config/winlogbeat-security.js‎
Lines changed: 83 additions & 16 deletions
diff --git a/‎x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json‎
Lines changed: 1 addition & 0 deletions b/‎x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json‎
Lines changed: 1 addition & 0 deletions b/‎x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json‎
Lines changed: 1 addition & 0 deletions b/‎x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json‎
Lines changed: 1 addition & 0 deletions b/‎x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json‎
Lines changed: 1 addition & 0 deletions b/‎x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json‎
Lines changed: 1 addition & 0 deletions b/‎x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json‎
Lines changed: 1 addition & 0 deletions b/‎x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json‎
Lines changed: 1 addition & 0 deletions b/‎x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json‎
Lines changed: 1 addition & 0 deletions
@@ -449,6 +449,7 @@ for a few releases. Please use other tools provided by Elastic to fetch data fro
 - Protect against accessing undefined variables in Sysmon module. {issue}22219[22219] {pull}22236[22236]
 - Protect against accessing an undefined variable in Security module. {pull}22937[22937]
 - Tolerate faults when Windows Event Log session is interrupted {issue}27947[27947] {pull}28191[28191]
+- Add ECS 1.9 new users fields {pull}26509[26509]
 
 *Functionbeat*
 
 
@@ -1907,14 +1907,14 @@ var security = (function () {
 
     var copyTargetUser = function(evt) {
         var targetUserId = evt.Get("winlog.event_data.TargetUserSid");
+        if (!targetUserId) targetUserId = evt.Get("winlog.event_data.TargetSid");
         if (targetUserId) {
             if (evt.Get("user.id")) evt.Put("user.target.id", targetUserId);
             else evt.Put("user.id", targetUserId);
         }
-
         var targetUserName = evt.Get("winlog.event_data.TargetUserName");
         if (targetUserName) {
-            if (/.@*/.test(targetUserName)) {
+            if (targetUserName.indexOf('@')>0) {
                 targetUserName = targetUserName.split('@')[0];
             }
 
@@ -1930,6 +1930,71 @@ var security = (function () {
         }
     }
 
+    var removeIfEmptyOrHyphen = function(evt, key) {
+        var val = evt.Get(key);
+        if (!val || val === "-") {
+            evt.Delete(key);
+            return true;
+        }
+        return false;
+    }
+
+    var copyTargetUserToEffective = new processor.Chain()
+        .Convert({
+            fields: [
+                {from: "winlog.event_data.TargetUserSid", to: "user.effective.id"},
+                {from: "winlog.event_data.TargetUserName", to: "user.effective.name"},
+                {from: "winlog.event_data.TargetDomainName", to: "user.effective.domain"},
+            ],
+            ignore_missing: true,
+        })
+        .Add(function(evt) {
+            var user = evt.Get("winlog.event_data.TargetUserName");
+            if (user) {
+                if (user.indexOf('@')>0) {
+                    user = user.split('@')[0];
+                    evt.Put('user.effective.name', user);
+                }
+            }
+        })
+        .Add(function(evt) {
+            if (!removeIfEmptyOrHyphen(evt, "user.effective.name")) {
+                evt.AppendTo("related.user", evt.Get("user.effective.name"));
+            }
+            removeIfEmptyOrHyphen(evt, "user.effective.domain");
+            removeIfEmptyOrHyphen(evt, "user.effective.id");
+        })
+        .Build();
+
+    var copyTargetUserToTarget = new processor.Chain()
+        .Convert({
+            fields: [
+                {from: "winlog.event_data.TargetSid", to: "user.target.id"},
+                {from: "winlog.event_data.TargetUserName", to: "user.target.name"},
+                {from: "winlog.event_data.TargetDomainName", to: "user.target.domain"},
+            ],
+            ignore_missing: true,
+        })
+        .Add(function(evt) {
+            var user = evt.Get("winlog.event_data.TargetUserName");
+            if (user) {
+                if (user.indexOf('@')>0) {
+                    user = user.split('@')[0];
+                    evt.Put('user.target.name', user);
+                }
+                evt.AppendTo('related.user', user);
+            }
+        })
+        .Add(function(evt) {
+            if (!removeIfEmptyOrHyphen(evt, "user.target.name")) {
+                evt.AppendTo("related.user", evt.Get("user.target.name"));
+            }
+            removeIfEmptyOrHyphen(evt, "user.target.domain");
+            removeIfEmptyOrHyphen(evt, "user.target.id");
+        })
+        .Build();
+
+
     var copyMemberToUser = function(evt) {
         var member = evt.Get("winlog.event_data.MemberName");
         if (!member) {
@@ -1940,6 +2005,11 @@ var security = (function () {
 
         evt.AppendTo("related.user", userName);
         evt.Put("user.target.name", userName);
+
+        var domainName = member.split(',')[3];
+        if (domainName) {
+            evt.Put("user.target.domain", domainName.replace('DC=', '').replace('dc=', ''));
+        }
     }
 
     var copyTargetUserToGroup = new processor.Chain()
@@ -2130,10 +2200,11 @@ var security = (function () {
 
     // Handles both 4648
     var event4648 = new processor.Chain()
-        .Add(copyTargetUser)
+        .Add(copySubjectUser)
         .Add(copySubjectUserLogonId)
         .Add(renameCommonAuthFields)
         .Add(addEventFields)
+        .Add(copyTargetUserToEffective)
         .Add(function(evt) {
             var user = evt.Get("winlog.event_data.SubjectUserName");
             if (user) {
@@ -2173,16 +2244,8 @@ var security = (function () {
         .Add(copySubjectUser)
         .Add(copySubjectUserLogonId)
         .Add(renameNewProcessFields)
+        .Add(copyTargetUserToEffective)
         .Add(addEventFields)
-        .Add(function(evt) {
-            var user = evt.Get("winlog.event_data.TargetUserName");
-            if (user) {
-                var res = /^-$/.test(user);
-                    if (!res) {
-                        evt.AppendTo('related.user', user);
-                    }
-            }
-        })
         .Build();
 
     var event4689 = new processor.Chain()
@@ -2206,10 +2269,7 @@ var security = (function () {
         .Add(renameCommonAuthFields)
         .Add(addUACDescription)
         .Add(addEventFields)
-        .Add(function(evt) {
-            var user = evt.Get("winlog.event_data.TargetUserName");
-            evt.AppendTo('related.user', user);
-        })
+        .Add(copyTargetUserToTarget)
         .Build();
 
     var userRenamed = new processor.Chain()
@@ -2221,6 +2281,12 @@ var security = (function () {
             evt.AppendTo('related.user', userNew);
             var userOld = evt.Get("winlog.event_data.OldTargetUserName");
             evt.AppendTo('related.user', userOld);
+            if (userOld) {
+                evt.Put('user.target.name', userOld);
+            }
+            if (userNew) {
+                evt.Put('user.changes.name', userNew);
+            }
         })
         .Build();
 
@@ -2359,6 +2425,7 @@ var security = (function () {
         .Add(copySubjectUserLogonId)
         .Add(renameCommonAuthFields)
         .Add(addEventFields)
+        .Add(copyTargetUserToTarget)
         .Add(function(evt) {
             var oldSd = evt.Get("winlog.event_data.OldSd");
             var newSd = evt.Get("winlog.event_data.NewSd");
 
@@ -38,6 +38,7 @@
       "id": "S-1-5-21-1717121054-434620538-60925301-2794",
       "name": "at_adm",
       "target": {
+        "domain": "SAAS",
         "group": {
           "domain": "TEST",
           "id": "S-1-5-21-1717121054-434620538-60925301-2903",
 
@@ -38,6 +38,7 @@
       "id": "S-1-5-21-1717121054-434620538-60925301-2794",
       "name": "at_adm",
       "target": {
+        "domain": "SAAS",
         "group": {
           "domain": "TEST",
           "id": "S-1-5-21-1717121054-434620538-60925301-2903",
 
@@ -38,6 +38,7 @@
       "id": "S-1-5-21-1717121054-434620538-60925301-2794",
       "name": "at_adm",
       "target": {
+        "domain": "SAAS",
         "group": {
           "domain": "TEST",
           "id": "S-1-5-21-1717121054-434620538-60925301-2904",
 
@@ -38,6 +38,7 @@
       "id": "S-1-5-21-1717121054-434620538-60925301-2794",
       "name": "at_adm",
       "target": {
+        "domain": "SAAS",
         "group": {
           "domain": "TEST",
           "id": "S-1-5-21-1717121054-434620538-60925301-2904",
 
@@ -38,6 +38,7 @@
       "id": "S-1-5-21-1717121054-434620538-60925301-2794",
       "name": "at_adm",
       "target": {
+        "domain": "SAAS",
         "group": {
           "domain": "TEST",
           "id": "S-1-5-21-1717121054-434620538-60925301-2905",
 
@@ -38,6 +38,7 @@
       "id": "S-1-5-21-1717121054-434620538-60925301-2794",
       "name": "at_adm",
       "target": {
+        "domain": "SAAS",
         "group": {
           "domain": "TEST",
           "id": "S-1-5-21-1717121054-434620538-60925301-2905",
 
@@ -31,6 +31,7 @@
     },
     "user": {
       "domain": "TEST.SAAS",
+      "id": "S-1-5-21-1717121054-434620538-60925301-2794",
       "name": "at_adm"
     },
     "winlog": {
 
@@ -30,6 +30,7 @@
       "port": 53366
     },
     "user": {
+      "id": "S-1-5-21-1717121054-434620538-60925301-3057",
       "name": "MPUIG"
     },
     "winlog": {