Cherry-pick #14299 to 7.x: Add Group Management Events - Add NewUAC Description for User Management Events#15153
Merged
leehinman merged 1 commit intoelastic:7.xfrom Jan 2, 2020
Conversation
… User Management Events (elastic#14299) * Added Group Management Events * Added User and Group Enumeration * Added New UAC Description (cherry picked from commit 8e31628)
andrewkroh
approved these changes
Dec 18, 2019
Member
andrewkroh
left a comment
There was a problem hiding this comment.
LGTM. I noticed this is missing a changelog entry. We should add one when we backport the accompanying dashboards.
andrewkroh
requested changes
Dec 18, 2019
Member
andrewkroh
left a comment
There was a problem hiding this comment.
It looks like tests are failing. Maybe due to host.name changes in Winlogbeat that aren't in 7.x?
Contributor
Author
|
Looks like #15197 will fix it. |
Contributor
Author
That fixed things in master, but before I can backport it to 7.x I have to add this one because parts of that commit depend on this one. |
andrewkroh
approved these changes
Jan 2, 2020
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Cherry-pick of PR #14299 to 7.x branch. Original message:
Added Group Management Events and Events 4798 and 4799 (User and Group enumeration)
In order to map correclty this event a new field group.domain was added to the ECS group schema
(elastic/ecs#547)
Added addUACDescription function in order to translate to a human readable form the flags in winlog.event_data.NewUacValue field. A new field winlog.event_data.NewUACList is created and contains a list of decoded flags from the hex value in winlog.event_data.NewUACList
For example
winlog.event_data.NewUacValue -> 0x15 is translated to winlog.event_data.NewUACList -> SCRIPT,LOCKOUT
Also converts the winlog.event_data.UserAccountControl to a list of values
Cosmetic change: fix the order of events 4767 and 4781 and some space fixing
Ingesting this events we can have information about group who performed group changes and what the changes are.