Cherry-pick #20684 to 7.x: Audit and Authentication Policy Change Events

[leehinman]

Cherry-pick of PR #20684 to 7.x branch. Original message:

What does this PR do?

• Adds support for Audit and Authentication Policy Change Events

Audit Audit Policy Change	Audit Authentication Policy Change
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change	https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
4719(S): System audit policy was changed.	4670(S): Permissions on an object were changed
4817(S): Auditing settings on object were changed.	4706(S): A new trust was created to a domain.
4902(S): The Per-user audit policy table was created.	4707(S): A trust to a domain was removed.
4906(S): The CrashOnAuditFail value has changed.	4716(S): Trusted domain information was modified.
4907(S): Auditing settings on object were changed.	4713(S): Kerberos policy was changed.
4908(S): Special Groups Logon table modified.	4717(S): System security access was granted to an account.
4912(S): Per User Audit Policy was changed.	4718(S): System security access was removed from an account.
4904(S): An attempt was made to register a security event source.	4739(S): Domain Policy was changed.
4905(S): An attempt was made to unregister a security event source.

Note: Although processing of Event 4715 (The audit policy (SACL) on an object was changed) seems to be identical to 4670, event 4715 was not included due I was not able to generate an example event.

For events where exists information of DACLs or SACLs those ACL are translated from the SDDL (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070) to a human-readable from. For example:

• Adds related.ip information in existing events where source.ip is present.

Why is it important?

• Auditing the changes in policies and event sources is crucial when we want to have a strong security monitoring system. Monitor these kinds of events are also important when we address compliance (SOX, PCI. HIPAA, etc )

• The related.ip information is useful when we want to pivot data between different sources. For example
  Fortinet Event (37141) indicating a user is connected to a VPN SSL when tunnelip is the asigned address. Tunnelip is also in the related.ip field
  Windows Event 4624 indicating a windows login from a source.ip. If we have source.ip in the related.ip it is easy to match the user connected through VPN with a windows logon

Checklist

• [x ] My code follows the style guidelines of this project
• [ x] I have commented my code, particularly in hard-to-understand areas
• [ x] I have made corresponding changes to the documentation
• [x ] I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Build Cause: Pull request #23659 updated

• • Start Time: 2021-01-27T02:43:29.466+0000

• Duration: 24 min 1 sec

• Commit: 7e0bce3

Test stats 🧪

Test	Results
Failed	0
Passed	472
Skipped	6
Total	478

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test	Results
Failed	0
Passed	472
Skipped	6
Total	478

[andrewkroh]

Could you please pull in ee485bd to go with this so that they are together.

[leehinman]

Could you please pull in ee485bd to go with this so that they are together.

Sure. I'm thinking we want d4e193d too, so the tests don't break.