[Winlogbeat] ECS 1.9 user.changes.*, user.effective.*, user.target.*

[janniten]

What does this PR do?

In ECS 1.9 user.changes.*, user.effective.*, and user.target.* were introduced in order to capture better those events in where many users are involved. This fields allows us to model complex user's relationships.

See improvements sections in https://github.com/elastic/ecs/releases

Why is it important?

According to the usage described in https://www.elastic.co/guide/en/ecs/current/ecs-user-usage.html modifications to the winlogbeat security module are introduced in this PR in order to model user's relationship in an event.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

Use cases

The events affected are

EventID	User Field	Comments
4648	user.effective.*	This event captures the semantic of RunAs. Originally the user.* was completed with the information of the winlog.event_data.TargetUser.*, but according to the documentation user.* is the actual user who is executing the RunAs, so I've change to the user.* to be complete with the winlog.event_data.SubjectUser and the winlog.event_data.TargetUser.* copied to user.effective.*. From the doc Use the user fields at the root to capture who is requesting the privilege change, and user.effective to capture the requested privilege level, whether or not the privilege change was successful
4688	user.effective.*	In Windows 10/ Windows Server 2016 the some fields (winlog.event_data.TargetUser.*) where added in order to capture when a process is started under a different account. By default, a new process runs under the same account and logon session as the creator process
4720	user.target.*	User Management Events where the winlog.event_data.TargetUser.*  ->  user.target.*
4722	user.target.*	User Management Events where the winlog.event_data.TargetUser.*  ->  user.target.*
4723	user.target.*	User Management Events where the winlog.event_data.TargetUser.*  ->  user.target.*
4724	user.target.*	User Management Events where the winlog.event_data.TargetUser.*  ->  user.target.*
4725	user.target.*	User Management Events where the winlog.event_data.TargetUser.*  ->  user.target.*
4726	user.target.*	User Management Events where the winlog.event_data.TargetUser.*  ->  user.target.*
4728	user.target.*	Group Management Events user.target.* is completed with member information
4729	user.target.*	Group Management Events user.target.* is completed with member information
4732	user.target.*	Group Management Events user.target.* is completed with member information
4733	user.target.*	Group Management Events user.target.* is completed with member information
4738	user.target.*	User Management Events where the winlog.event_data.TargetUser.*  ->  user.target.*
4740	user.target.*	User Management Events where the winlog.event_data.TargetUser.*  ->  user.target.*
4746	user.target.*	Group Management Events user.target.* is completed with member information
4747	user.target.*	Group Management Events user.target.* is completed with member information
4751	user.target.*	Group Management Events user.target.* is completed with member information
4752	user.target.*	Group Management Events user.target.* is completed with member information
4756	user.target.*	Group Management Events user.target.* is completed with member information
4757	user.target.*	Group Management Events user.target.* is completed with member information
4761	user.target.*	Group Management Events user.target.* is completed with member information
4762	user.target.*	Group Management Events user.target.* is completed with member information
4767	user.target.*	User Management Events where the winlog.event_data.TargetUser.*  ->  user.target.*
4768	fix	Fixed targetSid Field
4771	fix	Fixed targetSid Field
4781	user.target.* and user.changes.*	User Management Events where the winlog.event_data.OldTargetUser.*  ->  user.target.* and winlog.event_data.NewTargetUser.*

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2021-10-18T11:54:47.349+0000

• Duration: 62 min 27 sec

• Commit: 8941a65

Test stats 🧪

Test	Results
Failed	0
Passed	880
Skipped	0
Total	880

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

[janniten]

@jsoriano #25754

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[jsoriano]

/test

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b ecs_1.9 upstream/ecs_1.9
git merge upstream/master
git push upstream ecs_1.9

[janniten]

Hi @adriansr @jsoriano
I've been using the latest version of winlogbeat and I realize that for some events (4728,4732,4733,4729) the field user.target.* is been populated.
In this case I've noticed that the user.target.name is populated with the group name, and not with the user that is been added to the group.
IMHO, I think that the user.target.name should be the user added to the group because is affecting the user's properties

        evt.Put("user.target.group.id", evt.Get("group.id"));
        evt.Put("user.target.group.name", evt.Get("group.name"));
        evt.Put("user.target.group.domain", evt.Get("group.domain"));

Also the user.target.* user.effective.* and user.changes.* are part of the winlogbeat's index template but not completed for the User Management Events and or 4648 and 4688
Shall I cancel this PR? and open a new one with the events still not have the user.target/effective/changes ?
Or just cancel it definitively if you are working in those changes.
Thank you
Regards
Ana

[adriansr]

Hi @janniten we're looking at this, sorry for the delay

[mergify]

This pull request does not have a backport label. Could you fix it @janniten? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v./d./d./d is the label to automatically backport to the 7./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

[P1llus]

/test

[marc-gr]

/test

[marc-gr]

would be nice if we could ignore -

[marc-gr]

I think this line got in with the merge, can we remove it if it is the case?

[marc-gr]

/test

[marc-gr]

/test

[P1llus]

LGTM

changes done