
Commit e7f9f30

committed
Improve user mappings
1 parent 153945d commit e7f9f30


30 files changed

+281
-57
lines changed


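--- a/packages/system/changelog.yml
+++ b/packages/system/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.5.0"
+changes:
+- description: Better user mappings for security events
+type: enhancement
+link: https://github.com/elastic/integrations/pull/1944
 - version: "1.4.2"
 changes:
 - description: Prevent pipeline script error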

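--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json
@@ -64,7 +64,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
-"ingested": "2021-07-30T21:06:04.767568644Z",
+"ingested": "2021-10-19T11:55:16.331823600Z",
 "code": "4746",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -84,6 +84,7 @@
 "domain": "TEST",
 "target": {
 "name": "Administrator",
+"domain": "SAAS",
 "group": {
 "name": "testdistlocal1",
 "domain": "TEST",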
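Review bot: The added `"domain": "SAAS",` inside `target` (new line 87) disagrees with the `TEST` domain on the line just above `target` and with the group's `TEST` domain in the same document, while the host name `DC_TEST2k12.TEST.SAAS` suggests the domain is TEST.SAAS. The value looks like a single label of the DNS domain, possibly the last `DC=` component of the member's distinguished name; the pipeline change is not visible here and the enclosing object starts outside the hunk, so this is inferred from the fixture alone. A detection or hunt that correlates `user.target.domain` with `user.domain` would not match on this event. Once the extraction is corrected I would expect the fixture to read `"domain": "TEST",` (or the full `TEST.SAAS`); the same value appears in the expected files for 4747, 4751, 4752, 4761 and 4762.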

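--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json
@@ -64,7 +64,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
-"ingested": "2021-07-30T21:06:04.888936317Z",
+"ingested": "2021-10-19T11:55:16.621125Z",
 "code": "4747",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -84,6 +84,7 @@
 "domain": "TEST",
 "target": {
 "name": "Administrator",
+"domain": "SAAS",
 "group": {
 "name": "testdistlocal1",
 "domain": "TEST",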

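--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json
@@ -64,7 +64,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
-"ingested": "2021-07-30T21:06:05.313669028Z",
+"ingested": "2021-10-19T11:55:17.565769200Z",
 "code": "4751",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -84,6 +84,7 @@
 "domain": "TEST",
 "target": {
 "name": "Administrator",
+"domain": "SAAS",
 "group": {
 "name": "testglobal1",
 "domain": "TEST",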

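--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json
@@ -64,7 +64,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
-"ingested": "2021-07-30T21:06:05.414207722Z",
+"ingested": "2021-10-19T11:55:17.906691Z",
 "code": "4752",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -84,6 +84,7 @@
 "domain": "TEST",
 "target": {
 "name": "Administrator",
+"domain": "SAAS",
 "group": {
 "name": "testglobal1",
 "domain": "TEST",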

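--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json
@@ -64,7 +64,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
-"ingested": "2021-07-30T21:06:05.791134249Z",
+"ingested": "2021-10-19T11:55:18.871413700Z",
 "code": "4761",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -84,6 +84,7 @@
 "domain": "TEST",
 "target": {
 "name": "Administrator",
+"domain": "SAAS",
 "group": {
 "name": "testuni2",
 "domain": "TEST",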

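--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json
@@ -64,7 +64,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
-"ingested": "2021-07-30T21:06:05.889044291Z",
+"ingested": "2021-10-19T11:55:19.143941900Z",
 "code": "4762",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -84,6 +84,7 @@
 "domain": "TEST",
 "target": {
 "name": "Administrator",
+"domain": "SAAS",
 "group": {
 "name": "testuni2",
 "domain": "TEST",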

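--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json
@@ -77,7 +77,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
-"ingested": "2021-07-30T21:06:06.837533884Z",
+"ingested": "2021-10-19T11:55:21.246497500Z",
 "code": "4768",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -92,7 +92,8 @@
 },
 "user": {
 "name": "at_adm",
-"domain": "TEST.SAAS"
+"domain": "TEST.SAAS",
+"id": "S-1-5-21-1717121054-434620538-60925301-2794"
 }
 }
 ]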

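--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json
@@ -73,7 +73,7 @@
 "name": "DC_TEST2k12.TEST.SAAS"
 },
 "event": {
-"ingested": "2021-07-30T21:06:07.159369727Z",
+"ingested": "2021-10-19T11:55:22.001023400Z",
 "code": "4771",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -87,7 +87,8 @@
 "outcome": "failure"
 },
 "user": {
-"name": "MPUIG"
+"name": "MPUIG",
+"id": "S-1-5-21-1717121054-434620538-60925301-3057"
 }
 }
 ]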

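--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json
@@ -62,7 +62,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
-"ingested": "2021-07-30T21:06:09.468417917Z",
+"ingested": "2021-10-19T11:55:27.016591Z",
 "code": "4722",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -78,8 +78,13 @@
 },
 "user": {
 "name": "Administrator",
+"id": "S-1-5-21-101361758-2486510592-3018839910-500",
 "domain": "WIN-41OB2LO92CR",
-"id": "S-1-5-21-101361758-2486510592-3018839910-500"
+"target": {
+"name": "audittest",
+"domain": "WIN-41OB2LO92CR",
+"id": "S-1-5-21-101361758-2486510592-3018839910-1000"
+}
 }
 },
 {
@@ -144,7 +149,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
-"ingested": "2021-07-30T21:06:09.468420621Z",
+"ingested": "2021-10-19T11:55:27.016600700Z",
 "code": "4722",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -160,8 +165,13 @@
 },
 "user": {
 "name": "Administrator",
+"id": "S-1-5-21-101361758-2486510592-3018839910-500",
 "domain": "WIN-41OB2LO92CR",
-"id": "S-1-5-21-101361758-2486510592-3018839910-500"
+"target": {
+"name": "audittest0609",
+"domain": "WIN-41OB2LO92CR",
+"id": "S-1-5-21-101361758-2486510592-3018839910-1006"
+}
 }
 }
 ]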
