[System][Windows] "Users Added to Group" panel has incorrect filter #6275

@sakurai-youhei

Description

Kibana > Dashboard > [System Windows Security] Group Management Events > Users Added to Group has the following filter:

"query": "event.code:4731 OR event.code:4727 OR event.code:\"4754\" OR event.code:\"4749\" OR event.code:\"4759\" OR event.code:\"4744\" OR event.code:\"4783\" OR event.code:\"4790\""

Issue: The listed event IDs are for group creations as per the MS doc below.

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor

Event ID  Legacy ID  Criticality  Summary
4731      635        Low          A security-enabled local group was created.
4727      631        Medium       A security-enabled global group was created.
4754      658        Medium       A security-enabled universal group was created.
4749      653        Low          A security-disabled global group was created.
4759      663        Low          A security-disabled universal group was created.
4744      648        Low          A security-disabled local group was created.
4783      667        Low          A basic application group was created.
4790      694        Low          An LDAP query group was created.

Proposal: The filter should consist of the following event IDs to show user additions.

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor

Event ID  Legacy ID  Criticality  Summary
4732      636        Low          A member was added to a security-enabled local group.
4728      632        Low          A member was added to a security-enabled global group.
4756      660        Low          A member was added to a security-enabled universal group.
4751      655        Low          A member was added to a security-disabled global group.
4761      665        Low          A member was added to a security-disabled universal group.
4746      650        Low          A member was added to a security-disabled local group.
4785      689        Low          A member was added to a basic application group.
4787      691        Low          A nonmember was added to a basic application group.

Note: These proposed event IDs are identical to the ones used in Users Added - Table [Windows System Security], which follows this panel.

"value": "4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787"
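The mismatch described in the issue can be checked offline by extracting the event codes from each panel's filter and running constructed sample events through them. This is an added example, not code from the integration or the reporter; the sample events and the helper names are assumptions.

```python
import re

# Filter currently on the "Users Added to Group" panel (quoted from the issue).
CURRENT_PANEL_QUERY = (
    'event.code:4731 OR event.code:4727 OR event.code:"4754" OR event.code:"4749" OR '
    'event.code:"4759" OR event.code:"4744" OR event.code:"4783" OR event.code:"4790"'
)
# Codes used by the "Users Added - Table" panel (quoted from the issue).
TABLE_PANEL_VALUE = "4732, 4728, 4756, 4751, 4761, 4746, 4785, 4787"
# Proposed replacement filter, built from the member-added event IDs.
PROPOSED_PANEL_QUERY = " OR ".join(f"event.code:{c}" for c in TABLE_PANEL_VALUE.split(", "))

def codes_in_query(query):
    """Extract event.code values from a flat 'event.code:X OR event.code:"Y"' KQL filter."""
    return {m.group(1) for m in re.finditer(r'event\.code:"?(\d+)"?', query)}

def codes_in_table_value(value):
    """Parse the comma-separated 'value' list used by the table panel."""
    return {c.strip() for c in value.split(",") if c.strip()}

def matches(query, event):
    """True if the event's event.code is one of the codes the filter selects."""
    return str(event.get("event.code")) in codes_in_query(query)

def panel_hits(query, events):
    """Return the sorted event codes a panel with this filter would display."""
    return sorted(e["event.code"] for e in events if matches(query, e))

# Constructed sample events (not real telemetry), one per category named in the issue.
SAMPLE_EVENTS = [
    {"event.code": 4731, "summary": "A security-enabled local group was created."},
    {"event.code": 4732, "summary": "A member was added to a security-enabled local group."},
    {"event.code": 4728, "summary": "A member was added to a security-enabled global group."},
]

if __name__ == "__main__":
    print("current panel shows:", panel_hits(CURRENT_PANEL_QUERY, SAMPLE_EVENTS))
    print("proposed panel shows:", panel_hits(PROPOSED_PANEL_QUERY, SAMPLE_EVENTS))
    print("consistent with table panel:",
          codes_in_query(PROPOSED_PANEL_QUERY) == codes_in_table_value(TABLE_PANEL_VALUE))
```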

Labels: Integration:system, bug