windows/forwarded: add support for events 4674, 4738 and 4742 (#3945)

Logic for the "Decode message table" processor is ported from the same processor in the system/security data stream added in bc44f65.

Author: efd6

packages/windows/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.15.0"
+ changes:
+ - description: Add support for events 4674, 4738 and 4742.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3945
 - version: "1.14.1"
  changes:
  - description: Fix translate_sid processor error in powershell operational data stream.

packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4674.json

@@ -0,0 +1,125 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-11-11T17:14:52.001Z",
+ "agent": {
+ "name": "AgentName",
+ "type": "filebeat",
+ "version": "7.15.2",
+ "hostname": "hostname",
+ "ephemeral_id": "8c285603-b2ba-4891-8f1a-862ca3388614",
+ "id": "7d1ef343-9372-428d-bd10-0a78e6894797"
+ },
+ "winlog": {
+ "time_created": "2015-10-09T00:22:36.237Z",
+ "event_id": "4674",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "keywords": [
+ "Audit Failure"
+ ],
+ "opcode": "Info",
+ "outcome": "failure",
+ "level": "information",
+ "event_data": {
+ "ProcessId": "0x1f0",
+ "SubjectDomainName": "NT AUTHORITY",
+ "SubjectLogonId": "0x3e5",
+ "ObjectType": "-",
+ "ObjectName": "-",
+ "AccessMask": "16777216",
+ "PrivilegeList": "SeSecurityPrivilege",
+ "ProcessName": "C:\\\\Windows\\\\System32\\\\lsass.exe",
+ "SubjectUserSid": "S-1-5-19",
+ "SubjectUserName": "LOCAL SERVICE",
+ "ObjectServer": "LSA",
+ "HandleId": "0x0"
+ },
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 504
+ }
+ },
+ "channel": "Security",
+ "record_id": 1099680,
+ "computer_name": "DC01.contoso.local",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}"
+ },
+ "event": {
+ "code": "4674",
+ "kind": "event",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "failure"
+ },
+ "log": {
+ "file": {
+ "path": "/file/path/4674.xml"
+ },
+ "level": "information"
+ },
+ "message": "\u003cEvent xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"\u003e\u003cSystem\u003e\u003cProvider Name=\"Microsoft-Windows-Security-Auditing\" Guid=\"{54849625-5478-4994-A5BA-3E3B0328C30D}\" /\u003e\u003cEventID\u003e4674\u003c/EventID\u003e\u003cVersion\u003e0\u003c/Version\u003e\u003cLevel\u003e0\u003c/Level\u003e\u003cTask\u003e13056\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8010000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime=\"2015-10-09T00:22:36.237816000Z\" /\u003e\u003cEventRecordID\u003e1099680\u003c/EventRecordID\u003e\u003cCorrelation /\u003e\u003cExecution ProcessID=\"496\" ThreadID=\"504\" /\u003e\u003cChannel\u003eSecurity\u003c/Channel\u003e\u003cComputer\u003eDC01.contoso.local\u003c/Computer\u003e\u003cSecurity /\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name=\"SubjectUserSid\"\u003eS-1-5-19\u003c/Data\u003e\u003cData Name=\"SubjectUserName\"\u003eLOCAL SERVICE\u003c/Data\u003e\u003cData Name=\"SubjectDomainName\"\u003eNT AUTHORITY\u003c/Data\u003e\u003cData Name=\"SubjectLogonId\"\u003e0x3e5\u003c/Data\u003e\u003cData Name=\"ObjectServer\"\u003eLSA\u003c/Data\u003e\u003cData Name=\"ObjectType\"\u003e-\u003c/Data\u003e\u003cData Name=\"ObjectName\"\u003e-\u003c/Data\u003e\u003cData Name=\"HandleId\"\u003e0x0\u003c/Data\u003e\u003cData Name=\"AccessMask\"\u003e16777216\u003c/Data\u003e\u003cData Name=\"PrivilegeList\"\u003eSeSecurityPrivilege\u003c/Data\u003e\u003cData Name=\"ProcessId\"\u003e0x1f0\u003c/Data\u003e\u003cData Name=\"ProcessName\"\u003eC:\\\\Windows\\\\System32\\\\lsass.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "input": {
+ "type": "log"
+ },
+ "ecs": {
+ "version": "1.11.0"
+ },
+ "host": {
+ "name": "DC01.contoso.local"
+ }
+ },
+ {
+ "@timestamp": "2021-11-11T17:14:53.001Z",
+ "event": {
+ "action": "Sensitive Privilege Use",
+ "code": "4674",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing"
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "An operation was attempted on a privileged object.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x5E2887\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tFile\n\tObject Name:\tC:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor\n\tObject Handle:\t0x1684\n\nProcess Information:\n\tProcess ID:\t0x3e4\n\tProcess Name:\tC:\\Windows\\System32\\svchost.exe\n\nRequested Operation:\n\tDesired Access:\tREAD_CONTROL\n\t\t\t\tACCESS_SYS_SEC\n\n\tPrivileges:\t\tSeSecurityPrivilege",
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "event_data": {
+ "AccessMask": "%%1538\n\t\t\t\t%%1542\n\t\t\t\t",
+ "HandleId": "0x1684",
+ "ObjectName": "C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor",
+ "ObjectServer": "Security",
+ "ObjectType": "File",
+ "PrivilegeList": "SeSecurityPrivilege",
+ "ProcessId": "0x3e4",
+ "ProcessName": "C:\\Windows\\System32\\svchost.exe",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x5e2887",
+ "SubjectUserName": "at_adm",
+ "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794"
+ },
+ "event_id": "4674",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 604,
+ "thread": {
+ "id": 612
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 18232147,
+ "task": "Sensitive Privilege Use",
+ "time_created": "2022-08-01T08:53:50.3336583Z"
+ }
+ }
+ ]
+}

packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4674.json-expected.json

@@ -0,0 +1,184 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2015-10-09T00:22:36.237Z",
+ "agent": {
+ "ephemeral_id": "8c285603-b2ba-4891-8f1a-862ca3388614",
+ "hostname": "hostname",
+ "id": "7d1ef343-9372-428d-bd10-0a78e6894797",
+ "name": "AgentName",
+ "type": "filebeat",
+ "version": "7.15.2"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "privileged-operation",
+ "category": [
+ "iam"
+ ],
+ "code": "4674",
+ "kind": "event",
+ "outcome": "failure",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "admin"
+ ]
+ },
+ "host": {
+ "name": "DC01.contoso.local"
+ },
+ "input": {
+ "type": "log"
+ },
+ "log": {
+ "file": {
+ "path": "/file/path/4674.xml"
+ },
+ "level": "information"
+ },
+ "message": "\u003cEvent xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"\u003e\u003cSystem\u003e\u003cProvider Name=\"Microsoft-Windows-Security-Auditing\" Guid=\"{54849625-5478-4994-A5BA-3E3B0328C30D}\" /\u003e\u003cEventID\u003e4674\u003c/EventID\u003e\u003cVersion\u003e0\u003c/Version\u003e\u003cLevel\u003e0\u003c/Level\u003e\u003cTask\u003e13056\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8010000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime=\"2015-10-09T00:22:36.237816000Z\" /\u003e\u003cEventRecordID\u003e1099680\u003c/EventRecordID\u003e\u003cCorrelation /\u003e\u003cExecution ProcessID=\"496\" ThreadID=\"504\" /\u003e\u003cChannel\u003eSecurity\u003c/Channel\u003e\u003cComputer\u003eDC01.contoso.local\u003c/Computer\u003e\u003cSecurity /\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name=\"SubjectUserSid\"\u003eS-1-5-19\u003c/Data\u003e\u003cData Name=\"SubjectUserName\"\u003eLOCAL SERVICE\u003c/Data\u003e\u003cData Name=\"SubjectDomainName\"\u003eNT AUTHORITY\u003c/Data\u003e\u003cData Name=\"SubjectLogonId\"\u003e0x3e5\u003c/Data\u003e\u003cData Name=\"ObjectServer\"\u003eLSA\u003c/Data\u003e\u003cData Name=\"ObjectType\"\u003e-\u003c/Data\u003e\u003cData Name=\"ObjectName\"\u003e-\u003c/Data\u003e\u003cData Name=\"HandleId\"\u003e0x0\u003c/Data\u003e\u003cData Name=\"AccessMask\"\u003e16777216\u003c/Data\u003e\u003cData Name=\"PrivilegeList\"\u003eSeSecurityPrivilege\u003c/Data\u003e\u003cData Name=\"ProcessId\"\u003e0x1f0\u003c/Data\u003e\u003cData Name=\"ProcessName\"\u003eC:\\\\Windows\\\\System32\\\\lsass.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "process": {
+ "executable": "C:\\\\Windows\\\\System32\\\\lsass.exe",
+ "name": "lsass.exe",
+ "pid": 496
+ },
+ "related": {
+ "user": [
+ "LOCAL SERVICE"
+ ]
+ },
+ "user": {
+ "domain": "NT AUTHORITY",
+ "id": "S-1-5-19",
+ "name": "LOCAL SERVICE"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "DC01.contoso.local",
+ "event_data": {
+ "AccessMask": "16777216",
+ "AccessMaskDescription": [
+ "ADS_RIGHT_ACCESS_SYSTEM_SECURITY"
+ ],
+ "HandleId": "0x0",
+ "ObjectName": "-",
+ "ObjectServer": "LSA",
+ "ObjectType": "-",
+ "PrivilegeList": [
+ "SeSecurityPrivilege"
+ ],
+ "SubjectDomainName": "NT AUTHORITY",
+ "SubjectLogonId": "0x3e5",
+ "SubjectUserName": "LOCAL SERVICE",
+ "SubjectUserSid": "S-1-5-19"
+ },
+ "event_id": "4674",
+ "keywords": [
+ "Audit Failure"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x3e5"
+ },
+ "opcode": "Info",
+ "outcome": "failure",
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 504
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "1099680",
+ "time_created": "2015-10-09T00:22:36.237Z"
+ }
+ },
+ {
+ "@timestamp": "2022-08-01T08:53:50.333Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "privileged-operation",
+ "category": [
+ "iam"
+ ],
+ "code": "4674",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "admin"
+ ]
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "An operation was attempted on a privileged object.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x5E2887\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tFile\n\tObject Name:\tC:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor\n\tObject Handle:\t0x1684\n\nProcess Information:\n\tProcess ID:\t0x3e4\n\tProcess Name:\tC:\\Windows\\System32\\svchost.exe\n\nRequested Operation:\n\tDesired Access:\tREAD_CONTROL\n\t\t\t\tACCESS_SYS_SEC\n\n\tPrivileges:\t\tSeSecurityPrivilege",
+ "process": {
+ "executable": "C:\\Windows\\System32\\svchost.exe",
+ "name": "svchost.exe",
+ "pid": 996
+ },
+ "related": {
+ "user": [
+ "at_adm"
+ ]
+ },
+ "user": {
+ "domain": "TEST",
+ "id": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "name": "at_adm"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "event_data": {
+ "AccessMask": "%%1538\n\t\t\t\t%%1542\n\t\t\t\t",
+ "AccessMaskDescription": [
+ "Delete Child",
+ "List Contents"
+ ],
+ "HandleId": "0x1684",
+ "ObjectName": "C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor",
+ "ObjectServer": "Security",
+ "ObjectType": "File",
+ "PrivilegeList": [
+ "SeSecurityPrivilege"
+ ],
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x5e2887",
+ "SubjectUserName": "at_adm",
+ "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794"
+ },
+ "event_id": "4674",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x5e2887"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 604,
+ "thread": {
+ "id": 612
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "18232147",
+ "task": "Sensitive Privilege Use",
+ "time_created": "2022-08-01T08:53:50.3336583Z"
+ }
+ }
+ ]
+}

packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4738.json

@@ -0,0 +1,72 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-11-11T17:14:52.001Z",
+ "event": {
+ "action": "User Account Management",
+ "code": "4738",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing"
+ },
+ "host": {
+ "name": "DC_TEST2k12"
+ },
+ "log": {
+ "level": "information"
+ },
+ "message": "A user account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x5E2887\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-8884\n\tAccount Name:\t\tanatest1\n\tAccount Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tDisplay Name:\t\t-\n\tUser Principal Name:\tanatest12@TEST\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t-\n\tAccount Expires:\t\t-\n\tPrimary Group ID:\t-\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t-\n\tNew UAC Value:\t\t-\n\tUser Account Control:\t-\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-",
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12",
+ "event_data": {
+ "AccountExpires": "-",
+ "AllowedToDelegateTo": "-",
+ "DisplayName": "-",
+ "Dummy": "-",
+ "HomeDirectory": "-",
+ "HomePath": "-",
+ "LogonHours": "-",
+ "NewUacValue": "-",
+ "OldUacValue": "-",
+ "PasswordLastSet": "-",
+ "PrimaryGroupId": "-",
+ "PrivilegeList": "-",
+ "ProfilePath": "-",
+ "SamAccountName": "-",
+ "ScriptPath": "-",
+ "SidHistory": "-",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x5e2887",
+ "SubjectUserName": "at_adm",
+ "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "TargetDomainName": "TEST",
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-8884",
+ "TargetUserName": "anatest1",
+ "UserAccountControl": "-",
+ "UserParameters": "-",
+ "UserPrincipalName": "anatest12@TEST",
+ "UserWorkstations": "-"
+ },
+ "event_id": "4738",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 604,
+ "thread": {
+ "id": 864
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 18232108,
+ "task": "User Account Management",
+ "time_created": "2022-08-01T08:49:58.8259888Z"
+ }
+ }
+ ]
+}