[AD Entity Analytics] Fix UserAccountControl Attribute Table

Author: w0rk3r

packages/entityanalytics_ad/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.11.0"
+ changes:
+ - description: Fix useraccountcontrol conversion.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/13145
 - version: "0.10.0"
  changes:
  - description: Changes the field used to populate `user.name` to `sam_account_name`.

packages/entityanalytics_ad/data_stream/user/_dev/test/pipeline/test-user.json-expected.json

@@ -216,8 +216,8 @@
  "sam_account_name": "Administrator",
  "sam_account_type": "805306368",
  "uac_list": [
- "USER_DONT_REQUIRE_PREAUTH",
- "USER_DONT_EXPIRE_PASSWORD"
+ "DONT_EXPIRE_PASSWORD",
+ "NORMAL_ACCOUNT"
  ],
  "user_account_control": "66048",
  "usn_changed": "25166",
@@ -307,10 +307,10 @@
  "sam_account_name": "Guest",
  "sam_account_type": "805306368",
  "uac_list": [
- "USER_MNS_LOGON_ACCOUNT",
- "USER_DONT_REQUIRE_PREAUTH",
- "USER_HOME_DIRECTORY_REQUIRED",
- "USER_DONT_EXPIRE_PASSWORD"
+ "PASSWD_NOTREQD",
+ "DONT_EXPIRE_PASSWORD",
+ "ACCOUNTDISABLE",
+ "NORMAL_ACCOUNT"
  ],
  "user_account_control": "66082",
  "usn_changed": "8197",
@@ -444,8 +444,8 @@
  "service_principal_name": "kadmin/changepw",
  "show_in_advanced_view_only": true,
  "uac_list": [
- "USER_HOME_DIRECTORY_REQUIRED",
- "USER_DONT_EXPIRE_PASSWORD"
+ "ACCOUNTDISABLE",
+ "NORMAL_ACCOUNT"
  ],
  "user_account_control": "514",
  "usn_changed": "12785",

packages/entityanalytics_ad/data_stream/user/elasticsearch/ingest_pipeline/entity.yml

@@ -166,30 +166,33 @@ processors:
  tag: Set User Account Control
  description: Set User Account Control
  # USER_ACCOUNT Codes
- # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec
+ # https://learn.microsoft.com/en-us/windows/win32/adschema/a-useraccountcontrol
+ # https://learn.microsoft.com/en-us/windows/win32/api/iads/ne-iads-ads_user_flag_enum
  params:
- "0x00000001": USER_ACCOUNT_DISABLED
- "0x00000002": USER_HOME_DIRECTORY_REQUIRED
- "0x00000004": USER_PASSWORD_NOT_REQUIRED
- "0x00000008": USER_TEMP_DUPLICATE_ACCOUNT
- "0x00000010": USER_NORMAL_ACCOUNT
- "0x00000020": USER_MNS_LOGON_ACCOUNT
- "0x00000040": USER_INTERDOMAIN_TRUST_ACCOUNT
- "0x00000080": USER_WORKSTATION_TRUST_ACCOUNT
- "0x00000100": USER_SERVER_TRUST_ACCOUNT
- "0x00000200": USER_DONT_EXPIRE_PASSWORD
- "0x00000400": USER_ACCOUNT_AUTO_LOCKED
- "0x00000800": USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED
- "0x00001000": USER_SMARTCARD_REQUIRED
- "0x00002000": USER_TRUSTED_FOR_DELEGATION
- "0x00004000": USER_NOT_DELEGATED
- "0x00008000": USER_USE_DES_KEY_ONLY
- "0x00010000": USER_DONT_REQUIRE_PREAUTH
- "0x00020000": USER_PASSWORD_EXPIRED
- "0x00040000": USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
- "0x00080000": USER_NO_AUTH_DATA_REQUIRED
- "0x00100000": USER_PARTIAL_SECRETS_ACCOUNT
- "0x00200000": USER_USE_AES_KEYS
+ "0x00000001": SCRIPT
+ "0x00000002": ACCOUNTDISABLE
+ "0x00000008": HOMEDIR_REQUIRED
+ "0x00000010": LOCKOUT
+ "0x00000020": PASSWD_NOTREQD
+ "0x00000040": PASSWD_CANT_CHANGE
+ "0x00000080": ENCRYPTED_TEXT_PWD_ALLOWED
+ "0x00000100": TEMP_DUPLICATE_ACCOUNT
+ "0x00000200": NORMAL_ACCOUNT
+ "0x00000800": INTERDOMAIN_TRUST_ACCOUNT
+ "0x00001000": WORKSTATION_TRUST_ACCOUNT
+ "0x00002000": SERVER_TRUST_ACCOUNT
+ "0x00010000": DONT_EXPIRE_PASSWORD
+ "0x00020000": MNS_LOGON_ACCOUNT
+ "0x00040000": SMARTCARD_REQUIRED
+ "0x00080000": TRUSTED_FOR_DELEGATION
+ "0x00100000": NOT_DELEGATED
+ "0x00200000": USE_DES_KEY_ONLY
+ "0x00400000": DONT_REQUIRE_PREAUTH
+ "0x00800000": PASSWORD_EXPIRED
+ "0x01000000": TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
+ "0x02000000": NO_AUTH_DATA_REQUIRED
+ "0x04000000": PARTIAL_SECRETS_ACCOUNT
+ "0x08000000": USE_AES_KEYS
  source: |-
  Long newUacValue = Long.decode(ctx.activedirectory.user.user_account_control);
  ArrayList uacResult = new ArrayList();

packages/entityanalytics_ad/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: entityanalytics_ad
 title: Active Directory Entity Analytics
-version: "0.10.0"
+version: "0.11.0"
 description: "Collect User Identities from Active Directory Entity with Elastic Agent."
 type: integration
 categories: