diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 718f2a9716a..ad869c6afc5 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -28,6 +28,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff] *Winlogbeat* +- Corrects issue with security events with source IP of "LOCAL" or "Unknown" failing to ingest *Functionbeat* diff --git a/x-pack/winlogbeat/module/security/ingest/security.yml b/x-pack/winlogbeat/module/security/ingest/security.yml index 298a3029144..7d37023947f 100644 --- a/x-pack/winlogbeat/module/security/ingest/security.yml +++ b/x-pack/winlogbeat/module/security/ingest/security.yml @@ -2349,7 +2349,12 @@ processors: //ClientAddress to source.ip and related.ip if (ctx?.winlog?.event_data?.ClientAddress != null && - ctx.winlog.event_data.ClientAddress != "-") { + ctx.winlog.event_data.ClientAddress != "-" && + ctx.winlog.event_data.ClientAddress != "Unknown") { + // Correct invalid IP address "LOCAL" + if (ctx?.winlog?.event_data?.ClientAddress == "LOCAL") { + ctx.winlog.event_data.ClientAddress="127.0.0.1"; + } if (ctx?.source == null) { HashMap hm = new HashMap(); ctx.put("source", hm); diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4778.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4778.evtx.golden.json new file mode 100644 index 00000000000..486ef019333 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4778.evtx.golden.json 
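Review bot: The new inner `if` in the security.yml hunk overwrites the raw event field, `ctx.winlog.event_data.ClientAddress="127.0.0.1";`, so the stored document no longer records that Windows reported `LOCAL` — the added 4778 golden output shows `"ClientAddress": "127.0.0.1"` under `winlog.event_data`, a value that never appeared in the source record, and an analyst can no longer tell a console session from a genuine loopback client. Keep the original value in `winlog.event_data` and apply the mapping only to the derived ECS fields, e.g. replace the inner `if` with `def clientAddr = ctx.winlog.event_data.ClientAddress == "LOCAL" ? "127.0.0.1" : ctx.winlog.event_data.ClientAddress;` and use `clientAddr` where `source.ip` and `related.ip` are assigned. Those assignments and the remainder of the enclosing `if` block lie past the end of the hunk, so they would need the matching edit, which I cannot verify from here. A comment on the mapping would help the next maintainer, e.g. `// "LOCAL" marks a console session; map it to loopback for source.ip only and leave the raw field untouched`. The null-safe navigation in `ctx?.winlog?.event_data?.ClientAddress == "LOCAL"` is redundant after the outer null check on the same path and could be written as a plain comparison.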
@@ -0,0 +1,212 @@ +[ + { + "event": { + "code": "4778", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "activity_id": "{7261ec5d-29d2-0001-bdec-6172d229d901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "AccountDomain": "CONTOSO", + "AccountName": "user1", + "ClientAddress": "LOCAL", + "ClientName": "Unknown", + "LogonID": "0x5c7c095", + "SessionName": "Console" + }, + "event_id": "4778", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 320, + "thread": { + "id": 4484 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 6540868, + "time_created": "2023-01-17T21:35:22.347697Z" + } + }, + { + "event": { + "code": "4778", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "activity_id": "{7261ec5d-29d2-0001-bdec-6172d229d901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "AccountDomain": "CONTOSO", + "AccountName": "user1", + "ClientAddress": "LOCAL", + "ClientName": "Unknown", + "LogonID": "0x2d7650", + "SessionName": "Console" + }, + "event_id": "4778", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 320, + "thread": { + "id": 9240 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 6533066, + "time_created": "2023-01-17T14:30:22.2097094Z" + } + }, + { + "event": { + "code": "4778", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": 
"COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "activity_id": "{7261ec5d-29d2-0001-bdec-6172d229d901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "AccountDomain": "CONTOSO", + "AccountName": "user1", + "ClientAddress": "LOCAL", + "ClientName": "Unknown", + "LogonID": "0x2d7650", + "SessionName": "Console" + }, + "event_id": "4778", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 320, + "thread": { + "id": 20588 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 6529837, + "time_created": "2023-01-17T12:16:32.6562756Z" + } + }, + { + "event": { + "code": "4778", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "activity_id": "{7261ec5d-29d2-0001-bdec-6172d229d901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "AccountDomain": "CONTOSO", + "AccountName": "user1", + "ClientAddress": "LOCAL", + "ClientName": "Unknown", + "LogonID": "0x2d7650", + "SessionName": "Console" + }, + "event_id": "4778", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 320, + "thread": { + "id": 1560 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 6528511, + "time_created": "2023-01-17T11:38:09.0384455Z" + } + }, + { + "event": { + "code": "4778", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "activity_id": "{7261ec5d-29d2-0001-bdec-6172d229d901}", + "channel": "Security", + "computer_name": 
"COMPUTER1.contoso.com", + "event_data": { + "AccountDomain": "CONTOSO", + "AccountName": "user1", + "ClientAddress": "LOCAL", + "ClientName": "Unknown", + "LogonID": "0x32b6a80", + "SessionName": "Console" + }, + "event_id": "4778", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 320, + "thread": { + "id": 1560 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 6524523, + "time_created": "2023-01-17T05:15:18.8083596Z" + } + } +] diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4779.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4779.evtx.golden.json new file mode 100644 index 00000000000..d332b56cf2b --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4779.evtx.golden.json 
@@ -0,0 +1,212 @@ +[ + { + "event": { + "code": "4779", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "activity_id": "{01f78c75-2270-0002-52ab-626e802ad901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "AccountDomain": "CONTOSO", + "AccountName": "USER1", + "ClientAddress": "Unknown", + "ClientName": "DESKTOP", + "LogonID": "0x4c636b9", + "SessionName": "rdp-sxs220817450#18" + }, + "event_id": "4779", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 932, + "thread": { + "id": 9584 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3480043, + "time_created": "2023-01-17T22:37:25.1926737Z" + } + }, + { + "event": { + "code": "4779", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "activity_id": "{01f78c75-2270-0002-52ab-626e802ad901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "AccountDomain": "CONTOSO", + "AccountName": "USER1", + "ClientAddress": "Unknown", + "ClientName": "DESKTOP", + "LogonID": "0x3fc8b36", + "SessionName": "rdp-sxs220817450#12" + }, + "event_id": "4779", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 932, + "thread": { + "id": 7788 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3479302, + "time_created": "2023-01-17T22:09:56.3562679Z" + } + }, + { + "event": { + "code": "4779", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": 
{ + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "activity_id": "{01f78c75-2270-0002-52ab-626e802ad901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "AccountDomain": "CONTOSO", + "AccountName": "USER1", + "ClientAddress": "Unknown", + "ClientName": "DESKTOP", + "LogonID": "0xe03a99", + "SessionName": "rdp-sxs220817450#16" + }, + "event_id": "4779", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 932, + "thread": { + "id": 4660 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3479095, + "time_created": "2023-01-17T21:55:25.3931099Z" + } + }, + { + "event": { + "code": "4779", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "activity_id": "{01f78c75-2270-0002-52ab-626e802ad901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "AccountDomain": "CONTOSO", + "AccountName": "USER1", + "ClientAddress": "Unknown", + "ClientName": "DESKTOP", + "LogonID": "0xe03a99", + "SessionName": "rdp-sxs220817450#15" + }, + "event_id": "4779", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 932, + "thread": { + "id": 4660 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3479032, + "time_created": "2023-01-17T21:54:30.3134111Z" + } + }, + { + "event": { + "code": "4779", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "winlog": { + "activity_id": "{01f78c75-2270-0002-52ab-626e802ad901}", + "channel": 
"Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "AccountDomain": "CONTOSO", + "AccountName": "USER1", + "ClientAddress": "Unknown", + "ClientName": "DESKTOP", + "LogonID": "0xe03a99", + "SessionName": "rdp-sxs220817450#3" + }, + "event_id": "4779", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 932, + "thread": { + "id": 7328 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3478947, + "time_created": "2023-01-17T21:53:19.6235931Z" + } + } +] diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4778.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4778.golden.json new file mode 100644 index 00000000000..2c790115683 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4778.golden.json 
@@ -0,0 +1,372 @@ +[ + { + "@timestamp": "2023-01-17T21:35:22.347Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "session-reconnected", + "category": [ + "authentication", + "session" + ], + "code": "4778", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "ip": [ + "127.0.0.1" + ], + "user": [ + "user1" + ] + }, + "source": { + "domain": "Unknown", + "ip": "127.0.0.1" + }, + "user": { + "domain": "CONTOSO", + "name": "user1" + }, + "winlog": { + "activity_id": "{7261ec5d-29d2-0001-bdec-6172d229d901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "AccountDomain": "CONTOSO", + "AccountName": "user1", + "ClientAddress": "127.0.0.1", + "ClientName": "Unknown", + "LogonID": "0x5c7c095", + "SessionName": "Console" + }, + "event_id": "4778", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x5c7c095" + }, + "opcode": "Info", + "process": { + "pid": 320, + "thread": { + "id": 4484 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "6540868", + "time_created": "2023-01-17T21:35:22.347697Z" + } + }, + { + "@timestamp": "2023-01-17T14:30:22.209Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "session-reconnected", + "category": [ + "authentication", + "session" + ], + "code": "4778", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "ip": [ + "127.0.0.1" + ], + "user": [ + "user1" + ] + }, + "source": { + "domain": "Unknown", + "ip": "127.0.0.1" + }, + "user": { + "domain": 
"CONTOSO", + "name": "user1" + }, + "winlog": { + "activity_id": "{7261ec5d-29d2-0001-bdec-6172d229d901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "AccountDomain": "CONTOSO", + "AccountName": "user1", + "ClientAddress": "127.0.0.1", + "ClientName": "Unknown", + "LogonID": "0x2d7650", + "SessionName": "Console" + }, + "event_id": "4778", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2d7650" + }, + "opcode": "Info", + "process": { + "pid": 320, + "thread": { + "id": 9240 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "6533066", + "time_created": "2023-01-17T14:30:22.2097094Z" + } + }, + { + "@timestamp": "2023-01-17T12:16:32.656Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "session-reconnected", + "category": [ + "authentication", + "session" + ], + "code": "4778", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "ip": [ + "127.0.0.1" + ], + "user": [ + "user1" + ] + }, + "source": { + "domain": "Unknown", + "ip": "127.0.0.1" + }, + "user": { + "domain": "CONTOSO", + "name": "user1" + }, + "winlog": { + "activity_id": "{7261ec5d-29d2-0001-bdec-6172d229d901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "AccountDomain": "CONTOSO", + "AccountName": "user1", + "ClientAddress": "127.0.0.1", + "ClientName": "Unknown", + "LogonID": "0x2d7650", + "SessionName": "Console" + }, + "event_id": "4778", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2d7650" + }, + "opcode": "Info", + "process": { + "pid": 320, + "thread": { + "id": 20588 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": 
"Microsoft-Windows-Security-Auditing", + "record_id": "6529837", + "time_created": "2023-01-17T12:16:32.6562756Z" + } + }, + { + "@timestamp": "2023-01-17T11:38:09.038Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "session-reconnected", + "category": [ + "authentication", + "session" + ], + "code": "4778", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "ip": [ + "127.0.0.1" + ], + "user": [ + "user1" + ] + }, + "source": { + "domain": "Unknown", + "ip": "127.0.0.1" + }, + "user": { + "domain": "CONTOSO", + "name": "user1" + }, + "winlog": { + "activity_id": "{7261ec5d-29d2-0001-bdec-6172d229d901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "AccountDomain": "CONTOSO", + "AccountName": "user1", + "ClientAddress": "127.0.0.1", + "ClientName": "Unknown", + "LogonID": "0x2d7650", + "SessionName": "Console" + }, + "event_id": "4778", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2d7650" + }, + "opcode": "Info", + "process": { + "pid": 320, + "thread": { + "id": 1560 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "6528511", + "time_created": "2023-01-17T11:38:09.0384455Z" + } + }, + { + "@timestamp": "2023-01-17T05:15:18.808Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "session-reconnected", + "category": [ + "authentication", + "session" + ], + "code": "4778", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "ip": [ + "127.0.0.1" + ], + "user": [ + "user1" + 
] + }, + "source": { + "domain": "Unknown", + "ip": "127.0.0.1" + }, + "user": { + "domain": "CONTOSO", + "name": "user1" + }, + "winlog": { + "activity_id": "{7261ec5d-29d2-0001-bdec-6172d229d901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "AccountDomain": "CONTOSO", + "AccountName": "user1", + "ClientAddress": "127.0.0.1", + "ClientName": "Unknown", + "LogonID": "0x32b6a80", + "SessionName": "Console" + }, + "event_id": "4778", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x32b6a80" + }, + "opcode": "Info", + "process": { + "pid": 320, + "thread": { + "id": 1560 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "6524523", + "time_created": "2023-01-17T05:15:18.8083596Z" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4779.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4779.golden.json new file mode 100644 index 00000000000..f3579ec77c5 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4779.golden.json 
@@ -0,0 +1,352 @@ +[ + { + "@timestamp": "2023-01-17T22:37:25.192Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "session-disconnected", + "category": [ + "authentication", + "session" + ], + "code": "4779", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "end" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "USER1" + ] + }, + "source": { + "domain": "DESKTOP" + }, + "user": { + "domain": "CONTOSO", + "name": "USER1" + }, + "winlog": { + "activity_id": "{01f78c75-2270-0002-52ab-626e802ad901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "AccountDomain": "CONTOSO", + "AccountName": "USER1", + "ClientAddress": "Unknown", + "ClientName": "DESKTOP", + "LogonID": "0x4c636b9", + "SessionName": "rdp-sxs220817450#18" + }, + "event_id": "4779", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4c636b9" + }, + "opcode": "Info", + "process": { + "pid": 932, + "thread": { + "id": 9584 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3480043", + "time_created": "2023-01-17T22:37:25.1926737Z" + } + }, + { + "@timestamp": "2023-01-17T22:09:56.356Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "session-disconnected", + "category": [ + "authentication", + "session" + ], + "code": "4779", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "end" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "USER1" + ] + }, + "source": { + "domain": "DESKTOP" + }, + "user": { + "domain": "CONTOSO", + "name": "USER1" + }, + "winlog": { + "activity_id": 
"{01f78c75-2270-0002-52ab-626e802ad901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "AccountDomain": "CONTOSO", + "AccountName": "USER1", + "ClientAddress": "Unknown", + "ClientName": "DESKTOP", + "LogonID": "0x3fc8b36", + "SessionName": "rdp-sxs220817450#12" + }, + "event_id": "4779", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3fc8b36" + }, + "opcode": "Info", + "process": { + "pid": 932, + "thread": { + "id": 7788 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3479302", + "time_created": "2023-01-17T22:09:56.3562679Z" + } + }, + { + "@timestamp": "2023-01-17T21:55:25.393Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "session-disconnected", + "category": [ + "authentication", + "session" + ], + "code": "4779", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "end" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "USER1" + ] + }, + "source": { + "domain": "DESKTOP" + }, + "user": { + "domain": "CONTOSO", + "name": "USER1" + }, + "winlog": { + "activity_id": "{01f78c75-2270-0002-52ab-626e802ad901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "AccountDomain": "CONTOSO", + "AccountName": "USER1", + "ClientAddress": "Unknown", + "ClientName": "DESKTOP", + "LogonID": "0xe03a99", + "SessionName": "rdp-sxs220817450#16" + }, + "event_id": "4779", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0xe03a99" + }, + "opcode": "Info", + "process": { + "pid": 932, + "thread": { + "id": 4660 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3479095", + "time_created": 
"2023-01-17T21:55:25.3931099Z" + } + }, + { + "@timestamp": "2023-01-17T21:54:30.313Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "session-disconnected", + "category": [ + "authentication", + "session" + ], + "code": "4779", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "end" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "USER1" + ] + }, + "source": { + "domain": "DESKTOP" + }, + "user": { + "domain": "CONTOSO", + "name": "USER1" + }, + "winlog": { + "activity_id": "{01f78c75-2270-0002-52ab-626e802ad901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "AccountDomain": "CONTOSO", + "AccountName": "USER1", + "ClientAddress": "Unknown", + "ClientName": "DESKTOP", + "LogonID": "0xe03a99", + "SessionName": "rdp-sxs220817450#15" + }, + "event_id": "4779", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0xe03a99" + }, + "opcode": "Info", + "process": { + "pid": 932, + "thread": { + "id": 4660 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3479032", + "time_created": "2023-01-17T21:54:30.3134111Z" + } + }, + { + "@timestamp": "2023-01-17T21:53:19.623Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "session-disconnected", + "category": [ + "authentication", + "session" + ], + "code": "4779", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "end" + ] + }, + "host": { + "name": "COMPUTER1.contoso.com" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "USER1" + ] + }, + "source": { + "domain": "DESKTOP" + }, + "user": { + "domain": "CONTOSO", + "name": "USER1" + }, + "winlog": { + "activity_id": 
"{01f78c75-2270-0002-52ab-626e802ad901}", + "channel": "Security", + "computer_name": "COMPUTER1.contoso.com", + "event_data": { + "AccountDomain": "CONTOSO", + "AccountName": "USER1", + "ClientAddress": "Unknown", + "ClientName": "DESKTOP", + "LogonID": "0xe03a99", + "SessionName": "rdp-sxs220817450#3" + }, + "event_id": "4779", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0xe03a99" + }, + "opcode": "Info", + "process": { + "pid": 932, + "thread": { + "id": 7328 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3478947", + "time_created": "2023-01-17T21:53:19.6235931Z" + } + } +] \ No newline at end of file