[Winlogbeat] - Security Group Management MemberSid translation #7451
Comments
|
It would be helpful to me if you could post the JSON event generated by Winlogbeat to exemplify the problem. My current thinking is that a processor could be created that can resolve SIDs. |
andrewkroh
changed the title
|
Sure I could do that, the data would be sanitized but the json could probably help whoever is going to write the code.
… On Jun 27, 2018, at 3:19 PM, Andrew Kroh ***@***.***> wrote:
It would be helpful to me if you could post the JSON event generated by Winlogbeat to exemplify the problem.
My current thinking is that a processor could be created that can resolve SIDs.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
{
"@timestamp": "2018-06-28T17:13:53.765Z",
"@version": "1",
"activity_id": "{069C6F62-0D8A-0006-656F-9C068A0DD401}",
"beat": {
"hostname": "HOSTNAME",
"name": "HOSTNAME",
"version": "6.1.2"
},
"computer_name": "HOSTNAME.dev.domain.com",
"event_data": {
"MemberName": "-",
"MemberSid": "S-1-5-21-3724561596-2688610176-3820852040-512",
"PrivilegeList": "-",
"SubjectDomainName": "DEV",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "HOSTNAME$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "Builtin",
"TargetSid": "S-1-5-32-544",
"TargetUserName": "Administrators"
},
"event_id": 4732,
"host": "HOSTNAME",
"keywords": [
"Audit Success"
],
"level": "Information",
"log_name": "Security",
"opcode": "Info",
"process_id": 928,
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"record_number": "1672376",
"source_name": "Microsoft-Windows-Security-Auditing",
"task": "Security Group Management",
"thread_id": 16800,
"type": "wineventlog"
} |
|
So would a processor like this be usable? |
|
Yes that could work.
MemberName isn’t needed for the processor unless you added a when condition that only did the lookup when MemberName == “-“.
I like that you allow a custom target field since there could be 2 user accounts for this event, one for the source and one for the object.
I’d maybe create a summary object or a user_map like the auditbeat events and still all translations in there to preserve the source fields.
… On Jun 28, 2018, at 4:11 PM, Andrew Kroh ***@***.***> wrote:
So would a processor like this be usable?
# Replace with the translated values.
processors:
- sid_translate:
fields: [MemberName, MemberSid]
# Keep the original MemberSid value and write the resolved value to a new field.
processors:
- sid_translate:
field: MemberSid
target: user.name
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
Here's a secondary source explaining when the value can be dash.
|
|
Has there been any work performed towards the creation of the processor discussed above? |
|
I would also like to see this implemented. Is there any update? |
|
Hey guys is there any progress on this one? It would be great to translate SID in winlog.event_id: 4732 (and others similar). |
|
Pinging @andrewkroh. Any update on this? |
|
we're also interested in this fix, please keep us posted on the progress |
|
I have opened a pull request to add a |
The `translate_sid` processor translates a Windows security identifier (SID) into an account name. It retrieves the name of the account associated with the SID, the first domain on which the SID is found, and the type of account. Closes elastic#7451
* Add translate_sid processor to Winlogbeat The `translate_sid` processor translates a Windows security identifier (SID) into an account name. It retrieves the name of the account associated with the SID, the first domain on which the SID is found, and the type of account. Closes #7451
* Add translate_sid processor to Winlogbeat The `translate_sid` processor translates a Windows security identifier (SID) into an account name. It retrieves the name of the account associated with the SID, the first domain on which the SID is found, and the type of account. Closes elastic#7451 (cherry picked from commit 65b31bd)
|
Thank you, @andrewkroh! A few quick questions:
Thank you! |
|
|
Perfect. Thank you, Andrew! |
…16941) * Add translate_sid processor (#16013) * Add translate_sid processor to Winlogbeat The `translate_sid` processor translates a Windows security identifier (SID) into an account name. It retrieves the name of the account associated with the SID, the first domain on which the SID is found, and the type of account. Closes #7451 (cherry picked from commit 65b31bd)
|
Is there any documentation for how this is supposed to work? I can find NOTHING on it. No examples, explanation, etc. Event.message is this: Member: Group: Is translate_sid supposed to be modifying these values in event.message? |
|
We plan on adding the translate_sid processor to our Windows integrations to ensure MemberSid is automatically resolved. Please see new issue here for updates: elastic/integrations#3309 |
Need a way to enable sid translation for MemberSid on Security Group Management events.
Example: event_id: 4732
When an object (User or Group) is added to a group, only the SID of object is available in most events. There are two fields, MemberName and MemberSid, MemberName is usually '-' and should trigger a SID lookup based on the event code. Local SID lookup for local Security Group Management events, and domain lookup for every thing else.
According to this link, it's possible that only local group events are impacted by the MemberName always being set to '-':
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4732
The text was updated successfully, but these errors were encountered: