
[Winlogbeat] - Security Group Management MemberSid translation #7451

Closed
gwsales opened this issue Jun 27, 2018 · 19 comments · Fixed by #16013

Comments

@gwsales

gwsales commented Jun 27, 2018

Need a way to enable sid translation for MemberSid on Security Group Management events.

Example: event_id: 4732

When an object (User or Group) is added to a group, only the SID of object is available in most events. There are two fields, MemberName and MemberSid, MemberName is usually '-' and should trigger a SID lookup based on the event code. Local SID lookup for local Security Group Management events, and domain lookup for every thing else.

According to this link, it's possible that only local group events are impacted by the MemberName always being set to '-':
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4732

@andrewkroh
Member

It would be helpful to me if you could post the JSON event generated by Winlogbeat to exemplify the problem.

My current thinking is that a processor could be created that can resolve SIDs.

@andrewkroh andrewkroh changed the title winlogbeat - Security Group Management MemberSid translation [Winlogbeat] - Security Group Management MemberSid translation Jun 27, 2018
@gwsales
Author

gwsales commented Jun 28, 2018 via email

@gwsales
Author

gwsales commented Jun 28, 2018

{"@timestamp":"2018-06-28T17:13:53.765Z","@version":"1","activity_id":"{069C6F62-0D8A-0006-656F-9C068A0DD401}","beat":{"hostname":"HOSTNAME","name":"HOSTNAME","version":"6.1.2"},"computer_name":"HOSTNAME.dev.domain.com","event_data":{"MemberName":"-","MemberSid":"S-1-5-21-3724561596-2688610176-3820852040-512","PrivilegeList":"-","SubjectDomainName":"DEV","SubjectLogonId":"0x3e7","SubjectUserName":"HOSTNAME$","SubjectUserSid":"S-1-5-18","TargetDomainName":"Builtin","TargetSid":"S-1-5-32-544","TargetUserName":"Administrators"},"event_id":4732,"host":"HOSTNAME","keywords":["Audit Success"],"level":"Information","log_name":"Security","opcode":"Info","process_id":928,"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","record_number":"1672376","source_name":"Microsoft-Windows-Security-Auditing","task":"Security Group Management","thread_id":16800,"type":"wineventlog"}

@andrewkroh
Member

{
  "@timestamp": "2018-06-28T17:13:53.765Z",
  "@version": "1",
  "activity_id": "{069C6F62-0D8A-0006-656F-9C068A0DD401}",
  "beat": {
    "hostname": "HOSTNAME",
    "name": "HOSTNAME",
    "version": "6.1.2"
  },
  "computer_name": "HOSTNAME.dev.domain.com",
  "event_data": {
    "MemberName": "-",
    "MemberSid": "S-1-5-21-3724561596-2688610176-3820852040-512",
    "PrivilegeList": "-",
    "SubjectDomainName": "DEV",
    "SubjectLogonId": "0x3e7",
    "SubjectUserName": "HOSTNAME$",
    "SubjectUserSid": "S-1-5-18",
    "TargetDomainName": "Builtin",
    "TargetSid": "S-1-5-32-544",
    "TargetUserName": "Administrators"
  },
  "event_id": 4732,
  "host": "HOSTNAME",
  "keywords": [
    "Audit Success"
  ],
  "level": "Information",
  "log_name": "Security",
  "opcode": "Info",
  "process_id": 928,
  "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
  "record_number": "1672376",
  "source_name": "Microsoft-Windows-Security-Auditing",
  "task": "Security Group Management",
  "thread_id": 16800,
  "type": "wineventlog"
}

@andrewkroh
Member

andrewkroh commented Jun 28, 2018

So would a processor like this be usable?

# Replace with the translated values.
processors:
- sid_translate:
    fields: [MemberName, MemberSid]

# Keep the original MemberSid value and write the resolved value to a new field.
processors:
- sid_translate:
    field: MemberSid
    target: user.name # or user.group? (but you get the idea)

@gwsales
Author

gwsales commented Jun 28, 2018 via email

@andrewkroh
Member

Here's a secondary source explaining when the value can be dash.

For local groups this field typically has “-” value, even if new member is a domain account. For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.

https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4732.md

@SpencerLN
Contributor

Has there been any work performed towards the creation of the processor discussed above?

@MakoWish
Contributor

I would also like to see this implemented. Is there any update?

@adrwh

adrwh commented Aug 10, 2019

Hey guys, is there any progress on this one? It would be great to translate the SID in winlog.event_id: 4732 (and other similar events).

"event_data": {
  "PrivilegeList": "-",
  "SubjectLogonId": "0x3e7",
  "TargetUserName": "Administrators",
  "TargetDomainName": "Builtin",
  "MemberName": "-",
  "SubjectDomainName": "REDACTED",
  "SubjectUserSid": "S-1-5-18",
  "MemberSid": "S-1-5-21-nnnn-nnnn-nnnn-nnnn",
  "TargetSid": "S-1-5-32-544",
  "SubjectUserName": "REDACTED"
}

@MakoWish
Contributor

MakoWish commented Jan 6, 2020

Pinging @andrewkroh. Any update on this?

@jyipks

jyipks commented Jan 31, 2020

We're also interested in this fix; please keep us posted on the progress.

@andrewkroh
Member

I have opened a pull request to add a translate_sid processor in #16013.

andrewkroh added a commit to andrewkroh/beats that referenced this issue Feb 25, 2020
The `translate_sid` processor translates a Windows security identifier (SID)
into an account name. It retrieves the name of the account associated with the
SID, the first domain on which the SID is found, and the type of account.

Closes elastic#7451
andrewkroh added a commit that referenced this issue Feb 26, 2020
* Add translate_sid processor to Winlogbeat

The `translate_sid` processor translates a Windows security identifier (SID)
into an account name. It retrieves the name of the account associated with the
SID, the first domain on which the SID is found, and the type of account.

Closes #7451
andrewkroh added a commit to andrewkroh/beats that referenced this issue Mar 10, 2020
* Add translate_sid processor to Winlogbeat

The `translate_sid` processor translates a Windows security identifier (SID)
into an account name. It retrieves the name of the account associated with the
SID, the first domain on which the SID is found, and the type of account.

Closes elastic#7451

(cherry picked from commit 65b31bd)
@MakoWish
Contributor

MakoWish commented Mar 11, 2020

Thank you, @andrewkroh!

A few quick questions:

  1. Was this implemented in 7.6.1?
  2. Is this processor loaded by default? Or does it need to be specified in the winlogbeat.yml file?
  3. If this processor must be specified, is "translate_sid" the official processor name?

Thank you!

@andrewkroh
Member

  1. It should be released with the next minor version (pending the merge of Cherry-pick #16013 to 7.x: Add translate_sid processor to Winlogbeat #16941), so 7.7.
  2. It's not used anywhere by default. It will probably get added to the Security module to enrich particular events, but that's not done right now. So add it to your configs for whatever winlog.event_data.* fields you want converted.
  3. Yes, and it will start showing up in the master branch docs soon (pending Fix docs for translate_sid processor #16961). See https://www.elastic.co/guide/en/beats/winlogbeat/master/defining-processors.html
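As an added illustration (not code from this thread or from Beats), the Python below sketches what the processor does to the 4732 event posted earlier: it leaves `event_data.MemberSid` in place and writes the resolved account name and domain to new target fields, and it does the same for `TargetSid`. Only well-known SIDs and well-known domain RIDs are resolved offline; `DOMAIN_NAMES` is a constructed stand-in for the directory lookup the real processor performs, so an ordinary domain user stays unresolved here, which is exactly the case the processor exists to cover.

```python
import re

# Constructed sample: the 4732 event_data posted earlier in this thread, trimmed.
SAMPLE_EVENT = {"event_id": 4732, "event_data": {
    "MemberName": "-", "MemberSid": "S-1-5-21-3724561596-2688610176-3820852040-512",
    "SubjectUserSid": "S-1-5-18", "TargetSid": "S-1-5-32-544"}}
# Constructed stand-in for the directory lookup: domain identifier -> NetBIOS name.
DOMAIN_NAMES = {"S-1-5-21-3724561596-2688610176-3820852040": "DEV"}
# Well-known SIDs and domain RIDs that resolve without any LSA or domain lookup.
WELL_KNOWN = {"S-1-5-7": ("ANONYMOUS LOGON", "NT AUTHORITY"),
              "S-1-5-18": ("SYSTEM", "NT AUTHORITY"), "S-1-5-19": ("LOCAL SERVICE", "NT AUTHORITY"),
              "S-1-5-32-544": ("Administrators", "BUILTIN"), "S-1-5-32-545": ("Users", "BUILTIN")}
DOMAIN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

def resolve_sid(sid, domain_names=DOMAIN_NAMES):
    """Return (account_name, domain), or None when the SID is unknown offline."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid}")
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    parts = sid.split("-")
    # Domain SIDs are S-1-5-21-<three sub-authorities>-<RID>; split off the RID.
    if len(parts) == 8 and parts[2:4] == ["5", "21"]:
        domain, rid = domain_names.get("-".join(parts[:7])), int(parts[7])
        if domain and rid in DOMAIN_RIDS:
            return DOMAIN_RIDS[rid], domain
    return None  # e.g. an ordinary domain user: needs the real directory lookup

def translate_sid(event, field, name_target, domain_target):
    """Mimic the processor: keep the SID, write name/domain to new fields; unknown SIDs leave the event untouched."""
    src = event
    for key in field.split("."):
        src = src.get(key, {}) if isinstance(src, dict) else {}
    resolved = resolve_sid(src) if isinstance(src, str) else None
    if resolved is None:
        return event
    for target, value in zip((name_target, domain_target), resolved):
        node = event
        *path, leaf = target.split(".")
        for key in path:
            node = node.setdefault(key, {})
        node[leaf] = value
    return event

def enrich_4732(event):
    """Resolve both the added member and the target group of a 4732 event."""
    translate_sid(event, "event_data.MemberSid", "user.name", "user.domain")
    return translate_sid(event, "event_data.TargetSid", "group.name", "group.domain")
```

For the sample event the member resolves to DEV\Domain Admins being added to BUILTIN\Administrators, which is the kind of fact a detection rule can key on once the SID is translated.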

@MakoWish
Contributor

Perfect. Thank you, Andrew!

andrewkroh added a commit that referenced this issue Mar 12, 2020
…16941)

* Add translate_sid processor (#16013)

* Add translate_sid processor to Winlogbeat

The `translate_sid` processor translates a Windows security identifier (SID)
into an account name. It retrieves the name of the account associated with the
SID, the first domain on which the SID is found, and the type of account.

Closes #7451

(cherry picked from commit 65b31bd)
@mgovolt

mgovolt commented Jan 15, 2022

Is there any documentation for how this is supposed to work? I can find NOTHING on it. No examples, explanation, etc.
Does it only work on certain event ids?
Let's take an example of a log post adding the translate sid processor. Event code 4732. A member was added to a security-enabled local group.

Event.message is this:
Subject:
Security ID: S-1-5-18
Account Name: KAT-GOLD$
Account Domain: ACME
Logon ID: 0x3E7

Member:
Security ID: S-1-5-21-2506921386-1985662200-1028750493-10571
Account Name: -

Group:
Security ID: S-1-5-21-2258368003-3053585069-3447863528-1013
Group Name: Offer Remote Assistance Helpers
Group Domain: KAT-GOLD

Is translate_sid supposed to be modifying these values in event.message?
And/Or is it supposed to modify the beats created fields winlog.event_data.MemberSid and winlog.event_data.TargetSid? (Note: it does not do that, those are still just the SIDs)
I don't even know what to expect, since there is nothing documented about it, so I can't even begin to tell if it is working as intended.

@jamiehynds

We plan on adding the translate_sid processor to our Windows integrations to ensure MemberSid is automatically resolved. Please see new issue here for updates: elastic/integrations#3309
