windows: enrich user details from MemberSid where possible (#3707)

packages/windows/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.14.0"
+  changes:
+    - description: Use MemberSid to enrich for user name and domain where possible.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3707
 - version: "1.13.0"
   changes:
     - description: Added Processors for service datatstream.

packages/windows/data_stream/forwarded/agent/stream/winlog.yml.hbs

@@ -21,7 +21,14 @@ include_xml: true
 {{#contains "forwarded" tags}}
 publisher_pipeline.disable_host: true
 {{/contains}}
-{{#if processors.length}}
 processors:
+  - translate_sid:
+      field: winlog.event_data.MemberSid
+      account_name_target: winlog.event_data._MemberUserName
+      domain_target: winlog.event_data._MemberDomain
+      account_type_target: winlog.event_data._MemberAccountType
+      ignore_missing: true
+      ignore_failure: true
+{{#if processors.length}}
 {{processors}}
 {{/if}}

packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml

@@ -13,6 +13,31 @@ processors:
   - pipeline:
       name: '{{ IngestPipeline "sysmon_operational" }}'
       if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Microsoft-Windows-Sysmon/Operational"
+
+  # Get user details from the translate_sid processor enrichment
+  # if they are available and we don't already have them.
+  - rename:
+      field: winlog.event_data._MemberUserName
+      target_field: user.name
+      ignore_failure: true
+      ignore_missing: true
+  - rename:
+      field: winlog.event_data._MemberDomain
+      target_field: user.domain
+      ignore_failure: true
+      ignore_missing: true
+  - append:
+      value: '{{{winlog.event_data._MemberAccountType}}}'
+      field: user.roles
+      ignore_failure: true
+      allow_duplicates: false
+      if: ctx.winlog?.event_data?._MemberAccountType != null
+  - remove:
+      field: winlog.event_data._MemberAccountType
+      ignore_missing: true
+      ignore_failure: true
+      if: ctx.user?.roles != null && ctx.winlog?.event_data?._MemberAccountType != null && ctx.user.roles.contains(ctx.winlog.event_data._MemberAccountType)   
+
 on_failure:
   - set:
       field: "error.message"

packages/windows/data_stream/powershell/agent/stream/winlog.yml.hbs

@@ -18,7 +18,14 @@ tags:
 {{#if preserve_original_event}}
 include_xml: true
 {{/if}}
-{{#if processors.length}}
 processors:
+  - translate_sid:
+      field: winlog.event_data.MemberSid
+      account_name_target: winlog.event_data._MemberUserName
+      domain_target: winlog.event_data._MemberDomain
+      account_type_target: winlog.event_data._MemberAccountType
+      ignore_missing: true
+      ignore_failure: true
+{{#if processors.length}}
 {{processors}}
 {{/if}}

packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml

@@ -117,6 +117,29 @@ processors:
       ignore_failure: true
       allow_duplicates: false
       if: ctx?.user?.name != null
+  # Get user details from the translate_sid processor enrichment
+  # if they are available and we don't already have them.
+  - rename:
+      field: winlog.event_data._MemberUserName
+      target_field: user.name
+      ignore_failure: true
+      ignore_missing: true
+  - rename:
+      field: winlog.event_data._MemberDomain
+      target_field: user.domain
+      ignore_failure: true
+      ignore_missing: true
+  - append:
+      value: '{{{winlog.event_data._MemberAccountType}}}'
+      field: user.roles
+      ignore_failure: true
+      allow_duplicates: false
+      if: ctx.winlog?.event_data?._MemberAccountType != null
+  - remove:
+      field: winlog.event_data._MemberAccountType
+      ignore_missing: true
+      ignore_failure: true
+      if: ctx.user?.roles != null && ctx.winlog?.event_data?._MemberAccountType != null && ctx.user.roles.contains(ctx.winlog.event_data._MemberAccountType)   
 
   ## PowerShell fields.
 

packages/windows/data_stream/powershell_operational/agent/stream/winlog.yml.hbs

@@ -18,7 +18,13 @@ tags:
 {{#if preserve_original_event}}
 include_xml: true
 {{/if}}
-{{#if processors.length}}
 processors:
+  - translate_sid:
+      account_name_target: winlog.event_data._MemberUserName
+      domain_target:       winlog.event_data._MemberDomain
+      account_type_target: winlog.event_data._MemberAccountType
+      ignore_missing: true
+      ignore_failure: true
+{{#if processors.length}}
 {{processors}}
 {{/if}}

packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml

@@ -171,6 +171,29 @@ processors:
       ignore_failure: true
       ignore_empty_value: true
       if: ctx?.source?.user != null
+  # Get user details from the translate_sid processor enrichment
+  # if they are available and we don't already have them.
+  - rename:
+      field: winlog.event_data._MemberUserName
+      target_field: user.name
+      ignore_failure: true
+      ignore_missing: true
+  - rename:
+      field: winlog.event_data._MemberDomain
+      target_field: user.domain
+      ignore_failure: true
+      ignore_missing: true
+  - append:
+      value: '{{{winlog.event_data._MemberAccountType}}}'
+      field: user.roles
+      ignore_failure: true
+      allow_duplicates: false
+      if: ctx.winlog?.event_data?._MemberAccountType != null
+  - remove:
+      field: winlog.event_data._MemberAccountType
+      ignore_missing: true
+      ignore_failure: true
+      if: ctx.user?.roles != null && ctx.winlog?.event_data?._MemberAccountType != null && ctx.user.roles.contains(ctx.winlog.event_data._MemberAccountType)   
 
   ## PowerShell fields.
 

packages/windows/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs

@@ -18,7 +18,14 @@ tags:
 {{#if preserve_original_event}}
 include_xml: true
 {{/if}}
-{{#if processors.length}}
 processors:
+  - translate_sid:
+      field: winlog.event_data.MemberSid
+      account_name_target: winlog.event_data._MemberUserName
+      domain_target: winlog.event_data._MemberDomain
+      account_type_target: winlog.event_data._MemberAccountType
+      ignore_missing: true
+      ignore_failure: true
+{{#if processors.length}}
 {{processors}}
 {{/if}}

packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml

@@ -851,6 +851,29 @@ processors:
       ignore_failure: true
       ignore_empty_value: true
       if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2
+  # Get user details from the translate_sid processor enrichment
+  # if they are available and we don't already have them.
+  - rename:
+      field: winlog.event_data._MemberUserName
+      target_field: user.name
+      ignore_failure: true
+      ignore_missing: true
+  - rename:
+      field: winlog.event_data._MemberDomain
+      target_field: user.domain
+      ignore_failure: true
+      ignore_missing: true
+  - append:
+      value: '{{{winlog.event_data._MemberAccountType}}}'
+      field: user.roles
+      ignore_failure: true
+      allow_duplicates: false
+      if: ctx.winlog?.event_data?._MemberAccountType != null
+  - remove:
+      field: winlog.event_data._MemberAccountType
+      ignore_missing: true
+      ignore_failure: true
+      if: ctx.user?.roles != null && ctx.winlog?.event_data?._MemberAccountType != null && ctx.user.roles.contains(ctx.winlog.event_data._MemberAccountType)   
 
 ## Sysmon fields
 

packages/windows/manifest.yml

@@ -1,6 +1,6 @@
 name: windows
 title: Windows
-version: 1.13.0
+version: 1.14.0
 description: Collect logs and metrics from Windows OS and services with Elastic Agent.
 type: integration
 categories: