Windows Events | Resolve MemberSid #3309

jamiehynds · 2022-05-10T09:10:12Z

Problem: Our Windows Security pipeline does not automatically resolve MemberSid fields, causing a visibility gap when monitoring events such as Active Directory user/group creation and modification. Users can manually apply the translate_sid processor , but requires extra effort and awareness that the processor even exists.

Solution: Add the processor this to our integrations that handle Windows security logs. This would create new fields in the event distinguished from the original fields by using the underscore (_) prefix. The Ingest Pipeline could then be enhanced to map those value to the appropriate ECS fields based on the context of the event.

elasticmachine · 2022-05-10T09:10:22Z

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

jamiehynds added the Team:Security-External Integrations label May 10, 2022

jamiehynds added Integration:windows Windows Integration:system System enhancement New feature or request 8.4-candidate labels May 10, 2022

jamiehynds mentioned this issue May 10, 2022

[Winlogbeat] - Security Group Management MemberSid translation elastic/beats#7451

Closed

jamiehynds added 8.4 candidate and removed 8.4-candidate labels Jun 23, 2022

efd6 self-assigned this Jul 14, 2022

efd6 mentioned this issue Jul 14, 2022

windows: enrich user details from MemberSid where possible #3707

Merged

4 tasks

efd6 closed this as completed in #3707 Jul 15, 2022

elastic deleted a comment Jul 18, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Windows Events | Resolve MemberSid #3309

Windows Events | Resolve MemberSid #3309

jamiehynds commented May 10, 2022

elasticmachine commented May 10, 2022

Windows Events | Resolve MemberSid #3309

Windows Events | Resolve MemberSid #3309

Comments

jamiehynds commented May 10, 2022

elasticmachine commented May 10, 2022