elastic · efd6 · Aug 2, 2022 · Aug 2, 2022
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.19.1"
+  changes:
+    - description: Fix handling of security events 4674, 4738 and 3742.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3930
 - version: "1.19.0"
   changes:
     - description: Add ignore_older to remaining logs

@@ -67,6 +67,59 @@
             "host": {
                 "name": "DC01.contoso.local"
             }
+        },
+        {
+            "@timestamp": "2021-11-11T17:14:53.001Z",
+            "event": {
+                "action": "Sensitive Privilege Use",
+                "code": "4674",
+                "kind": "event",
+                "outcome": "success",
+                "provider": "Microsoft-Windows-Security-Auditing"
+            },
+            "host": {
+                "name": "DC_TEST2k12.TEST.SAAS"
+            },
+            "log": {
+                "level": "information"
+            },
+            "message": "An operation was attempted on a privileged object.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x5E2887\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tFile\n\tObject Name:\tC:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor\n\tObject Handle:\t0x1684\n\nProcess Information:\n\tProcess ID:\t0x3e4\n\tProcess Name:\tC:\\Windows\\System32\\svchost.exe\n\nRequested Operation:\n\tDesired Access:\tREAD_CONTROL\n\t\t\t\tACCESS_SYS_SEC\n\n\tPrivileges:\t\tSeSecurityPrivilege",
+            "winlog": {
+                "channel": "Security",
+                "computer_name": "DC_TEST2k12.TEST.SAAS",
+                "event_data": {
+                    "AccessMask": "%%1538\n\t\t\t\t%%1542\n\t\t\t\t",
+                    "HandleId": "0x1684",
+                    "ObjectName": "C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor",
+                    "ObjectServer": "Security",
+                    "ObjectType": "File",
+                    "PrivilegeList": "SeSecurityPrivilege",
+                    "ProcessId": "0x3e4",
+                    "ProcessName": "C:\\Windows\\System32\\svchost.exe",
+                    "SubjectDomainName": "TEST",
+                    "SubjectLogonId": "0x5e2887",
+                    "SubjectUserName": "at_adm",
+                    "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794"
+                },
+                "event_id": "4674",
+                "keywords": [
+                    "Audit Success"
+                ],
+                "level": "information",
+                "opcode": "Info",
+                "outcome": "success",
+                "process": {
+                    "pid": 604,
+                    "thread": {
+                        "id": 612
+                    }
+                },
+                "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+                "provider_name": "Microsoft-Windows-Security-Auditing",
+                "record_id": 18232147,
+                "task": "Sensitive Privilege Use",
+                "time_created": "2022-08-01T08:53:50.3336583Z"
+            }
         }
     ]
 }
@@ -95,6 +95,90 @@
                 "record_id": "1099680",
                 "time_created": "2015-10-09T00:22:36.237Z"
             }
+        },
+        {
+            "@timestamp": "2022-08-01T08:53:50.333Z",
+            "ecs": {
+                "version": "8.0.0"
+            },
+            "event": {
+                "action": "privileged-operation",
+                "category": [
+                    "iam"
+                ],
+                "code": "4674",
+                "kind": "event",
+                "outcome": "success",
+                "provider": "Microsoft-Windows-Security-Auditing",
+                "type": [
+                    "admin"
+                ]
+            },
+            "host": {
+                "name": "DC_TEST2k12.TEST.SAAS"
+            },
+            "log": {
+                "level": "information"
+            },
+            "message": "An operation was attempted on a privileged object.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x5E2887\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tFile\n\tObject Name:\tC:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor\n\tObject Handle:\t0x1684\n\nProcess Information:\n\tProcess ID:\t0x3e4\n\tProcess Name:\tC:\\Windows\\System32\\svchost.exe\n\nRequested Operation:\n\tDesired Access:\tREAD_CONTROL\n\t\t\t\tACCESS_SYS_SEC\n\n\tPrivileges:\t\tSeSecurityPrivilege",
+            "process": {
+                "executable": "C:\\Windows\\System32\\svchost.exe",
+                "name": "svchost.exe",
+                "pid": 996
+            },
+            "related": {
+                "user": [
+                    "at_adm"
+                ]
+            },
+            "user": {
+                "domain": "TEST",
+                "id": "S-1-5-21-1717121054-434620538-60925301-2794",
+                "name": "at_adm"
+            },
+            "winlog": {
+                "channel": "Security",
+                "computer_name": "DC_TEST2k12.TEST.SAAS",
+                "event_data": {
+                    "AccessMask": "%%1538\n\t\t\t\t%%1542\n\t\t\t\t",
+                    "AccessMaskDescription": [
+                        "Delete Child",
+                        "List Contents"
+                    ],
+                    "HandleId": "0x1684",
+                    "ObjectName": "C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor",
+                    "ObjectServer": "Security",
+                    "ObjectType": "File",
+                    "PrivilegeList": [
+                        "SeSecurityPrivilege"
+                    ],
+                    "SubjectDomainName": "TEST",
+                    "SubjectLogonId": "0x5e2887",
+                    "SubjectUserName": "at_adm",
+                    "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794"
+                },
+                "event_id": "4674",
+                "keywords": [
+                    "Audit Success"
+                ],
+                "level": "information",
+                "logon": {
+                    "id": "0x5e2887"
+                },
+                "opcode": "Info",
+                "outcome": "success",
+                "process": {
+                    "pid": 604,
+                    "thread": {
+                        "id": 612
+                    }
+                },
+                "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+                "provider_name": "Microsoft-Windows-Security-Auditing",
+                "record_id": "18232147",
+                "task": "Sensitive Privilege Use",
+                "time_created": "2022-08-01T08:53:50.3336583Z"
+            }
         }
     ]
 }
@@ -83,9 +83,7 @@
                     "TargetDomainName": "WIN-41OB2LO92CR",
                     "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005",
                     "TargetUserName": "elastictest1",
-                    "UserAccountControl": [
-                        "-"
-                    ],
+                    "UserAccountControl": "-",
                     "UserParameters": "%%1793",
                     "UserPrincipalName": "-",
                     "UserWorkstations": "%%1793"

@@ -819,7 +819,10 @@ processors:
         "0x01000000": TRUSTED_TO_AUTH_FOR_DELEGATION
         "0x04000000": PARTIAL_SECRETS_ACCOUNT
       source: |-
-        if (ctx?.winlog?.event_data?.NewUacValue == null) {
+        if (ctx.winlog?.event_data == null) {
+          return;
+        }
+        if (ctx.winlog.event_data.NewUacValue == null || ctx.winlog.event_data.NewUacValue == "-") {
           return;
         }
         Long newUacValue = Long.decode(ctx.winlog.event_data.NewUacValue);
@@ -834,7 +837,7 @@ processors:
           return;
         }
         ctx.winlog.event_data.put("NewUACList", uacResult);
-        if (ctx?.winlog?.event_data?.UserAccountControl == null) {
+        if (ctx.winlog.event_data.UserAccountControl == null || ctx.winlog.event_data.UserAccountControl == "-") {
           return;
         }
         ArrayList uac_array = new ArrayList();
@@ -2094,6 +2097,21 @@ processors:
           "0x40000000": ADS_RIGHT_GENERIC_WRITE
           "0x80000000": ADS_RIGHT_GENERIC_READ
       source: |-
+        def split(String s) {
+          def f = new ArrayList();
+          int last = 0;
+          for (; last < s.length() && Character.isWhitespace(s.charAt(last)); last++) {}
+          for (def i = last; i < s.length(); i++) {
+            if (!Character.isWhitespace(s.charAt(i))) {
+              continue;
+            }
+            f.add(s.substring(last, i));
+            for (; i < s.length() && Character.isWhitespace(s.charAt(i)); i++) {}
+            last = i;
+          }
+          f.add(s.substring(last));
+          return f;
+        }
         if (ctx?.winlog?.event_data?.FailureReason != null) {
           def code = ctx.winlog.event_data.FailureReason.replace("%%","");
           if (params.descriptions.containsKey(code)) {
@@ -2134,17 +2152,36 @@ processors:
         }
         if (ctx?.winlog?.event_data?.AccessMask != null) {
           ArrayList results = new ArrayList();
-          Long accessMask = Long.decode(ctx.winlog.event_data.AccessMask);
-          for (entry in params.AccessMaskDescriptions.entrySet()) {
-            Long accessFlag = Long.decode(entry.getKey());
-            if ((accessMask.longValue() & accessFlag.longValue()) == accessFlag.longValue()) {
-              results.add(entry.getValue());
+          for (elem in split(ctx.winlog.event_data.AccessMask)) {
+            def mask = elem.replace("%%","").trim();
+            if (mask == "") {
+              continue;
+            }
+            Long accessMask = Long.decode(mask);
+            for (entry in params.AccessMaskDescriptions.entrySet()) {
+              Long accessFlag = Long.decode(entry.getKey());
+              if ((accessMask.longValue() & accessFlag.longValue()) == accessFlag.longValue()) {
+                results.add(entry.getValue());
+              }
             }
           }
           if (results.length > 0) {
-            ctx.winlog.event_data.put("AccessMaskDescription", results);
+            ctx.winlog.event_data.put("_AccessMaskDescription", results);
           }
         }
+  - foreach:
+      field: winlog.event_data._AccessMaskDescription
+      processor:
+        append:
+          field: winlog.event_data.AccessMaskDescription
+          value: '{{{_ingest._value}}}'
+          allow_duplicates: false
+          ignore_failure: true
+      ignore_failure: true
+      if: ctx.winlog?.event_data?._AccessMaskDescription != null && ctx.winlog.event_data._AccessMaskDescription instanceof List
+  - remove:
+      field: winlog.event_data._AccessMaskDescription
+      ignore_failure: true
   - script:
       lang: painless
       ignore_failure: false

@@ -111,6 +111,8 @@
           type: keyword
         - name: Company
           type: keyword
+        - name: ComputerAccountChange
+          type: keyword
         - name: CorruptionActionState
           type: keyword
         - name: CrashOnAuditFailValue
@@ -133,6 +135,8 @@
           type: keyword
         - name: DisplayName
           type: keyword
+        - name: DnsHostName
+          type: keyword
         - name: DomainBehaviorVersion
           type: keyword
         - name: DomainName
@@ -359,6 +363,8 @@
           type: keyword
         - name: ServiceName
           type: keyword
+        - name: ServicePrincipalNames
+          type: keyword
         - name: ServiceSid
           type: keyword
         - name: ServiceStartType

@@ -686,6 +686,7 @@ An example event for `security` looks as following:
 | winlog.event_data.ClientName |  | keyword |
 | winlog.event_data.CommandLine |  | keyword |
 | winlog.event_data.Company |  | keyword |
+| winlog.event_data.ComputerAccountChange |  | keyword |
 | winlog.event_data.CorruptionActionState |  | keyword |
 | winlog.event_data.CrashOnAuditFailValue |  | keyword |
 | winlog.event_data.CreationUtcTime |  | keyword |
@@ -697,6 +698,7 @@ An example event for `security` looks as following:
 | winlog.event_data.DeviceVersionMajor |  | keyword |
 | winlog.event_data.DeviceVersionMinor |  | keyword |
 | winlog.event_data.DisplayName |  | keyword |
+| winlog.event_data.DnsHostName |  | keyword |
 | winlog.event_data.DomainBehaviorVersion |  | keyword |
 | winlog.event_data.DomainName |  | keyword |
 | winlog.event_data.DomainPolicyChanged |  | keyword |
@@ -809,6 +811,7 @@ An example event for `security` looks as following:
 | winlog.event_data.ServiceAccount |  | keyword |
 | winlog.event_data.ServiceFileName |  | keyword |
 | winlog.event_data.ServiceName |  | keyword |
+| winlog.event_data.ServicePrincipalNames |  | keyword |
 | winlog.event_data.ServiceSid |  | keyword |
 | winlog.event_data.ServiceStartType |  | keyword |
 | winlog.event_data.ServiceType |  | keyword |

@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: system
 title: System
-version: 1.19.0
+version: 1.19.1
 license: basic
 description: Collect system logs and metrics from your servers with Elastic Agent.
 type: integration