diff --git a/winlogbeat/.gitignore b/winlogbeat/.gitignore
index e48a3cb74cbb..95a09897efc4 100644
--- a/winlogbeat/.gitignore
+++ b/winlogbeat/.gitignore
@@ -1,5 +1,5 @@
 # Compiled Object files, Static and Dynamic libs (Shared Objects)
-winlogbeat
+/winlogbeat
 
 # Folders
 _obj
diff --git a/winlogbeat/cmd/root.go b/winlogbeat/cmd/root.go
index 8947d0bb9b18..aeb44503463b 100644
--- a/winlogbeat/cmd/root.go
+++ b/winlogbeat/cmd/root.go
@@ -27,6 +27,7 @@ import (
 
 	// Import the script processor and supporting modules.
 	_ "github.com/elastic/beats/libbeat/processors/script"
+	_ "github.com/elastic/beats/winlogbeat/processors/script/javascript/module/winlogbeat"
 )
 
 // Name of this beat
diff --git a/winlogbeat/processors/script/javascript/module/winlogbeat/doc.go b/winlogbeat/processors/script/javascript/module/winlogbeat/doc.go
new file mode 100644
index 000000000000..fc782636d09e
--- /dev/null
+++ b/winlogbeat/processors/script/javascript/module/winlogbeat/doc.go
@@ -0,0 +1,21 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Package winlogbeat registers the winlogbeat module with the javascript script
+// processor. The module has utilities specific to Winlogbeat like parsing
+// Windows command lines.
+package winlogbeat
diff --git a/winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat.go b/winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat.go
new file mode 100644
index 000000000000..dc9439c5c673
--- /dev/null
+++ b/winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat.go
@@ -0,0 +1,82 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// +build windows
+
+package winlogbeat
+
+import (
+	"syscall"
+	"unsafe"
+
+	"github.com/dop251/goja"
+	"github.com/dop251/goja_nodejs/require"
+)
+
+// SplitCommandLine splits a string into a list of space separated arguments.
+// See Window's CommandLineToArgvW for more details.
+func SplitCommandLine(cmd string) []string {
+	args, err := commandLineToArgvW(cmd)
+	if err != nil {
+		panic(err)
+	}
+
+	return args
+}
+
+func commandLineToArgvW(in string) ([]string, error) {
+	ptr, err := syscall.UTF16PtrFromString(in)
+	if err != nil {
+		return nil, err
+	}
+
+	var numArgs int32
+	argsWide, err := syscall.CommandLineToArgv(ptr, &numArgs)
+	if err != nil {
+		return nil, err
+	}
+
+	// Free memory allocated for CommandLineToArgvW arguments.
+	defer syscall.LocalFree((syscall.Handle)(unsafe.Pointer(argsWide)))
+
+	args := make([]string, numArgs)
+	for idx := range args {
+		args[idx] = syscall.UTF16ToString(argsWide[idx][:])
+	}
+	return args, nil
+}
+
+// Require registers the winlogbeat module that has utilities specific to
+// Winlogbeat like parsing Windows command lines. It can be accessed using:
+//
+// // javascript
+// var winlogbeat = require('winlogbeat');
+//
+func Require(vm *goja.Runtime, module *goja.Object) {
+	o := module.Get("exports").(*goja.Object)
+
+	o.Set("splitCommandLine", SplitCommandLine)
+}
+
+// Enable adds path to the given runtime.
+func Enable(runtime *goja.Runtime) {
+	runtime.Set("winlogbeat", require.Require(runtime, "winlogbeat"))
+}
+
+func init() {
+	require.RegisterNativeModule("winlogbeat", Require)
+}
diff --git a/winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat_test.go b/winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat_test.go
new file mode 100644
index 000000000000..45c339cc1f2c
--- /dev/null
+++ b/winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat_test.go
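Review bot: `SplitCommandLine` panics on the error from `commandLineToArgvW`, and it is exported to scripts as `splitCommandLine`, so a single malformed command-line value in an event (for example one containing a NUL, which `syscall.UTF16PtrFromString` rejects) would, as far as I can tell, unwind out of the script processor as a raw Go panic rather than surface as a JavaScript exception the script could handle. There is also no guard for the empty string: `CommandLineToArgvW` is documented to return the path of the current executable for an empty input, which here would put Winlogbeat's own binary into a parsed event instead of an empty argument list. I would register a closure in `Require` that returns `nil` for `""` and converts the error with `panic(vm.NewGoError(err))`, leaving `SplitCommandLine` unchanged for Go callers; the `Require` body below sketches this.
```go
func Require(vm *goja.Runtime, module *goja.Object) {
	o := module.Get("exports").(*goja.Object)

	// Script-facing wrapper: an empty string is not a usable command line
	// (CommandLineToArgvW substitutes the current executable's path), and a
	// parse error must become a JS exception rather than a Go panic.
	o.Set("splitCommandLine", func(cmd string) []string {
		if cmd == "" {
			return nil
		}
		args, err := commandLineToArgvW(cmd)
		if err != nil {
			panic(vm.NewGoError(err))
		}
		return args
	})
}
```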
@@ -0,0 +1,57 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// +build windows
+
+package winlogbeat
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+const quotedCommandLine = `"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\jimmy\AppData\Local\Steam\htmlcache" "-steampid=796" "-buildid=1546909276" "-steamid=0" "-steamuniverse=Dev" "-clientui=C:\Program Files (x86)\Steam\clientui" --disable-spell-checking --disable-out-of-process-pac --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-features=TouchpadAndWheelScrollLatching,AsyncWheelEvents --enable-media-stream --disable-smooth-scrolling --num-raster-threads=4 --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt"`
+
+func TestSplitCommandLine(t *testing.T) {
+	args := SplitCommandLine(quotedCommandLine)
+
+	for _, a := range args {
+		t.Log(a)
+	}
+
+	expected := []string{
+		`C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe`,
+		`-lang=en_US`,
+		`-cachedir=C:\Users\jimmy\AppData\Local\Steam\htmlcache`,
+		`-steampid=796`,
+		`-buildid=1546909276`,
+		`-steamid=0`,
+		`-steamuniverse=Dev`,
+		`-clientui=C:\Program Files (x86)\Steam\clientui`,
+		`--disable-spell-checking`,
+		`--disable-out-of-process-pac`,
+		`--enable-blink-features=ResizeObserver,Worklet,AudioWorklet`,
+		`--disable-features=TouchpadAndWheelScrollLatching,AsyncWheelEvents`,
+		`--enable-media-stream`,
+		`--disable-smooth-scrolling`,
+		`--num-raster-threads=4`,
+		`--enable-direct-write`,
+		`--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt`,
+	}
+	assert.Equal(t, expected, args)
+}
diff --git a/x-pack/winlogbeat/_meta/beat.yml.tmpl b/x-pack/winlogbeat/_meta/beat.yml.tmpl
index 5c2878664e41..f2660df68bd9 100644
--- a/x-pack/winlogbeat/_meta/beat.yml.tmpl
+++ b/x-pack/winlogbeat/_meta/beat.yml.tmpl
@@ -6,4 +6,17 @@ winlogbeat.event_logs:
   - name: System
   - name: Security
+    processors:
+      - script:
+          lang: javascript
+          id: security
+          file: ${path.home}/module/security/config/winlogbeat-security.js
+
+  - name: Microsoft-Windows-Sysmon/Operational
+    processors:
+      - script:
+          lang: javascript
+          id: sysmon
+          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
+
 {{if not .Reference}}{{ template "elasticsearch_settings" . }}{{end}}
diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
new file mode 100644
index 000000000000..c8c5973320ab
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
@@ -0,0 +1,86 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+var security = (function () {
+    var path = require("path");
+    var processor = require("processor");
+    var winlogbeat = require("winlogbeat");
+
+    var addAuthSuccess = new processor.AddFields({
+        fields: {
+            "event.category": "authentication",
+            "event.type": "authentication_success",
+        },
+        target: "",
+    });
+
+    var addAuthFailed = new processor.AddFields({
+        fields: {
+            "event.category": "authentication",
+            "event.type": "authentication_failed",
+        },
+        target: "",
+    });
+
+    var convertAuthentication = new processor.Convert({
+        fields: [
+            {from: "winlog.event_data.TargetUserSid", to: "user.id"},
+            {from: "winlog.event_data.TargetUserName", to: "user.name"},
+            {from: "winlog.event_data.TargetDomainName", to: "user.domain"},
+            {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"},
+            {from: "winlog.event_data.ProcessName", to: "process.executable"},
+            {from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"},
+            {from: "winlog.event_data.IpPort", to: "source.port", type: "long"},
+            {from: "winlog.event_data.WorkstationName", to: "source.domain"},
+        ],
+        mode: "rename",
+        ignore_missing: true,
+        fail_on_error: false,
+    });
+
+    var setProcessNameUsingExe = function(evt) {
+        var name = evt.Get("process.name");
+        if (name) {
+            return;
+        }
+        var exe = evt.Get("process.executable");
+        evt.Put("process.name", path.basename(exe));
+    };
+
+    var logonSuccess = new processor.Chain()
+        .Add(addAuthSuccess)
+        .Add(convertAuthentication)
+        .Add(setProcessNameUsingExe)
+        .Build();
+
+    var logonFailed = new processor.Chain()
+        .Add(addAuthFailed)
+        .Add(convertAuthentication)
+        .Add(setProcessNameUsingExe)
+        .Build();
+
+    return {
+        // 4624 - An account was successfully logged on.
+        4624: logonSuccess.Run,
+
+        // 4625 - An account failed to log on.
+        4625: logonFailed.Run,
+
+        // 4648 - A logon was attempted using explicit credentials.
+        4648: logonSuccess.Run,
+
+        process: function(evt) {
+            var event_id = evt.Get("winlog.event_id");
+            var processor = this[event_id];
+            if (processor === undefined) {
+                return;
+            }
+            processor(evt);
+        },
+    };
+})();
+
+function process(evt) {
+    return security.process(evt);
+}
diff --git a/x-pack/winlogbeat/module/security/test/security_windows_test.go b/x-pack/winlogbeat/module/security/test/security_windows_test.go
new file mode 100644
index 000000000000..03198ce5279d
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/security_windows_test.go
@@ -0,0 +1,15 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package test
+
+import (
+	"testing"
+
+	"github.com/elastic/beats/x-pack/winlogbeat/module"
+)
+
+func TestSecurity(t *testing.T) {
+	module.TestPipeline(t, "testdata/*.evtx", "../config/winlogbeat-security.js")
+}
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx
new file mode 100644
index 000000000000..c7bb37fc0675
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json
new file mode 100644
index 000000000000..d391d6fc87a3
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json
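Review bot: `setProcessNameUsingExe` passes `exe` to `path.basename` without checking that `process.executable` was set; the preceding Convert runs with `ignore_missing: true`, so an event without `ProcessName` reaches `path.basename` with a null value and whatever string the path module makes of it is written to `process.name`. Add `if (!exe) { return; }` before the `Put`. Separately, `4648` is routed through `logonSuccess` and labelled `authentication_success`, but to my knowledge that event records that explicit credentials were supplied for a logon attempt rather than its outcome, and its field set differs from 4624 (no `TargetUserSid`, for instance), so it probably deserves its own label or chain — worth confirming against the event schema. Finally, `this[event_id]` in `process` also resolves inherited properties; a `this.hasOwnProperty(event_id)` check would make the dispatch explicit.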
@@ -0,0 +1,1129 @@ +[ + { + "@timestamp": "2019-03-29T21:10:39.7868321Z", + "event": { + "action": "Logon", + "category": "authentication", + "code": 4624, + "kind": "event", + "type": "authentication_success" + }, + "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 508 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetLogonId": "0x3e7", + "TransmittedServices": "-" + }, + "event_id": 4624, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 536 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1535, + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:40.2555609Z", + "event": { + "action": "Logon", + "category": "authentication", + "code": 4624, + "kind": "event", + "type": "authentication_success" + }, + 
"log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 508 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetLogonId": "0x3e7", + "TransmittedServices": "-" + }, + "event_id": 4624, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1538, + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:40.3805426Z", + "event": { + "action": "Logon", + "category": "authentication", + "code": 4624, + "kind": "event", + "type": "authentication_success" + }, + 
"log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t2\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x1008E\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1c0\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\tVAGRANT-2012-R2\n\tSource Network Address:\t127.0.0.1\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tUser32 \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\winlogon.exe", + "name": "winlogon.exe", + "pid": 448 + }, + "source": { + "domain": "VAGRANT-2012-R2", + "ip": "127.0.0.1", + "port": 0 + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "User32 ", + "LogonType": "2", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetLogonId": "0x1008e", + "TransmittedServices": "-" + }, + "event_id": 4624, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1542, + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:40.5055514Z", + "event": { + "action": "Logon", + "category": 
"authentication", + "code": 4624, + "kind": "event", + "type": "authentication_success" + }, + "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 508 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetLogonId": "0x3e7", + "TransmittedServices": "-" + }, + "event_id": 4624, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1545, + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:40.6305447Z", + "event": { + "action": "Logon", + "category": "authentication", + "code": 4624, + "kind": "event", + "type": "authentication_success" + }, + 
"log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-7\n\tAccount Name:\t\tANONYMOUS LOGON\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x129F1\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V1\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "-", + "name": "-", + "pid": 0 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-7", + "name": "ANONYMOUS LOGON" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "NTLM", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "NTLM V1", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "NtLmSsp ", + "LogonType": "3", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", + "SubjectUserSid": "S-1-0-0", + "TargetLogonId": "0x129f1", + "TransmittedServices": "-" + }, + "event_id": 4624, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1547, + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:53.6617957Z", + "event": { + "action": "Logon", + "category": "authentication", + "code": 4624, + "kind": "event", + "type": "authentication_success" + }, + "log": { + "level": "information" + }, + "message": "An 
account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x28D31\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "-", + "name": "-", + "pid": 0 + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "NTLM", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "128", + "LmPackageName": "NTLM V2", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "NtLmSsp ", + "LogonType": "3", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", + "SubjectUserSid": "S-1-0-0", + "TargetLogonId": "0x28d31", + "TransmittedServices": "-" + }, + "event_id": 4624, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1550, + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:54.6618303Z", + "event": { + "action": "Logon", + "category": "authentication", + "code": 4624, + "kind": "event", + "type": "authentication_success" + }, + "log": { + "level": 
"information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x29F0F\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "-", + "name": "-", + "pid": 0 + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "NTLM", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "128", + "LmPackageName": "NTLM V2", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "NtLmSsp ", + "LogonType": "3", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", + "SubjectUserSid": "S-1-0-0", + "TargetLogonId": "0x29f0f", + "TransmittedServices": "-" + }, + "event_id": 4624, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 548 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1553, + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:55.4587259Z", + "event": { + "action": "Logon", + "category": "authentication", + "code": 4624, + "kind": "event", + "type": "authentication_success" + }, + "log": { + "level": 
"information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x2A362\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "-", + "name": "-", + "pid": 0 + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "NTLM", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "128", + "LmPackageName": "NTLM V2", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "NtLmSsp ", + "LogonType": "3", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", + "SubjectUserSid": "S-1-0-0", + "TargetLogonId": "0x2a362", + "TransmittedServices": "-" + }, + "event_id": 4624, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 548 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1556, + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:13:17.3025591Z", + "event": { + "action": "Logon", + "category": "authentication", + "code": 4624, + "kind": "event", + "type": "authentication_success" + }, + "log": { + "level": 
"information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x324F8\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t127.0.0.1\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "-", + "name": "-", + "pid": 0 + }, + "source": { + "domain": "127.0.0.1" + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "NTLM", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "128", + "LmPackageName": "NTLM V2", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "NtLmSsp ", + "LogonType": "3", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", + "SubjectUserSid": "S-1-0-0", + "TargetLogonId": "0x324f8", + "TransmittedServices": "-" + }, + "event_id": 4624, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 808 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1561, + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:13:17.5213056Z", + "event": { + "action": "Logon", + "category": "authentication", + "code": 4624, + "kind": "event", + "type": 
"authentication_success" + }, + "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t2\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-90-2\n\tAccount Name:\t\tDWM-2\n\tAccount Domain:\t\tWindow Manager\n\tLogon ID:\t\t0x33444\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0xafc\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\winlogon.exe", + "name": "winlogon.exe", + "pid": 2812 + }, + "user": { + "domain": "Window Manager", + "id": "S-1-5-90-2", + "name": "DWM-2" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "2", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetLogonId": "0x33444", + "TransmittedServices": "-" + }, + "event_id": 4624, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 548 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1563, + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:13:17.6149946Z", + "event": { + "action": "Logon", + "category": "authentication", + "code": 4624, + "kind": "event", + "type": "authentication_success" 
+ }, + "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t10\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x3444F\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0xafc\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\tVAGRANT-2012-R2\n\tSource Network Address:\t10.0.2.2\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tUser32 \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\winlogon.exe", + "name": "winlogon.exe", + "pid": 2812 + }, + "source": { + "domain": "VAGRANT-2012-R2", + "ip": "10.0.2.2", + "port": 0 + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "User32 ", + "LogonType": "10", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetLogonId": "0x3444f", + "TransmittedServices": "-" + }, + "event_id": 4624, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 808 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1567, + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:13:18.7869259Z", + "event": { + "action": "Logon", + "category": 
"authentication", + "code": 4624, + "kind": "event", + "type": "authentication_success" + }, + "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t2\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-90-3\n\tAccount Name:\t\tDWM-3\n\tAccount Domain:\t\tWindow Manager\n\tLogon ID:\t\t0x357FD\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x88c\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\winlogon.exe", + "name": "winlogon.exe", + "pid": 2188 + }, + "user": { + "domain": "Window Manager", + "id": "S-1-5-90-3", + "name": "DWM-3" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "2", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetLogonId": "0x357fd", + "TransmittedServices": "-" + }, + "event_id": 4624, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1570, + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:20:48.7402309Z", + "event": { + "action": "Logon", + "category": "authentication", + "code": 4624, + "kind": "event", + "type": "authentication_success" 
+ }, + "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 508 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetLogonId": "0x3e7", + "TransmittedServices": "-" + }, + "event_id": 4624, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 1132 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1574, + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:20:48.7402309Z", + "event": { + "action": "Logon", + "category": "authentication", + "code": 4624, + "kind": "event", + "type": "authentication_success" + }, 
+ "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 508 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetLogonId": "0x3e7", + "TransmittedServices": "-" + }, + "event_id": 4624, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 1132 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1576, + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:20:50.5840151Z", + "event": { + "action": "Logon", + "category": "authentication", + "code": 4624, + "kind": "event", + "type": "authentication_success" + }, 
+ "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 508 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetLogonId": "0x3e7", + "TransmittedServices": "-" + }, + "event_id": 4624, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 504 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1578, + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:23:42.5201798Z", + "event": { + "action": "Logon", + "category": "authentication", + "code": 4624, + "kind": "event", + "type": "authentication_success" + }, + 
"log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 508 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetLogonId": "0x3e7", + "TransmittedServices": "-" + }, + "event_id": 4624, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 1132 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1581, + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:26:24.1764267Z", + "event": { + "action": "Logon", + "category": "authentication", + "code": 4624, + "kind": "event", + "type": "authentication_success" + }, 
+ "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 508 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetLogonId": "0x3e7", + "TransmittedServices": "-" + }, + "event_id": 4624, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 344 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1583, + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:45:35.177054Z", + "event": { + "action": "Logon", + "category": "authentication", + "code": 4625, + "kind": "event", + "type": "authentication_failed" + }, + 
"log": { + "level": "information" + }, + "message": "An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x1008E\n\nLogon Type:\t\t\t2\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tbosch\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC0000064\n\nProcess Information:\n\tCaller Process ID:\t0x344\n\tCaller Process Name:\tC:\\Windows\\System32\\svchost.exe\n\nNetwork Information:\n\tWorkstation Name:\tVAGRANT-2012-R2\n\tSource Network Address:\t::1\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tseclogo\n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 836 + }, + "source": { + "domain": "VAGRANT-2012-R2", + "ip": "::1", + "port": 0 + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-0-0", + "name": "bosch" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "FailureReason": "%%2313", + "KeyLength": "0", + "LmPackageName": "-", + "LogonProcessName": "seclogo", + "LogonType": "2", + "Status": "0xc000006d", + "SubStatus": "0xc0000064", + "SubjectDomainName": "VAGRANT-2012-R2", + "SubjectLogonId": "0x1008e", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TransmittedServices": "-" + }, + "event_id": 4625, + "keywords": [ + "Audit Failure" + ], + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 2756 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1585, + "task": "Logon" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js new file mode 100644 index 000000000000..c4a2a1dc64b1 --- /dev/null +++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js 
@@ -0,0 +1,590 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +var sysmon = (function () { + var path = require("path"); + var processor = require("processor"); + var winlogbeat = require("winlogbeat"); + + var setProcessNameUsingExe = function(evt) { + setProcessNameFromPath(evt, "process.executable", "process.name"); + }; + + var setParentProcessNameUsingExe = function(evt) { + setProcessNameFromPath(evt, "process.parent.executable", "process.parent.name"); + }; + + var setProcessNameFromPath = function(evt, pathField, nameField) { + var name = evt.Get(nameField); + if (name) { + return; + } + var exe = evt.Get(pathField); + evt.Put(nameField, path.basename(exe)); + }; + + var splitCommandLine = function(evt, field) { + var commandLine = evt.Get(field); + if (!commandLine) { + return; + } + evt.Put(field, winlogbeat.splitCommandLine(commandLine)); + }; + + var splitProcessArgs = function(evt) { + splitCommandLine(evt, "process.args"); + }; + + var splitParentProcessArgs = function(evt) { + splitCommandLine(evt, "process.parent.args"); + }; + + var addUser = function(evt) { + var userParts = evt.Get("winlog.event_data.User").split("\\"); + if (userParts.length === 2) { + evt.Delete("user"); + evt.Put("user.name", userParts[0]); + evt.Put("user.domain", userParts[1]); + evt.Delete("winlog.event_data.User"); + } + }; + + var addNetworkDirection = function(evt) { + switch (evt.Get("winlog.event_data.Initiated")) { + case "true": + evt.Put("network.direction", "outbound"); + break; + case "false": + evt.Put("network.direction", "inbound"); + break; + } + evt.Delete("winlog.event_data.Initiated"); + }; + + var addNetworkType = function(evt) { + switch (evt.Get("winlog.event_data.SourceIsIpv6")) { + case "true": + evt.Put("network.type", "ipv6"); + break; + case "false": + 
evt.Put("network.type", "ipv4"); + break; + } + evt.Delete("winlog.event_data.SourceIsIpv6"); + evt.Delete("winlog.event_data.DestinationIsIpv6"); + }; + + var addHashes = function(evt, hashField) { + var hashes = evt.Get(hashField); + evt.Delete(hashField); + hashes.split(",").forEach(function(hash){ + var parts = hash.split("="); + if (parts.length !== 2) { + return; + } + + var key = parts[0].toLowerCase(); + var value = parts[1].toLowerCase(); + evt.Put("hash."+key, value); + }); + }; + + var splitHashes = function(evt) { + addHashes(evt, "winlog.event_data.Hashes"); + }; + + var splitHash = function(evt) { + addHashes(evt, "winlog.event_data.Hash"); + }; + + var removeEmptyEventData = function(evt) { + var eventData = evt.Get("winlog.event_data"); + if (eventData && Object.keys(eventData).length === 0) { + evt.Delete("winlog.event_data"); + } + }; + + var parseUtcTime = function(evt) { + var timestamp = evt.Get("winlog.event_data.UtcTime"); + if (!timestamp) { + return; + } + + var ms = Date.parse(timestamp.split(' ').join('T')); + if (isNaN(ms)) { + evt.Delete("winlog.event_data.UtcTime"); + return; + } + + var date = new Date(ms); + evt.Put("winlog.event_data.UtcTime", date); + }; + + var event1 = new processor.Chain() + .Add(parseUtcTime) + .Convert({ + fields: [ + {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, + {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, + {from: "winlog.event_data.Image", to: "process.executable"}, + {from: "winlog.event_data.CommandLine", to: "process.args"}, + {from: "winlog.event_data.CurrentDirectory", to: "process.working_directory"}, + {from: "winlog.event_data.ParentProcessGuid", to: "process.parent.entity_id"}, + {from: "winlog.event_data.ParentProcessId", to: "process.parent.pid", type: "long"}, + {from: "winlog.event_data.ParentImage", to: "process.parent.executable"}, + {from: "winlog.event_data.ParentCommandLine", to: 
"process.parent.args"}, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(setProcessNameUsingExe) + .Add(splitProcessArgs) + .Add(addUser) + .Add(splitHashes) + .Add(setParentProcessNameUsingExe) + .Add(splitParentProcessArgs) + .Add(removeEmptyEventData) + .Build(); + + var event2 = new processor.Chain() + .Add(parseUtcTime) + .Convert({ + fields: [ + {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, + {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, + {from: "winlog.event_data.Image", to: "process.executable"}, + {from: "winlog.event_data.TargetFilename", to: "file.path"}, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(setProcessNameUsingExe) + .Add(removeEmptyEventData) + .Build(); + + var event3 = new processor.Chain() + .Add(parseUtcTime) + .Convert({ + fields: [ + {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, + {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, + {from: "winlog.event_data.Image", to: "process.executable"}, + {from: "winlog.event_data.Protocol", to: "network.transport"}, + {from: "winlog.event_data.SourceIp", to: "source.ip", type: "ip"}, + {from: "winlog.event_data.SourceHostname", to: "source.domain", type: "string"}, + {from: "winlog.event_data.SourcePort", to: "source.port", type: "long"}, + {from: "winlog.event_data.DestinationIp", to: "destination.ip", type: "ip"}, + {from: "winlog.event_data.DestinationHostname", to: "destination.domain", type: "string"}, + {from: "winlog.event_data.DestinationPort", to: "destination.port", type: "long"}, + {from: "winlog.event_data.DestinationPortName", to: "network.protocol"}, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(setProcessNameUsingExe) + .Add(addUser) + .Add(addNetworkDirection) + 
.Add(addNetworkType) + .Add(removeEmptyEventData) + .Build(); + + var event4 = new processor.Chain() + .Add(parseUtcTime) + .Convert({ + fields: [ + {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(removeEmptyEventData) + .Build(); + + var event5 = new processor.Chain() + .Add(parseUtcTime) + .Convert({ + fields: [ + {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, + {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, + {from: "winlog.event_data.Image", to: "process.executable"}, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(setProcessNameUsingExe) + .Add(removeEmptyEventData) + .Build(); + + var event6 = new processor.Chain() + .Add(parseUtcTime) + .Convert({ + fields: [ + {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + {from: "winlog.event_data.ImageLoaded", to: "file.path"}, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(splitHashes) + .Add(removeEmptyEventData) + .Build(); + + var event7 = new processor.Chain() + .Add(parseUtcTime) + .Convert({ + fields: [ + {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, + {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, + {from: "winlog.event_data.Image", to: "process.executable"}, + {from: "winlog.event_data.ImageLoaded", to: "file.path"}, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(setProcessNameUsingExe) + .Add(splitHashes) + .Add(removeEmptyEventData) + .Build(); + + var event8 = new processor.Chain() + .Add(parseUtcTime) + .Convert({ + fields: [ + {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + {from: "winlog.event_data.SourceProcessGuid", to: "process.entity_id"}, + {from: "winlog.event_data.SourceProcessId", to: 
"process.pid", type: "long"}, + {from: "winlog.event_data.SourceImage", to: "process.executable"}, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(setProcessNameUsingExe) + .Add(removeEmptyEventData) + .Build(); + + var event9 = new processor.Chain() + .Add(parseUtcTime) + .Convert({ + fields: [ + {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, + {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, + {from: "winlog.event_data.Image", to: "process.executable"}, + {from: "winlog.event_data.Device", to: "file.path"}, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(setProcessNameUsingExe) + .Add(removeEmptyEventData) + .Build(); + + var event10 = new processor.Chain() + .Add(parseUtcTime) + .Convert({ + fields: [ + {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + {from: "winlog.event_data.SourceProcessGUID", to: "process.entity_id"}, + {from: "winlog.event_data.SourceProcessId", to: "process.pid", type: "long"}, + {from: "winlog.event_data.SourceThreadId", to: "process.thread.id", type: "long"}, + {from: "winlog.event_data.SourceImage", to: "process.executable"}, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(setProcessNameUsingExe) + .Add(removeEmptyEventData) + .Build(); + + var event11 = new processor.Chain() + .Add(parseUtcTime) + .Convert({ + fields: [ + {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, + {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, + {from: "winlog.event_data.Image", to: "process.executable"}, + {from: "winlog.event_data.TargetFilename", to: "file.path"}, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(setProcessNameUsingExe) + .Add(removeEmptyEventData) + .Build(); + + var event12 = new processor.Chain() + 
.Add(parseUtcTime) + .Convert({ + fields: [ + {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, + {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, + {from: "winlog.event_data.Image", to: "process.executable"}, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(setProcessNameUsingExe) + .Add(removeEmptyEventData) + .Build(); + + var event13 = new processor.Chain() + .Add(parseUtcTime) + .Convert({ + fields: [ + {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, + {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, + {from: "winlog.event_data.Image", to: "process.executable"}, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(setProcessNameUsingExe) + .Add(removeEmptyEventData) + .Build(); + + var event14 = new processor.Chain() + .Add(parseUtcTime) + .Convert({ + fields: [ + {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, + {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, + {from: "winlog.event_data.Image", to: "process.executable"}, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(setProcessNameUsingExe) + .Add(removeEmptyEventData) + .Build(); + + var event15 = new processor.Chain() + .Add(parseUtcTime) + .Convert({ + fields: [ + {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, + {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, + {from: "winlog.event_data.Image", to: "process.executable"}, + {from: "winlog.event_data.TargetFilename", to: "file.path"}, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(setProcessNameUsingExe) + .Add(splitHash) + 
.Add(removeEmptyEventData) + .Build(); + + var event16 = new processor.Chain() + .Add(parseUtcTime) + .Convert({ + fields: [ + {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(removeEmptyEventData) + .Build(); + + var event17 = new processor.Chain() + .Add(parseUtcTime) + .Convert({ + fields: [ + {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, + {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, + {from: "winlog.event_data.PipeName", to: "file.name"}, + {from: "winlog.event_data.Image", to: "process.executable"}, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(setProcessNameUsingExe) + .Add(removeEmptyEventData) + .Build(); + + var event18 = new processor.Chain() + .Add(parseUtcTime) + .Convert({ + fields: [ + {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"}, + {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, + {from: "winlog.event_data.PipeName", to: "file.name"}, + {from: "winlog.event_data.Image", to: "process.executable"}, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(setProcessNameUsingExe) + .Add(removeEmptyEventData) + .Build(); + + var event19 = new processor.Chain() + .Add(parseUtcTime) + .Convert({ + fields: [ + {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(addUser) + .Add(removeEmptyEventData) + .Build(); + + var event20 = new processor.Chain() + .Add(parseUtcTime) + .Convert({ + fields: [ + {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + {from: "winlog.event_data.Destination", to: "process.executable"}, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(addUser) + 
.Add(setProcessNameUsingExe) + .Add(removeEmptyEventData) + .Build(); + + var event21 = new processor.Chain() + .Add(parseUtcTime) + .Convert({ + fields: [ + {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(addUser) + .Add(removeEmptyEventData) + .Build(); + + var event255 = new processor.Chain() + .Add(parseUtcTime) + .Convert({ + fields: [ + {from: "winlog.event_data.UtcTime", to: "@timestamp"}, + {from: "winlog.event_data.ID", to: "error.code"}, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(removeEmptyEventData) + .Build(); + + return { + // Event ID 1 - Process Create. + 1: event1.Run, + + // Event ID 2 - File creation time changed. + 2: event2.Run, + + // Event ID 3 - Network connection detected. + 3: event3.Run, + + // Event ID 4 - Sysmon service state changed. + 4: event4.Run, + + // Event ID 5 - Process terminated. + 5: event5.Run, + + // Event ID 6 - Driver loaded. + 6: event6.Run, + + // Event ID 7 - Image loaded. + 7: event7.Run, + + // Event ID 8 - CreateRemoteThread detected. + 8: event8.Run, + + // Event ID 9 - RawAccessRead detected. + 9: event9.Run, + + // Event ID 10 - Process accessed. + 10: event10.Run, + + // Event ID 11 - File created. + 11: event11.Run, + + // Event ID 12 - Registry object added or deleted. + 12: event12.Run, + + // Event ID 13 - Registry value set. + 13: event13.Run, + + // Event ID 14 - Registry object renamed. + 14: event14.Run, + + // Event ID 15 - File stream created. + 15: event15.Run, + + // Event ID 16 - Sysmon config state changed. + 16: event16.Run, + + // Event ID 17 - Pipe Created. + 17: event17.Run, + + // Event ID 18 - Pipe Connected. + 18: event18.Run, + + // Event ID 19 - WmiEventFilter activity detected. + 19: event19.Run, + + // Event ID 20 - WmiEventConsumer activity detected. + 20: event20.Run, + + // Event ID 21 - WmiEventConsumerToFilter activity detected. 
+ 21: event21.Run,
+
+ // Event ID 255 - Error report.
+ 255: event255.Run,
+
+ process: function(evt) {
+ var event_id = evt.Get("winlog.event_id");
+ var processor= this[event_id];
+ if (processor === undefined) {
+ throw "unexpected sysmon event_id";
+ }
+ processor(evt);
+ },
+ };
+})();
+
+function process(evt) {
+ return sysmon.process(evt);
+}
diff --git a/x-pack/winlogbeat/module/sysmon/test/sysmon_windows_test.go b/x-pack/winlogbeat/module/sysmon/test/sysmon_windows_test.go
new file mode 100644
index 000000000000..2f1e367cc511
--- /dev/null
+++ b/x-pack/winlogbeat/module/sysmon/test/sysmon_windows_test.go
@@ -0,0 +1,24 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package test
+
+import (
+ "testing"
+
+ "github.com/elastic/beats/x-pack/winlogbeat/module"
+)
+
+// Ignore these fields so that the tests will pass if Sysmon is not installed.
+var ignoreFields = []string{
+ "event.action",
+ "message",
+ "winlog.opcode",
+ "winlog.task",
+}
+
+func TestSysmon(t *testing.T) {
+ module.TestPipeline(t, "testdata/*.evtx", "../config/winlogbeat-sysmon.js",
+ module.WithFieldFilter(ignoreFields))
+}
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx
new file mode 100644
index 000000000000..beb10ea812ba
Binary files /dev/null and b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx differ
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json
new file mode 100644
index 000000000000..1730e33f8690
--- /dev/null
+++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json
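Review bot: addUser maps the two halves of `winlog.event_data.User` to the wrong ECS fields: the Windows value is `DOMAIN\user`, so `userParts[0]` is the domain and `userParts[1]` the account name, yet the helper does `evt.Put("user.name", userParts[0]); evt.Put("user.domain", userParts[1]);`, and the sysmon golden file added by this same commit records the result for the SYSTEM account as `"domain": "SYSTEM", "name": "NT AUTHORITY"` while the Security-channel golden above has it the right way round (`"domain": "NT AUTHORITY"`, `"name": "SYSTEM"`). Swapping the two calls to `evt.Put("user.domain", userParts[0]); evt.Put("user.name", userParts[1]);` and regenerating the golden fixes it; until then any detection or correlation keyed on user.name or user.domain for Sysmon events 3, 19, 20 and 21 matches the wrong field. addUser also calls `.split` directly on the result of `evt.Get` without the `if (!value) { return; }` guard that splitCommandLine and parseUtcTime use, as does addHashes on Hashes/Hash, so an event missing that field aborts the whole chain with a TypeError instead of just skipping the enrichment. parseUtcTime depends on `Date.parse` treating a timezone-less `YYYY-MM-DDTHH:MM:SS.sss` string as UTC, which ES5.1 specified but ES2015+ reads as local time as I understand the spec; appending an explicit `"Z"` before parsing would make the resulting `@timestamp` independent of the engine's mode.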
@@ -0,0 +1,1671 @@ +[ + { + "@timestamp": "2019-03-18T16:57:37.933Z", + "event": { + "code": 16, + "kind": "event" + }, + "log": { + "level": "information" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "Configuration": "C:\\Users\\vagrant\\Downloads\\\"C:\\Users\\vagrant\\Downloads\\Sysmon.exe\" -i -n" + }, + "event_id": 16, + "process": { + "pid": 4616, + "thread": { + "id": 4724 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 1, + "user": { + "identifier": "S-1-5-21-3541430928-2051711210-1391384369-1001" + }, + "version": 3 + } + }, + { + "@timestamp": "2019-03-18T16:57:38.011Z", + "event": { + "code": 4, + "kind": "event" + }, + "log": { + "level": "information" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "SchemaVersion": "4.20", + "State": "Started", + "Version": "9.01" + }, + "event_id": 4, + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 2, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 3 + } + }, + { + "@timestamp": "2019-03-18T16:57:37.949Z", + "event": { + "code": 1, + "kind": "event" + }, + "hash": { + "sha1": "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e" + }, + "log": { + "level": "information" + }, + "process": { + "args": [ + "C:\\Windows\\Sysmon.exe" + ], + "entity_id": "{42F11C3B-CE01-5C8F-0000-0010C73E2A00}", + "executable": "C:\\Windows\\Sysmon.exe", + "name": "Sysmon.exe", + "parent": { + "args": [ + "C:\\Windows\\system32\\services.exe" + ], + "entity_id": "{42F11C3B-6E1A-5C8C-0000-0010F14D0000}", + "executable": 
"C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 488 + }, + "pid": 4860, + "working_directory": "C:\\Windows\\system32\\" + }, + "user": { + "domain": "SYSTEM", + "name": "NT AUTHORITY" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "Company": "Sysinternals - www.sysinternals.com", + "Description": "System activity monitor", + "FileVersion": "9.01", + "IntegrityLevel": "System", + "LogonGuid": "{42F11C3B-6E1A-5C8C-0000-0020E7030000}", + "LogonId": "0x3e7", + "Product": "Sysinternals Sysmon", + "TerminalSessionId": "0" + }, + "event_id": 1, + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 3, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:37.964Z", + "event": { + "code": 1, + "kind": "event" + }, + "hash": { + "sha1": "6df8163a6320b80b60733f9d62e2f39b4b16b678" + }, + "log": { + "level": "information" + }, + "process": { + "args": [ + "C:\\Windows\\system32\\wbem\\unsecapp.exe", + "-Embedding" + ], + "entity_id": "{42F11C3B-CE01-5C8F-0000-00102C412A00}", + "executable": "C:\\Windows\\System32\\wbem\\unsecapp.exe", + "name": "unsecapp.exe", + "parent": { + "args": [ + "C:\\Windows\\system32\\svchost.exe", + "-k", + "DcomLaunch" + ], + "entity_id": "{42F11C3B-6E1B-5C8C-0000-00102F610000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 560 + }, + "pid": 5028, + "working_directory": "C:\\Windows\\system32\\" + }, + "user": { + "domain": "SYSTEM", + "name": "NT AUTHORITY" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + 
"Company": "Microsoft Corporation", + "Description": "Sink to receive asynchronous callbacks for WMI client application", + "FileVersion": "6.3.9600.16384 (winblue_rtm.130821-1623)", + "IntegrityLevel": "System", + "LogonGuid": "{42F11C3B-6E1A-5C8C-0000-0020E7030000}", + "LogonId": "0x3e7", + "Product": "Microsoft® Windows® Operating System", + "TerminalSessionId": "0" + }, + "event_id": 1, + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 4, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:38.981Z", + "event": { + "code": 5, + "kind": "event" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42F11C3B-CDF4-5C8F-0000-0010E61E2A00}", + "executable": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\Sysmon.exe", + "name": "Sysmon.exe", + "pid": 4616 + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": 5, + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 5, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 3 + } + }, + { + "@timestamp": "2019-03-18T16:57:38.981Z", + "event": { + "code": 5, + "kind": "event" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42F11C3B-CDF4-5C8F-0000-0010071E2A00}", + "executable": "C:\\Users\\vagrant\\Downloads\\Sysmon.exe", + "name": "Sysmon.exe", + "pid": 4648 + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": 
5, + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 6, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 3 + } + }, + { + "@timestamp": "2019-03-18T16:57:39.012Z", + "event": { + "code": 1, + "kind": "event" + }, + "hash": { + "sha1": "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21" + }, + "log": { + "level": "information" + }, + "process": { + "args": [ + "C:\\Windows\\system32\\wbem\\wmiprvse.exe", + "-Embedding" + ], + "entity_id": "{42F11C3B-CE03-5C8F-0000-0010E9462A00}", + "executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "name": "WmiPrvSE.exe", + "parent": { + "args": [ + "C:\\Windows\\system32\\svchost.exe", + "-k", + "DcomLaunch" + ], + "entity_id": "{42F11C3B-6E1B-5C8C-0000-00102F610000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 560 + }, + "pid": 4508, + "working_directory": "C:\\Windows\\system32\\" + }, + "user": { + "domain": "SYSTEM", + "name": "NT AUTHORITY" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "Company": "Microsoft Corporation", + "Description": "WMI Provider Host", + "FileVersion": "6.3.9600.16384 (winblue_rtm.130821-1623)", + "IntegrityLevel": "System", + "LogonGuid": "{42F11C3B-6E1A-5C8C-0000-0020E7030000}", + "LogonId": "0x3e7", + "Product": "Microsoft® Windows® Operating System", + "TerminalSessionId": "0" + }, + "event_id": 1, + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 7, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + 
}, + { + "@timestamp": "2019-03-18T16:57:47.847Z", + "destination": { + "ip": "a00:203:3000:3000:3000:3000:3000:3300", + "port": 53 + }, + "event": { + "code": 3, + "kind": "event" + }, + "log": { + "level": "information" + }, + "network": { + "direction": "outbound", + "protocol": "domain", + "transport": "udp", + "type": "ipv6" + }, + "process": { + "entity_id": "{42F11C3B-0BAD-5C8C-0000-0010DFBC0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 924 + }, + "source": { + "ip": "a00:20f:0:0:18a2:6e00:e0:ffff", + "port": 62141 + }, + "user": { + "domain": "NETWORK SERVICE", + "name": "NT AUTHORITY" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": 3, + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 8, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.07Z", + "destination": { + "ip": "10.0.2.3", + "port": 53 + }, + "event": { + "code": 3, + "kind": "event" + }, + "log": { + "level": "information" + }, + "network": { + "direction": "inbound", + "protocol": "domain", + "transport": "udp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42F11C3B-0BAD-5C8C-0000-0010DFBC0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 924 + }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 62141 + }, + "user": { + "domain": "NETWORK SERVICE", + "name": "NT AUTHORITY" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": 3, + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + 
}, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 9, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.148Z", + "destination": { + "ip": "40.77.226.250", + "port": 443 + }, + "event": { + "code": 3, + "kind": "event" + }, + "log": { + "level": "information" + }, + "network": { + "direction": "outbound", + "protocol": "https", + "transport": "tcp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 + }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 1138 + }, + "user": { + "domain": "vagrant", + "name": "VAGRANT-2012-R2" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": 3, + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 10, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.214Z", + "destination": { + "ip": "40.77.226.250", + "port": 443 + }, + "event": { + "code": 3, + "kind": "event" + }, + "log": { + "level": "information" + }, + "network": { + "direction": "outbound", + "protocol": "https", + "transport": "tcp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 + }, + "source": { + "domain": 
"vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 1139 + }, + "user": { + "domain": "vagrant", + "name": "VAGRANT-2012-R2" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": 3, + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 11, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.25Z", + "destination": { + "ip": "10.0.2.255", + "port": 137 + }, + "event": { + "code": 3, + "kind": "event" + }, + "log": { + "level": "information" + }, + "network": { + "direction": "outbound", + "protocol": "netbios-ns", + "transport": "udp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42F11C3B-6E19-5C8C-0000-0010EB030000}", + "executable": "System", + "name": "System", + "pid": 4 + }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 137 + }, + "user": { + "domain": "SYSTEM", + "name": "NT AUTHORITY" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "SourcePortName": "netbios-ns" + }, + "event_id": 3, + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 12, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.25Z", + "destination": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 137 + }, + "event": { + "code": 3, + "kind": "event" + }, + "log": 
{ + "level": "information" + }, + "network": { + "direction": "inbound", + "protocol": "netbios-ns", + "transport": "udp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42F11C3B-6E19-5C8C-0000-0010EB030000}", + "executable": "System", + "name": "System", + "pid": 4 + }, + "source": { + "ip": "10.0.2.255", + "port": 137 + }, + "user": { + "domain": "SYSTEM", + "name": "NT AUTHORITY" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "SourcePortName": "netbios-ns" + }, + "event_id": 3, + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 13, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.25Z", + "destination": { + "ip": "ff02:0:0:0:0:0:1:3", + "port": 5355 + }, + "event": { + "code": 3, + "kind": "event" + }, + "log": { + "level": "information" + }, + "network": { + "direction": "outbound", + "protocol": "llmnr", + "transport": "udp", + "type": "ipv6" + }, + "process": { + "entity_id": "{42F11C3B-0BAD-5C8C-0000-0010DFBC0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 924 + }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "fe80:0:0:0:e488:b85c:5262:ff86", + "port": 55542 + }, + "user": { + "domain": "NETWORK SERVICE", + "name": "NT AUTHORITY" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": 3, + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 14, + "user": { + "domain": "NT 
AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.25Z", + "destination": { + "ip": "e000:fc:4300:6800:7200:6f00:6d00:6500", + "port": 5355 + }, + "event": { + "code": 3, + "kind": "event" + }, + "log": { + "level": "information" + }, + "network": { + "direction": "outbound", + "protocol": "llmnr", + "transport": "udp", + "type": "ipv6" + }, + "process": { + "entity_id": "{42F11C3B-0BAD-5C8C-0000-0010DFBC0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 924 + }, + "source": { + "ip": "a00:20f:0:0:18a2:6e00:e0:ffff", + "port": 55542 + }, + "user": { + "domain": "NETWORK SERVICE", + "name": "NT AUTHORITY" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": 3, + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 15, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.25Z", + "destination": { + "ip": "169.254.255.255", + "port": 137 + }, + "event": { + "code": 3, + "kind": "event" + }, + "log": { + "level": "information" + }, + "network": { + "direction": "outbound", + "protocol": "netbios-ns", + "transport": "udp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42F11C3B-6E19-5C8C-0000-0010EB030000}", + "executable": "System", + "name": "System", + "pid": 4 + }, + "source": { + "ip": "169.254.180.25", + "port": 137 + }, + "user": { + "domain": "SYSTEM", + "name": "NT AUTHORITY" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "SourcePortName": 
"netbios-ns" + }, + "event_id": 3, + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 16, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.251Z", + "destination": { + "ip": "169.254.180.25", + "port": 137 + }, + "event": { + "code": 3, + "kind": "event" + }, + "log": { + "level": "information" + }, + "network": { + "direction": "inbound", + "protocol": "netbios-ns", + "transport": "udp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42F11C3B-6E19-5C8C-0000-0010EB030000}", + "executable": "System", + "name": "System", + "pid": 4 + }, + "source": { + "ip": "169.254.255.255", + "port": 137 + }, + "user": { + "domain": "SYSTEM", + "name": "NT AUTHORITY" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "SourcePortName": "netbios-ns" + }, + "event_id": 3, + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 17, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.251Z", + "destination": { + "ip": "ff02:0:0:0:0:0:1:3", + "port": 5355 + }, + "event": { + "code": 3, + "kind": "event" + }, + "log": { + "level": "information" + }, + "network": { + "direction": "outbound", + "protocol": "llmnr", + "transport": "udp", + "type": "ipv6" + }, + "process": { + "entity_id": "{42F11C3B-0BAD-5C8C-0000-0010DFBC0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 924 + }, + "source": { + "ip": 
"fe80:0:0:0:616f:32fa:b04f:b419", + "port": 55717 + }, + "user": { + "domain": "NETWORK SERVICE", + "name": "NT AUTHORITY" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": 3, + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 18, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.251Z", + "destination": { + "ip": "e000:fc:0:0:0:0:0:0", + "port": 5355 + }, + "event": { + "code": 3, + "kind": "event" + }, + "log": { + "level": "information" + }, + "network": { + "direction": "outbound", + "protocol": "llmnr", + "transport": "udp", + "type": "ipv6" + }, + "process": { + "entity_id": "{42F11C3B-0BAD-5C8C-0000-0010DFBC0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 924 + }, + "source": { + "ip": "a9fe:b419:0:0:f880:2301:e0:ffff", + "port": 55717 + }, + "user": { + "domain": "NETWORK SERVICE", + "name": "NT AUTHORITY" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": 3, + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 19, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.264Z", + "destination": { + "ip": "40.77.226.250", + "port": 137 + }, + "event": { + "code": 3, + "kind": "event" + }, + "log": { + "level": "information" + }, + "network": { + "direction": "outbound", + "protocol": 
"netbios-ns", + "transport": "udp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42F11C3B-6E19-5C8C-0000-0010EB030000}", + "executable": "System", + "name": "System", + "pid": 4 + }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 137 + }, + "user": { + "domain": "SYSTEM", + "name": "NT AUTHORITY" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "SourcePortName": "netbios-ns" + }, + "event_id": 3, + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 20, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.276Z", + "destination": { + "ip": "10.0.2.3", + "port": 137 + }, + "event": { + "code": 3, + "kind": "event" + }, + "log": { + "level": "information" + }, + "network": { + "direction": "outbound", + "protocol": "netbios-ns", + "transport": "udp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42F11C3B-6E19-5C8C-0000-0010EB030000}", + "executable": "System", + "name": "System", + "pid": 4 + }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 137 + }, + "user": { + "domain": "SYSTEM", + "name": "NT AUTHORITY" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "SourcePortName": "netbios-ns" + }, + "event_id": 3, + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 21, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + 
"type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:49.213Z", + "destination": { + "ip": "169.254.255.255", + "port": 137 + }, + "event": { + "code": 3, + "kind": "event" + }, + "log": { + "level": "information" + }, + "network": { + "direction": "outbound", + "protocol": "netbios-ns", + "transport": "udp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42F11C3B-6E19-5C8C-0000-0010EB030000}", + "executable": "System", + "name": "System", + "pid": 4 + }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 137 + }, + "user": { + "domain": "SYSTEM", + "name": "NT AUTHORITY" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "SourcePortName": "netbios-ns" + }, + "event_id": 3, + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 22, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:49.218Z", + "destination": { + "ip": "169.254.180.25", + "port": 137 + }, + "event": { + "code": 3, + "kind": "event" + }, + "log": { + "level": "information" + }, + "network": { + "direction": "outbound", + "protocol": "netbios-ns", + "transport": "udp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42F11C3B-6E19-5C8C-0000-0010EB030000}", + "executable": "System", + "name": "System", + "pid": 4 + }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 137 + }, + "user": { + "domain": "SYSTEM", + "name": "NT AUTHORITY" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + 
"SourcePortName": "netbios-ns" + }, + "event_id": 3, + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 23, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.35Z", + "event": { + "code": 5, + "kind": "event" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42F11C3B-CCC6-5C8F-0000-001005082900}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 4832 + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": 5, + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 24, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 3 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.364Z", + "event": { + "code": 5, + "kind": "event" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42F11C3B-CCCC-5C8F-0000-0010E8272900}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 3208 + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": 5, + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 25, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known 
Group" + }, + "version": 3 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.387Z", + "event": { + "code": 2, + "kind": "event" + }, + "file": { + "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "CreationUtcTime": "2019-03-18 16:52:04.980", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.387" + }, + "event_id": 2, + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 26, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 4 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.417Z", + "event": { + "code": 2, + "kind": "event" + }, + "file": { + "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "CreationUtcTime": "2019-03-18 16:52:04.980", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.402" + }, + "event_id": 2, + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + 
"provider_name": "Microsoft-Windows-Sysmon", + "record_id": 27, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 4 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.417Z", + "event": { + "code": 2, + "kind": "event" + }, + "file": { + "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "CreationUtcTime": "2019-03-18 16:52:05.028", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.402" + }, + "event_id": 2, + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 28, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 4 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.417Z", + "event": { + "code": 2, + "kind": "event" + }, + "file": { + "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "CreationUtcTime": "2019-03-18 16:51:54.980", + 
"PreviousCreationUtcTime": "2019-03-18 16:57:52.417" + }, + "event_id": 2, + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 29, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 4 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.433Z", + "event": { + "code": 5, + "kind": "event" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42F11C3B-CCAB-5C8F-0000-001064EB2700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 2680 + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": 5, + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 30, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 3 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.433Z", + "event": { + "code": 2, + "kind": "event" + }, + "file": { + "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "CreationUtcTime": "2019-03-18 16:52:08.496", + "PreviousCreationUtcTime": 
"2019-03-18 16:57:52.417" + }, + "event_id": 2, + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 31, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 4 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.433Z", + "event": { + "code": 2, + "kind": "event" + }, + "file": { + "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "CreationUtcTime": "2019-03-18 16:52:05.339", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.417" + }, + "event_id": 2, + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 32, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 4 + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/testing_windows.go b/x-pack/winlogbeat/module/testing_windows.go new file mode 100644 index 000000000000..fe6b6dbc7fb5 --- /dev/null +++ b/x-pack/winlogbeat/module/testing_windows.go 
@@ -0,0 +1,201 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package module
+
+import (
+ "encoding/json"
+ "flag"
+ "io"
+ "io/ioutil"
+ "os"
+ "path/filepath"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+
+ "github.com/elastic/beats/libbeat/common"
+ "github.com/elastic/beats/libbeat/processors/script/javascript"
+ "github.com/elastic/beats/winlogbeat/checkpoint"
+ "github.com/elastic/beats/winlogbeat/eventlog"
+
+ // Register javascript modules.
+ _ "github.com/elastic/beats/libbeat/processors/script/javascript/module"
+ _ "github.com/elastic/beats/winlogbeat/processors/script/javascript/module/winlogbeat"
+)
+
+var update = flag.Bool("update", false, "update golden files")
+
+// Option configures the test behavior.
+type Option func(*params)
+
+type params struct {
+ ignoreFields []string
+}
+
+// WithFieldFilter filters the specified fields from the event prior to
+// creating the golden file.
+func WithFieldFilter(filter []string) Option {
+ return func(p *params) {
+ p.ignoreFields = filter
+ }
+}
+
+// TestPipeline tests the given pipeline by reading events from the .evtx files
+// and processing them with the pipeline. Then it compares the results against
+// a saved golden file. Use -update to regenerate the golden files.
+func TestPipeline(t *testing.T, evtx string, pipeline string, opts ...Option) {
+ files, err := filepath.Glob(evtx)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if len(files) == 0 {
+ t.Fatal("glob", evtx, "didn't match any files")
+ }
+
+ var p params
+ for _, o := range opts {
+ o(&p)
+ }
+
+ for _, f := range files {
+ t.Run(filepath.Base(f), func(t *testing.T) {
+ testPipeline(t, f, pipeline, &p)
+ })
+ }
+}
+
+func testPipeline(t testing.TB, evtx string, pipeline string, p *params) {
+ t.Helper()
+
+ path, err := filepath.Abs(evtx)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ // Open evtx file.
+ log, err := eventlog.New(common.MustNewConfigFrom(common.MapStr{
+ "name": path,
+ "api": "wineventlog",
+ "no_more_events": "stop",
+ }))
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer log.Close()
+
+ if err = log.Open(checkpoint.EventLogState{}); err != nil {
+ t.Fatal(err)
+ }
+
+ // Load javascript processor.
+ processor, err := javascript.New(common.MustNewConfigFrom(common.MapStr{
+ "file": pipeline,
+ }))
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ // Read and process events.
+ var events []common.MapStr
+ for stop := false; !stop; {
+ records, err := log.Read()
+ if err == io.EOF {
+ stop = true
+ } else if err != nil {
+ t.Fatal(err)
+ }
+
+ for _, r := range records {
+ record := r.ToEvent()
+ record.Delete("event.created")
+ record.Delete("log.file")
+
+ // Enrichment based on user.identifier varies based on the host
+ // where this is execute so remove it.
+ if userType, _ := record.GetValue("winlog.user.type"); userType != "Well Known Group" {
+ record.Delete("winlog.user.type")
+ record.Delete("winlog.user.name")
+ record.Delete("winlog.user.domain")
+ }
+
+ evt, err := processor.Run(&record)
+ if err != nil {
+ t.Fatalf("%v while processing event:\n%v", err, record.Fields.StringToPrint())
+ }
+
+ // Ensure timezone is UTC. In the normal Beats output this is handled
+ // by the encoder (go-structform).
+ evt.PutValue("@timestamp", evt.Timestamp.UTC())
+
+ events = append(events, filterEvent(evt.Fields, p.ignoreFields))
+ }
+ }
+
+ if *update {
+ writeGolden(t, path, events)
+ return
+ }
+
+ expected := readGolden(t, path)
+ if !assert.Len(t, events, len(expected)) {
+ return
+ }
+ for i, e := range events {
+ assert.EqualValues(t, expected[i], normalize(t, e))
+ }
+}
+
+func writeGolden(t testing.TB, source string, events []common.MapStr) {
+ data, err := json.MarshalIndent(events, "", " ")
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ if err := os.MkdirAll("testdata", 0755); err != nil {
+ t.Fatal(err)
+ }
+
+ outPath := filepath.Join("testdata", filepath.Base(source)+".golden.json")
+ if err := ioutil.WriteFile(outPath, data, 0644); err != nil {
+ t.Fatal(err)
+ }
+}
+
+func readGolden(t testing.TB, source string) []common.MapStr {
+ inPath := filepath.Join("testdata", filepath.Base(source)+".golden.json")
+
+ data, err := ioutil.ReadFile(inPath)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ var events []common.MapStr
+ if err = json.Unmarshal(data, &events); err != nil {
+ t.Fatal(err)
+ }
+
+ return events
+}
+
+func normalize(t testing.TB, m common.MapStr) common.MapStr {
+ data, err := json.Marshal(m)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ var out common.MapStr
+ if err = json.Unmarshal(data, &out); err != nil {
+ t.Fatal(err)
+ }
+
+ return out
+}
+
+func filterEvent(m common.MapStr, ignores []string) common.MapStr {
+ for _, f := range ignores {
+ m.Delete(f)
+ }
+ return m
+}
diff --git a/x-pack/winlogbeat/winlogbeat.reference.yml b/x-pack/winlogbeat/winlogbeat.reference.yml
index 4e8656d822e6..7aaa24eac85c 100644
--- a/x-pack/winlogbeat/winlogbeat.reference.yml
+++ b/x-pack/winlogbeat/winlogbeat.reference.yml
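Review bot: `testPipeline` dereferences the `evt` returned by `processor.Run` on the `evt.PutValue("@timestamp", evt.Timestamp.UTC())` line with no nil check; if the script processor can drop an event (returning a nil event with a nil error, as a script that cancels the event presumably would), the harness panics instead of reporting it, so a guard such as `if evt == nil { continue }` — or `t.Fatalf` if dropped events are unexpected for these pipelines — right after the error check seems warranted. Golden files are keyed only by `filepath.Base(source)` in `writeGolden` and `readGolden`, so two .evtx fixtures with the same base name in different directories would share one `testdata/*.golden.json` and silently overwrite each other under `-update`; including the parent directory name in the golden path would avoid that. The unexported helpers `testPipeline`, `writeGolden`, `readGolden`, `normalize` and `filterEvent`, and the `params` struct, carry no doc comments; one line each, e.g. `// normalize round-trips m through JSON so its value types match those decoded from a golden file.`, would make the comparison logic easier to follow.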
@@ -29,6 +29,19 @@ winlogbeat.event_logs: - name: System - name: Security + processors: + - script: + lang: javascript + id: security + file: ${path.home}/module/security/config/winlogbeat-security.js + + - name: Microsoft-Windows-Sysmon/Operational + processors: + - script: + lang: javascript + id: sysmon + file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js + #================================ General ====================================== diff --git a/x-pack/winlogbeat/winlogbeat.yml b/x-pack/winlogbeat/winlogbeat.yml index 30e628838812..f045f94ded40 100644 --- a/x-pack/winlogbeat/winlogbeat.yml +++ b/x-pack/winlogbeat/winlogbeat.yml @@ -24,6 +24,19 @@ winlogbeat.event_logs: - name: System - name: Security + processors: + - script: + lang: javascript + id: security + file: ${path.home}/module/security/config/winlogbeat-security.js + + - name: Microsoft-Windows-Sysmon/Operational + processors: + - script: + lang: javascript + id: sysmon + file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js + #==================== Elasticsearch template settings ========================== setup.template.settings: