Cherry-pick #20684 to 7.x: Audit and Authentication Policy Change Events (#23659)

* Audit and Authentication Policy Change Events (#20684)

* [Winlogbeat] Audit and Authentication Policy Change Events

Co-authored-by: Lee E. Hinman <lee.e.hinman@elastic.co>
(cherry picked from commit dd7a1b3)

* Remove 4912 evtx from testing (#23669)

- causing failures on Win 7,8, 2008R2 & 2012R2

(cherry picked from commit d4e193d)

* Add Winlogbeat Security Module Doc (#23674)

* Add Winlogbeat Security Module Doc

* Update source file used to generate security module docs

(cherry picked from commit ee485bd)

Co-authored-by: Anabella Cristaldi <33020901+janniten@users.noreply.github.com>
leehinman and janniten committed Feb 1, 2021
1 parent 7fe2eb4 commit 7fc2b2a
Showing 39 changed files with 1,623 additions and 20 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -689,6 +689,7 @@ port. {pull}19209[19209]
- Add dns.question.subdomain fields for sysmon DNS events. {pull}22999[22999]
- Add additional event categorization for security and sysmon modules. {pull}22988[22988]
- Add dns.question.top_level_domain fields for sysmon DNS events. {pull}23046[23046]
- Add Audit and Authentication Polixy Change Events and related.ip information {pull}20684[20684]

*Elastic Log Driver*

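Review bot: Typo in the added changelog line: "Polixy" should read "Policy", and the entry is missing the terminating period before the pull link that the neighbouring entries carry; suggest "- Add Audit and Authentication Policy Change Events and related.ip information. {pull}20684[20684]".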
16 changes: 16 additions & 0 deletions winlogbeat/docs/modules/security.asciidoc
Expand Up @@ -16,6 +16,7 @@ The module has transformations for the following event IDs:
* 4634 - An account was logged off.
* 4647 - User initiated logoff (interactive logon types).
* 4648 - A logon was attempted using explicit credentials.
* 4670 - Permissions on an object were changed.
* 4672 - Special privileges assigned to new logon.
* 4673 - A privileged service was called.
* 4674 - An operation was attempted on a privileged object.
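Review bot: Per the commit message ("Update source file used to generate security module docs"), winlogbeat/docs/modules/security.asciidoc is generated from x-pack/winlogbeat/module/security/_meta/docs.asciidoc, so any wording fixes to these new event-ID lines should be made in that source file and the docs regenerated rather than edited here; the two hunks are identical in this commit, which is what we want to keep true.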
Expand All @@ -27,6 +28,12 @@ The module has transformations for the following event IDs:
* 4700 - A scheduled task was enabled.
* 4701 - A scheduled task was disabled.
* 4702 - A scheduled task was updated.
* 4706 - A new trust was created to a domain.
* 4707 - A trust to a domain was removed.
* 4713 - Kerberos policy was changed.
* 4716 - Trusted domain information was modified.
* 4717 - System security access was granted to an account.
* 4718 - System security access was removed from an account.
* 4719 - System audit policy was changed.
* 4720 - A user account was created.
* 4722 - A user account was enabled.
Expand All @@ -45,6 +52,7 @@ The module has transformations for the following event IDs:
* 4735 - A security-enabled local group was changed.
* 4737 - A security-enabled global group was changed.
* 4738 - An user account was changed.
* 4739 - Domain Policy was changed.
* 4740 - An user account was locked out.
* 4741 - A computer account was created.
* 4742 - A computer account was changed.
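Review bot: Style: "4739 - Domain Policy was changed." capitalises "Policy" while the surrounding entries use lowercase ("4713 - Kerberos policy was changed.", "4719 - System audit policy was changed."); suggest "4739 - Domain policy was changed." for consistency. As this file is generated, apply the change in _meta/docs.asciidoc.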
Expand Down Expand Up @@ -105,6 +113,14 @@ The module has transformations for the following event IDs:
* 4781 - The name of an account was changed.
* 4798 - A user's local group membership was enumerated.
* 4799 - A security-enabled local group membership was enumerated.
* 4817 - Auditing settings on object were changed.
* 4902 - The Per-user audit policy table was created.
* 4904 - An attempt was made to register a security event source.
* 4905 - An attempt was made to unregister a security event source.
* 4906 - The CrashOnAuditFail value has changed.
* 4907 - Auditing settings on object were changed.
* 4908 - Special Groups Logon table modified.
* 4912 - Per User Audit Policy was changed.
* 4964 - Special groups have been assigned to a new logon.

More event IDs will be added.
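Review bot: Two of the added entries carry the same description ("4817 - Auditing settings on object were changed." and "4907 - Auditing settings on object were changed."), which gives a reader no way to tell the two events apart; suggest qualifying at least one of them (4817 is raised for global object access auditing settings) so the list stays useful. Also note that 4912 is documented here while the commit message says its evtx test fixture was removed because it fails on Win 7, 8, 2008R2 and 2012R2, so the 4912 transformation is now shipped without a regression test; consider tracking that in a follow-up issue. Minor: "Per-user" (4902) vs "Per User" (4912) capitalisation is inconsistent, and "4908 - Special Groups Logon table modified." lacks the "was" the other entries use.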
16 changes: 16 additions & 0 deletions x-pack/winlogbeat/module/security/_meta/docs.asciidoc
Expand Up @@ -16,6 +16,7 @@ The module has transformations for the following event IDs:
* 4634 - An account was logged off.
* 4647 - User initiated logoff (interactive logon types).
* 4648 - A logon was attempted using explicit credentials.
* 4670 - Permissions on an object were changed.
* 4672 - Special privileges assigned to new logon.
* 4673 - A privileged service was called.
* 4674 - An operation was attempted on a privileged object.
Expand All @@ -27,6 +28,12 @@ The module has transformations for the following event IDs:
* 4700 - A scheduled task was enabled.
* 4701 - A scheduled task was disabled.
* 4702 - A scheduled task was updated.
* 4706 - A new trust was created to a domain.
* 4707 - A trust to a domain was removed.
* 4713 - Kerberos policy was changed.
* 4716 - Trusted domain information was modified.
* 4717 - System security access was granted to an account.
* 4718 - System security access was removed from an account.
* 4719 - System audit policy was changed.
* 4720 - A user account was created.
* 4722 - A user account was enabled.
Expand All @@ -45,6 +52,7 @@ The module has transformations for the following event IDs:
* 4735 - A security-enabled local group was changed.
* 4737 - A security-enabled global group was changed.
* 4738 - An user account was changed.
* 4739 - Domain Policy was changed.
* 4740 - An user account was locked out.
* 4741 - A computer account was created.
* 4742 - A computer account was changed.
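Review bot: Style: "4739 - Domain Policy was changed." capitalises "Policy" while the surrounding entries use lowercase ("4713 - Kerberos policy was changed.", "4719 - System audit policy was changed."); suggest "4739 - Domain policy was changed." in this source file, then regenerate the module docs.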
Expand Down Expand Up @@ -105,6 +113,14 @@ The module has transformations for the following event IDs:
* 4781 - The name of an account was changed.
* 4798 - A user's local group membership was enumerated.
* 4799 - A security-enabled local group membership was enumerated.
* 4817 - Auditing settings on object were changed.
* 4902 - The Per-user audit policy table was created.
* 4904 - An attempt was made to register a security event source.
* 4905 - An attempt was made to unregister a security event source.
* 4906 - The CrashOnAuditFail value has changed.
* 4907 - Auditing settings on object were changed.
* 4908 - Special Groups Logon table modified.
* 4912 - Per User Audit Policy was changed.
* 4964 - Special groups have been assigned to a new logon.

More event IDs will be added.
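Review bot: The identical descriptions for 4817 and 4907 ("Auditing settings on object were changed.") should be differentiated in this source file (4817 is the global object access auditing variant) and the docs regenerated; the same hunk also documents 4912 even though the commit message records removing its evtx fixture from testing for Win 7, 8, 2008R2 and 2012R2, so the documented 4912 transformation currently has no test coverage. Minor: align "Per-user" (4902) with "Per User" (4912), and reword "4908 - Special Groups Logon table modified." to "... table was modified." to match the other entries.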