Audit and Authentication Policy Change Events (#20684)

* [Winlogbeat] Audit and Authentication Policy Change Events

Co-authored-by: Lee E. Hinman <lee.e.hinman@elastic.co>

CHANGELOG.next.asciidoc

@@ -978,6 +978,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add additional event categorization for security and sysmon modules. {pull}22988[22988]
 - Add dns.question.subdomain fields for sysmon DNS events. {pull}22999[22999]
 - Add dns.question.top_level_domain fields for sysmon DNS events. {pull}23046[23046]
+- Add Audit and Authentication Polixy Change Events and related.ip information {pull}20684[20684]
 
 *Elastic Log Driver*
 

x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.evtx.golden.json

@@ -0,0 +1,80 @@
+[
+  {
+    "@timestamp": "2020-07-28T13:22:18.7993488Z",
+    "event": {
+      "action": "permissions-changed",
+      "category": [
+        "iam",
+        "configuration"
+      ],
+      "code": 4670,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "admin",
+        "change"
+      ]
+    },
+    "host": {
+      "name": "WIN-BVM4LI1L1Q6.TEST.local"
+    },
+    "log": {
+      "level": "information"
+    },
+    "process": {
+      "executable": "C:\\Windows\\System32\\services.exe",
+      "name": "services.exe",
+      "pid": 764
+    },
+    "related": {
+      "user": "WIN-BVM4LI1L1Q6$"
+    },
+    "user": {
+      "domain": "TEST",
+      "id": "S-1-5-18",
+      "name": "WIN-BVM4LI1L1Q6$"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
+      "event_data": {
+        "HandleId": "0x56c",
+        "NewSd": "D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)",
+        "NewSdDacl0": "Local system :Access Allowed (Generic All)",
+        "NewSdDacl1": "OW :Access Allowed (Read Permissions)",
+        "NewSdDacl2": "S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628 :Access Allowed (Generic All)",
+        "ObjectName": "-",
+        "ObjectServer": "Security",
+        "ObjectType": "Token",
+        "OldSd": "D:(A;;GA;;;SY)(A;;GA;;;NS)",
+        "OldSdDacl0": "Local system :Access Allowed (Generic All)",
+        "OldSdDacl1": "Network service account :Access Allowed (Generic All)",
+        "SubjectDomainName": "TEST",
+        "SubjectLogonId": "0x3e7",
+        "SubjectUserName": "WIN-BVM4LI1L1Q6$",
+        "SubjectUserSid": "S-1-5-18"
+      },
+      "event_id": 4670,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x3e7"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 4,
+        "thread": {
+          "id": 4604
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 31932,
+      "task": "Authorization Policy Change"
+    }
+  }
+]

x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.evtx.golden.json

@@ -0,0 +1,72 @@
+[
+  {
+    "@timestamp": "2020-07-27T09:42:48.3690009Z",
+    "event": {
+      "action": "domain-trust-added",
+      "category": [
+        "configuration"
+      ],
+      "code": 4706,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "creation"
+      ]
+    },
+    "host": {
+      "name": "WIN-BVM4LI1L1Q6.TEST.local"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "Administrator"
+    },
+    "user": {
+      "domain": "TEST",
+      "id": "S-1-5-21-2024912787-2692429404-2351956786-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "activity_id": "{be129571-63f8-0000-a795-12bef863d601}",
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
+      "event_data": {
+        "DomainName": "192.168.230.153",
+        "DomainSid": "S-1-0-0",
+        "SidFilteringEnabled": "%%1796",
+        "SubjectDomainName": "TEST",
+        "SubjectLogonId": "0x6a868",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500",
+        "TdoAttributes": "1",
+        "TdoDirection": "3",
+        "TdoType": "3"
+      },
+      "event_id": 4706,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x6a868"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 776,
+        "thread": {
+          "id": 3056
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 6017,
+      "task": "Authentication Policy Change",
+      "trustAttribute": "TRUST_ATTRIBUTE_NON_TRANSITIVE",
+      "trustDirection": "TRUST_DIRECTION_BIDIRECTIONAL",
+      "trustType": "TRUST_TYPE_MIT"
+    }
+  }
+]

x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.evtx.golden.json

@@ -0,0 +1,64 @@
+[
+  {
+    "@timestamp": "2020-07-28T06:18:04.600444Z",
+    "event": {
+      "action": "domain-trust-removed",
+      "category": [
+        "configuration"
+      ],
+      "code": 4707,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "deletion"
+      ]
+    },
+    "host": {
+      "name": "WIN-BVM4LI1L1Q6.TEST.local"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "Administrator"
+    },
+    "user": {
+      "domain": "TEST",
+      "id": "S-1-5-21-2024912787-2692429404-2351956786-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
+      "event_data": {
+        "DomainName": "192.168.230.153",
+        "DomainSid": "S-1-0-0",
+        "SubjectDomainName": "TEST",
+        "SubjectLogonId": "0x6a868",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500"
+      },
+      "event_id": 4707,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x6a868"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 776,
+        "thread": {
+          "id": 2012
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 13679,
+      "task": "Authentication Policy Change"
+    }
+  }
+]

x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.evtx.golden.json

@@ -0,0 +1,64 @@
+[
+  {
+    "@timestamp": "2020-07-28T10:15:43.4951882Z",
+    "event": {
+      "action": "kerberos-policy-changed",
+      "category": [
+        "configuration"
+      ],
+      "code": 4713,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "change"
+      ]
+    },
+    "host": {
+      "name": "WIN-BVM4LI1L1Q6.TEST.local"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "WIN-BVM4LI1L1Q6$"
+    },
+    "user": {
+      "domain": "TEST",
+      "id": "S-1-5-18",
+      "name": "WIN-BVM4LI1L1Q6$"
+    },
+    "winlog": {
+      "activity_id": "{be129571-63f8-0000-a795-12bef863d601}",
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
+      "event_data": {
+        "KerberosPolicyChange": "KerMinT: 0x53d1ac1000 (0x53ade8ca00);  KerMaxR: 0x649534e0000 (0x58028e44000);  KerProxy: 0xd693a400 (0xb2d05e00);  ",
+        "SubjectDomainName": "TEST",
+        "SubjectLogonId": "0x3e7",
+        "SubjectUserName": "WIN-BVM4LI1L1Q6$",
+        "SubjectUserSid": "S-1-5-18"
+      },
+      "event_id": 4713,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x3e7"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 776,
+        "thread": {
+          "id": 2012
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 21265,
+      "task": "Authentication Policy Change"
+    }
+  }
+]

x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.evtx.golden.json

@@ -0,0 +1,72 @@
+[
+  {
+    "@timestamp": "2020-07-28T08:17:00.4706442Z",
+    "event": {
+      "action": "trusted-domain-information-changed",
+      "category": [
+        "configuration"
+      ],
+      "code": 4716,
+      "kind": "event",
+      "module": "security",
+      "outcome": "success",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": [
+        "change"
+      ]
+    },
+    "host": {
+      "name": "WIN-BVM4LI1L1Q6.TEST.local"
+    },
+    "log": {
+      "level": "information"
+    },
+    "related": {
+      "user": "Administrator"
+    },
+    "user": {
+      "domain": "TEST",
+      "id": "S-1-5-21-2024912787-2692429404-2351956786-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "activity_id": "{be129571-63f8-0000-a795-12bef863d601}",
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
+      "event_data": {
+        "DomainName": "-",
+        "DomainSid": "S-1-0-0",
+        "SidFilteringEnabled": "-",
+        "SubjectDomainName": "TEST",
+        "SubjectLogonId": "0x6a868",
+        "SubjectUserName": "Administrator",
+        "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500",
+        "TdoAttributes": "1",
+        "TdoDirection": "3",
+        "TdoType": "3"
+      },
+      "event_id": 4716,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "id": "0x6a868"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 776,
+        "thread": {
+          "id": 3776
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 14929,
+      "task": "Authentication Policy Change",
+      "trustAttribute": "TRUST_ATTRIBUTE_NON_TRANSITIVE",
+      "trustDirection": "TRUST_DIRECTION_BIDIRECTIONAL",
+      "trustType": "TRUST_TYPE_MIT"
+    }
+  }
+]