Add 4634 and 4647 (logoff events) to Security module (#12906)

This adds event ID 4634 and 4647 (logoff events) to the Security module. It also adds winlog.logon.type which is a descriptive version of the winlog.event_data.LogonType field. Co-authored-by: Anabella Cristaldi <anabella.cristaldi@gmail.com> Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
elastic · Jul 18, 2019 · 192f523 · 192f523
1 parent 833c022
commit 192f523
Show file tree

Hide file tree

Showing 10 changed files with 204 additions and 1 deletion.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -294,6 +294,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Winlogbeat*
 
 - Add support for reading from .evtx files. {issue}4450[4450]
+- Add support for event ID 4634 and 4647 to the Security module. {pull}12906[12906]
 
 ==== Deprecated
 

diff --git a/winlogbeat/_meta/fields.common.yml b/winlogbeat/_meta/fields.common.yml
@@ -193,6 +193,13 @@
           required: false
           description: The version number of the event's definition.
 
+        - name: logon.type
+          type: keyword
+          description: >
+            Logon type name. This is the descriptive version of the
+            `winlog.event_data.LogonType` ordinal. This is an enrichment added
+            by the Security module.
+
 # Aliases for the old fields
 - key: eventlog
   title: Event log record

diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc
@@ -4157,3 +4157,13 @@ required: False
 
 --
 
+*`winlog.logon.type`*::
++
+--
+Logon type name. This is the descriptive version of the `winlog.event_data.LogonType` ordinal. This is an enrichment added by the Security module.
+
+
+type: keyword
+
+--
+
diff --git a/winlogbeat/docs/modules/security.asciidoc b/winlogbeat/docs/modules/security.asciidoc
@@ -10,6 +10,8 @@ The module has transformations for the following event IDs:
 
 * 4624 - An account was successfully logged on.
 * 4625 - An account failed to log on.
+* 4634 - An account was logged off.
+* 4647 - User initiated logoff (interactive logon types).
 * 4648 - A logon was attempted using explicit credentials.
 
 More event IDs will be added.

diff --git a/winlogbeat/include/fields.go b/winlogbeat/include/fields.go
diff --git a/x-pack/winlogbeat/module/security/_meta/docs.asciidoc b/x-pack/winlogbeat/module/security/_meta/docs.asciidoc
@@ -10,6 +10,8 @@ The module has transformations for the following event IDs:
 
 * 4624 - An account was successfully logged on.
 * 4625 - An account failed to log on.
+* 4634 - An account was logged off.
+* 4647 - User initiated logoff (interactive logon types).
 * 4648 - A logon was attempted using explicit credentials.
 
 More event IDs will be added.

diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
@@ -7,6 +7,30 @@ var security = (function () {
     var processor = require("processor");
     var winlogbeat = require("winlogbeat");
 
+    var logonTypes = {
+        "2": "Interactive",
+        "3": "Network",
+        "4": "Batch",
+        "5": "Service",
+        "7": "Unlock",
+        "8": "NetworkCleartext",
+        "9": "NewCredentials",
+        "10": "RemoteInteractive",
+        "11": "CachedInteractive",
+    };
+
+    var addLogonType = function(evt) {
+        var lt = evt.Get("winlog.event_data.LogonType");
+        if (!lt) {
+            return;
+        }
+        var descriptiveLogonType = logonTypes[lt];
+        if (descriptiveLogonType === undefined) {
+            return;
+        }
+        evt.Put("winlog.logon.type", descriptiveLogonType);
+    };
+
     var addAuthSuccess = new processor.AddFields({
         fields: {
             "event.category": "authentication",
@@ -48,15 +72,22 @@ var security = (function () {
         evt.Put("process.name", path.basename(exe));
     };
 
+    var logoff = new processor.Chain()
+        .Add(convertAuthentication)
+        .Add(addLogonType)
+        .Build();
+
     var logonSuccess = new processor.Chain()
         .Add(addAuthSuccess)
         .Add(convertAuthentication)
+        .Add(addLogonType)
         .Add(setProcessNameUsingExe)
         .Build();
 
     var logonFailed = new processor.Chain()
         .Add(addAuthFailed)
         .Add(convertAuthentication)
+        .Add(addLogonType)
         .Add(setProcessNameUsingExe)
         .Build();
 
@@ -66,6 +97,12 @@ var security = (function () {
 
         // 4625 - An account failed to log on.
         4625: logonFailed.Run,
+
+        // 4634 - An account was logged off.
+        4634: logoff.Run,
+
+        // 4647 - User initiated logoff.
+        4647: logoff.Run,
 
         // 4648 - A logon was attempted using explicit credentials.
         4648: logonSuccess.Run,

diff --git a/...ck/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json b/...ck/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json
@@ -47,6 +47,9 @@
       "keywords": [
         "Audit Success"
       ],
+      "logon": {
+        "type": "Service"
+      },
       "opcode": "Info",
       "process": {
         "pid": 516,
@@ -109,6 +112,9 @@
       "keywords": [
         "Audit Success"
       ],
+      "logon": {
+        "type": "Service"
+      },
       "opcode": "Info",
       "process": {
         "pid": 516,
@@ -174,6 +180,9 @@
       "keywords": [
         "Audit Success"
       ],
+      "logon": {
+        "type": "Interactive"
+      },
       "opcode": "Info",
       "process": {
         "pid": 516,
@@ -236,6 +245,9 @@
       "keywords": [
         "Audit Success"
       ],
+      "logon": {
+        "type": "Service"
+      },
       "opcode": "Info",
       "process": {
         "pid": 516,
@@ -298,6 +310,9 @@
       "keywords": [
         "Audit Success"
       ],
+      "logon": {
+        "type": "Network"
+      },
       "opcode": "Info",
       "process": {
         "pid": 516,
@@ -360,6 +375,9 @@
       "keywords": [
         "Audit Success"
       ],
+      "logon": {
+        "type": "Network"
+      },
       "opcode": "Info",
       "process": {
         "pid": 516,
@@ -422,6 +440,9 @@
       "keywords": [
         "Audit Success"
       ],
+      "logon": {
+        "type": "Network"
+      },
       "opcode": "Info",
       "process": {
         "pid": 516,
@@ -484,6 +505,9 @@
       "keywords": [
         "Audit Success"
       ],
+      "logon": {
+        "type": "Network"
+      },
       "opcode": "Info",
       "process": {
         "pid": 516,
@@ -549,6 +573,9 @@
       "keywords": [
         "Audit Success"
       ],
+      "logon": {
+        "type": "Network"
+      },
       "opcode": "Info",
       "process": {
         "pid": 516,
@@ -611,6 +638,9 @@
       "keywords": [
         "Audit Success"
       ],
+      "logon": {
+        "type": "Interactive"
+      },
       "opcode": "Info",
       "process": {
         "pid": 516,
@@ -676,6 +706,9 @@
       "keywords": [
         "Audit Success"
       ],
+      "logon": {
+        "type": "RemoteInteractive"
+      },
       "opcode": "Info",
       "process": {
         "pid": 516,
@@ -738,6 +771,9 @@
       "keywords": [
         "Audit Success"
       ],
+      "logon": {
+        "type": "Interactive"
+      },
       "opcode": "Info",
       "process": {
         "pid": 516,
@@ -800,6 +836,9 @@
       "keywords": [
         "Audit Success"
       ],
+      "logon": {
+        "type": "Service"
+      },
       "opcode": "Info",
       "process": {
         "pid": 516,
@@ -862,6 +901,9 @@
       "keywords": [
         "Audit Success"
       ],
+      "logon": {
+        "type": "Service"
+      },
       "opcode": "Info",
       "process": {
         "pid": 516,
@@ -924,6 +966,9 @@
       "keywords": [
         "Audit Success"
       ],
+      "logon": {
+        "type": "Service"
+      },
       "opcode": "Info",
       "process": {
         "pid": 516,
@@ -986,6 +1031,9 @@
       "keywords": [
         "Audit Success"
       ],
+      "logon": {
+        "type": "Service"
+      },
       "opcode": "Info",
       "process": {
         "pid": 516,
@@ -1048,6 +1096,9 @@
       "keywords": [
         "Audit Success"
       ],
+      "logon": {
+        "type": "Service"
+      },
       "opcode": "Info",
       "process": {
         "pid": 516,
@@ -1113,6 +1164,9 @@
       "keywords": [
         "Audit Failure"
       ],
+      "logon": {
+        "type": "Interactive"
+      },
       "opcode": "Info",
       "process": {
         "pid": 516,

diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.evtx
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.evtx.golden.json
@@ -0,0 +1,90 @@
+[
+  {
+    "@timestamp": "2019-05-17T11:06:58.210768Z",
+    "event": {
+      "action": "Logoff",
+      "code": 4634,
+      "kind": "event"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x767A77\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
+    "user": {
+      "domain": "WIN-41OB2LO92CR",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-1000",
+      "name": "audittest"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR",
+      "event_data": {
+        "LogonType": "3",
+        "TargetLogonId": "0x767a77"
+      },
+      "event_id": 4634,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "type": "Network"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 776,
+        "thread": {
+          "id": 540
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 485,
+      "task": "Logoff"
+    }
+  },
+  {
+    "@timestamp": "2019-05-19T16:15:38.542273Z",
+    "event": {
+      "action": "Logoff",
+      "code": 4634,
+      "kind": "event"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x104A4A6\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
+    "user": {
+      "domain": "WIN-41OB2LO92CR",
+      "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+      "name": "Administrator"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "WIN-41OB2LO92CR",
+      "event_data": {
+        "LogonType": "3",
+        "TargetLogonId": "0x104a4a6"
+      },
+      "event_id": 4634,
+      "keywords": [
+        "Audit Success"
+      ],
+      "logon": {
+        "type": "Network"
+      },
+      "opcode": "Info",
+      "process": {
+        "pid": 780,
+        "thread": {
+          "id": 820
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 747,
+      "task": "Logoff"
+    }
+  }
+]