[Winlogbeat] Add support for eventID 4688 & 4689 (elastic#14557)

* [Winlogbeat] Add support for eventID 4688 & 4689

- add support for 4688 (Process created)
- add support for 4689 (Process exited)
- Added event.category & event.type like sysmon module

Fixes elastic#14038

CHANGELOG.next.asciidoc

@@ -523,6 +523,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fill `event.provider`. {pull}13937[13937]
 - Add support for user management events to the Security module. {pull}13530[13530]
 - GA the Winlogbeat `sysmon` module. {pull}14326[14326]
+- Add support for event ID 4688 & 4689 (Process create & exit) to the Security module. {issue}14038[14038]
 
 ==== Deprecated
 

winlogbeat/docs/modules/security.asciidoc

@@ -14,6 +14,8 @@ The module has transformations for the following event IDs:
 * 4647 - User initiated logoff (interactive logon types).
 * 4648 - A logon was attempted using explicit credentials.
 * 4672 - Special privileges assigned to new logon.
+* 4688 - A new process has been created.
+* 4689 - A process has exited.
 * 4720 - A user account was created.
 * 4722 - A user account was enabled.
 * 4723 - An attempt was made to change an account's password.

x-pack/winlogbeat/module/security/_meta/docs.asciidoc

@@ -14,6 +14,8 @@ The module has transformations for the following event IDs:
 * 4647 - User initiated logoff (interactive logon types).
 * 4648 - A logon was attempted using explicit credentials.
 * 4672 - Special privileges assigned to new logon.
+* 4688 - A new process has been created.
+* 4689 - A process has exited.
 * 4720 - A user account was created.
 * 4722 - A user account was enabled.
 * 4723 - An attempt was made to change an account's password.

x-pack/winlogbeat/module/security/config/winlogbeat-security.js

@@ -24,6 +24,8 @@ var security = (function () {
         "4625": "logon-failed",
         "4634": "logged-out",
         "4672": "logged-in-special",
+        "4688": "created-process",
+        "4689": "exited-process",
         "4720": "added-user-account",
         "4722": "enabled-user-account",
         "4723": "changed-password",
@@ -1192,6 +1194,49 @@ var security = (function () {
         target: "",
     });
 
+    var renameNewProcessFields = new processor.Chain()
+        .Convert({
+            fields: [
+                {from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"},
+                {from: "winlog.event_data.NewProcessName", to: "process.executable"},
+                {from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"}
+            ],
+            mode: "rename",
+            ignore_missing: true,
+            fail_on_error: false,
+        })
+        .Add(function(evt) {
+            var name = evt.Get("process.name");
+            if (name) {
+                return;
+            }
+            var exe = evt.Get("process.executable");
+            if (!exe) {
+                return;
+            }
+            evt.Put("process.name", path.basename(exe));
+        })
+        .Add(function(evt) {
+            var name = evt.Get("process.parent.name");
+            if (name) {
+                return;
+            }
+            var exe = evt.Get("process.parent.executable");
+            if (!exe) {
+                return;
+            }
+            evt.Put("process.parent.name", path.basename(exe));
+        })
+        .Add(function(evt) {
+            var cl = evt.Get("winlog.event_data.CommandLine");
+            if (!cl) {
+                return;
+            }
+            evt.Put("process.args", winlogbeat.splitCommandLine(cl));
+            evt.Put("process.command_line", cl);
+        })
+        .Build();
+
     // Handles 4634 and 4647.
     var logoff = new processor.Chain()
         .Add(copyTargetUser)
@@ -1235,6 +1280,26 @@ var security = (function () {
         .Add(addActionDesc)
         .Build();
 
+    var event4688 = new processor.Chain()
+        .Add(copySubjectUser)
+        .Add(renameNewProcessFields)
+        .Add(addActionDesc)
+        .Add(function(evt) {
+            evt.Put("event.category", "process");
+            evt.Put("event.type", "process_start");
+        })
+        .Build();
+
+    var event4689 = new processor.Chain()
+        .Add(copySubjectUser)
+        .Add(renameCommonAuthFields)
+        .Add(addActionDesc)
+        .Add(function(evt) {
+            evt.Put("event.category", "process");
+            evt.Put("event.type", "process_end");
+        })
+        .Build();
+
     var userMgmtEvts = new processor.Chain()
         .Add(copyTargetUser)
         .Add(copySubjectUserLogonId)
@@ -1267,6 +1332,12 @@ var security = (function () {
         // 4672 - Special privileges assigned to new logon.
         4672: event4672.Run,
 
+        // 4688 - A new process has been created.
+        4688: event4688.Run,
+
+        // 4689 - A process has exited.
+        4689: event4689.Run,
+
         // 4720 - A user account was created
         4720: userMgmtEvts.Run,
 

x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json

@@ -0,0 +1,73 @@
+[
+  {
+    "@timestamp": "2019-11-14T17:10:15.1515514Z",
+    "event": {
+      "action": "created-process",
+      "category": "process",
+      "code": 4688,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": "process_start"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A new process has been created.\n\nCreator Subject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274A2\n\nTarget Subject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nProcess Information:\n\tNew Process ID:\t\t0x11cc\n\tNew Process Name:\tC:\\Windows\\System32\\wevtutil.exe\n\tToken Elevation Type:\t%%1937\n\tMandatory Label:\t\tS-1-16-12288\n\tCreator Process ID:\t0x122c\n\tCreator Process Name:\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n\tProcess Command Line:\t\"C:\\Windows\\system32\\wevtutil.exe\" cl Security\n\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\n\nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\n\nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\n\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.",
+    "process": {
+      "args": [
+        "C:\\Windows\\system32\\wevtutil.exe",
+        "cl",
+        "Security"
+      ],
+      "command_line": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security",
+      "executable": "C:\\Windows\\System32\\wevtutil.exe",
+      "name": "wevtutil.exe",
+      "parent": {
+        "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
+        "name": "powershell.exe"
+      },
+      "pid": 4556
+    },
+    "user": {
+      "domain": "VAGRANT",
+      "id": "S-1-5-21-1610636575-2290000098-1654242922-1000",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant",
+      "event_data": {
+        "CommandLine": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security",
+        "MandatoryLabel": "S-1-16-12288",
+        "ProcessId": "0x122c",
+        "SubjectDomainName": "VAGRANT",
+        "SubjectLogonId": "0x274a2",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000",
+        "TargetDomainName": "-",
+        "TargetLogonId": "0x0",
+        "TargetUserName": "-",
+        "TargetUserSid": "S-1-0-0",
+        "TokenElevationType": "%%1937"
+      },
+      "event_id": 4688,
+      "keywords": [
+        "Audit Success"
+      ],
+      "opcode": "Info",
+      "process": {
+        "pid": 4,
+        "thread": {
+          "id": 5076
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 5010,
+      "task": "Process Creation",
+      "version": 2
+    }
+  }
+]

x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.evtx.golden.json

@@ -0,0 +1,161 @@
+[
+  {
+    "@timestamp": "2019-11-14T21:26:49.4961966Z",
+    "event": {
+      "action": "exited-process",
+      "category": "process",
+      "code": 4689,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": "process_end"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A process has exited.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274A2\n\nProcess Information:\n\tProcess ID:\t0x1524\n\tProcess Name:\tC:\\Windows\\System32\\wevtutil.exe\n\tExit Status:\t0x0",
+    "process": {
+      "executable": "C:\\Windows\\System32\\wevtutil.exe",
+      "name": "wevtutil.exe",
+      "pid": 5412
+    },
+    "user": {
+      "domain": "VAGRANT",
+      "id": "S-1-5-21-1610636575-2290000098-1654242922-1000",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant",
+      "event_data": {
+        "Status": "0x0",
+        "SubjectDomainName": "VAGRANT",
+        "SubjectLogonId": "0x274a2",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000"
+      },
+      "event_id": 4689,
+      "keywords": [
+        "Audit Success"
+      ],
+      "opcode": "Info",
+      "process": {
+        "pid": 4,
+        "thread": {
+          "id": 1168
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 7538,
+      "task": "Process Termination"
+    }
+  },
+  {
+    "@timestamp": "2019-11-14T21:27:46.9609089Z",
+    "event": {
+      "action": "exited-process",
+      "category": "process",
+      "code": 4689,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": "process_end"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A process has exited.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274F1\n\nProcess Information:\n\tProcess ID:\t0xf94\n\tProcess Name:\tC:\\Windows\\System32\\taskhostw.exe\n\tExit Status:\t0x0",
+    "process": {
+      "executable": "C:\\Windows\\System32\\taskhostw.exe",
+      "name": "taskhostw.exe",
+      "pid": 3988
+    },
+    "user": {
+      "domain": "VAGRANT",
+      "id": "S-1-5-21-1610636575-2290000098-1654242922-1000",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant",
+      "event_data": {
+        "Status": "0x0",
+        "SubjectDomainName": "VAGRANT",
+        "SubjectLogonId": "0x274f1",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000"
+      },
+      "event_id": 4689,
+      "keywords": [
+        "Audit Success"
+      ],
+      "opcode": "Info",
+      "process": {
+        "pid": 4,
+        "thread": {
+          "id": 500
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 7542,
+      "task": "Process Termination"
+    }
+  },
+  {
+    "@timestamp": "2019-11-14T21:28:18.4605129Z",
+    "event": {
+      "action": "exited-process",
+      "category": "process",
+      "code": 4689,
+      "kind": "event",
+      "module": "security",
+      "provider": "Microsoft-Windows-Security-Auditing",
+      "type": "process_end"
+    },
+    "log": {
+      "level": "information"
+    },
+    "message": "A process has exited.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274A2\n\nProcess Information:\n\tProcess ID:\t0xac8\n\tProcess Name:\tC:\\Windows\\System32\\wevtutil.exe\n\tExit Status:\t0x0",
+    "process": {
+      "executable": "C:\\Windows\\System32\\wevtutil.exe",
+      "name": "wevtutil.exe",
+      "pid": 2760
+    },
+    "user": {
+      "domain": "VAGRANT",
+      "id": "S-1-5-21-1610636575-2290000098-1654242922-1000",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Security",
+      "computer_name": "vagrant",
+      "event_data": {
+        "Status": "0x0",
+        "SubjectDomainName": "VAGRANT",
+        "SubjectLogonId": "0x274a2",
+        "SubjectUserName": "vagrant",
+        "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000"
+      },
+      "event_id": 4689,
+      "keywords": [
+        "Audit Success"
+      ],
+      "opcode": "Info",
+      "process": {
+        "pid": 4,
+        "thread": {
+          "id": 5636
+        }
+      },
+      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+      "provider_name": "Microsoft-Windows-Security-Auditing",
+      "record_id": 7544,
+      "task": "Process Termination"
+    }
+  }
+]