Add Winlogbeat Security Module Doc #23674

Merged 2 commits on Jan 26, 2021
16 changes: 16 additions & 0 deletions winlogbeat/docs/modules/security.asciidoc
Expand Up @@ -16,6 +16,7 @@ The module has transformations for the following event IDs:
* 4634 - An account was logged off.
* 4647 - User initiated logoff (interactive logon types).
* 4648 - A logon was attempted using explicit credentials.
* 4670 - Permissions on an object were changed.
* 4672 - Special privileges assigned to new logon.
* 4673 - A privileged service was called.
* 4674 - An operation was attempted on a privileged object.
Expand All @@ -27,6 +28,12 @@ The module has transformations for the following event IDs:
* 4700 - A scheduled task was enabled.
* 4701 - A scheduled task was disabled.
* 4702 - A scheduled task was updated.
* 4706 - A new trust was created to a domain.
* 4707 - A trust to a domain was removed.
* 4713 - Kerberos policy was changed.
* 4716 - Trusted domain information was modified.
* 4717 - System security access was granted to an account.
* 4718 - System security access was removed from an account.
* 4719 - System audit policy was changed.
* 4720 - A user account was created.
* 4722 - A user account was enabled.
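Review bot: The six entries added here (4706, 4707, 4713, 4716, 4717, 4718) sit under the heading "The module has transformations for the following event IDs", yet the visible diff changes only the two documentation files. Please link the change that added those transformations, or confirm they already ship, so the list does not promise processing the module lacks.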
Expand All @@ -45,6 +52,7 @@ The module has transformations for the following event IDs:
* 4735 - A security-enabled local group was changed.
* 4737 - A security-enabled global group was changed.
* 4738 - An user account was changed.
* 4739 - Domain Policy was changed.
* 4740 - An user account was locked out.
* 4741 - A computer account was created.
* 4742 - A computer account was changed.
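Review bot: The added 4739 line writes "Domain Policy" in title case while the 4713 entry added in the previous hunk writes "Kerberos policy"; pick one casing for the list, or state that the descriptions follow the Windows event text as-is. While touching this block, the context lines for 4738 and 4740 read "An user account" and could be corrected to "A user account".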
Expand Down Expand Up @@ -105,6 +113,14 @@ The module has transformations for the following event IDs:
* 4781 - The name of an account was changed.
* 4798 - A user's local group membership was enumerated.
* 4799 - A security-enabled local group membership was enumerated.
* 4817 - Auditing settings on object were changed.
* 4902 - The Per-user audit policy table was created.
* 4904 - An attempt was made to register a security event source.
* 4905 - An attempt was made to unregister a security event source.
* 4906 - The CrashOnAuditFail value has changed.
* 4907 - Auditing settings on object were changed.
* 4908 - Special Groups Logon table modified.
* 4912 - Per User Audit Policy was changed.
* 4964 - Special groups have been assigned to a new logon.

More event IDs will be added.
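Review bot: The new 4817 and 4907 entries carry the identical description, "Auditing settings on object were changed.", so a reader cannot tell from this list what separates the two event IDs; add a short qualifier to each. The per-user entries in the same hunk are also spelled two ways, "Per-user audit policy" (4902) and "Per User Audit Policy" (4912); use one form.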
16 changes: 16 additions & 0 deletions x-pack/winlogbeat/module/security/_meta/docs.asciidoc
Expand Up @@ -16,6 +16,7 @@ The module has transformations for the following event IDs:
* 4634 - An account was logged off.
* 4647 - User initiated logoff (interactive logon types).
* 4648 - A logon was attempted using explicit credentials.
* 4670 - Permissions on an object were changed.
* 4672 - Special privileges assigned to new logon.
* 4673 - A privileged service was called.
* 4674 - An operation was attempted on a privileged object.
Expand All @@ -27,6 +28,12 @@ The module has transformations for the following event IDs:
* 4700 - A scheduled task was enabled.
* 4701 - A scheduled task was disabled.
* 4702 - A scheduled task was updated.
* 4706 - A new trust was created to a domain.
* 4707 - A trust to a domain was removed.
* 4713 - Kerberos policy was changed.
* 4716 - Trusted domain information was modified.
* 4717 - System security access was granted to an account.
* 4718 - System security access was removed from an account.
* 4719 - System audit policy was changed.
* 4720 - A user account was created.
* 4722 - A user account was enabled.
Expand All @@ -45,6 +52,7 @@ The module has transformations for the following event IDs:
* 4735 - A security-enabled local group was changed.
* 4737 - A security-enabled global group was changed.
* 4738 - An user account was changed.
* 4739 - Domain Policy was changed.
* 4740 - An user account was locked out.
* 4741 - A computer account was created.
* 4742 - A computer account was changed.
Expand Down Expand Up @@ -105,6 +113,14 @@ The module has transformations for the following event IDs:
* 4781 - The name of an account was changed.
* 4798 - A user's local group membership was enumerated.
* 4799 - A security-enabled local group membership was enumerated.
* 4817 - Auditing settings on object were changed.
* 4902 - The Per-user audit policy table was created.
* 4904 - An attempt was made to register a security event source.
* 4905 - An attempt was made to unregister a security event source.
* 4906 - The CrashOnAuditFail value has changed.
* 4907 - Auditing settings on object were changed.
* 4908 - Special Groups Logon table modified.
* 4912 - Per User Audit Policy was changed.
* 4964 - Special groups have been assigned to a new logon.

More event IDs will be added.
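Review bot: Two hand-edited copies of the same list will drift: the four hunks in x-pack/winlogbeat/module/security/_meta/docs.asciidoc are line for line the same as those in winlogbeat/docs/modules/security.asciidoc. If one file is generated from the other, say so in the PR description and edit only the source; otherwise apply any wording fix (for example to the identical 4817 and 4907 descriptions in this hunk) to both files.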