Microsoft Windows Security Content Pack
This technology pack processes Windows Security event log messages, normalizing and enriching common events of interest. It also identifies every Windows event log message that no other technology pack has processed, normalizes its common event log fields, and stores it in a separate index.
Supported Versions
- Currently supported versions of the Windows operating system
Requirements
- Winlogbeat 8.x, NXLog Enterprise Edition 3.2, or NXLog Community Edition 2.10
- When using the Winlogbeat agent, the Beats type prefix must be enabled on the Graylog Beats input (that is, the input option "Do not add Beats type as prefix" must be left unchecked)
Stream Configuration
This technology pack includes 2 streams:
- "Illuminate:Windows Security Event Log Messages" -- contains all messages from the Windows Security event log
- "Illuminate:Windows Event Log Messages" -- contains all event log messages that have not been processed by this or any other technology pack
Index Set Configuration
This technology pack includes 2 index set definitions:
- "Windows Security Event Log Messages" -- contains all messages from the Windows Security event log
- "Windows Event Log Messages" -- contains all event log messages not processed by this or any other technology pack
Log Collection
The following log delivery agents are supported:
- Winlogbeat 8.x
- NXLog Enterprise Edition 3.2
- NXLog Community Edition 2.10
Graylog Sidecar Configuration
Please refer to the official documentation to set up Graylog Sidecar.
- Create a Beats input for Winlogbeat or a GELF input for NXLog in Graylog. When sending to a Beats input, ensure that the option "Do not add Beats type as prefix" is disabled (unchecked), so that the Beats type prefix is added to the fields.
- Create an API access token and a custom configuration for your chosen log delivery agent.
- See the following example configuration for Winlogbeat. This is only the event log selection; the Sidecar configuration must also contain the output section that points Winlogbeat at the Beats input:

```yaml
winlogbeat:
  event_logs:
    # Collect the Security channel; Application and System can be added as further list items.
    - name: Security
```

- See the following example configuration for NXLog. This is only the input block; an output module and a route that deliver the events to the GELF input are also required:

```
<Input eventlog>
    Module          im_msvistalog
    PollInterval    1
    # SavePos False together with ReadFromLast True makes the agent start at the newest
    # record every time it starts, so events written while it was stopped are never
    # collected. Set SavePos True if you need to resume from the last read position.
    SavePos         False
    ReadFromLast    True
    <QueryXML>
        <QueryList>
            <Query Id='1'>
                <Select Path='Security'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
```

- Install Graylog Sidecar on the client host.
- Edit the Graylog Sidecar client configuration with your Graylog server API URL and API access token.
What is Provided
- Parsing and normalization to extract Windows event logs into Graylog schema compatible fields
- Graylog Information Model categorization of messages
Events Processed by This Technology Pack
The Windows Security technology pack normalizes common event log fields on all Windows event log messages. The tables below list the normalized fields, the processed event IDs, and the GIM categorization assignments. Note that many of these event IDs are only written when the corresponding advanced audit policy subcategory is enabled on the host (for example, 4688 requires Process Creation auditing, and 4656/4663 additionally require a SACL on the audited object), so the presence of an ID in the list does not by itself mean the event is being collected.
Event IDs
| Event ID | Description |
|---|---|
| 1100 | The event logging service has shut down |
| 1101 | Audit events have been dropped by the transport |
| 1102 | The audit log was cleared |
| 1104 | The security log is now full |
| 1108 | The event logging service encountered an error |
| 4610 | An authentication package has been loaded by the Local Security Authority |
| 4611 | A trusted logon process has been registered with the Local Security Authority |
| 4614 | A notification package has been loaded by the Security Account Manager |
| 4616 | The system time was changed |
| 4622 | A security package has been loaded by the Local Security Authority |
| 4624 | An account was successfully logged on |
| 4625 | An account failed to log on |
| 4627 | Group membership information |
| 4634 | An account was logged off |
| 4647 | User initiated logoff |
| 4648 | A logon was attempted using explicit credentials |
| 4656 | A handle to an object was requested |
| 4657 | A registry value was modified |
| 4658 | The handle to an object was closed |
| 4660 | An object was deleted |
| 4663 | An attempt was made to access an object |
| 4672 | Special privileges assigned to new logon |
| 4673 | A privileged service was called |
| 4674 | An operation was attempted on a privileged object |
| 4688 | A new process has been created |
| 4689 | A process has exited |
| 4696 | A primary token was assigned to process |
| 4697 | A service was installed in the system |
| 4698 | A scheduled task was created |
| 4703 | A user right was adjusted |
| 4704 | A user right was assigned |
| 4705 | A user right was removed |
| 4719 | System audit policy was changed |
| 4720 | A user account was created |
| 4722 | A user account was enabled |
| 4723 | An attempt was made to change an account's password |
| 4724 | An attempt was made to reset an account's password |
| 4725 | A user account was disabled |
| 4726 | A user account was deleted |
| 4727 | A security-enabled global group was created |
| 4728 | A member was added to a security-enabled global group |
| 4729 | A member was removed from a security-enabled global group |
| 4730 | A security-enabled global group was deleted |
| 4731 | A security-enabled local group was created |
| 4732 | A member was added to a security-enabled local group |
| 4733 | A member was removed from a security-enabled local group |
| 4734 | A security-enabled local group was deleted |
| 4735 | A security-enabled local group was changed |
| 4737 | A security-enabled global group was changed |
| 4738 | A user account was changed |
| 4740 | A user account was locked out |
| 4741 | A computer account was created |
| 4742 | A computer account was changed |
| 4743 | A computer account was deleted |
| 4754 | A security-enabled universal group was created |
| 4755 | A security-enabled universal group was changed |
| 4756 | A member was added to a security-enabled universal group |
| 4757 | A member was removed from a security-enabled universal group |
| 4758 | A security-enabled universal group was deleted |
| 4764 | A group's type was changed |
| 4767 | A user account was unlocked |
| 4768 | A Kerberos authentication ticket (TGT) was requested |
| 4769 | A Kerberos service ticket was requested |
| 4770 | A Kerberos service ticket was renewed |
| 4771 | Kerberos pre-authentication failed |
| 4776 | The computer attempted to validate the credentials for an account |
| 4778 | A session was reconnected to a Window Station |
| 4779 | A session was disconnected from a Window Station |
| 4781 | The name of an account was changed |
| 4798 | A user's local group membership was enumerated |
| 4799 | A security-enabled local group membership was enumerated |
| 4820 | A Kerberos Ticket-Granting Ticket (TGT) was denied because the device does not meet the access control restrictions |
| 4821 | A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions |
| 4822 | NTLM authentication failed because the account was a member of the Protected User group |
| 4823 | NTLM authentication failed because access control restrictions are required |
| 4824 | Kerberos pre-authentication by using DES or RC4 failed because the account was a member of the Protected User group |
| 5136 | A directory service object was modified |
| 5140 | A network share object was accessed |
| 5145 | A network share object was checked to see whether client can be granted desired access |
| 5379 | User credentials were read |
| 6416 | A new external device was recognized by the system |
Parsed Fields
| Field Name | Example Value | Field Type | Description |
|---|---|---|---|
| application_name | Remote Desktop Services | keyword | Application associated with a remote interactive session (events 4778/4779) |
| authentication_method | Kerberos | keyword | Authentication method used (e.g. Kerberos, NTLM, NTLMv2) |
| authentication_protocol | Kerberos | keyword | Authentication protocol used during logon |
| event_code | 5140 | long | Windows Event ID |
| event_error_code | 0x12 | keyword | Error or failure code (e.g. Kerberos error code, NTSTATUS code) |
| event_log_name | security | keyword | Windows event log channel name in lowercase |
| event_outcome | success | keyword | Outcome of the event (success or failure) |
| event_received_time | 2024-09-20 10:00:00 | keyword | Time the event was received by the NXLog agent (NXLog only) |
| event_reporter | GRAYLOGLABDC1 | keyword | Hostname of the agent that delivered the event to Graylog (Winlogbeat only) |
| event_source | GRAYLOGLABDC1.grayloglab.com | keyword | Fully qualified hostname of the system that generated the event (Winlogbeat only) |
| event_source_product | windows | keyword | Always set to 'windows' for Windows Security events |
| event_uid | 6223518 | long | Unique Windows event record ID |
| file_path | \??\C:\Windows\SYSVOL | keyword | Local path of the accessed file or network share |
| gim_event_type_code | ["201500"] | array | GIM event type code(s) assigned to the event |
| object_type | File | keyword | Type of the audited object (e.g. File, Key) |
| privilege_assigned_name | ["SeTcbPrivilege"] | array | Privilege(s) assigned to an account (event 4703) |
| privilege_name | ["SeTcbPrivilege"] | array | Privilege(s) used or requested |
| privilege_removed_name | ["SeShutdownPrivilege"] | array | Privilege(s) removed from an account (event 4703) |
| process_id | 0x92c | keyword | ID of the process associated with the event |
| process_name | svchost.exe | keyword | Executable filename of the process |
| process_path | C:\Windows\System32\svchost.exe | keyword | Full path to the process executable |
| process_target_id | 0x1cc8 | keyword | Process ID of the newly created process (event 4688) |
| process_target_name | cmd.exe | keyword | Executable filename of the newly created process (event 4688) |
| process_target_path | C:\Windows\System32\cmd.exe | keyword | Full path to the newly created process executable (event 4688) |
| registry_path | HKLM\SOFTWARE\Policies | keyword | Registry key path (for registry object access events) |
| service_name | LSA | keyword | Service or object server name (events 4673/4674) |
| source_ip | 10.0.1.25 | keyword | Source IP address |
| source_port | 49201 | keyword | Source port number |
| source_reference | 10.0.1.25 | keyword | Source reference derived from the source IP address |
| source_user_domain | DC05 | keyword | Domain of the source/initiating user (events where Subject is the actor) |
| source_user_id | S-1-5-21-516985470-3561783665-4042718931-500 | keyword | SID of the source/initiating user |
| source_user_name | Administrator | keyword | Username of the source/initiating user |
| source_user_session_id | 0x73368 | keyword | Logon session ID of the source/initiating user |
| source_user_sid_authority1 | S-1-5-21 | keyword | SID authority prefix of the source user |
| source_user_sid_authority2 | 516985470-3561783665-4042718931 | keyword | SID sub-authority of the source user |
| source_user_sid_rid | 500 | keyword | SID relative identifier of the source user |
| source_user_type | well-known sid | keyword | Account type classification of the source user |
| target_user_domain | GRAYLOGLAB | keyword | Domain of the target account (logon and IAM events) |
| target_user_id | S-1-5-21-98903719-2683663973-4168234638-1113 | keyword | SID of the target account |
| target_user_name | testuser10 | keyword | Username of the target account |
| target_user_session_id | 0x69d52 | keyword | Logon session ID assigned to the target account |
| target_user_type | user | keyword | Account type classification of the target account |
| user_domain | GRAYLOGLAB | keyword | Domain of the user performing the action |
| user_id | S-1-5-21-98903719-2683663973-4168234638-1113 | keyword | SID of the user |
| user_id_mapped | Local System | keyword | Human-readable name for well-known SIDs (e.g. Local System, NT Authority) |
| user_name | testuser10 | keyword | Username of the user performing the action |
| user_session_id | 0x69d52 | keyword | Logon session ID of the user |
| user_sid_authority1 | S-1-5-21 | keyword | SID authority prefix |
| user_sid_authority2 | 98903719-2683663973-4168234638 | keyword | SID sub-authority |
| user_sid_rid | 1113 | keyword | SID relative identifier |
| user_type | user | keyword | Account type classification (user, computer, well-known sid) |
| vendor_access_mask | 16777216 | keyword | Access mask value requested for the operation (event 4674) |
| vendor_attribute_ldap_display_name | versionNumber | keyword | LDAP display name of the modified directory attribute (event 5136) |
| vendor_attribute_syntax_oid | 2.5.5.9 | keyword | OID of the modified attribute's syntax (event 5136) |
| vendor_attribute_value | 5 | keyword | New value of the modified directory attribute (event 5136) |
| vendor_directory_service_name | DC05.com | keyword | Name of the directory service (event 5136) |
| vendor_directory_service_type | %%14676 | keyword | Type code of the directory service (event 5136) |
| vendor_event_action | Audit Policy Change | keyword | Event action description from the agent |
| vendor_event_category | file share | keyword | Microsoft-defined event category derived from the Task field |
| vendor_event_description | A network share object was accessed | keyword | Human-readable description of the event |
| vendor_event_severity | INFO | keyword | Vendor-defined severity label (NXLog only) |
| vendor_event_severity_level | 2 | long | Vendor-defined numeric severity level (NXLog only) |
| vendor_group_membership | ["S-1-5-21-..."] | array | List of group SIDs the user belongs to (event 4627) |
| vendor_handle_id | 0x408 | keyword | Handle ID for the accessed object (events 4656/4660) |
| vendor_object_class | groupPolicyContainer | keyword | Object class of the directory service object (event 5136) |
| vendor_object_guid | {908a315f-fe92-4c64-91fe-fa78981d7c2b} | keyword | GUID of the directory service object (event 5136) |
| vendor_object_name | CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=POLICIES,... | keyword | Distinguished name of the directory service object or privileged object name (events 5136/4674) |
| vendor_opcode | Info | keyword | Windows event opcode description |
| vendor_opcode_value | 0 | long | Numeric Windows event opcode value |
| vendor_operation_correlation_id | {99690fab-4ed6-4cb5-b862-8c816411fb33} | keyword | Correlation GUID linking related directory service operations (event 5136) |
| vendor_operation_type | Value Added | keyword | Human-readable directory service operation type (event 5136) |
| vendor_operation_type_code | %%14674 | keyword | Internal code for the directory service operation type (event 5136) |
| vendor_share_name | \\*\ADMIN$ | keyword | UNC name of the accessed network share (event 5140) |
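The following is an added example, not code from the content pack, showing how a Winlogbeat 8.x Security event is mapped onto the field names in the table above: the lower-cased channel, the success/failure outcome taken from the audit keywords, the source (Subject) and target (Target) user blocks, and the SID decomposition into authority1, authority2 and RID. The sample event is constructed, and the user_type heuristic (non-domain SIDs and RIDs below 1000 are well-known, names ending in `$` are computers) and the well-known-SID table are this example's own assumptions about how the pack behaves.

```python
"""Added example, not part of the content pack: normalize a Winlogbeat 8.x
Security event (constructed below) into the field names in the table above.
The SID decomposition, the user_type heuristic and the well-known-SID table
are this example's own assumptions about how the pack behaves."""
import re

# Assumed subset of the well-known SIDs that user_id_mapped resolves to a name.
WELL_KNOWN_SIDS = {
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
    "S-1-5-7": "Anonymous Logon",
}
DOMAIN_PREFIX = "S-1-5-21"   # SIDs issued by a domain or a local SAM
BUILTIN_RID_CEILING = 1000   # RIDs below 1000 are reserved (500 Administrator, 502 krbtgt, 512 Domain Admins, ...)
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


def split_sid(sid):
    """Split a SID into (authority1, authority2, rid) as the parsed-fields table
    shows them: S-1-5-21-A-B-C-500 -> ("S-1-5-21", "A-B-C", "500")."""
    if not SID_RE.match(sid):
        return None, None, None
    parts = sid.split("-")                      # ["S", "1", "5", "21", "A", "B", "C", "500"]
    if len(parts) < 5:                          # S-1-5-18 and similar: nothing to split
        return sid, None, None
    authority1 = "-".join(parts[:4])
    authority2 = "-".join(parts[4:-1]) or None  # empty for S-1-5-32-544 (BUILTIN\Administrators)
    return authority1, authority2, parts[-1]


def map_well_known(sid):
    """user_id_mapped: human-readable name for a well-known SID, else None."""
    return WELL_KNOWN_SIDS.get(sid)


def classify_user_type(sid, name):
    """user_type heuristic (assumed): 'well-known sid', 'computer' or 'user'."""
    authority1, _, rid = split_sid(sid)
    if authority1 != DOMAIN_PREFIX:             # S-1-5-18, S-1-5-32-544, S-1-5-7, malformed ...
        return "well-known sid"
    if int(rid) < BUILTIN_RID_CEILING:          # built-in domain accounts such as RID 500
        return "well-known sid"
    if name.endswith("$"):                      # machine accounts are named HOST$
        return "computer"
    return "user"


def user_fields(prefix, sid, name, domain, logon_id):
    """Build the <prefix>_user_* fields for one account."""
    a1, a2, rid = split_sid(sid)
    return {f"{prefix}_user_id": sid, f"{prefix}_user_name": name,
            f"{prefix}_user_domain": domain, f"{prefix}_user_session_id": logon_id,
            f"{prefix}_user_sid_authority1": a1, f"{prefix}_user_sid_authority2": a2,
            f"{prefix}_user_sid_rid": rid, f"{prefix}_user_type": classify_user_type(sid, name)}


def normalize(event):
    """Map a Winlogbeat winlog.* document to the pack's field names (subset)."""
    w = event["winlog"]
    d = w["event_data"]
    code = int(w["event_id"])
    out = {
        "event_code": code,
        "event_log_name": w["channel"].lower(),
        "event_outcome": "success" if "Audit Success" in w["keywords"] else "failure",
        "event_uid": w["record_id"],
        "event_source": w["computer_name"],
        "event_source_product": "windows",
        "authentication_method": d.get("AuthenticationPackageName"),
        "source_ip": d.get("IpAddress"),
        "source_port": d.get("IpPort"),
    }
    # Subject* is the account that performed the action, Target* the account acted on.
    out.update(user_fields("source", d["SubjectUserSid"], d["SubjectUserName"],
                           d["SubjectDomainName"], d["SubjectLogonId"]))
    out.update(user_fields("target", d["TargetUserSid"], d["TargetUserName"],
                           d["TargetDomainName"], d["TargetLogonId"]))
    # Assumption: for logon/logoff events the user_* fields describe the Target account.
    actor = "target" if code in {4624, 4625, 4634, 4647} else "source"
    for k in list(out):
        if k.startswith(actor + "_user_"):
            out["user_" + k[len(actor) + 6:]] = out[k]
    out["user_id_mapped"] = map_well_known(out["user_id"])
    return out


# Constructed sample, not a captured event: a Kerberos network logon of testuser10.
SAMPLE_4624 = {"winlog": {
    "channel": "Security", "event_id": "4624", "record_id": 6223518,
    "computer_name": "GRAYLOGLABDC1.grayloglab.com", "keywords": ["Audit Success"],
    "event_data": {
        "SubjectUserSid": "S-1-5-18", "SubjectUserName": "GRAYLOGLABDC1$",
        "SubjectDomainName": "GRAYLOGLAB", "SubjectLogonId": "0x3e7",
        "TargetUserSid": "S-1-5-21-98903719-2683663973-4168234638-1113",
        "TargetUserName": "testuser10", "TargetDomainName": "GRAYLOGLAB",
        "TargetLogonId": "0x69d52", "LogonType": "3",
        "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.1.25", "IpPort": "49201",
    }}}

if __name__ == "__main__":
    for k, v in sorted(normalize(SAMPLE_4624).items()):
        print(f"{k:32} {v}")
```

Run it to see the flattened field set for the sample logon; the source side resolves to the well-known Local System SID while the target side yields the domain SID split that the table's `target_user_*` and `user_sid_*` examples show.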
GIM Categorization
GIM categorization is provided for the following messages:
| Windows Security Event ID | Additional Details | gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type |
|---|---|---|---|---|---|---|
| 1100 | | 220101 | endpoint | audit | audit.state | audit service stopped |
| 1101 | | 220102 | endpoint | audit | audit.state | audit error |
| 1102 | | 220000 | endpoint | audit | audit.integrity | audit log cleared |
| 1104 | | 220102 | endpoint | audit | audit.state | audit error |
| 1108 | | 220102 | endpoint | audit | audit.state | audit error |
| 4610 | Authentication package loaded by LSA | 211500 | endpoint | service | service.state | service installed |
| 4611 | Trusted logon process registered with LSA | 211500 | endpoint | service | service.state | service installed |
| 4614 | SAM notification package loaded | 211500 | endpoint | service | service.state | service installed |
| 4616 | | 260000 | endpoint | system_time | system_time.time_change | system time changed |
| 4622 | Security package loaded by LSA | 211500 | endpoint | service | service.state | service installed |
| 4624 | | 100000 | authentication | authentication | authentication.logon | logon |
| 4625 | | 100000 | authentication | authentication | authentication.logon | logon |
| 4627 | | 119500 | iam | iam | iam.information | group membership enumerated |
| 4634 | | 102500 | authentication | authentication | authentication.logoff | logoff |
| 4647 | | 102500 | authentication | authentication | authentication.logoff | logoff |
| 4648 | | 100003 | authentication | authentication | authentication.logon | logon with alternate credentials |
| 4656 | object_type=File | 201500 | endpoint | file | file.access | file accessed |
| 4656 | object_type=Key | 259999 | endpoint | registry | registry.default | registry event |
| 4656 | object_type=other | 000000 | message | message | message.log_message | message |
| 4657 | Registry value modified | 250003 | endpoint | registry | registry.value_change | registry value modified |
| 4658 | | 000000 | message | message | message.log_message | message |
| 4663 | object_type=File (read/write access) | 201500 | endpoint | file | file.access | file accessed |
| 4663 | object_type=File (write access) | 201000 | endpoint | file | file.modify | file modified |
| 4663 | object_type=File (other) | 209999 | endpoint | file | file.default | file event |
| 4663 | object_type=Key | 259999 | endpoint | registry | registry.default | registry event |
| 4663 | object_type=Key (write) | 250000 | endpoint | registry | registry.value_change | registry value set |
| 4672 | | 101000 | authentication | authentication | authentication.access notice | special logon |
| 4673 | | 101000 | authentication | authentication | authentication.access notice | special logon |
| 4674 | | 101000 | authentication | authentication | authentication.access notice | special logon |
| 4688 | | 190000 | endpoint | process | process.execute | process started |
| 4689 | | 190100 | endpoint | process | process.end | process stopped |
| 4696 | | 191000 | endpoint | process | process.action | process altered |
| 4697 | | 211500 | endpoint | service | service.state | service installed |
| 4698 | Scheduled task created | 229999 | endpoint | audit | audit.default | audit event |
| 4703 | | 111001 or 111002 | iam | iam | iam.object modify | privileges assigned or privileges removed |
| 4704 | | 111001 | iam | iam | iam.object modify | privileges assigned |
| 4705 | | 111002 | iam | iam | iam.object modify | privileges removed |
| 4719 | | 220500 | endpoint | audit | audit.policy | audit policy changed |
| 4720 | | 110000 | iam | iam | iam.object create | account created |
| 4722 | | 112001 | iam | iam | iam.object enable | account enabled |
| 4723 | | 111004 | iam | iam | iam.object modify | password change |
| 4724 | | 111005 | iam | iam | iam.object modify | administrative password reset |
| 4725 | | 111501 | iam | iam | iam.object disable | account disabled |
| 4726 | | 110500 | iam | iam | iam.object delete | account deleted |
| 4727 | | 110002 | iam | iam | iam.object create | group created |
| 4728 | | 111007 | iam | iam | iam.object modify | group member added |
| 4729 | | 111008 | iam | iam | iam.object modify | group member removed |
| 4730 | | 110501 | iam | iam | iam.object delete | group deleted |
| 4731 | | 110002 | iam | iam | iam.object create | group created |
| 4732 | | 111007 | iam | iam | iam.object modify | group member added |
| 4733 | | 111008 | iam | iam | iam.object modify | group member removed |
| 4734 | | 110501 | iam | iam | iam.object delete | group deleted |
| 4735 | | 111009 | iam | iam | iam.object modify | group properties modified |
| 4737 | | 111009 | iam | iam | iam.object modify | group properties modified |
| 4738 | | 111000 | iam | iam | iam.object modify | account modified |
| 4740 | | 111500 | iam | iam | iam.object disable | account locked |
| 4741 | | 110000 | iam | iam | iam.object create | account created |
| 4742 | | 111000 | iam | iam | iam.object modify | account modified |
| 4743 | | 110500 | iam | iam | iam.object delete | account deleted |
| 4754 | | 110002 | iam | iam | iam.object create | group created |
| 4755 | | 111009 | iam | iam | iam.object modify | group properties modified |
| 4756 | | 111007 | iam | iam | iam.object modify | group member added |
| 4757 | | 111008 | iam | iam | iam.object modify | group member removed |
| 4758 | | 110501 | iam | iam | iam.object delete | group deleted |
| 4764 | | 111009 | iam | iam | iam.object modify | group properties modified |
| 4767 | | 112000 | iam | iam | iam.object enable | account unlocked |
| 4768 | | 100000 or 102002 | authentication | authentication | authentication.logon or authentication.kerberos request | logon or tgt request |
| 4769 | | 102001 | authentication | authentication | authentication.kerberos request | service ticket requested |
| 4770 | | 102000 | authentication | authentication | authentication.kerberos request | service ticket renewed |
| 4771 | | 100000 or 100500 | authentication | authentication | authentication.logon or authentication.credential validation | logon or credential validation |
| 4776 | | 100500 | authentication | authentication | authentication.credential validation | credential validation |
| 4778 | | 100004 | authentication | authentication | authentication.logon | session reconnect |
| 4779 | | 102501 | authentication | authentication | authentication.logoff | session disconnect |
| 4781 | | 111003 | iam | iam | iam.object modify | account renamed |
| 4798 | | 119500 | iam | iam | iam.information | group membership enumerated |
| 4799 | | 119500 | iam | iam | iam.information | group membership enumerated |
| 4820 | | 101501 | authentication | authentication | authentication.access policy | device policy violation |
| 4821 | | 101500 | authentication | authentication | authentication.access policy | access policy violation |
| 4822 | | 101502 | authentication | authentication | authentication.access policy | account policy violation |
| 4823 | | 101502 | authentication | authentication | authentication.access policy | account policy violation |
| 4824 | | 101502 | authentication | authentication | authentication.access policy | account policy violation |
| 5136 | object_class=user (modify) | 111000 | iam | iam | iam.object modify | account modified |
| 5136 | object_class=group (modify) | 111009 | iam | iam | iam.object modify | group properties modified |
| 5136 | object_class=other | 000000 | message | message | message.log_message | message |
| 5140 | | 201500 | endpoint | file | file.access | file accessed |
| 5145 | | 201500 | endpoint | file | file.access | file accessed |
| 6416 | | 270000 | endpoint | driver | driver.loaded | system driver loaded |
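The rows above show that one event ID can land in several GIM categories (4656 and 4663 by object type and access, 5136 by object class, 4703 by whether privileges were enabled, disabled or both), which is why detection content should key on `gim_event_type_code` rather than on the raw event ID. The following is an added example, not the content pack's own code, that implements those conditional rows for a constructed set of events and then searches by GIM code across event IDs. The page does not say how the pack separates "write" from "read" access for 4663; the access-mask bit tests here are this example's assumption, and the fixed-code table is deliberately only a subset of the rows above.

```python
"""Added example, not the content pack's own code: assign GIM event type codes
from the categorization table above, including the rows that depend on
object_type, access mask and object_class, and then search on the GIM code
instead of the raw event ID. The access-mask bit tests that separate 'write'
from 'read' access are this example's assumption; the page does not state how
the pack draws that line."""

MESSAGE_FALLBACK = "000000"   # message.log_message: no more specific mapping

# Rows from the table that depend only on the event ID (a subset of the table).
FIXED_CODES = {
    1102: "220000", 4624: "100000", 4625: "100000", 4648: "100003", 4657: "250003",
    4688: "190000", 4697: "211500", 4698: "229999", 4719: "220500", 4720: "110000",
    4726: "110500", 4728: "111007", 4732: "111007", 4756: "111007", 4740: "111500",
    4767: "112000", 5140: "201500", 5145: "201500",
}
# Rows where the table lists two codes; both are emitted.
DUAL_CODES = {4768: ["100000", "102002"], 4771: ["100000", "100500"]}

# Windows access-right bits (assumed definition of "write" and "read" access).
FILE_WRITE_BITS = 0x2 | 0x4 | 0x10 | 0x100 | 0x10000 | 0x40000000  # WriteData, AppendData, WriteEA, WriteAttributes, DELETE, GENERIC_WRITE
FILE_READ_BITS = 0x1 | 0x8 | 0x80 | 0x80000000                     # ReadData, ReadEA, ReadAttributes, GENERIC_READ
KEY_WRITE_BITS = 0x2 | 0x4 | 0x10000                               # KEY_SET_VALUE, KEY_CREATE_SUB_KEY, DELETE


def gim_codes(ev):
    """ev: dict with event_code and the relevant event_data fields.
    Returns the list of gim_event_type_code values for the event."""
    code = ev["event_code"]
    if code == 4703:                             # one event can both enable and disable privileges
        codes = []
        if ev.get("EnabledPrivilegeList", "-") != "-":
            codes.append("111001")
        if ev.get("DisabledPrivilegeList", "-") != "-":
            codes.append("111002")
        return codes or [MESSAGE_FALLBACK]
    if code == 4656:
        return {"File": ["201500"], "Key": ["259999"]}.get(ev.get("ObjectType"), [MESSAGE_FALLBACK])
    if code == 4663:
        mask = int(ev.get("AccessMask", "0x0"), 16)
        if ev.get("ObjectType") == "File":
            if mask & FILE_WRITE_BITS:
                return ["201000"]                # file modified
            if mask & FILE_READ_BITS:
                return ["201500"]                # file accessed
            return ["209999"]                    # other file event (e.g. READ_CONTROL only)
        if ev.get("ObjectType") == "Key":
            return ["250000"] if mask & KEY_WRITE_BITS else ["259999"]
        return [MESSAGE_FALLBACK]
    if code == 5136:
        return {"user": ["111000"], "group": ["111009"]}.get(ev.get("ObjectClass"), [MESSAGE_FALLBACK])
    if code in DUAL_CODES:
        return DUAL_CODES[code]
    return [FIXED_CODES.get(code, MESSAGE_FALLBACK)]


def find_by_gim_code(events, wanted):
    """Return the events carrying GIM code `wanted`, whatever their event ID."""
    return [ev for ev in events if wanted in gim_codes(ev)]


# Constructed sample events (not captured data), reduced to the fields the rules need.
SAMPLE_EVENTS = [
    {"event_code": 4663, "ObjectType": "File", "ObjectName": r"C:\Windows\SYSVOL\a.txt", "AccessMask": "0x2"},
    {"event_code": 4663, "ObjectType": "File", "ObjectName": r"C:\Windows\SYSVOL\b.txt", "AccessMask": "0x1"},
    {"event_code": 4663, "ObjectType": "Key", "ObjectName": r"HKLM\SOFTWARE\Policies", "AccessMask": "0x2"},
    {"event_code": 4657, "ObjectType": "Key", "ObjectName": r"HKLM\SOFTWARE\Policies"},
    {"event_code": 4703, "EnabledPrivilegeList": "SeTcbPrivilege", "DisabledPrivilegeList": "-"},
    {"event_code": 5136, "ObjectClass": "user"},
    {"event_code": 5136, "ObjectClass": "groupPolicyContainer"},
    {"event_code": 4768, "TargetUserName": "testuser10"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["event_code"], gim_codes(ev))
    # Every file modification, regardless of which event ID carried it.
    print(find_by_gim_code(SAMPLE_EVENTS, "201000"))
```

The fallback code `000000` is where unmatched objects go (a 4656 on a process handle, a 5136 on a groupPolicyContainer), so a search for `gim_event_type_code:000000` within the Security stream is a quick way to find the events the categorization does not yet cover.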
