The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.
This technology pack will process Windows Security event logs, providing normalization and enrichment of common events of interest. In addition, it will identify all Windows logs that have not been processed by any other technology pack, normalize common event log fields, and index these messages in a separate index.
Supported Version(s)
- Currently supported versions of the Windows operating system
Requirements
- Winlogbeat v8.x or NXLog Enterprise 3.2 / NXLog Community Edition 2.10
- The beats type prefix should also be enabled when using the Winlogbeat agent
Stream Configuration
This technology pack includes two streams:
- “Illuminate:Windows Security Event Log Messages,” which contains all messages from the Windows Security event log
- “Illuminate:Windows Event Log Messages,” which will contain all event log messages that have not been processed by this or any other technology pack
Index Set Configuration
This technology pack includes two index set definitions:
- “Windows Security Event Log Messages,” which contains all messages from the Windows Security event log
- “Windows Event Log Messages,” which will contain all event log messages not processed by this or any other technology pack
If these index sets are already defined, then nothing will be changed. If these index sets do not exist, then they will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.
What is Provided
- Parsing and normalization to extract Windows event logs into Graylog schema compatible fields
- Graylog Information Model categorization of messages
- Illuminate Spotlight
Events Processed by This Technology Pack
Illuminate will perform some basic processing of all event logs ingested by Winlogbeat, normalizing the fields common to all events:

Field Name | Field Description
---|---
event_code | Windows "Event ID" value
event_log_name | The lower-case Windows event log "name" or channel
event_reporter | The system that delivered the event to Graylog
event_source | The computer name that originally generated the event
event_uid | The unique system record entry number for the event message
vendor_event_category | The Microsoft-defined event category derived from the "Task" field
The Windows Security technology pack applies normalization of common event log fields, such as Event ID, to all Windows event log messages. It provides normalization and enrichment for the following Windows Security event log IDs (event 4663 is classified by the access type recorded in the event, so it appears once per access type):

Event ID | Additional Data | gim_event_type_code | gim_event_category | gim_event_subcategory | gim_event_type
---|---|---|---|---|---
1100 | | 220101 | audit | audit.state | audit service stopped
1101 | | 220102 | audit | audit.state | audit error
1102 | | 220000 | audit | audit.integrity | audit log cleared
1104 | | 220102 | audit | audit.state | audit error
4610 | | 270000 | registry | registry.default | registry event
4611 | | 270000 | registry | registry.default | registry event
4614 | | 270000 | registry | registry.default | registry event
4616 | | 260000 | registry | registry.default | registry event
4622 | | 270000 | registry | registry.default | registry event
4624 | | 100000 | authentication | authentication.logon | logon
4625 | | 100000 | authentication | authentication.logon | logon
4634 | | 102500 | authentication | authentication.logoff | logoff
4647 | | 102500 | authentication | authentication.logoff | logoff
4648 | | 100003 | authentication | authentication.logon | logon with alternate credentials
4663 | Access Type: ReadEA | 209999 | file | file.default | file event
4663 | Access Type: ReadData (or ListDirectory) | 201500 | file | file.access | file access
4663 | Access Type: WriteData (or AddFile) | 201000 | file | file.modify | file modified
4663 | Access Type: AppendData (or AddSubdirectory or CreatePipeInstance) | 201000 | file | file.modify | file modified
4663 | Access Type: Notify about changes to keys | 259999 | registry | registry.default | registry event
4663 | Access Type: Enumerate sub-key | 259999 | registry | registry.default | registry event
4663 | Access Type: Create sub-key | 250500 | registry | registry.key_change | registry key added
4663 | Access Type: Set key value | 250000 | registry | registry.value_change | registry value set
4663 | Access Type: Query key value | 259999 | registry | registry.default | registry event
4663 | Access Type: WriteEA | 209999 | file | file.default | file event
4672 | | 101000 | authentication | authentication.access notice | special logon
4688 | | 190000 | process | process.execution | process started
4689 | | 190100 | process | process.end | process stopped
4697 | | 211500 | service | service.state | service installed
4720 | | 110000 | iam | iam.object create | account created
4722 | | 112001 | iam | iam.object enable | account enabled
4723 | | 111004 | iam | iam.object modify | password change
4724 | | 111005 | iam | iam.object modify | administrative password reset
4725 | | 111501 | iam | iam.object disable | account disabled
4726 | | 110500 | iam | iam.object delete | account deleted
4727 | | 110002 | iam | iam.object create | group created
4728 | | 111007 | iam | iam.object modify | group member added
4729 | | 111008 | iam | iam.object modify | group member removed
4730 | | 110501 | iam | iam.object delete | group deleted
4731 | | 110002 | iam | iam.object create | group created
4732 | | 111007 | iam | iam.object modify | group member added
4733 | | 111008 | iam | iam.object modify | group member removed
4734 | | 110501 | iam | iam.object delete | group deleted
4735 | | 111009 | iam | iam.object modify | group properties modified
4737 | | 111009 | iam | iam.object modify | group properties modified
4738 | | 111000 | iam | iam.object modify | account modified
4740 | | 111500 | iam | iam.object disable | account locked
4741 | | 110000 | iam | iam.object create | account created
4742 | | 111000 | iam | iam.object modify | account modified
4743 | | 110500 | iam | iam.object delete | account deleted
4754 | | 110002 | iam | iam.object create | group created
4755 | | 111009 | iam | iam.object modify | group properties modified
4756 | | 111007 | iam | iam.object modify | group member added
4757 | | 111008 | iam | iam.object modify | group member removed
4758 | | 110501 | iam | iam.object delete | group deleted
4764 | | 111009 | iam | iam.object modify | group properties modified
4767 | | 112000 | iam | iam.object enable | account unlocked
4768 | | 100000 | authentication | authentication.logon | logon
4769 | | 102001 | authentication | authentication.kerberos requests | service ticket requested
4770 | | 102000 | authentication | authentication.kerberos requests | service ticket renewed
4771 | | 100000 | authentication | authentication.logon | logon
4776 | | 100500 | authentication | authentication.credential validation | credential validation
4778 | | 100004 | authentication | authentication.logon | session reconnect
4779 | | 102501 | authentication | authentication.logoff | session disconnect
4781 | | 111003 | iam | iam.object modify | account renamed
4798 | | 119500 | iam | iam.information | IAM message
4799 | | 119500 | iam | iam.information | IAM message
4820 | | 101501 | authentication | authentication.access policy | device policy violation
4821 | | 101500 | authentication | authentication.access policy | access policy violation
4822 | | 101502 | authentication | authentication.access policy | account policy violation
4823 | | 101502 | authentication | authentication.access policy | account policy violation
4824 | | 101502 | authentication | authentication.access policy | account policy violation
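As an added example, not Graylog's or Illuminate's own code, the following Python carries out the processing this page describes end to end: it normalizes the common fields from a Winlogbeat event, classifies Security events with a subset of the Event ID to GIM mapping above (including the access-type disambiguation for event 4663, which a plain ID lookup cannot do), and routes each message to one of the two streams. The Winlogbeat field names used (`winlog.event_id`, `winlog.channel`, `winlog.computer_name`, `winlog.record_id`, `winlog.task`, `winlog.event_data.AccessList`, `agent.name`) are real Winlogbeat 8.x fields; mapping them onto the page's field names is an assumption made here, as is the assumption that the `%%NNNN` resource codes Windows places in `AccessList` have already been resolved to the descriptions in the table. The sample events are constructed, not real captures.

```python
"""Normalize, classify and route Windows event log messages (added example)."""

SECURITY_STREAM = "Illuminate:Windows Security Event Log Messages"
CATCH_ALL_STREAM = "Illuminate:Windows Event Log Messages"

# (gim_event_type_code, gim_event_category, gim_event_subcategory, gim_event_type)
# Subset of the page's table; the remaining rows extend this dict the same way.
EVENT_MAP = {
    1102: (220000, "audit", "audit.integrity", "audit log cleared"),
    4624: (100000, "authentication", "authentication.logon", "logon"),
    4625: (100000, "authentication", "authentication.logon", "logon"),
    4634: (102500, "authentication", "authentication.logoff", "logoff"),
    4648: (100003, "authentication", "authentication.logon", "logon with alternate credentials"),
    4672: (101000, "authentication", "authentication.access notice", "special logon"),
    4688: (190000, "process", "process.execution", "process started"),
    4720: (110000, "iam", "iam.object create", "account created"),
    4728: (111007, "iam", "iam.object modify", "group member added"),
    4740: (111500, "iam", "iam.object disable", "account locked"),
}

# Event 4663 is classified by its access type, not by the ID alone.
ACCESS_MAP = {
    "ReadEA": (209999, "file", "file.default", "file event"),
    "ReadData (or ListDirectory)": (201500, "file", "file.access", "file access"),
    "WriteData (or AddFile)": (201000, "file", "file.modify", "file modified"),
    "AppendData (or AddSubdirectory or CreatePipeInstance)":
        (201000, "file", "file.modify", "file modified"),
    "WriteEA": (209999, "file", "file.default", "file event"),
    "Notify about changes to keys": (259999, "registry", "registry.default", "registry event"),
    "Enumerate sub-key": (259999, "registry", "registry.default", "registry event"),
    "Create sub-key": (250500, "registry", "registry.key_change", "registry key added"),
    "Set key value": (250000, "registry", "registry.value_change", "registry value set"),
    "Query key value": (259999, "registry", "registry.default", "registry event"),
}

GIM_FIELDS = ("gim_event_type_code", "gim_event_category",
              "gim_event_subcategory", "gim_event_type")


def normalize(event):
    """Map a Winlogbeat event (nested dict) onto the page's common fields.
    The Winlogbeat-to-Graylog field mapping is an assumption of this example."""
    winlog = event.get("winlog", {})
    return {
        "event_code": int(winlog["event_id"]),                # Windows Event ID
        "event_log_name": winlog.get("channel", "").lower(),  # lower-case channel name
        "event_reporter": event.get("agent", {}).get("name"),  # host that delivered the event
        "event_source": winlog.get("computer_name"),          # computer that generated it
        "event_uid": winlog.get("record_id"),                 # record entry number
        "vendor_event_category": winlog.get("task"),          # Microsoft "Task" field
    }


def classify(event):
    """Return the normalized fields plus the GIM classification; GIM fields are
    None and 'processed' is False when the event is not in the table."""
    fields = normalize(event)
    entry = None
    if fields["event_log_name"] == "security":
        if fields["event_code"] == 4663:
            # AccessList may list several access types, one per line. The first
            # one present in the table decides the classification (design choice).
            raw = event.get("winlog", {}).get("event_data", {}).get("AccessList", "")
            for access in (line.strip() for line in raw.splitlines()):
                if access in ACCESS_MAP:
                    entry = ACCESS_MAP[access]
                    break
        else:
            entry = EVENT_MAP.get(fields["event_code"])
    fields.update(zip(GIM_FIELDS, entry if entry else (None,) * 4))
    fields["processed"] = entry is not None
    return fields


def route(fields):
    """Every Security-log message goes to the Security stream; anything this
    pack did not process goes to the catch-all stream (in a real deployment
    another technology pack may claim such a message first)."""
    if fields["event_log_name"] == "security":
        return SECURITY_STREAM
    return CATCH_ALL_STREAM


def _sample(event_id, channel, task, **event_data):
    """Build a constructed Winlogbeat-style event for the demonstration."""
    return {
        "agent": {"name": "collector01"},
        "winlog": {"event_id": str(event_id), "channel": channel, "task": task,
                   "computer_name": "WS01.example.test", "record_id": 12345,
                   "event_data": event_data},
    }


SAMPLE_EVENTS = [  # constructed samples, not real captures
    _sample(4624, "Security", "Logon", LogonType="3"),
    _sample(4663, "Security", "File System", AccessList="WriteData (or AddFile)"),
    _sample(4663, "Security", "Registry", AccessList="Query key value\n\t\tSet key value"),
    _sample(7045, "System", "None"),
]

if __name__ == "__main__":
    for sample in SAMPLE_EVENTS:
        result = classify(sample)
        print(result["event_code"], result["gim_event_type"], "->", route(result))
```

The first-match rule for multi-valued `AccessList` is the simplest choice; a deployment that cares about write-over-read precedence would instead rank the matched access types before picking one. Running the block prints the 4624 as `logon`, the file 4663 as `file modified`, the registry 4663 as `registry event`, and the System-log 7045 as unclassified and routed to the catch-all stream.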