Describe the enhancement:
Microsoft released a while back a list of event IDs to monitor in an Active Directory installation.
These would be great to have in a module, for an "out-of-the-box" experience and integration with Elastic SIEM.
Extending the already existing Security module with an active_directory dataset, or the like, would be nice.
Describe a specific use case for the enhancement or feature:
I would love to analyze important Active Directory events in Elastic SIEM, find outliers and other potential bad stuff.
All user activity goes through my Active Directory installation, so it would be a great spot to catch potentially bad stuff :)
Hi @magnuslarsen
The Winlogbeat agent can collect any Windows event log. You just need to enable the auditing mechanism with a GPO in your Active Directory so that the events are logged to the Windows event log, where Winlogbeat picks them up.
Additionally, all data is already inside Elasticsearch and processed in SIEM.
If you want this Microsoft list to be part of a ruleset within SIEM that automatically triggers a watcher, an alert or something like that, then this is not a Beats issue. I think that should be discussed in the discuss.elastic.co SIEM forum.
Hi @philippkahr, I am already gathering the event IDs based on that list by manually specifying them in my Winlogbeat configuration.
I would just like to see a more "plug'n'play" module, like we have with the Filebeat modules (e.g. apache): install Winlogbeat, enable the active_directory module, and then automatically have the ingest pipelines, dashboards and preferably a SIEM "plugin" set up.
Ah, I understand. Hmm, I do feel your pain points.
I guess there is a reason why you didn't just set the winlogbeat config to something like:

```yaml
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System
```

which would collect all events from the channel, so you would not need to input the list from Microsoft.
Could you double-check the event IDs from the Security module against what you need? https://www.elastic.co/guide/en/beats/winlogbeat/master/winlogbeat-modules.html
There are some additional dashboards available: https://github.com/elastic/beats/issues/14149
Regarding SIEM. Since it is using ECS anyway you should see everything in the SIEM app.
From my point of view, I would focus more on the MITRE ATT&CK classification than just the Microsoft list.
@andrewkroh do you think it would make sense to at least add the risk factor from the Microsoft page as an attribute to each event? I guess it should be compatible with the MITRE ATT&CK risk score.
I would like to have an issue with a checklist for each item in that table from Microsoft. We can use that to guide the development of the Security module. And yes, we should add a risk score as event.risk_score (from ECS).
I created a CSV of the Microsoft list and added a column "In Security Module?":
TRUE if it is already in this list, FALSE if not.
The CSV should be easily filterable, and from that an issue could be created quite quickly?
AdEventIdsInWinlogbeat.txt (.txt, as GitHub doesn't support .csv)
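As an added example, not code from this thread or from the Beats project: a small Python script that does what the CSV above is meant to enable. It reads rows in the layout the comment describes (Microsoft's event ID, potential criticality and summary columns plus the "In Security Module?" column), keeps the IDs marked FALSE, collapses consecutive IDs into the `a-b` ranges that Winlogbeat's `event_id` option accepts, and maps the criticality to a numeric value that could be written to ECS `event.risk_score` as proposed above. The sample rows, the exact column names and the criticality-to-score mapping are assumptions made here for illustration; they are not the attached file.

```python
import csv
import io

# Constructed sample rows in the layout described in the thread: Microsoft's
# "Events to monitor" columns plus the added "In Security Module?" column.
# The IDs are real Windows Security event IDs, but these rows, criticalities
# and TRUE/FALSE values are illustrative, not a copy of the attached file.
SAMPLE_CSV = """\
Current Windows Event ID,Potential Criticality,Event Summary,In Security Module?
4618,High,A monitored security event pattern has occurred.,FALSE
4649,High,A replay attack was detected.,FALSE
4719,High,System audit policy was changed.,FALSE
4765,High,SID History was added to an account.,FALSE
4766,High,An attempt to add SID History to an account failed.,FALSE
1102,Medium,The audit log was cleared.,FALSE
4624,Low,An account was successfully logged on.,TRUE
4625,Low,An account failed to log on.,TRUE
4720,Low,A user account was created.,TRUE
"""

# Assumed mapping from Microsoft's "Potential Criticality" to a numeric
# event.risk_score. The thread proposes the field; these values are a guess.
RISK_SCORE = {"High": 90, "Medium": 50, "Low": 10}


def load_rows(text):
    """Parse the CSV text into dicts with an int event ID and a bool for module coverage."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "event_id": int(row["Current Windows Event ID"]),
            "criticality": row["Potential Criticality"].strip(),
            "summary": row["Event Summary"].strip(),
            "in_module": row["In Security Module?"].strip().upper() == "TRUE",
        })
    return rows


def missing_event_ids(rows):
    """IDs flagged FALSE (not yet handled by the Security module), de-duplicated and sorted."""
    return sorted({r["event_id"] for r in rows if not r["in_module"]})


def compact_ranges(ids):
    """Collapse runs of consecutive IDs into 'a-b', the range syntax of Winlogbeat's event_id option.

    Expects a sorted list; returns the comma-separated filter string.
    """
    parts = []
    start = prev = None
    for i in ids:
        if start is None:
            start = prev = i
        elif i == prev + 1:
            prev = i
        else:
            parts.append(f"{start}-{prev}" if prev > start else str(start))
            start = prev = i
    if start is not None:
        parts.append(f"{start}-{prev}" if prev > start else str(start))
    return ", ".join(parts)


def risk_scores(rows):
    """Map each event ID to the assumed event.risk_score derived from its criticality."""
    return {r["event_id"]: RISK_SCORE[r["criticality"]] for r in rows}


def render_winlogbeat_config(rows):
    """Emit a winlogbeat.event_logs entry collecting only the uncovered IDs from the Security channel."""
    ids = compact_ranges(missing_event_ids(rows))
    return (
        "winlogbeat.event_logs:\n"
        "  - name: Security\n"
        f"    event_id: {ids}\n"
    )


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print(render_winlogbeat_config(rows))
    for r in rows:
        if not r["in_module"]:
            print(f"{r['event_id']}: risk_score={RISK_SCORE[r['criticality']]}  {r['summary']}")
```

With the constructed rows this yields `event_id: 1102, 4618, 4649, 4719, 4765-4766`, i.e. a Security-channel filter restricted to the IDs the module does not cover yet, which is the gap the CSV is meant to expose. Dropping the filter altogether, as suggested earlier in the thread, collects the whole channel instead; the filter only pays off when the channel volume is a problem.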
Here's the issue to track this. https://github.com/elastic/beats/issues/16334
Thanks!