IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Security Module
editSecurity Module
editThis functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
The security module processes event log records from the Security log.
The module has transformations for the following event IDs:
- 4624 - An account was successfully logged on.
- 4625 - An account failed to log on.
- 4634 - An account was logged off.
- 4647 - User initiated logoff (interactive logon types).
- 4648 - A logon was attempted using explicit credentials.
- 4672 - Special privileges assigned to new logon.
- 4688 - A new process has been created.
- 4689 - A process has exited.
- 4720 - A user account was created.
- 4722 - A user account was enabled.
- 4723 - An attempt was made to change an account’s password.
- 4724 - An attempt was made to reset an account’s password.
- 4725 - An user account was disabled.
- 4726 - An user account was deleted.
- 4738 - An user account was changed.
- 4740 - An user account was locked out.
- 4767 - An account was unlocked.
- 4781 - The name of an account was changed.
More event IDs will be added.
Configuration
editwinlogbeat.event_logs: - name: Security processors: - script: lang: javascript id: security file: ${path.home}/module/security/config/winlogbeat-security.js