Security Module

edit

This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

The security module processes event log records from the Security log.

The module has transformations for the following event IDs:

  • 4624 - An account was successfully logged on.
  • 4625 - An account failed to log on.
  • 4634 - An account was logged off.
  • 4647 - User initiated logoff (interactive logon types).
  • 4648 - A logon was attempted using explicit credentials.
  • 4672 - Special privileges assigned to new logon.

More event IDs will be added.

Configuration

edit
winlogbeat.event_logs:
  - name: Security
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js