Windows Security Event Analysis

Event logs are a valuable source of information for detecting and investigating security incidents. Many companies collect and store logs from different sources to meet regulatory requirements, but few of them analyze the collected logs proactively. This post shows how security event logs can be collected from Windows systems with winlogbeat and sent to an ELK (Elasticsearch, Logstash, Kibana) stack for further analysis.

Some useful Security log event IDs for forensic analysis or incident response on a Windows machine:

4624 Successful logon
4625 Failed logon
4776 The domain controller (or local SAM) attempted to validate credentials for an account (NTLM); logged for both success and failure
4720 A user account was created
4732 A member was added to a security-enabled local group
4728 A member was added to a security-enabled global group
4647 User initiated logoff
4800 Workstation locked
4801 Workstation unlocked
4802 Screen saver invoked
4803 Screen saver dismissed
4778 Session reconnected (RDP or Fast User Switching)
4779 Session disconnected (RDP or Fast User Switching)
4722 User account enabled
4723 User attempted to change their own password
4724 Privileged user attempted to reset another user's password
4725 User account disabled
4726 User account deleted
4738 User account changed
4740 User account locked out
4767 User account unlocked
4781 User account name changed

Note that 4624 and 4625 are written on the machine where the logon is attempted, while 4776 for domain accounts is written on the domain controller that validated the credentials.

Successful and failed logon events (4624/4625) record how the user or process tried to log on; the logon type is stored as a number in the LogonType field:

Logon Type Explanation
2 Interactive: logon at the console (keyboard and screen)
3 Network: a user or computer logged on to this computer from the network (file shares, most remote PowerShell, etc.)
4 Batch: scheduled task
5 Service: Windows service started by the Service Control Manager
7 Unlock: credentials used to unlock the workstation
8 NetworkCleartext: network logon where the password was sent in cleartext (e.g. IIS basic authentication)
9 NewCredentials: caller cloned its token with different credentials for outbound connections (runas /netonly)
10 RemoteInteractive: Terminal Services / Remote Desktop logon
11 CachedInteractive: logon with cached domain credentials (no domain controller reachable)
12 CachedRemoteInteractive: remote interactive logon with cached credentials
13 CachedUnlock: workstation unlock with cached credentials (similar to logon type 7)

Logon failure codes. A failed logon (4625) carries a Status and a SubStatus field; Status is usually the generic 0xC000006D (bad user name or password) and SubStatus gives the specific reason:

0xC0000064 User name does not exist
0xC000006A User name is correct but the password is wrong
0xC0000234 User is currently locked out
0xC0000072 Account is currently disabled
0xC000006F User tried to log on outside their permitted day-of-week or time-of-day restrictions
0xC0000070 Workstation restriction (user is not allowed to log on at this computer)
0xC0000193 Account expired
0xC0000071 Expired password
0xC0000133 Clocks between the DC and the other computer are too far out of sync
0xC0000224 User is required to change password at next logon
0xC0000225 STATUS_NOT_FOUND; generally regarded as a Windows bug rather than a risk
0xC000015B The user has not been granted the requested logon type at this machine (for example, denied by an "Allow log on locally" or "Log on as a service" user right)

winlogbeat.yml settings

winlogbeat.event_logs:
  - name: Security
    # skip events older than 72h when the beat first reads the log
    ignore_older: 72h
output.logstash:
  # The Logstash hosts (beats input below listens on 5044)
  hosts: ["10.10.10.10:5044"]

Logstash settings (input, filter and output). The conditionals have to live inside filter { } and output { } blocks, otherwise Logstash refuses to load the pipeline:

input {
  beats {
    port => 5044
  }
}

filter {
  # Older winlogbeat versions set type: wineventlog; newer ones do not,
  # in which case match on [@metadata][beat] == "winlogbeat" instead.
  if [type] == "wineventlog" {
    mutate { add_field => { "indexType" => "WIN-LOGS" } }
  }
}

output {
  if [indexType] == "WIN-LOGS" {
    elasticsearch {
      hosts => ["http://elasticsearchhost:9200"]
      manage_template => false
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      # deprecated since Elasticsearch 6 and unsupported on 7+; drop it there
      document_type => "doc"
    }
  }
}

Kibana query for password reset events (4724 is a privileged account resetting another user's password; use event_id:4723 for users changing their own password)

event_id:4724

Kibana query for remote desktop logins (successful logon with logon type 10)

event_id:4624 AND event_data.LogonType:10
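The same decoding and filtering can be done outside Kibana, which is handy for triage of an exported batch of events or for testing a detection before turning it into a saved search. The script below is an added example and is not code from the original post: it applies the logon-type and failure-code tables above to constructed winlogbeat-style documents, mirrors the two Kibana queries (RDP logons and password resets), and adds the check a practitioner usually wants next, a count of 4625 failures per source address. It assumes the winlogbeat 5.x/6.x field layout the queries use (event_id, event_data.LogonType, event_data.SubStatus); on winlogbeat 7+ the same values live under winlog.event_id and winlog.event_data.*. Function names and the sample events are mine.

```python
"""Decode winlogbeat Security events (4624/4625) with the logon-type and
failure-code tables from the post and flag the patterns its Kibana
queries look for.  Added example, not code from the original post.
Assumes winlogbeat 5.x/6.x field names; sample events are constructed.
"""
import json
from collections import Counter, defaultdict

# Logon types as recorded in the LogonType field of 4624/4625.
LOGON_TYPES = {
    2: "Interactive (console)",
    3: "Network",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials (runas /netonly)",
    10: "RemoteInteractive (RDP)",
    11: "CachedInteractive",
    12: "CachedRemoteInteractive",
    13: "CachedUnlock",
}

# NTSTATUS values seen in the SubStatus (or Status) field of 4625.
FAILURE_CODES = {
    0xC0000064: "user name does not exist",
    0xC000006A: "wrong password",
    0xC0000234: "account locked out",
    0xC0000072: "account disabled",
    0xC000006F: "outside permitted logon hours",
    0xC0000070: "workstation restriction",
    0xC0000193: "account expired",
    0xC0000071: "password expired",
    0xC0000133: "clock skew between DC and client too large",
    0xC0000224: "password must change at next logon",
    0xC0000225: "STATUS_NOT_FOUND (usually benign)",
    0xC000015B: "requested logon type not granted on this machine",
}


def decode(event):
    """Flatten a 4624/4625 document; return None for any other event ID.
    winlogbeat stores event_data values as strings, so they are parsed here."""
    eid = event.get("event_id")
    if eid not in (4624, 4625):
        return None
    data = event.get("event_data", {})
    logon_type = int(data.get("LogonType", 0))
    out = {
        "event_id": eid,
        "user": f"{data.get('TargetDomainName', '')}\\{data.get('TargetUserName', '')}",
        "source_ip": data.get("IpAddress", "-"),
        "logon_type": logon_type,
        "logon_type_name": LOGON_TYPES.get(logon_type, "unknown"),
    }
    if eid == 4625:
        # SubStatus holds the specific reason; it is 0x0 for e.g. lockouts,
        # where Status itself carries the code.
        status = int(data.get("Status", "0"), 16)
        sub = int(data.get("SubStatus", "0"), 16)
        code = sub or status
        out["failure_code"] = f"0x{code:08X}"
        out["failure_reason"] = FAILURE_CODES.get(code, "unknown")
    return out


def rdp_logons(events):
    """Same filter as the Kibana query event_id:4624 AND event_data.LogonType:10."""
    decoded = (decode(e) for e in events)
    return [d for d in decoded if d and d["event_id"] == 4624 and d["logon_type"] == 10]


def password_resets(events):
    """Same filter as the Kibana query event_id:4724 -> (who reset, whose password)."""
    return [(e["event_data"].get("SubjectUserName"), e["event_data"].get("TargetUserName"))
            for e in events if e.get("event_id") == 4724]


def failed_logons_by_source(events, threshold=3):
    """Source IPs with at least `threshold` 4625 events -> (count, sorted reasons).
    Repeated wrong-password / unknown-user failures from one address is the
    classic brute-force or password-spraying signature."""
    counts, reasons = Counter(), defaultdict(set)
    for d in (decode(e) for e in events):
        if d and d["event_id"] == 4625:
            counts[d["source_ip"]] += 1
            reasons[d["source_ip"]].add(d["failure_reason"])
    return {ip: (n, sorted(reasons[ip])) for ip, n in counts.items() if n >= threshold}


# Constructed sample documents in winlogbeat 5.x/6.x shape (not real logs).
SAMPLE_EVENTS = [json.loads(line) for line in """
{"event_id": 4624, "event_data": {"TargetDomainName": "CORP", "TargetUserName": "alice", "LogonType": "10", "IpAddress": "10.1.2.3"}}
{"event_id": 4624, "event_data": {"TargetDomainName": "NT AUTHORITY", "TargetUserName": "SYSTEM", "LogonType": "5", "IpAddress": "-"}}
{"event_id": 4625, "event_data": {"TargetDomainName": "CORP", "TargetUserName": "administrator", "LogonType": "3", "IpAddress": "198.51.100.7", "Status": "0xc000006d", "SubStatus": "0xc000006a"}}
{"event_id": 4625, "event_data": {"TargetDomainName": "CORP", "TargetUserName": "administrator", "LogonType": "3", "IpAddress": "198.51.100.7", "Status": "0xc000006d", "SubStatus": "0xc000006a"}}
{"event_id": 4625, "event_data": {"TargetDomainName": "CORP", "TargetUserName": "root", "LogonType": "3", "IpAddress": "198.51.100.7", "Status": "0xc000006d", "SubStatus": "0xc0000064"}}
{"event_id": 4625, "event_data": {"TargetDomainName": "CORP", "TargetUserName": "bob", "LogonType": "2", "IpAddress": "-", "Status": "0xc0000234", "SubStatus": "0x0"}}
{"event_id": 4724, "event_data": {"SubjectUserName": "helpdesk1", "TargetUserName": "bob"}}
""".strip().splitlines()]

if __name__ == "__main__":
    for hit in rdp_logons(SAMPLE_EVENTS):
        print("RDP logon:", hit["user"], "from", hit["source_ip"])
    for subject, target in password_resets(SAMPLE_EVENTS):
        print("Password reset:", subject, "->", target)
    for ip, (count, why) in failed_logons_by_source(SAMPLE_EVENTS).items():
        print(f"{count} failed logons from {ip}: {', '.join(why)}")
```

Run against a JSON-lines export of the winlogbeat index, the threshold in failed_logons_by_source is the knob to tune: three failures is fine for a demo, but on a real domain controller you would key the count on (source IP, time window) rather than the whole batch, since a single noisy service account can otherwise drown out the spray you are looking for.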

Visualizations in Kibana (the original screenshots are not reproduced here): one for password reset events (event_id:4724) and one for remote desktop logins (event_id:4624 AND event_data.LogonType:10).