Windows Security Event Analysis
Event logs are a valuable source of information for detecting and investigating security incidents. Many companies collect and store logs from different sources to satisfy regulatory requirements, but few of them analyse the collected logs proactively. This post shows how Security event logs can be collected from Windows systems with winlogbeat and sent to an ELK stack for further analysis.
Some of the Security events that are useful for forensic analysis or incident response on a Windows machine:
Event ID | Description |
4624 | Successful logon |
4625 | Failed logon |
4776 | Credential validation (NTLM), successful or failed |
4720 | User account created |
4722 | User account enabled |
4723 | User changed own password |
4724 | Privileged user reset another user's password |
4725 | User account disabled |
4726 | User account deleted |
4738 | User account changed |
4740 | User account locked out |
4767 | User account unlocked |
4781 | User name changed |
4732 | A member was added to a security-enabled local group |
4728 | A member was added to a security-enabled global group |
4647 | User-initiated logoff |
4800 | Workstation locked |
4801 | Workstation unlocked |
4802 | Screen saver invoked |
4803 | Screen saver dismissed |
4778 | Session reconnected (RDP reconnect) |
4779 | Session disconnected (RDP disconnect) |
Successful and failed logon events (4624/4625) record how the user or process attempted to log on; the logon type is given as a number in the LogonType field.
Logon Type | Explanation |
2 | Interactive: logon at the console |
3 | Network: a user or computer logged on to this computer from the network (file shares, WMI and similar) |
4 | Batch: scheduled task |
5 | Service: Windows service started with an account's credentials |
7 | Unlock: credentials used to unlock the screen |
8 | NetworkCleartext: network logon where the password was sent in cleartext |
9 | NewCredentials: the process uses different credentials from the logged-on user (e.g. runas /netonly) |
10 | RemoteInteractive: remote interactive logon (RDP) |
11 | CachedInteractive: cached domain credentials used to log on (no DC reachable) |
12 | CachedRemoteInteractive: cached credentials used for a remote interactive logon |
13 | CachedUnlock: cached credentials used to unlock (similar to logon type 7) |
Logon failure codes. In a 4625 event the specific reason is normally in the SubStatus field while Status holds the generic 0xC000006D (STATUS_LOGON_FAILURE); when SubStatus is 0x0, the reason is in Status itself. 4776 reports the same NTSTATUS values in its Error Code field.
Code | Meaning |
0xC0000064 | User name does not exist |
0xC000006A | User name is correct but the password is wrong |
0xC0000234 | User is currently locked out |
0xC0000072 | Account is currently disabled |
0xC000006F | User tried to log on outside the permitted days of the week or times of day |
0xC0000070 | Workstation restriction |
0xC0000193 | Account expired |
0xC0000071 | Password expired |
0xC0000133 | Clocks between the DC and the other computer are too far out of sync |
0xC0000224 | User is required to change password at next logon |
0xC0000225 | Evidently a Windows bug rather than a risk |
0xC000015B | The user has not been granted the requested logon type on this machine |
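The following is an added example, not code from the original post: it decodes winlogbeat Security documents using the event IDs, logon types and failure codes tabulated above, and runs two small detections over them (successful RDP logons, and a source IP guessing passwords across several accounts). Field names follow the pre-ECS winlogbeat layout that the Kibana queries later in this post use (event_id, event_data.LogonType, event_data.SubStatus); on winlogbeat 7 and later the same data sits under winlog.event_id and winlog.event_data. The sample documents, IP addresses and user names are constructed for the example.

```python
# Added example (not from the original post). Decodes winlogbeat Security
# events and runs two simple detections. Field names assume the pre-ECS
# layout (event_id, event_data.*); sample documents below are constructed.
import json
from collections import defaultdict

# Logon types as reported in the LogonType field of 4624/4625.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive", 12: "CachedRemoteInteractive", 13: "CachedUnlock",
}

# NTSTATUS values seen in the Status/SubStatus fields of 4625.
FAILURE_CODES = {
    0xC0000064: "user name does not exist",
    0xC000006A: "wrong password",
    0xC0000234: "account locked out",
    0xC0000072: "account disabled",
    0xC000006F: "outside permitted logon hours",
    0xC0000070: "workstation restriction",
    0xC0000193: "account expired",
    0xC0000071: "password expired",
    0xC0000133: "clock skew between DC and client",
    0xC0000224: "password must be changed at next logon",
    0xC000015B: "requested logon type not granted",
}

# Sub-statuses that indicate guessing rather than a policy or lockout condition.
GUESSING = {0xC000006A, 0xC0000064}


def failure_code(event_data):
    """Return the meaningful NTSTATUS of a 4625 event.

    SubStatus carries the specific reason when Status is the generic
    0xC000006D; when SubStatus is 0x0 the reason is in Status itself
    (lockouts, 0xC000015B). Windows writes these as lower-case hex strings
    such as "0xc000006a", which int(..., 16) accepts unchanged.
    """
    sub = int(event_data.get("SubStatus", "0x0"), 16)
    return sub if sub else int(event_data.get("Status", "0x0"), 16)


def decode(doc):
    """Annotate one winlogbeat document with human-readable logon details."""
    ed = doc.get("event_data", {})
    out = {"event_id": doc["event_id"], "user": ed.get("TargetUserName"),
           "src_ip": ed.get("IpAddress")}
    if "LogonType" in ed:
        lt = int(ed["LogonType"])
        out["logon_type"] = lt
        out["logon_type_name"] = LOGON_TYPES.get(lt, "Unknown")
    if doc["event_id"] == 4625:
        code = failure_code(ed)
        out["failure_reason"] = FAILURE_CODES.get(code, "unknown 0x%08X" % code)
    return out


def find_password_spray(docs, min_accounts=3):
    """Source IPs whose guessing failures (4625) span >= min_accounts users.

    Lockout and other policy failures are excluded so that one locked-out
    account retrying is not mistaken for a spray.
    """
    targets = defaultdict(set)
    for doc in docs:
        if doc["event_id"] != 4625:
            continue
        ed = doc["event_data"]
        if failure_code(ed) in GUESSING:
            targets[ed.get("IpAddress", "-")].add(ed.get("TargetUserName"))
    return {ip: sorted(u) for ip, u in targets.items() if len(u) >= min_accounts}


def find_rdp_logons(docs):
    """Successful RDP logons, i.e. the post's event_id:4624 AND LogonType:10."""
    return [(d["event_data"]["TargetUserName"], d["event_data"].get("IpAddress"))
            for d in docs
            if d["event_id"] == 4624 and int(d["event_data"].get("LogonType", 0)) == 10]


# Constructed sample documents, one JSON object per line as winlogbeat ships them.
SAMPLE_LINES = """
{"event_id": 4625, "event_data": {"TargetUserName": "alice", "IpAddress": "10.1.2.3", "LogonType": "3", "Status": "0xc000006d", "SubStatus": "0xc000006a"}}
{"event_id": 4625, "event_data": {"TargetUserName": "bob", "IpAddress": "10.1.2.3", "LogonType": "3", "Status": "0xc000006d", "SubStatus": "0xc000006a"}}
{"event_id": 4625, "event_data": {"TargetUserName": "carol", "IpAddress": "10.1.2.3", "LogonType": "3", "Status": "0xc000006d", "SubStatus": "0xc0000064"}}
{"event_id": 4625, "event_data": {"TargetUserName": "dave", "IpAddress": "10.1.2.3", "LogonType": "3", "Status": "0xc0000234", "SubStatus": "0x0"}}
{"event_id": 4624, "event_data": {"TargetUserName": "admin", "IpAddress": "10.1.2.3", "LogonType": "10"}}
{"event_id": 4624, "event_data": {"TargetUserName": "svc_backup", "IpAddress": "10.1.2.9", "LogonType": "3"}}
{"event_id": 4625, "event_data": {"TargetUserName": "eve", "IpAddress": "10.1.2.9", "LogonType": "3", "Status": "0xc000006d", "SubStatus": "0xc000006a"}}
""".strip().splitlines()
SAMPLE_DOCS = [json.loads(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    for doc in SAMPLE_DOCS:
        print(decode(doc))
    print("password spray:", find_password_spray(SAMPLE_DOCS))
    print("RDP logons:", find_rdp_logons(SAMPLE_DOCS))
```

Run it against documents exported from Elasticsearch (or piped from winlogbeat's file output) to check that your decoded fields match what Kibana shows; the spray threshold of three distinct accounts per source is a starting point to tune against your own baseline.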
winlogbeat.yml settings

winlogbeat.event_logs:
  - name: Security
    ignore_older: 72h

output.logstash:
  # The Logstash hosts
  hosts: ["10.10.10.10:5044"]
Logstash settings (input, filter and output). The conditional on [type] relies on the type field that winlogbeat 5.x sets to "wineventlog"; later Beats versions no longer send it, so match on [@metadata][beat] == "winlogbeat" there instead. document_type is only needed for Elasticsearch 5.x/6.x and should be dropped on 7.x.

input {
  beats {
    port => 5044
  }
}

filter {
  if [type] == "wineventlog" {
    mutate { add_field => { "indexType" => "WIN-LOGS" } }
  }
}

output {
  if [indexType] == "WIN-LOGS" {
    elasticsearch {
      hosts => ["http://elasticsearchhost:9200"]
      manage_template => false
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      document_type => "doc"
    }
  }
}
Kibana query for password reset events (4724 is an administrator resetting another account's password; add 4723 to also catch users changing their own)
event_id:4724
Kibana query for remote desktop logins (successful logons with logon type 10)
event_id:4624 AND event_data.LogonType:10
The field names above are the pre-ECS winlogbeat names; on winlogbeat 7 and later use winlog.event_id and winlog.event_data.LogonType.
Visualizations in Kibana
Password change events
Remote desktop logins