
Commit 8cba01a

authored
entityanalytics_ad: fix SID rendering and improve user identity and account control mappings (#13013)
The SID was being rendered incorrectly: the sub-authority count byte was emitted as a component of the textual SID. That component is now omitted. User Account Control (UAC) flags are now decoded from the activedirectory.user.user_account_control field into a list of flag names.
1 parent 88d8d8e commit 8cba01a

7 files changed

+122
-35
lines changed


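--- a/packages/entityanalytics_ad/changelog.yml
+++ b/packages/entityanalytics_ad/changelog.yml
@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "0.8.0"
+changes:
+- description: Improve users identity and account control mappings.
+type: enhancement
+link: https://github.com/elastic/integrations/pull/13013
+- description: Fix SID rendering.
+type: bugfix
+link: https://github.com/elastic/integrations/pull/13013
 - version: "0.7.0"
 changes:
 - description: Update Kibana constraint to support 9.0.0.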

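--- a/packages/entityanalytics_ad/data_stream/user/_dev/test/pipeline/test-user.json-expected.json
+++ b/packages/entityanalytics_ad/data_stream/user/_dev/test/pipeline/test-user.json-expected.json
@@ -32,7 +32,7 @@
 "asset": {
 "category": "entity",
 "create_date": "2024-01-22T06:36:59.000Z",
-"id": "CN=Administrator,CN=Users,DC=testserver,DC=local",
+"id": "S-1-5-21-372676048-1189045421-4047760665-500",
 "last_updated": "2024-03-27T04:30:09.000Z",
 "name": "Administrator",
 "type": "activedirectory_user"
@@ -51,6 +51,7 @@
 "1601-01-01T00:00:01Z"
 ],
 "group_type": "-2147483646",
+"id": "S-1-5-21-372676048-1189045421-4047760665-520",
 "instance_type": "4",
 "is_critical_system_object": true,
 "member": "CN=Administrator,CN=Users,DC=testserver,DC=local",
@@ -62,7 +63,7 @@
 "group"
 ],
 "object_guid": "eeaebdab-3304-4192-9dd5-7d8815b2ba1f",
-"object_sid": "S-1-5-5-21-372676048-1189045421-4047760665-520",
+"object_sid": "S-1-5-21-372676048-1189045421-4047760665-520",
 "sam_account_name": "Group Policy Creator Owners",
 "sam_account_type": "268435456",
 "usn_changed": "12391",
@@ -81,6 +82,7 @@
 "1601-01-01T00:04:16Z"
 ],
 "group_type": "-2147483646",
+"id": "S-1-5-21-372676048-1189045421-4047760665-512",
 "instance_type": "4",
 "is_critical_system_object": true,
 "member": "CN=Administrator,CN=Users,DC=testserver,DC=local",
@@ -95,7 +97,7 @@
 "group"
 ],
 "object_guid": "37d9c275-8f12-4ff7-b36b-eb112e187c90",
-"object_sid": "S-1-5-5-21-372676048-1189045421-4047760665-512",
+"object_sid": "S-1-5-21-372676048-1189045421-4047760665-512",
 "sam_account_name": "Domain Admins",
 "sam_account_type": "268435456",
 "usn_changed": "12770",
@@ -115,6 +117,7 @@
 ],
 "group_type": "-2147483640",
 "instance_type": "4",
+"id": "S-1-5-21-372676048-1189045421-4047760665-519",
 "is_critical_system_object": true,
 "member": "CN=Administrator,CN=Users,DC=testserver,DC=local",
 "member_of": [
@@ -128,7 +131,7 @@
 "group"
 ],
 "object_guid": "5325d1f0-3aa1-4e4d-b50c-d14b21eed51d",
-"object_sid": "S-1-5-5-21-372676048-1189045421-4047760665-519",
+"object_sid": "S-1-5-21-372676048-1189045421-4047760665-519",
 "sam_account_name": "Enterprise Admins",
 "sam_account_type": "268435456",
 "usn_changed": "12773",
@@ -147,6 +150,7 @@
 "1601-01-01T00:04:16Z"
 ],
 "group_type": "-2147483640",
+"id": "S-1-5-21-372676048-1189045421-4047760665-518",
 "instance_type": "4",
 "is_critical_system_object": true,
 "member": "CN=Administrator,CN=Users,DC=testserver,DC=local",
@@ -158,7 +162,7 @@
 "group"
 ],
 "object_guid": "fca92f4e-20ce-40b4-8044-5045ddc352a7",
-"object_sid": "S-1-5-5-21-372676048-1189045421-4047760665-518",
+"object_sid": "S-1-5-21-372676048-1189045421-4047760665-518",
 "sam_account_name": "Schema Admins",
 "sam_account_type": "268435456",
 "usn_changed": "12769",
@@ -167,7 +171,6 @@
 "when_created": "2024-01-22T06:37:40Z"
 }
 ],
-"id": "CN=Administrator,CN=Users,DC=testserver,DC=local",
 "user": {
 "account_expires": "2185-07-21T23:34:33.709551516Z",
 "admin_count": "1",
@@ -198,6 +201,7 @@
 "CN=Administrators,CN=Builtin,DC=testserver,DC=local"
 ],
 "name": "Administrator",
+"object_dn": "CN=Administrator,CN=Users,DC=testserver,DC=local",
 "object_category": "CN=Person,CN=Schema,CN=Configuration,DC=testserver,DC=local",
 "object_class": [
 "top",
@@ -206,11 +210,15 @@
 "user"
 ],
 "object_guid": "09e84591-183c-48bf-9935-ce9469d024d7",
-"object_sid": "S-1-5-5-21-372676048-1189045421-4047760665-500",
+"object_sid": "S-1-5-21-372676048-1189045421-4047760665-500",
 "primary_group_id": "513",
 "pwd_last_set": "2024-01-22T06:15:39.8703568Z",
 "sam_account_name": "Administrator",
 "sam_account_type": "805306368",
+"uac_list": [
+"USER_DONT_REQUIRE_PREAUTH",
+"USER_DONT_EXPIRE_PASSWORD"
+],
 "user_account_control": "66048",
 "usn_changed": "25166",
 "usn_created": "8196",
@@ -235,8 +243,7 @@
 "user": [
 "Administrator",
 "CN=Administrator,CN=Users,DC=testserver,DC=local",
-"09e84591-183c-48bf-9935-ce9469d024d7",
-"S-1-5-5-21-372676048-1189045421-4047760665-500"
+"09e84591-183c-48bf-9935-ce9469d024d7"
 ]
 },
 "tags": [
@@ -247,7 +254,7 @@
 "password_change_date": "2024-01-22T06:15:39.870Z"
 },
 "domain": "testserver.local",
-"id": "CN=Administrator,CN=Users,DC=testserver,DC=local",
+"id": "S-1-5-21-372676048-1189045421-4047760665-500",
 "name": "Administrator"
 }
 },
@@ -256,7 +263,7 @@
 "asset": {
 "category": "entity",
 "create_date": "2024-01-22T06:36:59.000Z",
-"id": "CN=Guest,CN=Users,DC=testserver,DC=local",
+"id": "S-1-5-21-372676048-1189045421-4047760665-501",
 "last_updated": "2024-01-22T06:36:59.000Z",
 "name": "Guest",
 "type": "activedirectory_user"
@@ -265,7 +272,6 @@
 "version": "8.11.0"
 },
 "entityanalytics_ad": {
-"id": "CN=Guest,CN=Users,DC=testserver,DC=local",
 "user": {
 "account_expires": "2185-07-21T23:34:33.709551516Z",
 "bad_password_time": "0",
@@ -286,6 +292,7 @@
 "logon_count": "0",
 "member_of": "CN=Guests,CN=Builtin,DC=testserver,DC=local",
 "name": "Guest",
+"object_dn": "CN=Guest,CN=Users,DC=testserver,DC=local",
 "object_category": "CN=Person,CN=Schema,CN=Configuration,DC=testserver,DC=local",
 "object_class": [
 "top",
@@ -294,12 +301,18 @@
 "user"
 ],
 "object_guid": "e37f2b85-c945-4e41-9c7f-e2765e860c1f",
-"object_sid": "S-1-5-5-21-372676048-1189045421-4047760665-501",
+"object_sid": "S-1-5-21-372676048-1189045421-4047760665-501",
 "primary_group_id": "514",
 "pwd_last_set": "2185-07-21T23:34:33.709551616Z",
 "sam_account_name": "Guest",
 "sam_account_type": "805306368",
 "user_account_control": "66082",
+"uac_list": [
+"USER_MNS_LOGON_ACCOUNT",
+"USER_DONT_REQUIRE_PREAUTH",
+"USER_HOME_DIRECTORY_REQUIRED",
+"USER_DONT_EXPIRE_PASSWORD"
+],
 "usn_changed": "8197",
 "usn_created": "8197",
 "when_changed": "2024-01-22T06:36:59Z",
@@ -323,8 +336,7 @@
 "user": [
 "Guest",
 "CN=Guest,CN=Users,DC=testserver,DC=local",
-"e37f2b85-c945-4e41-9c7f-e2765e860c1f",
-"S-1-5-5-21-372676048-1189045421-4047760665-501"
+"e37f2b85-c945-4e41-9c7f-e2765e860c1f"
 ]
 },
 "tags": [
@@ -335,7 +347,7 @@
 "password_change_date": "2185-07-21T23:34:33.709Z"
 },
 "domain": "testserver.local",
-"id": "CN=Guest,CN=Users,DC=testserver,DC=local",
+"id": "S-1-5-21-372676048-1189045421-4047760665-501",
 "name": "Guest"
 }
 },
@@ -344,7 +356,7 @@
 "asset": {
 "category": "entity",
 "create_date": "2024-01-22T06:37:40.000Z",
-"id": "CN=krbtgt,CN=Users,DC=testserver,DC=local",
+"id": "S-1-5-21-372676048-1189045421-4047760665-502",
 "last_updated": "2024-01-22T06:52:50.000Z",
 "name": "krbtgt",
 "type": "activedirectory_user"
@@ -363,6 +375,7 @@
 "1601-01-01T00:00:01Z"
 ],
 "group_type": "-2147483644",
+"id": "S-1-5-21-372676048-1189045421-4047760665-572",
 "instance_type": "4",
 "is_critical_system_object": true,
 "member": [
@@ -382,7 +395,7 @@
 "group"
 ],
 "object_guid": "fef93e22-372d-446e-93c7-86ea750959df",
-"object_sid": "S-1-5-5-21-372676048-1189045421-4047760665-572",
+"object_sid": "S-1-5-21-372676048-1189045421-4047760665-572",
 "sam_account_name": "Denied RODC Password Replication Group",
 "sam_account_type": "536870912",
 "usn_changed": "12433",
@@ -391,7 +404,6 @@
 "when_created": "2024-01-22T06:37:40Z"
 }
 ],
-"id": "CN=krbtgt,CN=Users,DC=testserver,DC=local",
 "user": {
 "account_expires": "2185-07-21T23:34:33.709551516Z",
 "admin_count": "1",
@@ -415,6 +427,7 @@
 "member_of": "CN=Denied RODC Password Replication Group,CN=Users,DC=testserver,DC=local",
 "msds-supported_encryption_types": "0",
 "name": "krbtgt",
+"object_dn": "CN=krbtgt,CN=Users,DC=testserver,DC=local",
 "object_category": "CN=Person,CN=Schema,CN=Configuration,DC=testserver,DC=local",
 "object_class": [
 "top",
@@ -423,13 +436,17 @@
 "user"
 ],
 "object_guid": "1736d9ad-aefa-4be0-9de7-64396d35dcee",
-"object_sid": "S-1-5-5-21-372676048-1189045421-4047760665-502",
+"object_sid": "S-1-5-21-372676048-1189045421-4047760665-502",
 "primary_group_id": "513",
 "pwd_last_set": "2024-01-22T06:37:40.4305135Z",
 "sam_account_name": "krbtgt",
 "sam_account_type": "805306368",
 "service_principal_name": "kadmin/changepw",
 "show_in_advanced_view_only": true,
+"uac_list": [
+"USER_HOME_DIRECTORY_REQUIRED",
+"USER_DONT_EXPIRE_PASSWORD"
+],
 "user_account_control": "514",
 "usn_changed": "12785",
 "usn_created": "12324",
@@ -454,8 +471,7 @@
 "user": [
 "krbtgt",
 "CN=krbtgt,CN=Users,DC=testserver,DC=local",
-"1736d9ad-aefa-4be0-9de7-64396d35dcee",
-"S-1-5-5-21-372676048-1189045421-4047760665-502"
+"1736d9ad-aefa-4be0-9de7-64396d35dcee"
 ]
 },
 "tags": [
@@ -466,7 +482,7 @@
 "password_change_date": "2024-01-22T06:37:40.430Z"
 },
 "domain": "testserver.local",
-"id": "CN=krbtgt,CN=Users,DC=testserver,DC=local",
+"id": "S-1-5-21-372676048-1189045421-4047760665-502",
 "name": "krbtgt"
 }
 },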

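--- a/packages/entityanalytics_ad/data_stream/user/elasticsearch/ingest_pipeline/entity.yml
+++ b/packages/entityanalytics_ad/data_stream/user/elasticsearch/ingest_pipeline/entity.yml
@@ -98,13 +98,13 @@ processors:
 }
 String sid(String text) {
 def bytes = Base64.getDecoder().decode(text);
-int subauths = Byte.toUnsignedInt(bytes[1]);
-def uid = "S-"+Byte.toString(bytes[0])+"-"+Integer.toString(subauths)+"-";
+def uid = "S-"+Byte.toString(bytes[0])+"-";
 int auth = 0;
 for (int i = 2; i < 8; i++) {
 auth |= Byte.toUnsignedInt(bytes[i])<<(8*(5-(i-2)));
 }
 uid += Integer.toString(auth);
+int subauths = Byte.toUnsignedInt(bytes[1]);
 int off = 8;
 for (int i = 0; i < subauths; i++) {
 int subauth = 0;
@@ -161,6 +161,50 @@ processors:
 
 ctx.activedirectory = renameKeys(ctx.activedirectory, params)
 
+- script:
+lang: painless
+ignore_failure: false
+tag: Set User Account Control
+description: Set User Account Control
+# USER_ACCOUNT Codes
+# https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec
+params:
+"0x00000001": USER_ACCOUNT_DISABLED
+"0x00000002": USER_HOME_DIRECTORY_REQUIRED
+"0x00000004": USER_PASSWORD_NOT_REQUIRED
+"0x00000008": USER_TEMP_DUPLICATE_ACCOUNT
+"0x00000010": USER_NORMAL_ACCOUNT
+"0x00000020": USER_MNS_LOGON_ACCOUNT
+"0x00000040": USER_INTERDOMAIN_TRUST_ACCOUNT
+"0x00000080": USER_WORKSTATION_TRUST_ACCOUNT
+"0x00000100": USER_SERVER_TRUST_ACCOUNT
+"0x00000200": USER_DONT_EXPIRE_PASSWORD
+"0x00000400": USER_ACCOUNT_AUTO_LOCKED
+"0x00000800": USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED
+"0x00001000": USER_SMARTCARD_REQUIRED
+"0x00002000": USER_TRUSTED_FOR_DELEGATION
+"0x00004000": USER_NOT_DELEGATED
+"0x00008000": USER_USE_DES_KEY_ONLY
+"0x00010000": USER_DONT_REQUIRE_PREAUTH
+"0x00020000": USER_PASSWORD_EXPIRED
+"0x00040000": USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
+"0x00080000": USER_NO_AUTH_DATA_REQUIRED
+"0x00100000": USER_PARTIAL_SECRETS_ACCOUNT
+"0x00200000": USER_USE_AES_KEYS
+source: |-
+Long newUacValue = Long.decode(ctx.activedirectory.user.user_account_control);
+ArrayList uacResult = new ArrayList();
+for (entry in params.entrySet()) {
+Long flag = Long.decode(entry.getKey());
+if ((newUacValue.longValue() & flag.longValue()) != 0) {
+uacResult.add(entry.getValue());
+}
+}
+if (uacResult.length != 0) {
+ctx.activedirectory.user.uac_list = uacResult;
+}
+if: ctx.activedirectory?.user?.user_account_control != null && ctx.activedirectory.user.user_account_control != 0
+
 - date:
 field: activedirectory.user.when_created
 target_field: asset.create_date
@@ -224,8 +268,20 @@ processors:
 if: ctx.user?.domain != null
 - set:
 field: asset.id
-copy_from: activedirectory.id
-ignore_empty_value: true
+copy_from: activedirectory.user.object_sid
+- set:
+field: user.id
+copy_from: activedirectory.user.object_sid
+
+- foreach:
+tag: foreach_group_id
+field: activedirectory.groups
+if: ctx.activedirectory?.groups instanceof List
+processor:
+set:
+tag: set_group_id
+field: "_ingest._value.id"
+value: "{{{_ingest._value.object_sid}}}"
 
 - append:
 field: related.user
@@ -245,12 +301,10 @@ processors:
 tag: append_object_guid_into_related_user
 allow_duplicates: false
 if: ctx.activedirectory?.user?.object_guid != null
-- append:
-field: related.user
-value: "{{{activedirectory.user.object_sid}}}"
-tag: append_object_sid_into_related_user
-allow_duplicates: false
-if: ctx.activedirectory?.user?.object_sid != null
+
+- rename:
+field: activedirectory.id
+target_field: activedirectory.user.object_dn
 
 - rename:
 field: activedirectory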
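Review bot: The `params` table in the new "Set User Account Control" script uses the MS-SAMR USER_ACCOUNT (ACB) bit positions linked in the comment, but the value it decodes is, judging by the field name and the fixture values, the LDAP `userAccountControl` attribute, whose bit layout is different (ACCOUNTDISABLE is 0x2, NORMAL_ACCOUNT 0x200, DONT_EXPIRE_PASSWORD 0x10000, DONT_REQ_PREAUTH 0x400000). The committed fixture shows the consequence: krbtgt's `514` (0x202) is emitted as `USER_HOME_DIRECTORY_REQUIRED`/`USER_DONT_EXPIRE_PASSWORD` instead of a disabled normal account, and the built-in Administrator's `66048` (0x10200) gains `USER_DONT_REQUIRE_PREAUTH`, so any detection or entity-risk logic reading `uac_list` would see a disabled krbtgt as enabled and the domain Administrator as AS-REP-roastable. Re-keying the existing flag names to the `userAccountControl` layout (below) fixes the decoding without changing the field's vocabulary; the expected fixture then needs regenerating, and the comment should cite the `userAccountControl` attribute rather than MS-SAMR. A smaller point on the `if:` guard: `user_account_control` arrives as a string (the fixture stores `"66048"`), so `!= 0` is always true and does not skip a literal `"0"` as it appears intended to; `!= "0"` would.
```yaml
# userAccountControl bit layout; not the MS-SAMR USER_ACCOUNT (ACB) codes
params:
  "0x00000002": USER_ACCOUNT_DISABLED
  "0x00000008": USER_HOME_DIRECTORY_REQUIRED
  "0x00000010": USER_ACCOUNT_AUTO_LOCKED
  "0x00000020": USER_PASSWORD_NOT_REQUIRED
  "0x00000080": USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED
  "0x00000100": USER_TEMP_DUPLICATE_ACCOUNT
  "0x00000200": USER_NORMAL_ACCOUNT
  "0x00000800": USER_INTERDOMAIN_TRUST_ACCOUNT
  "0x00001000": USER_WORKSTATION_TRUST_ACCOUNT
  "0x00002000": USER_SERVER_TRUST_ACCOUNT
  "0x00010000": USER_DONT_EXPIRE_PASSWORD
  "0x00020000": USER_MNS_LOGON_ACCOUNT
  "0x00040000": USER_SMARTCARD_REQUIRED
  "0x00080000": USER_TRUSTED_FOR_DELEGATION
  "0x00100000": USER_NOT_DELEGATED
  "0x00200000": USER_USE_DES_KEY_ONLY
  "0x00400000": USER_DONT_REQUIRE_PREAUTH
  "0x00800000": USER_PASSWORD_EXPIRED
  "0x01000000": USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
  "0x02000000": USER_NO_AUTH_DATA_REQUIRED
  "0x04000000": USER_PARTIAL_SECRETS_ACCOUNT
  "0x08000000": USER_USE_AES_KEYS
# … unchanged: source script …
if: ctx.activedirectory?.user?.user_account_control != null && ctx.activedirectory.user.user_account_control != "0"
```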
