[system.security,windows.forwarded] Add 'Group Membership' to categor…

…y enrichment (elastic#12335) For the system.security and windows.forwarded data streams, enrich group membership related events with an audit category and subcategory. The associated UUID was missing from the enrichment table. The UUID value is referenced in https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d
agithomas · Feb 11, 2025 · 5f6a456 · 5f6a456
1 parent de1db4a
commit 5f6a456
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 2 deletions.
diff --git a/packages/system/changelog.yml b/packages/system/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.66.1"
+  changes:
+    - description: For Windows security event logs, enrich group membership related events with an audit category and subcategory.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/12335
 - version: "1.66.0"
   changes:
     - description: Allow the usage of deprecated log input and support for stack 9.0

diff --git a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml
@@ -1128,6 +1128,7 @@ processors:
         "0CCE921C-69AE-11D9-BED3-505054503030": ["Other Logon/Logoff Events","Logon/Logoff"]
         "0CCE9243-69AE-11D9-BED3-505054503030": ["Network Policy Server","Logon/Logoff"]
         "0CCE9247-69AE-11D9-BED3-505054503030": ["User / Device Claims","Logon/Logoff"]
+        "0CCE9249-69AE-11D9-BED3-505054503030": ["Group Membership","Logon/Logoff"]
         "0CCE921D-69AE-11D9-BED3-505054503030": ["File System","Object Access"]
         "0CCE921E-69AE-11D9-BED3-505054503030": ["Registry","Object Access"]
         "0CCE921F-69AE-11D9-BED3-505054503030": ["Kernel Object","Object Access"]

diff --git a/packages/system/manifest.yml b/packages/system/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.2
 name: system
 title: System
-version: "1.66.0"
+version: "1.66.1"
 description: Collect system logs and metrics from your servers with Elastic Agent.
 type: integration
 categories:

diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.4.1"
+  changes:
+    - description: For Windows security event logs, enrich group membership related events with an audit category and subcategory.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/12335
 - version: "2.4.0"
   changes:
     - description: Improve pipeline script to parse fully rendered events correctly.

diff --git a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml
@@ -1036,6 +1036,7 @@ processors:
         "0CCE921C-69AE-11D9-BED3-505054503030": ["Other Logon/Logoff Events","Logon/Logoff"]
         "0CCE9243-69AE-11D9-BED3-505054503030": ["Network Policy Server","Logon/Logoff"]
         "0CCE9247-69AE-11D9-BED3-505054503030": ["User / Device Claims","Logon/Logoff"]
+        "0CCE9249-69AE-11D9-BED3-505054503030": ["Group Membership","Logon/Logoff"]
         "0CCE921D-69AE-11D9-BED3-505054503030": ["File System","Object Access"]
         "0CCE921E-69AE-11D9-BED3-505054503030": ["Registry","Object Access"]
         "0CCE921F-69AE-11D9-BED3-505054503030": ["Kernel Object","Object Access"]

diff --git a/packages/windows/manifest.yml b/packages/windows/manifest.yml
@@ -1,6 +1,6 @@
 name: windows
 title: Windows
-version: 2.4.0
+version: 2.4.1
 description: Collect logs and metrics from Windows OS and services with Elastic Agent.
 type: integration
 categories: