From 5f6a456db3edc066374cb3ab499d0a34c730b2bc Mon Sep 17 00:00:00 2001
From: ksctst <78084392+ksctst@users.noreply.github.com>
Date: Tue, 11 Feb 2025 23:49:07 +0300
Subject: [PATCH] [system.security,windows.forwarded] Add 'Group Membership' to category enrichment (#12335)
For the system.security and windows.forwarded data streams, enrich group membership related events with an audit category and subcategory. The associated UUID was missing from the enrichment table. The UUID value is referenced in https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d
---
 packages/system/changelog.yml | 5 +++++
 .../security/elasticsearch/ingest_pipeline/standard.yml | 1 +
 packages/system/manifest.yml | 2 +-
 packages/windows/changelog.yml | 5 +++++
 .../forwarded/elasticsearch/ingest_pipeline/security.yml | 1 +
 packages/windows/manifest.yml | 2 +-
 6 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/packages/system/changelog.yml b/packages/system/changelog.yml
index c4966214943..0a22af1df0d 100644
--- a/packages/system/changelog.yml
+++ b/packages/system/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.66.1"
+ changes:
+ - description: For Windows security event logs, enrich group membership related events with an audit category and subcategory.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/12335
 - version: "1.66.0"
 changes:
 - description: Allow the usage of deprecated log input and support for stack 9.0
diff --git a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml
index b7b223ae15e..7d407cf6818 100644
--- a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml
+++ b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml
@@ -1128,6 +1128,7 @@ processors:
 "0CCE921C-69AE-11D9-BED3-505054503030": ["Other Logon/Logoff Events","Logon/Logoff"]
 "0CCE9243-69AE-11D9-BED3-505054503030": ["Network Policy Server","Logon/Logoff"]
 "0CCE9247-69AE-11D9-BED3-505054503030": ["User / Device Claims","Logon/Logoff"]
+ "0CCE9249-69AE-11D9-BED3-505054503030": ["Group Membership","Logon/Logoff"]
 "0CCE921D-69AE-11D9-BED3-505054503030": ["File System","Object Access"]
 "0CCE921E-69AE-11D9-BED3-505054503030": ["Registry","Object Access"]
 "0CCE921F-69AE-11D9-BED3-505054503030": ["Kernel Object","Object Access"]
diff --git a/packages/system/manifest.yml b/packages/system/manifest.yml
index 22855fbfa90..9f00eee86f1 100644
--- a/packages/system/manifest.yml
+++ b/packages/system/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.2
 name: system
 title: System
-version: "1.66.0"
+version: "1.66.1"
 description: Collect system logs and metrics from your servers with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml
index 8e966805057..a473d784b5d 100644
--- a/packages/windows/changelog.yml
+++ b/packages/windows/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.4.1"
+ changes:
+ - description: For Windows security event logs, enrich group membership related events with an audit category and subcategory.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/12335
 - version: "2.4.0"
 changes:
 - description: Improve pipeline script to parse fully rendered events correctly.
diff --git a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml
index f7545e4b415..02f9f05876d 100644
--- a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml
+++ b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml
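Review bot: The new `"0CCE9249-69AE-11D9-BED3-505054503030": ["Group Membership","Logon/Logoff"]` entry is not exercised by any pipeline test in this patch — the diffstat touches only the pipeline, changelog and manifest, with no sample event or expected-output fixture (these normally live under the data stream's `_dev/test/pipeline` directory), so a typo in the GUID or in the category pair would pass CI unnoticed. I'd add a Security event carrying this subcategory GUID (event ID 4627, "Group membership information", is the event Windows logs under this subcategory if I recall the audit-policy mapping correctly) and regenerate the expected output so the enriched category and subcategory values are pinned. The GUID itself matches the MS-GPAC reference linked in the commit message, and placing it next to the other Logon/Logoff subcategories keeps the table's grouping consistent. The enclosing `processors:` mapping that holds this lookup table starts and ends outside the hunk, so I could not check whether the key is compared case-sensitively against the event field.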
@@ -1036,6 +1036,7 @@ processors:
 "0CCE921C-69AE-11D9-BED3-505054503030": ["Other Logon/Logoff Events","Logon/Logoff"]
 "0CCE9243-69AE-11D9-BED3-505054503030": ["Network Policy Server","Logon/Logoff"]
 "0CCE9247-69AE-11D9-BED3-505054503030": ["User / Device Claims","Logon/Logoff"]
+ "0CCE9249-69AE-11D9-BED3-505054503030": ["Group Membership","Logon/Logoff"]
 "0CCE921D-69AE-11D9-BED3-505054503030": ["File System","Object Access"]
 "0CCE921E-69AE-11D9-BED3-505054503030": ["Registry","Object Access"]
 "0CCE921F-69AE-11D9-BED3-505054503030": ["Kernel Object","Object Access"]
diff --git a/packages/windows/manifest.yml b/packages/windows/manifest.yml
index 0eb2467b216..0b6ef156d12 100644
--- a/packages/windows/manifest.yml
+++ b/packages/windows/manifest.yml
@@ -1,6 +1,6 @@
 name: windows
 title: Windows
-version: 2.4.0
+version: 2.4.1
 description: Collect logs and metrics from Windows OS and services with Elastic Agent.
 type: integration
 categories:
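Review bot: This hunk lands the same `0CCE9249-…` row in a second, hand-maintained copy of the audit-category table, and nothing in the patch adds a forwarded-event fixture that would catch the two copies drifting apart — the diffstat shows no test sample or expected file for `windows.forwarded`. Since the table is duplicated verbatim between `system.security` and `windows.forwarded`, I'd add a sample event with this subcategory GUID to the forwarded pipeline tests as well, rather than relying on the system data stream's coverage, because the forwarded pipeline can diverge independently (its table already sits at a different offset, line 1036 versus 1128). The entry value and its placement among the Logon/Logoff subcategories look correct against the MS-GPAC reference cited in the commit message. The `processors:` block containing this table begins and ends outside the hunk.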