From fe4f1cae202d50bb673ecdf798a0f566eb78d3bb Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Fri, 20 Mar 2026 09:42:53 +0100 Subject: [PATCH 1/5] Enhance Windows/system security: args_count (4688), 5136 reason & ObjectDN - Add process.args_count for event 4688 (#14767) - Map OperationType to event.reason for event 5136 (#15308) - Parse ObjectDN for 5136 into user.target/group/host by ObjectClass (#16965) Keep windows.forwarded and system.security pipelines in sync. --- packages/system/changelog.yml | 6 +++ .../pipeline/test-log-5136.json-expected.json | 7 +++- ...19-4688-process-created.json-expected.json | 1 + .../ingest_pipeline/standard.yml | 41 +++++++++++++++++++ packages/system/manifest.yml | 2 +- packages/windows/changelog.yml | 6 +++ ...19-4688-process-created.json-expected.json | 1 + .../ingest_pipeline/security_standard.yml | 41 +++++++++++++++++++ packages/windows/manifest.yml | 2 +- 9 files changed, 104 insertions(+), 3 deletions(-) diff --git a/packages/system/changelog.yml b/packages/system/changelog.yml index ce2068f6719..c9a634bc0ed 100644 --- a/packages/system/changelog.yml +++ b/packages/system/changelog.yml @@ -1,4 +1,10 @@ # newer versions go on top +- version: "2.14.0" + changes: + - description: Add process.args_count to security process events (event 4688). + type: enhancement + - description: Map OperationType to event.reason and improve ObjectDN parsing for Windows Security event 5136. + type: enhancement - version: "2.13.0" changes: - description: Improve documentation diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-log-5136.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-log-5136.json-expected.json index cd838f949b4..6f9e99a6c7e 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-log-5136.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-log-5136.json-expected.json 
@@ -15,11 +15,15 @@ "kind": "event", "outcome": "success", "provider": "Microsoft-Windows-Security-Auditing", + "reason": "Value Added", "type": [ "admin", "change" ] }, + "group": { + "name": "{0AB54C97-8836-43BB-9B53- 87556DD51F30}" + }, "host": { "name": "DC01.contoso.local" }, @@ -28,7 +32,8 @@ }, "related": { "user": [ - "dadmin" + "dadmin", + "{0AB54C97-8836-43BB-9B53- 87556DD51F30}" ] }, "user": { diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json index 5871f217502..36c13cd5ebd 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json @@ -40,6 +40,7 @@ "cl", "Security" ], + "args_count": 3, "command_line": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security", "executable": "C:\\Windows\\System32\\wevtutil.exe", "name": "wevtutil.exe", diff --git a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml index bf68d2fc77f..43f0abac7d6 100644 --- a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml +++ b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml @@ -4352,6 +4352,7 @@ processors: } ctx.process.put("args", al); ctx.process.put("command_line", ctx.winlog.event_data.CommandLine); + ctx.process.put("args_count", al.size()); } if ((ctx.winlog?.event_data?.TargetUserName != null) && (!ctx.winlog.event_data.TargetUserName.equals("-"))) { 
@@ -4432,6 +4433,46 @@ processors: ctx.winlog?.event_data?.OldTargetUserName != null && ctx.winlog.event_data.OldTargetUserName != "-" + - set: + field: event.reason + copy_from: winlog.event_data.OperationType + if: ctx.event?.code == "5136" && ctx.winlog?.event_data?.OperationType != null + + - script: + lang: painless + ignore_failure: true + tag: Event 5136 ObjectDN and ObjectClass mappings + description: Parse ObjectDN for event 5136 to set user.target.name, group.name based on ObjectClass + source: |- + if (ctx.event?.code != "5136" || ctx.winlog?.event_data?.ObjectDN == null) { + return; + } + String objectDN = ctx.winlog.event_data.ObjectDN.toString(); + String objectClass = ctx.winlog?.event_data?.ObjectClass != null ? ctx.winlog.event_data.ObjectClass.toString().toLowerCase() : ""; + int cnStart = objectDN.toLowerCase().indexOf("cn="); + if (cnStart < 0) return; + int valueStart = cnStart + 3; + int commaIdx = objectDN.indexOf(",", valueStart); + String cnValue = commaIdx >= 0 ? 
objectDN.substring(valueStart, commaIdx).trim() : objectDN.substring(valueStart).trim(); + if (cnValue.length() == 0) return; + if (objectClass.contains("user")) { + if (ctx.user == null) ctx.put("user", new HashMap()); + if (ctx.user.target == null) ctx.user.put("target", new HashMap()); + ctx.user.target.put("name", cnValue); + if (ctx.related == null) ctx.put("related", new HashMap()); + if (ctx.related.user == null) ctx.related.put("user", new ArrayList()); + if (!ctx.related.user.contains(cnValue)) ctx.related.user.add(cnValue); + } else if (objectClass.contains("group")) { + if (ctx.group == null) ctx.put("group", new HashMap()); + ctx.group.put("name", cnValue); + if (ctx.related == null) ctx.put("related", new HashMap()); + if (ctx.related.user == null) ctx.related.put("user", new ArrayList()); + if (!ctx.related.user.contains(cnValue)) ctx.related.user.add(cnValue); + } else if (objectClass.contains("computer") && (ctx.host == null || ctx.host.name == null)) { + if (ctx.host == null) ctx.put("host", new HashMap()); + ctx.host.put("name", cnValue); + } + - gsub: description: Normalize separators in the SidList value. field: winlog.event_data.SidList diff --git a/packages/system/manifest.yml b/packages/system/manifest.yml index ed86999f3b9..29c163d8ce1 100644 --- a/packages/system/manifest.yml +++ b/packages/system/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.4.0 name: system title: System -version: "2.13.0" +version: "2.14.0" description: Collect system logs and metrics from your servers with Elastic Agent. type: integration categories: diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml index 3503566ef47..f98d6d977be 100644 --- a/packages/windows/changelog.yml +++ b/packages/windows/changelog.yml 
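Review bot: The ObjectClass dispatch uses substring matching (`objectClass.contains("user")`, `contains("group")`, `contains("computer")`), so classes like `groupPolicyContainer` or `msDS-GroupManagedServiceAccount` land in the group branch and write a non-group CN into `group.name` and `related.user`; the updated 5136 expectation in this same patch, where `group.name` becomes a GUID-shaped CN, looks consistent with Microsoft's documented 5136 sample (whose ObjectClass is groupPolicyContainer), though the test input itself is not in the diff. Compare the class exactly instead, e.g. `if (objectClass.equals("user") || objectClass.equals("inetorgperson")) {` / `} else if (objectClass.equals("group")) {` / `} else if (objectClass.equals("computer") && (ctx.host == null || ctx.host.name == null)) {`, and leave any other class unmapped so a GPO edit is not surfaced as a group change in IAM detections. Pushing group names into `related.user` also conflates principals and groups for `related.user` pivots; if that is intentional, say so in the processor `description`. The `cn=` lookup via `indexOf` on the whole DN will also accept a CN that is not the leading RDN, which is worth a `// assumes the first cn= is the object's own RDN` comment.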
@@ -1,4 +1,10 @@ # newer versions go on top +- version: "3.7.0" + changes: + - description: Add process.args_count to forwarded security process events (event 4688). + type: enhancement + - description: Map OperationType to event.reason and improve ObjectDN parsing for Windows Security event 5136. + type: enhancement - version: "3.6.1" changes: - description: Handle ContextInfo containing multi-line values in PowerShell Event ID 4103. diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json index b8f5751bfa5..e345ef13550 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json @@ -44,6 +44,7 @@ "cl", "Security" ], + "args_count": 3, "command_line": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security", "executable": "C:\\Windows\\System32\\wevtutil.exe", "name": "wevtutil.exe", diff --git a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml index cdb30daa1db..8a1191be412 100644 --- a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml +++ b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml @@ -3876,6 +3876,7 @@ processors: } ctx.process.put("args", al); ctx.process.put("command_line", ctx.winlog.event_data.CommandLine); + ctx.process.put("args_count", al.size()); } if ((ctx.winlog?.event_data?.TargetUserName != null) && (!ctx.winlog.event_data.TargetUserName.equals("-"))) { 
@@ -3947,6 +3948,46 @@ processors: ctx.winlog?.event_data?.OldTargetUserName != null && ctx.winlog.event_data.OldTargetUserName != "-" + - set: + field: event.reason + copy_from: winlog.event_data.OperationType + if: ctx.event?.code == "5136" && ctx.winlog?.event_data?.OperationType != null + + - script: + lang: painless + ignore_failure: true + tag: Event 5136 ObjectDN and ObjectClass mappings + description: Parse ObjectDN for event 5136 to set user.target.name, group.name based on ObjectClass + source: |- + if (ctx.event?.code != "5136" || ctx.winlog?.event_data?.ObjectDN == null) { + return; + } + String objectDN = ctx.winlog.event_data.ObjectDN.toString(); + String objectClass = ctx.winlog?.event_data?.ObjectClass != null ? ctx.winlog.event_data.ObjectClass.toString().toLowerCase() : ""; + int cnStart = objectDN.toLowerCase().indexOf("cn="); + if (cnStart < 0) return; + int valueStart = cnStart + 3; + int commaIdx = objectDN.indexOf(",", valueStart); + String cnValue = commaIdx >= 0 ? 
objectDN.substring(valueStart, commaIdx).trim() : objectDN.substring(valueStart).trim(); + if (cnValue.length() == 0) return; + if (objectClass.contains("user")) { + if (ctx.user == null) ctx.put("user", new HashMap()); + if (ctx.user.target == null) ctx.user.put("target", new HashMap()); + ctx.user.target.put("name", cnValue); + if (ctx.related == null) ctx.put("related", new HashMap()); + if (ctx.related.user == null) ctx.related.put("user", new ArrayList()); + if (!ctx.related.user.contains(cnValue)) ctx.related.user.add(cnValue); + } else if (objectClass.contains("group")) { + if (ctx.group == null) ctx.put("group", new HashMap()); + ctx.group.put("name", cnValue); + if (ctx.related == null) ctx.put("related", new HashMap()); + if (ctx.related.user == null) ctx.related.put("user", new ArrayList()); + if (!ctx.related.user.contains(cnValue)) ctx.related.user.add(cnValue); + } else if (objectClass.contains("computer") && (ctx.host == null || ctx.host.name == null)) { + if (ctx.host == null) ctx.put("host", new HashMap()); + ctx.host.put("name", cnValue); + } + - gsub: description: Normalize separators in the SidList value. field: winlog.event_data.SidList diff --git a/packages/windows/manifest.yml b/packages/windows/manifest.yml index 5d60ec474b4..2d10f03627a 100644 --- a/packages/windows/manifest.yml +++ b/packages/windows/manifest.yml @@ -1,6 +1,6 @@ name: windows title: Windows -version: 3.6.1 +version: 3.7.0 description: Collect logs and metrics from Windows OS and services with Elastic Agent. type: integration categories: From 276b8c997825378d2dc7f3c63807049b3bc075f5 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Fri, 20 Mar 2026 09:43:05 +0100 Subject: [PATCH 2/5] Add PR link to changelog entries --- packages/system/changelog.yml | 2 ++ packages/windows/changelog.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/packages/system/changelog.yml b/packages/system/changelog.yml index c9a634bc0ed..2c238b50f96 100644 --- a/packages/system/changelog.yml 
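Review bot: The branch selection on `objectClass.contains("user")` / `contains("group")` / `contains("computer")` matches by substring, so any class whose name merely contains those words (for example `groupPolicyContainer` or `msDS-GroupManagedServiceAccount`) is mapped as a group and its CN ends up in `group.name` and `related.user`. This is the forwarded-pipeline copy of the same script, so detections built on `group.name` for 5136 will see GPO GUIDs on both data streams; the test input that produced the GUID-shaped `group.name` is not in the diff, so I am inferring the class from Microsoft's published 5136 sample. Use exact comparisons, `if (objectClass.equals("user") || objectClass.equals("inetorgperson")) {`, `} else if (objectClass.equals("group")) {`, `} else if (objectClass.equals("computer") && (ctx.host == null || ctx.host.name == null)) {`, and keep the two pipelines in lockstep as the commit message promises.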
+++ b/packages/system/changelog.yml @@ -3,8 +3,10 @@ changes: - description: Add process.args_count to security process events (event 4688). type: enhancement + link: https://github.com/elastic/integrations/pull/17921 - description: Map OperationType to event.reason and improve ObjectDN parsing for Windows Security event 5136. type: enhancement + link: https://github.com/elastic/integrations/pull/17921 - version: "2.13.0" changes: - description: Improve documentation diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml index f98d6d977be..f14ccb17d17 100644 --- a/packages/windows/changelog.yml +++ b/packages/windows/changelog.yml @@ -3,8 +3,10 @@ changes: - description: Add process.args_count to forwarded security process events (event 4688). type: enhancement + link: https://github.com/elastic/integrations/pull/17921 - description: Map OperationType to event.reason and improve ObjectDN parsing for Windows Security event 5136. type: enhancement + link: https://github.com/elastic/integrations/pull/17921 - version: "3.6.1" changes: - description: Handle ContextInfo containing multi-line values in PowerShell Event ID 4103. From cfa48f8ce47c6ea0ac168d8c3ce303d04ad9ab43 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Fri, 20 Mar 2026 09:46:38 +0100 Subject: [PATCH 3/5] refactor: use processor if for 5136 ObjectDN script guard --- .../security/elasticsearch/ingest_pipeline/standard.yml | 4 +--- .../elasticsearch/ingest_pipeline/security_standard.yml | 4 +--- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml index 43f0abac7d6..465b90fee49 100644 --- a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml +++ b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml 
@@ -4441,12 +4441,10 @@ processors: - script: lang: painless ignore_failure: true + if: ctx.event?.code == "5136" && ctx.winlog?.event_data?.ObjectDN != null tag: Event 5136 ObjectDN and ObjectClass mappings description: Parse ObjectDN for event 5136 to set user.target.name, group.name based on ObjectClass source: |- - if (ctx.event?.code != "5136" || ctx.winlog?.event_data?.ObjectDN == null) { - return; - } String objectDN = ctx.winlog.event_data.ObjectDN.toString(); String objectClass = ctx.winlog?.event_data?.ObjectClass != null ? ctx.winlog.event_data.ObjectClass.toString().toLowerCase() : ""; int cnStart = objectDN.toLowerCase().indexOf("cn="); diff --git a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml index 8a1191be412..4c268235da2 100644 --- a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml +++ b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml @@ -3956,12 +3956,10 @@ processors: - script: lang: painless ignore_failure: true + if: ctx.event?.code == "5136" && ctx.winlog?.event_data?.ObjectDN != null tag: Event 5136 ObjectDN and ObjectClass mappings description: Parse ObjectDN for event 5136 to set user.target.name, group.name based on ObjectClass source: |- - if (ctx.event?.code != "5136" || ctx.winlog?.event_data?.ObjectDN == null) { - return; - } String objectDN = ctx.winlog.event_data.ObjectDN.toString(); String objectClass = ctx.winlog?.event_data?.ObjectClass != null ? ctx.winlog.event_data.ObjectClass.toString().toLowerCase() : ""; int cnStart = objectDN.toLowerCase().indexOf("cn="); From 1eb2aa60167a6dc2615755362c440ebe9cf4ecec Mon Sep 17 00:00:00 2001 
From: Marc Guasch Date: Fri, 20 Mar 2026 10:05:17 +0100 Subject: [PATCH 4/5] fix: robust CN parsing for 5136 ObjectDN --- packages/system/changelog.yml | 3 + .../test-5136-objectdn-escaped-comma.json | 50 +++++++++++ ...-objectdn-escaped-comma.json-expected.json | 81 ++++++++++++++++++ .../ingest_pipeline/standard.yml | 24 +++++- packages/windows/changelog.yml | 3 + ...-security-5136-objectdn-escaped-comma.json | 50 +++++++++++ ...-objectdn-escaped-comma.json-expected.json | 85 +++++++++++++++++++ .../ingest_pipeline/security_standard.yml | 24 +++++- 8 files changed, 316 insertions(+), 4 deletions(-) create mode 100644 packages/system/data_stream/security/_dev/test/pipeline/test-5136-objectdn-escaped-comma.json create mode 100644 packages/system/data_stream/security/_dev/test/pipeline/test-5136-objectdn-escaped-comma.json-expected.json create mode 100644 packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-5136-objectdn-escaped-comma.json create mode 100644 packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-5136-objectdn-escaped-comma.json-expected.json diff --git a/packages/system/changelog.yml b/packages/system/changelog.yml index 2c238b50f96..61a245ff5bf 100644 --- a/packages/system/changelog.yml +++ b/packages/system/changelog.yml @@ -7,6 +7,9 @@ - description: Map OperationType to event.reason and improve ObjectDN parsing for Windows Security event 5136. type: enhancement link: https://github.com/elastic/integrations/pull/17921 + - description: Fix event 5136 ObjectDN CN parsing to honor LDAP escapes (e.g. commas in CN values). + type: bugfix + link: https://github.com/elastic/integrations/pull/17921 - version: "2.13.0" changes: - description: Improve documentation diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5136-objectdn-escaped-comma.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5136-objectdn-escaped-comma.json new file mode 100644 index 00000000000..04440512630 
--- /dev/null +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5136-objectdn-escaped-comma.json @@ -0,0 +1,50 @@ +{ + "events": [ + { + "event": { + "code": "5136", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "DC01.contoso.local" + }, + "log": { + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC01.contoso.local", + "event_data": { + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x32004", + "SubjectUserName": "dadmin", + "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104", + "DSName": "example.com", + "DSType": "Active Directory Domain Services", + "ObjectDN": "CN=Smith\\, John,OU=Users,DC=example,DC=com", + "ObjectClass": "user", + "OperationType": "Value Added", + "OpCorrelationID": "{ff320a1e-447a-4bb1-9196-bb3469a00b55}", + "AppCorrelationID": "{ff320a1e-447a}" + }, + "event_id": "5136", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 4020 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 410204, + "time_created": "2015-08-28T17:36:04.1294726Z" + } + } + ] +} diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-5136-objectdn-escaped-comma.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-5136-objectdn-escaped-comma.json-expected.json new file mode 100644 index 00000000000..2273f6c8539 --- /dev/null +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-5136-objectdn-escaped-comma.json-expected.json 
@@ -0,0 +1,81 @@ +{ + "expected": [ + { + "@timestamp": "2015-08-28T17:36:04.129Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "directory-service-object-modified", + "category": [ + "iam", + "configuration" + ], + "code": "5136", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "reason": "Value Added", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "DC01.contoso.local" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "dadmin", + "Smith, John" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-21-3457937927-2839227994-823803824-1104", + "name": "dadmin", + "target": { + "name": "Smith, John" + } + }, + "winlog": { + "channel": "Security", + "computer_name": "DC01.contoso.local", + "event_data": { + "AppCorrelationID": "{ff320a1e-447a}", + "DSName": "example.com", + "DSType": "Active Directory Domain Services", + "ObjectClass": "user", + "ObjectDN": "CN=Smith\\, John,OU=Users,DC=example,DC=com", + "OpCorrelationID": "{ff320a1e-447a-4bb1-9196-bb3469a00b55}", + "OperationType": "Value Added", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x32004", + "SubjectUserName": "dadmin", + "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104" + }, + "event_id": "5136", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x32004" + }, + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 4020 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "410204", + "time_created": "2015-08-28T17:36:04.1294726Z" + } + } + ] +} diff --git a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml index 465b90fee49..bd367c4db8e 100644 --- a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml 
+++ b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml @@ -4450,8 +4450,28 @@ processors: int cnStart = objectDN.toLowerCase().indexOf("cn="); if (cnStart < 0) return; int valueStart = cnStart + 3; - int commaIdx = objectDN.indexOf(",", valueStart); - String cnValue = commaIdx >= 0 ? objectDN.substring(valueStart, commaIdx).trim() : objectDN.substring(valueStart).trim(); + int dnLen = objectDN.length(); + StringBuilder cn = new StringBuilder(); + for (int i = valueStart; i < dnLen; i++) { + char c = objectDN.charAt(i); + if (c == 92 && i + 1 < dnLen) { // backslash escape + char n = objectDN.charAt(++i); + int d1 = Character.digit(n, 16); + if (d1 >= 0 && i + 1 < dnLen) { // hex escape + int d2 = Character.digit(objectDN.charAt(i + 1), 16); + if (d2 >= 0) { + cn.append((char)(d1 * 16 + d2)); + i++; + continue; + } + } + cn.append(n); // simple escaped char + continue; + } + if (c == 44) break; // unescaped comma ends CN + cn.append(c); + } + String cnValue = cn.toString().trim(); if (cnValue.length() == 0) return; if (objectClass.contains("user")) { if (ctx.user == null) ctx.put("user", new HashMap()); diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml index f14ccb17d17..7533606be7d 100644 --- a/packages/windows/changelog.yml +++ b/packages/windows/changelog.yml @@ -7,6 +7,9 @@ - description: Map OperationType to event.reason and improve ObjectDN parsing for Windows Security event 5136. type: enhancement link: https://github.com/elastic/integrations/pull/17921 + - description: Fix event 5136 ObjectDN CN parsing to honor LDAP escapes (e.g. commas in CN values). + type: bugfix + link: https://github.com/elastic/integrations/pull/17921 - version: "3.6.1" changes: - description: Handle ContextInfo containing multi-line values in PowerShell Event ID 4103. 
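Review bot: The hex-escape branch appends each `\XX` pair as one character (`cn.append((char)(d1 * 16 + d2))`), but RFC 4514 hex escapes encode UTF-8 bytes, so a CN such as `Ren\C3\A9` is decoded as two Latin-1 characters rather than `René`, and the new test only exercises the escaped-comma case. Consecutive escaped bytes should be buffered and decoded together as UTF-8 before being appended; the rewrite below does that, assuming the Painless allowlist exposes `new String(byte[], Charset)` (confirm, otherwise the flush needs another decoder). A lone trailing backslash still falls through to `cn.append(c)` as a literal, which is acceptable but deserves a `// trailing backslash kept verbatim` comment. The `cnValue` trim and the ObjectClass dispatch that follow continue past this hunk.

```painless
// … unchanged: objectDN / objectClass / cnStart / valueStart lookup …
int dnLen = objectDN.length();
StringBuilder cn = new StringBuilder();
List pending = new ArrayList(); // bytes from consecutive \XX escapes; decoded as one UTF-8 run
for (int i = valueStart; i <= dnLen; i++) {
    int d1 = -1;
    int d2 = -1;
    if (i + 2 < dnLen && objectDN.charAt(i) == 92) {
        d1 = Character.digit(objectDN.charAt(i + 1), 16);
        d2 = Character.digit(objectDN.charAt(i + 2), 16);
    }
    if (d1 >= 0 && d2 >= 0) {
        pending.add((byte)(d1 * 16 + d2));
        i += 2;
        continue;
    }
    if (pending.size() > 0) { // end of a hex run: flush as UTF-8, not char-by-char
        byte[] raw = new byte[pending.size()];
        for (int k = 0; k < raw.length; k++) raw[k] = (byte)pending.get(k);
        cn.append(new String(raw, StandardCharsets.UTF_8));
        pending.clear();
    }
    if (i == dnLen) break;
    char c = objectDN.charAt(i);
    if (c == 92 && i + 1 < dnLen) { cn.append(objectDN.charAt(++i)); continue; } // simple escape: \, \\ \+ ...
    if (c == 44) break; // unescaped comma ends the CN
    cn.append(c);
}
// … unchanged: cnValue trim and ObjectClass dispatch …
```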
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-5136-objectdn-escaped-comma.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-5136-objectdn-escaped-comma.json new file mode 100644 index 00000000000..04440512630 --- /dev/null +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-5136-objectdn-escaped-comma.json @@ -0,0 +1,50 @@ +{ + "events": [ + { + "event": { + "code": "5136", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "DC01.contoso.local" + }, + "log": { + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC01.contoso.local", + "event_data": { + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x32004", + "SubjectUserName": "dadmin", + "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104", + "DSName": "example.com", + "DSType": "Active Directory Domain Services", + "ObjectDN": "CN=Smith\\, John,OU=Users,DC=example,DC=com", + "ObjectClass": "user", + "OperationType": "Value Added", + "OpCorrelationID": "{ff320a1e-447a-4bb1-9196-bb3469a00b55}", + "AppCorrelationID": "{ff320a1e-447a}" + }, + "event_id": "5136", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 4020 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 410204, + "time_created": "2015-08-28T17:36:04.1294726Z" + } + } + ] +} diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-5136-objectdn-escaped-comma.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-5136-objectdn-escaped-comma.json-expected.json new file mode 100644 index 00000000000..e474a86798b --- /dev/null 
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-5136-objectdn-escaped-comma.json-expected.json @@ -0,0 +1,85 @@ +{ + "expected": [ + { + "@timestamp": "2015-08-28T17:36:04.129Z", + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "directory-service-object-modified", + "category": [ + "iam", + "configuration" + ], + "code": "5136", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "reason": "Value Added", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "DC01.contoso.local", + "os": { + "family": "windows", + "type": "windows" + } + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "dadmin", + "Smith, John" + ] + }, + "user": { + "domain": "CONTOSO", + "id": "S-1-5-21-3457937927-2839227994-823803824-1104", + "name": "dadmin", + "target": { + "name": "Smith, John" + } + }, + "winlog": { + "channel": "Security", + "computer_name": "DC01.contoso.local", + "event_data": { + "AppCorrelationID": "{ff320a1e-447a}", + "DSName": "example.com", + "DSType": "Active Directory Domain Services", + "ObjectClass": "user", + "ObjectDN": "CN=Smith\\, John,OU=Users,DC=example,DC=com", + "OpCorrelationID": "{ff320a1e-447a-4bb1-9196-bb3469a00b55}", + "OperationType": "Value Added", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x32004", + "SubjectUserName": "dadmin", + "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104" + }, + "event_id": "5136", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x32004" + }, + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 4020 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "410204", + "time_created": "2015-08-28T17:36:04.1294726Z" + } + } + ] +} 
diff --git a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml index 4c268235da2..78ff8ff9273 100644 --- a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml +++ b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml @@ -3965,8 +3965,28 @@ processors: int cnStart = objectDN.toLowerCase().indexOf("cn="); if (cnStart < 0) return; int valueStart = cnStart + 3; - int commaIdx = objectDN.indexOf(",", valueStart); - String cnValue = commaIdx >= 0 ? objectDN.substring(valueStart, commaIdx).trim() : objectDN.substring(valueStart).trim(); + int dnLen = objectDN.length(); + StringBuilder cn = new StringBuilder(); + for (int i = valueStart; i < dnLen; i++) { + char c = objectDN.charAt(i); + if (c == 92 && i + 1 < dnLen) { // backslash escape + char n = objectDN.charAt(++i); + int d1 = Character.digit(n, 16); + if (d1 >= 0 && i + 1 < dnLen) { // hex escape + int d2 = Character.digit(objectDN.charAt(i + 1), 16); + if (d2 >= 0) { + cn.append((char)(d1 * 16 + d2)); + i++; + continue; + } + } + cn.append(n); // simple escaped char + continue; + } + if (c == 44) break; // unescaped comma ends CN + cn.append(c); + } + String cnValue = cn.toString().trim(); if (cnValue.length() == 0) return; if (objectClass.contains("user")) { if (ctx.user == null) ctx.put("user", new HashMap()); From 0aa1ac40b84503ac85e26d759dc0735895d05f24 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Fri, 20 Mar 2026 10:17:13 +0100 Subject: [PATCH 5/5] chore: drop 5136 CN bugfix changelog entry --- packages/system/changelog.yml | 3 --- packages/windows/changelog.yml | 3 --- 2 files changed, 6 deletions(-) diff --git a/packages/system/changelog.yml b/packages/system/changelog.yml index 61a245ff5bf..2c238b50f96 100644 --- a/packages/system/changelog.yml +++ b/packages/system/changelog.yml 
@@ -7,9 +7,6 @@ - description: Map OperationType to event.reason and improve ObjectDN parsing for Windows Security event 5136. type: enhancement link: https://github.com/elastic/integrations/pull/17921 - - description: Fix event 5136 ObjectDN CN parsing to honor LDAP escapes (e.g. commas in CN values). - type: bugfix - link: https://github.com/elastic/integrations/pull/17921 - version: "2.13.0" changes: - description: Improve documentation diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml index 7533606be7d..f14ccb17d17 100644 --- a/packages/windows/changelog.yml +++ b/packages/windows/changelog.yml @@ -7,9 +7,6 @@ - description: Map OperationType to event.reason and improve ObjectDN parsing for Windows Security event 5136. type: enhancement link: https://github.com/elastic/integrations/pull/17921 - - description: Fix event 5136 ObjectDN CN parsing to honor LDAP escapes (e.g. commas in CN values). - type: bugfix - link: https://github.com/elastic/integrations/pull/17921 - version: "3.6.1" changes: - description: Handle ContextInfo containing multi-line values in PowerShell Event ID 4103.