8 changes: 8 additions & 0 deletions packages/system/changelog.yml
@@ -1,4 +1,12 @@
# newer versions go on top
- version: "2.14.0"
changes:
- description: Add process.args_count to security process events (event 4688).
type: enhancement
link: https://github.com/elastic/integrations/pull/17921
- description: Map OperationType to event.reason and improve ObjectDN parsing for Windows Security event 5136.
type: enhancement
link: https://github.com/elastic/integrations/pull/17921
- version: "2.13.0"
changes:
- description: Improve documentation
@@ -0,0 +1,50 @@
{
"events": [
{
"event": {
"code": "5136",
"kind": "event",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing"
},
"host": {
"name": "DC01.contoso.local"
},
"log": {
"level": "information"
},
"winlog": {
"channel": "Security",
"computer_name": "DC01.contoso.local",
"event_data": {
"SubjectDomainName": "CONTOSO",
"SubjectLogonId": "0x32004",
"SubjectUserName": "dadmin",
"SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104",
"DSName": "example.com",
"DSType": "Active Directory Domain Services",
"ObjectDN": "CN=Smith\\, John,OU=Users,DC=example,DC=com",
"ObjectClass": "user",
"OperationType": "Value Added",
"OpCorrelationID": "{ff320a1e-447a-4bb1-9196-bb3469a00b55}",
"AppCorrelationID": "{ff320a1e-447a}"
},
"event_id": "5136",
"keywords": [
"Audit Success"
],
"opcode": "Info",
"process": {
"pid": 516,
"thread": {
"id": 4020
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 410204,
"time_created": "2015-08-28T17:36:04.1294726Z"
}
}
]
}
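Review bot: This fixture only drives the simple backslash escape (`CN=Smith\\, John`) of the new ObjectDN parser; the hex-escape branch (`\2C`, and multi-byte sequences such as `\C3\A9`), the `computer` ObjectClass fallback into `host.name`, and a DN whose leading RDN is not `CN=` have no pipeline test visible in this PR. Adding one event per branch with a matching expected document would pin `user.target.name`, `group.name` and the `host.name` behaviour so later edits to the Painless script cannot silently regress them. The `AppCorrelationID` value `{ff320a1e-447a}` is not GUID-shaped, which looks like a fixture artifact rather than something the pipeline depends on.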
@@ -0,0 +1,81 @@
{
"expected": [
{
"@timestamp": "2015-08-28T17:36:04.129Z",
"ecs": {
"version": "8.11.0"
},
"event": {
"action": "directory-service-object-modified",
"category": [
"iam",
"configuration"
],
"code": "5136",
"kind": "event",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"reason": "Value Added",
"type": [
"admin",
"change"
]
},
"host": {
"name": "DC01.contoso.local"
},
"log": {
"level": "information"
},
"related": {
"user": [
"dadmin",
"Smith, John"
]
},
"user": {
"domain": "CONTOSO",
"id": "S-1-5-21-3457937927-2839227994-823803824-1104",
"name": "dadmin",
"target": {
"name": "Smith, John"
}
},
"winlog": {
"channel": "Security",
"computer_name": "DC01.contoso.local",
"event_data": {
"AppCorrelationID": "{ff320a1e-447a}",
"DSName": "example.com",
"DSType": "Active Directory Domain Services",
"ObjectClass": "user",
"ObjectDN": "CN=Smith\\, John,OU=Users,DC=example,DC=com",
"OpCorrelationID": "{ff320a1e-447a-4bb1-9196-bb3469a00b55}",
"OperationType": "Value Added",
"SubjectDomainName": "CONTOSO",
"SubjectLogonId": "0x32004",
"SubjectUserName": "dadmin",
"SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104"
},
"event_id": "5136",
"keywords": [
"Audit Success"
],
"logon": {
"id": "0x32004"
},
"opcode": "Info",
"process": {
"pid": 516,
"thread": {
"id": 4020
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": "410204",
"time_created": "2015-08-28T17:36:04.1294726Z"
}
}
]
}
Expand Up @@ -15,11 +15,15 @@
"kind": "event",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"reason": "Value Added",
"type": [
"admin",
"change"
]
},
"group": {
"name": "{0AB54C97-8836-43BB-9B53- 87556DD51F30}"
},
"host": {
"name": "DC01.contoso.local"
},
Expand All @@ -28,7 +32,8 @@
},
"related": {
"user": [
"dadmin"
"dadmin",
"{0AB54C97-8836-43BB-9B53- 87556DD51F30}"
]
},
"user": {
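Review bot: The expected output now lists the group's CN `{0AB54C97-8836-43BB-9B53- 87556DD51F30}` under `related.user` alongside `group.name`, but ECS `related.user` is meant for user identities, so an analyst pivoting on that field from this event lands on a group rather than a principal. This comes from the pipeline's group branch rather than the fixture itself; dropping the `related.user` append there and keeping only `group.name` would leave the pivot field clean. The embedded space in `9B53- 87556DD51F30` looks like a fixture artifact rather than a realistic CN, and if it is, a plausible group name would make the expected document more credible. The enclosing `user` object continues outside this section.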
Expand Up @@ -40,6 +40,7 @@
"cl",
"Security"
],
"args_count": 3,
"command_line": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security",
"executable": "C:\\Windows\\System32\\wevtutil.exe",
"name": "wevtutil.exe",
Expand Up @@ -4352,6 +4352,7 @@ processors:
}
ctx.process.put("args", al);
ctx.process.put("command_line", ctx.winlog.event_data.CommandLine);
ctx.process.put("args_count", al.size());
}
if ((ctx.winlog?.event_data?.TargetUserName != null) &&
(!ctx.winlog.event_data.TargetUserName.equals("-"))) {
Expand Down Expand Up @@ -4432,6 +4433,64 @@ processors:
ctx.winlog?.event_data?.OldTargetUserName != null &&
ctx.winlog.event_data.OldTargetUserName != "-"

- set:
field: event.reason
copy_from: winlog.event_data.OperationType
if: ctx.event?.code == "5136" && ctx.winlog?.event_data?.OperationType != null

- script:
lang: painless
ignore_failure: true
if: ctx.event?.code == "5136" && ctx.winlog?.event_data?.ObjectDN != null
tag: Event 5136 ObjectDN and ObjectClass mappings
description: Parse ObjectDN for event 5136 to set user.target.name, group.name based on ObjectClass
source: |-
String objectDN = ctx.winlog.event_data.ObjectDN.toString();
String objectClass = ctx.winlog?.event_data?.ObjectClass != null ? ctx.winlog.event_data.ObjectClass.toString().toLowerCase() : "";
int cnStart = objectDN.toLowerCase().indexOf("cn=");
if (cnStart < 0) return;
int valueStart = cnStart + 3;
int dnLen = objectDN.length();
StringBuilder cn = new StringBuilder();
for (int i = valueStart; i < dnLen; i++) {
char c = objectDN.charAt(i);
if (c == 92 && i + 1 < dnLen) { // backslash escape
char n = objectDN.charAt(++i);
int d1 = Character.digit(n, 16);
if (d1 >= 0 && i + 1 < dnLen) { // hex escape
int d2 = Character.digit(objectDN.charAt(i + 1), 16);
if (d2 >= 0) {
cn.append((char)(d1 * 16 + d2));
i++;
continue;
}
}
cn.append(n); // simple escaped char
continue;
}
if (c == 44) break; // unescaped comma ends CN
cn.append(c);
}
String cnValue = cn.toString().trim();
if (cnValue.length() == 0) return;
if (objectClass.contains("user")) {
if (ctx.user == null) ctx.put("user", new HashMap());
if (ctx.user.target == null) ctx.user.put("target", new HashMap());
ctx.user.target.put("name", cnValue);
if (ctx.related == null) ctx.put("related", new HashMap());
if (ctx.related.user == null) ctx.related.put("user", new ArrayList());
if (!ctx.related.user.contains(cnValue)) ctx.related.user.add(cnValue);
} else if (objectClass.contains("group")) {
if (ctx.group == null) ctx.put("group", new HashMap());
ctx.group.put("name", cnValue);
if (ctx.related == null) ctx.put("related", new HashMap());
if (ctx.related.user == null) ctx.related.put("user", new ArrayList());
if (!ctx.related.user.contains(cnValue)) ctx.related.user.add(cnValue);
} else if (objectClass.contains("computer") && (ctx.host == null || ctx.host.name == null)) {
if (ctx.host == null) ctx.put("host", new HashMap());
ctx.host.put("name", cnValue);
}

- gsub:
description: Normalize separators in the SidList value.
field: winlog.event_data.SidList
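Review bot: The ObjectClass dispatch at `objectClass.contains("user")` / `objectClass.contains("group")` is a substring test on the lowercased class, so any class whose name merely contains those words is routed by it; an ObjectClass such as msDS-GroupManagedServiceAccount would presumably hit the group branch and surface a service account in `group.name` instead of `user.target.name`, which is where rules keyed on these fields would look. Comparing against an explicit set, `if (objectClass.equals("user") || objectClass.equals("inetorgperson"))` and `else if (objectClass.equals("group"))`, keeps the mapping predictable. The hex-escape branch appends each `\XX` value as a char (`cn.append((char)(d1 * 16 + d2))`), but RFC 4514 hex escapes are UTF-8 bytes, so a CN such as `CN=Jos\C3\A9` would decode to two Latin-1 characters rather than "José"; collecting the escaped bytes and decoding the run as UTF-8 avoids that. `ignore_failure: true` on the script means any Painless error silently leaves `user.target.name`/`group.name` unset with nothing in `error.message`, which is hard to notice in a detection pipeline; an `on_failure` handler that records the failure would be safer. The computer branch writes the modified object's CN into `host.name`, which in these events otherwise identifies the reporting DC (`host.name: DC01.contoso.local` in the fixtures), so when the fallback fires the observer and the target object get conflated.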
2 changes: 1 addition & 1 deletion packages/system/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.4.0
name: system
title: System
version: "2.13.0"
version: "2.14.0"
description: Collect system logs and metrics from your servers with Elastic Agent.
type: integration
categories:
8 changes: 8 additions & 0 deletions packages/windows/changelog.yml
@@ -1,4 +1,12 @@
# newer versions go on top
- version: "3.7.0"
changes:
- description: Add process.args_count to forwarded security process events (event 4688).
type: enhancement
link: https://github.com/elastic/integrations/pull/17921
- description: Map OperationType to event.reason and improve ObjectDN parsing for Windows Security event 5136.
type: enhancement
link: https://github.com/elastic/integrations/pull/17921
- version: "3.6.1"
changes:
- description: Handle ContextInfo containing multi-line values in PowerShell Event ID 4103.
@@ -0,0 +1,50 @@
{
"events": [
{
"event": {
"code": "5136",
"kind": "event",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing"
},
"host": {
"name": "DC01.contoso.local"
},
"log": {
"level": "information"
},
"winlog": {
"channel": "Security",
"computer_name": "DC01.contoso.local",
"event_data": {
"SubjectDomainName": "CONTOSO",
"SubjectLogonId": "0x32004",
"SubjectUserName": "dadmin",
"SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104",
"DSName": "example.com",
"DSType": "Active Directory Domain Services",
"ObjectDN": "CN=Smith\\, John,OU=Users,DC=example,DC=com",
"ObjectClass": "user",
"OperationType": "Value Added",
"OpCorrelationID": "{ff320a1e-447a-4bb1-9196-bb3469a00b55}",
"AppCorrelationID": "{ff320a1e-447a}"
},
"event_id": "5136",
"keywords": [
"Audit Success"
],
"opcode": "Info",
"process": {
"pid": 516,
"thread": {
"id": 4020
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 410204,
"time_created": "2015-08-28T17:36:04.1294726Z"
}
}
]
}