From e818bf8c75a19c4d7a9b43c8640807e0a21c918e Mon Sep 17 00:00:00 2001 
From: Andrew Kroh
Date: Wed, 18 Mar 2020 19:53:38 -0400
Subject: [PATCH] Cherry-pick #15217 to 7.x: Audit/Computer/Distribution Groups Management Events - ECS related.user field mapping (#17090)

Added Audit and Log Management related events, Computer Object Management Events, and Distribution Groups Events. Changed the user.name field for user management events and the related.user mapping.

New Events

Because Windows events are the source of information for Winlogbeat, the events 1100, 1102, 1104, 1105, 1108 and 4719 have been added in order to monitor changes in the audit policy configuration, log deletion and other failures in the log subsystem. For event 4719, a human-readable description was added in order to know which setting was modified (winlog.event_data.SubCategory) and to which value (winlog.event_data.AuditPolicyChangesDescription).

Distribution Groups (Security-Disabled) Management Events were added. Those events are processed in the same way and with the same function as Security Groups (#14299). In order to add information about the nature of the group being managed, the type (Security-Disabled/Security-Enabled) and scope (Local, Global, Universal) were added as winlog.group.type and winlog.group.scope.

ComputerObject Management events were also added.

Changes to ECS mappings

In elastic/ecs#678 and elastic/ecs#589 we have been discussing how the n-ary relationship between users in an event should be named and mapped into ECS. In #13530 winlog.event_data.TargetUserName was mapped to user.name, but for the reasons exposed in elastic/ecs#678 and elastic/ecs#589 the mapping winlog.event_data.SubjectUserName -> user.name is more appropriate. This mapping was changed. Also, with the addition of related fields in ECS 1.3 and specifically the related.user field (elastic/ecs#694), all the user names appearing in one event were mapped to the related user events.
Every time a SubjectUserName or TargetUserName is copied, it is also added to the related.user field, as are other users appearing in the event. Event test data were added for all events with the exception of event 1108, which I was not able to reproduce.

Co-authored-by: Lee Hinman <57081003+leehinman@users.noreply.github.com>
Co-authored-by: Andrew Kroh
Co-authored-by: Anabella Cristaldi <33020901+janniten@users.noreply.github.com>
(cherry picked from commit e624aefb57fa6b973038a7f1f1ff94adda21359b)
--- CHANGELOG.next.asciidoc | 1 + winlogbeat/docs/modules/security.asciidoc | 42 ++ .../module/security/_meta/docs.asciidoc | 42 ++ .../security/config/winlogbeat-security.js | 391 +++++++++++++++--- .../module/security/test/testdata/1100.evtx | Bin 0 -> 69632 bytes .../test/testdata/1100.evtx.golden.json | 38 ++ .../module/security/test/testdata/1102.evtx | Bin 0 -> 69632 bytes .../test/testdata/1102.evtx.golden.json | 56 +++ .../module/security/test/testdata/1104.evtx | Bin 0 -> 69632 bytes .../test/testdata/1104.evtx.golden.json | 38 ++ .../module/security/test/testdata/1105.evtx | Bin 0 -> 69632 bytes .../test/testdata/1105.evtx.golden.json | 43 ++ .../module/security/test/testdata/4719.evtx | Bin 0 -> 69632 bytes .../test/testdata/4719.evtx.golden.json | 66 +++ .../module/security/test/testdata/4741.evtx | Bin 0 -> 69632 bytes .../test/testdata/4741.evtx.golden.json | 94 +++++ .../module/security/test/testdata/4742.evtx | Bin 0 -> 69632 bytes .../test/testdata/4742.evtx.golden.json | 92 +++++ .../module/security/test/testdata/4743.evtx | Bin 0 -> 69632 bytes .../test/testdata/4743.evtx.golden.json | 66 +++ .../module/security/test/testdata/4744.evtx | Bin 0 -> 69632 bytes .../test/testdata/4744.evtx.golden.json | 65 +++ .../module/security/test/testdata/4745.evtx | Bin 0 -> 69632 bytes .../test/testdata/4745.evtx.golden.json | 65 +++ .../module/security/test/testdata/4746.evtx | Bin 0 -> 69632 bytes .../test/testdata/4746.evtx.golden.json | 65 +++ 
.../module/security/test/testdata/4747.evtx | Bin 0 -> 69632 bytes .../test/testdata/4747.evtx.golden.json | 65 +++ .../module/security/test/testdata/4748.evtx | Bin 0 -> 69632 bytes .../test/testdata/4748.evtx.golden.json | 63 +++ .../module/security/test/testdata/4749.evtx | Bin 0 -> 69632 bytes .../test/testdata/4749.evtx.golden.json | 65 +++ .../module/security/test/testdata/4750.evtx | Bin 0 -> 69632 bytes .../test/testdata/4750.evtx.golden.json | 65 +++ .../module/security/test/testdata/4751.evtx | Bin 0 -> 69632 bytes .../test/testdata/4751.evtx.golden.json | 65 +++ .../module/security/test/testdata/4752.evtx | Bin 0 -> 69632 bytes .../test/testdata/4752.evtx.golden.json | 65 +++ .../module/security/test/testdata/4753.evtx | Bin 0 -> 69632 bytes .../test/testdata/4753.evtx.golden.json | 63 +++ .../module/security/test/testdata/4759.evtx | Bin 0 -> 69632 bytes .../test/testdata/4759.evtx.golden.json | 65 +++ .../module/security/test/testdata/4760.evtx | Bin 0 -> 69632 bytes .../test/testdata/4760.evtx.golden.json | 65 +++ .../module/security/test/testdata/4761.evtx | Bin 0 -> 69632 bytes .../test/testdata/4761.evtx.golden.json | 65 +++ .../module/security/test/testdata/4762.evtx | Bin 0 -> 69632 bytes .../test/testdata/4762.evtx.golden.json | 65 +++ .../module/security/test/testdata/4763.evtx | Bin 0 -> 69632 bytes .../test/testdata/4763.evtx.golden.json | 63 +++ ...urity-windows2012r2-logon.evtx.golden.json | 54 +++ ...security-windows2016-4672.evtx.golden.json | 3 + ...curity-windows2016-logoff.evtx.golden.json | 6 + ...2016_4720_Account_Created.evtx.golden.json | 24 +- ...2016_4722_Account_Enabled.evtx.golden.json | 20 +- ...2016_4723_Password_Change.evtx.golden.json | 10 +- ...s2016_4724_Password_Reset.evtx.golden.json | 20 +- ...016_4725_Account_Disabled.evtx.golden.json | 20 +- ...2016_4726_Account_Deleted.evtx.golden.json | 20 +- ...security-windows2016_4727.evtx.golden.json | 4 +- ...security-windows2016_4728.evtx.golden.json | 6 +- 
...security-windows2016_4729.evtx.golden.json | 6 +- ...security-windows2016_4730.evtx.golden.json | 4 +- ...security-windows2016_4731.evtx.golden.json | 6 +- ...security-windows2016_4732.evtx.golden.json | 6 +- ...security-windows2016_4733.evtx.golden.json | 6 +- ...security-windows2016_4734.evtx.golden.json | 4 +- ...security-windows2016_4735.evtx.golden.json | 4 +- ...security-windows2016_4737.evtx.golden.json | 4 +- ...2016_4738_Account_Changed.evtx.golden.json | 24 +- ...6_4740_Account_Locked_Out.evtx.golden.json | 12 +- ...security-windows2016_4754.evtx.golden.json | 4 +- ...security-windows2016_4755.evtx.golden.json | 4 +- ...security-windows2016_4756.evtx.golden.json | 6 +- ...security-windows2016_4757.evtx.golden.json | 6 +- ...security-windows2016_4758.evtx.golden.json | 4 +- ...security-windows2016_4764.evtx.golden.json | 4 +- ...016_4767_Account_Unlocked.evtx.golden.json | 10 +- ...2016_4781_Account_Renamed.evtx.golden.json | 22 +- ...security-windows2016_4798.evtx.golden.json | 12 +- ...security-windows2016_4799.evtx.golden.json | 4 +- ...2019_4688_Process_Created.evtx.golden.json | 6 + ...s2019_4689_Process_Exited.evtx.golden.json | 9 + 83 files changed, 2138 insertions(+), 154 deletions(-) create mode 100644 x-pack/winlogbeat/module/security/test/testdata/1100.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/1100.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/1102.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/1102.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/1104.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/1104.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/1105.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/1105.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4719.evtx create mode 100644 
x-pack/winlogbeat/module/security/test/testdata/4719.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4741.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4741.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4742.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4742.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4743.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4743.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4744.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4745.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4745.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4746.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4747.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4748.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4748.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4749.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4750.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4751.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4752.evtx create mode 100644 
x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4753.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4753.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4759.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4760.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4761.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4762.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4763.evtx create mode 100644 x-pack/winlogbeat/module/security/test/testdata/4763.evtx.golden.json diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 88154f73247..5aa72b534f1 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -325,6 +325,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Winlogbeat* - Add more DNS error codes to the Sysmon module. {issue}15685[15685] +- Add Audit and Log Management, Computer Object Management, and Distribution Group related events to the Security module. {pull}15217[15217] ==== Deprecated diff --git a/winlogbeat/docs/modules/security.asciidoc b/winlogbeat/docs/modules/security.asciidoc index a0fc158e2b1..c7e7415244e 100644 --- a/winlogbeat/docs/modules/security.asciidoc +++ b/winlogbeat/docs/modules/security.asciidoc 
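Review bot: the CHANGELOG.next.asciidoc hunk only records the new event IDs and leaves out the behaviour change shipped in the same patch: for the user management events, user.name now comes from winlog.event_data.SubjectUserName (the actor) instead of winlog.event_data.TargetUserName (the managed account), as the userMgmtEvts and userRenamed hunks in winlogbeat-security.js show. Existing dashboards and detection rules keyed on user.name will silently start matching a different principal, so add a second line under *Winlogbeat* (or a breaking-change entry) that states the new mapping and points users at related.user and winlog.event_data.TargetUserName for the previous value.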
@@ -8,6 +8,11 @@ The security module processes event log records from the Security log. The module has transformations for the following event IDs: +* 1100 - The event logging service has shut down. +* 1102 - The audit log was cleared. +* 1104 - The security log is now full. +* 1105 - Event log automatic backup. +* 1108 - The event logging service encountered an error while processing an incoming event published from %1 * 4624 - An account was successfully logged on. * 4625 - An account failed to log on. * 4634 - An account was logged off. 
@@ -16,16 +21,53 @@ The module has transformations for the following event IDs: * 4672 - Special privileges assigned to new logon. * 4688 - A new process has been created. * 4689 - A process has exited. +* 4719 - System audit policy was changed. * 4720 - A user account was created. * 4722 - A user account was enabled. * 4723 - An attempt was made to change an account's password. * 4724 - An attempt was made to reset an account's password. * 4725 - An user account was disabled. * 4726 - An user account was deleted. +* 4727 - A security-enabled global group was created. +* 4728 - A member was added to a security-enabled global group. +* 4729 - A member was removed from a security-enabled global group. +* 4730 - A security-enabled global group was deleted. +* 4731 - A security-enabled local group was created +* 4732 - A member was added to a security-enabled local group. +* 4733 - A member was removed from a security-enabled local group. +* 4734 - A security-enabled local group was deleted. +* 4735 - A security-enabled local group was changed. +* 4737 - A security-enabled global group was changed. * 4738 - An user account was changed. * 4740 - An user account was locked out. +* 4741 - A computer account was created. +* 4742 - A computer account was changed. +* 4743 - A computer account was deleted. +* 4744 - A security-disabled local group was created. +* 4745 - A security-disabled local group was changed. +* 4746 - A member was added to a security-disabled local group. +* 4747 - A member was removed from a security-disabled local group. +* 4748 - A security-disabled local group was deleted. +* 4749 - A security-disabled global group was created. +* 4750 - A security-disabled global group was changed. +* 4751 - A member was added to a security-disabled global group. +* 4752 - A member was removed from a security-disabled global group. +* 4753 - A security-disabled global group was deleted. +* 4754 - A security-enabled universal group was created. 
+* 4755 - A security-enabled universal group was changed. +* 4756 - A member was added to a security-enabled universal group. +* 4757 - A member was removed from a security-enabled universal group. +* 4758 - A security-enabled universal group was deleted. +* 4759 - A security-disabled universal group was created. +* 4760 - A security-disabled universal group was changed. +* 4761 - A member was added to a security-disabled universal group. +* 4762 - A member was removed from a security-disabled universal group. +* 4763 - A security-disabled global group was deleted. +* 4764 - A group's type was changed. * 4767 - An account was unlocked. * 4781 - The name of an account was changed. +* 4798 - A user's local group membership was enumerated. +* 4799 - A security-enabled local group membership was enumerated. More event IDs will be added. diff --git a/x-pack/winlogbeat/module/security/_meta/docs.asciidoc b/x-pack/winlogbeat/module/security/_meta/docs.asciidoc index a0fc158e2b1..c7e7415244e 100644 --- a/x-pack/winlogbeat/module/security/_meta/docs.asciidoc +++ b/x-pack/winlogbeat/module/security/_meta/docs.asciidoc @@ -8,6 +8,11 @@ The security module processes event log records from the Security log. The module has transformations for the following event IDs: +* 1100 - The event logging service has shut down. +* 1102 - The audit log was cleared. +* 1104 - The security log is now full. +* 1105 - Event log automatic backup. +* 1108 - The event logging service encountered an error while processing an incoming event published from %1 * 4624 - An account was successfully logged on. * 4625 - An account failed to log on. * 4634 - An account was logged off. 
@@ -16,16 +21,53 @@ The module has transformations for the following event IDs: * 4672 - Special privileges assigned to new logon. * 4688 - A new process has been created. * 4689 - A process has exited. +* 4719 - System audit policy was changed. * 4720 - A user account was created. * 4722 - A user account was enabled. * 4723 - An attempt was made to change an account's password. * 4724 - An attempt was made to reset an account's password. * 4725 - An user account was disabled. * 4726 - An user account was deleted. +* 4727 - A security-enabled global group was created. +* 4728 - A member was added to a security-enabled global group. +* 4729 - A member was removed from a security-enabled global group. +* 4730 - A security-enabled global group was deleted. +* 4731 - A security-enabled local group was created +* 4732 - A member was added to a security-enabled local group. +* 4733 - A member was removed from a security-enabled local group. +* 4734 - A security-enabled local group was deleted. +* 4735 - A security-enabled local group was changed. +* 4737 - A security-enabled global group was changed. * 4738 - An user account was changed. * 4740 - An user account was locked out. +* 4741 - A computer account was created. +* 4742 - A computer account was changed. +* 4743 - A computer account was deleted. +* 4744 - A security-disabled local group was created. +* 4745 - A security-disabled local group was changed. +* 4746 - A member was added to a security-disabled local group. +* 4747 - A member was removed from a security-disabled local group. +* 4748 - A security-disabled local group was deleted. +* 4749 - A security-disabled global group was created. +* 4750 - A security-disabled global group was changed. +* 4751 - A member was added to a security-disabled global group. +* 4752 - A member was removed from a security-disabled global group. +* 4753 - A security-disabled global group was deleted. +* 4754 - A security-enabled universal group was created. 
+* 4755 - A security-enabled universal group was changed. +* 4756 - A member was added to a security-enabled universal group. +* 4757 - A member was removed from a security-enabled universal group. +* 4758 - A security-enabled universal group was deleted. +* 4759 - A security-disabled universal group was created. +* 4760 - A security-disabled universal group was changed. +* 4761 - A member was added to a security-disabled universal group. +* 4762 - A member was removed from a security-disabled universal group. +* 4763 - A security-disabled global group was deleted. +* 4764 - A group's type was changed. * 4767 - An account was unlocked. * 4781 - The name of an account was changed. +* 4798 - A user's local group membership was enumerated. +* 4799 - A security-enabled local group membership was enumerated. More event IDs will be added. diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index 13ef413f9e5..b6cac040b74 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js 
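Review bot: in both docs hunks the line `+* 4763 - A security-disabled global group was deleted.` is wrong; 4759 to 4762 in the same block are the security-disabled universal group events and 4753 already covers the global group deletion, so 4763 should read "A security-disabled universal group was deleted." Also add the missing full stop on `+* 4731 - A security-enabled local group was created` and on the 1108 line. The two files carry the same index hashes (a0fc158e2b1..c7e7415244e), so fix x-pack/winlogbeat/module/security/_meta/docs.asciidoc and regenerate winlogbeat/docs/modules/security.asciidoc rather than patching both by hand.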
@@ -21,39 +21,46 @@ var security = (function () { // User Account Control Attributes Table // https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties - var uac_flags = [ - [0x0001, 'SCRIPT'], - [0x0002, 'ACCOUNTDISABLE'], - [0x0008, 'HOMEDIR_REQUIRED'], - [0x0010, 'LOCKOUT'], - [0x0020, 'PASSWD_NOTREQD'], - [0x0040, 'PASSWD_CANT_CHANGE'], - [0x0080, 'ENCRYPTED_TEXT_PWD_ALLOWED'], - [0x0100, 'TEMP_DUPLICATE_ACCOUNT'], - [0x0200, 'NORMAL_ACCOUNT'], - [0x0800, 'INTERDOMAIN_TRUST_ACCOUNT'], - [0x1000, 'WORKSTATION_TRUST_ACCOUNT'], - [0x2000, 'SERVER_TRUST_ACCOUNT'], - [0x10000, 'DONT_EXPIRE_PASSWORD'], - [0x20000, 'MNS_LOGON_ACCOUNT'], - [0x40000, 'SMARTCARD_REQUIRED'], - [0x80000, 'TRUSTED_FOR_DELEGATION'], - [0x100000, 'NOT_DELEGATED'], - [0x200000, 'USE_DES_KEY_ONLY'], - [0x400000, 'DONT_REQ_PREAUTH'], - [0x800000, 'PASSWORD_EXPIRED'], - [0x1000000, 'TRUSTED_TO_AUTH_FOR_DELEGATION'], - [0x04000000, 'PARTIAL_SECRETS_ACCOUNT'], + var uacFlags = [ + [0x0001, "SCRIPT"], + [0x0002, "ACCOUNTDISABLE"], + [0x0008, "HOMEDIR_REQUIRED"], + [0x0010, "LOCKOUT"], + [0x0020, "PASSWD_NOTREQD"], + [0x0040, "PASSWD_CANT_CHANGE"], + [0x0080, "ENCRYPTED_TEXT_PWD_ALLOWED"], + [0x0100, "TEMP_DUPLICATE_ACCOUNT"], + [0x0200, "NORMAL_ACCOUNT"], + [0x0800, "INTERDOMAIN_TRUST_ACCOUNT"], + [0x1000, "WORKSTATION_TRUST_ACCOUNT"], + [0x2000, "SERVER_TRUST_ACCOUNT"], + [0x10000, "DONT_EXPIRE_PASSWORD"], + [0x20000, "MNS_LOGON_ACCOUNT"], + [0x40000, "SMARTCARD_REQUIRED"], + [0x80000, "TRUSTED_FOR_DELEGATION"], + [0x100000, "NOT_DELEGATED"], + [0x200000, "USE_DES_KEY_ONLY"], + [0x400000, "DONT_REQ_PREAUTH"], + [0x800000, "PASSWORD_EXPIRED"], + [0x1000000, "TRUSTED_TO_AUTH_FOR_DELEGATION"], + [0x4000000, "PARTIAL_SECRETS_ACCOUNT"], ]; + // event.action Description Table // event.action Description Table var eventActionTypes = { + "1100": "logging-service-shutdown", + "1102": "changed-audit-config", + "1104": "logging-full", + "1105": 
"auditlog-archieved", + "1108": "logging-processing-error", "4624": "logged-in", "4625": "logon-failed", "4634": "logged-out", "4672": "logged-in-special", "4688": "created-process", "4689": "exited-process", + "4719": "changed-audit-config", "4720": "added-user-account", "4722": "enabled-user-account", "4723": "changed-password", 
@@ -61,22 +68,40 @@ var security = (function () { "4725": "disabled-user-account", "4726": "deleted-user-account", "4727": "added-group-account", - "4728": "added-group-account-to", - "4729": "deleted-group-account-from", + "4728": "added-member-to-group", + "4729": "removed-member-from-group", "4730": "deleted-group-account", - "4731": "added-group-account", - "4732": "added-group-account-to", - "4733": "deleted-group-account-from", + "4731": "added-member-to-group", + "4732": "added-member-to-group", + "4733": "removed-member-from-group", "4734": "deleted-group-account", "4735": "modified-group-account", "4737": "modified-group-account", "4738": "modified-user-account", "4740": "locked-out-user-account", + "4741": "added-computer-account", + "4742": "changed-computer-account", + "4743": "deleted-computer-account", + "4744": "added-distribution-group-account", + "4745": "changed-distribution-group-account", + "4746": "added-member-to-distribution-group", + "4747": "removed-member-from-distribution-group", + "4748": "deleted-distribution-group-account", + "4749": "added-distribution-group-account", + "4750": "changed-distribution-group-account", + "4751": "added-member-to-distribution-group", + "4752": "removed-member-from-distribution-group", + "4753": "deleted-distribution-group-account", "4754": "added-group-account", "4755": "modified-group-account", - "4756": "added-group-account-to", - "4757": "deleted-group-account-from", + "4756": "added-member-to-group", + "4757": "removed-member-from-group", "4758": "deleted-group-account", + "4759": "added-distribution-group-account", + "4760": "changed-distribution-group-account", + "4761": "added-member-to-distribution-group", + "4762": "removed-member-from-distribution-group", + "4763": "deleted-distribution-group-account", "4764": "type-changed-group-account", "4767": "unlocked-user-account", "4781": "renamed-user-account", 
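Review bot: two event.action values in the eventActionTypes hunks are wrong. In the first hunk (@@ -21,39 +21,46), `+ "1105": "auditlog-archieved",` is misspelled; event.action is a queryable keyword that users write rules against, so correct it to "auditlog-archived" before it is baked into the golden files. In the same hunk 1102 (the audit log was cleared) is mapped to "changed-audit-config", the same value as 4719; clearing the log is not a policy change and is usually the higher-severity signal, so give it a distinct value such as "cleared-audit-log". In the second hunk (@@ -61,22 +68,40), `+ "4731": "added-member-to-group",` is a logic error: 4731 is "A security-enabled local group was created" (see the docs hunk), and its siblings 4727 and 4754 map to "added-group-account"; with this value a group creation becomes indistinguishable from a membership add. The first hunk also ends up with the comment line "// event.action Description Table" twice.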
@@ -84,6 +109,73 @@ var security = (function () { "4799": "user-member-enumerated", }; + var auditActions = { + "8448": "Success Removed", + "8450": "Failure Removed", + "8449": "Success Added", + "8451": "Failure Added", + }; + + var auditDescription = { + "0CCE9210-69AE-11D9-BED3-505054503030": ["Security State Change", "System"], + "0CCE9211-69AE-11D9-BED3-505054503030": ["Security System Extension", "System"], + "0CCE9212-69AE-11D9-BED3-505054503030": ["System Integrity", "System"], + "0CCE9213-69AE-11D9-BED3-505054503030": ["IPsec Driver", "System"], + "0CCE9214-69AE-11D9-BED3-505054503030": ["Other System Events", "System"], + "0CCE9215-69AE-11D9-BED3-505054503030": ["Logon", "Logon/Logoff"], + "0CCE9216-69AE-11D9-BED3-505054503030": ["Logoff", "Logon/Logoff"], + "0CCE9217-69AE-11D9-BED3-505054503030": ["Account Lockout", "Logon/Logoff"], + "0CCE9218-69AE-11D9-BED3-505054503030": ["IPsec Main Mode", "Logon/Logoff"], + "0CCE9219-69AE-11D9-BED3-505054503030": ["IPsec Quick Mode", "Logon/Logoff"], + "0CCE921A-69AE-11D9-BED3-505054503030": ["IPsec Extended Mode", "Logon/Logoff"], + "0CCE921B-69AE-11D9-BED3-505054503030": ["Special Logon", "Logon/Logoff"], + "0CCE921C-69AE-11D9-BED3-505054503030": ["Other Logon/Logoff Events", "Logon/Logoff"], + "0CCE9243-69AE-11D9-BED3-505054503030": ["Network Policy Server", "Logon/Logoff"], + "0CCE9247-69AE-11D9-BED3-505054503030": ["User / Device Claims", "Logon/Logoff"], + "0CCE921D-69AE-11D9-BED3-505054503030": ["File System", "Object Access"], + "0CCE921E-69AE-11D9-BED3-505054503030": ["Registry", "Object Access"], + "0CCE921F-69AE-11D9-BED3-505054503030": ["Kernel Object", "Object Access"], + "0CCE9220-69AE-11D9-BED3-505054503030": ["SAM", "Object Access"], + "0CCE9221-69AE-11D9-BED3-505054503030": ["Certification Services", "Object Access"], + "0CCE9222-69AE-11D9-BED3-505054503030": ["Application Generated", "Object Access"], + "0CCE9223-69AE-11D9-BED3-505054503030": ["Handle Manipulation", "Object Access"], + 
"0CCE9224-69AE-11D9-BED3-505054503030": ["File Share", "Object Access"], + "0CCE9225-69AE-11D9-BED3-505054503030": ["Filtering Platform Packet Drop", "Object Access"], + "0CCE9226-69AE-11D9-BED3-505054503030": ["Filtering Platform Connection ", "Object Access"], + "0CCE9227-69AE-11D9-BED3-505054503030": ["Other Object Access Events", "Object Access"], + "0CCE9244-69AE-11D9-BED3-505054503030": ["Detailed File Share", "Object Access"], + "0CCE9245-69AE-11D9-BED3-505054503030": ["Removable Storage", "Object Access"], + "0CCE9246-69AE-11D9-BED3-505054503030": ["Central Policy Staging", "Object Access"], + "0CCE9228-69AE-11D9-BED3-505054503030": ["Sensitive Privilege Use", "Privilege Use"], + "0CCE9229-69AE-11D9-BED3-505054503030": ["Non Sensitive Privilege Use", "Privilege Use"], + "0CCE922A-69AE-11D9-BED3-505054503030": ["Other Privilege Use Events", "Privilege Use"], + "0CCE922B-69AE-11D9-BED3-505054503030": ["Process Creation", "Detailed Tracking"], + "0CCE922C-69AE-11D9-BED3-505054503030": ["Process Termination", "Detailed Tracking"], + "0CCE922D-69AE-11D9-BED3-505054503030": ["DPAPI Activity", "Detailed Tracking"], + "0CCE922E-69AE-11D9-BED3-505054503030": ["RPC Events", "Detailed Tracking"], + "0CCE9248-69AE-11D9-BED3-505054503030": ["Plug and Play Events", "Detailed Tracking"], + "0CCE922F-69AE-11D9-BED3-505054503030": ["Audit Policy Change", "Policy Change"], + "0CCE9230-69AE-11D9-BED3-505054503030": ["Authentication Policy Change", "Policy Change"], + "0CCE9231-69AE-11D9-BED3-505054503030": ["Authorization Policy Change", "Policy Change"], + "0CCE9232-69AE-11D9-BED3-505054503030": ["MPSSVC Rule-Level Policy Change", "Policy Change"], + "0CCE9233-69AE-11D9-BED3-505054503030": ["Filtering Platform Policy Change", "Policy Change"], + "0CCE9234-69AE-11D9-BED3-505054503030": ["Other Policy Change Events", "Policy Change"], + "0CCE9235-69AE-11D9-BED3-505054503030": ["User Account Management", "Account Management"], + "0CCE9236-69AE-11D9-BED3-505054503030": 
["Computer Account Management", "Account Management"], + "0CCE9237-69AE-11D9-BED3-505054503030": ["Security Group Management", "Account Management"], + "0CCE9238-69AE-11D9-BED3-505054503030": ["Distribution Group Management", "Account Management"], + "0CCE9239-69AE-11D9-BED3-505054503030": ["Application Group Management", "Account Management"], + "0CCE923A-69AE-11D9-BED3-505054503030": ["Other Account Management Events", "Account Management"], + "0CCE923B-69AE-11D9-BED3-505054503030": ["Directory Service Access", "Account Management"], + "0CCE923C-69AE-11D9-BED3-505054503030": ["Directory Service Changes", "Account Management"], + "0CCE923D-69AE-11D9-BED3-505054503030": ["Directory Service Replication", "Account Management"], + "0CCE923E-69AE-11D9-BED3-505054503030": ["Detailed Directory Service Replication", "Account Management"], + "0CCE923F-69AE-11D9-BED3-505054503030": ["Credential Validation", "Account Logon"], + "0CCE9240-69AE-11D9-BED3-505054503030": ["Kerberos Service Ticket Operations", "Account Logon"], + "0CCE9241-69AE-11D9-BED3-505054503030": ["Other Account Logon Events", "Account Logon"], + "0CCE9242-69AE-11D9-BED3-505054503030": ["Kerberos Authentication Service", "Account Logon"], + }; + // Descriptions of failure status codes. // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 var logonFailureStatus = { 
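Review bot: in the auditDescription table the four Directory Service subcategories (0CCE923B through 0CCE923E) are filed under "Account Management", but they belong to the separate DS Access audit category, so winlog.event_data.Category will be misleading for 4719 events on those subcategories; set their second element to "DS Access". Trim the trailing space in `["Filtering Platform Connection ", "Object Access"]`, which would make the SubCategory value fail an exact-match query. Minor: the auditActions keys are listed as 8448, 8450, 8449, 8451; ordering them numerically makes the Success/Failure pairs easier to verify.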
@@ -1150,27 +1242,54 @@ var security = (function () { evt.Put("winlog.logon.failure.sub_status", descriptiveFailureStatus); }; - var addUACDescription = function(evt) { + var addUACDescription = function (evt) { var code = evt.Get("winlog.event_data.NewUacValue"); if (!code) { return; } - var uac_code=parseInt(code); - var uac_result = []; - for (var i=0; i 0) { + evt.Put("winlog.event_data.NewUacList", uacResult); + } + + // Parse list of values like "%%2080 %%2082 %%2084". + var uacList = evt.Get("winlog.event_data.UserAccountControl"); + if (!uacList) { + return; + } + uacList = uacList.replace(/\s/g, "").split("%%").filter(String); + if (uacList.length > 0) { + evt.Put("winlog.event_data.UserAccountControl", uacList); + } + }; + + var addAuditInfo = function (evt) { + var subcategoryGuid = evt.Get("winlog.event_data.SubcategoryGuid").replace("{", "").replace("}", "").toUpperCase(); + if (!subcategoryGuid) { + return; } - var uac_list=evt.Get("winlog.event_data.UserAccountControl").replace(/\s/g,'').split("%%").filter(String); - if (! uac_list) { + if (!auditDescription[subcategoryGuid]) { return; } - evt.Put("winlog.event_data.UserAccountControl",uac_list); - }; + evt.Put("winlog.event_data.Category", auditDescription[subcategoryGuid][1]); + evt.Put("winlog.event_data.SubCategory", auditDescription[subcategoryGuid][0]); + var coded_actions = evt.Get("winlog.event_data.AuditPolicyChanges").split(","); + var action_results = []; + for (var j = 0; j < coded_actions.length; j++) { + var action_code = coded_actions[j].replace("%%", "").replace(" ", ""); + action_results.push(auditActions[action_code]); + } + evt.Put("winlog.event_data.AuditPolicyChangesDescription", action_results); + }; var copyTargetUser = new processor.Chain() .Convert({ 
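Review bot: in addAuditInfo the missing-field check comes too late: `evt.Get("winlog.event_data.SubcategoryGuid").replace("{", "")...` runs before `if (!subcategoryGuid)`, so a 4719 record without that field throws inside the processor instead of being skipped. Fetch, return if absent, then normalise: `var guid = evt.Get("winlog.event_data.SubcategoryGuid"); if (!guid) { return; }` followed by `guid = guid.replace("{", "").replace("}", "").toUpperCase();`. The same applies to `evt.Get("winlog.event_data.AuditPolicyChanges").split(",")`, and `action_results.push(auditActions[action_code])` pushes undefined for any code outside the four known values; skip unknown codes or keep the raw code so the description array stays aligned with AuditPolicyChanges. Style: coded_actions, action_results and action_code are snake_case in a hunk that just converted uac_flags and uac_result to camelCase.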
@@ -1181,6 +1300,10 @@ var security = (function () { ], ignore_missing: true, }) + .Add(function (evt) { + var user = evt.Get("winlog.event_data.TargetUserName"); + evt.AppendTo("related.user", user); + }) .Build(); var copyTargetUserToGroup = new processor.Chain() @@ -1194,6 +1317,17 @@ var security = (function () { }) .Build(); + var copyTargetUserToComputerObject = new processor.Chain() + .Convert({ + fields: [ + {from: "winlog.event_data.TargetSid", to: "winlog.computerObject.id"}, + {from: "winlog.event_data.TargetUserName", to: "winlog.computerObject.name"}, + {from: "winlog.event_data.TargetDomainName", to: "winlog.computerObject.domain"}, + ], + ignore_missing: true, + }) + .Build(); + var copyTargetUserLogonId = new processor.Chain() .Convert({ fields: [ @@ -1212,15 +1346,25 @@ var security = (function () { ], ignore_missing: true, }) + .Add(function(evt) { + var user = evt.Get("winlog.event_data.SubjectUserName"); + evt.AppendTo("related.user", user); + }) .Build(); - var copyOldTargetUser = new processor.Chain() + var copySubjectUserFromUserData = new processor.Chain() .Convert({ fields: [ - {from: "winlog.event_data.OldTargetUserName", to: "user.name"}, + {from: "winlog.user_data.SubjectUserSid", to: "user.id"}, + {from: "winlog.user_data.SubjectUserName", to: "user.name"}, + {from: "winlog.user_data.SubjectDomainName", to: "user.domain"}, ], ignore_missing: true, }) + .Add(function (evt) { + var user = evt.Get("winlog.user_data.SubjectUserName"); + evt.AppendTo("related.user", user); + }) .Build(); var copySubjectUserLogonId = new processor.Chain() @@ -1232,6 +1376,15 @@ var security = (function () { }) .Build(); + var copySubjectUserLogonIdFromUserData = new processor.Chain() + .Convert({ + fields: [ + {from: "winlog.user_data.SubjectLogonId", to: "winlog.logon.id"}, + ], + ignore_missing: true, + }) + .Build(); + var renameCommonAuthFields = new processor.Chain() .Convert({ fields: [ 
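Review bot: each new `.Add(function (evt) { var user = evt.Get(...); evt.AppendTo("related.user", user); })` block in these hunks (copyTargetUser, copySubjectUser, copySubjectUserFromUserData) appends without checking that the field exists, so an event lacking it can leave an empty or undefined entry in related.user, an ECS keyword array meant for exact matching. Guard it with `if (user) { evt.AppendTo("related.user", user); }`, and since three chains now repeat the same lines, factor a small appendRelatedUser(fieldName) helper. Separately, copyTargetUserToComputerObject introduces winlog.computerObject.* in camelCase beside the existing snake_case winlog fields (winlog.event_data, winlog.logon.id); confirm the name is intentional, since it is hard to rename once indexed.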
@@ -1245,12 +1398,15 @@ var security = (function () { ignore_missing: true, fail_on_error: false, }) - .Add(function(evt) { + .Add(function (evt) { var name = evt.Get("process.name"); if (name) { return; } var exe = evt.Get("process.executable"); + if (!exe) { + return; + } evt.Put("process.name", path.basename(exe)); }) .Build(); @@ -1284,7 +1440,7 @@ var security = (function () { ignore_missing: true, fail_on_error: false, }) - .Add(function(evt) { + .Add(function (evt) { var name = evt.Get("process.name"); if (name) { return; @@ -1295,7 +1451,7 @@ var security = (function () { } evt.Put("process.name", path.basename(exe)); }) - .Add(function(evt) { + .Add(function (evt) { var name = evt.Get("process.parent.name"); if (name) { return; @@ -1306,7 +1462,7 @@ var security = (function () { } evt.Put("process.parent.name", path.basename(exe)); }) - .Add(function(evt) { + .Add(function (evt) { var cl = evt.Get("winlog.event_data.CommandLine"); if (!cl) { return; @@ -1349,7 +1505,7 @@ var security = (function () { var event4672 = new processor.Chain() .Add(copySubjectUser) .Add(copySubjectUserLogonId) - .Add(function(evt) { + .Add(function (evt) { var privs = evt.Get("winlog.event_data.PrivilegeList"); if (!privs) { return; 
@@ -1363,34 +1519,48 @@ var security = (function () { .Add(copySubjectUser) .Add(renameNewProcessFields) .Add(addActionDesc) - .Add(function(evt) { + .Add(function (evt) { evt.Put("event.category", "process"); evt.Put("event.type", "process_start"); }) + .Add(function (evt) { + var user = evt.Get("winlog.event_data.TargetUserName"); + evt.AppendTo("related.user", user); + }) .Build(); var event4689 = new processor.Chain() .Add(copySubjectUser) .Add(renameCommonAuthFields) .Add(addActionDesc) - .Add(function(evt) { + .Add(function (evt) { evt.Put("event.category", "process"); evt.Put("event.type", "process_end"); }) .Build(); var userMgmtEvts = new processor.Chain() - .Add(copyTargetUser) + .Add(copySubjectUser) .Add(copySubjectUserLogonId) .Add(renameCommonAuthFields) .Add(addUACDescription) .Add(addActionDesc) + .Add(function (evt) { + var user = evt.Get("winlog.event_data.TargetUserName"); + evt.AppendTo("related.user", user); + }) .Build(); var userRenamed = new processor.Chain() - .Add(copyOldTargetUser) + .Add(copySubjectUser) .Add(copySubjectUserLogonId) .Add(addActionDesc) + .Add(function (evt) { + var user_new = evt.Get("winlog.event_data.NewTargetUserName"); + evt.AppendTo("related.user", user_new); + var user_old = evt.Get("winlog.event_data.OldTargetUserName"); + evt.AppendTo("related.user", user_old); + }) .Build(); var groupMgmtEvts = new processor.Chain() 
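Review bot: replacing copyTargetUser with copySubjectUser in userMgmtEvts (and copyOldTargetUser with copySubjectUser in userRenamed) changes what user.name means for events 4720 through 4740: it was the account being managed and is now the account performing the change, while the managed account is only reachable through related.user and winlog.event_data.TargetUserName. Any saved search or detection rule that keyed on user.name for these events silently changes meaning, so the changelog entry and the module docs should call this out as a breaking change. Also, the three new related.user closures in this hunk (the 4688 chain, userMgmtEvts and userRenamed) append TargetUserName, NewTargetUserName and OldTargetUserName without a null or "-" check, like the ones in the chains above.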
@@ -1401,7 +1571,59 @@ var security = (function () { .Add(addActionDesc) .Build(); + var auditLogCleared = new processor.Chain() + .Add(copySubjectUserFromUserData) + .Add(copySubjectUserLogonIdFromUserData) + .Add(renameCommonAuthFields) + .Add(addActionDesc) + .Build(); + + var auditChanged = new processor.Chain() + .Add(copySubjectUser) + .Add(copySubjectUserLogonId) + .Add(renameCommonAuthFields) + .Add(addAuditInfo) + .Add(addActionDesc) + .Build(); + + var auditLogMgmt = new processor.Chain() + .Add(renameCommonAuthFields) + .Add(addActionDesc) + .Build(); + + var computerMgmtEvts = new processor.Chain() + .Add(copySubjectUser) + .Add(copySubjectUserLogonId) + .Add(copyTargetUserToComputerObject) + .Add(renameCommonAuthFields) + .Add(addActionDesc) + .Add(addUACDescription) + .Add(function (evt) { + var privs = evt.Get("winlog.event_data.PrivilegeList"); + if (!privs) { + return; + } + evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); + }) + .Build(); + return { + + // 1100 - The event logging service has shut down. + 1100: auditLogMgmt.Run, + + // 1102 - The audit log was cleared. + 1102: auditLogCleared.Run, + + // 1104 - The security log is now full. + 1104: auditLogMgmt.Run, + + // 1105 - Event log automatic backup. + 1105: auditLogMgmt.Run, + + // 1108 - The event logging service encountered an error while processing an incoming event published from %1 + 1108: auditLogMgmt.Run, + // 4624 - An account was successfully logged on. 4624: logonSuccess.Run, @@ -1426,6 +1648,9 @@ var security = (function () { // 4689 - A process has exited. 4689: event4689.Run, + // 4719 - System audit policy was changed. + 4719: auditChanged.Run, + // 4720 - A user account was created 4720: userMgmtEvts.Run, 
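Review bot: the PrivilegeList-splitting closure added to computerMgmtEvts (`var privs = evt.Get("winlog.event_data.PrivilegeList"); ... privs.split(/\s+/)`) duplicates the one already inlined in event4672 earlier in this file; extract it into a named processor such as addPrivilegeList and use it in both chains. While doing so, treat the "-" placeholder as empty, otherwise the split yields a one-element list `["-"]` (the 4742 golden file in this patch shows exactly that). Two nits in the event table: the comment for 1108 still contains the unexpanded message template placeholder `%1`, and there is a stray blank line right after `return {`.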
@@ -1480,6 +1705,45 @@ var security = (function () { // 4740 - An account was locked out 4740: userMgmtEvts.Run, + // 4741 - A computer account was created. + 4741: computerMgmtEvts.Run, + + // 4742 - A computer account was changed. + 4742: computerMgmtEvts.Run, + + // 4743 - A computer account was deleted. + 4743: computerMgmtEvts.Run, + + // 4744 - A security-disabled local group was created. + 4744: groupMgmtEvts.Run, + + // 4745 - A security-disabled local group was changed. + 4745: groupMgmtEvts.Run, + + // 4746 - A member was added to a security-disabled local group. + 4746: groupMgmtEvts.Run, + + // 4747 - A member was removed from a security-disabled local group. + 4747: groupMgmtEvts.Run, + + // 4748 - A security-disabled local group was deleted. + 4748: groupMgmtEvts.Run, + + // 4749 - A security-disabled global group was created. + 4749: groupMgmtEvts.Run, + + // 4750 - A security-disabled global group was changed. + 4750: groupMgmtEvts.Run, + + // 4751 - A member was added to a security-disabled global group. + 4751: groupMgmtEvts.Run, + + // 4752 - A member was removed from a security-disabled global group. + 4752: groupMgmtEvts.Run, + + // 4753 - A security-disabled global group was deleted. + 4753: groupMgmtEvts.Run, + // 4754 - A security-enabled universal group was created. 4754: groupMgmtEvts.Run, 
@@ -1495,6 +1759,21 @@ var security = (function () { // 4758 - A security-enabled universal group was deleted. 4758: groupMgmtEvts.Run, + // 4759 - A security-disabled universal group was created. + 4759: groupMgmtEvts.Run, + + // 4760 - A security-disabled universal group was changed. + 4760: groupMgmtEvts.Run, + + // 4761 - A member was added to a security-disabled universal group. + 4761: groupMgmtEvts.Run, + + // 4762 - A member was removed from a security-disabled universal group. + 4762: groupMgmtEvts.Run, + + // 4763 - A security-disabled global group was deleted. + 4763: groupMgmtEvts.Run, + // 4764 - A group\'s type was changed. 4764: groupMgmtEvts.Run, @@ -1510,9 +1789,9 @@ var security = (function () { // 4799 - A security-enabled local group membership was enumerated. 4799: groupMgmtEvts.Run, - process: function(evt) { - var event_id = evt.Get("winlog.event_id"); - var processor = this[event_id]; + process: function (evt) { + var eventId = evt.Get("winlog.event_id"); + var processor = this[eventId]; if (processor === undefined) { return; } 
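Review bot: the comment for 4763 reads "A security-disabled global group was deleted", but 4763 is the deletion of a security-disabled universal group (the neighbouring 4759 to 4762 entries are all universal-group events, and the global-group deletion is already listed as 4753 above). Fix the comment so the table stays usable as a reference.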
diff --git a/x-pack/winlogbeat/module/security/test/testdata/1100.evtx b/x-pack/winlogbeat/module/security/test/testdata/1100.evtx new file mode 100644 index 0000000000000000000000000000000000000000..56ade4fdb8570ac5b582f8b4f1d08db7ff8ffeed GIT binary patch literal 69632
diff --git a/x-pack/winlogbeat/module/security/test/testdata/1100.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/1100.evtx.golden.json new file mode 100644 index 00000000000..e981d6042ea --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/1100.evtx.golden.json @@ -0,0 +1,38 @@ +[ + { + "@timestamp": "2019-11-07T10:37:04.2260925Z", + "event": { + "action": "logging-service-shutdown", + "code": 1100, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Eventlog" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_id": 1100, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 1144, + "thread": { + "id": 4532 + } + }, + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_name": "Microsoft-Windows-Eventlog", + "record_id": 14257, + "task": "Service shutdown" + } + } +] \ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/1102.evtx b/x-pack/winlogbeat/module/security/test/testdata/1102.evtx new file mode 100644 index 0000000000000000000000000000000000000000..8776562216140447622a8e21ef6aa757fcc8a8e3 GIT binary patch literal 69632
diff --git a/x-pack/winlogbeat/module/security/test/testdata/1102.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/1102.evtx.golden.json new file mode 100644 index 00000000000..16f6e120b8a --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/1102.evtx.golden.json
@@ -0,0 +1,56 @@ +[ + { + "@timestamp": "2019-11-07T10:34:29.0559196Z", + "event": { + "action": "changed-audit-config", + "code": 1102, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Eventlog" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "related": { + "user": "Administrator" + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_id": 1102, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x50e87" + }, + "opcode": "Info", + "process": { + "pid": 1144, + "thread": { + "id": 1824 + } + }, + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_name": "Microsoft-Windows-Eventlog", + "record_id": 14224, + "task": "Log clear", + "user_data": { + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x50e87", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "xml_name": "LogFileCleared" + } + } + } +] \ No newline at end of file 
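Review bot: this expected output labels event 1102 with `"action": "changed-audit-config"` although the event is the clearing of the audit log (`"task": "Log clear"` in the same record). If that label is also what 4719 gets, the two events become indistinguishable by event.action, which is the field detections will key on; a distinct value such as "audit-log-cleared" for 1102 keeps them apart. Also note that related.user comes out as the scalar `"Administrator"` rather than a list even though it is populated through AppendTo; Elasticsearch accepts either for a keyword field, but the tests for events that carry several related users should confirm the list form is what they expect.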
diff --git a/x-pack/winlogbeat/module/security/test/testdata/1104.evtx b/x-pack/winlogbeat/module/security/test/testdata/1104.evtx new file mode 100644 index 0000000000000000000000000000000000000000..5f9b87b3b81dd4c6b092737d8903f1e8e2a325a8 GIT binary patch literal 69632
diff --git a/x-pack/winlogbeat/module/security/test/testdata/1105.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/1105.evtx.golden.json new file mode 100644 index 00000000000..ca72947620e --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/1105.evtx.golden.json
@@ -0,0 +1,43 @@ +[ + { + "@timestamp": "2019-11-07T16:22:14.8425353Z", + "event": { + "action": "auditlog-archieved", + "code": 1105, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Eventlog" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_id": 1105, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 1156, + "thread": { + "id": 1484 + } + }, + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_name": "Microsoft-Windows-Eventlog", + "record_id": 18197, + "task": "Log automatic backup", + "user_data": { + "BackupPath": "C:\\Windows\\System32\\Winevt\\Logs\\Archive-Security-2019-11-07-16-22-14-780.evtx", + "Channel": "Security", + "xml_name": "AutoBackup" + } + } + } +] \ No newline at end of file 
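Review bot: `"action": "auditlog-archieved"` is misspelled and should read `auditlog-archived`; the value comes from the action description table used by addActionDesc, so the fix belongs there, with this golden file regenerated afterwards. Separately, the archive location in `winlog.user_data.BackupPath` is the one fact in this event a responder will want (where the rotated security log went), so copying it to the ECS `file.path` field would let it be queried the same way as other file references.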
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4719.evtx b/x-pack/winlogbeat/module/security/test/testdata/4719.evtx new file mode 100644 index 0000000000000000000000000000000000000000..5d93e0eddc5ac3e2edde2d2adf989a95a1f37a2e GIT binary patch literal 69632
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4742.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4742.evtx.golden.json new file mode 100644 index 00000000000..423f7e92280 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4742.evtx.golden.json
@@ -0,0 +1,92 @@ +[ + { + "@timestamp": "2019-12-18T16:22:12.3425087Z", + "event": { + "action": "changed-computer-account", + "code": 4742, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computerObject": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2902", + "name": "TESTCOMPUTEROBJ$" + }, + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "AccountExpires": "-", + "AllowedToDelegateTo": "-", + "ComputerAccountChange": "-", + "DisplayName": "-", + "DnsHostName": "-", + "HomeDirectory": "-", + "HomePath": "-", + "LogonHours": "-", + "NewUacList": [ + "ENCRYPTED_TEXT_PWD_ALLOWED" + ], + "NewUacValue": "0x84", + "OldUacValue": "0x85", + "PasswordLastSet": "-", + "PrimaryGroupId": "-", + "PrivilegeList": [ + "-" + ], + "ProfilePath": "-", + "SamAccountName": "-", + "ScriptPath": "-", + "ServicePrincipalNames": "-", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2902", + "TargetUserName": "TESTCOMPUTEROBJ$", + "UserAccountControl": [ + "2048" + ], + "UserParameters": "-", + "UserPrincipalName": "-", + "UserWorkstations": "-" + }, + "event_id": 4742, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3699934, + "task": 
"Computer Account Management" + } + } +] \ No newline at end of file 
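Review bot: the UAC decoding in this 4742 golden looks wrong. OldUacValue 0x85 to NewUacValue 0x84 clears only bit 0x1, yet NewUacList reports ENCRYPTED_TEXT_PWD_ALLOWED, which is bit 0x80 of the AD userAccountControl attribute. The hex values in the account-management events (4720/4738/4742) use the SAM USER_* flag layout instead, where 0x1 is the account-disabled flag and 0x80 is WORKSTATION_TRUST_ACCOUNT (which fits a computer object such as TESTCOMPUTEROBJ$), and that matches the accompanying UserAccountControl code 2048, Microsoft's "Account Enabled" description for exactly this transition. Decode Old/NewUacValue against the SAM flag table and map the 2048-style codes to their descriptions instead of emitting ["2048"]; the golden changing as a result is the regression test you want. Minor: winlog.computerObject is the only camelCase key under winlog (siblings are computer_name, event_data, provider_guid, record_id), so winlog.computer_object would match the module's naming.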
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4743.evtx b/x-pack/winlogbeat/module/security/test/testdata/4743.evtx new file mode 100644 index 0000000000000000000000000000000000000000..64c00c642752930f8e1d40fc50cefeebdfad178c GIT binary patch literal 69632 zcmeI5dvH|s701ur-7HJO=0S`C28>n^K|)X-Q9u)tEFcM>2>}&_NCJdx9wv*TP{CGZ zsKzs_L{X`!OA^HfZAN9pwAv!ZaG#k?p16|%YNt}m~CoiK-jXp8qpEu|E z+QT@vI-xvQ;P_KBNir%SkJdQpJZbi85H^G~_a~&o>7TA;oSn2uNbn$J+Sf8+0@@U^ zwe9}fH8(x~!oEXJj^ofUXVbXzcG^^V|KR&SI(lBmW844M(s;vTs0oKE&!g?w@p(aqFEZ4|-rR;>PY=Hh{z4B9}g6vo9aT*z>y(OLwHPzPN`lkw@IRXEdxFb&u* z#{~1wNWf>s3r#%Ap)@xtD4X>^2kPUkyXzgf*WkaqR-EepWe7=EA>Z(p5;J0U~Qg z^_x`@SajJw@_Vwq9I2-TZl&5%?Zu6eSv$mc^FkHLXe@y0hYs2Tye zt->l0aUc&B;-JvzY1Kv_)v2~1!Xo1A98M{N&c}i6 zIqTjG&;ne(746mzIW|J>95jOpd=UF$9DLiPIP+Us$h29>v;sk!PylYCMubt~;a*X#f&l zYh-H$kUf+FUME+n6B}b*z77?wK*$CtQkyC_H(D+^KBv2TAp)>feQdGsQSxj!!MI^yeT^YnFEx2XK}fYCX!Tg-Ub| zLinwPUR~{{C8#CmXKFf(^1Z(7JUZ7$!x0q9s8;AM5T@%DpaKd|9)4`FvCv@?@ky3rB2IcH&vL?||oNGf{w?p~6 zXi~2_O+xM0<2u)nL$0B*+wZK~Q1{^c$M;`8(>wm9V4@VXf%YtXxyzb&-mm%OiGQCH z9)0h9d-inYqEH+P?c~EQla-gsudxzY16`>Ux&i0e_Ellaq-9;Yr`?B!ITd9H6PHp{#rf zJ!01)UL$#e9?IwNmzeN9%2^AU-bm||{=`aZV|sPWX(pyJEV_m{XrE*;W2J;bajut| zxD#Wg%u9%yyp|a{ehQ_ohLqM|ZG&=ief`>8PBA%uC6;qgb$e}m!l*O1Pc@{(c=H5@ zAV*ems4mnwfVGhF)jG@^bC>X7-}ciASoIpDxkR108b@>JN|D^7h`liS|Fn6)M4bw zxeo6qrfxU304(#l_~ukPjGpJ~n6r(9CdXu&4_g_=hixhIvkrTe*wZ@CwQf@9Ji#+` z8cC(R2;m!{+YKmvJ-)-py9p&O=qJuXgt#S1oHKQtnWn6qpV5}#QTy0aPCTMud2yY? 
z$n`9pLQ)Caw&hmp#L6R0jaQcN2pzKz-D4X$5ADG=!0PtMeqzL|4Qn|wm-85LfaLzkiWjKzoDp{Y0POP7+^%8C{9p>-~Yafz&cosTyb10Hn8{8y|E9x=AguH#!0le6@aMJD#Xhf3V}Bb~UB4HLy;E)+ zf8zD&Ge^JugFluYIELY!soy);P4wh9BLRQ!nz`-4k3-Rtd+y~ZU~-Rr9Ik|tc=cMfcpe|f))BaER{A@LYp46$sSX7_&XCXd!=)E{*gNhUq8MB;xg9wUhJL*+7uy~ z59YB;qG`?FcEDz-11PZx`M5czGx0&#JNIFvL;#RO7#GrVd{Up^(Ow@TR*y*;dU|Av zB(W4>WecY@L~r@n>Q2K!(96>7huFU#tI$l(I}6R!V3U1$?FI6DvCxd?eT8OyPxmIH z899kGEBJl)zTcHPMO zGLBiTX?h`!W4o}wRXElJnW_7y!ZG0(PmCtHe<>Ur7{@-PM2?kzx8$F%8jkV(&+E0p z60eNCp+UhhzMnTRj`3*O-jUPlP=rk~epziPl37KfaS)QsDw^ka${-AxRg_spe(ENj zvx=pE*!$9RhF>oaBUn1Kh#xjc_%-lZ#hCLsuvtZ`I}xFo(5wq~B>FUJ84iSILbG(! zto?x(ACITmbp~c~k8H4bWA4$+>P|>#CNvY8VfrxsHxi|=tn$Q1dVRAiRyHl)Z+x>b ze6wqXX0c}+2gTf?do;7UQzA4InhDK>X1FKX8TW&<^gq9NeD=g@OS7r?Jrn;hSS>Qs zC^L-%e16gD&U|_9Lue*66Pl%&X1$;Lm{qm;*=LP!7RkZeC4^>!%r{Htb01b)77D+F zU&1fpm+Sm`{~I4&W%;!h{8}pf5`Lxp+@jSM@xRb* ze%*(AWA(x>;aAH1ifW784HJHe|0Vucn*FcdZ}WIy>vM1Y#LOQ)2>*-UuA&yX8zy(d z26#8j>dq9Qnb1sVCNy)MW>0;uEqAY>8NZvVPG~mByfOElRJ6LYOlT%F6PgLlT&LOO z4ZgqrIF4quLNlRR^kv2a`%Sdf9Y<&;G!vQ$&0MG1oQHpQV3(oU3H)iz)j~6&*(uU2 zsyjk6p_$N3Xy!W2mQ2`^^N69@VZ3kgDxsOs>=bEcbw_+NbRv0*QJ!Lyrx?@v6l3qF zKvw?a>BBn>&9>lgs_dV=$os0~eN_YfPnW3fh;Jq|6W>gHGuM5yO;5DUwKUs}f0bG! 
zzM1%Dr|6qm-Erg>(n2$#nb0iFH0%8fv-%y2Z{KEov&eA5Uptybp3om8Pw1!f4Ifc$ z5q=53gkQoh*ZD=Em3i^}su6w-GH)!M{Ic4zU-%{b5`GE4T<6!W9p{g_+xTA(c!;Wn zU&61H-|%6z)@JslWGQXnQBEM!9ehI&XUuou7?{{-N@{9c+I)+~-GKoUMuR+Ey_ugqA)gAH1 zgl0lBp;?+~*8A7YPaeJTHA}O~08y3DY>?3`oxcW)YK!no_$B-je!0%C6@_osotSaR zxd`m~6z~156n+W6Ql3qWYK!no_$B-je!0%C3${JM@XK|6&HC)Ud&U`lEyvUJbA(^Quax-})fVBG@Jsk5{BoUNkM0@vQOk5af4CU$ zrY{$M3BOY2m(><|8$G&>{8O0xQ<(fySX%!ntoQR9^jUrBD#NecxCd4y{1Sep%&(}n zi2o)068}s5FW3FAhb9F!tuXxhJfG+a;g|3$Wqw7qMffHB5`GE4T<6!dmvy{$o#9t0 zo`P&wu{c`Okm;S=hODQAg(*<=vv@!ZsWusz9mAh_}cG{$06W|8pPsA>ji; z41^d6F%V)P#6XCF5Cb6wLJWi$2r&?1AjCk3fwUM{*tvFod)GRQ@ttj;<2K%gQ(*EK zrGCETx*s~FhyR!DTsOY#F831-C|2rsqm+8PNU1%A?mJ5DTcXr4a6=4rdnQetFQZLv z2cS)Ee=_ACGS_+S%ec1I1J7~z{b%DO8SiOhy?GYv-f7NHLfJ)l=KY@MuuLY~Q@~5Q z?ND*rq$}vUfB50()6w+tI9taBC4YYSz84}Dk%%gboPX#+*UM9R{?u=F?>T70Ejxa> zuJs>p!JDwuyehQ=r+h(f_m>r^g=&*pqqa zdT{qh?2CjLmwus8EeEjcaZ{=Cauq2)-O$67afRvxwNcl^tqN69Ft0$JgkoDwiFcbv zxsbI)Ex^6Quosi$_?Rg_EmbGu5zRnZ2VTEJgFw`k7pmfDd4Vb}jEqqS;et^5expaJ zRi;=6Fx7>7(eg2>un>Jb5kG{)Tc0UX%TSPg)u{_97K*9~_%XrI>B930Rg>dZ$ZCx1COo1JBt>nafLv8 zBYs?Eo;c@kq*9X;g)z77Akq0K z*$hJJ(r~lWDpjN~(%-)v1t`_nadWy#G@{mn6bPKdE779JIFR*xbtc+dh|X#PyRK99 z_&YUzWh$=E!@re^*gqZ*6|sEN)Dm1}M{NYG4pNmm5G9I5La$v`tWL#SvOV*rWom3e zVR@CRDO4XqQ4pivLAy|4&U=-pajHaB;Vy_CXWUCvsV=84;?E-ds#F!&BdVpK23HD> zyp#{bR=sV?wTs`Pr2Gxo>Uz*((Z*TMt&;#}vdF4cr{P)``nns$->YhU?^KJo--!Es zLzZk)lXhIxw7KcpCAZ#x?3{whkH@@Na0K+6X{DbO)xh()m)9Nk@cpNKwdL=3)SM5X zSPK2L0jJcg+!kC&A`$_;KofK`u2c3c#F3howDj5TLUbG%k9Q|wFQ&{Zij-@iF&On8jGs2 zEI-|pPl9tLaC){nN7GLNQmI+s)SO{zYQf^XVFmgpRm}vHASkvv+tfWG0cDk^ZtAxz za_VOQ^)g_o4SN@eo9|ofh|7A@^1+FgW18(9;nRtCX8$Y$mZ;vMu~CDzNc}}QM1i;w zZS}c&q{OMocVv$okZ6&@m%Xsqv_fIJ1#OK+jY2RJ6e(B-^`TP6>b=bTCi_Kk&ig!4 zTo6uj0FRx3qXo3l8J7{zCftg~;m^dn)oZst{o4K;Z@szTG#I1<-FpKdkbuv`-&VY# zNFcTORWO7C9}e7ZEekk0oA!}X?}7MvQv4AJyCm()7hR5vaV^UW=jsbaqw>NH`hwA) zyzsETU^FE!ys9r4eMmV|g?H9X9)%OpXe`-|-*Ih47P%1@SYy$XEJ=OyTb>vl!V*&; z_jHNnI4P$t=;eu#_t7v%BX6`OaR1_{WG=kpJ|u;htr9;=NOePu#B6orw;XW;Y`rdT?8 
zd>hKK&jyjlsil?3IhBxeeAbZUoRP+qbF4dLIS1Yr>CF0*@SM07Nru`h=L!;Xjx{ru zbCk@53dFBKb!tDz7Rn#Wo9Cztfp~01q#CbPvQ%3ohs34C_$~jdr35vvSNn2MkSu9q zkawf?KbAcn5~l@r&PEtR>B`a?q|BrAT$8pmb?-WqTLDXg_E-<((ztz)!wjmTN>Mt_A_fv!O_UfOzh`kN8-{x^vO+kyIy%a%8|EhjrEf3?nK!p z*mva7XbctvC3{LJ6XnT$wB($DXyP4dA)@vY)7qTGJMOPXLVel^L_3sYDK|Gea^(J(F17d z+@j-(jxCPxsS$d#6m>8Wjl~A(rDdqwh^J70c;6H5CAOUsR>!$Qj}FI=#9%a5;q+3< z^2vSUj4mowC7)kw-c1j*oiWiEEx%LsWz`@sEdjO60|r|0{tgX9A!zhFP@}W2XwVz_ zF2)##dW@QoW0tW_Nm2((5-L;jLn!Ij7LLRx1{|MOG`0_(P^g=rHNcSucUl8p>wpdb z4)nRR3{0jcS~YpU zdu}}H$tO>~@Re~>Zurb?x42tn+qK$;nF-%Yo!RT*7@duMx|#{|YZC6y!a2ovjCzmy z?+%zbeOC0}%@OLqNd5Sf`tO~x1RQXa+Vi4Z-?rzR*#1gYV|dH+eY!5GZM>|%Xj9cy zmmLm^(dfU4I2HYuR=y6P{Zi^pw_KKb3HfAf@RX9)T{E?(0W?gGP77~BW;>F=*xxB7 zN1|*(AAm;&u)E1U!{rD?c|iIkoz{UzHX1se`-}fr&e2|W?6f1Iq*M3kQrZ)5pTJ?2 zPGxi%#OUS^Tf@=KdN@M!Z*Vnj zfzt#*>3`wF;Pn4&J-1SiY06o!0cPlZhOq(~U>77?0hn2-GxC)Vs&lQ-%bAMu)olm3 z>4kQHz+qLsiXD(jz7AE3x%(CGs?Jco#INYF%?8htu6*699+UQ{#~Lu67dWiqIY>R$ zd|s%>@>7rXx%JoX%MUa9f=bi7?Sb7; z2XX=YP+L)C4sN;w*cj2!1>eP5Jc6@2 z!wq6{g4>)Xlf&3L;TvjGQG)`dI@k}iE2@F<^G$z@KW5hIM1Kr6kAX_sA;xH!N}SWs z;XYV2%&15WOJepFP3x_Co3uFETmkXxO-9TDnI%pri@2=}#vd@&fR;PGe>dP5p_!K= zqF@y;JJ8&qiq8(>?8=1Yk%->$&o?E{45sp1rl0kj2RiBnRkeY(oEAuDjJ9Y3HE=#q zu5+%=nFCv+Ul0C6(go?G9mfl-(8mf*9~=*6P9Fl9CCyqE@s19iATftNy!1kbpy!u6 z%h5Y5E?LvC%HimrmB1*+RJ;-CGn7}W7e(+>|k|FMqj>4Vz1zckSg(&9k+Kp?Z$4{m)x zZ;)Fb{0Mdc{&O2NHpDIeU%n$D|HJr@yowJ27h&Fn{6juE9eQ({6+SvHQbQ6<(wph{ zNFW;#deh5Sf$Pm-^5{_XWX*Z8V`r+W+jmd=uO-JfHt!m~o@CgZS5G3!jPxY(`BPTt zYN+y=o%FN&<;#t2MUkw9XpVV7rf(i ztS)uifuFTPS3|V}X^#kG*5q^0cA&fO5pANn+mZXMrrFs}yu4vVZT;71L38=?bf~-Q$)ktCyDhE8FHLF8l#4hQHL2f3w8cP z?>yc)h)iw3J`p?Du^f%#Q0MhtqcX&{9BW6aks(wvZC3lT+*QYOF)<^LlYO@uDYX;V zx$eZ9qse(rBHxih8@*Vq!aR3vcnViVvA+^oM3V6~S*N^W&o&_k(%ELcOY*uFE-KyI1hSkSwRx?yX8MrbO%r)2UwQE7eUtWN6}!M; z3Cm6v1Fr`BAX%;FztJCRzr4)*Rv`IuCZmI|v%)V2$Mqh$O(81Q%P#_lB`xRhi+5$e z0a{_Nc$wOA~Nd#dDDQYvsm2(Pq(K z%vbXzEBx|dpZ@ali@=fd`U`&RK=YOgA7-Y%{A=nt5=(5g@Z%nZ`CBK$3^SJ|>n#1X 
z70F{nI{C7pkN2KF*{VF1_GCODaOA8!{dFi$Res9T)gn)s7x4xw{Nm4_>E#!JBj@F5 z(0QPR4}+4Y17-1YBQu1e#Zf>+fFMfZEn_f6B5IAyHzTW;$Xs_m{eC-hV zx*z20SFG?$h0k8~@{7Qc^YWGUD*ZM=<=GcL3`)K__Nq6VzW&ND>4E+g(#K9KbTPOb z<*cp1k+X92?NE;9shv7nB5;C3qcMc~MJIU2N`Dts7}98G7Z)_Xhw9y|4B zLoY{f{ghQdfV4+H0PR$PBWLAn=ewbunxA&6wnJ!-(0_J|6@KyiRlWQoaOAvv4cf0N zd>E8`b^BFkA{JKss{9fZH$--dUzPJ!U$sIX{`o*JeFz*@r&wPR)go!Ki{53`@m1n(w^7{0!Pl`+3laidKE;_x4G&0HiPG%eRaglKW}r#!QE+vPW<}IO(%@v7C5ZR)gbL&cYk{HS3CIeYX;AMICa@0+0$Pw z&O8a$|5C(b|R_RRI6FL((LOR2$-z{qBtA|G(opr_O3`G0S zhRzlhee;>@$uqy+koGj4!T&69Sf#Td^@cm1P>X_yj!&0))VmCxCro_l+3exjKkkwC zi0A7eR|F2Lcn)&h^ND?;;kYL+*Z<6yaS!KF@3z7({&`d{zX%*TKkf;79#!}-vvE)Q z_~~@>s53pIpWejxvPm~zw?Z$2%U8~$3LH5rU+0bs=jChA@qWUGLCM$D@qXIB;EwnEh84OPT#nLC6*zKMj(#qbqbfh;XgnT;cIrJ= z_$9raDsbey91Yq|6+R3~j;6Cyy(|CV3vjPX`KFxuh@ zc4~gg*LXZNDd#-^8@cJB0XUkB(xsSnZq_-8+mH*n2eXt;=4O*kI%S4vC+Buc%6cZV zG?V|crNa^}RUq1IBQhF$>z#nB9jX->tcz6zGg!|tbs5}Zp!|@|#oVg1FgF6uPMoy> z*7>R(P;?=)@)~3}j>bmm+|i&wowL^+VZfD?<=87#g?m-ypg9>OyOBf}FnWBJjzOXGe&#$7&Og;_+^{=OWG6tC2&~9bCCM$-Zw-2m7n@6DZc6)L%E9iME;ls@I z*9VQSnuRqdva;IIVjZee=B+4aA2#%I@|*W&QNH^1n6yXvNM?h}de)&X zhTZUp!SnK!Ti(f@9y=yd!!aPf_o0V^SYIOT$#_@b7%_Y~L5($QOPuv3%x_((y+KZ% zEqa9{Pde{$4GMo}#Fs@H4MpQ{m{_-Z?bfGX+kfM&Hy6wU!7a!4+8i&^nK-V*K20q( zU+NU^(z-u6Ix{m~U3yeU*8^*Jo_YA5^B0VLsQ$`Y{Z$XABlx!#PoIrersBvb=ZYhommn66=5}<^h3Lo-<^2W&{4zbd)~_)9rfyYf=K=NI2}oQ!mk3y zUgOtPbQ1}%zm?h|-}xZ^A2WF0aYD`e*~7b^f2BRKLj{hIe>33U$KD$X|Niu+W!tx& z+kf4OpT7L@r=EEEPebQl@jY|w$WLNI{=T{U=wAu{^7y!+qmSQtuvI#e_JocEj*yNr zprapIrX#QCpHm4!3Z3}< zKW;jq|3~1kDp!N_|G4{8sSW%(xO*Psdj`)_V$Vk(zVC&I^Fg@t4?XDmRrvZ9huIN? 
zKyv4|zn$-Y2l1UqX;18afx{}EgVbLyydUbXJl9|JPk-MEzxd}dy!;|?#jnTQ^uqXBfy1hN4N{M}`&H@a z)AepW_U{JIUwrTtt9ne@lW~~9VHM9o>ahiX4fR-l>aj_(9-s2*2UhsSugARnB5;Iy z4CA3`>JT&c*QA6GZRxQiJ$elBPHsK+j1_wE>oGUIFn@!n}H*P=5&=R^@7t`pey)m zWlw*ti_}oIyW+{DJ?bxxcLk2U%8zb;KK=V#QRrOL>&kUJ8TpNIW2xfF=9+t+?>c7W z2ay$sSi;Ip*IB7n>xi<2puXj>G^?>j@>CobBi7&)tm16KeW}NgrFmFmxe2Q!H(>2# zHU2H2-TXkFE!S7uJd-_6+hykrkcE9s1J zXO}{z{MZV;ZI9OA)e7t9#^cVs^d@jvixyO0iag|M-k1thhbf)E>ALOSWJ|FWX?wW2d!& z%QpcIw!Z?_a~F<1fU_NS_1p%I1J_&z$eTga3v^qXblr5V9gi98U=4a}A+W=eL;F_664cy)`owBCp5XAg zA4^J2CI68RF*&53H+*=-qc=2UPwu}PB_FD3TgLLB5XUC%0R*)f`c>et%7s|xdC{@X}sQL)mfr;{CJmr_8rS+&Ajg{yu1F61aK)vtG^;hT^ z@?)X%MQ87WM=yW|WhD4Qt-1ZN;IHUWu2Luc?D9uS4t%3(+q0^1)g96O__exUb?-jD zVaDrKJ70eF-BmZgc=cveHglc43Gd#HUZG48jf^Q_&JQ0NCEt_(e+jyN!SMgRC*GDt z{(nKof4li#+7td4IQ9zv54C@3O{D8zvB$jq+mOZnMH~R_X!a}nmww|HP5=IWZQa7` z$#;L8o3uxGn5R?Vu-d;~JIig?KL=(Ne$AvmTQ4ZkTu7^DsFqLmY?0yHRGC{bAKW$> zj{TOYJ(Fy?(spWwbw<0EZ|K;!w1pfUmC7EfCZC{0JIZ(Il1|{8{BHOSMH1sp ao)3o)*=I}9V?F3?{-v(-{;rMdU-kc=Y7lJz literal 0 HcmV?d00001 diff --git a/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json new file mode 100644 index 00000000000..efad3a186bd --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json 
@@ -0,0 +1,65 @@ +[ + { + "@timestamp": "2019-12-18T16:26:46.8744233Z", + "event": { + "action": "added-distribution-group-account", + "code": 4744, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "group": { + "domain": "TEST", + "name": "testdistlocal" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testdistlocal", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal" + }, + "event_id": 4744, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3699973, + "task": "Distribution Group Management" + } + } +] \ No newline at end of file 
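Review bot: group.id is not populated even though TargetSid (S-1-5-21-...-2903) is available in event_data; ECS has group.id, and the SID is the pivot that survives a rename while group.name does not, so copy TargetSid to group.id next to group.name/group.domain. Also PrivilegeList is a plain "-" string here but ["-"] in the 4742 golden, which means the split is only applied on one code path; apply it uniformly, and consider dropping the "-" value altogether since it is Windows' null placeholder rather than a privilege.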
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4745.evtx b/x-pack/winlogbeat/module/security/test/testdata/4745.evtx new file mode 100644 index 0000000000000000000000000000000000000000..8dd6395c88c3da32a450ece4de6491b8baece91f GIT binary patch literal 69632 zcmeHQ3t$!1nLhXCK?vMDM66Q8L`6Y2G=U%>K0pYHAjA?;x^^`tkVHa4lYoHQQqii_ z`l_Y2YEiqs%GOe=-L6(et&euM>b7dvZnt)~R#Dq-t=jIY-R$?BIsd(LXKr$D;@m^- z?F>w2?#wxJ{`t@UI{*34KMkF07Ik#4R^BaYE^Ngyq6(C%hqK8An2ss&e8qf9f-r{UOvD?O?kzq-{Ll$?g&-MIcSbsp|@;W%B@;$J<^ zYSnD~T^(<}H|bY2(%=6o`bzq(yQx^MP@D1OKHVY+e13obD!?T@`qud+s!_MT5pA`i zR1fYRg?*6_OF8tA)6CIQC+a93M0F=cVdYJfayW>%i-GXb_0HvO-lHEh|vPg^@ApU|bMN-+%Nd zwbB&p0H(TdFIqN66&9k8C*g;Xc&=81E!8iPhVG)@O8k>lqxT#P++&ue4T>(GV>k?-9<8ZWR(1HM5wZgIhsB*=SW#5UJ4QL}AQr8%T5k zN;ZR#x-{JEvq5{;;JAO!;F@Jh5OG9F~TK%Is58qiryVAr*( z4u7Y`uS~=B`S`a&5&I|Lp(2)VnO1_U?5GWZ)j_IK2cbllDD5EV63U>A2Q~zU~I`_o^D-JJsOrH{d?skR{vH zXI^1$g|Z~4Ub>I=XiEQNkr zk5g(^ZVN9W5s83as0q3m*D3oNaHOUsEq%Vb5FJOx=)J7Bl<{jK{&|) zJaz((7SKi~B!$Qg=o4;5`B^}FS-mD<64#%&eIo+M&*T@^aZ0odEpU# z!DvcecvW98`jB#_5^t=VJQ^pW(O9w_zvJ49EOIk0u*RY%S(5tZcRVpVge9gz?&%WC za8gEH(907e@%hl3@jEWr>v7>lUKqOkW-CWR*l5U?;iN1J@_46~$AxwC*c!H~tye97 z=H!QAxl$hAfX?md+Y9pep7KpQPlp8L#`6UST~zYK7ayyM7JY4EI{-8C_)MIB+7wGC zkMBS^_SqovIJLAAIj0hGj?WsBoHNpxa*lO}Ea$-EBAr=(GM*FHBFRvDwheJ0_05#?3@iShSHU#HAtC9>A5;>Y3km!D7PGz1nsdN)NKbW>DyU|(&qr8wzO@y z2Sp8Nh2|`WU|o=)&bTh!JFzz@aTgjq5zcgV7USvb%^R^T$L3F0i|{q$y{Pf{hK}ZA zUB^oI*GJc1sHMkq;3|%P6=YPekrpCF9P^4}-j$GzB$ptp$oGq?@g!AOF`(2EI3hN! z$RAEvy*p+=;(6g$m!JL1U2paDU;V2+yP=ef)VdF+lv=bDX}P4~Xfew3R}Q7JgXL`t z6LzT&PpRr9Y)fMs(tc*msW=*$nTh>e>_}YNhd#OKZr3YsM>+DAt+8H`-JK}g1pAIW z8jZn%pkz-8WuiQ}kCvP>5KX)zEkx8_Y+9R}c*g_uNT^RcfoO+vEam2AN3J$&>o)N` z4BYrU+VX@xNynY8CF@!(V-rtG)E(p0P4njB$ce_rs&ckSI=AS! 
zqGO9Ad}@RqEkzwnL}Rf*dTA-@HsUGNAKv$bdx>qQgw=7b(4)igBQY3_l{>wZvV3yi zIHQXSRl(=in0M0yZD&k0M$7M1eOWmOOp8G+^MQd@yuU*OQ3x9S4%F!EE1L6$zKb!& zp&p|q7?`rIoJ(Xup(t(=C^!UP3+@8$6|?b=OSoX#fqAqtn8hklBtTF!py!$&o0V z&e0AFaZhD~| zAaGcfuVM$JlCMM6V(xy$yQ(u)FYzmSY?HzBh@~nY9u)tl~LHJ=T1FsK@eC zkM+6r*k&vI;@4wdei1lAJ?8P23m@9jW79o)Y^`c{>#;3X=*6$c-1Kq=hLZw^RrwmE z9&`7rLO>5@P(_bj1ATVB!Lxe$h?R-)*p+X-*Uh-GeW~S#8GS*e>D~6gZYYFvYbiX@ z+^XhDyJv&$>R~s;;c*6r#TWms_O&TW(TUIVpB@<9F>Aj^zI)kM{!;l69>7u<9e*3A zWgO~a+j%&r|J@F|6>z07qQwc{U_8}lu{W^W7;GK`m9#^Q(J&P_r=i1ruxOZ3 z5!!DYAERl#Rc)0PN1H1ke!aSD}mX8 z<_1-Kb`WP*CoGRd^p1bNDS2ivmESV`tlxalQ7@>f4YcL7KssZzMH8rj^MP`mb9K%f z*lPWH@E?*cNFVJuUTB3rmTUUpcrbJN5XdZP*0B-q=+FrgbLhiMFJuUMez~(8y~9%8 zVV3dwH))I`L-^^%=cRjrzTt#_7(y{1+DoNv{eEPp?S^k0`Sy~D9~}1bg`H>5h}PG8 zVIrWsRtJAEqw~BYNC;T%Nv1EEQ~7RRGV5ykBAs1^PXDwOI_r*)BQvA3MhGQ=%$gi> zYvWXO6(lWC-Hs*x*$*dyIzD6i;lbxW*^xbcP!so;Ci+2I97rDsWY+q@tqDZ*H~1N5@C1NrFjwGaVlZWFtav zdig4Fy*W%C9g3c;K0kKcELC~uu1Wv7_=Lvhox|6Y44d=nNko~Eo)(Tw>RX#JG zT_DR@`TYA(KCArn3@VIw5H;zR&lg$YqoK-Y@{vFm%4g#-blXtEqkBg_GeF!cpRwx3 zEuXhpp{t?FXU4Y+WH~FJ-w)+;-pc2{!I~UB{uKN9Vk>+!RQXIk639aNoI*YekM0fm zJQJ}Be)$aVr^x3`7z|uug{~6wJkIz-VZG5{<1+f01Tt&#+3jaaH4Yo9f5WYt(Gi7; z_$EK|__+~@cSeo~WI2m>@hg$%6yt#1c)xT+;+->{0$I-D-7V`h>ILr{XIy3l@58YJ z1u|=R5897<{N14+HDAZ+I@^MKoPN0#J{pc4D3FDAUcy#aBfn2=c9j9Y;soM_x zycN0{svSssL?E*!pM$mo-F=T}6V>I`i&q%DUwcWH<@rTvaiIA{fy^4-gVu{XL%o={ z{t>-eU-Tl6SB^+NqW@YT%UM49R>((r%SSo}N%)BNz!$9WQ7Zc~ojwxCLi;j>eJQ$b z@7R}2cI34$UGqSstE)yNT~R&@WFcLppevF6dxx%=j>1bH_w3qO5*bdw?JB5Yw&(&;e(yoi$~q2 z^E;^-^Ih@h(qgLd;ya)Sfy^4-JMWw^d)wavL)duUc=1aw?t19#>rXoV2TKutC|M^6 zn`E6xnLQ#okDBCfU+Xs1E#qIDEdHQIbo2FA_-KwJ&y&_|q~jxjET_lq$gh{#dPhfJ zXS}vbcyuV^c7JZX(L>|gl9{hRVq&->1E^t`FvXjNY zs{ubuR_g_C^oQCnFY~??NWPpY=-@9~;g>_=dXL?784m~?IV(?p6UtMSpYn8-$W!J;yvYi``15Ca`9rqe5JigzfDki_Jt3FlCO@v>dmIFzw%3Zpnrw*vBL^o3@%4GYb$W% ztQ>til%siSr;ZjmO8es$EBrFJol1TYIC5T&25qMb9|k2y)7hzY9#4SBPQBI8%Q0I% zYt;`R?a>cFJ5}JwS^3)eZfK|Gr=6_NxjX1|?tJ 
ze$`osg%!UlzXZh%k)7gK<$TrGtvs?b_Y#XXo@XT@2od(a(e{<4zvxjHDKSA1)c`t#(DxQOkBlxdUMHL%H zf$Q&*=T#KA_!AiCbe9!=@yEe=`98}=No&@WE zDdI8m-74*AI|25$z+n~7vf@`()Vbpg+cDQM9s5M=j8nyW^&!O{+FsQ;^fjG>t>|R8 zaQiUpIa^3yI<6JRorcandBF;+bSCWyoe3Nvonh7QW;OKH!y}K*y5e*OqWuR$XN!uy z^Gx>SnO|>6dz#MRe-=2b(pivt!yQkkML|Tzr^`I*Hw~UAPI~Ft?BUrz?veJ0=Nlkb z1P-fs4szV{>3yT&xF;{y|16Mk59d+uvBEF@c~mdI2pl;-?g@GxRroNoaZmdA>2&j` zvpl1p-o*E^NjKlJLN9~MSI(mf962jr=Zz2LYktn7&Jp>__^w@6_{AUZ=a#SJ7l9+^ zb+L@CB2<0 zaOAuk4cbl>J`75Zrn6JMEC1jNaIZ`Gj-i*+eq8dLO+SFNC;k?JBWLC7$@_(NYJSSs zcsw=Zy6&^WFaCHxFTV&JIWJ#>j`tHj3`)Kx$NSBRkNTZ>zw!8tUx_>3?|v)v;rCyA z=|kYKDo=y-U%T}rbXGNXiQD1vyCVe80!Pl`**&gPD(c4bUEraAGF@s~ zPXAgnN*@XAFr)N=IGT*orI>YY);WpWkPEp7vy@KeW|K`iWrk=c=XOiVdM2|plmD}& z!xJr)Bid{OG8%j9ortR)sudZmi&Z%@SkE=mlqy{dB1oQ#s)NTLfEJw97U*hnP#bo`ow z%pK#dduHrC9WPZr{L{w9rpDS@r)0g(=wb39kw5kPJm~LxR`}Gfcf5Qma9HKjAoY%W z9s!-M(7|rK^G^oPFa3A-i`g45`SC36i98fIau&~SJI#Y<`h_1bcs^j=uV2a@p8bA5 zX;0>-1rDot4sw3_;X}i5X?~7N<90RVP@mf;m769 zRx{#bR3|PsO8O8x;rmwT#IL{HbkbC;l)zzCt_Eo*xcgJ#+aid@6gz?X>mh^Z6OXy% zWt;j-+7taHa9G82koxPsH$(lEpZY5)zUpBs{NkUt^74zok@Na1=y@yQ!_4&8hmEhA zjWs8-vf9yN9ja62tte+7G4yikoA+f=zWVi;v`6_$JtlBim9IhSF?YXu)}fvRyJ5G% z^RgA2-^rdHJ2q0yF(AJ8p@)K4Un1?vcvs*UF?=~ujWcUYob@HlZ(X6iK~A16dW9rU zI`44}3V&zBmqi*4MdNXpRJ&@;mZx7kV8iXV7R(31EyMTP952#YIIh4xT`e(R>J;zN z+CMuwGc#UYa&$-6gKKu2b;O)KZyzX`{u4=el7gVoK6UpYR_RFE6FL$&LORNTj(%d9 zj=Y|SZnXyUKs7=~luJJlJ@DDNS)`*Bdcd?N_JqKZS9-wR-_YBl2Y7s9gy3D^$Sb_N z<+V%y(hu~c!TXOMz2h(0)4%?C3~7(_&iso4hgG}>=?9woe&`3vPd`x7JjPR2_{Beu z;pG>BW5n1Q{9>>>`XJNsX3+B(!iSlSEr&mk!59b`RT`^wiWyJR|MRpJI`R8|+;l?! 
zkHBG7t_JD-lwX_dLcA4W6gQo{v6q{|gc4gK!rdcJK`=@%1YXvm*$BFTZbeCOo4~maI8ACTlU!hkG95pRLe~Uyr%zh4HllhgJC+q#kqktJ2Y@>)d+m zUkskV^3W?*^_a9L<1m54DxQPXV+;Qh>aqOPW0Pe)KIPMot?-Lqk9qk;;0W~?#zWK9 zp=R!{NeLg?(ql(?^cdou+&GDGDCwffau!`p(_1Ie#1!SEtUvYltD}K%jzxe%$UVafca$b)G?N1aw3{H=w z&R0Cg_YLHT+n@NaR_Mg9zua^}{UvZ%m8(JOFL!@pF3jyuTo1eQCkD?GAB`NGJ^i&d zQccs{IE7$R4zI)rL{=bT z2`e{UXN6j&Bgz^;eam2JR$-0gX*iyQSc8va6=xIfOFf1x&Bq$cjaV(Y9&0D7@NXHv zVu7`kefaIH08P#&&W0p9#7#LGIJXKZox%P0oisl)h)?>G`lsd(qErSSyP;1Dvfx zpL4Zu6DVLUO33w%xTn8wf@?8VinS8_$7eKQ#qBw!_Q0iBvIQ%8*#>hSJFN{|z6o%! z{pGNpyKw9Qob9Nq=QeO0xaLwo-VB;vsN348>!xe%1k`9jdmA!%{>SmeUc3WWMXyf# z9t%l z`Hy^v$szT;;lryQy{SHXa{t{Z`A|*YJdOv2I5ueyAgE2yuL6fvKJ2=8{I~=Eq#;r~ z|M$DAU+(2NSPI&2~@_l_`RCPs8vXDl1)Ib>}NIr zW(7C^N3*iOMC+mRAYu9pbw*=Fs)Ts}QsxkFxUySI80wZ&beqjO13*tAhrm?R(nk|5 zjnV0Rfzg)+V9|xT; zI(uI{dLc9@Bf%TA=Jv;ezoJLEN}ckHD|eS1^hV{@XI10MyQ2H^YjwZw-gQF#%-1V- zy!`6BD{p=Ax=p5R<~n&J-n|{YLYX2O8B@ZXA3iKfz9;|x3UvK~;s5(iz9WnL|ALPH zcJsfqC;TsP>=phWYX8!jNY}q&k9qsIK8yW}H~`ww>{s?L{l+hv{{6$6+J@}OcYmCl zv`2WDr&Hjt+P_{q%Wc;`2WAz1&7?nDFD%epNULY4mQVIT4^nOiX*-ZmMI{g$ac zlWe)tc4~%oM!S}8=-9Wkg&ZA~${wmBpP)oL%6I9KPTm?_BRg?58m^>qu$NzcX81O8 z3LtOMwjk{~9k;Dc$2EK(8o#w4+DDHy7zK#s$&zhq^7f0HHZ@(p`1S{mn_DpD@tBu_ zo!9)~gw?xaU|H~fYoiSZ`Shr@^L VvnA-U9`rWj6SSN}@nE#6gY ztyBfIf(nSp<*lt)v?_{LffhNuz=G12n*aB^yT8pQtk3w&OJ6?!*_W5MJ3G7c+nMk8 z`2i>?u`K(Z)BIANrlo-RKmk>8RA8k8fIF#t!^H z(>>J=d%8N?vb-{{k1Qa@9tCc&|TZ6mR|S}u7t5NyQsUc z$_wPOrc;Ez82rei>;k&J4dM5s!~nE&gs|@;Ym?b5Uozts58_+e5R`s zgp?spG1dp*w*n!xsv29>svI!~V7nUO1Jx|-tHN)RO2B6j))G`Y{+HRwPj9pp=Bcm$ z3}q$dR$UaS3e}}JbDfbQ0G?T2KOS~TiSC~pr3#GHXCkdq#Hz*KRD68`#!+{ARX&WZ z#7?DRVw5NHJPQw}boZ*^YKCznc6C;r!!yHG9-_^$VjL`P=g6#)DhK;c!Z(tT<7rOW z+Clvirzl32Rp9a~3=^1jFx^gK+!2XZ7cwdg|-* z5rL}4f;+P+%E+inK!L`YTnUTtbO)@n)kLJ1i^3`bU8kx<{2yS43_y4$K81?8pM{f( zEI&9P3ZX2h8L-vNRHaTpj7U-F^3jp%99$*Sv#zw0>Kg8i>7sgj)lrBFFdAQA7cR`a zt|--AMX4^>3(#YY-ze3=h-U=ipATEHsx!VG^~dnu2nkQUo+rc-H~*a}$6rUK`~tKZ zgzHb8k#6qFgPn~fD_)I5SQW~;8sML<;*YqdcwGGq?B^9S=45r^T~`;)F1lmn!)u0| 
z8GiCh(M@x~6zKHRMsE}s!S(2S`eog`EY3xY5f%BdWy^sHQR77#=t&^ZR6 zixE!k8;oCiT4L$?YA*_o#N*yx_(oFmB0#Dc1=L`d_5qQtanwNtZkAHWe8QsSA&84Qj`+Q$UIZ60Xhov=~fKM*XanM zmJGI)L$*af;B&Y{bjQEr6ULX%d41P0GamkZ_yLfVl0-|%GX74(HJ2c*X;354rXM=eP9P3%gn`(UO)C8=tN>hV1`WL5c#-TD4 zhy8`{s|7eOHJ{eA(q#IcLToe583-AGJx%vZwPP@}e6C7H9w#8@vhbU%(qNGf6{Rd_ za6GC_$tnd^ns|gHBTg>XlJP$SM`U3;1=b~De%&o#R1`otWUbBGV@AQITq_pRT-jgoboIHhpJqJ-%Xz0 zY?P=SN27erWtgN$xqBPmZAKv|H5*n9gGh;G3ew0Wg2psQv&SLUNaRjaf9?IcN4FKr z`}#IqzUAx{bJsogbIvu;s7cY4v2@L{CPF)T>QCtQY8Ip!e_)MA^}v@LVm8r1#o%(h zs++Ms7iGpW%tTqI;5QLgr=omwP^v8PT$F7x*0QiC0p-fF&q561!-qII2qyxPP~vbH zIGfXZkHX$0gqvB~6bU9WYhisHa%-I7B`OVnS8G&@%u2}_KzI&tOBErqM;h2BrmIY@ zz$P-F^|><0Ks)m%5tbytjs#r8AcHl7kWVStACHg(Lp$POaS7s<;+uxha%@e)dWK)F z7@4;%j64y(>Ez4)kmZY5rum}z;>wpv@DZip2mhCW5oyL}64vNn zCK=4hz#6->8tP~1h?@kSq#!f}NBZN7;a@hkbMobzkmZY5rum}z;>wq7_!ibq6W{|_ zlQlgJ{R?Yl; z4KI;ov;Y&qigFJhVIi{^_9U)WwJKiE&0h5u%&B@`mqx zd%oEJW!|~sJxTU9CxI&rWo+Jg$u>CTuReCHdEd;*mqQ`T7qLw9Mf1g#FIn&}tZfy8 z3-l#P_?UNf$rs*TAzzZ=U$|zrU(ylIUIEtPSTpnA-gmiQ`LB@Wi&&=lqWR*&mvo@r ztdWrk>;dDrhy-wl{)N5BX8VOhiCITW1#^-RgT2e#&vt(zJdQvA!qG(-A?Nfj{|;Hc zh-I2DnlCPVVec{TztDr2^)cRu;kYpJB>}%&V^07_0sUh|AZ`G#4^nnl&u~=)^t1!M_Bp{FTu7*78sENwy@{R^e^NL`I3QfdK&s7-jhi| zSUR?N_k}%W{`kW2o@M4ZOX*KO9I|{7%QRm!UtIhP>s1_K%08}CgAu&r!qz|e!rB*^ zlL@}08DWf-h%na0I6{WKWb6U(#}}9JF#io%zKCU-FPbkdeBoVsj&8{UV>nWqH7<^C zVc#*^`@CmKzOZFa4v{0g2V;)1WZjITWBlK*bQurxeaP}fEYp0^d~xMVioqA&qi21U zEMe<~J!OMXi%P?nd?AaZ_l&i(959GnVc!6Ip#Aw5m+>(5AgA8#~)u@#>1#9j7nMvJ})MgX}%bk z(9erCezr0jUW7HO9DL0B7@xFEM5yUs$}ys!ea!4b<7gRMK3d_*apePK(5{({fHa3pdu)*7A{;~mXXcop+`F+PXMcFiQj z;5|-`%Jjz%RA@&i6kCJ@@91FmGK5Nade_>mt@$>uMkmZY5rum}z;=-3Qu)>_Xq6ADR0XOI^(hRTC zP#-Hs9QGPFu8;9)u|#;BAG`nJG9D%(WcebNX})N_xbP(xeBoFZj>n{ZIeG zr^w9l$!zblKRE~6IbaB5r{R}(W!PWf&%c;+#Eo-~hlvbXzKCU-FPbl|eBsk#Y_qTp z&lWv<%;f$)J&ZYijAP5p_CEQ=CoD~Vu_u}{#`xolHHoW}FYQ8>FJhVIi{^_fU-(1| z$4;_un2g})NzP$G|55@bF^ugLpTQjd=ZFCFo+Vks(PaMT>T?+n6J_xwVbQUzJYS!r zxP8Xnmp+^lp8r(m8>TM%?eVwCe0^e>=8NWw3tvoM!DqhsY%y8Fdy%H6Vap}~wJzR& 
zNdha_^3TL?GSXY;<7ySxC*-}{d+ITh?o=0i|L5B+E|&sHm9cUW;}V^O<8wbke)HKCGcj>5YK1Lig`*bvy54>YfvyVVOyCs z&oh%GbWcQB!>cPS4~5VPjly}p2{;qyYOgfbIMX)Y)xfta6yuzwn1h#Ze?Tsir|(&_ zA~(#N%*5`&tiz96Bih;^PdIOKsOLVWagMUaMe+9uE4O>b9b7#pXnMI+9jTX+B80VgBYOyeNfIKVvb>PZU+=?@GU zd2P^eu-HWpB*n1{o*jDqQTOFtpOEw5&}UX%u^F#KD21?!Wi}4l#(es$Gl^f|{P~!^5qp= z#2@TNZDBdydn1S-?b_ZB*msWAUF`qG!BANAHe+7f`cBQ;?oum_D%n8 zWbknCtV?}BQluF0{W|*~eOv?wVp$u;fmsh|s1KZn`amV#c2$WMJ=^2-)D5qL2!0$5_F3#(AZb9&H@wp2wB*n+u*JOFFDa`);1=~k= zTXcBAff%JOLf4E~X5*sm)f4+SsVC0IHb>{ypa-QIy)k?TDBpVeQ!&CU3JfEBD9EoK%j@n**qwVO6@g88OzO1xx(f6sf%Y%mtH+_*5`+R@V z&ASo@maj;NikeUnIpdZn*E+F~9k1{-UdT zob>U~ye04Ag~9!R3$e_`h1M6*7iLjl7-`A+i-+}JslTkYa8&lkj&m2cs=i2yz9qj1 zdvo2?{AKICU%$6_>&>jc972DoSZ3o$>q}tRX^y@a_wk+j@|=Z>S^3`w5f^UyA}KBz zo&3%}hrB=L;iB9RE?@P*D<7lsUxeGsVwsH#tuLZ4%%Z?B(vteJ!Kp86EF4Y$_hZ}s z(5m_(DNcFfveUkqx*%`emTGV5=7*PxzKCTujWid^I^7ZNqitwNie)yAw7vv}o#yCEClBsZJN0Fqg^L#lWifKR#|cQH{bTiS$N6hs4a`j_p$y$eG$uS9BF+C3_H!y7vs*AQ(rb%xJXrB zJrO)yxao_e=uKM~`QhT@a_-&n`uWp#-f`T!7`gd6>MvrMjSHykOyC^Wj^L3LY-p^hHuUb65FbZ&B9ht5z2!e3d(UO#ysP4*FljG8-3KUqoM+ zMS)?YCH3V}r@p*s;pl{m(`P-_s`?@+TEkxK@sQM))6tL=%WNEJeF+RZ&C!=?jJv3F z>dQ+OE{@%oFgtj-aMKq_@uX|Y&dm$^>!`I4zJJpD<1*uSqai&XxDd;1Txfj}ePI>_ zhLM)kmqz1XUbb*_c)>UC2MzkE?k8Ai&$pk zLhFm@3$rLNj08nrqHv%3RSQSUhs^nR@Nncdo?lYDa;Im}*qzr8TmM-1E3SOy&O+8- z&O${`EVFUc_Vgu`$MfSsBbL96Q+Un7LF9eMT=ICU)?+2b`upP!e0stS!|&{W`sPg; zrk^1W#IiPwgSIoy5~%3Z$j`iP;o?{4^{WjYF5LW#q&Ph6ro9^%uNd*@%GaOhySd|^ z4xy5EHH1_wvvHyQjQAO5(f{7hv~#wT-w=H{DRz7CaO75xjkHoc@awn(zfYW#bL-aI zOa3{gL0`l&8%J%=&$J_hLNE4!~Mm= z(SO#|R|OA8ZvAkQVnM=$VQ2T+KJxiKw{I$ZJN+H@!)?P?EVFUc_Vgu``{AG`&VIPf z77ivY9RBOz;lQn(EGd@08+YJT?~dH(KRe%h`(s>RZc(i zwuOtj=Tfc<9xmMcjHI~l=&FU|E-1*n^Tzt$#4qU6ha!3y`XH9sxX^wkwERq?cJezG zjt0-&`{lA$t;b4=m(Ab2dhC<0<=pkaYg-?B=AuvOXI{p@L9xunQQPw~ZAV{>c}Si5 z@>dHN^TvJhRq$}(rZ19W(Ti!coN6*A+h1s`?@+cAd9#Zo!80$86ZNeNL~%mwBi!({R5?EVFT>^(8Ru 
zG^ZcVII~k<-m`F#d&z>L;NikeUnIq0@4qtk<2}2EuQ}NNrlH`mX~}l-G^f72Z{eu_%F~{Ex>fZ>Qlwkr;+(IA`XZLuIMVtO792Zvvpk?&hN?Av}<``#J*I_fT*msl*baiR4^^o3az z7)DxBUmA_K{lLP}lAW85U(u@iA}P-4drij+vo>b_ZsNh+lb@bgC-oPx%*K({m%y;o zEPcUS5E_kx`q09~dviCQ5IkJC>5HVe>dPn2cw}F{?1wkxbofR0jZ4;oJRhT(rOOS-5y$Rn+If!-bo^NQ##n(>vYwUDdF)lb@P-?$h(Gxe;w<&c`j5 z*|^a9BKpEC3JfDHsV|MjL49K3=-wMvj9J~P`XVVlxqr+_i}u9iK6mbxWl#Ni{1mCb zh-Eg8w7vv}o#yDvK)#;QsV|>exTyYWX+iLC;ifN=V*bwG_UyG_VD4Qx59S`TEbj&0 z94Wx_h+>(I3#~7rFQIY&sLEM?*=FJBt3BgaKG&-HA}MwooSxg`w{H%AB5w5u%L=|+ zE&3vs**Mbr5@;jhlQhU-T!s$^R22ck|LV^N3@S(5h#|~IMVtO z7cMBJ9_T772@NnU#FOuS&X;70s=i2yhi^Oc=D%$Ea>N6DFCR7Gu8JF2 zf1$pJWj2nqz66Gy=IBcqBz~h)Uv^r!IPvc{UKu=Gxao_eSi0fDE0U&k&Afa2j2GrV z;{Bosb(c3Wz(XvvaiR6a))!<^U>IpheW`J_k3O?-^zz;zpRH?EeUTKm=Fh)p=b^<} z_tyOVf|%}MlZ^He`tigv8%J7S0>e&o^u?$_I`w6jg^N2*PS_PZT)63rq*z$^%&?5q z??+xWe$I23K6CK79AIJu^hGSQaiR4^^o3az7)DxBU+nQOH5i4z+rrTs6?>s==SRNz2-G?J-2epd$F%2#{( zu%`msGZ2TBjcR-&FUCnCJjrSbBJk~>XQ+YrR2uK&tWf2MI33~B@lMW49BjNZ1Y6bE zQ-`n;tW_fZEbOboZ<0#DC)Exq#r|1{KhSz7eVC`dz6X-s0JFKAe^i(niT9A=eeozR zj~BZKVB-^O_x;Jyjjn*N2`z!COpI3$7VR+)>WPi6U*I2>$0vH#IY^UP!6;#7lq77V zT2Y1`>fGqO=Bq_ZjEkLa8x*dhXi$F~SZy6R&(j_U@|tV#pGGianTpp;g^}+^WR}b1 zt?gaPgpni6$R{K68;JZCNObls9n@IEfEg&FIwKXfI2k=sb(5Sqgy>5VefFeiRR9yF z<5Qs~;gB*MQjD_Yh4Y|xNCWeAVLczOdhLNPGJ-RBsaX8R0772X%~+p{Ba>CG%2a78 z1;2?Z9z~dr$H_9VHV7dJ*dMR5uqOd1ipRbz#K^)CKE%mEcrJdE)I6k?gR@OkMF=Ux z|0FdEdztsJ8LT`988#JP!lDXcg}BsW6jYsxL%xs0m6RcKMXCrm0`Lrc_)1t_C0`pn z62}sj#rS26IM@`2>@%iRRTHpAh}K|D3TuXOTrFaqVZ=3E*qoP;&zR3`Rw&4--JLAq(i z*N6Y9$lZB38%izKJHKfTAsBDTrOtBPY69|bPpjzdCeKgTTd}N->a8Y=scgX`OD?1! 
z9gt4~IZ{A}3_zb!L$ahJgff!}dZc5UB9w!zWP?7**qen9>E)L!c$YL}gFF$w>*a`-h*&B3 zEkhiCd@&vF1SelU4_Us5WtuOVFR0)h$(J<4cVwWFm1|VNQt*EeK4eY?d`A-2s5D84 z7jJl>M8wEMY#;X0Cy`zL__F2f6?4};mgnTl7a_|Ru}t$t^Tm}fneZ2^fw7U71xBRd z!-gICLYC0Kus&us3fbsO#x|QesrWVH`mc|9UK|jf*gwq4moGz>FJhVIi{^_9U&s{J zQp?c%FNUu$`BH}ZRy@KJ5la7(j^7evFZ;qu@Ev5--jWfc7-vZJ>tC!6Jn{wptr%S% z#(OmPXQ6S5J^*ytc-Z~d$>Nn#>>6iZ4!>b4()ywYN_EG#3wn5z(d)yWpD5MAh}TJV zMJVRX$5t#R%qYSyt{3m4LErKObcI}Mbg!^0CK=Z>0i88gJrQf{2du$$RbZ_ceSoE~ zahh>DoG*&qljivv_Z7yYbBEn_(j&<2JaptxUrLZ}g_?;k$DkYIM3KkNj?BjSVCBpI E0ZRgEKmY&$ literal 0 HcmV?d00001 diff --git a/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json new file mode 100644 index 00000000000..bb1f2e0fe39 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json 
@@ -0,0 +1,65 @@ +[ + { + "@timestamp": "2019-12-18T16:31:01.6117458Z", + "event": { + "action": "added-member-to-distribution-group", + "code": 4746, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "group": { + "domain": "TEST", + "name": "testdistlocal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal1" + }, + "event_id": 4746, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3700022, + "task": "Distribution Group Management" + } + } +] \ No newline at end of file 
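Review bot: the account actually being added, MemberName CN=Administrator,CN=Users,DC=TEST,DC=SAAS (MemberSid ending in -500, the built-in Administrator RID), is absent from related.user, which carries only the subject at_adm. For group-membership events the member is the value an analyst pivots on, so parse the CN out of the DN and append it to related.user; otherwise a query for "which groups was this user added to" misses every 4746 and the member is only reachable via the raw winlog.event_data.MemberName DN.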
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4747.evtx b/x-pack/winlogbeat/module/security/test/testdata/4747.evtx new file mode 100644 index 0000000000000000000000000000000000000000..600be4fae34a845ef8609613ecc38bd8768ef691 GIT binary patch literal 69632 zcmeHQ349bq`mISOAsh)oz(oZOhj<2ZkW1yrHGq(iB~fHWG30;f9;izKSVjs__zL1*M};dD>uDV27jMUQtK0mGPohttb3o^S&HVm%ZG3b2vEO;zjZT57?Uj0X!?_=uu>=3l zbUqqaILE+66Y)kdjrBb3_hb?#B>=qRNIq8sApE^qzBG4~-&E#T5w z-G{L9M)nNG_93g2T^mtSU&t-jk-6Ln^`fFb-+udvGLw9YPTzcU{xDv+7?4<6( zDld@B>JAYqSItmms!G*j`&xV>FSd5B=@_AAsY*2kJ6ZG*o)k3+(Q4IHb%yGX&ootn zkTS$6#(F>eRv@HCRb#7Kl_O?9Y*!<^znY1CRrpO(3HS`aT7pW)|1vxIX$`i*Jau)S zp{%6bs*563p}G`jt~F8wz%%RW#=cxJfDL$ujejDy8(9GNv-TiZ73Tq{}ya;ggZ!eZJhuNP%} zJT?U4rEf*3k%-8$nqov!j1;E2W23u;)7&{;Rb-UKWFtx#6ZEJ!Y>)z6o;p5KjY0vk zSeQjj&cicBs6N;b=3M;OC^Z7RFGaakBOgnV?~EFux_XiA1=v_mHP0KVh+rmcz!_rw}-q8M|z3J}dk%whnk%CMV-7OOm7PhDL; zB2d*>aA#IU85vaxD9|{QD`63yu7Gv68jtjHQCLNw>tvOP|NZQcehAORr%*BXvv5+8 zQMA@r*$H^IpYv@Pt_6=0*RvZ%-=a7ogQW zz~V*I)6HFZu(P3L#j7z0t3p{<1N_re{1Mj_kE@@K{k%fPoTyH`>*}IeMRyE;Wc8pk z!%u!Gx^XU;0-b)^$PMBmxE_5^pRAjAoU%4{-Zvv^U=(AaoXW9E&&nldK0zb`onrvH z7~#~uf%v7TC6=zQ_M+fOJnrp*ZzMG@0;I}AW>=~SMwW~Ag+(KyS$wBh=QytZh_(%m zD8v<(s<3E}>dg4bR{Rs|#dA5t<12FJ+1y4 zJ2g7i{VLm-$Ghfk!?Z^tmnPy{1^TdDKn<2lqLp&*`jn#$VKL=x3a**uGZMK=2O1XL z7Abl`Aq9Q&z=?Fm*8@_?dS}(a+9vr>hERokH4w-zMJch2%rn&(prbIKZpDy%orVx< z$v|5 zu)h#~wE*X(=F@ssnoQqQh;61h9U=X&r}2KNb_|4;&r!+9;{@bf7Jide8Z7dmqLc*< zjz_gAS*4OWK&#L2~4GX7`ah%9WUz`7*tPsA~E4bKo3>z#KFY?+KN^^6q^MJo!B z5v)%pKqkJv+z3@~RCM0F&aO|s*e^Vh^+`8XW?qRZ$6~#)DnrzbQ=SFjP?d}DyUEj& zjS{uvXq2zH43QKmcW>jn%_sz=X2Gf<5Gk=tK^nP4(3qxZ_87z(j@)VNuf1P)>#}@V zZ{PaMx17Cv&f3R+$+`L)H7U9>mabXWL}&+3-3eV@&4M)J53KR1ZupWz%qBXh7+j85 zburfGpv+i?nJDWN{3gQcRFrQHN|hy^i?U6|S{C*spj=t@S%^V=_z))t;Y2_ZN*oRY zXLEY*5!joAa5GCABf&&w4XlqtZjCX#M5W>HYK&@;St&UK2+sj-sUk%7a0A=Kbd|{! 
z*hB`jJXZ!7XlMQ;!jc5ok$`I$V6bKY@+k%T;}MczXh%FOE-@@8y0(<~# zvZkk@e_^ex+z3lYjf?(={)M$#`j%wlhz!Kf`3e8R?q#&eoP7BMt?9auv zKfa&`O4|AIdoX1AB9>{sXui1ch3$3ngZ+eA_;0paGQkC|m7+h4trl`B156=bGQbZX zwll#n_6zX1Ouu~L{WAC%r+@h_WcebNX})N_xbh_lxX;CheO+dKjQ3p3`dA9sWQLI= zyfc%DT;%{sXui1eh4raipg$X4hIgsV-ej(^ z=ZpPc=AA3vlVopm61c)p#^#-uY=cAo>SM>6_syJqITW&d5z91RG+$i#k_G?5+Ey{R zKwpxCk9k*@eBs>{@+BGmg==Q}B^}}H6<{rnH8cP1eV6-{{|Z^Yh-I2DnlCPVNe9}^ z8X1|u9x#rJNC0=}U)YOmwqH1un02&NFeeEy*t^XAZ1*R^X$yA$^ge+ggGR+sw7gxTd7<}P9de&FT z61HC0Q#Js#s5E@Z7qUot&saOl0fWdD_6@KH+Mj=M84ptzvV0NCG+#7dT=|j>POvpX zk3s)J{+P8e^ZA!_gt2AA_6kSKugqr@P93%SK$IL!7j+WtQX7-VBBtJ);aWpd-=Z`Ng z<6%4@%NMas^F{N;#lMumN0j2(7q(RBFZlcmMjoXv)26j7q(RzKELk`S-yy6nlG9!E_^8iE6lkoO2C8?aD(0=&G0Jq z^|4~aVXtw+`WT-UON7VysrxT3<6$B~mM>zN=8NWw3tw`<7mjt|sC@GdKD`Xv|MV|> zip(6J%=SL}lXI}01BNhm8h&|KhW!Qp{EIn9+!*J0n8=Xji&&=lqWR*=7d|b{sXui1eg-^6_ z>?He!$q0^~BC9k`A>JeVe-=7AAg(7*C&=~zG%L<@Wu2MeCCVK7Lz5s7ioGLwrmnm>*D>F zB(Q=l|4jTQV~wohxPE#WdLw`S#brE9+mPjpSf=@+`QpMC-bE=l{0m3E@cv6VIKuui z`j=Ap7mgp}e{&>Rxe-_lv=7SZ>Y`%2CDSpWut}QbkY{GX5 z`!|*tSF5-_F7M@@laHBjr@G*WzubnIZ8`HdW^uj-tGf}6FBCW>zProxvg0v1D<@v% zl&zeOo>TcBIRUK#lrYOSC*6?bR?uq2=bw9%SNto|AKp;{Z%;Y|M%t79Fml7(lx+F$kZ_jNV7u zRe(IHMLzKyn0_8JV{>ZiF2<9`U6ggl1?d?xTLN$94Do!{teB_7GSiq9dnyWM25c*{ z=6Pn4gzkw5tABNc<)IKdu0c4@Hx6gwTrSfuuNk{&Rz`KkB}`>l1Pw9Q^FcD>mbm2&E8KvCPIn>zGfUbtdr(oIjs) z=Zjb7{QBl>|MK!DlLSBRk(n94%p=o-&uHL}QFAcojpOf9tNh2lvuE{hTeSQoMZUa( zi}-`xs4Xl*rA#dQe_j5}jG&c2>jTTI@=yNFnS<^MTKT)x2P8!pVJuSq;s?YsyZl>E z`$_m8%C+(umFKJ%K5gM3x9dgee`rx0NQ#YhKyVusq0?{$&3H- zngO#VFwgK~DLUKi#ym5`1Lpx4hTmr`T%6bC+=AfY;&T^VNQzIiotovjrZD@D7i=Hd zW#QrZ2V(GUJao;7Wi~EaUp=vJqk7^zY;$z(RP>-!qc?`{0Oeaxe=bItMS)?2Zv|xk z5dY^Hy>P|GTiI$*ljQrA8e1mySwXK8O9p<3BjRbfg`=p**OopQG(Y2}FOuTRl}8`k ze{zpeHy`_H=dtmh*N{lVfFrTY#!>65Z?qnLG2R30)Rz?&E_y$`W?ArX;ifN=Vy_=A zx_MXPfV@RpqBhR*^<8@&FfpW~Qev5n3#~8KJTZz{6k__a(!x>Q%!yqeYEgZW6d@_hLPs1zj#>xmHNvn3rA&tYCmUDi|UJ{=v(}& zus7FE&R@FD`}KQ^w%*M8%OUiaie)yAw7vv}ou=rEaUb8QFV9=Jn3?}W5OLwAFOuTo 
zk;(6TJLvsUj}+y8aQVs)Uilc6|03L87Rzj0XnhfVVHO33k>=Ew^-g_RZQ*FzzaQWB zaEt1Tq&Vrx%TD`d^8CEDTdKXKn;%&s`XZLuIMVtO77 z;lfQ{B*pK0S47^v?3Q6Sp8m-#PmHcxw;3I_rMOQcmf5(_`Xc(mED8)G&8aW7PJLNp z;i%7$eBYxjsxOiv>U2l6kG7#9DVEtd()tn@cABCu9Xz;C?bMgG7A{^KkUundxNy@K zN%8Q4&rgqC)O+YXyKnmF+Lddw??>CH8~R_wG8-3KUqoM+MS)?YIrU|RQ(x9uIEs!w z@Wf*+sxOk_TV=)J-+b3CXTc>CqqZz6-^cn3^+hbRaisMnFzhr%UyM6fPJLN#;UZOi z^*r6|dB<_@V&vxQsK1D1HZHWjh`un30>emi>PwMR zUp81c+IsJuotCtyzDSA-KCM}tnzSzaw(BO{eSNn{8Pu1HfFrTY#*x;Sz_8O4eVK-P zko}zcveClD=EJuf6+B$H>5HUz=C1OA-lD9LSFI{a_$qhS>H_$j9Q414Wi~FfzKFgs zivq()bLz{bPJMaN!qEvAr_X%6MfF8ew1&Od;~}Xpr=uY$mf1Mc`Vts+nxZe&7P;ifN=;z`$(otqc-w-IX|eE+2P$7IIuMnifYa3Pl2xX}6{`ob&< z3?t2{FAc`Oylmm<@ceJy4<3%(#=l64!)C`F=SZ3p>_329}kLSmOMl63Br|_DEgUI`ix#Wo!t;b4=b@#^|`1FJuhThrt^v#$h-Ix92d!tEB~a0!fuDKZ!o_dS>r)dvT)6oeNpWb{O?x*iT0ZQt6|XC@;J0xH{+KvB=hm&a zmwY>_USGsA8%M3r&$J?a!L3}6vmX0r3l|-SrtAnFF5L7*QcRm4*C!`YoqcQE-5141 zmi_q)4DuO=I*3?i<3j6;=nJ#xf3GhM?j!!i!qLNnPipgIi`HKx#rT@I14}!cHT0(I z+jrmfu&FP699Jx}aisMnFzhs?oxFTmZ{K>SzPxGSB4Og$QNhE7o4!bjjd3CRB9_^> z(E1Wu`qE$=)Ful@hab6b#8WM*FOnh}Ye$ZQf}ax0Y#eEQ37)>xa5gQczPx4O!ng3& zk-@`-o4!bj-#u47d12M2k&7nwo^|lo8x}6c7^qq_0K_sI7g}FLUzkOKVI*k%aDTOM z^q zZQ-K!`IPH|hYL49BPs4Xx@y6g3kovtys_?g@$-B2qKF=bK8R&DF0`KsEkDzso&1i4 zqk(hwez~+o>#>sJW%D+#8vWF3Id?tq+SZ4jz35Z=nU^teP%N`?)cX8P>(Liu9#W^i z{LR9}+%cbg6+B$H>5HUTv?FEaN4w4$dUdC=AFleMWOo6cQN?4~N-VQ+q4h=dg<15! 
zug8`-`}yCsa1`%}tc+ak(s}J_Q>FIwC-!&4Q*qnD=EVFT; z^+oiBSriyXnzNle#i=jvTR7^w;_ zhLPsfmj>f)Kd^ALc;}|$m$#_CNQ$$2U(^1=tPPoe7=Lj0#An9WO8rGFvvH*LB{1wX zNnh|5ga+fFKD2Q0-kc351P>Q(`XVW={PM{&9^Ka``;qlI?S9pD!{Rj{&&TNJ7t3s1 zXnhfVVHO33k>=EwFlYT`tA(Tfi>F?_qDA#ZQv9fPf19^n*f{F3HaA`U%A8ZGL|?=* z8%J7S0>e&I^acItWtThKM;}?Zc>9Us1;N9Go4!bjyXJO#ect24^B&6?8gXy!-+OQj z)X8}HidbgjLhFm@3$rLNj5MddWIFZbW2wJX9kq95i|Wf_D@Ejqu{3TUiDfp9w7vv} zou=qZEoOoCI`!r67A_uG8TEPaaN(velHw)D^i21CUo~XS#HVMR`^?;HZbX}z^Kpx1 zHZHWjh`un30>emi>Pv%hP@h;hy7z|VqgJ)3zDSBs?H_g0!aXs$&!4+x>C=B1J4xy< zVwsI2tuKLLrz!fdU7VE~>v;QV={`xao_en7{M)-FwXMpL`CJ#;y8bX~CDP zL|?=*8%J7Sf~PMvn6IV4sW00tT-@p#u`+nLaMKq_@u5K%F6_PHI^T1(8z1>-=~6Wd z`oeLRVwsH#tuLZ4%%Z?B(wy~|2KT3TSUB3&^Wid!__i}|{_CbMhdt2y@)6_iso4!bjrRy)eB56|R%)7Tw-#G74 z?-xa=yS#}39%7k|3#~77fEqz{=9p39$J)j z@6>->5Yshmg3&%gKb}}-<4EgEVAyGjz8Ez~r@rj6aB;`U3A=)a3pag{6blQV9g>my z!|jnRRt1U^VJkJ8LB@%mB#xxD^ximPDA)KypyvM2OIAU!B#c) z)FP||Yn6yU6Z@+0o1_x(Nwq^tv41Aw_qX0jALgm6>xN|4!)z|+9~GvC<2|H!Up$J- z+FiMyiB?%j; zR+PbqIyN}3`D)P;<6@`T28F9A8q^mDR$B+o^|Zx-yymI+Pa~MIOvP)a!pQd{GRtM+ z*0wHX!pIS3Du4;o z@TpJ}a7Y;rDMs1y!g){|q=EUmu%3@sy>`PF8NnI6R4jgD03omHVyw@>k;y7oWvVol zg5N|Hk0MOR<763F8-S1m?2lJj*pmPh#baLYT~O3IMAB2@$&0eA*Jd?hTelCKRO zj$;YSV*D~j9Bhh1_8C*Es&QB&M5kg+3TwJ?Tn%EKVZ=3E*qoPagvR3`Rw&4--JLAq(i z*N6Y9$lbX(8%izKJFjsLAsBDTrOtBPY69|bPmAd7CeP2;Td}N_>a8Y=scgX`OD?1! z9gt4~IZ{A}3_zb!L$ahJgff!}dZc5UB9w!zWP?7**qen9>E)L!c$YL}gFF$w>*a`-h*&B3 zEkhiCd@&vFI455|4_Us5WtuOVFR0)h$(J<4cVwWFm1|VNQt*EOK4eY?d`A-2s5D84 z7jJl>M8wEMY#;X0Cy`zL__F2f<#X0Pp6BGt7a_|Ru}t$t^Tm}fneZ2^fw7U71xBRd z!-gICLYC0Kus&us3fbsO#x|QesrWVH`mc|9UhEg1*f-3{moGz>FJhVIi{^_9U&s{J zQp?c%FNUu$`BH}ZRy@KJ5la7(j^7evFZ;qu@Eu^(-jWfc7-vZJ>tC!6Jn{wptr%S% z#(OmPXQ6S5J^*ytc-Z~d!Qz!t>>6iZ4!>b4()ywYN_EAz6MA@*(d)yWpD5MNh}S`N zMkwaY$5t#R%qYSyt{3m4LErK?bcI}Mbg!^0CK=Z>4xKetJrQf{2b_xQs=!(?`T$E| z;}qj`IA0XIC(ZLU>?@2%=MKB=q(_k3dFaTYzLX%{3N-^?jzKrZi6W1k9hnXD!OEBa E1F5)aY5)KL literal 0 HcmV?d00001 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json new file mode 100644 index 00000000000..734c1f25acc --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json @@ -0,0 +1,65 @@ +[ + { + "@timestamp": "2019-12-18T16:35:16.6816525Z", + "event": { + "action": "removed-member-from-distribution-group", + "code": 4747, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "group": { + "domain": "TEST", + "name": "testdistlocal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal1" + }, + "event_id": 4747, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3700064, + "task": "Distribution Group Management" + } + } +] \ No newline at end of file 
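Review bot: in the 4747 golden output `related.user` holds only the subject (`"related": { "user": "at_adm" }`), while the account whose membership was removed appears only as `"MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS"` and a `MemberSid` ending in -500 under winlog.event_data. The commit message says every user name appearing in an event is added to related.user; for member add/remove events that should include the member, otherwise a search on related.user for the affected account misses the membership change entirely. Consider extracting the CN from MemberName into related.user, or state explicitly that members are excluded on purpose.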
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4748.evtx b/x-pack/winlogbeat/module/security/test/testdata/4748.evtx new file mode 100644 index 0000000000000000000000000000000000000000..7ff600bea926268919831be6690f89977bd58d6e GIT binary patch literal 69632 zcmeI$OKeni6vy#%=hf-7owkx1RGw8(FceTg5FaU}Rl-BGRU|QzLR% ze|`Sv{tIm{^mX(Xdad$EL=O(=JFui#Lr@uV!}kr7i{IREBQ$^j0tg_000IagfB*sr zAbigrBazdB~ef3&G+@U%=PI_A#Rn#wj__bcCCKDOecvq60j zSZ(ma?B=6!tA2g@!UyM@cOF0T!;YS3k836#)!JxBbm+Mtc-{uP~> z?NQ+;^=aE<16EMsunN+_V%w&$5!-3^+kE{D+ZH|PRZO?8TlC$pC%bG&cSF{v$QIoX z>G^znUS)&&zQ-2mXOXTJ*iwD=UhRH(++89l7SCy|;&mJ9%2=oERm&q`k4o^?VsWF! z6|d;U{aITd_P$$v^(bnWN|)&Dh?8;kTPa(o!49aeCdRa9^F z$=0N;RoK2L;!=0j7_3#cQe}7Q%y`OqGjqPr+2d-WTV(y3et$Rwr^}}-lgKA6lL~6A zSr6h&pIlvKPeozvi*b)Z+5PHR`lKG;LF8uLj^t)T5Y?$KN8)sR#Dw#;ssnNjw>AOa?h+OL;Hp zNY;(fenJiUkbNX2`9wZvIUmbGRf;!+s05*)0kj)=xBwtYtI4wffQ?T$Yvaw#YUH$X8o788n3HK3{T~*eub6hm9-|zTBAyp^t$phYq>Bke5j8O-8ERf&cMzlX6i|D$suo0 z$BYB%=1Yftr@WxoYLVu@`HiKeqO}_5_$_OmZP2qpt@V(Sf7s^zWlr-n`%#tq3_WtI z%{uaO*PgC7SDiTZ(DLM6pVd_=ls4$Zy3dE>?cJ}}UU~PA>4mAU9Xfe(xIr(7M`@i> zy7b?yeyn`alPKPxSB44Qt>?b?wd>n|(|RtwI+W7F`HSbJvvg*B&r1h+ty{OSw~Bn^ zDt){MCh7$4%XnYZ)|_(9hH*7lO2fB#pKrOg#_P4cmXGANa_#DIwL4X>#}ai3o8vOG|-Mh=9Y^S=_VrmKCI9u7sH;+sp5%J}mCjk6 zQ*2Ur)<*aKN+fjcuddheZ1nGfdf%dTD(J0^-(l_Tex#f9F>S%dzI|W*bj#?8caj@w zwE7d2{j7gFdOB^=XOC7sZp-$ZQ+k@-is00IagfB*srAb_Ofvi9HKj&Q&ZzfJawU3U|HMO{1V$tEgm!lED+NDuX`#UAIyGN7ii zV3|i?ZDzLv^}H%ACJ@6JUbhtuo$Bh@j!z%CczhM z0yu5H-C0m_6$(y(KkkJO^YKP$MYMA}`9KYi=5Ui1% zL)Zg$b{7L>ewPoc%Y0Y}EQO$lPx$g-eo8rICj5(oZ^0}GUN)BO`2fuE z?2wNegh`q?DSiGaRLV=xtYV;AGhXiKSd;*MR+g+VmJIWRI76uUsbc_X z>~yH|TxZpj26_ZQg(JpDzO5GOn!%OUjDgxfnaAI&t_}X;+PD^aa<96!Z>6=9V7)Zv z5#Yh9Z(9pwW3Ob1=e24>jbkzPPQf|FNW_;-Knp`)f8zEFSSy49XTU?_UKW#58v z4Be;Te;WKY+7_GqH8ceVEl|&57%YKW!|{;PqoJhWRvdbdKKa|q?c-kE4%GmyUJ-_Y z&`A2j_69-S<-j~xaut^0xau^R`X@9QoaWse>a%_+jjP@d_iTgXDm`^V|45xseX6Px zh?}y-TyO!GFMxMn+XGOJv1!=HJEmZ=Soa%Ap0@K;Z2rap_m-|lph^N6+Et8u42KtcUAjgpOya 
z8^;`aZu5QJiymxOyKmFFGyWGow7M;Cudlt1wt(uw2|xG#E~mrQPsg=v78vpKT9}6l z3rbJ`A3ukhtqP{U@?wXe81624S1N|mg6fDZ5n~Vrrb_qL0N%ANgQ;x;JZKHQGX8hGw^!bA zOAMICU_4`7V|<_Haozp=z8PC7&TVzp>w;ei6@=WkHD z;^@$!42mvbe2^}b^Ef%+Q!p}SnOXZgdgDT}__w)|{LJO4-Sc0m+pXY5RTs!J5hsRm zQVm@|efSsW9lL!-hPAxOV)+G0-mv~p32Vdm4ZJc@YZ6GOUtd)f3i5+Q&X4QYhJl=ZaLb9mG z+aFGgkY|FoA#ZIzaOdMf$58=(?oT@|{11QPXCAnFE~F9*}1uJ`Cf-wf^VQco5&e z;k>UeJ(prFZ?ZTzOp<4IFO1(=&|qfg)+%rEOz^HD?^NQA?fhHLd+l2{OysRM{wIri zyzTy~XM(pOZ>|2{`S>3%`i03O5bqPv>i>5 z+WZdtg>*cCJQML@7$2_nKU=E@mpJb|ZTD<2kGGy4kVQS-X>cJ6c_w%p@^+6N;Kizp zuK(5Q!DSvF_2)l*rmLlTKo&pVEXj{wFNxn*u-^Of990jV6VokH-)3ULw4~KU=H+Kk)dNm-^+m zQ!Ukhr^QDkd0fbbK8qhN9gO$pk^YlsB0db`qZ;~;*M(f?ymt&N{LVbyLv_v*ErY_vzygRh*^qqOU^{yu*i+a4H;64-bOz<}3t)~k$zt2R; zr=it_A9J$A8_7p5(Q^%f9AZ06(82{#@vL*20Fl0%~R+BYN8}* z31L41J^#424QhBpu-!FL_ss<+fd}QiB0v3AaG-&Z|>i6L=kLR*$3?GZ37$#A= zZ7w^AQ)R+Td?Qge=>GIyfC)}#ifXl6xzp_aLYudUEcQJi$@N%zzxSpeOJ26m(O;xN zl#pl6C=vO%?kxXWrRxxX<-8|$`*WnVyvbrfxg>Ym|Btv0112W_8{!tn2gsW|6TE9U zK5+8J^9jFk-X9MvH<7pQc_waAkM~*_50Ynsw;^xse#4z#hv>*zhiQ00|F!3te&_MA z|JpMrH(ILyWO4r$N$$2Lr`PLU@*dn(Pt^nROvHy_e7N3UaOwdbH>%*g8~h-BW-V{B z*lUU;*Rk*JIWIEl#y3}0-sG9!?JnNf&XqK%@YZ>B2NQYg=|5T2P`Z2v0t9n45iTE&#k80|_ z59i%1??d}0OZWH4VpDkjO7f_63A1mOc5NS|@+Qv&Z+G(c<-CU+THs|ZZ?YIRUXr)? 
zcj=iwzxI6>)~dY8Gr_xtyq(vBV1Mt&d6#;r8?`!d$w&5?DsS>k@U9{6O8Otbc@La&!bIMB`cD@1csGUpJ@QQOHso!x{=)^6 z%CycudWN-nKo*BhljLmA9r1f7g+~9T8UK@KB0db`qni33#CboQSAU+hyvbtPDM@Z= zKNnl_^>F)=sjB{yXM%SPc~{c^V9q*+sP)Z>j$%OcMNZ$sWD>wgH3kM}-m zGYp^BjTaI7+uZ&9UA^Z~k;Ql5xs^lS_m3*RtIk)8epmH?JQML@7$4Qpe>@&=7w7Hw z^5G}UbbrFD{CdR_59zO&FIuTrWbvimlKjz-!Lb`|`WzmW&DbfpZ)Z1LuTGwc_%)1Q z*LvmTje50$^KMf%%tYRLdPNrXc;5_BJrleQd81zO=i}D+8SD7eqy(0NaY1_U8jp|0 zU9+}rGhGj~_qUS8H6bJ9z@WYHyY4QZegUql_lJ8Kw!(`%6Y*gfAFlPl`P}WZ&=0)M zdGFY>Ny8iOY3&Mik2en5;6h@2L55}is{UP!K{|IalEtdL=YU6D;66?A%*k8a#i)CK z8r-?)$Gchb;ryduv8Z$sYh8P8!F z1KsE2uIBOaVe^xn7g?(RWN`;ve_XcWVASqz3;OmVe}nT5 zPmJhhEpM{;i!90SPl!mE_k^@<{39xF@=Wk{7jM-6HJrC^m#!xA*3*BosK>iGJokb; z6TA(1yGQ>!-cJA5^7u$Qu)Z*Ip_Su*viNJMBsV@D5?kE%^^=kNRXrfjM0^;=himSRCz`0d$uq&*UA$5M-{ic@j@&Ylx1Ro! zMLphU;rI=CCU_h2c8~r?DEgnF9RI0wJohagANyKI_Udn`{*%QwawVA^Yt?6N)21=k zSEzbGo{9J{j1SlP?>wH1c`Da)-lvnpdz;5wFOMl%)Z_g$oR22Y1aCv$T0NjV_chOF z&00fTX!DqE;Bm5`%aHI%mg)joY_eFAONY+wwdZL1w9w9~E|6y;P7LG3wJtC^&yUMUqF< zni!LR?+ZtKZmGIJo{2ayj1$+oaDsFJ-#2mIpA5g?X)SNEcq>hk>!*L+eNnfcLpEv7 z50YnscMW+zOuTV_@g2@PXw;*2^LXp+FOo$)-cfLZlROi=4S8$(fjiGv*+$u4CyR4dOLEDT<_Y-+)^$01L)CxsOvHy_e7M$s=eQ7cVGHM- z_h^sv*77Ecp_!8GBR7gFe#!5Hr(achlV^f=4SAPq^?xhzF3dEMx1Rpzaf^DqcS9tS zXM(pOZ};fG<9Y!d{olspqv7_B-VZOaQvb=~_GC$pcxO`27s^Yv-us2B2jrQE55xGV zhW=x}zn$|wm+_W~y!G^eEb8$-1^2CzXM(pOZ};c{9}hb2E7Oh#ckuW~x5Z>^v{Vns zV!J3wZkUrCyC!8{S?NJl56CkSABOQ!4L!hdLJ{Zv`lE^CtmRD>6Q{%RfM!EtUiaQ| zOtZVgu508%@yKImD(Ng^Fo z`(`LxYW8tL?S0~8@yyu~a@){$iTUH=j^xABSDQkgF&SRunTQj^IH`s%;QhpVIq%=X zDm1*UxKErcR^^SFupjnU$TKHzai6&EeZ-aS6Ca6LX|(r=@8f)b{wZUX&Gh!HeNHV| zEUpK~`GVFaE>6mA+Nq_ZJud*hu(`uXQJ-`BlJ+s~KsIN8!`a9*CJxx~P^ zq8{&6uun&x3EqahwR+&b<3D(0I7K@y{E)}V@+U90ebG`~Ad8>vmE;#&jg8-(y7Gs^ zv8pbRXCh7vXX2{+`(OI) zKdLT}XCh7vFKa7#6hMJl=Y`Ko<3Q7X>p$o(bNDyv@>uQ7l)h3m@}1 zseOLt5%c0iPZ!8y`#ebwn!cuYVfn$i4I8PtK%R*>F^m(}x{#~Yg(IBzgB6`WF^{*N zE|5h%-py+S{kY^%J z4CADlx^R^9er-t6OXl&`(*?4q$2$$qLy%{Jw;^w{bOD}cpdBw9<8gATXGyJ>EY$_F 
zcu%?{->kQ~&tHO{EPU!cRTs!J5hsRm;#wCfM=alDyaBt3G?A z_A`!NRe6(Vf_DvhPoVK3z8~kjw;V6@x0W|qTzo;2ZzPL)yzO;V&jfEn-g^Ch&GS_%&n46L`zLvvEFU&*R)MAcK3N=L zm*k6s-b`FPHneogAypU1GZ80-apJn)cjmFhe&AEi`()gJMb`2ri{o2L^8Ldv#Vp=> z&(Y6&sJzKD!P{ND@p_|EocB*zxhC?~yAF*k>hazR=aI-W!P}6xwjZeJb!a15Dx8DP zz_`HYQ{uHJEM0kmuJgIK<~&y$&u`-cowfHTMD{PYuZJFIA>=Xd(y>F-%HIzh@rqFO S;4>b%B0db`1N9$j_WuCLoq5#& literal 0 HcmV?d00001 diff --git a/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json new file mode 100644 index 00000000000..e00d62d4e0f --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json 
@@ -0,0 +1,65 @@ +[ + { + "@timestamp": "2019-12-19T08:03:42.7234679Z", + "event": { + "action": "added-distribution-group-account", + "code": 4749, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "group": { + "domain": "TEST", + "name": "testglobal" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testglobal", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal" + }, + "event_id": 4749, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3707497, + "task": "Distribution Group Management" + } + } +] \ No newline at end of file 
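Review bot: the 4749 golden output has no group type or scope anywhere: `group` carries only `domain` and `name`, and there is no `group` object under `winlog`, although the commit message states that Security-Disabled/Security-Enabled and Local/Global/Universal are emitted as winlog.group.type and winlog.group.scope for distribution group events. Either the mapping is not applied to 4749 or the golden file was generated before those fields were added; please regenerate the golden files or fix the JS so the test actually covers the new fields.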
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4750.evtx b/x-pack/winlogbeat/module/security/test/testdata/4750.evtx new file mode 100644 index 0000000000000000000000000000000000000000..f0100046be4789f214519c4b32710437dbce5348 GIT binary patch literal 69632 zcmeI5cU%u%? z&t;XBN=3|7G4?eV;Zf=LliAxI)*QYn@%GTrUaR0t=vJ=fNFsctCrGCZb0gwG{z>|i zVI&%UPlLDd5Vmr^l@S?D!bupcjDi(Ls%B&mY!*$1lh&jmyrM`5Ea?y1^o8$EFdqy{ zB1r`NiXa1EODFgp0m~bbQLt_p%o~$N@M;R*8j+Up+5f%ysC>T+RJpkiz*p$Eh#+GU zNXEdCqqPvIPp}mVTSda!=J57J7=0G1NoNon4l4<HzIT+15yQkRAHQYj8l^!tuKaZH!+|FRYZax^e;fCE!B*PKRA%Og(eX- zr=mwPBDLTL{&R->U_yLg^%(G51f*jqq&wZzh}fzj*#qFmTz14Z31z|PU~QVZ!>0W~ z0CiC)Y@`x;CFKn)&4?M* zG6iJD4>1(1embyKHV6O~$( zo7)*SpizxFuFWtLZ9;_u3RIl(UokLJ*#g$?q&L{}0A~fk-*qT)hEJ#WOPpZ2E4%^; zO?@{wD2C+~PA0IFI%*_nRT7nu>ac||M(6>)#-t0JCAG)S)STEDsx8Zr8fsD=HU${9 zZ(tX)Fy*{Vh%GT8|4wl=y#X+Mh=HEzFHm9EwM%nh@xA8pN7L%nzPbLGl@ck z0a~L4x-TrJvCjkMG^eF3&4^HgekzL3}hA<3iPCq2eM0}DuS z>c$rASatLEw9dDu22z8Dd3wHidxKuOH{FXWshqdBX}-M!VZTsfU|~RP==M$6_W5)M zLYnp?L$v(lDaAbvl|7rWJ+*;FIYTS(PhorJsRW>?)mCiZ`gtnLeXwugXKAGD{}HNv zA(aNgdl`Bj&dZcQeMH+mm7rdAi8cfH4EmPP-4Sy!s0scC$KV&I3+P69TP5*ud@SU!w za~dwF&VdjYBfw`gzjJ;cA0Q{8laVcaRBQD0fU&23{e0w_m4?Ak82xYS9)o!bZ*TYv zg|oxxLq20 zeFUDRX<8CK3fVC9siQ=KZm)t$;L=!qEl7q4Q0YWLK{&e*q|NF zreRVC8bi60)(2=Ak`_yq8UU?wK|>0BIzt)9N&BhHn`wVHraOZjCxQ?%QHVhi>pVE+&-n%GM6bSReswDl|@=kp#>yVCip7A*N5fVlE{w$9NqkA9OGhj z)2xb}xN?COCp^#oZo}!Je#xzR2F!=T3FV>+G$5cd!37sCAXMpc5yQAhY^!eO&6NwZ zc-f)#3&+IjZabT{x88bP;UWbZK~S0Cf(sYGfi4&085g(j&YbDXl?$|J)}wV!(59uX zi&K(@7(peM#*1yh1u7F<=!1)I7#FYGX<7zx^pNB=v1zWUhwcnW{gQD3Y@jm1 z1s5)$ys8^7zGYlos9|2At{=~GCt4gMKYh~F+17uqbDdewYARf$L-_)g2`;#B0j%L^&wavX?ya(k%hQ41^Cb%fT1-6fY|Ncjd740Y{v_Fsf znYLF+&~7zZyO5CVxgD>ZFNVKAu3xP;`1`|tHMH3InE&aKBfoOl+vnkrv#_248>2Ge z?*jh*u)WF-8k;_~{}p?WY5y{g+)&yy`%*3_AC!|=#>cCElQupm1|P+b2WXK*N%FbF zVSejZ)qVZvRwW*!Ksf@H2|fz&@hR~D`kpZ!(0pJD^Y^2Qe{7xInP)u$Ert)25-i)f$Bl?$|()mxI|Z1=gR 
zy{WllH{&AIEKix>f(sWggjtu1X^e{@4?@pw<;n$GR1rxYw)%M8UYumOmM-43%FKFmy6kqiy@WoTO8)f1zL=;9zMo=gtKPd@6UTJ0v>3* zh=Y1ADid6A;R3FT)#YLi`FHMvDG_;i*&f49hC_#xNrgY}QJLVP zNG?jgKNhHnDWlsT`yJzCwavhI^*>5${8wR|pvBJ@|7mOLb=CD?*>C*R?0y=tP!2_9 zf)hP(0+-b1=VTG%kRPL8F0eJZBZ zI4P`u7A^jDCERX@y~bzDiItIw4;4<*VH^-D6Py&uNlEnEt4!^&enaQUjEgPH&z4W+ z$^}}CzbwfEV$`k+9tPIVaZ>P^}>*q-RLV9Co+|CS0DS#WBg$7jFBKjPHl=Ym)4|xw23Em0mUK z996h5hj@X?1Q+_?Vh!V>f6JkjWv*Pjw`d=h&^_s~|DLS3HTpsYmF6P>(0+l+1Q+_? zVlCrhwPE5HaiKip1zH^V+mLZ&S3;+>Lq`^v9a6YRfqr^aCb;0jh0c9I>3w|GF)r#q zohD5$1{cM@UlUsNNs{ECj)A`G$F>_}3>Up>>m$%YkIDoW1-ST>`!&IH=ydPbw4V99 zT4LKv%ZuUfkGp?cVeQ*!@q$rAldk<%Ycdipuer|3lQED-pfcg_0{$+I`!&IHxOB^t zsf>$h%WR|8apeLnS|=q|T-ar(>n8WGT^(VtIE@28LH>Zs1Q%SmfakR#7c_2cKrY^$ z-m$(ITogZln8qwV9xcgdHtcj+@4WqbP?W;O4QSs+WrB+WTzpFY0MBOC%^x;0e`k5$ zJhQnN{w{w0fEE*6HXVJq=4;>7m>|!&TNQuzfH;84gue^;yEO6#c#0#&0XpBrxR~d4 zz-b#-F3_UyEAu_orZ#t9x%1cd7jhIX?m>SBDid7r=7PqJ&5VnFuUnVjUJNdZpFf~Q zr*)FNEG@+~-ba&b_*CKIHH^bUWrB+WTzpFY0Qc$B%^$Wff7hO{w{w0fEK@4 z>ij0DTC(>7LzlB{fk0YLjE4LHl?i_r@ONqC4p;-r z{YR2)XtUNW`H!2cetE2L@eukoQJLVPNG^(Vy^!*>Y5Gj!!k)_dj_%BJa*35>79@;@Z;|t?+QJLUGFPy-A#&zS#4#tUXpS`~v=gJ9Mj2$e=Z7Mx* z+d6Q5ct#_5UNhX2uLoS$gvtabdfaPoKHWH;mF_Ve&2Pq=b|7Ohhy`AWmy9TO(iFni>ta3VoGL1lsyJ#Z31 z;5kXU@njF9%2cUVbh^3i^>Eidf+4kI2o+V zNgCs%$ILlW0#{DZV%IQ9wz&AU&%xwvk1tMFIO$WC5L6~O(E}%a>GSuH6WR}x&NwO8 zGyUDe5v3JR3LC$H7N=L077aG~2jx0i9T z>`4|mAIXyov}kWvvwQXLxB6|&Fx&mOg~Ej$w5_2s!G%7!$Y5O5KbPzs7sZncw7Bk= zB=4&o=QVk|+0)Fw6fPv_uR&#k3w?00k8xpcdh^bKF+90Iizm#3Cu9$OY#f+)PEG)Cb-ZC7l#=a?uV(1Q+_?;t1oS)xON*|KiF8T1@;)l5Op?Iv%W_Zkou-ok5VFpfbUQKDfwa zTm8l-$1;u57sO--g@Tl&k7gO5HC=f;DQqu`TA2&GA<xJ>#U0&Cyk= z1*Mg*6vhc!%%~{IRjpF|=LSaCYE_SrTENLO7>|L<1Sk6DgvOQAjFaze#(X=j)Ho?@ zJQrGQ;3>)DO=owU@NC)7)$1ypR58p`CO9dQlad(E1=p)!K11hc7#HK7?47-cD;H=n zvYsSY>z=KdyX~{H*W48@vf#RUR3^CK!UbIKrprYZ8YpH+WlFw90X zFSA?s-J29H;^F>|s7!Fdg$uZ@8o8k5jkAo4vMHyIY%4V`3M+4*#i$W5&Tq!U&dUaM zk8j;g;i49_lcO@hMUh;Te7Q7&=v*&Lc{#^8+4nOUqFGp4<Cjvo?u;R560i_?uqHz_qPz9uyYR85IZ01V_(CKt5W81C!R 
zuyS+Fu6u)O)w!o|;S2Q@R3^A6l8f?0MS8$XL);16H<);kK=^D-h7xD^bb7zU36{IU zD-c`&*SnG^_-smAz*eoaPH`k(!QFs{Q7-C1%M*Q!q`Q8fIF{Q>uVfB>v78^+Nh;pgkbL$`KVh@UFyhw&} z1}YO=6v;)&*He6I!Tl&HAGEwd=T{gf!=EHS*|4Ov@|D6kL5n-nCE54fH~#zXT?lA8 zRpDd~jQ2rhf|I`kCs!FKlLx=NaBeM6PSE0`7Lt7N-+y{enY^#FL$Jb$2I2`S6P)OQ zll~-}L|{Cj<&vKmCv_`EUEZ*}v^XiO{(=_0#!9k{I=$o67J)AxJtIVhYus+Ycpy|J zI4P2olBmA`7rN!tYmAGzX;ULMa^(Uo<|ae^rTWZ{3+)@6KMVD5%0&ZcBtd0@3ocwl zk`P@kU?8V<3aGOB7GEyVq72tduXG-(ne+4fkQe?67geA=9hC_#xNrgOV7gpfXIxCG zXyLtuYrH^{-Rm!u~dEFnr&BwixjBCpfbS)7cO+hl~O)#FfM+XK6NTzF3@7= zB}uNQzT>g)L3j217=;Tj-~yEiF1T>vmwz1CO~%ERx^6w)_V6rsqQ%WqB{?|L+$E#D z&E47W6fUx$+=fCB9Pk}f zFQKbPt$iC1W1_qXF(J0_E=R0M@t@0s7S+a*+F*)T-`<;FOj^X%-)M1I0^A4G`jq$Por|iyiB$Y;4*jX9O!&K`{7uV;Lz%z(-0yO~ zIQ}mFbGOi<+3Y_W`Yg}#-sPZ@+Rjq^9c-1SO!&Kizv*+g7DEvl{0BL;ij+kA6C4Wb zlQf@)j8!|;Tm0|gOSr}Xw3z-g^poDd?YY}<-itny6fRak96)7)ivnEyANhPZ^Y`<{ z)~3l^{f!p8o`Z2#sr_8i4URY13uM#h@0r7R2~;NhU6TGD#{AurktKRkG$pu<;g7LBspFH(R>azUgbLcdp@gf*%BB)Gop${&i7#H@IS DCIe-Z literal 0 HcmV?d00001 diff --git a/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json new file mode 100644 index 00000000000..5cc18e986c1 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json 
@@ -0,0 +1,65 @@ +[ + { + "@timestamp": "2019-12-19T08:10:57.4737631Z", + "event": { + "action": "changed-distribution-group-account", + "code": 4750, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "group": { + "domain": "TEST", + "name": "testglobal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testglobal1", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal1" + }, + "event_id": 4750, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3707550, + "task": "Distribution Group Management" + } + } +] \ No newline at end of file 
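Review bot: the 4750 golden output carries `"action": "changed-distribution-group-account"` and `"kind": "event"` but no event.category or event.type, so consumers can only key on the free-text action string. Since this change already targets ECS 1.3 for related.user, populating the ECS categorization fields for group management events would let a rule match any group change regardless of the specific action value; if that is out of scope here, a follow-up reference in the description would help.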
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4751.evtx b/x-pack/winlogbeat/module/security/test/testdata/4751.evtx new file mode 100644 index 0000000000000000000000000000000000000000..528c5c98f4b962a68caeb5f52c548141363dd917 GIT binary patch literal 69632 zcmeHQ33wDm+OA0^Ash)o4pBjaAfghOB;-<1lFSSs5V9tU{<31o0TGfQghLP)58U+@ z@AX<&))mxWbVUS|!&`Sn(N$4&71%`(kM#g$U4HYwZ+Cy4PH4wCGUMcVs*{=Nqq^(s zs`q`rs_N>hz_jXM&9o}ja*4BcEX1!z#VeKSX&K~aZ>RQb-1M_AqA#FRK&OCC0i6Om z1#}AN6woQ4Q$VMHP63?)It6qJ{AdaUrd1bBshf&AzPbF+??N6%qrjAoN~K?1d!89O z{BOqd;NhpFIIqwW`dr2jb+?8*y^^)(XGQ z+RuG=U|)3$drrajKC6-B@D_2@TG!&a%dGXW2phyT*R;3}!-QI1M0&J#=`W2otvvzZ zjz1oG+MaDZ&6my|kLu*Pu>aAw$yK@j;-`=7I(quOw``qSdCtAK6NW12qHe(|Z;;EH zP6;ZYW~(Yyry8*RTYM7FvkpGhIYG@;wQ3p;&cuNPPqvzZU=3=zI#CVA-%M43Jyi%( zj`czKt-+odsvcYQsv02&VY?pt2dgb%qtJ1}RmCV{s`RmDh_rJ`x)O z@yb^d)EES0UQIIsDF%vDy|B^C!f9Z>SCtugG1UkX#|S+t4I88Ymxqr`RO66=%oZjQ zqx0}e39279ggNKEmZV1G@CC@XdZc3|(w#vQRCh0uy#yPJtt*~%ZAU~}W29*jf>yx* zW>F==7|BBx5mQ6wcW9P_auSj!QFV#;bO2hKv?Lgx>`3j?a6y_(OU#syOX;9G(3V9w zNd)2EuR5wCBN*+NW>_N0IsxH=L5txXzU-h1aK#1~PP8=OPR;A4v{RiEDGJQ??B}~E zMr~e+_w)lNB@-@aITxxIzi3Iv>qKg)_F zm6S+nW!5grPeKY$vC>u&Af>%Ziua@%aH1GWH!1o|~&minCz+b6i>KEdoBFpy- zO2S@d)GXL)CaO|LAw;4mboH1-bvo{n@mY7;Np+3)rgTw#yy_4H1sIJFunQMv-dB?9 zu98$290lmH#!r&!V1zSv;wy-)RMips)E8p^b3R(@p z{dc`F&pb31b~cx+bTuCP>X6s<0RK#te!xAYW`np0t|#BtukhOK$E{6W_|@ncAP7StpQ^D+&&tJr2|*+R?Kc2j zj{VfWVfdw|C6=zN_afs+JRa?hPa-uh0i+s>#I9A7j3gKBi%UjAGy9ISu5m=u8SR^$ zQHndPRB_23)s^A1tnkM)g--!8%8{Lu5krHWxlJ*}nK9*BXEH|1w$x^4`jOsrBuvq! 
zv*Sb9>5NzG^oFpr6uCA@od-Kfe1V~ynP8roZP{r^mzjp0fdIENo2*PUt<1O1J)!9y zyRR)_s4B-vg3Tl4$8bmZ|tq&se}vw4wyb z!SbXJGV$+=jJ@jRny#DHJ^q%*l&fb3#b>ZQ>88p|F;V4IthZEUh`Mpfp#Tn5xeUJ> zJ$+ayQQLbUf6ZmM#7Mb&9iOd6Rwy+WRt<+piDe4X$R&Zsv_`YXBh)CQPD_97{ddo9 zD<0_^Tz}E#Q&-Gi`@qk+)?lL~MOVh$HS?M{?c`}Zs@n^NkY@aYH6GOyA99GvL7(ezC0h!2g zI1F6P>AgqeXeRcXN!k(#CNgKh`ZT20c*9H78vbsEQ7keGB_{&me&CiWLS&CJuuV+Y zK}ml}t_(5I&h*KEB|fB$5BD&{V9gMuQ#OvLV~-C<%du9D-z>17yqbg(dIi3-kanTC zVkF+yIPygJ@gz@K;MegC?{XOj9I>jWtuOVFRpx<1Rqfee(<{rjL0?qCSi^K zWsNTWKO<(9kYB9%QRm!UtIW- zV|a;7qXw7(R;1&T0cI2#e8~qB$RYl+E|ZS3SFXVmmg0QaPrmrDHcLLF?1@>v zh-I2DnlG+=DS#g-0vq!1O|Mb}Uige!%Mf^%T%#102UgGnrDJ~)(vc;xfYCCNiQ@rm zhvExbproEJzk6erFJhVIi{^_9Uszu!KiE!Kh;OsjQUES+trG2FthJC+`Ctn9k`I0a zv0VU$v0Z@Y6@=sqpO?YMIQ`2vG0PXRO!Gza#g#9azlTa&rQ zmM^w{nNP0xOp>k5ncxcdGBlsO6d4=}RUSLsd~W9C%f6W9i&&=lqWR*=mqPd#mbS{l z1^SXq{FzU6$rnCdAz!lKU$|!0U-Gb@tpY5?v1AsyzVGt9@;@=l7qLw9Mf1glFL^+_ zSt277*aF6W5k7E-{)Mf`X8na-iCIR=0dq1Dg00Iu&U$|aJWeS8!d^z`A?Nfj-^DCn z#4^nn%@-HGu=SYFU+6*1@))1PuwNMY;=?c3*b=~=0BldD&&dQ^*yAX}I4=|XLh;4w zf92%Me`A&}VwvU(@>cgBYuO)$JuHKUmtb9_5RAwMTiEht`WJGBe96atdK&s7K9kAD zzC3L4=?h!RLh*(DJ*&)qmeQWQKW6zNmTA6dzPR`omaEvqlxj^< z7PcL;zRzctjWtuOVFRpwk0w-7- zp~s+qA%DzLnEC!o9`>S(!Hcj&<;R~{9^;#q8Q5$3mumFrXB#uy(AZmsy_wlY#-9A_b;jPzWLzk| zxb%nd#4KOLGR+sw7Z?9h0UuF`cVAdjp}*k!FYJlTcPX3R7vmGnN_Z9XeKEd=$$HHs zgy1ty_R0*!7nlApaWTsmu}t$t^Tm}fd`qkxm^a@uX4#A7uu5=)ZD5tgTDiduK7XkK zm&hoNZ!p9-FBjkCA^GCcA0|F#`68BSzG%L<@P*|o_MPO@7e0qEdsOn7Kl#G?JfF$1 zH92VP<1h2P9AVgM+`K%-x5YBxaenOii%Wl)gqY=vSf=@+`QpNt0QkbbF6@R9W{gYYWXM3_A+kP;Fp>y%er!s6W2<2bQG2+HM`@^1v0p#E482h(|KidgrhUxvMJ&^N(R^{?3!kD?8~%koU-+QN|F;`3vMmSP#VF2~V|5pTaYBLP(tEiKFFO%~vvS~7 z4%y1#=sA@CfdkMgKnbI4bI|<+PgaXb8#u-`M{lmiiEQinX%jc(V3G!NDhC-KeXu$H zgW`k@0}<`AN^|0jp$j`5Fdc)8n2iCxm2EGe))q-pmo=`L0XR%MOz z%qR)nW3aDj>I%z4Vef=y`+2<(l+O6;Oq+JxMn5B;N|QONM-Vr?-L{; zlRH{`ZU4l8fiFjluglbde3cjhTw{^(n}x4pSsUeRtfOFfuQcYr;GmO*gFAZ^fAMZq zaUd~bY6Vvuh-DfF5mAHTx4$en7yvvZTR6D#vAt_Qj2I4{chLih@rQ6AmbGCV3~b>Q 
zIJ733D2uQ8QN@A82xE-JiGzQkYATj#97LqN+5!iMSU5O8<6(~% zv$REK{vkI#kQhlEE-i5&mT4SB1P3UkI`yEdg@e^q+gEpsDh?z@+@-O!#DQ3*aS#z4 z;GG#K4!T)5_+9Ys3B99=1BnrhYpysD%QOxmf&BK>I3kM(ErFsmCDh?z@w{jxO z2V$AVK}2u>?m2PL!@_~@nc3S_XnnE9(Ns*LUtV7toci*Vg`1MM;Qdk67m4xJs`B`+ zzUk>-bpGU|%}c7kVEKjmB9_@W()tn}c3Pt^M!zAazO1)!k)u9;C~~-P(-(=+o4Y9S z-6co(Z{PmX+0%C1bi|vealVA|i&$pkLhFm@3zH~3j2ujTDRb(}1`9`9Zoj$9vZ(5d z#JK3g8B23A*A?Ax#gtpG>^UW$`f@ICB$nAY()tn}c3Pt^GtsAKkW*itws5g&|8<8% z4i|3vA~Bw{vwE1ftZ>YwtIB+z2j;FRfzR=y{Y5OZaiR4^^o2B zxIUJb5VW~%WPa|eGz?O5`~A6i0Dfao*%tn z;pmZ*=Y1DB9J%#Rl^8GH;aPmzjw^?+d!YMoE`I*zQr3@#qM#?1**I!@`Vz};*`mh* z^Ix7LzG&ef@s7jJe=w@$Sc$Rm&a^!r9(C1-oBI#kv@zfGGsJ;d)`oG=cAg^w6`h*- znU^eF{Lh*FW<(AbZhl5$91(ZT?hQ*;jJ*Hxmmcc7spDVwp^$bNgj6iEaiRT;_!%bA zFYjmCIm@vxi@qG2x-D`zax2FsS~2eVUD}>MX3XPB{pplr+dUN3@{7cnJ|k_<@=ilXTytf|UOWF}>dP)P&WU9_H@M!ZFRxg*@J&87DRQ`Q(-(=cB`!o?#4;NfT3=#IUz+uU+Gycu|9y9i zemJW7A~B+}W-QM4_qM`MiDfp9w7x`6UuJOp6Q{nsYT+Wd`1&!C!-bo^NQ~b+Q9pHY z-NrFXCik7Y_g5PhFGU}y22=pVG8-3KUqoM+MB!m1V(oCRSvdOdn#Q`w;mEBWPGT(a zO&ES^?`@-=Jo?6srLX6`!FD+6i&$pksO{-XEVsi!Pn_*=n=BkmS~TK!k;8#oJy~L` zd^2s&@!su$CqFvdd*g*>Id&wT_lRX}7zb^qo@|V#B*rg# z)GZqS>ym<-uWtN(`XxsnO%dG>eGtoRTxdTNTYjclJ^2j_N5kgt{%mX{kPox;+A_KJNHBSndi`PP%N`?)b{*L+tC-}{Yj_3{N2LEg7F`G9ywgN>5Ifz zwmo~!dpl1baaotD?=StdVpj=X@>I|mvCPJW))&ziCebfnj;(UG^S^1~DB<5%ls+0& zeUTWuF4!@@Wc}IW)^FT4ulJG*J=B+JcwQuy**Mbr5*~J1(++1`*{LsYS-1$Ce@R*7 zaN(ve665fkN#`a&M|1j=D6!(nT-prFQP9@qVO^(8#)v`Sx+Fb0pa{PM1ai?`-) zI4W|uaMKrwaph+Zo%rW3`W4-`-rwQS?i-dq1@gR)c7CzU#)Z}w(HACBco;dD`V!|X zzihE^GP^`*e6FYinFrS6d3E2F9}ORX4@CdSgTek7LJIMVtO9(G!zFAbPg!RyqQe^|J< zdu7rmk;8?XzDSJcAJ!)?_-)P%P-BIPj9zyw6*(x4u3ML`XVu+>VH7}C>1-!G8;!)U&6yqYsxR2eQt(RU;b&~ z;+4L;kBA&D-1J3aygB#c+s^6y)aaYMcd!5b=6$=$Fhv*q%Nb5^@*lCTv7$r!jzU;Jcank_b&dA}yOe933t-j!~y{rAe z#7O9iSZ3ow>x<|MlPEll987(&`@c*_FZ^8=j$W?mx@ld+^d;5X2lE}F&eH=A7|mt4 z#K`AIuj3=nkLKbX`r$|@v8;{ZsPU+7FKpXw-XqrowTn*PTDU*!x5=mMKLKgLiGKQgrfM*_WSyF*iZESv4fb-X>>yr5t- z=iwp=o-8#50XUoXiE1$ZYK{4=Yg9D?&cyzinB%$@CmVByV5=TS8nCYdYqbbJ2gmC0 
zo2h*G%dz)V;`khdAFRe>UiMKc&ePb~6Va}R*<8*(Bo2Eku@;By@_2E05H>!r4&RxT z-0TiG?REuBWn{dAxMYucQZHVHu0pjD>;kL}2F2 z_+k)h=QezTMslqAc zIGH!jliDE;jMs(rVoY(>6CWf5NAOaq_)P(XysDeAJ|Aahsemd_xhfmK87duFn1@Nt z^RYGrdwe*at_pF)2Nb2_SRq0b;*21|__05L-%PatvH5YeiK+~HO7WekM&l^c9yWuO zrz63p;zL-}VP7e3wHz7Mpwf`;<8dcdNL-OB0**;?BK|nVI`6UppHVoMu;e7{43P$# z(vW<{kg93|)(Fw*Sd+|}Wt=wyp-wbHmLg|LU}r$hHIDFlCTC2G8jO@2glo4vJ_1KL z+59kdw3?6fC_o&3{0+f+5$s?ZavxJJ7Zy&!8dItO$GH|n%J~s*uJH-tI|r$|09Qk< zrFs{(Od;%^p=MKO*>BZ{H2gR!db`o{)Ad#?YomIr$zm#7~rzU+=!zKCU-FUVQ#T`l4C)IEzWC=@Hrd!Sg6X;U%@K<5DnOvk{4%Vv?E(4*m@mqy3q4;7t+zC#; zd=j&K5z91RG+$7_JCHBAhVRHnAuC`M!Lso^1b<{sK72g3?p3>&&U=6PmNd`AB`Ctp5`S-yy6nlG9!E_@+VSW2xz^}igx!sJU8 z%3JB!pMkyfFM0T_FpjbPrQV*QnX}un)S?PZVivqyzTR&o@s8 HYy1BJhHf;7 literal 0 HcmV?d00001 diff --git a/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json new file mode 100644 index 00000000000..acad53e1f9d --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json 
@@ -0,0 +1,65 @@ +[ + { + "@timestamp": "2019-12-19T08:20:29.0889568Z", + "event": { + "action": "added-member-to-distribution-group", + "code": 4751, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "group": { + "domain": "TEST", + "name": "testglobal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal1" + }, + "event_id": 4751, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3707667, + "task": "Distribution Group Management" + } + } +] \ No newline at end of file 
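Review bot: `related.user` is emitted as a scalar string (`"user": "at_adm"`) in the 4751 golden output, while the commit message says all user names in an event are collected into it, which implies an array whenever more than one user appears. Emitting an array consistently, even for a single value, saves consumers from handling both shapes. Minor: the golden file ends with `\ No newline at end of file`; adding a trailing newline keeps future diffs of this file clean.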
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4752.evtx b/x-pack/winlogbeat/module/security/test/testdata/4752.evtx new file mode 100644 index 0000000000000000000000000000000000000000..032e261daab16f024031cdea84919c4b0bc4f05b GIT binary patch literal 69632 zcmeHQ3wRXO**?3u5CXY?f{3?(pdjTYprB#{ArT~8govPcK@yS(B$xyNQGe=P>#ep{ zthU7}qV?WdtEm08{yyse*Gp}!muhS6qqVK5h}289{O@~azU=JDY<6ZhyKv8T^!Z{CmudrXfQXlkCYDb<@@8x>GQL2A|Qj-ye2>W_I$!~5%n|$qu zHu?J0J^xqkaUQ!7$CerNd=sBPbAu!UjW$-g*Wz#QaQA27+$vmit8pEk)7k53^heOw zK@zkH`U9MI$RXfqPsVuSUnP-<>K!@fpurpEs@#A2{rlbtqh&Qf)%NwwkgC3xqb;ePpONuFA(R;m^FvK3$CMJA{QoYtmRsUy^A z{I#m3I8ujmmSBGrwv9N_qMGrkSuMkvqwu*I$49F*_^t`tL)94kjmO>?H4*>o+M92U z`xK4r+Vw7YC46hH$yf8$I$XI;w+Mhw*|lpC=n{@@Utgf+>ekOfTeUc=1>YWqca?x~ z=5@JhHi%t`FO@1TR+0RLE*^&W%T>py)%utCszjCKOvzERaN61K89SHs@O0J;H4Wb# zjCVdE$IA?Vy-*#8ODsW`HRARgH3{sx;#`#oQJ@O)DO$h*sdtB>+;B zrkhMFRgv7tu3fWn0;L)mcVtt6?x>Z30*Q0RN;EIh53sIKr=q<|FslZ`b-5ag|D)QE zjKc9L_?xfT`%`gI5zCuK72qftwHmZKovPFUI3r&q^s?%Fbv*8p?YVc_TkVmPTiizt z%2j=FD!{1Uz%Epnb6*9jpDIv&@GU@(J-!Q6p*~L^#J?(hDpe(TN7R;_K{%3g*fqQ$ zUS%7m40yM?^1+uQ?_*ev$NeAl-HFauvp{FO$Qr3mz_BLqx*6baRUpY?zugb-e9F8$460e^?3L|a_M+i-i>d&8ogAHcN2yW`GTQAzKnHS zJ}}mDkrphDcw2#cCV#5YyHudjqMm3m7eh!vzD1x!_E7z?EpYewxwre7gAY7}RG6(M z1NpV!5_#lYsYQd1g83Wn8PczZk7Y&RQ%^Xh=fyX-^GAa80UDkYWvDD z5ZVU`CD@G^Bosg{baTS#f!tm=%bhwHV&$RN0vfC)M;gh z+Vj|rC!h5C8(&lx^uvJ_SNHkR zT@^3jFgqD=dlI`<;7kX}?NBdFk0~3f7+;LaEyu*4t4uh8h-j_x9nsmVUCh!fqmx0D zPym5990e4W{7sz7nt?Mp_-V#)>^Pz>s!A{tz%V@$hJm-_c;-jJY>0|72)^U7oenn4 z13firksd#bz<3IhS)j_qmeTi2f{Fj>*v`)i{@>R4e?~nc=vT?{FO)^>!~dIomyg}g zu?-dX2hUyihgm;-{EhmVJwM+Cwz&A;fnDN14xD1m6Phu>7asY(DE3}FHdb8RQ`Hmq zzQZvw{xM=`K=GGxdZrRLP_NZ;9W)ayYd_5)5;XH;CN<4rjv%c`T(5xRhvR4iwl!H9 zM`cmyk?6DP*%0GMD2v)Rj+&YlU0b&&z=aq0PdRkXv^8}%fACK8(7#Q9R&>YFaO`p% z9f;FhW2gwi(Q&1nakLtr#N-J-mQolQ5om@)y2MLbY!tdqiSM|j!{4ecqBdASPME|Q zO<_hKEEQ-gTDY{^IP$V3OVk?jypap<8Kr7SacZzX~FF{q0B-% z?$wtbn)}XP9DPc0{}BN2ahIo zTTbk_$KjGJaPfao)pc*D;>UE1V)^+orx5?@3j8@f2^haYS{$+FZ+pI0JATf?*YtVr 
zU$crg(~l{G^DC5Di2pu6d~L!z196jhaev!!_paNp<%{=rPHZgv4vx9_zX-b>>^N~r zyzVWcBaqkOJQ&}zC7==09<M^!-46Jj3T8Kh=`}j=Q?FxnEh*sF*PikBCTKG` z7+wYb1oxyXfL2C_oCMcWjnz6hPdv&@ievay0L4sy(c@>FDHbt`A=ktJJ1(N}Nt_M< zP8X($(_nJ;enp&q3xC0JDwJ7>)5nWX8L_R9U84{TjHrQlOIR(K80$I+P@K_jX#n~e z@QDQxCo-Z{j<<6CKjMM77>4blG;t9uj`$>TVZ;%W$uFVILR?535t3NrB3yv2>o5`2 zMDr0J%n}kG#K}TzPs|EVc50l&$J>(OL@2X3-X`*c`J-@wrLMz@|CN};h*w8taO7hO zsSJA7kvnAw=rYJ$i*NZ0rA$<5ImF}z@kCsmhV4l%t}b}`ygf2!KYc}98Sy7+(Ik`h zQ#IZ~nZ@xZhD^jHA-29Q-DGxg*JBMgsvLYFuS8slep{Rsd};k=#8;BxODMBYze#+> zUj4>elp5-{uQlJepz5kg2Ot1NI_A2vKd9Z<0LocPwj54@4`24&2Dy-fQBEToG01=6BP zAmwjEVT>{h$4A9^TV@s^gv9Y7d_{p|z|aP(&Qjy8*EvMf+7m#SgnSl$f0#9X=cvj^ zWuzm&*WSK*;E9+2c;+p&7p}Z(eD%Y^Z=uXWetXBUq$q-o<7pVH;_5rLRvXeKt29zr z1IGFqhOm~XG99*B2Fr>ml?HIv>_~DPue`p(?*hn`kFvt=&7F+z;(LyIY4%?h9s8qy z9KGrHMdMErehXz5^4mMUh2H}LkMDGNZg%DjRFW}lIS+Zm3hd25*-oW~LFB?0$$yS} z>X+?V!NHBdL85X0(FJeh6dnBG>@BmN?)Pftjpqsugfa_p;2rmEq4alrAy^rB)`CA4 zt2yI*mEM<{*u}aQz7CS1PD_FKZ!yS?t_92C?`Xc0|E1vn$64Y3ot?;mU$@+J`L@RU zE3ZH4cL!JO*jOq27s@Q;zgG?j|5@u9O!jvz2F&i2R71k_K_?z*tg&%!>+T7Rnc|z0u-g zBbct40-s`)j@vqEMyKjornxNEF zBVINCX>a^1EBx=&-blcIq0B=5d+iP3fAF|MCNW?}9+cYf)eFRd*c+dwiHBhM=Ra%v zGd}+;`oe^**c(Ebg?M28c_*e^P+zcohEq4f#rXX(L4RZ|#y|5oPU*o?>`R=n-nC9d zdUz{^nD-e9tA(?gIIFJ(pZun|v_Q@{xuO-YQ8*`3ro4QDE0p1lSGkLyG1z{VCVqnD zsh{h_UOn-_pKU#K(e$co9{W%J?{|JWM(`t)S%@F6y-NIqvsW{LouC%>~U97YQTr6=^ZvUMX9NgTATrr6hxgwNV zE?0f1^G&O z&-~d}E`K*(xjut=@hdsbVF-Kk;?kl?r0`cLvyi`D|5f-K+<*1*Fg%Y<54C)4j^s(7 z0l)u~6@J(IjA!9@)AF60Mh+?{zj)3g6%P*BQ~MVj&qA4n{PvFL@=)WM6K~1mGZBYE zr4Gh5D_xk&FuMtd$Um{ucBRS3U~vX*rx|tbo$-=blc^n~_KV z%J$Prlqv%NxUdEEgjYW+x9(54!YL!Mb=|sZeT;RT$Zr#np+pgy22U=Bg*1EpGs3)%w{vCT;nAHnQ_SF|38&pRZ;hfrprobcKM%tLim-a#@7 z;qsB`#sBssX3B}1`NRuxGYs3@G;tFw-|&={EAi`V32yxIRn#v+nT5FV>KEcBT)fXe zcAOe!f<^>QCcxQf?MZwPC)2Ub%L-2Z+KK)#NfbLoD6?Guhtg6b=(XHI3QLO4XA8 zVviJL1qV-bqGwD3MLq~+mg^aj58?DoI4qFC`=81{FLw!@2 zCT@c1nO}CIXUs_~lrO}MP-Y=+yn2SX2^UZ6TFfMhu$kSCkcrqIv`>3w1s8wmMDLgc 
z3NC~)%k_@PlW=;cYq62KJTaN0<%{Sg;)nLjXUNa>c5(El56{hDKK;8s@Bh4@$Zzt!6#OsB3g7ScksrzUE|gg=Kgf6bwc+GP zV&2za#e!MLs?I{zl~vrF^U;KTXZiTf*84Hh;M7jx@m0hD@vs3Jy*Mj)*guMVjj`U3 z;9+ya>n&ei^8TDV?|$am-^{IEBl<)rvvj?mmz(GjWMaMPAH!yhd$NWkV`8g#BJ0Uj zqsO6ro;?&>cR}mo_Tr7iYbUzvP4ky=&n`&1-gJjwBwcTszeu{;J3>V6deaxX1FIC< zaDk%=OmN^be0&g(E*|uqQc;F77f!U|)Nd}^!gD#~%G@PgWU9qt{p^R+F-@xugK`zR z*F-U=`+C2}DQXzB8(t@H+;RL3z_uhSv-z)1xAhlVgq+^bo4bI3C1KDRsxi zYY&{CLHqO$+9`%!k{12yx@n&ZWftotu0tp5AhEVPtSC)&J*3WSy+M?6Y!qjdrV5t3<&3UpHS7*)@#1lVZ`<~tccyO6yXlgK&C|Dv zoDs?_mot0>ALY!{&~Xs|n$|>X^-MvaxDBhq@>%5!DJx}mY|zITG7rQ#cygst2xTwC z+j-sEn_K-HW#WhSE9YPAofRBCto2oVoH-eegfh$J3vm=Kev&SJf<{$LobgfcdJZpf zL44eY?LZeFeXsaIN^&Mxo!Z<8;;qJW|D;8eOv)L~w-(AQ#0Q`C_vYo!xa`{J{sqrI z@VS2-&X(*$EMpjZ?%(+Ua_~u{nOooz6M*m}^4K%T9h?%c^vm~g@p{GwH>HHvVD)iN z``F*oqB+@3^rBE^xnATvL+VA&H4K*@U=41na}CW-4LezskG;aS|@+m<~P?B@|8E@L3yc$bZUWco348@^jl{* zpnem|EX0B6H}tPwA9;6B8?v^xsXVZr5OE;(@cu3yezoSd4C)U(Pu=jVq{Yn_5B}r6 zm%dT`=ntOH`(n|6yQn`nk4Gr8Tz}Avp#F%4)*qQPDa=l%){w|Cnt_6*7uC!hGNdKR7NzBWjU z=5p{NSA;Ul<;tbIp3nR`y)vp)W>wCFdlkoJpEX1ScHapg?-d~~=u zsAe|?$uHHy!7hK8O?Ig?`Y1S;32*w{FOrWOxzEESERLOE`HG z4ktlnhlwZX9r1$~0tZ7}9Gv;)`j;{%H+J~Q4QbI_;9Kkyq0Dl*akeWrx~hIIQ9jA3 zrIiT@vg(fc><6>6gGiUo>*$>I*k?h;EG3>q9}Ue4uJrRD4Ed4_S3;TP@`bnxCtt$l zmxAFbs1!1Br_^Cx{YU*qW$ZcXCq|ghUXH(597b9^Yt5Ixdg7?jvo}9>-Mhzq zaPLBqFG87x__*ke&mX({4rfeqfAF~6W2gV`1@|t`>woZ%ahQubWAf;Cv0H@+Z^N;5 zr=6B!+G(SnPFVxF(TLg=RAVY-)Tdq1U+bTkxI_u3%wK3;vfW{tqr>IVp-P#^09jaFN=1lU z;F$UzsTBMQWftPsyKWGHa2Vd5O5BJ&en^`5305ER0`X(6$DIT}LYam5@va|4{DjkwnZZs_jcE>Nl-Gzo zJ{`CjkrlkWqw!*_+noe2LYd|3f{46fPLwj|>r_Cg$r}?vTK=fU-@HluQ0~md_8Tsa zzWD3M8MM2$5l4n!CoP&}irx~+EcffgfZ1Jim)YH^VT)SK!IO$=9Elzq>Eh|W!W|jJ zlh$K~pC>JvHz;@#$}H4l-aNehdaV69qXQs+M!9(T{HL3TrQ-JmvzwiDo3B8nSIqB| z7QYzNZ$jnvQ>R_LaKN9A9QENVf)}C8LcDnEycmZZf_E_eH6L|&%e3=Dx2VotMu%%y zEyYpispoSM>)}&Imf>8kkV)6-EPU@Q9wZKxxPd4Nhu6rm;Kgbh7T`Ix{qvz}rW%W9 z7Z0H@!S(8h2g(uVKSsN_SdlYo>*$Qd19bk&sQ;4|FMP4zp$+#ab>{8;v3)s0Tzrxr 
zqs($#G`RL~FkEzI3s1q~N@nb_77H^q=>?pY04*!P-=KCc>|DuzaXZGv!Ho@LGKd4` zd1UeOL0U|N1EI`v93YON{i3eIK^?f>>PiY{v7{zfdW6A18>Gbvf`c;PV62OS$RQIl zh=WITd?g+S(qbYU2xXSzKY= zi;3_dlv$1s&KqF-B-8i^BPGCh1Z>;uB|gIEaV`!WkI-9H!%D2jy9sumHD?;A$VZD*I`+~!*-2__&h-}JP2i$=Lv|1d3cA*6LgJy z@V^SJ?RfR$JoQr)P-kn9n+k_=Myc=AuDxc;{d-CM;Az0s;V!Q3ocHYv+F73yS4Q4I zS~N+eoyB$dgfh$X2E-LHMQnW?y2tF^uE!dY<=~5Zs0SjhM2}6(3cj=+Gx7+@@FkR4 zsK>l{gxz0{?In7Q{{18u4}&H*ynS@W{5mHN7+)VIEuQnhd*68D#Or6>dSv7Avq%0m zNBlaW%tAa!eHi+8wYVBNgSEBOQvIm zofT~cjV1fY9O8s{nU3vIS;326omDct2xXT0Padc za#nEUS7((BM?#t9{t|IS4DBv;RwgP^(`9sw96VtqeBwy-*wI?^sBGH1VW+Aa$M}bbyhjzS93eX#X&}WtQV$_pGzRh(GrR!9f{tFxADu1K&I(gE;W3vyv7Q;Xo*}90y`o z*x(y0rR!gb3)-E;Nrj7#hjT|~5FdVZR?=c3d z)sv^DU^fJdqpe5&FGp2IDkHHvD{1kzpXS`tH1DpeA5PxbsO~#vAF&&RG7E9Apz5kg z2cUoo;|#??jz1erPR!RUKd{nzF^Y{?x$hJr&B1!VXW$d7_haQoX4j#)616~)uN>!m zZcb%Z_nT34!#>d02I~I=TLF3+LHxmiqzr>f0$qEkskK;cQUpJHt z2SSRtVzl!+59IVd-dZlA~Z z5%k6Mtl;HJtuLBTOdQ-E5Xvl+8x`kmnOW3J!32ug1Hsp9k8wX0n_#|Lr{{0gVTPZ6 zMHTr>`LGFcVus7_ZErr(oH_gNhzRY28Ic(t`%hXlfk{14og1UfLVj=k{0G}l-tKfa z_oMedIq~>hMhfCQst5x{p3Se_|y}h%7Pcv5RN@cyC zacG9?^$f+kmmh)RuaojxuM7w_a#gR`B9iFO&=~LYd`$lgJx;>xE1NY57CpGu@Rttn-+i z6&(513njymP}W^9#5Me|_QfigzD~3?okb>1RHR-n5xMPuv7d;~bMZk>#;)l(+qV z`MYP%zU`Oz7kCMH33v&333v&333v&333v&333v&333v&330zPD+eUN!`^FDqjITeX z&eOaNqrd}=B9}grIIUwZ{FmvRdgK>f!8fc)iu~6ikvHo_UQGn=h^%f9xdvv4`F_54 zfoC2?n*6Lmn*99S#Q(MlXV{|%%Z2E<4*%aWMw0i0(ik)E;~p)yoe( zb@E3CM}F@qaKc!9E94|D$sj*3F0Gesa#XT1E>rk_FOK8^bMvp8>gAY>$tZ44;zoTe zE&C8{N)E}@vJu}&8AeDJaRzbSit~Pi9F__En~)r0w&MQ;!Z*sTxHpb-hqU3_g{wB{ z#cwvB{N${E@z~7FE66LGZxcI{vO{jeo2OKYDByiFGq->)o1;HF-XJ%r)Q=*q5yU!- zyWKbjY+?N17ZY+Lh#kXCkyJ`z$&Z=xuwhj~ep8O9CvmGun(F%MWILjL+{F0b!9@XK zT`ya4@7Hi7S>*Vd4gc0CAHpjJA+r5of4?GuqDv(t8Bf(oG7(!Mmm|QI^mi{_Bp)%+ z_Cr$RxED_?kwgM{ycU0K5g++pz1)C^%&SoqNf;?Em*LN4rkrj&o{*g?FAl0GaV8j( zX8fTF@biteN%?JLAhU%cVsbIQsa}2+f2`&l_GMmF=zb;BenicJ0A|q$;wbS@i&&;UaJ+F=4%&wxo}{d(i#4LO6zY-;b|DNL}}Xd?7x~ z)4xc)`Zug8-+)?mf&Xj1(5r842c5I4tQPqw!p4!;6Da(X(o)1z3%Eam`{a-@_saWE 
z-nH}C&WEml`o(KE)vZ6XEGz|GLC0_W+eur!^LqQwzxIFc8(nkX{ijY%E{B3J7V;^9 zOSY{1Y`v3($X3u>Re>HvIP1P`IJ2c?S^C^W0vSieZhvXb#T zP5fDO?tn~(R4+2QzhcKrt0#Uy{MxmAV0P}?Ri~AtKVqrPB!3|Z)tWu#k)36M~OImQXgXw2KyaXqsX(@L2)ocbak{(h3!*)krCYOLbax! zET)$4E2M2HXg^QfaK8s(z3M89a~DFhxZA7lcS173JP7AkKd52PYyiLQI5TdW`3>in zmdAyEOL5huxME*03#vOo;SjzpC~!HX+@-im;~x1NLTDBgk<%=W9DaLn?!h;QXM1Xf ztF+;Y^bLY9DiG-&RC$q691I~3yA@Z1;7sRa58|Z}s{_xFyDr?(^4Gehbt* z;;I`IF}He5>1Y8L%&WBGih7~BBF7_&=V4q?4!t;cDDHT#R!U$`o~w57K^liZCAsQ^ zw(yE2Y{c-winRw}yu;kdAzm8KGxlULLk*6kTk$GVxd9CeJfAj?>%;)_~DePT{BMvLOK2fwT_262~nn3J`VTkW8U zd<{Zda=2z)M()^V4TEZ3W8{!ux}N9;&#e1dGRc!}=X!B9g52z_A-*~kU#tU0l#Z~C zWot{GGU|$&#de9>MU7)U!uFT?IE>$J+-t)fmeShEFWtu=Pt+*Z)yxG_&az2vSkE(@ ztugbIrIamp4u|et=+=yKs2#p^FN2aNmA#;rwE-z_1D)i7`o@}%^+p=k)UOfnIfQ5U zWt~B()KcGxT0;F|y++Q46=y7IgWzWfxuf~g`NjOyd6-uE)Q(uXPV7W@FLu+%nlILStnpb=*=n=(Vy(iKn)##;wqUiw7sgZegHGMc7>m)4`%{E{ z^7qY+m%sDS>n~V4?z1Q2XK2U01UJLh5L!g$Vhyng2G4!6PW`>7PB!cCX%UmM{vV)7 zTP$J&|MJG27>2@>0Bhu@l;MR@yD@a>#KEot2Mw(dcLoOs4)$Y)ZRC^uE{}=aVfj7y zxkz*&2wlOwz?0E3EO@0S2 zycxC#j^`&~wxMN+_L8hkjRQN%f%2d;<#eR-xWeTBy}|qs$srMXN739aHY)Q;hRLswnf&3jt^)jmR?XX;fygQ02WgpB2 zw5+ru|7gXvAJa^dU-G>kmbyD5<@>gzF4tEj0_8fycb=kRzCV&I=y5+v?yiu%a~HTS zz$`4?3^|0ahHz+QYDHyBd9jKum_2kX3-wt0X$~4O4tdg6O3Ro=M`&=Td4_f`Vow{< z&7e7iZ!Bdza)md-T0I{gNc{ou`G+A1zD_2{VE#AYDyF=9q%zItOAFdI}T3RjiSL<}LR@E3GAw6C1GRJAA-H3Wd zmxkKN|D%e+BdF!5M;f>yV5s4`ji8nFUu|fZEeCU@nS(qHfHF69?aX>E2c8$sk!>dp zg2wid?c}~Dz>|@-lc!UCLgo7#$A!(W)#y<|0*+=HUI0w-*;y(v(8W>@pneXF(rX5dk0LM3KQxylQJ$NVk zo$Oin;4K^&aRA4(IPj*H)Pj*%n?`7Iq!}&?I=gUYPniZ)8hW(hk!A(TjXaVon!22Jd5VhpoeQp{5hadhIDWn`t_0I$5LdbGv8&U`~xmI--Qzx)ZCWn=dtvI1kPij*Y;+R!5J&`xHdl8mxd6SW?+Yh@ufYq zSgYCMR6PW@efZuohN5%obPzPk16jobN&m%~}x|jkCpe>uB?x zR6tsu$D@jtbGS(9NdhZ5Nub=Y_=9n6CVY(`xB5(rn1W^k3I(vZ_>RX5W@A73EZKt)KPPf!*>G6`dtLYGU}KOw9^|?U`T6IrZjr7 z&L5EroZREva#%06xhLOB$^KLWmBUOl4eLz(;#TJA5;9X2n4yM!W{?oUCQ7$ zfb$j{EhyYHd1~*rPK41+xJ8*a>5-GcTj^W51;8E+g&jE4qv{iel4U5mZpd%;w2dGo 
zt&k`k^GiRw1NUiUyA_-;Z?+p0fyNbW_^<~&F{X=oRwI)-OL6?+DJ6v}%u`~f&8&bCRM z@t9S|E>)e4BOQ&B>o#E&GfB=@jqO48$ih#TJgNvW6S`5-fu63C?7!0`y9bAMbR`Z# zRno3+bdcqfbTlP?JdE^gHD=Fy@CH6hCt!{PbgzMxTKUwI_y*G}d=x%Ry`+9_#`&{G zKd0Aqe!I9IQ*QlqHEcFzOQfYp%{^Nh3;KKchRru@cH*I{VWaCW^@)0^9k|Qeu(60j z=IefwOb`r~Tf!un$=a_En5-=fu@cY6EANiUqdLpOI0Ep*4dd|F!EzNtxywtb^N z+}^6OGm%AeWg|2b_^R{RGja_Hwm{XgkukExYG|Ihm)<=f@|8RpwkPx97^Ow@3QsL#* zu=&zlS^rP7WI)jW^A93zCtd!Z;dateMY?(EX8eFI~pvleAx}Usi-m!}w)IbbZg+ z=~4Q%(l1MY6lxyy|NMNU<7}7zXLy`#DRPXn=j;E;xt2J73f_qe((myPEx+Gwx}@^B zgUkPO+N5l=#8Two_x%2!X{;+kt1MR(VLj6cZZGWr3FMV>pghikga;y(hs*ynEDuYO zLmm{_Z2wQS?k@QtKg3xcH2la*!!KS^67wbm2Rer>L0Ux!_8Lbw#*R=Y?@4to$9sl}<(~4;QW!mPekV zVtG(xvvDPv{-@OwL0svN3_sKT&AZoB1y`~u+x)c@IdHOt;!0-S*&wd;aHM>@aHTNc zmLdn=9#`_XlC^8=v$lpDQ#g6>PI;}~r7d!PzLLSJu|$e{r-->>V1B+*`7tm*Uy1gF z;<}-9onf0^)+E^cG>9ub5@|c>!j;19q@~EwPI_F)<4PV^^4lO+A1(8^lE;;*Ys2!m zlE;-iu2dPX0a^|@|HW^E%$at68|3wn0`ZEd=fC)Ekhz%bMY#=f1NJZu;!1xU={Vbk zD}~3|mLkVEd%n1m+QT_MYrXnMEx)hCCMu6RxNxOuld?5_Sc)9{&IMQEP9NMT{c6+# zbD6J%WP`ZUW0A_kg)4>SVJULRgCYyzN(`{L64$GI-0&lJ{PRnN{I%=VN3qVUP1)ve zo}yx$%&+qr?K+jE7a_0B1^*-qQeY*>o8w4k~&g-8s6r>Ize{5r4E>d!lUomcLd+6}$q#tMaX%*&^x#p}H0*I(v*Tg6-Rrk?N1DeGBW4rO2T_ zzI}^Uf8Ocs+c5f=-O$4fbduX33C5J7`kCd?(&F}QJv6`hNwd!Y{p7x6`=6`sUENw0 zzd$i5lYM^j6czVB7wQ+t4T#Wp5Bdc@6)E2?zrZlxd5Vhp_I`ohFEHr+XV?2G_WkjG zfg7=@+HigovmLnJ2i+gRu1(x(PVG~Kt;xSh;XRNPK_zd-L7==}n{U!ZPpsyVaJ`vrQxK<^jW zhCMW>i=5%h9X00uTWar(jPl3gzNSOinT$J~reV?0z9F2`(1N2AAsq30zd-L7s9S<^ zmqPCs$c?;*fFpRnz-sm~ykFqO>KCZINP~WXUx{>_?eYr@kF)a>6_2y$>lesc80*di z*PD3S^82lQ>no2txcmaeq^wZ~kvv7k{LaNMkUjoR^hT~m52R}j>rJ%DhM-^IGm*-} zsF+iwh_NSuHPTGx(JNlAJ^}X zTip`q_s8}7`FVoG6T;+uFB3CUJUoRQuX^z9#^_paiuBQ zFXKU6=~SfSY!|K+9%oyM9OLZy;!4J}AHCgxPuEq0+`&@h;CC*# z5_^#vS4yMqyzn~aEz%ammHsSJdAM+;uske94tY>yvvH*mo^5>SH`a5=S z$>T~-+;_)J_rGe1^LploM>p;M(7zA-{lL!q&&5O~)wfdq4wu{Ul1ao&9>7I?ERE>_ zQ}`Z&m^b1(X(kMeA>m0(6c~d-4P)BC1pZCH;b974!?+ql+*_$^ICo$=0iBOF;_x1@QrA}}m*U~$36aHo$z!-kB_tV7)k!jeq`1SuTL_G&AlXDLt^(H7 
zGa$|w^(tVm3aFP=2~hPeJaPg7>V>CqkxI&nx>%!%`I?G}>jZddM$EN~@UHsU63n_d zgzu;l*C43h5BkT2(Yg?Aw~n?7?DfkYZ2Y`UcHp-IjMAB=H6PN7@IHKZh^6IuJgR6p zhl|uwSy`7zt(0{MDfi+c8Ci$YhxvC`$Yz}InU-l&%=G_4@pBYjvst5xNrUHzDitgl z9Vj9djY?Zin#d|Qefe0!YKV}s$4Pr(5N|_osRbs~LCi8_k7*b^ zCa$`jsj0q`$4M_%oOCno-$9)8FCrahJ8{y`INMU>7-yFOCw<=XyJPK-D~~%kaZ;1A z#T_g~4u0o?lX4#a>#=sn~jqu30;wo z0V~O_=d4K6|D-SC!1Hw|KVJ$DMlBMp9K6L!tLZIO1G10euzTLI-MDqct6{QbHvI0fk* z9qr~^SD|+f{W^@}gZ;YxNaf+`*M;Sgr>IyS6xr;4og^im-*1WjGg}Qm)A!un`$Wa_ z*Xb{0QnvYPDRT5H7wRvBJ=0dQ~X9iG2a9|V#CCjKGOVkmDLxzEHD2iD-0b}A3 zkEk)hH6GERcwoHHU_266-OXW4Jfg;65)~CqOf)ga?(F|xufBKn>wZ1M%wuHU>tA=j zqh8fl-&gfr^;OmMmW2&VTAG#rNSYgI{3ld_QWXh*l3l*87|{0YE@u*F5Mv<5K#YMH z12G0-48$0SF%V-Q#z2gL7y~f|Vhn_0V0z2K`o*nFVdGmzw*NFA!zobFN2zCiRQ|M; zy5qkrr|inx&v)mrf00t}7c2FbLZx=3+)tF+r$nhE;f84M@w1S3Hlj=(`=d-Ae>3TS zXzuggM%-KIgXbt*e{7s21AS#IGkNjd+syeaq-{W+5Bu_AntYC@fS0gixHxUX61tur zdMIexi#{If*!cRmfejBlpD0fxRNusT!-rfex$^v}om+McS#i@f+m|jl^(NGWsisz{ zYjDa6@_4v!p_;DFQq8JWt;Y3*_!gaM9&RfyRBP2T)q;ns@SreJs}>{KYPCWgu14Xr zO3lZeW~6Dt`AGaP!JUuJe<&8yZjyeZ9uhu1^flqB~n+v#vq93d)QL}aFXQ8YGNVO7A>+o%m#(4bI zDRlyXU51Bf(q$@9^jXs$4(Xp#$EY>>O*|@BSX_cR6{>@9AwB2JpO>iP@%S9jZ8`9`0C;E8Le)P7w9m%H6(+|czTO9g zF3~uxN77~hKoTuL8jT+IBDSeX>w0@AC@%p$MXItO(HpJB;Ux_Pr7mp$8!{xwgv7#p zvaGl2O;|3#OTrLt`g0#uuagmu77dA@bso|+G?*UV`-9$UDso&6z}Z?>qo!8AWyPwz zh)jWGuYIyov1ltN)+x(NrED&3ZOc%GFp;hI_d*5MYQWd%f-LeLOE^GHMOb>j*vqup z`AE159|J{+Dk&msC2231SON?$HnOG2#ytQJz0IuI#}ghMZ!S)@)vEm@waX<9?b%rUY1p@PQkra(0Vx<|0-3TQKxFuehr?phD^Cg4ZCJTUF=xMq^H{m{c-*o&_(y}dGv^)jEvE%XSFno*1^9mDXpj#7=y$C2@ZKGazV6qel zCmF|^ybf{Rtnj=!4cH)?XMLTw0WaU?TZCkg^L8)K+jH>V0+lRHs(wsA&ZPIiIR`jB zL!GJHj{~W^Szx_cYu?n1#j0UB=o9p&10@<1OPy%m{j>vRrSIL~S{7RG=K=LhU}+J) zt!Uh=Z;{0=$C#3bIwhCtZf`N47Sx&anF%aWyd_JEbCyW?MLtA^xCUjdc2T6ndXse| zMfP_}B=aQ|jy0u_nVy5Pdf|-}IuqD1x(?olNa?4)ea$tyUlQkh&VRBC!pX9i*n9yJ zghye2{2VZP?!t4Qerw+~x7=7T7fNWhXYZg`Hrmthy8yKkuA|nziB6!<_q=6Q4%ysFEk7;kRgEUR9L-XmQJz`icNXsP9X9io(DSH* z@QlQ_Qt%y0sRjVqY0_ydG7FYUpTd)(Y|<#f_7CYlt;FV-4s%VG^@FTRq3?814yb1a 
zHb0j7_KByzw&jDBZI^A|u@+L!@ctH@=HmIs04y)BAH|Az^;&ZMV4f)4R9W0~Mn-Pr zR2jL2b66t>W@Y3@ew~qDeq0xvhFrUYHTHAj0*ez*&w!9DB?H1zkMt6SMX;B$u$MPv zxh1fXF2`p;MtPF~Sw2#^$iiHQ>Z7#OwP)nIy*rKjPZqa}HnV}sYeEKCen>tF#l z!v?NVTZa{6Y7p@usxZD&D_evB;YWM@=zJj7pi>9!6!t_6q3Efa z1YJegzo-C{^4K{UKN^eA0-V+0 zya}Ibe8=HCLEl@5vs!${;5#3hLLJhMhjtK)c*_eJ`v-D(lH1y@L`TRX;wMGg9Y#T+ zXofRz4g3Y&MRCwpKXg>MF*snrL9SM~LadQ94m){$d8P2E_0k{O0ko><;hJXB(e)Ab z&J5&kIY~H}M&}8AVPS6(z9yiKK1CwY@+~@Umdy7-bR1RqQqhKOWFNe~?^1f5l$w7< zUyMECgx@dVd@jD)t*!iHjnBdHtS!e%^B#QoBR&vRgeOotnq?wqz_Dm@U+Gqx|u#e zuUaHNS*-(Dql(3rFPrkkI~JhFQ@!$uK0n77-Uu%xb&6yu96t1}=k0ZN@}LI6K^`ky z!LhzMj))vTp8*y9&>2?gzIqIOwGJQR2qp)goW3#}=kpPHU=0{KWnjpkW#m0>aS9+^ ziF`O(>E!O@*T>4Q1DKRhp=4=aRZf^blTmMuH)qtlAN;Qz_F_mC8#KeIID+Z*7Ow(@ zO55qhpNagk;SD3VgfZ`WTA@FTH)3=Hsgx`&w^~e49{0X7WXaWq_ISad!fvbe&5Qj5 zv44P8n?F)59s&p-0=O0oEsKBPsEGXoQ?;4f0&!-Ej_#rr9ht7JR#4Fe;rIGsTV;T)$|^h><2*um%$20pkS8tC3TZyCWbw z8YOa9`P$9(2Y$Ka$!|PSoh-b5zwg5}W1>WE#c6kr5*ho-jf)YwX^j`Owe|15`anEh z5RVr?Z;tf=mr3V}K+hc#(2e{9-EX`gFHIm|7DgP-qRL`Dr>qNRMci3TJx7hH$g1Z& zX!M*!KEc54&~xs2xoYujSZW;2iMRoHGloD1s&= z%i^nVr{^`m!<;#xkTa1gR0Tc2Q&F;a%z$&ZGQ8A%beutum%p-|p5z%AZ{Xm~0(iZx z5rbsuUREBQbLNFbJK_A}7e$y$wF2!7cL>^V_`#*RhE0;VkvLR5^iCB`5B8R3_2f%&lsGI!^b+R@W-eS zS9SEYC=Sct!kjaS5_t;ecjKEGB{KTu?=63>#MTFr-Pb>GMm%1C1`)>-#^VK!FvwdU zi02zRv*7d43cy$6nR}~U(F#_yLwjfLWkxtU^Qu!?%0t{_NcCqq_udj~c}e4Ij5MYd z?6-t7A@D|n9&Mr<)@Z#ZcjPEnpJ4O?wV&|lPtG)4igYJpbJ2Zwv5nvEGg*)M$lTlU!V04$yHP#5`RbFEYp&o_+c8`|^6lckZbP%!z| zx3t1{l3r_d7`0>RXEy!9oCp13DoS3*-Yr%>dTklJF(6C6i_LwG#qrqSyQT|<3jGbf z``diil8$M!9eBn?GW>^DMcemYTiaus3die=yvwa5{jR0#OL}Fxp>m~VP%W0d!#Bh4 zmfeHM6^c^O_A+&FdeSWK8e&c1d7JEb&I-9cfWI1k57{5Ie+&yBZNKEPk^|qVO#fWX zK6z7ez-YYt`{i4XuBm;y@;kqM^P`h*eBsKqCT%^IGMwj|$1xAR-&tsI9Q zUb$`XZ(H8jdRO5WK6v|CXD!1Y<8&7y73uxJ+MAEObWp46qte@o|4^K$!eXnaDUbWg ztp8Wd|Iz3EOy4lPy^R-ZAF|T$*YfZ1%+dgyYu@AGy+5cJ3vl8q_pNiRbBKGw&;N-P zyMB*v<|s$Z&z*I2V}7oRKFO;O#QeM~`1$_H!Qd^4F$3+0tf4n;J93(=Q;WqhpTBYf z*^i1e^8DIGJI>s@^}_1e7q=CjRe8n5H-S%@$n$G(nv0)L2dLgLeGYbKSO>Y+*E6dV 
z9+Qz*mbDIZudip;Cd_-LqdT{p>kM_MuFgD4&*(;{zqZ(Yf)gP;n z;Ddm5SxL?eMNI zJrx~XBbuoVT>fsp+JH1ut}4H)M;=*VXmj@tfoqpv?_2LogP*hA+kccoqcqevQFof`Gh3~ZKcEIbe$myNn>GTd;k{dICJlpGZ{D~CdS~O zFgp0oOgTyK46{-P9J#m9sX`!k=8icQ3=;rDRUTXASg9F$>`>mnMNXA3_?(or-s4+U zz>s$<9LaOEermNR?A1~Le;N81|1g*}(MCIWxKGcHUYV7!d z5tnpM{6M40#~LNTIK;)l`ED}zMIZRF?^@*icHjMf`K~2h)cOFtjqdGQ;`o6$egKlc z^Y(R&*Itb`w15d8zMo>(1(@z$Ipy9Tk<2~oPE?({(ov6#AF%d$jc3*D`m7pf)k?0+ z$wk+kT@F*$3YbTrA$!OEhO%k<=ku0eyr~)UQ|4$V9=QM`O!aD{Gct0>vL6|ZR<4T9 ze#DhXefkRaUDRuG<~^#$IWO)BZk#b)+(|R0I~MPl&y3)=s2}3+$2->G-tLHZw1bZ_ zcW2db`hMoC!Ei__b>1K~#d?%ZA3o*mxewm|eBuuYrJhEVq|kF%fWIJTh7|3lstD3ixKCjBq< z7`=7x>$o@92hUhs%f9lmd%TresnbnfyuQwy&q8nicjS4eFCV741m*L1pi2LR{=9E! zL=KYA@!G-JQ;|=NK>0%Nb;EYN{HJ?`Pd)O^@JUh%&j&qu>5EtWWy3pv+}!UM527aI zW>fpA%{XNRdHDD0xDfY>xOY2`-M`!8KS4{OTkzf;Gto4KqQQH39D)=L(ir`^Ntf>e z`G67G-W@|aeK*McO-IOYSIEAuT_L^0Gu$|87D&I$7J8c{4qme0P6}zP! z%%+VOZUDeVqx8y0BDS(^OKr^|?TFgRHH@+yHzo#SO`$S%2o~hA(xlTONOpo*&PKZx z0b?(bKxA9maH8RtJ4FWad{}bP@q zH71i~N_{DnNUAC%q15Lwcx#b5TC4X>Q1*$*WLZ*`Asmv7_I>pw9rD1G9Jf0Xzs?4| z(_j>=QlG;ejz_OjhnY083B6p;!MNvCn5$^6*mX~NM&sroR~n%!kps7}sMopC@K}z~ zZI1M<#^f>nyZ1?-XEWS+80#eDO?uHe8pB+&L7`681{ho-f?M^{m|+R?QAcM4l#4sC zoCUZy0>4dqjF|KB%z@p0sUJ{JcshZ=O{04Vc`XWxp3vD1t1^#_{! zp}y(eeR~F&!c^#1)UfCQrl@7?wAQ4`QmQCfR-lSf$gnr=QUxOaOOgNa24x~S9a0qP z8`N5oWrfzxKy)5afawgWdz2Na%7R31os!x`vJB@GcZVS*C1)~!30Z?zC?WAmf6XyZ zLqx`ORHqSfHrXSExcVUBq8!w4QQDaxO1(BhN1842%X*xxn{98k4Fs`{G}fcD8kXF# z8=O~`k>xbHWQS~;uJlgq3`v(eQ_-@ja2-62SW?Z?vSER4a|_VsR^tupD7usFp6!1& zNIl53|Mc{s)tT+Tvk`QQLC_;E1WCyPpFrdj_C(N^yBI+fwG7=Fh2J{-ayxDY4k;~! z>7nAc7V8r_ac${zEAdEtR^fj?;U||p`uM#W{G_w-8Q9=V$$(TJHblFt!D+lmd)q%! 
z`~v1|QC5v1ZhywcWKCb@D?WCH=EF}4(#-L<}y&; zLp}Wlioc!$QHcKW->y1a27!pKJwVx?4@Ow6=|ehEU#yChPUQjmzMoD4Q3#!Oy6997 zVSA)8tQJCeF46{CkRRM}er_bnIb%6^D-WLmXu2xTS3C zgnjJs++ES%a_KceeibQM^f!ShgpO4IyndBc;#Z*^G|bdXE&uT30d~E_uM&wJWJ)HW zJZy+E_55fIZ;u@`T<~+h-8$wOU8t~KFFDH-%Z5;M3@hyWr&g56)z?HhV-Fwe3Sk|J$_kMtjdcxLRn@;9hriojyeU$j>@>5Ek_T_da06v zPrj!!mmvAHHjpdSF<2rCc)*cPOV<-YB3&{>kd(L#FERo;;jDxGntChc$_UfHZ)|xl zpnrEnp5&@tkerl~rFsHUNcC71ubdp>mXn8w960fio#)wnD^fXWO15y0cnX0iQw~HU zCr_aMK)P%GZlFoO@puII36hgivf$^??D*+wIqCLKPsr&noFLF*DA@K-Zvi{~w1NJK z)T5);+wHCV@IO8$QC~bi0>kVaEOh)%vD9QJf;Y5*Ly9$M0NrJLFqc>faw|(m6tN;5G(@cI$!=xx zDe+ewmXlv~w%iZ$C;JH`5QPw^XZw?Ne2m+lTpcMLgZ#;UItoM~bd3GU{t&Nvw?BDg zq;w7PC;RCt5QWgSr~8xP`H=p}|54qJjsj7;>DaUU$q4unI?}EjZRq&;hN1I+YwPz> z`je$(QD_9B5IO>OpPj7je(C|V2gjItrJwxkmtME)6{VdlB@<8{0#QJmLo{~scieXJ zSc4z+wa3<{^ZWqJA>S5QnK_TfheROx!q}uQghsCjjWgW(`4S>UGLA0pngIAG$~o? zClH0y4|NFQ6VCkK_8MUK{O)_NA9dUFi4VbL8sS}7k2#+DfP~~xh@jDcKE5X#U}oaL zCLloUunh()f-S2*&{y;VIzwmohafvlN)|c^L?P{^XWL?@JdHOLP0(^Vh}p=(dK!=Q^u|K$IL-Hwg|QM>8bv+OV^2|`EO zVP7?LoOH*i{?|dfu;gWwc9@hb@=_oQp(9}T=~uPx@yf56da0*3)L(Dci+0$lm}1ir zJ%9yfI|Ao7n3Clk8=_1*BiIhB)p6&YH=(B1ZHHYX`1$DmXn=uTZLfnIUK8-RZ z3w~^fGVzmk4ZX|6ANmdic}vcsfg=|=)lNI!DhVXU8HhpFwj6g%t^Q@;;pHb+puAUjM-mih@q zA@xHYe0*Ywn@?OS{b18WFC}fdMam~k$pn;#4N+!4h=xyi;{U#G@RMG;{^hR6PY|Dw zk}d2gB@hMJy1R={c)c}st~Il`%HC?>6PutnU1spP_V&H{_OjbsSJ|gQ1G!SN^do^N zq#yM#Kf>ja(kaM~;HQ&76hf!ikKpkmToEZ9gZv17ItoM~bd3E7em}xj+v-#KJfSvt`Ynkzjb-n<0sHQFeM9q1fl@^ zL}wq=^Pb*3|Fb&p#VM{et`m zQnJ)fAPT8pCZF*55x!;WrLJyF{lunQlzc);mVRJE)Gho7-xmBlaY13%<0ptuC{wcF z$A%~qKi!2-IIF2-_z^Z5d@g?Xyt?P?_7BoKx4qaNl*xGqvU1^E&DbP|X{ z=oI@AJbr}#jFgT+egr=q1)>l-#(o69AK_KEAL05)=^Erm@Y7Ww3ZZN4NAUO&zSHgK zC=j)qjy>9saD$=ahP#W-9JyJ>QKR%DNXeqt2t*-t%(M?YeuNuMz0!S#e0#KAuPE&U zDOvPifhfRE-VJ_)n*=`-=4|YG`~=wtX;ZS`M<5EoPjvP{ZB9Rev&u+@AK_+$V& z+pe_RTa)LPL&tMY zSbf#sY`rE*KZ2AjdW}F7LdQ(|z~e`_)6`3yanO^0x9b(9eIO-^PH97wIgS>Mec*{l 
zxXa)t{qeR4@Dpesn34rQ0?}@@4|44iQm1zgvB35C5ftK;?>6}S>D_<+b^RS(?Tr2!W3!rpbN@hPAfK}84qL6+x!Zl}Pyxt3?4!_){tVVBDGg^(ueh#CtcgjTk zPsBbda$r|#Yu>}NxUh4Z*Y$Lj`mc4-RZ14R3PkOwfBX1Pz3?CY z-@jYxe_oFI3q)O3e@%DcR}Yx_Upr@T1oXG~Rk1qORevd2*8dQQLh8?^?B&Iy-TnH( zNb4o-y4lsQ{q+)vLh98C{hD~#YU+RYcL&Vw`hHEi7N`o<;93S+N+w+wV?7mtD5Um?9{)T_#+FV$fK$Z_~mE8-m6k$QKzF}UZN9jcP7 auk_Q0O}(dm_>ZP&=$TS|)yhJVQ~wV{6~9aX literal 0 HcmV?d00001 diff --git a/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json new file mode 100644 index 00000000000..f7f1d4e03dd --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json 
@@ -0,0 +1,65 @@ +[ + { + "@timestamp": "2019-12-19T08:26:26.1432582Z", + "event": { + "action": "added-distribution-group-account", + "code": 4759, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "group": { + "domain": "TEST", + "name": "testuni" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testuni", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", + "TargetUserName": "testuni" + }, + "event_id": 4759, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3707737, + "task": "Distribution Group Management" + } + } +] \ No newline at end of file 
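Review bot: related.user in the 4759 output is a bare string ("at_adm") rather than an array; because the same field becomes a list as soon as a second name is copied into it, consumers see two value types for one ECS field, so consider always emitting related.user as an array (["at_adm"] here) so a single-user event and a multi-user event are shaped alike. A smaller point on the same golden: apart from the task string "Distribution Group Management" and the action name, nothing in the output records the group's type or scope, so if those are populated for these events this golden should exercise them, otherwise a regression there would go unnoticed.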
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4760.evtx b/x-pack/winlogbeat/module/security/test/testdata/4760.evtx new file mode 100644 index 0000000000000000000000000000000000000000..927202b07120f79f6933d5b7e8b4608e3c576bcb GIT binary patch literal 69632 zcmeHQ37k~LnXm3SIi_bu#2|PKAc)6s&J3W4;J_#fN|sSWmZ&2PhYSPZP!zIu0>;E6 z9#NM>*LXyOqKNTAgYigQ&2A23;t@3llc=a@VxoyAyF2^;*Q@Vc{kmTd%sfWsz5aFg zJL*+^N7Yx~_tjTbQ(NXYENW?1{v&B_r176n1xi&U{7H8Ex}sm(v%8&1oIy;1m;x~c zVhY3*h$#?LAf`Y}ftUg@1!4-s6o@GhN`a{@^XnJ3E{2V79ohcVd<>^RMK7iLKc&v% z_`6B} zLvx?^uE)LkK6sAB^~c6Z(%)Cc5|bC-y~CW(K-vc6`G_wcrpf1c8gvOehKkcBETQZ9 z;fI5#J?P`Hj)#xfJhkD$=M&|LgzBAGJ9N+n$(83%@7%Iu(6U>u+rD_-8MgovrkY%- zuEQx2zfN{zs0 zg_?^y%}CRP^WpekggeXCQd})n^O15mu9xEe2z4Hwwc>xY8i`L0&PJ+n_-(d}U*Wk* zCfeHG1h0f|OB;*TEOkC|Ua3n&1)tp3HXCpWM?Y9os%Gla&qZ1DkZL)e*5TVAmGPu& z3)RU0b_pITl}f2Z@#jo^IIM4>I$o{PZ{kt8DleE^pk^T11t!HuO(ia3O;c0w>`;7* zS>>3`VK4VopG6i;AlV|Izes~X(xnPjaWYk)iVG9H)F9lDn%=KRi8{?BTLenA;#o4) zOBEJ^#|Pm;s`$L07pdt;NM5z*M2d-$>Hu6EVCw1AHHE5C^J1}1l4OAiRfP*S0UnzV zDpsd}fn*Cw#NransYo4y3u!s${GwEygvaNDZ%aYPd7wL!7OB34Ap1;QTxD`R`WwAa z=ps$idL(TI0A$fTq|xMID`K6Ru%@SngYpu{Q>-cr5}0M6R75|~=~rb<+K zF@*xzUi(y~V$oJk#3{>5Wvni3ZA(yw2$8K1^Z){@HQ=jsK^A*YAROSPA}l>$>|yHc zTqIn9kAb38l@?R9lC>9&F9n4c8rlj0Qaw~@L83xeCkkU8>rh4Ok+KODsa3;Grd6m! zVWO?=WF(+eBjb*4E!Bitf~r8^thSOYO7umwu2*NGys2PTBbw`CH44AO?K{J9e=dSZ)(9}VOS3S1ik4%i3-J1$D4PLaGMD|~lLllUsP}WKpM@p?Xi6c33pi?4+ zFS&4nDTTuHe3aD#Zxo_2LA5~B!Tab^`sib9E;WnlFc*M-_x; zWWAMw@35C@0FWKlJB>zW!M)OF@T53fZehD z^W%lzKIN>}wtTR>?TYO?R->0QvcCnVxn%zF0Lv@uM-UOOUQ4MTEE7eVDodJ9%gBwA zDkHaW32XX+85#LeUT5T&pVWn>sMGa#fm$$+rT(|d`+BGfCisFycn zxqD#KyPT8(8T*?I$nxoxi!I9S60VwVb-%s)97y^!DQoNAB?Rg8a8lVMR zhC`w01zUu@@T9@tVn*a803GeW8S2&|2rz29DvM4cBt$_vH z3>&ycjm7U=RSSVK2KMSmeO9BN&BZ;Y7>_j7P{f<@KL#o0;!dspj=~#XQpIPzQ0`I` zXKBq~Ig&Nox&gJp9=K`*l(SS7MD-MC5i=Fd++)DaAoEuDs(G5V{gFpbb9O%@$ZE#! 
zi-%dv*M4}E!)&Fb4l!3JAxSPXHC7&IZst}VCV+-nl!wZIwov6$4n9>~dy|?78;YK) z3D8wU{EG@OQQvi}vWcL~E+2VWj zQGe^Y`oL*f^?^@7n_zw5H9X1C2kP?D2Rh0iDh|>PYGDwMLmyva7QvCt0UF5dD&#{PjEp5(T+tI-g$bnz1+Z4M)# zP&C6CxC;J)uA(?-s~8kTp`xT8Hb&`zPvJc)OzR-?EqR;^lwcu>FD|h zduJMQx11y#Or!IJp0KdD2wxLON1q~zX!#Z$H%sRGU^Bi18cy@DFZ|PEF(EZMmGdH5yrgnv_gLvZ^Y;Zaw%C>Zq=BeJnnmC(4uRL?D2vDMO{|wn-lv7 zV*dcGHh-jAJOmIv1h4@DEsKBP*ogfDleL-Kg6_=fI=YHhkXPgYVD>~C<{cwqq6|AP zMx;V<6fcm+5=Gb*;xjrnTJY_Hfk3)&)FeAvaNUAM!-gZSn$dza=rJBNPLRARIeT(< z1mvzpiEJ)ky{Z1-uarLZ%_pmqMK>PseE?&kL~h4vSB?@H{mRV?5xQxO7qqqY?YjCv zJYEow7eH^0^#PYj=ZZkj9TL!m`~zKYydW=4AYc|o9L}Orv7VFagjo@Hmr&19qbjoM zIS&~Rvj|Ajr#K*-lULG>kWJ@Ma#o z-qwggvTPqK56(IB!lIpU{_%@q%%xfec<9OJ+^9a*+oxo_&HOSj*#~cD#!*;PPUzpZ z=F=w2_C>CRnCGMvdR{%ti8Gxz^NH8}^tpA-$%mW?C9|P8>5yspwI(K7v!(bBrzmn3 z72@daqZ*-Fa+v!??2-NRE>F@yUx(N;q6Ul}jgSRQYs8neWI3Wd_{+)G{_AS>as8j0 zwoN*E+a*V<{-62L^UK|(G8YDuk4G@saQxRHd~7(}!u;|x8c!H>J_MgpI2(hHbyVSx zQ6VmL^tC7sOW(qrGl>#;8t3=mn;9iC^5yR>eXi8j2a;XaKX7(DUVsV_#}mfm1x{y> zw>}WhH*{vf=b;rquEsO>R=T1UtZ0Y!&fLq4aCGKX7wTRf-AzWX{w(L-Tise-z43LX zH>MTrw}dkx@J53kXQCTcX}uoa_^U;M(i?6K#5SUBV1PV&j-TB#ms?5tT}#=Q^vZNYy_P*F^(#HgS=vo8qvLmUNG^BU4irS0=;5fr!k&8Wv#o&DC2lR zim>$(^?bB~Jl9E#bTzAZ1iv#z@bA@;ifZ)veb78`RHggAb&J*(sakF=Q|gC%B2uyS z`+fVoa>u~mwY;%)bI}(+c>7srEyEwHWakn~%P9NUQ3l(%VY@Sdys1VynQE z$Neem|5fvU+yy_^H;im=m2JG;-1L! ze`3Y1Kj51=$`Q+RXC2*Go~z);;@GaYpnPMW(r(kK! 
z=dT_|@uMP*Jm0Wj$2t49UR*u%(zc>=E3dlr7RX5xd43&EbIJ3m0M$FD&%y2t>mc{~ zdS-RP<1_Ngvesel_4Ul!gn7?&bmx|HouOUA)tN`>8Qln)RTn_F;JKWznP5?IRD&zG z`ePLmd=RiI>#5KgIFvUPmi{cPTRt5z0gX6oR8GvnU2jg%eW~eCkxdo8LAH)mRN8gB zcX-#A9*xZG6+9=IoF}~WgC!Wj$jTXocDGy`L$8m|in>=XI2h{#ouLm5$j}FFf1vF|w?6P%tPh~e;#B@7 zG_hD8a79ZvYdd)Lf&F0ia#eSFROwyKrVli_^nnxM5zW*Fu6#FNZ9u9iSC!x0Baam_ zfAHc_OBR$l;{{xmXAE&u+AD+knw{1eb-b+=*xfBcYmkvTGF-8@2{bNUT&44 zuL6FMr*E9W887g!JnVP0=NbcOPg*WJd^}t_R%i-Wd_NRznCq!JtEo~YtqR;m=NP0O z0wfOAtFzYlR$=9P%*nf(4%czz+KF7p)&FDy8jl13Tj`j}eQyGkVeV|SSeH0P=i=O% z;MqvWS}~S6xVP6KL{><*vyTo_*6F-5pRmNBt#r7Yt}`SdX)KD24WJ?&XYT!SCW5A< z#3=j|Mu*;+DJSTiVV3KFBli|MRS4wH+%d<3VH{wn%44e>D>Xxp9nSl=$f@!LpOdrJ zdwi=36!LC`BYBS0Pp$go-2`VMa_}$K?O&jnRPn!MQNq1P4s*(PdmJlAE(q@IvBUb{ z4;QPlR~U9M9fgo!!0W1 z=mWzp>zMd~Mw5>Xzq(X@MGV#^z++&_y5OtE$O1x2jFdVZ`TsX55(~U z==nQtU&nau)p$b-nDF8IDRy3f>7MPU-1{R^xM$sos$*9=>UQx1);_QCteV}QRpYE$ z$(1>|=$f<3VWG7G=FzCg-m$;ItlIwhyrmd#YR3GOS=xz5DZmI*y&CDXj2yD;M@FNS ztD>_VaV1ipzJh%h^_rY{kE(Ibi+h3_XH1uL(2VI_i+9XtM(|tI4{`Y89cyrJPsBUg z!AF_9vuZefKXcVUI3$%?J3vjc9;MSqO*(J(Lk~Qk_+vt;XAmX1_Db`T4zEeP_WG+e zGjW@*Va7Ied~42if1FtxOt*lK3-rurI*FI-Ju10NCD$?K+IB&yMqsY9eN>=iz0WrO zzhp{3@7insL8vSs#;tj$n)_@sB-OuLEqAP?qcv=|TDv&cNf14xWYS|buoj4{aHDq9 z!$TL3_-tOu@ zh_7yaqu+(@_bV_4ejl3Vn;83k#R@sFAHRb8vIV<+Gmn!e*v@ktTTtfzA@2&5$>SZ9 z{#Sa8-n#b<+?(x#XEd&5UwPR*-b$_1Stc)D-(b#Xptb)i^1R!Z57S(R@_9U1rT;>I z-Zwm=1j*-k?a=J0D5r*@eBt++Av<3F^L-+x9(`x%1Sy5*1D?A4#cTe${+&N<>hsHo zfC;79PKh87|6Uyz<6bfMZs)P*cYFLNcqx1f-n(Nus-|!>cn^=mkfK23ZeipNp5w|?|iX4P@ zq;comGx8uLlvbT}??}4Y%1zVEvWH|9lCahD$g!8?A$TmpB4m!|Oe9@za?BO#p~*wR z!DbX50y-SoiulZXqw0(BlE}bZ8&=Ojx`y#asD*4?O*u%m=e;?IONY)czXH2i9(^npAdl3XzH!SOGySvKr|w^y4~plb_GsUGmi8bFHD*p{g- zuy%Nj$z)2YFBc|~stQTi>+=}6wOAde)%zwW`=n$tl~gH&LsHPbufD899+;BjcE{k? 
z*`Rj{jDi*F^SHzD=oRWnlSa0nm+M&=_nZuK71b5H?kUe`+#KXeBXl`(;5HWZIyV{~ zOEJ35k-n9fJjQ?bKIwC8fjb9dorJteFFHqKm`gS&;ACxp!6hQNRWFShmM|AMIwPQ5 z+=1oH!@XhnZPH`JoR4P??Dk9jfO^6+2?TB$-9y-GaZvPxj;>ghc~mTcC`ZK#W@G~p zC(&uqbPGn3f8^s!VD0{fk7u;ZNX@w4ukUp<9|vnYy@$G_P))MxRXQyti+~V_Liotn z8H3~;!-)^^VuS5(@KX0&a^xvCUh~VEE)=bq=g-~Muc7+A886(t>AitZgDOUk{Q*v? z$FlioowX=Yi}t|{R+eFs=LmdOp#3aFrCEZOvI3JhxdBT@j%$no2-HuLSR3IGfI&@k z0KuWY>D_&M8ic}R=vLIQ=mBO|%h+kHNu>%^aWYk)iVKlpPu!&nMEO@p`NtdV6DjGC zqDbGM){;yWSvv#KdBhG(XGq;6Rjeut5J(N;i zOYYbe&fAw!Zl#p3itlE< zXZ@cERu3@sKRtDDb!PqVXae142=u6nKvJ>*C=mHNdlKj?olGEhwG7=Ff!{j(ayxDY z4k_IU(?i8?E!HP=;@Z;bR??C5tit~RB2TV(?1}p_4($h0}DA z`gUNX^a-kO%10j?qD=ZkS>MLytZ#L~O?BZJJ*2+vz|DgUJ^Q>itLPECzU_{FWtS9i zGT!vdpOmOc*5hI=I8} z%w?dw2R!`-iXTsbC`AAGFBi_1K_Fe%UZCvHg&?ff{2`yHFIGj$r}6-O-_Iw3D1=Wt zU3{uXXM2n>tmdQhT%ZjuXE#6L++M^<>P5D`4?Yfzl#he+;G;kk!bg>G3~-B&vs^0p zk>F~#mdFAfaHP}H^rRz^CK=L^l)4Nr3IaOetb^^EdMo>tVWxfG z-11&P``(rQBo}%?{iKvE=m|t2=n)lfKRL+VPaY=yz$u6ATx-j%Nc%}svPE;mQwT(v z{XjJRL=d^lI$nn z!2e#*PgdANJl3@4Wf*4XV4>r8ihE6lB6vd^IHXvE3eZ)?2Xl2RL2hMfh|;Y{0}bg` z_GY&-<&^lVj?5{qI=bHv@+bQlBoKu#sC)a9b$pE5pIjX&AA|hKem)9BA$*Me$^H

k%=MasZ z{2jNQJlfDlef{xuoll=2J6TG$r~^-&K$Pi6=xjUL?N9dF$<`Amj*GEf*5R^~x8u$j z1AYBvr+-|J)sZbE#Gl;JdS{S3O-hz_BoKwPBey$^QEHAmt&w<%KTYQCZGL}t1o#E{ z)1+j$zL31|LqdkwIAfB(JLkG(t~8{2jJ&Lk@7Lf z4)gO-APV7QY=`;nun}%M?5mOTHOLP0^Hm@U;cIud!=Q^u`{e({U5<|eQM>urz3eb3 z3BpI(VP7+RoN(8OzBfR-u=>j=?Jy}>`b&W*gpYvTr(e~&$1A^X@KVpLufNg8i+0!< zm}0XldH@T|b_C9EFeS@7Hbj|rMz9@LtK-f)ZbD71+YY-#==0G7Q#zkMw_+H+5OELg z`83LuEcCG<%A`-)HS{hMhd955arqrVA7{LBOpejYIxIXZhn}Zr$MxXurG}oBzn*xf zx>MQ_?Xb<*d1F`VTQ2(`$PSZ|r5y=GA??U*hY>%=4pZB4DR$Up2EPxcH%EY9kR2u^ z3w{Do2!6o9CnpxU<;3OE4mLjgQqtyIq;kTPOh9?q5M{Q5Xyk+^{_h)xKIz5lUhaJQ z1jz|0*`kh80#SgiyQk!Y*IQHPS~H8Q?5z|zu@QRH6^5Rx@7$+%54*l~mVFvDkSiri zI}(UO+EF+2BU~9NpMv}dem)6AA$*Gc2p&JeRgv;B$dBOXqd*kG$JmeH_al7O?MJve zQoaWH5&V1=h(h=p`w={Tgl~2^J_0X1rJ<`T2 zO8Y=c7X4Qs3b2#+fFI!&q0hKk*LOaBg6xB|DOuEbT}j3Ta1q`Vqcs@H_nYV_l~o!x9eM!egr95+L1sM(vG^BA7NvpdcSOp^ zAU}eij{;E$A7ej)-;eMUw;$ooNckG%NAUAiAPV7Y>__nU5jJ%>J_9 zc>c*Nulc*J*F@<@kdj5O5r{(gm}wt){0Mg&ywur;JoSl4N>MeS~T{7 zCmvz5p-=kbZ4uBX&^|CF3w;ElJ!&81+9jk;?;K)*>+vHf#4F!p==rmI{_>mpyE@w+ zcaokbQli$Cs!0|=>9my0cGM56s0l5&d6B37fKy|xlLJ(-l}G#8jJlLMq=-j z@%SH)eN^PYuGH4Nhi7qTi^2b)v*x_qG5AX{LI0MYp|{#u;NUMM3;qI8Kz(AC-dHBR zlLPUPc^vl|e13oWdnYX1+}ZpTze$CQpHedC)BhP?fhdHZnYh{OZg4)w_YGdp^j$VB zD!fY6G#6e{vfw2UwHvP`GCzg&@V-d#lJ+;hhg1LjcnL%yc)8mj_oV0cd~>lFWL`c0OMP|J5$OO3A`kfv6q$w@?1mi~QmL z1A7GjwK?z?h&l~_&3BPk4;uV8%o-R0|1Eh{qE2w(FD1+R9|BPb{;bMgSv=C+t{;jN zFR9nfu6FImOCSots{`6K>9Ez{f6sUO&FuVkO}-YW3f16R23krcUl(FM6@e%O|4hEx z{m{pF_Hd+l)oXpJx7y*-7yNh$L?L)px%8zvYyde1Uus31V>?{$E;kDIT(d(}lK4tH YeZ=5B<->n8MZ?cR)mtqul78y{0jNH}DF6Tf literal 0 HcmV?d00001 diff --git a/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json new file mode 100644 index 00000000000..dee61d9d371 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json 
@@ -0,0 +1,65 @@ +[ + { + "@timestamp": "2019-12-19T08:28:21.0305977Z", + "event": { + "action": "changed-distribution-group-account", + "code": 4760, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "group": { + "domain": "TEST", + "name": "testuni2" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testuni2", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", + "TargetUserName": "testuni2" + }, + "event_id": 4760, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3707745, + "task": "Distribution Group Management" + } + } +] \ No newline at end of file 
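Review bot: the 4760 golden maps TargetUserName to group.name but leaves TargetSid only in winlog.event_data, so there is no stable group identifier at the ECS level: the 4759 output above records this same SID (S-1-5-21-1717121054-434620538-60925301-2905) under the name "testuni", and after the change it appears here as "testuni2", so a search on group.name will not link the creation to the modification. Consider mapping TargetSid to group.id alongside group.name and group.domain, the same way SubjectUserSid is mapped to user.id.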
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4761.evtx b/x-pack/winlogbeat/module/security/test/testdata/4761.evtx new file mode 100644 index 0000000000000000000000000000000000000000..5928adae29bf34979c7f9802ede861fd6b936d79 GIT binary patch literal 69632 zcmeI5349gRy~oeJSqOoUpr8~Hf(xzz!cwCY1c4}J5ersrv5F)t5(qCOh~l$(Ds2@N z_flIG7hGz!w2BHFcC@65UPB)K=qU#SneDD`okQoD15zbLg&fl{N<4Uy?%Yb)#g5Hk7LA2Rv)yIFp- z`JUhX5Z}#B(&t!w{>*fe^i7hn$ZU)2-fiAb#j=&y=BA|WaG91KPk=|dk3rIDlkN&w z?(oBLOuMp=M?d~qanCuG4{nbY$6~5`?EFCotdXtq{S)u6-+jQ6Td#j}Vb!;8#h!4f zaXr=bc*`B+V^jA$HBl{7)oQV-$LH_jnSZwV@sZ*@wOlPyHTZEUe#ncBRP(V|y;`D< zQA6;zRL#LR)mUaW-Ves>0(?`aYVoO7&Bc;~@wpb?4^ijfx5aoJriS8g1l|o*75HDB z5Wm#=6puAEy^Uif$E|i|zM7%V#g^+mi7@bSO--jkFFB$gt|(B`J?YCJs|rii;ny$Y zSt-Ui`MO*+4azRUk4p9Ep#bW1~B|e$mB>-!Z zntwq@ z0+3pa-{L*GsoY!~_XY6$1id;3*I~EJQMdB0~ zQ>FO8Ccwvi{qxm{IDkAXL_~2hZYfV4gb&hk&VIf?O~%jX;<(jh_(LB{V7ucuc z!&PRBqps)%p$j~wpH6{?edOak6-DbUai5x5sfgy%)U*gP#ECq-p(}P^xuJRHX)BiG16M%K$H5K}&snFAQS!L=Je76|Kx)#R2RF$RdQyKQY0l#w( zx#T=`@bwqZTt4&KN$WO^8I^PBV@1gnw1ciVV#*c?5qw{?=Ah%Q*mc;WC5<0Vu0sRi zQaDa?@s^R5j|msjh{Qop@CHyLJoD-E^3bTJ0`?+x zmWNz?U%UvQdH4=9+t|-vqpP*X4D4Z*iWkMy-dujTS^i*u`5v&0**Ki@AfY~SaD7Q} zE$Jw;CM6o(N~|>}fHwmPiTZ2jw4i5DuIQQDf}S&Q)Xq|8Lr*q*F+*81Pp>)B=;^sG z&9E32;9AqyGGA+Xv|0BEe;<1$t?S;)E_!_@U0e1PP@0G5Vl*Ef7c>nXmvSTdKwol^ z=UB9RtHD0=_)Gy^2GDp>S4hl76H@SRF$9sly@pd@-t%*Jyys^&J{&`Mg=uOuEWZjz ziN{E9sm?PxI_4wI62f&UzM(G}o$ws;S^NiL4j*~F@vr~T)8?M{8_lhA8dBZnetQqQ$)<4z{!@GLZEE@3Xle>AT&Z&AReY2-PR==R?+M0N zjDW9v>gvw-73#j?<@byqaACpY*ZjIHo_ABfpM#0<4|m{gOMc;a?1k+QhTxlgJNL

WzId0M(lx`1`Qnp50OW9iMZ3MoJmdcFE){ZSMWqawh8{=ErxW~zDDMz=Zi76V= zKvFbpxqTssp?%T75#LmwKwH{IFONfrM;_x-a=e}F#oL1tR$Bb>SK!H&7lo4J3e#P? zg%_bsclG|b>~XO8If&p52=lEi%RGlIj%~TR)uris7h<^+5hIyt)M4HE(4}=b6R`AI z&}d$(GJ@&;L`Y$x#^Pcz+OV!zTH7ZcVYc}Rh7RY`f_l6VCd}IBGbxo_^+`SwXpUHD-@HWbG5KH1k+0Ao;byjkg zXzH!BGceb-{5mR6=ZKSGsCJIX$|xlROQ(J`m08+3T~NQ|{IHA84;f!;4 z)M_))y~Lb?^;!Y5;I#M9-v%>?T4Zy&o5*LzN)B5*Jw+?-a|*LBd3_i4Ubij#eA)XE z%u;l|INPfheHrL#p^UU^fm5Jq9r8owlm6EI?RC@JYXeE?qKy}ISH;xnq?G+;6`r!+ zdn2D_t;()!*01cwW`7>DF)R;$my}IQ%K~jO<-I3mN zBwmN(o1^f0F#gK%+i?8pM=4%hwTdJT%T}YKMQW8=ygvocs8-SEnW9<+R-1f&D5_O> zo+qkR;8=p^Z?4MIwaTH+TIE!n^LQp3eX?f`S-P;~tUdFm-#A?TxyvET#-elB)GF*J zj%pRO@Q`Yiw6h;SU-mP_T%9R?(QA~nvuk&a;_olcU^ClGyT%A^Px4`A7=GS|^FZ9< zv1q4u&UOgCNy)kjk!$;B1ScVvos0ZUpL5D28@97hoyit(wNk=v0<8#7tf z8M&$l04C>{%qf{aB2)JAOTO1<5PGYzcrW>8Ci&w#OdK7L*3LfoXZySTdE@3K$8El# z?2x@{&iun&Z&ab;Im4@>Smnt$frF6iyT7mCuHrEsgNJ4%onxPcI?Ny1GaOr+g>7hX!j2&8|;*UvAbF#;TI>GwHi+C%4)^m{_1F#>3wDgCplmmKj*f@q8Y$1ux? z-_95#ApN){i?7TJovdRgHZsI8l2m$ zi{I<|7mVS1(G2P99*tPek46DRqX2@#_ySjZM%4(MPO#UtD9&EjSb5(>uj};c^AlHQ zu^QQ$jb7I^^LC%zYw>r>rmt$sTh{ZcRky|xqX4eQ+m=QFq&=oEc>Xjwn>N>FrQM(D z+LoVXnX9tebgsC?{?<0_tDnPJy{&CH`|oGd7?sz|l~^3Fm&rNQV0>kSRH_tD*BMAL z%&I6BDm4g@D(!KdQO{h|GZ*#DWpGD>)??xGQ7puTm%P|uHvCO9S3F0tu%lw3T$St( zD{3wlCJZx*g;6YAinf`!i_lnnh^}Nsaui+3n#tXLQe)voPh60w3*U!PZHr=I6bt1p zZ+S8Im6#n@7k>D>zC%aru}}=tu7;A&pCwnp(RHV2)AqRYX3o1t*PZgtDDk4`y3^>o z(~i0BbnQ0ZwI{hev9Xw(mpR{Z!EuM$okn?1l;=cwPJ8p5)ay=@^PI;_o)e4iP3?_uYv%l? zotMbS@s!ct|A*$_aE<7b8BC&kQ=?DmV0XWg-{0wvl#lLB&2#6`b*FBN;o07Ey*UV@ zds9~fQC{p{_1@GSech>4f$3d$I_H$dMc4g);>5>>Pnz+~Gx`;`_qtO_4K_sMi=%2J zsz#z}q`lQh>iFX1YUDTB=yi>*JC!*`TkLO5yN5JbIr!P|7xB8&V0=a5fk!ExuIo<4 zF#F=Z!g|8(8uT*G^X7`+rBQl*za`#WG*ybTV7ZnWf_Wbjj}lzd%z4N8dcl?Y>(|TQ z`Nu;WWZvXw*g?8QKSDXb$pdG(4W(_3mNW;USX6K18E7^2p3SW?(*e;y*+(dAy0IXw*g?nc0Uo(|VA{#fHbk>UR#x4iAwmJVc{5^2p3S zRAXaomhdhgZ%^@}>It|r;7rWlRf^A? 
z_qWu{Ew&teNu`(@j3bt7ai6IPSb8aHms)R5t~&2m8577k>Np<-=K_~leIz2XNZ?#< zyxv1^OV1j??R)+hmxAl)ZRC?H^BKN=$M7Bb{1HPR4ZZ!j_=;rD9~Jo;Wr45Vb~E9t zv&EBf464-ZAm8sAzVDT9{vbPiMKbv^{)t9e;M-pNWeb2U3*VvGo9`LE|9;%TM{Ew= zepfpDgGeUd^{`*j$ia7v^7HY%68@nIE&d#|{8HS#yAFSx=dV<8F7hSbd(KeF+`Ket zrbe44?-0fIU6<76S1UzMZ11Iby~Oa^zWwf*;qzMR;3bmDYbfd$(a6E;&;YM}z-t=z zuO6)Q%$lX>iKoY`Pa$KsW6o2}`Pu0qNp~*plP>k0=Re7Xd=ACyrG`(JYgV2dKA#m1 zJ|bE8h(-=RBLaMAPpN!3TdF_%D5K3e_{^CoNo1+_$LJ&VFs*1Ba)7w~e@Bsl%v?CoggYAy9U~(>4+7x>WQY~nr z7nQk;UP3Gg`7C*m3#6#a443C7kM0C6Gr$Gi4(h!9)E2zp(by=Gg^Ot9upjmh@JtB% z2gv0d&(qlbCFS_V-A6)k+Mk*ICx^?;{vZ3=$kVc87b02Ok7(rB|IF>e_PHdJY8N`! zLjEUq!FF?n;nH_>MJI4^`4y2YTtp)WmyYl&HmOvpGD?SA| z(XWU`4o+>2Pc|EOd@_94kw-4{FKf}%uQYt#8dZLl-@eWtbikTQtU=7l{f}&>(*MY5 z)!5kiEbu1h&Gn{U<1!UklfUy;yjR5rsvPxc&Zj(|S%T+Sk$3U7-oxhKr__!Y__{sz zH!RTycefS25_c2qg|*TdsWbucW(KOC@rXJLj2B+K*LD5gyWs9gxBc_Bw!Vhk6IBKs6@(FXtj&fQY;dvk(tPuEN@nc?<8%JQwk2uva54!fPYe zr~BV>R~~2J%hrQ-N&75?onB?^v-eMK3)p8^{o@Ueyg($2pA(H7?RPNPOaHh#ANTWu z@u2VZUV%O{CT8lvYFzT~IXF(}15MQ2^VD(VLO#sHuQq&6pLSoJ-+sg5{(MWU1m|(c zf%fwx+S#>+N3W0jZS#3_g#SMVjY0hXh8WH}LF$e?<5L<%-p+>i9(!ee&a|HuuUh!i z8~b0q96oGGp|4lM|MU2!_444CN{NE4Ua^DNz|7hYJQ>HFx`p4Bz zrAC0C-*o5OJ?Y=^;QRV@Bg^)Ed_djWZA%`ifa)d!9ErCQ0eDA5dgg(6H4&gYVh?3Y zr7bhHmSYqg!Y2KB25Sw&S|$qcdSA+7G%&Jyn0`O@?*4xaVIJBPoKs(oce; zI=BS?@R)*wJ_~=zGp8=ZS<_*NOEZxb&%l3w=2WZ{_w1K;Onbi0*zsF+9}oOx=>0bH z9C1PA-&P7TN{8oVP@hu9#!v59s~bG_d1 zIQ_uf1H$KVxr2vD79OIJgU7G{k3k@lTu*D8Zh$?~(n}RBl-_@~XQO0fQ{wHBXL{dp zscKkm>KZ}~{aNHiJ7RtHeZ%eT{nvE@H&;J|NEU9Qk%QZy05|3vGtf?%(Mg|-oEabk zW*K@04x1JI>Qc{R*?GndGxv~(a9LxxT=Q@DjtJkLTwFx5a1o6~qEYC)Y@2H?&qq@gUd#u6WO(iK?$#&5=jF-=L^65J!bI(&k%Lzz`G8Hs zoe$_1S4R%CpEL1#qv7$_g*z7gCiM2^Ixj1d$>Uj!s}hYIJi9`6qH# z@(}-Zi{Y|*#HXFW#pS<5vTzZN99+WoU$(Vn;=i=bCHXIMzSZ!(rT^|R;rlO_-HBx3 zD;hcYw$1Krub*1?=%|UlSh2ebaJkKJ`Tm`g>%-^b@?#>ITz*vSYvkb4em`b2O3#mJ zZg3XlCGqff!>!?yO-)Z{B_4`oa{CPZj-ru+TPE?)CghHXj{Iw#;gK`p<(s#L&co%u zL^64t3Of>w96ZAIUpB)`{Ff%1 zU)r|l_Ln9T4%QEM8y*+G_O(vn;flK=nLHjYR7x~*@MwSBwJD_+ccp$v#9ihsKNdfD 
z>t8y7n=6m|)JP_`&oCZSG;(ljTOMb#O3mXm7u4sH$FZH=W4QeN@}3`t-@aV&S0oD; z(a6Ci?D%UF%q0FMY%b`($oVIRZ^Li@GyZDm@xf(xB3b;GXyoAAHoLREeyZJ>JUG`o zkHkEf`S87l%Z#myE5hgE@?#=dxQIp$F75YYHly_Xn6rMk&v1M5w1IW6g>Fx-cqo#| zjr|~^k%L<%@z5sZj)$5^SBZ!8Uq3ZGj(+r^&)x`~hs%G7Wb*h?cV8n1kFfoh%`g-H z<*Xl0z#gqPe4l&pwH-S{=X;~$e7Q&_-xH93iAD~-UseA2f&Sik-$ghVUWYThr5J(1 zcU5>d0cU-e;hZnWhwxgE#TYZdxs2+tgq#abz6Qi5+aH!c1M3I3B-@ek>NtN+ep2`U z%y2yF)v{~f3!S5@-HK##d>A8~L?Z{sOxmp-Gu`dhk;ner@c8J`F`dA}<^M%8d2pbO zXyoA0e*bS%O3(jmYDwcT?l;^H+;2xGaC7AoB3ZbJMh3Qf~+R7x`{9eDB{jk%W=k{k%Mn0?b&AKZqJVV_7{f7M>h@X1Rk!qAd<=BGVl!D#RWsH!0M-c#Bl4jaZ4v~bLAN#S-6Qt4sLDBGi+9=c}7Zp%Y5Te!)3u~ zo2Q1~zFb^Hva~PJsKdC}UO$yfB992>Uz-h=L#~)`QTSY3?Mx(-OMSjlqLG73``ek# zD7|);;1wiq5yeDwLI z&qC+n%D+T1d7OarxT2B6j=t#m7kZaINXox{W%#aqYQ;a)gJIv#(ZyFJlkcfGZz&pO zfv+6_GRbdsY~c0E!_{EswNg+0+VFko(KWH$(D}OZFOf{XyK#O~G;;9Gq&?fL-0fLY z87Aii=;t0YJYK(ceJAj6#RZW}9uFX07L6P{+8-BeO6kP~P0gH-qa87>{>E_2U2#G@ zd^>XG86uh7W?{UxXyo7)X8wgM=_JqK>*I#YPj(#ND?407va~PJsKdC}k+Zq{3*QTu z3UK+Y;j-$XG2O?RxiAD}?;pPV? 
zkO%!a+u5^*%fln?=>#q=|0R;ir3QJEXyo7$w*RuNE%W-u+~+|27dby?_}=%y#m{EP z?nJWKooM9X+cvwiBWH8@7w+>Qc2@x|TMd_EKF^Q$4&AT2{Fq24m%ky85RDvM+V96~ zM(O!6oo!(J4|z%c^}ONs`ie`=*e7&uu6QVt$?ZyT6OA0)GKq&aA$L5~L{V>zC?y&>c!cf0Y=)WmFHM$r1-j_|cg25^^9zRWH-@j8wSVY* zUG^rD$@fs?U!swNZzlF;`+B#%=}aPVzMJjvcZSD~!rMB5hs$q?WZ@wiIe4_+Z`qX6 z^IL|RfBhi+{)>iN{iVm89=;v9@-LAr+(aV>x3M*;ry?(0QY2S|A zRP3$-T>fCVth(%%w};Qg<;O&_a1o6hT-xu)Y)0w%G0hE~D&!^k*Gq=m=piqSACQ%J zD3Zx-E%FV~$iXd>cxV%H$3sIz@~@%L;AO+(l?N_-eqiW4T=#tv$>hQFH=>b)M>g*J zgb_#NMEha;d&TfNYRqMwz-yu7x&)C-UVCtUM>KNq>aYCk68hk}gcEW1G+t@Idk&xH zU4>AEs}C07ss!H0&-UJ&dyn_6oarvN;Mh-3=Ye#m=qyM(=A7)yeZAY&eUK_SvIVOBwE;|y*((Xhf2d~WR$mY?U9VNW8 ze_n@ie~01ni?2=G7CskOJ|&XLWkj*Bk%LRv`IJpElYA;bR~1V>MZf>L;d|{RpY$Fa zdOLO1gCd!Hx1gPhMh?E2#6R16x#OSCGK|E_NL*o^V`pK z0vDJ663N0vG;(kW+ke^CmWlt;Hdn9baT5PU&N~g?|N8N|L&I;cF1r)SLFA=kcNNfNm*H~KM~8nad@e3OCX&g8<7Y%82bcEyF`H3(eoV(i+=qg^ zq#pc}wAYu$Y#Nf4c(~I@CbzN3H$)=`w@l)pO~@S&H4*E&_O}d=x=;T(V|eI1T>eWW zlgC>a4D5)0qq4$RBzx@?*IS83S>W5=_`vxK zFz>m<2j+Ee8@|16K6}@g(D}OZTaiq@d(fUmBM0A1+Oy5d-JW&S>=Ddw-!VMy{mzO` z;Ngl3B3XEdMh+hBj|(=X^x}f1hS@qKE-x zDmBm0TySp+^5DE<1$fQHJRkYqli$g_V|*`@iFmU@a2{9f12IPgxq7o^c;hR01z!nQ Y;G^-TqrWx!ng_PWj>MG*Rru+D0aK_hm;e9( literal 0 HcmV?d00001 diff --git a/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json new file mode 100644 index 00000000000..ded73373373 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json 
@@ -0,0 +1,65 @@ +[ + { + "@timestamp": "2019-12-19T08:29:38.4487328Z", + "event": { + "action": "added-member-to-distribution-group", + "code": 4761, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "group": { + "domain": "TEST", + "name": "testuni2" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", + "TargetUserName": "testuni2" + }, + "event_id": 4761, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3707755, + "task": "Distribution Group Management" + } + } +] \ No newline at end of file 
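Review bot: the member being added in the 4761 output is not reflected in related.user, which lists only the subject "at_adm" even though event_data carries MemberName "CN=Administrator,CN=Users,DC=TEST,DC=SAAS" and MemberSid "S-1-5-21-1717121054-434620538-60925301-500"; a query for everything touching the Administrator account would miss this membership change. Consider adding the member to related.user (the CN has to be extracted from the DN, since the value is an LDAP distinguished name rather than a sAMAccountName, and the member may be a group or computer rather than a user) or at least surfacing MemberSid in a dedicated field.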
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4762.evtx b/x-pack/winlogbeat/module/security/test/testdata/4762.evtx new file mode 100644 index 0000000000000000000000000000000000000000..ca909040c8f0a95c3e50561194a41ca4e691a7b8 GIT binary patch
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json new file mode 100644 index 00000000000..4b346ef8e59 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json
@@ -0,0 +1,65 @@ +[ + { + "@timestamp": "2019-12-19T08:33:25.9678735Z", + "event": { + "action": "removed-member-from-distribution-group", + "code": 4762, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "group": { + "domain": "TEST", + "name": "testuni2" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "related": { + "user": "at_adm" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", + "TargetUserName": "testuni2" + }, + "event_id": 4762, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3707841, + "task": "Distribution Group Management" + } + } +] \ No newline at end of file 
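Review bot: the group SID is available in this hunk as event_data.TargetSid ("S-1-5-21-1717121054-434620538-60925301-2905") but only group.name ("testuni2") and group.domain are populated; mapping TargetSid to group.id as well would let detections key on the stable identifier rather than on a name that can be changed by a rename, which matters for membership-change events like this one. It would also be worth extending the fixture, or adding a sibling one, where event_data.PrivilegeList is not "-", since this case cannot show whether a populated privilege list is dropped or mapped.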
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4763.evtx b/x-pack/winlogbeat/module/security/test/testdata/4763.evtx new file mode 100644 index 0000000000000000000000000000000000000000..1f75bec6aa635cb75f814fb6a8cc3db3d87280dd GIT binary patch