[8.19/9.1]Add Winlog fields for the ETW security events (#633)

* initial commit

* add winlog fields

* add sample_event.json

* fix typo

* custom documentations

* add generated files

* fix format of sample_event.json

* add generated file

* change custom documentation

* add generated files

* Delete custom_documentation/doc/endpoint/security/windows/windows_security_auditing_added_user_account.md

* Delete custom_documentation/doc/endpoint/security/windows/windows_security_auditing_group_membership_enumerated.md

* Delete custom_documentation/doc/endpoint/security/windows/windows_security_auditing_network_share_object_added.md

* Delete custom_documentation/doc/endpoint/security/windows/windows_security_auditing_scheduled_task_created.md

* Delete custom_documentation/doc/endpoint/security/windows/windows_security_auditing_scheduled_task_updated.md

* Delete custom_documentation/doc/endpoint/security/windows/windows_security_auditing_service_installed.md

* Delete custom_documentation/doc/endpoint/security/windows/windows_security_auditing_user_member_enumerated.md

* Delete custom_documentation/doc/endpoint/security/windows/windows_security_auditing_vault_credentials_were_read.md

* update malicious behavior alert custom documentation

* add generated file

* Update custom_schemas/custom_winlog.yml

Co-authored-by: Leszek Kubik <39905449+intxgo@users.noreply.github.com>

* Update wording

* added genereated files

* removed unnessesary fields for index

* add generated files

* adjust the sample_event.jspn

* updated custom documentation

* add generated file

---------

Co-authored-by: Mark Mager <42077975+magermark@users.noreply.github.com>
Co-authored-by: Leszek Kubik <39905449+intxgo@users.noreply.github.com>
Co-authored-by: Mark Mager <mark.mager@elastic.co>

Author: 3 people

custom_documentation/doc/endpoint/alerts/windows/windows_malicious_behavior_alert.md

@@ -119,4 +119,5 @@ This alert occurs when a Malicious Behavior alert occurs.
 | user.name |
 | user.target.domain |
 | user.target.name |
+| winlog.*<br /><br />winlog contains information about the Windows Event Log. |
 

custom_documentation/doc/endpoint/security/windows/windows_security_auditing_log_off.md

@@ -0,0 +1,46 @@
+# Windows User Log Off
+
+- OS: Windows
+- Data Stream: `logs-endpoint.events.security-*`
+- KQL: `event.action : "log_off" and event.dataset : "endpoint.events.security" and event.module : "endpoint" and event.provider : "Microsoft-Windows-Security-Auditing" and host.os.type : "windows"`
+
+This event is generated when a user logs off from the computer.
+
+| Field |
+|---|
+| @timestamp |
+| Target.process.Ext.authentication_id |
+| agent.id |
+| agent.type |
+| agent.version |
+| data_stream.dataset |
+| data_stream.namespace |
+| data_stream.type |
+| ecs.version |
+| elastic.agent.id |
+| event.action |
+| event.category |
+| event.code |
+| event.created |
+| event.dataset |
+| event.id |
+| event.kind |
+| event.module |
+| event.outcome |
+| event.provider |
+| event.sequence |
+| event.type |
+| host.id |
+| host.name |
+| host.os.type |
+| message |
+| process.Ext.authentication_id |
+| process.Ext.code_signature.exists |
+| process.Ext.code_signature.status |
+| process.Ext.session_info.logon_type |
+| process.code_signature.exists |
+| process.code_signature.status |
+| user.effective.domain |
+| user.effective.id |
+| user.effective.name |
+

custom_documentation/doc/endpoint/security/windows/windows_security_auditing_log_on.md

@@ -0,0 +1,83 @@
+# Windows User Log On
+
+- OS: Windows
+- Data Stream: `logs-endpoint.events.security-*`
+- KQL: `event.action : "log_on" and event.dataset : "endpoint.events.security" and event.module : "endpoint" and event.provider : "Microsoft-Windows-Security-Auditing" and host.os.type : "windows"`
+
+This event is generated when a user logs on to the computer.
+
+| Field |
+|---|
+| @timestamp |
+| Target.process.Ext.authentication_id |
+| agent.id |
+| agent.type |
+| agent.version |
+| data_stream.dataset |
+| data_stream.namespace |
+| data_stream.type |
+| ecs.version |
+| elastic.agent.id |
+| event.action |
+| event.category |
+| event.code |
+| event.created |
+| event.dataset |
+| event.id |
+| event.kind |
+| event.module |
+| event.outcome |
+| event.provider |
+| event.sequence |
+| event.type |
+| host.id |
+| host.name |
+| host.os.type |
+| message |
+| process.Ext.authentication_id |
+| process.Ext.code_signature.exists |
+| process.Ext.code_signature.status |
+| process.Ext.code_signature.subject_name |
+| process.Ext.code_signature.trusted |
+| process.Ext.protection |
+| process.Ext.session_info.authentication_package |
+| process.Ext.session_info.failure_reason |
+| process.Ext.session_info.logon_process_name |
+| process.Ext.session_info.logon_type |
+| process.Ext.token.elevation |
+| process.Ext.token.impersonation_level |
+| process.Ext.token.integrity_level_name |
+| process.code_signature.exists |
+| process.code_signature.status |
+| process.code_signature.subject_name |
+| process.code_signature.trusted |
+| process.command_line |
+| process.entity_id |
+| process.executable |
+| process.name |
+| process.parent.executable |
+| process.pid |
+| source.ip |
+| user.domain |
+| user.effective.domain |
+| user.effective.id |
+| user.effective.name |
+| user.id |
+| user.name |
+| user.target.domain |
+| user.target.name |
+| winlog.event_data.KeyLength |
+| winlog.event_data.LmPackageName |
+| winlog.event_data.LoginGuid |
+| winlog.event_data.PrivilegeList |
+| winlog.event_data.RestrictedAdminMode |
+| winlog.event_data.Status |
+| winlog.event_data.SubStatus |
+| winlog.event_data.TargetInfo |
+| winlog.event_data.TargetLinkedLogonId |
+| winlog.event_data.TargetLogonGuid |
+| winlog.event_data.TargetServerName |
+| winlog.event_data.TransmittedServices |
+| winlog.event_data.VirtualAccount |
+| winlog.event_data.WorkstationName |
+

custom_documentation/doc/endpoint/security/windows/windows_security_auditing_workstation_locked.md

@@ -0,0 +1,41 @@
+# The workstation was locked.
+
+- OS: Windows
+- Data Stream: `logs-endpoint.events.security-*`
+- KQL: `event.action : "workstation_locked" and event.dataset : "endpoint.events.security" and event.module : "endpoint" and event.provider : "Microsoft-Windows-Security-Auditing" and host.os.type : "windows"`
+
+This event is generated when the workstation was locked.
+
+| Field |
+|---|
+| @timestamp |
+| Target.process.Ext.authentication_id |
+| agent.id |
+| agent.type |
+| agent.version |
+| data_stream.dataset |
+| data_stream.namespace |
+| data_stream.type |
+| ecs.version |
+| elastic.agent.id |
+| event.action |
+| event.category |
+| event.code |
+| event.created |
+| event.dataset |
+| event.id |
+| event.kind |
+| event.module |
+| event.outcome |
+| event.provider |
+| event.sequence |
+| event.type |
+| host.id |
+| host.name |
+| host.os.type |
+| message |
+| process.Ext.session_info.id |
+| user.effective.domain |
+| user.effective.id |
+| user.effective.name |
+

custom_documentation/doc/endpoint/security/windows/windows_security_auditing_workstation_unlocked.md

@@ -0,0 +1,41 @@
+# The workstation was unlocked.
+
+- OS: Windows
+- Data Stream: `logs-endpoint.events.security-*`
+- KQL: `event.action : "workstation_unlocked" and event.dataset : "endpoint.events.security" and event.module : "endpoint" and event.provider : "Microsoft-Windows-Security-Auditing" and host.os.type : "windows"`
+
+This event is generated when the workstation was unlocked.
+
+| Field |
+|---|
+| @timestamp |
+| Target.process.Ext.authentication_id |
+| agent.id |
+| agent.type |
+| agent.version |
+| data_stream.dataset |
+| data_stream.namespace |
+| data_stream.type |
+| ecs.version |
+| elastic.agent.id |
+| event.action |
+| event.category |
+| event.code |
+| event.created |
+| event.dataset |
+| event.id |
+| event.kind |
+| event.module |
+| event.outcome |
+| event.provider |
+| event.sequence |
+| event.type |
+| host.id |
+| host.name |
+| host.os.type |
+| message |
+| process.Ext.session_info.id |
+| user.effective.domain |
+| user.effective.id |
+| user.effective.name |
+

custom_documentation/src/endpoint/data_stream/alerts/windows/windows_malicious_behavior_alert.yaml

@@ -124,6 +124,7 @@ fields:
   - user.name
   - user.target.domain
   - user.target.name 
+  - winlog.*
   details:
     Events.*:
       description: 'Events is a list containing embedded copies of all events that
@@ -147,3 +148,5 @@ fields:
       description: 'registry contains the registry data from the primary event in
         Events. It can contain any fields that any other events includes within the
         registry fieldset. '
+    winlog.*:
+      description: 'winlog contains information about the Windows Event Log.'

custom_documentation/src/endpoint/data_stream/security/windows/windows_security_auditing_log_off.yaml

@@ -0,0 +1,50 @@
+overview:
+  name: Windows User Log Off
+  description: 'This event is generated when a user logs off from the computer.'
+identification:
+  filter:
+    event.action: log_off
+    event.dataset: endpoint.events.security
+    event.module: endpoint
+    event.provider: Microsoft-Windows-Security-Auditing
+    host.os.type: windows
+  os:
+  - windows
+  data_stream: logs-endpoint.events.security-*
+fields:
+  endpoint:
+  - '@timestamp'
+  - Target.process.Ext.authentication_id
+  - agent.id
+  - agent.type
+  - agent.version
+  - data_stream.dataset
+  - data_stream.namespace
+  - data_stream.type
+  - ecs.version
+  - elastic.agent.id
+  - event.action
+  - event.category
+  - event.code
+  - event.created
+  - event.dataset
+  - event.id
+  - event.kind
+  - event.module
+  - event.outcome
+  - event.provider
+  - event.sequence
+  - event.type
+  - host.id
+  - host.name
+  - host.os.type
+  - message
+  - process.Ext.authentication_id
+  - process.Ext.code_signature.exists
+  - process.Ext.code_signature.status
+  - process.Ext.session_info.logon_type
+  - process.code_signature.exists
+  - process.code_signature.status
+  - user.effective.domain
+  - user.effective.id
+  - user.effective.name

custom_documentation/src/endpoint/data_stream/security/windows/windows_security_auditing_log_on.yaml

@@ -0,0 +1,87 @@
+overview:
+  name: Windows User Log On
+  description: 'This event is generated when a user logs on to the computer.'
+identification:
+  filter:
+    event.action: log_on
+    event.dataset: endpoint.events.security
+    event.module: endpoint
+    event.provider: Microsoft-Windows-Security-Auditing
+    host.os.type: windows
+  os:
+  - windows
+  data_stream: logs-endpoint.events.security-*
+fields:
+  endpoint:
+    - '@timestamp'
+    - Target.process.Ext.authentication_id
+    - agent.id
+    - agent.type
+    - agent.version
+    - data_stream.dataset
+    - data_stream.namespace
+    - data_stream.type
+    - ecs.version
+    - elastic.agent.id
+    - event.action
+    - event.category
+    - event.code
+    - event.created
+    - event.dataset
+    - event.id
+    - event.kind
+    - event.module
+    - event.outcome
+    - event.provider
+    - event.sequence
+    - event.type
+    - host.id
+    - host.name
+    - host.os.type
+    - message
+    - process.Ext.authentication_id
+    - process.Ext.code_signature.exists
+    - process.Ext.code_signature.status
+    - process.Ext.code_signature.subject_name
+    - process.Ext.code_signature.trusted
+    - process.Ext.protection
+    - process.Ext.session_info.authentication_package
+    - process.Ext.session_info.failure_reason
+    - process.Ext.session_info.logon_process_name
+    - process.Ext.session_info.logon_type
+    - process.Ext.token.elevation
+    - process.Ext.token.impersonation_level
+    - process.Ext.token.integrity_level_name
+    - process.code_signature.exists
+    - process.code_signature.status
+    - process.code_signature.subject_name
+    - process.code_signature.trusted
+    - process.command_line
+    - process.entity_id
+    - process.executable
+    - process.name
+    - process.parent.executable
+    - process.pid
+    - source.ip
+    - user.domain
+    - user.effective.domain
+    - user.effective.id
+    - user.effective.name
+    - user.id
+    - user.name
+    - user.target.domain
+    - user.target.name
+    - winlog.event_data.KeyLength
+    - winlog.event_data.LmPackageName
+    - winlog.event_data.LoginGuid
+    - winlog.event_data.PrivilegeList
+    - winlog.event_data.RestrictedAdminMode
+    - winlog.event_data.Status
+    - winlog.event_data.SubStatus
+    - winlog.event_data.TargetInfo
+    - winlog.event_data.TargetLinkedLogonId
+    - winlog.event_data.TargetLogonGuid
+    - winlog.event_data.TargetServerName
+    - winlog.event_data.TransmittedServices
+    - winlog.event_data.VirtualAccount
+    - winlog.event_data.WorkstationName