Hi,
So this is something I looked into some time ago. I'd approach this by adding a new field during parsing with the logstash plugin called translate.
Microsoft provides a table with the codes:
(https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776)
+------------+----------------------------------------------------------------------------+
| Error Code | Description                                                                |
+------------+----------------------------------------------------------------------------+
| 0xC0000064 | The username you typed does not exist. Bad username.                       |
| 0xC000006A | Account logon with misspelled or bad password.                             |
| 0xC000006D | Generic logon failure. Some of the potential causes for this:              |
|            | - An invalid username and/or password was used                             |
|            | - LAN Manager Authentication Level mismatch between the source and target  |
|            |   computers.                                                               |
| 0xC000006F | Account logon outside authorized hours.                                    |
| 0xC0000070 | Account logon from unauthorized workstation.                               |
| 0xC0000071 | Account logon with expired password.                                       |
| 0xC0000072 | Account logon to account disabled by administrator.                        |
| 0xC0000193 | Account logon with expired account.                                        |
| 0xC0000224 | Account logon with "Change Password at Next Logon" flagged.                |
| 0xC0000234 | Account logon with account locked.                                         |
| 0xC0000371 | The local account store does not contain secret material for the specified |
|            | account.                                                                   |
| 0x0        | No errors.                                                                 |
+------------+----------------------------------------------------------------------------+
That is a great dictionary for the translate plugin:
https://www.elastic.co/guide/en/logstash/7.17/plugins-filters-translate.html#plugins-filters-translate-dictionary
The table is not big, but it might grow, so I'd still use the option below, which is dictionary_path.
So the whole plugin would look something like this:
translate {
  # event 4776 carries the NTSTATUS code in the Status field, e.g. 0xC000006A
  source          => "[winlog][event_data][Status]"
  # new field holding the description; the original Status field is kept as-is
  target          => "[winlog][event_data][Status_translated]"
  # flat YAML file of "code": "description" pairs, reloaded when it changes
  dictionary_path => "/etc/logstash/conf.d/beats/dictionaries/failed_logins.yaml"
  # written to the target field when the code is not in the dictionary
  fallback        => "no match"
}
As a result, logstash would create a winlog.event_data.Status_translated field next to the original one that holds the code. On it you can visualize, create alerts, etc.
Hope this helps! 💪
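To make the answer above concrete, here is an added example (not part of the original post, and not Logstash's own code) that generates the failed_logins.yaml file from the table and models what the translate filter does to an event: an exact whole-string lookup of Status with the "no match" fallback. It makes two assumptions a practitioner should check. First, the keys in the YAML file must be quoted: a YAML 1.1 loader reads an unquoted 0xC000006A as the integer 3221225578, which never matches the event's string. Second, the lookup is an exact, case-sensitive string match, and the hex letters in a real event's Status value are not necessarily capitalized the way Microsoft's table writes them, so the code below compares keys case-insensitively (in a real pipeline that is a mutate { uppercase => [...] } before translate, or keys written in the event's case). The sample events are constructed in winlogbeat's winlog.event_data layout (TargetUserName, Workstation, Status) and are not real log data; the one code not in the table is there to exercise the fallback.

```python
import json

# Status -> description pairs from Microsoft's event 4776 table as quoted in the post.
# The 0xC000006D and 0xC0000371 entries are condensed to one line each.
STATUS_DESCRIPTIONS = {
    "0xC0000064": "The username you typed does not exist. Bad username.",
    "0xC000006A": "Account logon with misspelled or bad password.",
    "0xC000006D": "Generic logon failure (invalid username/password, or LAN Manager Authentication Level mismatch).",
    "0xC000006F": "Account logon outside authorized hours.",
    "0xC0000070": "Account logon from unauthorized workstation.",
    "0xC0000071": "Account logon with expired password.",
    "0xC0000072": "Account logon to account disabled by administrator.",
    "0xC0000193": "Account logon with expired account.",
    "0xC0000224": 'Account logon with "Change Password at Next Logon" flagged.',
    "0xC0000234": "Account logon with account locked.",
    "0xC0000371": "The local account store does not contain secret material for the specified account.",
    "0x0": "No errors.",
}

FALLBACK = "no match"  # same value as fallback => "no match" in the filter above


def render_dictionary_yaml(mapping=STATUS_DESCRIPTIONS):
    """Render the mapping as the flat YAML file that dictionary_path points at.

    Every key and value is emitted as a double-quoted scalar via json.dumps: a JSON
    string is a valid YAML double-quoted scalar, so the embedded quotes in the
    0xC0000224 text are escaped correctly, and quoting the keys stops a YAML 1.1
    loader from turning 0xC000006A into an integer that can never match the event.
    """
    lines = ["# Windows event 4776 Status code -> description (generated file)"]
    for code, text in mapping.items():
        lines.append(f"{json.dumps(code)}: {json.dumps(text)}")
    return "\n".join(lines) + "\n"


def translate_status(event, mapping=STATUS_DESCRIPTIONS, fallback=FALLBACK, casefold=True):
    """Model the translate filter: exact whole-string lookup, fallback on a miss.

    The real lookup is case-sensitive; casefold=True adds the case-insensitive
    comparison discussed in the lead-in (assumption: the event's hex letters may not
    match the table's capitalization). Adds Status_translated next to Status.
    """
    data = event.setdefault("winlog", {}).setdefault("event_data", {})
    status = data.get("Status")
    if status is None:
        return event  # nothing to look up; leave the event untouched
    if casefold:
        table = {k.casefold(): v for k, v in mapping.items()}
        hit = table.get(str(status).casefold())
    else:
        hit = mapping.get(str(status))
    data["Status_translated"] = hit if hit is not None else fallback
    return event


# Constructed sample events in winlogbeat's field layout (not real log data).
SAMPLE_EVENTS = [
    {"winlog": {"event_id": 4776, "event_data": {"TargetUserName": "jdoe", "Workstation": "WS01", "Status": "0xC000006A"}}},
    {"winlog": {"event_id": 4776, "event_data": {"TargetUserName": "jdoe", "Workstation": "WS01", "Status": "0xc000006a"}}},  # lowercase hex
    {"winlog": {"event_id": 4776, "event_data": {"TargetUserName": "svc-backup", "Workstation": "WS02", "Status": "0xC0000234"}}},
    {"winlog": {"event_id": 4776, "event_data": {"TargetUserName": "jdoe", "Workstation": "WS01", "Status": "0x0"}}},
    {"winlog": {"event_id": 4776, "event_data": {"TargetUserName": "ghost", "Workstation": "WS03", "Status": "0xC00000DC"}}},  # not in the table
]


def failures_by_workstation(events):
    """Count non-success translated statuses per source workstation: the kind of
    aggregation an alert built on Status_translated would run over."""
    counts = {}
    for ev in events:
        data = translate_status(ev)["winlog"]["event_data"]
        if data["Status_translated"] == "No errors.":
            continue
        key = (data.get("Workstation"), data["Status_translated"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print(render_dictionary_yaml())
    for ev in SAMPLE_EVENTS:
        d = translate_status(ev)["winlog"]["event_data"]
        print(f'{d["Status"]:<12} {d["Status_translated"]}')
    print(failures_by_workstation(SAMPLE_EVENTS))
```

Running the block prints the generated YAML (which can be written to the dictionary_path file as-is), the per-event translations, and the per-workstation counts; the lowercase 0xc000006a event resolves only because of the case-insensitive comparison, and the code absent from the table lands on "no match", which is what the fallback in the filter above produces.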