[Winlogbeat] Pipeline winlogbeat-8.9.2-security error #37217

Open
kowalczyk-p opened this issue Nov 28, 2023 · 2 comments
Labels
Team:Security-Windows Platform Windows Platform Team in Security Solution

Comments

@kowalczyk-p

Pipeline winlogbeat-8.9.2-security returns the following error.message:

Processor "script" with tag "Set User Account Control" in pipeline "winlogbeat-8.9.2-security" failed with message "For input string: "-""

For example, for this event:


A user account was changed.

Subject:
	Security ID:		S-1-5-21-842900000-651377000-000000000-00000
	Account Name:		REDACTED$
	Account Domain:		XXX
	Logon ID:		0x00000000

Target Account:
	Security ID:		S-1-5-21-842000000-651370000-682000000-000000
	Account Name:		redacted
	Account Domain:		XXX

Changed Attributes:
	SAM Account Name:	-
	Display Name:		-
	User Principal Name:	-
	Home Directory:		-
	Home Drive:		-
	Script Path:		-
	Profile Path:		-
	User Workstations:	-
	Password Last Set:	11/27/2023 8:33:07 PM
	Account Expires:		-
	Primary Group ID:	-
	AllowedToDelegateTo:	-
	Old UAC Value:		-
	New UAC Value:		-
	User Account Control:	-
	User Parameters:	-
	SID History:		-
	Logon Hours:		-

Additional Information:
	Privileges:		-

@botelastic bot added the needs_team label (Indicates that the issue/PR needs a Team:* label) Nov 28, 2023
@ManicPumpkin

I have the same issue. Tested with 8.4.2 and 8.11.2.

error.message:

Processor "script" with tag "Set User Account Control" in pipeline "winlogbeat-8.4.2-security" failed with message "For input string: "-""

It appears for evtx.code:

4738
4742

@ebeahan added the Team:Security-Windows Platform label (Windows Platform Team in Security Solution) Jan 31, 2024
@elasticmachine
Collaborator

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

@botelastic bot removed the needs_team label (Indicates that the issue/PR needs a Team:* label) Jan 31, 2024
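
An added example, not part of the issue thread and not Winlogbeat's pipeline code: Python that reads the Old/New UAC Value fields from event text and treats the "-" placeholder seen in the sample event as absent instead of failing the whole event. It assumes the values are hexadecimal strings when present; the function names and the second sample are constructed here.

```python
import re

# Constructed samples. The first mirrors the "Changed Attributes" lines of the
# event in this issue; the second uses made-up hex values for comparison.
EVENT_DASH = "Old UAC Value:\t\t-\nNew UAC Value:\t\t-\nUser Account Control:\t-\n"
EVENT_HEX = "Old UAC Value:\t\t0x10\nNew UAC Value:\t\t0x11\n"

FIELD_RE = re.compile(r"^\s*(Old|New) UAC Value:\s*(\S+)\s*$", re.MULTILINE)


def naive_parse(value):
    """Parse with no guard: raises ValueError on the "-" placeholder."""
    return int(value, 16)


def parse_uac(value):
    """Return the UAC value as an int, or None when no value was logged."""
    if value is None:
        return None
    value = value.strip()
    if value in ("", "-"):
        return None  # placeholder for "attribute not changed / not present"
    try:
        return int(value, 16)  # accepts "0x11" as well as "11"
    except ValueError:
        return None  # unexpected text: treat as absent, keep the event


def uac_change(message):
    """Extract old/new UAC values from event text and the bits that differ."""
    fields = {kind.lower(): parse_uac(raw) for kind, raw in FIELD_RE.findall(message)}
    old, new = fields.get("old"), fields.get("new")
    changed = None if old is None or new is None else old ^ new
    return {"old": old, "new": new, "changed_bits": changed}


if __name__ == "__main__":
    print(uac_change(EVENT_DASH))
    print(uac_change(EVENT_HEX))
```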