system,windows: fix UAC attribute bit table

[efd6]

Proposed commit message

The previous table was incorrect. Table data comes from MS-SAMR: Security Account Manager (SAM) Remote Protocol (Client-to-Server) version 46.0, 2.2.1.12 USER_ACCOUNT Codes.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

• [ ]

How to test this PR locally

Related issues

• For [winlogbeat] Fix UAC translation values beats#36999

Screenshots

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-10-31T21:12:55.457+0000

• Duration: 26 min 14 sec

Test stats 🧪

Test	Results
Failed	0
Passed	301
Skipped	0
Total	301

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (11/11)	💚
Files	93.75% (15/16)	❕
Classes	93.75% (15/16)	❕
Methods	78.302% (166/212)	❕
Lines	93.762% (8823/9410)	❕
Conditionals	100.0% (0/0)	💚

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[andrewkroh]

Do we have the evtx file associated with one of these samples that you can load into the Window Event Viewer and grab the event xml with the rendered message? I want to sanity check this. The user that reported the problem had good evidence, but I still want to double check.

[andrewkroh]

I'm thinking we should trim the USER_ prefix.

[efd6]

I agree from a storage/simplicity perspective, but am conflicted given that it will then no longer match the MS docs.

[andrewkroh]

I don't have a strong opinion. My reasoning behind making the comment was to reconcile the differences between the docs¹² that MS points to for this field and the docs that we have discovered to have the correct numerical values.

Now that I look closer the names are still a little different than the old names even after trimming the USER_ prefix. So that would still break queries that might have existed for the old names. Maybe a clean shift to new names is best.

Footnotes

1. https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738 ↩

2. https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties#list-of-property-flags ↩

[efd6]

Indeed, some were the same, but there in not a proper mapping between the two sets.

[andrewkroh]

I just looked at the example given in https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738, and I think this change checks out with the values shown there.

[efd6]

We have evtx files in the security module in beats that give json files that exercise this.

[efd6]

This is the event that is used in the winlogbeat 4741 that gives this diff in the beats PR here.

[elasticmachine]

Package system - 1.47.2 containing this change is available at https://epr.elastic.co/search?package=system

[elasticmachine]

Package windows - 1.41.1 containing this change is available at https://epr.elastic.co/search?package=windows