Open sparkblaze opened 5 years ago
I agree there should be some sort of distinction to be able to make when the subject/target user ends in `$`, something along the lines of `user.is_computer` or whatever it is called.
Because, as it relates to Windows AD, a computer object is very similar to a user, i.e. a computer and users can be added to the same group, a computer and a user can "login", etc. I don't think creating an entire subcategory would be effective. As long as there is the ability to distinguish with one other field, then we would have the ability to accomplish "computer"-specific things while not adding many additional fields.
In the current ECS version, it doesn't look like an AD computer object has a place to live when it's interacted with.
The security module for winlogbeat has slowly been adding support for user/group events, but nothing yet on computer events.
The main reason I raise the question is actually that events `4722` (A user account was enabled) and `4725` (A user account was disabled) also apply to enabling/disabling a computer account - the user just gets appended with a `$`. I think there are other occasions too where a computer account might appear in a user-centric event (they log on as well, for example). Would having the same support for fields mapped under `user.*` and `group.*` also work for having something like `computer.*`?
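As an added example (not code from the issue, winlogbeat or ECS), a small Python enrichment that applies the distinction proposed above to constructed 4722/4725 records: the trailing `$` marks the target as a computer account, and the resulting document carries the proposed `user.target.is_computer` field. The raw event shape, the `is_computer` field name and the sample records are assumptions made here.

```python
# Added example: derive a hypothetical user.target.is_computer flag for
# 4722/4725 events, which fire for both user and computer accounts.
from typing import Any, Dict, List

# Event IDs discussed in the issue, mapped to an ECS-style event.action.
ACCOUNT_STATE_EVENTS = {4722: "account-enabled", 4725: "account-disabled"}


def is_computer_account(account_name: str) -> bool:
    """Windows appends '$' to the sAMAccountName of computer objects."""
    # Strip a down-level prefix such as "CORP\\WKSTN01$" before checking.
    sam = account_name.rsplit("\\", 1)[-1]
    return sam.endswith("$")


def to_ecs(winlog: Dict[str, Any]) -> Dict[str, Any]:
    """Map a raw Security event (constructed shape, see SAMPLE_EVENTS) to an ECS-like doc."""
    eid = winlog["event_id"]
    data = winlog["event_data"]
    target = data["TargetUserName"]
    return {
        "event": {"code": str(eid), "action": ACCOUNT_STATE_EVENTS[eid]},
        "user": {
            "name": data["SubjectUserName"],
            "target": {
                "name": target,
                "domain": data["TargetDomainName"],
                # Hypothetical field proposed in the issue, not an ECS field.
                "is_computer": is_computer_account(target),
            },
        },
    }


def computer_account_changes(events: List[Dict[str, Any]]) -> List[str]:
    """Return 'name:action' for each enable/disable that targeted a computer account."""
    out = []
    for ev in events:
        if ev["event_id"] not in ACCOUNT_STATE_EVENTS:
            continue  # e.g. 4720 (account created) is out of scope here
        doc = to_ecs(ev)
        if doc["user"]["target"]["is_computer"]:
            out.append(f'{doc["user"]["target"]["name"]}:{doc["event"]["action"]}')
    return out


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"event_id": 4722, "event_data": {"SubjectUserName": "admin", "TargetUserName": "jdoe", "TargetDomainName": "CORP"}},
    {"event_id": 4725, "event_data": {"SubjectUserName": "admin", "TargetUserName": "WKSTN01$", "TargetDomainName": "CORP"}},
    {"event_id": 4722, "event_data": {"SubjectUserName": "svc", "TargetUserName": "CORP\\SRV02$", "TargetDomainName": "CORP"}},
    {"event_id": 4720, "event_data": {"SubjectUserName": "admin", "TargetUserName": "FILE01$", "TargetDomainName": "CORP"}},
]
```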