Drop events using the sidecar collector

I am having trouble establishing a configuration to remove noise from my DCs. For example, this configuration where I try to drop logs from a specific user:

# Needed for Graylog
fields_under_root: true
fields.source: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
  hosts: ["10.0.0.53:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
winlogbeat:
  event_logs:
    - name: Application
    - name: System
    - name: Security
      processors:
        - drop_event:
                when.and:
                 contains:
                     event_data_TargetUserName: sauser
    - name: Microsoft-Windows-Sysmon/Operational
    - name: Windows PowerShell
    - name: DNS Server
    - name: Microsoft-Windows-PrintService/Admin
    - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
    - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
    - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
    - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational

and this:

# Needed for Graylog
fields_under_root: true
fields.source: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
  hosts: ["10.0.0.53:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
winlogbeat:
  event_logs:
    - name: Application
    - name: System
    - name: Security
      processors:
        - drop_event.when.or:
            when:
              and:
                - or:
                    - equals.event_data_ProcessName: C:\Program Files\Graylog\sidecar\graylog-sidecar.exe
                - or:
                    - equals.event_data_TargetUserName: user1
                    - equals.event_data_TargetUserName: user2
                - or:
                    - equals.event_data_SubjectUserName: user2
    - name: Microsoft-Windows-Sysmon/Operational
    - name: Windows PowerShell
    - name: DNS Server
    - name: Microsoft-Windows-PrintService/Admin
    - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
    - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
    - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
    - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational

None of the configurations had the expected effect. Could someone help me create a useful file?

Hello && Welcome @maiconjs

Perhaps this post may help

Or some type of configuration like this.

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security
    event_id: 4625, 4626

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

Thanks for the welcome. I tried the suggested configuration from the link, but I still keep getting logs from a wildcard user.

Hello
What kind of messages do you want? Can you explain this in greater detail?
Also, what do your current configurations look like?

In my DC I have some users that are used by some applications for reading and operations in the environment (e.g. Kaspersky Endpoint). In the environment I have around 270 stations with Windows, and I get several logs for each authentication of this service. I need to reduce the noise by removing the logs for these wildcard users.

First you need to know the difference between service account SIDs and user account SIDs. What needs to happen is to find each SID. “A security identifier (SID) is used to uniquely identify a security principal or security group. Security principals can represent any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account.”

Then you need to filter out what you want and drop the rest.

Example:

Administrator       S-1-5-21-2720602528-101527634-271158134-500
DefaultAccount      S-1-5-21-2720602528-101527634-271158134-503
Guest               S-1-5-21-2720602528-101527634-271158134-501

Please look here.

I am currently using this configuration, based on this link:

# Needed for Graylog
fields_under_root: true
fields.source: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
  hosts: ["10.0.0.53:5044"]

path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs

# The amount of time to wait for all events to be published when shutting down.
winlogbeat.shutdown_timeout: 30s

# A list of entries (called dictionaries in YAML) that specify which event logs to monitor.
winlogbeat.event_logs:
  # Application Crashes: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Application-Crashes.xml
  - name: Application
    event_id: 1000, 1002
    ignore_older: 24h
    level: error
    provider:
      - Application Error
      - Application Hang
  - name: Application
    event_id: 1001
    ignore_older: 24h
    level: info
    provider:
      - Windows Error Reporting

  # emet: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/EMET.xml
  - name: Application
    event_id: 1, 2
    level: warning, error
    provider:
      - EMET

  # Account Lockout: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Account-Lockout.xml
  - name: Security
    event_id: 4740
    level: info
    ignore_older: 24h
    provider:
      - Microsoft-Windows-Security-Auditing

  # event log diagnostics: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Event-Log-Diagnostics.xml
  - name: System
    ignore_older: 24h
    provider:
      - Microsoft-Windows-Eventlog
  - name: Security
    ignore_older: 24h
    event_id: 1100, 1104, 1105, 1108

  # explicit credentials: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Explicit-Credentials.xml
  - name: Security
    level: info
    ignore_older: 24h
    provider:
      - Microsoft-Windows-Security-Auditing

  # Account Management: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Account-Management.xml
  - name: Security
    event_id: 4627, 4703, 4704, 4705, 4720, 4737-4739, 4780-4782, 4793, 4794, 4798, 4799, 5376, 5377
    ignore_older: 24h
  - name: Security
    event_id: 4722-4735
    ignore_older: 24h
  - name: Security
    event_id: 4741-4753
    ignore_older: 24h
  - name: Security
    event_id: 4754-4767
    ignore_older: 24h

  # Active Directory: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Active-Directory.xml
  - name: Security
    event_id: 4662, 14080, 5136, 5137, 5178, 5139, 5141, 4713, 4706, 4707, 4716, 4717, 4718, 4739, 4864, 4865, 4866, 4867
    ignore_older: 24h

  # Authentication: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Authentication.xml
  - name: Security
    #event_id: 4624-4626, 4634, 4647, 4649, 4672, 4675, 4774-4779, 4800-4803, 4964, 5378
    event_id: 4624-4626, 4647, 4649, 4675, 4774-4779, 4800-4803, 4964, 5378
    ignore_older: 24h

  # autoruns: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Autoruns.xml
  # make sure to set up the scheduled autoruns service
  - name: Autoruns
    ignore_older: 24h

  # bits: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Bits-Client.xml
  - name: Microsoft-Windows-Bits-Client/Operational
    ignore_older: 24h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 3
          - equals.winlog.event_id: 5
          - equals.winlog.event_id: 61
          - equals.winlog.event_id: 16403

  # certificate authority: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Certificate-Authority.xml
  - name: Security
    event_id: 4886, 4887, 4888
    ignore_older: 24h

  # code integrity: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Code-Integrity.xml
  - name: Microsoft-Windows-CodeIntegrity/Operational
    event_id: 3001, 3002, 3003, 3004, 3010, 3023
    ignore_older: 24h
    level: error, warning
    provider:
      - Microsoft-Windows-CodeIntegrity
  - name: Security
    event_id: 5038, 6281, 6410
    ignore_older: 24h
    level: info
    provider:
      - Microsoft-Windows-Security-Auditing

  # drivers: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Drivers.xml
  - name: System
    event_id: 219
    ignore_older: 24h
    level: warning
    provider:
      - Microsoft-Windows-Kernel-PnP
  - name: Microsoft-Windows-DriverFrameworks-UserMode/Operational
    event_id: 2004
    ignore_older: 24h

  - name: System
    level: "critical, error"
    ignore_older: 24h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 7000
          - equals.winlog.event_id: 7001
          - equals.winlog.event_id: 10016
          - equals.winlog.event_id: 24629
          - equals.winlog.event_id: 10010
          - equals.winlog.event_id: 11060
          - equals.winlog.event_id: 41
          - equals.winlog.event_id: 124
          - equals.winlog.event_id: 34

  # As requested by our external CISO service
  - name: ForwardedEvents
    tags: [forwarded]
    processors:
      - script:
          when.equals.winlog.channel: Security
          lang: javascript
          id: security
          file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js
      - script:
          when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
          lang: javascript
          id: sysmon
          file: C:\Program Files\Graylog\sidecar\module\sysmon\config\winlogbeat-sysmon.js
      - script:
          when.equals.winlog.channel: Windows PowerShell
          lang: javascript
          id: powershell
          file: C:\Program Files\Graylog\sidecar\module\powershell\config\winlogbeat-powershell.js
      - script:
          when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
          lang: javascript
          id: powershell
          file: C:\Program Files\Graylog\sidecar\module\powershell\config\winlogbeat-powershell.js

  - name: Microsoft-Windows-BitLocker/BitLocker Operational
    level: "critical, error, warning"
    ignore_older: 24h

  - name: Microsoft-Windows-BitLocker/BitLocker Management
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-DSC/Operational
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4105, 4106
    level: "critical, error, warning"
    ignore_older: 24h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 4104
          - equals.winlog.event_id: 4100
          - equals.winlog.event_id: 32784

  - name: Microsoft-Windows-PowerShell/Admin
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-Shell-Core/Operational
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-Shell-Core/ActionCenter
    level: "critical, error"
    ignore_older: 24h

  - name: HardwareEvents
    level: "critical, error"
    ignore_older: 24h

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
    level: "critical, error, warning"
    ignore_older: 24h

  - name: Microsoft-Windows-WMI-Activity/Operational
    #event_id: 5857,5858,5859,5860,5861
    level: "critical, error"
    ignore_older: 24h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 5858

  - name: Microsoft-Windows-Kernel-WHEA/Operational
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-Kernel-WHEA/Errors
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-Kernel-WDI/Operational
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-Kernel-StoreMgr/Operational
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-Kernel-ShimEngine/Operational
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-Kernel-Power/Thermal-Operational
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-Kernel-PnP/Configuration
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-Kernel-EventTracing/Admin
    level: "critical, error"
    ignore_older: 24h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 1569
          - equals.winlog.event_id: 1570
          - equals.winlog.event_id: 2
          - equals.winlog.event_id: 28
          - contains.message: 'Session "Diagtrack-Listener" stopped due to the following error:'

  - name: Microsoft-Windows-Kernel-Boot/Operational
    level: "critical, error"
    ignore_older: 24h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 124
          - equals.winlog.event_id: 158

  - name: Microsoft-Windows-WinRM/Operational
    level: "critical, error, warning"
    ignore_older: 24h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 142
          - equals.winlog.event_id: 161

  - name: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
    level: "critical, error"
    ignore_older: 24h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 227

  - name: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
    level: "critical, error"
    ignore_older: 24h
    include_xml: true

  - name: Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity
    level: "critical, error"
    ignore_older: 24h
    include_xml: true

  - name: Microsoft-Windows-VPN/Operational
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-VPN-Client/Operational
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-TCPIP/Operational
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-GroupPolicy/Operational
    level: "critical, error, warning"
    ignore_older: 24h

  # task scheduler: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Task-Scheduler.xml
  - name: Microsoft-Windows-TaskScheduler/Operational
    event_id: 106, 129, 141, 142, 200, 201
    ignore_older: 24h
    provider:
      - Microsoft-Windows-TaskScheduler

  - name: Security
    event_id: 4698-4702
    ignore_older: 24h

  - name: Microsoft-Windows-TaskScheduler/Maintenance
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-StorageSpaces-ManagementAgent/WHC
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-StorageSpaces-Driver/Operational
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-Storage-Tiering/Admin
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-Storage-Storport/Operational
    level: "critical"
    ignore_older: 24h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 549
          - equals.winlog.event_id: 534
          - equals.winlog.event_id: 523
          - equals.winlog.event_id: 500

  - name: Microsoft-Windows-Storage-Storport/Admin
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-SMBServer/Security
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-SMBServer/Operational
    level: "critical, error"
    ignore_older: 24h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 1024

  - name: Microsoft-Windows-SMBServer/Connectivity
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-SmbClient/Security
    level: "critical, error"
    ignore_older: 24h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 8464
          - equals.winlog.event_id: 31001

  - name: Microsoft-Windows-SMBClient/Operational
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-SmbClient/Connectivity
    level: "critical, error"
    ignore_older: 24h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 30800
          - equals.winlog.event_id: 30803

  - name: Key Management Service
    level: "critical, error"
    ignore_older: 24h

  - name: Internet Explorer
    level: "critical, error"
    ignore_older: 24h

  # dns: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/DNS.xml
  - name: Microsoft-Windows-DNS-Client/Operational
    event_id: 3008
    ignore_older: 24h

  - name: DNS Server
    event_id: 150, 770
    ignore_older: 24h

  - name: Microsoft-Windows-AppLocker/Packaged app-Execution
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-AppLocker/Packaged app-Deployment
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-AppLocker/MSI and Script
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-AppLocker/EXE and DLL
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-CodeIntegrity/Operational
    level: "critical"
    ignore_older: 24h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 3033

  # Monitor USB Devices, this eventlog is not enabled by default
  - name: Microsoft-Windows-DriverFrameworks-UserMode/Operational
    level: "critical, error"
    event_id: 2003,2102
    ignore_older: 24h

  # Sysmon related, needs some care soon. It IS VERY NOISY, we need a solid filter
  - name: Microsoft-Windows-Sysmon/Operational
    level: "critical, error, warning, information"
    # Minimum, for now!
    event_id: 255, 16, 14, 6
    ignore_older: 24h

  # NTFS
  - name: Microsoft-Windows-Ntfs/WHC
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-Ntfs/Operational
    level: "critical, error"
    ignore_older: 24h

  # NTLM
  - name: Microsoft-Windows-NTLM/Operational
    level: "critical, error"
    ignore_older: 24h

  # General Remote Desktop and App related
  - name: Microsoft-Windows-Remotefs-Rdbss/Operational
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational
    level: "critical, error, warning"
    ignore_older: 24h

  - name: Microsoft-Windows-RemoteApp and Desktop Connections/Operational
    level: "critical, error, warning"
    ignore_older: 24h

  - name: Microsoft-Windows-RemoteApp and Desktop Connections/Admin
    level: "critical, error"
    ignore_older: 24h

  # DeviceSync
  - name: Microsoft-Windows-DeviceSync/Operational
    level: "critical, error"
    ignore_older: 24h

  # TerminalServices
  - name: Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-TerminalServices-RDPClient/Operational
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-TerminalServices-Printers/Operational
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-TerminalServices-Printers/Admin
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-TerminalServices-PnPDevices/Operational
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-TerminalServices-PnPDevices/Admin
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-TerminalServices-Gateway/Admin
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-TerminalServices-Gateway/Operational
    level: "critical, error"
    ignore_older: 24h

  - name: Microsoft-Windows-Winlogon/Operational
    level: "critical, error"
    ignore_older: 24h

  #windows update: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Windows-Updates.xml
  - name: Microsoft-Windows-WindowsUpdateClient/Operational
    event_id: 19, 20, 24, 25, 31, 34, 35
    ignore_older: 24h
    level: error
    provider:
      - Microsoft-Windows-WindowsUpdateClient

  - name: Setup
    event_id: 1009
    ignore_older: 24h
    level: info
    provider:
      - Microsoft-Windows-Servicing

  # external devices: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/External-Devices.xml
  - name: Microsoft-Windows-Kernel-PnP/Configuration
    event_id: 400, 410
    ignore_older: 24h
    level: info
    provider:
      - Microsoft-Windows-Kernel-PnP

  - name: Security
    event_id: 6416
    ignore_older: 24h
  - name: Security
    event_id: 6419-6424
    ignore_older: 24h

  # firewall: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Firewall.xml
  - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
    event_id: 2004, 2005, 2006, 2033
    ignore_older: 24h
    level: info, error
    provider:
      - Microsoft-Windows-Windows Firewall With Advanced Security

  - name: Security
    event_id: 4944-4954
    ignore_older: 24h

  - name: Security
    event_id: 4956-4958
    ignore_older: 24h

  - name: Security
    event_id: 5024, 5025, 5037
    ignore_older: 24h

  - name: Security
    event_id: 5027-5030
    ignore_older: 24h

  - name: Security
    event_id: 5032-5035
    ignore_older: 24h

  # gpo errors: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Group-Policy-Errors.xml
  - name: System
    event_id: 1085, 1125, 1127, 1129
    ignore_older: 24h
    level: error
    provider:
      - Microsoft-Windows-GroupPolicy

  - name: Security
    event_id: 6144, 6145
    ignore_older: 24h

  # kerberos: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Kerberos.xml
  - name: Security
    event_id: 4768, 4769, 4770, 4771, 4772, 4773
    ignore_older: 24h

  # log deletion security: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Log-Deletion-Security.xml
  - name: Security
    event_id: 1102
    ignore_older: 24h
    level: info
    provider:
      - Microsoft-Windows-Eventlog

  # log deletion system: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Log-Deletion-System.xml
  - name: System
    event_id: 104
    ignore_older: 24h
    level: info
    provider:
      - Microsoft-Windows-Eventlog

  # msi: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/MSI-Packages.xml
  - name: Application
    event_id: 1022, 1033
    ignore_older: 24h
    provider:
      - MsiInstaller

  - name: Setup
    event_id: 2, 0
    ignore_older: 24h
    provider:
      - Microsoft-Windows-Servicing

  - name: Microsoft-Windows-Application-Experience/Program-Inventory
    event_id: 903, 904
    ignore_older: 24h
    provider:
      - Microsoft-Windows-Application-Experience

  - name: Microsoft-Windows-Application-Experience/Program-Inventory
    event_id: 905, 906
    ignore_older: 24h
    provider:
      - Microsoft-Windows-Application-Experience

  - name: Microsoft-Windows-Application-Experience/Program-Inventory
    event_id: 907, 908
    ignore_older: 24h
    provider:
      - Microsoft-Windows-Application-Experience

  - name: Microsoft-Windows-Application-Experience/Program-Inventory
    event_id: 800
    ignore_older: 24h
    provider:
      - Microsoft-Windows-Application-Experience

  # ntlm: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/NTLM.xml
  - name: Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController
    ignore_older: 24h
    provider:
      - Microsoft-Windows-NTLM

  - name: Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController
    ignore_older: 24h
    provider:
      - Microsoft-Windows-NTLM

  - name: Microsoft-Windows-NTLM/Operational
    ignore_older: 24h
    provider:
      - Microsoft-Windows-NTLM

  # object manipulation: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Object-Manipulation.xml
  - name: Security
    event_id: 4715, 4817, 4656, 4658, 4660, 4663, 4670
    ignore_older: 24h

  # operating system: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Operating-System.xml
  - name: System
    event_id: 12, 13
    ignore_older: 24h
    provider:
      - Microsoft-Windows-Kernel-General

  - name: Security
    event_id: 4608
    ignore_older: 24h

  - name: System
    event_id: 1074
    ignore_older: 24h
    provider:
      - USER32

  - name: Security
    event_id: 4817, 4826
    ignore_older: 24h

  - name: System
    event_id: 16962, 16965, 16968, 16969
    ignore_older: 24h

  - name: System
    event_id: 41, 1001, 6008, 4621
    ignore_older: 24h

  - name: Security
    event_id: 4610, 4611, 4614, 4622, 4697
    ignore_older: 24h

  - name: Security
    event_id: 4719, 4817, 4902, 4906, 4908, 4912, 4904, 4905
    ignore_older: 24h

  # print: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Print.xml
  - name: Microsoft-Windows-PrintService/Operational
    event_id: 307
    ignore_older: 24h
    level: info
    provider:
      - Microsoft-Windows-PrintService

  # privilege use: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Privilege-Use.xml
  - name: Security
    event_id: 4673, 4674, 4985
    ignore_older: 24h

  # process exec: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Process-Execution.xml
  #- name: Security
  #  event_id: 4688
  #  ignore_older: 24h
  - name: Security
    event_id: 4689
    ignore_older: 24h

  # registry: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Registry.xml
  # TODO: how to filter on eventdata operationtype?
  - name: Security
    event_id: 4657
    ignore_older: 24h

  # services: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Services.xml
  - name: System
    event_id: 7022, 7023, 7024, 7026, 7031, 7032, 7034
    ignore_older: 24h
    level: info, critical, error, warning
    provider:
      - Service Control Manager

  - name: System
    event_id: 7045, 7040
    ignore_older: 24h
    level: info, critical, error, warning
    provider:
      - Service Control Manager

  # shares: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Shares.xml
  - name: Security
    event_id: 5140, 5142, 5144, 5145, 5168
    ignore_older: 24h

  - name: Microsoft-Windows-SMBClient/Operational
    event_id: 30622, 30624
    ignore_older: 24h

  # software restrictions: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Software-Restriction-Policies.xml
  - name: Application
    event_id: 865, 866, 867, 868, 882
    ignore_older: 24h
    provider:
      - Microsoft-Windows-SoftwareRestrictionPolicies

# Add JS Infos
processors:
  - script:
      when.equals.winlog.channel: Security
      lang: javascript
      id: security
      file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js

  - script:
      when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
      lang: javascript
      id: sysmon
      file: C:\Program Files\Graylog\sidecar\module\sysmon\config\winlogbeat-sysmon.js

  - script:
      when.equals.winlog.channel: Microsoft-Windows-Sysmon
      lang: javascript
      id: sysmon
      file: C:\Program Files\Graylog\sidecar\module\sysmon\config\winlogbeat-sysmon.js

  - script:
      when.equals.winlog.channel: Windows PowerShell
      lang: javascript
      id: powershell
      file: C:\Program Files\Graylog\sidecar\module\powershell\config\winlogbeat-powershell.js

  - script:
      when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
      lang: javascript
      id: powershell
      file: C:\Program Files\Graylog\sidecar\module\powershell\config\winlogbeat-powershell.js

  - script:
      when.equals.winlog.channel: Microsoft-Windows-PowerShell/Admin
      lang: javascript
      id: powershell
      file: C:\Program Files\Graylog\sidecar\module\powershell\config\winlogbeat-powershell.js

  - script:
      when.equals.winlog.channel: Microsoft-Windows-PowerShell
      lang: javascript
      id: powershell
      file: C:\Program Files\Graylog\sidecar\module\powershell\config\winlogbeat-powershell.js

  - script:
      when.equals.winlog.channel: Microsoft-Windows-Shell-Core
      lang: javascript
      id: powershell
      file: C:\Program Files\Graylog\sidecar\module\powershell\config\winlogbeat-powershell.js

  - script:
      when.equals.winlog.channel: PowerShellCore/Operational
      lang: javascript
      id: powershell
      file: C:\Program Files\Graylog\sidecar\module\powershell\config\winlogbeat-powershell.js

  - script:
      when.equals.winlog.channel: PowerShellCore
      lang: javascript
      id: powershell
      file: C:\Program Files\Graylog\sidecar\module\powershell\config\winlogbeat-powershell.js

But I am wanting to do a configuration from scratch to drop events not only from users but also from executables that appear in the logs.


I think you are only running into some syntax issues in your configuration. The logs do a good job of telling you if there is an issue with the collector configuration (in your original post, you have sidecar logs at: C:\Program Files\Graylog\sidecar\logs)

Here is some rearranged syntax… I haven’t tested it yet… maybe later today… but it fits a little better with what I have had working in the past. Most specifically, I think the fields need the winlog. in front of them… at least that worked for me. (Noting that in my Graylog it shows as winlog_ but the beat wants winlog.)

    - name: Security
      processors:
        - drop_event.when:
            contains:
              # winlogbeat nests event data under winlog.event_data.<Name>;
              # Graylog only flattens the dots to winlog_event_data_<Name> after ingest
              winlog.event_data.TargetUserName: sauser

In this second case you have above, you had when in there twice… not sure that would work…

    - name: Security
      processors:
        # "when" takes a map, so the or-list hangs directly off drop_event.when.or
        - drop_event.when.or:
            - equals.winlog.event_data.ProcessName: 'C:\Program Files\Graylog\sidecar\graylog-sidecar.exe'
            - equals.winlog.event_data.TargetUserName: user1
            - equals.winlog.event_data.TargetUserName: user2
            - equals.winlog.event_data.SubjectUserName: user2
1 Like

@tmacgbay Thanks for your support.

I am taking the necessary care with the YAML formatting. I am doing the edits using Visual Code.
I tried to do as posted above, but I keep getting logs from a specific user. Both sidecar.log and winlogbeat.log showed no errors.

sidecar.log:

time="2022-03-25T11:45:03-03:00" level=info msg="[winlogbeat] Configuration change detected, rewriting configuration file." 
time="2022-03-25T11:45:03-03:00" level=info msg="[winlogbeat] Stopping" 
time="2022-03-25T11:45:04-03:00" level=info msg="[winlogbeat] Starting (svc driver)" 

winlogbeat:

2022-03-25T11:45:05.025-0300	INFO	instance/beat.go:686	Home path: [C:\Program Files\Graylog\sidecar] Config path: [C:\Program Files\Graylog\sidecar] Data path: [C:\Program Files\Graylog\sidecar\cache\winlogbeat\data] Logs path: [C:\Program Files\Graylog\sidecar\logs] Hostfs Path: [/]
2022-03-25T11:45:05.028-0300	INFO	instance/beat.go:694	Beat ID: 2463d591-5825-4e79-8465-1350a716c9e3
2022-03-25T11:45:05.029-0300	INFO	[beat]	instance/beat.go:1040	Beat info	{"system_info": {"beat": {"path": {"config": "C:\\Program Files\\Graylog\\sidecar", "data": "C:\\Program Files\\Graylog\\sidecar\\cache\\winlogbeat\\data", "home": "C:\\Program Files\\Graylog\\sidecar", "logs": "C:\\Program Files\\Graylog\\sidecar\\logs"}, "type": "winlogbeat", "uuid": "2463d591-5825-4e79-8465-1350a716c9e3"}}}
2022-03-25T11:45:05.029-0300	INFO	[beat]	instance/beat.go:1049	Build info	{"system_info": {"build": {"commit": "1d05ba86138cfc9a5ae5c0acc64a57b8d81678ff", "libbeat": "7.17.1", "time": "2022-02-23T23:58:09.000Z", "version": "7.17.1"}}}
2022-03-25T11:45:05.029-0300	INFO	[beat]	instance/beat.go:1052	Go runtime info	{"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":2,"version":"go1.17.6"}}}
2022-03-25T11:45:05.033-0300	INFO	[beat]	instance/beat.go:1056	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2022-03-22T13:38:53.87-03:00","name":"DC01","ip":["10.0.0.12/24","::1/128","127.0.0.1/8","fe80::5efe:a00:c/128"],"kernel_version":"6.3.9600.16422 (winblue_gdr.131006-1505)","mac":["00:00:00:00:00:00","00:00:00:00:00:00:00:e0"],"os":{"type":"windows","family":"windows","platform":"windows","name":"Windows Server 2012 R2 Standard","version":"6.3","major":3,"minor":0,"patch":0,"build":"9600.0"},"timezone":"-03","timezone_offset_sec":-10800,"id":"e7ff1b2c-d7d3-4a35-9ae0-a840abc75646"}}}
2022-03-25T11:45:05.033-0300	INFO	[beat]	instance/beat.go:1085	Process info	{"system_info": {"process": {"cwd": "C:\\Windows\\system32", "exe": "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe", "name": "winlogbeat.exe", "pid": 5604, "ppid": 504, "start_time": "2022-03-25T11:45:04.906-0300"}}}
2022-03-25T11:45:05.033-0300	INFO	instance/beat.go:328	Setup Beat: winlogbeat; Version: 7.17.1
2022-03-25T11:45:05.033-0300	INFO	[publisher]	pipeline/module.go:113	Beat name: DC01
2022-03-25T11:45:05.033-0300	INFO	[winlogbeat]	beater/winlogbeat.go:66	State will be read from and persisted to C:\Program Files\Graylog\sidecar\cache\winlogbeat\data\.winlogbeat.yml
2022-03-25T11:45:05.034-0300	INFO	instance/beat.go:492	winlogbeat start running.
2022-03-25T11:45:05.034-0300	INFO	[monitoring]	log/log.go:142	Starting metrics logging every 30s
2022-03-25T11:45:06.056-0300	INFO	[publisher_pipeline_output]	pipeline/output.go:143	Connecting to backoff(async(tcp://10.0.0.53:5044))
2022-03-25T11:45:06.056-0300	INFO	[publisher]	pipeline/retry.go:219	retryer: send unwait signal to consumer
2022-03-25T11:45:06.056-0300	INFO	[publisher]	pipeline/retry.go:223	  done
2022-03-25T11:45:06.060-0300	INFO	[publisher_pipeline_output]	pipeline/output.go:151	Connection to backoff(async(tcp://10.0.0.53:5044)) established
2022-03-25T11:45:35.046-0300	INFO	[monitoring]	log/log.go:184	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":171,"time":{"ms":171}},"total":{"ticks":499,"time":{"ms":499},"value":499},"user":{"ticks":328,"time":{"ms":328}}},"handles":{"open":205},"info":{"ephemeral_id":"5e04e733-e9ba-43f0-b94a-c6a78c2d5599","uptime":{"ms":30097},"version":"7.17.1"},"memstats":{"gc_next":11496256,"memory_alloc":6053216,"memory_sys":27429896,"memory_total":53753952,"rss":43646976},"runtime":{"goroutines":52}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":312,"active":0,"batches":19,"total":312},"read":{"bytes":114},"type":"logstash","write":{"bytes":95382}},"pipeline":{"clients":11,"events":{"active":8,"published":320,"retry":12,"total":320},"queue":{"acked":312,"max_events":4096}}},"system":{"cpu":{"cores":2}}}}}
2022-03-25T11:46:05.046-0300	INFO	[monitoring]	log/log.go:184	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":218,"time":{"ms":47}},"total":{"ticks":905,"time":{"ms":406},"value":905},"user":{"ticks":687,"time":{"ms":359}}},"handles":{"open":209},"info":{"ephemeral_id":"5e04e733-e9ba-43f0-b94a-c6a78c2d5599","uptime":{"ms":60097},"version":"7.17.1"},"memstats":{"gc_next":13199408,"memory_alloc":11951456,"memory_total":91708384,"rss":42913792},"runtime":{"goroutines":52}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":250,"active":0,"batches":19,"total":250},"read":{"bytes":114},"write":{"bytes":91633}},"pipeline":{"clients":11,"events":{"active":37,"published":279,"total":279},"queue":{"acked":250}}}}}}
2022-03-25T11:46:35.043-0300	INFO	[monitoring]	log/log.go:184	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":359,"time":{"ms":141}},"total":{"ticks":1374,"time":{"ms":469},"value":1374},"user":{"ticks":1015,"time":{"ms":328}}},"handles":{"open":209},"info":{"ephemeral_id":"5e04e733-e9ba-43f0-b94a-c6a78c2d5599","uptime":{"ms":90086},"version":"7.17.1"},"memstats":{"gc_next":12572544,"memory_alloc":6425528,"memory_total":128752264,"rss":43409408},"runtime":{"goroutines":52}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":229,"active":0,"batches":22,"total":229},"read":{"bytes":132},"write":{"bytes":91686}},"pipeline":{"clients":11,"events":{"active":8,"published":200,"total":200},"queue":{"acked":229}}}}}}
2022-03-25T11:47:05.043-0300	INFO	[monitoring]	log/log.go:184	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":468,"time":{"ms":109}},"total":{"ticks":1780,"time":{"ms":406},"value":1780},"user":{"ticks":1312,"time":{"ms":297}}},"handles":{"open":211},"info":{"ephemeral_id":"5e04e733-e9ba-43f0-b94a-c6a78c2d5599","uptime":{"ms":120086},"version":"7.17.1"},"memstats":{"gc_next":15376672,"memory_alloc":9254384,"memory_total":168663048,"rss":44142592},"runtime":{"goroutines":52}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":321,"active":0,"batches":20,"total":321},"read":{"bytes":120},"write":{"bytes":105578}},"pipeline":{"clients":11,"events":{"active":0,"published":313,"total":313},"queue":{"acked":321}}}}}}
2022-03-25T11:47:35.042-0300	INFO	[monitoring]	log/log.go:184	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":593,"time":{"ms":125}},"total":{"ticks":2139,"time":{"ms":359},"value":2139},"user":{"ticks":1546,"time":{"ms":234}}},"handles":{"open":211},"info":{"ephemeral_id":"5e04e733-e9ba-43f0-b94a-c6a78c2d5599","uptime":{"ms":150086},"version":"7.17.1"},"memstats":{"gc_next":13201744,"memory_alloc":10772184,"memory_total":206358192,"rss":44777472},"runtime":{"goroutines":52}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":248,"active":0,"batches":20,"total":248},"read":{"bytes":120},"write":{"bytes":95614}},"pipeline":{"clients":11,"events":{"active":12,"published":260,"total":260},"queue":{"acked":248}}}}}}
2022-03-25T11:48:05.041-0300	INFO	[monitoring]	log/log.go:184	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":671,"time":{"ms":78}},"total":{"ticks":2405,"time":{"ms":266},"value":2405},"user":{"ticks":1734,"time":{"ms":188}}},"handles":{"open":206},"info":{"ephemeral_id":"5e04e733-e9ba-43f0-b94a-c6a78c2d5599","uptime":{"ms":180086},"version":"7.17.1"},"memstats":{"gc_next":11746784,"memory_alloc":7172288,"memory_total":238241208,"rss":42418176},"runtime":{"goroutines":52}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":139,"active":0,"batches":20,"total":139},"read":{"bytes":120},"write":{"bytes":67600}},"pipeline":{"clients":11,"events":{"active":0,"published":127,"total":127},"queue":{"acked":139}}}}}}
2022-03-25T11:48:35.044-0300	INFO	[monitoring]	log/log.go:184	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":796,"time":{"ms":125}},"total":{"ticks":2874,"time":{"ms":469},"value":2874},"user":{"ticks":2078,"time":{"ms":344}}},"handles":{"open":211},"info":{"ephemeral_id":"5e04e733-e9ba-43f0-b94a-c6a78c2d5599","uptime":{"ms":210086},"version":"7.17.1"},"memstats":{"gc_next":11782976,"memory_alloc":7572224,"memory_total":278319800,"rss":42573824},"runtime":{"goroutines":52}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":252,"active":0,"batches":21,"total":252},"read":{"bytes":126},"write":{"bytes":102593}},"pipeline":{"clients":11,"events":{"active":8,"published":260,"total":260},"queue":{"acked":252}}}}}}
2022-03-25T11:49:05.042-0300	INFO	[monitoring]	log/log.go:184	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":906,"time":{"ms":110}},"total":{"ticks":3343,"time":{"ms":469},"value":3343},"user":{"ticks":2437,"time":{"ms":359}}},"handles":{"open":211},"info":{"ephemeral_id":"5e04e733-e9ba-43f0-b94a-c6a78c2d5599","uptime":{"ms":240087},"version":"7.17.1"},"memstats":{"gc_next":12459520,"memory_alloc":8499536,"memory_total":320516800,"rss":44085248},"runtime":{"goroutines":52}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":374,"active":0,"batches":20,"total":374},"read":{"bytes":120},"write":{"bytes":116320}},"pipeline":{"clients":11,"events":{"active":2,"published":368,"total":368},"queue":{"acked":374}}}}}}

One other fact: I am using winlogbeat version 7.17.1. Could there be a problem with this version?

Not that I know of - did you add in the winlog portion with the dot to the field name?

Yes, it complies with winlogbeat 7.17 standards:

    - name: Security
      processors:
        - drop_event.when:
            contains:
              winlog.event_data_TargetUserName: user1

I finally got a chance to do some testing since I wanted to drop some of the junk coming into my system…

Try putting a dot between data and TargetUserName

    - name: Security
      processors:
        - drop_event.when:
            contains:
              winlog.event_data.TargetUserName: user1

Graylog is converting the . to _

Bingo @tmacgbay

It was precisely “_” that had no effect and no error. After changing to the “.”, the filtering was done.

Here is the tested configuration:

# Needed for Graylog
fields_under_root: true
fields.source: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
  hosts: ["10.0.0.53:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
winlogbeat:
  event_logs:
    - name: Application
    - name: System
    - name: Security
      processors:
        - drop_event.when:
            or:
              - contains:
                  winlog.event_data.TargetUserName: user1
              - contains:
                  winlog.event_data.TargetUserName: user2
              - contains:
                  winlog.event_data.SubjectUserName: user2
    - name: Microsoft-Windows-Sysmon/Operational
    - name: Windows PowerShell
    - name: DNS Server
    - name: Microsoft-Windows-PrintService/Admin
    - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
    - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
    - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
    - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational

thank you very much @tmacgbay

My thanks also to @gsmith. Your information about SID was valuable and I already plan to apply it.

2 Likes

I have one more problem: I am having trouble dropping events related to .exe.

Here is a message that I want to block:

message
Houve uma tentativa de acessar um objeto.

Requerente:
	Id de Segurança:		S-1-5-18
	Nome da Conta:		SRV001$
	DomĂ­nio da Conta:		MYDOMAIN
	ID de Logon:		0x3E7

Objeto:
	Servidor do Objeto:		Security
	Tipo de Objeto:		File
	Nome do Objeto:		E:\
	ID do Identificador:		0x29c
	Atributos do Recurso:	S:PAI

Informações do Processo:
	ID do Processo:		0x2080
	Nome do Processo:		C:\Program Files\Graylog\sidecar\graylog-sidecar.exe

Informações da Solicitação de Acesso:
	Acessos:		ReadData (ou ListDirectory)
				
	Máscara de Acesso:	0x1

Config used to try to drop:

# Needed for Graylog
fields_under_root: true
fields.source: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
  hosts: ["10.0.0.53:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
winlogbeat:
  event_logs:
    - name: Application
    - name: System
    - name: Security
      processors:
        - drop_event.when:
            or:
              - contains:
                  winlog.event_data.TargetUserName: usr1
              - contains:
                  winlog.event_data.TargetUserName: usr2
              - contains:
                  winlog.event_data.SubjectUserName: usr1
              - contains:
                  winlog.event_data.ProcessName: C:\Program Files\Graylog\sidecar\graylog-sidecar.exe
              - contains:
                  winlog.event_data.ProcessId: "0x114c"
    - name: Microsoft-Windows-Sysmon/Operational
    - name: Windows PowerShell
    - name: DNS Server
    - name: Microsoft-Windows-PrintService/Admin
    - name: Microsoft-Windows-PrintService/Operational
    - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
    - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
    - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
    - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
    - name: Microsoft-Windows-TaskScheduler/Operational

To make sure they are string values, Elasticsearch has quotes around the values… you could possibly use a regex solution such as:

- regexp:
      winlog.event_data.ProcessName: "sidecar\.exe$"  # Anything that ends ($) with sidecar.exe

You may need to use the debug() function to find out what the actual field is…

1 Like

Problem solved. To block events coming from “winlog.event_data.ProcessName”, I put the complete path with exe, but with two backslashes. Ex:

# Needed for Graylog
fields_under_root: true
fields.source: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
  hosts: ["10.0.0.53:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
winlogbeat:
  event_logs:
    - name: Application
    - name: System
    - name: Security
      processors:
        - drop_event.when:
            or:
              - contains:
                  winlog.event_data.ProcessName: "C:\\Program Files\\Graylog\\sidecar\\graylog-sidecar.exe"
    - name: Microsoft-Windows-Sysmon/Operational
    - name: Windows PowerShell
    - name: DNS Server
    - name: Microsoft-Windows-PrintService/Admin
    - name: Microsoft-Windows-PrintService/Operational
    - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
    - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
    - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
    - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
    - name: Microsoft-Windows-TaskScheduler/Operational

2 Likes
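The two findings in this thread (the beat wants the dotted path `winlog.event_data.TargetUserName` while Graylog displays `winlog_event_data_TargetUserName`, and a double-quoted YAML path needs `\\` for each backslash) are easy to see by simulating how a Beats `drop_event.when` condition resolves fields. The Python below is an added example, not code from the thread or from Elastic or Graylog. It assumes the Beats condition semantics as commonly documented: dotted paths walk the nested event, `contains` is a substring test, `regexp` is RE2 (Python's `re` agrees for the simple anchored pattern used here), several fields under one operator must all match, and a missing field simply fails to match. The sample events are constructed; the user names, PIDs and the explorer.exe path are made up.

```python
"""Simulate Beats `drop_event.when` condition matching on winlogbeat-style events.

Added example (not from the thread or from Elastic/Graylog). It reproduces the
behaviour discussed above: the condition looks a field up by its dotted Beats
path, while Graylog shows the same field flattened with underscores. Using the
underscore name in the beat matches nothing and raises no error.
"""
import re
from typing import Any, Dict, List, Optional

Event = Dict[str, Any]

# Constructed sample events shaped like winlogbeat 7.x Security-channel output.
SAMPLE_EVENTS: List[Event] = [
    {"winlog": {"channel": "Security", "event_id": 4624,
                "event_data": {"TargetUserName": "user1", "SubjectUserName": "SRV001$"}}},
    {"winlog": {"channel": "Security", "event_id": 4624,
                "event_data": {"TargetUserName": "alice", "SubjectUserName": "SRV001$"}}},
    {"winlog": {"channel": "Security", "event_id": 4663,
                "event_data": {"SubjectUserName": "SRV001$", "ProcessId": "0x2080",
                               "ProcessName": r"C:\Program Files\Graylog\sidecar\graylog-sidecar.exe"}}},
    {"winlog": {"channel": "Security", "event_id": 4663,
                "event_data": {"SubjectUserName": "bob", "ProcessId": "0x1a2b",
                               "ProcessName": r"C:\Windows\explorer.exe"}}},
]


def get_field(event: Event, path: str) -> Optional[Any]:
    """Resolve a dotted Beats field path; None when any segment is missing."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def evaluate(cond: Dict[str, Any], event: Event) -> bool:
    """Evaluate one condition: equals/contains/regexp/has_fields/and/or/not.

    Assumption: fields listed under one operator must all match (AND), and a
    missing field fails the match silently, which is what the thread observed.
    """
    if len(cond) != 1:
        raise ValueError("a condition object holds exactly one operator")
    (op, arg), = cond.items()
    if op == "or":
        return any(evaluate(c, event) for c in arg)
    if op == "and":
        return all(evaluate(c, event) for c in arg)
    if op == "not":
        return not evaluate(arg, event)
    if op == "has_fields":
        return all(get_field(event, f) is not None for f in arg)
    if op in ("equals", "contains", "regexp"):
        for field, expected in arg.items():
            value = get_field(event, field)
            if op == "equals":
                matched = value == expected
            elif op == "contains":
                matched = isinstance(value, str) and expected in value
            else:  # Beats uses RE2; Python's re agrees for this anchored pattern
                matched = isinstance(value, str) and re.search(expected, value) is not None
            if not matched:
                return False
        return True
    raise ValueError(f"unsupported condition operator: {op}")


def apply_drop_event(events: List[Event], when: Dict[str, Any]) -> List[Event]:
    """Return the events that survive a `drop_event.when: <when>` processor."""
    return [e for e in events if not evaluate(when, e)]


def graylog_field_names(event: Event, prefix: str = "") -> Dict[str, Any]:
    """Flatten nested keys with '_', the form in which Graylog displays them."""
    flat: Dict[str, Any] = {}
    for key, value in event.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(graylog_field_names(value, name + "_"))
        else:
            flat[name] = value
    return flat


# Conditions from the thread, written as the YAML deserializes them.
UNDERSCORE_NAME = {"contains": {"winlog.event_data_TargetUserName": "user1"}}  # matches nothing
DOTTED_NAME = {"contains": {"winlog.event_data.TargetUserName": "user1"}}
# YAML "C:\\Program Files\\..." (double-quoted) decodes to this single-backslash string.
SIDECAR_PATH = {"contains": {"winlog.event_data.ProcessName":
                             r"C:\Program Files\Graylog\sidecar\graylog-sidecar.exe"}}
SIDECAR_REGEX = {"regexp": {"winlog.event_data.ProcessName": r"sidecar\.exe$"}}
COMBINED = {"or": [DOTTED_NAME,
                   {"contains": {"winlog.event_data.SubjectUserName": "user2"}},
                   SIDECAR_REGEX]}

if __name__ == "__main__":
    for label, when in [("underscore", UNDERSCORE_NAME), ("dotted", DOTTED_NAME),
                        ("full path", SIDECAR_PATH), ("regexp", SIDECAR_REGEX),
                        ("combined", COMBINED)]:
        print(f"{label:10s} kept {len(apply_drop_event(SAMPLE_EVENTS, when))} of {len(SAMPLE_EVENTS)}")
    print(sorted(graylog_field_names(SAMPLE_EVENTS[0])))
```

Running it shows the underscore condition keeping all four events, which is the "no effect and no error" symptom from earlier in the thread, while the dotted path, the full process path and the anchored `sidecar\.exe$` regex each drop the intended event. When building a real filter, check the survivors the same way before deploying: a condition that silently matches nothing still lets the noise through, and one that is too broad (an unanchored `contains` on a short string) can drop Security events you wanted to keep.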

@maiconjs

Nice, and thanks for sharing your resolution with us. I’ve been watching this post to see how you’re executing this issue. This is good stuff :+1: If you could mark this as resolved for future searches that would be great :smiley:
