All,
What I’m trying to accomplish is to get alerts when a Service, Program or Human is accessing the firewall rules on individual Windows nodes.
I created 4 streams for accessing Windows Firewall called:
Firewall Rule has been added
    Rule: EventID must match exactly 2004 (A rule has been added to the Windows Firewall exception list.)
Firewall Rule has been deleted
    Rule: EventID must match exactly 2006
    Rule: Channel must match exactly Microsoft-Windows-Windows Firewall with Advanced Security/Firewall
Firewall Rule has been changed
    Rule: EventID must match exactly 2002 (A Windows Firewall setting has changed.)
Firewall Rule has been modified
    Rule: EventID must match exactly 2005 (A rule has been modified in the Windows Firewall exception list.)
My issue is that Windows Defender is adding and deleting rules using both EventID 2004 and 2006. This is good, but I don’t need notifications every hour on 1000 nodes.
full_message
A rule has been deleted in the Windows Defender Firewall exception list.
Deleted Rule:
Rule ID: {9A5EDB9D-5B48-4822-B9F5-A8DAB3B72F7E}
Rule Name: WinDefend Outbound for TCP
Modifying User: S-1-5-18
Modifying Application: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1911.3-0\MsMpEng.exe
What I tried to do:
My first attempt was on the streams “Firewall Rule has been added/deleted”. I looked for unique fields that I could make rules with to filter out the Windows Defender service(s). As a test I added and deleted a firewall rule. The only differences between the two messages, from my human access and from the service, were in “messages”: there were the names “WinDefend” and “MsMpEng.exe”. Adding a rule with “WinDefend” did not help, and I wanted to block Windows Defender messages from entering the stream, not add an exception. I’m not trying to drop Windows Defender messages. I just want those messages in a different stream with no alerts attached to it.
My second attempt to solve this was creating a pipeline rule as shown below.
Pipeline connections
This pipeline is processing messages from the stream “All messages”.
// Stage 0: tag any message whose text mentions the Defender service
rule "Windows Firewall exception list"
when
    contains(to_string($message.message), "WinDefend")
then
    set_field("windows_defender", true);
end

// Stage 1: send the tagged messages to a separate stream
rule "Firewall Route to stream"
when
    has_field("windows_defender")
then
    route_to_stream(id: "some_other_stream");
end
This works as expected, but the messages still go into the streams “Firewall Rule has been added” and “Firewall Rule has been deleted”, which means I still get a lot of alerts from those streams that are not needed.
Any advice, ideas or direction would be appreciated.
Thank you in advance.
My Environment:
CentOS 7 Latest Version
Graylog 3.3.2+
Elasticsearch-6.6.1-1.noarch
Mongodb-org-4.2.0
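As an added example (not from the post above, and not Graylog’s own sample code), one way to keep the Defender-generated 2004/2006 events out of the alerting streams while still indexing them: the first rule tags the event, the second routes it to a quiet stream and removes it from the two alerting streams. It assumes each `rule` block is created as its own rule (stage 0 and stage 1 of a pipeline connected to “All messages”), that the stream IDs in angle brackets are placeholders for your own, that the Pipeline Processor runs after the Message Filter Chain in System > Configurations > Message Processors (so stream matching has already happened when `remove_from_stream` runs), and that the event ID is in a field named `EventID` as in the stream rules.

```graylog
// Stage 0: tag Windows Firewall rule add/delete events generated by Windows Defender.
// Only EventID 2004 (rule added) and 2006 (rule deleted) are considered, so a
// human or other program touching the rules still reaches the alerting streams.
rule "Tag Windows Defender firewall rule changes"
when
    has_field("EventID") &&
    (to_string($message.EventID) == "2004" || to_string($message.EventID) == "2006") &&
    (contains(to_string($message.message), "WinDefend") ||
     contains(to_string($message.message), "MsMpEng.exe"))
then
    set_field("windows_defender", true);
end

// Stage 1: move tagged events to a non-alerting stream and pull them out of the
// two alerting streams. Stream IDs below are placeholders; use your own.
rule "Route Windows Defender firewall events"
when
    has_field("windows_defender")
then
    route_to_stream(id: "<windows-defender-firewall-stream-id>");
    remove_from_stream(id: "<firewall-rule-added-stream-id>");
    remove_from_stream(id: "<firewall-rule-deleted-stream-id>");
end
```

The `remove_from_stream` calls are the part the original pipeline was missing: `route_to_stream` adds a stream but never removes the ones the Message Filter Chain already matched.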