Filtering a Specific Message from a Stream

All,
What I’m trying to accomplish is to get alerts when a Service, Program or Human accesses the firewall rules on individual Windows nodes.
I created 4 streams for accessing Windows Firewall called:
Firewall Rule has been added
Rule: EventID must match exactly 2004 (A rule has been added to the Windows Firewall exception list.)

Firewall Rule has been deleted
Rule: EventID must match exactly 2006
Rule: Channel must match exactly Microsoft-Windows-Windows Firewall with Advanced Security/Firewall

Firewall Rule has been changed
Rule: EventID must match exactly 2002 (A Windows Firewall setting has changed)

Firewall Rule has been modified
Rule: EventID must match exactly 2005 (A rule has been modified in the Windows Firewall exception list)

My issue is that Windows Defender is adding and deleting rules using both EventID 2004 and 2006. This is good, but I don’t need notifications every hour on 1000 nodes.

full_message
A rule has been deleted in the Windows Defender Firewall exception list.

Deleted Rule:
	Rule ID:	{9A5EDB9D-5B48-4822-B9F5-A8DAB3B72F7E}
	Rule Name:	WinDefend Outbound for TCP
	Modifying User:	S-1-5-18
	Modifying Application:	C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1911.3-0\MsMpEng.exe

What I tried to do:
My first attempt was on the streams “Firewall Rule has been added/deleted”. I looked for unique fields that I could make rules with to filter out the Windows Defender service(s). As a test I added and deleted a firewall rule. The only differences between the two messages, from my human access and from the service, were in “message”: there were the names “WinDefend” and “MsMpEng.exe”. Adding a rule with “WinDefend” did not help, and I wanted to block Windows Defender messages from entering the stream, not add an exception. I’m not trying to drop Windows Defender messages. I just want those messages in a different stream with no alerts attached to it.

My Second attempt to solve this was creating a pipeline rule as shown below.

Pipeline connections
This pipeline is processing messages from the stream “All messages”.

rule "Windows Firewall exception list"
when
    // tag messages whose body mentions the Defender service
    contains(to_string($message.message), "WinDefend")
then
    set_field("windows_defender", true);
end

rule "Firewall Route to stream"
when
    has_field("windows_defender")
then
    // copy tagged messages into the quiet stream
    route_to_stream(id: "some_other_stream");
end

This works as expected, but the message still goes into the streams “Firewall Rule has been added” and “Firewall Rule has been deleted”, which means I still get a lot of alerts from those streams that are not needed.

Any advice, Ideas or direction would be appreciated.
Thank you in advance.

My Environment:
CentOS 7 Latest Version
Graylog 3.3.2+
Elasticsearch-6.6.1-1.noarch
Mongodb-org-4.2.0

Hey,

As far as I can tell, you end up with the message in both streams because route_to_stream doesn’t move a message to a different stream by default; it just duplicates it: https://docs.graylog.org/en/3.3/pages/pipelines/functions.html#route-to-stream

Try using: route_to_stream(id: "some_other_stream", remove_from_default: true);
That should take the message out of the default stream and stop it from matching the stream rules you have set up, as long as everything else is configured correctly.

@MajesticCo
Thank you for the reply,
Even though I move the message from, let’s say, stream A to stream B, once it hits stream A it triggers a notification. Stream A collects any EventID 2006 (Windows Firewall rule was deleted). Unfortunately, during my testing on how I can modify stream A to filter out Windows Defender messages, I was unable to find any unique field between the user and the service on this particular message.
So basically I have two messages, one from a user and another from a service, with no unique fields. In most cases of a situation like this, where the same Windows Event ID is in different messages, I would create an extra rule to narrow it down. This is where I’m stuck. How can I solve this problem?

EXAMPLE:
Backup Job Application Finished Warning
EventID must match exactly 150
Severity must match exactly WARNING

So, I may have solved this issue. Digging deeper in Windows Events and Regedit, I found something that I can use that I had overlooked. A security identifier (SID) is a unique value of variable length that is used to identify a security principal (such as a security group) in Windows operating systems. SIDs that identify generic users or generic groups are particularly well known. Their values remain constant across all operating systems. By using the SID, this filters Windows Defender out of stream “A”, and with the pipeline rule from above it will direct all those messages to a custom stream called “Windows: Firewall for Windows Defender”. Adding new rules to filter out what I need:

Windows: Firewall Rule has been added
EventID must match exactly 2004 (A rule has been added to the Windows Firewall exception list.)
UserID must match exactly S-1-5-19
ModifyingUser must match exactly S-1-5-21

Windows: Firewall Rule has been deleted
EventID must match exactly 2006
UserID must match exactly S-1-5-19 # (%systemroot%\ServiceProfiles\LocalService)
ModifyingUser must contain S-1-5-21 # (Domain user)

With the custom stream for collecting Windows Defender messages, I added some widgets for a quick overview as shown below.


If there is an easier way to accomplish this, or something I have overlooked, I am open to any suggestion.
Willing to learn something new.
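
The routing decision the thread converges on, written out as a stand-alone Python example rather than as Graylog stream rules or pipeline code (this is an added example, not code from the original poster or from Graylog): parse the Modifying User SID and Modifying Application out of full_message and send service principals to the quiet stream without alerting, while user accounts (S-1-5-21-...) still alert. The event dict shape, the stream names, the sample events and the S-1-5-80 principal in the third event are assumptions made up for this example; the first sample event is modelled on the Defender message quoted in the thread.

```python
"""Route Windows Firewall rule-change events by the SID of the principal that
made the change. Added example; not Graylog code and not the poster's code."""
import re

# Well-known service SIDs (documented by Microsoft); constant on every host.
SERVICE_SIDS = {
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
}
# Domain or local accounts: S-1-5-21-<three sub-authorities>-<RID>.
# A real account SID is never the bare string "S-1-5-21", so test the
# prefix/shape rather than exact equality.
USER_SID_RE = re.compile(r"^S-1-5-21(-\d+){4}$")

# EventIDs from the Windows Firewall With Advanced Security/Firewall channel.
FIREWALL_EVENT_IDS = {2004: "added", 2005: "modified", 2006: "deleted"}

# "Key:<tab>Value" lines in the event body.
FIELD_RE = re.compile(
    r"^\s*(Rule ID|Rule Name|Modifying User|Modifying Application):\s*(.+?)\s*$",
    re.M,
)

QUIET_STREAM = "Windows: Firewall for Windows Defender"  # stream name from the thread


def parse_full_message(text):
    """Extract Rule ID / Rule Name / Modifying User / Modifying Application."""
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(text)}


def classify_sid(sid):
    """'service' for well-known service SIDs, 'user' for S-1-5-21 accounts, else 'unknown'."""
    if sid in SERVICE_SIDS:
        return "service"
    if USER_SID_RE.match(sid):
        return "user"
    return "unknown"


def route(event):
    """Return (stream, alert) for one event, or None for non-rule-change events.

    Service principals go to the quiet stream with no alert. Users alert.
    Unknown principals alert too: an unrecognised SID editing firewall rules
    is exactly the case you do not want to silence (fail closed).
    """
    kind = FIREWALL_EVENT_IDS.get(event["event_id"])
    if kind is None:
        return None
    fields = parse_full_message(event["full_message"])
    actor = classify_sid(fields.get("Modifying User", ""))
    if actor == "service":
        return QUIET_STREAM, False
    return f"Windows: Firewall Rule has been {kind}", True


def route_all(events):
    return [route(e) for e in events]


# Constructed sample events (assumed shape: event_id + full_message).
SAMPLE_EVENTS = [
    {   # modelled on the Defender event quoted in the thread
        "event_id": 2006,
        "full_message": (
            "A rule has been deleted in the Windows Defender Firewall exception list.\n\n"
            "Deleted Rule:\n"
            "\tRule ID:\t{9A5EDB9D-5B48-4822-B9F5-A8DAB3B72F7E}\n"
            "\tRule Name:\tWinDefend Outbound for TCP\n"
            "\tModifying User:\tS-1-5-18\n"
            "\tModifying Application:\tC:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.1911.3-0\\MsMpEng.exe\n"
        ),
    },
    {   # constructed: an interactive domain user adding a rule with netsh
        "event_id": 2004,
        "full_message": (
            "A rule has been added to the Windows Defender Firewall exception list.\n\n"
            "Added Rule:\n"
            "\tRule ID:\t{11111111-2222-3333-4444-555555555555}\n"
            "\tRule Name:\tAllow my tool\n"
            "\tModifying User:\tS-1-5-21-1111111111-2222222222-3333333333-1001\n"
            "\tModifying Application:\tC:\\Windows\\System32\\netsh.exe\n"
        ),
    },
    {   # constructed: a principal the classifier does not recognise
        "event_id": 2005,
        "full_message": "Modified Rule:\n\tRule Name:\tX\n\tModifying User:\tS-1-5-80-1234\n",
    },
    {"event_id": 2002, "full_message": "A Windows Defender Firewall setting has changed."},
]


if __name__ == "__main__":
    for ev, decision in zip(SAMPLE_EVENTS, route_all(SAMPLE_EVENTS)):
        print(ev["event_id"], decision)
```

Two points worth carrying back into the Graylog configuration: a full account SID always has the form S-1-5-21-...-RID, so a stream rule on that value has to be a "contains" or prefix test, never an exact match; and the Defender event quoted in the thread carries S-1-5-18 (LocalSystem) while the final stream rules key on S-1-5-19 (LocalService), so the example treats S-1-5-18, S-1-5-19 and S-1-5-20 alike as service principals. Also note that Graylog evaluates its message processors in a configurable order: if the Message Filter Chain (stream rules) runs before the Pipeline Processor, stream rules have already matched by the time route_to_stream runs, whatever remove_from_default is set to.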
