Help with Winlogbeat config

Hello, I just cannot find the right way to write it… Hope someone can help me.

tags:
  - windows
winlogbeat:
  event_logs:
    - name: Security
      event_id: 4625,4624
      processors:
        - drop_fields:
            fields: ["message"]
------------ until here it works ---------------

Now I want to add…
(the reason is… I only want to know if an administrator's login is successful)

        # added under the same processors: list as drop_fields; the processor-level
        # field names are winlog.event_id and winlog.event_data.TargetUserName
        - drop_event:
            when:
              and:
                - equals:
                    winlog.event_id: 4624
                - not:
                    or:
                      - contains:
                          winlog.event_data.TargetUserName: "Administrator"
                      - contains:
                          winlog.event_data.TargetUserName: "root"
                      - contains:
                          winlog.event_data.TargetUserName: "Admin"

but I only get errors at that line in the yml conf… no matter how I try to write it…

Nobody ?? :confused:

hey @xxstyler20xx

I guess that many people use that differently. So you either have a light configuration that collects data following common patterns:

fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
  hosts: ["${user.BeatsInput}"]

path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs

winlogbeat.event_logs:
  - name: Application
    level: critical, error, warning
    ignore_older: 48h
  - name: Security
    processors:
      # keep only the listed event IDs, drop everything else
      - drop_event.when.not.or:
          - equals.event_id: 129
          - equals.event_id: 141
          - equals.event_id: 1102
          - equals.event_id: 4648
          - equals.event_id: 4657
          - equals.event_id: 4688
          - equals.event_id: 4697
          - equals.event_id: 4698
          - equals.event_id: 4720
          - equals.event_id: 4738
          - equals.event_id: 4767
          - equals.event_id: 4728
          - equals.event_id: 4732
          - equals.event_id: 4634
          - equals.event_id: 4735
          - equals.event_id: 4740
          - equals.event_id: 4756
    level: critical, error, warning, information
    ignore_older: 48h
  - name: System
    processors:
      - drop_event.when.not.or:
          - equals.event_id: 129
          - equals.event_id: 1022
          - equals.event_id: 1033
          - equals.event_id: 1034
          - equals.event_id: 4624
          - equals.event_id: 4625
          - equals.event_id: 4633
          - equals.event_id: 4719
          - equals.event_id: 4738
          - equals.event_id: 7000
          - equals.event_id: 7022
          - equals.event_id: 7024
          - equals.event_id: 7031
          # equals takes a single value, so a range has to be spelled out
          - equals.event_id: 7034
          - equals.event_id: 7035
          - equals.event_id: 7036
          - equals.event_id: 7040
          - equals.event_id: 7045
    level: critical, error, warning
    ignore_older: 48h

It does cover the primary use cases for Pass-the-Hash type of internal lateral movement. The event IDs are pulled from advice given by Microsoft and the aging NSA paper: https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm

Or you use heavy logging with Sysmon and much more data. So sorry that I can’t help you here with your exact use case.
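Added example, not code from either post or from Winlogbeat: a small Python model of the Beats condition language (and/or/not/equals/contains) that `drop_event.when` uses in both configs above, with the rule from the question (keep 4624 only for admin account names) run over constructed sample events. The Winlogbeat 7.x field layout and the sample events are assumptions.

```python
"""Model of the Beats drop_event condition language (and/or/not/equals/contains).
Constructed example, not Winlogbeat code: lets the rule from the thread be
checked against sample events before it goes into winlogbeat.yml."""

def get_field(event, dotted):
    """Resolve a dotted field name such as winlog.event_data.TargetUserName."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches(cond, event):
    """Evaluate one condition node (a single-key dict) against an event."""
    (op, arg), = cond.items()
    if op == "and":
        return all(matches(c, event) for c in arg)
    if op == "or":
        return any(matches(c, event) for c in arg)
    if op == "not":
        return not matches(arg, event)
    if op == "equals":
        return all(get_field(event, f) == v for f, v in arg.items())
    if op == "contains":  # substring match, like the Beats 'contains' condition
        return all(isinstance(get_field(event, f), str) and v in get_field(event, f)
                   for f, v in arg.items())
    raise ValueError(f"unsupported condition: {op}")

# drop_event.when for the question's use case: drop successful logons (4624)
# unless TargetUserName contains one of the admin account names.
DROP_WHEN = {"and": [
    {"equals": {"winlog.event_id": 4624}},
    {"not": {"or": [{"contains": {"winlog.event_data.TargetUserName": name}}
                    for name in ("Administrator", "root", "Admin")]}},
]}

def kept_events(events, drop_when=DROP_WHEN):
    """Return the events a drop_event processor with this condition passes on."""
    return [e for e in events if not matches(drop_when, e)]

# Constructed sample events in Winlogbeat 7.x field layout (assumed).
SAMPLE_EVENTS = [
    {"winlog": {"event_id": 4624, "event_data": {"TargetUserName": "bob"}}},
    {"winlog": {"event_id": 4624, "event_data": {"TargetUserName": "Administrator"}}},
    {"winlog": {"event_id": 4625, "event_data": {"TargetUserName": "bob"}}},
    {"winlog": {"event_id": 4624, "event_data": {"TargetUserName": "svc-Admin"}}},
]
```

Note that `contains` is a substring test, so "Admin" also keeps logons such as "svc-Admin"; use `equals` with the exact account names if only those accounts should pass.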