Hello, I just cannot find the right way to write it… Hope someone can help me.
```yaml
tags:
  - windows
winlogbeat:
  event_logs:
    - name: Security
      event_id: 4625,4624
      processors:
        - drop_fields:
            fields: ["message"]
```
------------ until here it works---------------
Now I want to add…
(the reason is that I only want to know if an administrator's login is successful)
```yaml
        - drop_event:
            when:
              - equals.event_id: 4624
              - regexp:
                  winlog.event_data.TargetUserName: '.*$'
              - not contains:
                  winlog.event_data.TargetUserName: "Administrator" OR
                  winlog.event_data.TargetUserName: "root" OR
                  winlog.event_data.TargetUserName: "Admin"
```
but I only get errors at that line in the yml conf… no matter how I try to write it…
jan (Jan Doberstein)
hey @xxstyler20xx
I guess that many people use that differently. So you either have a light configuration that collects data following common patterns:
```yaml
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
# sidecar variable is written with a dot (sidecar.nodeId), not a comma
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
  hosts: ["${user.BeatsInput}"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
winlogbeat.event_logs:
  - name: Application
    level: critical, error, warning
    ignore_older: 48h
  - name: Security
    processors:
      # keep only the listed event IDs, drop everything else
      - drop_event.when.not.or:
          - equals.event_id: 129
          - equals.event_id: 141
          - equals.event_id: 1102
          - equals.event_id: 4648
          - equals.event_id: 4657
          - equals.event_id: 4688
          - equals.event_id: 4697
          - equals.event_id: 4698
          - equals.event_id: 4720
          - equals.event_id: 4738
          - equals.event_id: 4767
          - equals.event_id: 4728
          - equals.event_id: 4732
          - equals.event_id: 4634
          - equals.event_id: 4735
          - equals.event_id: 4740
          - equals.event_id: 4756
    level: critical, error, warning, information
    ignore_older: 48h
  - name: System
    processors:
      - drop_event.when.not.or:
          - equals.event_id: 129
          - equals.event_id: 1022
          - equals.event_id: 1033
          - equals.event_id: 1034
          - equals.event_id: 4624
          - equals.event_id: 4625
          - equals.event_id: 4633
          - equals.event_id: 4719
          - equals.event_id: 4738
          - equals.event_id: 7000
          - equals.event_id: 7022
          - equals.event_id: 7024
          - equals.event_id: 7031
          # "equals" cannot express a span like 7034-7036; use a range condition
          - range:
              event_id.gte: 7034
              event_id.lte: 7036
          - equals.event_id: 7040
          - equals.event_id: 7045
    level: critical, error, warning
    ignore_older: 48h
```
It does cover the primary use cases for Pass-the-Hash types of internal lateral movement. The event IDs are pulled from advice given by Microsoft and the aging NSA paper: https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm
Or you use heavy logging with Sysmon and much more data. So sorry that I can't help you here with your exact use case.
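For the original question (keep failed logons, keep successful logons only for administrative accounts), here is an added example of how the `drop_event` condition is written in Winlogbeat's processor syntax. It is not code from either post. It keeps the questioner's field names (`event_id` as an integer, `winlog.event_data.TargetUserName`) and the account names from the question; on Winlogbeat 7.x and later the event id is under `winlog.event_id`, and on 6.x the user name is under `event_data.TargetUserName`, so adjust the paths to the version in use.

```yaml
# Added example, not part of the original posts. Assumes the questioner's
# field names; check them against the Winlogbeat version actually deployed.
tags:
  - windows

winlogbeat:
  event_logs:
    - name: Security
      event_id: 4624, 4625
      processors:
        - drop_fields:
            fields: ["message"]
        # Drop a 4624 (successful logon) unless the target account is one of
        # the administrative names. 4625 (failed logon) never matches the
        # first operand of the "and", so every failed logon is kept.
        - drop_event:
            when:
              and:
                - equals:
                    event_id: 4624
                - not:
                    or:
                      - contains:
                          winlog.event_data.TargetUserName: "Administrator"
                      - contains:
                          winlog.event_data.TargetUserName: "root"
                      # case-sensitive substring match; "Admin" already covers
                      # "Administrator", the first entry is kept for readability
                      - contains:
                          winlog.event_data.TargetUserName: "Admin"
```

The question's version fails to parse because `when` takes one mapping (a single condition such as `equals`, `contains`, `regexp`, `range`, or one of the operators `and`, `or`, `not`), not a YAML list, and `not contains` and a trailing `OR` are not keys Winlogbeat knows; `not` wraps exactly one condition, which here is an `or` list. Jan's `drop_event.when.not.or:` is the same structure written in dotted form. If case-insensitive matching is wanted, a single `regexp` condition with `winlog.event_data.TargetUserName: '(?i)admin'` can replace the three `contains` entries (Go regular-expression syntax).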
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.