How can I filter from a sub-field of a Windows Event?

Hello all! I’ve been searching online for a solution to my issue but I’m not finding anything that’s been helpful unfortunately so I decided to ask here. My apologies beforehand if this is a common issue.

I recently inherited our cyber security duties and I’m trying to make an event with a notification for Event ID 4659 which shows when someone has deleted or accessed a file. The backlog of this message shows the field I need: Accesses. This field in the event shows what action was taken on a file, so I’m trying to make a custom field that pulls the string from this field so I can essentially hide the backlog message and produce a nice email definition.

The actual event when shown in XML or in friendly view shows the data fields I can pull from. So in my event definition I can do something like ${source.AccessList} for example and it will pull that field. No problems there. The issue is when I try to pull from the Accesses field, nothing is populated. After looking in the event details, Accesses isn’t one of the data fields. I don’t even know how it’s being populated:

How can I make a custom field that reads the Accesses field? Currently I have it reading from full_message but this shows a ton of other garbage from the event.

Our server runs Graylog Free Enterprise 4.2.13-1 on Ubuntu 20.04 LTS. I tried making a Grok Pattern to use regex to capture it that way but I don’t know how to apply it in the notification. If anyone can help I would greatly appreciate it!

You have a couple of options, you could use grok or regex to extract that sentence from the full_message field, and then store that into another field during ingestion, you then will have that field available to you for your event. Doing regex in large multi-lines like that can be tricky though.

The other option is that there should be a field containing the accesses IDs; they look something like this: Microsoft Windows Security Audit Event Accesses IDs – Ivan's Corner. You could use a lookup table to a CSV file to do a translation of the ID to the matching description, and then store the description in the field.


Luckily it’s only one field. I made a Grok pattern called ACCESSESDELETE that looks like this: (?i)Accesses: DELETE and confirmed that a sample matches:

So you’re saying I should be able to use %{ACCESSESDELETE} to match the string in the events? Where do I actually use that? Inside the notification it seems to get completely ignored unless I’m not using it correctly, and setting it in the Template options for the custom field I have in the event definition causes that field to not even be displayed in the email notification.

You cannot do grok at alert time, you have to do the work of finding it at ingestion time. You can either extract the value of the accesses into a field like Field: accesses value: delete, or have a boolean field that is field:was_this_a_delete value:true. Then in your event you can either search on field values to find something, or pull field values into the notification. But once you have hit that event you cannot transform that data in any way, it has to have already happened in pipeline rules when it was ingested, and then you are just reading the values.

Starting to think this is beyond my scope of understanding.

By ingestion, you mean as Graylog processes the events through the pipeline? Does that mean I should be looking at pipeline rules instead?

Yep exactly. You can probably do this in one single pipeline rule. There is a bit of a learning curve to them, but once you get the basics they are what really makes Graylog sing.

Thank you for the help. I will look into learning the syntax needed to make this work.

Okay, I think I’m getting somewhere, this time I’m just checking for the Access List value since the Access List values are more unique. I created a new pipeline rule and inserted it into my pipeline and I can see every time I trigger Event ID 4659 the pipeline rule shows 1 message being processed but I am not seeing a new field to pull the data from.

Here is my rule:

rule "match Accesses DELETE"
when
  has_field("AccessList") 
then
  let accesses = regex("%%1537", to_string($message.message));
  set_field("ActionTaken", accesses["1"]);
end

However, I don’t see the “Action Taken” field inside the event after it’s processed. I can select it if I try to export the event to a CSV but the field is empty. What am I doing wrong here? This is my notification body:

Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
ActionTaken:             ${event.ActionTaken}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
Full Message: ${message}
${end}
${end}

What are you trying to capture with your regex? There is no capture group, so it may be matching those characters, but it isn’t capturing any value to place into a field.

I’m just trying to capture the Access List value inside the event and set the Action Taken field to Delete as long as the Access List value is %%1537. That value specifies an attempted deletion. Then I want to be able to display that field inside my email notification. I could simply display the backlog and see everything but I’m trying to make the email notification clean and summarized instead.

I’m not sure what you mean by capture group. Is that an argument for the regex function?

So if you just need to know if that value is there you could use something like

when
  has_field("message") AND
  regex(pattern: "^.{16383,}$", value: to_string($message.message)).matches == true
then
  set_field("was_delete", "true");
end

(With your own regex in the pattern etc)

If you need to actually get a value with regex, capture groups, which are just (), tell regex what to actually store; so for example "%%(\d+)" would store the number in the variable but not the percent signs.

Hello @BarryBurton,

Why bother wasting time and giving yourself a headache creating regex when Winlogbeat does the work for you?

I know writing regex can be a challenge (and give some achievement happiness) but I suggest you use the Winlogbeat agent for Windows logs as it parses and extracts all the “subfields” of Windows Events automatically.


  • Take a look at my Winlogbeat Sidecar configuration:
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["graylog.lab.lan:5044"]

path.data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
path.logs: C:\Program Files\Graylog\sidecar\logs
path.module: C:\Program Files\Graylog\sidecar\module

winlogbeat.event_logs:

#FileSystem Monitor
 
   - name: Security
     event_id: 4656, 4663, 4670, 4907, 5140, 5142-5145
     ignore_older: 24h
     tags: [filesystem]
     processors:
       - script:
          lang: javascript
          id: security
          file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js
       - drop_event.when.not.or:
           - equals.winlog.event_data.ObjectType: "File"
       - drop_event.when.or:
           - regexp.winlog.event_data.winlog_task: 'Authorization Policy Change'
           - regexp.winlog.event_data.winlog_task: 'Audit Policy Change'
           - equals.winlog.event_data.winlog_task: "Registry"
           - equals.winlog.event_data.winlog_task: "Kernel Object"
           - equals.winlog.event_data.SubjectUserSid: 'S-1-5-18'
           - equals.winlog.event_data.SubjectUserSid: 'S-1-5-19'
           
           #cant see the diff between human/computer action opening a folder, too many logs
           - regexp.winlog.event_data.AccessList: '^%%4416.*'
           
           # dont need to know who read which permission
           - regexp.winlog.event_data.AccessList: '^%%1538.*'
           - regexp.winlog.event_data.AccessList: '^%%1539.*'
           - regexp.winlog.event_data.AccessList: '^%%1542.*'
           
           #we dont need to monitor synchronize status event
           - regexp.winlog.event_data.AccessList: '^%%1541.*'
           
           
           #we do not need to know who read/write extended attribute
           - regexp.winlog.event_data.AccessList: '^%%4419.*'
           - regexp.winlog.event_data.AccessList: '^%%4420.*'
           
           #computers always executing dll which gives too many logs
           - regexp.winlog.event_data.AccessList: '^%%4421.*'
           
           #too many logs for ReadAttributes event, on everyaction, it reads attribute
           - regexp.winlog.event_data.AccessList: '^%%4423.*'
           - regexp.winlog.event_data.AccessList: '^%%4424.*'
           
           #dont need to know some activites automated by the system using user permission
           - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\Windows.*'
           - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\PenWorkspace.*'
           - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\CLR_v4.0.*'
           - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\Internet Explorer\\CacheStorage.*'
           - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\Windows\\Recent\\AutomaticDestinations.*'
           - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Packages.*'
           - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Google\\Chrome\\User Data.*'
           - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Google\\Chrome\\Application\\SetupMetrics.*'
           - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data.*'
           - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\Edge\\User Data.*'
           - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\[a-zA-Z0-9._~-]+\\cache2.*'
           - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Temp.*'
           - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\D3DSCache.*'
           - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Microsoft\\Windows\\DeliveryOptimization.*'
           - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\ProgramData\\NVIDIA Corporation\\Drs.*'
           - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\ProgramData\\USOShared\\Logs.*'
           - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Windows\\Logs.*'
           - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Windows\\System32\\LogFiles.*'
           - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\Token\\Cache.*'
           - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Roaming\\Microsoft.*'
           - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache.*'
           
           
           #dont need to know recycle bin activites, we already have the Delete event (%%1537)
           - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\\$Recycle.Bin.*'

          

     
##### ******* Windows OS ******** #######
   - name: Security
     event_id: 4608, 4610, 4611, 4614, 4622, 4697, 4719, 4817, 4826, 4902, 4904, 4905, 4906, 4908, 4912
     ignore_older: 48h
     tags: [windowsos]
     processors:
      - script:
          lang: javascript
          id: security
          file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js
      - drop_event.when:
           and:
             - equals.winlog.event_data.SubjectUserSid: 'S-1-5-18'


   - name: System
     event_id: 12, 13, 1074
     ignore_older: 24h
     tags: [windowsos]
     provider: 
       - Microsoft-Windows-Kernel-General
       - USER32
     
   - name: System
     event_id: 16962, 16965, 16968, 16969, 41, 1001, 6008, 4621
     ignore_older: 24h
     tags: [windowsos]     
     
   - name: Microsoft-Windows-SMBServer/Audit
     event_id: 3000
     ignore_older: 24h
     tags: [windowsos]     
     provider: 
       - Microsoft-Windows-SMBServer
       
##### ******* Windows USB ******** #######
   - name: Microsoft-Windows-DriverFrameworks-UserMode/Operational
     level: 'critical, error'
     event_id: 2003, 2102
     ignore_older: 24h
     tags: [windowsusb]
    
   - name: Microsoft-Windows-Kernel-PnP/Configuration
     tags: [windowsusb]
     processors:
       - drop_event.when.not:
           and:
             - equals.winlog.event_data.DriverName: "usbstor.inf"
           
     event_id: 400, 410
     ignore_older: 24h
     tags: [windowsusb]
     level: information
     provider: 
       - Microsoft-Windows-Kernel-PnP
       
     
   - name: Security
     event_id: 6416, 6419-6424
     ignore_older: 24h
     tags: [windowsusb]
     processors:
      - script:
          lang: javascript
          id: security
          file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js
          
      - drop_event.when.or:
           - regexp.winlog.event_data.DeviceDescription: '^Microsoft Print to PDF.*'
           - regexp.winlog.event_data.DeviceDescription: '^Microsoft XPS Document Writer.*'
           - regexp.winlog.event_data.DeviceDescription: '^Generic Non-PnP Monitor.*'
           
          
          
     
     
##### ******* Windows Registry ******** #######

   - name: Security
     event_id: 4657
     ignore_older: 24h
     tags: [windowsregistry]
     processors:
       - script:
          lang: javascript
          id: security
          file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js
       - drop_event.when.not.or:
           - equals.winlog.event_data.OperationType: '%%1904'
           - equals.winlog.event_data.OperationType: '%%1905'
           - equals.winlog.event_data.OperationType: '%%1906'
       - drop_event.when.not.or:
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup.*'
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Shutdown.*'
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell.*'
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.*'
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run.*'
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.*'
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce.*'
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components.*'
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components.*'
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services.*'
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler.*'
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler.*'
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellServiceObjects.*'
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellServiceObjects.*'
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad.*'
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad.*'
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Drive\\ShellEx\\ContextMenuHandlers.*'
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Directory\\ShellEx\\ContextMenuHandlers.*'
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Directory\\ShellEx\\DragDropHandlers.*'
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Directory\\ShellEx\\CopyHookHandlers.*'
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Directory\\Background\\ShellEx\\ContextMenuHandlers.*'
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\ContextMenuHandlers.*'
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\DragDropHandlers.*'
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers.*'
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers.*'
           - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\WinLogon\\GPExtensions.*'

##### ******* Windows Firewall ******** #######

   - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
     event_id: 2002, 2004, 2005, 2006, 2009, 2033, 2099, 2097, 2010
     ignore_older: 24h
     tags: [windowsfirewall]
     level: err, info
     provider:
       - Microsoft-Windows-Windows Firewall With Advanced Security
       
       
   - name: Security
     event_id: 4944-4954, 4956-4958, 5024, 5025, 5037, 5027-5030, 5032-5035, 5031, 5150, 5151, 5154-5157, 5159
     ignore_older: 24h
     tags: [windowsfirewall]
     processors:
      - script:
          lang: javascript
          id: security
          file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js
      - drop_event.when.or:
          - regexp.winlog.event_data.DestAddress: '239.255.255.250'
          - regexp.winlog.event_data.DestAddress: '((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?'
          - regexp.winlog.event_data.Application: 'dns.exe'

          
##### ******* Windows Service ******** #######

   - name: System
     event_id: 7022-7024, 7026, 7031, 7032, 7034, 7040, 7045
     ignore_older: 24h
     tags: [windowsservice]
     level: err, info, crit, warn
     provider:
       - Service Control Manager
     processors:
       - drop_event.when.or:
           - regexp.winlog.event_data.param1: '^Programme d’installation pour les modules Windows.*'
           - regexp.winlog.event_data.param1: '^Service de transfert intelligent en arrière-plan.*'
       

##### ******* Windows EventLog ******** #######

   - name: System
     event_id: 104
     ignore_older: 24h
     tags: [windowseventlog]
     level: info
     provider:
       - Microsoft-Windows-Eventlog
       
   - name: Security
     event_id: 1100, 1104, 1105, 1108
     ignore_older: 24h
     tags: [windowseventlog]
     processors:
      - script:
          lang: javascript
          id: security
          file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js
     
   - name: Security
     event_id: 1102
     ignore_older: 24h
     tags: [windowseventlog]
     level: info
     provider:
       - Microsoft-Windows-Eventlog
     processors:
      - script:
          lang: javascript
          id: security
          file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js
    

##### ******* Windows PowerShell ******** #######
   - name: Windows PowerShell
     event_id: 400, 403, 600, 800
     ignore_older: 48h
     tags: [powershell-legacy]
     processors:
      - script:
          lang: javascript
          id: powershell
          file: C:\Program Files\Graylog\sidecar\module\powershell\config\winlogbeat-powershell.js
     
     
   - name: Microsoft-Windows-PowerShell/Operational
     event_id: 4103, 4105, 4106
     ignore_older: 48h
     tags: [powershell]
     processors:
      - script:
          lang: javascript
          id: powershell
          file: C:\Program Files\Graylog\sidecar\module\powershell\config\winlogbeat-powershell.js
      - drop_event.when.or:
          - equals.winlog.event_id: 4104
          - equals.winlog.event_id: 4100
          - equals.winlog.event_id: 32784
        

##### ******* Windows Privilege ******** #######

   - name: Security
     event_id: 4673, 4674, 4985
     ignore_older: 24h
     tags: [windowsprivilege]
     processors:
      - script:
          lang: javascript
          id: security
          file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js
     
##### ******* Windows Process ******** #######
          
   - name: Security
     event_id: 4688, 4689
     ignore_older: 24h
     tags: [windowsprocess]
     processors:
      - script:
          lang: javascript
          id: security
          file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js
     
##### ******* Windows Task ******** #######

   - name: Microsoft-Windows-TaskScheduler/Operational
     event_id: 106, 129, 141, 142, 200, 201
     ignore_older: 24h
     tags: [windowstask]
     provider:
       - Microsoft-Windows-TaskScheduler
       
   - name: Security
     event_id: 4698-4702
     ignore_older: 24h
     tags: [windowstask]
     processors:
      - script:
          lang: javascript
          id: security
          file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js
 
 
##### ******* DNS Client ******** #######

   - name: Microsoft-Windows-DNS-Client/Operational
     event_id: 3006, 3008, 3010, 3018
     ignore_older: 24h
     tags: [windowsdnsclient]
     processors:
       - drop_event.when:
           or:
            - equals.winlog.event_data.QueryOptions: '140737488355328'
            - equals.winlog.event_data.QueryResults: ''

##### ******* Windows RDP ******** #######

   - name: Microsoft-Windows-TerminalServices-RDPClient/Operational
     ignore_older: 24h
     tags: [windowsrdp]
     level: crit, error, info, warn
     
   - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
     ignore_older: 24h
     tags: [windowsrdp]
     level: crit, error, info, warn
     

##### ******* Account Lockout & Auth ******** #######
   - name: Security
     event_id: 4624-4627, 4634, 4647, 4649, 4672, 4675, 4740, 4774-4779, 4800-4803, 4964, 5378
     level: info
     ignore_older: 24h
     tags: [auth]
     provider:
       - Microsoft-Windows-Security-Auditing
     processors:
       - script:
          lang: javascript
          id: security
          file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js
       - drop_event.when:
           or:
             - equals.winlog.event_data.TargetUserSid: 'S-1-5-18'
             - regexp.winlog.event_data.TargetUserName: '.*\$' 
    
       
       
##### ******* Windows Defender ******** #######

   - name: Microsoft-Windows-Windows Defender/Operational
     event_id: 1006-1009, 1116-1119
     ignore_older: 24h
     tags: [windowsdefender]

And the sidecar configuration on your Windows host:

server_url: "https://graylog.lab.lan/api"
server_api_token: "paste_your_token_here"
node_id: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
node_name: ""
update_interval: 10
# tls_skip_verify disables certificate checking for server_url; lab use only
tls_skip_verify: true
send_status: true
tags: 
  - winlogbeat
  - filebeat-windows-firewall

collector_binaries_accesslist:
  - "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"
  - "C:\\Program Files\\Graylog\\sidecar\\filebeat.exe"

Also make sure to have the Winlogbeat Modules:

Winlogbeat Modules, especially the security module, allow Winlogbeat to extract from the XML directly and extract more data.

Okay, here’s what I have for a pipeline rule now since I’m getting more comfortable. I’ve gone back to checking for the Accesses field:

rule "match Accesses DELETE"
when
  has_field("message") AND
  regex(pattern: "(?i)Accesses: DELETE", value: to_string($message.message)).matches == true
then
  set_field(field: "ActionTaken", value: "Delete");
end

However I’m still not seeing the ActionTaken field populated with “Delete” if I export the event. The regex works, I have tested it on regex101 using the contents of full_message and it matches what I need just fine, yet there is nothing added to the actual event:

Here is my pipeline settings. I only have one:

I really don’t understand what I’m doing wrong at this point. My thought process is if I can get the actual event to show the ActionTaken field, then I should be able to display it in a notification using ${message.ActionTaken}. Am I correct to think that?

You are correct on that last point. Can you post a copy of the message field (take out anything sensitive) and I’ll try it in my lab and see what’s up.

Here is the full_message field from the event:

full_message:
A handle to an object was requested with intent to delete.

Subject:
	Security ID:		example
	Account Name:		user01
	Account Domain:		fabrikam.com
	Logon ID:		0xD0000000

Object:
	Object Server:	Security
	Object Type:	File
	Object Name:	I:\My Share\example.txt

Process Information:
	Process ID:	0x4

Access Request Information:
	Transaction ID:	{00000000-0000-0000-0000-000000000000}
	Accesses:	DELETE
				ReadAttributes
				
	Access Mask:	0x10080
	Privileges Used for Access Check:	-

Here is the message field from the event:

message:
A handle to an object was requested with intent to delete.

Su

Not sure why message is malformed like that at the end with Su.

Hello! I managed to figure it out. Using the Simulator I could see that my rule was working, it was setting the ActionTaken field to Delete as defined in my pipeline rule:

rule "match Accesses DELETE"
when
  has_field("message") AND
  regex(pattern: "(?i)DELETE", value: to_string($message.message)).matches == true
then
  set_field(field: "ActionTaken", value: "Delete");
end

However, ActionTaken is already a field. I don’t think I am able to set a field that already exists? I changed my pipeline rule to set the “Action” field instead and now I see it inside the actual Event and can call it in the notification using ${source.Action} without issue.

Awesome! Yes you can set a field that is already there, it just overwrites it.

Also you will need to do some careful testing because this value is nasty as it can contain more than one value in a single message. In your example it contains both delete and readattributes but I’m not sure there is a guarantee even what order they may be in, or how many values there could be in any message.
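The multi-value problem in the reply above, worked through in Python as an added example (not code from the thread or from Graylog): it parses the Accesses block of the quoted 4659 message and a constructed 4663 message, compares an exact-token check with the thread's `(?i)DELETE` match, and decodes raw AccessList codes the way the lookup-table suggestion earlier in the thread would. The sample messages, account values and paths are constructed, and the code table only holds the two codes the thread itself identifies.

```python
"""Parse the multi-value "Accesses" block of a Windows object-access audit
message (4659/4663) and resolve raw AccessList codes, to show why matching
"DELETE" anywhere in the text differs from "DELETE is a requested access"."""
import re
from typing import Dict, List

# Constructed samples modelled on the full_message quoted in the thread.
# Account, domain and path values are placeholders, not real data.
SAMPLE_4659 = (
    "A handle to an object was requested with intent to delete.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-21-0-0-0-1001\n"
    "\tAccount Name:\t\tuser01\n"
    "\tAccount Domain:\t\tfabrikam.com\n"
    "\tLogon ID:\t\t0xD0000000\n"
    "\n"
    "Object:\n"
    "\tObject Server:\tSecurity\n"
    "\tObject Type:\tFile\n"
    "\tObject Name:\tI:\\My Share\\example.txt\n"
    "\n"
    "Access Request Information:\n"
    "\tTransaction ID:\t{00000000-0000-0000-0000-000000000000}\n"
    "\tAccesses:\tDELETE\n"
    "\t\t\t\tReadAttributes\n"
    "\t\t\t\t\n"
    "\tAccess Mask:\t0x10080\n"
    "\tPrivileges Used for Access Check:\t-\n"
)

# A constructed 4663 (object accessed) message where "delete" only appears
# in the file name; the requested access is ReadAttributes, not DELETE.
SAMPLE_4663 = (
    "An attempt was made to access an object.\n"
    "\n"
    "Object:\n"
    "\tObject Type:\tFile\n"
    "\tObject Name:\tI:\\My Share\\deleted-reports.txt\n"
    "\n"
    "Access Request Information:\n"
    "\tAccesses:\tReadAttributes\n"
    "\t\t\t\t\n"
    "\tAccess Mask:\t0x80\n"
)

LABEL_RE = re.compile(r"^[A-Za-z][\w ]*:")   # "Access Mask:", "Object Name:" ...


def parse_accesses(message: str) -> List[str]:
    """Return every value of the Accesses block, in the order logged.

    The first value shares the "Accesses:" line; each further value sits on
    its own indented line until a blank line or the next "Label:" line.
    """
    lines = message.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^\s*Accesses:\s*(.*)$", line)
        if not m:
            continue
        first = m.group(1).strip()
        values = [first] if first else []
        for cont in lines[i + 1:]:
            s = cont.strip()
            if not s or LABEL_RE.match(s):
                break
            values.append(s)
        return values
    return []


def is_delete_request(message: str) -> bool:
    """True only when DELETE is one of the requested accesses (exact token)."""
    return "DELETE" in parse_accesses(message)


def naive_delete_match(message: str) -> bool:
    """The thread's final rule: (?i)DELETE anywhere in the text. It also fires
    on the 4659 description line and on any object name containing "delete",
    so it does not test the requested access itself."""
    return re.search(r"(?i)DELETE", message) is not None


# Partial code table: only the codes the thread identifies (%%1537 = DELETE,
# %%4423 = ReadAttributes). Extend it from the full list linked above.
ACCESS_CODES: Dict[str, str] = {"%%1537": "DELETE", "%%4423": "ReadAttributes"}


def decode_access_list(access_list: str) -> List[str]:
    """Map a raw AccessList value such as "%%1537\\n\\t\\t\\t\\t%%4423\\n" to
    names; unknown codes are kept verbatim so nothing is silently dropped."""
    return [ACCESS_CODES.get(code, code) for code in access_list.split()]


if __name__ == "__main__":
    for name, msg in (("4659", SAMPLE_4659), ("4663", SAMPLE_4663)):
        print(name, parse_accesses(msg), is_delete_request(msg), naive_delete_match(msg))
    print(decode_access_list("%%1537\n\t\t\t\t%%4423\n\t\t\t\t"))
```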
