Sidecar configuration to filter event data for SubjectUserName - Windows

Hi all.

I have been trying for the last few days to get this configuration working…

The issue I am trying to resolve is I am getting lots of logs from the AD computer account as it performs tasks in the OS folders and sometimes within the files/folders that I am auditing.

Basically the account name for the log is the name of the computer hostname, which can be found from the node id with a $. I want to drop all the events with for example test-comp1$

Here is my current configuration:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["graylog.ad.example.com:514"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat:
  event_logs:
   - name: Application
     level: critical, error, warning
     ignore_older: 72h
   - name: System
     level: critical, error, warning
   - name: Security
     processors:
        - drop_event.when:
           - contains.event_data.SubjectUserName: ${sidecar.nodeName}
     level: critical, error, warning, information

Here is an example message I am trying to drop:

beats_type
winlogbeat
message
An attempt was made to access an object.

Subject:
	Security ID:		S-1-5-18
	Account Name:		TEST-COMP1$
	Account Domain:		HTL
	Logon ID:		0x3E7

Object:
	Object Server:		Security
	Object Type:		File
	Object Name:		D:\
	Handle ID:		0x9ac
	Resource Attributes:	S:PAI

Process Information:
	Process ID:		0xe64
	Process Name:		C:\Windows\System32\wbem\WmiPrvSE.exe

Access Request Information:
	Accesses:		ReadData (or ListDirectory)
				
	Access Mask:		0x1
source
TEST-COMP1$
timestamp
2021-07-19 11:29:31.794 -06:00
winlogbeat_@metadata_beat
winlogbeat
winlogbeat_@metadata_type
_doc
winlogbeat_@metadata_version
7.11.1
winlogbeat_@timestamp
2021-07-19 11:29:31.794 -06:00
winlogbeat_agent_ephemeral_id
bec5d75a-4f66-42d0-8de0-a07bc891973f
winlogbeat_agent_hostname
TEST-COMP1
winlogbeat_agent_id
0f067a47-faf4-4326-8d9a-6432eb48221c
winlogbeat_agent_name
TEST-COMP1
winlogbeat_agent_type
winlogbeat
winlogbeat_agent_version
7.11.1
winlogbeat_collector_node_id
TEST-COMP1
winlogbeat_ecs_version
1.7.0
winlogbeat_event_action
File System
winlogbeat_event_code
4663
winlogbeat_event_created
2021-07-19 11:29:33.681 -06:00
winlogbeat_event_kind
event
winlogbeat_event_outcome
success
winlogbeat_event_provider
Microsoft-Windows-Security-Auditing
winlogbeat_host_name
TEST-COMP1.ad.example.com
winlogbeat_log_level
information
winlogbeat_tags
["windows"]
winlogbeat_winlog_api
wineventlog
winlogbeat_winlog_channel
Security
winlogbeat_winlog_computer_name
TEST-COMP1.ad.example.com
winlogbeat_winlog_event_data_AccessList
%%4416
winlogbeat_winlog_event_data_AccessMask
0x1
winlogbeat_winlog_event_data_HandleId
0x9ac
winlogbeat_winlog_event_data_ObjectName
D:\
winlogbeat_winlog_event_data_ObjectServer
Security
winlogbeat_winlog_event_data_ObjectType
File
winlogbeat_winlog_event_data_ProcessId
0xe64
winlogbeat_winlog_event_data_ProcessName
C:\Windows\System32\wbem\WmiPrvSE.exe
winlogbeat_winlog_event_data_ResourceAttributes
S:PAI
winlogbeat_winlog_event_data_SubjectDomainName
AD
winlogbeat_winlog_event_data_SubjectLogonId
0x3e7
winlogbeat_winlog_event_data_SubjectUserName
TEST-COMP1$
winlogbeat_winlog_event_data_SubjectUserSid
S-1-5-18
winlogbeat_winlog_event_id
4663
winlogbeat_winlog_keywords
["Audit Success"]
winlogbeat_winlog_opcode
Info
winlogbeat_winlog_process_pid
980
winlogbeat_winlog_process_thread_id
988
winlogbeat_winlog_provider_guid
{54849625-5478-4994-A5BA-3E3B0328C30D}
winlogbeat_winlog_provider_name
Microsoft-Windows-Security-Auditing
winlogbeat_winlog_record_id
11161305
winlogbeat_winlog_task
File System
winlogbeat_winlog_version
1

Any help or guidance would be gratefully appreciated :smiley:

since it is winlogbeat_winlog_event_data_SubjectUserName, have you tried:

 processors:
     - drop_event.when:
         - contains.winlogbeat_winlog_event_data_SubjectUserName: ${sidecar.nodeName}
1 Like

Getting an error still for the configuration with that change, unfortunately…

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["graylog.ad.example.com:514"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat:
  event_logs:
   - name: Application
     level: critical, error, warning
     ignore_older: 72h
   - name: System
     level: critical, error, warning
   - name: Security
     processors:
        - drop_event.when:
            - contains.winlogbeat_winlog_event_data_SubjectUserName: ${sidecar.nodeName}
     level: critical, error, warning, information

What is the error?

The configuration file for beats is notoriously strict on spacing etc. when I look up drop_event and it’s conditions here it makes me thing you have a syntactical error, maybe a dash where it isn’t called for?

I decided to move a slightly different direct with the configuration as it works as expected. Finally got it to work with this config:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["graylog.ad.example.com:514"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat:
  event_logs:
   - name: Application
     level: critical, error, warning
     ignore_older: 72h
   - name: System
     level: critical, error, warning
     ignore_older: 72h
   - name: Security
     processors:
     - drop_event.when.or:
       - equals.winlog.event_data.SubjectUserSid: 'S-1-5-18'
     level: critical, error, warning, information
     ignore_older: 72h
1 Like