My colleagues and I have solved the issue. The script indeed did need to be altered. It appears that the script in https://www.graylog.org/post/back-to-basics-enhance-windows-security-with-sysmon-and-graylog is missing some logic in a few areas. We have updated the script and removed portions that were no longer needed. Below are the scripts that worked for us. We also split the Threat Intel script into two separate scripts and removed the first script from the webpage.
Script 1 - Stage 0
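// Sysmon Installation
// - Sysmon has to be installed on Windows and run with (plain ASCII hyphens, the original post used
//   typographic dashes that fail when pasted into a shell): sysmon -i -accepteula -h md5 -n -l
//   md5 alone is a weak key for matching against hash-based indicators; Sysmon's -h also accepts
//   sha256 (or * for every supported algorithm) if your intel feeds are keyed on stronger hashes.
// - Transport should be a winlogbeat
// - Consider using the Graylog Sidecar to manage winlogbeat remotely
//
// Purpose: normalise winlogbeat-shipped Sysmon events into a flat "sysmon_*" namespace and drop
// transport noise. Only field names are changed here; no values are altered except the two GUIDs,
// whose surrounding braces are stripped.
rule "Stage 0 Sysmon Cleanup"
when
// Only run for Sysmon messages
has_field("winlogbeat_source_name") && $message.winlogbeat_source_name == "Microsoft-Windows-Sysmon"
then
// Rename some fields to clean up
rename_field("winlogbeat_computer_name", "sysmon_computer_name");
rename_field("winlogbeat_event_data_Image", "sysmon_data_process");
rename_field("winlogbeat_event_data_UtcTime", "sysmon_data_utc_time");
rename_field("winlogbeat_event_id", "sysmon_event_id");
rename_field("winlogbeat_level", "sysmon_data_level");
rename_field("winlogbeat_task", "sysmon_task");
rename_field("winlogbeat_event_data_User", "sysmon_data_user");
rename_field("winlogbeat_event_data_TargetFilename", "sysmon_data_file_created");
rename_field("winlogbeat_event_data_CreationUtcTime", "sysmon_data_file_created_time");
rename_field("winlogbeat_event_data_PreviousCreationUtcTime", "sysmon_data_file_created_time_previous");
rename_field("winlogbeat_user_name", "sysmon_data_user_name");
rename_field("winlogbeat_thread_id", "sysmon_thread_id");
rename_field("winlogbeat_user_domain", "sysmon_user_domain");
rename_field("winlogbeat_user_identifier", "sysmon_user_identifier");
rename_field("winlogbeat_user_type", "sysmon_user_type");
// Network connection events (Sysmon event id 3). Note that DestinationHostname is the
// reverse-resolved name of the connection target, not a DNS query made by the process; the
// "sysmon_dns_lookup" name is kept for compatibility with existing searches, but real DNS
// queries are the separate Sysmon DNS event (event id 22, QueryName/QueryResults), which this
// rule does not rename.
rename_field("winlogbeat_event_data_DestinationHostname", "sysmon_dns_lookup");
rename_field("winlogbeat_event_data_DestinationIp", "sysmon_dns_lookup_ip");
rename_field("winlogbeat_event_data_DestinationPort", "sysmon_dest_port");
rename_field("winlogbeat_event_data_DestinationPortName", "sysmon_dest_port_name");
rename_field("winlogbeat_event_data_Initiated", "sysmon_con_initiated");
rename_field("winlogbeat_event_data_Protocol", "sysmon_con_proto");
rename_field("winlogbeat_event_data_SourceHostname", "sysmon_src_name");
rename_field("winlogbeat_event_data_SourceIp", "sysmon_src_ip");
rename_field("winlogbeat_event_data_SourcePort", "sysmon_src_port");
rename_field("winlogbeat_event_data_SourcePortName", "sysmon_src_port_name");
// Process creation events (Sysmon event id 1)
rename_field("winlogbeat_event_data_CommandLine", "sysmon_cmd_event");
rename_field("winlogbeat_event_data_CurrentDirectory", "sysmon_cmd_location");
rename_field("winlogbeat_event_data_Hashes", "sysmon_cmd_hash");
rename_field("winlogbeat_event_data_IntegrityLevel", "sysmon_cmd_integrity");
rename_field("winlogbeat_event_data_LogonId", "sysmon_cmd_logon_id");
rename_field("winlogbeat_event_data_ParentCommandLine", "sysmon_cmd_parent_cmd");
rename_field("winlogbeat_event_data_ParentImage", "sysmon_cmd_parent_file");
rename_field("winlogbeat_event_data_ParentProcessId", "sysmon_cmd_parent_pid");
rename_field("winlogbeat_event_data_TerminalSessionId", "sysmon_cmd_terminal_pid");
rename_field("winlogbeat_event_data_LogonGuid", "sysmon_cmd_logon_guid");
rename_field("winlogbeat_event_data_ParentProcessGuid", "sysmon_cmd_parent_guid");
// Strip the surrounding braces from the two GUIDs. regex() returns the capture groups keyed
// "0", "1", ...; when the value is not brace-wrapped the group is absent and the previous
// version stored an empty string, so fall back to the raw value instead of discarding it.
let process_guid_raw = to_string($message.winlogbeat_event_data_ProcessGuid);
let process_guid_match = regex("^\\{(\\S+)\\}$", process_guid_raw);
set_field("sysmon_data_process_guid", to_string(process_guid_match["0"], process_guid_raw));
remove_field("winlogbeat_event_data_ProcessGuid");
// NOTE(review): "sysmon_data_provider_gui" looks like a typo for "..._guid" (compare the process
// GUID field above). It is left unchanged so existing searches and dashboards keep working;
// rename it and update consumers together if you decide to fix it.
let provider_guid_raw = to_string($message.winlogbeat_provider_guid);
let provider_guid_match = regex("^\\{(\\S+)\\}$", provider_guid_raw);
set_field("sysmon_data_provider_gui", to_string(provider_guid_match["0"], provider_guid_raw));
remove_field("winlogbeat_provider_guid");
// Remove unwanted fields
remove_field("name");
remove_field("tags");
remove_field("type");
// Remove winlogbeats fields we don't need.
// ProcessId is dropped while ParentProcessId is kept; the GUIDs still allow parent/child
// pivoting within Sysmon, but correlating with other Windows logs that only carry a PID
// (e.g. Security 4688) will need this field, so keep it if that is part of your workflow.
remove_field("winlogbeat_event_data_ProcessId");
remove_field("winlogbeat_log_name");
remove_field("winlogbeat_opcode");
remove_field("winlogbeat_process_id");
remove_field("winlogbeat_record_number");
// The source-name selector is removed here, so later stages cannot re-check it.
remove_field("winlogbeat_source_name");
remove_field("winlogbeat_tags");
remove_field("winlogbeat_type");
remove_field("winlogbeat_version");
remove_field("winlogbeat_event_data_SourceIsIpv6");
remove_field("winlogbeat_event_data_DestinationIsIpv6");
end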
Script 2 - Stage 1
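// Threat Intelligence enrichment
// - Needs installed Graylog Threat Intel plugin : https://github.com/Graylog2/graylog-plugin-threatintel
// Each lookup returns a map of result fields named after the prefix passed as the second
// argument (for example "<prefix>_threat_indicated"); set_fields() writes them onto the message.
// Those prefixed field names are what the Stage 2 rule has to test.
rule "Stage 1 Sysmon Threatintel"
when
// To save CPU cycles, only run if there is something to look up.
// NOTE(review): the Stage 0 rule on this page never creates "ip", "query_domain" or
// "query_answer" - confirm which upstream rule or extractor sets them, otherwise this rule
// never fires, or fires with empty strings passed to the lookups. The pipeline language has
// no conditional statements in the action block, so per-field guards must live in "when"
// or in separate rules.
has_field("ip")
then
// look up the requested DNS captured by sysmon
// this will be the most fired rule
let dns_name_intel = threat_intel_lookup_domain(to_string($message.query_domain), "sysmon_dns_lookup");
set_fields(dns_name_intel);
// look up the ip from the DNS answer
// if we do not monitor the dns, then this might be nice to have
let dns_answer_intel = threat_intel_lookup_ip(to_string($message.query_answer), "sysmon_dns_lookup_ip");
set_fields(dns_answer_intel);
// look up the requesting (source) IP
// this is useful if dealing with non internal IPs
// so you know if your IP is seen as a problem
// Reads the source IP that Stage 0 renames to "sysmon_src_ip". The previous version passed
// query_answer here as well, which only repeated the lookup above under a second prefix and
// never checked the requesting host.
let src_ip_intel = threat_intel_lookup_ip(to_string($message.sysmon_src_ip), "sysmon_src_ip");
set_fields(src_ip_intel);
// WHOIS lookup. This is disabled by default. Enable and carefully watch latency and performance.
// let sysmon_dns_lookup_ip_whois = whois_lookup_ip(to_string($message.query_answer), "sysmon_dns_lookup_ip");
// set_fields(sysmon_dns_lookup_ip_whois);
end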
Script 3 - Stage 2
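// Collapse the per-lookup threat flags written by Stage 1 into one searchable field.
rule "Stage 2 Sysmon Threatintel Inflate"
when
// run only if one of the lookup results is true.
// The threat intel plugin names its result fields "<prefix>_threat_indicated", so the Stage 1
// prefixes ("sysmon_dns_lookup", "sysmon_dns_lookup_ip", "sysmon_src_ip") yield the first
// three fields below; the original src_/dst_ names only matched the blog post's earlier
// prefixes and are kept so any rule still using them continues to work.
// An absent field converts to false, as in the original condition, so nothing fires spuriously.
to_bool($message.sysmon_dns_lookup_threat_indicated) ||
to_bool($message.sysmon_dns_lookup_ip_threat_indicated) ||
to_bool($message.sysmon_src_ip_threat_indicated) ||
to_bool($message.src_threat_indicated) ||
to_bool($message.dst_threat_indicated)
then
// This is to make Graylog searches easy
// -- Enables searches like threat_indicated:true
set_field("threat_indicated", true);
end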