Winlogbeat drop event not working for specific fields

Hello,

I want to monitor file/folder activity on the workstations and servers,
and I want to drop, on the client side, all useless/unneeded events.

Since monitoring file activity generates a large volume of logs, can overload the network with thousands of clients and fill the disk in a short time, this is a very important part.

1. Describe your incident:

My Sidecar configuration for this objective:

- name: Security
  event_id: 4656, 4663, 4670, 4907
  ignore_older: 24h
  tags: [filesystem]
  processors:
    - script:
        lang: javascript
        id: security
        file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js
    - drop_event.when.not.and:
        - equals.winlog.event_data.ObjectType: "File"
    - drop_event.when.or:
        - equals.winlog.event_data.winlog_task: "Authorization Policy Change"
        - equals.winlog.event_data.winlog_task: "Registry"
        - equals.winlog.event_data.winlog_task: "Kernel Object"
        - equals.winlog.event_data.SubjectUserSid: 'S-1-5-18'
        - equals.winlog.event_data.SubjectUserSid: 'S-1-5-19'
        - equals.winlog.event_data.AccessList: '%%1538'
        - equals.winlog.event_data.AccessList: '%%1539'
        - equals.winlog.event_data.AccessList: '%%1541'
        - equals.winlog.event_data.AccessList: '%%1542'
        - equals.winlog.event_data.AccessList: '%%4416'
        - equals.winlog.event_data.AccessList: '%%4419'
        - equals.winlog.event_data.AccessList: '%%4420'
        - equals.winlog.event_data.AccessList: '%%4423'
        - equals.winlog.event_data.AccessList: '%%4424'

On the Graylog side, I can identify, for the explorer.exe process and for powershell/cmd:

  • File deletion
  • File creation
  • Changing/Write Owner
  • Cut/Paste or Move from/to

None of the - equals.winlog.event_data.AccessList conditions work, and the events are still sent to the Graylog server.

These drop statements are working:

            - equals.winlog.event_data.winlog_task: "Authorization Policy Change"
            - equals.winlog.event_data.winlog_task: "Registry"
            - equals.winlog.event_data.winlog_task: "Kernel Object"
            - equals.winlog.event_data.SubjectUserSid: 'S-1-5-18'
            - equals.winlog.event_data.SubjectUserSid: 'S-1-5-19'

These are not working:

            - equals.winlog.event_data.AccessList: '%%1538'
            - equals.winlog.event_data.AccessList: '%%1539'
            - equals.winlog.event_data.AccessList: '%%1541'
            - equals.winlog.event_data.AccessList: '%%1542'
            - equals.winlog.event_data.AccessList: '%%4416'
            - equals.winlog.event_data.AccessList: '%%4419'
            - equals.winlog.event_data.AccessList: '%%4420'
            - equals.winlog.event_data.AccessList: '%%4423'
            - equals.winlog.event_data.AccessList: '%%4424'

2. Describe your environment:

  • OS Information:

Graylog 5.2.1
Opensearch 2.11.0
mongo 6.0.11
sidecar 1.5.0
winlogbeat 7.17.13.0

3. What steps have you already taken to try and solve the problem?

I tried double quotes; that does not work either.

I double-checked the log format on the Windows side and it corresponds to my drop_event condition.

4. How can the community help?

Is my syntax wrong?

I found the solution myself, which is to use regexp instead of equals:

    - drop_event.when.or:
        - equals.winlog.event_data.winlog_task: "Authorization Policy Change"
        - equals.winlog.event_data.winlog_task: "Registry"
        - equals.winlog.event_data.winlog_task: "Kernel Object"
        - equals.winlog.event_data.SubjectUserSid: 'S-1-5-18'
        - equals.winlog.event_data.SubjectUserSid: 'S-1-5-19'
        - regexp.winlog.event_data.AccessList: '^%%4416.*'
        - regexp.winlog.event_data.AccessList: '^%%1538.*'
        - regexp.winlog.event_data.AccessList: '^%%1539.*'
        - regexp.winlog.event_data.AccessList: '^%%1541.*'
        - regexp.winlog.event_data.AccessList: '^%%1542.*'
        - regexp.winlog.event_data.AccessList: '^%%4419.*'
        - regexp.winlog.event_data.AccessList: '^%%4420.*'
        - regexp.winlog.event_data.AccessList: '^%%4421.*'
        - regexp.winlog.event_data.AccessList: '^%%4423.*'
        - regexp.winlog.event_data.AccessList: '^%%4424.*'
        - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._-]+\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE.*'
        # `\\Recent`: a single `\R` is an invalid escape for Winlogbeat's (Go RE2) regexp engine
        - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._-]+\\AppData\\Roaming\\Microsoft\\Windows\\Recent.*'
        - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\\$Recycle.Bin.*'

If it can help someone someday :+1:
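Added example (not code from the post above or from Winlogbeat itself) showing why the `equals` list in the post can never match while the anchored `regexp` list does. It assumes, as is typical for a Windows 4663 event, that the AccessList value arrives as the `%%NNNN` code followed by a line break and tab padding from the event XML (constructed sample; verify against your own events with the `%q` check below), and it reproduces the two conditions the way libbeat evaluates them: an exact string comparison for `equals`, and a Go RE2 search for `regexp`. It also demonstrates the `\Recent` caveat from the ObjectName patterns: with YAML single quotes the backslash reaches the regexp engine unchanged, and RE2 rejects `\R` as an invalid escape.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample: the AccessList of a 4663 event as the Windows event XML
// renders it, a %%NNNN message-table reference plus a line break and tab
// padding (assumption; inspect your own events with reveal() below).
const sampleAccessList = "%%4416\n\t\t\t\t"

// The access codes the post drops, kept as the raw %%NNNN references that
// Winlogbeat forwards in winlog.event_data.AccessList.
var droppedAccessCodes = []string{
	"%%1538", "%%1539", "%%1541", "%%1542",
	"%%4416", "%%4419", "%%4420", "%%4421", "%%4423", "%%4424",
}

// equalsMatch is what libbeat's `equals` condition does: an exact, untrimmed
// string comparison, so any trailing whitespace defeats it.
func equalsMatch(value, want string) bool { return value == want }

// regexpMatch is what libbeat's `regexp` condition does: compile the pattern
// with Go's RE2 engine and search the value. Only `^` anchors the start;
// nothing anchors the end, so trailing whitespace is tolerated.
func regexpMatch(pattern, value string) (bool, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, err
	}
	return re.MatchString(value), nil
}

// dropByEquals reproduces the post's first, non-working OR list.
func dropByEquals(accessList string) bool {
	for _, code := range droppedAccessCodes {
		if equalsMatch(accessList, code) {
			return true
		}
	}
	return false
}

// dropByRegexp reproduces the post's working OR list: one `^%%NNNN.*`
// pattern per code.
func dropByRegexp(accessList string) (bool, error) {
	for _, code := range droppedAccessCodes {
		ok, err := regexpMatch("^"+code+".*", accessList)
		if err != nil {
			return false, err
		}
		if ok {
			return true, nil
		}
	}
	return false, nil
}

// reveal quotes a field value so the line breaks and tabs a log UI hides
// become visible; this is the check that explains a silently failing equals.
func reveal(value string) string { return fmt.Sprintf("%q", value) }

// ObjectName patterns as YAML single quotes deliver them to the engine
// (raw strings, backslashes untouched). The broken one carries the post's
// single `\R`; the fixed one doubles it like its siblings.
const recentPatternBroken = `^(?i)C\:\\Users\\[a-zA-Z0-9._-]+\\AppData\\Roaming\\Microsoft\\Windows\Recent.*`
const recentPatternFixed = `^(?i)C\:\\Users\\[a-zA-Z0-9._-]+\\AppData\\Roaming\\Microsoft\\Windows\\Recent.*`

func main() {
	fmt.Println("raw AccessList:", reveal(sampleAccessList))
	fmt.Println("equals drops it:", dropByEquals(sampleAccessList))
	ok, _ := dropByRegexp(sampleAccessList)
	fmt.Println("regexp drops it:", ok)
	if _, err := regexpMatch(recentPatternBroken, ""); err != nil {
		fmt.Println("broken ObjectName pattern:", err)
	}
	ok, _ = regexpMatch(recentPatternFixed, `C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\doc.lnk`)
	fmt.Println("fixed ObjectName pattern matches:", ok)
}
```

Before tuning the drop list, look at the raw value of `winlog.event_data.AccessList` in the message JSON rather than in the rendered field view; if it ends in whitespace, `equals` will never fire, and `^%%NNNN` is the cheapest condition that still matches only the intended code. Keep `drop_event` before anything expensive in the processor chain so the filtered events cost nothing beyond the match.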
