4624 log stoms

james_007 · August 19, 2019, 7:12am

Hi All - was wondering if anyone can help on the following:

event ID 4624 : this event logs everything that speaks to the domain, I just want to log user who below to the DD1 domain and forget and drop the rest of the events

below is an event of computer generated 4624 ID, this is the message part of the log

New Logon:

Security ID: S-1-5-21-3697968490-2924621232-2642631XXXXXXXXX
Account Name: Servername$ - ( SERVER NAMES)
Account Domain: ADD - (AD domain Name)
Logon ID: 0x759ADBE
Logon GUID: {9DF982D6-118E-2412-9006-XXXXXXXXXXX}

Here is 4624 login from a user that i want to see

New Logon:

Security ID: S-1-5-21-3697968490-2924621232-XXXXXXXXXXXXXXX
Account Name: user_name - (Active Directory USER NAMES)
Account Domain: FFE – (AD domain Name)
Logon ID: 0xF7E3345
Logon GUID: {50DAB2F7-6378-39AA-9DA1-XXXXXXXXXXXXXX}

Is there anyway I can block account names when they are Server names, or for starters block all Account domain that are ADD and accept all domains that are FFE

Or is there another way of doing this ?

thanks

james_007 · August 19, 2019, 8:44am

I found this post Dropping logon events for computer accounts not working
where i says you should add the following lines

name: Security
processors:
- drop_event:
  when:
  and:
  - equals:
  event.code: 4624
  - regexp:
  winlog.event_data.TargetUserName: '.*$'

however i can't get it to work in my file listed below

winlogbeat.event_logs:

name: Application
ignore_older: 72h
name: System
event_id: 104,102,1102,4719,6005,7022,7023,7024,7025,7026,7031,7032,7034,7045,4697,7022,7023,104,6
name: Security
event_id: 4740,4728,4732,4756,4735,4724,4625,4648,1102,4624,5038,6281,4767
processors:
drop_event:
when:
and:
- equals:
event.code: 4624
- regexp:
winlog.event_data.TargetUserName: '.*$'
name: Microsoft-Windows-Sysmon/Operational
name: Windows PowerShell
name: Microsoft-Windows-Sysmon/Operational
name: Microsoft-Windows-PowerShell/Operational

Anabella_Cristaldi · August 19, 2019, 9:02am

Hi James,
Is your indentation correct? yaml are very tricky
Try inserting two spaces here

james_007 · August 19, 2019, 9:50am

Hi Ana - thanks for the quick reply

this is my spacing, you are correct, the ymls are well tricky when it comes to spaces - still not working, spaces are still incorrect ? This is view in text pad, any pointers as my database is filling up with unwanted 4624 events ?

thanks again

Anabella_Cristaldi · August 19, 2019, 10:12am

Hi James
I'm not shure about the sintax you are using...
Which version of winlogbeats do you have? seems like mixing syntax from different versions.,
What does this line means?

Here is my working config.
I drop events 4624, 4634 and 4672 when username start with $ or is a DWM-x or is SYSTEM and drop events 4674,4985,4778,4779,4647,...4766 (because I'll analyze those events later)

  - name: Security
    processors:
      - drop_event:
          when:
            and:
              - equals:
                  event.code: 4624
              - or:
                 - regexp:
                    winlog.event_data.TargetUserName: '.*\$' 
                 - regexp:
                    winlog.event_data.TargetUserName: 'DWM\-[0-9]' 
                 - equals:
                    winlog.event_data.TargetUserName: 'SYSTEM'                    
      - drop_event:
          when:
            and:
              - equals:
                  event.code: 4634
              - or:
                 - regexp:
                    winlog.event_data.TargetUserName: '.*\$' 
                 - regexp:
                    winlog.event_data.TargetUserName: 'DWM\-[0-9]' 
                 - equals:
                    winlog.event_data.TargetUserName: 'SYSTEM'                    

      - drop_event:
          when:
            and:
              - equals:
                  event.code: 4672
              - or:
                 - regexp:
                    winlog.event_data.SubjectUserName: '.*\$' 
                 - regexp:
                    winlog.event_data.SubjectUserName: 'DWM\-[0-9]' 
                 - equals:
                    winlog.event_data.SubjectUserName: 'SYSTEM'                     
      - drop_event:
          when:
            and:
              - equals:
                  event.code: 4724
              - not:
                  has_fields: ['winlog.event_data.TargetUserName'] 
                 
## To analize later
      - drop_event:
          when:
            or:
              - equals:
                  event.code: 4674
              - equals:
                  event.code: 4985
              - equals:
                  event.code: 4778
              - equals:
                  event.code: 4779
              - equals:
                  event.code: 4647
              - equals:
                  event.code: 4800
              - equals:
                  event.code: 4801
              - equals:
                  event.code: 4802
              - equals:
                  event.code: 4803
              - equals:
                  event.code: 5378
              - equals:
                  event.code: 5632
              - equals:
                  event.code: 5633
              - equals:
                  event.code: 4765
              - equals:
                  event.code: 4766                  

      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

Regards
Ana

james_007 · August 19, 2019, 12:16pm

Thanks Ana - i am using winlogbeats 7.0.3 - the line you are asking about tells winlogbeat what events IDs to sent

name: Security
event_id: 4740,4728,4732,4756,4735,4724,4625,4648,1102,4624,5038,6281,4767

this is my yml file which works, it sends the correct event IDs, i just want insert your code under -name:security but can't seem to get rights.

even our more fancy new code does not work

sorry about all the questions

James

#======================= Winlogbeat specific options ===========================

https://go.es.io/WinlogbeatConfig

winlogbeat.event_logs:

name: Application
ignore_older: 72h
name: System
event_id: 104,102,1102,4719,6005,7022,7023,7024,7025,7026,7031,7032,7034,7045,4697,7022,7023,104,6
name: Security
event_id: 4740,4728,4732,4756,4735,4724,4625,4648,1102,4624,5038,6281,4767
name: Microsoft-Windows-Sysmon/Operational
name: Windows PowerShell
name: Microsoft-Windows-Sysmon/Operational
name: Microsoft-Windows-PowerShell/Operational

#==================== Elasticsearch template settings ==========================

Anabella_Cristaldi · August 19, 2019, 12:47pm

Hi James
I'll test your config and I'll let you know if I succeed
Regards
Ana

james_007 · August 19, 2019, 12:58pm

nice one -

Anabella_Cristaldi · August 20, 2019, 11:24am

Hi @james_007 ,
I have tested what you want to do and it works.
I've configure winlogbeat to send only events 4624 and 4672 and drop the events 4624 under certain conditions. For testing I drop the event 4624 for user at_adm

Here is the config

And here the results.... no event 4624 for user at_adm

Regards
Ana

james_007 · September 11, 2019, 10:32am

Hi Ana - many thanks for your reply i shall copy your code and see if it works, fingers crossed.

sorry for the late reply, off for holidays.

007

james_007 · September 13, 2019, 8:00am

Hi Ana - silly question, is the DWM your domain name ?

thanks

system · October 11, 2019, 8:00am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.