4624 log storms

Hi All - was wondering if anyone can help on the following:

Event ID 4624: this event logs everything that talks to the domain. I just want to log users who belong to the DD1 domain and drop the rest of the events.

Below is a computer-generated 4624 event; this is the message part of the log:

New Logon:

  • Security ID: S-1-5-21-3697968490-2924621232-2642631XXXXXXXXX
  • Account Name: Servername$ - ( SERVER NAMES)
  • Account Domain: ADD - (AD domain Name)
  • Logon ID: 0x759ADBE
  • Logon GUID: {9DF982D6-118E-2412-9006-XXXXXXXXXXX}

Here is a 4624 logon from a user that I want to see:

New Logon:

  • Security ID: S-1-5-21-3697968490-2924621232-XXXXXXXXXXXXXXX
  • Account Name: user_name - (Active Directory USER NAMES)
  • Account Domain: FFE - (AD domain Name)
  • Logon ID: 0xF7E3345
  • Logon GUID: {50DAB2F7-6378-39AA-9DA1-XXXXXXXXXXXXXX}

Is there any way I can block account names when they are server names, or, for starters, block all events whose Account Domain is ADD and accept all whose Account Domain is FFE?

Or is there another way of doing this?

thanks

I found this post, "Dropping logon events for computer accounts not working",
where it says you should add the following lines:

  - name: Security
    processors:
      - drop_event:
          when:
            and:
              - equals:
                  event.code: 4624
              - regexp:
                  winlog.event_data.TargetUserName: '.*$'

However, I can't get it to work in my file, listed below:


winlogbeat.event_logs:

  - name: Application
    ignore_older: 72h

  - name: System
    event_id: 104,102,1102,4719,6005,7022,7023,7024,7025,7026,7031,7032,7034,7045,4697,7022,7023,104,6

  - name: Security
    event_id: 4740,4728,4732,4756,4735,4724,4625,4648,1102,4624,5038,6281,4767
    processors:

  - drop_event:
      when:
        and:
          - equals:
              event.code: 4624
          - regexp:
              winlog.event_data.TargetUserName: '.*$'

  - name: Microsoft-Windows-Sysmon/Operational

  - name: Windows PowerShell

  - name: Microsoft-Windows-Sysmon/Operational

  - name: Microsoft-Windows-PowerShell/Operational


Hi James,
Is your indentation correct? YAML is very tricky.
Try inserting two spaces here:

[image]

Hi Ana - thanks for the quick reply.

This is my spacing. You are correct, the YML files are well tricky when it comes to spaces. It is still not working; are the spaces still incorrect? This is the view in TextPad. Any pointers? My database is filling up with unwanted 4624 events.

Thanks again

Hi James
I'm not sure about the syntax you are using...
Which version of Winlogbeat do you have? It seems like you are mixing syntax from different versions.
What does this line mean?
[image]
Here is my working config.
I drop events 4624, 4634 and 4672 when the username starts with $, or is a DWM-x, or is SYSTEM, and I drop events 4674, 4985, 4778, 4779, 4647, ... 4766 (because I'll analyze those events later).

  - name: Security
    processors:
      - drop_event:
          when:
            and:
              - equals:
                  event.code: 4624
              - or:
                  - regexp:
                      winlog.event_data.TargetUserName: '.*\$'
                  - regexp:
                      winlog.event_data.TargetUserName: 'DWM\-[0-9]'
                  - equals:
                      winlog.event_data.TargetUserName: 'SYSTEM'
      - drop_event:
          when:
            and:
              - equals:
                  event.code: 4634
              - or:
                  - regexp:
                      winlog.event_data.TargetUserName: '.*\$'
                  - regexp:
                      winlog.event_data.TargetUserName: 'DWM\-[0-9]'
                  - equals:
                      winlog.event_data.TargetUserName: 'SYSTEM'

      - drop_event:
          when:
            and:
              - equals:
                  event.code: 4672
              - or:
                  - regexp:
                      winlog.event_data.SubjectUserName: '.*\$'
                  - regexp:
                      winlog.event_data.SubjectUserName: 'DWM\-[0-9]'
                  - equals:
                      winlog.event_data.SubjectUserName: 'SYSTEM'
      - drop_event:
          when:
            and:
              - equals:
                  event.code: 4724
              - not:
                  has_fields: ['winlog.event_data.TargetUserName']

      ## To analyze later
      - drop_event:
          when:
            or:
              - equals:
                  event.code: 4674
              - equals:
                  event.code: 4985
              - equals:
                  event.code: 4778
              - equals:
                  event.code: 4779
              - equals:
                  event.code: 4647
              - equals:
                  event.code: 4800
              - equals:
                  event.code: 4801
              - equals:
                  event.code: 4802
              - equals:
                  event.code: 4803
              - equals:
                  event.code: 5378
              - equals:
                  event.code: 5632
              - equals:
                  event.code: 5633
              - equals:
                  event.code: 4765
              - equals:
                  event.code: 4766

      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

Regards
Ana
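As an added example (not from this thread and not Winlogbeat's own code), here is a small Python evaluator for the drop_event condition syntax used in the config above, run over constructed 4624/4672 events modelled on the two logons quoted in the question. It shows why the unescaped pattern '.*$' drops every 4624 (the $ is a regex anchor) while '.*\$' drops only computer accounts, and it adds a domain-based rule for the "drop everything from domain ADD" question; the field name winlog.event_data.TargetDomainName is assumed, and event.code is held as an integer here to match the rule as written.

```python
import re

def matches(cond, event):
    """Evaluate one drop_event 'when' condition (and/or/not/equals/regexp/has_fields)."""
    (kind, body), = cond.items()
    if kind in ("and", "or"):
        return (all if kind == "and" else any)(matches(c, event) for c in body)
    if kind == "not":
        return not matches(body, event)
    if kind == "has_fields":
        return all(f in event for f in body)
    if kind == "equals":
        return all(event.get(f) == v for f, v in body.items())
    if kind == "regexp":
        # Beats regexp matching is unanchored, so search() rather than fullmatch().
        return all(f in event and re.search(p, str(event[f])) for f, p in body.items())
    raise ValueError(f"unknown condition: {kind}")

def user_rule(pattern):
    """The 4624 rule from the config above, parameterised on the TargetUserName regexp."""
    return {"and": [
        {"equals": {"event.code": 4624}},
        {"or": [
            {"regexp": {"winlog.event_data.TargetUserName": pattern}},
            {"regexp": {"winlog.event_data.TargetUserName": r"DWM\-[0-9]"}},
            {"equals": {"winlog.event_data.TargetUserName": "SYSTEM"}},
        ]},
    ]}

def domain_rule(domain):  # 'drop every 4624 whose Account Domain is X'; field name assumed
    return {"and": [{"equals": {"event.code": 4624}},
                    {"equals": {"winlog.event_data.TargetDomainName": domain}}]}

def ev(code, **fields):
    """Flat event dict keyed the way Winlogbeat names event_data fields."""
    return {"event.code": code, **{"winlog.event_data." + k: v for k, v in fields.items()}}

EVENTS = [  # constructed, modelled on the two logons quoted in the question
    ev(4624, TargetUserName="Servername$", TargetDomainName="ADD"),
    ev(4624, TargetUserName="user_name", TargetDomainName="FFE"),
    ev(4624, TargetUserName="DWM-2", TargetDomainName="Window Manager"),
    ev(4672, SubjectUserName="Servername$"),
]

def kept(rule):
    """TargetUserNames of the events the rule lets through ('-' if the field is absent)."""
    return [e.get("winlog.event_data.TargetUserName", "-")
            for e in EVENTS if not matches(rule, e)]
```

Calling kept(user_rule(r".*$")) leaves only the 4672 event, whereas kept(user_rule(r".*\$")) keeps the user_name logon and drops Servername$ and DWM-2.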

Thanks Ana - I am using Winlogbeat 7.0.3. The line you are asking about tells Winlogbeat which event IDs to send:

  - name: Security
    event_id: 4740,4728,4732,4756,4735,4724,4625,4648,1102,4624,5038,6281,4767

This is my yml file, which works; it sends the correct event IDs. I just want to insert your code under "- name: Security" but can't seem to get it right.

Even your fancier new code does not work.

Sorry about all the questions.

James

#======================= Winlogbeat specific options ===========================

# https://go.es.io/WinlogbeatConfig

winlogbeat.event_logs:

  - name: Application
    ignore_older: 72h

  - name: System
    event_id: 104,102,1102,4719,6005,7022,7023,7024,7025,7026,7031,7032,7034,7045,4697,7022,7023,104,6

  - name: Security
    event_id: 4740,4728,4732,4756,4735,4724,4625,4648,1102,4624,5038,6281,4767

  - name: Microsoft-Windows-Sysmon/Operational

  - name: Windows PowerShell

  - name: Microsoft-Windows-Sysmon/Operational

  - name: Microsoft-Windows-PowerShell/Operational

#==================== Elasticsearch template settings ==========================

Hi James
I'll test your config and I'll let you know if I succeed :blush:
Regards
Ana

nice one -

Hi @james_007,
I have tested what you want to do and it works.
I've configured Winlogbeat to send only events 4624 and 4672 and to drop event 4624 under certain conditions. For testing I drop event 4624 for user at_adm.

Here is the config:

And here are the results... no 4624 event for user at_adm.

Regards
Ana

Hi Ana - many thanks for your reply. I shall copy your code and see if it works, fingers crossed.

Sorry for the late reply, I was off on holiday.

007

Hi Ana - silly question, is DWM your domain name?

thanks