Drop event does not work for specific field

s0p4L1n3 · December 4, 2023, 9:27am

Hello,

I'm using Winlogbeat 7.17.13.0.

I want to monitor File/folder activities on the computers and servers.
And I want to drop on the client side all useless/not needed events.

As monitoring files activites generate a big amount of logs, can overload the network if thousand of clients and fill the disk space in short time, this is a very important part.

- name: Security
     event_id: 4656, 4663, 4670, 4907
     ignore_older: 24h
     tags: [filesystem]
     processors:
       - script:
          lang: javascript
          id: security
          file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js
       - drop_event.when.not.and:
            - equals.winlog.event_data.ObjectType: "File"
       - drop_event.when.or:
            - equals.winlog.event_data.winlog_task: "Authorization Policy Change"
            - equals.winlog.event_data.winlog_task: "Registry"
            - equals.winlog.event_data.winlog_task: "Kernel Object"
            - equals.winlog.event_data.SubjectUserSid: 'S-1-5-18'
            - equals.winlog.event_data.SubjectUserSid: 'S-1-5-19'
            - equals.winlog.event_data.AccessList: '%%1538'
            - equals.winlog.event_data.AccessList: '%%1538'
            - equals.winlog.event_data.AccessList: '%%1539'
            - equals.winlog.event_data.AccessList: '%%1541'
            - equals.winlog.event_data.AccessList: '%%1542'
            - equals.winlog.event_data.AccessList: '%%4416'
            - equals.winlog.event_data.AccessList: '%%4419'
            - equals.winlog.event_data.AccessList: '%%4420'
            - equals.winlog.event_data.AccessList: '%%4423'
            - equals.winlog.event_data.AccessList: '%%4424'

All the - equals.winlog.event_data.AccessList does not work and the event are still sent to the server.

Theses drop statement are working:

            - equals.winlog.event_data.winlog_task: "Authorization Policy Change"
            - equals.winlog.event_data.winlog_task: "Registry"
            - equals.winlog.event_data.winlog_task: "Kernel Object"
            - equals.winlog.event_data.SubjectUserSid: 'S-1-5-18'
            - equals.winlog.event_data.SubjectUserSid: 'S-1-5-19'

Theses are not working:

            - equals.winlog.event_data.AccessList: '%%1538'
            - equals.winlog.event_data.AccessList: '%%1538'
            - equals.winlog.event_data.AccessList: '%%1539'
            - equals.winlog.event_data.AccessList: '%%1541'
            - equals.winlog.event_data.AccessList: '%%1542'
            - equals.winlog.event_data.AccessList: '%%4416'
            - equals.winlog.event_data.AccessList: '%%4419'
            - equals.winlog.event_data.AccessList: '%%4420'
            - equals.winlog.event_data.AccessList: '%%4423'
            - equals.winlog.event_data.AccessList: '%%4424'

I tried the double quote, it not works either.

I double check the log format from Windows side and it correspond to my dropt event condition:

Is my syntax wrong ?

s0p4L1n3 · December 4, 2023, 3:34pm

I found the solution by myself, which is using regexp instead of equals

       - drop_event.when.or:
           - equals.winlog.event_data.winlog_task: "Authorization Policy Change"
           - equals.winlog.event_data.winlog_task: "Registry"
           - equals.winlog.event_data.winlog_task: "Kernel Object"
           - equals.winlog.event_data.SubjectUserSid: 'S-1-5-18'
           - equals.winlog.event_data.SubjectUserSid: 'S-1-5-19'
           - regexp.winlog.event_data.AccessList: '^%%4416.*'
           - regexp.winlog.event_data.AccessList: '^%%1538.*'
           - regexp.winlog.event_data.AccessList: '^%%1539.*'
           - regexp.winlog.event_data.AccessList: '^%%1541.*'
           - regexp.winlog.event_data.AccessList: '^%%1542.*'
           - regexp.winlog.event_data.AccessList: '^%%4419.*'
           - regexp.winlog.event_data.AccessList: '^%%4420.*'
           - regexp.winlog.event_data.AccessList: '^%%4421.*'
           - regexp.winlog.event_data.AccessList: '^%%4423.*'
           - regexp.winlog.event_data.AccessList: '^%%4424.*'
           - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._-]+\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE.*'
           - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._-]+\\AppData\\Roaming\\Microsoft\\Windows\Recent.*'
           - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\\$Recycle.Bin.*'

system · January 1, 2024, 5:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Problems with AND in drop_events.when.or Beats winlogbeat	3	685	November 11, 2020
Winlogbeat drop_fields not working Beats winlogbeat	6	1810	July 5, 2021
Winlogbeat - Need Help with Drop_fields Beats winlogbeat	4	503	January 14, 2022
Drop_event when no value in both TargetUserName and Workstation fields (event id 4776) Beats winlogbeat	3	429	February 9, 2023
Winlogbeat - multiple event_id's and processor drop_events Beats winlogbeat	2	133	May 28, 2024

Drop event does not work for specific field

Related Topics