Drop_event not working via process name or path

Hi,

I'm using the processor in the System integration on Elastic Agent to try and reduce the ingest as we get a lot of noise.

I've been doing some testing as I'd like to filter out an event code if the process name is x. I've been unsuccessful so far and have been trying to break it down to see where I'm going wrong.

I was able to successfully filter out the specific event code via:

- drop_event:
    when:
      equals:
        event.code: "4688"

But trying to use process name is unsuccessful i.e. the events with the process.executable are still being logged/indexed:

- drop_event:
    when:
      equals:
        process.executable: 'C:\Windows\System32\svchost.exe'

I have also tried the above code with double quotes and with process.name: 'svchost.exe' instead of the process.executable but it is not working.

What I initially tried to do was the following, but this did nothing:

- drop_event:
    when:
      and:
        - equals:
            process.executable: 'C:\Windows\System32\svchost.exe'
        - equals:
            event.code: "4688"

I've continued playing around with this but no luck.

I've tried regex:

- drop_event:
    when:
      regexp:
        process.name: '^(?i)svchost\.exe$'

and even just a simple contains condition:

- drop_event:
    when:
      contains:
        process.name: 'svchost.exe'

Neither is working; the events with this process.name are still being logged.

Any ideas at all?

For the benefit of anyone who comes across it, as I did a lot of searching trying to figure this out! Here is what I found out.

It looks like the issue was down to the process.name field not existing pre-parsing; I possibly would have come to this conclusion earlier if the event.code process had also failed.

So then I went down the rabbit hole of trying to work out what fields I could use and which ones I couldn't. This may be obvious information for a lot of people, particularly if you've come from Winlogbeat, but for someone who's just started and is using the agent the documentation could be a LOT more helpful, as I didn't see this mentioned in either the System Integration documentation or the Processor documentation which is linked in the integration.

Eventually I discovered you can reference the raw data names in the Windows Event XML and was able to accomplish what I needed with the following:

- drop_event:
    when:
      and:
      - equals.winlog.event_id: "4688"
      - equals.winlog.event_data.SubjectLogonId: "0x3e7"
      - or:
        - equals.winlog.event_data.NewProcessName: 'C:\Windows\System32\svchost.exe'
        - equals.winlog.event_data.NewProcessName: 'C:\Windows\System32\conhost.exe'
        - equals.winlog.event_data.NewProcessName: 'C:\Windows\System32\backgroundTaskHost.exe'
        - equals.winlog.event_data.NewProcessName: 'C:\Windows\System32\SearchFilterHost.exe'
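
Added example (my own Python, not Beats or Elastic Agent code) showing why the ECS-field conditions above never fired: the drop_event processor runs inside the agent, where a 4688 event carries only the winlog.* fields, and process.name / process.executable are only created later by the Elasticsearch ingest pipeline. The sample event and the small condition evaluator are constructed for illustration; the dict conditions are the YAML from this thread with its dotted keys expanded.

```python
# Constructed 4688 event as the agent-side processor sees it: only winlog.*
# exists; process.name is added later by the ingest pipeline in Elasticsearch.
RAW_4688 = {
    "event": {"code": "4688"},
    "winlog": {
        "event_id": "4688",
        "event_data": {
            "SubjectLogonId": "0x3e7",
            "NewProcessName": r"C:\Windows\System32\svchost.exe",
        },
    },
}

def get_field(event, dotted):
    """Resolve 'winlog.event_data.NewProcessName'-style paths; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches(cond, event):
    """Minimal stand-in for the Beats condition evaluator (equals/contains/and/or)."""
    (kind, body), = cond.items()
    if kind == "and":
        return all(matches(c, event) for c in body)
    if kind == "or":
        return any(matches(c, event) for c in body)
    if kind in ("equals", "contains"):
        (field, expected), = body.items()
        actual = get_field(event, field)
        if actual is None:  # a field that does not exist yet never matches
            return False
        return actual == expected if kind == "equals" else expected in str(actual)
    raise ValueError(f"unsupported condition: {kind}")

# The thread's YAML with dotted keys such as 'equals.winlog.event_id'
# expanded into nested mappings, as the Beats config loader does.
ECS_COND = {"equals": {"process.name": "svchost.exe"}}
RAW_COND = {"and": [
    {"equals": {"winlog.event_id": "4688"}},
    {"equals": {"winlog.event_data.SubjectLogonId": "0x3e7"}},
    {"or": [
        {"equals": {"winlog.event_data.NewProcessName": r"C:\Windows\System32\svchost.exe"}},
        {"equals": {"winlog.event_data.NewProcessName": r"C:\Windows\System32\conhost.exe"}},
    ]},
]}
```

`matches(ECS_COND, RAW_4688)` returns False because process.name is absent at processor time, while `matches(RAW_COND, RAW_4688)` returns True.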
