We’ve recently rolled out the Elastic Agent on our Windows servers and since our main focus lies on building rules based on powershell events we would like to filter out as much of those events as possible before they are sent to Logstash. For that purpose we’ve set up an agent policy in fleet with «Windows Integration» and enabled the Powershell (Operational) channels where we’re now using the Processors to reduce the amount of events.
Unfortunately, I’m not able to set up working conditions in order to use the drop_event processor. What seems to be working so far is the exclusion of certain event IDs, 40962 for example (even though it seems that 40961 has also been excluded).
Windows | Documentation (elastic.co) describes the PowerShell events and fields provided by the data stream, but as far as I understand you won’t be able to use those fields (like process.command_line or powershell.command.name) in drop_event, right? Otherwise I would love to drop events with a certain command.name before sending, for example «Set-Alias».
What fields exactly can be used with the drop_event filter and am I doing something wrong on how to use the conditions?
None of those works. As one can see in the yml file, the winlog.event_data.ContextInfo data is split into objects which become properties of the target_field winlog.event_data. Hence we have winlog.event_data.HostName, winlog.event_data.CommandPath etc., which are then renamed to process.title / powershell.command.path, the names we see in Kibana and the PowerShell Module Fields documentation.
As you mentioned correctly, the Agent processors execute before the ingest pipelines. Therefore (and according to my tests) it is only possible to filter out events using the winlog.event_data.ContextInfo object, for example like this:
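An added example of the approach described above (this is not the poster's own processors block): a drop_event processor in the Windows integration's PowerShell Operational stream that matches on the raw winlog.event_data.ContextInfo string, because at processor time the ingest pipeline has not yet split it into powershell.command.name. The "Command Name = Set-Alias" substring assumes the line layout of the ContextInfo text in PowerShell module logging events.

```yaml
# Added example for the Elastic Agent "Windows" integration processors field
# (PowerShell Operational data stream). Not the poster's configuration.
#
# Assumption: Agent processors run before the ingest pipeline, so only the raw
# winlog.* fields exist here. powershell.command.name, process.command_line
# and winlog.event_data.CommandPath are NOT available yet; they are produced
# later by the pipeline from winlog.event_data.ContextInfo.
- drop_event:
    when:
      # ContextInfo is still one multi-line string such as
      #   "Host Name = ConsoleHost ... Command Name = Set-Alias ..."
      # (constructed sample of the layout). "contains" is a plain substring
      # match, so "Set-Alias" would also match a longer cmdlet name that
      # starts with it; use "regexp" with a word boundary if that matters.
      contains:
        winlog.event_data.ContextInfo: "Command Name = Set-Alias"
```

Events dropped here never reach Logstash, so they also disappear from any detection rule that relies on them; keep the dropped command set small and review it when the rule set changes.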