Drop_event processor in Powershell Channels

Hello

We’ve recently rolled out the Elastic Agent on our Windows servers and since our main focus lies on building rules based on powershell events we would like to filter out as much of those events as possible before they are sent to Logstash. For that purpose we’ve set up an agent policy in fleet with «Windows Integration» and enabled the Powershell (Operational) channels where we’re now using the Processors to reduce the amount of events.

Unfortunately, I'm not able to set up working conditions in order to use the drop_event processor. What seems to be working so far is the exclusion of certain event IDs, 40962 for example (even though it seems that 40961 has also been excluded).

- drop_event:
    when:
      equals:
        winlog.event_id: '40962'

In contrast, the following attempts didn't have any effect and therefore didn't drop any events:

- drop_event:
    when:
      regexp:
        process.command_line: 'ps1'

- drop_event:
    when:
      equals:
        winlog.event_id: '40962'

- drop_event.when.or:
  - regexp.process.command_line: '.*name_of_PowershellScript.ps1$'

- drop_event:
    when:
      equals:
        powershell.command.name: 'Set-Alias'

Windows | Documentation (elastic.co) describes the PowerShell events and fields provided by the data stream, but as far as I understand you won't be able to use those fields (like process.command_line or powershell.command.name) in drop_event, right? Otherwise I would love to drop events with a certain command.name before sending, for example «Set-Alias».

What fields exactly can be used with the drop_event filter and am I doing something wrong on how to use the conditions?

Thanks in advance for any inputs!

If I'm not wrong, you need to use the field names from before the processing done by the ingest pipeline.

To know which is the field name before the parsing, you need to check the ingest pipeline for this integration.

For example, for process.command_line, the processor to create this field is this one:

  - rename:
      field: winlog.event_data.HostApplication
      target_field: process.command_line
      ignore_failure: true
      ignore_missing: true
      if: ctx?.winlog?.event_data?.HostApplication != ""

So, I think that if you use winlog.event_data.HostApplication in the drop conditional in the Agent side, it should work.

Hi Leandro
Thanks for your reply. I've checked the ingest pipeline YAML file from your link and tried to use the fields

- drop_event:
    when:
      regexp:
        winlog.event_data.HostApplication: '.*part_of_scriptname.*'

and also the original name of powershell.command.name

  - rename:
      field: winlog.event_data.CommandName
      target_field: powershell.command.name

but in both cases without success. I'll try other fields tomorrow and will update the post.

I tried a lot of those fields listed in

none of those work. As one can see in the yml file, the winlog.event_data.ContextInfo data is split into objects which become properties of the target_field winlog.event_data. Hence we have winlog.event_data.HostName, winlog.event_data.CommandPath etc., which are then renamed to process.title / powershell.command.path, the names we see in Kibana and in the PowerShell Module Fields documentation.

As you mentioned correctly, the Agent processors execute before the ingest pipelines. Therefore (and according to my tests) it is only possible to filter out events using the winlog.event_data.ContextInfo object, for example like this:

- drop_event:
    when:
      regexp:
        winlog.event_data.ContextInfo: 'Get-ChildItem|Add-Member'

Could anyone confirm that winlog.event_data.ContextInfo is the only way to filter out certain Event ID 4103 events (based on their payload)?
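As an added example (not from any of the posts above), this is the shape the Processors field of the integration could take once the conditions are written against the raw, pre-pipeline field names the thread arrives at: only winlog.event_id and winlog.event_data.ContextInfo exist for 4103 on the agent side. It assumes that ContextInfo is the multi-line "Key = Value" text the ingest pipeline later splits (with lines such as "Command Name = Set-Alias" and "Script Name = ..."), and the cmdlet and script names are placeholders.

```yaml
# Agent-side processors for the PowerShell (Operational) channel.
# Conditions must use the winlog.* names that exist before the integration's
# ingest pipeline renames them; process.command_line and powershell.command.name
# are not present yet at this stage.

# Drop a whole event type by ID (event_id is a string on the agent side).
- drop_event:
    when:
      equals:
        winlog.event_id: '40962'

# Drop only the 4103 module-logging events whose command is one of the listed
# cmdlets. Anchoring the regexp on the "Command Name = " key (assumed layout of
# ContextInfo) avoids dropping unrelated events whose payload merely mentions
# the same string somewhere else. \b keeps Get-ChildItem from matching a
# longer cmdlet name (RE2 syntax, as used by the Beats regexp condition).
- drop_event:
    when:
      and:
        - equals:
            winlog.event_id: '4103'
        - regexp:
            winlog.event_data.ContextInfo: 'Command Name = (Set-Alias|Get-ChildItem|Add-Member)\b'

# Drop 4103 events produced by one known maintenance script, matched on the
# "Script Name = " line of the same ContextInfo text (assumed layout; the
# script name is a placeholder). Combine several sources with or:.
- drop_event:
    when:
      and:
        - equals:
            winlog.event_id: '4103'
        - or:
            - regexp:
                winlog.event_data.ContextInfo: '(?i)Script Name = .*\\name_of_PowershellScript\.ps1'
            - regexp:
                winlog.event_data.ContextInfo: '(?i)Script Name = .*\\other_scheduled_task\.ps1'
```

Events dropped here never reach Logstash or Elasticsearch, so keep each regexp as narrow as the key-anchored form above and review the list against the detection rules that depend on 4103 before widening it.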