winlogbeat-7.17.0
I tried to drop the events whose ID is 4776 and that have no value in both TargetUserName and Workstation, but it doesn't work. May I know how to write the condition part to get it working?
Here is the relevant part of the configuration file; I added the "drop_event" block under the default "script" block.
Tried this way:
- name: Security
  batch_read_size: 256
  processors:
    - script:
        lang: javascript
        id: security
        file: ${path.home}/module/security/config/winlogbeat-security.js
    - drop_event:
        when:
          and:
            - and:
                - not:
                    has_fields: ['event_data.TargetUserName']
                - not:
                    has_fields: ['event_data.Workstation']
            - equals.event_id: 4776
And also this way, covering both "no value" and "no field":
- name: Security
  batch_read_size: 256
  processors:
    - script:
        lang: javascript
        id: security
        file: ${path.home}/module/security/config/winlogbeat-security.js
    - drop_event:
        when:
          and:
            - or:
                - and:
                    - not:
                        has_fields: ['event_data.TargetUserName']
                    - not:
                        has_fields: ['event_data.Workstation']
                - and:
                    - equals:
                        event_data.TargetUserName: ''
                    - equals:
                        event_data.Workstation: ''
            - equals.event_id: 4776
Both ways failed to drop the event; I can still get the 4776 event logs that have no username and workstation info.
Here is the event log in XML format (only the Computer name has been altered).
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4776</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14336</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2023-01-09T07:59:51.948022400Z" />
    <EventRecordID>8003623364</EventRecordID>
    <Correlation />
    <Execution ProcessID="688" ThreadID="580" />
    <Channel>Security</Channel>
    <Computer>DC-SERVER.DOMAIN.NAME</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName" />
    <Data Name="Workstation" />
    <Data Name="Status">0xc0000064</Data>
  </EventData>
</Event>
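The following is an added worked example, not part of the question above and not Winlogbeat code. It parses a trimmed copy of the event XML from the post into a document shaped the way Winlogbeat 7.x lays out its fields (assumption: the event ID lands as a string under winlog.event_id and the EventData pairs under winlog.event_data.*, so the top-level event_data.* and event_id paths used in the question match nothing), then evaluates Beats-style and/or/not/has_fields/equals conditions against it. The evaluator is a small model written for this post; it treats equals as type-strict and it lets you test both possibilities for an empty Data element (field dropped entirely, or kept as an empty string), which is what the or-form of the condition is for.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed, trimmed copy of the 4776 event from the question (both Data elements empty).
EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4776</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName" />
    <Data Name="Workstation" />
    <Data Name="Status">0xc0000064</Data>
  </EventData>
</Event>"""

# Constructed counterpart with a populated user and workstation; this one must be kept.
POPULATED_XML = EVENT_XML.replace('<Data Name="TargetUserName" />',
                                  '<Data Name="TargetUserName">alice</Data>') \
                         .replace('<Data Name="Workstation" />',
                                  '<Data Name="Workstation">WS01</Data>')


def event_to_doc(xml_text, keep_empty=False):
    """Build a nested dict in the assumed Winlogbeat 7.x layout: winlog.event_id (string)
    and winlog.event_data.<Name>. Empty <Data/> elements are dropped unless keep_empty."""
    root = ET.fromstring(xml_text)
    event_data = {}
    for d in root.findall("e:EventData/e:Data", NS):
        value = d.text or ""
        if value == "" and not keep_empty:
            continue  # no field at all, so has_fields is false for it
        event_data[d.get("Name")] = value
    return {"winlog": {"event_id": root.find("e:System/e:EventID", NS).text,
                       "channel": root.find("e:System/e:Channel", NS).text,
                       "event_data": event_data}}


def get_field(doc, path):
    """Resolve a dotted path; returns (value, present)."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None, False
        cur = cur[part]
    return cur, True


def evaluate(cond, doc):
    """Evaluate a Beats-style condition tree (model of libbeat's conditions)."""
    if not isinstance(cond, dict) or len(cond) != 1:
        raise ValueError("a condition is a single-key mapping")
    (op, arg), = cond.items()
    if op == "and":
        return all(evaluate(c, doc) for c in arg)
    if op == "or":
        return any(evaluate(c, doc) for c in arg)
    if op == "not":
        return not evaluate(arg, doc)
    if op == "has_fields":
        return all(get_field(doc, f)[1] for f in arg)
    if op == "equals":
        # Type-strict: the integer 4776 does not equal the string "4776".
        return all(get_field(doc, f) == (v, True) for f, v in arg.items())
    if op.startswith("equals."):  # dotted shorthand, e.g. equals.winlog.event_id: '4776'
        return evaluate({"equals": {op[len("equals."):]: arg}}, doc)
    raise ValueError("unsupported operator: " + op)


# The first condition from the question, with its original (top-level) paths and integer ID.
POSTER_CONDITION = {"and": [
    {"and": [{"not": {"has_fields": ["event_data.TargetUserName"]}},
             {"not": {"has_fields": ["event_data.Workstation"]}}]},
    {"equals.event_id": 4776},
]}

# Same intent under the assumed winlog.* layout with a string ID; the 'or' covers
# both a missing field and an empty-string field.
FIXED_CONDITION = {"and": [
    {"equals": {"winlog.event_id": "4776"}},
    {"or": [
        {"and": [{"not": {"has_fields": ["winlog.event_data.TargetUserName"]}},
                 {"not": {"has_fields": ["winlog.event_data.Workstation"]}}]},
        {"and": [{"equals": {"winlog.event_data.TargetUserName": ""}},
                 {"equals": {"winlog.event_data.Workstation": ""}}]},
    ]},
]}


def should_drop(xml_text, condition, keep_empty=False):
    """True when drop_event would fire for this event under the given condition."""
    return evaluate(condition, event_to_doc(xml_text, keep_empty))


if __name__ == "__main__":
    print("poster condition, empty event:", should_drop(EVENT_XML, POSTER_CONDITION))
    print("fixed condition, empty event: ", should_drop(EVENT_XML, FIXED_CONDITION))
    print("fixed condition, kept-empty:  ", should_drop(EVENT_XML, FIXED_CONDITION, True))
    print("fixed condition, populated:   ", should_drop(POPULATED_XML, FIXED_CONDITION))
```

Run it and the poster's condition never drops the empty event, because neither event_data.* nor event_id exists at the top level of the document and the integer 4776 would not match a string ID anyway; the rewritten condition drops it whether the empty Data elements are omitted or kept as "", and leaves the populated event alone. Before relying on any path in a real deployment, confirm the field names by inspecting one 4776 event in the Winlogbeat output rather than in Event Viewer.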