Drop_event when no value in both TargetUserName and Workstation fields (event id 4776)

winlogbeat-7.17.0

I tried to drop the events whose ID is 4776 and which have no value in both TargetUserName and Workstation, but it doesn't work. May I know how to write the condition part and get it working?

Here is the part of the configuration file; I added the "drop_event" block under the default "script" block.

Tried this way:

  - name: Security
    batch_read_size: 256
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
      - drop_event:
          when:
            and:
              - and:
                 - not:
                     has_fields: ['event_data.TargetUserName']
                 - not: 
                     has_fields: ['event_data.Workstation']
              - equals.event_id: 4776

and also this way, "no value" or "no field":

  - name: Security
    batch_read_size: 256
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
      - drop_event:
          when:
            and:
              - or:
                  - and:
                     - not:
                        has_fields: ['event_data.TargetUserName']
                     - not: 
                        has_fields: ['event_data.Workstation']
                  - and:
                     - equals:
                        event_data.TargetUserName: ''
                     - equals: 
                        event_data.Workstation: ''
              - equals.event_id: 4776

Both ways failed to drop the event; I can still get the 4776 event logs without username and workstation info.

Here is the event log in XML format (only the Computer name has been altered).

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4776</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14336</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2023-01-09T07:59:51.948022400Z" />
    <EventRecordID>8003623364</EventRecordID>
    <Correlation />
    <Execution ProcessID="688" ThreadID="580" />
    <Channel>Security</Channel>
    <Computer>DC-SERVER.DOMAIN.NAME</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName" />
    <Data Name="Workstation" />
    <Data Name="Status">0xc0000064</Data>
  </EventData>
</Event>

I was struggling with this issue for days, and solved it with help from colleagues: we need to add quotes around the ID, like '4776'.

Here is the working one; hope this helps someone who's a newbie like me.

      - drop_event:
          when:
            and:
              - and:
                 - not:
                     has_fields: ['winlog.event_data.TargetUserName']
                 - not: 
                     has_fields: ['winlog.event_data.Workstation']
              - equals.event_id: '4776'

Corrected last line.

      - drop_event:
          when:
            and:
              - and:
                 - not:
                     has_fields: ['winlog.event_data.TargetUserName']
                 - not: 
                     has_fields: ['winlog.event_data.Workstation']
              - equals.winlog.event_id: '4776'
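
Added here as an illustration (not code from the thread or from Beats): a small Python model of the condition operators that drop_event evaluates, run over the 4776 record above as winlogbeat 7.x would flatten it. It assumes winlog.event_id is published as a string and that the empty TargetUserName and Workstation Data elements are not emitted as fields, which is what the working configuration implies; the three conditions mirror the first attempt, the unquoted ID alone, and the final config.

```python
# Simplified model of the condition operators (and / or / not / equals / has_fields)
# used by winlogbeat's drop_event processor. Constructed for this thread, not Beats code.
# Assumptions: winlog.event_id is a string; empty <Data/> elements are not fields.
# The 4776 record from the thread, flattened to dotted keys (constructed sample).
EMPTY_4776 = {
    "winlog.event_id": "4776",
    "winlog.computer_name": "DC-SERVER.DOMAIN.NAME",
    "winlog.event_data.PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
    "winlog.event_data.Status": "0xc0000064",
}
# A normal 4776 with user name and workstation, which must NOT be dropped (constructed).
NAMED_4776 = {**EMPTY_4776, "winlog.event_data.TargetUserName": "alice",
              "winlog.event_data.Workstation": "WS01"}

def check(cond, event):
    """Evaluate one condition mapping; a dotted key such as equals.winlog.event_id
    means the same as equals: {winlog.event_id: ...}, as in Beats YAML."""
    (key, arg), = cond.items()
    op, _, field = key.partition(".")
    if op == "and":
        return all(check(c, event) for c in arg)
    if op == "or":
        return any(check(c, event) for c in arg)
    if op == "not":
        return not check(arg, event)
    if op == "has_fields":
        return all(f in event for f in arg)
    if op == "equals":
        pairs = {field: arg} if field else arg
        # A string field only matches a string value, so an unquoted 4776
        # (an integer in YAML) never equals the event's "4776".
        return all(f in event and type(event[f]) is type(v) and event[f] == v
                   for f, v in pairs.items())
    raise ValueError(f"unsupported condition: {op}")

NO_USER_NO_WS = {"and": [
    {"not": {"has_fields": ["winlog.event_data.TargetUserName"]}},
    {"not": {"has_fields": ["winlog.event_data.Workstation"]}},
]}
# First attempt in the thread: field paths without the winlog. prefix, ID unquoted.
ATTEMPT_1 = {"and": [
    {"and": [{"not": {"has_fields": ["event_data.TargetUserName"]}},
             {"not": {"has_fields": ["event_data.Workstation"]}}]},
    {"equals.event_id": 4776},
]}
UNQUOTED_ID = {"and": [NO_USER_NO_WS, {"equals.winlog.event_id": 4776}]}
WORKING = {"and": [NO_USER_NO_WS, {"equals.winlog.event_id": "4776"}]}
```

Only WORKING drops the empty record, and it leaves a 4776 that carries a user name and workstation untouched.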
