Droping events based on ip adr from sysmon


#1

hi i believe this is close to what im seeing, at least im trying the same thing and not getting any success.

the sysmon is being send from a windows event collector with a winlogbeat agent on to logstash

here is the winlogbeat conf.

###################### Winlogbeat Configuration Example ##########################

This file is an example configuration file highlighting only the most common

options. The winlogbeat.reference.yml file from the same directory contains all the

supported options with more comments. You can use it as a reference.

You can find the full configuration reference here:

https://www.elastic.co/guide/en/beats/winlogbeat/index.html

#======================= Winlogbeat specific options ==========================

event_logs specifies a list of event logs to monitor as well as any

accompanying options. The YAML data type of event_logs is a list of

dictionaries.

The supported keys are name (required), tags, fields, fields_under_root,

forwarded, ignore_older, level, event_id, provider, and include_xml. Please

visit the documentation for the complete details of each option.

https://go.es.io/WinlogbeatConfig

winlogbeat.event_logs:

  • name: ForwardedEvents
    ignore_older: 12h
    event_logs.forwarded: false
    #--------processors-------------
    processors:

the bullets are actualley a "-"

  • drop_event.when.or:
    • equals.event_data.DestinationIp: [ "40.101.51.226", "40.101.51.130","52.114.32.7","13.107.2.0/22", "20.36.64.0/19", "204.79.197.213", "20.36.112.0/21", "40.82.12.0/22", "40.82.244.0/22", "40.90.130.32/28", "40.90.142.64/27", "40.90.149.32/27", "40.126.128.0/18", "52.143.218.0/24", "52.239.218.0/23", "20.36.32.0/19", "20.36.104.0/21", "20.37.0.0/18", "40.82.8.0/22", "40.82.240.0/22", "40.90.130.48/28", "40.90.142.96/27", "40.90.149.64/27", "52.143.219.0/24", "52.239.216.0/23", "13.70.64.0/18", "13.72.224.0/19", "13.73.192.0/20", "13.75.128.0/17", "20.37.192.0/19", "20.188.128.0/17", "20.190.142.0/25", "20.191.192.0/18", "23.101.208.0/20", "40.79.160.0/20", "40.79.211.0/24", "40.82.32.0/22", "40.82.192.0/19", "40.87.208.0/22", "40.90.130.80/28", "40.90.130.208/28", "40.90.140.32/27", "40.90.142.160/27", "40.90.147.64/27", "40.90.150.0/27", "40.112.37.128/26", "40.126.14.0/25", "40.126.224.0/19", "52.108.40.0/23", "52.109.112.0/22", "52.114.16.0/22", "52.147.0.0/19", "52.156.160.0/19", "52.187.192.0/18", "52.232.136.0/21", "52.232.154.0/24", "52.237.192.0/18", "52.239.130.0/23", "52.239.226.0/24", "52.245.16.0/22", "104.44.90.64/26", "104.44.93.96/27", "104.44.95.48/28", "104.46.29.0/24", "104.46.30.0/23", "104.46.240.0/20", "104.209.80.0/20", "104.210.64.0/18", "191.238.66.0/23", "191.239.64.0/19", "13.70.128.0/18", "13.73.96.0/19", "13.77.0.0/18", "20.190.96.0/19", "20.190.142.128/25", "23.101.224.0/19", "40.79.212.0/24", "40.81.48.0/20", "40.87.212.0/22", "40.90.138.128/27", "40.112.37.192/26", "40.115.64.0/19", "40.117.0.0/19", "40.126.14.128/25", "40.127.64.0/19", "52.108.234.0/23", "52.109.116.0/22", "52.114.20.0/22", "52.136.25.0/24", "52.147.32.0/19", "52.158.128.0/19", "52.189.192.0/18", "52.239.132.0/23", "52.239.225.0/24", "52.243.64.0/18", "52.245.20.0/22", "52.255.32.0/19", "104.44.90.32/27", "104.44.93.128/27", "104.44.95.64/28", "104.46.28.0/24", "104.209.64.0/20", "191.239.160.0/19", "191.239.192.0/22", "20.190.145.0/25", "23.97.96.0/19", "40.90.133.32/27", "40.90.141.64/27", "40.90.144.224/27", "40.126.17.0/25", "52.108.36.0/22", "52.109.108.0/22", "104.41.0.0/18", "191.232.32.0/19", "191.232.160.0/19", "191.232.192.0/18", "191.233.0.0/21", "191.233.24.0/21", "191.233.128.0/24", "191.233.130.0/23", "191.233.132.0/22", "191.233.136.0/21", "191.233.192.0/18", "191.234.160.0/19", "191.235.32.0/19", "191.235.64.0/18", "191.235.196.0/22", "191.235.200.0/21", "191.235.224.0/20", "191.235.240.0/21", "191.237.195.0/24", "191.237.200.0/21", "191.237.248.0/21", "191.238.128.0/21", "191.238.192.0/19", "191.239.112.0/20", "191.239.204.0/22", "191.239.240.0/20", "13.71.160.0/19", "13.88.224.0/19" ]

based on what i can see in the initial mentioned topic i can get winlogbeat to drop a given event id here this would be event id 3.

is it possible to get winlogbeat to drop the event if event id 3 contains one of the ip adresses mentioned above?

an alternative i guess would be to do this in logstash, but if i can get the noise filtered out before i hit logstash i would prefer this.


#2

hi again i have tried to recreate this advise from a privious post

`

processors:
- drop_event:
      when:
      and:
      - or:
        - equals.event_id: 3
      - equals.event_data.DestinationIp: [ "40.101.48.82",  "40.101.65.130", "52.178.207.179", "52.114.32.8", "40.101.50.2", "13.107.18.11", "40.101.51.194", "52.114.76.34" ]

/>
but i still get the ip adresses sent to logstash?

disreguard the formatting when i c/p from the yml file it ends up like this, but am i on the right track here ?


(Noémi Ványi) #3

Could you please format your configuration using </>?


#4

sorry fixed now


#5

this from a sysmon event id 3

original message looks like this

Network connection detected:
UtcTime: 2018-11-08 15:24:06.245
ProcessGuid: {04A01A50-95E3-5BE1-0000-00105E104800}
ProcessId: 11240
Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
User: XXX\XXXX
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 172.x.xx.x.x
SourceHostname: PCbalbal
SourcePort: 65411
SourcePortName:
DestinationIsIpv6: false
DestinationIp: 40.101.48.82
DestinationHostname:
DestinationPort: 443
DestinationPortName: https


(Andrew Kroh) #6

It is possible. But in your original post you used CIDR ranges and Beats do not have support for matching CIDR ranges so you would have to use exact IP addresses or a regular expression.

So if the logic you want is drop_event when (event_id == 3) AND (event_data.DestinationIp == "40.101.48.82" OR event_data.DestinationIp == "40.101.65.130") then this should work:

processors:
- drop_event:
    when:
      and:
        - equals.event_id: 3
        - or:
            - equals.event_data.DestinationIp: '40.101.48.82'
            - equals.event_data.DestinationIp: '40.101.65.130'

Indentation is critical in YAML.

http://www.yamllint.com/ is your friend and can be used to check that your YAML is valid.


#7

hi thanks

this means i have to make a line for each ip adr i want to drop then?

its not possible to list the DestinatioIP that i want to drop like

...
- or:
- equals.event_data.DestionationIp: [ '40.101.48.82', '40.101.65.130' ]

i think that is what you are getting at, just wanted to be sure :wink:


(Andrew Kroh) #8

That's correct. The equals condition does not currently have support for a string array value. It has support for int, string, and bool. You can see the source code here


(system) #9

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.