Dropping events based on IP address from Sysmon

Hi, I believe this is close to what I'm seeing; at least I'm trying the same thing and not getting any success.

The Sysmon is being sent from a Windows event collector with a Winlogbeat agent on to Logstash.

Here is the Winlogbeat conf.

###################### Winlogbeat Configuration Example ##########################

# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# Winlogbeat Reference | Elastic

#======================= Winlogbeat specific options ==========================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name (required), tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
# visit the documentation for the complete details of each option.
# Configure Winlogbeat | Winlogbeat Reference [8.11] | Elastic

winlogbeat.event_logs:

  • name: ForwardedEvents
    ignore_older: 12h
    event_logs.forwarded: false
    #--------processors-------------
    processors:

The bullets are actually a "-".

  • drop_event.when.or:
    • equals.event_data.DestinationIp: [ "40.101.51.226", "40.101.51.130","52.114.32.7","13.107.2.0/22", "20.36.64.0/19", "204.79.197.213", "20.36.112.0/21", "40.82.12.0/22", "40.82.244.0/22", "40.90.130.32/28", "40.90.142.64/27", "40.90.149.32/27", "40.126.128.0/18", "52.143.218.0/24", "52.239.218.0/23", "20.36.32.0/19", "20.36.104.0/21", "20.37.0.0/18", "40.82.8.0/22", "40.82.240.0/22", "40.90.130.48/28", "40.90.142.96/27", "40.90.149.64/27", "52.143.219.0/24", "52.239.216.0/23", "13.70.64.0/18", "13.72.224.0/19", "13.73.192.0/20", "13.75.128.0/17", "20.37.192.0/19", "20.188.128.0/17", "20.190.142.0/25", "20.191.192.0/18", "23.101.208.0/20", "40.79.160.0/20", "40.79.211.0/24", "40.82.32.0/22", "40.82.192.0/19", "40.87.208.0/22", "40.90.130.80/28", "40.90.130.208/28", "40.90.140.32/27", "40.90.142.160/27", "40.90.147.64/27", "40.90.150.0/27", "40.112.37.128/26", "40.126.14.0/25", "40.126.224.0/19", "52.108.40.0/23", "52.109.112.0/22", "52.114.16.0/22", "52.147.0.0/19", "52.156.160.0/19", "52.187.192.0/18", "52.232.136.0/21", "52.232.154.0/24", "52.237.192.0/18", "52.239.130.0/23", "52.239.226.0/24", "52.245.16.0/22", "104.44.90.64/26", "104.44.93.96/27", "104.44.95.48/28", "104.46.29.0/24", "104.46.30.0/23", "104.46.240.0/20", "104.209.80.0/20", "104.210.64.0/18", "191.238.66.0/23", "191.239.64.0/19", "13.70.128.0/18", "13.73.96.0/19", "13.77.0.0/18", "20.190.96.0/19", "20.190.142.128/25", "23.101.224.0/19", "40.79.212.0/24", "40.81.48.0/20", "40.87.212.0/22", "40.90.138.128/27", "40.112.37.192/26", "40.115.64.0/19", "40.117.0.0/19", "40.126.14.128/25", "40.127.64.0/19", "52.108.234.0/23", "52.109.116.0/22", "52.114.20.0/22", "52.136.25.0/24", "52.147.32.0/19", "52.158.128.0/19", "52.189.192.0/18", "52.239.132.0/23", "52.239.225.0/24", "52.243.64.0/18", "52.245.20.0/22", "52.255.32.0/19", "104.44.90.32/27", "104.44.93.128/27", "104.44.95.64/28", "104.46.28.0/24", "104.209.64.0/20", "191.239.160.0/19", "191.239.192.0/22", "20.190.145.0/25", "23.97.96.0/19", 
"40.90.133.32/27", "40.90.141.64/27", "40.90.144.224/27", "40.126.17.0/25", "52.108.36.0/22", "52.109.108.0/22", "104.41.0.0/18", "191.232.32.0/19", "191.232.160.0/19", "191.232.192.0/18", "191.233.0.0/21", "191.233.24.0/21", "191.233.128.0/24", "191.233.130.0/23", "191.233.132.0/22", "191.233.136.0/21", "191.233.192.0/18", "191.234.160.0/19", "191.235.32.0/19", "191.235.64.0/18", "191.235.196.0/22", "191.235.200.0/21", "191.235.224.0/20", "191.235.240.0/21", "191.237.195.0/24", "191.237.200.0/21", "191.237.248.0/21", "191.238.128.0/21", "191.238.192.0/19", "191.239.112.0/20", "191.239.204.0/22", "191.239.240.0/20", "13.71.160.0/19", "13.88.224.0/19" ]

Based on what I can see in the initially mentioned topic, I can get Winlogbeat to drop a given event ID; here this would be event ID 3.

Is it possible to get Winlogbeat to drop the event if event ID 3 contains one of the IP addresses mentioned above?

An alternative, I guess, would be to do this in Logstash, but if I can get the noise filtered out before I hit Logstash I would prefer this.

Hi again, I have tried to recreate this advice from a previous post:


processors:
- drop_event:
      when:
      and:
      - or:
        - equals.event_id: 3
      - equals.event_data.DestinationIp: [ "40.101.48.82",  "40.101.65.130", "52.178.207.179", "52.114.32.8", "40.101.50.2", "13.107.18.11", "40.101.51.194", "52.114.76.34" ]

But I still get the IP addresses sent to Logstash?

Disregard the formatting; when I c/p from the yml file it ends up like this. But am I on the right track here?

Could you please format your configuration using </>?

Sorry, fixed now.

This is from a Sysmon event ID 3.

The original message looks like this:

Network connection detected:
UtcTime: 2018-11-08 15:24:06.245
ProcessGuid: {04A01A50-95E3-5BE1-0000-00105E104800}
ProcessId: 11240
Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
User: XXX\XXXX
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 172.x.xx.x.x
SourceHostname: PCbalbal
SourcePort: 65411
SourcePortName:
DestinationIsIpv6: false
DestinationIp: 40.101.48.82
DestinationHostname:
DestinationPort: 443
DestinationPortName: https

It is possible. But in your original post you used CIDR ranges and Beats do not have support for matching CIDR ranges so you would have to use exact IP addresses or a regular expression.

So if the logic you want is drop_event when (event_id == 3) AND (event_data.DestinationIp == "40.101.48.82" OR event_data.DestinationIp == "40.101.65.130") then this should work:

processors:
- drop_event:
    when:
      and:
        - equals.event_id: 3
        - or:
            - equals.event_data.DestinationIp: '40.101.48.82'
            - equals.event_data.DestinationIp: '40.101.65.130'

Indentation is critical in YAML.

http://www.yamllint.com/ is your friend and can be used to check that your YAML is valid.

Hi, thanks.

This means I have to make a line for each IP address I want to drop, then?

It's not possible to list the DestinationIp values that I want to drop like

...
- or:
- equals.event_data.DestinationIp: [ '40.101.48.82', '40.101.65.130' ]

I think that is what you are getting at, just wanted to be sure :wink:

That's correct. The equals condition does not currently have support for a string array value. It has support for int, string, and bool. You can see the source code here
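
An added example, not code from the thread or from Elastic: since `equals` takes one string per condition and CIDR ranges are not matched, this Python script generates the `or` list with one `equals` line per exact address. It expands small ranges and reports the ranges that are too large to expand. The function name `build_drop_processor` and the 256-address expansion limit are assumptions made for the example.

```python
import ipaddress

FIELD = "event_data.DestinationIp"  # field name used in the thread's config


def build_drop_processor(entries, event_id=3, max_expand=256):
    """Return (yaml_text, skipped_ranges) for a Winlogbeat drop_event processor.

    Single addresses and small CIDR ranges become one `equals` condition per
    exact address. Ranges larger than max_expand are returned in
    skipped_ranges so they can be filtered elsewhere (for example in Logstash).
    """
    addresses, skipped = [], []
    for entry in entries:
        # Raises ValueError on a malformed entry, so a typo never ends up
        # as a condition that silently matches nothing.
        net = ipaddress.ip_network(entry.strip(), strict=False)
        if net.num_addresses <= max_expand:
            addresses.extend(str(addr) for addr in net)
        else:
            skipped.append(entry)
    addresses = list(dict.fromkeys(addresses))  # de-duplicate, keep order
    if not addresses:
        raise ValueError("no exact addresses to match; refusing to emit a processor")

    # Same nesting and indentation as the working config in the thread:
    # event_id must match AND the destination must be one of the addresses.
    lines = [
        "processors:",
        "- drop_event:",
        "    when:",
        "      and:",
        f"        - equals.event_id: {event_id}",
        "        - or:",
    ]
    lines += [f"            - equals.{FIELD}: '{addr}'" for addr in addresses]
    return "\n".join(lines) + "\n", skipped


if __name__ == "__main__":
    # Constructed sample input: addresses and ranges taken from the thread.
    sample = ["40.101.48.82", "40.101.65.130", "40.90.130.32/28", "13.107.2.0/22"]
    text, skipped = build_drop_processor(sample)
    print(text)
    print("# not expanded (too large):", skipped)
```

Paste the generated block into winlogbeat.yml and handle the ranges reported as skipped in Logstash, since they cannot be listed as exact addresses at a reasonable size.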
