Dropping Events using Winlogbeat Processors

popa · October 3, 2018, 12:24am

Good morning!

I've done some reading in Winlogbeat's documentation and wanted to confirm the syntax of a processor that I'm trying to implement.

I have a noisy event that I want to drop before it makes it to Logstash --> Elasticsearch --> Kibana. Here's the query I use in Kibana to pull the events:

event_data.ProcessName: "*Scan64.Exe" AND event_id: "4656"
event_data.ProcessName: "*mcshield.exe" AND event_id: "4663"

I believe the structure of the processor should look something like this:

processors:
- drop_event:
    when:
       equals:
           event_data.ProcessName: ["Scan64.Exe"]
       equals:
           event_id: ["4656"]

and

processors:
- drop_event:
    when:
       equals:
           event_data.ProcessName: ["mcshield.exe"]
       equals:
           event_id: ["4663"]

Does this look like the correct syntax to drop both of the conditions that I described above?

Thank you in advance for your help!

popa · October 3, 2018, 2:15am

Currently testing out the following and will update this post if it works:

processors:
- drop_event.when.and:
    - equals.event_data.ProcessName: 'mcshield.exe'
    - equals.event_id: '4663'
- drop_event.when.and:
    - equals.event_data.ProcessName: 'Scan64.Exe'
    - equals.event_id: '4656'

andrewkroh · October 3, 2018, 8:37pm

Your last post looks like it uses the correct syntax.

popa · October 4, 2018, 7:14am

Implemented the change, however, it's not dropping the events. Here's what I have:

processors:
- drop_event.when.and:
  - equals.event_data.ProcessName: 'C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe'
  - equals.event_id: '4663'
- drop_event.when.and:
  - equals.event_data.ProcessName: 'C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.Exe'
  - equals.event_id: '4656'
- drop_event.when.and:
  - equals.event_data.ProcessName: 'C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.Exe'
  - equals.event_id: '4689'

Ideally this will drop any event that matches the following queries:

(event_data.ProcessName: "C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe" and event_id: "4663")
(event_data.ProcessName: "C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.Exe" and event_id: "4656")
(event_data.ProcessName: "C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.Exe" and event_id: "4689")

Are there any issues with using ' ' versus using " " when using Windows paths?

andrewkroh · October 4, 2018, 1:43pm

How about trying with equals.event_id: 4689 (no quotes, where the event_id is a number rather than a string)?

popa · October 5, 2018, 1:07am

Looks like it works so far, @andrewkroh. Thanks!

system · November 2, 2018, 1:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Droping events based on ip adr from sysmon Beats winlogbeat	8	927	December 7, 2018
Processor not dropping events Beats Winlogbeat Beats winlogbeat	3	803	April 29, 2021
Processor [drop_event] not dropping events Beats Winlogbeat Beats winlogbeat	3	645	July 31, 2019
Struggling with Drop_Event Processor Syntax and Structure Beats winlogbeat	2	355	July 23, 2020
Winlogbeat Drop Event Processor No Longer Working After Update to v8 Beats winlogbeat	1	301	August 3, 2022

Dropping Events using Winlogbeat Processors

Related Topics