Dropping Events using Winlogbeat Processors


#1

Good morning!

I've done some reading in Winlogbeat's documentation and wanted to confirm the syntax of a processor that I'm trying to implement.

I have a noisy event that I want to drop before it makes it to Logstash --> Elasticsearch --> Kibana. Here's the query I use in Kibana to pull the events:

  • event_data.ProcessName: "*Scan64.Exe" AND event_id: "4656"

  • event_data.ProcessName: "*mcshield.exe" AND event_id: "4663"

I believe the structure of the processor should look something like this:

processors:
- drop_event:
    when:
       equals:
           event_data.ProcessName: ["Scan64.Exe"]
       equals:
           event_id: ["4656"]

and

processors:
- drop_event:
    when:
       equals:
           event_data.ProcessName: ["mcshield.exe"]
       equals:
           event_id: ["4663"]

Does this look like the correct syntax to drop both of the conditions that I described above?

Thank you in advance for your help!


#2

Currently testing out the following and will update this post if it works:

processors:
- drop_event.when.and:
    - equals.event_data.ProcessName: 'mcshield.exe'
    - equals.event_id: '4663'
- drop_event.when.and:
    - equals.event_data.ProcessName: 'Scan64.Exe'
    - equals.event_id: '4656'

(Andrew Kroh) #3

Your last post looks like it uses the correct syntax.


#4

Implemented the change, however, it's not dropping the events. Here's what I have:

processors:
- drop_event.when.and:
  - equals.event_data.ProcessName: 'C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe'
  - equals.event_id: '4663'
- drop_event.when.and:
  - equals.event_data.ProcessName: 'C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.Exe'
  - equals.event_id: '4656'
- drop_event.when.and:
  - equals.event_data.ProcessName: 'C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.Exe'
  - equals.event_id: '4689'

Ideally this will drop any event that matches the following queries:

(event_data.ProcessName: "C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe" and event_id: "4663")
(event_data.ProcessName: "C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.Exe" and event_id: "4656")
(event_data.ProcessName: "C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.Exe" and event_id: "4689")

Are there any issues with using ' ' versus using " " when using Windows paths?


(Andrew Kroh) #5

How about trying with equals.event_id: 4689 (no quotes, where the event_id is a number rather than a string)?
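The type pitfall behind this suggestion, as an added example rather than code from the thread or from Winlogbeat itself: a small model of how a `drop_event.when.and` processor with `equals` conditions is evaluated, assuming (as the thread observes) that the comparison is type-strict, so the string '4689' never matches a numeric event_id field. The processor config is embedded as Python dicts mirroring the flattened YAML keys, and the sample event is constructed.

```python
# Added example, not Winlogbeat's own code. Models drop_event.when.and with
# equals conditions; assumption: equals is type-strict ('4689' != 4689).

def get_field(event, dotted):
    """Resolve a dotted path such as 'event_data.ProcessName' in an event."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def equals_matches(event, field, expected):
    """Type-strict equality: a quoted event_id never matches a numeric one."""
    actual = get_field(event, field)
    if actual is None or type(actual) is not type(expected):
        return False
    return actual == expected

def condition_matches(event, cond):
    """cond is one flattened item such as {'equals.event_id': 4689}."""
    (key, expected), = cond.items()
    kind, field = key.split(".", 1)
    if kind != "equals":
        raise ValueError(f"unsupported condition: {kind}")
    return equals_matches(event, field, expected)

def should_drop(event, processors):
    """True if all 'and' conditions of any drop_event processor match."""
    for proc in processors:
        (key, conds), = proc.items()
        if key != "drop_event.when.and":
            raise ValueError(f"unsupported processor: {key}")
        if all(condition_matches(event, c) for c in conds):
            return True
    return False

SCAN64 = r"C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.Exe"

# Post #4's form: event_id quoted, i.e. a string in the config.
QUOTED = [{"drop_event.when.and": [{"equals.event_data.ProcessName": SCAN64},
                                   {"equals.event_id": "4689"}]}]
# Post #5's fix: event_id unquoted, i.e. a number in the config.
UNQUOTED = [{"drop_event.when.and": [{"equals.event_data.ProcessName": SCAN64},
                                     {"equals.event_id": 4689}]}]

# Constructed sample event; per the thread, event_id arrives as a number.
SAMPLE = {"event_id": 4689, "event_data": {"ProcessName": SCAN64}}
```

With the quoted config `should_drop(SAMPLE, QUOTED)` stays False and the event is shipped; with the unquoted config it returns True and the event is dropped.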


#6

Looks like it works so far, @andrewkroh. Thanks!

