Dropping Events using Winlogbeat Processors

popa · October 3, 2018, 12:24am

Good morning!

I've done some reading in Winlogbeat's documentation and wanted to confirm the syntax of a processor that I'm trying to implement.

I have a noisy event that I want to drop before it makes it to Logstash --> Elasticsearch --> Kibana. Here's the query I use in Kibana to pull the events:

event_data.ProcessName: "*Scan64.Exe" AND event_id: "4656"
event_data.ProcessName: "*mcshield.exe" AND event_id: "4663"

I believe the structure of the processor should look something like this:

processors:
- drop_event:
    when:
       equals:
           event_data.ProcessName: ["Scan64.Exe"]
       equals:
           event_id: ["4656"]

and

processors:
- drop_event:
    when:
       equals:
           event_data.ProcessName: ["mcshield.exe"]
       equals:
           event_id: ["4663"]

Does this look like the correct syntax to drop both of the conditions that I described above?

Thank you in advance for your help!

popa · October 3, 2018, 2:15am

Currently testing out the following and will update this post if it works:

processors:
- drop_event.when.and:
    - equals.event_data.ProcessName: 'mcshield.exe'
    - equals.event_id: '4663'
- drop_event.when.and:
    - equals.event_data.ProcessName: 'Scan64.Exe'
    - equals.event_id: '4656'

andrewkroh · October 3, 2018, 8:37pm

Your last post looks like it uses the correct syntax.

popa · October 4, 2018, 7:14am

Implemented the change, however, it's not dropping the events. Here's what I have:

processors:
- drop_event.when.and:
  - equals.event_data.ProcessName: 'C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe'
  - equals.event_id: '4663'
- drop_event.when.and:
  - equals.event_data.ProcessName: 'C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.Exe'
  - equals.event_id: '4656'
- drop_event.when.and:
  - equals.event_data.ProcessName: 'C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.Exe'
  - equals.event_id: '4689'

Ideally this will drop any event that matches the following queries:

(event_data.ProcessName: "C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe" and event_id: "4663")
(event_data.ProcessName: "C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.Exe" and event_id: "4656")
(event_data.ProcessName: "C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.Exe" and event_id: "4689")

Are there any issues with using ' ' versus using " " when using Windows paths?

andrewkroh · October 4, 2018, 1:43pm

How about trying with equals.event_id: 4689 (no quotes, where the event_id is a number rather than a string)?

popa · October 5, 2018, 1:07am

Looks like it works so far, @andrewkroh. Thanks!

system · November 2, 2018, 1:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Droping events based on ip adr from sysmon Beats winlogbeat	8	928	December 7, 2018
Unable to drop events Beats winlogbeat	6	986	June 28, 2018
Processor not dropping events Beats Winlogbeat Beats winlogbeat	3	809	April 29, 2021
Processor [drop_event] not dropping events Beats Winlogbeat Beats winlogbeat	3	646	July 31, 2019
Struggling with Drop_Event Processor Syntax and Structure Beats winlogbeat	2	356	July 23, 2020

Dropping Events using Winlogbeat Processors

Related topics