Dropping logon events for computer accounts not working

Anabella_Cristaldi · July 11, 2019, 3:42pm

Hi,
I'm working at the moment correlating windows Logon and Special Logon events (4624 and 4672) .
I want to drop the events 4624 event when event_data.TargetUserName ends with $ because is a computer-related account joining the domain.
What I have done so far is not working and I'm still receiving those events.

First I 've put the drop_event processor before the script processor, so the field I'm looking at is event_data.TargetUserName, not user.name
Is this correct?

I've tried with the regexp condition, and no luck

- name: Security
  processors:
   - drop_event:
       when:
         and:
           - equals:
               event.code: 4624
           - regexp:
               event_data.TargetUserName: '.*\$'

also I've tried with an specific user, still no work (instead of the regexp line)

         - contains:
              event_data.TargetUserName: "DC_TEST2K12$"

What I'm doing wrong?
Thank you very much
Regards
Ana

Anabella_Cristaldi · July 11, 2019, 4:08pm

Apparently is working now. I was using the wrong field name is winlog.event_data.TargetUserName instead of event_data.TargetUserName

Regards
Ana

system · August 8, 2019, 4:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat and drop_event filter Beats winlogbeat	5	4941	May 9, 2017
Struggling with Drop_Event Processor Syntax and Structure Beats winlogbeat	2	355	July 23, 2020
Drop_event when no value in both TargetUserName and Workstation fields (event id 4776) Beats winlogbeat	3	429	February 9, 2023
Drop_event processor not working Beats winlogbeat	3	329	June 9, 2021
Would dropping events by regexp match be possible? Beats winlogbeat	3	598	January 17, 2020

Dropping logon events for computer accounts not working

Related Topics