Dropping network events for private IP range through Winlogbeat yml config

Hi there,

We are forwarding system network event logs via winlogbeat generated by sysmon and was attempting to drop internal traffic events using private IP ranges.
It seems the yml config does not support wildcards, hence I cannot use <10.*>.
Is there another way in winlogbeat to accomplish this?
Sysmon conditional grouping rules are another issue, hence unable to do that.

Thank you in advance!

My recommendation is to drop the events as close to the source as possible to avoid storing data you don't care about and avoid processing costs in Winlogbeat. With Sysmon that would be through rules in the sysmon XML config. You can filter network events with a wildcard (see Sysmon - Windows Sysinternals | Microsoft Docs). And here's an example: sysmon-config/sysmonconfig-export.xml at 5ded528c3386c11be1ca0c972035617f412ad0f8 · SwiftOnSecurity/sysmon-config · GitHub.

Winlogbeat can also drop events based on network CIDR ranges or based on regular expressions if you prefer that approach.

```yaml
processors:
  - drop_event:
      when:
        network:
          source.ip: private
```

```yaml
processors:
  - drop_event:
      when:
        network:
          source.ip: '10.0.0.0/8'
```
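A fuller version of the Winlogbeat approach from the answer above, added here as an example and not taken from the thread or from the Winlogbeat project. It assumes the Sysmon channel name shown, that Sysmon event ID 3 (NetworkConnect) is the event to filter, and that the Winlogbeat Sysmon module has populated `source.ip` and `destination.ip` (without the module, the raw fields are `winlog.event_data.SourceIp` and `winlog.event_data.DestinationIp`, which the `network` condition also accepts since they hold plain IP strings). Matching on `source.ip: private` alone would discard nearly every network event from a host sitting on an RFC 1918 address, including its connections to the internet; requiring both endpoints to be private keeps the external connections that are usually the ones worth detecting on:

```yaml
# Added example: drop Sysmon NetworkConnect events where BOTH ends are private
# (assumed channel name, event ID and ECS field names; see lead-in)
winlogbeat.event_logs:
  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - drop_event:
          when:
            and:
              - equals:
                  winlog.event_id: 3          # Sysmon NetworkConnect
              - network:
                  source.ip: private          # 10/8, 172.16/12, 192.168/16
              - network:
                  destination.ip: private
```

If only one specific internal range should be suppressed, replace `private` with an explicit CIDR such as `'10.0.0.0/8'` as in the answer; the `network` condition takes either a named range or a CIDR, and the `and` block can be extended with a `not`/`equals` clause to keep traffic toward a particular internal asset (for example a domain controller) even though both sides are private.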

Thank you Andrew for guiding!
I was using an old schema for the sysmon xml which did not have capability for group rules with conditions.
I had tried to use CIDR value in the winlogbeat yml config file which I believe is not supported similar to wildcards.
Pre processors is something I have noted for future use as I have never used them before, not too late to use them :slight_smile:
Finally updated the Sysmon config to have the conditional rule groups and they are working.

Thank you once again for helping out, I just love being part of this super helpful community.
