Enrich information with the administrator flag

Hi all

I'm trying to enrich the information that I send to Logstash.

I'd like to add a field in the winlogbeat index with a label like administrator and in this field I'd like to set YES for the user that is admin of the pc/server or NO for the user that is not admin of the pc/server.

Is it possible? At the moment I haven't found a solution...

Thank you
Franco

Yes. It is possible using the Logstash Mutate plugin.

filter {
  mutate {
    add_tag => [ "tag-name" ]
  }
}

There is more information:
https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html

Hi @vasek, I could add a tag ADMIN for the administrator users in the Logstash filter, but how could I find the administrator users? Could I set this configuration in the winlogbeat.yml file?

I need an example

Thank you
Franco

In winlogbeat filebeat you can add a field for a specific log file. This can be useful if you have separate logs for administrators and users, e.g.: administrators.log, users.log.

If you have mixed content in the log, you have to parse events, for example using Grok patterns in Logstash. Based on the result of parsing you can tag events.

Ok, I like the idea of having two logs, one for administrators and one for users. How could I set the winlogbeat.yml file to have these 2 files?

Thank you
Franco

Sorry. I was thinking about Filebeat. I am going to edit the answer.

Thank you @vasek. I'm waiting for your reply...

Franco

Based on the event ID you can filter some messages.

Here is an event ID list:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx

Or try to parse events using Grok patterns in Logstash. Based on the result of parsing you can tag events.

I know this list, but I don't have a Grok pattern that gives me the result of admin user or simple user.

Do you have some idea?

Thank you
Franco

1) Tag events based on a selected event ID

filter {
  # Winlogbeat ships the event ID as event_id (the pseudo-code used eventID)
  if [event_id] == 42 or [event_id] == 2019 {
    mutate { add_tag => [ "admin-event" ] }   # e.g. add a tag or a field to the document
  }
}

2) Parsing Windows Events
Look at a document which is collected by Filebeat from a Windows server. You can use the CURL utility or Kibana to see this document. You will parse the field where the message is present.

You can test your Grok pattern in Kibana - Dev Tools - Grok Debugger. There is a nice explanation there.

There are some prepared Grok regular expressions.

Thank you @vasek, I know all the information that you gave me.

I found a script in Windows that outputs all administrator users. Is it possible in Winlogbeat to check if the captured event was created by one of these users (which I could store in a text file)?

Thank you
Franco

I am not sure that you can do it on the Winlogbeat side. You can definitely filter based on e.g.:

  • winlogbeat.event_logs
  • event_logs.event_id

More about filtering here.

Filtering messages on Logstash could be fine; try the Logstash translate filter plugin.

You can provide a list of users to this plugin.

Good luck.
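A worked version of the translate-filter approach suggested above, as an added example that is not from this thread or from Elastic: it looks up the event's account name in a YAML file of admin accounts and sets an `administrator` field to YES or NO. Assumptions: the Winlogbeat 6.x field layout `[event_data][TargetUserName]`, the dictionary path `/etc/logstash/admin_users.yml`, and translate plugin 3.3+ option names `source`/`target` (older releases use `field`/`destination`).

```logstash
# Constructed dictionary file /etc/logstash/admin_users.yml (assumed path).
# Keys are lowercase account names; values are quoted so YAML does not
# read YES/NO as booleans.
#
#   "administrator": "YES"
#   "franco":        "YES"
#
filter {
  # Winlogbeat 6.x puts the account of logon events (4624, 4672, ...) in
  # event_data.TargetUserName; 7.x ECS output uses
  # [winlog][event_data][TargetUserName]. Adjust the path for your version.
  if [event_data][TargetUserName] {
    # Copy the account name into @metadata so the lookup key is not indexed.
    mutate {
      copy => { "[event_data][TargetUserName]" => "[@metadata][user_key]" }
    }
    # Windows account names are case-insensitive; normalise before the lookup.
    # Separate mutate block on purpose: inside one mutate, copy runs after lowercase.
    mutate {
      lowercase => [ "[@metadata][user_key]" ]
    }
    translate {
      source           => "[@metadata][user_key]"
      target           => "administrator"
      dictionary_path  => "/etc/logstash/admin_users.yml"
      exact            => true        # whole-string match, not substring
      fallback         => "NO"        # every account not in the file is explicitly NO
      refresh_interval => 300         # re-read the file every 5 minutes
    }
  }
}
```

Keep the YAML in step with the output of the admin-listing script mentioned above, otherwise the flag drifts from the real group membership.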

Hi,

please allow me to come back to the original question and how to identify which mode the actual beat is running in at the moment.
I hope I understood you correctly.

You can always identify which context the beat is running in using environment variables combined with conditionals:
https://www.elastic.co/guide/en/beats/winlogbeat/current/using-environ-vars.html#using-environ-vars
https://www.elastic.co/guide/en/beats/winlogbeat/master/defining-processors.html#defining-processors

With the help of that I can give you the following differences:

CMD without admin mode
  env variable: SESSIONNAME=Console
CMD with admin mode
  missing env variable SESSIONNAME

Now the difference between a program executed in admin mode and in a service context:

CMD with admin mode:
  APPDATA=C:\Users\%USERNAME%\AppData\Roaming
  LOCALAPPDATA=C:\Users\%USERNAME%\AppData\Local
  TEMP=C:\Users\%USERNAME%\AppData\Local\Temp
  TMP=C:\Users\%USERNAME%\AppData\Local\Temp
  USERNAME=%USERNAME%
  USERPROFILE=C:\Users\H4PC


CMD with Service mode:
  APPDATA=C:\WINDOWS\system32\config\systemprofile\AppData\Roaming
  LOCALAPPDATA=C:\WINDOWS\system32\config\systemprofile\AppData\Local
  TEMP=C:\WINDOWS\TEMP
  TMP=C:\WINDOWS\TEMP
  USERNAME=%COMPUTERNAME%$
  USERPROFILE=C:\WINDOWS\system32\config\systemprofile

These contexts belong to Windows 10 but should be similar under a Windows Server version.

So I hope that helps a bit additionally.
