I have a new on-prem deployment of ELK 7.6.2, and have been working with the SIEM tool. Like in another post about not seeing a signal get triggered when clearing logs, I had the same issue. I worked through the winlogbeats configuration and installed and deployed sysmon on the Windows server I am testing with. After everything and seeing the proper fields get populated, I still could not see the signal get triggered when I ran "powershell.exe clear-eventlog -logname security" on the test system.
Below is the default detection rule for "Clearing Windows Event Logs":
event.action:"Process Create (rule: ProcessCreate)" and (process.name:"wevtutil.exe" and process.args:"cl") or (process.name:"powershell.exe" and process.args:"Clear-EventLog")
It seems that when the field process.args is queried it is case sensitive, and it would not trigger if I used lower case. I made a duplicate of the default detection rule with the process.args query in lower case, and it of course triggered.
Is there a way to make the query case-insensitive, like it would be on a Windows system when the command is run? I did see some posts in other areas about this, but I didn't seem to find an answer.
In this situation (since the process.args field is mapped as a keyword), to catch both permutations the query will need to be updated with an additional OR clause as shown below. There is also the regex query string syntax, but in testing I was unable to get it to work for this instance.
event.action:"Process Create (rule: ProcessCreate)" and
(process.name:"wevtutil.exe" and process.args:"cl") or
(process.name:"powershell.exe" and (process.args:"Clear-EventLog" or process.args:"clear-eventlog"))
While that's not too different from your duplicate rule workaround, ECS also has the process.command_line.text field, which will be case-insensitive when queried, and support for this field will be coming to the sysmon module in a future release.
Hopefully this was able to provide some context -- cheers!
Hello Garrett, thank you for the explanation. I think for this particular Detection Rule (Clear Logs), I will have to wait for the update for process.command_line.text support in the sysmon module. Otherwise, I would have to create a query with every permutation of the string "clear-eventlog".
event.action:"Process Create (rule: ProcessCreate)" AND ((process.name:wevtutil.exe AND process.args:cl) OR (process.name:powershell.exe AND process.args:/[Cc][Ll][Ee][Aa][Rr]-[Ee][Vv][Ee][Nn][Tt][Ll][Oo][Gg]/))
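The character-class regex in the reply above does not have to be typed by hand. As an added example (not code from the original thread), this Python helper generates that Lucene regexp for any term, assembles the full KQL rule, and checks the keyword-exact versus regex behaviour against constructed Sysmon-style process events:

```python
import re

# Lucene regexp metacharacters to escape when a term contains them literally.
_LUCENE_SPECIAL = set('.?+*|{}[]()"\\#@&<>~')


def ci_regex(term: str) -> str:
    """Expand every letter into a [Xx] class so a keyword term matches case-insensitively."""
    out = []
    for ch in term:
        if ch.isalpha():
            out.append(f"[{ch.upper()}{ch.lower()}]")
        elif ch in _LUCENE_SPECIAL:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_rule(ps_arg: str = "Clear-EventLog") -> str:
    """Assemble the KQL detection query with the generated regex clause."""
    return (
        'event.action:"Process Create (rule: ProcessCreate)" AND '
        "((process.name:wevtutil.exe AND process.args:cl) OR "
        f"(process.name:powershell.exe AND process.args:/{ci_regex(ps_arg)}/))"
    )


# Constructed sample events (process.args is an array of keyword terms in ECS).
EVENTS = [
    {"process.name": "powershell.exe", "process.args": ["powershell.exe", "Clear-EventLog", "-LogName", "Security"]},
    {"process.name": "powershell.exe", "process.args": ["powershell.exe", "clear-eventlog", "-logname", "security"]},
    {"process.name": "powershell.exe", "process.args": ["powershell.exe", "Get-EventLog", "-LogName", "Security"]},
]


def keyword_match(event: dict, name: str, arg: str) -> bool:
    """Keyword fields compare the whole term exactly, including case."""
    return event["process.name"] == name and arg in event["process.args"]


def regex_match(event: dict, name: str, pattern: str) -> bool:
    """Elasticsearch regexp queries are anchored: the whole term must match."""
    return event["process.name"] == name and any(re.fullmatch(pattern, a) for a in event["process.args"])


def evaluate() -> tuple:
    """Return (keyword hits, regex hits) over the sample events."""
    kw = sum(keyword_match(e, "powershell.exe", "Clear-EventLog") for e in EVENTS)
    rx = sum(regex_match(e, "powershell.exe", ci_regex("Clear-EventLog")) for e in EVENTS)
    return kw, rx
```

The keyword clause catches only the exactly-cased event, while the generated regex catches both casings without matching the unrelated Get-EventLog invocation.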