Filter computer object password changes

Good Afternoon Everyone,

We are been overwhelmed by computer objects password changes. Does anyone know how to filter this events so we do not skip actual user object password change events ?

Thank you!

Is there a particular event code for those?

Event code : 4724
Password changed by admin
This event also generates legit user object password changes but includes tones of computer object password change as well.

What does each event look like then, we're after something that distinguishes the two so you can use that to filter them out.

1000's of these computer object password changes are due to VDI feature "refresh on logoff" which causes VIEW desktops to change passwords. so the only distinguishing factor is VIEW_"DESKTOP_NAME".

is there a method where we can filter view_desktop in Kibana or in the forward events.

Thank you!

See the little + and - buttons in your picture? That will show beside other fields and you can exclude (the -) that field value from the viz/dashboard.

Is there a way to filter computer objects related evnts in the YML file before it gets shipped to Elasticsearch ?

Reason: to avoid consumption of space on the ELK stack

Hello,

Two solutions:

  1. Keep the config and the data, and filter in Kibana Search Bar, here is the filter in KQL :
    NOT (winlog.event_data.SubjectUserName.keyword : *$)
    or
    NOT (winlog.event_data.TargetUserName.keyword : *$)

Depending on which Event you need to filter.
You are speaking about 4724 and changing password. But 4724 is for resetting passwords, not changing passwords (which is 4723)

  1. Drop the events you don't need on the winlogbeat agents solution as follow.

You can use a drop processor in the winlogbeat.yml config file, here is an example with other events.
Modify it for passwords, Change TargetUserName with SubjectUserName, according to your needs, depending on the desired event.
4723: An attempt was made to change an account's password
4724: An attempt was made to reset an accounts password

processors:
- drop_event.when.or:   
    # Remove Computers from 4625 events
    - and:
      - equals.winlog.event_id: 4625
      - regexp.winlog.event_data.TargetUserName: '.*\$'

    # Remove Computers from 4771 events
    - and:
      - equals.winlog.event_id: 4771
      - regexp.winlog.event_data.TargetUserName: '.*\$'

I would suggest the links below to understand the 2 events, you'll find detailed information about SubjectUserName and TargetUserName.
Windows Security Log Event ID 4723 - An attempt was made to change an account's password (ultimatewindowssecurity.com)
Windows Security Log Event ID 4724 - An attempt was made to reset an accounts password (ultimatewindowssecurity.com)

You can check this site for the other security events as well, it's a gold mine !

Thank you so much!!!!!!!!