Filter system logons

Hello, in the new version 7.6.1 I have an issue with filtering system logons, which occur in events 4624 and 4634.
I tried this one with some modifications:

https://github.com/HASecuritySolutions/Logstash/blob/master/winlogbeat_example.yml
without success, and this one too:

    ignore_older: 72h
    processors:
    - drop_event.when.not.or:
      - equals.winlog.event_id: 4624
      - equals.winlog.event_id: 4634
      - contains.winlog.event_data.TargetUserName: "SYSTEM"'

and this one too:

   - drop_event:
       when:
         and:
           - equals:
               winlog.event_id: 4624
           - regexp:
               winlog.event_data.TargetUserName: '.*\$''
  - name: Security
    ignore_older: 72h
    processors:
    - drop_event:
       when:
         equals:
           winlog.event_id: 4624
           winlog.event_id: 4634

please help

What should the filter do? Drop event ID 4624 or 4634 where TargetUserName is "SYSTEM"?

winlogbeat.event_logs:
- name: Security
  processors:
  - drop_event:
      when:
        and:
          - or:
            - equals.winlog.event_id: 4624
            - equals.winlog.event_id: 4634
          - equals.winlog.event_data.TargetUserName: "SYSTEM"

Many thanks, I wasn't so far :wink:
How can I add more users like SQLINSTANCE? Adding this

winlogbeat.event_logs:
- name: Security
  processors:
  - drop_event:
      when:
        and:
          - or:
            - equals.winlog.event_id: 4624
            - equals.winlog.event_id: 4634
          - equals.winlog.event_data.TargetUserName: "SYSTEM"
          - equals.winlog.event_data.TargetUserName: "NAMESQL"

and modifying it like this
- equals.winlog.event_data.TargetUserName: "NAMESQL","SYSTEM"
doesn't work

@kickon try this way:

winlogbeat.event_logs:
- name: Security
  processors:
  - drop_event:
      when:
        and:
          - or:
            - equals.winlog.event_id: 4624
            - equals.winlog.event_id: 4634
          - or:
            - equals.winlog.event_data.TargetUserName: "SYSTEM"
            - equals.winlog.event_data.TargetUserName: "NAMESQL"

Hello,
now both are visible. I tried with only this one: regexp.winlog.event_data.TargetUserName: '.*\$' - both visible.
I tried this:

 - equals.winlog.user.name: "XXX132$"
 - equals.winlog.user.name: "SYSTEM"

Both are visible.

Which "both" are visible? Could you share the configuration you are using now and an example of the expected result?

Sure, below is my configuration:

###################### Winlogbeat Configuration Example ########################

# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.reference.yml file from the same directory contains
# all the supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html

#======================= Winlogbeat specific options ===========================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name (required), tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
# visit the documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig
#winlogbeat.event_logs:
#  - name: Application
#    ignore_older: 72h
#  - name: Security
#  - name: System
winlogbeat.event_logs:
  - name: Application
    level: critical,error,warning
  - name: Microsoft-Windows-PowerShell/Operational
    ignore_older: 72h 
  - name: Symantec Endpoint Protection Client
    level: error
  - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
    ignore_older: 72h
  - name: Security
    ignore_older: 72h
    processors:
    - drop_event:
        when:
          and:
            - or:
              - equals.winlog.event_id: 4624
              - equals.winlog.event_id: 4634
            - or:
              - regexp.winlog.event_data.TargetUserName: '.*\$'
    - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
#  - name: Microsoft-Windows-Sysmon/Operational
#    processors:
#      - script:
#          lang: javascript
#         id: sysmon
#          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

#============================== Template =====================================

# A template is used to set the mapping in Elasticsearch
# By default template loading is enabled and the template is loaded.
# These settings can be adjusted to load your own template or overwrite existing ones.

# Set to false to disable template loading.
#setup.template.enabled: true

# Template name. By default the template name is "winlogbeat-%{[agent.version]}"
# The template name and pattern has to be set in case the Elasticsearch index pattern is modified.
setup.template.name: "winlogbeatsql0002"

# Template pattern. By default the template pattern is "-%{[agent.version]}-*" to apply to the default index settings.
# The first part is the version of the beat and then -* is used to match all daily indices.
# The template name and pattern has to be set in case the Elasticsearch index pattern is modified.
setup.template.pattern: "winlogbeatsql0002-*"

# Path to fields.yml file to generate the template
#setup.template.fields: "${path.config}/fields.yml"

# A list of fields to be added to the template and Kibana index pattern. Also
# specify setup.template.overwrite: true to overwrite the existing template.
# This setting is experimental.
#setup.template.append_fields:
#- name: field_name
#  type: field_type

# Enable JSON template loading. If this is enabled, the fields.yml is ignored.
#setup.template.json.enabled: false

# Path to the JSON template file
#setup.template.json.path: "${path.config}/template.json"

# Name under which the template is stored in Elasticsearch
#setup.template.json.name: ""

# Overwrite existing template
#setup.template.overwrite: false

# Elasticsearch template settings
setup.template.settings:

  # A dictionary of settings to place into the settings.index dictionary
  # of the Elasticsearch template. For more details, please check
  # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html
  index:
    number_of_shards: 1
    #codec: best_compression
    #number_of_routing_shards: 30

  # A dictionary of settings for the _source field. For more details, please check
  # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-source-field.html
  #_source:
    #enabled: false

#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging


#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
#setup.dashboards.enabled: true

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:
#============================== Setup ILM =====================================

# Configure index lifecycle management (ILM). These settings create a write
# alias and add additional settings to the index template. When ILM is enabled,
# output.elasticsearch.index is ignored, and the write alias is used to set the
# index name.

# Enable ILM support. Valid values are true, false, and auto. When set to auto
# (the default), the Beat uses index lifecycle management when it connects to a
# cluster that supports ILM; otherwise, it creates daily indices.
setup.ilm.enabled: auto

# Set the prefix used in the index lifecycle write alias name. The default alias
# name is 'winlogbeat-%{[agent.version]}'.
setup.ilm.rollover_alias: "winlogbeatsql0002"

# Set the rollover index pattern. The default is "%{now/d}-000001".
setup.ilm.pattern: "{now/d}-000001"

# Set the lifecycle policy name. The default policy name is
# 'winlogbeat'.
#setup.ilm.policy_name: "mypolicy"

# The path to a JSON file that contains a lifecycle policy configuration. Used
# to load your own lifecycle policy.
#setup.ilm.policy_file:

# Disable the check for an existing lifecycle policy. The default is false. If
# you disable this check, set setup.ilm.overwrite: true so the lifecycle policy
# can be installed.
#setup.ilm.check_exists: false

# Overwrite the lifecycle policy at startup. The default is false.
setup.ilm.overwrite: true

#============================== Kibana =====================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "10.184.226.232:5601"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

#============================= Elastic Cloud ==================================

# These settings simplify using Winlogbeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["10.184.226.232:9200"]

  # Protocol - either `http` (default) or `https`.
  #protocol: "http"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "changeme"
  index: "winlogbeatsql0002-%{+yyyy.MM.dd}"
#----------------------------- Logstash output --------------------------------
#output.logstash:
  # The Logstash hosts
  #hosts: ["10.184.226.232:5044"]
  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

#================================ Processors =====================================

# Configure processors to enhance or manipulate events generated by the beat.

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]

#============================== X-Pack Monitoring ===============================
# winlogbeat can export internal metrics to a central Elasticsearch monitoring
# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#monitoring.enabled: false

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Winlogbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:

#================================= Migration ==================================

# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true 

I want to drop logon events where user.name = SYSTEM and SQL0002$ (it's the computer account).

I think these processors are only applied to the Security event log. Are all the events that you want to drop out coming from this event log?

Could you share one of the events that is not being dropped?

Yes, it's coming from Security only. Below is an event that was not dropped:

  "event": {
    "code": 4624,
    "provider": "Microsoft-Windows-Security-Auditing",
    "module": "security",
    "category": "authentication",
    "action": "logged-in",
    "created": "2020-04-15T00:10:51.593Z",
    "kind": "event",
    "type": "authentication_success",
    "outcome": "success"
  },
  "log": {
    "level": "information"
  },
  "user": {
    "domain": "NT AUTHORITY",
    "id": "S-1-5-18",
    "name": "SYSTEM"
  },
  "ecs": {
    "version": "1.4.0"
  },
  "agent": {
    "hostname": "SQL0002",
    "id": "be086d99-d807-4044-9169-315ffdcd2fc5",
    "version": "7.6.0",
    "type": "winlogbeat",
    "ephemeral_id": "52369727-d769-458a-aba0-0ce648b8d52d"
  },
  "winlog": {
    "event_id": 4624,
    "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "task": "Logon",
    "version": 1,
    "channel": "Security",
    "provider_name": "Microsoft-Windows-Security-Auditing",
    "process": {
      "thread": {
        "id": 4464
      },
      "pid": 604
    },
    "logon": {
      "id": "0x3e7",
      "type": "Service"
    },
    "computer_name": "SQL0002",
    "keywords": [
      "Audit Success"
    ],
    "opcode": "Info",
    "record_id": 83822,
    "api": "wineventlog",
    "event_data": {
      "SubjectUserSid": "S-1-5-18",
      "ImpersonationLevel": "%%1833",
      "LogonGuid": "{00000000-0000-0000-0000-000000000000}",
      "SubjectUserName": "SQL0002$",
      "LogonType": "5",
      "IpPort": "-",
      "TargetLogonId": "0x3e7",
      "SubjectDomainName": "XX",
      "SubjectLogonId": "0x3e7",
      "TargetDomainName": "NT AUTHORITY",
      "KeyLength": "0",
      "TargetUserName": "SYSTEM",
      "TargetUserSid": "S-1-5-18",
      "TransmittedServices": "-",
      "AuthenticationPackageName": "Negotiate",
      "LmPackageName": "-",
      "IpAddress": "-",
      "LogonProcessName": "Advapi  "
    }
  },
  "host": {
    "name": "SQL0002",
    "hostname": "SQL0002",
    "architecture": "x86_64",
    "os": {
      "build": "9600.19505",
      "platform": "windows",
      "version": "6.3",
      "family": "windows",
      "name": "Windows Server 2012 R2 Standard",
      "kernel": "6.3.9600.19478 (winblue_ltsb.190831-0600)"
    },
    "id": "0e61a30a-481a-4bcb-8fb6-126f118c4154"
  },
  "message": "An account was successfully logged on

Umm, this event should have been skipped with this config:

winlogbeat.event_logs:
- name: Security
  processors:
  - drop_event:
      when:
        and:
          - or:
            - equals.winlog.event_id: 4624
            - equals.winlog.event_id: 4634
          - or:
            - equals.winlog.event_data.TargetUserName: "SYSTEM"
            - equals.winlog.event_data.TargetUserName: "NAMESQL"

To add more rules to match names, you don't need to remove these ones; you can, for example, add your regexp and keep the rule for the SYSTEM user:

winlogbeat.event_logs:
- name: Security
  processors:
  - drop_event:
      when:
        and:
          - or:
            - equals.winlog.event_id: 4624
            - equals.winlog.event_id: 4634
          - or:
            - equals.winlog.event_data.TargetUserName: 'SYSTEM'
            - regexp.winlog.event_data.TargetUserName: '^SQL.*\$'

And finally it's working. Many, many thanks @jsoriano.
Strange that this one won't work: - regexp.winlog.event_data.TargetUserName: '.*\$'

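The last question in the thread (why '.*\$' on TargetUserName alone did not drop the posted event) can be answered by evaluating the conditions offline. The following is an added example, not Winlogbeat's own code and not something posted by anyone in the thread: a small Python re-implementation of the drop_event condition semantics used above (equals, regexp, and, or, not, with dotted field paths, in both the nested and the dotted-shorthand spelling). The two events are constructed, reduced from the 4624 event posted earlier; in that event TargetUserName is "SYSTEM" and the computer account "SQL0002$" appears only in SubjectUserName, which is why the regexp alone leaves the event untouched and the or of an equals on SYSTEM and the '^SQL.*\$' regexp is needed.

```python
"""Added example: evaluate Winlogbeat-style drop_event conditions offline.

Not Winlogbeat's code; a re-implementation of the condition semantics used
in the thread so the posted rules can be checked against a sample event
without running the Beat.
"""
import re

# Constructed sample, reduced to the fields from the 4624 event in the thread.
# TargetUserName is "SYSTEM"; the computer account "SQL0002$" only shows up in
# SubjectUserName for this service logon.
SERVICE_LOGON = {
    "winlog": {
        "event_id": 4624,
        "event_data": {"SubjectUserName": "SQL0002$", "TargetUserName": "SYSTEM"},
    },
    "user": {"name": "SYSTEM"},
}

# Constructed: an interactive logon by a person, which must NOT be dropped.
USER_LOGON = {
    "winlog": {
        "event_id": 4624,
        "event_data": {"SubjectUserName": "-", "TargetUserName": "jdoe"},
    },
    "user": {"name": "jdoe"},
}


def get_field(event, path):
    """Resolve a dotted field path such as 'winlog.event_data.TargetUserName'."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches(condition, event):
    """Return True when the event satisfies the condition mapping.

    Both spellings from the thread are accepted: the nested form
    {'equals': {'winlog.event_id': 4624}} and the dotted shorthand
    {'equals.winlog.event_id': 4624}. Several keys in one mapping are ANDed.
    """
    for raw_key, value in condition.items():
        op, _, field = raw_key.partition(".")
        if field:  # dotted shorthand: fold back into the nested form
            value = {field: value}
        if op == "and":
            ok = all(matches(c, event) for c in value)
        elif op == "or":
            ok = any(matches(c, event) for c in value)
        elif op == "not":
            ok = not matches(value, event)
        elif op == "equals":
            ok = all(get_field(event, f) == v for f, v in value.items())
        elif op == "regexp":
            # Beats applies an unanchored regexp match; re.search is the analogue.
            ok = all(
                isinstance(get_field(event, f), str)
                and re.search(pattern, get_field(event, f)) is not None
                for f, pattern in value.items()
            )
        else:
            raise ValueError(f"unsupported condition key: {raw_key}")
        if not ok:
            return False
    return True


# The regexp tried on its own in the thread.
DOLLAR_ONLY = {"regexp.winlog.event_data.TargetUserName": r".*\$"}

# The rule that ended up working (the final answer above), as a Python mapping.
WORKING_RULE = {
    "and": [
        {"or": [{"equals.winlog.event_id": 4624}, {"equals.winlog.event_id": 4634}]},
        {"or": [
            {"equals.winlog.event_data.TargetUserName": "SYSTEM"},
            {"regexp.winlog.event_data.TargetUserName": r"^SQL.*\$"},
        ]},
    ]
}


def drop_event(event, rule=WORKING_RULE):
    """Mirror drop_event.when: True means Winlogbeat would discard the event."""
    return matches(rule, event)


if __name__ == "__main__":
    print("dropped by '.*\\$' on TargetUserName alone:", drop_event(SERVICE_LOGON, DOLLAR_ONLY))
    print("dropped by the working rule:", drop_event(SERVICE_LOGON))
    print("interactive user logon kept:", not drop_event(USER_LOGON))
```

Running it shows the regexp-only rule evaluating to False for the posted event (nothing in "SYSTEM" ends with a dollar sign), the combined rule evaluating to True, and an ordinary user logon being kept. Before dropping 4624/4634 in production it is worth confirming which field actually carries the account you mean to suppress; the computer account sits in SubjectUserName here, so matching on TargetUserName only catches events where that account is the one being logged on.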
