Help with drop_event

nwed · July 10, 2020, 9:21pm

We are just starting to play around with drop_event filtering. Auditd rules are not great at filtering so drop_event is going to serve us well.

Right now we are stuck with a nesting example and want to know what is possible. Any suggestions are appreciated

processors:
    - drop_event.when.and:
      - regexp.tags: redacted
      - or:
        - equals.process.executable: /opt/Tools/redacted
        - equals.process.executable: /usr/sbin/redacted2
          - or:
            - equals.auditd.data.syscall: unlink
            - equals.auditd.data.syscall: rename

Right now, the first and + or statements work. For the second or statement, this is what's not accepted. We want the syscalls to be matched only when the second executable is matched.

system · August 7, 2020, 11:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can't drop events from auditbeat Beats auditbeat	3	713	December 8, 2021
Auditbeat "drop_event" regex performance? Beats auditbeat	5	607	May 23, 2019
Auditbeat processor ignores drop_event Beats auditbeat	4	554	February 22, 2022
Nested and/or statements Beats winlogbeat	1	797	October 1, 2021
Drop_event syntax trouble with multiple processors (7.7.1) Beats winlogbeat	5	400	July 23, 2021

Help with drop_event

Related topics