Logstash filter not working with Sysmon

Hello everybody,

I am trying to create a field called "Threat" just if I have a log from the "Microsoft-Windows-Sysmon" provider, but the "if" condition never works, could you guys give me an idea about it?

Tks

########################### logstash .conf file ########################

input {
      beats {
        port => 5044
      }
    }

    filter {
      if "Microsoft-Windows-Sysmon" in [provider_name] {
      #if [provider_name] == "Microsoft-Windows-Sysmon" {                                                                                                                                                                                            
        mutate { add_field => {"Threat" => "Test"} }                                                                                                                                                                                               }
    }

    output {
      stdout { codec => rubydebug }
    } 

############################ Logstash output #############################

"@version" => "1",
        "winlog" => {
              "channel" => "Microsoft-Windows-Sysmon/Operational",
            "record_id" => 9921,
                 "task" => "File created (rule: FileCreate)",
              "process" => {
            "thread" => {
                "id" => 3064
            },
               "pid" => 2392
        },
                  "api" => "wineventlog",
               "opcode" => "Info",
        "computer_name" => "MyVm",
        "provider_guid" => "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
                 "user" => {
            "identifier" => "S-1-5-18",
                  "name" => "SYSTEM",
                  "type" => "User",
                "domain" => "NT AUTHORITY"
        },
             "event_id" => 11,
        "provider_name" => "Microsoft-Windows-Sysmon",
           "event_data" => {
                   "RuleName" => "technique_id=T1044,technique_name=File System Permissions Weakness",
            "CreationUtcTime" => "2020-04-15 03:14:58.941"
        },
              "version" => 2
    },
    "@timestamp" => 2020-04-15T03:14:58.941Z,
         "event" => {
         "created" => "2020-04-15T03:15:00.766Z",
            "code" => 11,
        "provider" => "Microsoft-Windows-Sysmon",
          "action" => "File created (rule: FileCreate)",
          "module" => "sysmon",

I do not think you have a [provider_name] field, you have a [winlog][provider_name] field.

Nice, it worked.

Thank you.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.