Nested and/or statements

d-ring · September 2, 2021, 11:00pm

I am working on using some nested and/or statements in my winlogbeat to filter out some noisy logs and I am running into an issue where things are not being dropped as expected. I am curious what I have wrong in this section of the configuration where event id 22 is not being dropped.

Looking at a blog here Winlogbeat and pipelines and painless scripts, oh my! – Rambling Cookie Monster he is using equals.event_id: for the filtering and in this one Ship Windows event logs with Winlogbeat he is using equals.winlog.event_id: to filter out specific event Ids and/or events.

As an example here is one for sysmon where I want to drop all event id 22 events and event id 1 with specific processes.

Am I using the wrong form of event id or is my yml or logic off? How I know this is not working is I still see event 22 in elasticsearch.

  - name: Microsoft-Windows-Sysmon/Operational
    ignore_older: 72h
    processors:
      - drop_event.when:
          or:
            - equals.event_id: '22'
            - and:
              - equals.event_id: '1'
              - or:
                - equals.process.commandline: 'C:\WINDOWS\system32\svchost.exe -k appmodel -p -s camsvc'
                - equals.process.commandline: 'C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation -s SCardSvr'
                - equals.process.commandline: 'C:\WINDOWS\System32\svchost.exe -k secsvcs'
                - equals.process.commandline: 'C:\WINDOWS\system32\svchost.exe -k GPSvcGroup'
                - equals.process.commandline: 'C:\WINDOWS\System32\svchost.exe -k wsappx -p -s ClipSVC'
                - equals.process.commandline: 'C:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc'
                - equals.process.commandline: 'C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s NgcSvc'
                - equals.process.commandline: 'C:\Windows\system32\svchost.exe -k localService -s RemoteRegistry'
                - equals.process.commandline: 'C:\windows\system32\svchost.exe -k netsvcs -s BITS'
                - equals.process.commandline: 'C:\windows\system32\svchost.exe -k netsvcs -p -s NetSetupSvc'
                - equals.process.commandline: 'C:\windows\system32\svchost.exe -k netsvcs -p -s wisvc'
                - equals.process.commandline: 'C:\windows\system32\svchost.exe -k netsvcs -p -s dmwappushservice'
                - equals.process.commandline: 'C:\windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s SmsRouter'
                - equals.process.commandline: 'C:\windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts'
                - equals.process.executable: 'C:\Windows\CCM\UpdateTrustedSites.exe'

system · October 1, 2021, 1:01am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat - drop_event (multiple event ID's with specific rules) Beats winlogbeat	6	1179	November 18, 2020
Drop_event.when.not.or: - not working, Please help Beats winlogbeat	2	549	February 12, 2020
Winlogbeat and drop_event filter Beats winlogbeat	5	4946	May 9, 2017
Winlogbeat Alert for certain users in Windows PC Beats winlogbeat	5	468	February 14, 2023
Winlogbeat doesn't drop events Beats winlogbeat	5	539	June 7, 2023

Nested and/or statements

Related topics