Processor not dropping events Beats Winlogbeat

Hi there,

V7.11.2

This topic has been addressed before and I've read other people's solutions, no luck. Have tried multiple combinations of and/or to drop Windows event logs 4624 or 4634 with LogonType 0, 3 or 5. However, it is still not dropping any events, i.e. they are still coming through in Discover. Here's the latest from winlogbeat.yml. Assume I just restart the winlogbeat service after changes?

  - name: Security
    event_id: 4624,4625,4634,4648,4771
    ignore_older: 72h
    processors:
      - drop_event.when.or:
        - equals.winlog.event_data.LogonType: 0
        - equals.winlog.event_data.LogonType: 3
        - equals.winlog.event_data.LogonType: 5

I'm not 100% sure whether the 0, 3, 5 need to be in "".

Also tried this one; neither works.

      - drop_event:
          when:
            and:
              - equals.winlog.event_id: 4624
              - or:
                  - equals.winlog.event_data.related.user: XXXXXXXX$
                  - equals.winlog.event_data.related.user: XXXXXXXX$
                  - equals.winlog.event_data.related.user: XXXXXXXX$
                  - equals.winlog.event_data.related.user: XXXXXXXX$

There are multiple users.

Any ideas?

If LogonType is a string in the _source JSON in Discover then you must have the same data type in your YAML. So add quotes around the LogonType values.

AFAIK that field does not exist, but related.user does.
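A small pre-deployment check for the two failure modes raised in the replies above (a type mismatch and a wrong field path), as an added example that is not part of the thread and not Beats code. It assumes `equals` matches only when the configured value and the event value have the same type, takes conditions as already-parsed dicts, and uses a constructed sample event; `lookup`, `evaluate` and `check` are hypothetical helper names.

```python
# Added example. Assumption: a type mismatch or a missing field never matches.

def lookup(event, dotted):
    """Resolve a dotted field path; return (found, value)."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node

def evaluate(cond, event, notes):
    """Evaluate an and/or/equals tree; record why a leaf can never match."""
    if "and" in cond:  # list comprehension: visit every leaf, no short-circuit
        return all([evaluate(c, event, notes) for c in cond["and"]])
    if "or" in cond:
        return any([evaluate(c, event, notes) for c in cond["or"]])
    field, want = next(iter(cond["equals"].items()))
    found, got = lookup(event, field)
    if not found:
        notes.append(f"{field}: not present in event")
        return False
    if type(got) is not type(want):
        notes.append(f"{field}: config is {type(want).__name__}, "
                     f"event is {type(got).__name__}")
        return False
    return got == want

# Constructed sample; copy the real field names and types from _source in Discover.
EVENT = {
    "winlog": {"event_id": 4624,
               "event_data": {"LogonType": "3", "TargetUserName": "SERVER01$"}},
    "related": {"user": ["SERVER01$"]},
}

# The first posted condition (unquoted), the quoted form, and the wrong field path.
AS_POSTED = {"or": [{"equals": {"winlog.event_data.LogonType": n}} for n in (0, 3, 5)]}
QUOTED = {"or": [{"equals": {"winlog.event_data.LogonType": s}} for s in ("0", "3", "5")]}
WRONG_PATH = {"and": [{"equals": {"winlog.event_id": 4624}},
                      {"or": [{"equals": {"winlog.event_data.related.user": "SERVER01$"}}]}]}

def check(cond, event=EVENT):
    """Return (would_drop, notes) for one condition tree against one event."""
    notes = []
    return evaluate(cond, event, notes), notes

if __name__ == "__main__":
    for name, cond in [("as posted", AS_POSTED), ("quoted", QUOTED), ("wrong path", WRONG_PATH)]:
        print(name, check(cond))
```
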

If it's useful for anyone else, here's what's working for me. This filters out winlogbeat event IDs 4624 and 4634, reduces a lot of the "noise" and only logs "real" users. Obviously replace SERVER$ and USERNAME$ from your Analytics->Discover in Kibana.

  - name: Security
    event_id: 4624,4625,4634,4648,4771
    ignore_older: 72h
    processors:
      - drop_event.when.or:
        # Drop 4624 (logon) events for these accounts
        - and:
            - equals.winlog.event_id: 4624
            - or:
                - equals.winlog.event_data.TargetUserName: 'SYSTEM'
                - equals.winlog.event_data.TargetUserName: 'SERVER$'
                - equals.winlog.event_data.TargetUserName: 'SERVER$'
                - equals.winlog.event_data.TargetUserName: 'SERVER$'
                - equals.winlog.event_data.TargetUserName: 'SERVER$'
                - equals.winlog.event_data.TargetUserName: 'SERVER$'
                - regexp.winlog.event_data.SubjectUserSid: '^S-1-5-21.*'
                - equals.winlog.event_data.TargetUserName: 'USERNAME'
                - equals.winlog.event_data.TargetUserName: 'USERNAME$'
                - equals.winlog.event_data.TargetUserName: 'ANONYMOUS LOGON'
        # Drop 4634 (logoff) events for the same accounts
        - and:
            - equals.winlog.event_id: 4634
            - or:
                - equals.winlog.event_data.TargetUserName: 'SYSTEM'
                - equals.winlog.event_data.TargetUserName: 'SERVER$'
                - equals.winlog.event_data.TargetUserName: 'SERVER$'
                - equals.winlog.event_data.TargetUserName: 'SERVER$'
                - equals.winlog.event_data.TargetUserName: 'SERVER$'
                - equals.winlog.event_data.TargetUserName: 'SERVER$'
                - regexp.winlog.event_data.SubjectUserSid: '^S-1-5-21.*'
                - equals.winlog.event_data.TargetUserName: 'USERNAME'
                - equals.winlog.event_data.TargetUserName: 'USERNAME$'
                - equals.winlog.event_data.TargetUserName: 'ANONYMOUS LOGON'