@tudor Thanks for the tip. Tried using dissect to get the filename, but failed for now.
- dissect:
    # Only run on process-creation events (Security event 4688).
    when:
      equals:
        event.code: 4688
    # NOTE(review): dissect appears to bind each key up to the *first* occurrence
    # of the delimiter that follows it, so %{myprocess.path} stops at the first
    # backslash and %{myprocess.file} receives the remainder of the path. A path
    # of unknown depth therefore cannot be split at its last separator with this
    # pattern alone — confirm against the dissect processor docs for your version.
    tokenizer: "%{myprocess.path}\\%{myprocess.file}"
    field: "winlog.event_data.NewProcessName"
How can I configure the tokenizer so that it saves the path up to the last '\'?
Result now:
Please note that I don't know beforehand from what path commands will be executed, so there could be any number of subfolders.
Also tried with:
tokenizer: "%{myprocess.path}\\%{myprocess.file/1}.%{myprocess.file/2}"
Which is somehow able to extract the extension, but the moment there is a '.' in the path it fails again (such as C:\Users\mysuer\AppData\Local\GitHubDesktop\app-2.2.1\GitHubDesktop.exe).
Starting to doubt that this is even possible with dissect, I tried updating the security JS file to this:
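/**
 * Winlogbeat Security-channel script processor (ES5, runs in the Beats
 * embedded JavaScript runtime, not Node.js). Builds one processor chain per
 * handled event ID and exposes a `process(evt)` dispatcher that picks the
 * chain from `winlog.event_id`.
 */
var securitycommand = (function () {
    var path = require("path");
    var processor = require("processor");
    // Loaded like the stock module script; not referenced below.
    var winlogbeat = require("winlogbeat");

    // ECS categorisation for a successful logon.
    var addAuthSuccess = new processor.AddFields({
        fields: {
            "event.category": "authentication",
            "event.type": "authentication_success",
        },
        target: "",
    });

    // ECS categorisation for a failed logon.
    var addAuthFailed = new processor.AddFields({
        fields: {
            "event.category": "authentication",
            "event.type": "authentication_failure",
        },
        target: "",
    });

    // Renames the raw logon fields onto ECS names. Missing source fields are
    // skipped and a failed type conversion does not abort the chain.
    var convertAuthentication = new processor.Convert({
        fields: [
            {from: "winlog.event_data.TargetUserSid", to: "user.id"},
            {from: "winlog.event_data.TargetUserName", to: "user.name"},
            {from: "winlog.event_data.TargetDomainName", to: "user.domain"},
            {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"},
            {from: "winlog.event_data.ProcessName", to: "process.executable"},
            {from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"},
            {from: "winlog.event_data.IpPort", to: "source.port", type: "long"},
            {from: "winlog.event_data.WorkstationName", to: "source.domain"},
        ],
        mode: "rename",
        ignore_missing: true,
        fail_on_error: false,
    });

    /**
     * Sets process.name from the basename of process.executable, but only when
     * process.name is not already populated. Leaves the event untouched when
     * there is no executable path to derive the name from.
     * @param {Object} evt - Beats event wrapper exposing Get/Put.
     */
    var setProcessNameUsingExe = function(evt) {
        var name = evt.Get("process.name");
        if (name) {
            return;
        }
        var exe = evt.Get("process.executable");
        // Guard: avoid handing a null/empty value to path.basename.
        if (!exe) {
            return;
        }
        evt.Put("process.name", path.basename(exe));
    };

    /**
     * Sets process.name from the basename of the 4688 NewProcessName field.
     * Leaves the event untouched when that field is absent or empty.
     * NOTE(review): `path` here is the Beats runtime's path module, not
     * Node's. If process.name still comes out null, confirm on a raw 4688
     * event that winlog.event_data.NewProcessName is present and that
     * winlog.event_id resolves to 4688 so this chain is actually selected.
     * @param {Object} evt - Beats event wrapper exposing Get/Put.
     */
    var setProcessNameUsingNewProcessName = function(evt) {
        var newProcessName = evt.Get("winlog.event_data.NewProcessName");
        if (!newProcessName) {
            return;
        }
        evt.Put("process.name", path.basename(newProcessName));
    };

    var logonSuccess = new processor.Chain()
        .Add(addAuthSuccess)
        .Add(convertAuthentication)
        .Add(setProcessNameUsingExe)
        .Build();

    var logonFailed = new processor.Chain()
        .Add(addAuthFailed)
        .Add(convertAuthentication)
        .Add(setProcessNameUsingExe)
        .Build();

    var processCreated = new processor.Chain()
        .Add(setProcessNameUsingNewProcessName)
        .Build();

    return {
        // 4624 - An account was successfully logged on.
        4624: logonSuccess.Run,
        // 4625 - An account failed to log on.
        4625: logonFailed.Run,
        // 4648 - A logon was attempted using explicit credentials.
        4648: logonSuccess.Run,
        // 4688 - A process was created.
        4688: processCreated.Run,

        /**
         * Dispatches the event to the chain registered under its event ID.
         * Property keys are strings, so the lookup works whether
         * winlog.event_id is delivered as a number or as a string. Events
         * with no registered handler pass through unchanged.
         * @param {Object} evt - Beats event wrapper exposing Get/Put.
         */
        process: function(evt) {
            var event_id = evt.Get("winlog.event_id");
            // Named `handler` so it does not shadow the `processor` module above.
            var handler = this[event_id];
            if (handler === undefined) {
                return;
            }
            handler(evt);
        },
    };
})();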
/**
 * Entry point invoked by the Winlogbeat script processor for each event.
 * Forwards to the securitycommand dispatcher, keeping it bound as `this`
 * so its per-event-ID lookup still works.
 * @param {Object} evt - Beats event wrapper exposing Get/Put.
 * @returns {*} Whatever securitycommand.process returns (undefined here).
 */
function process(evt) {
    var dispatch = securitycommand.process;
    return dispatch.call(securitycommand, evt);
}
But the result is that process.name seems to be null all the time.
Any advice to get this working is welcome.
Tx
Willem