Struggling with Drop_Event Processor Syntax and Structure

eafrost.cissp · June 24, 2020, 4:13pm

I'm struggling to get the proper syntax and structure for the following criteria for dropping a specific security log event in Winlogbeat. I can create something that passes the configuration check but it doesn't produce the desired results. Following is a text description of what I'm trying to do. What would be the equivalent drop_event processor?

Drop event when event.code = 6488 and winlog.event_data.SubjectUserName = '.$' and winglog.event_data.TokenElevationType is not '%%1937' and process.parent.name is not 'cmd.exe' or 'powershell.'

I've looked for similar examples in this forum but haven't found anything.

Kaiyan_Sheng · June 25, 2020, 1:06am

Hi! I did not test this but I'm thinking something like this:

processors:
  - drop_event:
      when:
        and:
           - equals:
               event.code: 6488
           - equals:
               winlog.event_data.SubjectUserName: .$
           - not.equals:
               winglog.event_data.TokenElevationType: %%1937
           - or:
             - not.equals: process.parent.name: cmd.exe
             - not.equals: process.parent.name: powershell

system · July 23, 2020, 3:06am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.