I want event ID 4104 (PowerShell scriptblock logging) to populate the username in the user.name field. What is the best way to get the username to populate into the user.name field in Elasticsearch?
Event IDs 4688 and 1 (process create, native and Sysmon) put the username in the user.name field, but event ID 4104 does not. Instead, it has it in winlog.user.name. Meanwhile, event ID 4688 doesn't use winlog.user.name; event ID 1 uses both, but has SYSTEM in winlog.user.name.
Basically I'm trying to do some normalization, but I'm very new to Elastic Stack and don't know the best way to accomplish this.
Here is my winlogbeat.yml:
winlogbeat:
  registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml
  shutdown_timeout: 5s
  event_logs:
    - name: ForwardedEvents
      forwarded: true
      tags: ["forwarded"]
      processors:
        - script:
            when.equals.winlog.channel: Security
            lang: javascript
            id: security
            file: ${path.home}/module/security/config/winlogbeat-security.js
        - script:
            when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
            lang: javascript
            id: sysmon
            file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
    - name: Application
      forwarded: false
      ignore_older: 72h
      level: critical, error, warning
    - name: System
      forwarded: false
      ignore_older: 72h
      level: critical, error, warning
    - name: Security
      forwarded: false
      processors:
        - script:
            lang: javascript
            id: security
            file: ${path.home}/module/security/config/winlogbeat-security.js
setup:
  template:
    settings:
      index.number_of_shards: 1
    overwrite: false
    enabled: true
  kibana:
    host: "hostname:5601"
output:
  elasticsearch:
    hosts: ["hostname:9200"]
    protocol: "http"
    pipeline: geoip-info
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
logging:
  level: info
  to_files: true
  json: false
  files:
    path: C:\ProgramData\winlogbeat\logs
    name: winlogbeat.log
    rotateeverybytes: 10485760 # = 10MB
    keepfiles: 10
Here is an event 4104:
Log Name: Microsoft-Windows-PowerShell/Operational
Source: Microsoft-Windows-PowerShell
Date: 4/22/2020 10:43:20 AM
Event ID: 4104
Task Category: Execute a Remote Command
Level: Verbose
Keywords: None
User: EXAMPLE\username
Computer: computer.example.com
Description:
Creating Scriptblock text (1 of 1):
Get-Date -Format s
ScriptBlock ID: 9da3668d-a501-42d2-aad6-05d03d8c7670
Path:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}" />
<EventID>4104</EventID>
<Version>1</Version>
<Level>5</Level>
<Task>2</Task>
<Opcode>15</Opcode>
<Keywords>0x0</Keywords>
<TimeCreated SystemTime="2020-04-22T14:43:20.749036400Z" />
<EventRecordID>151946</EventRecordID>
<Correlation ActivityID="{858fb7f8-1422-0002-8dff-a1852214d601}" />
<Execution ProcessID="27852" ThreadID="22616" />
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>computer.example.com</Computer>
<Security UserID="S-1-5-21-1812345678-1234567350-2123456778-12345" />
</System>
<EventData>
<Data Name="MessageNumber">1</Data>
<Data Name="MessageTotal">1</Data>
<Data Name="ScriptBlockText">Get-Date -Format s</Data>
<Data Name="ScriptBlockId">9da3668d-a501-42d2-aad6-05d03d8c7670</Data>
<Data Name="Path">
</Data>
</EventData>
</Event>
Here is the resulting indexed document:
{
"_index": "winlogbeat-7.6.1-2020.04.21-000011",
"_type": "_doc",
"_id": "P7VZonEBbRXC_CHlvKUJ",
"_score": 1,
"_source": {
"agent": {
"hostname": "winlogserver",
"id": "789dd088-2fa5-4754-bf7f-9953424d70d2",
"ephemeral_id": "b3a91fc9-426b-469d-a4b3-fd9f7699b972",
"type": "winlogbeat",
"version": "7.6.1"
},
"winlog": {
"computer_name": "computer.example.com",
"process": {
"pid": 27852,
"thread": {
"id": 22616
}
},
"channel": "Microsoft-Windows-PowerShell/Operational",
"event_data": {
"ScriptBlockId": "9da3668d-a501-42d2-aad6-05d03d8c7670",
"MessageNumber": "1",
"ScriptBlockText": "Get-Date -Format s",
"MessageTotal": "1"
},
"opcode": "On create calls",
"version": 1,
"record_id": 151946,
"task": "Execute a Remote Command",
"event_id": 4104,
"provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
"activity_id": "{858fb7f8-1422-0002-8dff-a1852214d601}",
"api": "wineventlog",
"provider_name": "Microsoft-Windows-PowerShell",
"user": {
"identifier": "S-1-5-21-1812345678-1234567350-2123456778-12345",
"domain": "EXAMPLE",
"name": "username",
"type": "User"
}
},
"log": {
"level": "verbose"
},
"message": "Creating Scriptblock text (1 of 1):\nGet-Date -Format s\n\nScriptBlock ID: 9da3668d-a501-42d2-aad6-05d03d8c7670\nPath: ",
"tags": [
"forwarded"
],
"@timestamp": "2020-04-22T14:43:20.749Z",
"ecs": {
"version": "1.4.0"
},
"host": {
"hostname": "winlogserver",
"os": {
"build": "14393.2941",
"kernel": "10.0.14393.2906 (rs1_release_inmarket.190401-1809)",
"name": "Windows Server 2016 Standard",
"family": "windows",
"version": "10.0",
"platform": "windows"
},
"name": "computer.example.com",
"id": "9e065853-7052-4895-8371-914b5f33df53",
"architecture": "x86_64"
},
"event": {
"code": 4104,
"provider": "Microsoft-Windows-PowerShell",
"kind": "event",
"created": "2020-04-22T14:45:21.749Z",
"action": "Execute a Remote Command"
}
},
"fields": {
"@timestamp": [
"2020-04-22T14:43:20.749Z"
],
"event.created": [
"2020-04-22T14:45:21.749Z"
]
}
}
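One way to do the normalization asked about above, as an added example that is not part of the original post and not Winlogbeat's or Elastic's own code: a rule in the shape Winlogbeat's script processor runs (ES5 JavaScript exposing process(event), reading and writing dotted field paths through event.Get and event.Put). The rule promotes winlog.user.name into user.name only when user.name is still empty, so it covers 4104 and, going beyond the post's specific case, any other event that only fills winlog.user.*, while leaving Sysmon event 1 alone (its user.name is already set and its winlog.user.name is SYSTEM). makeEvent() is a stand-in for the processor's event object so the rule can be exercised outside Winlogbeat; the two sample documents are constructed from the indexed 4104 document in the post and the event 1 case it describes. user.domain and user.id are ECS fields assumed to be the right homes for winlog.user.domain and winlog.user.identifier.

```javascript
// Added example: ECS user.* normalisation in the form Winlogbeat's `script`
// processor expects (ES5 only, so var/function rather than let/const/arrows).
function process(event) {
    // Never overwrite a user.name the module scripts already set: Sysmon
    // event 1 has the real user there and SYSTEM in winlog.user.name.
    if (event.Get("user.name")) {
        return event;
    }
    var name = event.Get("winlog.user.name");
    if (!name) {
        return event; // nothing to promote (e.g. native 4688 has no winlog.user)
    }
    event.Put("user.name", name);
    var domain = event.Get("winlog.user.domain");
    if (domain) {
        event.Put("user.domain", domain); // assumption: ECS user.domain
    }
    var sid = event.Get("winlog.user.identifier");
    if (sid) {
        event.Put("user.id", sid); // assumption: ECS user.id holds the SID
    }
    return event;
}

// Stand-in for the processor's event object (assumption: only Get/Put and a
// fields view are needed here). Get returns null for a missing path, as the
// real API does; Put creates intermediate objects.
function makeEvent(source) {
    function walk(path, create) {
        var parts = path.split(".");
        var node = source;
        for (var i = 0; i < parts.length - 1; i++) {
            if (typeof node[parts[i]] !== "object" || node[parts[i]] === null) {
                if (!create) {
                    return null;
                }
                node[parts[i]] = {};
            }
            node = node[parts[i]];
        }
        return { parent: node, key: parts[parts.length - 1] };
    }
    return {
        Get: function (path) {
            var loc = walk(path, false);
            if (loc === null || !(loc.key in loc.parent)) {
                return null;
            }
            return loc.parent[loc.key];
        },
        Put: function (path, value) {
            var loc = walk(path, true);
            loc.parent[loc.key] = value;
        },
        fields: source
    };
}

// Constructed sample documents, trimmed to the fields the rule touches.
var powershell4104 = {
    winlog: {
        event_id: 4104,
        user: {
            identifier: "S-1-5-21-1812345678-1234567350-2123456778-12345",
            domain: "EXAMPLE",
            name: "username"
        }
    },
    event: { code: 4104 }
};
var sysmon1 = {
    winlog: { event_id: 1, user: { name: "SYSTEM", domain: "NT AUTHORITY" } },
    user: { name: "username", domain: "EXAMPLE" }
};

// Runs the rule over a plain document and returns the normalised fields.
function normalise(doc) {
    return process(makeEvent(doc)).fields;
}
```

To use it in Winlogbeat, drop the process() function into a file and add a third `- script:` entry (lang: javascript, file: that path) to the ForwardedEvents processors list, after the security and sysmon module scripts, so that any user.name those scripts set is already present when the rule runs. The same rule could also live in an Elasticsearch ingest pipeline alongside geoip-info, with a `set` processor guarded by an `if` on `ctx.user?.name == null`.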