User.name field for event ID 4104

I want event ID 4104 (PowerShell scriptblock logging) to populate the username in the user.name field. What is the best way to get the username to populate into the user.name field in Elasticsearch?

Event IDs 4688 and 1 (process create native and Sysmon) put the username in the user.name field, but event ID 4104 does not. Instead, it has it in winlog.user.name. Meanwhile, event ID 4688 doesn't use winlog.user.name; event ID 1 uses both, but has SYSTEM in winlog.user.name.

Basically I'm trying to do some normalization, but I'm very new to Elastic Stack and don't know the best way to accomplish this.

Here is my winlogbeat.yml:

winlogbeat:
  registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml
  shutdown_timeout: 5s
  event_logs:
    - name: ForwardedEvents
      forwarded: true
      tags: ["forwarded"]
      processors:
        - script:
            when.equals.winlog.channel: Security
            lang: javascript
            id: security
            file: ${path.home}/module/security/config/winlogbeat-security.js
        - script:
            when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
            lang: javascript
            id: sysmon
            file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
    - name: Application
      forwarded: false
      ignore_older: 72h
      level: critical, error, warning
    - name: System
      forwarded: false
      ignore_older: 72h
      level: critical, error, warning
    - name: Security
      forwarded: false
      processors:
        - script:
            lang: javascript
            id: security
            file: ${path.home}/module/security/config/winlogbeat-security.js
setup:
  template:
    settings:
      index.number_of_shards: 1
      overwrite: false
      enabled: true
  kibana:
    host: "hostname:5601"
output:
  elasticsearch:
    hosts: ["hostname:9200"]
    protocol: "http"
    pipeline: geoip-info
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
logging:
  level: info
  to_files: true
  json: false
  files:
    path: C:\ProgramData\winlogbeat\logs
    name: winlogbeat.log
    rotateeverybytes: 10485760 # = 10MB
    keepfiles: 10

Here is an event 4104:

Log Name:      Microsoft-Windows-PowerShell/Operational
Source:        Microsoft-Windows-PowerShell
Date:          4/22/2020 10:43:20 AM
Event ID:      4104
Task Category: Execute a Remote Command
Level:         Verbose
Keywords:      None
User:          EXAMPLE\username
Computer:      computer.example.com
Description:
Creating Scriptblock text (1 of 1):
Get-Date -Format s

ScriptBlock ID: 9da3668d-a501-42d2-aad6-05d03d8c7670
Path: 
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}" />
    <EventID>4104</EventID>
    <Version>1</Version>
    <Level>5</Level>
    <Task>2</Task>
    <Opcode>15</Opcode>
    <Keywords>0x0</Keywords>
    <TimeCreated SystemTime="2020-04-22T14:43:20.749036400Z" />
    <EventRecordID>151946</EventRecordID>
    <Correlation ActivityID="{858fb7f8-1422-0002-8dff-a1852214d601}" />
    <Execution ProcessID="27852" ThreadID="22616" />
    <Channel>Microsoft-Windows-PowerShell/Operational</Channel>
    <Computer>computer.example.com</Computer>
    <Security UserID="S-1-5-21-1812345678-1234567350-2123456778-12345" />
  </System>
  <EventData>
    <Data Name="MessageNumber">1</Data>
    <Data Name="MessageTotal">1</Data>
    <Data Name="ScriptBlockText">Get-Date -Format s</Data>
    <Data Name="ScriptBlockId">9da3668d-a501-42d2-aad6-05d03d8c7670</Data>
    <Data Name="Path">
    </Data>
  </EventData>
</Event>

Here is the resulting indexed document:

{
  "_index": "winlogbeat-7.6.1-2020.04.21-000011",
  "_type": "_doc",
  "_id": "P7VZonEBbRXC_CHlvKUJ",
  "_score": 1,
  "_source": {
    "agent": {
      "hostname": "winlogserver",
      "id": "789dd088-2fa5-4754-bf7f-9953424d70d2",
      "ephemeral_id": "b3a91fc9-426b-469d-a4b3-fd9f7699b972",
      "type": "winlogbeat",
      "version": "7.6.1"
    },
    "winlog": {
      "computer_name": "computer.example.com",
      "process": {
        "pid": 27852,
        "thread": {
          "id": 22616
        }
      },
      "channel": "Microsoft-Windows-PowerShell/Operational",
      "event_data": {
        "ScriptBlockId": "9da3668d-a501-42d2-aad6-05d03d8c7670",
        "MessageNumber": "1",
        "ScriptBlockText": "Get-Date -Format s",
        "MessageTotal": "1"
      },
      "opcode": "On create calls",
      "version": 1,
      "record_id": 151946,
      "task": "Execute a Remote Command",
      "event_id": 4104,
      "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
      "activity_id": "{858fb7f8-1422-0002-8dff-a1852214d601}",
      "api": "wineventlog",
      "provider_name": "Microsoft-Windows-PowerShell",
      "user": {
        "identifier": "S-1-5-21-1812345678-1234567350-2123456778-12345",
        "domain": "EXAMPLE",
        "name": "username",
        "type": "User"
      }
    },
    "log": {
      "level": "verbose"
    },
    "message": "Creating Scriptblock text (1 of 1):\nGet-Date -Format s\n\nScriptBlock ID: 9da3668d-a501-42d2-aad6-05d03d8c7670\nPath: ",
    "tags": [
      "forwarded"
    ],
    "@timestamp": "2020-04-22T14:43:20.749Z",
    "ecs": {
      "version": "1.4.0"
    },
    "host": {
      "hostname": "winlogserver",
      "os": {
        "build": "14393.2941",
        "kernel": "10.0.14393.2906 (rs1_release_inmarket.190401-1809)",
        "name": "Windows Server 2016 Standard",
        "family": "windows",
        "version": "10.0",
        "platform": "windows"
      },
      "name": "computer.example.com",
      "id": "9e065853-7052-4895-8371-914b5f33df53",
      "architecture": "x86_64"
    },
    "event": {
      "code": 4104,
      "provider": "Microsoft-Windows-PowerShell",
      "kind": "event",
      "created": "2020-04-22T14:45:21.749Z",
      "action": "Execute a Remote Command"
    }
  },
  "fields": {
    "@timestamp": [
      "2020-04-22T14:43:20.749Z"
    ],
    "event.created": [
      "2020-04-22T14:45:21.749Z"
    ]
  }
}

I found a solution:

I added the following to the winlogbeat.yml processors section for the ForwardedEvents log.

    - copy_fields:
        when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
        fields:
          - from: winlog.user.name
            to: user.name 
        fail_on_error: false
        ignore_missing: true
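
As an added example (not the poster's code and not one of Winlogbeat's own module scripts), here is the same normalization written as the body of a `script` processor like the two already in the winlogbeat.yml above. It goes a little beyond the `copy_fields` answer: it also fills `user.domain` and `user.id` from `winlog.user.*`, and it refuses to overwrite a `user.name` that an earlier processor already set, which is exactly the Sysmon event 1 case where `winlog.user.name` holds SYSTEM. The `makeEvent` shim and the two sample documents are constructed here so the script can run under Node; Winlogbeat supplies the real event object. The names `normalizeUser`, `makeEvent` and `normalizeDoc` are assumptions of this example.

```javascript
// Added example, not the poster's code or a Winlogbeat module script.
// ES5 only, because Winlogbeat's script processor (lang: javascript) runs ECMAScript 5.1.

var PS_CHANNEL = "Microsoft-Windows-PowerShell/Operational";

// Copies winlog.user.* into ECS user.* for PowerShell Operational events.
// In a real script file this is called from the required entry point:
//   function process(event) { normalizeUser(event); }
// It is kept under a different name here so it does not shadow Node's global `process`.
function normalizeUser(event) {
  if (event.Get("winlog.channel") !== PS_CHANNEL) {
    return; // Security and Sysmon events are handled by their own module scripts
  }
  // Do not clobber a user.name set earlier: Sysmon event 1 already carries the real
  // account in user.name while winlog.user.name holds SYSTEM.
  if (event.Get("user.name")) {
    return;
  }
  var name = event.Get("winlog.user.name");
  if (!name) {
    return; // nothing to copy; leave the event alone rather than write an empty string
  }
  event.Put("user.name", name);
  var domain = event.Get("winlog.user.domain");
  if (domain) {
    event.Put("user.domain", domain);
  }
  var sid = event.Get("winlog.user.identifier");
  if (sid) {
    event.Put("user.id", sid);
  }
}

// Minimal stand-in for the processor's event object (Get/Put with dotted keys),
// constructed here so the script runs under Node; Winlogbeat provides the real one.
function makeEvent(doc) {
  return {
    Get: function (key) {
      var node = doc;
      var parts = key.split(".");
      for (var i = 0; i < parts.length; i++) {
        if (node === null || typeof node !== "object" || !(parts[i] in node)) {
          return null; // the real API also returns null for a missing key
        }
        node = node[parts[i]];
      }
      return node;
    },
    Put: function (key, value) {
      var node = doc;
      var parts = key.split(".");
      for (var i = 0; i < parts.length - 1; i++) {
        if (node[parts[i]] === null || typeof node[parts[i]] !== "object") {
          node[parts[i]] = {}; // create intermediate objects as needed
        }
        node = node[parts[i]];
      }
      node[parts[parts.length - 1]] = value;
    }
  };
}

// Runs the script over a copy of a plain document and returns the normalized copy.
function normalizeDoc(doc) {
  var copy = JSON.parse(JSON.stringify(doc));
  normalizeUser(makeEvent(copy));
  return copy;
}

// Constructed sample documents, trimmed from the shapes shown in the thread.
var psEvent4104 = {
  winlog: {
    channel: PS_CHANNEL,
    event_id: 4104,
    user: {
      identifier: "S-1-5-21-1812345678-1234567350-2123456778-12345",
      domain: "EXAMPLE",
      name: "username",
      type: "User"
    }
  },
  event: { code: 4104 }
};

var sysmonEvent1 = {
  winlog: {
    channel: "Microsoft-Windows-Sysmon/Operational",
    event_id: 1,
    user: { name: "SYSTEM", domain: "NT AUTHORITY" }
  },
  user: { name: "username", domain: "EXAMPLE" }
};

console.log(JSON.stringify(normalizeDoc(psEvent4104).user));
console.log(JSON.stringify(normalizeDoc(sysmonEvent1).user));
```

To use it, put `normalizeUser` plus the one-line `process` wrapper in a .js file and reference it from a third `- script:` entry under the ForwardedEvents processors, alongside the security and sysmon ones. The `copy_fields` processor in the answer does the `user.name` part on its own; its `when.equals.winlog.channel` condition is what keeps the SYSTEM value from Sysmon's `winlog.user.name` out of `user.name`, and the `user.name` guard above serves the same purpose if the channel condition is ever loosened.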