Winlogbeat Alert for certain users in Windows PC

Okay, I have looked around and found different iterations of a solution. However, I am running into a roadblock: the Winlogbeat config (below) is not dropping the events for that TargetUserName, or even the event ID. All logs are still being processed into my stream/sidecar.

Here is the Winlogbeat config I have used (it does not work):

winlogbeat.event_logs:
- name: Security
  processors:
  - drop_event:
      when:
        and:
          - or:
            - equals.winlog.event_id: 4624
            - equals.winlog.event_id: 4634
            - equals.winlog.event_id: 4672
          - or:
            - equals.winlog.event_data.TargetUserName: "pcuser01"

I still see event 4672 with username "pcuser01" when it logs into a system that holds the Winlogbeat config (via the Sidecar agent).

For an "OR" operator, you need to provide 2 operands to compare between. In the case of the username, you are using OR but only one operand is present, which is not a valid logical operation.
If I understand correctly, you essentially want to perform an AND operation on "pcuser01" and one of those 3 event_id values? If yes, then you do not need the "OR" operator for the username field, and the equality check can be put directly under AND.

1 Like

Okay, so it should look like...

winlogbeat.event_logs:
- name: Security
  processors:
  - drop_event:
      when:
        and:
          - equals.winlog.event_id: 4624
          - equals.winlog.event_id: 4634
          - equals.winlog.event_id: 4672
          - equals.winlog.event_data.TargetUserName: "pcuser01"

I guess this won't work, since a single event cannot have multiple event IDs. You need to keep the event IDs in an OR, combined with an AND on the username, something like:

- drop_event:
    when:
      and:
        - or:
          - equals.winlog.event_id: 4624
          - equals.winlog.event_id: 4634
          - equals.winlog.event_id: 4672
        - equals.winlog.event_data.TargetUserName: "pcuser01"

1 Like

I think I was looking at this wrong. I decided to only ingest what I am looking to see, but also add filtering. Here is what I am doing, but I want to remove the noise from the registry that is associated with the Windows logins (event 4657). I tried layering Winlogbeat configurations but I still got thousands of logs, haha.

winlogbeat:
  event_logs:
    - name: Security
      event_id: 4672, 4657
    - name: System
      event_id: 7045
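To make the difference between the two drop_event rules in this thread concrete (the all-AND version versus the OR-inside-AND version), and to show how an event_id include list like the one in the last config interacts with a drop_event processor, here is an added Python example. It is not Winlogbeat's own code and was not posted by anyone in the thread: it re-implements the and/or/not/equals condition semantics and the event_id include/exclude list syntax in a few lines and runs them over constructed sample events. The sample events, the assumption that the include list is applied before processors, and the assumption that an excluded ID wins over an included range are all the example's own.

```python
"""Offline re-implementation of Winlogbeat-style filtering (added example).

Not Winlogbeat's code: it mirrors the `and` / `or` / `not` / `equals`
condition grammar and the `event_id` include/exclude list so the two
drop_event rules from this thread can be compared on constructed events.
"""


def _lookup(event, dotted):
    """Resolve a dotted field path such as 'winlog.event_data.TargetUserName'."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def evaluate(cond, event):
    """Evaluate a condition written as one single-key dict, the way the YAML nests it.

    Supported: {"and": [...]}, {"or": [...]}, {"not": cond} and the dotted
    leaf form used in the thread, e.g. {"equals.winlog.event_id": 4624}.
    """
    if len(cond) != 1:
        raise ValueError("a condition holds exactly one key: %r" % (cond,))
    key, value = next(iter(cond.items()))
    if key == "and":
        return all(evaluate(c, event) for c in value)
    if key == "or":
        return any(evaluate(c, event) for c in value)
    if key == "not":
        return not evaluate(value, event)
    if key.startswith("equals."):
        return _lookup(event, key[len("equals."):]) == value
    raise ValueError("unsupported condition %r" % key)


def parse_event_id_filter(spec):
    """Parse an `event_id` list such as '4624, 4625, 4700-4800, -4735'.

    Returns (include, exclude) sets. An empty include set means 'every ID'.
    """
    include, exclude = set(), set()
    for token in (t.strip() for t in spec.split(",") if t.strip()):
        target = include
        if token.startswith("-"):          # leading '-' marks an exclusion
            target, token = exclude, token[1:]
        lo, _, hi = token.partition("-")   # 'lo-hi' is an inclusive range
        target.update(range(int(lo), int(hi or lo) + 1))
    return include, exclude


def passes_event_id_filter(spec, event_id):
    """Assumption of this example: an excluded ID wins over an included range."""
    include, exclude = parse_event_id_filter(spec)
    if event_id in exclude:
        return False
    return not include or event_id in include


def surviving_events(events, event_id_spec, drop_when):
    """Apply the include list first, then the drop_event condition (assumed order)."""
    kept = []
    for ev in events:
        if not passes_event_id_filter(event_id_spec, ev["winlog"]["event_id"]):
            continue
        if evaluate(drop_when, ev):
            continue
        kept.append(ev)
    return kept


# Constructed sample events (not real log data); only the fields the rules touch.
SAMPLE_EVENTS = [
    {"winlog": {"event_id": 4672, "event_data": {"TargetUserName": "pcuser01"}}},
    {"winlog": {"event_id": 4624, "event_data": {"TargetUserName": "pcuser01"}}},
    {"winlog": {"event_id": 4672, "event_data": {"TargetUserName": "svc_backup"}}},
    {"winlog": {"event_id": 4657, "event_data": {"SubjectUserName": "pcuser01"}}},
    {"winlog": {"event_id": 7045, "event_data": {"ServiceName": "ExampleSvc"}}},
]

# The second config from the thread: AND over three different event IDs can never match.
ALL_AND = {"and": [
    {"equals.winlog.event_id": 4624},
    {"equals.winlog.event_id": 4634},
    {"equals.winlog.event_id": 4672},
    {"equals.winlog.event_data.TargetUserName": "pcuser01"},
]}

# The corrected rule: any of the three IDs, AND the username.
OR_IN_AND = {"and": [
    {"or": [{"equals.winlog.event_id": i} for i in (4624, 4634, 4672)]},
    {"equals.winlog.event_data.TargetUserName": "pcuser01"},
]}

if __name__ == "__main__":
    print("all-AND rule drops:", [e["winlog"]["event_id"] for e in SAMPLE_EVENTS if evaluate(ALL_AND, e)])
    print("OR-in-AND rule drops:", [e["winlog"]["event_id"] for e in SAMPLE_EVENTS if evaluate(OR_IN_AND, e)])
    kept = surviving_events(SAMPLE_EVENTS, "4672, 4657", OR_IN_AND)
    print("kept after include list + drop_event:", [e["winlog"]["event_id"] for e in kept])
```

Running it shows the all-AND rule dropping nothing, the OR-in-AND rule dropping the two pcuser01 logon events, and the `4672, 4657` include list discarding 4624 and 7045 before the processor ever sees them. The 4657 event survives because the drop rule only tests TargetUserName; a rule for registry noise would need its own `equals` leaf on whatever field those events carry.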
