Winlogbeat Alert for certain users in Windows PC

amis349 · January 5, 2023, 4:15am

Okay I have looked around and found different iterations of a solution. However I am running into a road block, the winlogbeats (below) are not dropping the events for that targetusername or even the event ID. All logs are still being processed into my stream/sidecar

Here is the winlogbeat I have used (does not work)

winlogbeat.event_logs:
- name: Security
  processors:
  - drop_event:
      when:
        and:
          - or:
            - equals.winlog.event_id: 4624
            - equals.winlog.event_id: 4634
            - equals.winlog.event_id: 4672
          - or:
            - equals.winlog.event_data.TargetUserName: "pcuser01"

I still see log 4672 and username "pcuser01" when it logs into a system (that holds the winlogbeat config (via sidecar agent)

Ayush_Mathur · January 6, 2023, 11:10am

For an "OR" operator, you need to provide 2 operands to compare between. In case of username, you are using OR but only one operand is present and is not a valid logical operation.
If I understand correctly, you essentially want to perform AND operation on "pcuser01" and one of those 3 event_id values ? If yes, then you do not need the "OR" operator for the username field and equality check can be put directly under AND.

amis349 · January 7, 2023, 12:41am

Okay so it should look like...

winlogbeat.event_logs:
- name: Security
  processors:
  - drop_event:
      when:
        and:
          - equals.winlog.event_id: 4624
          - equals.winlog.event_id: 4634
          - equals.winlog.event_id: 4672
          - equals.winlog.event_data.TargetUserName: "pcuser01"

Ayush_Mathur · January 9, 2023, 7:26am

I guess this won't work since a single event cannot have multiple event IDs. You need keep event IDs in OR with an AND with username, something like:

- drop_event:
      when:
        and:
          - or :
            - equals.winlog.event_id: 4624
            - equals.winlog.event_id: 4634
            - equals.winlog.event_id: 4672
          - equals.winlog.event_data.TargetUserName: "pcuser01"

amis349 · January 17, 2023, 3:24am

I think I was looking at this wrong. I decided to only ingest what I am looking to see. but also add filtering. Here is what I am doing but I want to remove the noise from the registry that is associated to the logins for windows (EVENT 4657). I tried layering winlogbeat configurations but I still got thousands of logs haha.

winlogbeat:
  event_logs:
   - name: Security
     event_id: 4672, 4657
   - name: System
     event_id: 7045

system · February 14, 2023, 5:24am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat and drop_event filter Beats winlogbeat	5	4946	May 9, 2017
Drop_event.when.not.or: - not working, Please help Beats winlogbeat	2	549	February 12, 2020
Winlogbeat - drop_event (multiple event ID's with specific rules) Beats winlogbeat	6	1179	November 18, 2020
Problems with AND in drop_events.when.or Beats winlogbeat	3	685	November 11, 2020
Winlogbeat doesn't drop events Beats winlogbeat	5	539	June 7, 2023

Winlogbeat Alert for certain users in Windows PC

Related topics