Winlogbeat - drop_event (multiple event ID's with specific rules)

Okay, so I'm having a hard time solving this puzzle. I've tried almost everything and I can't really solve it by myself. Any ideas?

So I have 2 event IDs:
winlog.event_id: 4624
winlog.event_id: 4672

What I want to do is exclude 3-4 or more UserSIDs, usernames, etc., and I want to specify them per event ID. So, for example, what applies to 4624 only applies to 4624, what applies to 4672 only applies to 4672, etc.

The code I have right now is this:

[image: screenshot of the configuration]

I think I probably have an 'and'/'or' problem. Not sure, though.

Note that I might want to add more event IDs in the future.

Hello,

You were close, actually :wink:

Can you copy/paste your config next time, please? Then we can correct your config directly.

You can try with one more "or" condition:

  - equals.winlog.event_id: 4672
  - or:
    - equals.winlog.event_data.SubjectUserName: 'LOCAL SERVICE'
    # the value is a pattern, so this must be a regexp condition, not equals
    - regexp.winlog.event_data.SubjectUserSid: '^S-1-5-21.*'
    - equals.winlog.event_data.SubjectUserSid: 'S-1-5-20'
    - equals.winlog.event_data.SubjectUserSid: 'S-1-5-19'

Regards,
Luc

Original code:

processors:
- drop_event.when.or:
  - equals.winlog.event_id: 4624
  # - regexp.winlog.event_data.TargetUserSid: "^S-1-5-21.*"
  # - equals.winlog.event_data.SubjectUserSid: 'S-1-5-18'
  # - equals.winlog.event_data.TargetUserSid: 'S-1-0-0'
  # - equals.winlog.event_data.TargetUserSid: 'S-1-5-18 \t'
  - equals.winlog.event_data.TargetUserName: 'SYSTEM'
  - and:
    - equals.winlog.event_id: 4672
    - equals.winlog.event_data.SubjectUserName: 'LOCAL SERVICE'
    - regexp.winlog.event_data.SubjectUserSid: '^S-1-5-21.*'
    - equals.winlog.event_data.SubjectUserSid: 'S-1-5-20'
    - equals.winlog.event_data.SubjectUserSid: 'S-1-5-19'

Yes, of course! My apologies! :smiley:

Edited! So it should look like this, if I'm correct?

processors:
- drop_event.when.or:
  - equals.winlog.event_id: 4624
  # - regexp.winlog.event_data.TargetUserSid: "^S-1-5-21.*"
  # - equals.winlog.event_data.SubjectUserSid: 'S-1-5-18'
  # - equals.winlog.event_data.TargetUserSid: 'S-1-0-0'
  # - equals.winlog.event_data.TargetUserSid: 'S-1-5-18 \t'
  - equals.winlog.event_data.TargetUserName: 'SYSTEM'
  - and:
    - equals.winlog.event_id: 4672
    - or:
      - equals.winlog.event_data.SubjectUserName: 'LOCAL SERVICE'
      - regexp.winlog.event_data.SubjectUserSid: '^S-1-5-21.*'
      - equals.winlog.event_data.SubjectUserSid: 'S-1-5-20'
      - equals.winlog.event_data.SubjectUserSid: 'S-1-5-19'

I'm also curious: if I want to add more event IDs, this will be just an example, but:
Please note that event ID 9999 is just an example.

But every time an event block ends, I need to add "- and:" and then the new event ID.
It's really confusing at first, to be honest, but I get it.

Edit: After I tested, I actually don't get event ID 4624 at all. So, for example, I still want to get every event ID 4624 except those which have TargetUserName: 'System' in this case. So it has System? Drop the event, and let every other event within 4624 pass.

Big thanks
/b

processors:
- drop_event.when.or:
  - equals.winlog.event_id: 4624
  # - regexp.winlog.event_data.TargetUserSid: "^S-1-5-21.*"
  # - equals.winlog.event_data.SubjectUserSid: 'S-1-5-18'
  # - equals.winlog.event_data.TargetUserSid: 'S-1-0-0'
  # - equals.winlog.event_data.TargetUserSid: 'S-1-5-18 \t'
  - equals.winlog.event_data.TargetUserName: 'SYSTEM'
  - and:
    - equals.winlog.event_id: 4672
    - or:
      - equals.winlog.event_data.SubjectUserName: 'LOCAL SERVICE'
      - regexp.winlog.event_data.SubjectUserSid: '^S-1-5-21.*'
      - equals.winlog.event_data.SubjectUserSid: 'S-1-5-20'
      - equals.winlog.event_data.SubjectUserSid: 'S-1-5-19'
  - and:
    - equals.winlog.event_id: 9999
    - or:
      - equals.winlog.event_data.SubjectUserName: 'LOCAL SERVICE'
      - regexp.winlog.event_data.SubjectUserSid: '^S-1-5-21.*'
      - equals.winlog.event_data.SubjectUserSid: 'S-1-5-20'
      - equals.winlog.event_data.SubjectUserSid: 'S-1-5-19'

Remember, we use "drop event when 'something'".
For your question regarding dropping "4624 and SYSTEM":

processors:
- drop_event.when.or:
  - and:
    - equals.winlog.event_id: 4624
    - equals.winlog.event_data.TargetUserName: 'SYSTEM'
  - and:
    - equals.winlog.event_id: 4672
    - or:
      - equals.winlog.event_data.SubjectUserName: 'LOCAL SERVICE'
      - regexp.winlog.event_data.SubjectUserSid: '^S-1-5-21.*'
      - equals.winlog.event_data.SubjectUserSid: 'S-1-5-20'
      - equals.winlog.event_data.SubjectUserSid: 'S-1-5-19'
  - and:
    - equals.winlog.event_id: 9999
    - or:
      - equals.winlog.event_data.SubjectUserName: 'LOCAL SERVICE'
      - regexp.winlog.event_data.SubjectUserSid: '^S-1-5-21.*'
      - equals.winlog.event_data.SubjectUserSid: 'S-1-5-20'
      - equals.winlog.event_data.SubjectUserSid: 'S-1-5-19'
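To see why the first layout dropped every 4624 while the corrected one only drops 4624 with TargetUserName SYSTEM, here is an added example that is not from the thread and not Winlogbeat's own code: a small Python evaluator for the condition subset used above (equals, regexp, and, or, not), applied to constructed sample events. The field names mirror Winlogbeat's winlog.* fields as flattened dotted keys; the events themselves, including the 4688 one, are made up, and the helper per_event_id_rule is this example's own way of building the "- and: [event ID, or: [...]]" block for a new event ID.

```python
"""Evaluate Beats-style drop_event.when conditions over sample events.

Added example: mirrors the equals/regexp/and/or/not semantics used in the
thread so the original and corrected processor layouts can be compared.
"""
import re

# Constructed sample events (not real log data). Winlogbeat nests these under
# winlog.event_id and winlog.event_data.*; flattened dotted keys are used here.
# The "name" key is only a label for the output.
EVENTS = [
    {"name": "4624 SYSTEM", "winlog.event_id": 4624,
     "winlog.event_data.TargetUserName": "SYSTEM"},
    {"name": "4624 alice", "winlog.event_id": 4624,
     "winlog.event_data.TargetUserName": "alice"},
    {"name": "4672 LOCAL SERVICE", "winlog.event_id": 4672,
     "winlog.event_data.SubjectUserName": "LOCAL SERVICE",
     "winlog.event_data.SubjectUserSid": "S-1-5-19"},
    {"name": "4672 domain user", "winlog.event_id": 4672,
     "winlog.event_data.SubjectUserName": "alice",
     "winlog.event_data.SubjectUserSid": "S-1-5-21-1111-2222-3333-1001"},
    {"name": "4672 builtin admin", "winlog.event_id": 4672,
     "winlog.event_data.SubjectUserName": "svc_backup",
     "winlog.event_data.SubjectUserSid": "S-1-5-32-544"},
    # Unrelated event ID that happens to carry TargetUserName SYSTEM.
    {"name": "4688 unrelated", "winlog.event_id": 4688,
     "winlog.event_data.TargetUserName": "SYSTEM"},
]


def evaluate(cond, event):
    """Return True when `cond` matches `event`.

    A condition is a one-key dict: equals / regexp map field -> value (several
    fields under one key are ANDed), and / or take a list of conditions, not
    takes one condition. A field absent from the event never matches.
    """
    if len(cond) != 1:
        raise ValueError("each condition object must have exactly one key")
    kind, body = next(iter(cond.items()))
    if kind == "equals":
        return all(event.get(field) == want for field, want in body.items())
    if kind == "regexp":
        # Unanchored search, like Go's regexp.MatchString used by Beats.
        return all(isinstance(event.get(field), str)
                   and re.search(pattern, event[field]) is not None
                   for field, pattern in body.items())
    if kind == "and":
        return all(evaluate(c, event) for c in body)
    if kind == "or":
        return any(evaluate(c, event) for c in body)
    if kind == "not":
        return not evaluate(body, event)
    raise ValueError(f"unsupported condition type: {kind}")


def drop_event(when, events):
    """Apply a drop_event.when condition; return (dropped names, kept names)."""
    dropped = [e["name"] for e in events if evaluate(when, e)]
    kept = [e["name"] for e in events if not evaluate(when, e)]
    return dropped, kept


def per_event_id_rule(event_id, user_conditions):
    """Hypothetical helper: build the '- and: [event ID, or: [...]]' branch that
    scopes a list of user exclusions to exactly one event ID."""
    return {"and": [{"equals": {"winlog.event_id": event_id}},
                    {"or": list(user_conditions)}]}


# The subject exclusions from the thread, reused for every event ID branch.
SUBJECT_EXCLUSIONS = [
    {"equals": {"winlog.event_data.SubjectUserName": "LOCAL SERVICE"}},
    {"regexp": {"winlog.event_data.SubjectUserSid": "^S-1-5-21.*"}},
    {"equals": {"winlog.event_data.SubjectUserSid": "S-1-5-20"}},
    {"equals": {"winlog.event_data.SubjectUserSid": "S-1-5-19"}},
]

# Poster's layout: 4624 and TargetUserName SYSTEM sit directly under the
# top-level `or`, so every 4624 (and any SYSTEM event) is dropped.
ORIGINAL_WHEN = {"or": [
    {"equals": {"winlog.event_id": 4624}},
    {"equals": {"winlog.event_data.TargetUserName": "SYSTEM"}},
    per_event_id_rule(4672, SUBJECT_EXCLUSIONS),
]}

# Corrected layout: each event ID gets its own `and` branch.
CORRECTED_WHEN = {"or": [
    {"and": [{"equals": {"winlog.event_id": 4624}},
             {"equals": {"winlog.event_data.TargetUserName": "SYSTEM"}}]},
    per_event_id_rule(4672, SUBJECT_EXCLUSIONS),
]}

if __name__ == "__main__":
    for label, when in (("original", ORIGINAL_WHEN), ("corrected", CORRECTED_WHEN)):
        dropped, kept = drop_event(when, EVENTS)
        print(f"{label}: dropped={dropped}\n{' ' * len(label)}  kept={kept}")
```

Running it shows the original layout dropping "4624 alice" and the unrelated 4688 event as well, while the corrected layout drops only the 4624 SYSTEM logon and the excluded 4672 subjects; a new event ID is added by appending another per_event_id_rule branch to the top-level or, exactly as the 9999 block above does.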
