I am trying to do some conditional filtering of windows logon events and I am having some difficulty trying to figure out how the if statements work.
How I am trying to get things to work is if it is a network logon do something, if it a service logon do something, then lastly if it is not a network or service logon do something.
I am essentially trying to take palantir's work with XPATH and put them into winlogbeat format.
The below code is grammatically correct, meaning that winlogbeat says the config is OK, however I am not getting any logon events in Kibana from the system even though they are being generated.
# https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Authentication.xml
- name: Security
event_id: 4624, 4625, 4626, 4634, 4647, 4649, 4672, 4675, 4774, 4775, 4776, 4777, 4778, 4779, 4800, 4801, 4802, 4803, 4964, 5378
ignore_older: 72h
processors:
# Pass the Hash Detection
- if:
# only if it is a network logon
equals:
winlog.event_data.LogonType: 3
then:
- drop_event:
when.not:
and:
# drop event if it is NOT NTLM and it is Anonymous Logon
- equals.winlog.event_data.AuthenticationPackageName: 'NTLM'
- not.equals.winlog.event_data.TargetUserName: 'ANONYMOUS LOGON'
#Drop event if the TargetDomain is one of these domains
or.not:
- equals.winlog.event_data.TargetDomainName: 'DOMAIN1'
- equals.winlog.event_data.TargetDomainName: 'DOMAIN2'
- equals.winlog.event_data.TargetDomainName: 'DOMAIN3'
- equals.winlog.event_data.TargetDomainName: 'DOMAIN4'
- equals.winlog.event_data.TargetDomainName: 'DOMAIN5'
- drop_fields:
fields: ["message"]
- script:
lang: javascript
id: security
file: ${path.home}/module/security/config/winlogbeat-security.js
# Service account logons that are not localsystem, networkservice, localservice
- name: Security
event_id: 4624, 4625, 4626, 4634, 4647, 4649, 4672, 4675, 4774, 4775, 4776, 4777, 4778, 4779, 4800, 4801, 4802, 4803, 4964, 5378
ignore_older: 72h
processors:
- if:
equals:
# only if it is a service logon
winlog.event_data.LogonType: 5
then:
- drop_event:
when:
# drop when it is a Local Service, Network Service, or NT Authority
or:
- equals.winlog.event_data.TargetUserSid: 'S-1-5-18'
- equals.winlog.event_data.TargetUserSid: 'S-1-5-19'
- equals.winlog.event_data.TargetUserSid: 'S-1-5-20'
- drop_fields:
fields: ["message"]
- script:
lang: javascript
id: security
file: ${path.home}/module/security/config/winlogbeat-security.js
- name: Security
event_id: 4624, 4625, 4626, 4634, 4647, 4649, 4672, 4675, 4774, 4775, 4776, 4777, 4778, 4779, 4800, 4801, 4802, 4803, 4964, 5378
ignore_older: 72h
processors:
# All other logons
- if:
or:
#only if it is not system, network, or service logon
- not.equals.winlog.event_data.LogonType: 3
- not.equals.winlog.event_data.LogonType: 5
- not.equals.winlog.event_data.LogonType: 0
then:
- drop_event:
when:
or:
#drop if any are true
- equals.winlog.event_data.SubjectUserSid: 'S-1-5-18'
- equals.winlog.event_data.SubjectUserSid: 'S-1-5-19'
- equals.winlog.event_data.SubjectUserSid: 'S-1-5-20'
- regexp.winlog.event_data.TargetUserName: '*$'
- equals.winlog.event_data.TargetUserName: 'ANONYMOUS LOGON'
- equals.winlog.event_data.TargetDomainName: 'Window Manager'
- equals.winlog.event_data.TargetDomainName: 'Font Driver Host'
- drop_fields:
fields: ["message"]
- script:
lang: javascript
id: security
file: ${path.home}/module/security/config/winlogbeat-security.js