Winlogbeat isn't dropping events

Hey guys, cheers. I really need help to drop some events from my Active Directory; they're eating my disk space, xD. I have an issue filtering system logons, which occur in events 4624 and 4634. I only want to filter real logged-in and logged-out events; I want to drop events from SYSTEM, LOCAL SERVICE, NETWORK SERVICE, and machine accounts like HUMAP-WK-525466$, so if the account ends with $ and LogonType is 3, this must be dropped. Version of Winlogbeat: winlogbeat-9.0.3

Here's the config I'm trying to use for this.

  - drop_event:
      when:
        and:
          - or:
              - equals:
                  winlog.event_id: 4624
              - equals:
                  winlog.event_id: 4625
          - equals:
              winlog.event_data.LogonType: "3"
          - contains:
              event.category: "authentication"
          - or:
              - regexp:
                  winlog.event_data.TargetUserName: ".*\\$$"
              - equals:
                  winlog.event_data.TargetUserName: "SYSTEM"
              - equals:
                  winlog.event_data.TargetUserName: "LOCAL SERVICE"
              - equals:
                  winlog.event_data.TargetUserName: "NETWORK SERVICE"

and for the 4634 event

  - drop_event:
      when:
        and:
          - equals:
              winlog.event_id: 4634
          - equals:
              winlog.event_data.LogonType: "3"
          - and:
            - regexp:
                winlog.event_data.TargetUserName: '.*\$$'
            - not:
                or:
                  # Exceptions by prefix or name
                  - regexp:
                      winlog.event_data.TargetUserName: '^adm\..+'
                  - equals:
                      winlog.event_data.TargetUserName: "SYSTEM"
                  - equals:
                      winlog.event_data.TargetUserName: "LOCAL SERVICE"
                  - equals:
                      winlog.event_data.TargetUserName: "NETWORK SERVICE"
                  - regexp:
                      winlog.event_data.TargetUserName: ".*SEDE.*"
                  - regexp:
                      winlog.event_data.TargetUserName: ".*HUMAP-VP.*"
                  # IT team exceptions - will be collected
                  - equals: { winlog.event_data.TargetUserName: "eder.siviero" }
                  - equals: { winlog.event_data.TargetUserName: "diego.baubino" }
                  - equals: { winlog.event_data.TargetUserName: "marcio.andrei" }
                  - equals: { winlog.event_data.TargetUserName: "alan.massaharo" }
                  - equals: { winlog.event_data.TargetUserName: "paulo.mazacote" }
                  - equals: { winlog.event_data.TargetUserName: "christian.pacheco" }
                  - equals: { winlog.event_data.TargetUserName: "sanches.aline" }
                  - equals: { winlog.event_data.TargetUserName: "lucas.oliveira.27" }
                  - equals: { winlog.event_data.TargetUserName: "alfredo.soares" }
                  - equals: { winlog.event_data.TargetUserName: "thiago.kobayashi" }
                  - equals: { winlog.event_data.TargetUserName: "edeilson.cruz" }
                  - equals: { winlog.event_data.TargetUserName: "luis.campaner" }
                  - equals: { winlog.event_data.TargetUserName: "franklin.alvarez" }
                  - equals: { winlog.event_data.TargetUserName: "gildiney.almeida" }
                  - equals: { winlog.event_data.TargetUserName: "jean.heemann" }
                  - equals: { winlog.event_data.TargetUserName: "cleiton.marques" }

Thanks guys, I hope you can help me with that.

###################### Winlogbeat Configuration Example ########################

# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.reference.yml file from the same directory contains
# all the supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html

# ======================== Winlogbeat specific options =========================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name, id, xml_query, tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml.
# The xml_query key requires an id and must not be used with the name,
# ignore_older, level, event_id, or provider keys. Please visit the
# documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig

winlogbeat.event_logs:
  # Main Security logs with refined filtering to reduce noise
  - name: Security
    tags: [audit]

  # Sysmon - do not filter here, control it via the Sysmon configuration file
  - name: Microsoft-Windows-Sysmon/Operational
    tags: [sysmon]

  # Main PowerShell logs, focused on execution of suspicious commands
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
    tags: [powershell]

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

  # System and Application logs, only selected events to avoid excessive processing
  - name: System
    event_id: 41, 55, 1014, 1001, 1002, 6005, 6006, 6008
    tags: [system]

  - name: Application
    level: error
    tags: [app]

  # Forwarded logs - keep
  - name: ForwardedEvents
    tags: [forwarded]

# ====================== Elasticsearch template settings =======================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false


# ================================== General ===================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

# ================================= Dashboards =================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
setup.dashboards.enabled: true

# The URL from where to download the dashboard archive. By default, this URL
# has a value that is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "deleted-to-discuss"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

# =============================== Elastic Cloud ================================

# These settings simplify using Winlogbeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

# ================================== Outputs ===================================

# Configure what output to use when sending the data collected by the beat.

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: "deleted-to-discuss"

  # Protocol - either `http` (default) or `https`.
  protocol: "https"
  ssl.certificate_authorities: ["deleted-to-discuss"]
  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "deleted-to-discuss"
  password: "deleted-to-discuss"

  # Pipeline to route events to security, sysmon, or powershell pipelines.
  pipeline: "winlogbeat-%{[agent.version]}-routing"

# ------------------------------ Logstash Output -------------------------------
#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

# ================================= Processors =================================
# Processors to reduce noise and focus on important events
# Filter 4662 (object access) events from default service accounts, keeping important evidence
processors:
# Filter 4662 events generated by common service accounts
  - drop_event:
      when:
        and:
          - equals:
              winlog.event_id: 4662
          - or:
              - equals:
                  winlog.event_data.SubjectUserName: "LOCAL SERVICE"
              - equals:
                  winlog.event_data.SubjectUserName: "SYSTEM"
              - equals:
                  winlog.event_data.SubjectUserName: "NETWORK SERVICE"
              - equals:
                  winlog.event_data.SubjectUserName: "ANONYMOUS LOGON"
# Filter and drop 4776 events generated by common service accounts and computer accounts ($) when the authentication succeeds.
  - drop_event:
      when:
        and:
          - equals:
              winlog.event_id: 4776
          - equals:
              winlog.event_data.Status: "0x0"
          - not:
              or:
              - regexp:
                  winlog.event_data.TargetUserName: '^adm\..+'
              - equals:
                  winlog.event_data.TargetUserName: "eder.siviero"
              - equals:
                  winlog.event_data.TargetUserName: "diego.baubino"
              - equals:
                  winlog.event_data.TargetUserName: "marcio.andrei"
              - equals:
                  winlog.event_data.TargetUserName: "alan.massaharo"
              - equals:
                  winlog.event_data.TargetUserName: "paulo.mazacote"
              - equals:
                  winlog.event_data.TargetUserName: "christian.pacheco"
              - equals:
                  winlog.event_data.TargetUserName: "sanches.aline"
              - equals:
                  winlog.event_data.TargetUserName: "lucas.oliveira.27"
              - equals:
                  winlog.event_data.TargetUserName: "alfredo.soares"
              - equals:
                  winlog.event_data.TargetUserName: "thiago.kobayashi"
              - equals:
                  winlog.event_data.TargetUserName: "edeilson.cruz"
              - equals:
                  winlog.event_data.TargetUserName: "luis.campaner"
              - equals:
                  winlog.event_data.TargetUserName: "franklin.alvarez"
              - equals:
                  winlog.event_data.TargetUserName: "gildiney.almeida"
              - equals:
                  winlog.event_data.TargetUserName: "jean.heemann"
              - equals:
                  winlog.event_data.TargetUserName: "cleiton.marques"
          - or:
              - regexp:
                  winlog.event_data.TargetUserName: ".*\\$$"
              - equals:
                  winlog.event_data.TargetUserName: "NETWORK SERVICE"
              - equals:
                  winlog.event_data.TargetUserName: "LOCAL SERVICE"
              - equals:
                  winlog.event_data.TargetUserName: "SYSTEM"
# Filter logon events (4624 and 4625) from common service accounts and machine accounts.
  - drop_event:
      when:
        and:
          - or:
              - equals:
                  winlog.event_id: 4624
              - equals:
                  winlog.event_id: 4625
          - equals:
              winlog.event_data.LogonType: "3"
          - contains:
              event.category: "authentication"
          - or:
              - regexp:
                  winlog.event_data.TargetUserName: ".*\\$$"
              - equals:
                  winlog.event_data.TargetUserName: "SYSTEM"
              - equals:
                  winlog.event_data.TargetUserName: "LOCAL SERVICE"
              - equals:
                  winlog.event_data.TargetUserName: "NETWORK SERVICE"
# Filter network logoff events (LogonType 3) for common accounts
  - drop_event:
      when:
        and:
          - equals:
              winlog.event_id: 4634
          - equals:
              winlog.event_data.LogonType: "3"
          - and:
            - regexp:
                winlog.event_data.TargetUserName: '.*\$$'
            - not:
                or:
                  # Exceptions by prefix or name
                  - regexp:
                      winlog.event_data.TargetUserName: '^adm\..+'
                  - equals:
                      winlog.event_data.TargetUserName: "SYSTEM"
                  - equals:
                      winlog.event_data.TargetUserName: "LOCAL SERVICE"
                  - equals:
                      winlog.event_data.TargetUserName: "NETWORK SERVICE"
                  - regexp:
                      winlog.event_data.TargetUserName: ".*SEDE.*"
                  - regexp:
                      winlog.event_data.TargetUserName: ".*HUMAP-VP.*"
                  # IT team exceptions - will be collected
                  - equals: { winlog.event_data.TargetUserName: "eder.siviero" }
                  - equals: { winlog.event_data.TargetUserName: "diego.baubino" }
                  - equals: { winlog.event_data.TargetUserName: "marcio.andrei" }
                  - equals: { winlog.event_data.TargetUserName: "alan.massaharo" }
                  - equals: { winlog.event_data.TargetUserName: "paulo.mazacote" }
                  - equals: { winlog.event_data.TargetUserName: "christian.pacheco" }
                  - equals: { winlog.event_data.TargetUserName: "sanches.aline" }
                  - equals: { winlog.event_data.TargetUserName: "lucas.oliveira.27" }
                  - equals: { winlog.event_data.TargetUserName: "alfredo.soares" }
                  - equals: { winlog.event_data.TargetUserName: "thiago.kobayashi" }
                  - equals: { winlog.event_data.TargetUserName: "edeilson.cruz" }
                  - equals: { winlog.event_data.TargetUserName: "luis.campaner" }
                  - equals: { winlog.event_data.TargetUserName: "franklin.alvarez" }
                  - equals: { winlog.event_data.TargetUserName: "gildiney.almeida" }
                  - equals: { winlog.event_data.TargetUserName: "jean.heemann" }
                  - equals: { winlog.event_data.TargetUserName: "cleiton.marques" }
# Drop PowerShell 4103 events related to Windows Defender ATP (Log4jLocalScanner etc.)
  - drop_event:
      when:
        and:
          - equals:
              winlog.event_id: 4103
          - contains:
              powershell.command.invocation_details.value: "Log4jLocalScanner"
          - regexp:
              file.path: ".*Windows Defender Advanced Threat Protection.*"
# Filter 4688 events without a CommandLine (e.g. trivial processes)
  - drop_event:
      when:
        and:
          - equals:
              winlog.event_id: 4688
          - not:
              has_fields: ["winlog.event_data.CommandLine"]
# Filter 4688 events from common trivial processes (e.g. conhost, svchost, WerFault)
  - drop_event:
      when:
        and:
          - equals:
              winlog.event_id: 4688
          - or:
              - contains:
                  winlog.event_data.NewProcessName: "\\\\?\\C:\\Windows\\System32\\conhost.exe"
              - contains:
                  winlog.event_data.NewProcessName: "\\\\?\\C:\\Windows\\System32\\svchost.exe"
              - contains:
                  winlog.event_data.NewProcessName: "\\\\?\\C:\\Windows\\System32\\WerFault.exe"
# ADD TAGS for critical privilege escalation events
  - add_tags:
      when:
        or:
          - equals:
              winlog.event_id: 4672 # Special privileges assigned to the token
          - equals:
              winlog.event_id: 4673 # Attempted privileged operation
          - equals:
              winlog.event_id: 4648 # Logon using explicit credentials
          - and:
              - equals:
                  winlog.event_id: 4688 # Process creation
              - has_fields: ["winlog.event_data.CommandLine"] # Only if there is a command line (avoids noise)
      tags: ["privilege_escalation_candidate"]
# Add host metadata, except for forwarded events
  - add_host_metadata:
      when.not.contains:
        tags: forwarded

  - add_cloud_metadata: ~
# ================================== Logging ===================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors, use ["*"]. Examples of other selectors are "beat",
# "publisher", "service".
#logging.selectors: ["*"]

# ============================= X-Pack Monitoring ==============================
# Winlogbeat can export internal metrics to a central Elasticsearch monitoring
# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#monitoring.enabled: false

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Winlogbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch outputs are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:

# ============================== Instrumentation ===============================

# Instrumentation support for the winlogbeat.
#instrumentation:
#  # Set to true to enable instrumentation of winlogbeat.
#  #enabled: false

#  # Environment in which winlogbeat is running on (eg: staging, production, etc.)
#  #environment: ""

#  # APM Server hosts to report instrumentation results to.
#  #hosts:
#  #  - http://localhost:8200

#  # API Key for the APM Server(s).
#  # If api_key is set then secret_token will be ignored.
#  #api_key:

#  # Secret token for the APM Server(s).
#  #secret_token:


# ================================= Migration ==================================

# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true

#logging:
#  level: debug
#  selectors: ["*"]
#  to_files: true
#  files:
#    path: C:/ProgramData/winlogbeat/Logs
#    name: winlogbeat
#    keepfiles: 7
#    permissions: 0644

Hello! Is it possible to get some debug logs in case there is anything useful? Also, can you confirm the fields exist in the events before they are processed by the ingest pipelines? Winlogbeat uses pipelines for its modules, and it is possible the fields exist in the final stored events but are not yet there by the time Winlogbeat processors are executed.

I applied this code in my winlogbeat.yml.

logging.level: debug
logging.selectors: ["processors", "event", "publish"]

I was able to collect this from the logs, is this what you need?

For event 4634

{"log.level":"debug","@timestamp":"2025-08-13T07:42:49.128-0400","log.logger":"processors","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/processing.debugPrintProcessor.func1","file.name":"processing/processors.go","file.line":215},"message":"Publish event: {\n  \"@timestamp\": \"2025-08-13T11:42:47.648Z\",\n  \"@metadata\": {\n    \"beat\": \"winlogbeat\",\n    \"type\": \"_doc\",\n    \"version\": \"9.0.3\"\n  },\n  \"host\": {\n    \"id\": \"3748b396-7d07-48e9-8142-116b02f7b7e1\",\n    \"ip\": [\n      \"10.42.0.32\"\n    ],\n    \"mac\": [\n      \"00-50-56-B7-56-6D\"\n    ],\n    \"name\": \"humap-vp-acc01\",\n    \"hostname\": \"humap-vp-acc01\",\n    \"architecture\": \"x86_64\",\n    \"os\": {\n      \"family\": \"windows\",\n      \"name\": \"Windows Server 2022 Standard\",\n      \"kernel\": \"10.0.20348.3451 (WinBuild.160101.0800)\",\n      \"build\": \"20348.3453\",\n      \"type\": \"windows\",\n      \"platform\": \"windows\",\n      \"version\": \"10.0\"\n    }\n  },\n  \"winlog\": {\n    \"channel\": \"Security\",\n    \"process\": {\n      \"pid\": 676,\n      \"thread\": {\n        \"id\": 2616\n      }\n    },\n    \"event_id\": \"4634\",\n    \"record_id\": 862657,\n    \"event_data\": {\n      \"LogonType\": \"3\",\n      \"TargetUserSid\": \"S-1-5-21-1931848770-558012088-2016168095-554726\",\n      \"TargetUserName\": \"pmazacote\",\n      \"TargetDomainName\": \"EBSERHNET\",\n      \"TargetLogonId\": \"0x31326e1de\"\n    },\n    \"computer_name\": \"humap-vp-acc01.ebserhnet\",\n    \"opcode\": \"Info\",\n    \"task\": \"Logoff\",\n    \"provider_name\": \"Microsoft-Windows-Security-Auditing\",\n    \"provider_guid\": \"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\n    \"keywords\": [\n      \"Audit Success\"\n    ]\n  },\n  \"event\": {\n    \"action\": \"Logoff\",\n    \"created\": \"2025-08-13T11:42:49.127Z\",\n    \"code\": \"4634\",\n    \"kind\": \"event\",\n    \"provider\": 
\"Microsoft-Windows-Security-Auditing\",\n    \"outcome\": \"success\"\n  },\n  \"ecs\": {\n    \"version\": \"8.0.0\"\n  },\n  \"agent\": {\n    \"id\": \"9fa5d5eb-3e0b-41c0-b2ee-f9c235f61a66\",\n    \"name\": \"humap-vp-acc01\",\n    \"type\": \"winlogbeat\",\n    \"version\": \"9.0.3\",\n    \"ephemeral_id\": \"66db6aff-f857-4cd8-8d84-9799fed6d4ec\"\n  },\n  \"message\": \"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-5-21-1931848770-558012088-2016168095-554726\\n\\tAccount Name:\\t\\tadm.pmazacote\\n\\tAccount Domain:\\t\\tEBSERHNET\\n\\tLogon ID:\\t\\t0x31326e1de\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\",\n  \"log\": {\n    \"level\": \"information\"\n  },\n  \"tags\": [\n    \"audit\"\n  ]\n}","service.name":"winlogbeat","log.type":"event","ecs.version":"1.6.0"}

For event 4624 (this was an interactive login)

{"log.level":"debug","@timestamp":"2025-08-13T07:43:08.152-0400","log.logger":"processors","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/processing.debugPrintProcessor.func1","file.name":"processing/processors.go","file.line":215},"message":"Publish event: {\n  \"@timestamp\": \"2025-08-13T11:43:06.294Z\",\n  \"@metadata\": {\n    \"beat\": \"winlogbeat\",\n    \"type\": \"_doc\",\n    \"version\": \"9.0.3\"\n  },\n  \"message\": \"An account was successfully logged on.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-0-0\\n\\tAccount Name:\\t\\t-\\n\\tAccount Domain:\\t\\t-\\n\\tLogon ID:\\t\\t0x0\\n\\nLogon Information:\\n\\tLogon Type:\\t\\t3\\n\\tRestricted Admin Mode:\\t-\\n\\tVirtual Account:\\t\\tNo\\n\\tElevated Token:\\t\\tYes\\n\\nImpersonation Level:\\t\\tImpersonation\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-1-5-21-1931848770-558012088-2016168095-554726\\n\\tAccount Name:\\t\\tpmazacote\\n\\tAccount Domain:\\t\\tEBSERHNET\\n\\tLogon ID:\\t\\t0x318421114\\n\\tLinked Logon ID:\\t\\t0x0\\n\\tNetwork Account Name:\\t-\\n\\tNetwork Account Domain:\\t-\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x0\\n\\tProcess Name:\\t\\t-\\n\\nNetwork Information:\\n\\tWorkstation Name:\\tHUMAP-WK-526648\\n\\tSource Network Address:\\t10.42.3.236\\n\\tSource Port:\\t\\t0\\n\\nDetailed Authentication Information:\\n\\tLogon Process:\\t\\tNtLmSsp \\n\\tAuthentication Package:\\tNTLM\\n\\tTransited Services:\\t-\\n\\tPackage Name (NTLM only):\\tNTLM V2\\n\\tKey Length:\\t\\t128\\n\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\n\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\n\\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\\n\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\n\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\n\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\n\\nThe authentication information fields provide detailed information about this specific logon request.\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\n\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\",\n  \"host\": {\n    \"ip\": [\n      \"10.42.0.32\"\n    ],\n    \"mac\": [\n      \"00-50-56-B7-56-6D\"\n    ],\n    \"hostname\": \"humap-vp-acc01\",\n    \"name\": \"humap-vp-acc01\",\n    \"architecture\": \"x86_64\",\n    \"os\": {\n      \"platform\": \"windows\",\n      \"version\": \"10.0\",\n      \"family\": \"windows\",\n      \"name\": \"Windows Server 2022 Standard\",\n      \"kernel\": \"10.0.20348.3451 (WinBuild.160101.0800)\",\n      \"build\": \"20348.3453\",\n      \"type\": \"windows\"\n    },\n    \"id\": \"3748b396-7d07-48e9-8142-116b02f7b7e1\"\n  },\n  \"winlog\": {\n    \"channel\": \"Security\",\n    \"provider_name\": \"Microsoft-Windows-Security-Auditing\",\n    \"process\": {\n      \"thread\": {\n        \"id\": 10208\n      },\n      \"pid\": 676\n    },\n    \"keywords\": [\n      \"Audit Success\"\n    ],\n    \"record_id\": 862659,\n    \"version\": 2,\n    \"event_data\": {\n      \"WorkstationName\": \"HUMAP-WK-526648\",\n      \"TargetUserSid\": 
\"S-1-5-21-1931848770-558012088-2016168095-554726\",\n      \"IpPort\": \"0\",\n      \"SubjectLogonId\": \"0x0\",\n      \"TargetLinkedLogonId\": \"0x0\",\n      \"LogonProcessName\": \"NtLmSsp \",\n      \"IpAddress\": \"10.42.3.236\",\n      \"TargetDomainName\": \"EBSERHNET\",\n      \"TargetOutboundUserName\": \"-\",\n      \"VirtualAccount\": \"No\",\n      \"SubjectUserSid\": \"S-1-0-0\",\n      \"SubjectUserName\": \"-\",\n      \"ImpersonationLevel\": \"Impersonation\",\n      \"LogonType\": \"3\",\n      \"KeyLength\": \"128\",\n      \"TargetOutboundDomainName\": \"-\",\n      \"LogonGuid\": \"{00000000-0000-0000-0000-000000000000}\",\n      \"ElevatedToken\": \"Yes\",\n      \"LmPackageName\": \"NTLM V2\",\n      \"TargetLogonId\": \"0x318421114\",\n      \"TransmittedServices\": \"-\",\n      \"SubjectDomainName\": \"-\",\n      \"AuthenticationPackageName\": \"NTLM\",\n      \"ProcessName\": \"-\",\n      \"ProcessId\": \"0x0\",\n      \"RestrictedAdminMode\": \"-\",\n      \"TargetUserName\": \"pmazacote\"\n    },\n    \"activity_id\": \"{CDBA9A63-099A-4591-9BAB-846BBFE7867A}\",\n    \"event_id\": \"4624\",\n    \"opcode\": \"Info\",\n    \"task\": \"Logon\",\n    \"computer_name\": \"humap-vp-acc01.ebserhnet\",\n    \"provider_guid\": \"{54849625-5478-4994-A5BA-3E3B0328C30D}\"\n  },\n  \"event\": {\n    \"created\": \"2025-08-13T11:43:08.151Z\",\n    \"code\": \"4624\",\n    \"kind\": \"event\",\n    \"provider\": \"Microsoft-Windows-Security-Auditing\",\n    \"outcome\": \"success\",\n    \"action\": \"Logon\"\n  },\n  \"tags\": [\n    \"audit\"\n  ],\n  \"ecs\": {\n    \"version\": \"8.0.0\"\n  },\n  \"log\": {\n    \"level\": \"information\"\n  },\n  \"agent\": {\n    \"type\": \"winlogbeat\",\n    \"version\": \"9.0.3\",\n    \"ephemeral_id\": \"66db6aff-f857-4cd8-8d84-9799fed6d4ec\",\n    \"id\": \"9fa5d5eb-3e0b-41c0-b2ee-f9c235f61a66\",\n    \"name\": \"humap-vp-acc01\"\n  
}\n}","service.name":"winlogbeat","log.type":"event","ecs.version":"1.6.0"}

This is before any ingest pipeline processing.
As you can see, in both events (4624 and 4634), LogonType and TargetUserName are already present at the processor stage, so the drop_event filter should be able to match them.

Just to confirm, in the processor you have:

# ...
and:
# ...
- contains:
    event.category: "authentication"
# ...

But I fail to see event.category present in the events you shared.

Also, just to be sure, I'd quote the winlog.event_id: "4634", since they are strings in the events.

If that does not do it, check the indentation, and as a last resort I would try starting from scratch and adding one condition at a time, since other than what I stated there is nothing else that stands out as wrong right now.

If I'm not wrong, this is populated by the ingest pipeline; the parsing/enrichment of Winlogbeat data was moved from the edge to Elasticsearch ingest pipelines some time ago.
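To make the two points above concrete, here is an added example (not Winlogbeat's code and not from anyone in this thread) that re-implements the libbeat condition semantics in Python and dry-runs three versions of the 4624/4634 `when` clause over constructed events shaped like the debug output posted earlier. The semantics are an assumption based on how libbeat conditions behave: `equals` with an unquoted integer only matches numeric fields, so `4624` never equals the string `"4624"`; `contains` and `regexp` only match string fields; and a field that is absent at the processor stage (such as `event.category`, which the ingest pipeline adds later) never matches. The sample events and account names are constructed for the example.

```python
"""Dry-run Winlogbeat drop_event 'when' conditions against events as they look at
the processor stage (before any Elasticsearch ingest pipeline runs).

Added example for this thread, not Winlogbeat code. The condition semantics below are
an assumption modelled on libbeat: 'equals' with an int only matches numeric fields,
'contains' and 'regexp' only match string fields, and a missing field never matches."""
import re

# Constructed sample events shaped like the debug output in this thread:
# winlog.event_id is a string and event.category is not present yet.
EVENTS = [
    {"winlog": {"event_id": "4624", "event_data": {"LogonType": "3", "TargetUserName": "pmazacote"}}},
    {"winlog": {"event_id": "4624", "event_data": {"LogonType": "3", "TargetUserName": "HUMAP-WK-525466$"}}},
    {"winlog": {"event_id": "4634", "event_data": {"LogonType": "3", "TargetUserName": "SYSTEM"}}},
    {"winlog": {"event_id": "4624", "event_data": {"LogonType": "2", "TargetUserName": "HUMAP-WK-525466$"}}},
]

_MISSING = object()


def get_field(event, dotted):
    """Resolve a dotted field name such as winlog.event_data.TargetUserName."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node


def evaluate(cond, event):
    """Evaluate one 'when' node: and / or / not / equals / contains / regexp."""
    (kind, body), = cond.items()
    if kind == "and":
        return all(evaluate(c, event) for c in body)
    if kind == "or":
        return any(evaluate(c, event) for c in body)
    if kind == "not":
        return not evaluate(body, event)
    # Leaf conditions: every listed field must match.
    for field, expected in body.items():
        actual = get_field(event, field)
        if actual is _MISSING:
            return False
        if kind == "equals":
            # Type-sensitive: int 4624 never equals the string "4624".
            if isinstance(expected, int):
                if not (isinstance(actual, int) and actual == expected):
                    return False
            elif not (isinstance(actual, str) and actual == expected):
                return False
        elif kind == "contains":
            if not (isinstance(actual, str) and expected in actual):
                return False
        elif kind == "regexp":
            # Go's regexp MatchString is an unanchored search, like re.search.
            if not (isinstance(actual, str) and re.search(expected, actual)):
                return False
        else:
            raise ValueError(f"unsupported condition: {kind}")
    return True


NOISE_ACCOUNTS = {"or": [
    {"regexp": {"winlog.event_data.TargetUserName": r".*\$$"}},  # machine accounts end in $
    {"equals": {"winlog.event_data.TargetUserName": "SYSTEM"}},
    {"equals": {"winlog.event_data.TargetUserName": "LOCAL SERVICE"}},
    {"equals": {"winlog.event_data.TargetUserName": "NETWORK SERVICE"}},
]}

# As posted at the top of the thread: unquoted IDs plus a contains on event.category.
ORIGINAL_WHEN = {"and": [
    {"or": [{"equals": {"winlog.event_id": 4624}}, {"equals": {"winlog.event_id": 4625}}]},
    {"equals": {"winlog.event_data.LogonType": "3"}},
    {"contains": {"event.category": "authentication"}},
    NOISE_ACCOUNTS,
]}

# IDs quoted, but event.category still required: still never matches at this stage.
QUOTED_IDS_WHEN = {"and": [
    {"or": [{"equals": {"winlog.event_id": "4624"}}, {"equals": {"winlog.event_id": "4625"}}]},
    {"equals": {"winlog.event_data.LogonType": "3"}},
    {"contains": {"event.category": "authentication"}},
    NOISE_ACCOUNTS,
]}

# IDs quoted, no dependency on pipeline-added fields, network logons only.
FIXED_WHEN = {"and": [
    {"or": [{"equals": {"winlog.event_id": i}} for i in ("4624", "4625", "4634")]},
    {"equals": {"winlog.event_data.LogonType": "3"}},
    NOISE_ACCOUNTS,
]}


def dropped(when, events=EVENTS):
    """Return the TargetUserName of every event the condition would drop."""
    return [get_field(e, "winlog.event_data.TargetUserName") for e in events if evaluate(when, e)]


if __name__ == "__main__":
    for name, when in (("original", ORIGINAL_WHEN), ("quoted ids", QUOTED_IDS_WHEN), ("fixed", FIXED_WHEN)):
        print(f"{name:>10}: drops {dropped(when)}")
```

Running it shows the original clause and the quoted-IDs-only clause dropping nothing, while the fixed clause drops the machine account and SYSTEM network logons and keeps both the real user and the LogonType 2 machine-account event. The same dry run is a cheap way to check any future `drop_event` rule against a captured debug event before rolling it out.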

I was wondering, do the processors have to be included inside winlogbeat.event_logs: to work properly? Because I'm using processors inside output.elasticsearch:

Another thing, how can I search all user.name values that have "HUMAP-WK-" in the name? Like a contains; I want to know how many event.code are being generated by machine accounts.

I tried ES|QL but couldn't find a way. Example below for one machine account.

FROM winlogbeat-* | WHERE agent.hostname == "HUMAP-VP-AD1" AND event.code == "4624" AND user.name LIKE "HUMAP-WK-255904$"

Instead of 1 user, I want all users who have HUMAP-WK-… in the name. Thanks guys, and sorry for the delay in answering.

Guys, I solved it.

It was my bad from the beginning: I was using the processors to drop the events inside the output.elasticsearch block, but the correct way is inside winlogbeat.event_logs, lmao. Thanks for all your help.

The example below has worked properly.

winlogbeat.event_logs:
  # Main Security logs with refined filtering to reduce noise
  - name: Security
    processors:
      - drop_event:
          when:
            and:
              - or:
                  - equals:
                      winlog.event_id: "4624"
                  - equals:
                      winlog.event_id: "4625"
                  - equals:
                      winlog.event_id: "4634"
              - or:
                  # System accounts
                  - equals:
                      winlog.event_data.TargetUserName: "SYSTEM"
                  - equals:
                      winlog.event_data.TargetUserName: "LOCAL SERVICE"
                  - equals:
                      winlog.event_data.TargetUserName: "NETWORK SERVICE"
                  # Machine accounts (ends with $ in the name.)
                  - regexp:
                      winlog.event_data.TargetUserName: ".*\\$"