0xf (Blint), December 15, 2021, 8:47am, #1
So basically what I would like to do is drop everything from the fields and manually include a few.
That is to say, I want to drop every field that I'm not putting/specifying in this config file.
In this case I tried to specify it and tie it to the 4624 and 4625 event IDs.
But my second problem is that "drop_fields" doesn't seem to work at all, even when I try to drop only a specific field.
```yaml
- name: Security
  event_id: 4624, 4625
  ignore_older:
  processors:
    - drop_event.when.or:
        - and:
            - equals.winlog.event_id: 4624
            - or:
                # Exclude these conditions from Event ID 4624
                - equals.winlog.event_data.TargetUserName: 'SYSTEM'
                - equals.winlog.event_data.SubjectUserSid: 'S-1-0-0'
        - and:
            - equals.winlog.event_id: 4625
            - or:
                # Exclude these conditions from Event ID 4625
                - equals.winlog.event_data.TargetUserSid: 'S-1-5-18'
                - equals.winlog.event_data.TargetUserName: 'SYSTEM'
    - drop_fields:
        fields: ["winlog.channel", "winlog.event_data.IpAddress", "winlog.event_data.IpPort", "winlog.event_data.LogonProcessName", "winlog.event_data.ProcessName", "winlog.event_data.SubjectDomainName", "winlog.event_data.TargetUserName", "winlog.event_data.TargetUserSid"]
        when.not.or:
          - equals.winlog.event_id: 4624
          - equals.winlog.event_id: 4625
```
andrewkroh (Andrew Kroh), December 16, 2021, 12:32am, #2
I think you need to quote the numbers to make them a string. And I would add `ignore_missing: true` to the drop_fields.
```yaml
processors:
  - drop_event.when.or:
      - and:
          - equals.winlog.event_id: '4624'
          - or:
              - equals.winlog.event_data.TargetUserName: SYSTEM
              - equals.winlog.event_data.SubjectUserSid: S-1-0-0
      - and:
          - equals.winlog.event_id: '4625'
          - or:
              - equals.winlog.event_data.TargetUserSid: S-1-5-18
              - equals.winlog.event_data.TargetUserName: SYSTEM
  - drop_fields:
      fields:
        - winlog.channel
        - winlog.event_data.IpAddress
        - winlog.event_data.IpPort
        - winlog.event_data.LogonProcessName
        - winlog.event_data.ProcessName
        - winlog.event_data.SubjectDomainName
        - winlog.event_data.TargetUserName
        - winlog.event_data.TargetUserSid
      ignore_missing: true
      when.not.or:
        - equals.winlog.event_id: '4624'
        - equals.winlog.event_id: '4625'
```
0xf (Blint), December 16, 2021, 3:03pm, #3
It doesn't seem to take effect. I still see the old fields appearing in Kibana.
Also, I noticed this at the end:
```yaml
when.not.or:
  - equals.winlog.event_id: '4624'
  - equals.winlog.event_id: '4625'
```
So here we basically exclude events 4624 and 4625. The problem is that I actually want to specify which fields I keep in 4624 and 4625.
Also, when I run this, it's only dropping these specific fields. I would like it the other way around: if an event does not match these, drop the other fields; if it matches, I want to keep them.
```yaml
- drop_fields:
    fields:
      - winlog.channel
      - winlog.event_data.IpAddress
      - winlog.event_data.IpPort
      - winlog.event_data.LogonProcessName
      - winlog.event_data.ProcessName
      - winlog.event_data.SubjectDomainName
      - winlog.event_data.TargetUserName
      - winlog.event_data.TargetUserSid
    ignore_missing: true
```
Can I do something that targets 4624 and 4625, where I can include fields manually and drop all the others?
I really would like to drop every "winlog" field and then specify which ones I want to keep. Excluding fields one by one is not an option for me.
0xf (Blint), December 17, 2021, 1:41pm, #4
I think I solved my problem. With this, everything else is dropped but the specified fields are not.
It was easier to use the following:
```yaml
processors:
  - include_fields:
      fields: ["winlog.channel", "winlog.event_data.IpAddress", "winlog.event_data.IpPort", "winlog.event_data.LogonProcessName", "winlog.event_data.ProcessName", "winlog.event_data.SubjectDomainName", "winlog.event_data.TargetUserName", "winlog.event_data.TargetUserSid"]
```
So I tie this to the type of the log source, for example 'System' or 'Security':
```yaml
- name: System
  ignore_older:
  event_id: 7036
  processors:
    - include_fields:
        fields: ["winlog.event_id", "winlog.channel", "winlog.event_data.param1", "winlog.event_data.param2"]
- name: Security
  ignore_older:
  event_id: 2
  processors:
    - include_fields:
        fields: ["winlog.event_id", "winlog.channel", "winlog.event_data.param1", "winlog.event_data.param2"]
```
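For reference, here is a complete Winlogbeat `event_logs` entry that combines the pieces discussed in this thread. It is an added illustration, not code from any of the posts above or from the Winlogbeat documentation: the Security channel is limited to 4624 and 4625, the `drop_event` exclusions from the first two replies are kept (with event IDs quoted, since `winlog.event_id` is a string field), and `include_fields` is used as an allowlist, scoped with a `when` condition so that each event ID keeps its own set of fields. The field lists, the `72h` value for `ignore_older`, and the choice to keep `Status`/`SubStatus` on 4625 are assumptions made for the example. Two caveats a practitioner will want: `include_fields` always keeps `@timestamp`, `@metadata` and `type` regardless of the list, and anything removed by these processors never reaches Elasticsearch, so dropping SYSTEM / S-1-5-18 logons should be a deliberate decision rather than a convenience.

```yaml
# winlogbeat.yml fragment (illustrative; assumed values are marked as such)
winlogbeat.event_logs:
  - name: Security
    event_id: 4624, 4625       # comma-separated list; a range such as 4624-4625 also works
    ignore_older: 72h          # assumption: skip events older than 72 hours on first run
    processors:
      # 1. Drop the noisy machine-account logons from the thread.
      #    winlog.event_id is a string, so the IDs must be quoted.
      - drop_event:
          when.or:
            - and:
                - equals.winlog.event_id: '4624'
                - or:
                    - equals.winlog.event_data.TargetUserName: SYSTEM
                    - equals.winlog.event_data.SubjectUserSid: S-1-0-0
            - and:
                - equals.winlog.event_id: '4625'
                - or:
                    - equals.winlog.event_data.TargetUserSid: S-1-5-18
                    - equals.winlog.event_data.TargetUserName: SYSTEM

      # 2. Allowlist per event ID: every field not listed is removed.
      #    @timestamp, @metadata and type are always retained by include_fields.
      - include_fields:
          when.equals.winlog.event_id: '4624'
          fields:
            - host.name
            - event.code
            - winlog.channel
            - winlog.event_id
            - winlog.event_data.LogonType
            - winlog.event_data.IpAddress
            - winlog.event_data.IpPort
            - winlog.event_data.LogonProcessName
            - winlog.event_data.ProcessName
            - winlog.event_data.SubjectDomainName
            - winlog.event_data.TargetUserName
            - winlog.event_data.TargetUserSid
      - include_fields:
          when.equals.winlog.event_id: '4625'
          fields:
            - host.name
            - event.code
            - winlog.channel
            - winlog.event_id
            - winlog.event_data.LogonType
            - winlog.event_data.Status       # assumption: failure codes are worth keeping
            - winlog.event_data.SubStatus
            - winlog.event_data.IpAddress
            - winlog.event_data.TargetUserName
            - winlog.event_data.TargetDomainName
```

Processor order matters here: `drop_event` runs before `include_fields`, so it can still test `SubjectUserSid` even though that field is not in the 4624 allowlist. If the two were swapped, the exclusion for `S-1-0-0` would silently never match. Validate the file with `winlogbeat test config -c winlogbeat.yml` before deploying, since a YAML indentation mistake in a processor block is the usual reason a `drop_fields` or `include_fields` "does nothing".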
system (system), Closed, January 14, 2022, 3:42pm, #5
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.