Winlogbeat not dropping multicast traffic using drop_event.when.or

Using drop_event.when.or I've attempted to exclude multicast traffic logs from being sent over as well as logs containing the keyword "zabbix". However, I am still receiving these events.

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System
    processors:
      - drop_fields:
          fields: [winlog.provider_guid, winlog.process.pid, winlog.process.thread.id, winlog.version, winlog.event_data.ErrorSourceTable]
      - drop_event.when.or:
        - contains.event_data: "224.0.0" #Drop multicast traffic
        - contains.event_data: "239.255.255.250" #Drop multicast traffic
        - contains.event_data: "zabbix" #Drop zabbix traffic

  - name: Security
    processors:
      - drop_fields:
          fields: [winlog.provider_guid, winlog.process.pid, winlog.process.thread.id, winlog.version, winlog.event_data.ErrorSourceTable]
      - drop_event.when.or:
        - contains.event_data: "224.0.0" #Drop multicast traffic
        - contains.event_data: "239.255.255.250" #Drop multicast traffic
        - contains.event_data: "zabbix" #Drop zabbix traffic
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - drop_fields:
          fields: [winlog.provider_guid, winlog.process.pid, winlog.process.thread.id, winlog.version, winlog.event_data.ErrorSourceTable]
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
    processors:
      - drop_fields:
          fields: [winlog.provider_guid, winlog.process.pid, winlog.process.thread.id, winlog.version, winlog.event_data.ErrorSourceTable]
      - script:
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
    processors:
      - drop_fields:
          fields: [winlog.provider_guid, winlog.process.pid, winlog.process.thread.id, winlog.version, winlog.event_data.ErrorSourceTable]
      - script:
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - name: ForwardedEvents
    tags: [forwarded]
    processors:
      - drop_fields:
          fields: [winlog.provider_guid, winlog.process.pid, winlog.process.thread.id, winlog.version, winlog.event_data.ErrorSourceTable]
      - script:
          when.equals.winlog.channel: Security
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
      - script:
          when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
      - script:
          when.equals.winlog.channel: Windows PowerShell
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
      - script:
          when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

I changed the field to winlog.event_data for the security log just to test and still no luck:

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System
    processors:
      - drop_fields:
          fields: [winlog.provider_guid, winlog.process.pid, winlog.process.thread.id, winlog.version, winlog.event_data.ErrorSourceTable]
      - drop_event.when.or:
        - contains.winlog.event_data: "224.0.0" #Drop multicast traffic
        - contains.winlog.event_data: "239.255.255.250" #Drop multicast traffic
        - contains.winlog.event_data: "zabbix" #Drop zabbix traffic

  - name: Security
    processors:
      - drop_fields:
          fields: [winlog.provider_guid, winlog.process.pid, winlog.process.thread.id, winlog.version, winlog.event_data.ErrorSourceTable]
      - drop_event.when.or:
        - contains.winlog.event_data: "224.0.0" #Drop multicast traffic
        - contains.winlog.event_data: "239.255.255.250" #Drop multicast traffic
        - contains.winlog.event_data: "zabbix" #Drop zabbix traffic
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - drop_fields:
          fields: [winlog.provider_guid, winlog.process.pid, winlog.process.thread.id, winlog.version, winlog.event_data.ErrorSourceTable]
      - drop_event.when.or:
        - contains.event_data: "224.0.0" #Drop multicast traffic
        - contains.event_data: "239.255.255.250" #Drop multicast traffic
        - contains.event_data: "zabbix" #Drop zabbix traffic
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
    processors:
      - drop_fields:
          fields: [winlog.provider_guid, winlog.process.pid, winlog.process.thread.id, winlog.version, winlog.event_data.ErrorSourceTable]
      - script:
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
    processors:
      - drop_fields:
          fields: [winlog.provider_guid, winlog.process.pid, winlog.process.thread.id, winlog.version, winlog.event_data.ErrorSourceTable]
      - script:
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - name: ForwardedEvents
    tags: [forwarded]
    processors:
      - drop_fields:
          fields: [winlog.provider_guid, winlog.process.pid, winlog.process.thread.id, winlog.version, winlog.event_data.ErrorSourceTable]
      - script:
          when.equals.winlog.channel: Security
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
      - script:
          when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
      - script:
          when.equals.winlog.channel: Windows PowerShell
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
      - script:
          when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

This won't match because contains acts like a substring match and event_data is an object. If you can change event_data to a leaf field that contains a string like winlog.event_data.IpAddress things will work better.

And BTW there is a condition for matching network addresses. See https://www.elastic.co/guide/en/beats/winlogbeat/7.7/defining-processors.html#condition-network.

- drop_event:
    when.network:
      winlog.event_data.IpAddress: [multicast]

Thanks for your reply, Andrew. I thought about it some last night and came to that conclusion so I modified the line to:

processors:
  - drop_event.when.or:
      - equals.event_data.ProcessName: "zabbix_agentd.exe"

This was after looking in Kibana to find ProcessName:

Dec 22, 2020 @ 22:55:43.566

process_name:
    zabbix_agentd.exe
opcode:
    Info
level:
    information
src_ip_rfc:
    RFC_1918
 .......

Unfortunately this did not work either. I tried modifying it to equals.winlog.event_data.ProcessName with no luck.

I also tried this one and had no luck with filtering out multicast:

    #-------------------------- Windows Logs To Collect -----------------------------
    winlogbeat.event_logs:
      - name: Application
        ignore_older: 30m
      - name: Security
        ignore_older: 30m
        processors:
          - drop_event:
              when.network:
                winlog.event_data.IpAddress: [multicast]
      - name: System
        ignore_older: 30m
      - name: Microsoft-windows-sysmon/operational
        ignore_older: 30m
      - name: Microsoft-windows-PowerShell/Operational
        ignore_older: 30m
        event_id: 4103, 4104
      - name: Windows PowerShell
        event_id: 400,600
        ignore_older: 30m
      - name: Microsoft-Windows-WMI-Activity/Operational
        event_id: 5857,5858,5859,5860,5861

This was received a few minutes after making the change and restarting the winlogbeat service.

    event_original_message	
    The Windows Filtering Platform has permitted a connection.

    Application Information:
    	Process ID:		884
    	Application Name:	\device\harddiskvolume2\windows\system32\svchost.exe

    Network Information:
    	Direction:		Inbound
    	Source Address:		224.0.0.252
    	Source Port:		5355
    	Destination Address:	10.0.0.188
    	Destination Port:		62098
    	Protocol:		17

    Filter Information:
    	Filter Run-Time ID:	0
    	Layer Name:		Receive/Accept
    	Layer Run-Time ID:	44
    event_original_time	
    2020-12-23T17:21:30.156Z
    keywords	Audit Success
    level	information
    log_name	Security

This worked. Guess I have to do another one for DestinationAddress? Still unable to filter the zabbix events unfortunately. Tried filtering it based on source port and it did not work.

processors:
  - drop_event.when.or:
      - network:
          winlog.event_data.SourceAddress: [multicast]
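Andrew's point above (contains is a substring test, so it can never fire on an object like event_data) and the question in the last post about needing a second condition for the destination address, as an added example that is not part of this thread and not Elastic's code: a small Python re-implementation of the equals, contains and network condition semantics, run against constructed Security 5156 events shaped like the one quoted earlier. The named range multicast is taken here as 224.0.0.0/4 plus ff00::/8 (my reading of the Beats docs, not Beats' own code). The event_data field names DestAddress and Application are what 5156 writes, but they are an assumption in this example; check them against your own events in Kibana before copying the condition.

```python
import ipaddress
from typing import Any

# Named ranges this evaluator understands; Beats' `network` condition also
# accepts CIDR literals. The sets are the standard RFC ranges (assumption).
NAMED_RANGES = {
    "multicast": ["224.0.0.0/4", "ff00::/8"],
    "private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7"],
    "loopback": ["127.0.0.0/8", "::1/128"],
}


def get_field(event: dict, path: str) -> Any:
    """Resolve a dotted field path in a nested event; None if any segment is missing."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def in_network(value: Any, ranges: list) -> bool:
    """True when `value` is an IP literal inside any named range or CIDR in `ranges`."""
    if not isinstance(value, str):
        return False
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False  # "-" or a hostname is not an address, so it cannot match
    for r in ranges:
        for cidr in NAMED_RANGES.get(r, [r]):
            if addr in ipaddress.ip_network(cidr, strict=False):
                return True
    return False


def matches(cond: dict, event: dict) -> bool:
    """Evaluate one single-key condition, e.g. {"contains.winlog.event_data.SourceAddress": "224.0.0"}
    or {"or": [...]}; the nested form {"network": {"winlog.event_data.IpAddress": ["multicast"]}} also works."""
    if len(cond) != 1:
        raise ValueError("a condition is a one-key mapping")
    ((key, arg),) = cond.items()
    op, _, field = key.partition(".")
    if op == "or":
        return any(matches(c, event) for c in arg)
    if op == "and":
        return all(matches(c, event) for c in arg)
    if op == "not":
        return not matches(arg, event)
    if op not in ("equals", "contains", "network"):
        raise ValueError(f"unsupported condition: {op}")
    if not field:  # nested form: the field name is the key of the inner mapping
        ((field, arg),) = arg.items()
    value = get_field(event, field)
    if op == "equals":
        return value == arg
    if op == "contains":
        # Substring test: only a string (or list of strings) can match. A mapping
        # such as winlog.event_data, or a missing field, never does.
        if isinstance(value, str):
            return arg in value
        if isinstance(value, list):
            return any(isinstance(v, str) and arg in v for v in value)
        return False
    return in_network(value, arg if isinstance(arg, list) else [arg])


def drop_event(when: dict, events: list) -> list:
    """Emulate `drop_event.when`: return the events that survive the filter."""
    return [e for e in events if not matches(when, e)]


def _wfp(app: str, src: str, sport: str, dst: str, dport: str, proto: str) -> dict:
    """Build a constructed 5156 event (not real telemetry) in Winlogbeat's winlog.event_data shape."""
    return {"winlog": {"channel": "Security", "event_id": "5156", "event_data": {
        "Application": app, "SourceAddress": src, "SourcePort": sport,
        "DestAddress": dst, "DestPort": dport, "Protocol": proto}}}


SVCHOST = "\\device\\harddiskvolume2\\windows\\system32\\svchost.exe"
ZABBIX = "\\device\\harddiskvolume2\\program files\\zabbix agent\\zabbix_agentd.exe"
WFP_INBOUND_MULTICAST = _wfp(SVCHOST, "224.0.0.252", "5355", "10.0.0.188", "62098", "17")
WFP_OUTBOUND_SSDP = _wfp(SVCHOST, "10.0.0.188", "51234", "239.255.255.250", "1900", "17")
WFP_ZABBIX = _wfp(ZABBIX, "10.0.0.188", "10050", "10.0.0.5", "40011", "6")
LOGON = {"winlog": {"channel": "Security", "event_id": "4624", "event_data": {
    "TargetUserName": "alice", "IpAddress": "10.0.0.7", "LogonType": "3"}}}
EVENTS = [WFP_INBOUND_MULTICAST, WFP_OUTBOUND_SSDP, WFP_ZABBIX, LOGON]

# The original post's condition: `contains` pointed at an object, so it never fires.
BROKEN_WHEN = {"or": [
    {"contains.event_data": "224.0.0"},
    {"contains.event_data": "239.255.255.250"},
    {"contains.event_data": "zabbix"},
]}

# Leaf string fields instead: `network` covers every multicast address for both
# directions, and `contains` on the (lowercase) Application path catches Zabbix.
FIXED_WHEN = {"or": [
    {"network.winlog.event_data.SourceAddress": ["multicast"]},
    {"network.winlog.event_data.DestAddress": ["multicast"]},
    {"contains.winlog.event_data.Application": "zabbix_agentd.exe"},
]}


def surviving_event_ids(when: dict) -> list:
    """Events a condition lets through, identified by (event_id, SourceAddress)."""
    return [(e["winlog"]["event_id"], e["winlog"]["event_data"].get("SourceAddress"))
            for e in drop_event(when, EVENTS)]


if __name__ == "__main__":
    print("broken filter keeps:", surviving_event_ids(BROKEN_WHEN))
    print("fixed filter keeps: ", surviving_event_ids(FIXED_WHEN))
```

Run as-is, the broken filter keeps all four constructed events and the fixed one keeps only the 4624 logon. Two things carry over to the real config: a condition under one channel's processors applies only to that channel, so the System log needs its own copy; and contains is case-sensitive, so match the path as Windows writes it in event_data, not the ProcessName or process_name that a later script or Kibana view shows.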
