Winlogbeat Powershell Module

Hi everyone,
we are trying to ship PowerShell logs (Event ID: 4103 / Provider: Microsoft-Windows-PowerShell) to Elastic.
Using the field "powershell.command.name" in our .yml file (PowerShell module fields | Winlogbeat Reference [7.17] | Elastic), the filtering on cmdlet names works fine.

But using the JSON objects within the invocation_details array doesn't.
I try to filter on Get-WMI cmdlet events using certain WMI classes (field powershell.command.invocation_details.value) or using the field powershell.command.invocation_details.related_command,
but I can't get it working using any of the powershell.command.invocation_details fields from the documentation above.
I assume there is something wrong in my way of addressing those JSON object properties ("value" / "related_command") within the invocation_details array, but I can't figure out what.

As a simple rule I tried:

processors:
  - script:
      lang: javascript
      id: powershell-operational
      file: "C:/Program Files/winlogbeat/module/powershell/config/winlogbeat-powershell.js"
  - drop_event.when.not:
      or:
        - equals.powershell.command.invocation_details.related_command: 'Get-WmiObject'
        - contains.powershell.command.invocation_details.related_command: 'Get-WmiObject'

but none of the events are written to the path in output.file.
As I wrote, equals.powershell.command.name: 'Clear-EventLog' is working fine.

Output (when redirecting to file) using no filter looks like this:

"powershell": {
        "command": {
            "name": "Get-WmiObject",
            "type": "Cmdlet",
            "invocation_details": [{
                    "type": "CommandInvocation",
                    "related_command": "Get-WmiObject",
                    "value": "\"Get-WmiObject\""
                }, {
                    "name": "\"Class\"",
                    "value": "\"Win32_OperatingSystem\"",
                    "type": "ParameterBinding",
                    "related_command": "Get-WmiObject"
                }, {
                    "type": "CommandInvocation",
                    "related_command": "Out-Default",
                    "value": "\"Out-Default\""
                }, {
                    "value": "\\\\\MCOSRV2061\\root\\cimv2:Win32_OperatingSystem=@\",
                    "type": "ParameterBinding",
                    "related_command": "Out-Default",
                    "name": "\"InputObject\""
                }
            ]
        }
}

Does anybody have a clue what the correct way is to address the values of the properties "related_command" and "value" within "invocation_details"?

Thanks a lot in advance for any input.

AFAIK beats processors don't work with arrays. But you could do this type of event filtering using the script processor and calling the Cancel() function if you find commands that you want to ignore.
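The approach the reply suggests, as an added example that is not part of the thread and not Elastic's code: a script-processor function that walks the invocation_details array of a 4103 event, keeps Get-WmiObject invocations whose -Class parameter is on an assumed watch-list, and calls event.Cancel() for everything else. It relies on the event.Get() and event.Cancel() methods the Beats script processor exposes; the FakeEvent shim, the watch-list and the two sample events are constructed here so the file runs outside Winlogbeat.

```javascript
// Added example (not from the original thread or from Elastic): a Winlogbeat
// script processor that keeps Get-WmiObject events for a watch-list of WMI
// classes and cancels everything else. Beats exposes event.Get() and
// event.Cancel() to the script; FakeEvent below is a constructed stand-in so
// the logic can be exercised without Winlogbeat. ES5 syntax on purpose: the
// Beats script engine does not support newer JavaScript.

// WMI classes to keep (assumed watch-list for this example).
var WATCHED_CLASSES = ["Win32_OperatingSystem", "Win32_Process", "Win32_Service"];

// Values in invocation_details arrive wrapped in literal double quotes
// (e.g. "\"Class\""), so strip one pair of surrounding quotes before comparing.
function unquote(s) {
  if (typeof s !== "string") return "";
  if (s.length >= 2 && s.charAt(0) === '"' && s.charAt(s.length - 1) === '"') {
    return s.slice(1, -1);
  }
  return s;
}

// Returns the WMI class bound to Get-WmiObject's -Class parameter, or null
// when the event has no such ParameterBinding entry. The array is treated
// as anything with a numeric length, which covers both plain JS arrays and
// the slice wrapper the Beats engine hands back (assumption).
function wmiClassOf(details) {
  if (!details || typeof details.length !== "number") return null;
  for (var i = 0; i < details.length; i++) {
    var d = details[i];
    if (d.type === "ParameterBinding" &&
        d.related_command === "Get-WmiObject" &&
        unquote(d.name) === "Class") {
      return unquote(d.value);
    }
  }
  return null;
}

// Decision helper: true when the event should reach the output.
function shouldKeep(details) {
  var cls = wmiClassOf(details);
  return cls !== null && WATCHED_CLASSES.indexOf(cls) !== -1;
}

// Entry point the Beats script processor calls for every event.
function process(event) {
  var details = event.Get("powershell.command.invocation_details");
  if (!shouldKeep(details)) {
    event.Cancel(); // drop the event before it is written to the output
  }
}

// --- Constructed shim so the file runs outside Winlogbeat -----------------
function FakeEvent(fields) { this.fields = fields; this.cancelled = false; }
FakeEvent.prototype.Get = function (path) {
  var cur = this.fields, parts = path.split(".");
  for (var i = 0; i < parts.length; i++) {
    if (cur === null || typeof cur !== "object" || !(parts[i] in cur)) return null;
    cur = cur[parts[i]];
  }
  return cur;
};
FakeEvent.prototype.Cancel = function () { this.cancelled = true; };

// Runs process() over a constructed event; returns true if it survived.
function runOn(details) {
  var ev = new FakeEvent({ powershell: { command: { invocation_details: details } } });
  process(ev);
  return !ev.cancelled;
}

// Constructed samples shaped like the 4103 output quoted in the question.
var SAMPLE_WMI = [
  { type: "CommandInvocation", related_command: "Get-WmiObject", value: "\"Get-WmiObject\"" },
  { name: "\"Class\"", value: "\"Win32_OperatingSystem\"", type: "ParameterBinding", related_command: "Get-WmiObject" },
  { type: "CommandInvocation", related_command: "Out-Default", value: "\"Out-Default\"" }
];
var SAMPLE_OTHER = [
  { type: "CommandInvocation", related_command: "Clear-EventLog", value: "\"Clear-EventLog\"" }
];
```

To use it in Winlogbeat, drop the shim section and point the script processor's `file:` at this file in place of (or chained after) the module's own winlogbeat-powershell.js, so the module has already built powershell.command.invocation_details before process() runs.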
