Winlogbeat Powershell Module

fsch · November 13, 2023, 1:35pm

Hi everyone
we try to ship Powershell logs (Event ID: 4103 / Provider: Microsoft-Windows-PowerShell) to elastic.
Using the field "powershell.command.name" in our .yml file ( PowerShell module fields | Winlogbeat Reference [7.17] | Elastic the filtering on commandlet names works fine.

But using the JSON objects within the invocation_details array doesn't.
I try to filter on Get-WMI cmdlet events using certain wmi-classes (field powershell.command.invocation_details.value) or using the field powershell.command.invocation_details.related_command
but I can't get it working using any of the powershell.command.invocation_details - fields from the documentation above.
I assume there is something wrong in my way to address those json object properties ("value" / "related_command") within the invocation_destails array, but I can't figure out what.

As for a simple rule I tried:

processors:
  - script:
	  lang: javascript
	  id: powershell-operational
	  file: "C:/Program Files/winlogbeat/module/powershell/config/winlogbeat-powershell.js"
  - drop_event.when.not:
	  or:
		- equals.powershell.command.invocation_details.related_command: 'Get-WmiObject'
		- contains.powershell.command.invocation_details.related_command: 'Get-WmiObject'

but none of the events are written to the path. in output.file
As I wrote - equals.powershell.command.name: 'Clear-EventLog' is working fine.

Output (when redirecting to file) using no filter looks like this:

"powershell": {
        "command": {
            "name": "Get-WmiObject",
            "type": "Cmdlet",
            "invocation_details": [{
                    "type": "CommandInvocation",
                    "related_command": "Get-WmiObject",
                    "value": "\"Get-WmiObject\""
                }, {
                    "name": "\"Class\"",
                    "value": "\"Win32_OperatingSystem\"",
                    "type": "ParameterBinding",
                    "related_command": "Get-WmiObject"
                }, {
                    "type": "CommandInvocation",
                    "related_command": "Out-Default",
                    "value": "\"Out-Default\""
                }, {
                    "value": "\\\\\MCOSRV2061\\root\\cimv2:Win32_OperatingSystem=@\",
                    "type": "ParameterBinding",
                    "related_command": "Out-Default",
                    "name": "\"InputObject\""
                }
            ]
        }
}

Does anybody have a clue what's the correct way to address the values of the properties "related_command" and "value" within the "invocation_details"?

Thanks a lot in advance for any input.

andrewkroh · November 20, 2023, 5:07pm

AFAIK beats processors don't work with arrays. But you could do this type of event filtering using the script processor and calling the Cancel() function if you find commands that you want to ignore.

system · December 18, 2023, 7:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filtering Windows Events - Beats winlogbeat	6	3901	June 15, 2017
Cant filter out events? Beats winlogbeat	15	875	November 24, 2020
Winlogbeats xml_query support for new line chars Beats winlogbeat	7	330	January 2, 2024
Parsing errors in Winlogbeat Powershell module Elasticsearch	1	297	December 19, 2022
Tagging event logs in Winlogbeat in order to filter in Logstash Beats winlogbeat	5	3843	December 30, 2017

Winlogbeat Powershell Module

Related topics