v.n (Vladimir Bunin)
September 21, 2020, 3:53pm
1
This page shows how to enable modules for security and sysmon but nothing for powershell.

winlogbeat.event_logs:
  - name: ForwardedEvents
    tags: [forwarded]
    processors:
      - script:
          when.equals.winlog.channel: Security
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
      - script:
          when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

If you want to enable PowerShell you need to do it as shown here:

winlogbeat.event_logs:
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
    processors:
      - script:
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
    processors:
      - script:
          lang: javascript
          id: powershell-operational
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

Is it possible to enable the PowerShell module according to the first type? For example, somehow:

processors:
  - script:
      when.equals.winlog.channel: Windows PowerShell and when.equals.event_id: 400, 403, 600, 800

How do I include multiple conditions in a processor script?

v.n (Vladimir Bunin)
September 22, 2020, 3:26pm
2

              I found the solution myself.
  - script:
      when.equals.winlog.channel: Security
      lang: javascript
      id: security
      file: ${path.home}/module/security/config/winlogbeat-security.js
  - script:
      when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
      lang: javascript
      id: sysmon
      file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
  - script:
      # conditions go under `when`; `and` and `or` take lists of sub-conditions
      when:
        and:
          - equals.winlog.channel: Windows PowerShell
          - or:
              # the event ID lives in the winlog.event_id field of the event
              - equals.winlog.event_id: 400
              - equals.winlog.event_id: 403
              - equals.winlog.event_id: 600
              - equals.winlog.event_id: 800
      lang: javascript
      id: powershell
      file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
  - script:
      when:
        and:
          - equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
          - or:
              - equals.winlog.event_id: 4103
              - equals.winlog.event_id: 4104
              - equals.winlog.event_id: 4105
              - equals.winlog.event_id: 4106
      lang: javascript
      id: powershell-operational
      file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
 
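To make the routing behaviour of the combined conditions concrete, here is an added example that is not from the thread or from Winlogbeat itself: a small Python model of the Beats condition operators (equals, has_fields, and, or, not) applied to constructed events. It assumes the event shape Winlogbeat 7.x emits (winlog.channel and a numeric winlog.event_id), and it goes slightly beyond the thread by also supporting has_fields and not, which the same evaluation loop handles.

```python
"""Model of how Winlogbeat evaluates processor `when` conditions.

Added example, not Winlogbeat's own code: it re-implements the documented
Beats condition operators (equals, has_fields, and, or, not) in plain Python
so the combined channel + event ID routing from this thread can be checked
offline. Field names (winlog.channel, winlog.event_id) and the sample events
are assumptions modelled on Winlogbeat 7.x output.
"""


def get_field(event, dotted_path):
    """Walk a nested dict along a dotted path; None if any segment is missing."""
    current = event
    for part in dotted_path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def flatten(mapping, prefix=""):
    """Turn {'winlog': {'channel': 'X'}} into {'winlog.channel': 'X'} so a
    condition written as nested YAML and one written with dotted keys
    (equals.winlog.channel: X) compare the same fields."""
    flat = {}
    for key, value in mapping.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def matches(condition, event):
    """True when the event satisfies the condition dict.

    Several fields under one `equals` must all match (implicit AND);
    `and`/`or` take lists of sub-conditions, `not` takes a single one."""
    for operator, body in condition.items():
        if operator == "equals":
            if any(get_field(event, path) != expected
                   for path, expected in flatten(body).items()):
                return False
        elif operator == "has_fields":
            if any(get_field(event, path) is None for path in body):
                return False
        elif operator == "and":
            if not all(matches(sub, event) for sub in body):
                return False
        elif operator == "or":
            if not any(matches(sub, event) for sub in body):
                return False
        elif operator == "not":
            if matches(body, event):
                return False
        else:
            raise ValueError(f"unsupported condition operator: {operator}")
    return True


def channel_and_ids(channel, event_ids):
    """Build the `when` block from the thread's solution: one channel AND
    any of several event IDs."""
    return {
        "and": [
            {"equals": {"winlog.channel": channel}},
            {"or": [{"equals": {"winlog.event_id": eid}} for eid in event_ids]},
        ]
    }


# The four script processors from the solution, as the parsed YAML would look.
PROCESSORS = [
    {"id": "security",
     "when": {"equals": {"winlog": {"channel": "Security"}}}},
    {"id": "sysmon",
     "when": {"equals": {"winlog": {"channel": "Microsoft-Windows-Sysmon/Operational"}}}},
    {"id": "powershell",
     "when": channel_and_ids("Windows PowerShell", (400, 403, 600, 800))},
    {"id": "powershell-operational",
     "when": channel_and_ids("Microsoft-Windows-PowerShell/Operational",
                             (4103, 4104, 4105, 4106))},
]


def make_event(channel, event_id):
    """Constructed minimal event in the shape Winlogbeat 7.x emits (assumption)."""
    return {"winlog": {"channel": channel, "event_id": event_id},
            "event": {"code": str(event_id)}}


def select_scripts(processors, event):
    """Ids of the script processors whose `when` matches, i.e. which module
    script Winlogbeat would run for this forwarded event."""
    return [proc["id"] for proc in processors if matches(proc["when"], event)]


if __name__ == "__main__":
    for channel, eid in [("Windows PowerShell", 400),
                         ("Windows PowerShell", 4104),
                         ("Microsoft-Windows-PowerShell/Operational", 4104),
                         ("Security", 4624)]:
        print(f"{channel:45} {eid:5} -> "
              f"{select_scripts(PROCESSORS, make_event(channel, eid))}")
```

Running it shows why the channel-only condition from the first post is not enough for PowerShell: an event from the "Windows PowerShell" channel with ID 4104 matches no script, while 400 on that channel and 4104 on the Operational channel each route to exactly one module script. Operators Beats also offers but this model leaves out (contains, regexp, range, network) would slot into the same loop.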

Pedro_77 (Pedro_77)
September 22, 2020, 8:03pm
3

Hello,
I have a similar topic: with winlogbeat 7.9 I'm trying to get fields which are "nested" in the message field,
for example:
 "message": "Endpoint: xxxyy211\nEndpoint IP: 10.1.1.x\nDomain: Agents\\xxx\\update\\\nDate/Time: 22.09.2020 13:43:16\nDetailed information:
All other "normal" fields can be indexed without problem. Is there some special option to start processing such fields as separate fields?
Thanks for your help,
Pedro

system (system), Closed
October 20, 2020, 10:03pm
4

              This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.