v.n
September 21, 2020, 3:53pm
1
This page shows how to enable modules for security and sysmon but nothing for powershell.
winlogbeat.event_logs:
name: ForwardedEvents
script:
script:
If you want to enable powershell you need to do it like shown here
winlogbeat.event_logs:
name: Windows PowerShell
script:
name: Microsoft-Windows-PowerShell/Operational
script:
Is it possible to enable powershell module according to the first type? For example somehow
processors:
How to include multiple conditions into processor script?
v.n
September 22, 2020, 3:26pm
2
I found the solution myself.
- script:
when.equals.winlog.channel: Security
lang: javascript
id: security
file: ${path.home}/module/security/config/winlogbeat-security.js
- script:
when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
lang: javascript
id: sysmon
file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
- script:
and:
equals.winlog.channel: Windows PowerShell
or:
equals.event_id: 400
equals.event_id: 403
equals.event_id: 600
equals.event_id: 800
lang: javascript
id: powershell
file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
- script:
and:
equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
or:
equals.event_id: 4103
equals.event_id: 4104
equals.event_id: 4105
equals.event_id: 4106
lang: javascript
id: powershell-operational
file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
Pedro_77
September 22, 2020, 8:03pm
3
Hello
I have similar topic, with winlogbeat 7.9 I'm trying to get fields which are "nested" in message field: "message": "Endpoint: xxxyy211\nEndpoint IP: 10.1.1.x\nDomain: Agents\\xxx\\update\\\nDate/Time: 22.09.2020 13:43:16\nDetailed information:
All other "normal" fields can index without problem. There is some special option to start process such kind of fields as seperate fields?
thanks for help