Any suggestions on how best to target just the events below — Security event 4658 ("The handle to an object was closed"), Audit Success, generated by our backup client (dsmcsvc.exe) — so that we can drop them in winlogbeat (7.5.0 in the example document)?
Could we do a regexp match on the process name? Our fear is that dropping on event.code (4658) or event.action ("File System") alone would also discard the same event type from other processes, which we want to keep. Note that in this document the field is nested as winlog.event_data.ProcessName, not event_data.ProcessName, so a drop_event processor would need to combine a condition on event.code: 4658 with a regexp on winlog.event_data.ProcessName anchored to the full path (e.g. `^C:\\Program Files\\Tivoli\\TSM\\baclient\\dsmcsvc\.exe$`), and could additionally require winlog.event_data.SubjectUserSid: S-1-5-18 so that a same-named binary run from another location or by another account is not silently filtered out of the SIEM.
Hints appreciated — thanks in advance!
{
"_index": "siempoc_winlogbeat-7.5.0-2019.12.15",
"_type": "_doc",
"_id": "pQ-eCm8BLpqjdLaNYc-Z",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2019-12-15T17:32:36.508Z",
"agent": {
"version": "7.5.0",
"type": "winlogbeat",
"ephemeral_id": "0bcd4dcf-f906-4bb9-b234-3d37021cbeaa",
"hostname": "tdchprt03",
"id": "ed2a3cc9-c384-46af-8aaa-cbddc05d628e"
},
"log": {
"level": "information"
},
"message": "The handle to an object was closed.\n\nSubject :\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tTDCHPRT03$\n\tAccount Domain:\t\t<redacted>\n\tLogon ID:\t\t0x3e7\n\nObject:\n\tObject Server:\t\tSecurity\n\tHandle ID:\t\t0xfa0\n\nProcess Information:\n\tProcess ID:\t\t0x83c\n\tProcess Name:\t\tC:\\Program Files\\Tivoli\\TSM\\baclient\\dsmcsvc.exe",
"winlog": {
"api": "wineventlog",
"provider_name": "Microsoft-Windows-Security-Auditing",
"event_id": 4658,
"computer_name": "tdchprt03<redacted>",
"opcode": "Info",
"record_id": 950353023,
"task": "File System",
"keywords": [
"Audit Success"
],
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"process": {
"pid": 4,
"thread": {
"id": 80
}
},
"event_data": {
"ObjectServer": "Security",
"HandleId": "0xfa0",
"ProcessId": "0x83c",
"ProcessName": "C:\\Program Files\\Tivoli\\TSM\\baclient\\dsmcsvc.exe",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TDCHPRT03$",
"SubjectDomainName": "<redacted>",
"SubjectLogonId": "0x3e7"
},
"channel": "Security"
},
"event": {
"provider": "Microsoft-Windows-Security-Auditing",
"action": "File System",
"created": "2019-12-15T17:32:39.308Z",
"kind": "event",
"code": 4658
},
"ecs": {
"version": "1.1.0"
},
"host": {
"name": "tdchprt03",
"hostname": "tdchprt03",
"id": "a543946a-cda2-43ba-8b27-a5d91690bec8"
}
}
}