Would dropping events by regexp match be possible?

Any suggestions on how we would best target just the events below from our backup client, for the purpose of dropping them in winlogbeat?

Could we do a regexp match on event_data.ProcessName? We fear that matching on event.code or event.action might drop too much.

Hints appreciated, TIA!

{
  "_index": "siempoc_winlogbeat-7.5.0-2019.12.15",
  "_type": "_doc",
  "_id": "pQ-eCm8BLpqjdLaNYc-Z",
  "_version": 1,
  "_score": null,
  "_source": {
    "@timestamp": "2019-12-15T17:32:36.508Z",
    "agent": {
      "version": "7.5.0",
      "type": "winlogbeat",
      "ephemeral_id": "0bcd4dcf-f906-4bb9-b234-3d37021cbeaa",
      "hostname": "tdchprt03",
      "id": "ed2a3cc9-c384-46af-8aaa-cbddc05d628e"
    },
    "log": {
      "level": "information"
    },
    "message": "The handle to an object was closed.\n\nSubject :\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tTDCHPRT03$\n\tAccount Domain:\t\t<redacted>\n\tLogon ID:\t\t0x3e7\n\nObject:\n\tObject Server:\t\tSecurity\n\tHandle ID:\t\t0xfa0\n\nProcess Information:\n\tProcess ID:\t\t0x83c\n\tProcess Name:\t\tC:\\Program Files\\Tivoli\\TSM\\baclient\\dsmcsvc.exe",
    "winlog": {
      "api": "wineventlog",
      "provider_name": "Microsoft-Windows-Security-Auditing",
      "event_id": 4658,
      "computer_name": "tdchprt03<redacted>",
      "opcode": "Info",
      "record_id": 950353023,
      "task": "File System",
      "keywords": [
        "Audit Success"
      ],
      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
      "process": {
        "pid": 4,
        "thread": {
          "id": 80
        }
      },
      "event_data": {
        "ObjectServer": "Security",
        "HandleId": "0xfa0",
        "ProcessId": "0x83c",
        "ProcessName": "C:\\Program Files\\Tivoli\\TSM\\baclient\\dsmcsvc.exe",
        "SubjectUserSid": "S-1-5-18",
        "SubjectUserName": "TDCHPRT03$",
        "SubjectDomainName": "<redacted>",
        "SubjectLogonId": "0x3e7"
      },
      "channel": "Security"
    },
    "event": {
      "provider": "Microsoft-Windows-Security-Auditing",
      "action": "File System",
      "created": "2019-12-15T17:32:39.308Z",
      "kind": "event",
      "code": 4658
    },
    "ecs": {
      "version": "1.1.0"
    },
    "host": {
      "name": "tdchprt03",
      "hostname": "tdchprt03",
      "id": "a543946a-cda2-43ba-8b27-a5d91690bec8"
    }
  }
}

I assume it would be possible if I just RTFM :wink:

Something like this, right?

processors:
  - drop_event:
      when:
        regexp:
          # Winlogbeat 7.x nests the event fields under winlog.event_data (see the
          # sample event above). Single quotes keep the backslashes literal for the
          # regexp engine; in double quotes YAML would turn "\\T" into the invalid escape \T.
          winlog.event_data.ProcessName: '^.+\\Tivoli\\TSM\\baclient\\dsmcsvc\.exe$'

Yeah, that's pretty common for reducing noise from benign activity. I would, however, recommend only using single quotes around regular expressions, so that you don't need to escape the contents, which often leads to confusion and mistakes.
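To show why the quoting matters, here is an added example (not from this thread or from the Beats project) that feeds the drop_event condition's pattern, as it arrives after YAML string parsing, to Go's RE2-based regexp package, which Beats is built with. The sample ProcessName is the value from the event above; the second process path is a constructed non-matching value.

```go
package main

import (
	"fmt"
	"regexp"
)

// Sample value copied from the winlog.event_data.ProcessName field above.
const sampleProcessName = `C:\Program Files\Tivoli\TSM\baclient\dsmcsvc.exe`

// What the regexp engine receives when the pattern was written in double quotes:
// YAML collapses "\\T" to a single backslash followed by T, an unknown escape in RE2.
const patternFromDoubleQuotes = `.+\Tivoli\TSM\baclient\dsmcsvc.exe`

// What the engine receives when the pattern was written in single quotes:
// YAML keeps the text verbatim, so \\ is an escaped backslash matching one path separator.
const patternFromSingleQuotes = `^.+\\Tivoli\\TSM\\baclient\\dsmcsvc\.exe$`

// matchesDropCondition reports whether a regexp condition with the given pattern
// would match processName. A pattern that does not compile is returned as an error,
// which is the failure Winlogbeat would report when loading the processor config.
func matchesDropCondition(pattern, processName string) (bool, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, err
	}
	return re.MatchString(processName), nil
}

func main() {
	// Constructed path of an unrelated process that must not be dropped.
	otherProcess := `C:\Windows\System32\lsass.exe`
	for _, p := range []string{patternFromDoubleQuotes, patternFromSingleQuotes} {
		for _, name := range []string{sampleProcessName, otherProcess} {
			ok, err := matchesDropCondition(p, name)
			fmt.Printf("pattern %-48q on %-52q -> drop=%v err=%v\n", p, name, ok, err)
		}
	}
}
```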
