Cyb3rWard0g / HELK

The Hunting ELK
GNU General Public License v3.0

Unable to drop_event in winlogbeat #533

Closed josephtillman11 closed 3 years ago

josephtillman11 commented 3 years ago

The drop_event processor is not taking effect even though the config tests ok. I have also tried -equals.winlog.event_data.ProcessName:

#-------------------------- Windows Logs To Collect -----------------------------
winlogbeat.event_logs:
  - name: Application
    ignore_older: 30m
  - name: Security
    ignore_older: 30m
    processors:
      - drop_event.when.or:
          - equals.event_data.ProcessName: "zabbix_agentd.exe"
  - name: System
    ignore_older: 30m
  - name: Microsoft-windows-sysmon/operational
    ignore_older: 30m
  - name: Microsoft-windows-PowerShell/Operational
    ignore_older: 30m
    event_id: 4103, 4104
  - name: Windows PowerShell
    event_id: 400,600
    ignore_older: 30m
  - name: Microsoft-Windows-WMI-Activity/Operational
    event_id: 5857,5858,5859,5860,5861

Kibana discovery still shows this after adding drop_event processor:

Dec 22, 2020 @ 22:55:43.566

process_name:
    zabbix_agentd.exe
opcode:
    Info
level:
    information
src_ip_rfc:
    RFC_1918
.......

robomotic commented 3 years ago

Huuu hooooo interesting. Could you attach the raw evtx file? I am assuming the process name is not the full path of the binary (I remember it was an issue between Windows versions). Also as a note it could also be filtered in the Logstash pipeline at the expense of volume of course. Please post your file and I will take a look.

priamai commented 3 years ago

@josephtillman11 could you try to first drop all process creation events?

winlogbeat.event_logs:
  - name: Security
    processors:
      - drop_event.when.or:
        - equals.winlog.event_id: 4624

This will help understand whether it is a case-matching issue.
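To make the two failure modes discussed above visible on concrete data, here is a small Python model of what a Winlogbeat `drop_event.when.equals` condition does. It is an added example, not code from Winlogbeat or HELK: the dotted-path lookup mirrors the Beats behaviour, while the sample events and the assumption that several keys under one `equals` are ANDed are this example's own. It shows that a condition on `event_data.ProcessName` is syntactically valid yet never matches events whose fields live under `winlog`, and that an exact `equals` on `zabbix_agentd.exe` misses an event carrying the full path of the binary, which is the case robomotic raised.

```python
"""Toy evaluator for a Winlogbeat-style `equals` condition.

Added example, not code from Winlogbeat or HELK. It models only the
dotted field-path lookup a `drop_event.when.equals` condition performs,
so that a config which "tests ok" but drops nothing can be reproduced
on constructed events.
"""
from typing import Any, Mapping

# Constructed sample events shaped like Winlogbeat 7.x output, where
# event fields sit under the "winlog" key. Values are made up for this
# example; 4688 is the Security log process-creation event.
SAMPLE_EVENTS = [
    {"winlog": {"event_id": 4688,
                "event_data": {"ProcessName": "zabbix_agentd.exe"}}},
    {"winlog": {"event_id": 4688,
                "event_data": {"ProcessName": "C:\\zabbix\\zabbix_agentd.exe"}}},
    {"winlog": {"event_id": 4624,
                "event_data": {"LogonType": "3"}}},
]


def lookup(event: Mapping[str, Any], dotted_path: str) -> Any:
    """Resolve "a.b.c" against nested dicts; None when any segment is absent."""
    current: Any = event
    for part in dotted_path.split("."):
        if not isinstance(current, Mapping) or part not in current:
            return None
        current = current[part]
    return current


def equals_matches(event: Mapping[str, Any], conditions: Mapping[str, Any]) -> bool:
    """True when every key/value pair matches exactly.

    Assumption of this toy: multiple keys under one `equals` are ANDed.
    Comparison is exact, so a full path never equals a bare file name.
    """
    return all(lookup(event, key) == value for key, value in conditions.items())


def apply_drop_event(events, conditions):
    """Return the events that survive a drop_event with the given equals condition."""
    return [e for e in events if not equals_matches(e, conditions)]


def count_dropped(events, conditions) -> int:
    """How many events the condition would drop."""
    return len(events) - len(apply_drop_event(events, conditions))


if __name__ == "__main__":
    # Path without the "winlog." prefix: valid YAML, but nothing is ever dropped.
    print(count_dropped(SAMPLE_EVENTS, {"event_data.ProcessName": "zabbix_agentd.exe"}))
    # Correct path: only the bare-name event is dropped; the full-path event survives.
    print(count_dropped(SAMPLE_EVENTS, {"winlog.event_data.ProcessName": "zabbix_agentd.exe"}))
    # Dropping by event id, as suggested above, works independently of ProcessName.
    print(count_dropped(SAMPLE_EVENTS, {"winlog.event_id": 4624}))
```

When the full path shows up in `ProcessName`, an exact `equals` is the wrong tool; Beats conditions also offer `contains` and `regexp`, which can match on the file name alone. Printing a few live events to the console before writing the filter avoids guessing at both the field path and the value shape.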

josephtillman11 commented 3 years ago

I was able to resolve the issue. Here's the config that worked:

winlogbeat.event_logs:
  - name: Security
    processors:
      - drop_event.when:
          and:
            - equals:
                winlog.event_data.EventId: 4624

priamai commented 3 years ago

Interesting, so this should work:

winlogbeat.event_logs:
  - name: Security
    processors:
      - drop_event.when:
          and:
            - equals:
                winlog.event_data.EventId: 4624
                winlog.event_data.ProcessName: "zabbix_agentd.exe"

Cyb3rWard0g commented 3 years ago

Thank you @priamai , @josephtillman11 and @robomotic !