Windows Security Content Pack for Graylog
Tested with Winlogbeat & Filebeat 7.12.1.0 / Windows 2022 / Windows 10 / Graylog 5.2.2
The Content Pack should be compatible with all Graylog 5.2.X version. This content pack contains configuration for Windows 10 Security Events, for Windows Server 2022 Security Event, For Active Directory, For Windows DNS & DHCP Server, for DFS Server.
Note this was built using filebeat and Winlogbeat as the log exporter. No inputs extractor were used, only pipeline rules.
Do not need additionnal Grok pattern, uses the default like WORD/GREEDYDATA etc..
Includes
- Input (Beats/TCP/5044)
- Stream (Filebeat & Winlogbeat)
- Pipeline Rules w/ stages
- Lookup table + Data adapter + data cache
- Dashboards
Not included
You need to download manually the CSV.
- macaddress.csv
- dhcpv4_opcode.csv
- file_monitoring_permissions.csv
- registry.csv
- windows_id.csv
- Windows-EventID-to-EventDescription.csv
Add it to your Graylog server in /srv. If different location, modify the content_pack.json to change location path (CTRL + F and replace all occurences with the desired path)
If you do not add it, some Dashboards will not display all infos, these CSV are used for Lookup Table to enrich data.
Requirements
- Graylog 5.2.0
- Sidecar API Token Created
- Graylog Sidecar Agent 1.5.0
- Winlogbeat & Filebeat 7.12.1
- Winlogbeat Security & Powershell Module
- Edit Windows-Security-Content-Pack.json before uploading it ! (See requirements)
Agents Configuration (Requirement)
Be careful, by default Graylog Sidecar 1.5.0 embedd two bad binary version of Filebeat and Winlogbeat which are 8.9.0 and OpenSearch 2.X is not compatible ! The latest compatible version is 7.12.1. Replace the two binary with the 7.12.1 version.
Download filebeat archive and extract .exe
Download winlogbeat archive and extract .exe
Create your Graylog Sidecar token API (Requirement)
You will need to generate an API Token for your Sidecar agent to be able to communicate with Graylog. Follow this Graylog guide if you don't know how.
Add the Winlogbeat modules to your Sidecar folder agent. (Requirement)
By default, Graylog Sidecar does not embedd the Winlogbeat modules
C:\Program Files\Graylog\sidecar\moduleDownload the module folder on this project and add it to your computer/server.
Visit for more info
Edit Windows-Security-Content-Pack.json (Requirement)
I've made some Dashboard based on Server names to filter in or out some event logged. You will need to adjust the filter based on your infrastructure.
-
Follow these instructions:
-
Search & replace (use Notepadd for example):
-
srv*---> this filter means all Netbios name starting with srv (eg: srvdfs, srvad1, etc), I use it to show only computers data on dashboard by using NOT conditions, you should replace this filter with either the name of all of your servers or another field key which is easier to implement and that identify all servers.- replace the string
srv*by(name1 OR name2 OR name3)where nameX is all your servers name -
- replace the string
-
(srvad1 OR srvad2)--> on my test prod, I have 2 AD DC, I use a filter where I want to show data only from my 2 DC- replace the strings
(srvad1 OR srvad2)by(DCname1 OR DCname2 OR DCname3)where DCnameX is all your DC name
- replace the strings
-
srvdfs1--> on my test prod, I have a DFS Server hosting SAMBA Share, so I created a Dashboard to monitor files event for this server, if you don't have one you can ignore and delete the dashboard tab on the Web UI.- replace the string
srvdfs1byyourdfsnameif you have one
- replace the string
-
Europe/Paris--> on my test prod, I'm in France so the Timezone is this one, if you are from another timezone, replace with the desired one- replace the string
Europe/ParisbyCountry/Towntimezone of your choice
- replace the string
-
graylog.lab.lan--> it is my test domain FQDN, change it according to your server FQDN / IP Address, so that all sidecars are correctly configured to send data to your Graylog Server- replace the string
graylog.lab.lanbygraylog.your.fqdn.comwhich normally should correspond to the FQDN point to your graylog server
- replace the string
-
Create Index for each stream
By default, the Content Pack can't embeed Index, I recommand you to create one in order to separate Filebeat and Winlogbeat and so on. I don't think you want to have all data in the same index. It is like eating all the meal ingredient at the same time, it's difficult to recognize the taste of each.
And change the Index for the Winlogbeat stream.
Repeat the process for Filebeat.
Screenshots
- Active Directory
- Account Management
- Auth
- Defender
- DHCP Server
- DNS Client
- DNS Server
- Log Event Viewer
- Windows Firewall
-
And so on...
References
- jhochwald winlogbeat security
- Windows Security Monitoring - Scenarios and Patterns - Book by Andrei Miroshnikov (Very good book, I recommend you to buy it)