
Winlogbeat pipeline improvements #36657

Open
jguay opened this issue Sep 22, 2023 · 4 comments
Labels: enhancement, Team:Security-Windows Platform (Windows Platform Team in Security Solution), Winlogbeat

Comments

jguay (Contributor) commented Sep 22, 2023

Describe the enhancement:
A Winlogbeat user is sending recommendations and a pipeline for the Winlogbeat developers to review.

Describe a specific use case for the enhancement or feature:

winlogbeat suggestions

| Event Code Affected | Change Made | Overwrites Existing Fields |
|---|---|---|
| 18454 | Set event outcome success for a list of conditional event codes | No |
| 18456 & 18452 & 4625 | Set event outcome failure for a list of conditional event codes | No |
| 18456, 18454, 18452, 4625 | Set event category to authentication if it doesn't exist | No |
| 18456 | Parse user.name and/or user.domain from winlog.event_data.param1 | No |
| 18456 | Set user.name to winlog.user.name if it exists | No |
| 18456 | Set user.name to winlog.event_data.param1 | No |
| 18456 | Parse event.reason from winlog.event_data.param2 | No |
| 18456 | Parse client address from winlog.event_data.param3 (added an additional grok parser to retrieve the text) | No |
| 18454 | Parse client address from winlog.event_data.param2 (added an additional grok parser to retrieve the text) | No |
| 18452 | Parse client address from winlog.event_data.param1 (added an additional grok parser to retrieve the text) | No |
| 4625 & 4624 | Convert hex PID to decimal into process.pid | No |
| 4625 & 4624 | Parse process.name and exec path from winlog.event_data.ProcessExecutable | No |
| 1 | Set winlog.event_data.ProcessId into process.pid | No |
| 4625 & 4624 | Set winlog.logon.code to winlog.event_data.LogonType | No |
| 4625 & 4624 | Set user.domain to winlog.event_data.TargetDomainName | No |
| 4625 & 4624 | Set user.name to winlog.event_data.TargetUserName | No |
| 4625 & 4624 | Set user.id to winlog.event_data.TargetUserSid | No |
| 4648 | Set user.domain to winlog.event_data.SubjectDomainName | No |
| 4648 | Set user.name to winlog.event_data.SubjectUserName | No |
| 4648 | Set user.id to winlog.event_data.SubjectUserSid | No |
| 4625 & 4624 | Set server.user.domain to winlog.event_data.SubjectDomainName | No |
| 4625 & 4624 | Set server.user.name to winlog.event_data.SubjectUserName | No |
| 4625 & 4624 | Set server.user.id to winlog.event_data.SubjectUserSid | No |
| 4648 | Set user.effective.name to winlog.event_data.TargetUserName | No |
| 4648 | Set user.effective.id to winlog.event_data.TargetUserSid | No |
| 4648 | Set user.effective.domain to winlog.event_data.TargetDomainName | No |
| 4625 & 4624 | Set source.domain to winlog.event_data.WorkstationName if it exists | No |
| 4625 & 4624 | Set source.ip to winlog.event_data.IpAddress if it exists | No |
| 4625 & 4624 | Set source.port to winlog.event_data.IpPort if it exists | No |
| 4625 & 4624 | Set package.name to winlog.event_data.AuthenticationPackageName if it exists | No |
| 4625 & 4624 | Set winlog.logon.process.name to winlog.event_data.LogonProcessName if it exists | No |
| 4625 & 4624 | Set service.name to winlog.event_data.TransmittedServices if it exists | No |
| 1 | Parse process.name and exec path from winlog.event_data.Image if it exists and process.name does not | No |
| 1 | Parse md5 and sha256 hashes into process.hash.* from winlog.event_data.Hashes | No |
| 4648 | Set server.address to winlog.event_data.TargetServerName if it exists | No |
Pipeline processors
{
    "processors" : [
      {
        "set" : {
          "field" : "event.outcome",
          "value" : "success",
          "if" : """ctx?.event?.outcome == null && ctx?.event?.code != null && (ctx?.event?.code == "18454" || ctx?.event?.code == 18454)""",
          "ignore_failure" : true,
          "description" : "24-08-23 JC - Event Code 18454 - Set event outcome success for a list of conditional event codes"
        }
      },
      {
        "set" : {
          "field" : "event.outcome",
          "value" : "failure",
          "if" : """ctx?.event?.outcome == null && ctx?.event?.code != null && (ctx?.event?.code == "18456" || ctx?.event?.code == 18456 || ctx?.event?.code == "18452" || ctx?.event?.code == 18452 || ctx?.event?.code == "4625" || ctx?.event?.code == 4625)""",
          "ignore_failure" : true,
          "description" : "24-08-23 JC - Event Code 18456 & 18452 & 4625 - Set event outcome failure for a list of conditional event codes"
        }
      },
      {
        "append" : {
          "field" : "event.category",
          "value" : [
            "authentication"
          ],
          "if" : """ctx?.event?.category == null && ctx?.event?.code != null && (ctx?.event?.code == "18456" || ctx?.event?.code == 18456 || ctx?.event?.code == "18454" || ctx?.event?.code == 18454 || ctx?.event?.code == "18452" || ctx?.event?.code == 18452 || ctx?.event?.code == "4625" || ctx?.event?.code == 4625)""",
          "ignore_failure" : true,
          "description" : "24-08-23 JC - Event Code 18456 18454 18452 4625 - Set event category to authentication if doesn't exist"
        }
      },
      {
        "grok" : {
          "field" : "winlog.event_data.param1",
          "patterns" : [
            """^%{HOSTNAME:user.domain}\\%{USERNAME:user.name}""",
            "^%{USERNAME:user.name}"
          ],
          "if" : """ctx?.winlog?.event_data?.param1 != null && ctx?.event?.code != null && (ctx?.event?.code == "18456" || ctx?.event?.code == 18456 || ctx?.event?.code == "18454" || ctx?.event?.code == 18454) && (ctx?.user?.name == null || ctx?.user?.name == "-")""",
          "ignore_failure" : true,
          "description" : "24-08-23 JC - Event Code 18456 - Parse user.name ANDOR user.domain from winlog.event_data.param1"
        }
      },
      {
        "set" : {
          "field" : "user.name",
          "copy_from" : "winlog.user.name",
          "if" : """ctx?.winlog?.user?.name != null && ctx?.event?.code != null && (ctx?.event?.code == "18456" || ctx?.event?.code == 18456 || ctx?.event?.code == "18454" || ctx?.event?.code == 18454) && (ctx?.user?.name == null || ctx?.user?.name == "-")""",
          "ignore_failure" : true,
          "description" : "24-08-23 JC - Event Code 18456 - Set user.name to winlog.user.name IF Exists"
        }
      },
      {
        "set" : {
          "field" : "user.name",
          "copy_from" : "winlog.event_data.param1",
          "if" : """ctx?.winlog?.event_data?.param1 != null && ctx?.event?.code != null && (ctx?.event?.code == "18456" || ctx?.event?.code == 18456 || ctx?.event?.code == "18454" || ctx?.event?.code == 18454) && (ctx?.user?.name == null || ctx?.user?.name == "-")""",
          "ignore_failure" : true,
          "description" : "24-08-23 JC - Event Code 18456 - Set user.name to winlog.event_data.param1"
        }
      },
      {
        "grok" : {
          "field" : "winlog.event_data.param2",
          "patterns" : [
            "%{SPACE}Reason: %{GREEDYDATA:event.reason}$"
          ],
          "if" : """ctx?.winlog?.event_data?.param2 != null && ctx?.event?.code != null && (ctx?.event?.code == "18456" || ctx?.event?.code == 18456) && (ctx?.event?.reason == null || ctx?.event?.reason == "-")""",
          "ignore_failure" : true,
          "description" : "24-08-23 JC - Event Code 18456 - Parse event.reason to winlog.event_data.param2"
        }
      },
      {
        "grok" : {
          "field" : "winlog.event_data.param3",
          "patterns" : [
            """^%{SPACE}\[CLIENT: (%{IPORHOST:client.address})\]""",
            """^%{SPACE}\[CLIENT: \<%{GREEDYDATA:client.address}\>\]"""
          ],
          "ignore_missing" : true,
          "if" : """ctx?.winlog?.event_data?.param3 != null && ctx?.event?.code != null && (ctx?.event?.code == "18456" || ctx?.event?.code == 18456) && (ctx?.client?.address == null || ctx?.client?.address == "-")""",
          "ignore_failure" : true,
          "description" : "13-09-23 JC - Event Code 18456 - Parse client address from winlog.event_data.param3"
        }
      },
      {
        "grok" : {
          "field" : "winlog.event_data.param2",
          "patterns" : [
            """^%{SPACE}\[CLIENT: (%{IPORHOST:client.address})\]""",
            """^%{SPACE}\[CLIENT: \<%{GREEDYDATA:client.address}\>\]"""
          ],
          "ignore_missing" : true,
          "if" : """ctx?.winlog?.event_data?.param2 != null && ctx?.event?.code != null && (ctx?.event?.code == "18454" || ctx?.event?.code == 18454) && (ctx?.client?.address == null || ctx?.client?.address == "-")""",
          "ignore_failure" : true,
          "description" : "13-09-23 JC - Event Code 18454 - Parse client address from winlog.event_data.param2"
        }
      },
      {
        "grok" : {
          "field" : "winlog.event_data.param1",
          "patterns" : [
            """^%{SPACE}\[CLIENT: (%{IPORHOST:client.address})\]""",
            """^%{SPACE}\[CLIENT: \<%{GREEDYDATA:client.address}\>\]"""
          ],
          "ignore_missing" : true,
          "if" : """ctx?.winlog?.event_data?.param1 != null && ctx?.event?.code != null && (ctx?.event?.code == "18452" || ctx?.event?.code == 18452) && (ctx?.client?.address == null || ctx?.client?.address == "-")""",
          "ignore_failure" : true,
          "description" : "13-09-23 JC - Event Code 18452 - Parse client address from winlog.event_data.param1"
        }
      },
      {
        "convert" : {
          "field" : "winlog.event_data.ProcessId",
          "type" : "integer",
          "target_field" : "process.pid",
          "if" : """ctx?.winlog?.event_data?.ProcessId != null && ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624")""",
          "ignore_failure" : true,
          "description" : "24-08-23 JC - Event Code 4625 & 4624- Convert hex PID to dec into process.pid"
        }
      },
      {
        "grok" : {
          "field" : "winlog.event_data.ProcessName",
          "patterns" : [
            "^%{WINPATHALT:process.executable}"
          ],
          "pattern_definitions" : {
            "WINPATHALT" : """^(.*(?<=\\))?+(?<process.name>.*$|$)"""
          },
          "if" : """ctx?.winlog?.event_data?.ProcessName != null && ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624")""",
          "ignore_failure" : true,
          "description" : "24-08-23 JC - Event Code 4625 & 4624- Parse process.name and exec path from winlog.event_data.ProcessExecutable"
        }
      },
      {
        "set" : {
          "if" : """ctx?.winlog?.event_data?.ProcessId != null && ctx?.event?.code != null && (ctx?.event?.code == 1 || ctx?.event?.code == "1")""",
          "ignore_failure" : true,
          "field" : "process.pid",
          "copy_from" : "winlog.event_data.ProcessId",
          "description" : "12-09-23 JC - Event Code 1- set winlog.event_data.ProcessId to into process.pid -"
        }
      },
      {
        "set" : {
          "field" : "winlog.logon.code",
          "copy_from" : "winlog.event_data.LogonType",
          "if" : """ctx?.winlog?.event_data?.LogonType != null && ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624")""",
          "ignore_failure" : true,
          "description" : "30-08-23 JC - Event Code 4625 & 4624- Set winlog.logon/code to winlog.event_data.LogonType"
        }
      },
      {
        "set" : {
          "field" : "user.domain",
          "copy_from" : "winlog.event_data.TargetDomainName",
          "if" : """ctx?.winlog?.event_data?.TargetDomainName != null && ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624")""",
          "ignore_failure" : true,
          "description" : "12-05-09-23 JC - Event Code 4625  & 4624 - Set user.domain to winlog.event_data.TargetDomainName"
        }
      },
      {
        "set" : {
          "field" : "user.name",
          "copy_from" : "winlog.event_data.TargetUserName",
          "if" : """ctx?.winlog?.event_data?.TargetUserName != null && ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624")""",
          "ignore_failure" : true,
          "description" : "12-09-23 JC - Event Code 4625 & 4624 - Set user.name to winlog.event_data.TargetUserName"
        }
      },
      {
        "set" : {
          "field" : "user.id",
          "copy_from" : "winlog.event_data.TargetUserSid",
          "if" : """ctx?.winlog?.event_data?.TargetUserSid != null && ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624")""",
          "ignore_failure" : true,
          "description" : "12-09-23 JC - Event Code 4625 & 4624 - Set user.id to winlog.event_data.TargetUserSid"
        }
      },
      {
        "set" : {
          "field" : "user.domain",
          "copy_from" : "winlog.event_data.SubjectDomainName",
          "if" : """ctx?.winlog?.event_data?.SubjectDomainName != null && ctx?.event?.code != null && (ctx?.event?.code == 4648 || ctx?.event?.code == "4648")""",
          "ignore_failure" : true,
          "description" : "12-05-09-23 JC - Event Code 4648 - Set user.domain to winlog.event_data.SubjectDomainName"
        }
      },
      {
        "set" : {
          "field" : "user.name",
          "copy_from" : "winlog.event_data.SubjectUserName",
          "if" : """ctx?.winlog?.event_data?.SubjectUserName != null && ctx?.event?.code != null && (ctx?.event?.code == 4648 || ctx?.event?.code == "4648")""",
          "ignore_failure" : true,
          "description" : "12-05-09-23 JC - Event Code 4648 - Set user.name to winlog.event_data.SubjectUserName"
        }
      },
      {
        "set" : {
          "field" : "user.id",
          "copy_from" : "winlog.event_data.SubjectUserSid",
          "if" : """ctx?.winlog?.event_data?.SubjectUserSid != null && ctx?.event?.code != null && (ctx?.event?.code == 4648 || ctx?.event?.code == "4648")""",
          "ignore_failure" : true,
          "description" : "12-05-09-23 JC - Event Code 4648 - Set user.id to winlog.event_data.SubjectUserSid"
        }
      },
      {
        "set" : {
          "field" : "server.user.domain",
          "copy_from" : "winlog.event_data.SubjectDomainName",
          "if" : """ctx?.winlog?.event_data?.SubjectDomainName != null && ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624")""",
          "ignore_failure" : true,
          "description" : "12-09-23 JC - Event Code 4625  & 4624 - Set server.user.domain to winlog.event_data.SubjectDomainName"
        }
      },
      {
        "set" : {
          "field" : "server.user.name",
          "copy_from" : "winlog.event_data.SubjectUserName",
          "if" : """ctx?.winlog?.event_data?.SubjectUserName != null && ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624") && (ctx?.server?.user?.name == null || ctx?.server?.user?.name == "-")""",
          "ignore_failure" : true,
          "description" : "12-09-23 JC - Event Code 4625 & 4624 - Set server.user.name to winlog.event_data.SubjectUserName"
        }
      },
      {
        "set" : {
          "field" : "server.user.id",
          "copy_from" : "winlog.event_data.SubjectUserSid",
          "if" : """ctx?.winlog?.event_data?.SubjectUserSid != null && ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624") && (ctx?.server?.user?.id == null || ctx?.server?.user?.id == "-")""",
          "ignore_failure" : true,
          "description" : "12-09-23 JC - Event Code 4625 & 4624 - Set server.user.id to winlog.event_data.SubjectUserSid"
        }
      },
      {
        "set" : {
          "field" : "user.effective.name",
          "copy_from" : "winlog.event_data.TargetUserName",
          "if" : """ctx?.winlog?.event_data?.TargetUserName != null && ctx?.event?.code != null && (ctx?.event?.code == 4648 || ctx?.event?.code == "4648")""",
          "ignore_failure" : true,
          "description" : "12-09-23 JC - Event Code 4648 - Set user.effective.name to winlog.event_data.TargetUserName"
        }
      },
      {
        "set" : {
          "field" : "user.effective.id",
          "copy_from" : "winlog.event_data.TargetUserSid",
          "if" : """ctx?.winlog?.event_data?.TargetUserSid != null && ctx?.event?.code != null && (ctx?.event?.code == 4648 || ctx?.event?.code == "4648")""",
          "ignore_failure" : true,
          "description" : "12-09-23 JC - Event Code 4648 - Set user.effective.id to winlog.event_data.TargetUserSid"
        }
      },
      {
        "set" : {
          "field" : "user.effective.domain",
          "copy_from" : "winlog.event_data.TargetDomainName",
          "if" : """ctx?.winlog?.event_data?.TargetDomainName != null && ctx?.event?.code != null && (ctx?.event?.code == 4648 || ctx?.event?.code == "4648")""",
          "ignore_failure" : true,
          "description" : "12-09-23 JC - Event Code 4648 - Set user.effective.domain to winlog.event_data.TargetDomainName"
        }
      },
      {
        "set" : {
          "field" : "source.domain",
          "if" : """ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624") && ctx?.winlog?.event_data?.WorkstationName != null && ctx?.source?.domain == null""",
          "ignore_failure" : true,
          "copy_from" : "winlog.event_data.WorkstationName",
          "description" : "30-08-23 JC - Event Code 4625 & 4624 - Set source.domain to winlog.event_data.WorkstationName if exists -"
        }
      },
      {
        "grok" : {
          "field" : "winlog.event_data.IpAddress",
          "patterns" : [
            "^%{IP:source.ip}"
          ],
          "if" : """ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624") && ctx?.winlog?.event_data?.IpAddress != null && ctx?.source?.ip == null""",
          "ignore_failure" : true,
          "description" : "05-09-23 JC - Event Code 4625 & 4624 - Set source.ip to winlog.event_data.IpAddress if exists -"
        }
      },
      {
        "grok" : {
          "field" : "winlog.event_data.IpPort",
          "patterns" : [
            "^%{INT:source.port}"
          ],
          "if" : """ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624") && ctx?.winlog?.event_data?.IpPort != null && ctx?.source?.port == null""",
          "ignore_failure" : true,
          "description" : "05-09-23 JC - Event Code 4625 & 4624 - Set source.port to winlog.event_data.IpPort if exists -"
        }
      },
      {
        "set" : {
          "field" : "package.name",
          "if" : """ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624") && ctx?.winlog?.event_data?.AuthenticationPackageName != null && ctx?.package?.name == null""",
          "ignore_failure" : true,
          "copy_from" : "winlog.event_data.AuthenticationPackageName",
          "description" : "05-09-23 JC - Event Code 4625 & 4624 - Set package.name to winlog.event_data.AuthenticationPackageName if exists -"
        }
      },
      {
        "set" : {
          "field" : "winlog.logon.process.name",
          "if" : """ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624") && ctx?.winlog?.event_data?.LogonProcessName != null && ctx?.winlog?.logon?.process?.name == null""",
          "ignore_failure" : true,
          "copy_from" : "winlog.event_data.LogonProcessName",
          "description" : "05-09-23 JC - Event Code 4625 & 4624 - Set winlog.logon.process.name to winlog.event_data.LogonProcessName if exists -"
        }
      },
      {
        "set" : {
          "field" : "service.name",
          "copy_from" : "winlog.event_data.TransmittedServices",
          "if" : """ctx?.event?.code != null && (ctx?.event?.code == 4625 || ctx?.event?.code == "4625" || ctx?.event?.code == 4624 || ctx?.event?.code == "4624") && ctx?.winlog?.event_data?.TransmittedServices != null && ctx?.service?.name == null""",
          "ignore_failure" : true,
          "description" : "05-09-23 JC - Event Code 4625 & 4624 - Set service.name to winlog.event_data.TransmittedServices if exists -"
        }
      },
      {
        "grok" : {
          "field" : "winlog.event_data.Image",
          "patterns" : [
            "^%{WINPATHALT:process.executable}"
          ],
          "pattern_definitions" : {
            "WINPATHALT" : """^(.*(?<=\\))?+(?<process.name>.*$|$)"""
          },
          "if" : """ctx?.winlog?.event_data?.Image != null && ctx?.event?.code != null && (ctx?.event?.code == 1 || ctx?.event?.code == "1")""",
          "ignore_failure" : true,
          "description" : "05-09-023 JC - Event Code 1 - Parse process.name and exec path from winlog.event_data.Image if it exists and process.name does not"
        }
      },
      {
        "grok" : {
          "field" : "winlog.event_data.Hashes",
          "patterns" : [
            "^MD5=%{DATA:process.hash.md5},SHA256=%{DATA:process.hash.sha256},IMPHASH=%{DATA:process.hash.imphash}$"
          ],
          "if" : """ctx?.winlog?.event_data?.Hashes != null && ctx?.event?.code != null && (ctx?.event?.code == 1 || ctx?.event?.code == "1")""",
          "ignore_failure" : true,
          "description" : "05-09-23 JC - Event Code 1 - Parses md5 and sha256 hash to process.hash. from winlog.event_data.Hashes"
        }
      },
      {
        "set" : {
          "field" : "server.address",
          "copy_from" : "winlog.event_data.TargetServerName",
          "if" : """ctx?.event?.code != null && (ctx?.event?.code == 4648 || ctx?.event?.code == "4648") && ctx?.winlog?.event_data?.TargetServerName != null && ctx?.server?.address == null""",
          "ignore_failure" : true,
          "description" : "05-09-23 JC - Event Code 4648 - Set server.address to winlog.event_data.TargetServerName if exists -"
        }
      }
    ]
  }
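To make the proposed mappings reviewable without an Elasticsearch cluster, here is an added Python emulation (not Winlogbeat, Elasticsearch or the issue author's code) of the processors above, run over constructed SQL Server 18456/18454, Windows 4624 and Sysmon event 1 records. The regex approximations of the grok patterns, the sample events and the placeholder hash values are assumptions; it shows which ECS fields each event code ends up with, that already-populated targets are never overwritten, and that a Sysmon Hashes value in any other algorithm order is silently skipped.

```python
"""Emulation of the field mappings proposed in this issue (added example, not project code)."""
import re

# Python approximations of the pipeline's grok patterns (assumption: HOSTNAME/USERNAME/IPORHOST
# reduced to simple character classes, GREEDYDATA to .*, and %{IP} to IPv4 only).
DOMAIN_USER = re.compile(r"^(?P<domain>[A-Za-z0-9._-]+)\\(?P<name>[A-Za-z0-9._$-]+)$")
USER_ONLY = re.compile(r"^(?P<name>[A-Za-z0-9._$-]+)$")
REASON = re.compile(r"^\s*Reason: (?P<reason>.*)$")
CLIENT = re.compile(r"^\s*\[CLIENT: (?:<(?P<named>[^>]*)>|(?P<addr>[A-Za-z0-9.:_-]+))\]")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# The proposed Hashes pattern only matches this exact algorithm set and order; a Sysmon
# HashAlgorithms setting that adds SHA1 or omits IMPHASH leaves process.hash.* unset.
HASHES = re.compile(r"^MD5=(?P<md5>[^,]+),SHA256=(?P<sha256>[^,]+),IMPHASH=(?P<imphash>[^,]+)$")

FAILURE_CODES = {"4625", "18452", "18456"}
AUTH_CODES = {"4625", "18452", "18454", "18456"}  # as listed in the issue; 4624 is not included
CLIENT_PARAM = {"18456": "param3", "18454": "param2", "18452": "param1"}
# (winlog.event_data source, ECS target) pairs copied for 4624/4625 when the target is empty.
LOGON_COPIES = [
    ("TargetDomainName", "user.domain"), ("TargetUserName", "user.name"),
    ("TargetUserSid", "user.id"), ("SubjectDomainName", "server.user.domain"),
    ("SubjectUserName", "server.user.name"), ("SubjectUserSid", "server.user.id"),
    ("LogonType", "winlog.logon.code"), ("WorkstationName", "source.domain"),
    ("IpPort", "source.port"), ("AuthenticationPackageName", "package.name"),
    ("LogonProcessName", "winlog.logon.process.name"), ("TransmittedServices", "service.name"),
]


def set_if_empty(ecs, key, value):
    """Mirror the pipeline's guards: write only when the target is absent or '-'."""
    if value is not None and ecs.get(key) in (None, "-"):
        ecs[key] = value


def windows_pid(text):
    """Like convert(type=integer): '0x3a8' from 4624/4625 or decimal '4120' from Sysmon."""
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def normalise(event):
    """Apply the proposed processors, in the issue's order, to one winlogbeat-shaped event."""
    code = str(event["event"]["code"])  # winlogbeat emits event.code as a string
    data = event.get("winlog", {}).get("event_data", {})
    ecs = {"event.code": code}
    if code == "18454":
        set_if_empty(ecs, "event.outcome", "success")
    if code in FAILURE_CODES:
        set_if_empty(ecs, "event.outcome", "failure")
    if code in AUTH_CODES:
        ecs["event.category"] = ["authentication"]
    if code in ("18454", "18456") and data.get("param1"):
        m = DOMAIN_USER.match(data["param1"]) or USER_ONLY.match(data["param1"])
        if m:
            set_if_empty(ecs, "user.name", m.group("name"))
            set_if_empty(ecs, "user.domain", m.groupdict().get("domain"))
        set_if_empty(ecs, "user.name", event.get("winlog", {}).get("user", {}).get("name"))
        set_if_empty(ecs, "user.name", data["param1"])  # last resort: the raw parameter
    if code == "18456" and (m := REASON.match(data.get("param2", ""))):
        set_if_empty(ecs, "event.reason", m.group("reason"))
    if code in CLIENT_PARAM and (m := CLIENT.match(data.get(CLIENT_PARAM[code], ""))):
        set_if_empty(ecs, "client.address", m.group("addr") or m.group("named"))
    if code in ("4624", "4625"):
        if data.get("ProcessId"):
            ecs["process.pid"] = windows_pid(data["ProcessId"])
        if data.get("ProcessName"):
            ecs["process.executable"] = data["ProcessName"]
            ecs["process.name"] = data["ProcessName"].rpartition("\\")[2]
        for src, dst in LOGON_COPIES:
            set_if_empty(ecs, dst, data.get(src))
        if IPV4.match(data.get("IpAddress", "")):  # '-' (local logon) leaves source.ip unset
            ecs["source.ip"] = data["IpAddress"]
    if code == "1":
        if data.get("ProcessId"):
            ecs["process.pid"] = windows_pid(data["ProcessId"])
        if data.get("Image"):
            ecs["process.executable"] = data["Image"]
            ecs["process.name"] = data["Image"].rpartition("\\")[2]
        if m := HASHES.match(data.get("Hashes", "")):
            ecs.update({"process.hash." + k: v for k, v in m.groupdict().items()})
    return ecs


# Constructed sample events (not real log data), shaped like winlogbeat output.
SQL_LOGIN_FAILED = {"event": {"code": "18456"}, "winlog": {
    "user": {"name": "MSSQLSERVER"},
    "event_data": {"param1": "CORP\\svc_reporting",
                   "param2": " Reason: Password did not match that for the login provided.",
                   "param3": " [CLIENT: 10.20.30.40]"}}}
SQL_LOGIN_OK_LOCAL = {"event": {"code": "18454"}, "winlog": {"event_data": {
    "param1": "sa", "param2": " [CLIENT: <local machine>]"}}}
WIN_LOGON = {"event": {"code": "4624"}, "winlog": {"event_data": {
    "TargetDomainName": "CORP", "TargetUserName": "alice", "TargetUserSid": "S-1-5-21-1-2-3-1001",
    "SubjectDomainName": "CORP", "SubjectUserName": "WKS01$", "SubjectUserSid": "S-1-5-18",
    "LogonType": "3", "WorkstationName": "WKS01", "IpAddress": "10.20.30.41", "IpPort": "49812",
    "AuthenticationPackageName": "Kerberos", "LogonProcessName": "Kerberos",
    "ProcessId": "0x3a8", "ProcessName": "C:\\Windows\\System32\\lsass.exe"}}}
SYSMON_PROCESS = {"event": {"code": "1"}, "winlog": {"event_data": {
    "ProcessId": "4120", "Image": "C:\\Windows\\System32\\cmd.exe",
    "Hashes": "MD5=" + "0" * 32 + ",SHA256=" + "0" * 64 + ",IMPHASH=" + "0" * 32}}}  # placeholders

if __name__ == "__main__":
    for sample in (SQL_LOGIN_FAILED, SQL_LOGIN_OK_LOCAL, WIN_LOGON, SYSMON_PROCESS):
        print(normalise(sample))
```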
botelastic (bot) added the needs_team label (Indicates that the issue/PR needs a Team:* label) on Sep 22, 2023
elasticmachine (Collaborator) commented:

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

botelastic (bot) removed the needs_team label (Indicates that the issue/PR needs a Team:* label) on Oct 16, 2023
efd6 (Contributor) commented Oct 18, 2023

@jguay Would you mind asking for the JSON with pretty=false?

efd6 (Contributor) commented Oct 26, 2023

I've gone through the processors here to reduce the syntax for clarity and maintainability. There is no indication of which of the modules the processors are intended to be added to. Please ask the user to explain which module each of the processors is intended to be added to.

The pipeline (in YAML) with my changes is here.

---
processors:
- set:
    field: event.outcome
    value: success
    if: ctx.event?.outcome == null && ctx.event?.code == "18454"
    ignore_failure: true
    description: Event Code 18454 - Set event outcome success for a list of conditional event codes
- set:
    field: event.outcome
    value: failure
    if: ctx.event?.outcome == null && ["4625", "18452", "18456"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 18456 & 18452 & 4625 - Set event outcome failure for a list of conditional event codes
- append:
    field: event.category
    value:
    - authentication
    if: ctx.event?.category == null && ["4625", "18452", "18454", "18456"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 18456 18454 18452 4625 - Set event category to authentication if doesn't exist
- grok:
    field: winlog.event_data.param1
    patterns:
    - '^%{HOSTNAME:user.domain}\\%{USERNAME:user.name}'
    - '^%{USERNAME:user.name}'
    if: ctx.winlog?.event_data?.param1 != null && (ctx.user?.name == null || ctx.user.name == "-") && ["18454", "18456"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 18456 - Parse user.name ANDOR user.domain from winlog.event_data.param1
- set:
    field: user.name
    copy_from: winlog.user.name
    if: ctx.winlog?.user?.name != null && (ctx.user?.name == null || ctx.user.name == "-") && ["18454", "18456"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 18456 - Set user.name to winlog.user.name IF Exists
- set:
    field: user.name
    copy_from: winlog.event_data.param1
    if: ctx.winlog?.event_data?.param1 != null && (ctx.user?.name == null || ctx.user.name == "-") && ["18454", "18456"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 18456 - Set user.name to winlog.event_data.param1
- grok:
    field: winlog.event_data.param2
    patterns:
    - '%{SPACE}Reason: %{GREEDYDATA:event.reason}$'
    if: ctx.winlog?.event_data?.param2 != null && ctx.event?.code == "18456" && (ctx.event?.reason == null || ctx.event.reason == "-")
    ignore_failure: true
    description: Event Code 18456 - Parse event.reason to winlog.event_data.param2
- grok:
    field: winlog.event_data.param3
    patterns:
    - '^%{SPACE}\[CLIENT: (%{IPORHOST:client.address})\]'
    - '^%{SPACE}\[CLIENT: \<%{GREEDYDATA:client.address}\>\]'
    ignore_missing: true
    if: ctx.winlog?.event_data?.param3 != null && ctx.event?.code == "18456" && (ctx.client?.address == null || ctx.client.address == "-")
    ignore_failure: true
    description: Event Code 18456 - Parse client address from winlog.event_data.param3
- grok:
    field: winlog.event_data.param2
    patterns:
    - '^%{SPACE}\[CLIENT: (%{IPORHOST:client.address})\]'
    - '^%{SPACE}\[CLIENT: \<%{GREEDYDATA:client.address}\>\]'
    ignore_missing: true
    if: ctx.winlog?.event_data?.param2 != null && ctx.event?.code == "18454" && (ctx.client?.address == null || ctx.client.address == "-")
    ignore_failure: true
    description: Event Code 18454 - Parse client address from winlog.event_data.param2
- grok:
    field: winlog.event_data.param1
    patterns:
    - '^%{SPACE}\[CLIENT: (%{IPORHOST:client.address})\]'
    - '^%{SPACE}\[CLIENT: \<%{GREEDYDATA:client.address}\>\]'
    ignore_missing: true
    if: ctx.winlog?.event_data?.param1 != null && ctx.event?.code == "18452" && (ctx.client?.address == null || ctx.client.address == "-")
    ignore_failure: true
    description: Event Code 18452 - Parse client address from winlog.event_data.param1
- convert:
    field: winlog.event_data.ProcessId
    type: integer
    target_field: process.pid
    if: ctx.winlog?.event_data?.ProcessId != null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624- Convert hex PID to dec into process.pid
- grok:
    field: winlog.event_data.ProcessName
    patterns:
    - '^%{WINPATHALT:process.executable}'
    pattern_definitions:
      WINPATHALT: '^(.*(?<=\\))?+(?<process.name>.*$|$)'
    if: ctx.winlog?.event_data?.ProcessName != null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624- Parse process.name and exec path from winlog.event_data.ProcessExecutable
- set:
    if: ctx.winlog?.event_data?.ProcessId != null && ctx.event?.code == "1"
    ignore_failure: true
    field: process.pid
    copy_from: winlog.event_data.ProcessId
    description: Event Code 1- set winlog.event_data.ProcessId to into process.pid -
- set:
    field: winlog.logon.code
    copy_from: winlog.event_data.LogonType
    if: ctx.winlog?.event_data?.LogonType != null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624- Set winlog.logon/code to winlog.event_data.LogonType
- set:
    field: user.domain
    copy_from: winlog.event_data.TargetDomainName
    if: ctx.winlog?.event_data?.TargetDomainName != null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625  & 4624 - Set user.domain to winlog.event_data.TargetDomainName
- set:
    field: user.name
    copy_from: winlog.event_data.TargetUserName
    if: ctx.winlog?.event_data?.TargetUserName != null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624 - Set user.name to winlog.event_data.TargetUserName
- set:
    field: user.id
    copy_from: winlog.event_data.TargetUserSid
    if: ctx.winlog?.event_data?.TargetUserSid != null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624 - Set user.id to winlog.event_data.TargetUserSid
- set:
    field: user.domain
    copy_from: winlog.event_data.SubjectDomainName
    if: ctx.winlog?.event_data?.SubjectDomainName != null && ctx.event?.code == "4648"
    ignore_failure: true
    description: Event Code 4648 - Set user.domain to winlog.event_data.SubjectDomainName
- set:
    field: user.name
    copy_from: winlog.event_data.SubjectUserName
    if: ctx.winlog?.event_data?.SubjectUserName != null && ctx.event?.code == "4648"
    ignore_failure: true
    description: Event Code 4648 - Set user.name to winlog.event_data.SubjectUserName
- set:
    field: user.id
    copy_from: winlog.event_data.SubjectUserSid
    if: ctx.winlog?.event_data?.SubjectUserSid != null && ctx.event?.code == "4648"
    ignore_failure: true
    description: Event Code 4648 - Set user.id to winlog.event_data.SubjectUserSid
- set:
    field: server.user.domain
    copy_from: winlog.event_data.SubjectDomainName
    if: ctx.winlog?.event_data?.SubjectDomainName != null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625  & 4624 - Set server.user.domain to winlog.event_data.SubjectDomainName
- set:
    field: server.user.name
    copy_from: winlog.event_data.SubjectUserName
    if: ctx.winlog?.event_data?.SubjectUserName != null && (ctx.server?.user?.name == null || ctx.server.user.name == "-") && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624 - Set server.user.name to winlog.event_data.SubjectUserName
- set:
    field: server.user.id
    copy_from: winlog.event_data.SubjectUserSid
    if: ctx.winlog?.event_data?.SubjectUserSid != null && (ctx.server?.user?.id == null || ctx.server.user.id == "-") && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624 - Set server.user.id to winlog.event_data.SubjectUserSid
- set:
    field: user.effective.name
    copy_from: winlog.event_data.TargetUserName
    if: ctx.winlog?.event_data?.TargetUserName != null && ctx.event?.code == "4648"
    ignore_failure: true
    description: Event Code 4648 - Set user.effective.name to winlog.event_data.TargetUserName
- set:
    field: user.effective.id
    copy_from: winlog.event_data.TargetUserSid
    if: ctx.winlog?.event_data?.TargetUserSid != null && ctx.event?.code == "4648"
    ignore_failure: true
    description: Event Code 4648 - Set user.effective.id to winlog.event_data.TargetUserSid
- set:
    field: user.effective.domain
    copy_from: winlog.event_data.TargetDomainName
    if: ctx.winlog?.event_data?.TargetDomainName != null && ctx.event?.code == "4648"
    ignore_failure: true
    description: Event Code 4648 - Set user.effective.domain to winlog.event_data.TargetDomainName
- set:
    field: source.domain
    copy_from: winlog.event_data.WorkstationName
    if: ctx.winlog?.event_data?.WorkstationName != null && ctx.source?.domain == null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624 - Set source.domain to winlog.event_data.WorkstationName if it exists and source.domain does not
- grok:
    field: winlog.event_data.IpAddress
    patterns:
    - '^%{IP:source.ip}'
    if: ctx.winlog?.event_data?.IpAddress != null && ctx.source?.ip == null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624 - Set source.ip from winlog.event_data.IpAddress if it exists and source.ip does not
- grok:
    field: winlog.event_data.IpPort
    patterns:
    - '^%{INT:source.port}'
    if: ctx.winlog?.event_data?.IpPort != null && ctx.source?.port == null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624 - Set source.port from winlog.event_data.IpPort if it exists and source.port does not
- set:
    field: package.name
    copy_from: winlog.event_data.AuthenticationPackageName
    if: ctx.winlog?.event_data?.AuthenticationPackageName != null && ctx.package?.name == null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624 - Set package.name to winlog.event_data.AuthenticationPackageName if it exists and package.name does not
- set:
    field: winlog.logon.process.name
    copy_from: winlog.event_data.LogonProcessName
    if: ctx.winlog?.event_data?.LogonProcessName != null && ctx.winlog?.logon?.process?.name == null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624 - Set winlog.logon.process.name to winlog.event_data.LogonProcessName if it exists and winlog.logon.process.name does not
- set:
    field: service.name
    copy_from: winlog.event_data.TransmittedServices
    if: ctx.winlog?.event_data?.TransmittedServices != null && ctx.service?.name == null && ["4624", "4625"].contains(ctx.event?.code)
    ignore_failure: true
    description: Event Code 4625 & 4624 - Set service.name to winlog.event_data.TransmittedServices if it exists and service.name does not
- grok:
    field: winlog.event_data.Image
    patterns:
    - '^%{WINPATHALT:process.executable}'
    pattern_definitions:
      # Optional directory part up to the last backslash, then the file name as process.name.
      # The <process.name> capture name was lost in rendering and is restored here from the description.
      WINPATHALT: '^(.*(?<=\\))?+(?<process.name>.*$|$)'
    # process.name == null check matches the description: existing values are not overwritten
    if: ctx.winlog?.event_data?.Image != null && ctx.process?.name == null && ctx.event?.code == "1"
    ignore_failure: true
    description: Event Code 1 - Parse process.name and exec path from winlog.event_data.Image if it exists and process.name does not
- grok:
    field: winlog.event_data.Hashes
    patterns:
    - '^MD5=%{DATA:process.hash.md5},SHA256=%{DATA:process.hash.sha256},IMPHASH=%{DATA:process.hash.imphash}$'
    if: ctx.winlog?.event_data?.Hashes != null && ctx.event?.code == "1"
    ignore_failure: true
    description: Event Code 1 - Parse MD5, SHA256 and IMPHASH from winlog.event_data.Hashes into process.hash.* (requires the algorithms in exactly this order)
- set:
    field: server.address
    copy_from: winlog.event_data.TargetServerName
    if: ctx.winlog?.event_data?.TargetServerName != null && ctx.server?.address == null && ctx.event?.code == "4648"
    ignore_failure: true
    description: Event Code 4648 - Set server.address to winlog.event_data.TargetServerName if it exists and server.address does not
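The two Sysmon event-code-1 processors above (Image and Hashes) are easiest to check offline by re-implementing their logic. This is an added example, not code from the issue or from Winlogbeat; the sample event is constructed, and it also shows why the fixed-order Hashes pattern mis-parses when Sysmon emits a different algorithm set.

```python
import copy
import re
# Constructed sample Sysmon event (not from the issue); only the fields read here.
SYSMON_EVENT_1 = {
    "event": {"code": "1"},
    "winlog": {"event_data": {
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "Hashes": "MD5=" + "0" * 32 + ",SHA256=" + "1" * 64 + ",IMPHASH=" + "2" * 32,
    }},
}
# Equivalent of the WINPATHALT grok: text after the last backslash is the file name.
WINPATH = re.compile(r"^(?:.*\\)?(?P<name>[^\\]*)$")
# The pipeline's Hashes grok with %{DATA} expanded to its lazy .*? definition.
GROK_HASHES = re.compile(r"^MD5=(?P<md5>.*?),SHA256=(?P<sha256>.*?),IMPHASH=(?P<imphash>.*?)$")

def parse_image(image):
    """Return (process.executable, process.name) as the Image grok would."""
    return image, WINPATH.match(image).group("name")

def grok_hashes(hashes):
    """Mimic the fixed-order grok: a dict of captures, or None when it does not match."""
    m = GROK_HASHES.match(hashes)
    return m.groupdict() if m else None

def parse_hashes(hashes):
    """Order-independent parser for Sysmon's 'ALG=hex,ALG=hex' Hashes string; Sysmon
    emits whichever algorithms its HashAlgorithms setting lists, in Sysmon's own order."""
    out = {}
    for part in hashes.split(","):
        alg, _, value = part.partition("=")
        if alg and value:
            out[alg.strip().lower()] = value.strip().lower()
    return out

def enrich(event):
    """Apply the event-code-1 steps to a copy of the event without overwriting
    process.* fields that already exist (OverwritesExistingFields: No)."""
    out = copy.deepcopy(event)
    if out.get("event", {}).get("code") != "1":
        return out
    data = out.get("winlog", {}).get("event_data", {})
    proc = out.setdefault("process", {})
    if data.get("Image"):
        exe, name = parse_image(data["Image"])
        proc.setdefault("executable", exe)
        proc.setdefault("name", name)
    if data.get("Hashes"):
        for alg, val in parse_hashes(data["Hashes"]).items():
            proc.setdefault("hash", {}).setdefault(alg, val)
    return out
```

With SHA1 enabled in Sysmon, grok_hashes silently stores "a,SHA1=x" as the MD5 value rather than failing, which is the case the order-independent parser guards against.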

@norrietaylor norrietaylor added Team:Security-Windows Platform Windows Platform Team in Security Solution and removed Team:Security-External Integrations labels Jan 31, 2024
@elasticmachine (Collaborator) commented:

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)
