# Author: Justin Henderson # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics # Email: justin@hasecuritysolution.com # Last Update: 12/9/2016 filter { if [type] == "windows" { # json { # source => "message" # } date { match => ["EventTime", "YYYY-MM-dd HH:mm:ss"] remove_field => [ "EventTime" ] } if [EventID] == 4634 { mutate { add_tag => [ "logoff" ] } } if [EventID] == 4624 or [EventID] == 528 or [EventID] == 540 or [EventID] == 552 or [EventID] == 682 or [EventID] == 4648 or [EventID] == 4778 { mutate { add_tag => [ "logon" ] add_tag => [ "alert_data" ] } } if [EventID] == 529 or [EventID] == 4625 or [EventID] == 530 or [EventID] == 531 or [EventID] == 532 or [EventID] == 533 or [EventID] == 534 or [EventID] == 535 or [EventID] == 536 or [EventID] == 536 or [EventID] == 537 or [EventID] == 538 or [EventID] == 539 or [EventID] == 4625 or [EventID] == 4771 { mutate { add_tag => [ "logon_failure" ] add_tag => [ "alert_data" ] } } # Critical event IDs to monitor if [EventID] == 7030 or [EventID] == 4720 or [EventID] == 4722 or [EventID] == 4724 or [EventID] == 4738 or [EventID] == 4732 or [EventID] == 1102 or [EventID] == 1056 or [EventID] == 2003 or [EventID] == 2005 or [EventID] == 8003 or [EventID] == 8004 or [EventID] == 8006 or [EventID] == 8007 { mutate { add_tag => [ "alert_data" ] } } # Critical event IDs to monitor if [EventID] == 5152 { drop {} } if [EventID] == 4688 { drop {} } if [EventID] == 4689 { drop {} } # Process Termination:Not needed due to Sysmon if [Channel] == "Microsoft-Windows-Known Folders API Service" { drop {} } if [EventID] == 3 and [SourceIp] =~ "255$" { drop {} } if [EventID] == 3 and [DestinationIp] =~ "255$" { drop {} } # Whitelist/Blacklist check if [EventID] == 7045 { translate { field => "ServiceName" destination => "ServiceCheck" dictionary_path => "/lib/dictionaries/services.yaml" } } if [EventID] == 7045 and !([ServiceCheck]) { mutate { add_tag => [ "alert_data","new_service" ] } } if [ServiceCheck] == 'whitelist' { mutate { remove_field => [ "ServiceCheck" ] add_tag => [ "whitelist" ] } } if [ServiceCheck] == 'blacklist' { mutate { remove_field => [ "ServiceCheck" ] add_tag => [ "blacklist" ] } } if [EventID] == 5158 { if [Application] == "System" { drop {} } if [Application] =~ "\\windows\\system32\\spoolsv\.exe" { drop {} } if [Application] =~ "\\windows\\system32\\wbem\\wmiprvse\.exe" { drop {} } if [Application] =~ "mcafee" { drop {} } if [Application] =~ "carestream" { drop {} } if [Application] =~ "Softdent" { drop {} } } if [ProcessName] == "C:\\Windows\\System32\\wbem\\WmiPrvSE\.exe" and [SubjectUserName] == "SolarwindsHO" { drop {} } if [EventID] == 4690 { drop {} } if [EventID] == 861 and [AccountName] == "ntp" { drop {} } if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\lsass\.exe$" { drop {} } if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\svchost\.exe$" { drop {} } if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\dfsrs\.exe$" { drop {} } if [EventID] == 5447 { drop {} } mutate { rename => [ "AccountName", "user" ] rename => [ "AccountType", "account_type" ] rename => [ "ActivityID", "activity_id" ] rename => [ "Category", "category" ] rename => [ "ClientAddress", "client_ip" ] rename => [ "Channel", "channel" ] rename => [ "DCIPAddress", "domain_controller_ip" ] rename => [ "DCName", "domain_controller_name" ] rename => [ "EventID", "event_id" ] rename => [ "EventReceivedTime", "event_received_time" ] rename => [ "EventType", "event_type" ] rename => [ "GatewayIPAddress", "gateway_ip" ] rename => [ "IPAddress", "client_ip" ] rename => [ "Ipaddress", "client_ip" ] rename => [ "IpAddress", "client_ip" ] rename => [ "IPPort", "source_port" ] rename => [ "OpcodeValue", "opcode_value" ] rename => [ "PreAuthType", "preauthentication_type" ] rename => [ "PrincipleSAMName", "user" ] rename => [ "ProcessID", "process_id" ] rename => [ "ProviderGUID", "providerguid" ] rename => [ "RecordNumber", "record_number" ] rename => [ "RemoteAddress", "destination_ip" ] rename => [ "ServiceName", "service_name" ] rename => [ "ServiceID", "service_id" ] rename => [ "SeverityValue", "severity_value" ] rename => [ "SourceAddress", "client_ip" ] rename => [ "SourceModuleName", "source_module_name" ] rename => [ "SourceModuleType", "source_module_type" ] rename => [ "SourceName", "source_name" ] rename => [ "SubjectUserName", "user" ] rename => [ "TaskName", "task_name" ] rename => [ "TargetDomainName", "target_domain_name" ] rename => [ "TargetUserName", "user" ] rename => [ "ThreadID", "thread_id" ] rename => [ "User_ID", "user" ] rename => [ "UserID", "user" ] rename => [ "username", "user" ] } # For any accounts that are service accounts or special accounts add the tag of service_account # This example applies the tag to any username that starts with SVC_. If you use a different # standard change this. if [user] =~ "^DWM-*" or [user] == "SYSTEM" or [user] == "NETWORK SERVICE" or [user] == "LOCAL SERVICE" or [user] =~ "^SVC_*" { mutate { add_tag => [ "service_account" ] } } # This looks for events that are typically noisy but may be of use for deep dive investigations # A tag of noise is added to quickly filter out noise if [event_id] == 7036 or [source_name] == "Desktop Window Manager" or [category] == "Engine Lifecycle" or [category] == "Provider Lifecycle" { mutate { add_tag => [ "noise" ] } } #Identify machine accounts if [user] =~ /\$/ { mutate { add_tag => [ "machine", "noise" ] } } # Lower case all field names ruby { code => " event_hash = event.to_hash new_event = {} event_hash.keys.each do |key| new_event[key.downcase] = event[key] end event.instance_variable_set(:@data, new_event)" } mutate { #add_tag => [ "conf_file_6300"] } } }