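filter {
  #
  # Avoid duplicate entries in the logs: events tagged "dc" from host DAFT
  # with this client address are discarded.
  #
  if "dc" in [tags] {
    if [host] == "DAFT" and [event_data][IpAddress] == "10.10.102.106" {
      drop { }
    }
  }

  #
  # Identify Windows security messages via their tag
  #
  if "securityevent" in [tags] {
    mutate { add_field => { "SecurityEvents" => "1" } }

    #
    # Rewrite the IP field, stripping the IPv4-mapped IPv6 prefix
    #
    mutate { gsub => [ "[event_data][IpAddress]", "::ffff:", "" ] }

    #
    # Identify and drop machine accounts or unknown machines.
    # NOTE: the regex is unanchored, so any TargetUserName containing a word
    # character followed by "$" matches, not only names that end in "$".
    #
    if [event_data][TargetUserName] =~ /\w+[$]/ {
      drop { }
    }
    if [event_data][TargetUserName] == "S-1-5-21-312104408-55515560-629696583-10897" {
      drop { }
    }

    #
    # Tag or drop local successful and failed logons (4624/4625)
    #
    if [event_id] == 4624 or [event_id] == 4625 {
      # Event ID 4624: successful logon
      if [event_id] == 4624 {
        mutate { add_field => { "LogonLocal" => "1" } }
        mutate { add_field => { "Resultat" => "successful logon" } }
      }
      # Event ID 4625: failed logon, plus the reason for the failure.
      # Status and SubStatus are checked with the same value because the
      # detailed NTSTATUS code may be carried in either field.
      else if [event_id] == 4625 {
        mutate { add_field => { "LogonLocal" => "1" } }
        mutate { add_field => { "Resultat" => "failed logon" } }
        # Reason for the failed logon
        if [event_data][Status] == "0xc0000064" or [event_data][SubStatus] == "0xc0000064" {
          mutate { add_field => { "Raison" => "Nom d'utilisateur incorrect" } }
        }
        else if [event_data][Status] == "0xc000006a" or [event_data][SubStatus] == "0xc000006a" {
          mutate { add_field => { "Raison" => "Mot de passe incorrect" } }
        }
        else if [event_data][Status] == "0xc0000234" or [event_data][SubStatus] == "0xc0000234" {
          mutate { add_field => { "Raison" => "Utilisateur verrouille" } }
        }
        else if [event_data][Status] == "0xc0000072" or [event_data][SubStatus] == "0xc0000072" {
          mutate { add_field => { "Raison" => "Utilisateur desactive" } }
        }
        else if [event_data][Status] == "0xc000006f" or [event_data][SubStatus] == "0xc000006f" {
          mutate { add_field => { "Raison" => "Hors plage horaire" } }
        }
        else if [event_data][Status] == "0xc0000070" or [event_data][SubStatus] == "0xc0000070" {
          mutate { add_field => { "Raison" => "workstation restriction, or Authentication Policy Silo violation" } }
        }
        else if [event_data][Status] == "0xc0000193" or [event_data][SubStatus] == "0xc0000193" {
          mutate { add_field => { "Raison" => "Compte expire" } }
        }
        else if [event_data][Status] == "0xc0000071" or [event_data][SubStatus] == "0xc0000071" {
          mutate { add_field => { "Raison" => "Mot de passe expire" } }
        }
        else if [event_data][Status] == "0xc0000133" or [event_data][SubStatus] == "0xc0000133" {
          mutate { add_field => { "Raison" => "clocks between DC and other computer too far out of sync" } }
        }
        else if [event_data][Status] == "0xc0000224" or [event_data][SubStatus] == "0xc0000224" {
          mutate { add_field => { "Raison" => "L'utitilisateur doit changer de mot de passe" } }
        }
        else if [event_data][Status] == "0xc0000225" or [event_data][SubStatus] == "0xc0000225" {
          mutate { add_field => { "Raison" => "evidently a bug in Windows and not a risk" } }
        }
        else if [event_data][Status] == "0xc000015b" or [event_data][SubStatus] == "0xc000015b" {
          mutate { add_field => { "Raison" => "l'utilisateur n'a pas pu se connecter" } }
        }
      }

      #
      # Tag the logon type for events 4624 and 4625.
      # NOTE(review): the drop branches below apply to 4625 as well as 4624,
      # so failed network (3), batch (4), service (5) and unlock (7) logons
      # are never indexed — confirm that this detection gap is intended.
      #
      # LogonType=2: interactive session from the local machine (console)
      if [event_data][LogonType] == "2" {
        mutate { add_field => { "Connexion" => "Ouverture Session Console" } }
      }
      # LogonType=3: Network (e.g. connection to a shared folder on the PC)
      else if [event_data][LogonType] == "3" {
        drop { }
      }
      # LogonType=4: Batch (e.g. scheduled tasks)
      else if [event_data][LogonType] == "4" {
        drop { }
      }
      # LogonType=5: Service start
      else if [event_data][LogonType] == "5" {
        drop { }
      }
      # LogonType=7: Session unlock (screen saver)
      else if [event_data][LogonType] == "7" {
        drop { }
      }
      # LogonType=8: NetworkCleartext
      else if [event_data][LogonType] == "8" {
        mutate { add_field => { "Connexion" => "NetworkCleartext" } }
      }
      # LogonType=9: Run As connection
      else if [event_data][LogonType] == "9" {
        mutate { add_field => { "Connexion" => "Run As" } }
      }
      # LogonType=10: Remote Desktop connection
      else if [event_data][LogonType] == "10" {
        mutate { add_field => { "Connexion" => "Connexion RDP" } }
      }
      # LogonType=11: CachedInteractive (meaning unclear to the original author)
      else if [event_data][LogonType] == "11" {
        mutate { add_field => { "Connexion" => "CachedInteractive" } }
      }
    }

    #
    # Tag failed logons at the DC level (4771/4768).
    # Every 4768 is first labelled "failed logon" here; the successful ones
    # are corrected or dropped in the 4768 block further down.
    #
    if [event_id] == 4771 or [event_id] == 4768 {
      mutate { add_field => { "Resultat" => "failed logon" } }
      mutate { add_field => { "LogonLocal" => "0" } }
      # Reason for the failed logon (Kerberos result code)
      if [event_data][Status] == "0x1" {
        mutate { add_field => { "Raison" => "Client's entry in database has expired" } }
      }
      else if [event_data][Status] == "0x2" {
        mutate { add_field => { "Raison" => "Server's entry in database has expired" } }
      }
      else if [event_data][Status] == "0x3" {
        mutate { add_field => { "Raison" => "Requested protocol version # not supported" } }
      }
      else if [event_data][Status] == "0x4" {
        mutate { add_field => { "Raison" => "Client's key encrypted in old master key" } }
      }
      else if [event_data][Status] == "0x5" {
        mutate { add_field => { "Raison" => "Server's key encrypted in old master key" } }
      }
      else if [event_data][Status] == "0x6" {
        mutate { add_field => { "Raison" => "Utilisateur Inconnu" } }
      }
      else if [event_data][Status] == "0x7" {
        mutate { add_field => { "Raison" => "PC inconnu" } }
      }
      else if [event_data][Status] == "0x8" {
        mutate { add_field => { "Raison" => "Multiple principal entries in database" } }
      }
      else if [event_data][Status] == "0x9" {
        mutate { add_field => { "Raison" => "The client or server has a null key" } }
      }
      # Status 0x10 is dropped; the original configuration gives no reason.
      else if [event_data][Status] == "0x10" {
        drop { }
      }
      # NOTE(review): this comparison is case-sensitive while the other codes
      # are lowercase hex — confirm the KDC renders this code as "0xC".
      else if [event_data][Status] == "0xC" {
        mutate { add_field => { "Raison" => "KDC policy rejects request - Reset du mot de passe necessaire" } }
      }
      else if [event_data][Status] == "0x12" {
        mutate { add_field => { "Raison" => "Compte désactivé, bloqué, expiré ou hors horaire" } }
      }
      else if [event_data][Status] == "0x17" {
        mutate { add_field => { "Raison" => "Mot de passe expiré" } }
      }
      else if [event_data][Status] == "0x18" {
        mutate { add_field => { "Raison" => "Mauvais mot de passe" } }
      }
      else if [event_data][Status] == "0x25" {
        mutate { add_field => { "Raison" => "Décallage entre l'heure du PC et du DC" } }
      }
    }

    #
    # Tag DC successful logon (4768).
    # Fix 1: the original condition tested PreAuthType alone, so a 4768 that
    # had just received a failure Raison above but carried PreAuthType 2 was
    # relabelled as a success; a successful TGT request is also required to
    # have Status 0x0 (the same value the drop branch below relies on).
    # Fix 2: the value is spelled "successful logon" to match the 4624 branch;
    # the original "successfull logon" split the Resultat values in two.
    # `replace` overwrites the preset "failed logon" in one step instead of
    # remove_field followed by add_field.
    #
    if [event_id] == 4768 and [event_data][PreAuthType] == "2" and [event_data][Status] == "0x0" {
      mutate { replace => { "Resultat" => "successful logon" } }
    }
    #
    # Drop the remaining successful Kerberos TGT requests (4768)
    #
    else if [event_id] == 4768 and [event_data][Status] == "0x0" {
      drop { }
    }
  }
}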