Tuned and curated Winlogbeats config file
# A retired winlogbeats config maintained by the Recon InfoSec SOC
# contains most of the higher value events needed for detection and response
# should be tuned for your specific environment and log volume tolerance
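winlogbeat.event_logs:  # Global Event Logs Config
  # One entry per channel to subscribe to. ignore_older skips events older than the
  # given age on the first read; the script processors attach the module scripts that
  # ship with winlogbeat under ${path.home}/module/<module>/config/ to the matching channel.
  - name: Security
    ignore_older: 24h
    processors:
      - script:
          when.equals.winlog.channel: Security
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
  - name: System
    ignore_older: 24h
  - name: Application
    ignore_older: 24h
  - name: Microsoft-Windows-Sysmon/Operational
    ignore_older: 72h
    processors:
      - script:
          when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
  # Classic PowerShell engine log. The channel is "Windows PowerShell" (capital S); the
  # spelling is kept identical to the string the global "Windows PowerShell log filter"
  # compares against, because channel comparisons in the conditions are exact matches.
  - name: Windows PowerShell
    ignore_older: 24h
    processors:
      - script:
          when.equals.winlog.channel: Windows PowerShell  # gated on channel like the sibling entries
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
  - name: Microsoft-Windows-PowerShell/Operational
    ignore_older: 24h
    processors:
      - script:
          when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
          lang: javascript
          id: powershell-operational
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
  - name: Microsoft-Windows-Windows Defender/Operational
    ignore_older: 72h
  - name: Microsoft-Windows-TaskScheduler/Operational
    ignore_older: 24h
  # Events received from forwarders presumably keep the winlog.channel of the source
  # machine, so the same module scripts are attached here, each gated on that channel.
  - name: ForwardedEvents
    ignore_older: 1h
    processors:
      - script:
          when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
          lang: javascript
          id: powershell-operational
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
      - script:
          when.equals.winlog.channel: Windows PowerShell  # was "Windows Powershell"; an exact match needs the real channel name
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
      - script:
          when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
      - script:
          when.equals.winlog.channel: Security
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
  # RDP activity
  - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
    ignore_older: 72h
  - name: Microsoft-Windows-TerminalServices-RDPClient/Operational
    ignore_older: 72h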
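processors:  # Global Processors
  # Provider-level exclusions: events from these sources are dropped on every channel.
  # "contains" is a substring match, so e.g. 'Microsoft-Windows-Kernel' also covers the
  # Kernel-* sub-providers; tighten to "equals" if one of those becomes relevant.
  - drop_event.when.or:  # Exclude the following
      - contains.winlog.provider_name: 'Microsoft-Windows-Kernel'
      - contains.winlog.provider_name: 'Microsoft-SharePoint'
      - contains.winlog.provider_name: 'Schannel'
      - contains.winlog.provider_name: 'Directory Synchronization'
      - contains.winlog.provider_name: 'Microsoft-Windows-DistributedCOM'
      - contains.winlog.provider_name: 'ESENT'
      - contains.winlog.provider_name: 'vmStatsProvider'
      - contains.winlog.provider_name: 'Microsoft-Windows-TPM'
      - contains.winlog.provider_name: 'MSExchangeTransportSubmission'
      - contains.winlog.provider_name: 'Microsoft-Windows-CertificateServicesClient'
      - contains.winlog.provider_name: 'New Relic'
      - contains.winlog.provider_name: 'SceCli'
      - contains.winlog.provider_name: 'PasswordResetService'
      - contains.winlog.provider_name: 'DirectoryMonitor'
      - contains.winlog.provider_name: 'ASP.NET'
      - contains.winlog.provider_name: 'LogRhythm Agent'
      - contains.winlog.provider_name: 'MSExchange Mid-Tier Storage'
      - contains.winlog.provider_name: 'Microsoft-Windows-Time-Service'  # listed once (was duplicated)
      - contains.winlog.provider_name: 'MSExchangeFrontEndTransport'
      - contains.winlog.provider_name: 'MSExchangeTransportDelivery'
      - equals.winlog.provider_name: 'Microsoft-Windows-Security-SPP'  # Microsoft Licensing App logs

  # Security channel: allow-list. Anything on the channel whose event ID is not matched
  # below is dropped, so new detections need their ID added here first.
  - drop_event.when.and:  # Security log filter
      - contains.winlog.channel: 'Security'
      - not.or:  # Drop if none of the following Event IDs
          # Event log notices 1100-1110 (1102 = the audit log was cleared). The field
          # path must be winlog.event_id like every other condition in this file; the
          # old path (event_id) would not match and this range would have been dropped.
          - range.winlog.event_id:
              gte: 1100
              lt: 1111
          - equals.winlog.event_id: 4608  # Windows is starting up
          - equals.winlog.event_id: 4609  # Windows is shutting down
          - equals.winlog.event_id: 4610  # An authentication package has been loaded by the Local Security Authority
          - equals.winlog.event_id: 4611  # A trusted logon process has been registered with the Local Security Authority
          - equals.winlog.event_id: 4614  # A notification package has been loaded by the Security Account Manager
          - equals.winlog.event_id: 4618  # A monitored security event pattern has occurred.
          - equals.winlog.event_id: 4622  # A security package has been loaded by the Local Security Authority
          - equals.winlog.event_id: 4624  # logons
          - equals.winlog.event_id: 4625  # failed logons
          - equals.winlog.event_id: 4634  # logoff
          - equals.winlog.event_id: 4647  # logoff
          - equals.winlog.event_id: 4648  # logon was attempted using explicit credentials
          - equals.winlog.event_id: 4649  # A replay attack was detected. May be a harmless false positive due to misconfiguration error.
          - equals.winlog.event_id: 4656  # A handle to an object was requested.
          - equals.winlog.event_id: 4657  # A registry value was modified.
          - equals.winlog.event_id: 4659  # A handle to an object was requested with intent to delete.
          - equals.winlog.event_id: 4660  # An object was deleted
          - equals.winlog.event_id: 4663  # An attempt was made to access an object
          - equals.winlog.event_id: 4670  # Permissions on an object were changed
          - equals.winlog.event_id: 4672  # special (admin) logon
          - equals.winlog.event_id: 4697  # A service was installed in the system (Security-channel record of a service install; listed once, was duplicated)
          - equals.winlog.event_id: 4698  # A scheduled task was created.
          - equals.winlog.event_id: 4699  # A scheduled task was deleted.
          - equals.winlog.event_id: 4700  # A scheduled task was enabled
          - equals.winlog.event_id: 4701  # A scheduled task was disabled
          - equals.winlog.event_id: 4702  # A scheduled task was updated
          - equals.winlog.event_id: 4716  # Trusted domain information was modified.
          - equals.winlog.event_id: 4717  # System security access was granted to an account.
          - equals.winlog.event_id: 4719  # System audit policy was changed.
          - equals.winlog.event_id: 4720  # account creation
          - equals.winlog.event_id: 4722  # account enabled
          - equals.winlog.event_id: 4723  # An attempt was made to change an account's password
          - equals.winlog.event_id: 4724  # An attempt was made to reset an account's password.
          - equals.winlog.event_id: 4725  # A user account was disabled.
          - equals.winlog.event_id: 4726  # A user account was deleted.
          - equals.winlog.event_id: 4728  # A member was added to a security-enabled global group
          - equals.winlog.event_id: 4729  # A member was removed from a security-enabled global group.
          - equals.winlog.event_id: 4731  # A security-enabled local group was created.
          - equals.winlog.event_id: 4732  # A member was added to a security-enabled local group
          - equals.winlog.event_id: 4733  # A member was removed from a security-enabled local group
          - equals.winlog.event_id: 4735  # A security-enabled local group was changed.
          - equals.winlog.event_id: 4737  # A security-enabled global group was changed.
          - equals.winlog.event_id: 4738  # A user account was changed.
          - equals.winlog.event_id: 4739  # Domain Policy was changed.
          - equals.winlog.event_id: 4740  # A user account was locked out
          - equals.winlog.event_id: 4741  # A computer account was created.
          - equals.winlog.event_id: 4742  # A computer account was changed.
          - equals.winlog.event_id: 4760  # A security-disabled universal group was changed.
          - equals.winlog.event_id: 4762  # A member was removed from a security-disabled universal group.
          - equals.winlog.event_id: 4765  # SID History was added to an account.
          - equals.winlog.event_id: 4766  # An attempt to add SID History to an account failed.
          - equals.winlog.event_id: 4767  # A user account was unlocked.
          - equals.winlog.event_id: 4768  # Kerberos Authentication Service
          - equals.winlog.event_id: 4769  # Kerberos Service Ticket Operations
          - equals.winlog.event_id: 4770  # Kerberos ticket renewed
          - equals.winlog.event_id: 4771  # Kerberos pre-authentication failed
          - equals.winlog.event_id: 4776  # NTLM Credential Validation
          - equals.winlog.event_id: 4778  # A session was reconnected to a Window Station
          - equals.winlog.event_id: 4779  # A session was disconnected from a Window Station.
          - equals.winlog.event_id: 4781  # The name of an account was changed
          - equals.winlog.event_id: 4794  # An attempt was made to set the Directory Services Restore Mode.
          - equals.winlog.event_id: 4797  # An attempt was made to query the existence of a blank password for an account
          - equals.winlog.event_id: 4799  # Security Group Management
          - equals.winlog.event_id: 4800  # The workstation was locked.
          - equals.winlog.event_id: 4801  # The workstation was unlocked.
          - equals.winlog.event_id: 4802  # The screen saver was invoked
          - equals.winlog.event_id: 4803  # The screen saver was dismissed
          - equals.winlog.event_id: 4897  # Role separation enabled
          - equals.winlog.event_id: 4904  # An attempt was made to register a security event source
          - equals.winlog.event_id: 4905  # An attempt was made to unregister a security event source
          - equals.winlog.event_id: 4944  # The following policy was active when the Windows Firewall started
          - equals.winlog.event_id: 4946  # A change was made to the Windows Firewall exception list. A rule was added.
          - equals.winlog.event_id: 4948  # A change was made to the Windows Firewall exception list. A rule was deleted.
          - equals.winlog.event_id: 4956  # Windows Firewall changed the active profile
          - equals.winlog.event_id: 4964  # Special groups have been assigned to a new logon.
          - equals.winlog.event_id: 5031  # Windows Firewall blocked an application from accepting incoming connections on the network
          - equals.winlog.event_id: 5038  # Code Integrity determined that the image hash of a file is not valid
          - equals.winlog.event_id: 5136  # A directory service object was modified
          - equals.winlog.event_id: 5137  # A directory service object was created.
          - equals.winlog.event_id: 5139  # A directory service object was moved
          - equals.winlog.event_id: 5140  # File share
          - equals.winlog.event_id: 5142  # File share was added
          - equals.winlog.event_id: 5145  # A network share object was checked to see whether client can be granted desired access
          - equals.winlog.event_id: 5378  # The requested credentials delegation was disallowed by policy.
          - equals.winlog.event_id: 5379  # Credential Manager credentials were read
          - equals.winlog.event_id: 5380  # Vault Find Credential
          - equals.winlog.event_id: 5381  # Vault credentials were read
          - equals.winlog.event_id: 5382  # Vault credentials were read
          - equals.winlog.event_id: 5632  # A request was made to authenticate to a wireless network
          - equals.winlog.event_id: 5633  # A request was made to authenticate to a wired network
          - equals.winlog.event_id: 6144  # Security policy in the group policy objects has been applied successfully
          - equals.winlog.event_id: 6272  # Network Policy Server granted access to a user
          - equals.winlog.event_id: 6273  # Network Policy Server denied access to a user
          - equals.winlog.event_id: 6278  # Network Policy Server granted full access to a user
          - equals.winlog.event_id: 6416  # A new external device was recognized by the system.
          - equals.winlog.event_id: 8222  # Shadow copy has been created.

  # System channel: allow-list by provider or event ID.
  - drop_event.when.and:  # System log filter
      - contains.winlog.channel: 'System'
      - not.or:  # Exclude anything not listed below
          - contains.winlog.provider_name: 'Service Control Manager'
          - contains.winlog.provider_name: 'Microsoft-Windows-GroupPolicy'
          - contains.winlog.provider_name: 'Microsoft-Windows-WindowsUpdateClient'
          - contains.winlog.provider_name: 'EventLog'
          - contains.winlog.provider_name: 'Microsoft-Windows-FilterManager'
          - contains.winlog.provider_name: 'NPS'
          - contains.winlog.provider_name: 'volsnap'
          - contains.winlog.provider_name: 'NETLOGON'
          - contains.winlog.provider_name: 'USER32'
          - contains.winlog.provider_name: 'SAVOnAccess'
          - contains.winlog.provider_name: 'Microsoft-Windows-Winlogon'
          - equals.winlog.event_id: 13  # A RADIUS message was received from the invalid RADIUS client
          - equals.winlog.event_id: 19  # Windows Update successful
          - equals.winlog.event_id: 43  # Windows Update started installing an update.
          - equals.winlog.event_id: 44  # Windows Update started downloading an update.
          - equals.winlog.event_id: 1056  # Create RDP certificate
          - equals.winlog.event_id: 6281  # Code Integrity determined that the page hashes of an image file are not valid (Kernel Driver Signing)

  # Application channel: allow-list by provider.
  - drop_event.when.and:  # Application log filter
      - contains.winlog.channel: 'Application'
      - not.or:  # Exclude anything not listed below
          - contains.winlog.provider_name: 'Application Error'
          - contains.winlog.provider_name: 'Application Hang'
          - contains.winlog.provider_name: 'Windows Error Reporting'
          - contains.winlog.provider_name: 'EMET'
          - contains.winlog.provider_name: 'MSSQLSERVER'
          - contains.winlog.provider_name: 'PostgreSQL'
          - contains.winlog.provider_name: 'MSExchange'
          - contains.winlog.provider_name: 'ADSync'
          - contains.winlog.provider_name: 'Security'  # SecurityCenter
          - contains.winlog.provider_name: 'EDSService'
          - contains.winlog.provider_name: 'MsiInstaller'
          - contains.winlog.provider_name: 'Audit-CVE'

  # RDP client channel: allow-list of the connect / disconnect events.
  - drop_event.when.and:  # RDPClient Filter
      - contains.winlog.channel: 'RDPClient'
      - not.or:  # Drop if none of the following Event IDs
          - equals.winlog.event_id: 1024  # Client attempts to connect to RDP server (gives server hostname)
          - equals.winlog.event_id: 1025  # Client successfully connects to RDP server (gives server hostname)
          - equals.winlog.event_id: 1026  # Client disconnects from RDP server (gives server hostname)
          - equals.winlog.event_id: 1102  # Client attempts to connect to RDP server (gives server IP)
          - equals.winlog.event_id: 1103  # Client successfully connects to RDP server (gives server IP)
          - equals.winlog.event_id: 1105  # Client disconnects from RDP server (gives server IP)

  # PowerShell Operational channel: deny-list (everything else, e.g. 4103/4104, is kept).
  - drop_event.when.and:  # Powershell Operational log filter
      - contains.winlog.channel: 'Microsoft-Windows-PowerShell/Operational'
      - or:  # Drop the following Event IDs
          - equals.winlog.event_id: 4105  # Started invocation of ScriptBlock ID
          - equals.winlog.event_id: 4106  # Completed invocation of ScriptBlock ID
          - equals.winlog.event_id: 8196  # Modifying activity Id and correlating
          - equals.winlog.event_id: 12039  # Modifying activity Id and correlating
          - equals.winlog.event_id: 40961  # PowerShell console is starting up
          - equals.winlog.event_id: 40962  # PowerShell console is ready for user input

  # Classic Windows PowerShell channel: allow-list. Exact channel spelling matters here.
  - drop_event.when.and:  # Windows PowerShell log filter
      - contains.winlog.channel: 'Windows PowerShell'
      - not.or:  # Drop if none of the following Event IDs
          - equals.winlog.event_id: 400  # Engine Lifecycle

  # Object-access noise: WmiPrvSE.exe touching lsass.exe is dropped only for 4663/4656;
  # all three conditions must hold, so other processes reaching lsass.exe are still kept.
  - drop_event.when.and:  # Filter WmiPrvSE.exe and lsass.exe noise from 4663 and 4656 events
      - equals.winlog.event_data.ProcessName: 'C:\Windows\System32\wbem\WmiPrvSE.exe'  # single quotes keep the backslashes literal
      - contains.winlog.event_data.ObjectName: 'lsass.exe'
      - or:  # only for the following events
          - equals.winlog.event_id: 4663  # An attempt was made to access an object
          - equals.winlog.event_id: 4656  # A handle to an object was requested.

  # Strip bulky binary payloads. Paths are under winlog.*, the same namespace every
  # condition in this file uses; ignore_missing avoids an error on events without them.
  - drop_fields:
      fields: ["winlog.event_data.Binary", "winlog.user_data.binaryData"]
      ignore_missing: true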