Tuned and curated Winlogbeats config file
# A retired Winlogbeat config maintained by the Recon InfoSec SOC.
# It contains most of the higher-value events needed for detection and response;
# tune it for your specific environment and log-volume tolerance.
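winlogbeat.event_logs: # Global Event Logs Config
  # One entry per channel to subscribe to. Script processors attached to an
  # entry run only on events from that channel; the global processors further
  # down run on everything. ignore_older skips events older than the window
  # when a channel is read — NOTE(review): confirm in your Winlogbeat version
  # whether that also applies after a collector outage longer than the window
  # before relying on short values such as the 1h on ForwardedEvents.
  - name: Security
    ignore_older: 24h
    processors:
      - script:
          when.equals.winlog.channel: Security
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
  - name: System
    ignore_older: 24h
  - name: Application
    ignore_older: 24h
  - name: Microsoft-Windows-Sysmon/Operational
    ignore_older: 72h
    processors:
      - script:
          when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
  # The classic channel is named 'Windows PowerShell' (capital S). The
  # ForwardedEvents gate below compares winlog.channel verbatim, so the name
  # must match the canonical spelling or forwarded classic-PowerShell events
  # bypass the script processor.
  - name: Windows PowerShell
    ignore_older: 24h
    processors:
      - script:
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
  - name: Microsoft-Windows-PowerShell/Operational
    ignore_older: 24h
    processors:
      - script:
          when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
          lang: javascript
          id: powershell-operational
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
  - name: Microsoft-Windows-Windows Defender/Operational
    ignore_older: 72h
  - name: Microsoft-Windows-TaskScheduler/Operational
    ignore_older: 24h
  # Events arriving via Windows Event Forwarding. winlog.channel on these is
  # the originating channel, hence the per-channel gate on each script.
  - name: ForwardedEvents
    ignore_older: 1h
    processors:
      - script:
          when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
          lang: javascript
          id: powershell-operational
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
      - script:
          when.equals.winlog.channel: Windows PowerShell
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
      - script:
          when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
      - script:
          when.equals.winlog.channel: Security
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
  # RDP activity
  - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
    ignore_older: 72h
  - name: Microsoft-Windows-TerminalServices-RDPClient/Operational
    ignore_older: 72h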
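processors: # Global Processors
  # These run after the per-channel script processors above. The Security,
  # System and Application filters are ALLOWLISTS: anything not named is
  # dropped, so review them before deploying. 4688 (process creation) is
  # deliberately absent and Sysmon event 1 presumably stands in for it —
  # confirm Sysmon is actually installed on every host this config reaches.
  - drop_event.when.or: # Exclude the following providers (substring match)
      # NOTE(review): 'Microsoft-Windows-Kernel' also drops Kernel-General
      # (system time changed) and Kernel-Power (unexpected shutdown) events;
      # narrow the match if those are wanted for tamper/forensic purposes.
      - contains.winlog.provider_name: 'Microsoft-Windows-Kernel'
      - contains.winlog.provider_name: 'Microsoft-SharePoint'
      - contains.winlog.provider_name: 'Schannel'
      - contains.winlog.provider_name: 'Directory Synchronization'
      - contains.winlog.provider_name: 'Microsoft-Windows-DistributedCOM'
      - contains.winlog.provider_name: 'ESENT'
      - contains.winlog.provider_name: 'vmStatsProvider'
      - contains.winlog.provider_name: 'Microsoft-Windows-TPM'
      - contains.winlog.provider_name: 'MSExchangeTransportSubmission'
      - contains.winlog.provider_name: 'Microsoft-Windows-CertificateServicesClient'
      - contains.winlog.provider_name: 'New Relic'
      - contains.winlog.provider_name: 'SceCli'
      - contains.winlog.provider_name: 'PasswordResetService'
      - contains.winlog.provider_name: 'DirectoryMonitor'
      - contains.winlog.provider_name: 'ASP.NET'
      - contains.winlog.provider_name: 'LogRhythm Agent'
      - contains.winlog.provider_name: 'MSExchange Mid-Tier Storage'
      - contains.winlog.provider_name: 'Microsoft-Windows-Time-Service'
      - contains.winlog.provider_name: 'MSExchangeFrontEndTransport'
      - contains.winlog.provider_name: 'MSExchangeTransportDelivery'
      - equals.winlog.provider_name: 'Microsoft-Windows-Security-SPP' # Microsoft Licensing App logs
  - drop_event.when.and: # Security log filter (allowlist)
      # Exact channel match; `contains` would also catch any other collected
      # channel whose name merely includes the word.
      - equals.winlog.channel: 'Security'
      - not.or: # Drop unless the event ID is one of the following
          # Event-log service events, listed explicitly on winlog.event_id —
          # the field name the rest of this file uses. A `range` on the
          # unprefixed `event_id` can silently never match and would drop
          # 1102 (audit log cleared), the one you most want to keep.
          - equals.winlog.event_id: 1100 # The event logging service has shut down
          - equals.winlog.event_id: 1101 # Audit events have been dropped by the transport
          - equals.winlog.event_id: 1102 # The audit log was cleared
          - equals.winlog.event_id: 1104 # The security log is now full
          - equals.winlog.event_id: 1105 # Event log automatic backup
          - equals.winlog.event_id: 1108 # The event logging service encountered an error
          - equals.winlog.event_id: 4608 # Windows is starting up
          - equals.winlog.event_id: 4609 # Windows is shutting down
          - equals.winlog.event_id: 4610 # An authentication package has been loaded by the Local Security Authority
          - equals.winlog.event_id: 4611 # A trusted logon process has been registered with the Local Security Authority
          - equals.winlog.event_id: 4614 # A notification package has been loaded by the Security Account Manager
          - equals.winlog.event_id: 4618 # A monitored security event pattern has occurred
          - equals.winlog.event_id: 4622 # A security package has been loaded by the Local Security Authority
          - equals.winlog.event_id: 4624 # logons
          - equals.winlog.event_id: 4625 # failed logons
          - equals.winlog.event_id: 4634 # logoff
          - equals.winlog.event_id: 4647 # logoff
          - equals.winlog.event_id: 4648 # logon was attempted using explicit credentials
          - equals.winlog.event_id: 4649 # A replay attack was detected. May be a harmless false positive due to misconfiguration
          - equals.winlog.event_id: 4656 # A handle to an object was requested
          - equals.winlog.event_id: 4657 # A registry value was modified
          - equals.winlog.event_id: 4659 # A handle to an object was requested with intent to delete
          - equals.winlog.event_id: 4660 # An object was deleted
          - equals.winlog.event_id: 4663 # An attempt was made to access an object
          - equals.winlog.event_id: 4670 # Permissions on an object were changed
          - equals.winlog.event_id: 4672 # special (admin) logon
          - equals.winlog.event_id: 4697 # A service was installed in the system
          - equals.winlog.event_id: 4698 # A scheduled task was created
          - equals.winlog.event_id: 4699 # A scheduled task was deleted
          - equals.winlog.event_id: 4700 # A scheduled task was enabled
          - equals.winlog.event_id: 4701 # A scheduled task was disabled
          - equals.winlog.event_id: 4702 # A scheduled task was updated
          - equals.winlog.event_id: 4706 # A new trust was created to a domain
          - equals.winlog.event_id: 4707 # A trust to a domain was removed
          - equals.winlog.event_id: 4713 # Kerberos policy was changed
          - equals.winlog.event_id: 4716 # Trusted domain information was modified
          - equals.winlog.event_id: 4717 # System security access was granted to an account
          - equals.winlog.event_id: 4719 # System audit policy was changed
          - equals.winlog.event_id: 4720 # account creation
          - equals.winlog.event_id: 4722 # account enabled
          - equals.winlog.event_id: 4723 # An attempt was made to change an account's password
          - equals.winlog.event_id: 4724 # An attempt was made to reset an account's password
          - equals.winlog.event_id: 4725 # A user account was disabled
          - equals.winlog.event_id: 4726 # A user account was deleted
          - equals.winlog.event_id: 4727 # A security-enabled global group was created
          - equals.winlog.event_id: 4728 # A member was added to a security-enabled global group
          - equals.winlog.event_id: 4729 # A member was removed from a security-enabled global group
          - equals.winlog.event_id: 4730 # A security-enabled global group was deleted
          - equals.winlog.event_id: 4731 # A security-enabled local group was created
          - equals.winlog.event_id: 4732 # A member was added to a security-enabled local group
          - equals.winlog.event_id: 4733 # A member was removed from a security-enabled local group
          - equals.winlog.event_id: 4734 # A security-enabled local group was deleted
          - equals.winlog.event_id: 4735 # A security-enabled local group was changed
          - equals.winlog.event_id: 4737 # A security-enabled global group was changed
          - equals.winlog.event_id: 4738 # A user account was changed
          - equals.winlog.event_id: 4739 # Domain Policy was changed
          - equals.winlog.event_id: 4740 # A user account was locked out
          - equals.winlog.event_id: 4741 # A computer account was created
          - equals.winlog.event_id: 4742 # A computer account was changed
          - equals.winlog.event_id: 4743 # A computer account was deleted
          # Universal-group events: Enterprise Admins and Schema Admins are
          # universal groups, so membership changes to them surface as
          # 4756/4757, not the global/local IDs above.
          - equals.winlog.event_id: 4754 # A security-enabled universal group was created
          - equals.winlog.event_id: 4755 # A security-enabled universal group was changed
          - equals.winlog.event_id: 4756 # A member was added to a security-enabled universal group
          - equals.winlog.event_id: 4757 # A member was removed from a security-enabled universal group
          - equals.winlog.event_id: 4758 # A security-enabled universal group was deleted
          - equals.winlog.event_id: 4760 # A security-disabled universal group was changed
          - equals.winlog.event_id: 4762 # A member was removed from a security-disabled universal group
          - equals.winlog.event_id: 4764 # A group's type was changed
          - equals.winlog.event_id: 4765 # SID History was added to an account
          - equals.winlog.event_id: 4766 # An attempt to add SID History to an account failed
          - equals.winlog.event_id: 4767 # A user account was unlocked
          - equals.winlog.event_id: 4768 # Kerberos Authentication Service
          - equals.winlog.event_id: 4769 # Kerberos Service Ticket Operations
          - equals.winlog.event_id: 4770 # Kerberos ticket renewed
          - equals.winlog.event_id: 4771 # Kerberos pre-authentication failed
          - equals.winlog.event_id: 4776 # NTLM Credential Validation
          - equals.winlog.event_id: 4778 # A session was reconnected to a Window Station
          - equals.winlog.event_id: 4779 # A session was disconnected from a Window Station
          - equals.winlog.event_id: 4780 # The ACL was set on accounts which are members of administrators groups
          - equals.winlog.event_id: 4781 # The name of an account was changed
          - equals.winlog.event_id: 4794 # An attempt was made to set the Directory Services Restore Mode
          - equals.winlog.event_id: 4797 # An attempt was made to query the existence of a blank password for an account
          - equals.winlog.event_id: 4799 # A security-enabled local group membership was enumerated
          - equals.winlog.event_id: 4800 # The workstation was locked
          - equals.winlog.event_id: 4801 # The workstation was unlocked
          - equals.winlog.event_id: 4802 # The screen saver was invoked
          - equals.winlog.event_id: 4803 # The screen saver was dismissed
          - equals.winlog.event_id: 4897 # Role separation enabled
          - equals.winlog.event_id: 4904 # An attempt was made to register a security event source
          - equals.winlog.event_id: 4905 # An attempt was made to unregister a security event source
          - equals.winlog.event_id: 4944 # The following policy was active when the Windows Firewall started
          - equals.winlog.event_id: 4946 # A change was made to the Windows Firewall exception list. A rule was added
          - equals.winlog.event_id: 4948 # A change was made to the Windows Firewall exception list. A rule was deleted
          - equals.winlog.event_id: 4956 # Windows Firewall changed the active profile
          - equals.winlog.event_id: 4964 # Special groups have been assigned to a new logon
          - equals.winlog.event_id: 5031 # Windows Firewall blocked an application from accepting incoming connections on the network
          - equals.winlog.event_id: 5038 # Code integrity determined that the image hash of a file is not valid
          - equals.winlog.event_id: 5136 # A directory service object was modified
          - equals.winlog.event_id: 5137 # A directory service object was created
          - equals.winlog.event_id: 5139 # A directory service object was moved
          - equals.winlog.event_id: 5140 # A network share object was accessed
          - equals.winlog.event_id: 5141 # A directory service object was deleted
          - equals.winlog.event_id: 5142 # A network share object was added
          - equals.winlog.event_id: 5145 # A network share object was checked to see whether client can be granted desired access
          - equals.winlog.event_id: 5378 # The requested credentials delegation was disallowed by policy
          - equals.winlog.event_id: 5379 # Credential Manager credentials were read
          - equals.winlog.event_id: 5380 # Vault Find Credential
          - equals.winlog.event_id: 5381 # Vault credentials were read
          - equals.winlog.event_id: 5382 # Vault credentials were read
          - equals.winlog.event_id: 5632 # A request was made to authenticate to a wireless network
          - equals.winlog.event_id: 5633 # A request was made to authenticate to a wired network
          - equals.winlog.event_id: 6144 # Security policy in the group policy objects has been applied successfully
          - equals.winlog.event_id: 6272 # Network Policy Server granted access to a user
          - equals.winlog.event_id: 6273 # Network Policy Server denied access to a user
          - equals.winlog.event_id: 6278 # Network Policy Server granted full access to a user
          - equals.winlog.event_id: 6416 # A new external device was recognized by the system
          - equals.winlog.event_id: 8222 # Shadow copy has been created
  - drop_event.when.and: # System log filter (allowlist)
      - equals.winlog.channel: 'System'
      - not.or: # Drop unless the provider or event ID is listed below
          # Provider matches are substrings; the bare event-ID matches apply
          # to ANY provider in this channel, so keep them to IDs that are
          # unambiguous here.
          - contains.winlog.provider_name: 'Service Control Manager'
          - contains.winlog.provider_name: 'Microsoft-Windows-GroupPolicy'
          - contains.winlog.provider_name: 'Microsoft-Windows-WindowsUpdateClient'
          - contains.winlog.provider_name: 'EventLog'
          - contains.winlog.provider_name: 'Microsoft-Windows-FilterManager'
          - contains.winlog.provider_name: 'NPS'
          - contains.winlog.provider_name: 'volsnap'
          - contains.winlog.provider_name: 'NETLOGON'
          - contains.winlog.provider_name: 'USER32'
          - contains.winlog.provider_name: 'SAVOnAccess'
          - contains.winlog.provider_name: 'Microsoft-Windows-Winlogon'
          - equals.winlog.event_id: 13 # A RADIUS message was received from an invalid RADIUS client
          - equals.winlog.event_id: 19 # Windows Update successful
          - equals.winlog.event_id: 43 # Windows Update started installing an update
          - equals.winlog.event_id: 44 # Windows Update started downloading an update
          - equals.winlog.event_id: 1056 # Create RDP certificate
          - equals.winlog.event_id: 6281 # Code Integrity determined that the page hashes of an image file are not valid (Kernel Driver Signing)
  - drop_event.when.and: # Application log filter (allowlist)
      - equals.winlog.channel: 'Application'
      - not.or: # Drop unless the provider name contains one of the following
          - contains.winlog.provider_name: 'Application Error'
          - contains.winlog.provider_name: 'Application Hang'
          - contains.winlog.provider_name: 'Windows Error Reporting'
          - contains.winlog.provider_name: 'EMET'
          - contains.winlog.provider_name: 'MSSQLSERVER'
          - contains.winlog.provider_name: 'PostgreSQL'
          - contains.winlog.provider_name: 'MSExchange'
          - contains.winlog.provider_name: 'ADSync'
          - contains.winlog.provider_name: 'Security' # SecurityCenter (substring: any provider containing 'Security' is kept)
          - contains.winlog.provider_name: 'EDSService'
          - contains.winlog.provider_name: 'MsiInstaller'
          - contains.winlog.provider_name: 'Audit-CVE'
  - drop_event.when.and: # RDPClient filter (allowlist)
      - equals.winlog.channel: 'Microsoft-Windows-TerminalServices-RDPClient/Operational'
      - not.or: # Drop unless the event ID is one of the following
          - equals.winlog.event_id: 1024 # Client attempts to connect to RDP server (gives server hostname)
          - equals.winlog.event_id: 1025 # Client successfully connects to RDP server (gives server hostname)
          - equals.winlog.event_id: 1026 # Client disconnects from RDP server (gives server hostname)
          - equals.winlog.event_id: 1102 # Client attempts to connect to RDP server (gives server IP)
          - equals.winlog.event_id: 1103 # Client successfully connects to RDP server (gives server IP)
          - equals.winlog.event_id: 1105 # Client disconnects from RDP server (gives server IP)
  - drop_event.when.and: # PowerShell Operational log filter (denylist; 4104 script blocks are kept)
      - equals.winlog.channel: 'Microsoft-Windows-PowerShell/Operational'
      - or: # Drop the following Event IDs
          - equals.winlog.event_id: 4105 # Started invocation of ScriptBlock ID
          - equals.winlog.event_id: 4106 # Completed invocation of ScriptBlock ID
          - equals.winlog.event_id: 8196 # Modifying activity Id and correlating
          - equals.winlog.event_id: 12039 # Modifying activity Id and correlating
          - equals.winlog.event_id: 40961 # PowerShell console is starting up
          - equals.winlog.event_id: 40962 # PowerShell console is ready for user input
  - drop_event.when.and: # Windows PowerShell (classic) log filter (allowlist)
      - equals.winlog.channel: 'Windows PowerShell'
      - not.or: # Drop unless the event ID is one of the following
          - equals.winlog.event_id: 400 # Engine Lifecycle
  # Suppress the WMI provider host's routine handle requests on lsass.exe.
  # Only this exact ProcessName is exempted; any other process touching
  # lsass.exe (the credential-dumping case) still passes through.
  - drop_event.when.and:
      - equals.winlog.event_data.ProcessName: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
      - contains.winlog.event_data.ObjectName: 'lsass.exe'
      - or:
          - equals.winlog.event_id: 4663 # An attempt was made to access an object
          - equals.winlog.event_id: 4656 # A handle to an object was requested
  - drop_fields:
      # winlog.-prefixed names, matching the field layout used elsewhere in
      # this file (winlog.event_data.ProcessName). ignore_missing stops the
      # processor from logging an error on every event that has neither.
      fields: ["winlog.event_data.Binary", "winlog.user_data.binaryData"]
      ignore_missing: true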