Winlogbeat
Overview
Winlogbeat is an open-source log collector that ships Windows Event Logs as JSON events.
Related Built-in Rules
Benefit from SEKOIA.IO built-in rules and upgrade Winlogbeat with the following detection capabilities out-of-the-box.
SEKOIA.IO x Winlogbeat on ATT&CK Navigator
Account Added To A Security Enabled Group
Detects when a domain user is added to Domain Admins or Group Policy Creator Owners, so that the account that performed the change can be investigated (Security event 4728)
- Effort: master
Account Removed From A Security Enabled Group
Detects when a domain user is removed from Domain Admins or Group Policy Creator Owners, so that the account that performed the change can be investigated (Security event 4729)
- Effort: master
Backup Catalog Deleted
The rule detects when the Backup Catalog has been deleted. Administrators will then no longer be able to access previously created backups to perform recoveries. This is often done with the wbadmin.exe tool.
- Effort: intermediate
DHCP Server Error Failed Loading the CallOut DLL
This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded.
- Effort: intermediate
DHCP Server Loaded the CallOut DLL
This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded. This would indicate a successful attack against the DHCP service, allowing an attacker to disrupt the service or alter the integrity of its responses.
- Effort: intermediate
DNS Server Error Failed Loading The ServerLevelPluginDLL
This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded. This requires the dedicated Windows event provider Microsoft-Windows-DNS-Server-Service.
- Effort: master
Domain Trust Created Or Removed
A trust was created or removed to a domain. An attacker could perform that in order to do lateral movement easily between domains or shutdown the ability of two domains to communicate.
- Effort: advanced
Microsoft Defender Antivirus History Deleted
Windows Defender history has been deleted. This could be an attempt by an attacker to remove their traces.
- Effort: master
Microsoft Defender Antivirus Tampering Detected
Detection of Windows Defender tampering, from deletion of definitions to deactivation of parts or all of Defender.
- Effort: advanced
Microsoft Defender Antivirus Threat Detected
Detection of a Windows Defender alert indicating the presence of potential malware.
- Effort: intermediate
Password Change On Directory Service Restore Mode (DSRM) Account
The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
- Effort: intermediate
Possible Replay Attack
This event can be a sign of a Kerberos replay attack or, among other things, of network device configuration or routing problems.
- Effort: intermediate
Sysmon Windows File Block Executable
Sysmon has blocked an executable file from being written to the disk. This could be a malicious binary to investigate.
- Effort: master
User Account Created
Detects user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this to your Windows server logs and not to your DC logs. The default account defaultuser0 is excluded, as it is only used during Windows setup. This detection uses Security Event ID 4720.
- Effort: master
User Account Deleted
Detects local user deletion
- Effort: master
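To show what two of the rules above amount to in code, here is an added example (written for this page, not Sekoia.io's rule engine) that re-implements "User Account Created" (Security 4720, defaultuser0 excluded, member servers only) and "Account Added To A Security Enabled Group" (Security 4728 into Domain Admins or Group Policy Creator Owners) as plain Python predicates, and runs them over constructed sample events shaped like this integration's normalized output (`action.id`, `action.properties`, `winlog.channel`, `host.name`). The host names, account names and the `DOMAIN_CONTROLLERS` set are constructed for the example.

```python
# Added example for this page (not Sekoia.io's rule engine): two of the
# built-in rules listed above, re-implemented as plain Python predicates over
# events shaped like this integration's normalized output.

SENSITIVE_GROUPS = {"Domain Admins", "Group Policy Creator Owners"}
SETUP_ACCOUNTS = {"defaultuser0"}   # created and used only during Windows setup
DOMAIN_CONTROLLERS = {"DC-01"}      # constructed: the rule must not run on DC logs

# Constructed sample events (not real telemetry); only the fields the rules read are present.
SAMPLE_EVENTS = [
    {"host": {"name": "FILE-SRV-01"}, "winlog": {"channel": "Security"},
     "action": {"id": 4720, "properties": {"TargetUserName": "svc_backup", "SubjectUserName": "jdoe"}}},
    {"host": {"name": "WS-SETUP-07"}, "winlog": {"channel": "Security"},
     "action": {"id": 4720, "properties": {"TargetUserName": "defaultuser0", "SubjectUserName": "SYSTEM"}}},
    {"host": {"name": "DC-01"}, "winlog": {"channel": "Security"},
     "action": {"id": 4720, "properties": {"TargetUserName": "jsmith", "SubjectUserName": "helpdesk1"}}},
    {"host": {"name": "DC-01"}, "winlog": {"channel": "Security"},
     "action": {"id": 4728, "properties": {"TargetUserName": "Domain Admins",
                                           "MemberName": "CN=jdoe,CN=Users,DC=example,DC=org",
                                           "SubjectUserName": "admin1"}}},
    {"host": {"name": "DC-01"}, "winlog": {"channel": "Security"},
     "action": {"id": 4728, "properties": {"TargetUserName": "Sales",
                                           "MemberName": "CN=jdoe,CN=Users,DC=example,DC=org",
                                           "SubjectUserName": "admin1"}}},
    {"host": {"name": "FILE-SRV-01"}, "winlog": {"channel": "Security"},
     "action": {"id": 4624, "properties": {"TargetUserName": "jdoe", "LogonType": "3"}}},
]


def security_event_id(event):
    """Return the Security-channel event ID, or None for any other channel."""
    if event.get("winlog", {}).get("channel") != "Security":
        return None
    return event.get("action", {}).get("id")


def user_account_created(event):
    """Rule 'User Account Created': Security 4720 on a member server, skipping the
    defaultuser0 setup account and domain controllers (the rule text says not to
    apply it to DC logs)."""
    if security_event_id(event) != 4720:
        return False
    if event.get("host", {}).get("name") in DOMAIN_CONTROLLERS:
        return False
    return event["action"]["properties"].get("TargetUserName") not in SETUP_ACCOUNTS


def account_added_to_security_enabled_group(event):
    """Rule 'Account Added To A Security Enabled Group': Security 4728 whose target
    group (TargetUserName carries the group name in 4728) is a sensitive group."""
    if security_event_id(event) != 4728:
        return False
    return event["action"]["properties"].get("TargetUserName") in SENSITIVE_GROUPS


RULES = {
    "User Account Created": user_account_created,
    "Account Added To A Security Enabled Group": account_added_to_security_enabled_group,
}


def run_rules(events, rules=RULES):
    """Evaluate every rule against every event; return one alert per match with
    the fields an analyst needs: who (subject) did what (rule) to whom (target/member), where (host)."""
    alerts = []
    for event in events:
        props = event.get("action", {}).get("properties", {})
        for name, predicate in rules.items():
            if predicate(event):
                alerts.append({
                    "rule": name,
                    "host": event.get("host", {}).get("name"),
                    "subject": props.get("SubjectUserName"),
                    "target": props.get("TargetUserName"),
                    "member": props.get("MemberName"),
                })
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

Running the block yields exactly two alerts: the 4720 on the file server and the 4728 into Domain Admins. The defaultuser0 creation, the creation on the DC, the addition to a non-sensitive group and the 4624 logon are all filtered out, which is the behaviour the two rule descriptions above call for.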
Event Categories
The following table lists the data sources offered by this integration.
Data Source | Description |
---|---|
Access tokens | Security identifiers are extracted from several events |
Authentication logs | Audit logon events are examined in detail |
DLL monitoring | Information about DLLs is extracted from several events |
File monitoring | Information about files is extracted from several events |
Host network interface | Windows Filtering Platform collects information on processes having network activity |
Loaded DLLs | Sysmon events provide information on DLL loading |
PowerShell logs | Windows PowerShell logs are analyzed, and need to be specifically set up |
Process command-line parameters | Windows Security Auditing logs provide information about process creation |
Process monitoring | Windows Security Auditing logs are process tracking events |
Process use of network | Windows Filtering Platform collects information on processes having network activity |
Windows event logs | Events related to Windows Event Log shutdown or restart are analyzed |
Windows Registry | Registry auditing events are examined in detail |
WMI Objects | Windows WMI Activity events are analyzed, as well as events related to the WMI process |
Event Samples
Below are a few sample events and how Sekoia.io normalizes them.
{
"message": "{\"@timestamp\":\"2023-01-31T18:02:52.597Z\",\"@version\":\"1\",\"agent\":{\"ephemeral_id\":\"379a53ae-f8df-4fb9-9968-382db61f6dda\",\"hostname\":\"vm204d\",\"id\":\"9ecce8bd-f6ab-41ac-9936-14f8c2c81242\",\"type\":\"winlogbeat\",\"version\":\"7.0.0\"},\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"action\":\"Filtering Platform Connection\",\"code\":5156,\"created\":\"2023-01-31T18:02:53.233Z\",\"kind\":\"event\"},\"host\":{\"architecture\":\"x86_64\",\"hostname\":\"vm204d\",\"id\":\"68884df7-2cc9-4c09-a619-e1ccce85ac4e\",\"name\":\"vm204d\",\"os\":{\"build\":\"20348.1487\",\"family\":\"windows\",\"kernel\":\"10.0.20348.1487 (WinBuild.160101.0800)\",\"name\":\"Windows Server 2022 Datacenter\",\"platform\":\"windows\",\"version\":\"10.0\"}},\"log\":{\"level\":\"information\"},\"message\":\"The Windows Filtering Platform has permitted a connection.\\n\\nApplication Information:\\n\\tProcess ID:\\t\\t4\\n\\tApplication Name:\\tSystem\\n\\nNetwork Information:\\n\\tDirection:\\t\\tInbound\\n\\tSource Address:\\t\\t1.1.1.1\\n\\tSource Port:\\t\\t58499\\n\\tDestination Address:\\t192.168.240.196\\n\\tDestination Port:\\t\\t445\\n\\tProtocol:\\t\\t6\\n\\tInterface Index:\\t\\t9\\n\\nFilter Information:\\n\\tFilter Origin:\\t\\tUnknown\\n\\tFilter Run-Time ID:\\t71694\\n\\tLayer Name:\\t\\tReceive/Accept\\n\\tLayer Run-Time ID:\\t44\\n\\tRemote User ID:\\t\\tS-1-0-0\\n\\tRemote Machine 
ID:\\tS-1-0-0\",\"tags\":[\"beats_input_codec_plain_applied\"],\"type\":\"winlogbeat\",\"winlog\":{\"api\":\"wineventlog\",\"channel\":\"Security\",\"computer_name\":\"vm204d.example.org\",\"event_data\":{\"Application\":\"System\",\"DestAddress\":\"5.6.7.8\",\"DestPort\":\"445\",\"Direction\":\"%%14592\",\"FilterOrigin\":\"Unknown\",\"FilterRTID\":\"71694\",\"InterfaceIndex\":\"9\",\"LayerName\":\"%%14610\",\"LayerRTID\":\"44\",\"ProcessID\":\"4\",\"Protocol\":\"6\",\"RemoteMachineID\":\"S-1-0-0\",\"RemoteUserID\":\"S-1-0-0\",\"SourceAddress\":\"1.2.3.4\",\"SourcePort\":\"58499\"},\"event_id\":5156,\"keywords\":[\"Audit Success\"],\"opcode\":\"Info\",\"process\":{\"pid\":4,\"thread\":{\"id\":1940}},\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":614833249,\"task\":\"Filtering Platform Connection\",\"version\":1}}\n",
"event": {
"action": "Filtering Platform Connection",
"code": "5156",
"kind": "event",
"original": "The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t1.1.1.1\n\tSource Port:\t\t58499\n\tDestination Address:\t192.168.240.196\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\tInterface Index:\t\t9\n\nFilter Information:\n\tFilter Origin:\t\tUnknown\n\tFilter Run-Time ID:\t71694\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44\n\tRemote User ID:\t\tS-1-0-0\n\tRemote Machine ID:\tS-1-0-0",
"hash": "0ea8852922910c8bceeaff4bd0d18c79c045b2d5"
},
"@timestamp": "2023-01-31T18:02:52.597000Z",
"action": {
"properties": {
"Application": "System",
"DestAddress": "5.6.7.8",
"DestPort": "445",
"Direction": "%%14592",
"FilterOrigin": "Unknown",
"FilterRTID": "71694",
"InterfaceIndex": "9",
"LayerName": "%%14610",
"LayerRTID": "44",
"ProcessID": "4",
"Protocol": "6",
"RemoteMachineID": "S-1-0-0",
"RemoteUserID": "S-1-0-0",
"SourceAddress": "1.2.3.4",
"SourcePort": "58499"
},
"id": 5156
},
"agent": {
"ephemeral_id": "379a53ae-f8df-4fb9-9968-382db61f6dda",
"id": "9ecce8bd-f6ab-41ac-9936-14f8c2c81242",
"type": "winlogbeat",
"version": "7.0.0"
},
"host": {
"architecture": "x86_64",
"hostname": "vm204d",
"id": "68884df7-2cc9-4c09-a619-e1ccce85ac4e",
"name": "vm204d",
"os": {
"build": "20348.1487",
"family": "windows",
"kernel": "10.0.20348.1487 (WinBuild.160101.0800)",
"name": "Windows Server 2022 Datacenter",
"platform": "windows",
"version": "10.0"
}
},
"log": {
"level": "information"
},
"winlog": {
"api": "wineventlog",
"channel": "Security",
"computer_name": "vm204d.example.org",
"event_id": "5156",
"keywords": [
"Audit Success"
],
"opcode": "Info",
"process": {
"pid": 4,
"thread": {
"id": 1940
}
},
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": "614833249",
"task": "Filtering Platform Connection",
"version": 1
},
"related": {
"hash": [
"0ea8852922910c8bceeaff4bd0d18c79c045b2d5"
],
"hosts": [
"vm204d"
]
}
}
{
"message": "{\"@timestamp\":\"2023-06-23T08:15:46.358Z\",\"ecs\":{\"version\":\"1.0.0\"},\"type\":\"winlogbeat\",\"tags\":[\"beats_input_codec_plain_applied\"],\"agent\":{\"id\":\"c1e16f64-cfc4-4141-bdc0-71f2a0e45791\",\"ephemeral_id\":\"21a6bd0d-afb5-4e55-827e-5329797579a4\",\"hostname\":\"VM-FOO\",\"version\":\"7.0.0\",\"type\":\"winlogbeat\"},\"host\":{\"os\":{\"build\":\"14393.5921\",\"kernel\":\"10.0.14393.5921 (rs1_release.230504-1649)\",\"version\":\"10.0\",\"name\":\"Windows Server 2016 Datacenter\",\"family\":\"windows\",\"platform\":\"windows\"},\"id\":\"8ea16272-0ba2-4838-b321-1646a493a128\",\"hostname\":\"VM-FOO\",\"architecture\":\"x86_64\",\"name\":\"VM-FOO\"},\"winlog\":{\"process\":{\"pid\":756,\"thread\":{\"id\":13000}},\"event_data\":{\"TargetLogonId\":\"0x2374a6a43\",\"SubjectLogonId\":\"0x0\",\"TargetUserName\":\"FOO-FARM-ADMIN\",\"TargetUserSid\":\"S-1-5-21-776561741-920026266-725345543-12737\",\"TargetLinkedLogonId\":\"0x0\",\"ProcessId\":\"0x0\",\"AuthenticationPackageName\":\"Kerberos\",\"ImpersonationLevel\":\"%%1833\",\"LogonGuid\":\"{FBEAEF6D-F1DA-F8AD-A2B2-A3A9AAC706AD}\",\"LmPackageName\":\"-\",\"RestrictedAdminMode\":\"-\",\"VirtualAccount\":\"%%1843\",\"TransmittedServices\":\"-\",\"WorkstationName\":\"-\",\"TargetOutboundDomainName\":\"-\",\"IpAddress\":\"-\",\"ProcessName\":\"-\",\"TargetDomainName\":\"FOOBAR.NET\",\"KeyLength\":\"0\",\"ElevatedToken\":\"%%1842\",\"SubjectUserSid\":\"S-1-0-0\",\"TargetOutboundUserName\":\"-\",\"LogonType\":\"3\",\"SubjectUserName\":\"-\",\"LogonProcessName\":\"Kerberos\",\"SubjectDomainName\":\"-\",\"IpPort\":\"-\"},\"activity_id\":\"{DBC05D38-994B-0003-395D-C0DB4B99D901}\",\"record_id\":131091844,\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"opcode\":\"Info\",\"keywords\":[\"Audit 
Success\"],\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"task\":\"Logon\",\"channel\":\"Security\",\"computer_name\":\"VM-FOO.FOOBAR.NET\",\"version\":2,\"event_id\":4624,\"api\":\"wineventlog\"},\"log\":{\"level\":\"information\"},\"event\":{\"code\":4624,\"kind\":\"event\",\"action\":\"Logon\",\"created\":\"2023-06-23T08:15:47.185Z\"},\"@version\":\"1\",\"message\":\"An account was successfully logged on.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-0-0\\n\\tAccount Name:\\t\\t-\\n\\tAccount Domain:\\t\\t-\\n\\tLogon ID:\\t\\t0x0\\n\\nLogon Information:\\n\\tLogon Type:\\t\\t3\\n\\tRestricted Admin Mode:\\t-\\n\\tVirtual Account:\\t\\tNo\\n\\tElevated Token:\\t\\tYes\\n\\nImpersonation Level:\\t\\tImpersonation\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-1-5-21-776561741-920026266-725345543-12737\\n\\tAccount Name:\\t\\tFOO-FARM-ADMIN\\n\\tAccount Domain:\\t\\tFOOBAR.NET\\n\\tLogon ID:\\t\\t0x2374A6A43\\n\\tLinked Logon ID:\\t\\t0x0\\n\\tNetwork Account Name:\\t-\\n\\tNetwork Account Domain:\\t-\\n\\tLogon GUID:\\t\\t{FBEAEF6D-F1DA-F8AD-A2B2-A3A9AAC706AD}\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x0\\n\\tProcess Name:\\t\\t-\\n\\nNetwork Information:\\n\\tWorkstation Name:\\t-\\n\\tSource Network Address:\\t-\\n\\tSource Port:\\t\\t-\\n\\nDetailed Authentication Information:\\n\\tLogon Process:\\t\\tKerberos\\n\\tAuthentication Package:\\tKerberos\\n\\tTransited Services:\\t-\\n\\tPackage Name (NTLM only):\\t-\\n\\tKey Length:\\t\\t0\\n\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\n\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\n\\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\\n\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\n\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\n\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\n\\nThe authentication information fields provide detailed information about this specific logon request.\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\n\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\"}",
"event": {
"action": "authentication_network",
"code": "4624",
"kind": "event",
"original": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-776561741-920026266-725345543-12737\n\tAccount Name:\t\tFOO-FARM-ADMIN\n\tAccount Domain:\t\tFOOBAR.NET\n\tLogon ID:\t\t0x2374A6A43\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{FBEAEF6D-F1DA-F8AD-A2B2-A3A9AAC706AD}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
"hash": "009b8a99fa360981d2f0407a8513d7742fc6a311",
"category": [
"authentication"
],
"type": [
"start"
]
},
"sekoiaio": {
"client": {
"os": {
"type": "windows"
},
"name": "VM-FOO",
"user": {
"id": "S-1-0-0"
}
},
"server": {
"name": "VM-FOO",
"os": {
"type": "windows"
}
}
},
"@timestamp": "2023-06-23T08:15:46.358000Z",
"action": {
"properties": {
"TargetLogonId": "0x2374a6a43",
"SubjectLogonId": "0x0",
"TargetUserName": "FOO-FARM-ADMIN",
"TargetUserSid": "S-1-5-21-776561741-920026266-725345543-12737",
"TargetLinkedLogonId": "0x0",
"ProcessId": "0x0",
"AuthenticationPackageName": "Kerberos",
"ImpersonationLevel": "%%1833",
"LogonGuid": "{FBEAEF6D-F1DA-F8AD-A2B2-A3A9AAC706AD}",
"LmPackageName": "-",
"RestrictedAdminMode": "-",
"VirtualAccount": "%%1843",
"TransmittedServices": "-",
"WorkstationName": "-",
"TargetOutboundDomainName": "-",
"IpAddress": "-",
"ProcessName": "-",
"TargetDomainName": "FOOBAR.NET",
"KeyLength": "0",
"ElevatedToken": "%%1842",
"SubjectUserSid": "S-1-0-0",
"TargetOutboundUserName": "-",
"LogonType": "3",
"SubjectUserName": "-",
"LogonProcessName": "Kerberos",
"SubjectDomainName": "-",
"IpPort": "-"
},
"id": 4624,
"outcome": "success"
},
"user": {
"target": {
"name": "FOO-FARM-ADMIN",
"domain": "FOOBAR.NET",
"id": "S-1-5-21-776561741-920026266-725345543-12737"
}
},
"agent": {
"id": "c1e16f64-cfc4-4141-bdc0-71f2a0e45791",
"ephemeral_id": "21a6bd0d-afb5-4e55-827e-5329797579a4",
"version": "7.0.0",
"type": "winlogbeat"
},
"host": {
"os": {
"build": "14393.5921",
"kernel": "10.0.14393.5921 (rs1_release.230504-1649)",
"version": "10.0",
"name": "Windows Server 2016 Datacenter",
"family": "windows",
"platform": "windows"
},
"id": "8ea16272-0ba2-4838-b321-1646a493a128",
"hostname": "VM-FOO",
"architecture": "x86_64",
"name": "VM-FOO"
},
"log": {
"level": "information"
},
"winlog": {
"process": {
"pid": 756,
"thread": {
"id": 13000
}
},
"activity_id": "{dbc05d38-994b-0003-395d-c0db4b99d901}",
"record_id": "131091844",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"opcode": "Info",
"keywords": [
"Audit Success"
],
"provider_name": "Microsoft-Windows-Security-Auditing",
"task": "Logon",
"channel": "Security",
"computer_name": "VM-FOO.FOOBAR.NET",
"version": 2,
"event_id": "4624",
"api": "wineventlog"
},
"related": {
"hash": [
"009b8a99fa360981d2f0407a8513d7742fc6a311"
],
"hosts": [
"VM-FOO"
]
},
"process": {
"name": "Kerberos"
}
}
{
"message": "{\"@timestamp\":\"2023-01-31T18:02:52.597Z\",\"@version\":\"1\",\"agent\":{\"ephemeral_id\":\"379a53ae-f8df-4fb9-9968-382db61f6dda\",\"hostname\":\"vm204d\",\"id\":\"9ecce8bd-f6ab-41ac-9936-14f8c2c81242\",\"type\":\"winlogbeat\",\"version\":\"7.0.0\"},\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"action\":\"Filtering Platform Connection\",\"code\":5156,\"created\":\"2023-01-31T18:02:53.233Z\",\"kind\":\"event\"},\"host\":{\"architecture\":\"x86_64\",\"hostname\":\"vm204d\",\"id\":\"68884df7-2cc9-4c09-a619-e1ccce85ac4e\",\"name\":\"vm204d\",\"os\":{\"build\":\"20348.1487\",\"family\":\"windows\",\"kernel\":\"10.0.20348.1487 (WinBuild.160101.0800)\",\"name\":\"Windows Server 2022 Datacenter\",\"platform\":\"windows\",\"version\":\"10.0\"}},\"log\":{\"level\":\"information\"},\"message\":\"The Windows Filtering Platform has permitted a connection.\\n\\nApplication Information:\\n\\tProcess ID:\\t\\t4\\n\\tApplication Name:\\tSystem\\n\\nNetwork Information:\\n\\tDirection:\\t\\tInbound\\n\\tSource Address:\\t\\t192.168.83.100\\n\\tSource Port:\\t\\t58499\\n\\tDestination Address:\\t192.168.240.196\\n\\tDestination Port:\\t\\t445\\n\\tProtocol:\\t\\t6\\n\\tInterface Index:\\t\\t9\\n\\nFilter Information:\\n\\tFilter Origin:\\t\\tUnknown\\n\\tFilter Run-Time ID:\\t71694\\n\\tLayer Name:\\t\\tReceive/Accept\\n\\tLayer Run-Time ID:\\t44\\n\\tRemote User ID:\\t\\tS-1-0-0\\n\\tRemote Machine 
ID:\\tS-1-0-0\",\"tags\":[\"beats_input_codec_plain_applied\"],\"type\":\"winlogbeat\",\"winlog\":{\"api\":\"wineventlog\",\"channel\":\"Security\",\"computer_name\":\"vm204d.example.org\",\"event_data\":{\"Application\":\"System\",\"DestAddress\":\"5.6.7.8\",\"DestPort\":\"445\",\"Direction\":\"%%14592\",\"FilterOrigin\":\"Unknown\",\"FilterRTID\":\"71694\",\"InterfaceIndex\":\"9\",\"LayerName\":\"%%14610\",\"LayerRTID\":\"44\",\"ProcessID\":\"4\",\"Protocol\":\"6\",\"RemoteMachineID\":\"S-1-0-0\",\"RemoteUserID\":\"S-1-0-0\",\"SourceAddress\":\"1.2.3.4\",\"SourcePort\":\"58499\"},\"event_id\":5156,\"keywords\":[\"Audit Success\"],\"opcode\":\"Info\",\"process\":{\"pid\":4,\"thread\":{\"id\":1940}},\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":614833249,\"task\":\"Filtering Platform Connection\",\"version\":1}}\n",
"event": {
"action": "Filtering Platform Connection",
"code": "5156",
"kind": "event",
"original": "The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t192.168.83.100\n\tSource Port:\t\t58499\n\tDestination Address:\t192.168.240.196\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\tInterface Index:\t\t9\n\nFilter Information:\n\tFilter Origin:\t\tUnknown\n\tFilter Run-Time ID:\t71694\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44\n\tRemote User ID:\t\tS-1-0-0\n\tRemote Machine ID:\tS-1-0-0",
"hash": "ab796c9b97ae44dbe45db2b945d2c773175b2e08"
},
"@timestamp": "2023-01-31T18:02:52.597000Z",
"action": {
"properties": {
"Application": "System",
"DestAddress": "5.6.7.8",
"DestPort": "445",
"Direction": "%%14592",
"FilterOrigin": "Unknown",
"FilterRTID": "71694",
"InterfaceIndex": "9",
"LayerName": "%%14610",
"LayerRTID": "44",
"ProcessID": "4",
"Protocol": "6",
"RemoteMachineID": "S-1-0-0",
"RemoteUserID": "S-1-0-0",
"SourceAddress": "1.2.3.4",
"SourcePort": "58499"
},
"id": 5156
},
"agent": {
"ephemeral_id": "379a53ae-f8df-4fb9-9968-382db61f6dda",
"id": "9ecce8bd-f6ab-41ac-9936-14f8c2c81242",
"type": "winlogbeat",
"version": "7.0.0"
},
"host": {
"architecture": "x86_64",
"hostname": "vm204d",
"id": "68884df7-2cc9-4c09-a619-e1ccce85ac4e",
"name": "vm204d",
"os": {
"build": "20348.1487",
"family": "windows",
"kernel": "10.0.20348.1487 (WinBuild.160101.0800)",
"name": "Windows Server 2022 Datacenter",
"platform": "windows",
"version": "10.0"
}
},
"log": {
"level": "information"
},
"winlog": {
"api": "wineventlog",
"channel": "Security",
"computer_name": "vm204d.example.org",
"event_id": "5156",
"keywords": [
"Audit Success"
],
"opcode": "Info",
"process": {
"pid": 4,
"thread": {
"id": 1940
}
},
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": "614833249",
"task": "Filtering Platform Connection",
"version": 1
},
"related": {
"hash": [
"ab796c9b97ae44dbe45db2b945d2c773175b2e08"
],
"hosts": [
"vm204d"
]
}
}
{
"message": "{\"@timestamp\":\"2023-01-31T18:02:50.013Z\",\"@version\":\"1\",\"agent\":{\"ephemeral_id\":\"f1b3df69-328e-4e41-be73-bec093727c32\",\"hostname\":\"vm-exc-msg-3\",\"id\":\"d47011da-0be2-4021-8336-e418c1eb2c3b\",\"type\":\"winlogbeat\",\"version\":\"7.0.0\"},\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"action\":\"Special Logon\",\"code\":4672,\"created\":\"2023-01-31T18:02:50.783Z\",\"kind\":\"event\"},\"host\":{\"architecture\":\"x86_64\",\"hostname\":\"vm-exc-msg-3\",\"id\":\"010a5b7c-d244-42f9-a547-bd544c30d518\",\"name\":\"vm-exc-msg-3\",\"os\":{\"build\":\"14393.5648\",\"family\":\"windows\",\"kernel\":\"10.0.14393.5648 (rs1_release.230105-1654)\",\"name\":\"Windows Server 2016 Datacenter\",\"platform\":\"windows\",\"version\":\"10.0\"}},\"log\":{\"level\":\"information\"},\"message\":\"Special privileges assigned to new logon.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-5-21-776561741-920026266-725345543-17198\\n\\tAccount Name:\\t\\tVM-EXC-MSG-4$\\n\\tAccount Domain:\\t\\tEXAMPLE\\n\\tLogon 
ID:\\t\\t0xC5D72273\\n\\nPrivileges:\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"tags\":[\"beats_input_codec_plain_applied\"],\"type\":\"winlogbeat\",\"winlog\":{\"activity_id\":\"{9F4E14C8-2C13-0004-4326-4E9F132CD901}\",\"api\":\"wineventlog\",\"channel\":\"Security\",\"computer_name\":\"vm-exc-msg-3.example.org\",\"event_data\":{\"PrivilegeList\":\"SeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"SubjectDomainName\":\"EXAMPLE\",\"SubjectLogonId\":\"0xc5d72273\",\"SubjectUserName\":\"VM-EXC-MSG-4$\",\"SubjectUserSid\":\"S-1-5-21-776561741-920026266-725345543-17198\"},\"event_id\":4672,\"keywords\":[\"Audit Success\"],\"opcode\":\"Info\",\"process\":{\"pid\":856,\"thread\":{\"id\":1784}},\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":1842784185,\"task\":\"Special Logon\"}}\n",
"event": {
"action": "Special Logon",
"code": "4672",
"kind": "event",
"original": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-776561741-920026266-725345543-17198\n\tAccount Name:\t\tVM-EXC-MSG-4$\n\tAccount Domain:\t\tEXAMPLE\n\tLogon ID:\t\t0xC5D72273\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege",
"hash": "b6bb91718122b7f68c88dccd13cbb6a0eec95599"
},
"@timestamp": "2023-01-31T18:02:50.013000Z",
"action": {
"properties": {
"PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege",
"SubjectDomainName": "EXAMPLE",
"SubjectLogonId": "0xc5d72273",
"SubjectUserName": "VM-EXC-MSG-4$",
"SubjectUserSid": "S-1-5-21-776561741-920026266-725345543-17198"
},
"id": 4672
},
"agent": {
"ephemeral_id": "f1b3df69-328e-4e41-be73-bec093727c32",
"id": "d47011da-0be2-4021-8336-e418c1eb2c3b",
"type": "winlogbeat",
"version": "7.0.0"
},
"host": {
"architecture": "x86_64",
"hostname": "vm-exc-msg-3",
"id": "010a5b7c-d244-42f9-a547-bd544c30d518",
"name": "vm-exc-msg-3",
"os": {
"build": "14393.5648",
"family": "windows",
"kernel": "10.0.14393.5648 (rs1_release.230105-1654)",
"name": "Windows Server 2016 Datacenter",
"platform": "windows",
"version": "10.0"
}
},
"log": {
"level": "information"
},
"winlog": {
"activity_id": "{9f4e14c8-2c13-0004-4326-4e9f132cd901}",
"api": "wineventlog",
"channel": "Security",
"computer_name": "vm-exc-msg-3.example.org",
"event_id": "4672",
"keywords": [
"Audit Success"
],
"opcode": "Info",
"process": {
"pid": 856,
"thread": {
"id": 1784
}
},
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": "1842784185",
"task": "Special Logon"
},
"related": {
"hash": [
"b6bb91718122b7f68c88dccd13cbb6a0eec95599"
],
"hosts": [
"vm-exc-msg-3"
]
}
}
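The samples above share one structure: the raw Winlogbeat JSON line arrives as a string in `message`, and the normalized document copies `winlog.event_data` into `action.properties`, sets `action.id` from the event ID, derives `action.outcome` from the audit keywords, and, for Security 4624, rewrites `event.action` to `authentication_network` and lifts the "New Logon" account into `user.target`. The following is an added example for this page (it is not Sekoia.io's parser) that performs that normalization on two constructed envelopes mirroring the 4624 and 5156 samples. The page confirms only the LogonType 3 to `authentication_network` mapping; the other `authentication_*` names derived from Microsoft's logon-type names are this example's own naming.

```python
import json

# Added example for this page (not Sekoia.io's parser): a small normalizer that
# takes one raw Winlogbeat JSON line (the string stored in "message" in the
# samples above) and produces the nested shape those samples show.

# Windows logon-type codes with Microsoft's documented names. The page confirms
# only LogonType 3 -> "authentication_network"; the other action names are
# this example's own naming, not the integration's.
LOGON_TYPES = {
    "2": "interactive", "3": "network", "4": "batch", "5": "service", "7": "unlock",
    "8": "networkcleartext", "9": "newcredentials", "10": "remoteinteractive",
    "11": "cachedinteractive",
}

# Constructed Winlogbeat envelopes (not real telemetry), trimmed to the fields
# the normalizer reads; the values mirror the page's samples.
RAW_4624 = json.dumps({
    "@timestamp": "2023-06-23T08:15:46.358Z",
    "message": "An account was successfully logged on.",
    "event": {"code": 4624, "action": "Logon", "kind": "event"},
    "host": {"name": "VM-FOO"},
    "winlog": {
        "channel": "Security", "event_id": 4624, "computer_name": "VM-FOO.FOOBAR.NET",
        "provider_name": "Microsoft-Windows-Security-Auditing", "keywords": ["Audit Success"],
        "event_data": {
            "LogonType": "3", "TargetUserName": "FOO-FARM-ADMIN", "TargetDomainName": "FOOBAR.NET",
            "TargetUserSid": "S-1-5-21-776561741-920026266-725345543-12737",
            "SubjectUserSid": "S-1-0-0", "IpAddress": "-", "LogonProcessName": "Kerberos",
        },
    },
})
RAW_5156 = json.dumps({
    "@timestamp": "2023-01-31T18:02:52.597Z",
    "message": "The Windows Filtering Platform has permitted a connection.",
    "event": {"code": 5156, "action": "Filtering Platform Connection", "kind": "event"},
    "host": {"name": "vm204d"},
    "winlog": {
        "channel": "Security", "event_id": 5156, "computer_name": "vm204d.example.org",
        "provider_name": "Microsoft-Windows-Security-Auditing", "keywords": ["Audit Success"],
        "event_data": {"Application": "System", "DestPort": "445", "Direction": "%%14592",
                       "SourceAddress": "1.2.3.4", "SourcePort": "58499"},
    },
})


def outcome_from_keywords(keywords):
    """Map the Security channel audit keywords to an outcome value."""
    if "Audit Success" in keywords:
        return "success"
    if "Audit Failure" in keywords:
        return "failure"
    return None


def normalize(raw_line):
    """Parse one Winlogbeat JSON line and build the normalized document."""
    src = json.loads(raw_line)
    winlog = src.get("winlog", {})
    props = dict(winlog.get("event_data", {}))
    event_id = winlog.get("event_id")
    host_name = src.get("host", {}).get("name")

    out = {
        "@timestamp": src.get("@timestamp"),
        "event": {
            "kind": "event",
            "code": str(event_id),          # event.code is a keyword field, so stringify
            "action": src.get("event", {}).get("action"),
            "original": src.get("message"),
        },
        "action": {"id": event_id, "properties": props},
        "winlog": {k: winlog[k] for k in ("channel", "provider_name", "computer_name", "keywords") if k in winlog},
        "related": {"hosts": [host_name] if host_name else []},
    }
    outcome = outcome_from_keywords(winlog.get("keywords", []))
    if outcome:
        out["action"]["outcome"] = outcome

    # Security 4624 (successful logon): derive the action from the logon type and
    # lift the "New Logon" account into user.target, dropping "-" placeholders.
    if winlog.get("channel") == "Security" and event_id == 4624:
        out["event"]["action"] = "authentication_" + LOGON_TYPES.get(props.get("LogonType"), "unknown")
        out["event"]["category"] = ["authentication"]
        out["event"]["type"] = ["start"]
        target = {"name": props.get("TargetUserName"), "domain": props.get("TargetDomainName"),
                  "id": props.get("TargetUserSid")}
        out["user"] = {"target": {k: v for k, v in target.items() if v not in (None, "-")}}
    return out


if __name__ == "__main__":
    print(json.dumps(normalize(RAW_4624), indent=2))
```

The 5156 envelope goes through the generic path only (no `user.target`, `event.action` kept as "Filtering Platform Connection"), while the 4624 envelope gains `event.category`, `event.type` and `user.target`, matching the two samples above. Windows fills absent values with "-", which is why the `user.target` builder drops them rather than indexing a literal dash.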
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Inferred fields are not listed.
Name | Type | Description |
---|---|---|
@timestamp | date | Date/time when the event originated. |
action.properties | object | The event-specific data. This field is mutually exclusive with user_data. If you are capturing event data on versions prior to Windows Vista, the parameters in event_data are named param1, param2, and so on, because event log parameters are unnamed in earlier versions of Windows. |
event.action | keyword | The action captured by the event. |
event.category | keyword | Event category. The second categorization field in the hierarchy. |
event.code | keyword | Identification code for this event. |
event.kind | keyword | The kind of the event. The highest categorization field in the hierarchy. |
event.module | keyword | Name of the module this data is coming from. |
event.original | keyword | Raw text message of the entire event. |
event.provider | keyword | Source of the event. |
event.reason | keyword | Reason why this event happened, according to the source. |
event.type | keyword | Event type. The third categorization field in the hierarchy. |
user.target.domain | keyword | Name of the directory the user is a member of. |
user.target.name | keyword | Short name or login of the user. |
winlog.activity_id | keyword | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. |
winlog.provider_guid | keyword | A globally unique identifier that identifies the provider that logged the event. |
Transport to the collector
Prerequisites
The following prerequisites are needed to set up log concentration:
- Administrator privileges on the host
- Network connectivity to a Logstash server listening for Beats input on TCP/5044
Configure the client
Install and configure Winlogbeat
- Download the Winlogbeat zip from the Elastic.co download page
- Extract the archive into `C:\Program Files\winlogbeat`
- Open a PowerShell prompt as an Administrator and run the following commands to install the service:

```powershell
PS C:\Users\Administrator> cd 'C:\Program Files\winlogbeat'
PS C:\Program Files\winlogbeat> .\install-service-winlogbeat.ps1
```

- Replace the configuration file `C:\Program Files\winlogbeat\winlogbeat.yml` with the following content:

```yaml
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
  - name: Security
  - name: ForwardedEvents
    tags: [forwarded]
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

# ====================== Elasticsearch template settings =======================
setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false

# ================================== Outputs ===================================
# Configure what output to use when sending the data collected by the beat.

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  enabled: false

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["logstash_concentrator:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~

# ================================== Logging ===================================
logging.level: info
#logging.to_files: true
#logging.files:
  #path: C:\ProgramData\winlogbeat\Logs
  #name: winlogbeat
  #keepfiles: 7
  #permissions: 0640
```

Warning
Don't forget to specify the location of your Logstash server in this configuration

- Save and validate the configuration with the command:

```powershell
PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e
```

- Set up assets:

```powershell
PS C:\Program Files\Winlogbeat> .\winlogbeat.exe setup -e
```

- Start the Winlogbeat service:

```powershell
PS C:\Program Files\Winlogbeat> Start-Service winlogbeat
```
Create the intake
Go to the intake page and create a new intake from the format Winlogbeat.
Forward logs to Sekoia.io
Please consult our guide to configure log forwarding from Logstash to Sekoia.io.
Enjoy your events
Go to the events page to watch your incoming events.