Skip to content

Winlogbeat

Overview

Winlogbeat is an open-source log collector that ships Windows Event Logs as JSON events.

Warning

This format is still in beta, please use it wisely.

Benefit from SEKOIA.IO built-in rules and upgrade Winlogbeat [BETA] with the following detection capabilities out-of-the-box.

SEKOIA.IO x Winlogbeat [BETA] on ATT&CK Navigator

WAF Block Rule

Detects when one of WAF rule blocked an HTTP request

  • Effort: master

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Access tokens security identifiers are extracted from several events
Authentication logs audit logon events are examined in detail
DLL monitoring information about dlls are extracted from several events
File monitoring information about files are extracted from several events
Host network interface Windows Filtering Platform collects information on processes having network activities
Loaded DLLs Sysmon events provide information on DLL loading
PowerShell logs Windows PowerShell logs are analyzed, and need to be specifically set up
Process command-line parameters Windows Security Auditing logs provide information about process creation
Process monitoring Windows Security Auditing logs are process tracking events
Process use of network Windows Filtering Platform collects information on processes having network activities
Windows event logs events related to Windows Event logs shutdown or restart are analyzed
Windows Registry registry auditing events are examined in detail
WMI Objects Windows WMI Activity events are analyzed, and events related to WMI process too

Event Samples

Find below few samples of events and how they are normalized by SEKOIA.IO.

{
    "message": "{\"@timestamp\":\"2023-01-31T18:02:52.597Z\",\"@version\":\"1\",\"agent\":{\"ephemeral_id\":\"379a53ae-f8df-4fb9-9968-382db61f6dda\",\"hostname\":\"vm204d\",\"id\":\"9ecce8bd-f6ab-41ac-9936-14f8c2c81242\",\"type\":\"winlogbeat\",\"version\":\"7.0.0\"},\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"action\":\"Filtering Platform Connection\",\"code\":5156,\"created\":\"2023-01-31T18:02:53.233Z\",\"kind\":\"event\"},\"host\":{\"architecture\":\"x86_64\",\"hostname\":\"vm204d\",\"id\":\"68884df7-2cc9-4c09-a619-e1ccce85ac4e\",\"name\":\"vm204d\",\"os\":{\"build\":\"20348.1487\",\"family\":\"windows\",\"kernel\":\"10.0.20348.1487 (WinBuild.160101.0800)\",\"name\":\"Windows Server 2022 Datacenter\",\"platform\":\"windows\",\"version\":\"10.0\"}},\"log\":{\"level\":\"information\"},\"message\":\"The Windows Filtering Platform has permitted a connection.\\n\\nApplication Information:\\n\\tProcess ID:\\t\\t4\\n\\tApplication Name:\\tSystem\\n\\nNetwork Information:\\n\\tDirection:\\t\\tInbound\\n\\tSource Address:\\t\\t192.168.83.100\\n\\tSource Port:\\t\\t58499\\n\\tDestination Address:\\t192.168.240.196\\n\\tDestination Port:\\t\\t445\\n\\tProtocol:\\t\\t6\\n\\tInterface Index:\\t\\t9\\n\\nFilter Information:\\n\\tFilter Origin:\\t\\tUnknown\\n\\tFilter Run-Time ID:\\t71694\\n\\tLayer Name:\\t\\tReceive/Accept\\n\\tLayer Run-Time ID:\\t44\\n\\tRemote User ID:\\t\\tS-1-0-0\\n\\tRemote Machine ID:\\tS-1-0-0\",\"tags\":[\"beats_input_codec_plain_applied\"],\"type\":\"winlogbeat\",\"winlog\":{\"api\":\"wineventlog\",\"channel\":\"Security\",\"computer_name\":\"vm204d.example.org\",\"event_data\":{\"Application\":\"System\",\"DestAddress\":\"5.6.7.8\",\"DestPort\":\"445\",\"Direction\":\"%%14592\",\"FilterOrigin\":\"Unknown\",\"FilterRTID\":\"71694\",\"InterfaceIndex\":\"9\",\"LayerName\":\"%%14610\",\"LayerRTID\":\"44\",\"ProcessID\":\"4\",\"Protocol\":\"6\",\"RemoteMachineID\":\"S-1-0-0\",\"RemoteUserID\":\"S-1-0-0\",\"SourceAddress\":\"1.2.3.4\",\"SourcePort\":\"58499\"},\"event_id\":5156,\"keywords\":[\"Audit Success\"],\"opcode\":\"Info\",\"process\":{\"pid\":4,\"thread\":{\"id\":1940}},\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":614833249,\"task\":\"Filtering Platform Connection\",\"version\":1}}\n",
    "event": {
        "action": "Filtering Platform Connection",
        "code": "5156",
        "kind": "event",
        "original": "The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t192.168.83.100\n\tSource Port:\t\t58499\n\tDestination Address:\t192.168.240.196\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\tInterface Index:\t\t9\n\nFilter Information:\n\tFilter Origin:\t\tUnknown\n\tFilter Run-Time ID:\t71694\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44\n\tRemote User ID:\t\tS-1-0-0\n\tRemote Machine ID:\tS-1-0-0",
        "hash": "ab796c9b97ae44dbe45db2b945d2c773175b2e08"
    },
    "@timestamp": "2023-01-31T18:02:52.597Z",
    "agent": {
        "ephemeral_id": "379a53ae-f8df-4fb9-9968-382db61f6dda",
        "id": "9ecce8bd-f6ab-41ac-9936-14f8c2c81242",
        "type": "winlogbeat",
        "version": "7.0.0"
    },
    "host": {
        "architecture": "x86_64",
        "hostname": "vm204d",
        "id": "68884df7-2cc9-4c09-a619-e1ccce85ac4e",
        "name": "vm204d",
        "os": {
            "build": "20348.1487",
            "family": "windows",
            "kernel": "10.0.20348.1487 (WinBuild.160101.0800)",
            "name": "Windows Server 2022 Datacenter",
            "platform": "windows",
            "version": "10.0"
        }
    },
    "log": {
        "level": "information"
    },
    "winlog": {
        "api": "wineventlog",
        "channel": "Security",
        "computer_name": "vm204d.example.org",
        "event_data": {
            "Application": "System",
            "DestAddress": "5.6.7.8",
            "DestPort": "445",
            "Direction": "%%14592",
            "FilterOrigin": "Unknown",
            "FilterRTID": "71694",
            "InterfaceIndex": "9",
            "LayerName": "%%14610",
            "LayerRTID": "44",
            "ProcessID": "4",
            "Protocol": "6",
            "RemoteMachineID": "S-1-0-0",
            "RemoteUserID": "S-1-0-0",
            "SourceAddress": "1.2.3.4",
            "SourcePort": "58499"
        },
        "event_id": "5156",
        "keywords": [
            "Audit Success"
        ],
        "opcode": "Info",
        "process": {
            "pid": 4,
            "thread": {
                "id": 1940
            }
        },
        "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
        "provider_name": "Microsoft-Windows-Security-Auditing",
        "record_id": "614833249",
        "task": "Filtering Platform Connection",
        "version": 1
    },
    "related": {
        "hash": [
            "ab796c9b97ae44dbe45db2b945d2c773175b2e08"
        ],
        "hosts": [
            "vm204d"
        ]
    }
}
{
    "message": "{\"@timestamp\":\"2023-01-31T18:02:50.013Z\",\"@version\":\"1\",\"agent\":{\"ephemeral_id\":\"f1b3df69-328e-4e41-be73-bec093727c32\",\"hostname\":\"vm-exc-msg-3\",\"id\":\"d47011da-0be2-4021-8336-e418c1eb2c3b\",\"type\":\"winlogbeat\",\"version\":\"7.0.0\"},\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"action\":\"Special Logon\",\"code\":4672,\"created\":\"2023-01-31T18:02:50.783Z\",\"kind\":\"event\"},\"host\":{\"architecture\":\"x86_64\",\"hostname\":\"vm-exc-msg-3\",\"id\":\"010a5b7c-d244-42f9-a547-bd544c30d518\",\"name\":\"vm-exc-msg-3\",\"os\":{\"build\":\"14393.5648\",\"family\":\"windows\",\"kernel\":\"10.0.14393.5648 (rs1_release.230105-1654)\",\"name\":\"Windows Server 2016 Datacenter\",\"platform\":\"windows\",\"version\":\"10.0\"}},\"log\":{\"level\":\"information\"},\"message\":\"Special privileges assigned to new logon.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-5-21-776561741-920026266-725345543-17198\\n\\tAccount Name:\\t\\tVM-EXC-MSG-4$\\n\\tAccount Domain:\\t\\tEXAMPLE\\n\\tLogon ID:\\t\\t0xC5D72273\\n\\nPrivileges:\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"tags\":[\"beats_input_codec_plain_applied\"],\"type\":\"winlogbeat\",\"winlog\":{\"activity_id\":\"{9F4E14C8-2C13-0004-4326-4E9F132CD901}\",\"api\":\"wineventlog\",\"channel\":\"Security\",\"computer_name\":\"vm-exc-msg-3.example.org\",\"event_data\":{\"PrivilegeList\":\"SeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"SubjectDomainName\":\"EXAMPLE\",\"SubjectLogonId\":\"0xc5d72273\",\"SubjectUserName\":\"VM-EXC-MSG-4$\",\"SubjectUserSid\":\"S-1-5-21-776561741-920026266-725345543-17198\"},\"event_id\":4672,\"keywords\":[\"Audit Success\"],\"opcode\":\"Info\",\"process\":{\"pid\":856,\"thread\":{\"id\":1784}},\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":1842784185,\"task\":\"Special Logon\"}}\n",
    "event": {
        "action": "Special Logon",
        "code": "4672",
        "kind": "event",
        "original": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-776561741-920026266-725345543-17198\n\tAccount Name:\t\tVM-EXC-MSG-4$\n\tAccount Domain:\t\tEXAMPLE\n\tLogon ID:\t\t0xC5D72273\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege",
        "hash": "b6bb91718122b7f68c88dccd13cbb6a0eec95599"
    },
    "@timestamp": "2023-01-31T18:02:50.013Z",
    "agent": {
        "ephemeral_id": "f1b3df69-328e-4e41-be73-bec093727c32",
        "id": "d47011da-0be2-4021-8336-e418c1eb2c3b",
        "type": "winlogbeat",
        "version": "7.0.0"
    },
    "host": {
        "architecture": "x86_64",
        "hostname": "vm-exc-msg-3",
        "id": "010a5b7c-d244-42f9-a547-bd544c30d518",
        "name": "vm-exc-msg-3",
        "os": {
            "build": "14393.5648",
            "family": "windows",
            "kernel": "10.0.14393.5648 (rs1_release.230105-1654)",
            "name": "Windows Server 2016 Datacenter",
            "platform": "windows",
            "version": "10.0"
        }
    },
    "log": {
        "level": "information"
    },
    "winlog": {
        "activity_id": "{9f4e14c8-2c13-0004-4326-4e9f132cd901}",
        "api": "wineventlog",
        "channel": "Security",
        "computer_name": "vm-exc-msg-3.example.org",
        "event_data": {
            "PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege",
            "SubjectDomainName": "EXAMPLE",
            "SubjectLogonId": "0xc5d72273",
            "SubjectUserName": "VM-EXC-MSG-4$",
            "SubjectUserSid": "S-1-5-21-776561741-920026266-725345543-17198"
        },
        "event_id": "4672",
        "keywords": [
            "Audit Success"
        ],
        "opcode": "Info",
        "process": {
            "pid": 856,
            "thread": {
                "id": 1784
            }
        },
        "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
        "provider_name": "Microsoft-Windows-Security-Auditing",
        "record_id": "1842784185",
        "task": "Special Logon"
    },
    "related": {
        "hash": [
            "b6bb91718122b7f68c88dccd13cbb6a0eec95599"
        ],
        "hosts": [
            "vm-exc-msg-3"
        ]
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
event.action keyword The action captured by the event.
event.category keyword Event category. The second categorization field in the hierarchy.
event.code keyword Identification code for this event.
event.kind keyword The kind of the event. The highest categorization field in the hierarchy.
event.module keyword Name of the module this data is coming from.
event.original keyword Raw text message of entire event.
event.provider keyword Source of the event.
event.reason keyword Reason why this event happened, according to the source
event.type keyword Event type. The third categorization field in the hierarchy.
winlog.activity_id keyword A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
winlog.provider_guid keyword A globally unique identifier that identifies the provider that logged the event.

Transport to the collector

Prerequisites

The following prerequisites are needed in order to setup efficient log concentration:

  • Have administrator privileges on the host
  • Traffic towards a logstash server which must listen beats input on port TCP/5044

Configure the client

Install and configure Winlogbeat

  1. Download Winlogbeat zip from the Elastic.co download page
  2. Extract the archive into C:\Program Files\winlogbeat
  3. Open a PowerShell prompt as an Administrator and run the following commands to install the service

    PS C:\Users\Administrator> cd 'C:\Program Files\winlogbeat'
    PS C:\Program Files\winlogbeat> .\install-service-winlogbeat.ps1
    
  4. Replace the configuration file C:\Program Files\winlogbeat\winlogbeat.yml by the following content:

    winlogbeat.event_logs:
      - name: Application
        ignore_older: 72h
      - name: System
      - name: Security
      - name: ForwardedEvents
        tags: [forwarded]
      - name: Windows PowerShell
        event_id: 400, 403, 600, 800
      - name: Microsoft-Windows-PowerShell/Operational
        event_id: 4103, 4104, 4105, 4106
    
    # ====================== Elasticsearch template settings =======================
    
    setup.template.settings:
      index.number_of_shards: 1
      #index.codec: best_compression
      #_source.enabled: false
    
    # ================================== Outputs ===================================
    
    # Configure what output to use when sending the data collected by the beat.
    
    # ---------------------------- Elasticsearch Output ----------------------------
    output.elasticsearch:
      enabled: false
    
    # ------------------------------ Logstash Output -------------------------------
    
    output.logstash:
      # The Logstash hosts
      hosts: ["logstash_concentrator:5044"]
    
      # Optional SSL. By default is off.
      # List of root certificates for HTTPS server verifications
      #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
    
      # Certificate for SSL client authentication
      #ssl.certificate: "/etc/pki/client/cert.pem"
    
      # Client Certificate Key
      #ssl.key: "/etc/pki/client/cert.key"
    
    # ================================= Processors =================================
    
    processors:
      - add_host_metadata:
          when.not.contains.tags: forwarded
      - add_cloud_metadata: ~
    
    # ================================== Logging ===================================
    
    logging.level: info
    #logging.to_files: true
    #logging.files:
      #path: C:\ProgramData\winlogbeat\Logs
      #name: winlogbeat
      #keepfiles: 7
      #permissions: 0640
    

    Warning

    Don't forget to specify the location of your logstash server in this configuration

  5. Save and validate the configuration with the command:

    PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e
    
  6. Set up assets:

    PS C:\Program Files\Winlogbeat> .\winlogbeat.exe setup -e
    
  7. Start the Winlogbeat service:

    PS C:\Program Files\Winlogbeat> Start-Service winlogbeat
    

Create the intake

Go to the intake page and create a new intake from the format Winlogbeat.

Transport to SEKOIA.IO

Please consult our guide to configure logs forwarding from Logstash to SEKOIA.IO.

Enjoy your events

Go to the events page to watch your incoming events.

Further Readings