Skip to content

Winlogbeat

Overview

Winlogbeat is an open-source log collector that ships Windows Event Logs as JSON events.

Benefit from SEKOIA.IO built-in rules and upgrade Winlogbeat with the following detection capabilities out-of-the-box.

SEKOIA.IO x Winlogbeat on ATT&CK Navigator

Account Added To A Security Enabled Group

Detection in order to investigate who has added a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4728)

  • Effort: master
Account Removed From A Security Enabled Group

Detection in order to investigate who has removed a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4729)

  • Effort: master
Backup Catalog Deleted

The rule detects when the Backup Catalog has been deleted. It means the administrators will not be able to access any backups that were created earlier to perform recoveries. This is often being done using the wbadmin.exe tool.

  • Effort: intermediate
DHCP Server Error Failed Loading the CallOut DLL

This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded.

  • Effort: intermediate
DHCP Server Loaded the CallOut DLL

This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded. This would indicate a succesful attack against DHCP service allowing to disrupt the service or alter the integrity of the responses.

  • Effort: intermediate
DNS Server Error Failed Loading The ServerLevelPluginDLL

This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded. This requires the dedicated Windows event provider Microsoft-Windows-DNS-Server-Service.

  • Effort: master
Domain Trust Created Or Removed

A trust was created or removed to a domain. An attacker could perform that in order to do lateral movement easily between domains or shutdown the ability of two domains to communicate.

  • Effort: advanced
Microsoft Defender Antivirus History Deleted

Windows Defender history has been deleted. Could be an attempt by an attacker to remove its traces.

  • Effort: master
Microsoft Defender Antivirus Tampering Detected

Detection of Windows Defender Tampering, from definitions' deletion to deactivation of parts or all of Defender.

  • Effort: advanced
Microsoft Defender Antivirus Threat Detected

Detection of a windows defender alert indicating the presence of potential malware

  • Effort: intermediate
Password Change On Directory Service Restore Mode (DSRM) Account

The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.

  • Effort: intermediate
Possible Replay Attack

This event can be a sign of Kerberos replay attack or, among other things, network device configuration or routing problems.

  • Effort: intermediate
Sysmon Windows File Block Executable

Sysmon has blocked an executable file from being written to the disk. This could be a malicious binary to investigate.

  • Effort: master
User Account Created

Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account defaultuser0 is excluded as only used during Windows set-up. This detection use Security Event ID 4720.

  • Effort: master
User Account Deleted

Detects local user deletion

  • Effort: master

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Access tokens security identifiers are extracted from several events
Authentication logs audit logon events are examined in detail
DLL monitoring information about dlls are extracted from several events
File monitoring information about files are extracted from several events
Host network interface Windows Filtering Platform collects information on processes having network activities
Loaded DLLs Sysmon events provide information on DLL loading
PowerShell logs Windows PowerShell logs are analyzed, and need to be specifically set up
Process command-line parameters Windows Security Auditing logs provide information about process creation
Process monitoring Windows Security Auditing logs are process tracking events
Process use of network Windows Filtering Platform collects information on processes having network activities
Windows event logs events related to Windows Event logs shutdown or restart are analyzed
Windows Registry registry auditing events are examined in detail
WMI Objects Windows WMI Activity events are analyzed, and events related to WMI process too

Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.

{
    "message": "{\"@timestamp\":\"2023-01-31T18:02:52.597Z\",\"@version\":\"1\",\"agent\":{\"ephemeral_id\":\"379a53ae-f8df-4fb9-9968-382db61f6dda\",\"hostname\":\"vm204d\",\"id\":\"9ecce8bd-f6ab-41ac-9936-14f8c2c81242\",\"type\":\"winlogbeat\",\"version\":\"7.0.0\"},\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"action\":\"Filtering Platform Connection\",\"code\":5156,\"created\":\"2023-01-31T18:02:53.233Z\",\"kind\":\"event\"},\"host\":{\"architecture\":\"x86_64\",\"hostname\":\"vm204d\",\"id\":\"68884df7-2cc9-4c09-a619-e1ccce85ac4e\",\"name\":\"vm204d\",\"os\":{\"build\":\"20348.1487\",\"family\":\"windows\",\"kernel\":\"10.0.20348.1487 (WinBuild.160101.0800)\",\"name\":\"Windows Server 2022 Datacenter\",\"platform\":\"windows\",\"version\":\"10.0\"}},\"log\":{\"level\":\"information\"},\"message\":\"The Windows Filtering Platform has permitted a connection.\\n\\nApplication Information:\\n\\tProcess ID:\\t\\t4\\n\\tApplication Name:\\tSystem\\n\\nNetwork Information:\\n\\tDirection:\\t\\tInbound\\n\\tSource Address:\\t\\t1.1.1.1\\n\\tSource Port:\\t\\t58499\\n\\tDestination Address:\\t192.168.240.196\\n\\tDestination Port:\\t\\t445\\n\\tProtocol:\\t\\t6\\n\\tInterface Index:\\t\\t9\\n\\nFilter Information:\\n\\tFilter Origin:\\t\\tUnknown\\n\\tFilter Run-Time ID:\\t71694\\n\\tLayer Name:\\t\\tReceive/Accept\\n\\tLayer Run-Time ID:\\t44\\n\\tRemote User ID:\\t\\tS-1-0-0\\n\\tRemote Machine ID:\\tS-1-0-0\",\"tags\":[\"beats_input_codec_plain_applied\"],\"type\":\"winlogbeat\",\"winlog\":{\"api\":\"wineventlog\",\"channel\":\"Security\",\"computer_name\":\"vm204d.example.org\",\"event_data\":{\"Application\":\"System\",\"DestAddress\":\"5.6.7.8\",\"DestPort\":\"445\",\"Direction\":\"%%14592\",\"FilterOrigin\":\"Unknown\",\"FilterRTID\":\"71694\",\"InterfaceIndex\":\"9\",\"LayerName\":\"%%14610\",\"LayerRTID\":\"44\",\"ProcessID\":\"4\",\"Protocol\":\"6\",\"RemoteMachineID\":\"S-1-0-0\",\"RemoteUserID\":\"S-1-0-0\",\"SourceAddress\":\"1.2.3.4\",\"SourcePort\":\"58499\"},\"event_id\":5156,\"keywords\":[\"Audit Success\"],\"opcode\":\"Info\",\"process\":{\"pid\":4,\"thread\":{\"id\":1940}},\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":614833249,\"task\":\"Filtering Platform Connection\",\"version\":1}}\n",
    "event": {
        "action": "Filtering Platform Connection",
        "code": "5156",
        "kind": "event",
        "original": "The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t1.1.1.1\n\tSource Port:\t\t58499\n\tDestination Address:\t192.168.240.196\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\tInterface Index:\t\t9\n\nFilter Information:\n\tFilter Origin:\t\tUnknown\n\tFilter Run-Time ID:\t71694\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44\n\tRemote User ID:\t\tS-1-0-0\n\tRemote Machine ID:\tS-1-0-0",
        "hash": "0ea8852922910c8bceeaff4bd0d18c79c045b2d5"
    },
    "@timestamp": "2023-01-31T18:02:52.597000Z",
    "action": {
        "properties": {
            "Application": "System",
            "DestAddress": "5.6.7.8",
            "DestPort": "445",
            "Direction": "%%14592",
            "FilterOrigin": "Unknown",
            "FilterRTID": "71694",
            "InterfaceIndex": "9",
            "LayerName": "%%14610",
            "LayerRTID": "44",
            "ProcessID": "4",
            "Protocol": "6",
            "RemoteMachineID": "S-1-0-0",
            "RemoteUserID": "S-1-0-0",
            "SourceAddress": "1.2.3.4",
            "SourcePort": "58499"
        },
        "id": 5156
    },
    "agent": {
        "ephemeral_id": "379a53ae-f8df-4fb9-9968-382db61f6dda",
        "id": "9ecce8bd-f6ab-41ac-9936-14f8c2c81242",
        "type": "winlogbeat",
        "version": "7.0.0"
    },
    "host": {
        "architecture": "x86_64",
        "hostname": "vm204d",
        "id": "68884df7-2cc9-4c09-a619-e1ccce85ac4e",
        "name": "vm204d",
        "os": {
            "build": "20348.1487",
            "family": "windows",
            "kernel": "10.0.20348.1487 (WinBuild.160101.0800)",
            "name": "Windows Server 2022 Datacenter",
            "platform": "windows",
            "version": "10.0"
        }
    },
    "log": {
        "level": "information"
    },
    "winlog": {
        "api": "wineventlog",
        "channel": "Security",
        "computer_name": "vm204d.example.org",
        "event_id": "5156",
        "keywords": [
            "Audit Success"
        ],
        "opcode": "Info",
        "process": {
            "pid": 4,
            "thread": {
                "id": 1940
            }
        },
        "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
        "provider_name": "Microsoft-Windows-Security-Auditing",
        "record_id": "614833249",
        "task": "Filtering Platform Connection",
        "version": 1
    },
    "related": {
        "hash": [
            "0ea8852922910c8bceeaff4bd0d18c79c045b2d5"
        ],
        "hosts": [
            "vm204d"
        ]
    }
}
{
    "message": "{\"@timestamp\":\"2023-06-23T08:15:46.358Z\",\"ecs\":{\"version\":\"1.0.0\"},\"type\":\"winlogbeat\",\"tags\":[\"beats_input_codec_plain_applied\"],\"agent\":{\"id\":\"c1e16f64-cfc4-4141-bdc0-71f2a0e45791\",\"ephemeral_id\":\"21a6bd0d-afb5-4e55-827e-5329797579a4\",\"hostname\":\"VM-FOO\",\"version\":\"7.0.0\",\"type\":\"winlogbeat\"},\"host\":{\"os\":{\"build\":\"14393.5921\",\"kernel\":\"10.0.14393.5921 (rs1_release.230504-1649)\",\"version\":\"10.0\",\"name\":\"Windows Server 2016 Datacenter\",\"family\":\"windows\",\"platform\":\"windows\"},\"id\":\"8ea16272-0ba2-4838-b321-1646a493a128\",\"hostname\":\"VM-FOO\",\"architecture\":\"x86_64\",\"name\":\"VM-FOO\"},\"winlog\":{\"process\":{\"pid\":756,\"thread\":{\"id\":13000}},\"event_data\":{\"TargetLogonId\":\"0x2374a6a43\",\"SubjectLogonId\":\"0x0\",\"TargetUserName\":\"FOO-FARM-ADMIN\",\"TargetUserSid\":\"S-1-5-21-776561741-920026266-725345543-12737\",\"TargetLinkedLogonId\":\"0x0\",\"ProcessId\":\"0x0\",\"AuthenticationPackageName\":\"Kerberos\",\"ImpersonationLevel\":\"%%1833\",\"LogonGuid\":\"{FBEAEF6D-F1DA-F8AD-A2B2-A3A9AAC706AD}\",\"LmPackageName\":\"-\",\"RestrictedAdminMode\":\"-\",\"VirtualAccount\":\"%%1843\",\"TransmittedServices\":\"-\",\"WorkstationName\":\"-\",\"TargetOutboundDomainName\":\"-\",\"IpAddress\":\"-\",\"ProcessName\":\"-\",\"TargetDomainName\":\"FOOBAR.NET\",\"KeyLength\":\"0\",\"ElevatedToken\":\"%%1842\",\"SubjectUserSid\":\"S-1-0-0\",\"TargetOutboundUserName\":\"-\",\"LogonType\":\"3\",\"SubjectUserName\":\"-\",\"LogonProcessName\":\"Kerberos\",\"SubjectDomainName\":\"-\",\"IpPort\":\"-\"},\"activity_id\":\"{DBC05D38-994B-0003-395D-C0DB4B99D901}\",\"record_id\":131091844,\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"opcode\":\"Info\",\"keywords\":[\"Audit Success\"],\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"task\":\"Logon\",\"channel\":\"Security\",\"computer_name\":\"VM-FOO.FOOBAR.NET\",\"version\":2,\"event_id\":4624,\"api\":\"wineventlog\"},\"log\":{\"level\":\"information\"},\"event\":{\"code\":4624,\"kind\":\"event\",\"action\":\"Logon\",\"created\":\"2023-06-23T08:15:47.185Z\"},\"@version\":\"1\",\"message\":\"An account was successfully logged on.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-0-0\\n\\tAccount Name:\\t\\t-\\n\\tAccount Domain:\\t\\t-\\n\\tLogon ID:\\t\\t0x0\\n\\nLogon Information:\\n\\tLogon Type:\\t\\t3\\n\\tRestricted Admin Mode:\\t-\\n\\tVirtual Account:\\t\\tNo\\n\\tElevated Token:\\t\\tYes\\n\\nImpersonation Level:\\t\\tImpersonation\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-1-5-21-776561741-920026266-725345543-12737\\n\\tAccount Name:\\t\\tFOO-FARM-ADMIN\\n\\tAccount Domain:\\t\\tFOOBAR.NET\\n\\tLogon ID:\\t\\t0x2374A6A43\\n\\tLinked Logon ID:\\t\\t0x0\\n\\tNetwork Account Name:\\t-\\n\\tNetwork Account Domain:\\t-\\n\\tLogon GUID:\\t\\t{FBEAEF6D-F1DA-F8AD-A2B2-A3A9AAC706AD}\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x0\\n\\tProcess Name:\\t\\t-\\n\\nNetwork Information:\\n\\tWorkstation Name:\\t-\\n\\tSource Network Address:\\t-\\n\\tSource Port:\\t\\t-\\n\\nDetailed Authentication Information:\\n\\tLogon Process:\\t\\tKerberos\\n\\tAuthentication Package:\\tKerberos\\n\\tTransited Services:\\t-\\n\\tPackage Name (NTLM only):\\t-\\n\\tKey Length:\\t\\t0\\n\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\n\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\n\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\n\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\n\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\n\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\n\\nThe authentication information fields provide detailed information about this specific logon request.\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\n\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\"}",
    "event": {
        "action": "authentication_network",
        "code": "4624",
        "kind": "event",
        "original": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-776561741-920026266-725345543-12737\n\tAccount Name:\t\tFOO-FARM-ADMIN\n\tAccount Domain:\t\tFOOBAR.NET\n\tLogon ID:\t\t0x2374A6A43\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{FBEAEF6D-F1DA-F8AD-A2B2-A3A9AAC706AD}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
        "hash": "009b8a99fa360981d2f0407a8513d7742fc6a311",
        "category": [
            "authentication"
        ],
        "type": [
            "start"
        ]
    },
    "sekoiaio": {
        "client": {
            "os": {
                "type": "windows"
            },
            "name": "VM-FOO",
            "user": {
                "id": "S-1-0-0"
            }
        },
        "server": {
            "name": "VM-FOO",
            "os": {
                "type": "windows"
            }
        }
    },
    "@timestamp": "2023-06-23T08:15:46.358000Z",
    "action": {
        "properties": {
            "TargetLogonId": "0x2374a6a43",
            "SubjectLogonId": "0x0",
            "TargetUserName": "FOO-FARM-ADMIN",
            "TargetUserSid": "S-1-5-21-776561741-920026266-725345543-12737",
            "TargetLinkedLogonId": "0x0",
            "ProcessId": "0x0",
            "AuthenticationPackageName": "Kerberos",
            "ImpersonationLevel": "%%1833",
            "LogonGuid": "{FBEAEF6D-F1DA-F8AD-A2B2-A3A9AAC706AD}",
            "LmPackageName": "-",
            "RestrictedAdminMode": "-",
            "VirtualAccount": "%%1843",
            "TransmittedServices": "-",
            "WorkstationName": "-",
            "TargetOutboundDomainName": "-",
            "IpAddress": "-",
            "ProcessName": "-",
            "TargetDomainName": "FOOBAR.NET",
            "KeyLength": "0",
            "ElevatedToken": "%%1842",
            "SubjectUserSid": "S-1-0-0",
            "TargetOutboundUserName": "-",
            "LogonType": "3",
            "SubjectUserName": "-",
            "LogonProcessName": "Kerberos",
            "SubjectDomainName": "-",
            "IpPort": "-"
        },
        "id": 4624,
        "outcome": "success"
    },
    "user": {
        "target": {
            "name": "FOO-FARM-ADMIN",
            "domain": "FOOBAR.NET",
            "id": "S-1-5-21-776561741-920026266-725345543-12737"
        }
    },
    "agent": {
        "id": "c1e16f64-cfc4-4141-bdc0-71f2a0e45791",
        "ephemeral_id": "21a6bd0d-afb5-4e55-827e-5329797579a4",
        "version": "7.0.0",
        "type": "winlogbeat"
    },
    "host": {
        "os": {
            "build": "14393.5921",
            "kernel": "10.0.14393.5921 (rs1_release.230504-1649)",
            "version": "10.0",
            "name": "Windows Server 2016 Datacenter",
            "family": "windows",
            "platform": "windows"
        },
        "id": "8ea16272-0ba2-4838-b321-1646a493a128",
        "hostname": "VM-FOO",
        "architecture": "x86_64",
        "name": "VM-FOO"
    },
    "log": {
        "level": "information"
    },
    "winlog": {
        "process": {
            "pid": 756,
            "thread": {
                "id": 13000
            }
        },
        "activity_id": "{dbc05d38-994b-0003-395d-c0db4b99d901}",
        "record_id": "131091844",
        "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
        "opcode": "Info",
        "keywords": [
            "Audit Success"
        ],
        "provider_name": "Microsoft-Windows-Security-Auditing",
        "task": "Logon",
        "channel": "Security",
        "computer_name": "VM-FOO.FOOBAR.NET",
        "version": 2,
        "event_id": "4624",
        "api": "wineventlog"
    },
    "related": {
        "hash": [
            "009b8a99fa360981d2f0407a8513d7742fc6a311"
        ],
        "hosts": [
            "VM-FOO"
        ]
    },
    "process": {
        "name": "Kerberos"
    }
}
{
    "message": "{\"@timestamp\":\"2023-01-31T18:02:52.597Z\",\"@version\":\"1\",\"agent\":{\"ephemeral_id\":\"379a53ae-f8df-4fb9-9968-382db61f6dda\",\"hostname\":\"vm204d\",\"id\":\"9ecce8bd-f6ab-41ac-9936-14f8c2c81242\",\"type\":\"winlogbeat\",\"version\":\"7.0.0\"},\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"action\":\"Filtering Platform Connection\",\"code\":5156,\"created\":\"2023-01-31T18:02:53.233Z\",\"kind\":\"event\"},\"host\":{\"architecture\":\"x86_64\",\"hostname\":\"vm204d\",\"id\":\"68884df7-2cc9-4c09-a619-e1ccce85ac4e\",\"name\":\"vm204d\",\"os\":{\"build\":\"20348.1487\",\"family\":\"windows\",\"kernel\":\"10.0.20348.1487 (WinBuild.160101.0800)\",\"name\":\"Windows Server 2022 Datacenter\",\"platform\":\"windows\",\"version\":\"10.0\"}},\"log\":{\"level\":\"information\"},\"message\":\"The Windows Filtering Platform has permitted a connection.\\n\\nApplication Information:\\n\\tProcess ID:\\t\\t4\\n\\tApplication Name:\\tSystem\\n\\nNetwork Information:\\n\\tDirection:\\t\\tInbound\\n\\tSource Address:\\t\\t192.168.83.100\\n\\tSource Port:\\t\\t58499\\n\\tDestination Address:\\t192.168.240.196\\n\\tDestination Port:\\t\\t445\\n\\tProtocol:\\t\\t6\\n\\tInterface Index:\\t\\t9\\n\\nFilter Information:\\n\\tFilter Origin:\\t\\tUnknown\\n\\tFilter Run-Time ID:\\t71694\\n\\tLayer Name:\\t\\tReceive/Accept\\n\\tLayer Run-Time ID:\\t44\\n\\tRemote User ID:\\t\\tS-1-0-0\\n\\tRemote Machine ID:\\tS-1-0-0\",\"tags\":[\"beats_input_codec_plain_applied\"],\"type\":\"winlogbeat\",\"winlog\":{\"api\":\"wineventlog\",\"channel\":\"Security\",\"computer_name\":\"vm204d.example.org\",\"event_data\":{\"Application\":\"System\",\"DestAddress\":\"5.6.7.8\",\"DestPort\":\"445\",\"Direction\":\"%%14592\",\"FilterOrigin\":\"Unknown\",\"FilterRTID\":\"71694\",\"InterfaceIndex\":\"9\",\"LayerName\":\"%%14610\",\"LayerRTID\":\"44\",\"ProcessID\":\"4\",\"Protocol\":\"6\",\"RemoteMachineID\":\"S-1-0-0\",\"RemoteUserID\":\"S-1-0-0\",\"SourceAddress\":\"1.2.3.4\",\"SourcePort\":\"58499\"},\"event_id\":5156,\"keywords\":[\"Audit Success\"],\"opcode\":\"Info\",\"process\":{\"pid\":4,\"thread\":{\"id\":1940}},\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":614833249,\"task\":\"Filtering Platform Connection\",\"version\":1}}\n",
    "event": {
        "action": "Filtering Platform Connection",
        "code": "5156",
        "kind": "event",
        "original": "The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t4\n\tApplication Name:\tSystem\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t192.168.83.100\n\tSource Port:\t\t58499\n\tDestination Address:\t192.168.240.196\n\tDestination Port:\t\t445\n\tProtocol:\t\t6\n\tInterface Index:\t\t9\n\nFilter Information:\n\tFilter Origin:\t\tUnknown\n\tFilter Run-Time ID:\t71694\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44\n\tRemote User ID:\t\tS-1-0-0\n\tRemote Machine ID:\tS-1-0-0",
        "hash": "ab796c9b97ae44dbe45db2b945d2c773175b2e08"
    },
    "@timestamp": "2023-01-31T18:02:52.597000Z",
    "action": {
        "properties": {
            "Application": "System",
            "DestAddress": "5.6.7.8",
            "DestPort": "445",
            "Direction": "%%14592",
            "FilterOrigin": "Unknown",
            "FilterRTID": "71694",
            "InterfaceIndex": "9",
            "LayerName": "%%14610",
            "LayerRTID": "44",
            "ProcessID": "4",
            "Protocol": "6",
            "RemoteMachineID": "S-1-0-0",
            "RemoteUserID": "S-1-0-0",
            "SourceAddress": "1.2.3.4",
            "SourcePort": "58499"
        },
        "id": 5156
    },
    "agent": {
        "ephemeral_id": "379a53ae-f8df-4fb9-9968-382db61f6dda",
        "id": "9ecce8bd-f6ab-41ac-9936-14f8c2c81242",
        "type": "winlogbeat",
        "version": "7.0.0"
    },
    "host": {
        "architecture": "x86_64",
        "hostname": "vm204d",
        "id": "68884df7-2cc9-4c09-a619-e1ccce85ac4e",
        "name": "vm204d",
        "os": {
            "build": "20348.1487",
            "family": "windows",
            "kernel": "10.0.20348.1487 (WinBuild.160101.0800)",
            "name": "Windows Server 2022 Datacenter",
            "platform": "windows",
            "version": "10.0"
        }
    },
    "log": {
        "level": "information"
    },
    "winlog": {
        "api": "wineventlog",
        "channel": "Security",
        "computer_name": "vm204d.example.org",
        "event_id": "5156",
        "keywords": [
            "Audit Success"
        ],
        "opcode": "Info",
        "process": {
            "pid": 4,
            "thread": {
                "id": 1940
            }
        },
        "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
        "provider_name": "Microsoft-Windows-Security-Auditing",
        "record_id": "614833249",
        "task": "Filtering Platform Connection",
        "version": 1
    },
    "related": {
        "hash": [
            "ab796c9b97ae44dbe45db2b945d2c773175b2e08"
        ],
        "hosts": [
            "vm204d"
        ]
    }
}
{
    "message": "{\"@timestamp\":\"2023-01-31T18:02:50.013Z\",\"@version\":\"1\",\"agent\":{\"ephemeral_id\":\"f1b3df69-328e-4e41-be73-bec093727c32\",\"hostname\":\"vm-exc-msg-3\",\"id\":\"d47011da-0be2-4021-8336-e418c1eb2c3b\",\"type\":\"winlogbeat\",\"version\":\"7.0.0\"},\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"action\":\"Special Logon\",\"code\":4672,\"created\":\"2023-01-31T18:02:50.783Z\",\"kind\":\"event\"},\"host\":{\"architecture\":\"x86_64\",\"hostname\":\"vm-exc-msg-3\",\"id\":\"010a5b7c-d244-42f9-a547-bd544c30d518\",\"name\":\"vm-exc-msg-3\",\"os\":{\"build\":\"14393.5648\",\"family\":\"windows\",\"kernel\":\"10.0.14393.5648 (rs1_release.230105-1654)\",\"name\":\"Windows Server 2016 Datacenter\",\"platform\":\"windows\",\"version\":\"10.0\"}},\"log\":{\"level\":\"information\"},\"message\":\"Special privileges assigned to new logon.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-5-21-776561741-920026266-725345543-17198\\n\\tAccount Name:\\t\\tVM-EXC-MSG-4$\\n\\tAccount Domain:\\t\\tEXAMPLE\\n\\tLogon ID:\\t\\t0xC5D72273\\n\\nPrivileges:\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"tags\":[\"beats_input_codec_plain_applied\"],\"type\":\"winlogbeat\",\"winlog\":{\"activity_id\":\"{9F4E14C8-2C13-0004-4326-4E9F132CD901}\",\"api\":\"wineventlog\",\"channel\":\"Security\",\"computer_name\":\"vm-exc-msg-3.example.org\",\"event_data\":{\"PrivilegeList\":\"SeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"SubjectDomainName\":\"EXAMPLE\",\"SubjectLogonId\":\"0xc5d72273\",\"SubjectUserName\":\"VM-EXC-MSG-4$\",\"SubjectUserSid\":\"S-1-5-21-776561741-920026266-725345543-17198\"},\"event_id\":4672,\"keywords\":[\"Audit Success\"],\"opcode\":\"Info\",\"process\":{\"pid\":856,\"thread\":{\"id\":1784}},\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":1842784185,\"task\":\"Special Logon\"}}\n",
    "event": {
        "action": "Special Logon",
        "code": "4672",
        "kind": "event",
        "original": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-776561741-920026266-725345543-17198\n\tAccount Name:\t\tVM-EXC-MSG-4$\n\tAccount Domain:\t\tEXAMPLE\n\tLogon ID:\t\t0xC5D72273\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege",
        "hash": "b6bb91718122b7f68c88dccd13cbb6a0eec95599"
    },
    "@timestamp": "2023-01-31T18:02:50.013000Z",
    "action": {
        "properties": {
            "PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege",
            "SubjectDomainName": "EXAMPLE",
            "SubjectLogonId": "0xc5d72273",
            "SubjectUserName": "VM-EXC-MSG-4$",
            "SubjectUserSid": "S-1-5-21-776561741-920026266-725345543-17198"
        },
        "id": 4672
    },
    "agent": {
        "ephemeral_id": "f1b3df69-328e-4e41-be73-bec093727c32",
        "id": "d47011da-0be2-4021-8336-e418c1eb2c3b",
        "type": "winlogbeat",
        "version": "7.0.0"
    },
    "host": {
        "architecture": "x86_64",
        "hostname": "vm-exc-msg-3",
        "id": "010a5b7c-d244-42f9-a547-bd544c30d518",
        "name": "vm-exc-msg-3",
        "os": {
            "build": "14393.5648",
            "family": "windows",
            "kernel": "10.0.14393.5648 (rs1_release.230105-1654)",
            "name": "Windows Server 2016 Datacenter",
            "platform": "windows",
            "version": "10.0"
        }
    },
    "log": {
        "level": "information"
    },
    "winlog": {
        "activity_id": "{9f4e14c8-2c13-0004-4326-4e9f132cd901}",
        "api": "wineventlog",
        "channel": "Security",
        "computer_name": "vm-exc-msg-3.example.org",
        "event_id": "4672",
        "keywords": [
            "Audit Success"
        ],
        "opcode": "Info",
        "process": {
            "pid": 856,
            "thread": {
                "id": 1784
            }
        },
        "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
        "provider_name": "Microsoft-Windows-Security-Auditing",
        "record_id": "1842784185",
        "task": "Special Logon"
    },
    "related": {
        "hash": [
            "b6bb91718122b7f68c88dccd13cbb6a0eec95599"
        ],
        "hosts": [
            "vm-exc-msg-3"
        ]
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
action.properties object The event-specific data. This field is mutually exclusive with user_data. If you are capturing event data on versions prior to Windows Vista, the parameters in event_data are named param1, param2, and so on, because event log parameters are unnamed in earlier versions of Windows.
event.action keyword The action captured by the event.
event.category keyword Event category. The second categorization field in the hierarchy.
event.code keyword Identification code for this event.
event.kind keyword The kind of the event. The highest categorization field in the hierarchy.
event.module keyword Name of the module this data is coming from.
event.original keyword Raw text message of entire event.
event.provider keyword Source of the event.
event.reason keyword Reason why this event happened, according to the source
event.type keyword Event type. The third categorization field in the hierarchy.
user.target.domain keyword Name of the directory the user is a member of.
user.target.name keyword Short name or login of the user.
winlog.activity_id keyword A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
winlog.provider_guid keyword A globally unique identifier that identifies the provider that logged the event.

Transport to the collector

Prerequisites

The following prerequisites are needed in order to setup efficient log concentration:

  • Have administrator privileges on the host
  • Traffic towards a logstash server which must listen beats input on port TCP/5044

Configure the client

Install and configure Winlogbeat

  1. Download Winlogbeat zip from the Elastic.co download page
  2. Extract the archive into C:\Program Files\winlogbeat
  3. Open a PowerShell prompt as an Administrator and run the following commands to install the service

    PS C:\Users\Administrator> cd 'C:\Program Files\winlogbeat'
    PS C:\Program Files\winlogbeat> .\install-service-winlogbeat.ps1
    
  4. Replace the configuration file C:\Program Files\winlogbeat\winlogbeat.yml by the following content:

    winlogbeat.event_logs:
      - name: Application
        ignore_older: 72h
      - name: System
      - name: Security
      - name: ForwardedEvents
        tags: [forwarded]
      - name: Windows PowerShell
        event_id: 400, 403, 600, 800
      - name: Microsoft-Windows-PowerShell/Operational
        event_id: 4103, 4104, 4105, 4106
    
    # ====================== Elasticsearch template settings =======================
    
    setup.template.settings:
      index.number_of_shards: 1
      #index.codec: best_compression
      #_source.enabled: false
    
    # ================================== Outputs ===================================
    
    # Configure what output to use when sending the data collected by the beat.
    
    # ---------------------------- Elasticsearch Output ----------------------------
    output.elasticsearch:
      enabled: false
    
    # ------------------------------ Logstash Output -------------------------------
    
    output.logstash:
      # The Logstash hosts
      hosts: ["logstash_concentrator:5044"]
    
      # Optional SSL. By default is off.
      # List of root certificates for HTTPS server verifications
      #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
    
      # Certificate for SSL client authentication
      #ssl.certificate: "/etc/pki/client/cert.pem"
    
      # Client Certificate Key
      #ssl.key: "/etc/pki/client/cert.key"
    
    # ================================= Processors =================================
    
    processors:
      - add_host_metadata:
          when.not.contains.tags: forwarded
      - add_cloud_metadata: ~
    
    # ================================== Logging ===================================
    
    logging.level: info
    #logging.to_files: true
    #logging.files:
      #path: C:\ProgramData\winlogbeat\Logs
      #name: winlogbeat
      #keepfiles: 7
      #permissions: 0640
    

    Warning

    Don't forget to specify the location of your logstash server in this configuration

  5. Save and validate the configuration with the command:

    PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e
    
  6. Set up assets:

    PS C:\Program Files\Winlogbeat> .\winlogbeat.exe setup -e
    
  7. Start the Winlogbeat service:

    PS C:\Program Files\Winlogbeat> Start-Service winlogbeat
    

Create the intake

Go to the intake page and create a new intake from the format Winlogbeat.

Forward logs to Sekoia.io

Please consult our guide to configure logs forwarding from Logstash to Sekoia.io.

Enjoy your events

Go to the events page to watch your incoming events.

Further Readings