1###################### Winlogbeat Configuration Example ##########################
2#
3# Malware Archaeology - WinLogBeat.yml file
4# Created by Michael Gough - April 2018
5#
6# This is a modified default Winlogbeat.yml file to collect many logs
7# not collected by default. Use this to expand collection and to
8# exclude items that are normal noise to cut back on what you collect
9# to your log management solution
10#
11# WARNING: Tabs are bad for .yml files and will NOT load. Use an editor you can see tabs vs spaces !!!!!!!
12#
13# ###############################################################################
14#
15# Use for Humio, ELK and any other supported log management solutions
16#
17# This file is an example configuration file highlighting only the most common
18# options. The winlogbeat.reference.yml file from the same directory contains all the
19# supported options with more comments. You can use it as a reference.
20#
21# You can find the full configuration reference here:
22# https://www.elastic.co/guide/en/beats/winlogbeat/index.html
23
24#======================= Winlogbeat specific options ==========================
25
26#
# Malware Archaeology added several logs to be collected that are not in
# the default winlogbeat.yml file. You must also enable some logs in
# Windows to collect the events. Several noisy Event IDs can be excluded (the event_id lines below that do so are commented out; uncomment them to apply):
30# 4689 - Process Terminate
31# 5158 - Windows Firewall has permitted a bind to a local port
32# 5157 - Windows Firewall has blocked a connection
33# 501 - Windows PowerShell v2 script terminate
34# 4105 - VERY noisy PowerShell v5 ScriptBlockInvocationLogging
35# 4106 - VERY noisy PowerShell v5 ScriptBlockInvocationLogging
36#
37# Add any other event logs that you want to collect, refer to the Cheat Sheets
38# for more information:
39# www.MalwareArchaeology.com/cheat-sheets
40#
41# -----------------------------------------------------------------------------
42# event_logs specifies a list of event logs to monitor as well as any
43# accompanying options. The YAML data type of event_logs is a list of
44# dictionaries.
45#
46# The supported keys are name (required), tags, fields, fields_under_root,
47# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
48# visit the documentation for the complete details of each option.
49# https://go.es.io/WinlogbeatConfig
50
winlogbeat.event_logs:
  # Security: every event is collected. The commented event_id line would
  # drop the noisy IDs named in the header (4689, 5158, 5157) — a leading
  # minus is Winlogbeat's exclusion syntax. Uncomment it to apply the filter.
  - name: Security
    # event_id: -4689, -5158, -5157
  # Application entries older than 720h (30 days) are ignored.
  - name: Application
    ignore_older: 720h
  - name: System
  # Classic (v2) PowerShell log; 501 is the script-terminate event.
  - name: "Windows PowerShell"
    # event_id: -501
  - name: "Microsoft-Windows-TaskScheduler/Operational"
  # PowerShell v5 log; 4105/4106 are the very noisy ScriptBlockInvocationLogging
  # events. Every other ID in this channel is still collected.
  - name: "Microsoft-Windows-PowerShell/Operational"
    # event_id: -4105, -4106
  - name: "Microsoft-Windows-Windows Defender/Operational"
  # Only the firewall channel keeps the raw event XML alongside the parsed fields.
  - name: "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
    include_xml: true
  # Optional: enable when the Sysmon service is installed.
  # - name: "Microsoft-Windows-Sysmon/Operational"
66#
67# ##########################################################################################################################
68#
69# These are the exclude events by type.
70
71# WARNING: WinLogBeat does NOT allow for wild card, so any items with a version can allow gaps if you broadly exclude
72#
73# e.g. C:\Users\<username>\AppData\Local\Google\Chrome\User Data\SwReporter\28.151.200\software_reporter_tool.exe
74# would be excluded by a broad statement to avoid future version entries:
75# C:\Users\<username>\AppData\Local\Google\Chrome\User Data\SwReporter
# This means anything dropped into or already present in that path will be excluded, including any malware.
# Be as specific as possible and avoid excluding by binary name alone: the name carries no file
# location, and malware often uses real application filenames. 'contains' is broader than 'equals'; use it sparingly.
79#
80# Exclude Process Created items - 4688
81#
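processors:
  # NOTE(review): every condition below names the field as event_data.*, the
  # Winlogbeat 6.x layout. Winlogbeat 7 moved it to winlog.event_data.* —
  # confirm against your version: a condition on a field that does not exist
  # matches nothing, the processor silently drops nothing, and all of the
  # "excluded" noise is shipped again.
  #
  # NOTE(review): '<username>' is a literal placeholder, so any equals or
  # contains value that still contains it can never match a real path. Either
  # substitute the real profile name(s) or use a regexp condition, which Beats
  # supports (the "no wild card" warning above holds only for equals/contains).
  # Constructed example — backslashes are doubled for the regex engine inside
  # a single-quoted YAML scalar:
  #   - regexp.event_data.NewProcessName: '^C:\\Users\\[^\\]+\\AppData\\Local\\slack\\Update\.exe$'
  #
  # Exclude Process Created items - 4688
  # Every condition is on NewProcessName alone: once a binary is dropped here,
  # its command line and parent process are not seen either.
  #
  - drop_event.when.or:
      - equals.event_data.NewProcessName: 'C:\Users\<username>\AppData\Local\slack\app-3.1.0\slack.exe'
      - equals.event_data.NewProcessName: 'C:\Users\<username>\AppData\Local\slack\Update.exe'
      - equals.event_data.NewProcessName: 'C:\Users\<username>\AppData\Roaming\Foxit Software\Addon\Foxit Reader\FoxitReaderUpdater.exe'
      - equals.event_data.NewProcessName: 'C:\Users\<username>\AppData\Local\Temp\SkypeSetup.exe'
      - contains.event_data.NewProcessName: 'C:\Users\<username>\AppData\Local\GoToMeeting\'
      # Listed once; the earlier revision carried this identical entry twice.
      - contains.event_data.NewProcessName: 'C:\Users\<username>\AppData\Local\Temp\LogMeInUpdates\GoToMeeting'
      # Directory prefix with no version folder: matches every SwReporter
      # release and anything else that lands under that directory — the case
      # the header warns about. It also subsumes the longer form of the same
      # path that used to sit in the browser section, which was removed.
      - contains.event_data.NewProcessName: 'AppData\Local\Google\Chrome\User Data\SwReporter\'
      # NOTE(review): binary name only, no directory — exactly what the header
      # advises against: any file named g2viewer.exe in any path is dropped.
      # Anchor it to the install directory once that is known.
      - contains.event_data.NewProcessName: '\g2viewer.exe'
      - contains.event_data.NewProcessName: 'C:\Users\<username>\AppData\Local\GoToMyPC\gotomypc_'
      - equals.event_data.NewProcessName: 'C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmMon.exe'
      - equals.event_data.NewProcessName: 'C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvSHIM.exe'
      - equals.event_data.NewProcessName: 'C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Notification.exe'
      - equals.event_data.NewProcessName: 'C:\Windows\System32\conhost.exe'
      # Directory prefix: every binary under the .NET 2.0 framework directory.
      - contains.event_data.NewProcessName: 'C:\Windows\Microsoft.NET\Framework64\v2.0.50727'
      - equals.event_data.NewProcessName: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe'
  #
  # Browser events are NOISY; what happens after the browser matters more than
  # what happens in it, and web proxy logs cover user browsing. This saves a
  # LOT of events. equals on the full install path means only the installed
  # copy is dropped; a same-named binary in another location is still logged.
  #
  # Exclude Process Created Browser items - 4688
  #
  - drop_event.when.or:
      - equals.event_data.NewProcessName: 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
      - equals.event_data.NewProcessName: 'C:\Program Files (x86)\Google\Update\GoogleUpdate.exe'
      - equals.event_data.NewProcessName: 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
      - equals.event_data.NewProcessName: 'C:\Program Files (x86)\Mozilla Firefox\updater.exe'
      - equals.event_data.NewProcessName: 'C:\Program Files (x86)\Mozilla Firefox\pingsender.exe'
      - equals.event_data.NewProcessName: 'C:\Program Files (x86)\Mozilla Maintenance Service\update\updater.exe'
  #
  # Exclude Command Line items - 4688
  #
  - drop_event.when.or:
      - equals.event_data.CommandLine: 'C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}'
      # The earlier equals entry for SearchFilterHost.exe (a truncated command
      # line with a stray quote) could never match and was covered by this
      # contains anyway; it was removed.
      - contains.event_data.CommandLine: 'C:\WINDOWS\system32\SearchFilterHost.exe'
      - equals.event_data.CommandLine: 'cmd ver'
  #
  # Exclude Win Firewall by Destination IP - 5156
  #
  # Exclude DNS, IPv6 loopback, multicast and broadcast.
  # NOTE(review): dropping every 5156 to the public resolvers also hides
  # non-DNS connections to those addresses (DNS over HTTPS runs on the same
  # IPs). A tighter form is an 'and' of the address with
  # equals.event_data.DestPort: '53'.
  #
  - drop_event.when.or:
      - equals.event_data.DestAddress: '1.1.1.1'
      - equals.event_data.DestAddress: '8.8.8.8'
      - equals.event_data.DestAddress: '8.8.4.4'
      # Site-specific directed broadcast: adjust to your own subnets.
      - equals.event_data.DestAddress: '10.1.50.255'
      - equals.event_data.DestAddress: '127.0.0.1'
      # Substring match covers the whole 224.0.0.x local-network control block;
      # the separate equals entries for 224.0.0.1 and 224.0.0.251 that it
      # subsumed were removed.
      - contains.event_data.DestAddress: '224.0.0.'
      - equals.event_data.DestAddress: '239.255.255.250'
      - equals.event_data.DestAddress: '255.255.255.255'
      - equals.event_data.DestAddress: '::1'
  #
  # Exclude Win Firewall by Source IP - 5156
  #
  # Exclude DNS, IPv6 link-local/loopback, multicast and broadcast.
  #
  - drop_event.when.or:
      - equals.event_data.SourceAddress: '239.255.255.250'
      - equals.event_data.SourceAddress: '239.255.255.255'
      - equals.event_data.SourceAddress: '255.255.255.255'
      # Site-specific directed broadcast: adjust to your own subnets.
      - equals.event_data.SourceAddress: '10.1.20.255'
      # Substring match covers the whole 224.0.0.x block; the equals entries
      # for 224.0.0.1, 224.0.0.251 and 224.0.0.252 that it subsumed were removed.
      - contains.event_data.SourceAddress: '224.0.0.'
      # Any IPv6 link-local source.
      - contains.event_data.SourceAddress: 'fe80::'
      - equals.event_data.SourceAddress: '::1'
      - equals.event_data.SourceAddress: '1.1.1.1'
      - equals.event_data.SourceAddress: '8.8.8.8'
      - equals.event_data.SourceAddress: '8.8.4.4'
  #
  # Exclude Win Firewall by Application source and destination - 5156
  #
  # Exclude noisy, typical chatter that won't tell you much. 5156 reports
  # Application as a lowercase \device\harddiskvolumeN\... path, which is why
  # these are lowercase path tails matched with contains rather than full paths.
  #
  - drop_event.when.or:
      - contains.event_data.Application: '\program files (x86)\dropbox\client\dropbox.exe'
      - contains.event_data.Application: '\program files (x86)\google\chrome\application\chrome.exe'
      - contains.event_data.Application: '\program files (x86)\mozilla firefox\firefox.exe'
      # Still contains '<username>', so this entry is inert until it is
      # replaced (see the note at the top of processors).
      - contains.event_data.Application: '\users\<username>\appdata\local\slack\app-'
      - contains.event_data.Application: '\windows\system32\spoolsv.exe'
  #
  # Exclude Win Firewall by Application AND Source IP - 5156
  #
  # Exclude by known trusted combinations of items; an 'and' keeps the
  # exclusion narrower than either condition alone.
  #
  # - drop_event.when.and:
  #     - contains.event_data.Application: '\program files\<some_program>\<App_Path>\binary.exe'
  #     - equals.event_data.SourceAddress: '192.168.5.123'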
177
178
179#==================== Elasticsearch template setting ==========================
180
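# Key corrected: the stock winlogbeat.yml uses setup.template.settings. The
# previous 'settemplate.settings' is not a Beats option, so the shard count
# below was never applied to the index template.
# NOTE(review): this only matters when the output is an Elasticsearch
# cluster; with the Humio endpoint configured under output, confirm whether
# template loading applies at all.
setup.template.settings:
  index.number_of_shards: 3
  # index.codec: best_compression
  # _source.enabled: false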
185
186#================================ General =====================================
187
188# The name of the shipper that publishes the network data. It can be used to group
189# all the transactions sent by a single shipper in the web interface.
190#name:
191
192# The tags of the shipper are included in their own field with each
193# transaction published.
194#tags: ["service-X", "web-tier"]
195
196# Optional fields that you can specify to add additional information to the
197# output.
198#fields:
199# env: staging
200
201
202#============================== Dashboards =====================================
203# These settings control loading the sample dashboards to the Kibana index. Loading
204# the dashboards is disabled by default and can be enabled either by setting the
205# options here, or by using the `-setup` CLI flag or the `setup` command.
206#setup.dashboards.enabled: false
207
208# The URL from where to download the dashboards archive. By default this URL
209# has a value which is computed based on the Beat name and version. For released
210# versions, this URL points to the dashboard archive on the artifacts.elastic.co
211# website.
212#setup.dashboards.url:
213
214#============================== Kibana =====================================
215
216# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
217# This requires a Kibana endpoint configuration.
setup.kibana:
  # Kibana endpoint used for dashboard loading. Scheme and port may be
  # omitted (defaults: http and 5601); a URL with an additional path needs
  # the scheme, e.g. http://localhost:5601/path. IPv6 addresses are written
  # in brackets: https://[2001:db8::1]:5601
  # host: "localhost:5601"
225
226#============================= Elastic Cloud ==================================
227
228# These settings simplify using winlogbeat with the Elastic Cloud (https://cloud.elastic.co/).
229
230# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
231# `setup.kibana.host` options.
232# You can find the `cloud.id` in the Elastic Cloud web UI.
233#cloud.id:
234
235# The cloud.auth setting overwrites the `output.elasticsearch.username` and
236# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
237#cloud.auth:
238
239#================================ Outputs =====================================
240
241# Configure what output to use when sending the data collected by the beat.
242
243#-------------------------- Elasticsearch output ------------------------------
244
245# Humio or ELK Configuration
246
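output:
  elasticsearch:
    # Humio's Elasticsearch-compatible ingest endpoint. 'sandbox' in the path
    # is the target repository; change it for your own repository. Keep the
    # https scheme and leave TLS verification at its default (do not set
    # ssl.verification_mode: none) — the ingest token travels in this request.
    hosts: ["https://cloud.humio.com:443/api/v1/dataspaces/sandbox/ingest/elasticsearch"]
    # Humio accepts the ingest token as the username. Never put the token in
    # this file: it is a bearer credential, and anyone who can read the config
    # can write into the repository. Store it in the Beats keystore
    #   winlogbeat.exe keystore create
    #   winlogbeat.exe keystore add HUMIO_INGEST_TOKEN
    # (the key name is your choice) and reference it here. The token that was
    # previously hard-coded in this file should be treated as exposed and
    # revoked in Humio.
    username: "${HUMIO_INGEST_TOKEN}"
    compression_level: 5
    bulk_max_size: 50
    worker: 1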
254
255#----------------------------- Logstash output --------------------------------
256#output.logstash:
257 # The Logstash hosts
258 #hosts: ["localhost:5044"]
259
260 # Optional SSL. By default is off.
261 # List of root certificates for HTTPS server verifications
262 #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
263
264 # Certificate for SSL client authentication
265 #ssl.certificate: "/etc/pki/client/cert.pem"
266
267 # Client Certificate Key
268 #ssl.key: "/etc/pki/client/cert.key"
269
270#================================ Logging =====================================
271
272# Sets log level. The default log level is info.
273# Available log levels are: error, warning, info, debug
274#logging.level: debug
275
276# At debug level, you can selectively enable logging only for some components.
277# To enable all selectors use ["*"]. Examples of other selectors are "beat",
278# "publish", "service".
279#logging.selectors: ["*"]
280
281#============================== Xpack Monitoring ===============================
282# winlogbeat can export internal metrics to a central Elasticsearch monitoring
283# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
284# reporting is disabled by default.
285
286# Set to true to enable the monitoring reporter.
287#xpack.monitoring.enabled: false
288
289# Uncomment to send the metrics to Elasticsearch. Most settings from the
290# Elasticsearch output are accepted here as well. Any setting that is not set is
291# automatically inherited from the Elasticsearch output configuration, so if you
292# have the Elasticsearch output configured, you can simply uncomment the
293# following line.
294#xpack.monitoring.elasticsearch: