I setup Graylog to collect all the windows event logs including file event logs on the file servers at work. I noticed that the winlogbeat_event_data_AccessList field was not what the event did rather a %%#### code. I decided to build a pipeline to format the winlogbeat_event_data_AccessList field into a new field I designated as AccessList.
I created a stream dedicated for Windows events and the corresponding rule that all messages containing the Windows tag will route to the Windows stream. All my Graylog collectors for Windows have the Windows tag.
stream-windows screenshot
I than created a pipeline which I named “format access list” which contains 3 stages. The first stage (stage 0) I created one rule in it titled skip_accesslist and used the following code.
rule "skip_accesslist"
when
NOT has_field("AccessList")
then
end
I than created the next stage (stage 1) which contained one rule titled “winlogbeat_event_data_AccessList_exists” and used the following code.
rule "winlogbeat_event_data_AccessList_exists"
when
has_field("winlogbeat_event_data_AccessList")
then
set_field("AccessList", "|");
end
I than created the last stage (stage 2) which contained ten rules each to follow below.
rule "winlogbeat_event_data_AccessList_%%4423"
when
has_field("winlogbeat_event_data_AccessList") && to_bool(regex("%%4423", to_string($message.winlogbeat_event_data_AccessList)).matches)
then
let temp1 = concat(to_string($message.AccessList), "ReadAttributes|");
set_field("AccessList", temp1);
end
rule "winlogbeat_event_data_AccessList_%%4417"
when
has_field("winlogbeat_event_data_AccessList") && to_bool(regex("%%4417", to_string($message.winlogbeat_event_data_AccessList)).matches)
then
let temp1 = concat(to_string($message.AccessList), "WriteData_or_AddFile|");
set_field("AccessList", temp1);
end
rule "winlogbeat_event_data_AccessList_%%4416"
when
has_field("winlogbeat_event_data_AccessList") && to_bool(regex("%%4416", to_string($message.winlogbeat_event_data_AccessList)).matches)
then
let temp1 = concat(to_string($message.AccessList), "ReadData_or_ListDirectory|");
set_field("AccessList", temp1);
end
rule "winlogbeat_event_data_AccessList_%%1537"
when
has_field("winlogbeat_event_data_AccessList") && to_bool(regex("%%1537", to_string($message.winlogbeat_event_data_AccessList)).matches)
then
let temp1 = concat(to_string($message.AccessList), "Delete|");
set_field("AccessList", temp1);
end
rule "winlogbeat_event_data_AccessList_%%1538"
when
has_field("winlogbeat_event_data_AccessList") && to_bool(regex("%%1538", to_string($message.winlogbeat_event_data_AccessList)).matches)
then
let temp1 = concat(to_string($message.AccessList), "READ_CONTROL|");
set_field("AccessList", temp1);
end
rule "winlogbeat_event_data_AccessList_%%4424"
when
has_field("winlogbeat_event_data_AccessList") && to_bool(regex("%%4424", to_string($message.winlogbeat_event_data_AccessList)).matches)
then
let temp1 = concat(to_string($message.AccessList), "WriteAttributes|");
set_field("AccessList", temp1);
end
rule "winlogbeat_event_data_AccessList_%%1541"
when
has_field("winlogbeat_event_data_AccessList") && to_bool(regex("%%1541", to_string($message.winlogbeat_event_data_AccessList)).matches)
then
let temp1 = concat(to_string($message.AccessList), "SYNCHRONIZE|");
set_field("AccessList", temp1);
end
rule "winlogbeat_event_data_AccessList_%%1539"
when
has_field("winlogbeat_event_data_AccessList") && to_bool(regex("%%1539", to_string($message.winlogbeat_event_data_AccessList)).matches)
then
let temp1 = concat(to_string($message.AccessList), "WRITE_DAC|");
set_field("AccessList", temp1);
end
rule "winlogbeat_event_data_AccessList_%%4419"
when
has_field("winlogbeat_event_data_AccessList") && to_bool(regex("%%4419", to_string($message.winlogbeat_event_data_AccessList)).matches)
then
let temp1 = concat(to_string($message.AccessList), "ReadEA|");
set_field("AccessList", temp1);
end
rule "winlogbeat_event_data_AccessList_%%1540"
when
has_field("winlogbeat_event_data_AccessList") && to_bool(regex("%%1540", to_string($message.winlogbeat_event_data_AccessList)).matches)
then
let temp1 = concat(to_string($message.AccessList), "WRITE_OWNER|");
set_field("AccessList", temp1);
end
which allows for this:
