Below is the input configuration used with version 7.12.

```yaml
winlogbeat.event_logs:
  - name: 'D:\eventlog\sample.evtx'
    processors:
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

processors:
  - include_fields:
      when:
        equals.winlog.event_id: 1
      fields: [ "winlog.event_id", "process.name", "process.pe", "process.hash" ]
```
The output is as follows. The intended field filtering succeeded.

```json
{
  "@timestamp": "2021-04-17T02:17:17.739Z",
  "@metadata": { "beat": "winlogbeat", "type": "_doc", "version": "7.12.1" },
  "process": {
    "name": "chrome.exe",
    "pe": {
      "original_file_name": "chrome.exe",
      "company": "Google LLC",
      "description": "Google Chrome",
      "file_version": "89.0.4389.128",
      "product": "Google Chrome",
      "imphash": "0130af721faf956e549e01f2d8404d29"
    },
    "hash": {
      "sha1": "287f37a4eac018d616476501c4cd021add6e35d8",
      "md5": "e60c84b6fb6336a79dd4f6df02401606",
      "sha256": "2c3a40fb1f92e82156cf97aabffd868e0c6acb9908e49e4424bb6471394911f3"
    }
  },
  "winlog": { "event_id": 1 }
}
```
Applying the same configuration to version 7.13, the filtering fails: the event passes through with every field intact.
```json
{
  "@timestamp": "2021-04-17T02:17:17.739Z",
  "@metadata": { "beat": "winlogbeat", "type": "_doc", "version": "7.13.0" },
  "log": { "level": "정보", "file": { "path": "D:\\eventlog\\1.evtx" } },
  "host": { "name": "MHKANG" },
  "winlog": {
    "task": "Process Create (rule: ProcessCreate)",
    "record_id": 26788970,
    "opcode": "정보",
    "user": { "name": "SYSTEM", "type": "Well Known Group", "identifier": "S-1-5-18", "domain": "NT AUTHORITY" },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer_name": "MHKANG",
    "provider_name": "Microsoft-Windows-Sysmon",
    "api": "wineventlog",
    "event_id": "1",
    "event_data": {
      "FileVersion": "89.0.4389.128",
      "TerminalSessionId": "1",
      "LogonGuid": "{c5aa717c-e8ac-6078-b1c9-110000000000}",
      "Company": "Google LLC",
      "IntegrityLevel": "Low",
      "Product": "Google Chrome",
      "LogonId": "0x11c9b1",
      "Description": "Google Chrome"
    },
    "process": { "pid": 5436, "thread": { "id": 6820 } },
    "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
    "version": 5
  },
  "process": {
    "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
    "command_line": "\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --type=renderer --field-trial-handle=1720,10943621126192091814,2318751130763562646,131072 --lang=ko --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=1136 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12792 /prefetch:1",
    "working_directory": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\89.0.4389.128\\",
    "pe": {
      "company": "Google LLC",
      "description": "Google Chrome",
      "file_version": "89.0.4389.128",
      "product": "Google Chrome",
      "imphash": "0130af721faf956e549e01f2d8404d29",
      "original_file_name": "chrome.exe"
    },
    "name": "chrome.exe",
    "hash": {
      "sha1": "287f37a4eac018d616476501c4cd021add6e35d8",
      "md5": "e60c84b6fb6336a79dd4f6df02401606",
      "sha256": "2c3a40fb1f92e82156cf97aabffd868e0c6acb9908e49e4424bb6471394911f3"
    },
    "pid": 13672,
    "parent": {
      "entity_id": "{c5aa717c-e95e-6078-bf01-000000006900}",
      "pid": 11992,
      "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
      "command_line": "\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" ",
      "name": "chrome.exe",
      "args": [ "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" ]
    },
    "args": [
      "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
      "--type=renderer",
      "--field-trial-handle=1720,10943621126192091814,2318751130763562646,131072",
      "--lang=ko",
      "--origin-trial-disabled-features=SecurePaymentConfirmation",
      "--device-scale-factor=1.25",
      "--num-raster-threads=4",
      "--enable-main-frame-before-activation",
      "--renderer-client-id=1136",
      "--no-v8-untrusted-code-mitigations",
      "--mojo-platform-channel-handle=12792",
      "/prefetch:1"
    ],
    "entity_id": "{c5aa717c-452d-607a-4212-000000006900}"
  },
  "user": { "name": "Administrator", "id": "S-1-5-18", "domain": "MHKANG" },
  "message": "Process Create:\nRuleName: -\nUtcTime: 2021-04-17 02:17:17.739\nProcessGuid: {c5aa717c-452d-607a-4212-000000006900}\nProcessId: 13672\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nFileVersion: 89.0.4389.128\nDescription: Google Chrome\nProduct: Google Chrome\nCompany: Google LLC\nOriginalFileName: chrome.exe\nCommandLine: \"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --type=renderer --field-trial-handle=1720,10943621126192091814,2318751130763562646,131072 --lang=ko --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=1136 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12792 /prefetch:1\nCurrentDirectory: C:\\Program Files (x86)\\Google\\Chrome\\Application\\89.0.4389.128\\\nUser: MHKANG\\Administrator\nLogonGuid: {c5aa717c-e8ac-6078-b1c9-110000000000}\nLogonId: 0x11C9B1\nTerminalSessionId: 1\nIntegrityLevel: Low\nHashes: SHA1=287F37A4EAC018D616476501C4CD021ADD6E35D8,MD5=E60C84B6FB6336A79DD4F6DF02401606,SHA256=2C3A40FB1F92E82156CF97AABFFD868E0C6ACB9908E49E4424BB6471394911F3,IMPHASH=0130AF721FAF956E549E01F2D8404D29\nParentProcessGuid: {c5aa717c-e95e-6078-bf01-000000006900}\nParentProcessId: 11992\nParentImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nParentCommandLine: \"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" ",
  "event": {
    "provider": "Microsoft-Windows-Sysmon",
    "action": "Process Create (rule: ProcessCreate)",
    "created": "2021-06-09T16:54:38.591Z",
    "code": "1",
    "kind": "event",
    "module": "sysmon",
    "category": [ "process" ],
    "type": [ "start", "process_start" ]
  },
  "related": {
    "hash": [
      "287f37a4eac018d616476501c4cd021add6e35d8",
      "e60c84b6fb6336a79dd4f6df02401606",
      "2c3a40fb1f92e82156cf97aabffd868e0c6acb9908e49e4424bb6471394911f3",
      "0130af721faf956e549e01f2d8404d29"
    ],
    "user": "Administrator"
  },
  "hash": {
    "imphash": "0130af721faf956e549e01f2d8404d29",
    "sha1": "287f37a4eac018d616476501c4cd021add6e35d8",
    "md5": "e60c84b6fb6336a79dd4f6df02401606",
    "sha256": "2c3a40fb1f92e82156cf97aabffd868e0c6acb9908e49e4424bb6471394911f3"
  },
  "ecs": { "version": "1.9.0" },
  "agent": {
    "type": "winlogbeat",
    "version": "7.13.0",
    "hostname": "MHKANG",
    "ephemeral_id": "08886c28-4442-4e46-a2b0-53ff501d740b",
    "id": "d6e7a447-dd91-4219-8b87-91a674ed7b94",
    "name": "MHKANG"
  }
}
```
Why does the filtering no longer work? Looking through the release notes, there is a change: event_id, which every version up to the previous one treated as a number, is now treated as a string. It appears to have been changed for consistency with the ECS schema, but isn't recognising a number as a number the more reasonable choice? I don't understand it.

Testing after a version change is mandatory. Wrapping the value in quotes so the condition compares against a string makes it work again.

```yaml
processors:
  - include_fields:
      when:
        equals.winlog.event_id: "1"
      fields: [ "winlog.event_id", "process.name", "process.pe", "process.hash" ]
```
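To make the failure mode concrete, here is an added example (not code from the original post and not Elastic's own processor implementation, which is Go code inside libbeat) that models the `equals` condition and the `include_fields` processor in JavaScript, the language Winlogbeat's script processor already uses. The model assumes only what the two outputs above demonstrate: `equals` compares type-strictly, and an `include_fields` processor whose `when` clause does not match leaves the event untouched. The two sample events are constructed from the outputs above and trimmed to the fields the example needs.

```javascript
// Added example, not from the original post or from Elastic: a minimal model of
// Winlogbeat's `equals` condition and `include_fields` processor, to show why a
// numeric condition matches 7.12 events but not 7.13 events.

// Constructed sample events. 7.12 emits winlog.event_id as a number,
// 7.13 emits it as a string; everything else is identical here.
const event712 = {
  "@timestamp": "2021-04-17T02:17:17.739Z",
  winlog: { event_id: 1, channel: "Microsoft-Windows-Sysmon/Operational" },
  process: {
    name: "chrome.exe",
    pe: { imphash: "0130af721faf956e549e01f2d8404d29" },
    hash: { md5: "e60c84b6fb6336a79dd4f6df02401606" },
    pid: 13672,
  },
  host: { name: "MHKANG" },
};
const event713 = JSON.parse(JSON.stringify(event712));
event713.winlog.event_id = "1";

// Read a dotted field path such as "winlog.event_id"; undefined if absent.
function getField(obj, path) {
  return path.split(".").reduce((cur, key) => (cur == null ? undefined : cur[key]), obj);
}

// Write a dotted field path, creating intermediate objects as needed.
function setField(obj, path, value) {
  const keys = path.split(".");
  let cur = obj;
  for (const key of keys.slice(0, -1)) {
    if (typeof cur[key] !== "object" || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = value;
}

// Model of the `equals` condition (assumption based on the observed behaviour):
// the configured value only matches a field of the same type, so the number 1
// does not equal the string "1".
function equalsCondition(event, path, expected) {
  const actual = getField(event, path);
  if (typeof expected === "number") return typeof actual === "number" && actual === expected;
  if (typeof expected === "string") return typeof actual === "string" && actual === expected;
  return false;
}

// Model of `include_fields`: when the condition matches, keep only the listed
// fields plus @timestamp/@metadata (which the 7.12 output shows being kept);
// when it does not match, return the event unchanged, as the 7.13 output shows.
function includeFields(event, condition, fields) {
  if (!equalsCondition(event, condition.path, condition.value)) return event;
  const out = {};
  for (const f of ["@timestamp", "@metadata", ...fields]) {
    const v = getField(event, f);
    if (v !== undefined) setField(out, f, v);
  }
  return out;
}

const FIELDS = ["winlog.event_id", "process.name", "process.pe", "process.hash"];

// The configuration from the post, applied to both events.
const r712 = includeFields(event712, { path: "winlog.event_id", value: 1 }, FIELDS);     // filtered
const r713num = includeFields(event713, { path: "winlog.event_id", value: 1 }, FIELDS);  // passes through
const r713str = includeFields(event713, { path: "winlog.event_id", value: "1" }, FIELDS); // filtered again

console.log(JSON.stringify({ r712, r713num, r713str }, null, 2));
```

Running the block prints the three results: `r712` and `r713str` contain only `@timestamp`, `winlog.event_id`, `process.name`, `process.pe` and `process.hash`, while `r713num` still carries `host`, `process.pid` and the rest, which is exactly the silent pass-through seen on 7.13. The practical check this suggests after any Beats upgrade is to feed one known event through the pipeline and confirm that the conditions still match, since a type change in a single field disables filtering without any error in the log.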