2021년 6월 10일 목요일

Winlogbeat 7.13의 변화

다음은 7.12 버전의 input 설정.

winlogbeat.event_logs:
  - name: 'D:\eventlog\sample.evtx'
    processors:
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

다음은 event_id 조건의 filter 설정.

processors:
  - include_fields:
      when:
        equals.winlog.event_id: 1
      fields: [ "winlog.event_id", "process.name", "process.pe", "process.hash" ]

실행 결과는 다음과 같다. 의도했던 필드 필터링 성공.

{
  "@timestamp": "2021-04-17T02:17:17.739Z",
  "@metadata": {
    "beat": "winlogbeat",
    "type": "_doc",
    "version": "7.12.1"
  },
  "process": {
    "name": "chrome.exe",
    "pe": {
      "original_file_name": "chrome.exe",
      "company": "Google LLC",
      "description": "Google Chrome",
      "file_version": "89.0.4389.128",
      "product": "Google Chrome",
      "imphash": "0130af721faf956e549e01f2d8404d29"
    },
    "hash": {
      "sha1": "287f37a4eac018d616476501c4cd021add6e35d8",
      "md5": "e60c84b6fb6336a79dd4f6df02401606",
      "sha256": "2c3a40fb1f92e82156cf97aabffd868e0c6acb9908e49e4424bb6471394911f3"
    }
  },
  "winlog": {
    "event_id": 1
  }
}

같은 설정을 7.13 버전에 적용하면

필터링 실패.

{
  "@timestamp": "2021-04-17T02:17:17.739Z",
  "@metadata": {
    "beat": "winlogbeat",
    "type": "_doc",
    "version": "7.13.0"
  },
  "log": {
    "level": "정보",
    "file": {
      "path": "D:\\eventlog\\1.evtx"
    }
  },
  "host": {
    "name": "MHKANG"
  },
  "winlog": {
    "task": "Process Create (rule: ProcessCreate)",
    "record_id": 26788970,
    "opcode": "정보",
    "user": {
      "name": "SYSTEM",
      "type": "Well Known Group",
      "identifier": "S-1-5-18",
      "domain": "NT AUTHORITY"
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer_name": "MHKANG",
    "provider_name": "Microsoft-Windows-Sysmon",
    "api": "wineventlog",
    "event_id": "1",
    "event_data": {
      "FileVersion": "89.0.4389.128",
      "TerminalSessionId": "1",
      "LogonGuid": "{c5aa717c-e8ac-6078-b1c9-110000000000}",
      "Company": "Google LLC",
      "IntegrityLevel": "Low",
      "Product": "Google Chrome",
      "LogonId": "0x11c9b1",
      "Description": "Google Chrome"
    },
    "process": {
      "pid": 5436,
      "thread": {
        "id": 6820
      }
    },
    "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
    "version": 5
  },
  "process": {
    "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
    "command_line": "\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --type=renderer --field-trial-handle=1720,10943621126192091814,2318751130763562646,131072 --lang=ko --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=1136 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12792 /prefetch:1",
    "working_directory": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\89.0.4389.128\\",
    "pe": {
      "company": "Google LLC",
      "description": "Google Chrome",
      "file_version": "89.0.4389.128",
      "product": "Google Chrome",
      "imphash": "0130af721faf956e549e01f2d8404d29",
      "original_file_name": "chrome.exe"
    },
    "name": "chrome.exe",
    "hash": {
      "sha1": "287f37a4eac018d616476501c4cd021add6e35d8",
      "md5": "e60c84b6fb6336a79dd4f6df02401606",
      "sha256": "2c3a40fb1f92e82156cf97aabffd868e0c6acb9908e49e4424bb6471394911f3"
    },
    "pid": 13672,
    "parent": {
      "entity_id": "{c5aa717c-e95e-6078-bf01-000000006900}",
      "pid": 11992,
      "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
      "command_line": "\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" ",
      "name": "chrome.exe",
      "args": [
        "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"
      ]
    },
    "args": [
      "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
      "--type=renderer",
      "--field-trial-handle=1720,10943621126192091814,2318751130763562646,131072",
      "--lang=ko",
      "--origin-trial-disabled-features=SecurePaymentConfirmation",
      "--device-scale-factor=1.25",
      "--num-raster-threads=4",
      "--enable-main-frame-before-activation",
      "--renderer-client-id=1136",
      "--no-v8-untrusted-code-mitigations",
      "--mojo-platform-channel-handle=12792",
      "/prefetch:1"
    ],
    "entity_id": "{c5aa717c-452d-607a-4212-000000006900}"
  },
  "user": {
    "name": "Administrator",
    "id": "S-1-5-18",
    "domain": "MHKANG"
  },
  "message": "Process Create:\nRuleName: -\nUtcTime: 2021-04-17 02:17:17.739\nProcessGuid: {c5aa717c-452d-607a-4212-000000006900}\nProcessId: 13672\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nFileVersion: 89.0.4389.128\nDescription: Google Chrome\nProduct: Google Chrome\nCompany: Google LLC\nOriginalFileName: chrome.exe\nCommandLine: \"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --type=renderer --field-trial-handle=1720,10943621126192091814,2318751130763562646,131072 --lang=ko --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=1136 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12792 /prefetch:1\nCurrentDirectory: C:\\Program Files (x86)\\Google\\Chrome\\Application\\89.0.4389.128\\\nUser: MHKANG\\Administrator\nLogonGuid: {c5aa717c-e8ac-6078-b1c9-110000000000}\nLogonId: 0x11C9B1\nTerminalSessionId: 1\nIntegrityLevel: Low\nHashes: SHA1=287F37A4EAC018D616476501C4CD021ADD6E35D8,MD5=E60C84B6FB6336A79DD4F6DF02401606,SHA256=2C3A40FB1F92E82156CF97AABFFD868E0C6ACB9908E49E4424BB6471394911F3,IMPHASH=0130AF721FAF956E549E01F2D8404D29\nParentProcessGuid: {c5aa717c-e95e-6078-bf01-000000006900}\nParentProcessId: 11992\nParentImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nParentCommandLine: \"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" ",
  "event": {
    "provider": "Microsoft-Windows-Sysmon",
    "action": "Process Create (rule: ProcessCreate)",
    "created": "2021-06-09T16:54:38.591Z",
    "code": "1",
    "kind": "event",
    "module": "sysmon",
    "category": [
      "process"
    ],
    "type": [
      "start",
      "process_start"
    ]
  },
  "related": {
    "hash": [
      "287f37a4eac018d616476501c4cd021add6e35d8",
      "e60c84b6fb6336a79dd4f6df02401606",
      "2c3a40fb1f92e82156cf97aabffd868e0c6acb9908e49e4424bb6471394911f3",
      "0130af721faf956e549e01f2d8404d29"
    ],
    "user": "Administrator"
  },
  "hash": {
    "imphash": "0130af721faf956e549e01f2d8404d29",
    "sha1": "287f37a4eac018d616476501c4cd021add6e35d8",
    "md5": "e60c84b6fb6336a79dd4f6df02401606",
    "sha256": "2c3a40fb1f92e82156cf97aabffd868e0c6acb9908e49e4424bb6471394911f3"
  },
  "ecs": {
    "version": "1.9.0"
  },
  "agent": {
    "type": "winlogbeat",
    "version": "7.13.0",
    "hostname": "MHKANG",
    "ephemeral_id": "08886c28-4442-4e46-a2b0-53ff501d740b",
    "id": "d6e7a447-dd91-4219-8b87-91a674ed7b94",
    "name": "MHKANG"
  }
}

왜 필터링이 안 될까? 릴리즈 노트를 찾아보니 직전 버전까지 숫자로 인식하던 event_id를 문자로 인식하는 변경 발생. ECS 체계의 통일성을 위해 바꾼 듯한데, 숫자를 숫자로 인식하는 게 합리적이지 않나? 이해가 안 간다.

바뀐 버전 테스트는 필수. 따옴표를 씌워서 문자로 검사하면 잘 동작한다.

processors:
  - include_fields:
      when:
        equals.winlog.event_id: "1"
      fields: [ "winlog.event_id", "process.name", "process.pe", "process.hash" ]

댓글 없음:

댓글 쓰기

크리에이티브 커먼즈 라이선스