infosecn1nja
/
HELK
mirror of https://github.com/infosecn1nja/HELK.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

PowerShell Logstash filter

keyword-vs-text-changes
Roberto Rodriguez 2017-07-03 16:26:10 -04:00
parent ff18dbec99
commit d119a2905e
2 changed files with 23 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
logstash/10-powershell-filter.conf Normal file
View File

@ -0,0 +1,22 @@
filter {
if [source_name] == "Microsoft-Windows-PowerShell" {
if [event_id] == 4103 {
kv {
include_keys => [ "value", "Application" ]
}
grok {
match => ["value", "(?<ps_value>^([\D].+))"]
remove_field => [ "value"]
}
grok {
match => [ "[event_data][Payload]" , "CommandInvocation\((?<ps_commandinvocation>[\D].+?)\)" ]
}
mutate {
rename => {
"Application" => "ps_hostapplication"
"value" => "ps_value_num"
}
}
}
}
}

1
winlogbeat/winlogbeat.yml
View File

@ -23,6 +23,7 @@ winlogbeat.event_logs:
- name: Security
- name: System
- name: Microsoft-windows-sysmon/operational
event_id: 4103, 4104
#================================ General =====================================