From 65dcb5019659fa897e020995465531e765a9573b Mon Sep 17 00:00:00 2001
From: inzlain
Date: Wed, 1 May 2019 02:58:28 +0000
Subject: [PATCH 1/5] Added Defender event log ingestion

---
 docker/helk-kibana/scripts/kibana-setup.sh | 6 +-
 .../60-winevent-defender-template.json | 51 +++++
 .../1536-winevent-defender-filter.conf | 179 ++++++++++++++++++
 .../9963-winevent-defender-output.conf | 19 ++
 winlogbeat/winlogbeat.yml | 3 +
 5 files changed, 255 insertions(+), 3 deletions(-)
 mode change 100755 => 100644 docker/helk-kibana/scripts/kibana-setup.sh
 create mode 100644 docker/helk-logstash/output_templates/60-winevent-defender-template.json
 create mode 100644 docker/helk-logstash/pipeline/1536-winevent-defender-filter.conf
 create mode 100644 docker/helk-logstash/pipeline/9963-winevent-defender-output.conf

diff --git a/docker/helk-kibana/scripts/kibana-setup.sh b/docker/helk-kibana/scripts/kibana-setup.sh
old mode 100755
new mode 100644
index 1fd00319..988618fb
--- a/docker/helk-kibana/scripts/kibana-setup.sh
+++ b/docker/helk-kibana/scripts/kibana-setup.sh
@@ -35,7 +35,7 @@ done # ******** Set Trial License Variables *************** if [[ -n "$ELASTICSEARCH_PASSWORD" ]] && [[ -n "$ELASTICSEARCH_USERNAME" ]]; then # *********** Creating Kibana index-patterns *************** - declare -a index_patterns=("logs-endpoint-*" "logs-*" "logs-endpoint-winevent-sysmon-*" "logs-endpoint-winevent-security-*" "logs-endpoint-winevent-system-*" "logs-endpoint-winevent-application-*" "logs-endpoint-winevent-wmiactivity-*" "logs-endpoint-winevent-powershell-*" "mitre-attack-*" "elastalert_status" "elastalert_status_status" "elastalert_status_error" "elastalert_status_silence" "elastalert_status_past" "sysmon-join-*") + declare -a index_patterns=("logs-endpoint-*" "logs-*" "logs-endpoint-winevent-sysmon-*" "logs-endpoint-winevent-security-*" "logs-endpoint-winevent-system-*" "logs-endpoint-winevent-application-*" "logs-endpoint-winevent-wmiactivity-*" "logs-endpoint-winevent-defender-*" "logs-endpoint-winevent-powershell-*" "mitre-attack-*" "elastalert_status" "elastalert_status_status" "elastalert_status_error" "elastalert_status_silence" "elastalert_status_past" "sysmon-join-*") echo "[HELK-KIBANA-DOCKER-INSTALLATION-INFO] Creating Kibana Index Patterns..." for index in ${!index_patterns[@]}; do echo "[++++++] creating kibana index ${index_patterns[${index}]}" 
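Review bot: The `index_patterns` array is declared twice with identical contents, here in the authenticated branch and again in the `else` branch at the `@@ -116,7 +116,7 @@` hunk, so every new pattern such as `logs-endpoint-winevent-defender-*` has to be added in two places and the two lists can silently drift apart. Hoisting a single `declare -a index_patterns=(...)` above the `if [[ -n "$ELASTICSEARCH_PASSWORD" ]] && [[ -n "$ELASTICSEARCH_USERNAME" ]]` test would remove the duplication, assuming the rest of each branch only reads the array. While both hunks touch the loop header, quoting it as `for index in "${!index_patterns[@]}"; do` would also satisfy ShellCheck. The enclosing if/else block starts and ends outside the hunk.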
@@ -116,7 +116,7 @@ if [[ -n "$ELASTICSEARCH_PASSWORD" ]] && [[ -n "$ELASTICSEARCH_USERNAME" ]]; the ' else # *********** Creating Kibana index-patterns *************** - declare -a index_patterns=("logs-endpoint-*" "logs-*" "logs-endpoint-winevent-sysmon-*" "logs-endpoint-winevent-security-*" "logs-endpoint-winevent-system-*" "logs-endpoint-winevent-application-*" "logs-endpoint-winevent-wmiactivity-*" "logs-endpoint-winevent-powershell-*" "mitre-attack-*" "elastalert_status" "elastalert_status_status" "elastalert_status_error" "elastalert_status_silence" "elastalert_status_past" "sysmon-join-*") + declare -a index_patterns=("logs-endpoint-*" "logs-*" "logs-endpoint-winevent-sysmon-*" "logs-endpoint-winevent-security-*" "logs-endpoint-winevent-system-*" "logs-endpoint-winevent-application-*" "logs-endpoint-winevent-wmiactivity-*" "logs-endpoint-winevent-defender-*" "logs-endpoint-winevent-powershell-*" "mitre-attack-*" "elastalert_status" "elastalert_status_status" "elastalert_status_error" "elastalert_status_silence" "elastalert_status_past" "sysmon-join-*") echo "[+++] Creating Kibana Index Patterns..." for index in ${!index_patterns[@]}; do @@ -159,4 +159,4 @@ else sleep 1 done done -fi \ No newline at end of file +fi diff --git a/docker/helk-logstash/output_templates/60-winevent-defender-template.json b/docker/helk-logstash/output_templates/60-winevent-defender-template.json new file mode 100644 index 00000000..ba54d165 --- /dev/null +++ b/docker/helk-logstash/output_templates/60-winevent-defender-template.json 
@@ -0,0 +1,51 @@ +{ + "order": 60, + "index_patterns": [ "logs-endpoint-winevent-defender-*" ], + "version": 2019050101, + "mappings":{ + "doc":{ + "properties":{ + "defender_action_id":{"type":"keyword"}, + "defender_action_name":{"type":"keyword"}, + "defender_additional_actions":{"type":"keyword"}, + "defender_additional_actions_id":{"type":"keyword"}, + "defender_additional_actions_string": { "type": "text", "norms": false, "analyzer": "standard", "fields": { "keyword": { "type": "keyword" } } }, + "defender_category_description":{"type":"keyword"}, + "defender_category_id":{"type":"keyword"}, + "defender_category_name":{"type":"keyword"}, + "defender_configuration":{"type":"keyword"}, + "defender_detection_id":{"type":"keyword"}, + "defender_detection_time":{"type":"date"}, + "defender_engine_version":{"type":"keyword"}, + "defender_error_code":{"type":"keyword"}, + "defender_error_description": { "type": "text", "norms": false, "analyzer": "standard", "fields": { "keyword": { "type": "keyword" } } }, + "defender_execution_id":{"type":"keyword"}, + "defender_execution_name":{"type":"keyword"}, + "defender_feature_id":{"type":"keyword"}, + "defender_feature_name":{"type":"keyword"}, + "defender_fwlink":{"type":"keyword"}, + "defender_origin_id":{"type":"keyword"}, + "defender_origin_name":{"type":"keyword"}, + "defender_platform_version":{"type":"keyword"}, + "defender_post_clean_status":{"type":"keyword"}, + "defender_pre_execution_status":{"type":"keyword"}, + "defender_product_name":{"type":"keyword"}, + "defender_product_version":{"type":"keyword"}, + "defender_remediation_user":{"type":"keyword"}, + "defender_severity_id":{"type":"keyword"}, + "defender_severity_name":{"type":"keyword"}, + "defender_signature_version":{"type":"keyword"}, + "defender_source_id":{"type":"keyword"}, + "defender_source_name":{"type":"keyword"}, + "defender_state":{"type":"keyword"}, + "defender_status_code":{"type":"keyword"}, + 
"defender_status_description":{"type":"keyword"}, + "defender_threat_id":{"type":"keyword"}, + "defender_threat_name": { "type": "text", "norms": false, "analyzer": "standard", "fields": { "keyword": { "type": "keyword" } } }, + "defender_threat_name_trojan": { "type": "text", "norms": false, "analyzer": "standard", "fields": { "keyword": { "type": "keyword" } } }, + "defender_type_id":{"type":"keyword"}, + "defender_type_name":{"type":"keyword"} + } + } + } +} diff --git a/docker/helk-logstash/pipeline/1536-winevent-defender-filter.conf b/docker/helk-logstash/pipeline/1536-winevent-defender-filter.conf new file mode 100644 index 00000000..820e403b --- /dev/null +++ b/docker/helk-logstash/pipeline/1536-winevent-defender-filter.conf 
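Review bot: `"defender_detection_time":{"type":"date"}` carries no `format`, and the filter in this series only renames `Detection Time` into it without a `date {}` filter, so if the raw event string does not match Elasticsearch's default `strict_date_optional_time||epoch_millis` the whole document is rejected with a mapping error instead of being indexed with one bad field; either add an explicit `"format"` here or normalise the value in the filter. Note also that PATCH 4/5 in this series removes the `template`, `template_name` and `template_overwrite` lines from the output, after which nothing visible on this page loads this file, so unless another step installs it the Defender index falls back to dynamic mapping and none of these types apply.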
@@ -0,0 +1,179 @@ +# HELK Windows Defender filter file +# HELK build Stage: Alpha +# Author: Alain Homewood (@inzlain) +# License: GPL-3.0 + +filter { + if [log_name] == "Microsoft-Windows-Windows Defender/Operational" { + mutate { add_field => { "z_logstash_pipeline" => "1536" } } + # Generic fields common accross many Defender event IDs + mutate { + rename => { + "computer_name" => "host_name" + "Engine Version" => "defender_engine_version" + "Error Code" => "defender_error_code" + "Error Description" => "defender_error_description" + "Platform Version" => "defender_platform_version" + "Product Name" => "defender_product_name" + "Product Version" => "defender_product_version" + "Signature Version" => "defender_signature_version" + } + } + + # Event ID 1000: MALWAREPROTECTION_SCAN_STARTED + # Event ID 1001: MALWAREPROTECTION_SCAN_COMPLETED + # Event ID 1002: MALWAREPROTECTION_SCAN_CANCELLED + # Event ID 1003: MALWAREPROTECTION_SCAN_PAUSED + # Event ID 1004: MALWAREPROTECTION_SCAN_RESUMED + # Event ID 1005: MALWAREPROTECTION_SCAN_FAILED + # Event ID 1006: MALWAREPROTECTION_MALWARE_DETECTED + # Event ID 1007: MALWAREPROTECTION_MALWARE_ACTION_TAKEN + # Event ID 1008: MALWAREPROTECTION_MALWARE_ACTION_FAILED + # Event ID 1009: MALWAREPROTECTION_QUARANTINE_RESTORE + # Event ID 1010: MALWAREPROTECTION_QUARANTINE_RESTORE_FAILED + # Event ID 1011: MALWAREPROTECTION_QUARANTINE_DELETE + # Event ID 1012: MALWAREPROTECTION_QUARANTINE_DELETE_FAILED + # Event ID 1013: MALWAREPROTECTION_MALWARE_HISTORY_DELETE + # Event ID 1014: MALWAREPROTECTION_MALWARE_HISTORY_DELETE_FAILED + # Event ID 1015: MALWAREPROTECTION_BEHAVIOR_DETECTED + # Not implemented + + # Event ID 1116: MALWAREPROTECTION_STATE_MALWARE_DETECTED + # Event ID 1117: MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN + if [event_id] == 1116 or [event_id] == 1117 { + mutate { add_field => { "z_logstash_pipeline" => "1536_1" } } + mutate { + # Future Improvements: + # 1. 
Path + can contain multiple items seperated by semicolons - these could be split out into invidiual items + # 2. Path can contain command lines or AMSI references instead of file path - this should be parsed properly for things that aren't file paths + rename => { + "Action ID" => "defender_action_id" + "Action Name" => "defender_action_name" + "Additional Actions ID" => "defender_additional_actions_id" + "Additional Actions String" => "defender_additional_actions_string" + "Additional Actions" => "defender_additional_actions" + "Category Description" => "defender_category_description" + "Category ID" => "defender_category_id" + "Category Name" => "defender_category_name" + "Detection ID" => "defender_detection_id" + "Detection Time" => "defender_detection_time" + "Execution ID" => "defender_execution_id" + "Execution Name" => "defender_execution_name" + "FWLink" => "defender_fwlink" + "Origin ID" => "defender_origin_id" + "Origin Name" => "defender_origin_name" + "Path" => "file_path" + "Post Clean Status" => "defender_post_clean_status" + "Pre Execution Status" => "defender_pre_execution_status" + "Process Name" => "process_name" + "Remediation User" => "defender_remediation_user" + "Severity ID" => "defender_severity_id" + "Severity Name" => "defender_severity_name" + "Source ID" => "defender_source_id" + "Source Name" => "defender_source_name" + "State" => "defender_state" + "Status Code" => "defender_status_code" + "Status Description" => "defender_status_description" + "Threat ID" => "defender_threat_id" + "Threat Name Trojan" => "defender_threat_name_trojan" + "Threat Name" => "defender_threat_name" + "Type ID" => "defender_type_id" + "Type Name" => "defender_type_name" + } + } + if [Detection User] { + grok { + match => { "Detection User" => "%{GREEDYDATA:user_domain}\\%{GREEDYDATA:user_name}" } + remove_field => [ "Detection User" ] + tag_on_failure => [ "_User_grokparsefailure", "_grokparsefailure", "_parsefailure" ] + } + } + } + + # Event ID 1118: 
MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED + # Event ID 1119: MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED + # Not implemented + + # Event ID 1020: MALWAREPROTECTION_THREAT_HASH + # Not implemented + + # Event ID 1150: MALWAREPROTECTION_SERVICE_HEALTHY + # Event ID 1151: MALWAREPROTECTION_SERVICE_HEALTH_REPORT + # Not implemented + + # Event ID 2000: MALWAREPROTECTION_SIGNATURE_UPDATED + # Event ID 2001: MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED + # Event ID 2002: MALWAREPROTECTION_ENGINE_UPDATED + # Event ID 2003: MALWAREPROTECTION_ENGINE_UPDATE_FAILED + # Event ID 2004: MALWAREPROTECTION_SIGNATURE_REVERSION + # Event ID 2005: MALWAREPROTECTION_ENGINE_UPDATE_PLATFORMOUTOFDATE + # Event ID 2006: MALWAREPROTECTION_PLATFORM_UPDATE_FAILED + # Event ID 2007: MALWAREPROTECTION_PLATFORM_ALMOSTOUTOFDATE + # Event ID 2010: MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATED + # Event ID 2011: MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED + # Event ID 2012: MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATE_FAILED + # Event ID 2013: MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED_ALL + # Event ID 2020: MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOADED + # Event ID 2021: MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOAD_FAILED + # Event ID 2030: MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED + # Event ID 2031: MALWAREPROTECTION_OFFLINE_SCAN_INSTALL_FAILED + # Event ID 2040: MALWAREPROTECTION_OS_EXPIRING + # Event ID 2041: MALWAREPROTECTION_OS_EOL + # Event ID 2042: MALWAREPROTECTION_PROTECTION_EOL + # Not implemented + + # Event ID 3002: MALWAREPROTECTION_RTP_FEATURE_FAILURE + # Event ID 3007: MALWAREPROTECTION_RTP_FEATURE_RECOVERED + # Not implemented + + # Event ID 5000: MALWAREPROTECTION_RTP_ENABLED + # Event ID 5001: MALWAREPROTECTION_RTP_DISABLED + # No filter required + + # Event ID 5004: MALWAREPROTECTION_RTP_FEATURE_CONFIGURED + if [event_id] == 5004 { + mutate { add_field => { "z_logstash_pipeline" => "1536_2" } } + mutate { + rename => { + "Configuration" => 
"defender_configuration" + "Feature ID" => "defender_feature_id" + "Feature Name" => "defender_feature_name" + } + } + } + + # Event ID 5007: MALWAREPROTECTION_RTP_FEATURE_CONFIGURED + if [event_id] == 5007 { + mutate { add_field => { "z_logstash_pipeline" => "1536_3" } } + if [New Value] { + grok { + match => { "New Value" => "%{GREEDYDATA:registry_key_path}\\%{GREEDYDATA:registry_key_value_name}\s=\s%{GREEDYDATA:registry_key_value_data}" } + remove_field => [ "New Value" ] + tag_on_failure => [ "_Registry_grokparsefailure", "_grokparsefailure", "_parsefailure" ] + } + } + if [Old Value] { + grok { + match => { "Old Value" => ".*\s=\s%{GREEDYDATA:registry_value_old_data}" } + remove_field => [ "Old Value" ] + tag_on_failure => [ "_Registry_grokparsefailure", "_grokparsefailure", "_parsefailure" ] + } + } + } + + # Event ID 5008: MALWAREPROTECTION_ENGINE_FAILURE + # Not implemented + + # Event ID 5009: MALWAREPROTECTION_ANTISPYWARE_ENABLED + # Event ID 5010: MALWAREPROTECTION_ANTISPYWARE_DISABLED + # Event ID 5011: MALWAREPROTECTION_ANTIVIRUS_ENABLED + # Event ID 5012: MALWAREPROTECTION_ANTIVIRUS_DISABLED + # Not implemented + + # Event ID 5100: MALWAREPROTECTION_EXPIRATION_WARNING_STATE + # Event ID 5101: MALWAREPROTECTION_DISABLED_EXPIRED_STATE + # Not implemented + + } +} diff --git a/docker/helk-logstash/pipeline/9963-winevent-defender-output.conf b/docker/helk-logstash/pipeline/9963-winevent-defender-output.conf new file mode 100644 index 00000000..1ad9ac14 --- /dev/null +++ b/docker/helk-logstash/pipeline/9963-winevent-defender-output.conf 
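Review bot: The `New Value` grok for event 5007, `%{GREEDYDATA:registry_key_path}\\%{GREEDYDATA:registry_key_value_name}\s=\s%{GREEDYDATA:registry_key_value_data}`, splits path from value name at the last backslash before ` = `, so a value name that itself contains backslashes lands mostly in `registry_key_path` with only its final component in `registry_key_value_name`; an `Exclusions\Paths` entry, where the value name is presumably the excluded path, is the case to confirm against a real 5007 sample, and it is exactly the record a detection on exclusion changes would key on. A pattern anchored to the fixed `Windows Defender\` key prefix, or a non-greedy first capture, would keep the full value name intact. The `Detection User` grok has the same greedy shape but only one backslash is expected there, so it is fine as written.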
@@ -0,0 +1,19 @@ +# HELK Windows Defender output file +# HELK build Stage: Alpha +# Author: Alain Homewood (@inzlain) +# License: GPL-3.0 + +output { + if [log_name] == "Microsoft-Windows-Windows Defender/Operational" { + elasticsearch { + hosts => ["helk-elasticsearch:9200"] + index => "logs-endpoint-winevent-defender-%{+YYYY.MM.dd}" + document_id => "%{[@metadata][log_hash]}" + user => 'elastic' + #password => 'elasticpassword' + template => "/opt/logstash/output_templates/60-winevent-defender-template.json" + template_name => "winevent-defender" + template_overwrite => true + } + } +} diff --git a/winlogbeat/winlogbeat.yml b/winlogbeat/winlogbeat.yml index 19a6aeb4..0c39b007 100644 --- a/winlogbeat/winlogbeat.yml +++ b/winlogbeat/winlogbeat.yml @@ -24,6 +24,9 @@ winlogbeat.event_logs: ignore_older: 30m - name: Microsoft-Windows-WMI-Activity/Operational event_id: 5857,5858,5859,5860,5861 + - name: Microsoft-Windows-Windows Defender/Operational + event_id: 1116,1117,5000,5001,5007 + ignore_older: 30m #----------------------------- Kafka output -------------------------------- output.kafka: From f2bdeb5890c76593cf3895aded83b98b0cb0cfd3 Mon Sep 17 00:00:00 2001 From: inzlain Date: Wed, 1 May 2019 03:20:51 +0000 Subject: [PATCH 2/5] Added Defender event log ingestion --- .../helk-logstash/pipeline/1536-winevent-defender-filter.conf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docker/helk-logstash/pipeline/1536-winevent-defender-filter.conf b/docker/helk-logstash/pipeline/1536-winevent-defender-filter.conf index 820e403b..b49aa98c 100644 --- a/docker/helk-logstash/pipeline/1536-winevent-defender-filter.conf +++ b/docker/helk-logstash/pipeline/1536-winevent-defender-filter.conf 
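Review bot: `document_id => "%{[@metadata][log_hash]}"` assumes an earlier pipeline stage already populates `[@metadata][log_hash]` for this log; if it is unset for Defender events, Logstash keeps the literal placeholder text, every event gets the same document id and they overwrite one another, silently dropping detections. Worth confirming against the stage that computes the hash, or guarding the `elasticsearch { }` block with `if [@metadata][log_hash]`. Separately, `user => 'elastic'` with a commented `#password => 'elasticpassword'` keeps credentials in the pipeline file; Logstash substitutes `${VAR}` from the environment in config values, and kibana-setup.sh in this same series already relies on `ELASTICSEARCH_PASSWORD`, so `password => "${ELASTICSEARCH_PASSWORD}"` would keep the secret out of the repository.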
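Review bot: The added `event_id: 1116,1117,5000,5001,5007` list omits 5004, yet the filter file added in this same patch has a dedicated `if [event_id] == 5004` branch (pipeline tag `1536_2`), so that branch never sees an event from this collector; either include it, `event_id: 1116,1117,5000,5001,5004,5007`, or drop the branch. From a coverage standpoint 5010/5012 (antispyware/antivirus disabled) and 1118/1119 (malware action failed), which the filter's own comment index enumerates, are the events most worth collecting alongside 5001, even if they only pass through unparsed for now. The surrounding `winlogbeat.event_logs` list continues outside the hunk.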
@@ -44,8 +44,7 @@ filter { mutate { add_field => { "z_logstash_pipeline" => "1536_1" } } mutate { # Future Improvements: - # 1. Path - can contain multiple items seperated by semicolons - these could be split out into invidiual items + # 1. Path can contain multiple items seperated by semicolons - these could be split out into invidiual items # 2. Path can contain command lines or AMSI references instead of file path - this should be parsed properly for things that aren't file paths rename => { "Action ID" => "defender_action_id" From db4b393dd109f5c6d3c98be9f495e2dfbd3446da Mon Sep 17 00:00:00 2001 From: inzlain Date: Wed, 1 May 2019 03:46:13 +0000 Subject: [PATCH 3/5] Added Windows Defender event log ingestion --- docker/helk-kibana/scripts/kibana-setup.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 docker/helk-kibana/scripts/kibana-setup.sh diff --git a/docker/helk-kibana/scripts/kibana-setup.sh b/docker/helk-kibana/scripts/kibana-setup.sh old mode 100644 new mode 100755 From 7aea893048bd2a26ee8cabd12032aa750780dcd8 Mon Sep 17 00:00:00 2001 From: inzlain Date: Wed, 1 May 2019 03:56:30 +0000 Subject: [PATCH 4/5] Added Defender event log ingestion --- .../helk-logstash/pipeline/9963-winevent-defender-output.conf | 3 --- 1 file changed, 3 deletions(-) diff --git a/docker/helk-logstash/pipeline/9963-winevent-defender-output.conf b/docker/helk-logstash/pipeline/9963-winevent-defender-output.conf index 1ad9ac14..11a31bcb 100644 --- a/docker/helk-logstash/pipeline/9963-winevent-defender-output.conf +++ b/docker/helk-logstash/pipeline/9963-winevent-defender-output.conf @@ -11,9 +11,6 @@ output { document_id => "%{[@metadata][log_hash]}" user => 'elastic' #password => 'elasticpassword' - template => "/opt/logstash/output_templates/60-winevent-defender-template.json" - template_name => "winevent-defender" - template_overwrite => true } } } From 962b88cef1e70a6fb0d60e89ab404b5a5513d95d Mon Sep 17 00:00:00 2001 
From: Alain Homewood <16848139+inzlain@users.noreply.github.com> Date: Wed, 1 May 2019 17:03:43 +1200 Subject: [PATCH 5/5] Fix comments --- .../helk-logstash/pipeline/1536-winevent-defender-filter.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/helk-logstash/pipeline/1536-winevent-defender-filter.conf b/docker/helk-logstash/pipeline/1536-winevent-defender-filter.conf index b49aa98c..34a4a252 100644 --- a/docker/helk-logstash/pipeline/1536-winevent-defender-filter.conf +++ b/docker/helk-logstash/pipeline/1536-winevent-defender-filter.conf @@ -142,7 +142,7 @@ filter { } } - # Event ID 5007: MALWAREPROTECTION_RTP_FEATURE_CONFIGURED + # Event ID 5007: MALWAREPROTECTION_CONFIG_CHANGED if [event_id] == 5007 { mutate { add_field => { "z_logstash_pipeline" => "1536_3" } } if [New Value] {