10-windows-events-filter.conf

filter {
    # If it is an eventlog message, change some fields to lower case, and rename some fields so they match logstash's default
	if "eventlog" in [tags] {
        mutate {
            lowercase => [ "EventType", "FileName", "Hostname", "Severity", "host" ]
            rename => [ "Hostname", "host" ]
            rename => [ "Message", "message" ]
  }
# Translate common Event ID's
        translate {
      field => "EventID"
      destination => "EventDesc"
      override => true
      fallback => "no match"
      dictionary => [ "4625", "4625 An account failed to log on",
	              "4648", "4648 A logon was attempted using explicit credentials",
		      "4656", "4656 A handle to an object was requested",
                      "4662", "4662 An operation was performed on an object",
                      "4663", "4663 An attempt was made to access an object",
                      "4672", "4672 Special privileges assigned to new logon",
                      "4673", "4673 A privileged service was called",
                      "4690", "4690 An attempt was made to duplicate a handle to an object",
                      "4720", "4720 A user account was created",
                      "4722", "4722 A user account was enabled",
                      "4724", "4724 An attempt was made to reset an accounts password",
                      "4725", "4725 A user account was disabled",
                      "4727", "4727 A security-enabled global group was created",
                      "4728", "4728 A member was added to a security-enabled global group",
                      "4729", "4729 A member was removed from a security-enabled global group",
                      "4735", "4735 A security-enabled local group was changed",
                      "4737", "4737 A security-enabled global group was changed",
                      "4738", "4738 A user account was changed",
                      "4740", "4740 A user account was locked out",
                      "4754", "4754 A security-enabled universal group was created",
                      "4756", "4756 A member was added to a security-enabled universal group",
                      "4757", "4757 A member was removed to a security-enabled universal group",
                      "4767", "4767 A user account was unlocked",
                      "4768", "4768 A Kerberos authentication ticket (TGT) was requested",
                      "4769", "4769 A Kerberos service ticket was requested",
                      "4770", "4770 A Kerberos service ticket was renewed",
                      "4771", "4771 Kerberos pre-authentication failed",
                      "4780", "4780 The ACL was set on accounts which are members of administrators groups",
		      "4907", "4907 Auditing settings on object were changed",
                      "4932", "4932 Synchronization of a replica of an Active Directory naming context has begun",
	              "4933", "4933 Synchronization of a replica of an Active Directory naming context has ended",
                      "5136", "5136 A directory service object was modified",
                      "5145", "5145 A network share object was checked to see whether client can be granted desired access",
                      "5152", "5152 The Windows Filtering Platform blocked a packet",
                      "5157", "5157 The Windows Filtering Platform has blocked a connection",
                      "5159", "5159 The Windows Filtering Platform has blocked a bind to a local port",
		      "6272", "6272 Network Policy Server granted access to a user",
	              "6273", "6273 Network Policy Server denied access to a user",
		      "6274", "6274 Network Policy Server discarded the request for a user",
		      "6278", "6278 Network Policy Server granted full access to a user because the host met the defined health policy"
                    ]
         }
    }

# Remove IPv6 prefix from IPAddress if not used
if [IpAddress] =~ "ffff" {
   grok {
    match => ["IpAddress", "^.*?\::ffff:%{GREEDYDATA:IpAddress}$"]
    overwrite => ["IpAddress"]
        }
   }
# For Powershell events, extract the command details and create alert field
if [SourceName] == "PowerShell" {
    grok {
       patterns_dir => "/etc/logstash/patterns"
       match => { "message" => "%{PWRSHELL:scriptname}" }
       add_field => { "PwrShellAlert" => "true" }
       }
   }
#Identify machine accounts
if [TargetUserName] =~ /\$/ {
            mutate {
               add_field => { "machine" => "true" }
    }
}       else {
        mutate {
        add_field => { "machine" => "false" }
          
        }
  }
# Extract username from email
if [TargetUserName] =~ /\@/ {
    grok {
        match => ["TargetUserName", "%{WORD:TargetUserName}"]
        overwrite => ["TargetUserName"]
        }
   }
#Add field for admin users  
#if [EventID] == 4728 or [EventID] == 4756 {	
#	if [TargetUserName] == "Admin Group 1" or [TargetUserName] == "Admin Group 2" {
#			mutate {
#				add_field => { "admin" => "true" }
#	}
#   }    
#  }
if [EventID] == 4771 or [EventID] == 4625 and [machine] == "false"  {  
    mutate {
        add_tag => [ "logon_failure" ]
    }
  } 
}