Description
In my opinion, the two ingest pipelines below are missing some key data needed to successfully exclude alerts generated by the SIEM:
- logs-windows.powershell_operational-1.5.0
- logs-windows.forwarded-1.5.0-powershell_operational
powershell.file.script_block_text
This field is being renamed from winlog.event_data.ScriptBlockText to powershell.file.script_block_text. There are quite a few Elastic SIEM security rules that were distributed which use this field to alert on. The key issue is that you can't really use this field to put in any exclusions, which makes alerting on this field a problem (I think it's due to it being a text field).
In my environment I found a workaround that Elastic may want to implement if they do not see any performance or other issues.
Create hash from powershell.file.script_block_text:
Since the powershell.file.script_block_text field contains a LOT of data, my suggestion is to use a script in the ingest pipeline to remove all space characters and create a fingerprint in powershell.file.script_block_hash. This fingerprint can be used to add exclusions in SIEM since you are unable to use script_block_text:

Script to run on the field to remove whitespace:

```painless
// Strip every whitespace character (spaces, tabs, CR/LF) so that cosmetic
// reformatting of the same script still produces the same fingerprint.
// The null check avoids a script exception when the field is absent.
if (ctx.powershell?.file?.script_block_temp != null) {
  def newVal = /\s/.matcher(ctx.powershell.file.script_block_temp).replaceAll("");
  ctx.powershell.file.script_block_temp = newVal;
}
```
Elastic Support Ticket: #00883463
Extract powershell signature (if exists) which can be used for exclusions
If a powershell script has a signature, I think you should be able to add exclusions for this signature.
Example signature (shortened):

```text
# SIG # Begin signature block
# MIIbDQYJKoZIhvcNAQcCoIIa/jCCGvoCAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB
# gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR
# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUxKaXN7doWq+mq18IrzABoXMr
# 4l6gghXyMIIEoDCCA4igAwIBAgIKYRr16gAAAAAAajANBgkqhkiG9w0BAQUFADB5
# MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVk
# bW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSMwIQYDVQQDExpN
# aWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQTAeFw0xMTExMDEyMjM5MTdaFw0xMzAy
# MDEyMjQ5MTdaMIGDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQ
# MA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u
# SIG # End signature block
```
Add GROK pattern to ingest pipeline and store in powershell.file.script_block_signature (performance testing needed):

```grok
(?<script_start>.* Begin signature block)(?<powershell.file.script_block_signature>(.|\r|\n)*)(?<script_end>.*# SIG # End signature block)
```
https://discuss.elastic.co/t/extracting-data-between-two-phrases-with-grok/302269
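The two steps above (whitespace-stripped fingerprint, then signature extraction) wired together as a complete ingest pipeline. This is an added example, not the integration's own pipeline: the field names come from this issue, while the temporary field, the SHA-256 method and the `ignore_missing`/`ignore_failure` settings (so unsigned scripts and events without a script block are indexed rather than dropped) are my choices. It can be tried against a sample document with `POST _ingest/pipeline/_simulate`.

```json
{
  "description": "Added example: fingerprint ScriptBlockText and extract any Authenticode signature block",
  "processors": [
    {
      "set": {
        "field": "powershell.file.script_block_temp",
        "copy_from": "powershell.file.script_block_text",
        "ignore_empty_value": true
      }
    },
    {
      "script": {
        "if": "ctx.powershell?.file?.script_block_temp != null",
        "source": "ctx.powershell.file.script_block_temp = /\\s/.matcher(ctx.powershell.file.script_block_temp).replaceAll('');"
      }
    },
    {
      "fingerprint": {
        "fields": ["powershell.file.script_block_temp"],
        "target_field": "powershell.file.script_block_hash",
        "method": "SHA-256",
        "ignore_missing": true
      }
    },
    {
      "grok": {
        "field": "powershell.file.script_block_text",
        "patterns": [
          "(?<script_start>.* Begin signature block)(?<powershell.file.script_block_signature>(.|\\r|\\n)*)(?<script_end>.*# SIG # End signature block)"
        ],
        "ignore_missing": true,
        "ignore_failure": true
      }
    },
    {
      "remove": {
        "field": ["powershell.file.script_block_temp", "script_start", "script_end"],
        "ignore_missing": true
      }
    }
  ]
}
```

Exceptions in the SIEM can then match on `powershell.file.script_block_hash` (a keyword) or on `powershell.file.script_block_signature` instead of the text field; because the grok pattern walks the entire script block, measure its cost on your largest script blocks before enabling it broadly.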