Windows Security Content Pack for Graylog

Tested with Winlogbeat & Filebeat 7.12.1.0 / Windows 2022 / Windows 10 / Graylog 5.2.2

The content pack should be compatible with all Graylog 5.2.X versions. It contains configuration for Windows 10 security events, Windows Server 2022 security events, Active Directory, Windows DNS and DHCP Server, and DFS Server.

Note that this was built using Filebeat and Winlogbeat as the log shippers. No input extractors were used, only pipeline rules.

No additional Grok patterns are needed; the rules use the defaults such as WORD and GREEDYDATA.

Includes

  • Input (Beats/TCP/5044)
  • Stream (Filebeat & Winlogbeat)
  • Pipeline Rules w/ stages
  • Lookup table + Data adapter + data cache
  • Dashboards

Not included

You need to download the CSV files manually.

Add them to your Graylog server in /srv. If you use a different location, modify content_pack.json to change the path (CTRL + F and replace all occurrences with the desired path).

If you do not add them, some dashboards will not display all information: these CSV files are used by the lookup table to enrich the data.

Requirements

  • Graylog 5.2.0
  • Sidecar API Token Created
  • Graylog Sidecar Agent 1.5.0
  • Winlogbeat & Filebeat 7.12.1
  • Winlogbeat Security & Powershell Module
  • Edit Windows-Security-Content-Pack.json before uploading it! (See requirements)

Agents Configuration (Requirement)

Be careful: by default Graylog Sidecar 1.5.0 embeds two unsuitable Filebeat and Winlogbeat binaries, version 8.9.0, which are not compatible with OpenSearch 2.X! The latest compatible version is 7.12.1. Replace the two binaries with the 7.12.1 versions.

Download the Filebeat archive and extract the .exe

Download the Winlogbeat archive and extract the .exe

Create your Graylog Sidecar token API (Requirement)

You will need to generate an API Token for your Sidecar agent to be able to communicate with Graylog. Follow this Graylog guide if you don't know how.

Add the Winlogbeat modules to your Sidecar agent folder. (Requirement)

By default, Graylog Sidecar does not embed the Winlogbeat modules. They go in:

C:\Program Files\Graylog\sidecar\module

Download the module folder from this project and add it to your computer/server.

Visit for more info

Edit Windows-Security-Content-Pack.json (Requirement)

I've built some dashboards that filter logged events in or out based on server names. You will need to adjust these filters to match your infrastructure.

  • Follow these instructions:

    • Search & replace (use Notepad, for example):

      • srv* --> this filter matches all NetBIOS names starting with srv (e.g. srvdfs, srvad1, etc.). I use it to show only non-server computer data on dashboards via NOT conditions. Replace this filter with either the names of all your servers or another field key that is easier to implement and identifies all servers.

        • replace the string srv* with (name1 OR name2 OR name3) where nameX are your server names
      • (srvad1 OR srvad2) --> on my test prod I have 2 AD DCs; I use this filter where I want to show data only from my 2 DCs

        • replace the string (srvad1 OR srvad2) with (DCname1 OR DCname2 OR DCname3) where DCnameX are your DC names
      • srvdfs1 --> on my test prod I have a DFS server hosting a SAMBA share, so I created a dashboard to monitor file events for this server. If you don't have one you can ignore it and delete the dashboard tab in the Web UI.

        • replace the string srvdfs1 with your DFS server name, if you have one
      • Europe/Paris --> on my test prod I'm in France, so this is the timezone. If you are in another timezone, replace it with the desired one

        • replace the string Europe/Paris with the Country/Town timezone of your choice
      • graylog.lab.lan --> this is my test domain FQDN. Change it according to your server's FQDN / IP address so that all sidecars are correctly configured to send data to your Graylog server

        • replace the string graylog.lab.lan with graylog.your.fqdn.com, which should normally be the FQDN pointing to your Graylog server
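Added example, not part of this content pack: a small Python script that performs the replacements listed above on the raw JSON text and checks that the result still parses as JSON before you upload it. The replacement values, the sample JSON in the test and the output file name are constructed; adapt them to your environment.

```python
import json
from typing import Dict, Tuple

# Placeholder strings used in the content pack (from the README above) mapped
# to values for your environment. The right-hand values are constructed examples.
REPLACEMENTS = {
    "(srvad1 OR srvad2)": "(dc01 OR dc02)",          # your domain controllers
    "graylog.lab.lan": "graylog.example.org",        # your Graylog FQDN / IP
    "Europe/Paris": "Europe/Berlin",                 # your timezone
    "srvdfs1": "fs01",                               # your DFS server, if any
    "srv*": "(dc01 OR dc02 OR fs01 OR app01)",       # all your server names
}


def customize_content_pack(text: str, replacements: Dict[str, str]) -> Tuple[str, Dict[str, int]]:
    """Replace every occurrence of each placeholder in the raw JSON text.

    Longest placeholder first, so a short token can never clobber part of a
    longer one. Values are JSON-escaped because they land inside JSON strings.
    Returns the edited text and the number of replacements per placeholder.
    """
    counts: Dict[str, int] = {}
    for old in sorted(replacements, key=len, reverse=True):
        new = json.dumps(replacements[old])[1:-1]  # escape quotes/backslashes
        counts[old] = text.count(old)
        text = text.replace(old, new)
    # Graylog refuses a content pack that is not valid JSON, so fail early here.
    json.loads(text)
    return text, counts


if __name__ == "__main__":
    src = "Windows-Security-Content-Pack.json"          # file name from the README
    dst = "Windows-Security-Content-Pack.custom.json"   # constructed output name
    with open(src, encoding="utf-8") as f:
        edited, counts = customize_content_pack(f.read(), REPLACEMENTS)
    with open(dst, "w", encoding="utf-8") as f:
        f.write(edited)
    for old, n in counts.items():
        print(f"{old!r}: {n} occurrence(s) replaced")
```

Upload the .custom.json file in System > Content Packs; a placeholder with a count of 0 usually means the file was already edited or the token was mistyped.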

Create Index for each stream

By default, the content pack can't embed indices, so I recommend you create one per stream in order to separate Filebeat and Winlogbeat and so on. I don't think you want to have all data in the same index. It is like eating all the meal's ingredients at the same time: it's difficult to recognize the taste of each.


Then change the index for the Winlogbeat stream.

index_winlogbeat

Repeat the process for Filebeat.

Screenshots

  • Active Directory
  • Account Management
  • Auth
  • Defender
  • DHCP Server
  • DNS Client
  • DNS Server
  • Log Event Viewer
  • Windows Firewall

And so on...

References

  • jhochwald winlogbeat security
  • Windows Security Monitoring: Scenarios and Patterns, book by Andrei Miroshnikov (very good book, I recommend you buy it)