Merge pull request #276 from elastic/rwaight-patch-1

SIEM-at-Home example updates

Author: rwaight

Security Analytics/SIEM-at-Home/beats-configs/beats-general-config.yml

@@ -4,14 +4,14 @@ name: myHostName
 tags: ["myTag", "myHostName"]
 fields:
   env: myEnv
-  version: 11-13-2019
+  version: 11-26-2019
 
 #========================== Top Level Processor ===============================
 processors:
   - add_host_metadata:
-      # netinfo.enabled should be set to `false` in packetbeat until GitHub
-      # issue https://github.com/elastic/elasticsearch/issues/46193 is closed
-      netinfo.enabled: true
+      # netinfo.enabled should be set to `false` until GitHub issue
+      # https://github.com/elastic/elasticsearch/issues/46193 is resolved
+      netinfo.enabled: false
       Geo: # These Geo configurations are optional
         location: 40.7128, -74.0060
         continent_name: North America
@@ -58,7 +58,9 @@ cloud.auth: "data_shipper:0987654321abcDEF"
 
 # The geoip-info pipeline is used to enrich GeoIP information in Elasticsearch
 # You must configure the pipeline in Elasticsearch before enabling the pipeline in Beats.
-output.elasticsearch.pipeline: geoip-info
+# The `output.elasticsearch.pipeline: geoip-info` setting should be commented out until
+# until GitHub issue https://github.com/elastic/elasticsearch/issues/46193 is resolved
+#output.elasticsearch.pipeline: geoip-info
 
 # The `max_retries` setting is the number of times to retry publishing an event after 
 # a publishing failure. After the specified number of retries, the events are typically dropped.

Security Analytics/SIEM-at-Home/beats-configs/beats-on-windows/winlogbeat.yml

@@ -0,0 +1,39 @@
+# Example for the Beats on Windows blog
+# Configuration version: 11-25-2019
+#=== Winlogbeat specific options ===
+winlogbeat.event_logs:
+  - name: Application
+    ignore_older: 72h
+
+  - name: System
+
+  - name: Security
+    ignore_older: 24h
+    processors:
+      - drop_event.when.and: # drop local service login events
+        - equals.event.code: '4672'   
+        - equals.winlog.event_data.SubjectUserName: 'LOCAL SERVICE'
+      - script:
+          lang: javascript
+          id: security
+          file: ${path.home}/module/security/config/winlogbeat-security.js
+
+  - name: Windows PowerShell
+    ignore_older: 72h
+
+  - name: Microsoft-Windows-PowerShell/Operational
+    ignore_older: 72h
+    event_id: 4103, 4104
+
+  - name: Microsoft-Windows-Sysmon/Operational
+    ignore_older: 24h
+    processors:
+      - script:
+          lang: javascript
+          id: sysmon
+          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
+
+#=== Beats Common Configs Here ===
+# Add the settings from the Beats General Config file (beats-general-config.yml)
+# to the end of this configuration file. The Beats General Config file example can be found at this link:
+# https://github.com/elastic/examples/blob/master/Security%20Analytics/SIEM-at-Home/beats-configs/beats-general-config.yml