Architecture - JCSC-JE/Graylog-IR GitHub Wiki

The diagram below shows the architecture of the Graylog server configuration

CSV, IIS and JSON logs are ingested by a UDP input and then filtered into a stream that is connected to a pipeline for processing. After processing, they are stored in the OpenSearch index.

Windows EVTX files are ingested by a UDP input and then filtered into an individual stream based on log source. These logs are then processed in three pipeline stages.

  • Stage 1 - Rename log fields
  • Stage 2 - Filter logs by Windows Event ID
  • Stage 3 - Enrich the remaining data

Windows Event ID Filtering

We use quite aggressive filtering: each rule looks for specific Windows events and drops every event whose Event ID is not on the list we are interested in. More information can be found on the Windows Event Filtering ID page.

Event Filtering Rule

rule "Defender drop events"
when
  to_string($message.Channel) == "Microsoft-Windows-Windows Defender/Operational"
  AND NOT
  (
  to_string($message.EventId) == "1005" OR
  to_string($message.EventId) == "1006" OR
  to_string($message.EventId) == "1007" OR
  to_string($message.EventId) == "1008" OR
  to_string($message.EventId) == "1009" OR
  to_string($message.EventId) == "1012" OR
  to_string($message.EventId) == "1015" OR
  to_string($message.EventId) == "1016" OR
  to_string($message.EventId) == "1017" OR
  to_string($message.EventId) == "1018" OR
  to_string($message.EventId) == "1019" OR
  to_string($message.EventId) == "1020" OR
  to_string($message.EventId) == "2001" OR
  to_string($message.EventId) == "2003" OR
  to_string($message.EventId) == "5001" OR
  to_string($message.EventId) == "5008" OR
  to_string($message.EventId) == "5012"
  )
then
    drop_message();
end

Windows Enrichment Rule

rule "Defender Log Event Id Enrichment"
when
  to_string($message.Channel) == "Microsoft-Windows-Windows Defender/Operational"
then
  set_field("TimelineCategory", lookup_value("defender", $message.EventId));
  set_field("TimelineSource", "Windows Defender");
  set_field("TimelineEvent", "true");
end

Setting these three fields lets us build dashboards using filtered queries on our dataset. The first line of the rule uses a lookup table to map Defender Event IDs to a description. The other two lines set fields that we use when creating dashboards.
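The following is an added example, not code from the Graylog-IR project: an offline Python simulation of the three Defender stages (rename, Event ID filter, enrichment) so that a change to the Event ID allowlist or the lookup table can be checked against sample events before it is deployed to Graylog. The allowlist is the one from the filtering rule above; the raw field names in RAW_FIELD_MAP, the lookup-table contents, and the sample events are assumptions and constructed placeholders, not values from the project.

```python
# Added example (not part of the Graylog-IR project): offline simulation of the
# Defender pipeline stages. RAW_FIELD_MAP and DEFENDER_LOOKUP are assumptions;
# the sample events are constructed, not real log data.

DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"

# Event IDs retained by the "Defender drop events" rule (as listed on the page).
DEFENDER_KEEP_IDS = frozenset({
    "1005", "1006", "1007", "1008", "1009", "1012", "1015", "1016", "1017",
    "1018", "1019", "1020", "2001", "2003", "5001", "5008", "5012",
})

# Stage 1: assumed mapping from raw ingest field names to the names the rules
# expect ($message.Channel / $message.EventId). Adjust to your shipper's schema.
RAW_FIELD_MAP = {
    "winlog_channel": "Channel",
    "winlog_event_id": "EventId",
}

# Stage 3: constructed stand-in for the Graylog lookup table named "defender".
# The real table's categories are not on the page; these values are placeholders.
DEFENDER_LOOKUP = {
    "1006": "PLACEHOLDER_malware_detected",
    "2001": "PLACEHOLDER_signature_update_failed",
    "5001": "PLACEHOLDER_realtime_protection_disabled",
}


def rename_fields(event):
    """Stage 1: move raw fields to the canonical names, leaving others untouched."""
    renamed = dict(event)
    for raw, canonical in RAW_FIELD_MAP.items():
        if raw in renamed:
            renamed[canonical] = renamed.pop(raw)
    return renamed


def should_drop(event):
    """Stage 2: mirror the 'Defender drop events' rule.

    Like the rule's to_string() calls, compare EventId as a string so an
    integer 1006 and the string "1006" are treated the same.
    """
    if event.get("Channel") != DEFENDER_CHANNEL:
        return False  # the rule only applies to the Defender channel
    return str(event.get("EventId")) not in DEFENDER_KEEP_IDS


def enrich(event):
    """Stage 3: mirror the 'Defender Log Event Id Enrichment' rule."""
    if event.get("Channel") != DEFENDER_CHANNEL:
        return event
    enriched = dict(event)
    # lookup_value() yields null for a key missing from the table; model that as None.
    enriched["TimelineCategory"] = DEFENDER_LOOKUP.get(str(event.get("EventId")))
    enriched["TimelineSource"] = "Windows Defender"
    enriched["TimelineEvent"] = "true"
    return enriched


def process(events):
    """Run the three stages over a batch; dropped events are simply omitted."""
    out = []
    for raw in events:
        event = rename_fields(raw)
        if should_drop(event):
            continue
        out.append(enrich(event))
    return out


def unknown_keep_ids(lookup=DEFENDER_LOOKUP, keep=DEFENDER_KEEP_IDS):
    """Kept Event IDs with no lookup entry: they would land in the index with a
    null TimelineCategory and vanish from category-based dashboard queries."""
    return sorted(keep - set(lookup))


# Constructed sample batch (not real log data); 1150 is an arbitrary ID that is
# not on the allowlist.
SAMPLE_EVENTS = [
    {"winlog_channel": DEFENDER_CHANNEL, "winlog_event_id": 1006, "host": "ws01"},
    {"winlog_channel": DEFENDER_CHANNEL, "winlog_event_id": "1150", "host": "ws01"},
    {"winlog_channel": DEFENDER_CHANNEL, "winlog_event_id": 1008, "host": "ws02"},
    {"winlog_channel": "Security", "winlog_event_id": 4624, "host": "ws02"},
]

if __name__ == "__main__":
    for event in process(SAMPLE_EVENTS):
        print(event)
    print("kept IDs missing from lookup:", unknown_keep_ids())
```

Running the script keeps the 1006 and 1008 Defender events and the Security event, drops the 1150 event, and enriches only the Defender events. The `unknown_keep_ids` check is the part worth wiring into a pre-deployment test: every ID on the allowlist should have a lookup entry, otherwise the enrichment stage produces a null TimelineCategory for events you deliberately chose to keep.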

This is the same for all processing pipelines.