Collecting Windows Logs with Elastic’s Winlogbeats
Threat Hunt with Elastic
Why Do This?
Suppose you’ve ever worked in Security Operations Center or performed any incident response. In that case, you’ll understand the value that logs play in telling a story of what occurred. But, of course, when trying to see the picture of a breach or incident, we need to fuse all the puzzle pieces. To accomplish this, we need to find all our puzzle pieces, and in this case, those come in the form of Windows event logs.
In this post, we’ll focus on collecting and aggregating windows event logs using Sysmon, Winlogbeats, and an Elastic stack.
If you followed along with my Moloch and Elastic article, this is a good way to begin adding host logs to your platform.
What is Elastic?
Elastic is still a high-growth company that had its start in search. With a search foundation, Elastic has created a platform for exploring and analyzing almost any form of data — from stocks quotes, flight data, and even Windows logs!
As a security information and event management (SIEM) platform, Elastic products have been climbing the Gartner Magic Quadrant.
What makes Elastic compelling for small-medium size businesses is that Elastic has tons of features and functionality in its free tier of products. Elasticsearch, the search platform, is also at the heart of Security Onion’s updated platform. Tons of hunt-focused architectures have been built around Elasticsearch’s flexibility and power. If you weren’t convinced about how robust this search platform is, Amazon actually created a fork of Elasticsearch called OpenSearch “for use cases such as log analytics, real-time application monitoring, and clickstream analysis.”
Okay, Cool…But What is Winlogbeats?
In order to get logs into this search platform, we’ll use a log shipper called Winlogbeats that installs on the endpoint and runs as a service. We’ll also use Microsoft’s Sysmon to generate higher fidelity logs that Winlogbeats can ship.
At the time of this writing, Elastic has recently acquired the cybersecurity company Endgame. Renowned for its endpoint protection suite and ability to map local events to the MITRE ATT&CK Matrix, Elastic is in the process of integrating Endgames capabilities into a new product called Elastic Endpoint Security which will be able to take Winlogbeats as an input.
Sweet! Am I Ready to Do the Thing?
Thanks for asking! Before I show you, we’re going to make some assumptions.
First, you should have a readily available Elastic stack (in this case just Elasticsearch and Kibana) and have their IP addresses. If you don’t, you can check out the documentation here: https://www.elastic.co/elastic-stack/. Feel free to install it locally or spin up a trial version, and return back. For this article, I’m using docker containers of Elastic and Kibana on Centos 8.
Second, you should have a Windows machine to install the Winlogbeats agent. In my examples, I’m using a Windows 10 Evaluation image. Pick up a developer VM here:https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/.
My Computer is Ready to Ship Logs. Let’s Go!
Love that enthusiasm! Keep it Up!
Now let's install Winlogbeats on your computer. Feel free to clone or download my Github repo https://github.com/alekzandr/windowsdeploy.
Inside this repository are some helpful scripts to automate the process. Due to Github size constraints, you’ll have to download the winlogbeats application and manually move the executable windowsdeploy/winlogbeat.
Now that the winlogbeats.exe is in our folder, we’ll edit our winlogbeat.yml to point our agent towards the Elastic Stack. In my case, my Elastic and Kibana servers are at 192.168.50.186, so I went down to the “Elasticsearch Output” section and inputted my Elastic IP. If you’re using standard Elastic ports, leave port 9200 for Elasticsearch and 5601 for Kibana.
With solid configurations, we’ll now open an admin PowerShell terminal, change directories to windowsdeploy-main, and execute the installservices.ps1 script. This script installs Sysmon and Winlogbeats as services and starts them.
Once you confirm that Winlogbeats and Sysmon are running, go ahead and jump over to your Kibana instance. For me that was http://192.168.50.186:5601. My winlogbeats.yml configuration will create the “winlogbeat-*” index pattern in Elasticsearch if you didn’t have one already.
And that’s everything, you’re now ingesting Windows logs into Elastic!
That’s a Lot of Data! How Do I Use It?
Well, my friend, that’s a topic for a different article. We’re all about taking little steps to improve our skillsets, security posture, and safeguarding our systems. Next time, I’ll show you have to leverage this stack to detect and track the effects generated by a potential APT. But for now, explore the data, build visualizations, and dashboards. You might find something interesting that everybody is just waiting to see!
