Collecting Windows telemetry with Elastic: An introduction to the ETW Filebeat input

Nov 21, 2024 by iHash Leave a Comment

From this output, we can see that the provider Microsoft-Windows-DNSServer offers several keywords for filtering specific event types, such as QUERY_RECEIVED, RESPONSE_SUCCESS, RESPONSE_FAILURE, and others — each represented by a unique hex code. Additionally, it provides levels (Error, Warning, Informational) that specify the severity of events that can be captured.

The Filebeat ETW input offers filtering options that allow you to capture only relevant events from a specific provider:

match_any_keyword: Captures events if they match any one of the specified keywords. This is useful when you want to monitor a range of event types that don’t necessarily occur together.
match_all_keyword: Captures events only if they match all specified keywords. This option is ideal for highly specific event monitoring where events must meet multiple criteria simultaneously.
trace_level: Filters events based on their severity level, allowing you to specify whether to capture only errors, warnings, or informational messages. This can help to focus monitoring efforts on high-priority issues.

The output from logman lists various event types with corresponding keywords, allowing you to select specific events to monitor. For example, if you want to track recursive queries, you might look for keywords like RECURSE_QUERY_OUT, RECURSE_RESPONSE_IN, or RECURSE_QUERY_DROP. To filter specifically for these recursive query events, you would calculate the bitmask sum of their values:

1. Identify the hex values for each keyword:

RECURSE_QUERY_OUT: 0x0000000000000010
RECURSE_RESPONSE_IN: 0x0000000000000020
RECURSE_QUERY_DROP: 0x0000000000000040
Microsoft-Windows-DNSServer/Analytical (to ensure Analytical events are captured): 0x8000000000000000

2. Add these values together:

This resulting bitmask, 0x8000000000000070, would be used in the match_any_keyword configuration to capture only these specific recursive query events.

This approach allows for granular control over the data the ETW input ingests, ensuring you collect only events that are relevant to your monitoring needs.

Source link

Leave a ReplyCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Apple Arcade launches into 2025 with 10 new games, including PGA TOUR Pro Golf

January 10, 2025 UPDATE Apple Arcade launches into 2025 with 10 new games, including PGA TOUR Pro Golf Apple Arcade is kicking off the new year with an exciting slate of game launches, along with big updates to existing hits. Today, seven new titles are available, all with no ads or in-app purchases, including Skate […]

CrowdStrike Strengthens Container Security with Registry Scanning

Organizations of all sizes require security tools to meet their complex hybrid cloud needs. As their cloud environments and workloads evolve, this includes solutions that can scan for vulnerabilities in container images regardless of their location across public and private cloud environments. The problem is, most organizations lack this capability. Many use tools that […]

Major Vulnerabilities Patched in SonicWall, Palo Alto Expedition, and Aviatrix Controllers

Jan 09, 2025Ravie LakshmananVulnerability / Endpoint Security Palo Alto Networks has released software patches to address several security flaws in its Expedition migration tool, including a high-severity bug that an authenticated attacker could exploit to access sensitive data. “Multiple vulnerabilities in the Palo Alto Networks Expedition migration tool enable an attacker to read Expedition database […]

5 insights from public sector leaders: Solving organizational challenges with data and AI

Despite the best intentions of many public sector leaders to build data-driven organizations, the reality is that 65% of public sector leaders still struggle to use data continuously in real time and at scale. The upside? Many leaders are taking advantage of AI and generative AI to tackle this critical need. But to reach that […]

Nvidia at CES: Omniverse Blueprint for Industry, Generative Physical AI, Access to Blackwells, Cosmos Model for Physical AI

Nvidia issued its anticipated raft of news at CES this week, here’s an overview of announcements for the HPC-AI sector: ‘Mega’ Omniverse Blueprint for Industrial Robot Fleet Digital Twins The company said Mega is an omniverse framework for next-gen industrial AI and robot simulation through software-defined testing and optimization of factories and warehouses. Citing facts […]

Researchers Uncover Major Security Flaw in Illumina iSeq 100 DNA Sequencers

Jan 07, 2025Ravie LakshmananFirmware Security / Malware Cybersecurity researchers have uncovered firmware security vulnerabilities in the Illumina iSeq 100 DNA sequencing instrument that, if successfully exploited, could permit attackers to brick or plant persistent malware on susceptible devices. “The Illumina iSeq 100 used a very outdated implementation of BIOS firmware using CSM [Compatibility Support Mode] […]

Pangu Releases Updated Jailbreak of iOS 9 Pangu9 v1.2.0

Pangu has updated its jailbreak utility for iOS 9.0 to 9.0.2 with a fix for the manage storage bug and the latest version of Cydia. Change log V1.2.0 (2015-10-27) 1. Bundle latest Cydia with new Patcyh which fixed failure to open url scheme in MobileSafari 2. Fixed the bug that “preferences -> Storage&iCloud Usage -> […]

Apple Blocks Pangu Jailbreak Exploits With Release of iOS 9.1

Apple has blocked exploits used by the Pangu Jailbreak with the release of iOS 9.1. Pangu was able to jailbreak iOS 9.0 to 9.0.2; however, in Apple’s document on the security content of iOS 9.1, PanguTeam is credited with discovering two vulnerabilities that have been patched.

Pangu Releases Updated Jailbreak of iOS 9 Pangu9 v1.1.0

Pangu has released an update to its jailbreak utility for iOS 9 that improves its reliability and success rate. Change log V1.1.0 (2015-10-21) 1. Improve the success rate and reliability of jailbreak program for 64bit devices 2. Optimize backup process and improve jailbreak speed, and fix an issue that leads to fail to […]

Activator 1.9.6 Released With Support for iOS 9, 3D Touch

Ryan Petrich has released Activator 1.9.6, an update to the centralized gesture, button, and shortcut manager, that brings support for iOS 9 and 3D Touch.

JBL Flip 6 Portable Bluetooth Speaker (Open Box) for $74

Navee V25 300W Foldable e-Scooter for $299

Smart Tracker Includes Key Ring – Works with Apple Find My App (2-Pack) for $34

Harmony Premium Plan Lifetime Subscription for $99

Lenovo 11.6" 100e Chromebook 2nd Gen (2019) MediaTek MT8173C 4GB RAM 16GB eMMC (Refurbished) for $54