
Badass Intelligence Part 3: Elastic / Logstash Enrichment


Time to plug the API into your ingestion pipeline. Below is a focused Logstash configuration fragment that:

  1. Matches relevant Winlogbeat events where ObjectClass == groupPolicyContainer.
  2. Extracts the GUID.
  3. Calls the enrichment API.
  4. Merges the JSON payload into the event.

Logstash Filter Example

filter {
  if [winlog][event_data][ObjectClass] == "groupPolicyContainer" {
    # ObjectDN looks like CN={GUID},CN=Policies,CN=System,DC=...; keep only the GUID.
    # DATA (non-greedy) stops at the first closing brace. The GUID is parked in
    # @metadata so the json filter below can own the whole [policy] object without
    # overwriting a field set earlier (json's target replaces, it does not merge).
    grok {
      match => { "[winlog][event_data][ObjectDN]" => "CN=\{%{DATA:[@metadata][gpo_guid]}\}" }
    }
    if "_grokparsefailure" not in [tags] {
      http {
        url            => "http://example.local:8080/gpolookup"
        verb           => "GET"
        query          => { "guid" => "%{[@metadata][gpo_guid]}" }
        target_body    => "[@metadata][gpo_body]"
        target_headers => "[@metadata][gpo_headers]"
      }
      # A failed request tags the event _httprequestfailure and leaves the body unset;
      # the json step assumes the API hands back the JSON document as a string body.
      if [@metadata][gpo_body] {
        json { source => "[@metadata][gpo_body]" target => "policy" }
      }
      # Always keep the GUID alongside whatever the API returned (or did not).
      mutate { add_field => { "[policy][dn]" => "%{[@metadata][gpo_guid]}" } }
    }
  }
}

Explanation:

  • The grok pattern isolates the GUID from ObjectDN.
  • The http filter performs the lookup.
  • Returned JSON becomes policy.* fields (e.g. policy.DisplayName).
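As an added cross-check that is not part of the original post or of the lookup API from this series, the Python below models the same four steps on a Winlogbeat-shaped event, using a constructed in-memory stand-in for the gpolookup response, so the expected shape of policy.* (including the no-GUID and API-miss cases) can be pinned down before the Logstash pipeline goes live.

```python
import re
from typing import Callable, Optional

# Same extraction the grok pattern performs: the GUID inside the braces of the CN.
GUID_RE = re.compile(r"CN=\{(?P<guid>[0-9A-Fa-f-]{36})\}")

# Constructed stand-in for the gpolookup API's response table (sample data only).
FAKE_API = {
    "6AC1786C-016F-11D2-945F-00C04FB984F9": {
        "DisplayName": "Default Domain Policy",
        "Created": "2008-11-03T14:27:16",
        "LastModified": "2020-04-26T15:04:13",
    },
}


def fake_lookup(guid: str) -> Optional[dict]:
    """Stands in for GET /gpolookup?guid=...; None models a failed request / no body."""
    return FAKE_API.get(guid.upper())


def enrich(event: dict, lookup: Callable[[str], Optional[dict]]) -> dict:
    """Apply the filter's steps to one Winlogbeat-shaped event (mutates and returns it)."""
    data = event.get("winlog", {}).get("event_data", {})
    if data.get("ObjectClass") != "groupPolicyContainer":
        return event                       # condition false: event passes untouched
    match = GUID_RE.search(data.get("ObjectDN", ""))
    if match is None:
        event.setdefault("tags", []).append("_grokparsefailure")
        return event                       # no GUID, so no API call is made
    guid = match.group("guid")
    policy = {"dn": guid}                  # dn survives even when the API has no record
    body = lookup(guid)
    if body is None:
        event.setdefault("tags", []).append("_httprequestfailure")
    else:
        policy.update(body)                # returned JSON becomes policy.* fields
    event["policy"] = policy
    return event


def sample_event(object_dn: str, object_class: str = "groupPolicyContainer") -> dict:
    """Constructed minimal 5136 event in the shape Winlogbeat ships it."""
    return {"event": {"code": 5136},
            "winlog": {"event_data": {"ObjectClass": object_class, "ObjectDN": object_dn}}}


if __name__ == "__main__":
    dn = "CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=local"
    print(enrich(sample_event(dn), fake_lookup)["policy"])
```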

Resulting Event Fields (Example)

{
  "winlog.event_id": 5136,
  "policy": {
    "dn": "6AC1786C-016F-11D2-945F-00C04FB984F9",
    "DisplayName": "Default Domain Policy",
    "Created": "2008-11-03T14:27:16",
    "LastModified": "2020-04-26T15:04:13"
  }
}

Query Ideas (Kibana / Elastic)

event.code:5136 AND policy.DisplayName:* AND winlog.event_data.ObjectClass:"groupPolicyContainer"

Surface policies modified in the last day (Lucene range syntax; this only works if policy.LastModified is mapped as a date field rather than text):

policy.LastModified:[now-1d TO now]

Hardening & Scaling

  • Add retry logic or a circuit breaker so a slow or unavailable API does not stall the pipeline when latency spikes.
  • Deploy multiple API instances behind an internal load balancer.
  • Consider a caching sidecar (e.g. Redis) for super-hot GUIDs that are looked up repeatedly.

Wrap-Up

With inline enrichment your SOC sees human-readable names instantly: no pivoting, no GUID guessing. Extend the same pattern to other opaque identifiers (SIDs, mailbox GUIDs, etc.).


Tags: elastic · PowerShell · Logstash · Threat Hunting · Windows Events