SigmaHQ/tools/config/winlogbeat.yml

title: Elastic Winlogbeat (from 7.x) index pattern and field mapping
order: 20
backends:
  - es-qs
  - es-dsl
  - es-rule
  - kibana
  - xpack-watcher
  - elastalert
  - elastalert-dsl
  - ee-outliers
logsources:
  windows:
    product: windows
    index: winlogbeat-*
  windows-application:
    product: windows
    service: application
    conditions:
      winlog.channel: Application
  windows-security:
    product: windows
    service: security
    conditions:
      winlog.channel: Security
  windows-sysmon:
    product: windows
    service: sysmon
    conditions:
      winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
  windows-dns-server:
    product: windows
    service: dns-server
    conditions:
      winlog.channel: 'DNS Server'
  windows-driver-framework:
    product: windows
    service: driver-framework
    conditions:
      winlog.provider_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
  windows-dhcp:
    product: windows
    service: dhcp
    conditions:
      winlog.provider_name: 'Microsoft-Windows-DHCP-Server/Operational'
defaultindex: winlogbeat-*
# Extract all field names qith yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: winlog.event_data.\1/g'
# Keep EventID! Clean up the list afterwards!
fieldmappings:
  EventID: winlog.event_id
  AccessMask: winlog.event_data.AccessMask
  AccountName: winlog.event_data.AccountName
  AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
  AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
  AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
  AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
  CallingProcessName: winlog.event_data.CallingProcessName
  CallTrace: winlog.event_data.CallTrace
  Channel: winlog.channel
  CommandLine: winlog.event_data.CommandLine
  ComputerName: winlog.ComputerName
  CurrentDirectory: winlog.event_data.CurrentDirectory
  Description: winlog.event_data.Description
  DestinationHostname: winlog.event_data.DestinationHostname
  DestinationIp: winlog.event_data.DestinationIp
  dst_ip: winlog.event_data.DestinationIp
  DestinationIsIpv6: winlog.event_data.DestinationIsIpv6
  DestinationPort: winlog.event_data.DestinationPort
  dst_port: winlog.event_data.DestinationPort
  Details: winlog.event_data.Details
  EngineVersion: winlog.event_data.EngineVersion
  EventType: winlog.event_data.EventType
  FailureCode: winlog.event_data.FailureCode
  FileName: winlog.event_data.FileName
  GrantedAccess: winlog.event_data.GrantedAccess
  GroupName: winlog.event_data.GroupName
  GroupSid: winlog.event_data.GroupSid
  Hashes: winlog.event_data.Hashes
  HiveName: winlog.event_data.HiveName
  HostVersion: winlog.event_data.HostVersion
  Image: winlog.event_data.Image
  ImageLoaded: winlog.event_data.ImageLoaded
  ImagePath: winlog.event_data.ImagePath
  Imphash: winlog.event_data.Imphash
  IpAddress: winlog.event_data.IpAddress
  KeyLength: winlog.event_data.KeyLength
  LogonProcessName: winlog.event_data.LogonProcessName
  LogonType: winlog.event_data.LogonType
  NewProcessName: winlog.event_data.NewProcessName
  ObjectClass: winlog.event_data.ObjectClass
  ObjectName: winlog.event_data.ObjectName
  ObjectType: winlog.event_data.ObjectType
  ObjectValueName: winlog.event_data.ObjectValueName
  ParentCommandLine: winlog.event_data.ParentCommandLine
  ParentProcessName: winlog.event_data.ParentProcessName
  ParentImage: winlog.event_data.ParentImage
  Path: winlog.event_data.Path
  PipeName: winlog.event_data.PipeName
  ProcessCommandLine: winlog.event_data.ProcessCommandLine
  ProcessName: winlog.event_data.ProcessName
  Properties: winlog.event_data.Properties
  RuleName: winlog.event_data.RuleName
  SecurityID: winlog.event_data.SecurityID
  ServiceFileName: winlog.event_data.ServiceFileName
  ServiceName: winlog.event_data.ServiceName
  ShareName: winlog.event_data.ShareName
  Signature: winlog.event_data.Signature
  Source: winlog.event_data.Source
  SourceImage: winlog.event_data.SourceImage
  SourceIp: winlog.event_data.SourceIp
  src_ip: winlog.event_data.SourceIp
  SourcePort: winlog.event_data.SourcePort
  src_port: winlog.event_data.SourcePort
  StartModule: winlog.event_data.StartModule
  Status: winlog.event_data.Status
  SubjectUserName: winlog.event_data.SubjectUserName
  SubjectUserSid: winlog.event_data.SubjectUserSid
  TargetFilename: winlog.event_data.TargetFilename
  TargetImage: winlog.event_data.TargetImage
  TargetObject: winlog.event_data.TargetObject
  TicketEncryptionType: winlog.event_data.TicketEncryptionType
  TicketOptions: winlog.event_data.TicketOptions
  User: winlog.event_data.User
  WorkstationName: winlog.event_data.WorkstationName
  # Channel: WLAN-Autoconfig AND EventID: 8001
  AuthenticationAlgorithm: winlog.event_data.AuthenticationAlgorithm
  BSSID: winlog.event_data.BSSID
  BSSType: winlog.event_data.BSSType
  CipherAlgorithm: winlog.event_data.CipherAlgorithm
  ConnectionId: winlog.event_data.ConnectionId
  ConnectionMode: winlog.event_data.ConnectionMode
  InterfaceDescription: winlog.event_data.InterfaceDescription
  InterfaceGuid: winlog.event_data.InterfaceGuid
  OnexEnabled: winlog.event_data.OnexEnabled
  PHYType: winlog.event_data.PHYType
  ProfileName: winlog.event_data.ProfileName
  SSID: winlog.event_data.SSID
Added version information to Winlogbeat configs 2019-06-30 20:44:12 +00:00			`title: Elastic Winlogbeat (from 7.x) index pattern and field mapping`
Configuration order checking 2019-04-22 22:54:10 +00:00			`order: 20`
Check for valid configuration/backend combinations 2019-05-19 23:00:33 +00:00			`backends:`
			`- es-qs`
			`- es-dsl`
Added es-rule backend to all ES configurations 2020-02-24 22:20:48 +00:00			`- es-rule`
Check for valid configuration/backend combinations 2019-05-19 23:00:33 +00:00			`- kibana`
			`- xpack-watcher`
			`- elastalert`
introduce elastalert-dsl (cherry picked from commit 0235ec23200e62766d9f21fbd26ed834991a0b61) 2019-05-27 15:11:59 +00:00			`- elastalert-dsl`
Added ee-outliers backend 2020-05-08 08:04:59 +00:00			`- ee-outliers`
Added Winlogbeat configuration 2018-09-20 10:08:11 +00:00			`logsources:`
			`windows:`
			`product: windows`
			`index: winlogbeat-*`
			`windows-application:`
			`product: windows`
			`service: application`
			`conditions:`
Modified winlogbeat config to adhere to winlogbeat 7 field names breaking changes ref: https://www.elastic.co/guide/en/beats/libbeat/current/breaking-changes-7.0.html 2019-06-30 10:09:11 +00:00			`winlog.channel: Application`
Added Winlogbeat configuration 2018-09-20 10:08:11 +00:00			`windows-security:`
			`product: windows`
			`service: security`
			`conditions:`
Modified winlogbeat config to adhere to winlogbeat 7 field names breaking changes ref: https://www.elastic.co/guide/en/beats/libbeat/current/breaking-changes-7.0.html 2019-06-30 10:09:11 +00:00			`winlog.channel: Security`
Added Winlogbeat configuration 2018-09-20 10:08:11 +00:00			`windows-sysmon:`
			`product: windows`
			`service: sysmon`
			`conditions:`
Modified winlogbeat config to adhere to winlogbeat 7 field names breaking changes ref: https://www.elastic.co/guide/en/beats/libbeat/current/breaking-changes-7.0.html 2019-06-30 10:09:11 +00:00			`winlog.channel: 'Microsoft-Windows-Sysmon/Operational'`
Added Winlogbeat configuration 2018-09-20 10:08:11 +00:00			`windows-dns-server:`
			`product: windows`
			`service: dns-server`
			`conditions:`
Modified winlogbeat config to adhere to winlogbeat 7 field names breaking changes ref: https://www.elastic.co/guide/en/beats/libbeat/current/breaking-changes-7.0.html 2019-06-30 10:09:11 +00:00			`winlog.channel: 'DNS Server'`
Added Winlogbeat configuration 2018-09-20 10:08:11 +00:00			`windows-driver-framework:`
			`product: windows`
			`service: driver-framework`
			`conditions:`
Modified winlogbeat config to adhere to winlogbeat 7 field names breaking changes ref: https://www.elastic.co/guide/en/beats/libbeat/current/breaking-changes-7.0.html 2019-06-30 10:09:11 +00:00			`winlog.provider_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'`
DHCP log source in sigmac configs 2019-02-05 13:35:16 +00:00			`windows-dhcp:`
			`product: windows`
			`service: dhcp`
introduce elastalert-dsl (cherry picked from commit 0235ec23200e62766d9f21fbd26ed834991a0b61) 2019-05-27 15:11:59 +00:00			`conditions:`
Modified winlogbeat config to adhere to winlogbeat 7 field names breaking changes ref: https://www.elastic.co/guide/en/beats/libbeat/current/breaking-changes-7.0.html 2019-06-30 10:09:11 +00:00			`winlog.provider_name: 'Microsoft-Windows-DHCP-Server/Operational'`
Added Winlogbeat configuration 2018-09-20 10:08:11 +00:00			`defaultindex: winlogbeat-*`
			`# Extract all field names qith yq:`
Modified winlogbeat config to adhere to winlogbeat 7 field names breaking changes ref: https://www.elastic.co/guide/en/beats/libbeat/current/breaking-changes-7.0.html 2019-06-30 10:09:11 +00:00			`# yq -r '.detection \| del(.condition) \| map(keys) \| .[][]' $(find sigma/rules/windows -name '.yml') \| sort -u \| grep -v ^EventID$ \| sed 's/^\(.\)/ \1: winlog.event_data.\1/g'`
Added Winlogbeat configuration 2018-09-20 10:08:11 +00:00			`# Keep EventID! Clean up the list afterwards!`
			`fieldmappings:`
Further proxy field name fixes (config + rules) 2019-12-06 23:23:30 +00:00			`EventID: winlog.event_id`
			`AccessMask: winlog.event_data.AccessMask`
			`AccountName: winlog.event_data.AccountName`
			`AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo`
			`AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName`
			`AuditPolicyChanges: winlog.event_data.AuditPolicyChanges`
			`AuthenticationPackageName: winlog.event_data.AuthenticationPackageName`
			`CallingProcessName: winlog.event_data.CallingProcessName`
			`CallTrace: winlog.event_data.CallTrace`
winlogbeat forward (at a snails pace) ECS field names 2020-05-19 08:58:51 +00:00			`Channel: winlog.channel`
Further proxy field name fixes (config + rules) 2019-12-06 23:23:30 +00:00			`CommandLine: winlog.event_data.CommandLine`
Updated config 2020-05-20 09:35:00 +00:00			`ComputerName: winlog.ComputerName`
Further proxy field name fixes (config + rules) 2019-12-06 23:23:30 +00:00			`CurrentDirectory: winlog.event_data.CurrentDirectory`
			`Description: winlog.event_data.Description`
			`DestinationHostname: winlog.event_data.DestinationHostname`
			`DestinationIp: winlog.event_data.DestinationIp`
winlogbeat forward (at a snails pace) ECS field names 2020-05-19 08:58:51 +00:00			`dst_ip: winlog.event_data.DestinationIp`
Further proxy field name fixes (config + rules) 2019-12-06 23:23:30 +00:00			`DestinationIsIpv6: winlog.event_data.DestinationIsIpv6`
			`DestinationPort: winlog.event_data.DestinationPort`
winlogbeat forward (at a snails pace) ECS field names 2020-05-19 08:58:51 +00:00			`dst_port: winlog.event_data.DestinationPort`
Further proxy field name fixes (config + rules) 2019-12-06 23:23:30 +00:00			`Details: winlog.event_data.Details`
			`EngineVersion: winlog.event_data.EngineVersion`
			`EventType: winlog.event_data.EventType`
			`FailureCode: winlog.event_data.FailureCode`
			`FileName: winlog.event_data.FileName`
			`GrantedAccess: winlog.event_data.GrantedAccess`
			`GroupName: winlog.event_data.GroupName`
			`GroupSid: winlog.event_data.GroupSid`
			`Hashes: winlog.event_data.Hashes`
			`HiveName: winlog.event_data.HiveName`
			`HostVersion: winlog.event_data.HostVersion`
			`Image: winlog.event_data.Image`
			`ImageLoaded: winlog.event_data.ImageLoaded`
			`ImagePath: winlog.event_data.ImagePath`
			`Imphash: winlog.event_data.Imphash`
			`IpAddress: winlog.event_data.IpAddress`
			`KeyLength: winlog.event_data.KeyLength`
			`LogonProcessName: winlog.event_data.LogonProcessName`
			`LogonType: winlog.event_data.LogonType`
			`NewProcessName: winlog.event_data.NewProcessName`
			`ObjectClass: winlog.event_data.ObjectClass`
			`ObjectName: winlog.event_data.ObjectName`
			`ObjectType: winlog.event_data.ObjectType`
			`ObjectValueName: winlog.event_data.ObjectValueName`
			`ParentCommandLine: winlog.event_data.ParentCommandLine`
			`ParentProcessName: winlog.event_data.ParentProcessName`
			`ParentImage: winlog.event_data.ParentImage`
			`Path: winlog.event_data.Path`
			`PipeName: winlog.event_data.PipeName`
			`ProcessCommandLine: winlog.event_data.ProcessCommandLine`
			`ProcessName: winlog.event_data.ProcessName`
			`Properties: winlog.event_data.Properties`
Add Winlogbeat's RuleName field to mapping When Sysmon logs a "RegistryEvent" event of ID 13, the event might contain a field named "RuleName" as shown in the following excerpt. ```xml <?xml version="1.0" encoding="utf-8" standalone="yes"?> <Events> <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'> <System> <Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/> <EventID>13</EventID> <Version>2</Version> <Level>4</Level> <Task>13</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime='2020-03-18T03:52:07.173448000Z'/> <EventRecordID>160631</EventRecordID> <Correlation/> <Execution ProcessID='2156' ThreadID='3628'/> <Channel>Microsoft-Windows-Sysmon/Operational</Channel> <Computer>win10.sec699-40.lab</Computer> <Security UserID='S-1-5-18'/> </System> <EventData> <Data Name='RuleName'>Context,ProtectedModeExitOrMacrosUsed</Data> <Data Name='EventType'>SetValue</Data> <Data Name='UtcTime'>2020-03-18 03:52:07.129</Data> <Data Name='ProcessGuid'>{36aa6401-9acb-5e71-0000-0010e3ed6803}</Data> <Data Name='ProcessId'>5064</Data> <Data Name='Image'>C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE</Data> <Data Name='TargetObject'>HKU\S-1-5-21-1850752718-2055233276-2633568556-1126\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords\%USERPROFILE%/Documents/sec699.docm</Data> <Data Name='Details'>Binary Data</Data> </EventData> </Event> </Events> ``` When used in combination with Elastic's Winlogbeat, the resulting field is named `winlog.event_data.RuleName`. This commit introduces a mapping between the Sigma `RuleName` field (pre-existing in the `arcsight.yml` config) and Elastic's `winlog.event_data.RuleName`. The presence of this field could be leveraged to build Sigma rules detecting events such as the above where a malicious macro was executed. 2020-03-19 18:40:18 +00:00			`RuleName: winlog.event_data.RuleName`
Further proxy field name fixes (config + rules) 2019-12-06 23:23:30 +00:00			`SecurityID: winlog.event_data.SecurityID`
			`ServiceFileName: winlog.event_data.ServiceFileName`
			`ServiceName: winlog.event_data.ServiceName`
			`ShareName: winlog.event_data.ShareName`
			`Signature: winlog.event_data.Signature`
			`Source: winlog.event_data.Source`
			`SourceImage: winlog.event_data.SourceImage`
winlogbeat forward (at a snails pace) ECS field names 2020-05-19 08:58:51 +00:00			`SourceIp: winlog.event_data.SourceIp`
			`src_ip: winlog.event_data.SourceIp`
			`SourcePort: winlog.event_data.SourcePort`
			`src_port: winlog.event_data.SourcePort`
Further proxy field name fixes (config + rules) 2019-12-06 23:23:30 +00:00			`StartModule: winlog.event_data.StartModule`
			`Status: winlog.event_data.Status`
			`SubjectUserName: winlog.event_data.SubjectUserName`
			`SubjectUserSid: winlog.event_data.SubjectUserSid`
			`TargetFilename: winlog.event_data.TargetFilename`
			`TargetImage: winlog.event_data.TargetImage`
			`TargetObject: winlog.event_data.TargetObject`
			`TicketEncryptionType: winlog.event_data.TicketEncryptionType`
			`TicketOptions: winlog.event_data.TicketOptions`
			`User: winlog.event_data.User`
			`WorkstationName: winlog.event_data.WorkstationName`
winlogbeat forward (at a snails pace) ECS field names 2020-05-19 08:58:51 +00:00			`# Channel: WLAN-Autoconfig AND EventID: 8001`
			`AuthenticationAlgorithm: winlog.event_data.AuthenticationAlgorithm`
			`BSSID: winlog.event_data.BSSID`
			`BSSType: winlog.event_data.BSSType`
			`CipherAlgorithm: winlog.event_data.CipherAlgorithm`
			`ConnectionId: winlog.event_data.ConnectionId`
			`ConnectionMode: winlog.event_data.ConnectionMode`
			`InterfaceDescription: winlog.event_data.InterfaceDescription`
			`InterfaceGuid: winlog.event_data.InterfaceGuid`
			`OnexEnabled: winlog.event_data.OnexEnabled`
			`PHYType: winlog.event_data.PHYType`
			`ProfileName: winlog.event_data.ProfileName`
Updated config 2020-05-20 09:35:00 +00:00			`SSID: winlog.event_data.SSID`