SigmaHQ/tools/config/elk-winlogbeat.yml

title: ELK Ingested with Winlogbeat
logsources:
  windows:
    product: windows
    index: winlogbeat-*
  windows-application:
    product: windows
    service: application
    conditions:
      log_name: Application
  windows-security:
    product: windows
    service: security
    conditions:
      log_name: Security
  windows-sysmon:
    product: windows
    service: sysmon
    conditions:
      log_name: 'Microsoft-Windows-Sysmon/Operational'
  windows-dns-server:
    product: windows
    service: dns-server
    conditions:
      log_name: 'DNS Server'
  windows-driver-framework:
    product: windows
    service: driver-framework
    conditions:
      log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
  windows-ntlm:
    product: windows
    service: ntlm
    conditions:
      log_name: 'Microsoft-Windows-NTLM/Operational'
  windows-applocker:
    product: windows
    service: applocker
    conditions:
      log_name:
        - 'Microsoft-Windows-AppLocker/MSI and Script'
        - 'Microsoft-Windows-AppLocker/EXE and DLL'
        - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
        - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
  windows-msexchange-management:
    product: windows
    service: msexchange-management
    conditions:
      log_name: 'MSExchange Management'
  windows-printservice-admin:
    product: windows
    service: printservice-admin
    conditions:
      log_name: 'Microsoft-Windows-PrintService/Admin'
  windows-printservice-operational:
    product: windows
    service: printservice-operational
    conditions:
      log_name: 'Microsoft-Windows-PrintService/Operational'
  windows-smbclient-security:
    product: windows
    service: smbclient-security
    conditions:
      log_name: 'Microsoft-Windows-SmbClient/Security'
defaultindex: winlogbeat-*
# Extract all field names with yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: event_data.\1/g'
# Keep EventID! Clean up the list afterwards!
fieldmappings:
    EventID: event_id
    AccessMask: event_data.AccessMask
    AccountName: event_data.AccountName
    AllowedToDelegateTo: event_data.AllowedToDelegateTo
    AttributeLDAPDisplayName: event_data.AttributeLDAPDisplayName
    AuditPolicyChanges: event_data.AuditPolicyChanges
    AuthenticationPackageName: event_data.AuthenticationPackageName
    CallingProcessName: event_data.CallingProcessName
    CallTrace: event_data.CallTrace
    CommandLine: event_data.CommandLine
    ComputerName: event_data.ComputerName
    CurrentDirectory: event_data.CurrentDirectory
    Description: event_data.Description
    DestinationHostname: event_data.DestinationHostname
    DestinationIp: event_data.DestinationIp
    DestinationIsIpv6: event_data.DestinationIsIpv6
    DestinationPort: event_data.DestinationPort
    Details: event_data.Details
    EngineVersion: event_data.EngineVersion
    EventType: event_data.EventType
    FailureCode: event_data.FailureCode
    FileName: event_data.FileName
    GrantedAccess: event_data.GrantedAccess
    GroupName: event_data.GroupName
    Hashes: event_data.Hashes
    HiveName: event_data.HiveName
    HostVersion: event_data.HostVersion
    Image: event_data.Image
    ImageLoaded: event_data.ImageLoaded
    ImagePath: event_data.ImagePath
    Imphash: event_data.Imphash
    LogonProcessName: event_data.LogonProcessName
    LogonType: event_data.LogonType
    NewProcessName: event_data.NewProcessName
    ObjectClass: event_data.ObjectClass
    ObjectName: event_data.ObjectName
    ObjectType: event_data.ObjectType
    ObjectValueName: event_data.ObjectValueName
    ParentCommandLine: event_data.ParentCommandLine
    ParentImage: event_data.ParentImage
    Path: event_data.Path
    PipeName: event_data.PipeName
    ProcessName: event_data.ProcessName
    Properties: event_data.Properties
    ServiceFileName: event_data.ServiceFileName
    ServiceName: event_data.ServiceName
    ShareName: event_data.ShareName
    Signature: event_data.Signature
    Source: event_data.Source
    SourceImage: event_data.SourceImage
    StartModule: event_data.StartModule
    Status: event_data.Status
    SubjectUserName: event_data.SubjectUserName
    TargetFilename: event_data.TargetFilename
    TargetImage: event_data.TargetImage
    TargetObject: event_data.TargetObject
    TicketEncryptionType: event_data.TicketEncryptionType
    TicketOptions: event_data.TicketOptions
    User: event_data.User
    WorkstationName: event_data.WorkstationName
docs: descriptions for source configs 2020-06-25 11:59:51 +00:00			`title: ELK Ingested with Winlogbeat`
Added Humio, Crowdstrike, Corelight 2020-05-08 10:41:52 +00:00			`logsources:`
			`windows:`
			`product: windows`
			`index: winlogbeat-*`
			`windows-application:`
			`product: windows`
			`service: application`
			`conditions:`
			`log_name: Application`
			`windows-security:`
			`product: windows`
			`service: security`
			`conditions:`
			`log_name: Security`
			`windows-sysmon:`
			`product: windows`
			`service: sysmon`
			`conditions:`
			`log_name: 'Microsoft-Windows-Sysmon/Operational'`
			`windows-dns-server:`
			`product: windows`
			`service: dns-server`
			`conditions:`
			`log_name: 'DNS Server'`
			`windows-driver-framework:`
			`product: windows`
			`service: driver-framework`
			`conditions:`
Added Windows NTLM log source + fixes 2020-07-02 21:20:36 +00:00			`log_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'`
			`windows-ntlm:`
			`product: windows`
			`service: ntlm`
			`conditions:`
			`log_name: 'Microsoft-Windows-NTLM/Operational'`
Added AppLocker log source 2020-07-13 20:44:03 +00:00			`windows-applocker:`
			`product: windows`
			`service: applocker`
			`conditions:`
			`log_name:`
			`- 'Microsoft-Windows-AppLocker/MSI and Script'`
			`- 'Microsoft-Windows-AppLocker/EXE and DLL'`
			`- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'`
			`- 'Microsoft-Windows-AppLocker/Packaged app-Execution'`
feat: MSExchange Management log mapping 2021-03-20 07:49:59 +00:00			`windows-msexchange-management:`
			`product: windows`
			`service: msexchange-management`
			`conditions:`
			`log_name: 'MSExchange Management'`
refactor: Admin log - not Operational 2021-06-30 12:22:40 +00:00			`windows-printservice-admin:`
config: mappings for Microsoft print service 2021-06-30 12:09:44 +00:00			`product: windows`
refactor: Admin log - not Operational 2021-06-30 12:22:40 +00:00			`service: printservice-admin`
config: mappings for Microsoft print service 2021-06-30 12:09:44 +00:00			`conditions:`
refactor: Admin log - not Operational 2021-06-30 12:22:40 +00:00			`log_name: 'Microsoft-Windows-PrintService/Admin'`
config: add PrintService Operational 2021-07-01 07:55:15 +00:00			`windows-printservice-operational:`
			`product: windows`
			`service: printservice-operational`
			`conditions:`
			`log_name: 'Microsoft-Windows-PrintService/Operational'`
config: mapping for Microsoft SMBClient service - security 2021-06-30 12:16:26 +00:00			`windows-smbclient-security:`
			`product: windows`
			`service: smbclient-security`
			`conditions:`
			`log_name: 'Microsoft-Windows-SmbClient/Security'`
Added Humio, Crowdstrike, Corelight 2020-05-08 10:41:52 +00:00			`defaultindex: winlogbeat-*`
fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00			`# Extract all field names with yq:`
Added Humio, Crowdstrike, Corelight 2020-05-08 10:41:52 +00:00			`# yq -r '.detection \| del(.condition) \| map(keys) \| .[][]' $(find sigma/rules/windows -name '.yml') \| sort -u \| grep -v ^EventID$ \| sed 's/^\(.\)/ \1: event_data.\1/g'`
			`# Keep EventID! Clean up the list afterwards!`
			`fieldmappings:`
			`EventID: event_id`
			`AccessMask: event_data.AccessMask`
			`AccountName: event_data.AccountName`
			`AllowedToDelegateTo: event_data.AllowedToDelegateTo`
			`AttributeLDAPDisplayName: event_data.AttributeLDAPDisplayName`
			`AuditPolicyChanges: event_data.AuditPolicyChanges`
			`AuthenticationPackageName: event_data.AuthenticationPackageName`
			`CallingProcessName: event_data.CallingProcessName`
			`CallTrace: event_data.CallTrace`
			`CommandLine: event_data.CommandLine`
			`ComputerName: event_data.ComputerName`
			`CurrentDirectory: event_data.CurrentDirectory`
			`Description: event_data.Description`
			`DestinationHostname: event_data.DestinationHostname`
			`DestinationIp: event_data.DestinationIp`
			`DestinationIsIpv6: event_data.DestinationIsIpv6`
			`DestinationPort: event_data.DestinationPort`
			`Details: event_data.Details`
			`EngineVersion: event_data.EngineVersion`
			`EventType: event_data.EventType`
			`FailureCode: event_data.FailureCode`
			`FileName: event_data.FileName`
			`GrantedAccess: event_data.GrantedAccess`
			`GroupName: event_data.GroupName`
			`Hashes: event_data.Hashes`
			`HiveName: event_data.HiveName`
			`HostVersion: event_data.HostVersion`
			`Image: event_data.Image`
			`ImageLoaded: event_data.ImageLoaded`
			`ImagePath: event_data.ImagePath`
			`Imphash: event_data.Imphash`
			`LogonProcessName: event_data.LogonProcessName`
			`LogonType: event_data.LogonType`
			`NewProcessName: event_data.NewProcessName`
			`ObjectClass: event_data.ObjectClass`
			`ObjectName: event_data.ObjectName`
			`ObjectType: event_data.ObjectType`
			`ObjectValueName: event_data.ObjectValueName`
			`ParentCommandLine: event_data.ParentCommandLine`
			`ParentImage: event_data.ParentImage`
			`Path: event_data.Path`
			`PipeName: event_data.PipeName`
			`ProcessName: event_data.ProcessName`
			`Properties: event_data.Properties`
			`ServiceFileName: event_data.ServiceFileName`
			`ServiceName: event_data.ServiceName`
			`ShareName: event_data.ShareName`
			`Signature: event_data.Signature`
			`Source: event_data.Source`
			`SourceImage: event_data.SourceImage`
			`StartModule: event_data.StartModule`
			`Status: event_data.Status`
			`SubjectUserName: event_data.SubjectUserName`
			`TargetFilename: event_data.TargetFilename`
			`TargetImage: event_data.TargetImage`
			`TargetObject: event_data.TargetObject`
			`TicketEncryptionType: event_data.TicketEncryptionType`
			`TicketOptions: event_data.TicketOptions`
			`User: event_data.User`
			`WorkstationName: event_data.WorkstationName`