2019-06-30 20:44:12 +00:00
|
|
|
title: Elastic Winlogbeat (from 7.x) index pattern and field mapping
|
2019-04-22 22:54:10 +00:00
|
|
|
order: 20
|
2019-05-19 23:00:33 +00:00
|
|
|
backends:
|
|
|
|
|
- es-qs
|
|
|
|
|
- es-dsl
|
2020-02-24 22:20:48 +00:00
|
|
|
- es-rule
|
2019-05-19 23:00:33 +00:00
|
|
|
- kibana
|
|
|
|
|
- xpack-watcher
|
|
|
|
|
- elastalert
|
2019-05-27 15:11:59 +00:00
|
|
|
- elastalert-dsl
|
2020-05-08 08:04:59 +00:00
|
|
|
- ee-outliers
|
2018-09-20 10:08:11 +00:00
|
|
|
logsources:
|
|
|
|
|
windows:
|
|
|
|
|
product: windows
|
|
|
|
|
index: winlogbeat-*
|
|
|
|
|
windows-application:
|
|
|
|
|
product: windows
|
|
|
|
|
service: application
|
|
|
|
|
conditions:
|
2019-06-30 10:09:11 +00:00
|
|
|
winlog.channel: Application
|
2018-09-20 10:08:11 +00:00
|
|
|
windows-security:
|
|
|
|
|
product: windows
|
|
|
|
|
service: security
|
|
|
|
|
conditions:
|
2019-06-30 10:09:11 +00:00
|
|
|
winlog.channel: Security
|
2018-09-20 10:08:11 +00:00
|
|
|
windows-sysmon:
|
|
|
|
|
product: windows
|
|
|
|
|
service: sysmon
|
|
|
|
|
conditions:
|
2019-06-30 10:09:11 +00:00
|
|
|
winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
|
2018-09-20 10:08:11 +00:00
|
|
|
windows-dns-server:
|
|
|
|
|
product: windows
|
|
|
|
|
service: dns-server
|
|
|
|
|
conditions:
|
2019-06-30 10:09:11 +00:00
|
|
|
winlog.channel: 'DNS Server'
|
2018-09-20 10:08:11 +00:00
|
|
|
windows-driver-framework:
|
|
|
|
|
product: windows
|
|
|
|
|
service: driver-framework
|
|
|
|
|
conditions:
|
2020-07-02 21:20:36 +00:00
|
|
|
winlog.channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
|
2019-02-05 13:35:16 +00:00
|
|
|
windows-dhcp:
|
|
|
|
|
product: windows
|
|
|
|
|
service: dhcp
|
2019-05-27 15:11:59 +00:00
|
|
|
conditions:
|
2020-07-02 21:20:36 +00:00
|
|
|
winlog.channel: 'Microsoft-Windows-DHCP-Server/Operational'
|
|
|
|
|
windows-ntlm:
|
|
|
|
|
product: windows
|
|
|
|
|
service: ntlm
|
|
|
|
|
conditions:
|
|
|
|
|
winlog.channel: 'Microsoft-Windows-NTLM/Operational'
|
2020-06-28 08:55:32 +00:00
|
|
|
windows-defender:
|
|
|
|
|
product: windows
|
|
|
|
|
service: windefend
|
|
|
|
|
conditions:
|
|
|
|
|
winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
|
2020-07-13 20:18:01 +00:00
|
|
|
windows-applocker:
|
|
|
|
|
product: windows
|
|
|
|
|
service: applocker
|
|
|
|
|
conditions:
|
|
|
|
|
winlog.channel:
|
|
|
|
|
- 'Microsoft-Windows-AppLocker/MSI and Script'
|
|
|
|
|
- 'Microsoft-Windows-AppLocker/EXE and DLL'
|
|
|
|
|
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
|
|
|
|
|
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
|
2018-09-20 10:08:11 +00:00
|
|
|
defaultindex: winlogbeat-*
|
|
|
|
|
# Extract all field names qith yq:
|
2019-06-30 10:09:11 +00:00
|
|
|
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
|
2018-09-20 10:08:11 +00:00
|
|
|
# Keep EventID! Clean up the list afterwards!
|
|
|
|
|
fieldmappings:
|
2019-12-06 23:23:30 +00:00
|
|
|
EventID: winlog.event_id
|
|
|
|
|
AccessMask: winlog.event_data.AccessMask
|
|
|
|
|
AccountName: winlog.event_data.AccountName
|
|
|
|
|
AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
|
|
|
|
|
AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
|
|
|
|
|
AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
|
|
|
|
|
AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
|
|
|
|
|
CallingProcessName: winlog.event_data.CallingProcessName
|
|
|
|
|
CallTrace: winlog.event_data.CallTrace
|
2020-05-19 08:58:51 +00:00
|
|
|
Channel: winlog.channel
|
2019-12-06 23:23:30 +00:00
|
|
|
CommandLine: winlog.event_data.CommandLine
|
2020-05-20 09:35:00 +00:00
|
|
|
ComputerName: winlog.ComputerName
|
2019-12-06 23:23:30 +00:00
|
|
|
CurrentDirectory: winlog.event_data.CurrentDirectory
|
|
|
|
|
Description: winlog.event_data.Description
|
|
|
|
|
DestinationHostname: winlog.event_data.DestinationHostname
|
|
|
|
|
DestinationIp: winlog.event_data.DestinationIp
|
2020-05-19 08:58:51 +00:00
|
|
|
dst_ip: winlog.event_data.DestinationIp
|
2019-12-06 23:23:30 +00:00
|
|
|
DestinationIsIpv6: winlog.event_data.DestinationIsIpv6
|
|
|
|
|
DestinationPort: winlog.event_data.DestinationPort
|
2020-05-19 08:58:51 +00:00
|
|
|
dst_port: winlog.event_data.DestinationPort
|
2019-12-06 23:23:30 +00:00
|
|
|
Details: winlog.event_data.Details
|
|
|
|
|
EngineVersion: winlog.event_data.EngineVersion
|
|
|
|
|
EventType: winlog.event_data.EventType
|
|
|
|
|
FailureCode: winlog.event_data.FailureCode
|
|
|
|
|
FileName: winlog.event_data.FileName
|
|
|
|
|
GrantedAccess: winlog.event_data.GrantedAccess
|
|
|
|
|
GroupName: winlog.event_data.GroupName
|
|
|
|
|
GroupSid: winlog.event_data.GroupSid
|
|
|
|
|
Hashes: winlog.event_data.Hashes
|
|
|
|
|
HiveName: winlog.event_data.HiveName
|
|
|
|
|
HostVersion: winlog.event_data.HostVersion
|
|
|
|
|
Image: winlog.event_data.Image
|
|
|
|
|
ImageLoaded: winlog.event_data.ImageLoaded
|
|
|
|
|
ImagePath: winlog.event_data.ImagePath
|
|
|
|
|
Imphash: winlog.event_data.Imphash
|
|
|
|
|
IpAddress: winlog.event_data.IpAddress
|
|
|
|
|
KeyLength: winlog.event_data.KeyLength
|
|
|
|
|
LogonProcessName: winlog.event_data.LogonProcessName
|
|
|
|
|
LogonType: winlog.event_data.LogonType
|
|
|
|
|
NewProcessName: winlog.event_data.NewProcessName
|
|
|
|
|
ObjectClass: winlog.event_data.ObjectClass
|
|
|
|
|
ObjectName: winlog.event_data.ObjectName
|
|
|
|
|
ObjectType: winlog.event_data.ObjectType
|
|
|
|
|
ObjectValueName: winlog.event_data.ObjectValueName
|
|
|
|
|
ParentCommandLine: winlog.event_data.ParentCommandLine
|
|
|
|
|
ParentProcessName: winlog.event_data.ParentProcessName
|
|
|
|
|
ParentImage: winlog.event_data.ParentImage
|
|
|
|
|
Path: winlog.event_data.Path
|
|
|
|
|
PipeName: winlog.event_data.PipeName
|
|
|
|
|
ProcessCommandLine: winlog.event_data.ProcessCommandLine
|
|
|
|
|
ProcessName: winlog.event_data.ProcessName
|
|
|
|
|
Properties: winlog.event_data.Properties
|
2020-03-19 18:40:18 +00:00
|
|
|
RuleName: winlog.event_data.RuleName
|
2019-12-06 23:23:30 +00:00
|
|
|
SecurityID: winlog.event_data.SecurityID
|
|
|
|
|
ServiceFileName: winlog.event_data.ServiceFileName
|
|
|
|
|
ServiceName: winlog.event_data.ServiceName
|
|
|
|
|
ShareName: winlog.event_data.ShareName
|
|
|
|
|
Signature: winlog.event_data.Signature
|
|
|
|
|
Source: winlog.event_data.Source
|
|
|
|
|
SourceImage: winlog.event_data.SourceImage
|
2020-05-19 08:58:51 +00:00
|
|
|
SourceIp: winlog.event_data.SourceIp
|
|
|
|
|
src_ip: winlog.event_data.SourceIp
|
|
|
|
|
SourcePort: winlog.event_data.SourcePort
|
|
|
|
|
src_port: winlog.event_data.SourcePort
|
2019-12-06 23:23:30 +00:00
|
|
|
StartModule: winlog.event_data.StartModule
|
|
|
|
|
Status: winlog.event_data.Status
|
|
|
|
|
SubjectUserName: winlog.event_data.SubjectUserName
|
|
|
|
|
SubjectUserSid: winlog.event_data.SubjectUserSid
|
|
|
|
|
TargetFilename: winlog.event_data.TargetFilename
|
|
|
|
|
TargetImage: winlog.event_data.TargetImage
|
|
|
|
|
TargetObject: winlog.event_data.TargetObject
|
|
|
|
|
TicketEncryptionType: winlog.event_data.TicketEncryptionType
|
|
|
|
|
TicketOptions: winlog.event_data.TicketOptions
|
|
|
|
|
User: winlog.event_data.User
|
|
|
|
|
WorkstationName: winlog.event_data.WorkstationName
|
2020-05-19 08:58:51 +00:00
|
|
|
# Channel: WLAN-Autoconfig AND EventID: 8001
|
|
|
|
|
AuthenticationAlgorithm: winlog.event_data.AuthenticationAlgorithm
|
|
|
|
|
BSSID: winlog.event_data.BSSID
|
|
|
|
|
BSSType: winlog.event_data.BSSType
|
|
|
|
|
CipherAlgorithm: winlog.event_data.CipherAlgorithm
|
|
|
|
|
ConnectionId: winlog.event_data.ConnectionId
|
|
|
|
|
ConnectionMode: winlog.event_data.ConnectionMode
|
|
|
|
|
InterfaceDescription: winlog.event_data.InterfaceDescription
|
|
|
|
|
InterfaceGuid: winlog.event_data.InterfaceGuid
|
|
|
|
|
OnexEnabled: winlog.event_data.OnexEnabled
|
|
|
|
|
PHYType: winlog.event_data.PHYType
|
|
|
|
|
ProfileName: winlog.event_data.ProfileName
|
2020-05-20 09:35:00 +00:00
|
|
|
SSID: winlog.event_data.SSID
|
