Added field name mappings to HELK configuration

2024-11-07 09:48:58 +00:00 · 2018-03-27 14:33:39 +02:00 · 2018-03-27 14:33:39 +02:00 · 17c1c1adff
commit 17c1c1adff
parent a3e02ea70f
1 changed files with 63 additions and 0 deletions
--- a/tools/config/helk.yml
+++ b/tools/config/helk.yml
@ -28,3 +28,66 @@ logsources:
    service: powershell-classic
    index: logs-endpoint-winevent-powershell-*
 defaultindex: logs-*
+fieldmappings:
+    AccessMask: object_access_mask_requested
+    AccountName: service_account_name
+    AllowedToDelegateTo: user_attribute_allowed_todelegate
+    AttributeLDAPDisplayName: dsobject_attribute_name
+    AuditPolicyChanges: policy_changes
+    AuthenticationPackageName: logon_authentication_package
+    CallTrace: process_calltrace
+    CommandLine: command_line
+    ComputerName: host_name
+    CurrentDirectory: process_current_directory
+    DestinationHostname: dst_host
+    DestinationIp: dst_ip
+    DestinationIsIpv6: dst_isipv6
+    DestinationPort: dst_port_number
+    Details: registry_details
+    EngineVersion: powershell.engine.version
+    EventID: event_id
+    EventType: 
+        EventID=12: registry_event_type
+        EventID=13: registry_event_type
+        EventID=14: registry_event_type
+        EventID=19: wmi_event_type
+        EventID=20: wmi_event_type
+        EventID=21: wmi_event_type
+    FailureCode: ticket_failure_code
+    GrantedAccess: process_granted_access
+    GroupName: group_name
+    HiveName: hive_name
+    HostVersion: powershell.host.version
+    Image: process_path
+    ImageLoaded: image_loaded
+    LogonProcessName: logon_process_name
+    LogonType: logon_type
+    NewProcessName: process_path
+    ObjectClass: dsobject_class
+    ObjectName: object_name
+    ObjectType: object_type
+    ObjectValueName: object_value_name
+    OperationType: object_operation_type
+    ParentImage: process_parent_path
+    PipeName: pipe_name
+    ProcessName: process_path
+    RelativeTargetName: share_relative_target_name
+    ServiceFileName: service_image_path
+    ServiceName: service_name
+    ShareName: share_name
+    Source: source_name
+    SourceImage: process_path
+    StartModule: thread_startmodule
+    Status: logon_failure_status
+    SubjectUserName: user_name
+    TargetFilename: file_name
+    TargetImage: process_target_path
+    TargetObject: registry_target_object
+    TargetImage: target_process_path
+    TaskName: task_name
+    TicketEncryptionType: ticket_encryption_type
+    TicketOptions: ticket_options
+    User: user
+    UserName: user_name
+    Workstation: src_host
+    WorkstationName: src_host