Merge pull request #464 from neu5ron/updates-to-sigma-main
update HELK and add winlogbeat module enabled taxonomy
commit
4711d4cad6
@ -36,7 +36,6 @@ logsources:
|
||||
product: windows
|
||||
service: powershell-classic
|
||||
index: logs-endpoint-winevent-powershell-*
|
||||
|
||||
defaultindex: logs-*
|
||||
fieldmappings:
|
||||
AccessMask: object_access_mask_requested
|
||||
@ -47,18 +46,22 @@ fieldmappings:
|
||||
AuthenticationPackageName: logon_authentication_package
|
||||
CallingProcessName: process_path
|
||||
CallTrace: process_call_trace
|
||||
ClientAddress: src_ip_addr
|
||||
ClientIPAddress: src_ip_addr
|
||||
ClientIP: src_ip_addr
|
||||
CommandLine: process_command_line
|
||||
Company: file_company
|
||||
ComputerName: host_name
|
||||
Configuration:
|
||||
EventID=16: sysmon_configuration
|
||||
ConnectedViaIPAddress: dst_nat_ip_addr
|
||||
CurrentDirectory: process_current_directory
|
||||
Description: file_description
|
||||
DestAddress: dst_ip_addr
|
||||
Destination:
|
||||
EventID=20: wmi_consumer_destination
|
||||
DestinationHostname: dst_host_name
|
||||
DestinationIp: dst_ip_addr
|
||||
DestinationIsIpv6: dst_is_ipv6
|
||||
DestinationPort: dst_port
|
||||
DestinationPortName: dst_port_name
|
||||
Details:
|
||||
@ -88,8 +91,13 @@ fieldmappings:
|
||||
EventID=3: network_initiated"
|
||||
IntegrityLevel:
|
||||
EventID=1: process_integrity_level
|
||||
ipAddress: dst_ip_addr
|
||||
IpAddress: src_ip_addr
|
||||
IPString: src_ip_addr
|
||||
LaunchedViaIPAddress: dst_ip_addr
|
||||
LogonProcessName: logon_process_name
|
||||
LogonType: logon_type
|
||||
MachineIpAddress: dst_ip_addr
|
||||
MachineName: host_name
|
||||
Name:
|
||||
EventID=19: wmi_name
|
||||
@ -106,13 +114,15 @@ fieldmappings:
|
||||
EventID=20: wmi_operation
|
||||
EventID=21: wmi_operation
|
||||
OperationType: object_operation_type
|
||||
OriginalFileName: file_name_original
|
||||
ParentImage: process_parent_path
|
||||
ParentProcessName: process_parent_path
|
||||
PasswordLastSet: user_attribute_password_lastset
|
||||
Path: process_path
|
||||
ParentCommandLine: process_parent_command_line
|
||||
PipeName: pipe_name
|
||||
ProcessName: process_path
|
||||
ProcesssCommandLine: process_command_line
|
||||
ProcessCommandLine: process_command_line
|
||||
Product: file_product
|
||||
Properties: object_properties
|
||||
Protocol:
|
||||
@ -120,6 +130,7 @@ fieldmappings:
|
||||
Query:
|
||||
EventID=19: wmi_query
|
||||
RelativeTargetName: share_relative_target_name
|
||||
SourceAddress: src_ip_addr
|
||||
SchemaVersion:
|
||||
EventID=4: sysmon_schema_version
|
||||
ServiceFileName: service_image_path
|
||||
@ -131,6 +142,7 @@ fieldmappings:
|
||||
Source: source_name
|
||||
SourceHostname: src_host_name
|
||||
SourceImage: process_path
|
||||
SourceIp: src_ip_addr
|
||||
SourcePort: src_port
|
||||
SourcePortName: src_port_name
|
||||
StartAddress: thread_start_address
|
||||
@ -144,18 +156,21 @@ fieldmappings:
|
||||
EventID=4624: user_reporter_name
|
||||
EventId=4648: user_name
|
||||
EventID=5140: user_name
|
||||
TargetServer: dst_ip_addr
|
||||
TaskName: task_name
|
||||
TicketEncryptionType: ticket_encryption_type
|
||||
TicketOptions: ticket_options
|
||||
TargetFilename: file_name
|
||||
TargetImage: target_process_path
|
||||
TargetProcessAddress: thread_start_address
|
||||
TargetObject: registry_key_path
|
||||
TaskName: task_name
|
||||
TicketEncryptionType: ticket_encryption_type
|
||||
TicketOptions: ticket_options
|
||||
Type:
|
||||
EventID=20: wmi_consumer_type
|
||||
User: user_account
|
||||
UserName: user_name
|
||||
Value:
|
||||
EventID=1102: dst_ip_addr
|
||||
Version:
|
||||
EventID=4: sysmon_version
|
||||
Workstation: src_host_name
|
||||
WorkstationName: src_host_name
|
||||
WorkstationName: src_host_name
|
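--- /dev/null
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -0,0 +1,125 @@
+title: Elastic Winlogbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules
+order: 20
+backends:
+- es-qs
+- es-dsl
+- kibana
+- xpack-watcher
+- elastalert
+- elastalert-dsl
+logsources:
+windows:
+product: windows
+index: winlogbeat-*
+windows-application:
+product: windows
+service: application
+conditions:
+winlog.channel: Application
+windows-security:
+product: windows
+service: security
+conditions:
+winlog.channel: Security
+windows-sysmon:
+product: windows
+service: sysmon
+conditions:
+winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
+windows-dns-server:
+product: windows
+service: dns-server
+conditions:
+winlog.channel: 'DNS Server'
+windows-driver-framework:
+product: windows
+service: driver-framework
+conditions:
+winlog.provider_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+windows-dhcp:
+product: windows
+service: dhcp
+conditions:
+winlog.provider_name: 'Microsoft-Windows-DHCP-Server/Operational'
+defaultindex: winlogbeat-*
+# Extract all field names qith yq:
+# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
+# Keep EventID! Clean up the list afterwards!
+fieldmappings:
+EventID: winlog.event_id
+AccessMask: winlog.event_data.AccessMask
+AccountName: winlog.event_data.AccountName
+AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
+AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
+AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
+AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
+CallingProcessName: winlog.event_data.CallingProcessName
+CallTrace: winlog.event_data.CallTrace
+CommandLine: process.args
+ComputerName: winlog.ComputerName
+CurrentDirectory: process.working_directory
+Description: winlog.event_data.Description
+DestinationHostname: destination.domain
+DestinationIp: destination.ip
+#DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
+DestinationPort: destination.port
+DestinationPortName: network.protocol
+Details: winlog.event_data.Details
+EngineVersion: winlog.event_data.EngineVersion
+EventType: winlog.event_data.EventType
+FailureCode: winlog.event_data.FailureCode
+FileName: file.path
+GrantedAccess: winlog.event_data.GrantedAccess
+GroupName: winlog.event_data.GroupName
+GroupSid: winlog.event_data.GroupSid
+Hashes: winlog.event_data.Hashes
+HiveName: winlog.event_data.HiveName
+HostVersion: winlog.event_data.HostVersion
+Image: process.executable
+ImageLoaded: file.path
+ImagePath: winlog.event_data.ImagePath
+Imphash: winlog.event_data.Imphash
+IpAddress: source.ip
+IpPort: source.port
+KeyLength: winlog.event_data.KeyLength
+LogonProcessName: winlog.event_data.LogonProcessName
+LogonType: winlog.event_data.LogonType
+NewProcessName: winlog.event_data.NewProcessName
+ObjectClass: winlog.event_data.ObjectClass
+ObjectName: winlog.event_data.ObjectName
+ObjectType: winlog.event_data.ObjectType
+ObjectValueName: winlog.event_data.ObjectValueName
+ParentCommandLine: process.parent.args
+ParentProcessName: process.parent.name
+ParentImage: process.parent.executable
+Path: winlog.event_data.Path
+PipeName: file.name
+ProcessCommandLine: winlog.event_data.ProcessCommandLine
+ProcessName: process.executable
+Properties: winlog.event_data.Properties
+SecurityID: winlog.event_data.SecurityID
+ServiceFileName: winlog.event_data.ServiceFileName
+ServiceName: winlog.event_data.ServiceName
+ShareName: winlog.event_data.ShareName
+Signature: winlog.event_data.Signature
+Source: winlog.event_data.Source
+SourceHostname: source.domain
+SourceImage: process.executable
+SourceIp: source.ip
+SourcePort: source.port
+#SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
+StartModule: winlog.event_data.StartModule
+Status: winlog.event_data.Status
+SubjectDomainName: user.domain
+SubjectUserName: user.name
+SubjectUserSid: user.id
+TargetFilename: file.path
+TargetImage: winlog.event_data.TargetImage
+TargetObject: winlog.event_data.TargetObject
+TicketEncryptionType: winlog.event_data.TicketEncryptionType
+TicketOptions: winlog.event_data.TicketOptions
+TargetDomainName: user.domain
+TargetUserName: user.name
+TargetUserSid: user.id
+User: user.name
+WorkstationName: source.domain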
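Review bot: `ParentProcessName: process.parent.name` maps to the ECS short name while `ProcessName: process.executable` and `ParentImage: process.parent.executable` in the same fieldmappings block map to full paths; the Security-log ParentProcessName value is a full path, so a rule that matches a path-style pattern against it would silently stop matching once the field holds only the basename — `ParentProcessName: process.parent.executable` keeps it consistent with its neighbours. `CommandLine: process.args` points at an array of individual arguments, so a Sigma `contains` or wildcard pattern that spans more than one argument cannot match a single element; if Winlogbeat 7.x populates `process.command_line` for these events that is the closer field, otherwise the limitation deserves a comment next to the mapping. The comment `# Extract all field names qith yq:` has a typo and should read `with`. The nested indentation of the logsources and fieldmappings entries is not visible in this rendering, so their structure could not be checked here.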