Merge pull request #1686 from leegengyu/patch-12

Update winlogbeat-modules-enabled.yml
2024-11-07 09:48:58 +00:00 · 2021-07-15 08:37:09 +02:00 · 2021-07-15 08:37:09 +02:00 · 680e01d309
commit 680e01d309
parent abb8df887a aacb5f767c
1 changed files with 2 additions and 2 deletions
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@ -106,7 +106,7 @@ defaultindex: winlogbeat-*
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: winlog.event_data.\1/g'
 # Keep EventID! Clean up the list afterwards!
 fieldmappings:
-    EventID: winlog.event_id
+    EventID: event.code
    AccessMask: winlog.event_data.AccessMask
    AccountName: winlog.event_data.AccountName
    AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
@ -189,7 +189,7 @@ fieldmappings:
    SubjectUserSid: user.id
    TargetFilename: file.path
    TargetImage: winlog.event_data.TargetImage
-    TargetObject: winlog.event_data.TargetObject
+    TargetObject: registry.path
    TicketEncryptionType: winlog.event_data.TicketEncryptionType
    TicketOptions: winlog.event_data.TicketOptions
    TargetDomainName: user.domain