Further proxy field name fixes (config + rules)

rules/proxy/proxy_apt40.yml

@@ -14,7 +14,7 @@ detection:
     condition: selection
 fields:
     - c-ip
-    - cs-uri
+    - c-uri
 falsepositives:
     - Old browsers
 level: high

rules/proxy/proxy_susp_flash_download_loc.yml

@@ -9,13 +9,12 @@ logsource:
     category: proxy
 detection:
     selection:
-        cs-uri-query: 
+        c-uri-query:
             - '*/install_flash_player.exe'
             - '*/flash_install.php*'
     filter:
-        cs-uri-stem: '*.adobe.com/*'
+        c-uri-stem: '*.adobe.com/*'
     condition: selection and not filter
 falsepositives:
     - Unknown flash download locations
 level: high
-

tools/config/arcsight.yml

@@ -53,7 +53,7 @@ logsources:
   windows-dhcp:
     product: windows
     service: dhcp
-    conditions: 
+    conditions:
       deviceVendor: Microsoft
   windows-system:
     product: windows

tools/config/netwitness.yml

@@ -37,7 +37,7 @@ logsources:
   windows-dhcp:
     product: windows
     service: dhcp
-    conditions: 
+    conditions:
       device.type: winevent_nic
       event.source: microsoft-windows-dhcp-server
   windows-sec:
@@ -52,7 +52,7 @@ logsources:
     conditions:
       device.type: winevent_nic
 fieldmappings:
-  dst: 
+  dst:
     - ip.dst
   dst_ip:
     - ip.dst
@@ -72,21 +72,21 @@ fieldmappings:
     - user.dst
   c-uri-extension:
     - extension
-  UserAgent:
+  c-useragent:
     - user.agent
   r-dns:
     - alias.host
   DestinationHostname:
     - alias.host
-  Host:
+  cs-host:
     - alias.host
   c-uri-query:
     - web.page
-  URL:
+  c-uri:
     - web.page
-  HttpMethod:
+  cs-method:
     - action
-  Cookie:
+  cs-cookie:
     - web.cookie
   SubjectUserName:
     - user.dst

tools/config/powershell.yml

@@ -22,12 +22,12 @@ logsources:
     product: windows
     service: sysmon
     conditions:
-        LogName: 'Microsoft-Windows-Sysmon/Operational'
+      LogName: 'Microsoft-Windows-Sysmon/Operational'
   windows-powershell:
     product: windows
     service: powershell
     conditions:
-        LogName: 'Microsoft-Windows-PowerShell/Operational'
+      LogName: 'Microsoft-Windows-PowerShell/Operational'
   windows-classicpowershell:
     product: windows
     service: powershell-classic
@@ -67,5 +67,5 @@ logsources:
   windows-dhcp:
     product: windows
     service: dhcp
-    conditions: 
+    conditions:
       LogName: 'Microsoft-Windows-DHCP-Server/Operational'

tools/config/qradar.yml

@@ -26,29 +26,27 @@ logsources:
     index: flows
 
   flow:
-   category: flow
-   index: flows
+    category: flow
+    index: flows
 
 fieldmappings:
-    EventID:
-        - Event ID Code
-    dst:
-        - destinationIP
-    dst_ip:
-        - destinationIP
-    src:
-        - sourceIP
-    src_ip:
-        - sourceIP
-    c-ip: sourceIP
-    cs-ip: sourceIP
-    cs-uri: url
-    c-uri: sourceIP
-    c-uri-extension: file_extension
-    UserAgent: user_agent
-    c-uri-query: uri_query
-    HttpMethod: Method
-    URL: URL
-    r-dns: FQDN
-    ClientIP: sourceIP    
-    ServiceFileName: Service Name
+  EventID:
+    - Event ID Code
+  dst:
+    - destinationIP
+  dst_ip:
+    - destinationIP
+  src:
+    - sourceIP
+  src_ip:
+    - sourceIP
+  c-ip: sourceIP
+  cs-ip: sourceIP
+  c-uri: url
+  c-uri-extension: file_extension
+  c-useragent: user_agent
+  c-uri-query: uri_query
+  cs-method: Method
+  r-dns: FQDN
+  ClientIP: sourceIP
+  ServiceFileName: Service Name

tools/config/qualys.yml

@@ -3,19 +3,18 @@ order: 20
 backends:
   - qualys
 fieldmappings:
-    dst:
-        - network.remote.address.ip
-    dst_ip:
-        - network.remote.address.ip
-    src:
-        - network.local.address.ip
-    src_ip:
-        - network.local.address.ip
-    file_hash:
-        - file.hash.md5
-        - file.hash.sha256
-    NewProcessName: process.name
-    ServiceName: process.name
-    ServiceFileName: process.name
-    TargetObject: registry.path
-
+  dst:
+    - network.remote.address.ip
+  dst_ip:
+    - network.remote.address.ip
+  src:
+    - network.local.address.ip
+  src_ip:
+    - network.local.address.ip
+  file_hash:
+    - file.hash.md5
+    - file.hash.sha256
+  NewProcessName: process.name
+  ServiceName: process.name
+  ServiceFileName: process.name
+  TargetObject: registry.path

tools/config/splunk-windows.yml

@@ -68,7 +68,7 @@ logsources:
   windows-dhcp:
     product: windows
     service: dhcp
-    conditions: 
+    conditions:
       source: 'Microsoft-Windows-DHCP-Server/Operational'
 fieldmappings:
-    EventID: EventCode
+  EventID: EventCode

tools/config/sumologic.yml

@@ -54,7 +54,7 @@ logsources:
   windows-dhcp:
     product: windows
     service: dhcp
-    conditions: 
+    conditions:
       EventChannel: Microsoft-Windows-DHCP-Server
     index: WINDOWS
   apache:
@@ -97,10 +97,6 @@ logsources:
   application-rails:
     product: rails
     index: RAILS
-  application-rails:
-    category: application
-    product: ruby_on_rails
-    index: RAILS
   application-spring:
     product: spring
     index: SPRING

tools/config/thor.yml

@@ -29,42 +29,42 @@ logsources:
   windows-application:
     product: windows
     service: application
-    sources: 
+    sources:
       - 'WinEventLog:Application'
   windows-security:
     product: windows
     service: security
-    sources: 
+    sources:
       - 'WinEventLog:Security'
   windows-system:
     product: windows
     service: system
-    sources: 
+    sources:
       - 'WinEventLog:System'
   windows-sysmon:
     product: windows
     service: sysmon
-    sources: 
+    sources:
       - 'WinEventLog:Microsoft-Windows-Sysmon/Operational'
   windows-powershell:
     product: windows
     service: powershell
-    sources: 
+    sources:
       - 'WinEventLog:Microsoft-Windows-PowerShell/Operational'
   windows-taskscheduler:
     product: windows
     service: taskscheduler
-    sources: 
+    sources:
       - 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational'
   windows-wmi:
     product: windows
     service: wmi
-    sources: 
+    sources:
       - 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational'
   windows-dhcp:
     product: windows
     service: dhcp
-    sources: 
+    sources:
       - 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational'
   apache:
     category: webserver

tools/config/winlogbeat-modules-enabled.yml

@@ -46,80 +46,80 @@ defaultindex: winlogbeat-*
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: winlog.event_data.\1/g'
 # Keep EventID! Clean up the list afterwards!
 fieldmappings:
-    EventID: winlog.event_id
-    AccessMask: winlog.event_data.AccessMask
-    AccountName: winlog.event_data.AccountName
-    AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
-    AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
-    AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
-    AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
-    CallingProcessName: winlog.event_data.CallingProcessName
-    CallTrace: winlog.event_data.CallTrace
-    CommandLine: process.args
-    ComputerName: winlog.ComputerName
-    CurrentDirectory: process.working_directory
-    Description: winlog.event_data.Description
-    DestinationHostname: destination.domain
-    DestinationIp: destination.ip
-    #DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
-    DestinationPort: destination.port
-    DestinationPortName: network.protocol
-    Details: winlog.event_data.Details
-    EngineVersion: winlog.event_data.EngineVersion
-    EventType: winlog.event_data.EventType
-    FailureCode: winlog.event_data.FailureCode
-    FileName: file.path
-    GrantedAccess: winlog.event_data.GrantedAccess
-    GroupName: winlog.event_data.GroupName
-    GroupSid: winlog.event_data.GroupSid
-    Hashes: winlog.event_data.Hashes
-    HiveName: winlog.event_data.HiveName
-    HostVersion: winlog.event_data.HostVersion
-    Image: process.executable
-    ImageLoaded: file.path
-    ImagePath: winlog.event_data.ImagePath
-    Imphash: winlog.event_data.Imphash
-    IpAddress: source.ip
-    IpPort: source.port
-    KeyLength: winlog.event_data.KeyLength
-    LogonProcessName: winlog.event_data.LogonProcessName
-    LogonType: winlog.event_data.LogonType
-    NewProcessName: winlog.event_data.NewProcessName
-    ObjectClass: winlog.event_data.ObjectClass
-    ObjectName: winlog.event_data.ObjectName
-    ObjectType: winlog.event_data.ObjectType
-    ObjectValueName: winlog.event_data.ObjectValueName
-    ParentCommandLine: process.parent.args
-    ParentProcessName: process.parent.name
-    ParentImage: process.parent.executable
-    Path: winlog.event_data.Path
-    PipeName: file.name
-    ProcessCommandLine: winlog.event_data.ProcessCommandLine
-    ProcessName: process.executable
-    Properties: winlog.event_data.Properties
-    SecurityID: winlog.event_data.SecurityID
-    ServiceFileName: winlog.event_data.ServiceFileName
-    ServiceName: winlog.event_data.ServiceName
-    ShareName: winlog.event_data.ShareName
-    Signature: winlog.event_data.Signature
-    Source: winlog.event_data.Source
-    SourceHostname: source.domain
-    SourceImage: process.executable
-    SourceIp: source.ip
-    SourcePort: source.port
-    #SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
-    StartModule: winlog.event_data.StartModule
-    Status: winlog.event_data.Status
-    SubjectDomainName: user.domain
-    SubjectUserName: user.name
-    SubjectUserSid: user.id
-    TargetFilename: file.path
-    TargetImage: winlog.event_data.TargetImage
-    TargetObject: winlog.event_data.TargetObject
-    TicketEncryptionType: winlog.event_data.TicketEncryptionType
-    TicketOptions: winlog.event_data.TicketOptions
-    TargetDomainName: user.domain
-    TargetUserName: user.name
-    TargetUserSid: user.id
-    User: user.name
-    WorkstationName: source.domain
+  EventID: winlog.event_id
+  AccessMask: winlog.event_data.AccessMask
+  AccountName: winlog.event_data.AccountName
+  AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
+  AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
+  AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
+  AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
+  CallingProcessName: winlog.event_data.CallingProcessName
+  CallTrace: winlog.event_data.CallTrace
+  CommandLine: process.args
+  ComputerName: winlog.ComputerName
+  CurrentDirectory: process.working_directory
+  Description: winlog.event_data.Description
+  DestinationHostname: destination.domain
+  DestinationIp: destination.ip
+  #DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
+  DestinationPort: destination.port
+  DestinationPortName: network.protocol
+  Details: winlog.event_data.Details
+  EngineVersion: winlog.event_data.EngineVersion
+  EventType: winlog.event_data.EventType
+  FailureCode: winlog.event_data.FailureCode
+  FileName: file.path
+  GrantedAccess: winlog.event_data.GrantedAccess
+  GroupName: winlog.event_data.GroupName
+  GroupSid: winlog.event_data.GroupSid
+  Hashes: winlog.event_data.Hashes
+  HiveName: winlog.event_data.HiveName
+  HostVersion: winlog.event_data.HostVersion
+  Image: process.executable
+  ImageLoaded: file.path
+  ImagePath: winlog.event_data.ImagePath
+  Imphash: winlog.event_data.Imphash
+  IpAddress: source.ip
+  IpPort: source.port
+  KeyLength: winlog.event_data.KeyLength
+  LogonProcessName: winlog.event_data.LogonProcessName
+  LogonType: winlog.event_data.LogonType
+  NewProcessName: winlog.event_data.NewProcessName
+  ObjectClass: winlog.event_data.ObjectClass
+  ObjectName: winlog.event_data.ObjectName
+  ObjectType: winlog.event_data.ObjectType
+  ObjectValueName: winlog.event_data.ObjectValueName
+  ParentCommandLine: process.parent.args
+  ParentProcessName: process.parent.name
+  ParentImage: process.parent.executable
+  Path: winlog.event_data.Path
+  PipeName: file.name
+  ProcessCommandLine: winlog.event_data.ProcessCommandLine
+  ProcessName: process.executable
+  Properties: winlog.event_data.Properties
+  SecurityID: winlog.event_data.SecurityID
+  ServiceFileName: winlog.event_data.ServiceFileName
+  ServiceName: winlog.event_data.ServiceName
+  ShareName: winlog.event_data.ShareName
+  Signature: winlog.event_data.Signature
+  Source: winlog.event_data.Source
+  SourceHostname: source.domain
+  SourceImage: process.executable
+  SourceIp: source.ip
+  SourcePort: source.port
+  #SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
+  StartModule: winlog.event_data.StartModule
+  Status: winlog.event_data.Status
+  SubjectDomainName: user.domain
+  SubjectUserName: user.name
+  SubjectUserSid: user.id
+  TargetFilename: file.path
+  TargetImage: winlog.event_data.TargetImage
+  TargetObject: winlog.event_data.TargetObject
+  TicketEncryptionType: winlog.event_data.TicketEncryptionType
+  TicketOptions: winlog.event_data.TicketOptions
+  TargetDomainName: user.domain
+  TargetUserName: user.name
+  TargetUserSid: user.id
+  User: user.name
+  WorkstationName: source.domain

tools/config/winlogbeat-old.yml

@@ -46,70 +46,70 @@ defaultindex: winlogbeat-*
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: event_data.\1/g'
 # Keep EventID! Clean up the list afterwards!
 fieldmappings:
-    EventID: event_id
-    AccessMask: event_data.AccessMask
-    AccountName: event_data.AccountName
-    AllowedToDelegateTo: event_data.AllowedToDelegateTo
-    AttributeLDAPDisplayName: event_data.AttributeLDAPDisplayName
-    AuditPolicyChanges: event_data.AuditPolicyChanges
-    AuthenticationPackageName: event_data.AuthenticationPackageName
-    CallingProcessName: event_data.CallingProcessName
-    CallTrace: event_data.CallTrace
-    CommandLine: event_data.CommandLine
-    ComputerName: event_data.ComputerName
-    CurrentDirectory: event_data.CurrentDirectory
-    Description: event_data.Description
-    DestinationHostname: event_data.DestinationHostname
-    DestinationIp: event_data.DestinationIp
-    DestinationIsIpv6: event_data.DestinationIsIpv6
-    DestinationPort: event_data.DestinationPort
-    Details: event_data.Details
-    EngineVersion: event_data.EngineVersion
-    EventType: event_data.EventType
-    FailureCode: event_data.FailureCode
-    FileName: event_data.FileName
-    GrantedAccess: event_data.GrantedAccess
-    GroupName: event_data.GroupName
-    GroupSid: event_data.GroupSid
-    Hashes: event_data.Hashes
-    HiveName: event_data.HiveName
-    HostVersion: event_data.HostVersion
-    Image: event_data.Image
-    ImageLoaded: event_data.ImageLoaded
-    ImagePath: event_data.ImagePath
-    Imphash: event_data.Imphash
-    IpAddress: event_data.IpAddress
-    KeyLength: event_data.KeyLength
-    LogonProcessName: event_data.LogonProcessName
-    LogonType: event_data.LogonType
-    NewProcessName: event_data.NewProcessName
-    ObjectClass: event_data.ObjectClass
-    ObjectName: event_data.ObjectName
-    ObjectType: event_data.ObjectType
-    ObjectValueName: event_data.ObjectValueName
-    ParentCommandLine: event_data.ParentCommandLine
-    ParentProcessName: event_data.ParentProcessName
-    ParentImage: event_data.ParentImage
-    Path: event_data.Path
-    PipeName: event_data.PipeName
-    ProcessCommandLine: event_data.ProcessCommandLine
-    ProcessName: event_data.ProcessName
-    Properties: event_data.Properties
-    SecurityID: event_data.SecurityID
-    ServiceFileName: event_data.ServiceFileName
-    ServiceName: event_data.ServiceName
-    ShareName: event_data.ShareName
-    Signature: event_data.Signature
-    Source: event_data.Source
-    SourceImage: event_data.SourceImage
-    StartModule: event_data.StartModule
-    Status: event_data.Status
-    SubjectUserName: event_data.SubjectUserName
-    SubjectUserSid: event_data.SubjectUserSid
-    TargetFilename: event_data.TargetFilename
-    TargetImage: event_data.TargetImage
-    TargetObject: event_data.TargetObject
-    TicketEncryptionType: event_data.TicketEncryptionType
-    TicketOptions: event_data.TicketOptions
-    User: event_data.User
-    WorkstationName: event_data.WorkstationName
+  EventID: event_id
+  AccessMask: event_data.AccessMask
+  AccountName: event_data.AccountName
+  AllowedToDelegateTo: event_data.AllowedToDelegateTo
+  AttributeLDAPDisplayName: event_data.AttributeLDAPDisplayName
+  AuditPolicyChanges: event_data.AuditPolicyChanges
+  AuthenticationPackageName: event_data.AuthenticationPackageName
+  CallingProcessName: event_data.CallingProcessName
+  CallTrace: event_data.CallTrace
+  CommandLine: event_data.CommandLine
+  ComputerName: event_data.ComputerName
+  CurrentDirectory: event_data.CurrentDirectory
+  Description: event_data.Description
+  DestinationHostname: event_data.DestinationHostname
+  DestinationIp: event_data.DestinationIp
+  DestinationIsIpv6: event_data.DestinationIsIpv6
+  DestinationPort: event_data.DestinationPort
+  Details: event_data.Details
+  EngineVersion: event_data.EngineVersion
+  EventType: event_data.EventType
+  FailureCode: event_data.FailureCode
+  FileName: event_data.FileName
+  GrantedAccess: event_data.GrantedAccess
+  GroupName: event_data.GroupName
+  GroupSid: event_data.GroupSid
+  Hashes: event_data.Hashes
+  HiveName: event_data.HiveName
+  HostVersion: event_data.HostVersion
+  Image: event_data.Image
+  ImageLoaded: event_data.ImageLoaded
+  ImagePath: event_data.ImagePath
+  Imphash: event_data.Imphash
+  IpAddress: event_data.IpAddress
+  KeyLength: event_data.KeyLength
+  LogonProcessName: event_data.LogonProcessName
+  LogonType: event_data.LogonType
+  NewProcessName: event_data.NewProcessName
+  ObjectClass: event_data.ObjectClass
+  ObjectName: event_data.ObjectName
+  ObjectType: event_data.ObjectType
+  ObjectValueName: event_data.ObjectValueName
+  ParentCommandLine: event_data.ParentCommandLine
+  ParentProcessName: event_data.ParentProcessName
+  ParentImage: event_data.ParentImage
+  Path: event_data.Path
+  PipeName: event_data.PipeName
+  ProcessCommandLine: event_data.ProcessCommandLine
+  ProcessName: event_data.ProcessName
+  Properties: event_data.Properties
+  SecurityID: event_data.SecurityID
+  ServiceFileName: event_data.ServiceFileName
+  ServiceName: event_data.ServiceName
+  ShareName: event_data.ShareName
+  Signature: event_data.Signature
+  Source: event_data.Source
+  SourceImage: event_data.SourceImage
+  StartModule: event_data.StartModule
+  Status: event_data.Status
+  SubjectUserName: event_data.SubjectUserName
+  SubjectUserSid: event_data.SubjectUserSid
+  TargetFilename: event_data.TargetFilename
+  TargetImage: event_data.TargetImage
+  TargetObject: event_data.TargetObject
+  TicketEncryptionType: event_data.TicketEncryptionType
+  TicketOptions: event_data.TicketOptions
+  User: event_data.User
+  WorkstationName: event_data.WorkstationName

tools/config/winlogbeat.yml

@@ -46,70 +46,70 @@ defaultindex: winlogbeat-*
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: winlog.event_data.\1/g'
 # Keep EventID! Clean up the list afterwards!
 fieldmappings:
-    EventID: winlog.event_id
-    AccessMask: winlog.event_data.AccessMask
-    AccountName: winlog.event_data.AccountName
-    AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
-    AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
-    AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
-    AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
-    CallingProcessName: winlog.event_data.CallingProcessName
-    CallTrace: winlog.event_data.CallTrace
-    CommandLine: winlog.event_data.CommandLine
-    ComputerName: winlog.ComputerName
-    CurrentDirectory: winlog.event_data.CurrentDirectory
-    Description: winlog.event_data.Description
-    DestinationHostname: winlog.event_data.DestinationHostname
-    DestinationIp: winlog.event_data.DestinationIp
-    DestinationIsIpv6: winlog.event_data.DestinationIsIpv6
-    DestinationPort: winlog.event_data.DestinationPort
-    Details: winlog.event_data.Details
-    EngineVersion: winlog.event_data.EngineVersion
-    EventType: winlog.event_data.EventType
-    FailureCode: winlog.event_data.FailureCode
-    FileName: winlog.event_data.FileName
-    GrantedAccess: winlog.event_data.GrantedAccess
-    GroupName: winlog.event_data.GroupName
-    GroupSid: winlog.event_data.GroupSid
-    Hashes: winlog.event_data.Hashes
-    HiveName: winlog.event_data.HiveName
-    HostVersion: winlog.event_data.HostVersion
-    Image: winlog.event_data.Image
-    ImageLoaded: winlog.event_data.ImageLoaded
-    ImagePath: winlog.event_data.ImagePath
-    Imphash: winlog.event_data.Imphash
-    IpAddress: winlog.event_data.IpAddress
-    KeyLength: winlog.event_data.KeyLength
-    LogonProcessName: winlog.event_data.LogonProcessName
-    LogonType: winlog.event_data.LogonType
-    NewProcessName: winlog.event_data.NewProcessName
-    ObjectClass: winlog.event_data.ObjectClass
-    ObjectName: winlog.event_data.ObjectName
-    ObjectType: winlog.event_data.ObjectType
-    ObjectValueName: winlog.event_data.ObjectValueName
-    ParentCommandLine: winlog.event_data.ParentCommandLine
-    ParentProcessName: winlog.event_data.ParentProcessName
-    ParentImage: winlog.event_data.ParentImage
-    Path: winlog.event_data.Path
-    PipeName: winlog.event_data.PipeName
-    ProcessCommandLine: winlog.event_data.ProcessCommandLine
-    ProcessName: winlog.event_data.ProcessName
-    Properties: winlog.event_data.Properties
-    SecurityID: winlog.event_data.SecurityID
-    ServiceFileName: winlog.event_data.ServiceFileName
-    ServiceName: winlog.event_data.ServiceName
-    ShareName: winlog.event_data.ShareName
-    Signature: winlog.event_data.Signature
-    Source: winlog.event_data.Source
-    SourceImage: winlog.event_data.SourceImage
-    StartModule: winlog.event_data.StartModule
-    Status: winlog.event_data.Status
-    SubjectUserName: winlog.event_data.SubjectUserName
-    SubjectUserSid: winlog.event_data.SubjectUserSid
-    TargetFilename: winlog.event_data.TargetFilename
-    TargetImage: winlog.event_data.TargetImage
-    TargetObject: winlog.event_data.TargetObject
-    TicketEncryptionType: winlog.event_data.TicketEncryptionType
-    TicketOptions: winlog.event_data.TicketOptions
-    User: winlog.event_data.User
-    WorkstationName: winlog.event_data.WorkstationName
+  EventID: winlog.event_id
+  AccessMask: winlog.event_data.AccessMask
+  AccountName: winlog.event_data.AccountName
+  AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
+  AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
+  AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
+  AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
+  CallingProcessName: winlog.event_data.CallingProcessName
+  CallTrace: winlog.event_data.CallTrace
+  CommandLine: winlog.event_data.CommandLine
+  ComputerName: winlog.ComputerName
+  CurrentDirectory: winlog.event_data.CurrentDirectory
+  Description: winlog.event_data.Description
+  DestinationHostname: winlog.event_data.DestinationHostname
+  DestinationIp: winlog.event_data.DestinationIp
+  DestinationIsIpv6: winlog.event_data.DestinationIsIpv6
+  DestinationPort: winlog.event_data.DestinationPort
+  Details: winlog.event_data.Details
+  EngineVersion: winlog.event_data.EngineVersion
+  EventType: winlog.event_data.EventType
+  FailureCode: winlog.event_data.FailureCode
+  FileName: winlog.event_data.FileName
+  GrantedAccess: winlog.event_data.GrantedAccess
+  GroupName: winlog.event_data.GroupName
+  GroupSid: winlog.event_data.GroupSid
+  Hashes: winlog.event_data.Hashes
+  HiveName: winlog.event_data.HiveName
+  HostVersion: winlog.event_data.HostVersion
+  Image: winlog.event_data.Image
+  ImageLoaded: winlog.event_data.ImageLoaded
+  ImagePath: winlog.event_data.ImagePath
+  Imphash: winlog.event_data.Imphash
+  IpAddress: winlog.event_data.IpAddress
+  KeyLength: winlog.event_data.KeyLength
+  LogonProcessName: winlog.event_data.LogonProcessName
+  LogonType: winlog.event_data.LogonType
+  NewProcessName: winlog.event_data.NewProcessName
+  ObjectClass: winlog.event_data.ObjectClass
+  ObjectName: winlog.event_data.ObjectName
+  ObjectType: winlog.event_data.ObjectType
+  ObjectValueName: winlog.event_data.ObjectValueName
+  ParentCommandLine: winlog.event_data.ParentCommandLine
+  ParentProcessName: winlog.event_data.ParentProcessName
+  ParentImage: winlog.event_data.ParentImage
+  Path: winlog.event_data.Path
+  PipeName: winlog.event_data.PipeName
+  ProcessCommandLine: winlog.event_data.ProcessCommandLine
+  ProcessName: winlog.event_data.ProcessName
+  Properties: winlog.event_data.Properties
+  SecurityID: winlog.event_data.SecurityID
+  ServiceFileName: winlog.event_data.ServiceFileName
+  ServiceName: winlog.event_data.ServiceName
+  ShareName: winlog.event_data.ShareName
+  Signature: winlog.event_data.Signature
+  Source: winlog.event_data.Source
+  SourceImage: winlog.event_data.SourceImage
+  StartModule: winlog.event_data.StartModule
+  Status: winlog.event_data.Status
+  SubjectUserName: winlog.event_data.SubjectUserName
+  SubjectUserSid: winlog.event_data.SubjectUserSid
+  TargetFilename: winlog.event_data.TargetFilename
+  TargetImage: winlog.event_data.TargetImage
+  TargetObject: winlog.event_data.TargetObject
+  TicketEncryptionType: winlog.event_data.TicketEncryptionType
+  TicketOptions: winlog.event_data.TicketOptions
+  User: winlog.event_data.User
+  WorkstationName: winlog.event_data.WorkstationName