DHCP log source in sigmac configs

2024-11-07 09:48:58 +00:00 · 2019-02-05 14:35:16 +01:00 · 2019-02-05 14:35:16 +01:00 · a276d3083d
commit a276d3083d
parent dfd4ce878f
10 changed files with 49 additions and 0 deletions
--- a/tools/config/arcsight.yml
+++ b/tools/config/arcsight.yml
@ -46,6 +46,11 @@ logsources:
    service: powershell
    conditions:
      deviceVendor: Microsoft
+  windows-dhcp:
+    product: windows
+    service: dhcp
+    conditions: 
+      deviceVendor: Microsoft
  windows-system:
    product: windows
    service: system
--- a/tools/config/elk-windows.yml
+++ b/tools/config/elk-windows.yml
@ -27,4 +27,9 @@ logsources:
    service: driver-framework
    conditions:
      source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+  windows-dhcp:
+    product: windows
+    service: dhcp
+    conditions: 
+      source: 'Microsoft-Windows-DHCP-Server/Operational'
 defaultindex: logstash-*
--- a/tools/config/elk-winlogbeat.yml
+++ b/tools/config/elk-winlogbeat.yml
@ -27,6 +27,11 @@ logsources:
    service: driver-framework
    conditions:
      source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+  windows-dhcp:
+    product: windows
+    service: dhcp
+    conditions: 
+      source: 'Microsoft-Windows-DHCP-Server/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names qith yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: event_data.\1/g'
--- a/tools/config/helk.yml
+++ b/tools/config/helk.yml
@ -27,6 +27,7 @@ logsources:
    product: windows
    service: powershell-classic
    index: logs-endpoint-winevent-powershell-*
+
 defaultindex: logs-*
 fieldmappings:
    AccessMask: object_access_mask_requested
--- a/tools/config/logpoint-windows-all.yml
+++ b/tools/config/logpoint-windows-all.yml
@ -19,6 +19,12 @@ logsources:
    service: driver-framework
    conditions:
      source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+  windows-dhcp:
+    product: windows
+    service: dhcp
+    conditions: 
+      source: 'Microsoft-Windows-DHCP-Server/Operational'
+
 fieldmappings:
    EventID: event_id
    FailureCode: result_code
--- a/tools/config/netwitness.yml
+++ b/tools/config/netwitness.yml
@ -30,6 +30,12 @@ logsources:
    service: powershell
    conditions:
      device.type: winevent_nic
+  windows-dhcp:
+    product: windows
+    service: dhcp
+    conditions: 
+      device.type: winevent_nic
+      event.source: microsoft-windows-dhcp-server
  windows-sec:
    product: windows
    service: security
--- a/tools/config/powershell-windows-all.yml
+++ b/tools/config/powershell-windows-all.yml
@ -60,3 +60,8 @@ logsources:
    service: ntlm
    conditions:
      LogName: 'Microsoft-Windows-NTLM/Operational'
+  windows-dhcp:
+    product: windows
+    service: dhcp
+    conditions: 
+      LogName: 'Microsoft-Windows-DHCP-Server/Operational'
--- a/tools/config/spark.yml
+++ b/tools/config/spark.yml
@ -34,6 +34,11 @@ logsources:
    service: wmi
    sources: 
      - 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational'
+  windows-dhcp:
+    product: windows
+    service: dhcp
+    sources: 
+      - 'Microsoft-Windows-DHCP-Server'
  apache:
    category: webserver
    sources:
--- a/tools/config/splunk-windows-all.yml
+++ b/tools/config/splunk-windows-all.yml
@ -60,5 +60,10 @@ logsources:
    service: ntlm
    conditions:
      source: 'Microsoft-Windows-NTLM/Operational'
+  windows-dhcp:
+    product: windows
+    service: dhcp
+    conditions: 
+      source: 'Microsoft-Windows-DHCP-Server/Operational'
 fieldmappings:
    EventID: EventCode
--- a/tools/config/sumologic.yml
+++ b/tools/config/sumologic.yml
@ -44,6 +44,12 @@ logsources:
    conditions:
      EventChannel: System
    index: WINDOWS
+  windows-dhcp:
+    product: windows
+    service: dhcp
+    conditions: 
+      EventChannel: Microsoft-Windows-DHCP-Server
+    index: WINDOWS
  apache:
    product: apache
    service: apache