LogPoint windows mapping

2024-11-07 09:48:58 +00:00 · 2017-03-20 16:57:19 +01:00 · 2017-03-20 16:57:19 +01:00 · c3c405a95e
commit c3c405a95e
parent 1bf11dc471
1 changed files with 20 additions and 0 deletions
--- a/tools/config/logpoint-windows-all.yml
+++ b/tools/config/logpoint-windows-all.yml
@ -0,0 +1,20 @@
+logsources:
+  windows-security:
+    product: windows
+    service: security
+    conditions:
+      event_source: 'Microsoft-Windows-Security-Auditing'
+  windows-security:
+    product: windows
+    service: system
+    conditions:
+      event_source: 'Microsoft-Windows-Security-Auditing'
+fieldmappings:
+    EventID: event_id
+    FailureCode: result_code
+    GroupName: group_name
+    ServiceName: service
+    SubjectAccountName: target_user
+    TicketOptions: ticket_options
+    TicketEnctyption: ticket_encryption
+    Type: event_type