From c3c405a95e5f3a267d6ef26c388c8968c283ca8b Mon Sep 17 00:00:00 2001
From: Ben de Haan
Date: Mon, 20 Mar 2017 16:57:19 +0100
Subject: [PATCH] LogPoint windows mapping
---
tools/config/logpoint-windows-all.yml | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
create mode 100644 tools/config/logpoint-windows-all.yml
diff --git a/tools/config/logpoint-windows-all.yml b/tools/config/logpoint-windows-all.yml
new file mode 100644
index 00000000..003dfba6
--- /dev/null
+++ b/tools/config/logpoint-windows-all.yml
@@ -0,0 +1,20 @@
+logsources:
+ windows-security:
+ product: windows
+ service: security
+ conditions:
+ event_source: 'Microsoft-Windows-Security-Auditing'
+ windows-security:
+ product: windows
+ service: system
+ conditions:
+ event_source: 'Microsoft-Windows-Security-Auditing'
+fieldmappings:
+ EventID: event_id
+ FailureCode: result_code
+ GroupName: group_name
+ ServiceName: service
+ SubjectAccountName: target_user
+ TicketOptions: ticket_options
+ TicketEnctyption: ticket_encryption
+ Type: event_type
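Review bot: The `logsources` map declares the key `windows-security` twice, once with `service: security` and once with `service: system`; most YAML loaders keep only the last occurrence, so the security-service mapping is silently dropped, and a strict loader would reject the file outright. The second entry should get a distinct name, e.g. `windows-system:`, and its `event_source` condition probably needs to differ from the first one, since `Microsoft-Windows-Security-Auditing` is the provider of the Security log rather than the System log — confirm what LogPoint reports for System-log events. Separately, the field-mapping key `TicketEnctyption` looks like a misspelling of TicketEncryption and would never match a rule field, and `SubjectAccountName` is mapped to `target_user` even though the Subject* fields in Windows audit events identify the acting account rather than the target; verify both against the field names the rules actually use and LogPoint's taxonomy before merging.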