title: Elastic Winlogbeat (from 7.x) index pattern and field mapping order: 20 backends: - es-qs - es-dsl - es-rule - kibana - xpack-watcher - elastalert - elastalert-dsl - ee-outliers logsources: windows: product: windows index: winlogbeat-* windows-application: product: windows service: application conditions: winlog.channel: Application windows-security: product: windows service: security conditions: winlog.channel: Security windows-sysmon: product: windows service: sysmon conditions: winlog.channel: 'Microsoft-Windows-Sysmon/Operational' windows-dns-server: product: windows service: dns-server conditions: winlog.channel: 'DNS Server' windows-driver-framework: product: windows service: driver-framework conditions: winlog.channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' windows-dhcp: product: windows service: dhcp conditions: winlog.channel: 'Microsoft-Windows-DHCP-Server/Operational' windows-ntlm: product: windows service: ntlm conditions: winlog.channel: 'Microsoft-Windows-NTLM/Operational' windows-defender: product: windows service: windefend conditions: winlog.channel: 'Microsoft-Windows-Windows Defender/Operational' windows-applocker: product: windows service: applocker conditions: winlog.channel: - 'Microsoft-Windows-AppLocker/MSI and Script' - 'Microsoft-Windows-AppLocker/EXE and DLL' - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - 'Microsoft-Windows-AppLocker/Packaged app-Execution' defaultindex: winlogbeat-* # Extract all field names qith yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' # Keep EventID! Clean up the list afterwards! fieldmappings: EventID: winlog.event_id AccessMask: winlog.event_data.AccessMask AccountName: winlog.event_data.AccountName AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName AuditPolicyChanges: winlog.event_data.AuditPolicyChanges AuthenticationPackageName: winlog.event_data.AuthenticationPackageName CallingProcessName: winlog.event_data.CallingProcessName CallTrace: winlog.event_data.CallTrace Channel: winlog.channel CommandLine: winlog.event_data.CommandLine ComputerName: winlog.ComputerName CurrentDirectory: winlog.event_data.CurrentDirectory Description: winlog.event_data.Description DestinationHostname: winlog.event_data.DestinationHostname DestinationIp: winlog.event_data.DestinationIp dst_ip: winlog.event_data.DestinationIp DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 DestinationPort: winlog.event_data.DestinationPort dst_port: winlog.event_data.DestinationPort Details: winlog.event_data.Details EngineVersion: winlog.event_data.EngineVersion EventType: winlog.event_data.EventType FailureCode: winlog.event_data.FailureCode FileName: winlog.event_data.FileName GrantedAccess: winlog.event_data.GrantedAccess GroupName: winlog.event_data.GroupName GroupSid: winlog.event_data.GroupSid Hashes: winlog.event_data.Hashes HiveName: winlog.event_data.HiveName HostVersion: winlog.event_data.HostVersion Image: winlog.event_data.Image ImageLoaded: winlog.event_data.ImageLoaded ImagePath: winlog.event_data.ImagePath Imphash: winlog.event_data.Imphash IpAddress: winlog.event_data.IpAddress KeyLength: winlog.event_data.KeyLength LogonProcessName: winlog.event_data.LogonProcessName LogonType: winlog.event_data.LogonType NewProcessName: winlog.event_data.NewProcessName ObjectClass: winlog.event_data.ObjectClass ObjectName: winlog.event_data.ObjectName ObjectType: winlog.event_data.ObjectType ObjectValueName: winlog.event_data.ObjectValueName ParentCommandLine: winlog.event_data.ParentCommandLine ParentProcessName: winlog.event_data.ParentProcessName ParentImage: winlog.event_data.ParentImage Path: winlog.event_data.Path PipeName: winlog.event_data.PipeName ProcessCommandLine: winlog.event_data.ProcessCommandLine ProcessName: winlog.event_data.ProcessName Properties: winlog.event_data.Properties RuleName: winlog.event_data.RuleName SecurityID: winlog.event_data.SecurityID ServiceFileName: winlog.event_data.ServiceFileName ServiceName: winlog.event_data.ServiceName ShareName: winlog.event_data.ShareName Signature: winlog.event_data.Signature Source: winlog.event_data.Source SourceImage: winlog.event_data.SourceImage SourceIp: winlog.event_data.SourceIp src_ip: winlog.event_data.SourceIp SourcePort: winlog.event_data.SourcePort src_port: winlog.event_data.SourcePort StartModule: winlog.event_data.StartModule Status: winlog.event_data.Status SubjectUserName: winlog.event_data.SubjectUserName SubjectUserSid: winlog.event_data.SubjectUserSid TargetFilename: winlog.event_data.TargetFilename TargetImage: winlog.event_data.TargetImage TargetObject: winlog.event_data.TargetObject TicketEncryptionType: winlog.event_data.TicketEncryptionType TicketOptions: winlog.event_data.TicketOptions User: winlog.event_data.User WorkstationName: winlog.event_data.WorkstationName # Channel: WLAN-Autoconfig AND EventID: 8001 AuthenticationAlgorithm: winlog.event_data.AuthenticationAlgorithm BSSID: winlog.event_data.BSSID BSSType: winlog.event_data.BSSType CipherAlgorithm: winlog.event_data.CipherAlgorithm ConnectionId: winlog.event_data.ConnectionId ConnectionMode: winlog.event_data.ConnectionMode InterfaceDescription: winlog.event_data.InterfaceDescription InterfaceGuid: winlog.event_data.InterfaceGuid OnexEnabled: winlog.event_data.OnexEnabled PHYType: winlog.event_data.PHYType ProfileName: winlog.event_data.ProfileName SSID: winlog.event_data.SSID