SigmaHQ/tools/config/winlogbeat.yml

title: Elastic Winlogbeat (from 7.x) index pattern and field mapping
order: 20
backends:
  - es-qs
  - es-dsl
  - es-rule
  - kibana
  - xpack-watcher
  - elastalert
  - elastalert-dsl
  - ee-outliers
logsources:
  windows:
    product: windows
    index: winlogbeat-*
  windows-application:
    product: windows
    service: application
    conditions:
      winlog.channel: Application
  windows-security:
    product: windows
    service: security
    conditions:
      winlog.channel: Security
  windows-sysmon:
    product: windows
    service: sysmon
    conditions:
      winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
  windows-dns-server:
    product: windows
    service: dns-server
    conditions:
      winlog.channel: 'DNS Server'
  windows-driver-framework:
    product: windows
    service: driver-framework
    conditions:
      winlog.provider_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
  windows-dhcp:
    product: windows
    service: dhcp
    conditions:
      winlog.provider_name: 'Microsoft-Windows-DHCP-Server/Operational'
defaultindex: winlogbeat-*
# Extract all field names qith yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: winlog.event_data.\1/g'
# Keep EventID! Clean up the list afterwards!
fieldmappings:
  EventID: winlog.event_id
  AccessMask: winlog.event_data.AccessMask
  AccountName: winlog.event_data.AccountName
  AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
  AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
  AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
  AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
  CallingProcessName: winlog.event_data.CallingProcessName
  CallTrace: winlog.event_data.CallTrace
  Channel: winlog.channel
  CommandLine: winlog.event_data.CommandLine
  ComputerName: winlog.ComputerName
  CurrentDirectory: winlog.event_data.CurrentDirectory
  Description: winlog.event_data.Description
  DestinationHostname: winlog.event_data.DestinationHostname
  DestinationIp: winlog.event_data.DestinationIp
  dst_ip: winlog.event_data.DestinationIp
  DestinationIsIpv6: winlog.event_data.DestinationIsIpv6
  DestinationPort: winlog.event_data.DestinationPort
  dst_port: winlog.event_data.DestinationPort
  Details: winlog.event_data.Details
  EngineVersion: winlog.event_data.EngineVersion
  EventType: winlog.event_data.EventType
  FailureCode: winlog.event_data.FailureCode
  FileName: winlog.event_data.FileName
  GrantedAccess: winlog.event_data.GrantedAccess
  GroupName: winlog.event_data.GroupName
  GroupSid: winlog.event_data.GroupSid
  Hashes: winlog.event_data.Hashes
  HiveName: winlog.event_data.HiveName
  HostVersion: winlog.event_data.HostVersion
  Image: winlog.event_data.Image
  ImageLoaded: winlog.event_data.ImageLoaded
  ImagePath: winlog.event_data.ImagePath
  Imphash: winlog.event_data.Imphash
  IpAddress: winlog.event_data.IpAddress
  KeyLength: winlog.event_data.KeyLength
  LogonProcessName: winlog.event_data.LogonProcessName
  LogonType: winlog.event_data.LogonType
  NewProcessName: winlog.event_data.NewProcessName
  ObjectClass: winlog.event_data.ObjectClass
  ObjectName: winlog.event_data.ObjectName
  ObjectType: winlog.event_data.ObjectType
  ObjectValueName: winlog.event_data.ObjectValueName
  ParentCommandLine: winlog.event_data.ParentCommandLine
  ParentProcessName: winlog.event_data.ParentProcessName
  ParentImage: winlog.event_data.ParentImage
  Path: winlog.event_data.Path
  PipeName: winlog.event_data.PipeName
  ProcessCommandLine: winlog.event_data.ProcessCommandLine
  ProcessName: winlog.event_data.ProcessName
  Properties: winlog.event_data.Properties
  RuleName: winlog.event_data.RuleName
  SecurityID: winlog.event_data.SecurityID
  ServiceFileName: winlog.event_data.ServiceFileName
  ServiceName: winlog.event_data.ServiceName
  ShareName: winlog.event_data.ShareName
  Signature: winlog.event_data.Signature
  Source: winlog.event_data.Source
  SourceImage: winlog.event_data.SourceImage
  SourceIp: winlog.event_data.SourceIp
  src_ip: winlog.event_data.SourceIp
  SourcePort: winlog.event_data.SourcePort
  src_port: winlog.event_data.SourcePort
  StartModule: winlog.event_data.StartModule
  Status: winlog.event_data.Status
  SubjectUserName: winlog.event_data.SubjectUserName
  SubjectUserSid: winlog.event_data.SubjectUserSid
  TargetFilename: winlog.event_data.TargetFilename
  TargetImage: winlog.event_data.TargetImage
  TargetObject: winlog.event_data.TargetObject
  TicketEncryptionType: winlog.event_data.TicketEncryptionType
  TicketOptions: winlog.event_data.TicketOptions
  User: winlog.event_data.User
  WorkstationName: winlog.event_data.WorkstationName
  # Channel: WLAN-Autoconfig AND EventID: 8001
  AuthenticationAlgorithm: winlog.event_data.AuthenticationAlgorithm
  BSSID: winlog.event_data.BSSID
  BSSType: winlog.event_data.BSSType
  CipherAlgorithm: winlog.event_data.CipherAlgorithm
  ConnectionId: winlog.event_data.ConnectionId
  ConnectionMode: winlog.event_data.ConnectionMode
  InterfaceDescription: winlog.event_data.InterfaceDescription
  InterfaceGuid: winlog.event_data.InterfaceGuid
  OnexEnabled: winlog.event_data.OnexEnabled
  PHYType: winlog.event_data.PHYType
  ProfileName: winlog.event_data.ProfileName
  SSID: winlog.event_data.SSID