valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3a19e3cf23
SigmaHQ/tools/config/winlogbeat.yml
Pushkarev Dmitry 3a19e3cf23 Added AppLocker log source
2020-07-13 20:18:01 +00:00

158 lines
5.9 KiB
YAML
Raw Blame History

title: Elastic Winlogbeat (from 7.x) index pattern and field mapping
order: 20
backends:
- es-qs
- es-dsl
- es-rule
- kibana
- xpack-watcher
- elastalert
- elastalert-dsl
- ee-outliers
logsources:
windows:
product: windows
index: winlogbeat-*
windows-application:
product: windows
service: application
conditions:
winlog.channel: Application
windows-security:
product: windows
service: security
conditions:
winlog.channel: Security
windows-sysmon:
product: windows
service: sysmon
conditions:
winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
windows-dns-server:
product: windows
service: dns-server
conditions:
winlog.channel: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
winlog.channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
winlog.channel: 'Microsoft-Windows-DHCP-Server/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
winlog.channel: 'Microsoft-Windows-NTLM/Operational'
windows-defender:
product: windows
service: windefend
conditions:
winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
windows-applocker:
product: windows
service: applocker
conditions:
winlog.channel:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
defaultindex: winlogbeat-*
# Extract all field names qith yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
# Keep EventID! Clean up the list afterwards!
fieldmappings:
EventID: winlog.event_id
AccessMask: winlog.event_data.AccessMask
AccountName: winlog.event_data.AccountName
AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
CallingProcessName: winlog.event_data.CallingProcessName
CallTrace: winlog.event_data.CallTrace
Channel: winlog.channel
CommandLine: winlog.event_data.CommandLine
ComputerName: winlog.ComputerName
CurrentDirectory: winlog.event_data.CurrentDirectory
Description: winlog.event_data.Description
DestinationHostname: winlog.event_data.DestinationHostname
DestinationIp: winlog.event_data.DestinationIp
dst_ip: winlog.event_data.DestinationIp
DestinationIsIpv6: winlog.event_data.DestinationIsIpv6
DestinationPort: winlog.event_data.DestinationPort
dst_port: winlog.event_data.DestinationPort
Details: winlog.event_data.Details
EngineVersion: winlog.event_data.EngineVersion
EventType: winlog.event_data.EventType
FailureCode: winlog.event_data.FailureCode
FileName: winlog.event_data.FileName
GrantedAccess: winlog.event_data.GrantedAccess
GroupName: winlog.event_data.GroupName
GroupSid: winlog.event_data.GroupSid
Hashes: winlog.event_data.Hashes
HiveName: winlog.event_data.HiveName
HostVersion: winlog.event_data.HostVersion
Image: winlog.event_data.Image
ImageLoaded: winlog.event_data.ImageLoaded
ImagePath: winlog.event_data.ImagePath
Imphash: winlog.event_data.Imphash
IpAddress: winlog.event_data.IpAddress
KeyLength: winlog.event_data.KeyLength
LogonProcessName: winlog.event_data.LogonProcessName
LogonType: winlog.event_data.LogonType
NewProcessName: winlog.event_data.NewProcessName
ObjectClass: winlog.event_data.ObjectClass
ObjectName: winlog.event_data.ObjectName
ObjectType: winlog.event_data.ObjectType
ObjectValueName: winlog.event_data.ObjectValueName
ParentCommandLine: winlog.event_data.ParentCommandLine
ParentProcessName: winlog.event_data.ParentProcessName
ParentImage: winlog.event_data.ParentImage
Path: winlog.event_data.Path
PipeName: winlog.event_data.PipeName
ProcessCommandLine: winlog.event_data.ProcessCommandLine
ProcessName: winlog.event_data.ProcessName
Properties: winlog.event_data.Properties
RuleName: winlog.event_data.RuleName
SecurityID: winlog.event_data.SecurityID
ServiceFileName: winlog.event_data.ServiceFileName
ServiceName: winlog.event_data.ServiceName
ShareName: winlog.event_data.ShareName
Signature: winlog.event_data.Signature
Source: winlog.event_data.Source
SourceImage: winlog.event_data.SourceImage
SourceIp: winlog.event_data.SourceIp
src_ip: winlog.event_data.SourceIp
SourcePort: winlog.event_data.SourcePort
src_port: winlog.event_data.SourcePort
StartModule: winlog.event_data.StartModule
Status: winlog.event_data.Status
SubjectUserName: winlog.event_data.SubjectUserName
SubjectUserSid: winlog.event_data.SubjectUserSid
TargetFilename: winlog.event_data.TargetFilename
TargetImage: winlog.event_data.TargetImage
TargetObject: winlog.event_data.TargetObject
TicketEncryptionType: winlog.event_data.TicketEncryptionType
TicketOptions: winlog.event_data.TicketOptions
User: winlog.event_data.User
WorkstationName: winlog.event_data.WorkstationName
# Channel: WLAN-Autoconfig AND EventID: 8001
AuthenticationAlgorithm: winlog.event_data.AuthenticationAlgorithm
BSSID: winlog.event_data.BSSID
BSSType: winlog.event_data.BSSType
CipherAlgorithm: winlog.event_data.CipherAlgorithm
ConnectionId: winlog.event_data.ConnectionId
ConnectionMode: winlog.event_data.ConnectionMode
InterfaceDescription: winlog.event_data.InterfaceDescription
InterfaceGuid: winlog.event_data.InterfaceGuid
OnexEnabled: winlog.event_data.OnexEnabled
PHYType: winlog.event_data.PHYType
ProfileName: winlog.event_data.ProfileName
SSID: winlog.event_data.SSID
Reference in New Issue View Git Blame Copy Permalink