valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4e394d83a1
SigmaHQ/tools/config/winlogbeat.yml
Gábor Lipták d2592ee0b6
Add yamllint to GHA 
Signed-off-by: Gábor Lipták <gliptak@gmail.com>
2021-07-26 21:26:16 -04:00

259 lines
10 KiB
YAML
Raw Blame History

title: Elastic Winlogbeat (from 7.x) index pattern and field mapping
order: 20
backends:
- es-qs
- es-dsl
- es-rule
- kibana
- kibana-ndjson
- xpack-watcher
- elastalert
- elastalert-dsl
- ee-outliers
logsources:
windows:
product: windows
index: winlogbeat-*
windows-application:
product: windows
service: application
conditions:
winlog.channel: Application
windows-security:
product: windows
service: security
conditions:
winlog.channel: Security
windows-system:
product: windows
service: system
conditions:
winlog.channel: System
windows-sysmon:
product: windows
service: sysmon
conditions:
winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
windows-powershell:
product: windows
service: powershell
conditions:
winlog.channel: 'Microsoft-Windows-PowerShell/Operational'
windows-classicpowershell:
product: windows
service: powershell-classic
conditions:
winlog.channel: 'Windows PowerShell'
windows-dns-server:
product: windows
service: dns-server
conditions:
winlog.channel: 'DNS Server'
windows-driver-framework:
product: windows
service: driver-framework
conditions:
winlog.channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
windows-dhcp:
product: windows
service: dhcp
conditions:
winlog.channel: 'Microsoft-Windows-DHCP-Server/Operational'
windows-ntlm:
product: windows
service: ntlm
conditions:
winlog.channel: 'Microsoft-Windows-NTLM/Operational'
windows-defender:
product: windows
service: windefend
conditions:
winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
winlog.channel: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
winlog.channel: 'Microsoft-Windows-PrintService/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
winlog.channel: 'Microsoft-Windows-SmbClient/Security'
windows-applocker:
product: windows
service: applocker
conditions:
winlog.channel:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
defaultindex: winlogbeat-*
# Extract all field names with yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
# Keep EventID! Clean up the list afterwards!
fieldmappings:
EventID: winlog.event_id
AccessMask: winlog.event_data.AccessMask
AccessList: winlog.event_data.AccessList
AccountName: winlog.event_data.AccountName
AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
CallingProcessName: winlog.event_data.CallingProcessName
CallTrace: winlog.event_data.CallTrace
Channel: winlog.channel
CommandLine: winlog.event_data.CommandLine
ComputerName: winlog.ComputerName
CurrentDirectory: winlog.event_data.CurrentDirectory
Description: winlog.event_data.Description
DestinationHostname: winlog.event_data.DestinationHostname
DestinationIp: winlog.event_data.DestinationIp
dst_ip: winlog.event_data.DestinationIp
DestinationIsIpv6: winlog.event_data.DestinationIsIpv6
DestinationPort: winlog.event_data.DestinationPort
dst_port: winlog.event_data.DestinationPort
Details: winlog.event_data.Details
EngineVersion: winlog.event_data.EngineVersion
EventType: winlog.event_data.EventType
FailureCode: winlog.event_data.FailureCode
FileName: winlog.event_data.FileName
GrantedAccess: winlog.event_data.GrantedAccess
GroupName: winlog.event_data.GroupName
GroupSid: winlog.event_data.GroupSid
Hashes: winlog.event_data.Hashes
HiveName: winlog.event_data.HiveName
HostVersion: winlog.event_data.HostVersion
Image: winlog.event_data.Image
ImageLoaded: winlog.event_data.ImageLoaded
ImagePath: winlog.event_data.ImagePath
Imphash: winlog.event_data.Hashes
IpAddress: winlog.event_data.IpAddress
KeyLength: winlog.event_data.KeyLength
LogonProcessName: winlog.event_data.LogonProcessName
LogonType: winlog.event_data.LogonType
NewProcessName: winlog.event_data.NewProcessName
ObjectClass: winlog.event_data.ObjectClass
ObjectName: winlog.event_data.ObjectName
ObjectType: winlog.event_data.ObjectType
ObjectValueName: winlog.event_data.ObjectValueName
OriginalFileName: winlog.event_data.OriginalFileName
ParentCommandLine: winlog.event_data.ParentCommandLine
ParentProcessName: winlog.event_data.ParentProcessName
ParentImage: winlog.event_data.ParentImage
Path: winlog.event_data.Path
PipeName: winlog.event_data.PipeName
ProcessCommandLine: winlog.event_data.ProcessCommandLine
ProcessName: winlog.event_data.ProcessName
Product: winlog.event_data.Product
Properties: winlog.event_data.Properties
RuleName: winlog.event_data.RuleName
ScriptBlockText: winlog.event_data.ScriptBlockText
SecurityID: winlog.event_data.SecurityID
ServiceFileName: winlog.event_data.ServiceFileName
ServiceName: winlog.event_data.ServiceName
ShareName: winlog.event_data.ShareName
Signature: winlog.event_data.Signature
Source: winlog.event_data.Source
SourceImage: winlog.event_data.SourceImage
SourceIp: winlog.event_data.SourceIp
src_ip: winlog.event_data.SourceIp
SourcePort: winlog.event_data.SourcePort
src_port: winlog.event_data.SourcePort
StartModule: winlog.event_data.StartModule
Status: winlog.event_data.Status
SubjectUserName: winlog.event_data.SubjectUserName
SubjectUserSid: winlog.event_data.SubjectUserSid
TargetFilename: winlog.event_data.TargetFilename
TargetImage: winlog.event_data.TargetImage
TargetObject: winlog.event_data.TargetObject
TicketEncryptionType: winlog.event_data.TicketEncryptionType
TicketOptions: winlog.event_data.TicketOptions
User: winlog.event_data.User
WorkstationName: winlog.event_data.WorkstationName
# Channel: WLAN-Autoconfig AND EventID: 8001
AuthenticationAlgorithm: winlog.event_data.AuthenticationAlgorithm
BSSID: winlog.event_data.BSSID
BSSType: winlog.event_data.BSSType
CipherAlgorithm: winlog.event_data.CipherAlgorithm
ConnectionId: winlog.event_data.ConnectionId
ConnectionMode: winlog.event_data.ConnectionMode
InterfaceDescription: winlog.event_data.InterfaceDescription
InterfaceGuid: winlog.event_data.InterfaceGuid
OnexEnabled: winlog.event_data.OnexEnabled
PHYType: winlog.event_data.PHYType
ProfileName: winlog.event_data.ProfileName
SSID: winlog.event_data.SSID
# powershell
SequenceNumber: winlog.event_data.SequenceNumber
NewEngineState: winlog.event_data.NewEngineState
PreviousEngineState: winlog.event_data.PreviousEngineState
NewProviderState: winlog.event_data.NewProviderState
ProviderName: winlog.event_data.ProviderName
HostId: winlog.event_data.HostId
HostApplication: winlog.event_data.HostApplication
HostName: winlog.event_data.HostName
Payload: winlog.event_data.Payload
ContextInfo: winlog.event_data.ContextInfo
# from here missing field at 20210706
Accesses: winlog.event_data.Accesses
AttributeValue: winlog.event_data.AttributeValue
AuditSourceName: winlog.event_data.AuditSourceName
AuthenticationPackage: winlog.event_data.AuthenticationPackageName
CallerProcessName: winlog.event_data.CallerProcessName
ClassName: winlog.event_data.ClassName
ClassId: winlog.event_data.ClassId
Company: winlog.event_data.Company
DestAddress: winlog.event_data.DestAddress
Destination: winlog.event_data.Destination
DestPort: winlog.event_data.DestPort
Device: winlog.event_data.Device
DeviceDescription: winlog.event_data.DeviceDescription
# DeviceName => Microsoft-Windows-Ntfs EventID: 98
DeviceName: winlog.event_data.DeviceName
# ErrorCode => printservice-admin EventID: 4909 or 808
ErrorCode: winlog.event_data.ErrorCode
FilePath: winlog.event_data.FilePath
FileVersion: winlog.event_data.FileVersion
# Filename => product: antivirus
Filename: winlog.event_data.Filename
Initiated: winlog.event_data.Initiated
IntegrityLevel: winlog.event_data.IntegrityLevel
LayerRTID: winlog.event_data.LayerRTID
LDAPDisplayName: winlog.event_data.LDAPDisplayName
# Level => Source: MSExchange Control Panel EventID: 4
Level: winlog.event_data.Level
LogonId: winlog.event_data.LogonId
NewName: winlog.event_data.NewName
NewValue: winlog.event_data.NewValue
ObjectServer: winlog.event_data.ObjectServer
PasswordLastSet: winlog.event_data.PasswordLastSet
PrivilegeList: winlog.event_data.PrivilegeList
QueryName: winlog.event_data.QueryName
QueryResults: winlog.event_data.QueryResults
QueryStatus: winlog.event_data.QueryStatus
RelativeTargetName: winlog.event_data.RelativeTargetName
SamAccountName: winlog.event_data.SamAccountName
Service: winlog.event_data.Service
ServicePrincipalNames: winlog.event_data.ServicePrincipalNames
sha1: winlog.event_data.Hashes
SidHistory: winlog.event_data.SidHistory
Signed: winlog.event_data.Signed
SourceAddress: winlog.event_data.SourceAddress
StartFunction: winlog.event_data.StartFunction
SubjectLogonId: winlog.event_data.SubjectLogonId
TargetFileName: winlog.event_data.TargetFilename
TargetProcessAddress: winlog.event_data.TargetProcessAddress
TargetServerName: winglog.event_data.TargetServerName
TargetLogonId: winlog.event_data.TargetLogonId
TaskName: winlog.event_data.TaskName
# UserName => smbclient-security eventid:31017
UserName: winlog.event_data.UserName
Workstation: winlog.event_data.Workstation
Reference in New Issue View Git Blame Copy Permalink