mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 18:23:52 +00:00
176 lines
5.1 KiB
YAML
176 lines
5.1 KiB
YAML
title: HELK index patterns and OSSEM field mappings
|
|
order: 20
|
|
backends:
|
|
- es-qs
|
|
- es-dsl
|
|
- kibana
|
|
- xpack-watcher
|
|
- elastalert
|
|
- elastalert-dsl
|
|
logsources:
|
|
windows-application:
|
|
product: windows
|
|
service: application
|
|
index: logs-endpoint-winevent-application-*
|
|
windows-security:
|
|
product: windows
|
|
service: security
|
|
index: logs-endpoint-winevent-security-*
|
|
windows-sysmon:
|
|
product: windows
|
|
service: sysmon
|
|
index: logs-endpoint-winevent-sysmon-*
|
|
windows-system:
|
|
product: windows
|
|
service: system
|
|
index: logs-endpoint-winevent-system-*
|
|
windows-wmi:
|
|
product: windows
|
|
service: wmi
|
|
index: logs-endpoint-winevent-wmiactivity-*
|
|
windows-powershell:
|
|
product: windows
|
|
service: powershell
|
|
index: logs-endpoint-winevent-powershell-*
|
|
windows-powershell-classic:
|
|
product: windows
|
|
service: powershell-classic
|
|
index: logs-endpoint-winevent-powershell-*
|
|
defaultindex: logs-*
|
|
fieldmappings:
|
|
AccessMask: object_access_mask_requested
|
|
AccountName: user_name
|
|
AllowedToDelegateTo: user_attribute_allowed_todelegate
|
|
AttributeLDAPDisplayName: dsobject_attribute_name
|
|
AuditPolicyChanges: policy_changes
|
|
AuthenticationPackageName: logon_authentication_package
|
|
CallingProcessName: process_path
|
|
CallTrace: process_call_trace
|
|
ClientAddress: src_ip_addr
|
|
ClientIPAddress: src_ip_addr
|
|
ClientIP: src_ip_addr
|
|
CommandLine: process_command_line
|
|
Company: file_company
|
|
ComputerName: host_name
|
|
Configuration:
|
|
EventID=16: sysmon_configuration
|
|
ConnectedViaIPAddress: dst_nat_ip_addr
|
|
CurrentDirectory: process_current_directory
|
|
Description: file_description
|
|
DestAddress: dst_ip_addr
|
|
Destination:
|
|
EventID=20: wmi_consumer_destination
|
|
DestinationHostname: dst_host_name
|
|
DestinationIp: dst_ip_addr
|
|
DestinationPort: dst_port
|
|
DestinationPortName: dst_port_name
|
|
Details:
|
|
EventID=13: registry_key_value
|
|
Device: device_name
|
|
EngineVersion: powershell.engine.version
|
|
EventID: event_id
|
|
EventType: event_type
|
|
EventNamespace:
|
|
EventID=19: wmi_namespace
|
|
Filter:
|
|
EventID=21: wmi_filter_path
|
|
FailureCode: ticket_failure_code
|
|
FileName: file_name
|
|
FileVersion: file_version
|
|
GrantedAccess: process_granted_access
|
|
GroupName: group_name
|
|
GroupSid: group_sid
|
|
HiveName: hive_name
|
|
HostVersion: powershell.host.version
|
|
Image: process_path
|
|
ImageLoaded:
|
|
EventID=6: driver_loaded
|
|
EventID=7: module_loaded
|
|
Imphash: hash_imphash
|
|
Initiated:
|
|
EventID=3: network_initiated"
|
|
IntegrityLevel:
|
|
EventID=1: process_integrity_level
|
|
ipAddress: dst_ip_addr
|
|
IpAddress: src_ip_addr
|
|
IPString: src_ip_addr
|
|
LaunchedViaIPAddress: dst_ip_addr
|
|
LogonProcessName: logon_process_name
|
|
LogonType: logon_type
|
|
MachineIpAddress: dst_ip_addr
|
|
MachineName: host_name
|
|
Name:
|
|
EventID=19: wmi_name
|
|
EventID=20: wmi_name
|
|
NewProcessName: process_path
|
|
NewName:
|
|
EventID=14: registry_key_new_name
|
|
ObjectClass: dsobject_class
|
|
ObjectName: object_name
|
|
ObjectType: object_type
|
|
ObjectValueName: object_value_name
|
|
Operation:
|
|
EventID=19: wmi_operation
|
|
EventID=20: wmi_operation
|
|
EventID=21: wmi_operation
|
|
OperationType: object_operation_type
|
|
OriginalFileName: file_name_original
|
|
ParentImage: process_parent_path
|
|
ParentProcessName: process_parent_path
|
|
PasswordLastSet: user_attribute_password_lastset
|
|
Path: process_path
|
|
ParentCommandLine: process_parent_command_line
|
|
PipeName: pipe_name
|
|
ProcessName: process_path
|
|
ProcessCommandLine: process_command_line
|
|
Product: file_product
|
|
Properties: object_properties
|
|
Protocol:
|
|
EventID=3: network_protocol
|
|
Query:
|
|
EventID=19: wmi_query
|
|
RelativeTargetName: share_relative_target_name
|
|
SourceAddress: src_ip_addr
|
|
SchemaVersion:
|
|
EventID=4: sysmon_schema_version
|
|
ServiceFileName: service_image_path
|
|
ServiceName: service_name
|
|
ShareName: share_name
|
|
Signature: signature
|
|
SignatureStatus: signature_status
|
|
Signed: signed
|
|
Source: source_name
|
|
SourceHostname: src_host_name
|
|
SourceImage: process_path
|
|
SourceIp: src_ip_addr
|
|
SourcePort: src_port
|
|
SourcePortName: src_port_name
|
|
StartAddress: thread_start_address
|
|
StartFunction: thread_start_function
|
|
StartModule: thread_start_module
|
|
Status: event_status
|
|
State:
|
|
EventID=4: service_state
|
|
EventID=16: sysmon_configuration_state
|
|
SubjectUserName:
|
|
EventID=4624: user_reporter_name
|
|
EventId=4648: user_name
|
|
EventID=5140: user_name
|
|
TargetServer: dst_ip_addr
|
|
TaskName: task_name
|
|
TicketEncryptionType: ticket_encryption_type
|
|
TicketOptions: ticket_options
|
|
TargetFilename: file_name
|
|
TargetImage: target_process_path
|
|
TargetProcessAddress: thread_start_address
|
|
TargetObject: registry_key_path
|
|
Type:
|
|
EventID=20: wmi_consumer_type
|
|
User: user_account
|
|
UserName: user_name
|
|
Value:
|
|
EventID=1102: dst_ip_addr
|
|
Version:
|
|
EventID=4: sysmon_version
|
|
Workstation: src_host_name
|
|
WorkstationName: src_host_name |