mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
155 lines
3.5 KiB
YAML
155 lines
3.5 KiB
YAML
title: Logpoint
|
|
order: 20
|
|
backends:
|
|
- logpoint
|
|
logsources:
|
|
windows-security:
|
|
product: windows
|
|
service: security
|
|
conditions:
|
|
event_source: 'Microsoft-Windows-Security-Auditing'
|
|
windows-system:
|
|
product: windows
|
|
service: system
|
|
conditions:
|
|
event_source: 'Microsoft-Windows-Security-Auditing'
|
|
windows-dns-server:
|
|
product: windows
|
|
service: dns-server
|
|
conditions:
|
|
event_source: 'DNS Server'
|
|
windows-driver-framework:
|
|
product: windows
|
|
service: driver-framework
|
|
conditions:
|
|
event_source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
|
|
windows-dhcp:
|
|
product: windows
|
|
service: dhcp
|
|
conditions:
|
|
event_source: 'Microsoft-Windows-DHCP-Server/Operational'
|
|
windows-ntlm:
|
|
product: windows
|
|
service: ntlm
|
|
conditions:
|
|
event_source: 'Microsoft-Windows-NTLM/Operational'
|
|
|
|
fieldmappings:
|
|
EventID: event_id
|
|
FailureCode: result_code
|
|
GroupName: group_name
|
|
GroupSid: group_sid
|
|
KeyLength: key_length
|
|
LogonProcessName: logon_process
|
|
LogonType: logon_type
|
|
ServiceName: service
|
|
SubjectAccountName:
|
|
EventID=4611:
|
|
- user
|
|
EventID=4624:
|
|
- target_user
|
|
- caller_user
|
|
EventID=4625:
|
|
- target_user
|
|
- caller_user
|
|
EventID=4634:
|
|
- user
|
|
EventID=4648:
|
|
- target_user
|
|
- caller_user
|
|
EventID=4662:
|
|
- user
|
|
EventID=4672:
|
|
- user
|
|
EventID=4688:
|
|
- user
|
|
EventID=4719:
|
|
- user
|
|
EventID=4720:
|
|
- target_user
|
|
- caller_user
|
|
EventID=4722:
|
|
- target_user
|
|
- caller_user
|
|
EventID=4723:
|
|
- target_user
|
|
- caller_user
|
|
EventID=4724:
|
|
- target_user
|
|
- caller_user
|
|
EventID=4728:
|
|
- user
|
|
- member
|
|
EventID=4729:
|
|
- user
|
|
- member
|
|
EventID=4731:
|
|
- user
|
|
EventID=4732:
|
|
- user
|
|
- member
|
|
EventID=4735:
|
|
- user
|
|
EventID=4737:
|
|
- user
|
|
EventID=4738:
|
|
- target_user
|
|
- caller_user
|
|
EventID=4740:
|
|
- target_user
|
|
- caller_user
|
|
EventID=4742:
|
|
- target_user
|
|
- caller_user
|
|
EventID=4755:
|
|
- user
|
|
EventID=4756:
|
|
- user
|
|
- member
|
|
EventID=4757:
|
|
- user
|
|
- member
|
|
EventID=4767:
|
|
- target_user
|
|
- caller_user
|
|
EventID=4768:
|
|
- user
|
|
EventID=4769:
|
|
- user
|
|
EventID=4770:
|
|
- user
|
|
EventID=4771:
|
|
- user
|
|
EventID=4774:
|
|
- user
|
|
EventID=4776:
|
|
- user
|
|
EventID=4781:
|
|
- target_user
|
|
- caller_user
|
|
EventID=4904:
|
|
- user
|
|
EventID=4905:
|
|
- user
|
|
EventID=5061:
|
|
- user
|
|
EventID=5136:
|
|
- user
|
|
EventID=5137:
|
|
- user
|
|
default:
|
|
- caller_user
|
|
- target_user
|
|
- user
|
|
- member
|
|
TicketOptions: ticket_options
|
|
TicketEnctyption: ticket_encryption
|
|
Type: event_type
|
|
UserName:
|
|
default:
|
|
- caller_user
|
|
- target_user
|
|
- user
|
|
- member
|
|
SourceWorkstation: workstation
|