valitydev/atomic-threat-coverage
14
0
Fork 0
mirror of https://github.com/valitydev/atomic-threat-coverage.git synced 2024-11-07 01:55:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

changed yaml to yml in one of enrichments name

Browse Source
This commit is contained in:
yugoslavskiy 2018-12-21 20:20:53 +01:00
parent 450ac66287
commit b9a6fd5876
1 changed files with 47 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
enrichments/EN_0002_enrich_sysmon_event_id_1_with_parent_info.yml Normal file
View File

@ -0,0 +1,47 @@
title: EN_0002_enrich_sysmon_event_id_1_with_parent_info
description: >
Enrich Sysmon Event ID 1 (Process Create) with Parent Integrity Level,
Parent User and Parent of Parent Image fields.
references:
- https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
author: Teymur Kheirkhabarov
requirements:
- EN_0001_cache_sysmon_event_id_1_info
new_fields:
- event_data.ParentIntegrityLevel
- event_data.ParentUser
- event_data.ParentOfParentImage
config: |
We can use Logstash to enrich Sysmon Event ID 1 with data cached in Memcached.
Here is the config example:
```
filter {
# Get previously cached information about parent process from cache to enrich process creation events (event id 1)
if [source_name] == "Microsoft-Windows-Sysmon" and [event_id] == 1 and [event_data][ParentProcessGuid] {
# Enrich event with additional information about process
memcached {
# get info from cache
hosts => ["127.0.0.1:11211"]
get => {
"%{computer_name}_%{[event_data][ParentProcessGuid]}" => "[@metadata][processinfo]"
}
}
if [@metadata][processinfo] {
kv {
source => "[@metadata][processinfo]"
target => "[@metadata][processinfo]"
field_split => ","
value_split => "="
}
if [@metadata][processinfo][ParentImage] {
mutate {
add_field => { "[event_data][ParentIntegrityLevel]" => "%{[@metadata][processinfo][IntegrityLevel]}" }
add_field => { "[event_data][ParentUser]" => "%{[@metadata][processinfo][User]}" }
add_field => { "[event_data][ParentOfParentImage]" => "%{[@metadata][processinfo][ParentImage]}" }
}
}
}
}
}
```