tools/config/winlogbeat-modules-enabled.yml

title: Elastic Winlogbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules
order: 20
backends:
  - es-qs
  - es-dsl
  - es-rule
  - kibana
  - xpack-watcher
  - elastalert
  - elastalert-dsl
  - elasticsearch-rule
  - ee-outliers
logsources:
  windows:
    product: windows
    index: winlogbeat-*
  windows-application:
    product: windows
    service: application
    conditions:
      winlog.channel: Application
  windows-security:
    product: windows
    service: security
    conditions:
      winlog.channel: Security
  windows-sysmon:
    product: windows
    service: sysmon
    conditions:
      winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
  windows-dns-server:
    product: windows
    service: dns-server
    conditions:
      winlog.channel: 'DNS Server'
  windows-driver-framework:
    product: windows
    service: driver-framework
    conditions:
      winlog.provider_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
  windows-dhcp:
    product: windows
    service: dhcp
    conditions:
      winlog.provider_name: 'Microsoft-Windows-DHCP-Server/Operational'
  windows-ntlm:
    product: windows
    service: ntlm
    conditions:
      winlog.provider_name: 'Microsoft-Windows-NTLM/Operational'
  windows-defender:
    product: windows
    service: windefend
    conditions:
      winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
  windows-applocker:
    product: windows
    service: applocker
    conditions:
      winlog.channel:
        - 'Microsoft-Windows-AppLocker/MSI and Script'
        - 'Microsoft-Windows-AppLocker/EXE and DLL'
        - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
        - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
defaultindex: winlogbeat-*
# Extract all field names qith yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: winlog.event_data.\1/g'
# Keep EventID! Clean up the list afterwards!
fieldmappings:
  EventID: winlog.event_id
  AccessMask: winlog.event_data.AccessMask
  AccountName: winlog.event_data.AccountName
  AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
  AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
  AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
  AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
  CallingProcessName: winlog.event_data.CallingProcessName
  CallTrace: winlog.event_data.CallTrace
  Channel: winlog.channel
  CommandLine: process.args
  ComputerName: winlog.ComputerName
  CurrentDirectory: process.working_directory
  Description: winlog.event_data.Description
  DestinationHostname: destination.domain
  DestinationIp: destination.ip
  dst_ip: destination.ip
  #DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
  DestinationPort: destination.port
  dst_port: destination.port
  DestinationPortName: network.protocol
  Details: winlog.event_data.Details
  EngineVersion: winlog.event_data.EngineVersion
  EventType: winlog.event_data.EventType
  FailureCode: winlog.event_data.FailureCode
  FileName: file.path
  GrantedAccess: winlog.event_data.GrantedAccess
  GroupName:
    - winlog.event_data.GroupName
    - group.name
  GroupSid:
    - group.id
    - winlog.event_data.GroupSid
  Hashes: winlog.event_data.Hashes
  file_hash: winlog.event_data.Hashes
  HiveName: winlog.event_data.HiveName
  HostVersion: winlog.event_data.HostVersion
  Image: process.executable
  ImageLoaded: file.path
  ImagePath: winlog.event_data.ImagePath
  Imphash: winlog.event_data.Imphash
  IpAddress: source.ip
  IpPort: source.port
  KeyLength: winlog.event_data.KeyLength
  LogonProcessName: winlog.event_data.LogonProcessName
  LogonType: winlog.event_data.LogonType
  NewProcessName: winlog.event_data.NewProcessName
  ObjectClass: winlog.event_data.ObjectClass
  ObjectName: winlog.event_data.ObjectName
  ObjectType: winlog.event_data.ObjectType
  ObjectValueName: winlog.event_data.ObjectValueName
  ParentCommandLine: process.parent.args
  ParentProcessName: process.parent.name
  ParentImage: process.parent.executable
  Path: winlog.event_data.Path
  PipeName: file.name
  ProcessCommandLine: winlog.event_data.ProcessCommandLine
  ProcessName: process.executable
  Properties: winlog.event_data.Properties
  RuleName: winlog.event_data.RuleName
  SecurityID: winlog.event_data.SecurityID
  ServiceFileName: winlog.event_data.ServiceFileName
  ServiceName: winlog.event_data.ServiceName
  ShareName: winlog.event_data.ShareName
  Signature: winlog.event_data.Signature
  Source: winlog.event_data.Source
  SourceHostname: source.domain
  SourceImage: process.executable
  SourceIp: source.ip
  src_ip: source.ip
  SourcePort: source.port
  src_port: source.port
  #SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
  StartModule: winlog.event_data.StartModule
  Status: winlog.event_data.Status
  SubjectDomainName: user.domain
  SubjectUserName: user.name
  SubjectUserSid: user.id
  TargetFilename: file.path
  TargetImage: winlog.event_data.TargetImage
  TargetObject: winlog.event_data.TargetObject
  TicketEncryptionType: winlog.event_data.TicketEncryptionType
  TicketOptions: winlog.event_data.TicketOptions
  TargetDomainName: user.domain
  TargetUserName: user.name
  TargetUserSid: user.id
  User: user.name
  WorkstationName: source.domain
  # Channel: WLAN-Autoconfig AND EventID: 8001
  AuthenticationAlgorithm: winlog.event_data.AuthenticationAlgorithm
  BSSID: winlog.event_data.BSSID
  BSSType: winlog.event_data.BSSType
  CipherAlgorithm: winlog.event_data.CipherAlgorithm
  ConnectionId: winlog.event_data.ConnectionId
  ConnectionMode: winlog.event_data.ConnectionMode
  InterfaceDescription: winlog.event_data.InterfaceDescription
  InterfaceGuid: winlog.event_data.InterfaceGuid
  OnexEnabled: winlog.event_data.OnexEnabled
  PHYType: winlog.event_data.PHYType
  ProfileName: winlog.event_data.ProfileName
  SSID: winlog.event_data.SSID
create winlogbeat config/taxonomy specific to elastic enabled winlogbeat modules such as the one for sysmon](https://github.com/elastic/beats/blob/master/x-pack/winlogbeat/module/security/config/winlogbeat-security.js ) sigmac conversion 2019-10-01 10:16:42 -04:00			`title: Elastic Winlogbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules`
			`order: 20`
			`backends:`
			`- es-qs`
			`- es-dsl`
Added es-rule backend to all ES configurations 2020-02-24 23:20:48 +01:00			`- es-rule`
create winlogbeat config/taxonomy specific to elastic enabled winlogbeat modules such as the one for sysmon](https://github.com/elastic/beats/blob/master/x-pack/winlogbeat/module/security/config/winlogbeat-security.js ) sigmac conversion 2019-10-01 10:16:42 -04:00			`- kibana`
			`- xpack-watcher`
			`- elastalert`
			`- elastalert-dsl`
Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00			`- elasticsearch-rule`
Added ee-outliers backend 2020-05-08 10:04:59 +02:00			`- ee-outliers`
create winlogbeat config/taxonomy specific to elastic enabled winlogbeat modules such as the one for sysmon](https://github.com/elastic/beats/blob/master/x-pack/winlogbeat/module/security/config/winlogbeat-security.js ) sigmac conversion 2019-10-01 10:16:42 -04:00			`logsources:`
			`windows:`
			`product: windows`
			`index: winlogbeat-*`
			`windows-application:`
			`product: windows`
			`service: application`
			`conditions:`
			`winlog.channel: Application`
			`windows-security:`
			`product: windows`
			`service: security`
			`conditions:`
			`winlog.channel: Security`
			`windows-sysmon:`
			`product: windows`
			`service: sysmon`
			`conditions:`
			`winlog.channel: 'Microsoft-Windows-Sysmon/Operational'`
			`windows-dns-server:`
			`product: windows`
			`service: dns-server`
			`conditions:`
			`winlog.channel: 'DNS Server'`
			`windows-driver-framework:`
			`product: windows`
			`service: driver-framework`
			`conditions:`
			`winlog.provider_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'`
			`windows-dhcp:`
			`product: windows`
			`service: dhcp`
			`conditions:`
			`winlog.provider_name: 'Microsoft-Windows-DHCP-Server/Operational'`
Added Windows NTLM log source + fixes 2020-07-02 23:20:36 +02:00			`windows-ntlm:`
			`product: windows`
			`service: ntlm`
			`conditions:`
			`winlog.provider_name: 'Microsoft-Windows-NTLM/Operational'`
Windows Defender rules and logsource 2020-06-28 10:55:32 +02:00			`windows-defender:`
			`product: windows`
			`service: windefend`
			`conditions:`
			`winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'`
Added AppLocker log source 2020-07-13 20:21:46 +00:00			`windows-applocker:`
			`product: windows`
			`service: applocker`
			`conditions:`
			`winlog.channel:`
			`- 'Microsoft-Windows-AppLocker/MSI and Script'`
			`- 'Microsoft-Windows-AppLocker/EXE and DLL'`
			`- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'`
			`- 'Microsoft-Windows-AppLocker/Packaged app-Execution'`
create winlogbeat config/taxonomy specific to elastic enabled winlogbeat modules such as the one for sysmon](https://github.com/elastic/beats/blob/master/x-pack/winlogbeat/module/security/config/winlogbeat-security.js ) sigmac conversion 2019-10-01 10:16:42 -04:00			`defaultindex: winlogbeat-*`
			`# Extract all field names qith yq:`
			`# yq -r '.detection \| del(.condition) \| map(keys) \| .[][]' $(find sigma/rules/windows -name '.yml') \| sort -u \| grep -v ^EventID$ \| sed 's/^\(.\)/ \1: winlog.event_data.\1/g'`
			`# Keep EventID! Clean up the list afterwards!`
			`fieldmappings:`
Further proxy field name fixes (config + rules) 2019-12-07 00:23:30 +01:00			`EventID: winlog.event_id`
			`AccessMask: winlog.event_data.AccessMask`
			`AccountName: winlog.event_data.AccountName`
			`AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo`
			`AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName`
			`AuditPolicyChanges: winlog.event_data.AuditPolicyChanges`
			`AuthenticationPackageName: winlog.event_data.AuthenticationPackageName`
			`CallingProcessName: winlog.event_data.CallingProcessName`
			`CallTrace: winlog.event_data.CallTrace`
winlogbeat forward (at a snails pace) ECS field names 2020-05-19 04:58:51 -04:00			`Channel: winlog.channel`
Further proxy field name fixes (config + rules) 2019-12-07 00:23:30 +01:00			`CommandLine: process.args`
Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00			`ComputerName: winlog.ComputerName`
Further proxy field name fixes (config + rules) 2019-12-07 00:23:30 +01:00			`CurrentDirectory: process.working_directory`
			`Description: winlog.event_data.Description`
			`DestinationHostname: destination.domain`
			`DestinationIp: destination.ip`
winlogbeat forward (at a snails pace) ECS field names 2020-05-19 04:58:51 -04:00			`dst_ip: destination.ip`
Further proxy field name fixes (config + rules) 2019-12-07 00:23:30 +01:00			`#DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279`
			`DestinationPort: destination.port`
winlogbeat forward (at a snails pace) ECS field names 2020-05-19 04:58:51 -04:00			`dst_port: destination.port`
Further proxy field name fixes (config + rules) 2019-12-07 00:23:30 +01:00			`DestinationPortName: network.protocol`
			`Details: winlog.event_data.Details`
			`EngineVersion: winlog.event_data.EngineVersion`
			`EventType: winlog.event_data.EventType`
			`FailureCode: winlog.event_data.FailureCode`
			`FileName: file.path`
			`GrantedAccess: winlog.event_data.GrantedAccess`
winlogbeat forward (at a snails pace) ECS field names 2020-05-19 04:58:51 -04:00			`GroupName:`
			`- winlog.event_data.GroupName`
			`- group.name`
			`GroupSid:`
			`- group.id`
			`- winlog.event_data.GroupSid`
Further proxy field name fixes (config + rules) 2019-12-07 00:23:30 +01:00			`Hashes: winlog.event_data.Hashes`
Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00			`file_hash: winlog.event_data.Hashes`
Further proxy field name fixes (config + rules) 2019-12-07 00:23:30 +01:00			`HiveName: winlog.event_data.HiveName`
			`HostVersion: winlog.event_data.HostVersion`
			`Image: process.executable`
			`ImageLoaded: file.path`
			`ImagePath: winlog.event_data.ImagePath`
			`Imphash: winlog.event_data.Imphash`
			`IpAddress: source.ip`
			`IpPort: source.port`
			`KeyLength: winlog.event_data.KeyLength`
			`LogonProcessName: winlog.event_data.LogonProcessName`
			`LogonType: winlog.event_data.LogonType`
			`NewProcessName: winlog.event_data.NewProcessName`
			`ObjectClass: winlog.event_data.ObjectClass`
			`ObjectName: winlog.event_data.ObjectName`
			`ObjectType: winlog.event_data.ObjectType`
			`ObjectValueName: winlog.event_data.ObjectValueName`
			`ParentCommandLine: process.parent.args`
			`ParentProcessName: process.parent.name`
			`ParentImage: process.parent.executable`
			`Path: winlog.event_data.Path`
			`PipeName: file.name`
			`ProcessCommandLine: winlog.event_data.ProcessCommandLine`
			`ProcessName: process.executable`
			`Properties: winlog.event_data.Properties`
Add Winlogbeat's RuleName field to mapping 2020-03-19 19:40:18 +01:00			`RuleName: winlog.event_data.RuleName`
Further proxy field name fixes (config + rules) 2019-12-07 00:23:30 +01:00			`SecurityID: winlog.event_data.SecurityID`
			`ServiceFileName: winlog.event_data.ServiceFileName`
			`ServiceName: winlog.event_data.ServiceName`
			`ShareName: winlog.event_data.ShareName`
			`Signature: winlog.event_data.Signature`
			`Source: winlog.event_data.Source`
			`SourceHostname: source.domain`
			`SourceImage: process.executable`
			`SourceIp: source.ip`
winlogbeat forward (at a snails pace) ECS field names 2020-05-19 04:58:51 -04:00			`src_ip: source.ip`
Further proxy field name fixes (config + rules) 2019-12-07 00:23:30 +01:00			`SourcePort: source.port`
winlogbeat forward (at a snails pace) ECS field names 2020-05-19 04:58:51 -04:00			`src_port: source.port`
Further proxy field name fixes (config + rules) 2019-12-07 00:23:30 +01:00			`#SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279`
			`StartModule: winlog.event_data.StartModule`
			`Status: winlog.event_data.Status`
			`SubjectDomainName: user.domain`
			`SubjectUserName: user.name`
			`SubjectUserSid: user.id`
			`TargetFilename: file.path`
			`TargetImage: winlog.event_data.TargetImage`
			`TargetObject: winlog.event_data.TargetObject`
			`TicketEncryptionType: winlog.event_data.TicketEncryptionType`
			`TicketOptions: winlog.event_data.TicketOptions`
			`TargetDomainName: user.domain`
			`TargetUserName: user.name`
			`TargetUserSid: user.id`
			`User: user.name`
			`WorkstationName: source.domain`
winlogbeat forward (at a snails pace) ECS field names 2020-05-19 04:58:51 -04:00			`# Channel: WLAN-Autoconfig AND EventID: 8001`
			`AuthenticationAlgorithm: winlog.event_data.AuthenticationAlgorithm`
			`BSSID: winlog.event_data.BSSID`
			`BSSType: winlog.event_data.BSSType`
			`CipherAlgorithm: winlog.event_data.CipherAlgorithm`
			`ConnectionId: winlog.event_data.ConnectionId`
			`ConnectionMode: winlog.event_data.ConnectionMode`
			`InterfaceDescription: winlog.event_data.InterfaceDescription`
			`InterfaceGuid: winlog.event_data.InterfaceGuid`
			`OnexEnabled: winlog.event_data.OnexEnabled`
			`PHYType: winlog.event_data.PHYType`
			`ProfileName: winlog.event_data.ProfileName`
			`SSID: winlog.event_data.SSID`